In both cases, text that appears in italics like this or like this represents text that you should
replace with text specific to your deployment. For example, the URL https://proxyIPaddr:8082
appears often in this book. In this example, the text proxyIPaddr should be replaced with the
actual four-octet numeric IP address of your ProxySG.
BlueTouch Training Services BCCPA Course v3.5.1
Chapter 1: Blue Coat Product Family
In a connected world, the network is increasingly becoming a platform for collaboration bringing
people together to share ideas, speed decision-making, and enhance competitiveness.
Collaborative applications such as teleconferencing, unified communications, and social media
are being deployed at an increasing rate. An increasingly capable wide area network combines
with a host of regulatory mandates to drive infrastructure and data center consolidation, enabling
enterprises to gain greater efficiencies, contain costs, and enhance agility.
The key trends driving business today (centralization, mobilization, and globalization) often
make it difficult, if not downright impossible, to support on-demand application delivery. IT
initiatives such as server consolidation and voice, video, and data convergence can disrupt
network service. Your mobile applications and devices can be compromised by security breaches
and data theft. And global IT infrastructures often harbor data silos that are difficult to penetrate
and manage, obscuring the view of your IT resources.
Maintaining a sustainable competitive advantage in a rapidly changing business environment
requires new levels of responsiveness. Access to information where, when, and how it is needed is
critical to success. In today's market, information is the currency of business. Delivering a superior
user experience across corporate, branch, and remote locations depends on having:
The visibility to control what is running on the network.
The ability to accelerate business applications and meter recreational traffic.
The ability to do so in a safe and secure manner.
Application Delivery Networks (ADNs) are emerging as an essential requirement in addressing
these challenges. Blue Coat products provide an ADN infrastructure designed to optimize and
secure the flow of information to any user, on any network, anywhere.
After studying this chapter, you will understand:
The concepts of the Application Delivery Network.
How Blue Coat's product family implements the ADN.
Basic features of each member of the Blue Coat product family.
Slide 1-1: Application Delivery Network
Implementing the Application Delivery Network answers the demand for greater application
mobility and security in a changing global business environment. By combining three core
capabilities, application performance monitoring (visibility), WAN optimization (acceleration),
and Secure Web Gateway technologies (security), the ADN helps you:
See applications and users and how they behave on the network.
Troubleshoot performance issues.
Accelerate mission-critical applications, streaming video, SSL, and other enterprise
applications.
Secure against malware, data leaks, and performance degradation.
Enable a highly efficient and productive end-to-end user experience anytime, anywhere.
Visibility
Blue Coat's ADN solutions provide the ability to identify and classify applications and users
across the network. You can discover all application traffic, monitor the user experience,
troubleshoot performance issues and resolve problems before they impact the user experience.
You can:
Automatically discover more than 600 applications.
Identify peer-to-peer (P2P), recreational, and streaming applications over any port.
Subclassify complex applications such as SAP, Oracle, Citrix, Web, CIFS, MAPI, and DCOM.
Discover URLs and external sites within HTTP.
Identify problem hosts, servers, and applications.
Acceleration
Blue Coat helps you accelerate business-critical applications, including internal, external, and
real-time applications, to any user, anywhere, all while ensuring a headquarters work
experience, wherever your users are located. Acceleration technologies include:
Object and byte caching.
Compression and basic quality-of-service capabilities.
External Web and SSL acceleration.
Protocol acceleration for TCP, CIFS/NFS, MAPI, HTTP, and more.
Advanced Web policy and bandwidth management.
Advanced application ID technology.
Security
Blue Coat secures your Internet gateway to help protect users from malicious content and
applications. Security capabilities include:
Anti-virus and malware scanning.
Comprehensive data loss prevention.
URL and Web content filtering.
A centrally managed distributed gateway.
Granular policy management across more than 500 variables, including user, group,
application, source, content types, and transaction.
Logging, statistics, and SNMP support.
Blue Coat Products
Blue Coat products provide total visibility and control over user and application performance
and fast, secure delivery of the critical applications that fuel business productivity.
Proxy Technology
Blue Coat ProxySG: Delivers a scalable proxy platform architecture to secure Web
communications and accelerate the delivery of business applications. The ProxySG is built on
SGOS, a custom, object-based operating system that enables flexible policy control over
content, users, applications, and protocols. The ProxySG is designed to meet proxy
requirements at branch offices, Internet gateways, data centers, and global service providers.
The ProxySG is available as a physical appliance or as a virtual, software-only WAN
optimization appliance that can be deployed on industry-standard servers and virtualization
environments.
Hardware-based Products
Blue Coat ProxyAV: Enables organizations to detect viruses, worms, spyware, and trojans at
the Web gateway. The ProxyAV also can block most unknown spyware that targets HTTP, FTP,
and HTTPS protocols, in addition to preventing zero-day attacks and rootkit malware from
reaching desktops. The ProxyAV integrates with the caching capabilities of the ProxySG to
deliver outstanding anti-virus gateway performance.
Blue Coat CacheFlow: Enables service providers to manage dramatic increases in network
traffic and subscriber growth. Using highly effective Web caching technology, CacheFlow
appliances save bandwidth on expensive international links and backhaul traffic, while
improving the end-user Web experience.
Blue Coat PacketShaper: Delivers integrated visibility, control, and compression capabilities in
a single appliance. With PacketShaper, you can identify all of the applications on the network
and monitor response times and utilization at the application level. In addition, PacketShaper
optimizes performance with granular quality-of-service traffic controls as well as
application-specific compression techniques that increase WAN capacity.
Slide 1-2: Blue Coat products
Blue Coat Director: Provides centralized policy, configuration, and device management of
Blue Coat appliances across any distributed enterprise. From a single, easy-to-use Web
interface, administrators can deploy hundreds of appliances, monitor, and enforce security
policies and respond to emergencies with the click of a button. Director can automate the
deployment of remote Blue Coat appliances during rollout, allowing these appliances to be
pre-configured and shipped to remote locations for fast installation.
Blue Coat Data Loss Prevention (DLP): Detects and blocks potential data leaks quickly and
accurately while achieving industry and regulatory compliance and risk mitigation objectives.
Blue Coat DLP helps you maintain comprehensive security policies with minimal
management overhead.
Software-based Products
Blue Coat IntelligenceCenter: Delivers a unified approach to managing application
performance within distributed branch networks. By leveraging Blue Coat's unparalleled
visibility, IntelligenceCenter provides powerful application performance monitoring and
helps enforce policies that govern application behavior.
Blue Coat PolicyCenter: Centrally manages the configuration, policy management, software
distribution, and adaptive response tracking of multi-unit deployments. PolicyCenter ensures
that application performance and bandwidth utilization stay aligned with the changing
demands of your business, whether for several appliances located at one site or thousands of
appliances distributed globally.
Blue Coat Reporter: Provides comprehensive, identity-based reporting on Web
communications, enabling enterprises to evaluate Web policies and manage network
resources with greater ease, efficiency, and effectiveness. Reporter enables you to see all
Web-based user activities on your network by providing detailed logs that capture the latest
data. Report data includes Web usage patterns, application access summaries, blocked sites,
sites accessed by category, time of day, length of time and more. You can also evaluate security
risks and block network infiltration through IM and P2P usage.
Blue Coat WebFilter: Helps enterprises and service providers prevent Internet attacks from
spyware, phishing, P2P traffic, viral content and more. To ensure accuracy, each site in the
WebFilter database is classified into multiple categories. This allows WebFilter customers to
define any number of categories to fit their specific filtering requirements. Each WebFilter
license includes patented technology that can instantly categorize websites when a user
attempts to access them. WebFilter supports more than 50 languages and more than 80
categories. WebFilter is part of Blue Coat WebPulse, the cloud-computing service that unites
Blue Coat Web gateways and remote users into a computing grid to detect malware, rate new
Web content, and analyze site reputations. It uses multiple threat engines, machine analysis,
Web hunters, and human raters to ensure quality ratings.
Blue Coat Cloud Service: Enables organizations to provide complete Web protection without
updating appliances, servers, or user desktops. This Internet-delivered security service offers
real-time protection against Web-borne threats by leveraging Blue Coat's proven security
technology as well as the WebPulse cloud community of more than 75 million users.
Blue Coat ProxyClient: Helps deliver a headquarters work experience to all employees
wherever they are. By accelerating secure applications throughout the enterprise, ProxyClient
enhances business productivity and drives efficiency across the organization. In addition, you
can define which applications to accelerate and which to block based on security and
bandwidth requirements. ProxyClient is administered using the ProxySG for easy
provisioning, configuration, and maintenance. ProxyClient also can be distributed to user
computers using standard software provisioning services to reduce demand on IT resources.
To enhance network security, ProxyClient has a real-time relationship to WebPulse.
Blue Coat K9 Web Protection: Filters content for the home, using the same dynamic
categorization technology as WebFilter. The application works with any Internet service
provider and any Web browser. K9 Web Protection, free for home users, is available at
http://www.getk9.com.
Slide 1-3: ProxySG
The ProxySG provides enterprises the ability to secure, control, and enhance the performance of
their networks. Because of its ability to secure Web communications and accelerate the delivery of
critical business applications, the ProxySG is well-suited for large, distributed environments and is
available in a wide range of sizes and configurations.
Benefits of the ProxySG include:
Security: Administrators can use ProxySG appliances to filter Web content, inspect encrypted
SSL traffic, guard against spyware and other malware, and control instant messaging,
peer-to-peer, voice over IP and streaming traffic.
Control: Blue Coat's patented Policy Processing Engine and integrated caching technology
enable administrators to create and enforce granular policies. Policies can be created through
the command line interface or through the graphical Visual Policy Manager.
Performance: Blue Coat's acceleration technology optimizes performance and delivery of
critical applications (hosted internally or externally) to all users across the distributed
enterprise.
The ProxySG provides complete proxy protocol support for HTTP, HTTPS, FTP, SOCKS, Telnet,
instant messaging (AIM, Windows Live Messenger, Yahoo!), DNS, and streaming media (Real
Media, QuickTime, and Windows Media).
The ProxySG typically is deployed at different places in the enterprise:
At the Internet gateway: The ProxySG protects internal users and networks from spyware,
phishing attacks, inappropriate Web use, and potential legal liability. At the same time, it
actually improves Web performance.
At the edge of an organization's application delivery infrastructure: The ProxySG controls the
acceleration of critical business applications, including file services, rich media applications,
and email.
Slide 1-3 figure: ProxySG. WAN optimization: accelerate applications and data to remote users; lower operational costs by reducing WAN usage; enable remote offices to connect directly to the Internet without backhauling to headquarters; minimize external IT threats by securing remote and traveling users. Secure Web Gateway: prevent malware and unauthorized applications from compromising security; establish security checkpoints at multiple sites across the distributed enterprise; application security and application acceleration for all Web content; optional FIPS mode operation.
ProxySG technology is available in two forms:
Physical appliance: Rack-mountable for simple installation and management, the appliance is
available in a wide range of sizes and configurations appropriate for remote or branch offices,
Internet gateways, data centers, and global service providers.
Virtual appliance: Virtualization allows you to take advantage of today's powerful server
hardware and mix applications and operating systems according to your business needs. The
ProxySG VA supports the WAN optimization functions of the ProxySG and is sized for remote
and branch offices.
SGOS supports Federal Information Processing Standards (FIPS) mode. When a properly signed
image of SGOS has been installed on a supported model of the ProxySG and FIPS mode has been
enabled, the appliance acts in accordance with the requirements of FIPS 140-2, Security
Requirements for Cryptographic Modules. The FIPS 140-2 certificate for SGOS is valid only when
the appliance is being operated in FIPS mode. FIPS mode affects a wide variety of ProxySG
subsystems and is not available in all possible ProxySG configurations; these numerous details are
beyond the scope of this course.
Slide 1-4: WebFilter and WebPulse
WebFilter is a powerful, on-proxy Web filtering solution that helps organizations protect their
networks from inappropriate Web content and such threats as spyware and phishing attacks.
There are two main approaches to content filtering. One tries to categorize websites by looking for
key words in the HTML pages that users request. This approach has two severe limitations: lack of
scalability and lack of accuracy. The other approach relies on teams of researchers who categorize
content and regularly update databases of sites organized by category. The major limitations of
this approach are the lack of flexibility and the inability to adapt to specific content.
WebFilter uses a hybrid approach and provides a static list with its on-box database.
Administrators can write policy to allow or deny access to resources based on the information in
the database. Also, WebFilter offers optional remote dynamic categorization, which sends requests
to a server if the resource is not in the local WebFilter database.
Quality of filtering results is a key advantage of WebFilter. It supports more than 50 languages
including Chinese, Japanese, and Arabic and provides more than 60 categories to allow a high
degree of control in writing policy. The application is consistent in its categorization of resources
and gives top priority to categorizing resources that are requested most frequently.
WebFilter is part of WebPulse, the Blue Coat cloud computing service. WebPulse analyzes more
than a billion requests per week, completely driven by user-requested websites. The WebPulse
cloud service unites Blue Coat Web gateways and remote users into a computing grid to detect
malware, rate new Web content, and analyze site reputations. As a cloud service, it uses multiple
threat engines, machine analysis, Web hunters, and human raters to ensure quality ratings. These
defenses together would not be practical or affordable for a single enterprise; however, when
provided as a cloud service, they are cost-effective to an organization of any size. All WebPulse
ratings feed into the WebFilter database.
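The hybrid lookup and policy evaluation described above, as an added illustrative model (not Blue Coat code): the local database is consulted first, a remote dynamic rater is called only on a local miss, and ordered allow/deny rules are applied to the resulting category set. The database entries, category names, hostnames, the stand-in rater, and the in-memory cache of remote ratings are all constructed assumptions.

```python
# Illustrative model of WebFilter-style hybrid categorization. This is an
# added educational example, not Blue Coat code; all entries are constructed.
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Categories = FrozenSet[str]

# Constructed local (on-box) database keyed by domain. A site may carry
# several categories at once, as the text notes for the WebFilter database.
LOCAL_DB: Dict[str, Categories] = {
    "news.example": frozenset({"News/Media"}),
    "video.example": frozenset({"Entertainment", "Streaming Media"}),
    "mail.example": frozenset({"Web E-mail"}),
    "badsite.example": frozenset({"Malware", "Suspicious"}),
}

UNRATED = "none"  # label used when neither local nor remote lookup has a rating


def local_lookup(host: str, db: Dict[str, Categories] = LOCAL_DB) -> Optional[Categories]:
    """Walk the hostname from most to least specific so that a rating for
    'video.example' also covers 'cdn.video.example'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in db:
            return db[candidate]
    return None


def categorize(host: str,
               dynamic: Optional[Callable[[str], Optional[Categories]]] = None,
               cache: Optional[Dict[str, Categories]] = None) -> Categories:
    """Local database first; on a miss, ask the remote dynamic rater if one is
    configured. A successful remote rating is remembered in 'cache'
    (assumption: a simple dict stands in for ratings feeding the local database).
    If no rating is available anywhere, the site is reported as unrated."""
    found = local_lookup(host)
    if found is not None:
        return found
    if cache is not None and host in cache:
        return cache[host]
    if dynamic is not None:
        rated = dynamic(host)
        if rated:
            if cache is not None:
                cache[host] = rated
            return rated
    return frozenset({UNRATED})


# A policy rule pairs the categories it matches with a verdict. Rules are
# evaluated in order and the first match decides, so a deny for Malware placed
# before an allow for Web E-mail still blocks a site rated as both.
Rule = Tuple[Categories, str]

POLICY: List[Rule] = [
    (frozenset({"Malware", "Suspicious"}), "deny"),
    (frozenset({"Streaming Media"}), "deny"),
    (frozenset({"News/Media", "Web E-mail", "Entertainment", "Blogs/Personal Pages"}), "allow"),
    (frozenset({UNRATED}), "deny"),  # assumption: unrated sites are denied
]


def decide(host: str, policy: List[Rule] = POLICY,
           dynamic: Optional[Callable[[str], Optional[Categories]]] = None,
           cache: Optional[Dict[str, Categories]] = None) -> Tuple[str, Categories]:
    """Return (verdict, categories) for a requested host."""
    cats = categorize(host, dynamic, cache)
    for match_cats, verdict in policy:
        if cats & match_cats:
            return verdict, cats
    return "deny", cats  # assumption: default deny when no rule matches


def fake_dynamic_rater(host: str) -> Optional[Categories]:
    """Constructed stand-in for the remote dynamic categorization service."""
    known = {"newblog.example": frozenset({"Blogs/Personal Pages"})}
    return known.get(host)


if __name__ == "__main__":
    remembered: Dict[str, Categories] = {}
    for h in ("news.example", "cdn.video.example", "badsite.example",
              "unknown.example", "newblog.example"):
        print(h, decide(h, dynamic=fake_dynamic_rater, cache=remembered))
```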
Slide 1-4 figure: WebFilter and WebPulse. Components shown: WebFilter local database, ProxyClient, K9 Web Protection, and the WebPulse cloud service.
The Web Security Module of the Blue Coat Cloud Service provides market-leading Web protection
to organizations of all sizes without updating appliances, servers, or user desktops. The Web
Security Module is an Internet-delivered service that leverages Blue Coat's proven technology and
collaborative, cloud-based community of more than 75 million users to ensure real-time protection
against known and unknown web-borne threats. With extensive Web application controls and
detailed reporting features, the Web Security Module enables administrators to create and enforce
granular policies that are instantly applied to all covered users, including fixed locations and
roaming users.
The Cloud Service is built to ensure flexibility and instant interoperability with existing network
infrastructures. A simple configuration change to firewall, router, or proxy solution allows
administrators to instantly protect and enforce Internet use policies for all users connected behind
the device. An optional lightweight desktop agent ensures that roaming users are protected
regardless of their location.
Slide 1-5: Blue Coat Cloud Service (Web Security Module)
Features include:
Market-leading Web threat protection and control:
Sophisticated Web intelligence and inline malware scanning.
Identify and categorize new Web content in real time with greater than 99% accuracy.
Manage Web 2.0 applications with granular controls.
Reduced cost and complexity:
No up-front costs; pay as you go.
Integrates seamlessly with existing network infrastructure.
Less downtime, higher user productivity.
Service architecture provides infinite scalability.
Easy to configure and manage:
Quickly enforce policies for network access and use.
Instantly report on Web threats and user activity.
Support cloud-only or hybrid deployment models.
Transparent integration with Microsoft Active Directory.
Built on the robust, scalable WebPulse infrastructure:
Deployed globally on a purpose-built, multitenant architecture.
More than 75 million users regularly access the service.
In production for more than six years.
Backed by a guaranteed 99.999% uptime service level agreement.
Slide 1-6 figure: PacketShaper. Classification: application-intelligent traffic classification. Monitoring: discovers applications on the network. Shaping: ensures QoS for mission-critical applications.
Slide 1-6: PacketShaper
PacketShaper maximizes application throughput across your existing network infrastructure. Get
more done in less time with fewer performance-related complaints and a higher quality of service
(QoS) for all networked users. Consolidating servers from remote sites to centralized data centers
makes sense, yet the additional traffic loads require accurate classification, monitoring, and
shaping before any benefits can be realized. PacketShaper identifies and controls common traffic,
including CIFS, VoIP, CRM, Web and P2P.
IP telephony (IPT) and voice/video over IP implementation varies between an enterprise and its
employees, impacting each network differently. Successful deployment hinges on guaranteed
bandwidth and QoS, as well as fitting more calls into a limited WAN resource. PacketShaper
effectively manages critical IPT protocols, delivering WAN capacity and true QoS functionality to
ensure the highest quality end-to-end communication for each call.
Multi-Protocol Label Switching and IP VPNs are useful for connecting distributed locations, but
benefits cannot be realized if applications are oversubscribed, traffic stalls in bottlenecks, and
critical applications are improperly assigned to best-effort classes. PacketShaper makes good on
the MPLS promise, assessing performance and identifying and marking application traffic with
special handling needs so traffic can move smoothly to the enterprise edge.
Internal threats from worm infections, unsanctioned recreational traffic, and rogue servers can
severely impact network capacity and bring down critical applications. PacketShaper helps
identify infected PCs and unsanctioned traffic as well as protect performance of key applications
and the network during an attack, all while delivering hard return on investment from
bandwidth savings, increased WAN capacity, and accelerated application performance.
Slide 1-7 figure: PacketShaper. The figure contrasts a branch office router link without shaping, where recreational and bandwidth-hungry applications compete for the link, with the same link with a PacketShaper placed in front of the router.
Slide 1-7: PacketShaper
PacketShaper is a complete performance solution, incorporating monitoring features plus control
features to correct and prevent problems. PacketShaper protects critical applications, limits the
impact of recreational and unsanctioned traffic, paces bursty business applications, and provisions
bandwidth on a per-application, per-user, or per-session basis to maximize throughput and
control application performance. It also provides TCP rate control, suppresses denial-of-service
attacks, and can mark packets for uniform treatment throughout a heterogeneous network.
The most common topological locations for PacketShaper are:
Core site's WAN link: Connects a core site to branches across a corporate WAN.
Core site's Internet link: Connects a core site to branches across a VPN and/or is simply a link
to the Internet.
Distributed branch sites' WAN/Internet links: Connect branches to elsewhere.
PacketShaper goes beyond providing visibility into application and network behavior.
Acceleration enhances application performance by creating greater throughput, faster
performance, and increased network capacity. PacketShaper's acceleration employs compression
to transfer data more quickly and enable more traffic to flow through constrained WAN links.
When bandwidth is freed, it becomes available to enhance the performance of applications that
are most critical to business. With PacketShaper's compression capabilities, you can:
Experience compression gains of up to 10 times without loss of quality or data.
Increase capacity and direct bandwidth gains to critical applications.
Ease congestion on a saturated WAN link.
Postpone or avoid bandwidth upgrades.
Eliminate the burden of having to define and maintain compression tunnels.
Customize compression techniques for individual applications.
Streamline repeated data, shrink transfer size, and/or reduce the number of packets.
Slide 1-8: CacheFlow
Through a scalable architecture of CacheFlow appliances, service providers can accelerate the
delivery of rich Web 2.0 content, large files, and video. This significantly reduces infrastructure
costs by controlling bandwidth consumption while improving customer satisfaction.
By caching content in-region and closer to the user, CacheFlow drastically reduces bandwidth
consumption. This translates into a rapid return on investment and significant long-term cost
savings for service providers on international bandwidth, as well as reducing backhaul traffic on
domestic links.
CacheFlow leverages CachePulse for automatic, network-based updates as the Web changes to
ensure the appliance effectively caches content and consistently delivers high bandwidth savings.
Customers can also provide direct feedback into the CachePulse community and share new or
emerging sites in their region that could benefit from caching.
Also, CacheFlow supports Blue Coat WebFilter and the WebPulse collaborative cloud defense to
filter and secure Web traffic.
Slide 1-8 figure: a CacheFlow appliance serving subscriber requests.
Slide 1-9 figure: ProxyAV. Powerful defense against viruses and worms, spyware and Trojans; supports secure ICAP; protects often-overlooked back doors: personal Web email accounts, Trojans or spyware, browser-based file downloads.
Slide 1-9: ProxyAV
The use of Web-based email and other Web-enabled applications can bring viruses and other
malware into the enterprise network, damaging systems and harming productivity. However,
traditional Web anti-virus gateways frequently lack the scalability and performance needed for
HTTP and FTP scanning, leaving an organization's desktops vulnerable.
The ProxyAV works with the ProxySG to provide the gateway anti-virus protection required by
Web-dependent enterprises. It enables organizations to scan for viruses, worms, spyware, and
Trojans entering through Web-based back doors, including:
Personal Web email accounts, where most viruses and worms propagate.
Web spam or email spam, which can activate Trojan downloads or hidden spyware.
Browser-based file downloads that bypass existing virus-scanning defenses.
The ProxyAV supports a range of virus scanning applications, including Kaspersky, Sophos,
McAfee, Panda, and Trend Micro.
Blue Coat offers several ProxyAV models, each designed to work in a different environment, from
branch offices to high-volume Web gateways, service providers, and enterprise needs.
Slide 1-10: ProxyAV deployment
The ProxyAV and the ProxySG work together to provide scalability for virus scanning along with
visibility and control of enterprise Web communications.
The ProxySG and the ProxyAV communicate using an enhanced and optimized version of the
Internet Content Adaptation Protocol. This enables superior performance, reliability, and
error/exception handling over software-based ICAP servers.
The ProxySG provides flexible and granular control of Web traffic and access; you can use Content
Policy Language or the ProxySG Management Console to create virus-scanning policy. The
ProxyAV provides high-performance anti-virus scanning of both cached and non-cached content
at wire speed.
The ProxyAV scans only Web objects forwarded from the ProxySG. The ProxyAV eliminates
redundant scanning of frequently downloaded objects with intelligent cache integration. If an
object has been scanned and cached, it is delivered without being scanned again. However, if the
object is not in the cache, it is scanned and then cached and delivered.
Virus updates to the ProxyAV are automated with definable schedules, and cached content is
automatically cleared with each update.
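The scan-cache behaviour described in the two paragraphs above, as an added illustrative model (not Blue Coat code and not real ICAP): the proxy hands each not-yet-scanned object to the scanner, caches only objects that came back clean, serves repeat requests for those without rescanning, and discards the cache when the definitions are updated. The definition patterns, object bodies, URLs, and the plain function call standing in for the ICAP exchange are constructed assumptions.

```python
# Illustrative model of the ProxySG/ProxyAV cache integration described in
# the text. Added educational example, not Blue Coat code; the "definitions",
# objects and URLs below are constructed, and a function call replaces ICAP.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed definition sets keyed by version so an update can be simulated.
DEFINITIONS: Dict[str, Set[bytes]] = {
    "v1": {b"EICAR-TEST"},
    "v2": {b"EICAR-TEST", b"DROPPER-PATTERN"},
}


@dataclass
class Scanner:
    """Stand-in for the ProxyAV: matches bytes against the current definitions."""
    version: str = "v1"
    scans: int = 0  # counts scans so a caller can see that cache hits avoid rescans

    def scan(self, body: bytes) -> str:
        self.scans += 1
        patterns = DEFINITIONS[self.version]
        return "infected" if any(p in body for p in patterns) else "clean"


@dataclass
class ScanningProxy:
    """Stand-in for the ProxySG side: forwards unscanned objects, caches clean ones."""
    scanner: Scanner
    cache: Dict[str, bytes] = field(default_factory=dict)  # holds clean objects only
    defs_seen: str = ""  # definition version the cache contents were scanned with

    def _key(self, url: str, body: bytes) -> str:
        # Key on URL plus content digest so a changed object at the same URL is
        # treated as a new object and scanned again rather than served stale.
        return url + ":" + hashlib.sha256(body).hexdigest()

    def _sync_definitions(self) -> None:
        # The text states that cached content is cleared with each definition
        # update; a version change therefore invalidates every cached verdict.
        if self.scanner.version != self.defs_seen:
            self.cache.clear()
            self.defs_seen = self.scanner.version

    def fetch(self, url: str, body: bytes) -> Tuple[str, bool]:
        """Return (outcome, served_from_cache). 'body' stands in for the origin
        server's response for 'url'."""
        self._sync_definitions()
        key = self._key(url, body)
        if key in self.cache:
            return "delivered", True  # scanned earlier, delivered without rescan
        verdict = self.scanner.scan(body)
        if verdict == "infected":
            return "blocked", False  # infected objects are never cached
        self.cache[key] = body
        return "delivered", False


if __name__ == "__main__":
    av = Scanner("v1")
    proxy = ScanningProxy(av)
    print(proxy.fetch("http://files.example/a", b"hello"))
    print(proxy.fetch("http://files.example/a", b"hello"), "scans:", av.scans)
    print(proxy.fetch("http://files.example/b", b"xx EICAR-TEST xx"))
    av.version = "v2"  # simulate a definition update
    print(proxy.fetch("http://files.example/a", b"hello"), "scans:", av.scans)
```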
Slide 1-10 figure: ProxyAV deployment. Content requests reach the ProxySG, which passes objects to the ProxyAV over ICAP; the figure distinguishes the clean-file path from the path taken if the object is infected.
Slide 1-11: Blue Coat DLP
The Blue Coat Data Loss Prevention (DLP) appliance leverages powerful discovery capabilities to
identify sensitive and unsecured information on your network before it gets into the wrong hands.
You can quickly and easily deploy and maintain enterprise-class data loss prevention as a separate
product or as part of an ADN.
Features of the Blue Coat DLP include:
Network, Web, and email DLP: Effectively secure sensitive data that might inappropriately
travel across the network through email, webmail or social networking and other Web 2.0
communication channels. Blue Coat DLP allows you to easily create policies that analyze the
data source, content, destination and more.
Inspection: To help reduce data manipulation resulting from intentional or accidental
tampering, Blue Coat DLP is file-format and language independent, double-byte capable, and
can inspect more than 600 document types, as well as archived and compressed files.
Discovery: Blue Coat DLP allows you to identify, catalog, and secure data on servers and in
databases across the network, all without installing or testing a local software agent.
Comprehensive discovery features let you fingerprint data, such as patient records, that
resides in your databases. By fingerprinting your critical data, you can easily trace content that
might be distributed in an unauthorized format, such as an email attachment or pasted into a
slide presentation.
SSL compliance: When deployed in conjunction with the ProxySG, Blue Coat DLP allows
organizations to monitor and control SSL traffic through the gateway to mitigate the potential
loss of sensitive information through secure Web transfers such as webmail, a common tool of
employee information theft.
Slide 1-11 figure: Blue Coat DLP, showing Web DLP and Network DLP covering email, database, and CMS sources.
Although the ProxySG graphical interface makes the appliance easy to manage, installing
configurations or updating policies on multiple appliances can be time-consuming, especially in a
distributed environment. Director centralizes those procedures, saving time and enabling
organizations to standardize configuration and policy. Management tasks, including backups
and updates of configurations, policies, and software licenses, can be performed immediately or
scheduled for one occasion or on a recurring basis.
Director, consisting of a ProxySG 510 chassis and a proprietary operating system, can
configure, manage, and monitor all of the ProxySG appliances in an organization. It can manage
up to 500 ProxySG appliances from any Windows computer with a Web browser. Director makes it
simple to configure and manage the multiple ProxySG appliances that ADN acceleration requires.
Using Director, administrators can perform a wide range of specific tasks for multiple ProxySG
appliances:
Configuration and policy management: Create and install standard configurations and
policies, customize appliance settings, back up and restore settings, distribute software
licenses, and schedule configuration and policy changes.
Resource and content management: Manage bandwidth to conserve resources; distribute
content, including frequently used files to ProxySG caches; limit access to Internet and
intranet resources.
Monitoring and planning: Monitor key hardware and software metrics of ProxySG appliances
remotely, create settings to issue alerts when certain changes occur, and use statistics to
evaluate and update network policies.
Slide 1-12: Director
Slide 1-13: Reporter
The ProxySG records data about every transaction that passes through it, creating comprehensive
access logs. An organization can use the data in access logs to analyze network activity; however,
extracting information from enormous log files can be a tedious and time-consuming task.
Reporter provides a solution. The application makes it easy to analyze log files from one or more
ProxySG appliances, enabling organizations to manage network resources more effectively.
Administrators use Reporter to create reports through a Web interface or a command line. They
can use one of more than 150 pre-defined reports or create their own custom reports to identify
violators of Web access policies, track user activity that could bring viruses and other hazardous
content into the network, and preserve network resources by identifying abuse patterns.
Reports can be executed immediately or scheduled to run, either once or on a recurring basis.
Reports can also be exported in HTML format in email or as Excel-compatible files.
Slide 114: IntelligenceCenter
IntelligenceCenter provides powerful application performance monitoring, and it more effectively
enables policies to enforce and optimize application behavior. Deployed with Blue Coat's
complete suite of WAN and application visibility and control tools, IntelligenceCenter ensures that
application performance meets expectations at all locations, anywhere that PacketShaper, iShaper,
PolicyCenter, switches, and routers are deployed across your network.
Flexible and customizable monitoring and reporting are available, and a set of programmable
interfaces allows extensions to the reporting and dashboard features.
IntelligenceCenter reports on Flow Detail Record (FDR), Measurement Engine (ME), and NetFlow
data to assist with detailed analysis and integration. FDRs provide traffic information such as
application used, flow origin and destination, flow size (in terms of packets and bytes), when the
flow was sent, flow utilization (throughput and efficiency), service type, ports, DSCP, VLAN, and
response-time measurement data.
These powerful features assist with:
Troubleshooting and forensics.
Comparing usage by application.
Monitoring individual application flows (such as VoIP, ERP, and Web services).
Reporting host activity by traffic class, application, and site.
Collecting top talkers, listeners, and host pairs data.
Tracking connections between local and remote networked devices.
Slide 115: PolicyCenter
PolicyCenter is a software management system that maintains multiple PacketShaper
configurations on a single Windows 2000 or Windows 2003 server. Because the configurations of
all the units on the network are stored in a single place, they can be managed very efficiently.
Multiple PacketShapers can be assigned to a single PolicyCenter configuration, allowing those
units to operate with nearly identical configurations. When you change a configuration, either
through PolicyCenter or through the browser or command line interface of an individual unit, the
change immediately affects all units assigned to that configuration. It is this capability of
PolicyCenter that truly provides the economy of scale: One single change to a PolicyCenter
configuration can result in an instant configuration update on up to 1,500 different PacketShapers.
PolicyCenter also allows you to:
Deploy policies and partitions across multiple PacketShapers.
Distribute PacketWise software upgrades, plug-ins, customer portal files, and adaptive
response action files.
View a status summary of all managed PacketShapers.
Monitor and manage the status of your unit and network with the adaptive response feature.
Slide 116: ProxyClient
As part of an Application Delivery Network, Blue Coat ProxyClient accelerates secure network
applications to remote users and branch offices. ProxyClient combines the acceleration features of
Blue Coat's acceleration technology with the network security provided by WebPulse. As a result,
ProxyClient can accelerate remote applications by up to 35 times and protect users wherever they
are, even on public networks.
Features and benefits of ProxyClient include:
Protecting remote users from malware and threats: ProxyClient leverages WebPulse, adding a
second layer of protection in addition to anti-virus software on the laptop.
Ensuring productivity on the road: ProxyClient minimizes lost user productivity from slow
networks, malware, and frivolous Web surfing with remote Web control and application
acceleration.
Accelerating remote performance: ProxyClient accelerates access and reduces bandwidth of
critical files, email, and business applications for all remote users. This enables users to work
from anywhere with an Internet connection, allowing them to be close to customers, partners,
or home.
Load balancing and failover: A disaster or appliance outage does not leave users
unproductive or unsafe. If ProxyClient can reach the enterprise network, it will fail over and
load balance automatically. If ProxyClient can reach the Internet, it can reach WebPulse for
control and security.
Location awareness: Administrators can enable or disable ProxyClient acceleration and Web
filtering based on the locations from which the client connects, improving efficiency and
making intelligent use of the ProxySG appliances in the network.
VPN transparency: ProxyClient can be deployed to VPN users without any changes to VPN
configuration.
ProxyClient is automatically and transparently updated to minimize ongoing administrative time
and resources. ProxyClient also delivers business-critical features for load balancing and failover.
On the desktop, ProxyClient starts automatically on system boot and includes a real-time statistics
display to monitor application performance.
ProxyClient complements ProxySG appliances by establishing distributed points of control to
accelerate business applications for remote workers. Deployed for mobile employees, workers in
small branch offices, or both, ProxyClient delivers the application acceleration and WAN
optimization features necessary to maximize remote worker productivity through accelerated
access to corporate resources and applications.
Slide 117: K9 Web Protection
K9 Web Protection is a content filtering solution for your home computer. Its job is to provide you
with a family-safe Internet experience, where you control the Internet content that enters your
home. K9 Web Protection implements the same enterprise-class Web filtering technology used by
Blue Coat's Fortune 500 customers around the world, wrapped in simple, friendly, and reliable
software for Windows, Mac OS, iPhone, iPad, and iPod.
If a user tries to go to a website that the Web filtering database has not seen before, it scans the
content of the site for inappropriate material, and then either permits or prohibits the site using
dynamic categorization. This provides real-time analysis and content categorization of requested
Web pages to solve the problem of new and previously unknown uncategorized URLs those
not in the database. When a user requests a URL that has not already been categorized by the
database (for example, a new website), the dynamic categorization service analyzes elements of
the requested content and assigns a category or categories. The dynamic service is consulted only
when the installed database does not contain category information for an object.
If the category returned by this service is blocked by policy, the offending material never enters the
network in any form. Dynamic analysis of content is performed on a remote network service.
You can download this free application from http://www.getk9.com.
K9 Web Protection is different from other solutions for the home in several important respects:
Service-based filtering: Blue Coat's filtering database operates as a service. It receives and
rates more than 80 million requests every day, making it the most accurate content filtering
database available. This accuracy is important in protecting your family, given the Internet's
rapid changes and growth. Plus, there is no database to download. K9 Web Protection will not
clog your Internet connection, get stale or out of date, or slow down your computer like other
products do.
WebPulse: Blue Coat's technology is vastly different from the old-fashioned keyword filtering
that is so frustrating to users. Using a method of cloud computing coupled with statistical
analysis and artificial intelligence to rate new or previously unrated Web pages, WebPulse can
determine the category of a URL on the fly without human intervention. However, WebPulse
only renders a rating when it is confident that it has reached an accurate conclusion.
Automatic updating: Automatic updates of the K9 Web Protection application ensure that you
are always protected by the latest features.
Efficient caching: Blue Coat is recognized worldwide as expert in high-performance caching
and secure proxy technology. Taking advantage of this expertise in K9 makes your Internet
experience fast, reliable, and safe.
Chapter 2: ProxySG Fundamentals
The basic technology behind proxy servers has been around for many years; a detailed definition
of a proxy server appears in the earliest RFC for the Hypertext Transfer Protocol (HTTP). A proxy
is defined in RFC 1945 as an intermediary program which acts as both a server and a client for the
purpose of making requests on behalf of other clients. Requests are serviced internally or by
passing them, with possible translation, on to other servers. A proxy must interpret and, if
necessary, rewrite a request message before forwarding it. Proxies are often used as client-side
portals through network firewalls and as helper applications for handling requests via protocols
not implemented by the user agent.
Proxies have expanded in features and functionalities to go above simple content caching and IP
address masquerading (also known as NAT, network address translation). In particular, the Blue
Coat ProxySG has grown from an advanced caching device to a complete security appliance and a
WAN acceleration engine.
This chapter describes high-level proxy functionalities and, in particular, ProxySG security and
content acceleration features.
Proxy technology and firewalls complement each other.
Traditionally, firewall technology is designed to protect the network from outside attackers; across
vendors, this technology is very mature, reliable, and very much a requirement for any network,
even the smallest ones (including home networks).
Networks face three major areas of concern that proxy servers are much better equipped to
handle:
Spyware, malware, trojans, and other HTTP response-borne threats.
Malicious internal users.
Slow performance due to protocols designed for LANs that perform poorly over lower-speed,
delay-prone WANs.
The ProxySG is powered by SGOS, a lightweight, purpose-built operating system designed to
deliver optimum performance and unsurpassed security in terms of both user-application
communications and administrative control. This functionality is complemented by powerful
management and reporting tools that make it fast and easy to deploy, configure, and administer
the ProxySG and other technology throughout the distributed enterprise.
The ProxySG is available in a broad range of configurations and is typically deployed in enterprise
branch offices, Internet gateways, end points, and data centers as well as in global service
provider organizations.
The appliances provide intelligent points of control to secure Web communications and accelerate
delivery of business applications. Just as important, Blue Coat gives IT organizations visibility and
very granular control over security and performance, so that policies can be set based on who,
what, where, when, and how users and applications communicate with each other.
After studying this chapter, you will understand:
How proxies differ from firewalls.
How proxies are used in secure gateway and WAN optimization deployments.
High-level features of the ProxySG.
Overview (slide): Proxy servers are designed to enhance security, control content, and increase
performance. Two roles for the proxy: secure gateway and WAN optimization.
Slide 21: Overview
At the perimeter of the enterprise network, firewalls block access to internal networks. But they
are not designed to provide visibility and granular control of all Web user communications in
order to create a productive, safe Web environment.
The solution is to use a proxy appliance such as the ProxySG, designed specifically to manage and
control user communications over the Web. The ProxySG does not replace existing perimeter
security devices; rather, it complements them by giving organizations the ability to control user
communications in a number of ways that firewalls and other devices cannot.
WAN optimization: The ProxySG brings acceleration techniques to all of an enterprises key
applications, including Web, secure Web, file services, email, and video. This enables
organizations to manage all of their user/application interactions to stop undesirable
applications, throttle less-important applications, differentiate users and groups, and
accelerate critical applications even when encrypted.
High-performance Web proxy: Scalable proxy appliance allows administrators to secure,
manage and control user access to Web information with accelerated performance.
Web content filtering and content controls: Integrated URL filtering enables network
operators to prevent users from accessing or viewing inappropriate content using company
resources, plus content stripping, replacement and controls when URL filtering is not enough.
Web virus scanning: The scan once, serve many model provides the real-time performance and
scalability required to effectively scan Web content.
Instant messaging control: Allows administrators to implement centralized management and
logging of AOL, Windows Live Messenger, and Yahoo! instant messaging communications.
Internet monitoring and reporting: Identity-based reporting and monitoring enables
organizations to evaluate Web policies and manage resources more effectively.
Spyware prevention and control: Provides high-performance spyware prevention at the
Internet gateway while allowing page views and legitimate applications.
Slide 22: Firewall limitations
Virtually every network (even a home office) is protected by a firewall. This diagram shows how a
firewall is effective in stopping an unwanted intruder from penetrating the network. The traffic
originating from the rogue machine on the Internet is immediately blocked when it reaches the
perimeter firewall of the network. You can configure the firewall to allow only selected traffic (for
instance, Web traffic) to selected destinations (such as a Web server in the DMZ).
But the nature of attacks has evolved. Hackers now exploit weaknesses in various protocols to
penetrate a secure network or grab data from internal workstations. As shown above, if a client
requests a legitimate object that has been compromised such as a Web page that contains
malicious JavaScript code the firewall most likely allows that connection because it appears to
be a valid HTTP request from an internal client.
The ProxySG operates at the application level (Layer 7 in the OSI model), so it can prevent
unwanted content from both being requested and being delivered to the client. For instance, in the
case of malicious code from a website, the content-filtering capabilities of the ProxySG can block
the client request. Additionally, it also can stop the response from the website and not deliver the
malicious code to the client.
For these reasons, the ProxySG is an essential component of your security architecture and a
powerful defense against spyware and malware.
Slide 23: Proxy layers of operation
All firewalls allow you to control the data link layer through the transport layer. All proxies allow
you to control the application layer for HTTP, FTP, and a few other protocols. Some firewalls
might also offer protocol inspection features, operating at the application layer. Controlling Layer
7 is computationally very expensive for a firewall (the technology was not designed around
protocol inspections); furthermore, even the firewalls that offer this feature do not have the
granularity of control offered by a proxy.
The ProxySG, unlike other proxies, controls the entire protocol stack and can operate all the way
from the data link layer to the application layer. In particular, the ProxySG can act as:
A Layer 2 switch, either by bridging multiple interfaces via software or using an optional
pass-through bridge card.
A router, by participating in the Routing Information Protocol or by acting as an IP forwarder
to the default gateway on the network.
An application accelerator, by optimizing TCP communication and protocol efficiency (HTTP,
FTP, CIFS, MAPI, and so on).
An advanced caching engine for protocols such as HTTP, FTP, CIFS, and MMS.
You can create policy based on IP addresses, TCP parameters, and advanced protocol features; for
instance, you can easily control which HTTP methods are allowed and which are not.
Slide 24: Gateway proxy
This diagram shows how a proxy is an intermediary program which acts as both a server and a
client, as defined in the HTTP 1.0 specification, RFC 1945. Also, it is clear why the term proxy
was chosen; according to Merriam-Websters Online Dictionary, it means the agency, function, or
office of a deputy who acts as a substitute for another.
In general, the client makes a request to the proxy. The destination MAC address and destination
IP address in the client request are those of the proxy (assuming that they are on the same subnet).
Because the proxy receives a request from the client and returns a response, it is acting as a server
for the client; however, the proxy needs to pass the request to the origin content server (OCS), thus
acting as a client.
When the proxy connects to the OCS, it sends its packets through the default gateway using its own
source MAC address and IP address. For the OCS, the proxy is the client, and the presence of the
actual client is practically unknown.
A client does not always connect explicitly to a proxy; instead, the proxy can be placed in a
location on the network where it can transparently intercept client requests. In this scenario, the
client is unaware of the presence of the proxy and believes that responses are coming from the OCS;
the OCS is unaware of the existence of the actual client issuing the request.
Slide 25: WAN acceleration proxy
The ProxySG can do much more than enhance the security of your network and optimize the
response time from servers on the Internet.
The ProxySG uses application management and tuning technologies that provide unrivaled
improvements in application performance and bandwidth utilization. Whether at the edge of your
network, or right in the heart of it, this technology provides a powerful toolkit for meeting any
application delivery challenge. Protocol optimization improves the performance of protocols that
are inefficient over the WAN through specific enhancements that make them more tolerant to the
higher latencies typically found there. Blue Coat has been optimizing network protocols for more
than a decade and offers multiple improvements for TCP, CIFS, HTTP, HTTPS, MAPI, and most
streaming video and IM protocols.
For example, tests conducted in production customer environments and Blue Coat labs show that
ProxySG appliances significantly improve the performance of Microsoft Office in real-world
scenarios. Using the ProxySG, the time needed to open, edit, and save a file in Microsoft Word,
PowerPoint, and Excel over a 256 Kbps WAN link with 110 milliseconds of latency improved by an
average of 59%, while the same test over a T1 WAN link with the same latency still showed
improvement of 50% during the first (cold) pass of the data set. Subsequent operations on the
same files consistently showed 99% improvement in response time for both links. The ProxySG
provides a critical performance improvement needed to make these applications usable over a
WAN link.
Slide 26: Proxy features
The ProxySG provides the capability to filter application-level traffic embedded in Web
communications, monitor Internet and intranet resource usage, and block specific Internet and
intranet resources for individuals or groups.
The ProxySG supports all popular Web protocols including instant messaging, HTTP, HTTPS, FTP,
SOCKS, Real Media, and Microsoft streaming. Additionally, the proxy supports TCP tunneling, a
solution to forward any application protocol running over TCP that does not provide native proxy
support. It provides deep inspection of all Web requests and responses by gathering complete
details on the transaction between users and servers. These details can then be used to implement
policies and produce reports on Web usage and communications.
For example, as shown in the above diagram, the ProxySG has the ability to:
1. Stop malicious traffic sent from a client.
2. Stop malicious traffic sent from an OCS.
3. Modify content sent between a client and the ProxySG.
4. Modify content sent between the ProxySG and an OCS.
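The four capabilities above correspond to two policy hook points in the transaction: one on the request, before any upstream connection is made, and one on the response, after the OCS has answered but before the client sees anything. The Python sketch below is an added example, not Blue Coat code or CPL; the category table, header names, blocked content types and the stand-in origin server are all constructed for the illustration.

```python
"""Request-side and response-side policy hooks, as a proxy applies them.

Added example (not from the course). The category table, header names and
the stand-in origin server are constructed for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Constructed URL-category table standing in for a filtering database lookup.
CATEGORIES = {
    "intranet.example.com": "intranet",
    "www.example.com": "business",
    "bad.example.net": "malware",
}


def categorize(url: str) -> str:
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return CATEGORIES.get(host, "uncategorized")


def request_policy(req: Request):
    """Request-side hook: evaluated before any upstream connection is opened,
    so a denied request never reaches the OCS. Returns (allowed, reason)."""
    if req.method not in ("GET", "POST", "HEAD"):
        return False, f"method {req.method} not allowed"
    if categorize(req.url) == "malware":
        return False, "destination categorized as malware"
    # Request-side modification: drop an internal header (constructed name)
    # so it does not leak to external servers.
    req.headers.pop("X-Internal-User", None)
    return True, "allowed"


def strip_scripts(html: bytes) -> bytes:
    """Remove <script>...</script> blocks; a crude stand-in for content stripping."""
    low, out, i = html.lower(), bytearray(), 0
    while True:
        start = low.find(b"<script", i)
        if start < 0:
            out += html[i:]
            return bytes(out)
        out += html[i:start]
        end = low.find(b"</script>", start)
        i = len(html) if end < 0 else end + len(b"</script>")


def response_policy(resp: Response) -> Response:
    """Response-side hook: the OCS has answered but the client has not seen
    the body yet, so the proxy can still replace or rewrite it."""
    ctype = resp.headers.get("Content-Type", "")
    if ctype.startswith("application/x-msdownload"):
        # Executable download: the client gets a 403, never the file bytes.
        return Response(403, {"Content-Type": "text/plain"}, b"blocked by policy")
    if ctype.startswith("text/html"):
        resp.body = strip_scripts(resp.body)
    resp.headers.pop("Server", None)  # hide the OCS software banner
    return resp


def proxy_transaction(req: Request, fetch) -> Response:
    """One transaction through both hooks. `fetch` stands in for the
    proxy-to-OCS connection and is only called if the request is allowed."""
    allowed, reason = request_policy(req)
    if not allowed:
        return Response(403, {"Content-Type": "text/plain"}, reason.encode())
    return response_policy(fetch(req))


def fake_origin(req: Request) -> Response:
    """Constructed OCS for the demo; a real proxy opens a TCP connection."""
    if req.url.endswith(".exe"):
        return Response(200, {"Content-Type": "application/x-msdownload",
                              "Server": "demo/1.0"}, b"MZ...")
    return Response(200, {"Content-Type": "text/html", "Server": "demo/1.0"},
                    b"<html><script>alert(1)</script><p>hi</p></html>")


if __name__ == "__main__":
    for m, u in [("GET", "http://www.example.com/"), ("GET", "http://bad.example.net/"),
                 ("DELETE", "http://www.example.com/x"), ("GET", "http://www.example.com/tool.exe")]:
        r = proxy_transaction(Request(m, u), fake_origin)
        print(m, u, "->", r.status, r.body[:40])
```

Note the ordering: a request denied at the first hook never produces an upstream connection, while the second hook can only act on what the OCS actually returned, which is why response-borne threats (item 2) need the proxy to hold the response rather than stream it straight to the client.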
The ProxySG Policy Processing Engine provides a comprehensive policy architecture across all
users, content types and applications, and security services. This framework allows a security
administrator to control Web protocols and Web communications across the entire enterprise.
Networking environments have become increasingly complex, with a variety of security and
access management issues. Enterprises also face challenges in configuring products to ensure that
the result supports written corporate policies. Authentication and authorization using policy
definitions on the ProxySG allow an administrator to manage Web access according to the
enterprises needs.
Blue Coat policies provide the administrator:
Fine-grained controls to manage behavior of the ProxySG.
Multiple policy decisions allowed for each request.
Multiple actions triggered by a particular condition.
Configurable bandwidth limits.
An authentication-aware proxy device, including user and group configurations.
Flexible user-defined conditions and actions.
Convenience of predefined common actions and header transformations.
Support for multiple authentication realms.
The ProxySG also can function as an intermediary between a Web client and a Web server
authenticating users from an enterprises existing security framework, such as LDAP, RADIUS,
certificates, NTLM, local lists, and other supported authentication services. The ProxySG either
challenges users when they attempt to access Web resources or transparently checks existing
authentication credentials.
Chapter 3: ProxySG Deployment
This chapter discusses various methods of how the Blue Coat ProxySG can be deployed in a
network environment. It describes the differences between explicit proxy and transparent proxy.
The following deployment options are discussed in detail:
Forward proxy.
Reverse proxy.
Configuring transparent proxy by:
Using the ProxySG as a bridge: Very common, simple to implement, and is best
practice for transparent implementations.
Using Web Cache Communication Protocol (WCCP): Preferred if you have a Cisco
router and require load balancing.
Using a Layer 4 switch: Recommended for high-availability networks.
Using the ProxySG as the default gateway: Useful for small implementations and
testing.
Configuring explicit proxy by:
Using Proxy Auto-Configuration (PAC) files: The recommended explicit solution for
most deployments; it scales well.
Manually adding proxy settings: Easy to use for special requirements and testing. Best
practice is to use hostnames instead of IP addresses.
Using Web proxy auto-discovery: Supported for customers who require this type of
configuration.
Because many enterprises are migrating from a core deployment to an edge deployment, this
chapter defines this topology and discusses its purpose, benefits, requirements, and best practices.
You will see why deploying a Blue Coat solution at each remote location enables you to maintain
control of the network by:
Enforcing content-filtering policies.
Controlling the content of selected Secure Sockets Layer (SSL) transactions.
Using bandwidth-management options to prioritize the use of Internet connections for
business-relevant applications.
Enabling edge-to-core compression between ProxySG appliances to optimize WAN traffic.
The deployment strategy that you implement can determine the availability of ProxySG features
and functionalities. More importantly, this decision determines how users are affected by the
proxy deployment.
For example, a transparent proxy deployment that uses a Layer 4 switch might appear to be an
elegant, scalable, and easy-to-maintain solution. However, initial setup cost can be prohibitive,
and consistent user authentication can prove challenging to implement. On the other hand,
deploying an explicit proxy using PAC files might appear more laborious to implement, but this
method does not require any additional equipment, and user authentication is easier to
implement, making it a consistently popular option.
After studying this chapter, you will understand:
What a proxy is, what it does, and how it can be deployed, particularly the ProxySG.
Why setting up an explicit proxy is the easiest, but not necessarily the most scalable, proxy
deployment.
Transparent redirection with WCCP and its load-balancing and traffic-segregation benefits.
The complexities of Layer 4 transparent redirection and its benefits compared to the simplicity
of an explicit proxy.
Slide 31: Deployment options
In a typical proxy deployment, there are usually a few factors that affect your deployment options.
The common concerns that shape a proxy deployment design are usually:
Client connection method: Client connection method can be either explicit or transparent.
Explicit proxying is the quickest and simplest proxy solution. However, this same simplicity
can be impractical if your network has many clients. Transparent proxy, on the other hand,
offers greater ease of administration and deployment as there is no configuration needed on
the client end. Transparent proxy means that the client is not aware that it is using a proxy. The
client does not have proxy settings in the browser or other applications. The client sends
requests to the server, and the transparent proxy intercepts this traffic.
Proxy role: A proxy can be deployed as a forward or reverse proxy. A forward proxy is used to
proxy LAN users requests to an external server on the Internet. While doing so, a proxy can
provide additional functionality such as caching, anti-virus scanning, and enforcing security
policies. A reverse proxy, however, is usually deployed in the DMZ. It is used to allow Internet
users to send requests to corporate-deployed Web servers. A reverse proxy server can
significantly improve the performance of serving Web content to Internet users. A reverse
proxy server also can serve as an additional layer of security to the publicly accessed Web
server.
Network deployment: There are different network deployment methods that an administrator
can choose to deploy a proxy server. The decision of network deployment option usually is
determined by the current network design. This is especially apparent if the proxy server is
deployed in a transparent manner. WCCP, for example, is most appropriate if there are Cisco
routers in the network, while the Layer 4 switch deployment mode makes sense if such a switch
is already installed.
Slide 32: Explicit proxy deployment
Deploying an explicit proxy is the least complex solution and generally does not require any
additional software or hardware. A simple packet capture can show whether a client is using an
explicit proxy. Clients using an explicit proxy format the GET request in a different way than
clients using a transparent proxy or no proxy at all.
When the browser does not have a proxy set, the standard GET request has formatting similar to
the following:
    GET / HTTP/1.1
    Host: www.bluecoat.com
When the browser is configured to use a proxy, the GET request includes the entire URL:
    GET http://www.bluecoat.com/ HTTP/1.1
    Host: www.bluecoat.com
In an explicit proxy request, the destination IP address of the client request is the IP address of the
proxy, and not the IP address of the end Web server. Upon receiving the requested URL from the
client, the proxy proceeds by requesting it from the end Web server. During this request, the
source IP address is the IP address of the ProxySG.
Slide 33: Explicit proxy
HTTP is an application protocol that relies on TCP as its transport protocol. A TCP three-way
handshake must take place to establish a connection before HTTP messages can be exchanged. A
TCP three-way handshake is typically performed in the following manner:
1. The client sends a SYN packet to a server to initiate the connection.
2. In response, the server replies with a SYN/ACK packet.
3. Finally, the client sends an ACK back to the server, and the connection is established.
The diagram above, however, shows two separate three-way handshakes taking place. This shows
that there are two separate connections on a single URL request: the first one from the client to the
proxy, and the second from the ProxySG to the external Web server.
The timeline shows that the ProxySG replies with the SYN/ACK to the client before receiving one
from the external Web server. This feature is known as early intercept in the ProxySG.
Slide 34: Transparent proxy
You can think of transparent proxying as the opposite of explicit proxying. The goal of transparent
proxying is to redirect all traffic to the ProxySG without requiring client knowledge of the proxy.
When you set up an explicit proxy, the client's user agent always knows that it is sending
connection requests to a proxy server. In a transparent proxy deployment, the client's user agent is
unaware that traffic is being redirected to a proxy and believes that it is talking to the remote
server directly, without intermediaries.
Unlike the explicit proxy scenario, you cannot tell whether a client request is going to be
transparently proxied by looking at a packet capture of that request on the client machine.
In a transparent proxy request, the destination IP address of the client request is the IP address of
the remote server, not the IP address of the proxy. When the ProxySG initiates a subsequent
request to the external Web server, the source IP address is the IP address of the ProxySG by
default unless configured otherwise to reflect client IP addresses.
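As an added illustration (not part of the course text), the following JavaScript parses a raw HTTP request and reports which of the two request forms shown above it carries: the absolute URL that a browser sends to an explicit proxy, or the path-only origin form that it sends to the server directly, which is the only form a transparent proxy ever sees. The sample requests are constructed; the Host-header comparison on absolute-form requests is an added sanity check, not something the course describes.

```javascript
// Constructed sample requests: the two forms contrasted in the text above.
const DIRECT_REQUEST = "GET / HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n";
const EXPLICIT_REQUEST = "GET http://www.bluecoat.com/ HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n";

// Parse the request line and headers of a raw HTTP/1.x request.
// form is "absolute" (explicit-proxy style), "origin" (direct / transparent)
// or "other" (e.g. a CONNECT authority-form target, which is not a URL).
function parseRequest(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const parts = lines[0].split(" ");
  if (parts.length !== 3) throw new Error("malformed request line: " + lines[0]);
  const [method, target, version] = parts;

  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }

  const req = { method, version, headers, form: "other", scheme: null,
                authority: target, path: null, hostMismatch: false };

  const abs = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)(.*)$/i.exec(target);
  if (abs) {
    // Absolute-form: the browser knows it is talking to a proxy and names
    // the destination in the request line itself.
    req.form = "absolute";
    req.scheme = abs[1].toLowerCase();
    req.authority = abs[2];
    req.path = abs[3] || "/";
    // A proxy routes on the URL authority; a Host header that disagrees with
    // it is an inconsistency worth logging (added check, see lead-in).
    req.hostMismatch = "host" in headers &&
      headers.host.toLowerCase() !== req.authority.toLowerCase();
  } else if (target.startsWith("/")) {
    // Origin-form: destination only in the Host header. From the client side
    // this looks identical whether or not it is transparently intercepted.
    req.form = "origin";
    req.authority = headers.host || null;
    req.path = target;
  }
  return req;
}

// One-line interpretation of a parsed request in the terms used by the course.
function deploymentHint(req) {
  if (req.form === "absolute") return "explicit proxy request for " + req.authority;
  if (req.form === "origin") return "direct or transparently proxied request for " + req.authority;
  return "unclassified request line (" + req.method + " " + req.authority + ")";
}

for (const raw of [DIRECT_REQUEST, EXPLICIT_REQUEST]) {
  console.log(deploymentHint(parseRequest(raw)));
}
```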
[Figure: Transparent Proxy. Client packet showing Client IP, Server IP and TCP data; Client, ProxySG and Server, with the ProxySG-to-server source address set to the ProxySG by default or to the client address when Reflect Client IP is enabled.]
[Figure: Forward Proxy. The proxy is on the same network as the clients: Internal Network, Forward Proxy, External Server.]
Slide 3-5: Forward proxy
A forward proxy is the most common form of a proxy server and is generally used to pass requests
from an internal network to the Internet through a firewall. By using a forward proxy, requests
from users in the internal network can be selectively allowed or denied by implementing
authentication.
If the request from the internal network was fulfilled earlier and the response is in the cache and is
considered fresh, a forward proxy serves the requested content directly from its cache. If the data
is in the cache but is outdated, the cache can validate the object via a Get-If-Modified-Since (GIMS)
message to the external server. If the requested content is not in the cache, then the forward proxy
acts on behalf of the client to request the content from the external server. When the external server
replies, the forward proxy can cache the content to expedite serving the same content in
subsequent requests.
A forward proxy also can perform advanced proxy features such as enforcing enterprise security
policy and anti-virus scanning.
[Figure: Reverse Proxy. The proxy is on the same network as the servers: External Client, Reverse Proxy, Internal Network.]
Slide 3-6: Reverse proxy
Unlike a forward proxy, which caches arbitrary content for clients, a reverse proxy serves specific
content on behalf of back-end servers. Reverse proxies are network servers or appliances that
typically reside in the DMZ between Web applications and the Internet.
The reverse proxy is effectively a trusted processor for Web servers, acting as a middleman
between users and the Web applications they access. A reverse proxy protects Web servers from
direct Internet access and off-loads from them computationally intensive processes to enhance
performance.
To the outside world, the reverse proxy is the Web server. For example, in the above diagram, all
requests going to the Web server are directed to the proxy, even though the actual content resides
on the back-end server. When content is requested, the proxy either serves the content from its
cache or gets the content from a back-end Web server. If the reverse proxy is accelerating several
different Web servers, the proxy (or Layer 4 switch) maintains Web-server mapping so that content
can be obtained from the correct server, thus achieving load balancing. In most instances, SSL
encryption is not done by the Web server itself, but by a reverse proxy that is equipped with
an SSL acceleration card.
Slide 3-7: Out-of-path deployment
In an out-of-path deployment, it is very difficult to achieve transparent interception and
redirection. Therefore, explicit proxy is a common choice in this deployment. In an explicit proxy
deployment, every client is configured to forward all traffic to the ProxySG. For example, you can
easily set your browser to send all HTTP requests to a proxy server. This figure shows the proxy
configuration screen for a Firefox client:
When the client has been configured, the client sends all HTTP requests over port 8080 to the
proxy with the hostname myproxysg. This method is straightforward; however, it is impractical
for most organizations (except the very smallest) because you have to manually configure the
browser on each client machine. Alternatively, an explicit proxy can be deployed by making use of
other advanced methods such as a PAC file or Web Proxy Auto Discovery protocol.
Manual configuration still can be useful for testing and debugging purposes.
[Figure: Out-of-path Deployment. Firefox Connection Settings dialog (Configure Proxies to Access the Internet): No proxy; Auto-detect proxy settings for this network; Manual proxy configuration with HTTP Proxy and Port fields and the option Use this proxy server for all protocols.]
Note: Malicious users can easily circumvent explicit proxy solutions.
Slide 3-8: ProxySG as a bridge
All models of the ProxySG can be configured to support bridging between interfaces. In addition,
most models have a pass-through card that allows hardware failover in case of a power outage,
other failures, and during startup. In recent ProxySG models, the behavior in a failure can be
configured in software. In redundant network design, the ProxySG can be configured to propagate
a link failure to another switch port so that other network devices can be aware of the failure.
Using the proxy as a bridge, the ProxySG is usually deployed between the core switch and the
edge router. Because all outgoing Web requests are forwarded from the switch to the router, the
ProxySG can be installed in the path. Bridging in such a strategic location in the network allows
the ProxySG to have full visibility of all Web requests. As a result, advanced proxy features and
granular security policies can be enforced.
It is not uncommon for the connection between the switch and router to be in a trunking mode. A
trunking mode is usually used to forward all VLAN-tagged packets between network appliances,
for example, switch to switch or switch to router. Therefore, the ProxySG has a default setting
configured to support trunking for switches that encapsulate using the 802.1Q trunking protocol.
[Figure: ProxySG as a Bridge.]
Note: The ProxySG does not support trunk connections using ISL protocol encapsulation
because ISL is a Cisco proprietary protocol. However, most Cisco equipment supports
the 802.1Q encapsulation protocol.
Slide 3-9: Using WCCP
Web Cache Communication Protocol is a content-routing technology that enables routers to
communicate with, and transparently redirect requests to, one or more Web caches. The purpose
of the interaction is to establish and maintain the transparent redirection of selected traffic types
flowing through a group of routers. WCCP version 2, the most widely used version, defines
mechanisms that allow one or more routers (enabled for transparent redirection) to discover,
verify, and advertise connectivity to one or more Web caches.
WCCP version 2 supports the redirection of traffic other than HTTP traffic through a traffic
segregation method called service groups.
WCCP is a good choice if your network is primarily made up of Cisco routers and switches.
However, to use WCCP version 2, your Cisco equipment must be running IOS version 12.03(T)
or later.
Note: IOS support for WCCP is tied to specific IOS images, not release numbers. If you plan
to use WCCP, verify that your specific IOS image supports WCCP.
[Figure: Using WCCP.]
Slide 3-10: Network with Layer 4 switch
In a transparent proxy deployment, the Layer 4 switch must be able to inspect all outbound traffic.
You can configure the switch to direct specific traffic to the ProxySG and to pass all other traffic to
the firewall (or other destinations). Traffic-routing decisions can be based on several parameters:
destination address, protocol, port, source address, or a combination of these.
Most Layer 4 switches also provide additional features such as advanced load balancing, URL
hashing, and advanced fault tolerance and redundancy.
The major obstacle to deploying and implementing Layer 4 switches often is cost. In the United
States, for example, such devices can cost more than $10,000 each.
[Figure: Network with Layer 4 Switch.]
Slide 3-11: ProxySG as default gateway
The ProxySG can act as a default gateway for clients. In this scenario, the ProxySG is capable of
routing any kind of traffic: UDP, TCP, NetBIOS, unicast, multicast, and so on. Under such
situations, the ProxySG can either terminate and process the traffic or forward the traffic to the
next hop.
If the destination TCP port matches the service that is set to intercept, then the packets are
processed. Otherwise, the packets are forwarded based on the destination MAC address and the
IP address in the packet.
For the ProxySG to act as a default gateway:
Clients must have their TCP/IP default gateway set to the IP address of the ProxySG.
IP forwarding must be enabled on the ProxySG. If IP forwarding is not enabled, then the
ProxySG rejects the packets.
Client IP address reflection must not be enabled on the ProxySG.
[Figure: ProxySG as Default Gateway.]
In an explicit deployment with a large number of clients, manually configuring the address of the
proxy server on every client can be complicated or impractical. A proxy auto-configuration file (PAC
file) simplifies this task by informing all the Web browsers of the addresses of the proxy servers
present in their environment.
A PAC file is reloaded every time a user launches a Web browser. Also, the administrator can
centrally manage the PAC file, and PAC files offer many useful features such as exceptions and
load balancing.
The PAC file defines how Web browsers can automatically choose the appropriate proxy server for
fetching a given URL. As shown in the above diagram:
1. Upon launching the Web browser on the client computer, the Web browser attempts to
retrieve the PAC file from a pre-configured URL in the client. The URL can be entered either
manually or automatically by implementing Microsoft Group Policy.
2. When the user requests a URL, the Web browser reads the PAC file to decide which proxy to
request it from. Upon identifying the proxy from the PAC file, the request is sent to the
respective proxy server.
3. The proxy server receiving the request subsequently relays the request to the external Web
server on the Internet.
PAC files can be hosted on the ProxySG or on a dedicated internal Web server. Two PAC files are
shipped with the ProxySG: a default PAC file that cannot be edited, and an accelerated PAC file that
you can edit to reflect your network's requirements.
For more information on PAC files and the ProxySG, refer to the knowledge base article "You want
help writing or editing a PAC file" at BlueTouch Online.
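A PAC file of the kind described above, added here as an illustration of the exceptions and load-balancing features the text mentions (it is not either of the two PAC files shipped with the ProxySG). The proxy names myproxysg and myproxysg2, the port 8080 taken from the out-of-path example, the internal domain example.corp and the 10.0.0.0/8 subnet are assumptions; the PAC helper functions are defined in the file so it can also be exercised in Node, outside a browser.

```javascript
// Constructed example PAC file (see lead-in for the assumed names).
//
// Browsers provide isPlainHostName, dnsDomainIs, shExpMatch and isInNet as
// PAC built-ins. Equivalent definitions are included so the file runs in
// Node as well; in a browser they shadow the built-ins with the same result,
// except that this isInNet only handles literal IP addresses (no DNS lookup).
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, shexp) {
  // Translate a shell glob (* and ?) into an anchored regular expression
  var re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

function dottedToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = (n << 8) | octet;
  }
  return n;
}

function isInNet(ipaddr, pattern, maskstr) {
  var ip = dottedToInt(ipaddr), net = dottedToInt(pattern), mask = dottedToInt(maskstr);
  if (ip === null || net === null || mask === null) return false;
  return (ip & mask) === (net & mask);
}

// Two explicit proxies on the port used in the out-of-path example.
var PROXIES = ["PROXY myproxysg:8080", "PROXY myproxysg2:8080"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Exceptions: internal and loopback destinations are fetched directly,
  // so intranet traffic never leaves via the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.corp") ||
      shExpMatch(host, "*.local") ||
      host === "localhost" ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Load balancing: a stable hash of the host spreads clients across the
  // proxies while keeping each site on one proxy, so its cached objects stay
  // warm. The remaining proxy is listed as failover. DIRECT is deliberately
  // not a fallback: a proxy outage must not silently bypass policy.
  var h = 0;
  for (var i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) >>> 0;
  var first = h % PROXIES.length;
  var order = [];
  for (var j = 0; j < PROXIES.length; j++) order.push(PROXIES[(first + j) % PROXIES.length]);
  return order.join("; ");
}

console.log(FindProxyForURL("http://www.bluecoat.com/", "www.bluecoat.com"));
console.log(FindProxyForURL("http://wiki.example.corp/", "wiki.example.corp"));
```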
[Figure: Proxy Auto-Configuration File.]
[Figure: ProxySG Editions. Feature comparison of the Proxy Edition and the MACH5 Edition: access logging, forwarding, policy controls, services, user authentication, content filtering, external services (ICAP, Websense), and instant messaging and peer-to-peer.]
Chapter 4: ProxySG Licensing
Slide 4-4: Mixed deployment
Both the MACH5 Edition and the Proxy Edition can be used individually or together to optimize
and secure any deployment.
In the deployment shown above, the enterprise is taking advantage of both the MACH5 Edition
and the Proxy Edition. Proxy Edition appliances have been placed at Internet gateways for
security and acceleration, while the two WAN links that are not directly connected to the Internet
are accelerated using the MACH5 Edition.
The branch office that uses a direct-to-net connection to the Internet is using the Proxy Edition at
its Internet gateway. However, because the other branch office has its Internet connection
backhauled through headquarters, it uses a MACH5 Edition appliance to accelerate its WAN link
only.
[Figure: Mixed Deployment. Branch offices with MACH5 Edition and Proxy Edition appliances.]
Slide 4-5: Register and license a ProxySG
After initial configuration, the ProxySG Management Console displays the license status as a link
in the upper right. Hovering over the license link displays information such as the expiration date
of a trial period. Click the link to go to the Maintenance > Licensing > View page.
Activating the licenses on a ProxySG is performed through BlueTouch Online and is a two-step
process:
1. Register the ProxySG with Blue Coat.
2. Retrieve and install the associated SGOS license. If this ProxySG has Internet access, go to
Maintenance > Licensing > Install in the Management Console and click Retrieve. If this
ProxySG does not have Internet access, access BlueTouch Online at http://support.bluecoat.com
from an Internet-connected workstation. You will be prompted to download a binary file; this file
must be manually applied to license the ProxySG. This license includes the SGOS base license
and any optional supplemental components such as SSL and RTMP support that you
purchased.
Step-by-step instructions for registering and licensing a ProxySG are available on the appliance. In
the Management Console, go to Maintenance > Licensing > Install and click Help. To get BlueTouch
Online access, go to Maintenance > Licensing > Install, click Register/Manage, and click the link next
to Need a BlueTouch Online User ID.
[Figure: Register and License a ProxySG. Admin, ProxySG, BlueTouch Online and license database: register the appliance, then retrieve the SGOS license.]
Slide 4-6: License expiration and limits
When the ProxySG is initially configured, all available features are activated during the trial
period, allowing use of all of the features of the ProxySG. However, if the MACH5 Edition was
purchased, the security features available during the trial period expire at the end of the trial and
become unavailable.
If a ProxySG base license expires, the appliance behaves in accordance with the default policy that
has been configured by the administrator. If the default policy is Allow (the factory default for
MACH5 Edition licenses), then all user requests bypass the ProxySG; if the default policy is Deny
(the factory default for Proxy Edition licenses), then all user requests are blocked and users are
notified (if possible) that the appliance's license has expired each time they issue a request.
In the Proxy Edition, the IM filtering and SSL licenses (if required for your model of ProxySG)
become unavailable at the end of the trial period unless a full license is added. When the trial
period ends, any operations requiring any expired components cease to function or function in a
limited capacity.
For example, a license is required to use the SSL functionality of the ProxySG 810 and ProxySG
9000 models. This license is activated during the trial period, and all features of the full SSL license
can be used. But when the trial period ends, depending on the policy created, different behaviors
occur:
If there is an SSL policy (and default policy is Allow to allow all connections that are not
otherwise processed by the policy), HTTPS proxy service is set to intercept, and there is no SSL
license or the SSL license has expired, then SSL traffic fails, and users get the following error:
Access Denied (license_expired).
If there is no SSL policy (and default policy is Allow), HTTPS proxy service is set to intercept,
and there is no SSL license or the SSL license has expired, then SSL traffic fails, and users get
the following error: Access Denied (license_expired).
If there is an SSL policy (and default policy is Allow or Deny), HTTPS proxy service is set to
bypass, and there is no SSL license or the SSL license has expired, then SSL traffic bypasses the
ProxySG, and requests are successful.
[Figure: License Expiration and Limits. License type and action on expiration: base license (included), depends on the ProxySG default policy; IM filtering (optional, user-added); SSL (varies by model), intercepted HTTPS connections are blocked; Flash streaming, intercepted RTMP connections are denied. User overflow: bypass new connections, queue new connections, or ignore the license limit (hardware appliances only).]
The SSL license is designed to take full advantage of the SSL card that is factory-installed in the
ProxySG. This license should be purchased for deployments handling large amounts of HTTPS
traffic on ProxySG models for which a separate SSL license is required.
For Flash streaming, if a license is expired or not installed, the RTMP proxy does not accept HTTP
handoffs from the HTTP proxy; RTMP traffic tunneled through the HTTP proxy using RTMPT is
handled entirely by the HTTP proxy. Also, if an RTMP proxy listener is set to intercept, those
connections are denied.
In addition to a license's expiration, each model of the ProxySG has a different user limit built into
it. This allows Blue Coat to align hardware capabilities for sizing purposes. The limit of the
ProxySG is dependent on the specific hardware; this cannot be changed based on the type of
license purchased. On the ProxySG, the user limit is counted using the number of unique client IP
addresses with open inbound TCP connections to the ProxySG, not the number of unique TCP
connections. For example, if a ProxySG is handling 20 users from different IP addresses, each
making 20 connections (for a total of 400 connections), it counts as 20, not 400.
When the number of users reaches the limit, a warning message is logged. The ProxySG takes
action based on the setting of the User Overflow Action parameter at Configuration > Proxy Settings
> General in the Management Console:
Do not enforce licensed user limit: The ProxySG performs as if the user limit had not been
exceeded. This option is available only on hardware ProxySG appliances; on the ProxySG VA,
user limits are enforced, and all connections exceeding the maximum are passed through the
ProxySG without processing.
Bypass connections from users over licensed limit: All connections exceeding the maximum
are passed through the ProxySG without processing.
Queue connections from users over licensed limit: All connections exceeding the maximum are
queued, waiting for another connection to drop off.
Listed below are all of the models of ProxySG currently available for purchase, along with the user
limits for deployments with and without an Application Delivery Network enabled.
Table 4-1: User limits for the ProxySG

Model              User limit (without ADN enabled)   User limit (with ADN enabled)
300-5              30                                 10
300-10             150                                50
300-25             unlimited                          unlimited
600-10             500                                100
600-20             1,000                              200
600-35             unlimited                          unlimited
810-5              2,500                              500
810-10             3,500                              700
810-20             5,000                              1,000
810-25             unlimited                          unlimited
9000 (all models)  unlimited                          unlimited
VA-5               not applicable                     10
VA-10              not applicable                     50
VA-15              not applicable                     125
VA-20              not applicable                     300
Important: For any device that is listed as unlimited, the maximum number of users that can
create connections is based only on the limitations of the hardware.
Chapter 5: ProxySG Initial Setup
After you have physically installed a new Blue Coat ProxySG, the next step is to configure the
operating software of the appliance so that it can begin filtering and optimizing network traffic.
This process involves making several key decisions about how the appliance will be deployed and
what it will be expected to do. This chapter describes the different methods that you can use to
initially configure a new ProxySG.
The most common configuration method involves connecting to the serial port of the ProxySG
and is the method that is presented in this chapter. While it also is possible to use a hardware
bridge or perform limited configuration via the front panel of the appliance (on those models that
have a front panel), these methods are less commonly used and do not offer the same
functionality.
After studying this chapter, you will understand:
How to configure a newly installed ProxySG.
How to select which edition of the SGOS operating system to use.
How to control access to the ProxySG.
Differences between standard and privileged mode on the ProxySG.
This chapter assumes that you already have physically installed your ProxySG. Also, this chapter
applies only to physical ProxySG appliances, not the ProxySG VA. For information on ProxySG
VA setup, refer to the ProxySG VA Initial Configuration Guide.
Slide 5-1: Access methods
Before a newly installed ProxySG can filter and optimize network traffic, it must be configured
with an IP address and other parameters. There are three methods that you can use to access the
ProxySG to perform this configuration.
Serial Console
The ProxySG has a serial port that you can use for initial configuration and for almost all other
tasks, including policy creation. The specifications for the serial port are 9,600 bits per second, 8
bits of data, 1 stop bit, no parity, and no flow control. The serial interface requires a null-modem
9-pin female-to-female serial cable (provided with the ProxySG).
To activate the serial console after physically connecting to the serial port, press the Enter key
three times, and select the Setup Console option. This launches the ProxySG configuration wizard.
Once you have assigned the IP address to the appliance, you can finish the configuration via the
graphical user interface at https://proxyIPaddr:8082, you can continue via the command line
interface (CLI) on the serial console, or you can use Blue Coat Director.
The CLI offers the ability to complete nearly all of the tasks you can perform in the graphical user
interface; however, it is not as intuitive. Only advanced users should rely on the CLI for tasks
other than initial configuration. Only two relevant commands are available solely under the CLI:
restore-defaults factory-defaults: Restores the ProxySG to the default
configuration. When you restore system defaults, the IP address, default gateway, and the
DNS server addresses are cleared. In addition, any lists (for example, forwarding or bypass)
are cleared. After restoring system defaults, you need to restore the basic network settings.
This command can only be executed when you access the CLI via the serial console.
reset-trial: This undocumented and hidden command allows you to start a new 60-day
trial period. You can use the command up to two times. If your trial expires, then you can reset
it by using this command from the CLI and then rebooting the ProxySG. The 60-day period
resets when the ProxySG is rebooted after issuing this command.
[Figure: Access Methods. Primary access method: serial cable (Admin). Other access methods: Ethernet (Client), Blue Coat Director, front panel.]
Other Access Methods
Front panel: This option, available for most models of the ProxySG, only allows you to
configure an IP address and perform other limited configuration tasks. After assigning the IP
address using the front panel, you must enter the CLI or launch the graphical user interface in
order to continue ProxySG configuration.
Director: After a ProxySG has been assigned an IP address, the appliance can be registered
with Director, where multiple appliances can be configured and managed from a central
location. You cannot use Director to assign an IP address to a ProxySG.
[Figure: Configuration Workflow Choices. In-path acceleration with the MACH5 Edition, SGOS 5.4 or later, manual configuration (not using Director) via the serial console: Blue Coat Sky interface. All other deployments: Management Console interface.]
Slide 5-2: Configuration workflow choices
When you power up the ProxySG, it transmits data to the serial console. Using terminal software,
you can watch the boot sequence. If the appliance is new, the first thing you see is the
configuration wizard. This wizard allows you to configure network parameters, an administrative
username and password, an access control list of clients that are allowed to manage the appliance,
and a password to protect access to the serial port. The wizard does not allow you to set any other
parameters, but you can enter CLI privileged mode to configure other settings.
The configuration workflow that you use to configure your ProxySG depends on the type of
deployment and the access method you use. You can use the in-path acceleration workflow if your
deployment meets all of these conditions:
The ProxySG is deployed in-path.
You are running the MACH5 Edition of version 5.4 or later of the SGOS operating system.
You are configuring the appliance manually, not with Director.
You are configuring via the serial console.
The configuration wizard asks you to supply configuration information specific to an in-path
acceleration deployment. Then, you can launch the Blue Coat Sky interface to immediately see
how the ProxySG is optimizing network traffic.
For all other deployments, the configuration wizard asks information not specifically related to
in-path acceleration. After that, you can use the Management Console interface to configure other
filtering and acceleration parameters.
Slide 5-3: Access control
You can control access to the ProxySG in several ways: by limiting physical access to the system,
by using passwords, by restricting the use of the console account, through per-user RSA public
key authentication, and with Blue Coat Content Policy Language. How secure the system needs to
be depends upon your environment.
You can limit access to the ProxySG by:
Restricting physical access to the system and by requiring a PIN to access the front panel.
Restricting the IP addresses that are permitted to access the appliance from the management
user interface.
Requiring a password to secure the serial console.
Disabling the built-in administrative account and enforcing the use of Active Directory or
LDAP accounts.
These methods are in addition to the restrictions placed on the console account (a console account
user password) and the enable password. By using every possible method (physically limiting
access, limiting workstation IP addresses, and using passwords), the ProxySG is very secure.
Requiring a PIN for the Front Panel
On ProxySG appliances that have a front panel display, you can create a four-digit PIN to protect
the system from unauthorized use. The PIN is hashed and stored. You can create a PIN only from
the command line interface. To create a front panel PIN after initial configuration:
#(config) security front-panel-pin PIN
where PIN is a four-digit number.
To clear the front-panel PIN:
#(config) security front-panel-pin 0000
This also means that you cannot use 0000 as your PIN.
[Figure: Access Control. Serial console password; access control list; LDAP and other realms.]
Limiting Workstation Access
During initial configuration, you have the option of preventing workstations with unauthorized
IP addresses from accessing the CLI and Web-based management interfaces. If this option is not
enabled, all workstations are allowed to access the CLI and Web-based management interfaces.
You also can add allowed workstations later to the access control list.
Securing the Serial Port
If you choose to secure the serial port, you must provide a Setup Console password that is
required to access the Setup Console in the future. Once the secure serial port is enabled, the Setup
Console password is required to access the Setup Console, and an authentication challenge
(username and password) is issued to access the CLI through the serial port.
To recover from a lost Setup Console password, you can:
Use the front panel display to either disable the secure serial port or enter a new Setup
Console password.
Use the CLI command restore-defaults factory-defaults to delete all system
settings.
Use the reset button (for models of the ProxySG with a reset button) to delete all system
settings.
Note: You should not secure the serial console password unless you have a real need to do
so. The serial console is your last resort when all other access methods are not
available or passwords are lost.
Using LDAP Accounts
You have the ability to disable the built-in administrative account and enforce the use of
directory-based accounts. This is an important option for accounting and auditing purposes. You
do not want to share the same administrative account among different users, and you do not want
to create and maintain additional accounts outside your directory.
The ProxySG allows you to use any realm that supports basic authentication credentials such as
Microsoft Active Directory, Novell eDirectory, or another Lightweight Directory Access Protocol
realm to validate users before they can access the graphical user interface or the CLI.
Note: The password for the CLI enable mode is the same as the user's password when you
are using a realm. You still need to know the enable password you configured at setup
if you are accessing the CLI via the serial console.
Slide 5-4: Command levels
CLI commands on the ProxySG are divided into those that can be issued while in standard mode
and enabled (privileged) mode. Most configuration settings are available in configuration mode,
which is a submenu of enable mode.
Enable Mode
Enable mode provides a set of commands to view, manage, and change ProxySG settings for
features such as log files, authentication, caching, DNS, HTTPS, packet capture filters, and
security. You can configure functionality such as the SSL proxy and HTTP compression. The
prompt changes from a greater-than sign (>) to a pound sign (#) to indicate that you are in enable
mode.
To enter enable mode from standard mode, use the enable command:
> enable
Enable Password:
When you type the enable password, it does not display.
For in-path acceleration deployments, the enable password is the same as the administrative
password that you specified during initial configuration. In all other deployments, separate
administrative and enable passwords are specified during initial configuration.
Configuration Mode
The configure command, available only in enable mode, allows you to configure ProxySG
settings from your current terminal session (configure terminal) or by loading a text file of
configuration settings from the network (configure network). The prompt changes from a
pound sign (#) to #(config) to indicate that you are in configuration mode. No additional
password is needed to enter configuration mode.
[Figure: Command Levels. Basic CLI, Blue Coat Sky and Management Console; enabled access: Visual Policy Manager, privileged CLI and configuration mode.]
Chapter 6: ProxySG Management Console
The Management Console is part of an easy-to-use software suite in the Blue Coat ProxySG. It is
the nerve center of the ProxySG. You can write policies to control users within a network,
authenticate users, report network activity, and create a productive and safe work environment.
You can also manage, configure, and upgrade the ProxySG from any location using the
Management Console.
The Management Console is a graphical user interface. The software suite also includes a
command line interface and Blue Coat Sky, an alternate graphical interface tailored for WAN
optimization configurations. Although you can use the CLI to perform tasks, the Management
Console is more user-friendly and time-saving. It has tabs, links, buttons, windows, and other
easy-to-use features to perform most configuration, management, and monitoring tasks. Blue Coat
Sky is discussed as part of separate training courses in WAN optimization deployments.
After studying this chapter, you will understand:
How the Management Console controls the ProxySG.
How to access, and control access to, the Management Console.
What information and functions are available from the Management Console.
Slide 6-1: Overview (user interface to CLI; generates the necessary commands to implement the task; divided into three functional tabs: Statistics, Configuration, Maintenance)
The Management Console helps you perform commands to configure, maintain, and monitor the
ProxySG. You can also gather a variety of monitoring statistics. The user interface generates the
necessary CLI commands to implement the selected task.
The Management Console is organized into three functional areas represented by the following
tabs:
Statistics: Monitors the status and the health of the ProxySG. You can gather statistics on system
usage, traffic history, IM, bandwidth management, resources, efficiency, and more.
Configuration: Sets up the ProxySG, creates objects and parameters used to manage policies,
and archives and restores configurations. This is the starting point for most of the tasks that
you perform on the ProxySG.
Maintenance: Keeps the ProxySG up to date. You can perform a number of maintenance tasks
including licensing components, monitoring appliance health, and upgrading or
downgrading the SGOS operating system on the ProxySG.
The Statistics, Configuration, and Maintenance tabs have individual menus that display on the left
side of the Management Console.
Slide 6-2: Web browser requirements (supports JRE version 1.5.0_15 or later; Java enabled; minimum resolution 1024x768; when in FIPS mode, a TLSv1 secured connection is required, which is enabled by default in JRE 1.6 and must be enabled in Internet Explorer v6 and earlier)
The Management Console consists of a set of Web pages and Java applets stored on the ProxySG.
The ProxySG acts as a Web server on the management port to serve these pages and applets. You
can access the Management Console securely over HTTPS on any client with a Web browser that
supports Java Runtime Environment version 1.5.0_15 or later. In the Web browser, enter the
address https://proxyIPaddr:port, where proxyIPaddr is the IP address you assigned to the ProxySG
during configuration and port is the port number of the HTTPS-Console service, which defaults to
8082 but can be changed. A port number is required.
A minimum display resolution of 1024x768 is recommended.
Management Console in FIPS Mode
When the ProxySG is operating in Federal Information Processing Standards (FIPS) mode, the
Management Console loads only over a Transport Layer Security (TLS) version 1 secured
connection. If your Web browser uses JRE version 1.5 or earlier, you must explicitly enable TLSv1.
JRE version 1.6 enables TLSv1 by default.
Microsoft Internet Explorer versions 6 and earlier do not have TLSv1 support enabled by default.
To enable it, select Enable TLS 1.0 in IE's advanced security options. Beginning in IE version 7, TLSv1
support is enabled by default.
FIPS mode is enabled and disabled only from the command line interface, not the Management
Console. When you enable or disable FIPS mode, the ProxySG reinitializes, reboots, and will be
out of service for up to several minutes. Use these commands:
# fips-mode enable
# fips-mode disable
When operating in FIPS mode, many functions of the ProxySG appear and behave differently. The
details of FIPS-mode operation are beyond the scope of this course. For more information on FIPS
mode, refer to the FIPS Upgrade Information chapter of the SGOS Upgrade/Downgrade Feature
Change Reference.
Slide 6-3: Authentication
Using the Management Console, an administrator can control the ProxySG. Access to the
Management Console and the command line interface can be restricted to a selected pool of IP
addresses and users.
1. You can access the Management Console from HTTPS and HTTP consoles. The default HTTPS
console (port 8082) is already enabled. The HTTP console (port 8081) is less secure than
HTTPS and is not enabled by default.
2. Only if your IP address is present in the access control list (ACL) or if the ACL is empty, the
ProxySG allows you to access the Management Console. The ACL is a list of selective IP
addresses or subnets that you can create in the Management Console from Configuration >
Authentication > Console Access > Console Access.
3. The ProxySG validates your credentials either against the Management Console accounts or
realm accounts. A realm is a named collection of information about users and groups. The
name is referenced in policy to control authentication and authorization of users for access to
ProxySG services. Multiple authentication realms can be used on a single ProxySG. Realm
services include IWA, LDAP, Local, and RADIUS.
4. The summary of the actions performed while accessing the Management Console and logged
events is stored in the event log. Information stored in the event log helps in troubleshooting
problems that the ProxySG might encounter. It also allows you to track who performed what
changes while configuring the ProxySG.
Valid credentials are required to access the Management Console. The username is the name of the
account you are using. The name must already exist; you cannot create it while logging in. You
also need to have the password for the username you are using. Once you have logged in, you do
not need to do so again until your session times out. You also can configure or disable a session
time-out period (the default is 15 minutes).
(Diagram: Authentication. The client opens the Management Console over HTTPS on port 8082 or HTTP on port 8081; credentials are checked against local MC accounts; actions are recorded in the event log.)
Note: If you get a host mismatch or an invalid certificate message when you access the
Management Console, re-create the security certificate used by the HTTPS console.
Slide 6-4: Authentication details
Authentication is the act of determining the credibility of a user. The ProxySG checks the
authenticity of a user in multiple ways before providing access. You need to have a username and
password; also, if the access control list is not empty, the browser's IP address should be present in
the ACL.
The above diagram explains the authentication process:
1. The client tries to directly connect to the ProxySG through port 8082. The client can connect
through port 8082. You can configure the Management Console to be accessible on any port.
2. The ProxySG sends a 401 response asking for user authentication (username and password).
3. The user enters the username and password.
4. The ProxySG checks for the IP address of the user in the ACL. At this point, it does not matter
whether the credentials are valid. It checks just the IP address.
5. If the ACL is enabled and there is a match for the user's IP address, the ProxySG goes on to
check the credentials. If the ACL is empty, then all users can access the ProxySG with their
credentials.
6. If the ProxySG fails to find a match for the user's IP address, then it returns a 401 response
demanding credentials.
7. If the credential check of the user is successful, the ProxySG grants access to the user.
8. If the credential check fails, the user receives another 401 response for authentication. The user
might not be aware of the exact reason for receiving the 401 response. It could be either for the
absence of the user's IP address in the ACL or for the invalid user credentials.
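As an added illustration that is not part of the course material, the following Python model walks through the decision order above: the ACL is checked first, then the credentials, and both failures produce the same 401 while the event-log line keeps the real reason. The ACL entries, the account table and all addresses are constructed sample values, not ProxySG configuration.

```python
# Added example: a model of the Management Console access decision described
# above. Nothing here is ProxySG code; the ACL, the account table and all
# addresses are constructed sample values.
import hmac
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed sample console ACL of addresses and subnets. An empty ACL means
# no address restriction, exactly as the text states.
CONSOLE_ACL = ["172.16.90.0/24", "10.1.1.5"]

# Constructed sample local Management Console accounts (placeholder secrets;
# a real appliance would never keep plaintext passwords).
LOCAL_ACCOUNTS: Dict[str, str] = {"admin": "placeholder-admin-pw"}


def acl_permits(client_ip: str, acl: Iterable[str]) -> bool:
    """Steps 4 and 5: an empty ACL permits every client; otherwise the client
    address must fall inside at least one listed address or subnet."""
    networks = [ipaddress.ip_network(entry, strict=False) for entry in acl]
    if not networks:
        return True
    address = ipaddress.ip_address(client_ip)
    return any(address in net for net in networks)


def credentials_valid(username: str, password: str,
                      accounts: Dict[str, str]) -> bool:
    """Step 7: the account must already exist (it cannot be created at login)
    and the password must match; compare_digest avoids a timing side channel."""
    expected = accounts.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def console_access(client_ip: str, username: str, password: str,
                   acl: Iterable[str] = CONSOLE_ACL,
                   accounts: Dict[str, str] = LOCAL_ACCOUNTS) -> Tuple[int, str]:
    """Return (HTTP status, event-log line).

    The ACL is evaluated before the credentials (step 4). Both failure paths
    return the same 401 (steps 6 and 8), so the client cannot tell whether the
    address or the credentials were rejected; only the log line says why.
    """
    if not acl_permits(client_ip, acl):
        return 401, f"denied user={username} ip={client_ip} reason=acl"
    if not credentials_valid(username, password, accounts):
        return 401, f"denied user={username} ip={client_ip} reason=credentials"
    return 200, f"granted user={username} ip={client_ip}"
```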
(Diagram: Authentication details. The client opens the Management Console; the ProxySG returns a 401 response; the client supplies a username and password.)
Slide 6-5: User interface to CLI (diagram: the client opens the Management Console and modifies the configuration; the Management Console issues the CLI commands necessary to perform the action against the registry)
The Management Console generates the CLI commands necessary to perform the actions you
request. As shown in the above diagram:
1. When you open the Management Console, the Java applet loads.
2. Every time you click on a new tab, the Management Console retrieves the information from
the registry. The registry is a storage of all ProxySG configuration data. The registry can be
viewed by entering the following address in your Web browser:
https://proxyIPaddr:8082/registry/show
3. You now can perform your changes in the configuration. Through the Management Console,
you can configure a wide range of settings. You can launch the Visual Policy Manager from
the Management Console, which helps you implement your organization's rules by creating
policies, performing maintenance tasks, and gathering information about system operations.
4. When you click Apply, the Management Console generates the CLI commands necessary to
complete the configuration. The updated configuration is stored in the ProxySG registry.
Slide 6-6: Managing concurrent access (diagram: Admin #1 accesses the registry first; Admin #2 accesses it while Admin #1 is still using the Management Console)
The Management Console allows multiple users to access it concurrently. As a result, you can
access the Management Console at the same time another user is using the Management Console.
Even as administrator #1 is modifying the ProxySG configuration through the Management Console,
administrator #2 can access the Management Console and also perform tasks.
The Management Console can accept modifications without any difficulties from multiple users if
the modifications happen in different parts of the registry. However, there is no protection if
multiple users try to change the same aspect of configuration concurrently. When two users try to
make the same changes in the configuration at the same time, the changes made by the user who is
the last to commit them are the ones that remain in the registry.
You can prevent this by restricting the number of users who are authorized to change the basic
settings in the configuration.
Slide 6-7: Management Console header
After you have logged in to the ProxySG, the Management Console header displays. It contains
several pieces of information about the ProxySG on which it is running:
1. The appliance name that can be configured by the administrator is displayed in the header
line, in the Web browser title bar, and in the computer's taskbar.
2. The model of this ProxySG.
3. The serial number of this ProxySG.
4. The version of the SGOS operating system currently running on this ProxySG.
5. Whether this version of SGOS is the Proxy Edition or the MACH5 Edition.
6. The license status of this ProxySG.
7. The current health status of this ProxySG.
Slide 6-8: Statistics tab
When you launch the Management Console, the Statistics tab displays a summary of network
traffic and applications, showing how the ProxySG is using its acceleration, optimization, policy
control, and caching techniques to improve the performance of traffic on your network. The page
refreshes about once every 60 seconds.
This tab gathers and displays information about system operations. Click an option in the left
navigation bar, and the browser displays the appropriate interface, which you can use to configure
a wide range of settings.
The Statistics > Summary > Efficiency tab (shown above), which is the default display, shows the
bandwidth gain achieved of up to the top five services during the past hour within your network
in the Savings panel, and the performance of each interface in the Interface Utilization panel. This
tab also displays the duplex settings for each interface and indicates whether the interface uses full
duplex or half duplex. If a duplex mismatch occurs when the interface is auto-negotiated and the
connection is set to half duplex, the display icon changes to a yellow warning triangle. If you see a
duplex mismatch, you can adjust the interface settings by going to Configuration > Network >
Adapters.
The Statistics > Summary > Device tab displays a snapshot of key system resources, identification
specifics, and the status of external devices that are connected to the ProxySG.
Other displays available from the Statistics tab include:
Traffic Mix: Displays traffic distribution and bandwidth statistics for traffic running through
the ProxySG. You can display statistics for proxy types or for services, and for various time
periods. The display refreshes whenever you switch views or change the duration of the
sample. If there is no activity, the data refreshes every 60 seconds.
Traffic History: Monitors the traffic statistics for all traffic running through the ProxySG. The
graphical data in the page also gives you details on the bandwidth usage, bandwidth gain,
client bytes and server bytes. Chart data updates automatically every 60 seconds.
ADN History: Displays WAN optimization performance, dictionary sizing, and adaptive
compression statistics.
Bandwidth Management: Displays the current class and total class statistics.
ProxyClient History: Displays bandwidth usage, the number of active clients, configurations
served, software served, and client version count for ProxyClient installations served from
this ProxySG.
Network: The Interface History page displays the traffic to and from each interface, including
virtual local area network (VLAN) traffic. This display can be useful in verifying that traffic is
being seen by the ProxySG.
ICAP: Graphically displays information on Internet Content Adaptation Protocol traffic over
time, including active requests, number of connections, completed requests, and number of
bytes. The display can be filtered to show any or all of plain, secure, deferred, and queued
requests. The display can show statistics by service or by service group.
Protocol Details: Provides statistics for the protocols serviced by the ProxySG. These statistics
complement the statistics in the Traffic History and Traffic Mix pages.
System: Displays resource statistics, content statistics, event logging statistics, and failover
statistics.
Sessions: Displays information on active and errored sessions.
Health Monitoring: Displays the current state of the health monitoring metrics. Health
monitoring uses key hardware and software metrics to provide administrators with a remote
view of the health of the system.
Health Check: Displays the state of various health checks: whether the health check is enabled
or disabled, if it is reporting the device or service to be healthy or sick, or if errors are being
reported.
Access Logging: Display the log tail, log size, and upload status of the access log.
Authentication: Displays information on user login by username or IP address.
Advanced: Enables you to view a variety of system statistics located in one place and
accessible with URLs that can be accessed independently of the Management Console.
The details of these displays are discussed in the relevant chapters of this and subsequent courses.
Slide 6-9: Configuration tab
The Configuration tab is the starting point for most of the operational tasks that you perform on the
ProxySG. You access this tab to change the configuration of the ProxySG and create objects and
parameters that you use in creating policies. Settings include:
General: Configure the name and serial number of the ProxySG, configure system time, and
archive configurations.
Network: Configure adapters and interface settings, software and hardware bridges, gateways,
routing tables, DNS servers, and IPv6 settings. Interface settings include the ability to assign
your own names to each interface.
ADN: Configure ProxySG appliances to improve application traffic over the WAN.
Services: Configure the proxy services available on the ProxySG, including CIFS, FTP, HTTP,
HTTPS, instant messaging, MAPI, SSL, SOCKS, streaming, and TCP tunnel.
ProxyClient: Configure the settings used to act as a ProxyClient server for mobile users.
SSL: Create keyrings, import and create certificates, check the validity of certificates, create an
SSL client.
Proxy Settings: Provide various services that can enhance different proxy settings, such as
CIFS, FTP, HTTP, IM, and MAPI.
Bandwidth Management: Control the amount of bandwidth used by different classes of
network traffic; set priority for bandwidth among different classes.
Authentication: Define authentication realms, including IWA, LDAP, RADIUS, and other
realms; set up forms-based authentication.
Content Filtering: Configure the ProxySG to use Blue Coat WebFilter or a third-party filter to
block access to websites based on their content.
Threat Protection: Manage the interaction between the ProxySG and the WebPulse cloud
computing service; configure a ProxyAV for off-board malware scanning.
External Services: Install an ICAP server or create a WebSense off-box service.
Forwarding: Set up forwarding, allowing you to define the hosts and groups of hosts to which
client requests can be redirected.
Health Checks: Configure health checks on (and the availability of) a forwarding host or
external server that is providing a service.
Access Logging: Enable the logging of traffic through the ProxySG, configure access log
settings, select an access log upload client, set an upload schedule.
Policy: Set the default proxy policy to deny or allow traffic, view and install policy files, access
the VPM to create new policy.
The details of these displays are discussed in the relevant chapters of this and subsequent courses.
Slide 6-10: Maintenance tab
The Maintenance tab allows you to perform many different maintenance tasks, including:
System and Disks: Restart the ProxySG, restore the system to its default settings, clear the
DNS, object, and byte caches.
Director Registration: Automatically register the ProxySG with a Blue Coat Director, enable
Director to establish a secure administrative session with the ProxySG.
Upgrade: Download an upgrade through the Internet and install it. You also can download it
to your PC and install it from there.
Licensing: View the status of software licenses, and license new features you have purchased.
Event Logging: Set up event logging: Specify the types of system events logged, the size of the
event log, and whether the appliance sends an email notification if a certain event is logged.
SNMP: Enable Simple Network Management Protocol (SNMP), which allows you to monitor
the ProxySG.
Health Monitoring: Configure the ProxySG health-monitoring features, such as setting
warnings for system performance and license expiration.
Core Images: Specify how much detail is logged to disk when the ProxySG is restarted.
Service Information: Send service information to Blue Coat. You can select the information to
send, send the information, view the status of current transactions, and cancel current
transactions. You also can send service information automatically in case of a crash.
Slide 6-11: Preview, revert, and apply
The Preview, Revert, and Apply buttons in the Management Console allow you to preview an
action, go back to the previous state, and commit changes to the registry. In the above example:
1. The administrator enables the Trust Destination IP setting.
2. The administrator clicks the Preview button.
3. The Preview window displays, listing the pending actions in the ProxySG. To see the CLI
commands for a pending action, double-click on the action.
4. The CLI commands corresponding to the Trust Destination IP setting are displayed. Click OK
in each window to return to the main Management Console window.
5. An asterisk (*) next to an item in the main menu indicates that there are pending changes.
To apply the changes that you have made in the Management Console, click Apply. The changes
are recorded in the registry.
To cancel pending changes, click Revert.
Important: Once you apply changes, you cannot revert them. You must undo any changes
by hand.
Slide 6-12: Sample CLI generation
In general, the Management Console issues only the CLI commands necessary to perform the task
you want. However, the Management Console acts differently when you enter a list in which the
order is relevant.
For instance, the ProxySG uses DNS (Domain Name Service, an Internet service that translates
domain names into IP addresses) servers in the order displayed. Servers are always contacted in
the order in which they appear in the list. The ProxySG contacts the primary server first. If it does
not receive a response from that server, then it contacts the secondary server. For example, if you
want to add a secondary DNS server in which the order is important, the Management Console
automatically issues the necessary CLI commands to correctly order the items in the list.
In the above example, 172.16.90.110 is the IP address of the existing DNS server in the primary
forwarding group, and an additional server at 4.2.2.2 is to be added.
1. Go to Configuration > Network > DNS > Groups.
2. Click on the primary line to select that group, and click Edit.
3. In the Edit DNS Forwarding Group window, click before the existing entry, and then enter the
new address, 4.2.2.2. Then, press the Enter key, and click OK.
4. To see the CLI commands that have been generated, click Preview, and then double-click on
the Begin DNS Settings in the Preview section.
5. The CLI add server command adds the new server to the end of the server list. In order to
move it to the top of list as shown in the Management Console, the CLI automatically
generates a promote command to move 4.2.2.2 to position 1 in the list.
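To make the ordering behaviour concrete, here is an added Python sketch (not Blue Coat code) of how a console can turn an edited, ordered server list into the add and promote steps the text describes. The rendering `add server <ip>` and `promote <ip> <position>` is an assumed simplification of the commands named above, not the exact SGOS syntax.

```python
# Added example: generating ordered-list commands the way the text describes.
# The command text ("add server", "promote") is an assumed simplification of
# what the Preview window shows, not the exact SGOS CLI syntax.
from typing import List, Tuple


def dns_group_commands(current: List[str],
                       desired: List[str]) -> Tuple[List[str], List[str]]:
    """Return (commands, resulting list) that turn `current` into `desired`.

    New servers are appended first, because "add server" always places an
    entry at the end of the list. Then, walking the desired order from
    position 1, any entry that is out of place is promoted to its position;
    earlier positions are never disturbed, so each entry moves at most once.
    Servers missing from `desired` are left alone: removal is not covered by
    the text and so is not modelled here.
    """
    commands: List[str] = []
    working = list(current)

    for server in desired:
        if server not in working:
            commands.append(f"add server {server}")
            working.append(server)

    for position, server in enumerate(desired, start=1):
        if working[position - 1] != server:
            working.remove(server)
            working.insert(position - 1, server)
            commands.append(f"promote {server} {position}")

    return commands, working


def example_from_slide() -> List[str]:
    """The slide's case: 172.16.90.110 exists and 4.2.2.2 is inserted before it,
    which needs one add followed by one promote to position 1."""
    commands, _ = dns_group_commands(["172.16.90.110"],
                                     ["4.2.2.2", "172.16.90.110"])
    return commands
```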
Slide 6-13: IPv6 support
Internet Protocol version 6 (IPv6) is a protocol designed to replace version 4 (IPv4), the currently
dominant protocol, to vastly expand the Internet's address space to accommodate the growth in
network-connected devices. The Secure Web Gateway functions of the ProxySG are supported
both in IPv4 and IPv6 networks. Support for IPv6 is enabled by default and requires minimal
IPv6-specific configuration.
In the Management Console and command line interface, IP addresses can be entered in either
IPv4 or IPv6 format and, where applicable, include a field for entering the prefix length (for IPv6
addresses) or subnet mask (for IPv4 addresses).
The following proxies have underlying protocols that support IPv6 and can communicate using
either IPv4 or IPv6: DNS, FTP, HTTP, HTTPS, SSL, TCP tunnel, and Telnet shell. These proxies are
discussed in the relevant chapters of this and other courses.
The ProxySG also offers functionality as an IPv4-to-IPv6 transition device. When an IPv6-enabled
ProxySG is deployed between IPv4 and IPv6 networks as shown in the above diagram, IPv4
clients can access resources and services that are available only in the IPv6 domain:
1. On the ProxySG, the HTTP proxy terminates the inbound HTTP request.
2. The ProxySG queries a DNS server.
3. The DNS server responds with the address of the IPv6 server.
4. The ProxySG makes an outbound IPv6 connection to the server, honoring the request from the
IPv4 client. The requested content is spliced from the IPv6 connection to the IPv4 connection
toward the client without the need to perform any type of translation.
Likewise, IPv6 clients can access IPv4 resources when an IPv6-enabled ProxySG is part of the
deployment. The ProxySG understands both IPv4 and IPv6 addresses, handles the DNS resolution
of IPv4 and IPv6, and provides multiple proxy services that work in an IPv6 environment.
In the Management Console, two global IPv6 configuration settings are available at Configuration
> Network > Advanced > IPV6:
(Diagram: IPv6 support. An IPv4 client reaches bluecoat.com through the ProxySG, which queries the DNS server and connects to the IPv6 server.)
To bypass all IPv6 traffic, select Enable IPv6 force-bypass. When this is selected, all IPv6 traffic
is bridged or routed.
To have the ProxySG route bypassed traffic, select Enable IPv6 forwarding. When this option is
disabled, the ProxySG discards bypassed traffic that is processed at Layer 3.
Both of these options are disabled by default.
IPv6 support on the ProxySG has these limitations:
The following proxies do not currently have IPv6 support: streaming via MMS, SOCKS,
instant messaging (AOL-IM, MSN-IM, Yahoo-IM), CIFS, and MAPI.
The ProxySG does not intercept link-local addresses in transparent mode because such a
deployment is not practical; transparent link-local addresses are bypassed.
IPv6 is not supported in a WCCP deployment.
A brief introduction to IPv6 concepts is included as an appendix to this book.
Chapter 7: Services
The Blue Coat ProxySG lets you configure which traffic is to be intercepted. Services define the
ports on which the ProxySG listens for incoming requests. Each service can be applied to all IP
addresses or limited to a specific set of addresses and port combinations.
A variety of settings can be defined for each service. The ProxySG ships with a number of
pre-defined services, you can create additional services as needed, and services can be arranged
into logical service groups.
Unless there is a service set to intercept that matches the destination TCP port and the IP
range for an incoming transaction, the connection is not terminated by the proxy. Depending on
the specific deployment mode, traffic that is not terminated is dropped or forwarded to the next
available hop but is not processed against existing policies.
After studying this chapter, you will understand:
The two types of services on the ProxySG.
Pre-defined proxy service groups and the types of services that are part of each group.
How traffic is intercepted and bypassed.
Settings that are used to control the behavior of services.
How management services facilitate administration of the ProxySG.
Slide 7-1: Two types of services (diagram: proxy services between client, ProxySG, and server; management services between administrators and the ProxySG)
The Management Console makes it easy to configure two types of services: proxy services and
management services. The ProxySG ships with a number of pre-defined services; additional services
can be added as needed.
Proxy services: These allow the ProxySG to communicate with other systems, such as clients,
servers, and other proxies. Proxy services define the ports and addresses where the ProxySG
listens for incoming requests. Each proxy service is associated with a proxy type. For example,
the pre-defined HTTPS proxy service is associated with the SSL proxy. A variety of settings for
each proxy service can be defined, depending on the proxy type.
Management services: These are used to administer the ProxySG. The ProxySG comes with
five consoles designed to manage communication with the system. Consoles are pre-defined
for HTTP, HTTPS, SNMP, and SSH. A Telnet console is available, but the service is not defined
by default.
Slide 7-2: Proxy service groups (table from slide)
Bypass Recommended: Cisco VPN, Oracle over SSL, Blue Coat ADN / WANop, Blue Coat management, other encrypted services.
Tunnel Recommended: Citrix, Lotus Notes, IMAP, LDAP, other business applications.
Default Action: any traffic not matching listeners on other services.
Custom Service Groups: services created by the administrator.
Services on the ProxySG are organized into service groups based on the type of traffic that each
service carries. You can edit the pre-defined service groups, and you can create custom groups.
The pre-defined service groups are:
Standard: These are the most commonly intercepted services.
Bypass Recommended: These services contain encrypted data and, therefore, probably cannot
benefit significantly from ADN optimization. This service group also includes other
interactive services.
Tunnel Recommended: These services use the TCP-Tunnel proxy to provide basic
application-independent acceleration.
Default Action: This detects any traffic that does not match other listeners on any other
services. It is essentially a global default bypass or intercept setting.
To list all of the services in a particular group in the Management Console, go to Configuration >
Services > Proxy Services. In the scrollable list of service groups, click on the name of a group to
expand it and list its services. The list of available services varies depending on whether your
ProxySG is running the MACH5 Edition or the Proxy Edition of the SGOS operating system.
You also can create custom service groups, which are listed alphabetically under the Custom
Service Groups section.
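Added example (not Blue Coat code): a small Python model of the listener match described at the start of this chapter and of the Default Action group that catches everything else. The service definitions, address ranges and the tie-break rule (most specific destination wins) are constructed assumptions of this model; the course text does not state how overlapping listeners are ordered.

```python
# Added example: modelling which service, if any, claims an incoming
# connection. Service definitions here are constructed samples; the
# "most specific destination wins" tie-break is an assumption of this model.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Listener:
    service: str
    port: int
    action: str                        # "intercept" or "bypass"
    destination: Optional[str] = None  # None means "all IP addresses"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        """A listener matches on destination port and, if set, address range."""
        if dst_port != self.port:
            return False
        if self.destination is None:
            return True
        net = ipaddress.ip_network(self.destination, strict=False)
        return ipaddress.ip_address(dst_ip) in net

    def specificity(self) -> int:
        """Longer prefix = more specific; 'all addresses' is least specific."""
        if self.destination is None:
            return -1
        return ipaddress.ip_network(self.destination, strict=False).prefixlen


# Constructed sample services, loosely following the pre-defined ones named
# in this chapter (the Internal HTTP ranges are the ones the text lists).
SAMPLE_SERVICES: List[Listener] = [
    Listener("External HTTP", 80, "intercept"),
    Listener("Internal HTTP", 80, "intercept", "10.0.0.0/8"),
    Listener("Internal HTTP", 80, "intercept", "192.168.0.0/16"),
    Listener("Internal HTTP", 80, "intercept", "172.16.0.0/12"),
    Listener("HTTPS", 443, "bypass"),
]


def service_decision(dst_ip: str, dst_port: int,
                     services: List[Listener] = SAMPLE_SERVICES,
                     default_action: str = "bypass") -> Tuple[str, str, bool]:
    """Return (service name, action, terminated_by_proxy).

    Only a matching listener set to intercept terminates the connection and
    subjects it to policy. Anything else falls through to the Default Action
    group; bypassed traffic is routed or bridged without policy evaluation,
    which is why the value chosen for the default deserves a deliberate look.
    """
    candidates = [s for s in services if s.matches(dst_ip, dst_port)]
    if not candidates:
        return "Default Action", default_action, default_action == "intercept"
    best = max(candidates, key=Listener.specificity)
    return best.service, best.action, best.action == "intercept"
```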
(Figure: Proxy service groups, showing the Standard group expanded: HTTP, HTTPS, Endpoint Mapper, CIFS, FTP, Streaming, DNS, Instant messaging, SOCKS)
Slide 7-3: Services and proxies
This table shows the pre-defined proxy services supported by the ProxySG and their
corresponding proxies.
Proxy services define the ports and addresses where a ProxySG listens for incoming requests.
Attributes for each service can be defined. Each service can be applied to all IP addresses or
limited to a specific set of addresses and port combinations. Several services are pre-defined, and
additional services can be defined.
If the MACH5 Edition of the SGOS operating system has been installed, there are two differences
in this table:
A transparent TCP tunnel connection listening on port 23 is created in place of the default
Telnet service.
Instant messaging, HTTPS reverse proxy, SOCKS, and Telnet services are not created.
In a new ProxySG Secure Web Gateway deployment, all pre-defined services are bypassed by
default. In a WAN optimization deployment, some common services (such as External HTTP) can
be configured to intercept by default during initial setup.
Services and Proxies (slide table, reconstructed):
Services with a dedicated proxy: AOL-IM, CIFS, DNS, Endpoint Mapper, FTP, HTTP (explicit and
external), SSL (HTTPS), MMS, MSN-IM, RTMP, RTSP, SOCKS, Yahoo-IM
Services using the TCP-Tunnel proxy: Citrix, IMAP, Internal HTTP, Kerberos, LDAP, LPD, Lotus
Notes, MS SQL Server, MS Terminal Services, MySQL, NFS, Novell GroupWise, Novell NCP, Oracle,
POP3, SMTP, SSH, Sybase SQL, XWindows, Default (listens on all unattended ports)
Chapter 7: Services
The HTTP proxy is extremely robust when handling Internet traffic. But with applications on
internal networks, issues can arise because:
Applications deployed within the enterprise are not well designed or tested and can break
when a proxy introduces even slight changes.
Some applications use port 80 but are not really HTTP.
Some applications pretend to be HTTP but do not follow the HTTP specification closely.
To best handle applications running on an intranet, the ProxySG provides three HTTP services:
External HTTP: This service handles all transparent-proxy HTTP port 80 requests. This service
uses the HTTP proxy.
Explicit HTTP: This service handles all explicit-proxy HTTP requests on ports 8080 and 80.
This service also uses the HTTP proxy.
Internal HTTP: This service transparently intercepts HTTP traffic from clients to internal
network hosts. This service uses a TCP tunnel because some applications deployed within
enterprise networks are not fully compatible with HTTP specifications or are poorly designed,
causing connection disruptions when using an HTTP proxy. By default, the Internal HTTP
service uses the following addresses: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16,
and 192.0.2.0/24.
Slide 7-4: HTTP services
Slide 7-5: Listener parameters
A listener defines the parameters by which a service on the ProxySG listens for incoming traffic. A
listener is identified by a unique combination of these items:
Source IP address: Usually is set to All, which means any IP address that originates the
request. Specific IP addresses and subnets can be specified.
Destination IP address: The IP address to which the request is sent. This can be All, Transparent
(the destination address is not one of the ProxySG's own addresses), Explicit (the destination
address is one of the ProxySG's own addresses), or a specific address or subnet.
TCP port: A specific port or range of ports. All pre-defined ProxySG services are configured to
industry-standard ports, such as 80 and 8080 for the Explicit HTTP service.
A listener must be uniquely identifiable: two listeners cannot have the same source IP address,
destination IP address, and TCP port. It is possible to have more specific and less specific
definitions for listeners provided that the source IP address, destination IP address, and TCP port
are not all the same as those of another listener. Every proxy service must have a proxy listener,
and a service can have multiple listeners.
Important: Policies are applied only to the traffic matching a service that is set to Intercept
(for a proxy service) or Enabled (for a management service).
Destination Addresses (slide):
All: Intercepts all packets regardless of destination address.
Transparent: Intercepts packets with a destination IP address not matching that of the ProxySG.
Explicit: Intercepts packets with a destination IP address matching that of the ProxySG.
The Traffic Flow diagram shows how the services framework of the ProxySG determines whether a
client request is transmitted to the server.
1. All traffic is processed at the network layer. If traffic matches the bypass list, then A is the exit
point.
2. The remaining traffic is processed at the service level. If it matches a service set to intercept,
the processing moves to Step 3. Otherwise, B is the exit point.
3. Only traffic intercepted by a service goes through policy processing. In this case, if the traffic is
allowed, then C is the exit point.
Traffic that reaches exit point A or B continues to the server if bridging or IP forwarding is enabled
on the ProxySG; it is never evaluated against policy. When traffic reaches exit point C, the decision
whether to allow the connection is made based on policy that has been configured on the ProxySG.
Policy processing is discussed in detail later in this course.
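The following is an added example, not Blue Coat code, that models the three-stage decision just described (network-layer bypass list, then service listeners, then policy) together with the listener rules from the Listener Parameters slide: a listener is identified by source, destination and port range, two listeners may not share that identity, and when several listeners match a connection the most specific one is the one that counts. The ProxySG address, the listener set, the bypass list and the sample connections are constructed.

```python
"""Model of the ProxySG services framework: bypass list -> listeners -> policy.
Added example; not Blue Coat code.  Addresses, listeners and connections are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass

PROXY_ADDRESSES = {ipaddress.ip_address("10.1.1.5")}   # assumed ProxySG address


@dataclass(frozen=True)
class Listener:
    service: str
    source: str        # CIDR; "0.0.0.0/0" is the "All" setting
    destination: str   # "all", "transparent", "explicit", or a CIDR
    ports: tuple       # inclusive (low, high)
    action: str        # "intercept" or "bypass"


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int


def check_unique(listeners):
    """Reject a configuration in which two listeners share (source, destination, ports)."""
    seen = set()
    for lst in listeners:
        key = (lst.source, lst.destination, lst.ports)
        if key in seen:
            raise ValueError(f"duplicate listener {key} in service {lst.service}")
        seen.add(key)
    return seen


def listener_matches(lst, conn):
    src, dst = ipaddress.ip_address(conn.src_ip), ipaddress.ip_address(conn.dst_ip)
    if src not in ipaddress.ip_network(lst.source):
        return False
    if lst.destination == "all":
        dest_ok = True
    elif lst.destination == "transparent":
        dest_ok = dst not in PROXY_ADDRESSES
    elif lst.destination == "explicit":
        dest_ok = dst in PROXY_ADDRESSES
    else:
        dest_ok = dst in ipaddress.ip_network(lst.destination)
    return dest_ok and lst.ports[0] <= conn.dst_port <= lst.ports[1]


def specificity(lst):
    """Longer source/destination prefixes and narrower port ranges win."""
    src_bits = ipaddress.ip_network(lst.source).prefixlen
    dst_bits = {"all": 0, "transparent": 1, "explicit": 1}.get(lst.destination)
    if dst_bits is None:
        dst_bits = ipaddress.ip_network(lst.destination).prefixlen
    return (src_bits, dst_bits, -(lst.ports[1] - lst.ports[0]))


def classify(conn, bypass_list, listeners, policy):
    """Return (exit_point, detail): A = bypass list, B = not intercepted, C = policy."""
    dst = ipaddress.ip_address(conn.dst_ip)
    if any(dst in ipaddress.ip_network(net) for net in bypass_list):
        return "A", "network-layer bypass"
    matched = [lst for lst in listeners if listener_matches(lst, conn)]
    if not matched:
        return "B", "no listener"                  # only if no Default Action listener exists
    best = max(matched, key=specificity)           # most specific listener handles it
    if best.action != "intercept":
        return "B", f"{best.service} is set to bypass"
    return "C", f"{best.service}: {policy(conn, best.service)}"   # policy decides


# Constructed configuration modelled on the pre-defined services in this chapter.
LISTENERS = [
    Listener("External HTTP", "0.0.0.0/0", "transparent", (80, 80), "intercept"),
    Listener("Explicit HTTP", "0.0.0.0/0", "explicit", (80, 80), "intercept"),
    Listener("Explicit HTTP", "0.0.0.0/0", "explicit", (8080, 8080), "intercept"),
    Listener("Internal HTTP", "0.0.0.0/0", "10.0.0.0/8", (80, 80), "intercept"),
    Listener("FTP", "0.0.0.0/0", "transparent", (21, 21), "bypass"),
    Listener("Default Action", "0.0.0.0/0", "all", (1, 65535), "bypass"),
]
BYPASS_LIST = ["192.0.2.0/24"]          # assumed network-layer bypass entry


def allow_all(conn, service):           # stand-in for the policy stage
    return "allow"


if __name__ == "__main__":
    check_unique(LISTENERS)
    for c in (Connection("10.5.5.5", "203.0.113.7", 80),   # External HTTP -> C
              Connection("10.5.5.5", "10.2.2.2", 80),      # Internal HTTP beats External -> C
              Connection("10.5.5.5", "10.1.1.5", 8080),    # Explicit HTTP -> C
              Connection("10.5.5.5", "198.51.100.9", 21),  # FTP bypassed -> B
              Connection("10.5.5.5", "203.0.113.7", 443),  # Default Action -> B
              Connection("10.5.5.5", "192.0.2.10", 80)):   # bypass list -> A
        print(c.dst_ip, c.dst_port, classify(c, BYPASS_LIST, LISTENERS, allow_all))
```

Note that the connection to 10.2.2.2:80 matches both External HTTP (transparent, port 80) and Internal HTTP (destination 10.0.0.0/8, port 80); the Internal HTTP listener wins because its destination is more specific, which is exactly why the pre-defined Internal HTTP service can coexist with External HTTP on the same port.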
Traffic Flow (slide: diagram of client, ProxySG and server with exit points A, B and C; an access
denied notification is shown to the client, and the message varies from browser to browser and
between explicit and transparent connections)
Slide 7-10: Proxy service settings
Service settings define the default parameters for a proxy service. It is important to understand
service settings because they affect how the proxy service processes traffic.
There are three types of service settings, as shown in the above examples. The settings that are
available for a service vary based on the proxy type that the service is using. For example, the
Detect Protocol setting is available in the External HTTP and LDAP services, but not in the AOL
IM service. If a setting cannot be changed, it is grayed out, such as the TCP/IP Early Intercept
setting for the AOL IM and External HTTP services in this example.
Details of how to use these settings are covered in detail in chapters about individual services and
protocols.
Proxy Settings
Authenticate-401: All transparent and explicit requests received on the port always use
transparent authentication (cookie or IP, depending on the configuration). This is especially
useful to force transparent proxy authentication in some proxy-chaining scenarios.
Detect Protocol: Detects the protocol being used. Protocols that can be detected include HTTP,
peer-to-peer (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper.
Keyring, CCL: These settings allow you to specify a certificate list used for verifying client
certificates.
Forward Client Cert: When used with the Verify Client setting, this setting puts the extracted
client certificate information into a header that is included in the request when it is forwarded
to the OCS. The name of the header is Client-Cert. The header contains the certificate serial
number, subject, validity dates, and issuer (all as name=value pairs). The actual certificate itself
is not forwarded.
Enable SSL Version 2, Enable SSL Version 3, Enable TLS: Allow you to select which versions of
SSL/TLS you want to support. The default is to support all three versions. SSL 2.0 and SSL 3.0
are obsolete and should be disabled unless a legacy client requires them. This attribute is
available only for HTTPS Reverse proxy.
Verify Client: Requests and validates the SSL client certificate. This attribute is available only
for HTTPS Reverse proxy.
TCP/IP Settings
Early Intercept: Controls whether the proxy responds to client TCP connection requests before
connecting to the upstream server. When early intercept is disabled, the proxy delays
responding to the client until after it has attempted to contact the server. If the Detect Protocol
setting is enabled, then Early Intercept is selected automatically.
Application Delivery Network Settings
Enable ADN: Controls whether ADN optimization is enabled for a specific service. Enabling
ADN does not guarantee that the connections are optimized by ADN. Instead, the actual
decision on whether to enable is determined by ADN routing (for explicit deployment) or
network setup (for transparent deployment).
Optimize Bandwidth: Controls whether to optimize bandwidth usage when connecting
upstream using an ADN tunnel.
Slide 7-11: Global service attributes
The ProxySG supports four global option settings for proxy services. These are set in the
Management Console at Configuration > Proxy Settings > General and apply to all proxy services,
but not to management services.
Tunnel on protocol error: Some HTTP parsing errors might cause the ProxySG to issue an
exception, which could break applications. This could be caused by non-HTTP client requests,
HTTP requests that contain non-HTTP components, or formatting errors. When this setting is
enabled, the ProxySG tunnels non-HTTP traffic on any HTTP service instead of returning an
exception. Tunneled traffic is not parsed as HTTP, so HTTP-level policy (URLs, categories) is
not applied to it.
Reflect Client IP: This option determines how the client IP address is presented to the origin
content server for all requests. This setting should be used with caution. Enabling this
attribute makes the ProxySG connect to the origin content server using the IP address of the
client that made the request as its source address. You must ensure that the response from
the OCS (which now replies to the client's IP address) is routed back through the ProxySG; if
there is a direct path between the client and the OCS, you end up with asymmetric
connections, and the client displays an error because the connection setup does not complete
properly.
Trust Destination IP: In a transparent deployment the client has already resolved the server
name, and the ProxySG sees the destination IP address the client connected to. If a client
sometimes provides a destination IP address that the ProxySG cannot determine itself, you can
configure the ProxySG to use that address and not do a DNS lookup. This can improve
performance, but it also can cause a security issue: the ProxySG then connects to whatever
address the client chose while applying policy to the hostname the client sent, and a client can
make the two disagree.
Important: The Reflect Client IP and Trust Destination IP settings can be used only in
transparent ProxySG deployments.
Global Service Settings (slide):
Tunnel on protocol error: tunnels non-HTTP traffic on any HTTP service.
Reflect client IP: the ProxySG connects to the OCS using the client's IP address as source IP address.
Trust destination IP: does not do a DNS lookup on the specified address.
User overflow action: specifies handling of traffic belonging to users in excess of license limits.
User Overflow Action: If you have more users going through the ProxySG than are allowed by
your license, you can configure overflow behavior. This setting is described in detail in the
Blue Coat Product Licensing chapter of this course.
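The following is an added example, not Blue Coat code, of the trade-off behind Trust Destination IP in a transparent deployment. For a transparently intercepted HTTP request the ProxySG has two pieces of information: the destination IP address of the TCP connection the client opened, and the Host header the client sent. Policy (categories, allow or deny) is written against the hostname, while the upstream connection is made to an address. The DNS table, the category map, the denied category and the requests below are constructed stand-ins.

```python
"""Trust Destination IP: what changes when the ProxySG stops resolving the Host
header itself.  Added example; not Blue Coat code.  DNS, categories and
requests are constructed."""
from dataclasses import dataclass

DNS = {                                     # what the ProxySG's own resolver returns
    "intranet.example": "10.20.0.5",
    "downloads.example": "203.0.113.10",
}
CATEGORY = {                                # content-filter rating, keyed by hostname
    "intranet.example": "Business",
    "downloads.example": "Hacking",
}
DENIED_CATEGORIES = {"Hacking"}


@dataclass(frozen=True)
class TransparentRequest:
    client_ip: str
    tcp_destination: str    # address the client's connection was actually headed to
    host_header: str        # hostname the client claims to be talking to


def forward(req, trust_destination_ip):
    """Return (decision, upstream_ip) as the global setting changes it."""
    # Policy looks at the hostname, which only the client vouches for.
    if CATEGORY.get(req.host_header, "Uncategorized") in DENIED_CATEGORIES:
        return "deny", None
    if trust_destination_ip:
        # No DNS lookup: the ProxySG connects to whatever address the client chose.
        return "allow", req.tcp_destination
    resolved = DNS.get(req.host_header)
    if resolved is None:
        return "deny", None             # the name policy was based on cannot be resolved
    # Address chosen by the ProxySG's resolver; the client's address is discarded.
    return "allow", resolved


def host_destination_mismatch(req):
    """Check worth logging either way: does the Host header resolve to where the client went?"""
    return DNS.get(req.host_header) != req.tcp_destination


# Constructed requests from one client.
HONEST = TransparentRequest("10.5.5.5", "10.20.0.5", "intranet.example")
# Allowed hostname in the Host header, but the TCP connection goes to the Hacking site.
SPOOFED = TransparentRequest("10.5.5.5", "203.0.113.10", "intranet.example")
# The case the setting exists for: a name the client could resolve but the ProxySG cannot.
UNRESOLVABLE = TransparentRequest("10.5.5.5", "10.30.0.9", "printer.local")

if __name__ == "__main__":
    for name, req in (("honest", HONEST), ("spoofed", SPOOFED), ("unresolvable", UNRESOLVABLE)):
        print(name, "trusted:", forward(req, True), "resolved:", forward(req, False),
              "mismatch:", host_destination_mismatch(req))
```

With the setting enabled, the spoofed request is rated Business (from the Host header) and then delivered to the Hacking site's address; with it disabled, the ProxySG resolves the name itself and the request lands on the intranet host instead, while the unresolvable name that motivated the setting gets a DNS error. The mismatch check is the signal to alert on if the setting has to stay enabled.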
Multiple Listeners (slide: screenshot of the Proxy Services page showing services that have more
than one listener)
3. Any configuration changes you make to the ProxySG in the Management Console are
synchronized with the VPM. The VPM shares information in various lists from the current
configuration in the Management Console, not the saved ProxySG configurations. When the
VPM is launched, it inherits the state of the ProxySG from the Management Console and
remains synchronous with that Management Console. This state might include configuration
changes that have not yet been applied or reverted. This does not include any changes made
through the CLI. When you click Apply in the Management Console, the configurations are
sent to the ProxySG; the Management Console and the VPM are synchronized with the
ProxySG.
4. For policies created in the VPM to take effect, the administrator must install these policies.
Once the Install Policy button is clicked in the VPM, the newly created policy takes effect and
is generated into an XML file. The ProxySG then compiles the policies into CPL format and
saves the resulting policies in the vpm.cpl file. This overwrites any policies previously created
using VPM. The ProxySG saves VPM-generated policies in a single file and loads it all at once.
This newly created CPL is combined with any other CPL created through other means and
then saved on the ProxySG.
Slide 9-3: Visual Policy Manager
Chapter 9: Policy Management
VPM Policy Objects (slide):
Trigger objects: used to determine if a rule matches or misses; organized by source, destination,
service, and time.
Action objects: used to determine proxy handling of a transaction; organized by action and track.
Slide 9-4: VPM policy objects
The VPM evaluates rules based upon trigger and action objects. Trigger objects represent the who,
where, how, and when of a rule; action objects represent the what.
Trigger objects also can be considered conditional objects. These objects allow you to create policy
for certain types of situations. When a request is sent through a ProxySG, the request is matched
against the created policy. If the request does not match, or misses, the policy, no action is triggered.
However, when the conditions outlined in the policy are met, an action occurs.
When certain conditions, based on your created policy, are met, an action is triggered. This is
where action objects come into play. The conditions that have been met based on your policy must
be acted upon based on the action objects created in policy.
In the VPM, when creating a Web Access Layer, for example, there are six settings that can be
modified. Four of these are trigger objects, and the other two are action objects.
Trigger Objects
Source: Specifies the source attribute, such as IP address, user, or group.
Destination: Specifies the destination attribute, such as URL, IP address, or file extension.
Service: Specifies the service attribute, such as protocols, protocol methods, and IM file
transfer limitations.
Time: Specifies day and time restrictions.
Action Objects
Action: Specifies what to do when the rules match.
Track: Specifies track attributes, such as event log and email triggers.
Additionally, there is one optional object called Comment. This allows you to provide a comment
regarding the created rule.
Slide 9-5: Rule #1: Hacking
In this example, an administrator has created a rule to block users from accessing websites that
have to do with hacking. This rule is relatively simple and straightforward. The idea is to block
any users in any group from accessing hacking websites at any time.
Trigger Objects
Source: The administrator selected the ANY option. This means that any request from any
source to a hacking website is denied, no matter what that source may be.
Destination: This option is used to select the category of website being blocked; in this case,
hacking websites. Categories are selected through the Blue Coat WebFilter and are added to
the policy rule through the VPM.
Service: By selecting ANY, the administrator has established that hacking websites cannot be
accessed through any protocol.
Time: The administrator has selected ANY under this category to deny access to hacking
websites at any time, even outside normal business hours.
Action Objects
Action: The DENY option denies access to hacking websites when the conditions listed above
are met. In this case, the triggers are all-encompassing, so the condition always is met.
Track: The administrator has elected not to receive any notification when a user attempts to
access a hacking website.
Policy Translation Rule #1 (slide): Block all users from Hacking websites
Source: ANY
Destination: Hacking
Service: ANY
Time: ANY
Action: DENY
Track: none
Policy Translation Rule #2 (slide): Employees can visit travel websites only outside regular
working hours
Source: ANY
Destination: Travel
Service: ANY
Time: Mon-Fri; 08:00..17:00
Action: DENY
Track: none
Slide 9-6: Rule #2: Travel
Similar to the previous example, the administrator of this network wants to block traffic to certain
type of websites. This administrator does not want the employees planning their vacations while
they should be working. However, some lenience was given to the employees by allowing them to
access travel websites outside normal business hours. This shows that administrators have a great
amount of control over policy when using the ProxySG.
Trigger Objects
Source: The administrator has chosen to deny all access to travel websites, no matter the client
IP address, user, or group.
Destination: Using the categories available through the Blue Coat WebFilter, the administrator
created a policy object that is designed to block user access to travel websites.
Service: By selecting ANY, the administrator has created a policy object that blocks access to
travel websites, regardless of the method the user may be using to access the material.
Time: Under this policy object, the administrator has decided to deny access to material
pertaining to travel only during a certain time window. Between the hours of 8 a.m. and 5
p.m., access is denied, but outside that time frame, access to travel websites is allowed.
Action Objects
Action: The action object in this rule has been set to DENY. This means that access to travel
websites is denied to everyone, but only between the hours of 8 a.m. and 5 p.m. If a
request is sent to a travel website at 6 p.m., there is a miss in the trigger objects. Because
one of the conditions was not met, the DENY action is not triggered and access is allowed.
Track: The administrator has chosen not to receive any notifications if the policy is enforced by
the ProxySG.
Policy Translation Rule #3 (slide): Allow only users in the IT group to use FTP. Outside
working hours, allow anybody.
Source: NOT(Group IT)
Destination: ANY
Service: FTP
Time: Mon-Fri; 08:00..17:00
Action: DENY
Track: none
Slide 9-7: Rule #3: Using FTP
In this example, a network administrator has created a policy designed to stop the use of FTP by
anyone except those who are in the IT group. However, outside normal business hours, any user is
allowed to use this protocol. Unlike the previous rules discussed, this one allows access to any
destination. However, the way in which the destination server can be contacted is restricted.
Trigger Objects
Source: For this trigger object, the administrator has blocked the use of FTP by all users except
the IT group. This means that if all other conditions are met, any member of the IT group still
can make requests using FTP.
Destination: In this case, ANY does not mean that any destinations are blocked. Rather, it
means that any destination that a request is sent to over FTP is denied.
Service: In this object field, the administrator has set FTP as one of the trigger objects, meaning
that any connections attempted over FTP are denied.
Time: The time limitations on the policy rule have been set so that this rule applies only
during normal business hours, from 8 a.m. until 5 p.m.
Action Objects
Action: The prescribed action, if the above triggers are met, is to deny the request. However,
this object rule has multiple stipulations, unlike the previous two. When the source is checked,
if it is found to be a member of the IT group, the action is to allow the request. Additionally, if
the time of the request is found to be outside normal business hours, the action also is to allow
the request.
Track: No tracking action objects were added to this rule.
Complete Web Access Policy (slide: VPM screenshot of a Web Access layer, reconstructed):
No.  Source          Destination   Service   Time            Action   Track
1    Any             Hacking       Any       Any             Deny     None
2    Any             Travel        Any       Working-Hours   Deny     None
3    Not group IT    Any           FTP       Working-Hours   Deny     None
Slide 9-8: Complete Web access policy
This example shows a set of policy rules created in the VPM. Note the following:
1. Rules in a policy layer are applied from top to bottom. This is important to know because once
a rule matches a request, all subsequent rules are ignored. Therefore, you should put first the
most likely rule to be matched. This allows you to save processing time because the ProxySG
does not have to apply every rule every time a request is sent.
2. This is an example of a source trigger. In the first two rules, the source trigger is set to Any,
making the source of the request irrelevant in those two rules. However, the third rule uses an
Active Directory group (negated, so that members of IT are excluded) as its source trigger.
3. This column is the destination trigger. If there is a request sent from a client to a travel website,
the first rule is applied to the request, but no action is taken, because that rule only blocks
hacking websites. However, when the request reaches the second rule, it triggers the Deny
action, and the website is blocked.
4. The Service column allows the administrator to select whether certain service attributes
should trigger an action. In the case above, the bottom rule includes an object for FTP. That
means for this rule to trigger, the request must be using FTP.
5. The rule object in this column allows you to specify a certain time or time period in which the
rule triggers an action. The rule object above is called Working-Hours. If a request is sent
during the time period set in the Working-Hours object, and the other triggers of the rule are
met, the action is triggered, either Deny or Allow.
6. This is the Action column. In the above example, all the actions are set to Deny. Therefore, if
any of the rules in this layer are triggered by a request, that request is denied. The VPM also
supports a separate action called Deny (Content Filter); this action also denies a request, but
presents a more specific exception to the user that includes the content filter category of the
request. The difference between Deny and Deny (Content Filter) can be important when using
external products such as Blue Coat Reporter to analyze ProxySG activity.
7. The Move Up and Move Down buttons let you select and move one or more rules up and down
within a layer. The rules to be moved in a single operation must be in consecutive order.
8. When you click Install Policy, any additions, deletions, and changes that you have made are
installed on the ProxySG. The old VPM-CPL and VPM-XML files are deleted and are replaced
with the new CPL and XML information that reflects the policy modifications.
Slide 9-9: VPM rules priority
This diagram describes the order in which rules are applied to requests that go through the
ProxySG. The rules are processed from top to bottom as they are listed in the VPM. As an example,
imagine the three rules shown above are the rules that were discussed previously in this chapter:
Rule 1 blocks all access to hacking websites.
Rule 2 blocks access to travel websites, but only during normal business hours.
Rule 3 blocks the use of FTP for everyone except the IT team, during normal business hours.
Therefore, if a user at a remote office attempts to establish a connection to an FTP server at
headquarters, the rules are applied as follows:
1. The ProxySG receives the request and checks it against rule 1. Because the FTP server is not a
hacking website, no triggers are met, and no action is taken.
2. Because no action was taken by rule 1, the ProxySG checks the request against rule 2. Once
again, because the FTP server is not a travel website, no action is taken against this connection.
3. Next, the ProxySG checks the connection against rule 3. The ProxySG establishes whether or
not the user is member of the IT group. Once it has determined that, it checks the connection
type and determines that it is an FTP connection. This rule also has a time period rule object,
so this has to be checked as well.
If the user is not a member of the IT group and the connection attempt is made during
business hours, the Deny action is taken. However, if it is outside normal business hours, no
action is taken, and access is granted.
VPM Rules Priority (slide: one policy layer with Rule 1, Rule 2 and Rule 3 evaluated from top to
bottom)
Slide 9-10: VPM policy layers
Many types of VPM policy layers are available. This wide variety allows for finer customization to
allow you to meet any needs your network might require. Each type of layer provides a way for
you to control how the ProxySG can be accessed for administrative purposes and how the
ProxySG handles traffic. These are the layer types and what they are used for:
Admin Authentication: This layer allows you to set how administrators attempting to access
the ProxySG must authenticate. Through this layer, you can limit access to the ProxySG to
make sure that any other policy you may set cannot be modified by individuals not allowed to
do so. Additionally, this layer is often used in conjunction with the different Access layers,
allowing you to determine where a user can go and what a user can do after being
authenticated.
Admin Access: The previous layer allows you to set how an administrator must authenticate;
this layer allows you to set who is allowed to access the ProxySG.
DNS Access: You can use this layer to set how the ProxySG handles DNS requests.
SOCKS Authentication: This layer gives you the ability to set the method of authentication for
accessing the ProxySG through SOCKS.
SSL Intercept: With this layer, you can set the ProxySG to tunnel or intercept HTTPS traffic.
Action taken for HTTPS traffic can be based on either the source or the destination of the
request.
SSL Access: Unlike the previous layer, this layer allows you to either deny or allow HTTPS
traffic through the ProxySG.
Web Authentication: You can use this layer to set whether or not certain users or groups have
to authenticate before they can access the ProxySG or the Internet. This can be useful if you
only want to give certain users access to certain resources.
Web Access: This is the layer that the previous examples about rules were based on. Through
this layer you can limit, allow, or deny access to Internet content.
VPM Policy Layers (slide): Admin Authentication, Admin Access, DNS Access, SOCKS
Authentication, SSL Intercept, SSL Access, Web Authentication, Web Access, Web Content,
Forwarding, CPL
Web Content: This layer is used to determine caching behavior, such as verification and ICAP
redirection, on the ProxySG. For example, you can set the ProxySG to cache websites that your
company accesses on a regular basis, but not other content.
Forwarding: With this layer, you can set the ProxySG to determine forwarding hosts and
methods.
CPL: You can write code directly in Blue Coats Content Policy Language in this layer. The
details of CPL are beyond the scope of this chapter.
This list does not imply a specific evaluation order for layers, for reasons discussed on the next
page.
VPM Layers Priority (slide: left-to-right processing order applies only to layers of the same type)
Slide 9-11: VPM layers priority
In general, policy layers are processed from left to right. However, this only applies to layers of the
same type. The order in which layers are processed is logical and based on the order in which
things happen when a user is trying to access content on a server. In the above example, the layer
types are processed in this order:
1. Admin Authentication Layer: This layer is used to determine how a user is authenticated
when trying to access the Management Console of a ProxySG. The Management Console is
accessed through a Web browser over an SSL connection. If you have a Web Access Layer in
place that is set up to block SSL traffic, this would not allow any user to access the
Management Console. In order to alleviate this issue, the ProxySG processes the Admin
Authentication Layer first. That way, a user can still access the Management Console, but SSL
traffic still is controlled.
2. Web Authentication Layer: In the above example, this happens before the Web Access Layer
because it would not make sense to determine what a user can do on the Internet before
determining whether or not that user should have access to the Internet at all. Therefore, the
ProxySG first applies the Web Authentication Layer to determine whether the user can access
the Internet, and then determines what the user is allowed to access once authenticated.
3. The first Web Access Layer: Because it is the leftmost such layer that is displayed, it is
processed before any other layers of the same type.
4. Another Web Access Layer: Because it appears to the right of the previous layer, it is processed
next.
5. Based on its position and order of processing, this can be one of three layer types: an
additional Web Access Layer (as shown), a Web Content Layer, or a Forwarding Layer.
(slide diagram: the relevant layers' processing order runs across the separate layer types)
Slide 9-12: VPM layer guards
The same set of conditions or properties often appears in every rule in a layer. You can factor out
the common elements into layer guard expressions. This can help the ProxySG run more efficiently,
particularly when you have defined a large number of rules.
A layer guard is a single rule table that appears above the selected layer in the VPM. The layer
guard rule contains all of the columns available in the layer except for the Action and Track
columns. These columns are not required because the rule itself does not invoke an action other
than allowing or not allowing policy evaluation for the entire layer. You cannot add a layer guard
rule until you have created other rules for that layer.
In the above example, the administrator has created a layer called Guest User Web Access. When
this layer is evaluated:
1. The layer guard is checked first. If the user is not a guest user, then the rest of the layer is not
evaluated.
2. If the user is a guest user and if the user is attempting to access a resource that the
administrator has identified in Guest Categories, then this layer allows the transaction.
3. Otherwise, this layer instructs the ProxySG to return an exception page to the user.
By default, a layer guard rule is enabled, but you can disable a layer guard (which keeps the rule
but does not process it) or delete the rule completely from the VPM.
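The following is an added example, not Blue Coat code, of a small evaluator that applies the VPM semantics described in this chapter: rules in a layer are checked top to bottom and the first match wins, layers are evaluated in order and a later layer's decision replaces an earlier one (which is why an Allow can undo a Deny), and a layer guard decides whether a layer is evaluated at all. The three Web Access rules and the guest layer are the ones described in the preceding slides; the request fields, the contents of Guest Categories and the sample requests are assumed.

```python
"""First-match rules, ordered layers and layer guards, as in the VPM.
Added example; not Blue Coat code.  Request fields, guest categories and
sample requests are assumed."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    category: str        # content-filter category of the destination
    scheme: str          # "http", "https", "ftp", ...
    weekday: int         # 0 = Monday ... 6 = Sunday
    minute: int          # minutes since local midnight


Trigger = Callable[[Request], bool]


@dataclass(frozen=True)
class Rule:
    triggers: tuple      # the rule's trigger cells; all must match
    action: str          # "allow", "deny", or "exception:<name>"
    comment: str = ""

    def matches(self, req):
        return all(trigger(req) for trigger in self.triggers)


@dataclass
class Layer:
    name: str
    rules: list
    guard: Optional[Trigger] = None   # None: the layer is always evaluated

    def first_match(self, req):
        if self.guard is not None and not self.guard(req):
            return None               # guard missed: the whole layer is skipped
        for rule in self.rules:
            if rule.matches(req):
                return rule           # first match wins; later rules are ignored
        return None


def evaluate(layers, req, default="deny"):
    """Layers in order; the last layer that matched sets the decision."""
    decision = default
    for layer in layers:
        rule = layer.first_match(req)
        if rule is not None:
            decision = rule.action
    return decision


# Trigger objects ------------------------------------------------------------
def any_(req):
    return True

def category(name):
    return lambda req: req.category == name

def service(scheme):
    return lambda req: req.scheme == scheme

def in_group(name):
    return lambda req: name in req.groups

def not_in_group(name):
    return lambda req: name not in req.groups

def working_hours(req):               # Working-Hours object: Mon-Fri, 08:00..17:00
    return req.weekday <= 4 and 8 * 60 <= req.minute < 17 * 60


# The three rules from the Web Access examples, in VPM column order.
WEB_ACCESS = Layer("Web Access", [
    Rule((any_, category("Hacking"), any_, any_), "deny", "Rule #1"),
    Rule((any_, category("Travel"), any_, working_hours), "deny", "Rule #2"),
    Rule((not_in_group("IT"), any_, service("ftp"), working_hours), "deny", "Rule #3"),
])

GUEST_CATEGORIES = {"News", "Weather"}          # assumed contents of "Guest Categories"
GUEST_WEB_ACCESS = Layer("Guest User Web Access", [
    Rule((any_, lambda req: req.category in GUEST_CATEGORIES), "allow", "guest content"),
    Rule((any_,), "exception:Guest-Access-Denied", "everything else"),
], guard=in_group("Guests"))

POLICY = [WEB_ACCESS, GUEST_WEB_ACCESS]


def decide(req):
    # Default Allow here to match the worked examples above; Deny is the
    # recommended default for a secure web gateway deployment.
    return evaluate(POLICY, req, default="allow")
```

Because the guest layer comes after the Web Access layer, a guest reaching a News site is allowed by its first rule even though the Web Access layer said nothing, and a guest reaching anything else gets the exception page even where the Web Access layer had already denied the request; that is the override behaviour the best-practice warning about Allow refers to.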
VPM Layer Guards (slide: screenshot of the Guest User Web Access layer; the guard row matches
guest users, rule 1 allows the destinations in Guest Categories, and rule 2 returns an exception
page for everything else)
Best Practices (slide):
Policy construction: express separate decisions in separate layers; be consistent with your model.
Policy integrity: use ALLOW with caution.
Policy optimization: use regular expressions only when necessary; place rules most likely to match
at layer beginning; use subnets when possible; use definitions and layer guards.
Slide 9-13: Best practices
The ProxySG policy processing engine is a powerful and flexible tool. But with that power and
complexity comes the need to create policy that is easy to understand and maintain.
When writing policy, consider the following points:
Express separate decisions in separate layers. As your policy grows, maintenance is easier if
the logic for each aspect of a policy is separate and distinct.
Be consistent with your model. Set the default policy (allow or deny) according to which one
more closely reflects your enterprise's security policy, and then use blacklists or whitelists as
appropriate. For secure gateway deployments, the recommended default policy is Deny; for
WAN optimization deployments, the recommended default policy is Allow.
Understand the implications of using the Allow action. Depending on where it is used, it can
unintentionally reverse a previous denial.
Use regular expressions only when absolutely necessary. This is the most CPU-intensive type
of policy evaluation; in most cases, an alternate solution without regular expressions is
possible and also prevents unintended matches.
Place rules most likely to match at the beginning of a layer. Because layers are evaluated only
until a rule matches, doing so provides a performance benefit.
When implementing any policy that involves IP addresses, use subnets instead of a list of
specific addresses when possible.
Use definitions and layer guards. These constructs often result in faster policy evaluation than
using multiple rules to accomplish the same thing.
Chapter 10: WebPulse
Content filtering is a primary capability of the Blue Coat ProxySG and is a key feature of
WebPulse, Blue Coat's cloud computing service.
Cloud computing services act as a grid to unite millions of users as a defensive mirror, similar to
the protection in numbers practice that is common in nature. Cloud services are exposed to a
much larger profile of Web content than any one enterprise. This volume of Web content and
repetition of popular websites enables community-watch cloud services to detect Web threats and
rate Web content for the benefit of all users in the community.
Cloud services also can deploy more defenses than would be affordable for any one enterprise,
making the solution cost-effective for all participants.
Cybercrime leverages the Web as a computing grid; therefore, it only makes sense that a defense
should follow suit.
Linking WebPulse with the ProxySG creates a hybrid Web gateway solution. The cloud service
provides more malware defenses than possible on only the Web gateway, and it offloads the
processing that is needed to detect malware and rate new Web content. This allows the ProxySG to
run more efficiently and provide more defenses.
The cloud service extends to remote users. ProxyClient for enterprise users provides central policy
controls and reporting with a real-time relationship to WebPulse. K9 Web Protection, Blue Coat's
home parenting solution, uses the cloud service to block malware and rate Web content for
families.
As an administrator, your task is to define how the ProxySG uses the information returned by
WebPulse, and how the ProxySG communicates with the various components of WebPulse.
After studying this chapter, you will understand:
How WebPulse provides best-in-class content filtering.
How content filtering is performed as part of a ProxySG transaction.
How content filtering decisions are made.
Some of the mathematical theory behind WebPulse.
How to customize the content filtering database and how it is shared with WebPulse.
WebPulse provides real-time rating of websites, analyzing more than 2 billion requests per week
from more than 75 million users. This is a constant process, with the results continuously being
used by new requests to make the content filtering service stronger.
Content filters perform Web content analysis and ratings, which supports simultaneous URL
databases for the latest ratings.
Unrated or new content goes to the dynamic categorization service to get rated.
Reputation analysis scores URLs and IP addresses to determine intention, which can help
identify websites that might be malicious.
All requests are analyzed in the background for malware using a computing grid of clients
with multiple threat-detection engines, machine content analysis, and human raters. When
malware and Web threats are detected by any member of the cloud, WebPulse receives a
notification that is made available to other members of the cloud.
There are two possible deployment options for content filtering: an on-box content filter database,
such as Blue Coat WebFilter; or an off-box database (available with Websense only).
For performance reasons, on-box is often the preferred choice; it makes sense that processing
requests locally on the ProxySG is faster than opening a network connection to an external server.
However, both configurations are fully supported, and customers use both.
The content filter database consists of sites, pages, and IP addresses organized by category.
Depending on the vendor, a URL can belong to one or more categories. The database offers
additional information to the ProxySG (and to the administrator) about the request that is being
made by a user. The content filter database does not block any site or any category by default. It is
up to the administrator, through CPL or the Visual Policy Manager, to build a set of rules to allow
or deny access to specific resources based on information obtained by the content filter.
Before you can use a vendor's content filter database, you need to obtain a license for one of the
vendors, download the database, and then install it. You can get a demonstration license from
most of the supported vendors.
Slide 101: Overview (figure: the WebPulse components content filter, dynamic categorization, reputation analysis and malware detection, serving ProxySG, ProxyClient and K9 Web Protection, with more than 75 million users)
Content Filtering
Enable proxy to make smarter decisions
Base policy control on type of content
Offer more than just protocol and URL match
Attempt to categorize the Internet
Categorize the 20% of sites that generate 80% of the traffic
Use artificial intelligence to cover the remaining 80%
User-defined category set
Local database
Slide 102: Content filtering
Content filtering allows you to block access to websites based on their perceived content. Whether
a website is blocked or allowed client access depends on the rules and policies implemented by
the administrator in accordance with company standards. The challenge presented is that because
of the dynamic nature of the Internet, there is a constant flow of new URLs (and URLs on
lesser-known sites) that are not in the content filtering database. As any URLs that are not in the
database are not classified, you must create a policy to process these.
The effectively unlimited number of URLs can be reduced to a small number of categories. After the
websites and content are categorized, access to that content can be controlled through policy by
URL-based triggers. Categories and their meanings are defined by the specific category providers.
Two main reasons to use a local database instead of a policy file for defining categories are:
A local database is more efficient than policy if you have a large number of URLs.
A local database separates administration of categories from policy.
This separation is useful for three reasons:
It allows different individuals or groups to be responsible for administrating the local
database and policy.
It keeps the policy file from getting cluttered.
It allows the local database to share categories across multiple appliances that have different
policies.
Slide 103: Content filtering flow
When content filtering is enabled, a ProxySG transaction follows this high-level flow:
1. The user makes a request.
2. The ProxySG extracts the URL from the request and sends it to WebPulse for categorization.
The components of WebPulse, including an on-box or off-box content filter, work together to
perform the categorization.
3. The content filter returns one or more categories (depending on the vendor) for that URL.
4. The policy engine considers the user's information, the time of day, the URL, and its
categorization. Based on the policies in place, it then makes a decision to allow or deny the
request.
5. The user receives the requested content (5a) or an exception page (5b), depending on the
decision made by the policy engine.
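The flow above and the best practices from the previous chapter (separate decisions in separate layers, a layer guard, an Allow that reverses an earlier Deny) can be seen in a small model. The following Python is an added example written for this book; it is not code from the course or from Blue Coat, and it only models the evaluation order the text describes: categorize first, then evaluate layers in order, first matching rule wins within a layer, and a later layer's decision overrides an earlier one. The hostnames, group names, category table and layer names are constructed for the example.

```python
"""Simplified model of how the ProxySG evaluates layered policy.

Added example, not code from the course or from Blue Coat. It models the
behaviour the text describes: the request is categorized first, layers are
evaluated in order, the first matching rule in a layer decides for that layer,
a layer guard lets a whole layer be skipped, and a later layer's decision
overrides an earlier one, which is how an Allow can reverse a previous Deny.
Hostnames, group names and the category table are constructed; the layer
names are hypothetical.
"""
from dataclasses import dataclass

# Constructed stand-in for the content-filter database lookup (step 3 of the flow).
CATEGORY_DB = {
    "www.bluecoat.com": {"Technology/Internet"},
    "bets.example.test": {"Gambling"},
    "intranet.mycompany.test": {"mycompany_internal"},
}


@dataclass
class Request:
    group: str
    host: str
    categories: frozenset = frozenset()


@dataclass
class Rule:
    condition: object      # callable(Request) -> bool
    action: str            # "allow" or "deny"
    evaluations: int = 0   # how many times the condition was tested


@dataclass
class Layer:
    name: str
    rules: list
    guard: object = None   # callable(Request) -> bool; None means no guard


def categorize(req):
    """Step 3 of the flow: attach the categories returned for the request's host."""
    return Request(req.group, req.host, frozenset(CATEGORY_DB.get(req.host, {"none"})))


def evaluate(layers, req, default="deny"):
    """Step 4 of the flow. Return (decision, deciding layer); later layers override earlier ones."""
    decision, decided_by = default, "default policy"
    for layer in layers:
        if layer.guard is not None and not layer.guard(req):
            continue                       # whole layer skipped; its rules are never evaluated
        for rule in layer.rules:
            rule.evaluations += 1
            if rule.condition(req):
                decision, decided_by = rule.action, layer.name
                break                      # first matching rule in a layer wins
    return decision, decided_by


def build_policy(it_allows_everything):
    """Default Deny (secure gateway model), one decision per layer."""
    web_access = Layer("web-access", [
        Rule(lambda r: r.group in {"IT", "Sales"}, "allow"),
    ])
    content_filter = Layer("content-filter", [
        Rule(lambda r: "Gambling" in r.categories, "deny"),
    ])
    if it_allows_everything:
        # The mistake the text warns about: a blanket Allow in a later layer
        # reverses the Deny that content-filter has already made.
        it_rules = [Rule(lambda r: True, "allow")]
    else:
        it_rules = [Rule(lambda r: "mycompany_internal" in r.categories, "allow")]
    it_exceptions = Layer("it-exceptions", it_rules, guard=lambda r: r.group == "IT")
    return [web_access, content_filter, it_exceptions]


def decide(layers, group, host):
    """Run one transaction through categorization and policy."""
    return evaluate(layers, categorize(Request(group, host)))


if __name__ == "__main__":
    for broad in (True, False):
        print("blanket IT allow" if broad else "narrow IT allow",
              decide(build_policy(broad), "IT", "bets.example.test"))
```

Running the script shows the blanket Allow in the it-exceptions layer returning ("allow", "it-exceptions") for a Gambling site, while the narrow Allow leaves the content-filter layer's Deny in force. The evaluations counter shows the effect of the layer guard: for a user outside the IT group the it-exceptions rules are never tested at all.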
Categorization Techniques

Database pros: accuracy (close to 100%), response time, scalability
Database cons: small number of sites, update time
Dynamic categorization pros: immediate coverage
Dynamic categorization cons: response time, accuracy (90%)

Slide 104: Categorization techniques
There are two main approaches to content filtering. One approach attempts to provide
categorization of websites by looking for key words in the HTML pages that users request.
However, this approach has two severe limitations: lack of scalability and lack of accuracy.
Another approach consists of assembling a team of content researchers and posting a new
database of sites organized by category. The new databases can be posted weekly, daily, or every
few hours. The major limitation to this approach is the lack of flexibility and ability to adapt to
specific content. No one could ever classify the entire Web.
WebFilter uses a hybrid approach consisting of a static list and remote dynamic categorization
using advanced Bayesian statistical analysis.
Blue Coat WebFilter
Hybrid solution, part of WebPulse
On-box database for ProxySG
Optional service component to categorize unrated URLs
Data quality
Granular categories
Consistency
Relevant URLs (feedback)
Immediate coverage for new sites
Frequent updates
Application and operation filtering
Slide 105: Blue Coat WebFilter
Blue Coat WebFilter is a key component of WebPulse that takes a hybrid approach in providing its
content-filtering solution. With an on-box database, WebFilter provides a static list.
Administrators can write policy to allow or deny access to resources based on the information in
the database. WebFilter also offers optional remote dynamic categorization, which sends requests
to a server if the resource is not in the local WebFilter database.
WebFilter focuses on quality of results. It provides more than 80 categories to allow a high degree
of control in writing policy. It is highly consistent in how it categorizes resources and gives top
priority to categorizing resources that are requested most frequently. The optional dynamic
categorization service also provides immediate coverage for sites that have not been previously
categorized. WebFilter recognizes more than 50 languages.
WebFilter automatically checks the status of the WebPulse database and downloads any
incremental updates every five minutes. This provides for rapid detection of new malware and
Web threats. Automatic database updates can be restricted to a range of hours each day or
disabled completely.
The number of URLs present in a list should only be part of the decision-making process to select
a vendor. The URLs need to be relevant and most of all accurate. The Blue Coat content
research team devotes serious attention to making sure that the list is not only as large as possible,
but also relevant and reliable.
Also, WebFilter recognizes many key Internet applications such as Gmail, Facebook, and
YouTube and detects URLs used to perform many operations in these applications, such as
uploading videos and sending email attachments.
Slide 106: Application filtering (figure: a Facebook video-upload URL returns the categories Social Networking and Audio/Video Clips, the application Facebook, and the operation Upload Videos)
Application filtering gives you more granular control of content access than URL category
identification and blocking. This feature is available when you use Blue Coat WebFilter in
conjunction with WebPulse. Here are some examples of how you can use this feature to help avoid
data loss accidents, prevent security threats, and increase employee productivity:
Allow users to post comments and chat in Facebook, but block sending pictures and videos.
Prevent the uploading of videos to YouTube, but allow viewing of videos that others have
posted.
Allow users to access their personal email accounts on popular Web-based services such as
Gmail and Hotmail, but prevent them from sending email attachments.
When you use WebFilter with WebPulse, requests to categorize URLs can return three
components: one or more categories, an application, and an operation within that application. In
the above example:
1. The ProxySG sends a request for the URL used by Facebook to upload videos.
2. WebFilter returns two categories for this URL and also detects that the application is Facebook
and the request is to upload a video.
Using the advanced Content Policy Language (CPL) on the ProxySG, you can write policy that
blocks access to certain Web applications and operations performed within those applications.
For more information on application filtering with WebFilter, including a current list of supported
applications and operations, plus examples of CPL code to implement application filtering, refer
to the Blue Coat SGOS 6.2.x Release Notes, available at BlueTouch Online.
Note: If an operation occurs in the background via AJAX or another Web 2.0 capability and
the operation is blocked with an application-filtering policy, the ProxySG cannot
deliver an exception to the user. The operation still is blocked, but it might appear to
the user that the website has an issue because no error message displays.
Dynamic Categorization
Extend WebFilter capabilities
Scan and categorize the contents of a Web page
Immediate categorization
Provide a network service to accomplish dynamic classification
Analysis is accomplished on the external service
No performance impact on the ProxySG
WebFilter service points located worldwide
Slide 107: Dynamic categorization
Dynamic categorization provides real-time analysis and content categorization of requested Web
pages to solve the problem of new and previously unknown uncategorized URLs. When a user
requests a URL that has not already been categorized by the WebFilter database (for example, a
new website), the ProxySG dynamic categorization service analyzes elements of the requested
content and assigns a category or categories. The dynamic service is consulted only when the
installed WebFilter database does not contain category information for an object.
HTTPS requests are not subject to dynamic categorization. This prevents secure information from
being sent to WebPulse over an insecure connection.
If the category returned by this service is blocked by policy, the offending material never enters the
network in any form. Dynamic analysis of content is performed on a remote network service, not
locally on the ProxySG. Therefore, dynamic categorization incurs the following costs:
Bandwidth: Represents the round-trip request/response from the ProxySG to the service.
Because the dynamic categorization protocol is compact, this cost is minimal.
Latency: Represents the time spent waiting for the dynamic categorization service to provide a
result. While these costs are typically small, certain conditions might require you to run
dynamic categorization in the background or disable it.
The ProxySG uses a distributed network of servers to enable customers to download the WebFilter
database updates reliably and efficiently and to expedite dynamic categorization transactions.
Blue Coat has WebFilter service points located around the world. Each location features
high-bandwidth Internet access and a fully fault-tolerant and load-balanced security and
download architecture.
By contacting sp.cwfservice.net, the ProxySG discovers the closest and most available download
site for you.
Slide 108: WebPulse workflow
The Internet changes constantly; therefore, no rating service can ever categorize every Web page.
A static list is only a partial solution to the need for categorizing content.
When users request a new URL that has not been rated in the WebFilter ratings database,
WebFilter retrieves the page from its host server to be analyzed for its content.
The dynamic rating (categorization) service looks at a number of elements, including the words on
the page, the context of each word, and the formatting used on the page and responds in one of
two ways. If this service can determine a rating for a new website in real time, it then rates and
categorizes it. These sites are then added to the WebFilter ratings database.
If the dynamic rating service cannot determine a rating for a new website in real time, it then
categorizes the site as none and moves it to a third-stage rating process called dynamic
background rating for additional review. Once the background rating service has reviewed the
site, it either assigns it to one of WebFilters content categories or queues in a list for the human
reviewers to rate it.
The process for categorizing websites operates as follows:
1. A client makes a request.
2. The request is matched against the WebFilter database installed on the local ProxySG. There is
a 95% success rate; 95 of every 100 URLs requested are found in the local database (provided that
it is kept up to date). This lookup requires less than 5 milliseconds.
3. If the URL is not available in the current database, WebFilter queries the external database.
This database contains the most up-to-date list of websites; it is updated every 15 minutes and
contains what will become the new available list on the next scheduled download. This search
usually takes 7 to 9 milliseconds and returns some additional sites.
4. When the external database does not have a categorization for the URL, it sends a request to
the dynamic rating server. There are multiple locations around the world that handle this
process; all of them feature high-availability servers and high bandwidth.
5. The dynamic rating server queries the origin content server to get the data requested by the
client in Step 1. The dynamic rating server returns a response to the ProxySG only if the URL
is categorized as Adult, Pornography, Gambling, or one of a few other categories to which
administrators often restrict access. Dynamic rating can correctly categorize up to 95% of the
requests it receives for such sites. This process takes a median time of about 100 milliseconds.
6. The URLs that do not return a positive match after the dynamic rating lookup are forwarded
to background rating for additional review. This process is more intensive than dynamic
rating and can take up to an hour. The URLs that are categorized by background rating are
uploaded to the WebFilter master database and are downloaded to the local database at the
next scheduled interval or on demand by the administrator.
7. The URLs that do not have a match after being processed by the background rating service are
queued for human review by a multilingual team of content researchers. The reviewed URLs
are then uploaded into the master database. The human rating process can take a day or more.
8. The ProxySG downloads updates to the master database at regular intervals specified by the
administrator or on demand.
While this process might seem laborious on the surface, it represents a state-of-the-art attempt to
offer the most accurate, reliable, fast, and scalable answer to organizations' need to protect
themselves from inappropriate or malicious Web content.
As a community watch solution, the value of these processes is the volume of Web traffic they
analyze and the repetition to review popular and trusted websites continuously for malware
injection attacks. The cloud sees more Web traffic and uses more defenses than any one
organization could deploy and manage.
Language     Probability   Threshold     P / R (precision / recall)
english      1.0000        (illegible)   (illegible) / 0.99
slovenian    0.0000        0.50000       1.00 / 0.38
italian      0.0000        0.50000       1.00 / 1.00
chinese      0.0000        0.50000       1.00 / 0.97

Top Categories
Category                     Probability   Threshold   P / R (precision / recall)
Sports/Recreation/Hobbies    1.0000        0.57908     0.80 / 0.60
News/Media                   0.0000        1.00000     0.83 / 0.73
Education                    0.0000        0.98417     0.80 / 0.78
Miscellaneous                0.0000        NEVER       1.00 / 0.23

Slide 109: Dynamic categorization results
Dynamic categorization can operate in two different modes: in real time or in the background. The
difference defines how long the ProxySG waits for the service to reply.
Three options are available:
1. Do not categorize dynamically: The loaded database is consulted for category information.
URLs not in the database show up as category none. This mode is distinct from disabling
the service. When this option is set as the default, dynamic categorization (in either real time
or background mode) can be explicitly invoked by policy. When the service is disabled, no
dynamic categorization is done, regardless of policy, and the ProxySG does not make any
contact with the dynamic categorization service.
2. Categorize dynamically in the background: Objects not categorized by the database are
dynamically categorized as time permits. Proxy requests are not blocked while the dynamic
categorization service is consulted. Objects not found in the database appear as category
Pending, indicating that categorization was requested but the object was served before the
response was received.
3. Categorize dynamically in real time: This is the default. Objects not categorized by the
database are dynamically categorized. If this entails consulting the dynamic
categorization service, the proxy request is blocked until the service responds. The advantage
of real-time mode dynamic categorization is that policy has access to the results of
dynamic categorization, which means that policy decisions are made immediately upon
receiving all available information.
The slide above shows how the dynamic categorization service has categorized a page it was
asked to analyze. The following fields are highlighted:
Probability: The normalized probability calculated from each token (such as a word on the
page) represents the probability that the entire page is in language Y and that it belongs to
category X. In the example shown above, the page is very likely to be in English. The normalized
probability is 1.00; in other words, the categorization service is convinced that it indeed is
English. Also, this page very likely belongs to the category Sports/Recreation/Hobbies.
Pages are first categorized by language and then by category.
Threshold: This is the normalized minimum probability value for a given category to reach
the designated precision and recall values.
Precision (Accuracy): This determines how accurate the service is. For instance, out of 100 sites
that the service marked as Pornography, how many are correctly categorized? If the service
claims 100 pages to be category X and 85 of them actually are category X, then the precision is
0.85.
Recall (Coverage): This defines the ability of the categorization service to catch all of the sites
in a certain category. If the service has processed 100 sites that are in the pornography
category, how many were categorized correctly? A recall value of 0.85 means that out of 100
pages that actually are category X, the service categorizes 85 of them correctly. The goal for a
tool such as dynamic categorization is to find a sweet spot where the precision is high enough
without compromising the recall value. Recall and precision move in opposite directions as
the threshold is adjusted; when one gets better, the other one gets worse. WebFilter aims for
85% to 90% precision. Blue Coat has by far the fewest false positives in any published testing
of content filtering vendors.
The dynamic categorization service does not return a categorization to the requesting ProxySG
unless the recall and precision values are within specific parameters that Blue Coat defines. For
instance, if you process the site http://www.jal.co.jp through the service, you get the result Unrated.
In actuality, the categorization service has correctly identified that the language is Japanese and
the category is Travel; however, the recall value is too low for the service to be confident enough to
return the categorization of Travel.
For more details about the mathematical theory behind dynamic categorization, refer to the
Conditional Probability appendix of this book.
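The mechanics behind the Probability, Threshold, Precision and Recall fields can be made concrete with a toy classifier. The Python below is an added example written for this book, not Blue Coat's classifier and not code from the course: it combines per-token evidence into a normalized probability per category, returns a category only when that probability reaches the category's threshold (otherwise "Unrated", as in the jal.co.jp case above), and computes precision and recall from a labeled sample. The token likelihoods, the thresholds and the sample pages are constructed, and far smaller than anything a real service uses.

```python
"""Token-based category scoring with thresholds, plus precision and recall.

Added example, not part of the course and not Blue Coat's classifier. It shows
the mechanics described above: per-token evidence is combined into a
normalized probability for each category, a category is returned only when
its probability reaches that category's threshold (otherwise the page comes
back "Unrated"), and precision and recall are computed from a labeled sample.
The token likelihoods, thresholds and sample pages are constructed.
"""
import math

# Constructed P(token | category) tables.
TOKEN_MODEL = {
    "Sports/Recreation/Hobbies": {"match": 0.08, "team": 0.07, "score": 0.06,
                                  "ticket": 0.02, "flight": 0.005},
    "Travel": {"flight": 0.09, "hotel": 0.08, "ticket": 0.05,
               "team": 0.004, "match": 0.003},
    "News/Media": {"match": 0.02, "team": 0.02, "flight": 0.02,
                   "ticket": 0.01, "score": 0.01, "hotel": 0.01},
}
UNSEEN = 1e-4   # likelihood for a token a category has no entry for (smoothing)

# Constructed thresholds in the style of the slide's table. None plays the
# role of NEVER: the category is never returned by dynamic rating.
THRESHOLDS = {"Sports/Recreation/Hobbies": 0.58, "Travel": 0.95, "News/Media": None}

# Constructed labeled pages: (tokens found on the page, true category).
SAMPLE_PAGES = [
    (["match", "team", "score"], "Sports/Recreation/Hobbies"),
    (["flight", "hotel", "ticket"], "Travel"),
    (["flight", "ticket"], "Travel"),
    (["ticket", "team"], "Travel"),
    (["hotel", "flight", "hotel"], "Travel"),
    (["team", "ticket", "match"], "Sports/Recreation/Hobbies"),
]


def category_probabilities(tokens):
    """Normalized probability per category (uniform prior, tokens treated as independent)."""
    log_scores = {cat: sum(math.log(model.get(t, UNSEEN)) for t in tokens)
                  for cat, model in TOKEN_MODEL.items()}
    top = max(log_scores.values())          # subtract the max before exp to avoid underflow
    weights = {cat: math.exp(s - top) for cat, s in log_scores.items()}
    total = sum(weights.values())
    return {cat: w / total for cat, w in weights.items()}


def rate(tokens, thresholds=THRESHOLDS):
    """Return (category, probability); category is "Unrated" when the best one misses its threshold."""
    probs = category_probabilities(tokens)
    best = max(probs, key=probs.get)
    threshold = thresholds.get(best)
    if threshold is None or probs[best] < threshold:
        return "Unrated", probs[best]
    return best, probs[best]


def precision_recall(predicted, truth, category):
    """Precision and recall of one category over paired prediction/truth lists."""
    tp = sum(p == category and t == category for p, t in zip(predicted, truth))
    fp = sum(p == category and t != category for p, t in zip(predicted, truth))
    fn = sum(p != category and t == category for p, t in zip(predicted, truth))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def evaluate(thresholds=THRESHOLDS, pages=SAMPLE_PAGES):
    """Rate every sample page and return {category: (precision, recall)}."""
    predicted = [rate(tokens, thresholds)[0] for tokens, _ in pages]
    truth = [label for _, label in pages]
    return {cat: precision_recall(predicted, truth, cat)
            for cat in thresholds if thresholds[cat] is not None}


if __name__ == "__main__":
    print(rate(["flight", "ticket"]))        # Travel scores about 0.94, below its 0.95 threshold
    print(evaluate())
    print(evaluate({**THRESHOLDS, "Travel": 0.90}))
```

With the constructed thresholds the page made of "flight" and "ticket" scores about 0.94 for Travel and comes back Unrated, just as the text describes for jal.co.jp. Lowering the Travel threshold to 0.90 raises Travel recall from 0.50 to 0.75 with precision unchanged on this sample; raising the Sports threshold to 0.97 pushes precision to 1.00 but halves recall, which is the trade-off the text refers to.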
Local Database
Custom categories
Custom allowed list
Custom denied list
Internal URLs
Performance and security
Hash list
Does not require Management Console access
Slide 1010: Local database
You can create your own local database file and download it to the ProxySG. This file is created in
the same way that policy files are created, except that only Define Category statements are
allowed in the local database. You might find it convenient to put your local database on the same
server as any policy files you are using.
However, some restrictions apply to a local database that do not apply to policy definitions:
No more than 200 separate categories are allowed.
Category names must be 32 characters or less.
A given URL pattern can appear in no more than four category definitions.
You can use any combination of the local database, policy files, or the VPM to manage your
category definitions. You can also use both a local database and a third-party vendor for your
content filtering needs.
If you have extensive category definitions, Blue Coat recommends that you put them into a local
database rather than into a policy file. The local database stores custom categories in a more
scalable and efficient manner, and separates the administration of categories from policy.
Like the WebPulse database, the local database is checked for updates every five minutes, and
such checks can be restricted to a specific range of hours each day.
Here is an example of a local database file:
define category mycompany_allowed
    bluecoat.com
    symantec.com
    kaspersky.com
    sophos.com
    microsoft.com
end
define category mycompany_denied
    www.playboy.com
    www.hacking.com
    www.sex.com
end
define category mycompany_internal
    intranet.mycompany.com
    webmail.mycompany.com
    401k.mycompany.com
end
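Because the local database is maintained outside the ProxySG, it is worth checking a file against the restrictions listed above before the appliance downloads it. The Python below is an added example written for this book, not SGOS code: it parses the define category ... end format shown above, reports violations of the three restrictions (200 categories, 32-character names, a pattern in at most four categories), and looks a URL up against the parsed categories. The matching rule in lookup() is an assumption made for the example (a bare domain matches that host and its subdomains; a pattern with a path matches URLs whose path starts with it), and the sample file is constructed.

```python
"""Parser and validator for a ProxySG local database file.

Added example, not part of the course and not SGOS code. It parses the
"define category ... end" blocks in the format shown above and checks the
three restrictions the text lists: at most 200 categories, category names of
at most 32 characters, and no URL pattern in more than four categories. The
matching rule in lookup() is an assumption made for this example: a bare
domain pattern matches that host and any subdomain of it, and a pattern with
a path matches URLs whose path starts with that path. The sample file is
constructed.
"""
import re
from collections import defaultdict

MAX_CATEGORIES = 200
MAX_NAME_LENGTH = 32
MAX_CATEGORIES_PER_PATTERN = 4

# Constructed sample with the same shape as the file above (";" starts a comment).
SAMPLE_DB = """\
; local database for the mycompany ProxySG
define category mycompany_allowed
    bluecoat.com
    symantec.com
end
define category mycompany_denied
    www.denied-site.test
    bluecoat.com/forums
end
define category mycompany_internal
    intranet.mycompany.test
    webmail.mycompany.test
end
"""


def parse_local_db(text):
    """Return {category: [pattern, ...]}; raise ValueError on anything but define/end blocks."""
    categories, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"define\s+category\s+(\S+)", line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: define category inside another definition")
            current = m.group(1)
            categories.setdefault(current, [])
        elif line == "end":
            if current is None:
                raise ValueError(f"line {lineno}: end without define category")
            current = None
        elif current is not None:
            categories[current].append(line.lower())
        else:
            raise ValueError(f"line {lineno}: only define category statements are allowed")
    if current is not None:
        raise ValueError("missing end for the last category")
    return categories


def validate(categories):
    """Return the list of restriction violations; an empty list means the file is acceptable."""
    problems = []
    if len(categories) > MAX_CATEGORIES:
        problems.append(f"{len(categories)} categories exceed the limit of {MAX_CATEGORIES}")
    for name in categories:
        if len(name) > MAX_NAME_LENGTH:
            problems.append(f"category name longer than {MAX_NAME_LENGTH} characters: {name}")
    users = defaultdict(set)
    for name, patterns in categories.items():
        for pattern in patterns:
            users[pattern].add(name)
    for pattern, names in users.items():
        if len(names) > MAX_CATEGORIES_PER_PATTERN:
            problems.append(f"pattern {pattern} appears in {len(names)} categories")
    return problems


def _matches(pattern, host, path):
    pattern_host, _, pattern_path = pattern.partition("/")
    host_ok = host == pattern_host or host.endswith("." + pattern_host)
    path_ok = not pattern_path or path.startswith("/" + pattern_path)
    return host_ok and path_ok


def lookup(categories, url):
    """Categories whose patterns match url; an empty set means the URL is unrated locally."""
    rest = url.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    host, path = host.lower(), "/" + path
    return {name for name, patterns in categories.items()
            if any(_matches(p, host, path) for p in patterns)}


if __name__ == "__main__":
    cats = parse_local_db(SAMPLE_DB)
    print(validate(cats) or "no restriction violations")
    print(lookup(cats, "http://www.bluecoat.com/forums/thread/1"))
```

A URL can land in more than one category (here the bluecoat.com forums page is both allowed and denied); as the text says, the database itself blocks nothing, so it is the policy that must decide which category wins. Note that a host such as notbluecoat.com does not match the bluecoat.com pattern, because the suffix test requires the dot.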
Slide 1011: Local database
The ProxySG allows you to use up to four URL content filters at the same time. You can use any of
the following:
WebFilter.
Any single third-party content filter. Websense, SmartFilter, Proventia, and Optenet are
supported in the Management Console; legacy filters SurfControl, iFilter, Intersafe and
WebWasher must be administered through the ProxySG command line interface. If you are
using a legacy content filter, check with the database supplier to determine whether the filter's
database continues to be updated.
A local database.
The database from the Internet Watch Foundation, a charitable organization based in the
United Kingdom that offers an online service for anyone in the world to report on content that
is potentially illegal. Acting on reports received from the public, the IWF produces a blacklist
of Internet sites and content that is deemed in contravention to UK laws.
You cannot use two third-party content filtering databases together. The most common
configuration is to use WebFilter and the local database. You can configure the ProxySG to
download the updates for each of the enabled content filtering lists. It is good practice to make
sure that they do not all happen at the same time.
In general, updates are incremental; for instance, if you are on version 100 of a database and the
vendor is on version 103, you only get the updates from 100 to 101, from 101 to 102, and from 102
to 103. If you are more than two weeks behind in your updates, WebFilter downloads the entire
database, which is faster and more efficient than performing 14 or more incremental updates.
An advantage of the local database is that you can configure and maintain it without requiring
access to the ProxySG. An administrator can manage the local database file without having any
permission on the ProxySG itself; the ProxySG can be configured to check for updates to the local
database and automatically install them.
Slide 1012: Private networks (flowchart: the private subnet list and the private domain list determine whether a remote WebPulse lookup is made)
Although the information collected by WebPulse is limited to generally benign items such as
URLs, HTTP Referer headers, and HTTP User-Agent headers, there are cases in which just a URL
or a header can contain private information that should not be sent across the Internet or stored in
a third-party database. You can define a list of private networks on the ProxySG; data from these
nonroutable addresses is not sent to WebPulse. The above flowchart shows how private networks
factor into the decision by the ProxySG whether to send data to WebPulse.
The following information is not sent to WebPulse:
Any host identified by a nonroutable IP address.
Any host with a DNS lookup that resolves to a nonroutable IP address.
Any host that is explicitly configured as private. These hosts may or may not be strictly
private, but this capability allows a host to be excluded even if it has a routable IP address.
Any HTTP Referer header that matches the above conditions.
To maintain data about private networks, the Management Console supports two lists: private
subnets and private domains. To edit and view these lists, go to Configuration> Network> Private
Network. By default, the list of private subnets contains nonroutable addresses 0.0.0.0/8,
127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.168.0.0/16, 224.0.0.0/3, and 10.0.0.0/8, and the list
of private domains is empty.
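The decision described above can be checked against the default subnet list with a few lines of code. The Python below is an added example written for this book, not SGOS code: it applies the four conditions (literal nonroutable address, name that resolves to a nonroutable address, explicitly configured private domain, and a Referer meeting any of these) to a URL and its Referer. The private-subnet list is the default list from the text; DNS is replaced by a constructed lookup table so the example runs offline. Note that the default list in the text contains only IPv4 ranges, so an IPv6 loopback or link-local host would not be treated as private by this code unless the list is extended.

```python
"""Decide whether a request's URL and Referer may be sent to WebPulse.

Added example, not part of the course and not SGOS code. It applies the rules
listed above: a host that is a nonroutable IP address, a host whose name
resolves to a nonroutable address, a host on the private-domain list, and a
Referer header meeting any of the same conditions stay on the box. The
private-subnet list is the default list from the text; the resolver is a
constructed lookup table standing in for DNS so that the example runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

# Default private subnets from the text (IPv4 only; extend for IPv6 if needed).
DEFAULT_PRIVATE_SUBNETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Constructed stand-in for DNS (hostname -> address).
FAKE_DNS = {
    "intranet.mycompany.test": "10.1.2.3",
    "www.bluecoat.com": "203.0.113.10",      # documentation address, routable for this purpose
    "partner.example.test": "198.51.100.7",  # documentation address, routable for this purpose
}


def is_private_ip(address, subnets=DEFAULT_PRIVATE_SUBNETS):
    """True when the address falls inside one of the private subnets."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in subnets)


def host_is_private(host, private_domains=(), resolver=FAKE_DNS, subnets=DEFAULT_PRIVATE_SUBNETS):
    """Apply the three host rules from the text, cheapest check first."""
    host = host.lower().rstrip(".")
    try:                                     # 1. the host is a literal IP address
        return is_private_ip(host, subnets)
    except ValueError:
        pass
    for domain in private_domains:           # 2. explicitly configured private domain
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    resolved = resolver.get(host)            # 3. the name resolves to a nonroutable address
    return resolved is not None and is_private_ip(resolved, subnets)


def may_send_to_webpulse(url, referer=None, private_domains=(), resolver=FAKE_DNS):
    """True only when neither the URL's host nor the Referer's host is private."""
    for candidate in (url, referer):
        if not candidate:
            continue
        host = urlsplit(candidate).hostname or ""
        if host_is_private(host, private_domains, resolver):
            return False
    return True


if __name__ == "__main__":
    print(may_send_to_webpulse("http://www.bluecoat.com/"))                                   # True
    print(may_send_to_webpulse("http://www.bluecoat.com/", referer="http://10.0.0.5/wiki"))  # False
```

The Referer check matters in practice: a public URL is still withheld when it was reached from an internal page, because the Referer header would otherwise carry the internal hostname (and possibly a path) to the cloud service.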
Chapter 11: Authentication
Authentication refers to the option of challenging users to submit proper credentials (username and
password) before their requests are allowed to go through the proxy. This chapter details the
authentication challenges that can be handled by the Blue Coat ProxySG. In general, there are
three main reasons why users may be challenged for authentication:
They attempt to access the Management Console or CLI.
They attempt to access the Internet. (You can limit access through the ProxySG to authorized
users.)
They request a specific resource on the Internet (password-protected page or file).
The first two instances are controlled by the ProxySG directly; the administrator decides the
authentication and security policies.
The third authentication type is independent from the ProxySG; however, the proxy can handle
the request and pass it to the user and back to the origin content server transparently. This chapter
focuses on this type of authentication.
You can take steps to make access to the policy and configuration more secure. For instance, it is a
good idea to give selective read and write permission to modify the policies on the ProxySG,
based on Microsoft Active Directory or LDAP groups.
It is also recommended that you authenticate users before granting them access to the Internet.
This is a good practice for both security and auditing: You do not want unauthorized devices on
your network to connect to the Internet, and you want to keep an accurate log of who is accessing
which resource.
A realm authenticates and authorizes users for access to ProxySG services using either explicit
proxy or transparent proxy mode. Multiple authentication realms can be used on a single
ProxySG. Multiple realms are essential if the enterprise is a managed service provider or if the
company has merged with or acquired another company. Even for companies using only one
protocol, multiple realms might be necessary. This would be the case for a company using an
LDAP server with multiple authentication boundaries. You can use realm sequencing to search
multiple realms at once.
Slide 111: Explicit proxy authentication (figure: the client sends GET http://www.bluecoat.com HTTP/1.1 to the proxy, receives HTTP/1.1 407 Proxy Authentication Required, and resends the GET request with authentication credentials; the proxy checks them against the authentication server before contacting www.bluecoat.com)
The HTTP 407 response code is defined to handle proxy authentication requests. The
authentication mechanism in HTTP for proxy-based connections is straightforward:
1. When the user agent makes its first request, the proxy returns an HTTP 407 response message
(407 Proxy Authentication Required), asking the user to authenticate. The browser resends the
same request, but this time it includes the authentication credentials (username and password)
in a Proxy-Authorization header. The credentials are, in general, passed in plaintext using Base64
encoding, which anyone who captures the request can reverse. NTLM is the most notable
exception: the message is Base64-encoded, but NTLM does not transmit the password over the
network.
2. The proxy passes the authentication credentials to the authentication server and receives the
response, indicating whether the credentials are valid.
3. If the credentials are valid, the proxy then accesses the origin content server on behalf of the
user agent.
Once the UA is aware that it is communicating with a proxy that requires authentication, the UA
sends the authentication information with each request, regardless of the URI requested.
Most browsers cache the authentication information as long as the browser main process is
running; unless you terminate the application, you should not be prompted again for username
and password.
Once the authentication is successful, the UA keeps sending the proper authentication credentials
when requesting a URI through the proxy without prompting the user again.
Important: If the UA is not configured to use an explicit proxy, it ignores any 407 responses.
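The exchange in the three steps above, as an added example that is not part of this course's material or of the ProxySG software: a minimal explicit-proxy handler in Python that issues the 407 challenge, decodes the Basic Proxy-Authorization header the browser sends on its retry, and checks it against a constructed credential store. The realm name corp-basic and the user jdoe are hypothetical stand-ins for the authentication server. Running it also shows why Basic credentials count as plaintext: the same decode step recovers the password from a packet capture.

```python
import base64
import binascii
import hmac

# Constructed credential store standing in for the authentication server.
# The realm name and user are hypothetical; a real ProxySG forwards the check
# to the realm's back-end server.
REALM = "corp-basic"
USERS = {"jdoe": "s3cret!"}


def decode_basic(header_value):
    """Turn a 'Basic <base64>' Proxy-Authorization value into (user, password).

    Base64 is an encoding, not encryption: anyone who captures the request can
    recover the password exactly as this function does.  Returns None when the
    header is not well-formed Basic credentials.
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        text = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, ValueError):   # bad Base64 or bad UTF-8
        return None
    user, sep, password = text.partition(":")   # the password itself may contain ':'
    if not sep or not user:
        return None
    return user, password


def build_basic_header(user, password):
    """What the browser sends on its retry after the 407 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_credentials(user, password):
    """Stand-in for the realm lookup; constant-time compare avoids a timing leak."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def handle_proxy_request(headers):
    """Return (status, response_headers) as an explicit proxy would.

    No or invalid credentials -> 407 plus a Proxy-Authenticate challenge.
    Valid credentials         -> 200 (the proxy then fetches the origin server).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    auth = hdrs.get("proxy-authorization")
    creds = decode_basic(auth) if auth else None
    if creds is not None and check_credentials(*creds):
        return 200, {}
    return 407, {"Proxy-Authenticate": f'Basic realm="{REALM}"'}


if __name__ == "__main__":
    first = {"Host": "www.bluecoat.com"}
    print("first request ->", handle_proxy_request(first))
    retry = dict(first, **{"Proxy-Authorization": build_basic_header("jdoe", "s3cret!")})
    print("retry with credentials ->", handle_proxy_request(retry))
    # What a packet capture between the UA and the proxy reveals:
    print("sniffer decodes ->", decode_basic(retry["Proxy-Authorization"]))
```

The handler never stores the password; the cache the browser keeps (described above) lives on the client side, which is why closing the browser is what clears it.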
Authentication Options
Slide 11-2: Authentication options (diagram: with Force Authenticate, the client is made to authenticate and then receives Access denied; with Authenticate, a request for a prohibited resource receives Access denied without an authentication step)
The ProxySG allows you to control how users are authenticated. When you create a rule in the
Web Authentication Layer, you can decide whether the authentication supersedes a DENY
statement. You also can control whether the user can enter double-byte language credentials.
Action objects include:
Force authenticate: Forces the user to authenticate even though the request is going to be
denied for reasons that do not depend on authentication. This action is useful to identify a
user before the denial so that the username is logged along with the denial.
Authenticate: Creates an authentication object to verify users. An authentication realm must
already exist on the ProxySG.
Authentication Charset: Allows non-ASCII text in many objects, such as user and group names
and the text for the Notify User object. This object allows you to set the character set to use in
conjunction with localized policy. From the drop-down list, select a character set and click OK.
Authentication Realms
Slide 11-3: Commonly used authentication realms (IWA: Windows NT domains and Active Directory, with Basic, NTLM, and Kerberos credentials; Other realms: LDAP, RADIUS, and several others; Sequence: a list of authentication realms to be processed)
A realm configuration includes:
Realm name.
Authentication service: IWA, LDAP, RADIUS, local, certificate, sequences, eTrust SiteMinder,
Oracle COREid, policy substitution.
External server configuration: Back-end server configuration information, such as host, port,
and other relevant information based on the selected service.
Authentication scheme: The definition used to authenticate users.
Authorization scheme: The definition used to authorize users for membership in defined
groups and to check for attributes that trigger evaluation against any defined policy rules.
When you have configured your realms, you can view the realms and manage the credentials
cache for a specific realm. The ProxySG can cache authentication credentials. You can specify the
length of time, in seconds, that user and administrator credentials are cached. Credentials can be
cached for up to 3,932,100 seconds (more than 45 days). The default is 900 seconds (15 minutes). If
you specify 0 as the cache time, traffic is increased to the authentication server because each
authentication request generates an authentication and authorization request to the server.
The ProxySG supports many authentication realms. This chapter focuses on the IWA and
Sequence realms. While you might use a different realm in your organization, the fundamental
concepts of implementing authentication are virtually identical regardless of the actual realm
used. The only real difference is the type of information needed to create the realm; you should be
able to collect the necessary information.
If your realm is not among the ones discussed here, ask your instructor to cover the details of the
realm that you use in your network.
Note: One-time passwords are supported for RADIUS realms only.
IWA Realm
Slide 11-4: IWA realm (Basic credentials: username and password are sent Base64-encoded, the least secure option; NTLM credentials: Microsoft proprietary authentication, a medium security option; Kerberos credentials: the Microsoft implementation of MIT Kerberos v5, a highly secure option)
An Integrated Windows Authentication (IWA) realm authenticates users against an Active
Directory tree or an NT domain. It supports three types of credentials, each detailed below. The
client receives the list of supported credentials from the proxy. The client should choose the most
secure credential type that both sides support.
Basic authentication: This method is described in the HTTP authentication RFC (RFC 2617, now
RFC 7617). Every user agent (UA) and every OCS on the Internet must support at least basic
credentials. The username and password are encoded using Base64. Because Base64 is not
encryption, the username and password are available to anybody who can run a packet trace of
the communication between the UA and the proxy. The credentials appear as username:password
in a Proxy-Authorization header. Every browser should support basic credentials.
NTLM authentication: NT LAN Manager is a Microsoft-proprietary protocol that
authenticates users and computers based on an authentication challenge and response. The
key idea behind NTLM is to authenticate users without the password ever being exchanged
between clients and the authentication server (the domain controller or DC). NTLM is
discussed in greater detail on the following pages.
Kerberos authentication: This is the most secure and modern authentication method. It uses an
exchange of encrypted tickets, which allows client and server to mutually authenticate each
other.
NTLM Authentication
Slide 11-5: NTLM authentication (provides secure authentication: the password is not transmitted over the network; supports single sign-on but requires compatible user agents; widely used because of the prevalence of the Windows OS on desktops)
NTLM offers a medium degree of security because the actual password is never transmitted over
the network. It is medium rather than high because the challenge/response pair that does cross
the network can be captured and attacked offline, and NTLM does not authenticate the proxy to
the client.
Another benefit stemming from the close integration between Microsoft Internet Explorer and the
Microsoft Windows operating system is the ability of users to use single sign-on. In essence, users
who access the Internet through a proxy server (one that is compatible with NTLM and requires
authentication) do not need to re-enter a username and password when they open the browser for
the first time. Internet Explorer sends the user's information automatically and in the background
when it is challenged for authentication by a proxy server.
Other browsers, including Firefox, also have implemented support for single sign-on and NTLM
authentication. Note that this is a browser feature.
Because Windows is nearly ubiquitous on desktop computers, NTLM is by far the most commonly
used authentication method.
Note: Forms authentication modes cannot be used with an NTLM realm that allows only
NTLM credentials, a Policy Substitution realm, or a Certificate realm. If a form mode
is in use and the authentication realm is any of them, you receive a configuration
error.
NTLM Authentication (diagram residue: a Type 1 message carrying the domain and workstation name, followed by a Type 2 message; the rest of this slide and the pages that follow it were not recovered)

Chapter 12: Authentication Using LDAP
Slide 12-4: LDAP realm
The ProxySG supports the use of external LDAP directory servers to authenticate and authorize
users on a per-group or per-attribute basis. LDAP group-based authentication for the ProxySG can
be configured to support any LDAP-compliant directory, including:
Microsoft Active Directory server.
Novell NDS/eDirectory server.
Netscape/Sun iPlanet Directory server.
Generic LDAP.
The ProxySG also provides the ability to search for a single user in a single root of an LDAP
directory information tree (DIT), and to search in multiple base Distinguished Names (DNs).
An LDAP realm supports Basic authentication and Basic authentication over SSL.
Important: You can configure an LDAP realm to use SSL when communicating with the LDAP
server. Without SSL, the LDAP simple bind sends both the search user's password and each
user's password to the directory in clear text, so enable it whenever the directory supports it.
(Slide 12-4 diagram: the ProxySG authenticating against a generic LDAP directory)

Slide 12-5: Base DN
In configuring an LDAP realm, you need to define two key parameters: the base DN and the search
user DN. The ProxySG uses these DNs to bind to the LDAP tree and retrieve information. Some LDAP
implementations allow anonymous searches, but in general you need to provide both parameters.
The base DN defines where the ProxySG should look for the requested information. You can
have a more generic or a more specific DN. You should select the most inclusive, and yet most
specific, base DN you can. For instance, in an AD deployment like the one shown in the above
diagram, you can choose as a base DN the entire tree or a specific branch. If you define the base
DN as dc=training,dc=bluecoat,dc=com, then the ProxySG can locate entries under
both cn=Users and cn=Computers. This scenario is represented on the left side of the diagram.
If you are using only user accounts and groups to manage authentication with your LDAP realm,
you can make the base DN more specific and limit it to the branch cn=Users. The ProxySG
can then only locate entries that exist under the cn=Users,dc=training,dc=bluecoat,dc=com
branch. This scenario is represented on the right side of the diagram.
The search user DN contains the information that the ProxySG needs in order to bind to
an LDAP tree that does not allow anonymous browsing. Remember that you need to use the
user's entire DN. Also, specifically in the AD case, you cannot use the login name (stored under
the attribute sAMAccountName); you need to use the full name (stored under the attribute CN).
The easiest solution is to create a special user whose full name and login name are the
same, so that there is no confusion. The account used to bind to the LDAP tree does not need to
have any specific privilege; it does not need to be an administrator or any other superuser. Any
account that can read the directory should work, and a dedicated low-privilege account is the
right choice because its password is stored in the realm configuration.
Slide 12-6: LDAP authentication details (diagram: the ProxySG sends an LDAP BIND request as the search user and receives the BIND response; it then searches for the CN whose sAMAccountName equals the user ID and receives the search result DN, the user's full name; it then issues an LDAP BIND using the user's DN and receives the BIND response from Active Directory)
Active Directory stores the username under the attribute sAMAccountName. This attribute
cannot be used to construct a DN; you need to run a query on the AD tree using the username as a
filter.
The above diagram shows the steps that the ProxySG performs to authenticate a user in AD via
the LDAP interface. The transactions between the client and the ProxySG are omitted from the list
below.
1. The ProxySG binds to the LDAP tree using the credentials that the administrator defined in the
realm configuration under the Search user DN section.
2. The LDAP server responds to the bind request with a code of either success or failure.
3. If the bind request was successful, then the ProxySG generates an LDAP search using the
user's login name as a filter.
4. The LDAP server returns the DN associated with that particular login name.
5. The ProxySG binds to the LDAP tree using the DN returned in Step 4 and the password the
user supplied.
6. If the bind request succeeds, then the user is authenticated.
The steps described here take place only the first time a given user authenticates. The
ProxySG maintains an active connection with the LDAP server; additionally, it caches the user's
credentials for an amount of time configurable by the administrator. Credentials can be cached for
up to 3,932,100 seconds (more than 45 days). The default value is 900 seconds (15 minutes). If you
set the time to 0, this increases traffic to the LDAP server because each authentication request
generates an authentication and authorization request to the server.
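The six-step bind-search-bind sequence above, as an added Python example that is neither Blue Coat's code nor part of the course: an in-memory stand-in for the Active Directory LDAP interface (the DNs, accounts and passwords are constructed sample data), the search user bind, the sAMAccountName search and the user bind. It adds the two checks a practitioner wants around this flow: RFC 4515 escaping of the login name before it is placed in the search filter, so that a name such as * cannot widen the search, and rejection of an empty password, because an LDAP server treats a bind with a DN and no password as an anonymous bind and reports success.

```python
import hmac
import re

# Constructed in-memory stand-in for the Active Directory LDAP interface.
# DNs, account names and passwords are hypothetical sample data.
DIRECTORY = {
    "CN=Proxy Search,CN=Users,DC=training,DC=bluecoat,DC=com":
        {"sAMAccountName": "proxysearch", "userPassword": "Bind-Only-1"},
    "CN=John Doe,CN=Users,DC=training,DC=bluecoat,DC=com":
        {"sAMAccountName": "jdoe", "userPassword": "Winter2024!"},
    "CN=BRANCH-PC01,CN=Computers,DC=training,DC=bluecoat,DC=com":
        {"sAMAccountName": "BRANCH-PC01$", "userPassword": "machine-secret"},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Without it a login name such as '*' turns the equality match into a wildcard."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Server-side decoding of '\\xx' escapes (what a real LDAP server does)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def ldap_bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def ldap_search(base_dn, ldap_filter):
    """Evaluate a filter of the form (sAMAccountName=<value>) below base_dn.
    An unescaped '*' in the value is a wildcard; '\\2a' is a literal asterisk."""
    m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    pattern = re.compile("^" + ".*".join(
        re.escape(unescape_filter_value(p)) for p in m.group(1).split("*")) + "$")
    base = base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and pattern.match(attrs["sAMAccountName"])]


def authenticate(base_dn, search_user_dn, search_user_pw, login_name, password):
    """The LDAP realm flow: bind as the search user, find the user's DN by
    sAMAccountName, then bind as that DN with the user's own password."""
    if not password:
        # RFC 4513: a DN with an empty password is an *anonymous* bind that the
        # server reports as success, so it must be refused before binding.
        return False, "empty password refused"
    if not ldap_bind(search_user_dn, search_user_pw):            # steps 1-2
        return False, "search-user bind failed"
    ldap_filter = "(sAMAccountName=%s)" % escape_filter_value(login_name)
    matches = ldap_search(base_dn, ldap_filter)                  # steps 3-4
    if len(matches) != 1:
        return False, "no unique entry for login name %r" % login_name
    if not ldap_bind(matches[0], password):                      # steps 5-6
        return False, "user bind failed"
    return True, matches[0]


if __name__ == "__main__":
    users_base = "CN=Users,DC=training,DC=bluecoat,DC=com"
    search_dn = "CN=Proxy Search,CN=Users,DC=training,DC=bluecoat,DC=com"
    print(authenticate(users_base, search_dn, "Bind-Only-1", "jdoe", "Winter2024!"))
    print(authenticate(users_base, search_dn, "Bind-Only-1", "*", "Winter2024!"))
    print("unescaped '*' matches:", ldap_search(users_base, "(sAMAccountName=*)"))
```

With the base DN set to cn=Users the computer object is invisible to the search, which is the scoping effect the Base DN slide describes; with the base DN set to the domain root the same wildcard search returns all three entries.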
Chapter 13: Creating Notifications and Exceptions
The Blue Coat ProxySG can do more than let you control users' Internet activities. It also allows
you to explain your organization's Internet usage policies clearly and at the most effective time:
when users try to access questionable or forbidden pages.
Notifying users about policy when they use the Internet is a good practice, particularly when you
block access to certain types of content. Even if you install content-filtering software and write a
strict Internet usage policy, you may not see a gain in productivity unless you also tell users why
they cannot view some Web pages.
Users who cannot access a site might think a network problem has occurred and make
unnecessary calls to your organization's help desk. However, you can prevent that problem by
creating custom notification pages. These pages appear in users' browsers and tell them why
access to certain sites is forbidden or why access to other sites is officially discouraged even if it is
allowed.
The ProxySG allows administrators to create notification pages through the Visual Policy Manager
(VPM) instead of requiring them to write advanced Content Policy Language (CPL).
This chapter introduces the different kinds of notification pages and briefly explains how they are
created. A companion laboratory exercise teaches you how to create different kinds of notification
pages.
Overview
Slide 13-1: Overview (Exception pages: sent to the user in response to a policy denial, an authentication failure, or an appliance error; two types, built-in and user-defined; available in the Management Console and the CLI. Notify User objects: used for sending compliance pages (AUP) and coaching pages; available in the VPM only)
Exceptions are sent in response to certain ProxySG client requests, such as denial by policy, failure
to handle the request, and authentication failure. Exceptions are returned to users based on policy
rules defined by the administrator. For example, if a client sends a request for content that is not
allowed, an exception HTML page is returned, informing the client that access is denied. If a client
fails to properly authenticate, an exception HTML page is returned informing the client of the
authentication failure. There are two types of exceptions: built-in and user-defined.
Notify User objects display a notification page in the user's Web browser. A user must read the
notification and click an Accept button before accessing the Web content. This feature is only
configurable through the VPM.
Exception pages and Notify User objects can be designed to include substitution variables that are
particular to the given request. For example, the host name and category of the site requested, the
user's IP address and authenticated user name, and the ProxySG that is generating the exception
can be placed into the response to the user's browser.
Slide 13-2: Exceptions
Exception pages are customized Web pages (or messages) sent to users under specific conditions
defined by a company and its security policies. The ProxySG offers multiple built-in exception
pages that can be modified for a company's particular needs. Built-in exception pages are always
available and can have their contents customized; however, built-in exceptions cannot be
deleted, and you cannot create new built-in exceptions. Built-in exception pages include
authentication_failed, policy_denied, and so on.
Additionally, user-defined exception pages can be created by the administrator. In a user-defined
exception page, you can write a more specific, detailed message than the ones contained in the
built-in exception pages. You also can use HTML or JavaScript code in writing the page or add
links to external resources, such as images.
Built-in and user-defined exceptions can be used as an action object when creating policy in the VPM
or through CPL.
(Slide 13-2 diagram: the exception hierarchy, with built-in exceptions named exception_name and administrator-created exceptions named user-defined.exception_name)
Exception Page Components
Slide 13-3: Exception page components (screenshot of the Access Denied (policy_denied) page, annotated with the $(exception.id), $(exception.details), $(exception.help) and $(exception.contact) substitutions that fill each part of the page)
Each exception definition (whether built-in or user-defined) contains the following elements:
Identifier: Identifies the type of exception. For user-defined exceptions, the identifier is the
name specified upon creation.
Format: Defines the appearance of the exception. For an HTTP exception response, the format
is an HTML file. For other protocols, where the user agents are not able to render HTML, the
format is commonly a single line.
Summary: A short description of the exception that labels the exception cause. For example,
the default policy_denied exception summary is Access Denied.
Details: The default text that describes the reason for displaying the exception. For example, the
default policy_denied exception (for HTTP) detail is Your request has been denied by system
policy.
Help: An informative description of common possible causes and potential solutions for users
to take. For example, if you want the categorization of a URL reviewed, you can append the
$(exception.category_review_url) and $(exception.category_review_message) substitutions to the
$(exception.help) definition. You must first enable this capability through the content filtering
configuration.
Contact: Used to configure site-specific contact information that can be substituted in all
exceptions. Although it is possible to customize contact information on a per-exception basis,
customizing the top-level contact information is sufficient in most environments.
HTTP-Code: The HTTP response code to use when the exception is issued. For example, the
policy_denied exception by default returns the 403 Forbidden HTTP response code.
Slide 13-4: Exceptions, creating and editing (CLI commands: create <exception name>, delete <exception name>, edit <exception name>)
You can create or edit an exception with installable lists in the Management Console. The
exception installable list uses the Structured Data Language format. This format provides an
effective method to express a hierarchy of key/value pairs. The Management Console allows you
to create and install exceptions through a text editor, a local file, or a remote URL. Additionally, you
can create or edit an exception through the CLI.
Exception pages are defined within a hierarchy, and parent exceptions can provide default values
for child exceptions. There are two parent exceptions from which other exceptions are derived:
exception.all and exception.user-defined.all. The general form of an exception is:
    (exception.<exception-id>
        (contact )   ; contact information for further assistance
        (details )   ; the reason why the exception was sent
        (format )    ; the page format, specifically HTML content
        (help )      ; the help message
        (summary )   ; a summary of the message
        (http        ; protocol-specific values that override the fields above
            (code )  ; HTTP return code (typically 200 OK or 403 Forbidden)
            (contact )
            (details )
            (format )
            (help )
            (summary )
        )
    )
When defining the above fields, you can reference substitution variables such as the authenticated
username, client IP address, time, date, and so on, allowing you to make user-specific messages.
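The hierarchy and substitution rules described above, as an added Python example that is not from the course or from SGOS: a small parser for the installable-list format, resolution of a child exception through exception.user-defined.all and exception.all so that parents supply defaults, and expansion of $(...) substitutions. The sample definitions, the user-defined no_social exception and the $(url.host) and $(exception.category) substitution names are constructed for illustration.

```python
import re

# Constructed sample in the exception installable-list format. The no_social
# exception, its text and the $(url.host) / $(exception.category) names are
# assumed for illustration; ';' starts a comment as in the course's own listing.
SAMPLE_SDL = '''
(exception.all
  (contact "For assistance, contact your network support team.")
  (help "")
  (http (code 200)))          ; parent of every exception
(exception.policy_denied
  (details "Your system policy has denied the requested action.")
  (summary "Access Denied")
  (http
    (code 403)
    (details "Your system policy has denied access to the requested URL.")))
(exception.user-defined.all
  (http (code 403)))          ; parent of every user-defined exception
(exception.user-defined.no_social
  (summary "Social media blocked")
  (details "$(url.host) is in category $(exception.category). $(exception.contact)"))
'''


def tokenize(text):
    """Split SDL text into '(' / ')' and (kind, value) tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == ";":                       # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "()":
            tokens.append(c)
            i += 1
        elif c == '"':                       # quoted string, backslash escapes next char
            j, buf = i + 1, []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n:
                    j += 1
                buf.append(text[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated string")
            tokens.append(("str", "".join(buf)))
            i = j + 1
        else:                                # bare symbol such as exception.all or 403
            j = i
            while j < n and not text[j].isspace() and text[j] not in '();"':
                j += 1
            tokens.append(("sym", text[i:j]))
            i = j
    return tokens


def parse(tokens):
    """Build nested lists: each '(' ... ')' becomes [head, child, ...]."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok[1])
    if len(stack) != 1:
        raise ValueError("missing ')'")
    return stack[0]


def to_entry(node):
    """(name child...) -> (name, value); value is a dict of sub-fields or a string."""
    name, rest = node[0], node[1:]
    if rest and all(isinstance(r, list) for r in rest):
        return name, dict(to_entry(r) for r in rest)
    return name, " ".join(rest)              # (code 403) -> "403", (contact) -> ""


def load_exceptions(text):
    return dict(to_entry(n) for n in parse(tokenize(text)))


FIELDS = ("summary", "details", "help", "contact", "format", "code")


def lookup(exc, field, protocol):
    """Protocol sub-block first, then the exception's own top-level field."""
    if not isinstance(exc, dict):
        return ""
    sub = exc.get(protocol)
    if isinstance(sub, dict) and sub.get(field):
        return sub[field]
    value = exc.get(field)
    return value if isinstance(value, str) else ""


def resolve(exceptions, exc_id, protocol="http"):
    """Walk child -> exception.user-defined.all -> exception.all for each field."""
    chain = ["exception." + exc_id]
    if exc_id.startswith("user-defined."):
        chain.append("exception.user-defined.all")
    chain.append("exception.all")
    resolved = {"id": exc_id}
    for field in FIELDS:
        resolved[field] = next((v for v in (lookup(exceptions.get(n), field, protocol)
                                            for n in chain) if v), "")
    return resolved


SUBST = re.compile(r"\$\(([A-Za-z0-9_.-]+)\)")


def render(exceptions, exc_id, request_vars, protocol="http"):
    """Resolve the exception, then expand $(name) from the request context
    and from the exception's own resolved fields (e.g. $(exception.contact))."""
    resolved = resolve(exceptions, exc_id, protocol)
    ctx = dict(request_vars)
    ctx.update({"exception." + k: v for k, v in resolved.items()})
    out = {k: SUBST.sub(lambda m: ctx.get(m.group(1), ""), v) for k, v in resolved.items()}
    out["code"] = int(out["code"]) if out["code"] else 200
    return out


if __name__ == "__main__":
    exc = load_exceptions(SAMPLE_SDL)
    print(render(exc, "policy_denied", {"url.host": "www.notsogoodsite.com"}))
    print(render(exc, "user-defined.no_social",
                 {"url.host": "social.example", "exception.category": "Social Networking"}))
```

Note that a field left empty in a child (such as the help text here) falls through to the parent, so an empty (help "") in a child does not suppress a parent's help text; set it explicitly if you want it blank.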
Managing exceptions via the CLI: from #(config exceptions), select an exception and set its fields with http-code <code> (for example, 403) and inline <parameter> <eof marker>, where the parameter is one of summary, details, format, help, or contact.
Slide 13-5: Default policy
The default proxy transaction policy is either to deny proxy transactions or to allow proxy
transactions. A default proxy transaction policy of Deny prohibits proxy-type access to the
ProxySG: you must then create policies to explicitly grant access on a case-by-case basis. Your
browser displays an access-denied page in such a situation.
The default proxy policy depends on how you installed SGOS and whether it was a new
installation or an upgrade:
MACH5 Edition: The default setting is Allow.
Proxy Edition: The default depends on how you configured your ProxySG:
If SGOS was installed using the front panel or through the serial console, the default
setting is Deny.
If you upgraded SGOS from a previous version, the default policy remains the same as it
was for the previous version.
(Slide 13-4 diagram: the built-in policy_denied exception definition)
    (exception.policy_denied
        (contact "")
        (details "Your system policy has denied the requested action.")
        (format "")
        (help "")
        (summary "Access Denied")
        (http
            (code 403)
            (contact "")
            (details "Your system policy has denied access to the requested URL.")
            (format "")
            (help "")
            (summary "")
        )
    )
Note: The default proxy policy does not apply to admin transactions. By default, admin
transactions are denied unless you log in using console account credentials or if
explicit policy is written to grant read-only or read-write privilege.
Notify User Objects
Slide 13-6: Notify user objects (used for special pages: splash and coaching pages; based on HttpOnly cookies, so the user agent must support cookies; generates a large amount of CPL code and is difficult to troubleshoot)
The notify user feature is designed to provide the following functionality:
Web-use compliance: A compliance page is a customized notification page displayed when a
user attempts to access the Internet. This page ensures employees read and understand the
company's Acceptable Usage Policy before Internet use is granted.
Coach users: A coaching page displays when a user visits a website that is blocked by content
filtering policy. This page explains why the site is blocked and the consequences of unauthorized
access, and provides a link to the site if business purposes warrant access.
Splash Page
Slide 13-7: Splash page (diagram: the first request of the day, for http://www.firstsiteoftheday.com, is answered with the splash page; the user clicks Accept and the requested page is delivered; a later request for http://www.anothersitetoday.com is delivered directly unless it is time to splash again, in which case the splash page is returned first)
Splash pages can be used to deliver any message to users. They often notify users of an
organization's Acceptable Usage Policy for the Internet or inform them of an event, such as a
planned network outage.
Splash pages generally appear at a specific time. For instance, a splash page reminding users of the
AUP could appear each time they launch their browsers.
When splash pages appear, users are not prevented from accessing any websites or other
resources. If the page appears when users type a URL, they can access the site they requested by
clicking the reload button in their browsers. If the splash page appears when the browser opens,
users can access the site they want by typing the URL or selecting a bookmark as usual.
In the above diagram, the administrator has defined a splash page to be presented to each user
once per day.
1. The user requests a page for the first time in the day, so the ProxySG presents a splash page.
The user clicks Accept on the splash page, and the requested page is delivered.
2. The same user then requests another page. If the splash time limit has not expired, then the
page is delivered.
3. If the splash time limit has expired, then the splash page is presented and a new time period
begins.
A ProxySG splash page requires a cookie-enabled user agent in order to work properly.
Coaching Page
Slide 13-8: Coaching page (diagram: the user requests http://www.notsogoodsite.com and receives the coaching page, clicks Accept, and receives the requested page; the user then requests http://www.anotherbadone.com and again receives the coaching page, clicks Accept, and receives the requested page)
Coaching pages have a dual purpose: they notify users that a website or other resource is contrary
to the organization's AUP, and they also allow users to access it. Coaching pages are sometimes
called burn-through pages.
When users see a coaching page, they are informed that their organization's AUP prohibits them
from viewing certain content. However, the coaching page also offers a link to the resource along
with a warning that users' activity will be monitored and reported.
You might find it useful to use both exception and coaching pages. For instance, you might want
to block users from adult sites and return exception pages when they try to access them. You
might want to discourage traffic to travel or Web email sites and return coaching pages when
users attempt to view them.
In the above diagram, the administrator has defined a coaching page to be presented whenever a
user requests a page that is prohibited by the organization's AUP.
1. The user requests a prohibited page, so the ProxySG presents a coaching page. The user clicks
Accept on the coaching page, and the requested page is delivered.
2. The same user then requests another prohibited page. Even though a coaching page was
presented for the request in Step 1, the ProxySG presents the coaching page again, this time for
the second prohibited page.
A ProxySG coaching page requires a cookie-enabled user agent in order to work properly.
Notify User Configuration
Slide 13-9: Configuring notifications (screenshot of the Notify User object dialog: the notification HTML, the virtual URL, the scope of the notification, and the renotification interval)
The Notify User object can be used as an action in the Web Access Layer. Notify User objects can
only be created and customized through the VPM; this feature is not available through the CLI.
Once you have selected the Notify User object, select the customization options. Options include
the HTML text of the notification, a virtual URL for storage of cross-domain cookies, the scope of
the notification, and the frequency of renotification. You can combine the Notify User action with
other triggers available in the Web Access Layer.
Chapter 14: Access Logging
Access logging on the Blue Coat ProxySG allows you to track traffic for the entire network or
specific information on user or department usage patterns. Each time a user requests a resource,
the proxy saves information about that request to a file for later analysis. The information stored is
called a log. In addition to Web policy management, content filtering, and Web content virus
scanning, companies can implement monitoring schemes through the access logging feature.
Access logging gives companies the ability to audit all traffic for both external and internal content
requests.
Access logs can be directed to one or more log facilities, which associate the logs with their
configured log formats and upload schedules.
Stored data can be automatically uploaded to a remote location for analysis and archival purposes.
Uploads can take place using HTTP, FTP, or one of several vendor-specific protocols. Once
uploaded, reporting tools such as Blue Coat Reporter can be used to analyze log files. These logs
and the reports generated from them can be made available in real time or on a scheduled basis.
Reporter is a full-featured tool with many options and possible uses that are beyond the scope of
this course. Separate training courses in Reporter are available from Blue Coat and Blue Coat
Authorized Training Centers.
After studying this chapter, you will understand:
The components of a ProxySG access log facility.
How to create and upload access logs.
How to specify the contents of access logs.
How to use the Visual Policy Manager to modify access logging parameters.
Slide 14-1: Access logging (records transaction information, specific to each protocol, needed to run reports, and customizable; tracks usage for the entire network or for specific user or department usage patterns)
Access logging helps you to track Web usage for the entire network or to gather specific
information on user or department usage patterns. The ProxySG supports access logging to help
you monitor Web usage. Monitoring allows you to detect and remedy failures and, when done
proactively, to anticipate and resolve potential problems before they result in poor performance or
failure.
The ProxySG creates access logs for all traffic flowing through the appliance. Each network
protocol can create an access log record at the end of each transaction. For example, the ProxySG
can create access logs for each HTTP request from the client. The access logs, each containing a
single logical file and supporting log format, are managed by policies created through the Visual
Policy Manager or Content Policy Language.
Access logs can be uploaded to a remote server and then analyzed using Reporter.
Slide 14-2: Log facilities
A log facility is not just a log file; it is also all of the many characteristics and behaviors associated
with a log file. The facility also controls the upload schedule, how often to rotate the logs at the
destination, any passwords needed, the point at which the facility can be uploaded, and so on.
Three key parameters define a log facility:
Log name: An arbitrary alphanumeric name for the log file (main in the above example).
Log type: Defines the type of entries in an access log. The ProxySG supports several standard
log types, including NCSA Common, SQUID-compatible, and the World Wide Web
Consortium (W3C) Extended Log File Format (ELFF).
Log format: Defines the specific information about a transaction that is stored in the access
log. Each log format is of exactly one log type. You can use a predefined log format, or you can
create a custom one and select the transaction parameters you want to monitor.
The upload schedule allows you to configure the frequency of the access-log upload to a
remote server, the time between connection attempts, the time between keep-alive packets, the
time at which the access log is uploaded, and the protocol that is used. Log rotation helps prevent
logs from growing too large. Especially with a busy site, logs can grow quickly and become too big
for easy analysis. With log rotation, the ProxySG periodically creates a new log file and archives
the older one without disturbing the current log file.
You can define specific behaviors in the log facility, most importantly how to control the
maximum size allocated to a log facility and how to handle critical scenarios:
Configure the maximum size occupied by all of the log files.
Specify the behavior of the log when the maximum size is reached. You can have the log stop
logging (and do an immediate upload) or have it delete the oldest log entries. If you decide to
start an early upload, then you can specify the size of the log that triggers this event.
Configure how to upload the logs from the ProxySG to an FTP, HTTP, or Reporter server. You
can stream the data continuously from the ProxySG to the target server, or you can batch bulk
data from the ProxySG to the target server at selected intervals.
Log Facilities (slide: the log facility configuration dialog for the main log, showing the log type choices NCSA Common and W3C Extended Log File Format (ELFF), the log format, and the encryption and signing settings)
Slide 14-3: Log creation
Access logs contain data about user requests and the corresponding responses from Web servers.
An access log record is created only after a transaction is complete. These records are stored on the
disk of the ProxySG and can be made available for analysis later.
The above diagram shows the steps in the creation of an access log:
1. The client sends a request for a resource.
2. The ProxySG then sends this request to the origin content server.
3. The OCS replies with a response to the ProxySG.
4. The ProxySG records this transaction and saves a copy of the response object in its cache.
5. The ProxySG sends the response to the client.
6. An access log entry for this entire transaction is created after the client receives the response
from the ProxySG.
BlueTouch Training Services BCCPA Course v3.5.1
Log Creation (slide diagram: client, ProxySG, origin content server and Reporter server)
Note: If the connection is denied or the content is served from the cache, Steps 2 and 3 are
completed by the ProxySG.
Slide 14-4: Periodic upload
The ProxySG can upload access logs to a remote server using different types of upload clients.
During the uploading process, the access logs can be digitally signed and encrypted for security.
You can digitally sign access logs to certify that a particular ProxySG wrote and uploaded this log
file. Signing is supported for both content types (text and gzip) and for both upload types
(continuous and periodic). Each log file has a signature file associated with it that contains the
certificate and the digital signature for verifying the log file. The signature file has the same name
as the access log file but with a .sig extension; that is, filename.log.sig if the access log is a text file,
or filename.log.gzip.sig if the access log is a gzip file. If you use Reporter to analyze the access logs,
decrypt the access logs using a command-line decryption tool (such as OpenSSL) before loading
them into the database.
You can digitally sign your access log files with or without encryption. If the log is both signed
and encrypted, the signing operation is done first, meaning that the signature is calculated on the
unencrypted version of the file. You must therefore decrypt the log file before verifying it; attempting
to verify an encrypted file fails. Verify the signature, and check that the certificate carried in the .sig
file belongs to the expected appliance, before you trust or import the decrypted log.
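The following script is an added example, not SGOS code, that reproduces the sign-then-encrypt order described above with the OpenSSL command-line tool driven from Python, so that the decrypt-then-verify order on the receiving side can be seen to matter. It assumes a detached RSA/SHA-256 signature as a stand-in for the SGOS .sig container (which also carries the signing certificate), AES-256-CBC with a passphrase as a stand-in for the appliance's log encryption, and an `openssl` binary on the PATH; the log contents and the passphrase are constructed for the example.

```python
"""Sign-then-encrypt on the appliance side, decrypt-then-verify on the analyst side.
Added example (not SGOS code). Assumptions: a detached RSA/SHA-256 signature stands
in for the SGOS .sig container, AES-256-CBC with a passphrase stands in for the
appliance's log encryption, and the openssl binary is on PATH."""
import os
import subprocess
import tempfile

# Constructed sample access log: ELFF header plus one entry.
SAMPLE_LOG = b"""#Software: SGOS 5.4.1.2
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-scheme cs-host cs-uri-path sc-status
2009-03-30 17:13:39 10.3.7.103 GET http www.google.com /images/logo.gif 304
"""
PASSPHRASE = "example-only"   # assumption: stands in for the upload encryption key


def openssl(*args, check=True):
    """Run one openssl subcommand with stdout/stderr captured."""
    return subprocess.run(["openssl", *args], capture_output=True, check=check)


def proxy_side(workdir):
    """What the appliance produces: the .sig first, then the encrypted log.
    Returns (encrypted_log, signature_file, public_key)."""
    log = os.path.join(workdir, "main.log")
    key, pub = os.path.join(workdir, "sign.key"), os.path.join(workdir, "sign.pub")
    sig, enc = log + ".sig", log + ".enc"
    with open(log, "wb") as f:
        f.write(SAMPLE_LOG)
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", key)
    openssl("pkey", "-in", key, "-pubout", "-out", pub)
    # Step 1: sign. The signature is computed over the plaintext bytes.
    openssl("dgst", "-sha256", "-sign", key, "-out", sig, log)
    # Step 2: encrypt the already-signed log.
    openssl("enc", "-aes-256-cbc", "-pbkdf2", "-pass", "pass:" + PASSPHRASE,
            "-in", log, "-out", enc)
    os.remove(log)          # only the encrypted log and the .sig leave the appliance
    return enc, sig, pub


def signature_valid(path, sig, pub):
    """True if sig is a valid RSA/SHA-256 signature of the file at path."""
    r = openssl("dgst", "-sha256", "-verify", pub, "-signature", sig, path, check=False)
    return r.returncode == 0


def analyst_side(enc, sig, pub, passphrase=PASSPHRASE):
    """Receiving end. Returns (verified_before_decrypt, verified_after_decrypt, plaintext)."""
    before = signature_valid(enc, sig, pub)          # wrong order: signature is over plaintext
    dec = enc[:-len(".enc")] + ".dec"
    openssl("enc", "-d", "-aes-256-cbc", "-pbkdf2", "-pass", "pass:" + passphrase,
            "-in", enc, "-out", dec)
    after = signature_valid(dec, sig, pub)           # right order: decrypt, then verify
    with open(dec, "rb") as f:
        plaintext = f.read()
    return before, after, plaintext


def demo():
    """Run both sides in a scratch directory and return the analyst-side result."""
    with tempfile.TemporaryDirectory() as d:
        return analyst_side(*proxy_side(d))


if __name__ == "__main__":
    before, after, text = demo()
    print("verify ciphertext:  ", before)     # False
    print("verify after decrypt:", after)     # True
    print(text.decode().splitlines()[-1])
```

The wrong-order check is deliberately kept in `analyst_side` because it is the mistake that produces "verification failure" on a perfectly good log; in production the public key would come from the certificate inside the .sig file, checked against the appliance's issuing CA rather than generated locally as here.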
The ProxySG supports the following upload clients: FTP (the default), HTTP client, a custom
client, and Websense. The custom client can be used for special circumstances, such as while
working with SurfControl Reporter. Only one upload client can be used by the ProxySG at a time.
All of the above upload clients can be configured, but only the selected client is used.
The ProxySG allows you to upload access log files periodically to a remote server. The upload
schedule feature of the ProxySG allows you to configure the frequency of the access logging upload,
the time between connection attempts, and the time at which the log is uploaded. With periodic
uploading, the ProxySG transmits log entries on a scheduled basis, such as once a day or at
specific time intervals. The log entries are batched, saved to disk, and then uploaded to a remote
server at a particular time. Periodic uploading is advised when you do not need to analyze the log
entries in real time.
Periodic Upload (slide diagram: ProxySG batching log entries and uploading them on schedule to an upload server or Reporter)
Slide 14-5: Continuous upload
Under continuous uploading, the ProxySG continuously streams new access log entries to the
remote server from its memory. Continuous uploading can send log information from a ProxySG
farm to a single log analysis tool. This allows you to treat multiple ProxySG appliances as a single
entity and to review combined information from a single log file or series of related log files.
When you configure the ProxySG for continuous uploading, it continues to stream log files until
you stop it. In this context, streaming refers to the real-time transmission of access logs files using
a specified upload client.
If the remote server is unavailable to receive continuous upload log entries, the ProxySG saves the
log information on the ProxySG disk. When the remote server is available again, the ProxySG
resumes continuous uploading. To temporarily stop continuous uploading, switch to periodic
uploading. This is sometimes required for gzip or encrypted files, which must stop uploading
before you can view them.
Continuous uploading allows you to:
View the latest log information almost immediately.
Send log information to a log analysis tool for real-time processing and reporting.
Maintain ProxySG performance by sending log information to a remote server.
Save ProxySG disk space by saving log information on a remote server.
Continuous Upload (slide diagram: ProxySG streaming new log entries to a remote server)
Slide 14-6: Log file compression
The ProxySG allows you to upload either plaintext or compressed access logs to the remote server.
The ProxySG uses gzip format to upload compressed access logs. Gzip-compressed files allow
more log entries to be stored on the ProxySG. Compressed log files have the extension .log.gz.
Compressed access logs are best suited to periodic (scheduled) upload.
Some advantages of file compression are:
Reduced time and resources are used to produce a log file; fewer disk writes are required.
Less bandwidth is used when the ProxySG sends access logs to an upload server.
Less disk space is required.
Plaintext access logs have the extension .log. Text log files are best suited for continuous upload to
a remote server. Although gzip-compressed logs can be sent via continuous upload, Blue Coat
recommends using text format if you need to analyze log data in real time.
Log File Compression (slide diagram: plaintext logs for continuous upload; plaintext or gzip-compressed logs for periodic upload)
Slide 14-7: Protocols and default log facilities
The above table shows the default log facility association for different protocols on the ProxySG.
Seven log facilities are predefined: cifs, im, main, mapi, p2p, ssl, and streaming. No logging is
performed by default for the ICP and SOCKS protocols.
You can associate a log facility with a protocol at any time. But if you have a policy that defines
protocol and log facility association, that policy will override any settings that you make. Multiple
access log facilities are supported in the ProxySG, although each access log supports a single log
format. You can log a single transaction to multiple log facilities through a global configuration
setting for the protocol that can be modified on a per-transaction basis through policy.
If you upgraded from a previous version of the SGOS operating system, some protocols might
already be associated with a specific log facility. Old logs are converted to the main log facility. You
can globally enable or disable access logging. If access logging is disabled, logging is turned off for
all log objects. Once globally enabled, connection information is sent to the default log facility for
the service.
Although the predefined log facilities are sufficient for most deployments, you also can create a
custom log facility. To create a custom log facility:
1. Choose a log format, or create a custom format. Log formats are discussed later in this chapter.
2. Create a log name, and assign a format.
3. Assign a protocol to the log facility.
4. Configure the upload client.
5. Configure the upload schedule, rotation schedule, and general settings.
Protocols and Default Log Facilities (slide table)
Protocol                                                               Default log facility
HTTP, FTP, TCP tunnel, Telnet, HTTPS reverse proxy, Endpoint Mapper    main
Instant messaging                                                      im
Peer-to-peer                                                           p2p
Multimedia streaming                                                   streaming
SSL, HTTPS forward proxy                                               ssl
CIFS                                                                   cifs
MAPI                                                                   mapi
ICP, SOCKS                                                             No logging
Slide 14-8: Log formats and log types
Several log formats are predefined on the ProxySG. The above table shows these formats, the log
facilities they are associated with, and the log type of each format.
Each log format has an associated predefined log type. These log types are:
ELFF: Uses entries in a format defined by the W3C and described later in this chapter. ELFF
requires a space between fields.
SQUID-compatible: Contains one line for each request; this log type is designed for cache
statistics.
NCSA Common: Contains one line for each request with only basic HTTP access information.
Websense: Compatible with the Websense Reporter tool.
SurfControl: Compatible with the SurfControl Reporter tool.
A majority of content is HTTP content and uses the main log facility, which uses the
ELFF-compatible log format bcreportermain_v1, designed for use with Blue Coat Reporter.
Similarly, CIFS content, which mostly comprises intranet access, uses the bcreportercifs_v1 format.
Secure content such as SSL and HTTPS uses the bcreporterssl_v1 format, which only contains
fields that do not reveal private or sensitive information.
The bcreportermain_v1 format also supports the Page View Combiner (PVC). This feature
combines multiple HTTP requests that are associated with a single Web page into a single log line.
When a user goes to a Web page, that page often sends out requests for more content, either from
the same server or from different servers. Rather than regarding each of these requests as separate
requests, the PVC combines all of these related page requests into one. This reduces the number of
database entries in the log file and improves report generation performance.
You can create additional log formats that use ELFF-compatible or custom format strings. You
cannot edit predefined log formats, but you can copy them to a new name and edit the copy.
Log Formats and Log Types (slide table)
Format                        Log facility   Log type
bcreportermain_v1             main           ELFF
im                            im             ELFF
p2p                           p2p            ELFF
streaming                     streaming      ELFF
bcreporterssl_v1              ssl            ELFF
bcreportercifs_v1             cifs           ELFF
mapi                          mapi           ELFF
squid                         custom         SQUID-compatible
ncsa                          custom         NCSA Common
websense                      custom         Websense
surfcontrol, surfcontrolv5    custom         SurfControl
smartreporter                 custom         ELFF
Slide 14-9: ELFF strings
An ELFF definition consists of one or more strings. Each string is one of the following:
An identifier unrelated to any specific computer, such as date or time.
A prefix and an identifier separated by a dash:
Prefix: Identifies the computers to which the data applies. Valid prefixes are:
c: client
s: server (the ProxySG)
r: remote (the origin content server)
sr: server to remote
cs: client to server
sc: server to client
rs: remote to server
Identifier: Describes information related to a computer or a transfer, such as ip (IP
address) or bytes (number of bytes sent).
A prefix from the above list and the name of an HTTP header enclosed in parentheses.
The slide diagram shows the definition of the main log format. In this definition, for example:
1. c-ip is the IP address of the client.
2. sc-bytes is the number of bytes sent from the server (the ProxySG) to the client; read the
prefix table, not the field name, to tell direction (an "s to r" count would carry the sr prefix).
3. rs(Content-Type) is the value of the Content-Type header from the OCS to the ProxySG.
ELFF Strings (slide diagram: client (c), ProxySG (s) and server (r), with the cs/sc and sr/rs directions, over the main log format definition:
date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip)
Sample Log (slide)
#Software: SGOS 5.4.1.2
#Version: 1.0
#Start-Date: 2009-03-30 17:08:11
#Date: 2009-03-30 16:36:39
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
#Remark: 4607062031 "172.16.90.21" "Blue Coat SG210 Series" "172.16.90.21" "main"
2009-03-30 17:13:39 32 10.3.7.103 - - - PROXIED "unavailable;Search Engines/Portals" http://www.google.com/ 304 TCP_HIT GET image/gif http www.google.com 80 /intl/en_ALL/images/logo.gif - gif "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7" 172.16.90.21 275 712 -
1. Log file header (valid log files must have a header)
2. Log entry
Slide 14-10: Sample log
This diagram shows a sample log as seen in an access log file. Every log file must have a header.
The header lists information regarding the version of the ProxySG, the date and time of the log,
and the fields that are present in the access log. The header is followed by log entries that contain
detailed information about the date, time, and content that was accessed by a client. These log
entries make up the final log file that can then be digitally signed, encrypted, and uploaded via the
Management Console.
You can manually re-create the header if you have log files that would otherwise be valid.
Files without a header can appear when you change log formats without interrupting access
logging first.
Important: Log files must have valid headers. Blue Coat Reporter does not process log files
that do not contain valid headers.
Transaction Information (slide diagram: client, ProxySG cache and server, labelled with the actions TCP_MISS, TCP_NC_MISS, TCP_PARTIAL_MISS, ALLOWED, DENIED and TCP_DENIED)
Slide 14-11: Transaction information
This diagram describes the transaction that occurs between a client and a server and how access
logs keep a record of whether information was served from the cache or entirely from RAM, or
obtained from the origin server.
When the client first requests information (an object), the ProxySG checks with the cache to
determine whether the requested object can be served from there. If the object is present in the
cache, then TCP_HIT is recorded in the access log and the object is sent to the client. If the object
was entirely present in RAM, it is served from RAM and TCP_MEM_HIT is recorded in the
server action (s-action) field in the access log.
If the object was present in the cache but its virus-scanner-tag-id did not match the current
scanner tag, the object is rescanned by sending it to the ProxyAV. The server action field in the
access log then records the action as TCP_RESCAN_HIT. The object is sent to the client after the
virus scanning.
If the requested object is not found in the cache or in RAM, the request is sent to the origin
content server to retrieve the object. If the requested object was not present in the cache at all, the
action is recorded as TCP_MISS. Usually when objects are obtained from the OCS, the ProxySG
saves a copy in its cache. If the object returned from the origin server is not cacheable, the action is
recorded as TCP_NC_MISS. To speed delivery of requested objects, the ProxySG can serve cached
objects while requesting fresher content from the origin server. In this case, the action is
recorded in the access log as TCP_PARTIAL_MISS.
Actions are also logged in the access log when objects are delivered to the client. When the object
is successfully delivered to the client, the action is logged as ALLOWED. When policies in the
ProxySG deny the object from being delivered to the client, the action is logged as DENIED. When
access to the requested object is denied by a filter, the action is logged as TCP_DENIED.
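The reader below is an added example, not code from the course, SGOS or Reporter. It parses the ELFF layout described under Slides 14-9 and 14-10 and tallies the s-action and sc-filter-result values just discussed. It refuses an entry that appears before any #Fields directive (the condition Reporter rejects), keeps double-quoted values such as cs(User-Agent) and cs-categories as a single field as ELFF requires, and does not treat a backslash in a DOMAIN\user name as an escape. The three log entries are constructed for the example; their field list is the one on the Sample Log slide, and `rebuild_header` is a helper for the "re-create the header" case that the slide mentions.

```python
"""ELFF access-log reader. Added example; not SGOS or Reporter code.
The sample entries below are constructed; the #Fields list follows the Sample Log slide."""
import re
from collections import Counter

# One ELFF value: a double-quoted string (internal quotes doubled) or a bare token.
TOKEN = re.compile(r'"(?:[^"]|"")*"|\S+')

# Constructed sample: cache hit, non-cacheable miss, policy denial.
SAMPLE_LOG = """\
#Software: SGOS 5.4.1.2
#Version: 1.0
#Start-Date: 2009-03-30 17:08:11
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
2009-03-30 17:13:39 32 10.3.7.103 - - - PROXIED "Search Engines/Portals" http://www.google.com/ 304 TCP_HIT GET image/gif http www.google.com 80 /intl/en_ALL/images/logo.gif - gif "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7" 172.16.90.21 275 712 -
2009-03-30 17:13:41 210 10.3.7.103 - - - PROXIED "Search Engines/Portals" - 200 TCP_NC_MISS GET text/html http www.google.com 80 /search q=proxysg - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7" 172.16.90.21 18340 901 -
2009-03-30 17:14:02 1 10.3.7.104 jdoe TRAINING\\staff policy_denied DENIED "Gambling" - 403 TCP_DENIED GET text/html http www.example-bets.test 80 / - - "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7" 172.16.90.21 1205 640 -
"""


def _split_fields(line):
    """Split one ELFF entry on spaces, keeping double-quoted values whole.
    A backslash (as in DOMAIN\\user) is ordinary data, not an escape."""
    values = []
    for tok in TOKEN.findall(line):
        if len(tok) >= 2 and tok.startswith('"') and tok.endswith('"'):
            tok = tok[1:-1].replace('""', '"')
        values.append(tok)
    return values


def parse_elff(text):
    """Return (directives, entries); entries are dicts keyed by the #Fields names.
    Raises ValueError for an entry before any #Fields directive (what Reporter rejects)
    or for an entry whose value count does not match the header."""
    directives, entries, fields = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            directives[name] = value.strip()
            if name == "Fields":
                fields = value.split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: log entry before #Fields header")
        values = _split_fields(line)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        entries.append(dict(zip(fields, values)))
    return directives, entries


def rebuild_header(fields, software="SGOS", version="1.0"):
    """Minimal header for a headerless file whose format is known (slide 14-10)."""
    return f"#Software: {software}\n#Version: {version}\n#Fields: {' '.join(fields)}\n"


def summarize(entries):
    """Tally cache outcomes (s-action), policy verdicts (sc-filter-result) and denied hosts."""
    actions = Counter(e["s-action"] for e in entries)
    verdicts = Counter(e["sc-filter-result"] for e in entries)
    denied_hosts = sorted({e["cs-host"] for e in entries if e["s-action"] == "TCP_DENIED"})
    return actions, verdicts, denied_hosts


if __name__ == "__main__":
    header, rows = parse_elff(SAMPLE_LOG)
    print(header["Software"], "-", len(rows), "entries")
    for part in summarize(rows):
        print(part)
```

Splitting on whitespace with `cut` or `awk` breaks on the quoted user-agent and category values, which is why a tokenizer that understands ELFF quoting is used here; a value of `-` means the field was absent for that transaction.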
Default Logging Settings (slide: the Enable Access Logging setting and the default logging policy table)
Slide 14-12: Access logging policies
You can enable access logging from either the Management Console or the command line
interface. The ProxySG comes preconfigured with log facilities already assigned to the main proxy
services.
For most users, the default settings are sufficient; however, you can introduce a very detailed level
of customization. More importantly, you can use the VPM to define additional details of the
information, which is stored in the access log. For instance, you can disable monitoring of certain
users (such as the executive management and Human Resources). Similarly, you can disable
logging of traffic to certain URLs (there might be little information to gain in logging access to the
enterprise Internet and intranet sites).
Also, you can create a custom log facility, where you record very specific parameters, and create a
policy to log the traffic from a certain source, or to a certain destination or both in that log facility.
If you are investigating a user (or access to a specific resource), sometimes it is faster to gather the
information about the target user (or location) in a separate access log. This allows you to run
reports much more efficiently because you do not have to sort through your entire enterprise's
data.
Access Logging Policies (slide: default settings enable logging for all protocols; the example policy has two rules:
1) Disable ALL logging for the user CEO
2) Log the student TRAINING\student in a special log facility)
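The two slide rules can also be written in Content Policy Language instead of the VPM. The fragment below is an added example, not from the course: it assumes a custom facility named student_log already exists, that an authenticate() rule elsewhere in the policy has already established the user in an NTLM/IWA realm that presents names as DOMAIN\user, and that the domain-qualified name can be quoted as shown (check that against your realm's user-name syntax).

```cpl
; Added example, not course or SGOS code. Assumes the "student_log" facility
; exists and that users are already authenticated (authenticate() elsewhere).
<Proxy>
    user="CEO"              access_log(no)           ; rule 1: nothing from this user is logged
    user="TRAINING\student" access_log(student_log)  ; rule 2: this user's transactions go to the custom facility

; Transactions matching neither rule keep the global setting: each protocol
; writes to its default facility from slide 14-7. Use access_log(main, student_log)
; if the student's traffic should also remain in the main log.
```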
Slide 14-13: Statistics
Access-log statistics can be viewed from the Management Console Statistics > Access Logging tab
or the CLI command show access-log statistics log_name, although not all statistics
you can view in the Management Console are available in the CLI. You can also view some access
log statistics by going to Statistics > Advanced and clicking Access Log.
Statistics you can view from Statistics > Advanced on the Management Console include:
Show list of all logs: The access log manages multiple log objects internally. These are put
together as one logical access log file when the file is uploaded. This list shows the available
internal log objects for easy access. To download part of the access log instead of the whole log
file, click on the individual log object shown in the list. The latest log object can be identified
by its timestamp.
Show access log statistics: The statistics of an individual access log are shown.
Show statistics of all logs: The statistics of all the access logs on the system are displayed in a
single list.
Show last N bytes in the log: The most recent content of the log is shown.
Show last part of log every time it changes: A stream of the latest log entries is shown on the
page as they are written in the system.
Show access log tail with optional refresh time: A refresh from the browser displays the latest
log entries.
Show access log objects: The statistics of individual access log objects are displayed.
Show all access log objects: The statistics of all access log object are displayed in a single list.
The Log Size tab on the Management Console displays current log statistics:
Whether the log is being uploaded.
The current size of all access log objects.
Disk space usage.
Last modified time.
Estimated size of the access log file, once uploaded.
Statistics (slide: the Access Logging statistics pages: access log statistics, access log tail, access log objects, access log size, list of logs, disk space usage)
The ProxySG displays the current access logging status on the Management Console. This
includes separate status information about:
The writing of access log information to disk.
The client the ProxySG uses to upload access log information to the remote server.
Chapter 15: WAN Optimization Features
Today's IT organizations face a challenge: how to do more with less while increasing performance.
That challenge has resulted in three main trends: the use of the Web for enterprise applications;
server/data center consolidation; and increasing use of the public computing infrastructure.
The benefits of webification are clear: faster and more agile deployment of business applications,
and lower deployment and operations costs. But the benefits come at a cost. Because applications
are now browser-accessible, the vulnerabilities associated with browser use now apply equally to
business-critical applications. Additionally, employees have access to a bewildering variety of
browser content, making it possible for them to engage in unproductive, inappropriate, or even
criminal behavior. And as Web applications become more powerful, their bandwidth needs
increase exponentially.
Application consolidation also poses problems. Though organizations have been consolidating
application resources for several years, many of those applications are optimized for LAN
efficiency; the chatty protocols result in unacceptable response time when accessed from across the
WAN.
Server consolidation, increased application traffic, inefficient application protocols, highly
distributed users, and narrow bandwidth links have led to one thing: poor application
performance.
But the problem is not just a performance issue. IT managers cannot afford to increase
performance at the expense of control and security. At a minimum, an application acceleration
solution must:
Optimize use of existing WAN bandwidth.
Reduce latency associated with applications.
Improve the efficiency of application protocols.
Prioritize the applications that matter most.
Reuse and compress data where possible.
Accelerate file sharing, email, and browser-based enterprise applications.
WAN optimization is a key part of Application Delivery Network technology on the Blue Coat
ProxySG and offers a consolidated and complete approach to solving the several pain points that
relate to bandwidth and user response time.
Application Acceleration Techniques (slide)
Bandwidth management: Control network resources by user, application, or content
Protocol optimization: Align high-level protocols with network characteristics
Object caching: Get Web, file, and video content close to users again
Byte caching: Store repetitive network traffic for dramatic acceleration
Compression: Inline reduction of data to reduce application bandwidth
Slide 15-1: Application acceleration techniques
Visibility is the key to achieving secure application performance while maintaining control over
users and content. Because proxies terminate application traffic, they have a unique and native
visibility into the application, the user, and the content of the interaction. Because of this,
integrating security techniques (such as threat scanning and exploit blocking), control methods
(such as content filtering and user and application authentication), and acceleration tactics (such
as caching and compression) with the proxy, is far easier than with other architectures.
Blue Coat uses a multi-layer framework for increasing application performance over a WAN
infrastructure. Each layer can be controlled by policy, allowing you to apply the acceleration
techniques that are best suited to a particular situation. These techniques include:
Bandwidth management
Protocol optimization
Object caching
Byte caching
Compression
Slide 15-2: Bandwidth management
In the battle for bandwidth on congested WAN and Internet access links, demanding applications
such as large downloads or email attachments can flood capacity and undermine the performance
of critical applications. Abundant data, protocols that swell to consume all available bandwidth,
network bottlenecks, and new, popular, and bandwidth-hungry applications all seem to conspire
against critical application performance.
Most WAN optimization techniques focus on increasing the efficiency of the WAN. Even if the
WAN is made extremely efficient, however, there are times when large volumes of traffic result in
WAN congestion and, hence, WAN latency. The goal of bandwidth management, therefore, is to
prioritize traffic that is latency-sensitive and business-critical.
Bandwidth management adds a throttle or modulate option to possible actions, enabling enterprises
to limit, or guarantee bandwidth for individual (or groups of) applications. Using bandwidth
management, you can extract the greatest performance value from the available bandwidth. By
managing the bandwidth of specified classes of network traffic, administrators can:
Guarantee that certain traffic classes receive a specified minimum amount of available
bandwidth.
Limit certain traffic classes to a specified maximum amount of bandwidth.
Prioritize certain traffic classes to determine which classes have priority over available
bandwidth.
Administrators can create bandwidth rules using more than 500 different attributes, including
application, website, URL category, user/group, and time/priority.
Bandwidth Management (slide diagram: MMS, HTTP, IM, CIFS and other traffic classes sharing the link between client and server)
Slide 15-3: Protocol optimization
Many of todays most common protocols were not designed to operate efficiently across wide-area
links. Instead, they were optimized for the LAN, where round-trip time is not an issue. These
chatty protocols such as CIFS and MAPI sometimes can result in hundreds or thousands of
round trips on the WAN for a single transaction, resulting in an unacceptable user experience.
Protocol optimization makes these protocols more efficient typically by converting a
time-consuming serial communication process into a more efficient parallel process where many
communication tasks are handled simultaneously. There are a variety of other optimization
techniques, depending on the protocol (such as TCP session reuse). While protocol optimization
does not reduce the amount of bandwidth that an application consumes, it can greatly accelerate
delivery of applications and reduce latency in the process.
The ProxySG uses several types of protocol optimization, including object pipelining (parallel
advanced retrieval of all Web objects linked to the requested page), local authentication, and DNS
caching.
In the above example:
1. The client communicates with the edge ProxySG in the original protocol of the client request
(such as CIFS).
2. The edge ProxySG and core ProxySG communicate via a proprietary optimized protocol.
3. The core ProxySG communicates with the origin content server using the original protocol
from Step 1.
Protocol Optimization (slide diagram: client, edge ProxySG, core ProxySG and server, with the optimized protocol between the two ProxySG appliances)
Slide 15-4: Object caching
Object caching:
Delivers content extremely rapidly when content is unchanged.
Is built on high-level applications and protocols.
Can cache HTTP/Web, streaming, CIFS, and other objects.
When the cache contains a requested object, the user is immediately served the object from a local
store, virtually eliminating latency and WAN bandwidth consumption. If the cache does not
contain the object or contains an outdated version of the object, then a new object is reloaded into
the cache, and the performance gains are realized the next time the object is requested.
The slide diagram shows an example:
1. Client 1 requests an object. This request is handled by the ProxySG appliances on both sides of
the WAN.
2. The origin content server processes the request and sends the requested object.
3. The client-side ProxySG forwards the object to the client and at the same time stores the object
in its cache.
4. Client 2 sends a separate request for the same object.
5. The client-side ProxySG serves the object from its local cache, eliminating latency and
bandwidth consumption.
Application object caching is application-specific and variable. The degree of Web object caching
can be between 30% and 70% of the content, depending on the application. Object caching delivers
content extremely rapidly if the content is unchanged. Even when the content has changed, rapid
delivery can be achieved if byte caching is coupled with object caching because only a few updates
are required.
Object Caching (slide diagram: Client 1 and Client 2 behind a client-side ProxySG, a server-side ProxySG, and the origin content server)
Organizations can use a few different methods to place content at user sites ahead of demand.
Adaptive refresh is a predictive refresh of frequently requested objects, which essentially
decouples user requests and object cache refreshing activity. So, if many users are requesting the
same object, the appliance refreshes the object more frequently. Additionally, the appliance can use
a publish/subscribe model (as in a content delivery network) to pre-position content near users by
means of a manual push, or by proactively monitoring a URL or storage volume.
Byte Caching (slide diagram: ADN connection between the client-side and server-side ProxySG, with repeated data replaced by tokens)
Slide 15-5: Byte caching
ADNs use byte caching to reduce the amount of TCP traffic across a WAN by replacing large
chunks of repeated data with small tokens representing that data. Working with patterns detected
in the WAN traffic, the ProxySG pair handling the traffic builds a byte cache dictionary of small
tokens that replace up to 64 KB of data each.
Byte caching slices objects into atomic bits and then sends only the updated, or different, bits over
the WAN. Byte caching is very low-level and is not application-specific. It works to increase
effective bandwidth for all traffic. Byte caching works well where the same (or similar) content
might be stored in multiple places, and when the content is dynamic. Furthermore, the Blue Coat
byte caching implementation, while transparent to users and applications, is user- and
application-aware and is incorporated into the policy framework of the ProxySG.
ADN optimization requires two-sided deployments, with a ProxySG (a peer) at each end of the
WAN link to create the dictionary for the common tokens. In such an environment, with only
minimal configuration changes, between 30% and 90% of WAN usage can be eliminated, and
WAN performance can be increased by 30% to 90%. Applications that can benefit from ADN
optimization include Windows file servers, Web share applications such as WebDAV, customer
resource management programs such as Siebel, and email.
Compression (slide diagram: compressed ADN connection between client-side and server-side ProxySG)
Slide 15-6: Compression
Compression algorithms remove extraneous or predictable information from network traffic
before it is transmitted. The information is reconstituted at the destination using the same
algorithms. Compression reduces the amount of content transferred over the network, optimizing
bandwidth usage and improving end-user response time. On the ProxySG, compression:
Uses industry-standard and Blue Coat proprietary algorithms to compress all traffic.
Removes predictable white space from content and objects being transmitted.
Caches both compressed and uncompressed objects.
Uses HTTP and point-to-point compression.
Can adapt the level of compression based on CPU utilization.
The ProxySG supports two types of compression methodologies: HTTP and point-to-point. HTTP
compression (part of the HTTP version 1.1 specification) is fully supported. Web browsers support
compression algorithms such as gzip and deflate. These algorithms are also implemented in the
ProxySG.
The ProxySG can retrieve compressed content from the origin content server and serve the
compressed content to clients that support compression algorithms; the ProxySG also
decompresses content on the fly to serve to clients that do not support compression. Content is
cached in compressed and uncompressed formats.
Point-to-point compression for any arbitrary protocol also can be configured in the ProxySG.
Point-to-point compression enables organizations to create compressed tunnels between proxies.
Traffic forwarded through these tunnels is automatically compressed before being sent through
the tunnel.
Chapter 15: WAN Optimization Features
Slide 15-7: Layered approach
WAN optimization techniques complement one another, providing a multi-layered approach to
application acceleration. As you can see in the slide above, the techniques work together to
optimize application delivery to remote locations.
For example, if the object cache contains an outdated copy of a document, the byte caching
capability already has the patterns and tokens for it, so only the tokens, plus the changes, need to be
sent. What little is sent is then compressed and protocol-optimized (reducing bandwidth consumed
and latency/round trips). All of this is prioritized according to the enterprise's preferences, using
bandwidth management, so that the important applications get through first and with the
bandwidth they need.
SSL traffic is growing rapidly. Until recently, most enterprises were concerned with using SSL to
secure communications between external users and internal applications. With the advent of more
critical applications utilizing Web technologies (such as online financial services, third-party
hosted applications and application components, supply chain applications, and CRM),
SSL-encrypted traffic is becoming a larger portion of traffic between enterprise users and external
application resources.
However, the secured communications enabled by SSL prevent organizations from applying the
same degree of control that they apply to normal, outbound Web traffic. Threats and rogue
applications flow into and out of the enterprise unfettered. The ProxySG has an SSL proxy that
enables customers to apply the same policies to encrypted traffic that they do for unencrypted
traffic and apply the protection, control, and acceleration provided by the ProxySG to that
traffic as well. This is not simply SSL offload or termination, where IT owns both the application
and the proxy, but rather a gateway, or SSL forward proxy, where applications are outside the
organization (public, outsourced, partner, or internal).
The Blue Coat SSL solution:
Accelerates internal and external SSL-encrypted applications.
Preserves corporate and user privacy policies.
Provides a granular policy over users, applications, and content.
Includes multiple options for handling SSL interactions and the ability to remind and warn
users.
Stops unauthorized applications from clogging port 443 (and the network).
Slide 15-8: SSL acceleration (diagram: corporate users and mobile clients reaching external applications through the ProxySG)
Slide 15-9: Application acceleration (chart of typical and maximum speedup, from 0x to 25x and 200x or more, for file services (CIFS, NFS), collaboration (MAPI email/Exchange, Lotus Notes), Web (HTTP/HTTPS, ERP, Web 2.0), backup and replication, streaming video (Real, Microsoft), software distribution (SMS), SQL database, ERP fat client, and Citrix)
With ADN technology, the ProxySG delivers substantial acceleration, without sacrificing control
or security. Application acceleration can increase as much as 1,000 times (for streaming audio and
video).
Using ADNs, you can anticipate and address the application problems of tomorrow. Both
applications and networks are evolving at a rapid pace. Whether that evolution brings new
applications or direct connections to the Internet at remote sites, ADN technology accelerates
enterprise applications and limits or eliminates undesirable applications, regardless of changes in
applications and networks.
In a nutshell, the Application Delivery Network is not a point solution; rather, it is a consolidated,
comprehensive approach to the bandwidth optimization and user response time needs of your
enterprise.
207
J
L
J
J
i
J
i
J
L
I
M
J
I
K
J
L
i
i
a
J
L
I
I
L
i
h
A
i
i
L
i
i
L
i
i
J
> c
i)
U
)
0
C
-
)
0 C
)
C
-
)
U
)
(
c
i
a
)
0 2
:
a
)
C
l
)
0
)
C C (
c
i
I
0 0
I
-
c
i)
2
a
)
U
)
Chapter 16: Service and Support
Selecting the right product to ensure safe and productive user communications over the Web is
only the first step. Companies also are looking for ways to maximize their operational efficiencies,
maintain their support costs, and protect their investment. BlueTouch Services is a comprehensive
set of Blue Coat services and support that help security administrators safeguard their network
and maximize their investment while managing costs.
With technical support centers worldwide, Blue Coat's experienced staff is equipped to rapidly
respond to your request. BlueTouch service options and warranty services protect your business in
the event of a hardware failure. Blue Coat's training and professional services organizations are
available to bring administrators quickly up to speed or to provide customized consulting
services.
All BlueTouch service options are designed to protect your business and maintain the flexibility
required to meet your organization's specific logistical and budget needs.
Teamed together, Blue Coat's appliances and service offerings provide the protection and
flexibility required to keep your network up and running.
After studying this chapter, you will understand:
What options are available in BlueTouch Services.
How to use BlueTouch Online to submit and check service requests, and how service requests
are classified.
How to use the Blue Coat Licensing Portal to license ProxySG components.
Other support tools that are available from BlueTouch Online.
Important: The service descriptions in this chapter are summaries only and are subject to
change. For a complete description of Blue Coat service offerings, including
important terms and conditions, contact Blue Coat Systems.
Slide 16-1: BlueTouch Services (the four service families: BlueTouch Support Services to protect your investment, BlueTouch Professional Services to accelerate time to value, BlueTouch Training Services to enable operational efficiency, and BlueTouch Proactive Services to maximize your investment, with their service and support packages)
Blue Coat provides superior service through a combination of customer care, online support,
technical support, service options, training services, and professional services.
Support services: Technical support provides troubleshooting of all hardware and software
problems of deployed Blue Coat appliances. Support might require remote access to customer
systems for diagnosis. Support is available online and by telephone 24 hours a day, seven days
a week. While the primary language of our global support centers is English, local language
support varies by region.
Professional services: This worldwide team provides post-sales expertise that enables you to
maximize the benefits of your investment in Blue Coat products. These services can be
purchased on an as-needed basis or as part of an annual proactive services agreement.
Training services: BlueTouch Training Services helps customers increase operational efficiency
by making effective use of Blue Coat technology and enabling a higher level of IT staff
productivity. Training is delivered in a variety of formats including instructor-led courses
(available through a worldwide network of Blue Coat Authorized Training Centers),
self-paced online courses, and topic-specific computer-based training modules.
Proactive services: When added to an existing support agreement, these services enable
customers to efficiently manage mission-critical environments and plan for growth and
change within their network. Available service levels provide features including assigned
support delivery managers, a single point of contact, and training credits.
Slide 16-2: Global support center locations
Global support centers are strategically positioned worldwide to provide support for more than
Blue Coat appliances deployed worldwide. Blue Coat global support centers are located in:
Sunnyvale, California, United States
Waterloo, Ontario, Canada
London, United Kingdom
Dubai, United Arab Emirates
Kuala Lumpur, Malaysia
Tokyo, Japan
Your call is automatically routed based on the time of your call and the region of the world you are
calling from.
Also, distribution centers and stocking locations are located around the world so that Blue Coat
can provide fast and reliable hardware delivery in case of hardware failure.
Slide 16-3: BlueTouch support services
To complement warranty services, Blue Coat offers a comprehensive set of BlueTouch service
options. All service options include:
Unlimited 24x7 telephone support.
Access to BlueTouch Online.
Unlimited access to major, minor, and maintenance releases of Blue Coat operating system
software.
Hardware replacement options including return to factory, same-day shipment, guaranteed
next-business-day arrival, and four-hour replacement.
Optional on-site technician to install replacement hardware at your location (available in
selected packages).
Eligible Products
BlueTouch service options are available for Blue Coat products placed on the market since July
2006. Legacy products are covered under existing service contracts that are beyond the scope of
this course.
Slide: BlueTouch Support Services (table of the Standard, Standard Plus, Advanced, Premium, Premium Plus, and Software Service options against online Web support, 24x7 phone support, software access, RMA support ranging from 10-day return to factory through same-day shipment, next-business-day arrival, and 4-hour arrival, and an optional on-site technician)
Slide 16-4: BlueTouch Online
BlueTouch Online is available to Blue Coat partners and customers with products actively covered
under the one-year warranty or a service contract. Customers with BlueTouch Online have
immediate, personal, and secure online access to Blue Coat information and resources 24 hours a
day, seven days a week. Benefits include:
Access to resources such as an interactive knowledge base, installation notes, technical briefs,
security advisories, and field alerts.
The ability to create, modify, and update service requests, called SRs.
To get a BlueTouch Online login, go to https://support.bluecoat.com, click Need a login?, and then
follow the instructions given. You will receive a confirmation email that allows you to begin using
BlueTouch Online immediately.
Logins are created only for individuals and not groups. An individual login, however, allows a
user to see all of their company's cases. Creating logins for individuals versus groups allows Blue
Coat to identify who is creating or modifying records for a company, and control who in the
customer's company has access to BlueTouch Online records. Blue Coat deactivates individual
logins when notified that users no longer work for a company or should no longer have access.
BlueTouch Online has three other main functions:
Downloads: Current and previous releases of Blue Coat software are available.
Licensing: Provides access to license-related functions for Blue Coat products.
Documentation: Includes software and hardware documentation for Blue Coat products.
Slide 16-5: Service requests (escalation process by severity)
Severity 1 (Critical):
Network or application outage; network/application is down, no workaround.
Critical customer business operation is fully impaired by inadequate performance.
Impaired functionality, critically impacting the customer's business operations.
Severity 2 (High):
Operational aspect of the network or application is severely degraded.
Continuous or frequent instabilities affecting customer business or network operations.
Inability to deploy a feature, function or capability.
Successful workaround in place for a S1 issue.
Severity 3 (Medium):
Performance of the network or application is impaired, with limited impact to business operations.
A functional, stress or performance failure with a workaround.
Successful workaround in place for a S2 issue.
Severity 4 (Low):
Operational issues for certain features or capabilities with no impact to business operations and no loss of functionality.
General how-to questions.
Documentation or process issues.
When a service request is opened, either by contacting a Global Support Center or through
BlueTouch Online, technical information about the product, environment, and customer site is
verified, and a service severity level is assigned to the case.
Severity is defined by problem type and technical impact and sets guidelines for response times,
update frequency, and escalation time. By setting severity levels, Blue Coat can assign the proper
resources to any customer call and allow for the timely resolution of technical issues.
The above table shows the four severity levels and common situations that correspond to each
level.
Blue Coat's targets for response time to service requests are based on severity:
Severity 1 requests are responded to on a 24/7 basis.
Severity 2 requests are responded to on a 24/7 basis as agreed between the customer and Blue
Coat.
Severity 3 and 4 requests are responded to during normal business hours for the region where the
service request was originated.
These response times are targets only. Actual response times might vary.
Also, a duty manager is on call to assist customers who might feel that the severity of their issue
has not been accurately characterized, or that the response has not been within the stated timelines.
The duty manager role is not a replacement for the existing support processes; it is a resource for
customers to review the assigned SR severity level, request changes to the severity level, or discuss
additional management focus and attention.
Slide 16-6: Sending service information (Management Console screenshot: Send Service Information, with items such as packet captures, event log, Sysinfo, snapshots, SNMP data and core images selectable for upload)
Blue Coat recommends that you create a new service request in BlueTouch Online, record the
assigned service request number, and then upload diagnostic information. In an urgent situation,
you can follow through by calling a global support center for immediate assistance.
When submitting a service request, it is important to include any information that might be
helpful in diagnosing the problem. The ProxySG Management Console can be used to send
diagnostic information directly to Blue Coat, where it can be associated with an open service
request and sent to the support engineers working on the service request.
Support engineers have checklists that indicate which items are most likely to be helpful in a
particular situation, and they will request that the customer send the relevant information, such as
packet captures, event logs, Sysinfo files, and snapshots.
In the Management Console, select Maintenance > Service Information > Send Information and click
Send Service Information. Next, type the number of the service request (this number was assigned
when the service request was created), and select the files to be sent. Items that are grayed out are
not available on this ProxySG at the time the request was issued, most likely because they have not
been created.
In this example, the customer has chosen to send a packet capture, event log, Sysinfo file, and
snapshot, all to be associated with service request 2-0000000.
After selecting the information to be sent, click Send to begin uploading the information to Blue
Coat. To view the progress of the upload, click View Progress.
Slide 16-7: Blue Coat Licensing Portal
The Blue Coat Licensing Portal provides access to license-related functions for Blue Coat products.
To access the licensing portal from the BlueTouch Online homepage, select Licensing. Then, select
License a Proxy to perform licensing functions for a ProxySG, or select License Others to perform
other licensing functions.
When your organization purchases hardware or software licenses, an email containing activation
codes is sent to the email address your organization specified at purchase time. To activate
licenses, you need to have the codes from that email, as shown in this example:
Other license-related functions at the Blue Coat Licensing Portal include:
Content filtering: This feature of the ProxySG requires a separate license. To enable it, select
this option and type the activation code.
ProxySG: Four functions are available: SSL license activation, ProxySG upgrade, ProxySG
licensing, and the ability to revert to a previous upgrade.
ProxyAV: Five functions are available: license activation for systems at version 3.1 or later,
license activation for systems older than version 3.1, downloading an anti-virus license for
systems at version 3.1 or later, upgrading a cold-standby appliance, and swapping a version
3.1 or later license from one appliance to another.
ProxyOne: You can enter an upgrade activation code for your appliance.
ProxyRA: Three functions are available: activate, download, and swap licenses.
Slide: Blue Coat Licensing Portal (table of the licensing functions available per product: ProxySG, ProxyAV, ProxyOne, ProxyRA, Blue Coat Reporter, PacketShaper, IntelligenceCenter/PolicyCenter, NetCache, and appliance certificate verification) and a sample activation-code email listing order line, product code, description, and activation code for two SG810/SG8100 hardware-and-license upgrade kits
Blue Coat Reporter: To enable this application, select this option and type the activation code.
PacketShaper: Three functions are available: download a license, upgrade, and revert
upgrade.
IntelligenceCenter / PolicyCenter: Three functions are available: get a license, upgrade, and
revert upgrade.
NetCache: To activate licenses for legacy NetCache equipment, select this option and type the
activation code.
Appliance certificate verification: Enter your hardware serial number to determine whether
that ProxySG supports Blue Coat appliance certificates.
Other Support Tools

(d) $P(A_i \mid B) = \dfrac{P(A_i)\,P(B \mid A_i)}{\sum_{j=1}^{N} P(A_j)\,P(B \mid A_j)}$
Using the example of the voters in California, formula (d) allows us to calculate, knowing that the
bill was approved, the probability that a person of a given party voted for the bill. Applying the
numbers listed above and the result of formula (b) to formula (d), we obtain:
(e) $P(A_d \mid B) = \dfrac{0.43 \times 0.6}{0.53} = 0.48$
So, knowing that the bill passed, the probability that a voter was a Democrat is 48 percent.
Bayes' Theorem allowed us to reverse the probability. We started knowing that a certain
percentage of registered voters would vote a certain way. Knowing that the bill was approved, we
determined the probability that a voter belonged to a certain party.
Application to Content Filtering
The concept discussed in the previous section can be applied to content categorization. To teach a
system how to differentiate between the different categories, you need to provide it with a solid
foundation. You need to have good documents that the system can use to learn how to recognize
different categories.
You define the categories as the mutually exclusive events $\{A_1, A_2, A_3, \ldots, A_N\}$. For example, you can
say that $A_1$ is Adult/Mature, $A_2$ is Pornography, and so on.
You can define the appearance of a word as event $B$; for instance, $P(B)$ could be the probability of
finding the word sex. So you can say:
$P(A_2)$ = Probability of a site being Pornography
$P(B \mid A_2)$ = Probability of the word sex appearing in a Pornography page
$P(B)$ = Probability of finding the word sex
$P(A_2 \mid B)$ = Probability of a site being Pornography when the word sex is found in it
Appendix C: Conditional Probability
Using the preceding definitions, you obtain the following formula:
$P(\text{Pornography} \mid \text{Sex}) = \dfrac{P(\text{Pornography})\,P(\text{Sex} \mid \text{Pornography})}{P(\text{Sex})}$
Obviously, you cannot create these formulas manually. You need to create a tool that can
automatically calculate all of the different probabilities; ultimately, this will provide you with an
accurate $P(B \mid A_2)$. To achieve this result, you must submit a series of documents belonging to
known categories to the automatic tool. For example, submit 1,000 Pornography pages, 1,000
News/Media pages, and so on. The system processes the content of the pages and, by calculating
the multiple probabilities for the different events, learns how to recognize new pages that it has
not seen before.
It is important to consider other parameters any time you do any statistical analysis. You need to
evaluate the accuracy of your estimators and the coverage. The accuracy is determined as a
percentage of correct results. For instance, if we process 100 sites that we estimated to be
categorized as Pornography, how many were really porn sites? The coverage determines the miss
rate of the tool; in a pool of X sites known to belong in the Pornography category, how many did
the tool catch?
Unfortunately, you cannot achieve 100 percent success in both accuracy and coverage; you can
achieve 100 percent in one or the other. However, if 100 percent accuracy is achieved, coverage
will suffer tremendously and vice versa. The goal is to find a sweet spot where accuracy is
sufficient and the coverage is still good. Blue Coat WebFilter aims at 85-90 percent accuracy.
Blue Coat's dynamic categorization technology uses a two-step approach. The first step is to
recognize the language of the website. This is important because the same word may exist in more
than one language but have different meanings in the different languages. For instance, the word
burro has the same spelling both in Italian and Spanish; however, it means butter in Italian and
donkey in Spanish! The system needs to correctly determine the language before it can apply any
statistical analysis on the words.
You can see an example in Figure B-1 from the site http://www.jal.co.jp:
The Japanese word for reservation represents sites in Japanese with a probability of 0.00052, while
the Japanese word for month represents Japanese sites with a probability of 0.00236. The products of
the probability of each language token by the number of occurrences are grouped and summed by
language. The language that has the highest weight becomes the assumed language for that
website.
Figure B-1: Words reservation and month
Dynamic categorization adopts the same approach for the categorization of a website. The result
that dynamic categorization produces for the site http://www.jal.co.jp is shown in Figure B-2:
Token (gloss)   Occurrences   Probability   Weight     Category
hotel           1             0.00086       0.000861   Travel
time table      2             0.00043       0.00086    Travel
reservation     2             0.00040       0.000811   Travel
city            2             0.000405      0.000809   Political/Activist Groups
Figure B-2: Terms hotel, time table, and reservation
There are three tokens that refer to the Travel category and one that refers to the Political/Activist
Groups category:
hotel = Travel
time table = Travel
reservation = Travel
city = Political/Activist Groups
The total weight associated with the Travel category is 0.00253 (this is NOT a probability!), while
the weight associated with the Political/Activist Groups category is only 0.000809. Therefore, the site
is assumed to be a travel site in Japanese.
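The Bayes reasoning of formula (d), the per-token weighting of Figure B-2, and the accuracy/coverage trade-off discussed above, as an added Python example that is not Blue Coat's code: the Figure B-2 token values are those quoted in the text, while the category priors, the word likelihoods, the labelled test pages and the min_weight cut-off are constructed assumptions.

```python
"""Added worked example, not Blue Coat's code, of three ideas in this appendix:
formula (d), the token-weight scoring of Figure B-2, and the accuracy/coverage
trade-off. The Figure B-2 token values come from the text; every other number
and page below is constructed for illustration."""
from collections import Counter


def bayes_posterior(priors, likelihoods):
    """Formula (d): P(A_i|B) = P(A_i) P(B|A_i) / sum_j P(A_j) P(B|A_j), with
    priors = {category: P(A_i)} and likelihoods = {category: P(B|A_i)}."""
    p_b = sum(priors[c] * likelihoods[c] for c in priors)  # the sum in (d) is P(B)
    return {c: priors[c] * likelihoods[c] / p_b for c in priors}


def token_weights(token_counts, token_probs):
    """Sum P(token|label) * occurrences per label, as the appendix describes for
    both the language step and the category step. A weight, NOT a probability."""
    weights = {}
    for token, count in token_counts.items():
        for label, prob in token_probs.get(token, {}).items():
            weights[label] = weights.get(label, 0.0) + prob * count
    return weights


def categorize(token_counts, token_probs, min_weight=0.0):
    """Highest-weight label, or None below min_weight (a constructed confidence
    cut-off used to show accuracy and coverage pulling against each other)."""
    weights = token_weights(token_counts, token_probs)
    if not weights:
        return None
    best = max(weights, key=weights.get)
    return best if weights[best] >= min_weight else None


def accuracy_and_coverage(predictions, truth, category):
    """accuracy = correct / pages the tool labelled `category`;
    coverage = correct / pages truly in `category` (miss rate = 1 - coverage)."""
    flagged = [p for p, c in predictions.items() if c == category]
    actual = [p for p, c in truth.items() if c == category]
    correct = [p for p in flagged if truth[p] == category]
    return (len(correct) / len(flagged) if flagged else 0.0,
            len(correct) / len(actual) if actual else 0.0)


# Figure B-2 rows for http://www.jal.co.jp (occurrences x probability); romanised
# names stand in for the Japanese tokens shown in the figure.
JAL_TOKEN_PROBS = {
    "hotel": {"Travel": 0.00086},
    "time table": {"Travel": 0.00043},
    "reservation": {"Travel": 0.000405},
    "city": {"Political/Activist Groups": 0.000405},
}
JAL_TOKEN_COUNTS = Counter({"hotel": 1, "time table": 2, "reservation": 2, "city": 2})
# Constructed priors and P("sex"|category) for the word example in the text.
CATEGORY_PRIORS = {"Pornography": 0.05, "News/Media": 0.20, "Other": 0.75}
P_SEX_GIVEN = {"Pornography": 0.90, "News/Media": 0.10, "Other": 0.01}
# Constructed labelled pages (token counts, true category); "p4" is a news
# article that uses the word often, the kind of page that costs accuracy.
TEST_TOKEN_PROBS = {"sex": {"Pornography": 0.009, "News/Media": 0.001},
                    "xxx": {"Pornography": 0.005}}
TEST_PAGES = {
    "p1": (Counter({"sex": 6, "xxx": 3}), "Pornography"),
    "p2": (Counter({"sex": 2}), "Pornography"),
    "p3": (Counter({"sex": 2, "xxx": 1}), "Pornography"),
    "p4": (Counter({"sex": 3}), "News/Media"),
}


def jal_weights():
    return token_weights(JAL_TOKEN_COUNTS, JAL_TOKEN_PROBS)


def evaluate(min_weight):
    """(accuracy, coverage) for Pornography over TEST_PAGES at a given cut-off."""
    predictions = {p: categorize(tc, TEST_TOKEN_PROBS, min_weight)
                   for p, (tc, _) in TEST_PAGES.items()}
    truth = {p: c for p, (_, c) in TEST_PAGES.items()}
    return accuracy_and_coverage(predictions, truth, "Pornography")


if __name__ == "__main__":
    print(jal_weights())       # Travel 0.00253, Political/Activist Groups 0.00081
    for cut in (0.0, 0.02, 0.05):  # higher cut-off: better accuracy, worse coverage
        print(cut, evaluate(cut))
```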
1. There are actually many more tokens used for both language and category; this appendix only shows a
few relevant ones as an example.