
Blue Coat Certified ProxySG Administrator Course

Version 3.4

Student Textbook

Property of Blue Touch Training Services.


NOT for Distribution. For Internal Reference Purposes Only.

BlueTouch Training Services BCCPA Course v3.4.1

Contact Information
Blue Coat Systems Inc.
410 North Mary Avenue
Sunnyvale, California 94085
North America (USA) Toll Free: +1.866.302.2628 (866.30.BCOAT)
North America Direct (USA): +1.408.220.2200
Asia Pacific Rim (Hong Kong): +852.2166.8121
Europe, Middle East, and Africa (United Kingdom): +44 (0) 1276 854 100
training@bluecoat.com
training.books@bluecoat.com
www.bluecoat.com
Copyright 1999-2010 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be
reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or
translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title
and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems,
Inc. and its licensors. BluePlanet, CacheFlow, CachePulse, DRTR, ProxyAV, ProxyClient, ProxyRA
Connector, ProxyRA Manager, SGOS, and WebPulse are trademarks of Blue Coat Systems, Inc. Blue Coat,
BlueSource, BlueTouch, Control Is Yours, K9, IntelligenceCenter, PacketShaper, ProxySG, Permeo, the
Permeo logo, and the Blue Coat logo are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained
in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR
IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS
SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR
ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
April 2010


Table of Contents

Course Introduction .....................................................................................1


Chapter 1: Blue Coat Product Family ..........................................................3
Chapter 2: Understanding Proxy Servers ..................................................25
Chapter 3: ProxySG Deployment ..............................................................33
Chapter 4: Blue Coat Product Licensing ...................................................49
Chapter 5: ProxySG Initial Setup ...............................................................61
Chapter 6: ProxySG Management Console .............................................. 69
Chapter 7: Services ...................................................................................87
Chapter 8: Hypertext Transfer Protocol ...................................................103
Chapter 9: Policy Management ...............................................................115
Chapter 10: WebPulse ............................................................................ 131
Chapter 11: Authentication ...................................................................... 147
Chapter 12: Authentication Using LDAP .................................................161
Chapter 13: Creating Notifications and Exceptions .................................169
Chapter 14: Access Logging ...................................................................179
Chapter 15: WAN Optimization Features ................................................195
Chapter 16: Service and Support ............................................................207
Appendix A: Deployment Planning ..........................................................219
Appendix B: Introduction to IPv6 .............................................................227
Appendix C: Conditional Probability ........................................................231



Course Introduction

The Blue Coat Certified ProxySG Administrator course is intended for students who wish to
master the fundamentals of the Blue Coat ProxySG. It is designed for students who have not
taken any previous training courses about the ProxySG.
Students should be familiar with basic networking concepts, such as local-area networks (LANs),
the Internet, security, and IP protocols. A basic knowledge of authentication methods is also a
plus.
After studying this course, you will understand:
• Key concepts of network security and wide-area network (WAN) optimization.
• The major functions of the ProxySG, how they work, and how to administer them.
• How the ProxySG interfaces with other Blue Coat products.
• How to get service and support from Blue Coat.

By completing this course and passing an online exam, you can become a Blue Coat Certified
Proxy Administrator.

Applicable Software Versions


This course is based on version 5.5.1 of the SGOS operating system that is used on the ProxySG.
If your enterprise uses an earlier version of SGOS, some features described in this course might
not work as described here, and the appearance and functionality of screens, menus, commands,
and displays might be different from what you see here.

Typographic Conventions

In this book, text appearing in this font generally is text that is part of a graphical user
interface. This includes text in labels, names of buttons and menus, and Web page addresses
that you type into a Web browser.

Text appearing in this font generally is text that is part of a command-line interface. This
includes prompts, user input, and responses. This font also is used to show the content of
some communication protocols, such as headers, commands, and data between a client and a
server.

In both cases, text that appears in italics like this or like this represents text that you should
replace with text specific to your deployment. For example, the URL https://proxyIPaddr:8082
appears often in this book. In this example, the text proxyIPaddr should be replaced with the
actual four-octet numeric IP address of your ProxySG.




Chapter 1: Blue Coat Product Family

In a connected world, the network is increasingly becoming a platform for collaboration, bringing
people together to share ideas, speed decision-making, and enhance competitiveness.
Collaborative applications such as teleconferencing, unified communications, and social media
are being deployed at an increasing rate. An increasingly capable wide area network combines
with a host of regulatory mandates to drive infrastructure and data center consolidation, enabling
enterprises to gain greater efficiencies, contain costs, and enhance agility.
The key trends driving business today (centralization, mobilization, and globalization) often
make it difficult, if not downright impossible, to support on-demand application delivery. IT
initiatives such as server consolidation and voice, video, and data convergence can disrupt
network service. Your mobile applications and devices can be compromised by security breaches
and data theft. And global IT infrastructures often harbor data silos that are difficult to penetrate
and manage, obscuring the view of your IT resources.
Maintaining a sustainable competitive advantage in a rapidly changing business environment
requires new levels of responsiveness. Access to information where, when, and how it is needed is
critical to success. In today's market, information is the currency of business. Delivering a superior
user experience across corporate, branch, and remote locations depends on having:

• The visibility to control what is running on the network.
• The ability to accelerate business applications and meter recreational traffic.
• The ability to do so in a safe and secure manner.

Application Delivery Networks (ADNs) are emerging as an essential requirement in addressing
these challenges. Blue Coat products provide an ADN infrastructure designed to optimize and
secure the flow of information to any user, on any network, anywhere.
After studying this chapter, you will understand:
• The concepts of the Application Delivery Network.
• How Blue Coat's product family implements the ADN.
• Basic features of each member of the Blue Coat product family.



Application Delivery Network

Blue Coat Systems, Inc. 2010. All Rights Reserved.

Slide: Application Delivery Network

Implementing the Application Delivery Network answers the demand for greater application
mobility and security in a changing global business environment. By combining three core
capabilities, application performance monitoring (visibility), WAN optimization (acceleration),
and secure Web gateway technologies (security), the ADN helps you:
• See applications and users and how they behave on the network.
• Troubleshoot performance issues.
• Accelerate mission-critical applications, streaming video, SSL, and other enterprise
applications.
• Secure against malware, data leaks, and performance degradation.
• Enable a highly efficient and productive end-to-end user experience anytime, anywhere.

Visibility
Blue Coat's ADN solutions provide the ability to identify and classify applications and users
across the network. You can discover all application traffic, monitor the user experience,
troubleshoot performance issues, and resolve problems before they impact the user experience.
You can:
• Automatically discover more than 600 applications.
• Identify peer-to-peer (P2P), recreational, and streaming applications over any port.
• Subclassify complex applications such as SAP, Oracle, Citrix, Web, CIFS, MAPI, and DCOM.
• Discover URLs and external sites within HTTP.
• Identify problem hosts, servers, and applications.



Acceleration
Blue Coat helps you accelerate business-critical applications, including internal, external, and
real-time applications, to any user, anywhere, all while ensuring a headquarters work
experience, wherever your users are located. Acceleration technologies include:
• Object and byte caching.
• Compression and basic quality-of-service capabilities.
• External Web and SSL acceleration.
• Protocol acceleration for TCP, CIFS/NFS, MAPI, HTTP, and more.
• Advanced Web policy and bandwidth management.
• Advanced application ID technology.

Security
Blue Coat secures your Internet gateway to help protect users from malicious content and
applications. Security capabilities include:
• Anti-virus and malware scanning.
• URL and Web content filtering.
• A centrally managed distributed gateway.
• Granular policy management across more than 500 variables, including user, group,
application, source, content types, and transaction.
• Logging, statistics, and SNMP support.



Blue Coat Products

Slide: Blue Coat products

Blue Coat products provide total visibility and control over user and application performance
and fast, secure delivery of the critical applications that fuel business productivity.

Hardware-based Products

• Blue Coat ProxySG: Delivers a scalable proxy platform architecture to secure Web
communications and accelerate the delivery of business applications. The ProxySG is built on
SGOS, a custom, object-based operating system that enables flexible policy control over
content, users, applications, and protocols. The ProxySG is designed to meet proxy
requirements at branch offices, Internet gateways, data centers, and global service providers.

• Blue Coat ProxyAV: Enables organizations to detect viruses, worms, spyware, and trojans at
the Web gateway. The ProxyAV also can block most unknown spyware that targets HTTP, FTP,
and HTTPS protocols, in addition to preventing zero-day attacks and rootkit malware from
reaching desktops. The ProxyAV integrates with the caching capabilities of the ProxySG to
deliver outstanding anti-virus gateway performance.

• Blue Coat PacketShaper: Delivers integrated visibility, control, and compression capabilities
in a single appliance. With PacketShaper, you can identify all of the applications on the
network and monitor response times and utilization at the application level. In addition,
PacketShaper optimizes performance with granular quality-of-service traffic controls as well
as application-specific compression techniques that increase WAN capacity.

• Blue Coat Director: Provides centralized policy, configuration, and device management of
Blue Coat appliances across any distributed enterprise. From a single, easy-to-use Web
interface, administrators can deploy hundreds of appliances, monitor and enforce security
policies, and respond to emergencies with the click of a button. Director can automate the
deployment of remote Blue Coat appliances during rollout, allowing these appliances to be
pre-configured and shipped to remote locations for fast installation.



Software-based Products

• Blue Coat IntelligenceCenter: Delivers a unified approach to managing application
performance within distributed branch networks. By leveraging Blue Coat's unparalleled
visibility, IntelligenceCenter provides powerful application performance monitoring and
helps enforce policies that govern application behavior.

• Blue Coat PolicyCenter: Centrally manages the configuration, policy management, software
distribution, and adaptive response tracking of multi-unit deployments. PolicyCenter ensures
that application performance and bandwidth utilization stay aligned with the changing
demands of your business, whether for several appliances located at one site or thousands of
appliances distributed globally.

• Blue Coat Reporter: Provides comprehensive, identity-based reporting on Web
communications, enabling enterprises to evaluate Web policies and manage network
resources with greater ease, efficiency, and effectiveness. Reporter enables you to see all
Web-based user activities on your network by providing detailed logs that capture the latest
data. Report data includes Web usage patterns, application access summaries, blocked sites,
sites accessed by category, time of day, length of time, and more. You can also evaluate security
risks and block network infiltration through IM and P2P usage.

• Blue Coat WebFilter: Helps enterprises and service providers prevent Internet attacks from
spyware, phishing, P2P traffic, viral content, and more. To ensure accuracy, each site in the
WebFilter database is classified into multiple categories. This allows WebFilter customers to
define any number of categories to fit their specific filtering requirements. Each WebFilter
license includes patented technology that can instantly categorize Web sites when a user
attempts to access them. WebFilter supports more than 50 languages and more than 60
categories.

• Blue Coat WebPulse: This cloud-computing service unites Blue Coat Web gateways and
remote users into a computing grid to detect malware, rate new Web content, and analyze site
reputations. It uses multiple threat engines, machine analysis, Web hunters, and human raters
to ensure quality ratings. These defenses together would not be practical or affordable for a
single enterprise; however, when provided as a cloud service, they are cost-effective for an
organization of any size. WebFilter is part of WebPulse.

• Blue Coat ProxyClient: Helps deliver a headquarters work experience to all employees
wherever they are. By accelerating secure applications throughout the enterprise, ProxyClient
enhances business productivity and drives efficiency across the organization. In addition, you
can define which applications to accelerate and which to block based on security and
bandwidth requirements. ProxyClient is administered using the ProxySG for easy
provisioning, configuration, and maintenance. ProxyClient also can be distributed to user
computers using standard software provisioning services to reduce demand on IT resources.
To enhance network security, ProxyClient has a real-time relationship to WebPulse.

• Blue Coat K9 Web Protection: Filters content for the home, using the same dynamic
categorization technology as WebFilter. The application works with any Internet service
provider and any Web browser. K9 Web Protection, free for home users, is available at
http://www.getk9.com.



ProxySG

Slide: ProxySG
WAN optimization / Secure Web gateway
• Accelerate applications and data to remote users
• Prevent malware and unauthorized applications from compromising security
• Lower operational costs by reducing WAN usage
• Establish security checkpoints at multiple sites across distributed enterprise
• Enable remote offices to connect directly to the Internet without backhauling to headquarters
• Application security and application acceleration for all Web content
• Minimize external IT threats by securing remote and traveling users
• Optional FIPS mode operation

The ProxySG provides enterprises the ability to secure, control, and enhance the performance of
their networks. Because of its ability to secure Web communications and accelerate the delivery of
critical business applications, the ProxySG is well-suited for large, distributed environments and is
available in a wide range of sizes and configurations.
Benefits of the ProxySG include:
• Security: Administrators can use ProxySG appliances to filter Web content, inspect encrypted
SSL traffic, guard against spyware and other malware, and control instant messaging,
peer-to-peer, voice over IP, and streaming traffic.
• Control: Blue Coat's patented Policy Processing Engine and integrated caching technology
enable administrators to create and enforce granular policies. Policies can be created through
the command-line interface or through the graphical Visual Policy Manager.
• Performance: Blue Coat's acceleration technology optimizes performance and delivery of
critical applications (hosted internally or externally) to all users across the distributed
enterprise.

The ProxySG provides complete proxy protocol support for HTTP, HTTPS, FTP, SOCKS, Telnet,
instant messaging (AIM, Windows Live Messenger, Yahoo!), DNS, and streaming media (Real
Media, QuickTime, and Windows Media).
The ProxySG typically is deployed at different places in the enterprise:
• At the Internet gateway: The ProxySG protects internal users and networks from spyware,
phishing attacks, inappropriate Web use, and potential legal liability. At the same time, it
actually improves Web performance.
• At the edge of an organization's application delivery infrastructure: The ProxySG controls the
acceleration of critical business applications, including file services, rich media applications,
and e-mail.



The ProxySG is rack-mountable for simple installation and management. It is available in a wide
range of sizes and configurations appropriate for remote or branch offices, Internet gateways, data
centers, and global service providers.
SGOS supports Federal Information Processing Standards (FIPS) mode. When a properly signed
image of SGOS has been installed on a supported model of the ProxySG and FIPS mode has been
enabled, the appliance acts in accordance with the requirements of FIPS 140-2, Security
Requirements for Cryptographic Modules. The FIPS 140-2 certificate for SGOS is valid only when
the appliance is being operated in FIPS mode. FIPS mode affects a wide variety of ProxySG
subsystems and is not available in all possible ProxySG configurations; these numerous details are
beyond the scope of this course.



ProxySG Product Family

Slide: ProxySG product family

In order for the ProxySG to efficiently secure, manage, and enhance your network, you need to
select the model that best fits your environment.
When choosing a device, the number of users and bandwidth requirements are the most
important considerations. However, you also need to consider the number and types of policies
that you need to implement.
As shown above, the ProxySG is available in a range of models, each optimized for a particular
use:

• ProxySG 210: Provides an affordable solution for remote offices where direct Internet access
requires accelerated performance of business applications and granular control of Web
communications. It can be mounted in a rack or on a wall, or even placed on a table or desk.
• ProxySG 510: Offers an affordable rack-mountable solution for small enterprises and branch
offices that have direct access to the Internet. Like the ProxySG 210, the ProxySG 510 provides
controlled acceleration of business applications across the enterprise.
• ProxySG 810: Designed for enterprises and large branch offices. Located at the Internet
gateway, the ProxySG 810 provides control of Internet traffic and improves Web performance.
At the edge of an organization's application delivery infrastructure, it accelerates business
applications across the enterprise.
• ProxySG 9000: Provides the largest enterprises with the power to protect and accelerate Web
communications and business applications.



PacketShaper

Slide: PacketShaper
• Classification: Application-intelligent traffic classification
• Monitoring: Discovers applications on the network
• Shaping: Ensures QoS for mission-critical applications

PacketShaper maximizes application throughput across your existing network infrastructure. Get
more done in less time with fewer performance-related complaints and a higher quality of service
(QoS) for all networked users. Consolidating servers from remote sites to centralized data centers
makes sense, yet the additional traffic loads require accurate classification, monitoring, and
shaping before any benefits can be realized. PacketShaper identifies and controls common traffic,
including CIFS, VoIP, CRM, Web and P2P.
IP telephony (IPT) and voice/video over IP implementation varies between an enterprise and its
employees, impacting each network differently. Successful deployment hinges on guaranteed
bandwidth and QoS, as well as fitting more calls into a limited WAN resource. PacketShaper
effectively manages critical IPT protocols, delivering WAN capacity and true QoS functionality to
ensure the highest quality end-to-end communication for each call.
Multi-Protocol Label Switching and IP VPNs are useful for connecting distributed locations, but
benefits cannot be realized if applications are oversubscribed, traffic stalls in bottlenecks, and
critical applications are improperly assigned to best-effort classes. PacketShaper makes good on
the MPLS promise, assessing performance and identifying and marking application traffic with
special handling needs so traffic can move smoothly to the enterprise edge.
Internal threats from worm infections, unsanctioned recreational traffic, and rogue servers can
severely impact network capacity and bring down critical applications. PacketShaper helps
identify infected PCs and unsanctioned traffic as well as protect performance of key applications
and the network during an attack, all while delivering hard return on investment from
bandwidth savings, increased WAN capacity, and accelerated application performance.



PacketShaper

Slide: PacketShaper

PacketShaper is a complete performance solution, incorporating monitoring features plus control
features to correct and prevent problems. PacketShaper protects critical applications, limits the
impact of recreational and unsanctioned traffic, paces bursty business applications, and provisions
bandwidth on a per-application, per-user, or per-session basis to maximize throughput and
control application performance. It also provides TCP rate control, suppresses denial-of-service
attacks, and can mark packets for uniform treatment throughout a heterogeneous network.
The most common topological locations for PacketShaper are:
• Core site's WAN link: Connects a core site to branches across a corporate WAN.
• Core site's Internet link: Connects a core site to branches across a VPN and/or is simply a link
to the Internet.
• Distributed branch sites' WAN/Internet links: Connect branches to elsewhere.

PacketShaper goes beyond providing visibility into application and network behavior.
Acceleration enhances application performance by creating greater throughput, faster
performance, and increased network capacity. PacketShaper's acceleration employs compression
to transfer data more quickly and enable more traffic to flow through constrained WAN links.
When bandwidth is freed, it becomes available to enhance the performance of applications that
are most critical to business. With PacketShaper's compression capabilities, you can:
• Experience compression gains of up to 10 times without loss of quality or data.
• Increase capacity and direct bandwidth gains to critical applications.
• Ease congestion on a saturated WAN link.
• Postpone or avoid bandwidth upgrades.
• Eliminate the burden of having to define and maintain compression tunnels.
• Customize compression techniques for individual applications.
• Streamline repeated data, shrink transfer size, and/or reduce the number of packets.



ProxyAV

Slide: ProxyAV
• Powerful defense against viruses and worms, spyware and Trojans
• Supports secure ICAP
• Protects often-overlooked back doors: personal Web e-mail accounts, Trojans or spyware,
browser-based file downloads

The use of Web-based e-mail and other Web-enabled applications can bring viruses and other
malware into the enterprise network, damaging systems and harming productivity. However,
traditional Web anti-virus gateways frequently lack the scalability and performance needed for
HTTP and FTP scanning, leaving an organization's desktops vulnerable.
The ProxyAV works with the ProxySG to provide the gateway anti-virus protection required by
Web-dependent enterprises. It enables organizations to scan for viruses, worms, spyware, and
Trojans entering through Web-based back doors, including:
• Personal Web e-mail accounts, where most viruses and worms propagate.
• Web spam or e-mail spam, which can activate Trojan downloads or hidden spyware.
• Browser-based file downloads that bypass existing virus-scanning defenses.

The ProxyAV supports a range of virus scanning applications, including Kaspersky, Sophos,
McAfee, and Panda.
Blue Coat offers the following ProxyAV series, each designed to work in a different environment:
• ProxyAV 210: Designed to secure direct Internet connections to branch offices.
• ProxyAV 510: Designed for quick integration with the ProxySG 810 for deployment in
medium enterprise or distributed environments.
• ProxyAV 810: Designed for high-volume Web gateways and enterprise needs.
• ProxyAV 1400 and 2400: Designed for high-end enterprises and service providers with 10,000
users or more.



ProxyAV Deployment

Slide: ProxyAV deployment

The ProxyAV and the ProxySG work together to provide scalability for virus scanning along with
visibility and control of enterprise Web communications.
The ProxySG and the ProxyAV communicate using an enhanced and optimized version of the
Internet Content Adaptation Protocol. This enables superior performance, reliability, and
error/exception handling over software-based ICAP servers.
The ProxySG provides flexible and granular control of Web traffic and access; you can use Content
Policy Language or the ProxySG Management Console to create virus-scanning policy. The
ProxyAV provides high-performance anti-virus scanning of both cached and non-cached content
at wire speed.
The ProxyAV scans only Web objects forwarded from the ProxySG. The ProxyAV eliminates
redundant scanning of frequently downloaded objects with intelligent cache integration. If an
object has been scanned and cached, it is delivered without being scanned again. However, if the
object is not in the cache, it is scanned and then cached and delivered.
Virus updates to the ProxyAV are automated with definable schedules, and cached content is
automatically cleared with each update.
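The scan-once-then-cache flow just described, as an added Python model (constructed for this book; it is not Blue Coat code and does not implement the ICAP wire protocol). ProxySGStub, ProxyAVStub, the marker strings standing in for virus signatures, and the example.test URLs are all assumptions; the point it makes concrete is why cached content must be flushed on every signature update: an object that passed scanning under old definitions would otherwise keep being served as clean.

```python
"""Constructed model of the ProxySG/ProxyAV scan-and-cache decision logic.

Added illustration, not Blue Coat code. It models three rules from the text:
uncached objects are scanned before delivery, objects already scanned and
cached are delivered without a second scan, and a signature update clears the
cache. The ICAP exchange itself is not modelled.
"""
from dataclasses import dataclass

# Constructed stand-ins for an anti-virus signature database: a marker string
# plays the role of a signature. Version 2 adds a detection that version 1 lacks.
SIGNATURE_DB_V1 = {"EICAR-STYLE-MARKER"}
SIGNATURE_DB_V2 = {"EICAR-STYLE-MARKER", "NEW-THREAT-MARKER"}


@dataclass
class ScanVerdict:
    clean: bool
    signature_version: int


class ProxyAVStub:
    """Plays the ProxyAV: scans a response body against the current signatures."""

    def __init__(self, signatures, version):
        self.signatures = set(signatures)
        self.version = version
        self.scan_count = 0  # shows which fetches actually triggered a scan

    def scan(self, body: bytes) -> ScanVerdict:
        self.scan_count += 1
        text = body.decode("latin-1")
        infected = any(sig in text for sig in self.signatures)
        return ScanVerdict(clean=not infected, signature_version=self.version)


class ProxySGStub:
    """Plays the ProxySG: fetches objects, hands them to the AV, caches clean ones."""

    def __init__(self, origin: dict, av: ProxyAVStub):
        self.origin = origin  # constructed origin content: url -> body
        self.av = av
        self.cache = {}       # url -> (body, signature version it was scanned with)

    def fetch(self, url: str):
        """Return (status, body); status is 'cache', 'scanned' or 'blocked'."""
        cached = self.cache.get(url)
        if cached is not None and cached[1] == self.av.version:
            # Already scanned with the current signatures: deliver without rescanning.
            # The version check is belt-and-braces; signature_update() clears the
            # cache anyway, so a stale entry can never be served as clean.
            return "cache", cached[0]
        body = self.origin[url]
        verdict = self.av.scan(body)
        if not verdict.clean:
            # Infected objects are never cached, so a later request is rescanned.
            self.cache.pop(url, None)
            return "blocked", b""
        self.cache[url] = (body, verdict.signature_version)
        return "scanned", body

    def signature_update(self, signatures, version):
        """Mirror the behaviour in the text: new definitions clear cached content."""
        self.av.signatures = set(signatures)
        self.av.version = version
        self.cache.clear()


def demo():
    """Walk through the flow; returns (per-request statuses, total scans run)."""
    origin = {  # constructed sample objects
        "http://example.test/report.pdf": b"%PDF-1.4 quarterly figures",
        "http://example.test/update.exe": b"MZ... NEW-THREAT-MARKER ...",
    }
    av = ProxyAVStub(SIGNATURE_DB_V1, version=1)
    sg = ProxySGStub(origin, av)
    statuses = []
    statuses.append(sg.fetch("http://example.test/report.pdf")[0])  # scanned
    statuses.append(sg.fetch("http://example.test/report.pdf")[0])  # cache, no rescan
    statuses.append(sg.fetch("http://example.test/update.exe")[0])  # scanned; v1 misses it
    sg.signature_update(SIGNATURE_DB_V2, version=2)                  # cache flushed
    statuses.append(sg.fetch("http://example.test/report.pdf")[0])  # scanned again
    statuses.append(sg.fetch("http://example.test/update.exe")[0])  # blocked under v2
    return statuses, av.scan_count


if __name__ == "__main__":
    print(demo())
```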



Director

Slide: Director

Although the ProxySG graphical interface makes the appliance easy to manage, installing
configurations or updating policies on multiple appliances can be time-consuming, especially in a
distributed environment. Director centralizes those procedures, saving time and enabling
organizations to standardize configuration and policy. Management tasks (including backups
and updates of configurations, policies, and software licenses) can be performed immediately or
scheduled for one occasion or on a recurring basis.
Director (consisting of a ProxySG 800 chassis and a proprietary operating system) can
configure, manage, and monitor all of the ProxySG appliances in an organization. It can manage
up to 500 ProxySG appliances from any Windows computer with a Web browser. Director makes it
simple to configure and manage the multiple ProxySG appliances that ADN acceleration requires.
Using Director, administrators can perform a wide range of specific tasks for multiple ProxySG
appliances:
• Configuration and policy management: Create and install standard configurations and
policies, customize appliance settings, back up and restore settings, distribute software
licenses, and schedule configuration and policy changes.
• Resource and content management: Manage bandwidth to conserve resources; distribute
content, including frequently used files, to ProxySG caches; limit access to Internet and
intranet resources.
• Monitoring and planning: Monitor key hardware and software metrics of ProxySG appliances
remotely, create settings to issue alerts when certain changes occur, and use statistics to
evaluate and update network policies.


BlueTouch Training Services BCCPA Course v3.4.1

Reporter

Slide: Reporter

The ProxySG records data about every transaction that passes through it, creating comprehensive
access logs. An organization can use the data in access logs to analyze network activity; however,
extracting information from enormous log files can be a tedious and time-consuming task.
Reporter provides a solution. The application makes it easy to analyze log files from one or more
ProxySG appliances, enabling organizations to manage network resources more effectively.
Administrators use Reporter to create reports through a Web interface or a command line. They
can use one of more than 150 pre-defined reports or create their own custom reports to identify
violators of Web access policies, track user activity that could bring viruses and other hazardous
content into the network, and preserve network resources by identifying abuse patterns.
Reports can be executed immediately or scheduled to run, either once or on a recurring basis.
Reports can also be exported in HTML format in e-mail or as Excel-compatible files.


IntelligenceCenter

Slide: IntelligenceCenter

IntelligenceCenter provides powerful application performance monitoring, and it more effectively
enables policies to enforce and optimize application behavior. Deployed with Blue Coat's
complete suite of WAN and application visibility and control tools, IntelligenceCenter ensures that
application performance meets expectations at all locations, anywhere that PacketShaper, iShaper,
PolicyCenter, switches, and routers are deployed across your network.
Flexible and customizable monitoring and reporting are available, and a set of programmable
interfaces allows extensions to the reporting and dashboard features.
IntelligenceCenter reports on Flow Detail Record (FDR), Measurement Engine (ME), and NetFlow
data to assist with detailed analysis and integration. FDRs provide traffic information such as
application used, flow origin and destination, flow size (in terms of packets and bytes), when the
flow was sent, flow utilization (throughput and efficiency), service type, ports, DSCP, VLAN, and
response-time measurement data.
These powerful features assist with:

Troubleshooting and forensics.

Comparing usage by application.

Monitoring individual application flows (such as VoIP, ERP, and Web services).

Reporting host activity by traffic class, application, and site.

Collecting top talkers, listeners, and host pairs data.

Tracking connections between local and remote networked devices.


PolicyCenter

Slide: PolicyCenter

PolicyCenter is a software management system that maintains multiple PacketShaper
configurations on a single Windows 2000 or Windows 2003 server. Because the configurations of
all the units on the network are stored in a single place, they can be managed very efficiently.
Multiple PacketShapers can be assigned to a single PolicyCenter configuration, allowing those
units to operate with nearly identical configurations. When you change a configuration, either
through PolicyCenter or through the browser or command-line interface of an individual unit, the
change immediately affects all units assigned to that configuration. It is this capability of
PolicyCenter that truly provides the economy of scale: One single change to a PolicyCenter
configuration can result in an instant configuration update on up to 1,500 different PacketShapers.
PolicyCenter also allows you to:

Deploy policies and partitions across multiple PacketShapers.

Distribute PacketWise software upgrades, plug-ins, customer portal files, and adaptive
response action files.

View a status summary of all managed PacketShapers.

Monitor and manage the status of your unit and network with the adaptive response feature.


WebFilter and WebPulse

Slide: WebFilter and WebPulse

WebFilter is a powerful, on-proxy Web filtering solution that helps organizations protect their
networks from inappropriate Web content and such threats as spyware and phishing attacks.
There are two main approaches to content filtering. One tries to categorize Web sites by looking
for key words in the HTML pages that users request. This approach has two severe limitations:
lack of scalability and lack of accuracy. The other approach relies on teams of researchers who
categorize content and regularly update databases of sites organized by category. The major
limitations of this approach are a lack of flexibility and an inability to adapt to specific content.
WebFilter uses a hybrid approach and provides a static list with its on-box database.
Administrators can write policy to allow or deny access to resources based on the information in
the database. Also, WebFilter offers optional remote dynamic categorization, which sends requests
to a server if the resource is not in the local WebFilter database.
Quality of filtering results is a key advantage of WebFilter. It supports more than 50 languages
including Chinese, Japanese, and Arabic and provides more than 60 categories to allow a high
degree of control in writing policy. The application is consistent in its categorization of resources
and gives top priority to categorizing resources that are requested most frequently.
WebFilter is part of WebPulse, the Blue Coat cloud computing service. WebPulse analyzes more
than a billion requests per week, completely driven by user-requested Web sites. The WebPulse
cloud service unites Blue Coat Web gateways and remote users into a computing grid to detect
malware, rate new Web content, and analyze site reputations. As a cloud service, it uses multiple
threat engines, machine analysis, Web hunters, and human raters to ensure quality ratings. These
defenses together would not be practical or affordable for a single enterprise; however, when
provided as a cloud service, they are cost-effective to an organization of any size. All WebPulse
ratings feed into the WebFilter database.


ProxyClient

Slide: ProxyClient

As part of an Application Delivery Network, Blue Coat ProxyClient accelerates secure network
applications to remote users and branch offices. ProxyClient combines the acceleration features of
Blue Coat's acceleration technology with the network security provided by WebPulse. As a result,
ProxyClient can accelerate remote applications by up to 35 times and protect users wherever they
are, even on public networks.
Features and benefits of ProxyClient include:

Protecting remote users from malware and threats: ProxyClient leverages WebPulse, adding a
second layer of protection in addition to anti-virus software on the laptop.

Ensuring productivity on the road: ProxyClient minimizes lost user productivity from slow
networks, malware, and frivolous Web surfing with remote Web control and application
acceleration.

Accelerating remote performance: ProxyClient accelerates access to, and reduces the bandwidth consumed by,
critical files, e-mail, and business applications for all remote users. This enables users to work
from anywhere with an Internet connection, allowing them to be close to customers, partners,
or home.

Load balancing and failover: A disaster or appliance outage does not leave users
unproductive or unsafe. If ProxyClient can reach the enterprise network, it fails over and
load balances automatically. If ProxyClient can reach the Internet, it can reach WebPulse for
control and security.

Location awareness: Administrators can enable or disable ProxyClient acceleration and Web
filtering based on the locations from which the client connects, improving efficiency and
making intelligent use of the ProxySG appliances in the network.

VPN transparency: ProxyClient can be deployed to VPN users without any changes to VPN
configuration.


ProxyClient is automatically and transparently updated to minimize ongoing administrative time
and resources. ProxyClient also delivers business-critical features for load balancing and failover.
On the desktop, ProxyClient starts automatically on system boot and includes a real-time statistics
display to monitor application performance.
ProxyClient complements ProxySG appliances by establishing distributed points of control to
accelerate business applications for remote workers. Deployed for mobile employees, workers in
small branch offices, or both, ProxyClient delivers the application acceleration and WAN
optimization features necessary to maximize remote worker productivity through accelerated
access to corporate resources and applications.


K9 Web Protection
Uses WebPulse technology
Free download at www.getk9.com

Slide: K9 Web Protection

K9 Web Protection is a content filtering solution for your home computer. Its job is to provide you
with a family-safe Internet experience, where you control the Internet content that enters your
home. K9 Web Protection implements the same enterprise-class Web filtering technology used by
Blue Coat's Fortune 500 customers around the world, wrapped in simple, friendly, and reliable
software for your Windows 2000, Windows XP, Windows 7, or Windows Vista computer.
If a user tries to go to a Web site that the Web filtering database has not seen before, it scans the
content of the site for inappropriate material, and then either permits or prohibits the site using
dynamic categorization. This provides real-time analysis and content categorization of requested
Web pages to solve the problem of new and previously unknown uncategorized URLs, those
not in the database. When a user requests a URL that has not already been categorized by the
database (for example, a new Web site), the dynamic categorization service analyzes elements of
the requested content and assigns a category or categories. The dynamic service is consulted only
when the installed database does not contain category information for an object.
If the category returned by this service is blocked by policy, the offending material never enters the
network in any form. Dynamic analysis of content is performed on a remote network service.
You can download this free application from http://www.getk9.com.
K9 Web Protection is different from other solutions for the home in several important respects:

Service-based filtering: Blue Coat's filtering database operates as a service. It receives and
rates more than 80 million requests every day, making it the most accurate content filtering
database available. This accuracy is important in protecting your family, given the Internet's
rapid changes and growth. Plus, there is no database to download. K9 Web Protection will not
clog your Internet connection, get stale or out of date, or slow down your computer like other
products do.


WebPulse: Blue Coat's technology is vastly different from the old-fashioned keyword filtering
that is so frustrating to users. Using a method of cloud computing coupled with statistical
analysis and artificial intelligence to rate new or previously unrated Web pages, WebPulse can
determine the category of a URL on the fly without human intervention. However, WebPulse
only renders a rating when it is confident that it has reached an accurate conclusion.

Automatic updating: Automatic updates of the K9 Web Protection application ensure that you
are always protected by the latest features.

Efficient caching: Blue Coat is recognized worldwide as an expert in high-performance caching
and secure proxy technology. Taking advantage of this expertise in K9 makes your Internet
experience fast, reliable, and safe.


Chapter 2: Understanding Proxy Servers

The basic technology behind proxy servers has been around for many years; a detailed definition
of a proxy server appears in the earliest RFC for the HTTP protocol. A proxy is defined in RFC
1945 as "an intermediary program which acts as both a server and a client for the purpose of
making requests on behalf of other clients. Requests are serviced internally or by passing them,
with possible translation, on to other servers. A proxy must interpret and, if necessary, rewrite a
request message before forwarding it. Proxies are often used as client-side portals through
network firewalls and as helper applications for handling requests via protocols not implemented
by the user agent."
Proxies have expanded in features and functionalities to go above simple content caching and IP
address masquerading (also known as NAT, network address translation). In particular, the Blue
Coat ProxySG has grown from an advanced caching device to a complete security appliance
and a WAN acceleration engine.
This chapter describes high-level proxy functionalities and, in particular, ProxySG security and
content acceleration features.
Comparing proxy technology with firewalls, you can see how the two technologies complement
each other. Traditionally, firewall technology is designed to protect the network from outside
attackers; across vendors, this technology is very mature, reliable, and very much a requirement
for any network, even the smallest ones (including home networks).
Networks face three major areas of concern that proxy servers are much better equipped to
handle:

Spyware, malware, trojans, and other HTTP response-borne threats.

Malicious insider users.

Slow performance due to protocols that were designed for LANs, where they perform well, but that
perform poorly in lower-speed and delay-prone WANs.

The ProxySG is powered by SGOS, a lightweight, purpose-built operating system designed to
deliver optimum performance and unsurpassed security in terms of both user-application
communications and administrative control. This functionality is complemented by powerful
management and reporting tools that make it fast and easy to deploy, configure, and administer
the ProxySG and other technology throughout the distributed enterprise.
The ProxySG is available in a broad range of configurations and is typically deployed in enterprise
branch offices, Internet gateways, end points, and data centers as well as in global service
provider organizations.
The appliances provide intelligent points of control to secure Web communications and accelerate
delivery of business applications. Just as important, Blue Coat gives IT organizations visibility and
very granular control over security and performance, so that policies can be set based on who,
what, where, when, and how users and applications communicate with each other.


Overview
Proxy servers are designed to:
Enhance security
Control content
Increase performance

Two roles for the proxy:
Secure gateway
WAN optimization

Slide: Overview

At the perimeter of the enterprise network, firewalls block access to internal networks. But they
are not designed to provide visibility and granular control of all Web user communications in
order to create a productive, safe Web environment.
The solution is to use a proxy device such as the ProxySG, designed specifically to manage and
control user communications over the Web. A proxy device does not replace existing perimeter
security devices; rather, it complements them by giving organizations the ability to control user
communications in a number of ways that firewalls and other devices cannot.

WAN optimization: The ProxySG brings acceleration techniques to all of an enterprise's key
applications, including Web, secure Web, file services, e-mail, and video. This enables
organizations to manage all of their user/application interactions to stop undesirable
applications, throttle less-important applications, differentiate users and groups, and
accelerate critical applications even when encrypted.

High-performance Web proxy: A scalable proxy appliance allows administrators to secure,
manage, and control user access to Web information with accelerated performance.

Web content filtering and content controls: Integrated URL filtering enables network
operators to prevent users from accessing or viewing inappropriate content using company
resources, plus content stripping, replacement and controls when URL filtering is not enough.

Web virus scanning: The "scan once, serve many" model provides the real-time performance and
scalability required to effectively scan Web content.

Instant messaging control: Allows administrators to implement centralized management and
logging of AOL, Windows Live Messenger, and Yahoo! instant messaging
communications.

Internet monitoring and reporting: Identity-based reporting and monitoring enables
organizations to evaluate Web policies and manage resources more effectively.

Spyware prevention and control: Provides high-performance spyware prevention at the
Internet gateway while allowing page views and legitimate applications.


Firewall Limitations

Slide: Firewall limitations

Virtually every network (even a home office) is protected by a firewall. This diagram shows how a
firewall is effective in stopping an unwanted intruder from penetrating the network. The traffic
originating from the rogue machine on the Internet is immediately blocked when it reaches the
perimeter firewall of the network. You can configure the firewall to allow only selected traffic (for
instance, Web traffic) to selected destinations (such as a Web server in the DMZ).
But the nature of attacks has evolved. Hackers now exploit weaknesses in various protocols to
penetrate a secure network or grab data from internal workstations. As shown above, if a client
requests a legitimate object that has been compromised, such as a Web page that contains
malicious JavaScript code, the firewall most likely allows that connection because it appears to
be a valid HTTP request from an internal client.
The ProxySG operates at the application level (Layer 7 in the OSI model), so it can prevent
unwanted content from both being requested and being delivered to the client. For instance, in the
case of malicious code from a Web site, the content-filtering capabilities of the ProxySG can block
the client request. Additionally, it also can stop the response from the Web site and not deliver the
malicious code to the client.
For these reasons, the ProxySG is an essential complement to your security architecture and a
powerful defense against spyware and malware.


Firewalls And Proxies

Slide: Proxy layers of operation

All firewalls allow you to control the data link layer through the transport layer. All proxies allow
you to control the application layer for HTTP, FTP, and a few other protocols. Some firewalls
might also offer protocol inspection features, operating at the application layer. Controlling Layer
7 is computationally very expensive for a firewall (the technology was not designed around
protocol inspections); furthermore, even the firewalls that offer this feature do not have the
granularity of control offered by a proxy.
The ProxySG, unlike other proxies, controls the entire protocol stack and can operate all the way
from the data link layer to the application layer. In particular, the ProxySG can act as:

A Layer 2 switch, either by bridging multiple interfaces via software or using an optional
pass-through bridge card.

A router, by participating in the Routing Information Protocol or by acting as an IP forwarder
to the default gateway on the network.

An application accelerator, by optimizing TCP communication and protocol efficiency (HTTP,
FTP, CIFS, MAPI, and so on).

An advanced caching engine for protocols such as HTTP, FTP, CIFS, and MMS.

You can create policy based on IP addresses, TCP parameters, and advanced protocol features; for
instance, you can easily control which HTTP methods are allowed and which are not.


Gateway Proxy

Slide: Gateway proxy

This diagram shows how a proxy is "an intermediary program which acts as both a server and a
client," as defined in the HTTP 1.0 specification, RFC 1945. Also, it is clear why the term "proxy"
was chosen; according to Merriam-Webster's Online Dictionary, it means "the agency, function, or
office of a deputy who acts as a substitute for another."
In general, the client makes a request to the proxy. The destination MAC address and destination
IP address in the client request are those of the proxy (assuming that they are on the same subnet).
Because the proxy receives a request from the client and returns a response, it is acting as a server
for the client; however, the proxy needs to pass the request to the origin content server (OCS), thus
acting as a client.
When the proxy connects to the OCS, it connects to the default gateway using its own source MAC
address and IP address. For the OCS, the proxy is the client, and the presence of the actual client is
practically unknown.
A client does not always connect explicitly to a proxy; instead, the proxy can be placed in a
location on the network where it can transparently intercept client requests. In this scenario, the
client is unaware of the presence of the proxy and believes that responses are coming from the OCS;
the OCS is unaware of the existence of the actual client issuing the request.


WAN Acceleration Proxy

Slide: WAN acceleration proxy

The ProxySG can do much more than enhance the security of your network and optimize the
response time from servers on the Internet.
The ProxySG uses application management and tuning technologies that provide unrivaled
improvements in application performance and bandwidth utilization. Whether at the edge of your
network, or right in the heart of it, this technology provides a powerful toolkit for meeting any
application delivery challenge. Protocol optimization improves the performance of protocols that
are inefficient over the WAN through specific enhancements that make them more tolerant to the
higher latencies typically found there. Blue Coat has been optimizing network protocols for more
than a decade and offers multiple improvements for TCP, CIFS, HTTP, HTTPS, MAPI, and most
streaming video and IM protocols.
For example, tests conducted in production customer environments and Blue Coat labs show that
ProxySG appliances significantly improve the performance of Microsoft Office in real-world
scenarios. Using the ProxySG, the time needed to open, edit, and save a file in Microsoft Word,
PowerPoint, and Excel over a 256Kbps WAN link with 110 milliseconds of latency improved by
an average of 59%, while the same test over a T1 WAN link with the same latency still showed
improvement of 50% during the first (cold) pass of the data set. Subsequent operations on the
same files consistently showed 99% improvement in response time for both links. The ProxySG
provides a critical performance improvement needed to make these applications usable over a
WAN link.


Proxy Features

Slide: Proxy features

The ProxySG provides the capability to filter application-level traffic embedded in Web
communications, monitor Internet and intranet resource usage, and block specific Internet and
intranet resources for individuals or groups.
The ProxySG supports all popular Web protocols including instant messaging, HTTP, HTTPS, FTP,
SOCKS, Real Media, and Microsoft streaming. Additionally, the proxy supports TCP tunneling,
a solution to forward any application protocol running over TCP that does not provide native
proxy support. It provides deep inspection of all Web requests and responses by gathering
complete details on the transaction between users and servers. These details can then be used to
implement policies and produce reports on Web usage and communications.
For example, as shown in the above diagram, the ProxySG has the ability to:
1. Stop malicious traffic sent from a client.
2. Stop malicious traffic sent from an OCS.
3. Modify content sent between a client and the ProxySG.
4. Modify content sent between the ProxySG and an OCS.
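The four abilities just listed, together with the earlier point that a Layer 7 device can decide on both the request and the response where a firewall sees only a permitted outbound HTTP connection, can be illustrated with a miniature policy engine. The following JavaScript is an added example written for these notes, not Blue Coat's policy language or code; the category database, user groups, rule table, header names and sample transaction are all constructed for illustration.

```javascript
// Added example: a miniature Layer 7 policy engine for a proxied transaction.
// Everything here (category database, groups, rules, sample transaction) is
// constructed for illustration; it is not Blue Coat's policy syntax or data.

// Stand-in for an on-box URL category database, keyed by hostname.
const CATEGORY_DB = {
  "intranet.example.local": "intranet",
  "www.example.com": "business",
  "files.sharing-example.net": "file-sharing",
  "bad.example.org": "malware",
};

// Hosts the database has never seen are "uncategorized"; a real deployment
// would consult a dynamic categorization service at this point.
function categorize(hostname) {
  return CATEGORY_DB[hostname.toLowerCase()] || "uncategorized";
}

// Rules are evaluated top to bottom within a phase; the first match wins.
// "request" rules run when the client's request reaches the proxy,
// "response" rules run when the origin content server (OCS) answers.
const POLICY = [
  // 1. Stop unwanted traffic coming from the client.
  { phase: "request", action: "deny", reason: "method not allowed",
    when: (t) => !["GET", "HEAD", "POST", "CONNECT"].includes(t.method) },
  { phase: "request", action: "deny", reason: "malware site",
    when: (t) => t.category === "malware" },
  { phase: "request", action: "deny", reason: "file sharing blocked for group",
    when: (t) => t.category === "file-sharing" && t.group !== "it-staff" },
  // 2. Stop malicious or unwanted content coming from the OCS.
  { phase: "response", action: "deny", reason: "executable download blocked",
    when: (t) => /^application\/(x-msdownload|x-msdos-program)\b/i.test(t.responseHeaders["content-type"] || "")
                 && t.group !== "it-staff" },
  // 3./4. Modify content on its way to the client: strip the server banner.
  { phase: "response", action: "allow", reason: "default",
    when: () => true, modify: (t) => { delete t.responseHeaders["server"]; } },
];

function evaluateRequest(tx) {
  tx.category = categorize(new URL(tx.url).hostname);
  const rule = POLICY.find((r) => r.phase === "request" && r.when(tx));
  return rule ? { action: rule.action, reason: rule.reason } : { action: "allow", reason: "default" };
}

function evaluateResponse(tx) {
  // Header names are case-insensitive; normalise once so rules can use lowercase keys.
  tx.responseHeaders = Object.fromEntries(
    Object.entries(tx.responseHeaders || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const rule = POLICY.find((r) => r.phase === "response" && r.when(tx));
  if (!rule) return { action: "allow", reason: "default" };
  if (rule.modify) rule.modify(tx);
  return { action: rule.action, reason: rule.reason };
}

// Run a whole transaction through both decision points. A request-side deny
// means the proxy never contacts the OCS at all.
function processTransaction(tx) {
  const req = evaluateRequest(tx);
  if (req.action === "deny") return { phase: "request", category: tx.category, ...req };
  const res = evaluateResponse(tx);
  return { phase: "response", category: tx.category, ...res, responseHeaders: tx.responseHeaders };
}

// Constructed sample transaction: a staff user fetching an executable.
const SAMPLE_TX = {
  clientIp: "10.0.0.5", user: "alice", group: "staff", method: "GET",
  url: "http://www.example.com/setup.exe",
  responseHeaders: { "Content-Type": "application/x-msdownload", Server: "demo/1.0" },
};

console.log(processTransaction(SAMPLE_TX));
```

A request-side deny is the cheaper decision because the proxy never opens a connection to the OCS; the response-side rule exists for the case the firewall discussion describes, where the request itself looks legitimate and only the returned content is objectionable.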

The ProxySG Policy Processing Engine provides a comprehensive policy architecture across all
users, content types and applications, and security services. This framework allows a security
administrator to control Web protocols and Web communications across the entire enterprise.
Networking environments have become increasingly complex, with a variety of security and
access management issues. Enterprises also face challenges in configuring products to ensure that
the result supports written corporate policies. Authentication and authorization using policy
definitions on the ProxySG allow an administrator to manage Web access according to the
enterprise's needs.
Blue Coat policies provide the administrator:

Fine-grained controls to manage behavior of the ProxySG.

Multiple policy decisions allowed for each request.


Multiple actions triggered by a particular condition.

Configurable bandwidth limits.

An authentication-aware proxy device, including user and group configurations.

Flexible user-defined conditions and actions.

Convenience of predefined common actions and header transformations.

Support for multiple authentication realms.

The ProxySG also can function as an intermediary between a Web client and a Web server,
authenticating users against an enterprise's existing security framework, such as LDAP, RADIUS,
certificates, NTLM, local lists, and other supported authentication services. The ProxySG either
challenges users when they attempt to access Web resources or transparently checks existing
authentication credentials.


Chapter 3: ProxySG Deployment

This chapter discusses the various ways in which the Blue Coat ProxySG can be deployed in a
network environment and explains the differences between explicit proxy and transparent proxy.
The following deployment options are discussed in detail:

Forward proxy.

Reverse proxy.

Configuring transparent proxy by:

Using the ProxySG as the default gateway.

Using the ProxySG as a bridge.

Using Web Cache Communication Protocol (WCCP).

Using a Layer 4 switch.

Configuring explicit proxy by:

Using Proxy Auto-Configuration (PAC) files.

Using Web proxy auto-discovery.

Because many enterprises are migrating from a core deployment to an edge deployment, this
chapter defines this topology and discusses its purpose, benefits, requirements, and best practices.
You will see why deploying a Blue Coat solution at each remote location enables you to maintain
control of the network by:

Enforcing content-filtering policies.

Controlling the content of selected Secure Sockets Layer (SSL) transactions.

Using bandwidth-management options to prioritize the use of Internet connections for
business-relevant applications.

Enabling edge-to-core compression between ProxySG appliances to optimize WAN traffic.

The deployment strategy that you implement can determine the availability of ProxySG features
and functionalities. More importantly, this decision determines how users are affected by the
proxy deployment.
For example, a transparent proxy deployment that uses a Layer 4 switch might appear to be an
elegant, scalable, and easy-to-maintain solution. However, initial setup cost can be prohibitive,
and consistent user authentication can prove challenging to implement. On the other hand,
deploying an explicit proxy using PAC files might appear more laborious to implement, but this
method does not require any additional equipment, and user authentication is easier to
implement, making it a consistently popular option.
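The explicit-proxy option using PAC files that the paragraph above favours can be made concrete with a small PAC file. The following JavaScript is an added example, not a file from the course or from Blue Coat: the proxy host names proxy1.example.local and proxy2.example.local, the corporate domain .example.local, and the address ranges are constructed. A browser supplies the helper functions isPlainHostName, dnsDomainIs, and isInNet itself; the stand-in versions defined at the top exist only so the file can be tested outside a browser and would be left out of a deployed PAC file.

```javascript
// Added example: a Proxy Auto-Configuration (PAC) file for an explicit-proxy
// deployment, plus stand-ins for the helper functions a browser normally
// supplies so the logic can be exercised outside a browser. Host names,
// proxy names, and address ranges are constructed for illustration.

// Stand-ins for browser-provided PAC helpers (omit these in a real PAC file).
function isPlainHostName(host) {
  return !host.includes(".");
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}
// A browser's isInNet() resolves host names via DNS; this stand-in only
// accepts dotted-quad literals and treats anything else as "not in the net".
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// The PAC logic itself; the browser calls this for every request.
function FindProxyForURL(url, host) {
  // Single-label names and the corporate domain are reached directly on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.local")) {
    return "DIRECT";
  }
  // Private address space (RFC 1918) and loopback also bypass the proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the ProxySG; a second proxy gives failover.
  // No trailing "DIRECT" is listed on purpose: if both proxies are down the
  // browser fails closed instead of silently bypassing policy.
  return "PROXY proxy1.example.local:8080; PROXY proxy2.example.local:8080";
}

console.log(FindProxyForURL("http://www.example.com/", "www.example.com"));
```

Rule order matters: the LAN and private-address checks come first so that intranet traffic is never sent out through the gateway, and the proxy list deliberately ends without a DIRECT entry so that a proxy outage does not become a silent policy bypass. If availability is preferred over fail-closed behaviour, a trailing "; DIRECT" can be appended, accepting that filtering no longer applies during the outage.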
After studying this chapter, you will understand:

What a proxy is, what it does, and how it can be deployed, particularly the ProxySG.

Why setting up an explicit proxy is the easiest, but not necessarily the most scalable, proxy
deployment.

The complexities of Layer 4 transparent redirection and its benefits compared to the simplicity
of an explicit proxy.

Transparent redirection with WCCP and its load-balancing and traffic-segregation benefits.


Deployment Options
Client connection method
Explicit proxy
Transparent proxy

Proxy role
Forward proxy
Reverse proxy

Network deployment

Slide: Deployment options for a proxy server

In a typical proxy deployment, there are usually only a few factors that affect your deployment options.
The common concerns that shape a proxy deployment design are usually:

Client connection method: The client connection method can be either explicit or transparent.
Explicit proxying is the quickest and simplest proxy solution. However, this same simplicity
can be impractical if your network has many clients. Transparent proxy, on the other hand,
offers greater ease of administration and deployment, as no configuration is needed on
the client end. Transparent proxy is usually achieved by intercepting client requests and
redirecting them to a proxy server.

Proxy role: A proxy can be deployed to play different roles. A forward proxy is the most
commonly deployed role. A forward proxy is used to proxy LAN users' HTTP requests to an
external server on the Internet. While doing so, a proxy can provide additional functionality
such as caching, anti-virus scanning, and enforcing security policies. A reverse proxy, however, is
usually deployed in the DMZ. It is used to allow Internet users to send requests to corporate
Web servers. A reverse proxy server can significantly improve the performance of
serving Web content to Internet users. A reverse proxy server can also serve as an additional
layer of security for the publicly accessed Web server.

Network deployment: There are different network deployment methods that an administrator
can choose to deploy a proxy server. The choice of network deployment option is usually
determined by the current network design. This is especially apparent if the proxy server is
deployed in a transparent manner. WCCP, for example, is most appropriately used if there are
Cisco routers in the network, just as the Layer 4 switch deployment mode is appropriate if such a
switch is already installed.


Chapter 3: ProxySG Deployment

Explicit Proxy


Slide: Explicit proxy deployment

Deploying an explicit proxy is the least complex solution and generally does not require any additional software or hardware. A simple packet capture can show whether a client is using an explicit proxy: clients using an explicit proxy format the GET request differently from clients using a transparent proxy or no proxy at all.
When the browser does not have a proxy set, the standard GET request is formatted similar to the following:

GET / HTTP/1.1
HOST: www.bluecoat.com

When the browser is configured to use a proxy, the GET request includes the entire URL:

GET http://www.bluecoat.com/ HTTP/1.1
HOST: www.bluecoat.com

In an explicit proxy request, the destination IP address of the client request is the IP address of the proxy, not the IP address of the end Web server. Upon receiving the requested URL from the client, the proxy requests it from the end Web server. During this request, the source IP address is the IP address of the ProxySG.
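As an added illustration (not part of the course material), the following JavaScript classifies a captured request by the request-line form described above; the sample captures are constructed, and the CONNECT case is a generalization beyond the page's GET examples.

```javascript
// Added example, not from the Blue Coat course: classify a request captured
// on the client by its request-line form.
//   absolute-form  "GET http://www.bluecoat.com/ HTTP/1.1" -> explicit proxy
//   origin-form    "GET / HTTP/1.1" + Host header           -> no proxy, or
//                  transparent proxy (indistinguishable in a client capture)
//   authority-form "CONNECT host:443 HTTP/1.1"              -> explicit proxy
//                  (tunnelled HTTPS; a generalization beyond the page's GETs)
// The sample captures at the bottom are constructed for this example.

function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/);
  const parts = lines[0].trim().split(/\s+/);
  if (parts.length !== 3) {
    throw new Error("malformed request line: " + JSON.stringify(lines[0]));
  }
  const [method, target, version] = parts;
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === "") break;       // empty line ends the header block
    const idx = line.indexOf(":");
    if (idx < 0) continue;               // tolerate stray lines in a capture
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

function classifyRequest(raw) {
  const req = parseRequestHead(raw);
  const hostHeader = (req.headers.host || "").toLowerCase();

  // absolute-form: the request-target carries scheme and host
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(req.target)) {
    let host = null;
    try { host = new URL(req.target).host.toLowerCase(); } catch (e) { /* unparsable */ }
    return {
      form: "absolute",
      explicitProxy: true,
      host,
      // A proxy routes on the request-target and ignores Host (RFC 7230 5.4);
      // a disagreement between the two in a capture is worth flagging.
      hostMatchesHeader: host !== null && host === hostHeader,
    };
  }

  // authority-form: only CONNECT uses it, and only toward an explicit proxy
  if (req.method === "CONNECT") {
    const host = req.target.toLowerCase();
    return { form: "authority", explicitProxy: true, host, hostMatchesHeader: host === hostHeader };
  }

  // origin-form: path only; the Host header names the server
  return { form: "origin", explicitProxy: false, host: hostHeader || null, hostMatchesHeader: null };
}

// Constructed sample captures (not real traffic).
const SAMPLES = {
  direct:   "GET / HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n",
  explicit: "GET http://www.bluecoat.com/ HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n",
  mismatch: "GET http://www.bluecoat.com/ HTTP/1.1\r\nHost: example.net\r\n\r\n",
  tunnel:   "CONNECT www.bluecoat.com:443 HTTP/1.1\r\nHost: www.bluecoat.com:443\r\n\r\n",
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name + ": " + JSON.stringify(classifyRequest(raw)));
}
```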


Explicit Proxy


Slide: Separate three-way handshake on the client and on the ProxySG

HTTP is an application protocol that relies on TCP as its transport protocol. A TCP three-way
handshake must take place to establish a connection before HTTP messages can be exchanged. A
TCP three-way handshake is typically performed in the following manner:
1. The client sends a SYN packet to a server to initiate the connection.
2. In response, the server replies with a SYN/ACK packet.
3. Finally, the client sends an ACK back to the server, and the connection is established.
The diagram above, however, shows two separate three-way handshakes taking place. This shows
that there are two separate connections on a single URL request: the first one from the client to the
proxy, and the second from the ProxySG to the external Web server.
The timeline shows that the ProxySG replies with the SYN/ACK to the client before receiving one
from the external Web server. This feature is known as early intercept in the ProxySG.


Transparent Proxy


Slide: Transparent proxy deployment

You can think of transparent proxying as the opposite of explicit proxying. The goal of transparent
proxying is to redirect all traffic to the ProxySG without requiring client knowledge of the proxy.
When you set up an explicit proxy, the client's user agent always knows that it is sending connection requests to a proxy server. In a transparent proxy deployment, the client's user agent is unaware that traffic is being redirected to a proxy and believes that it is talking to the remote server directly, without intermediaries.
In essence, transparent proxying is a more complex technology than explicit proxying. But it is also more efficient, scalable, and robust. However, transparent proxying is also generally more expensive and more complex to set up.
Unlike the explicit proxy scenario, you cannot tell whether a client request is going to be
transparently proxied by looking at a packet capture of that request on the client machine.
In a transparent proxy request, the destination IP address of the client request is the IP address of
the remote server, not the IP address of the proxy. When the ProxySG initiates a subsequent
request to the external Web server, the source IP address is the IP address of the ProxySG by
default unless configured otherwise to reflect client IP addresses.


Forward Proxy
The proxy is on the same network as the clients


Slide: Forward proxy

A forward proxy is the most common form of a proxy server and is generally used to pass requests
from an internal network to the Internet through a firewall. By using a forward proxy, requests
from users in the internal network can be selectively allowed or denied by implementing
authentication.
If the request from the private network has been fulfilled earlier and the response is in the cache, a forward proxy serves the requested content directly from its cache. If the requested content is not in the cache, the forward proxy acts on behalf of the client to request the content from the external server. When the external server replies, the forward proxy can cache the content so that subsequent requests for the same content are served faster.
A forward proxy can also perform advanced proxy features such as enforcing enterprise security policy and anti-virus scanning.


Reverse Proxy
The proxy is on the same network as the servers


Slide: Reverse proxy

Unlike a forward proxy, which caches arbitrary content for clients, a reverse proxy serves specific
content on behalf of back-end servers. Reverse proxies are network servers or appliances that
typically reside in the DMZ between Web applications and the Internet.
The reverse proxy is effectively a trusted processor for Web servers, acting as a middleman
between users and the Web applications they access. A reverse proxy protects Web servers from
direct Internet access and off-loads from them computationally intensive processes to enhance
performance.
To the outside world, the reverse proxy is the Web server. For example, in the above diagram, all
requests going to the Web server are directed to the proxy, even though the actual content resides
on the back-end server. When content is requested, the proxy either serves the content from its
cache or gets the content from a back-end Web server. If the reverse proxy is accelerating several
different Web servers, the proxy (or Layer 4 switch) maintains Web-server mapping so that content
can be obtained from the correct server, thus achieving load balancing. In most instances, SSL encryption is not done by the Web server itself, but by a reverse proxy that is equipped with an SSL acceleration card.


Out-of-path Deployment


Slide: Out-of-path deployment

In an out-of-path deployment, it is very difficult to achieve transparent interception and redirection. Therefore, explicit deployment is a common choice for most administrators. In an explicit proxy deployment, every client is configured to forward all traffic to the ProxySG. For example, you can easily set your browser to send all HTTP requests to a proxy server. This figure shows the proxy configuration screen for a Firefox client:

Once the client has been configured, the client sends all HTTP requests over port 8080 to the proxy with the hostname myproxysg. This method is straightforward; however, it is impractical for most organizations (except the very smallest) because you have to manually configure the browser on each client machine. Alternatively, an explicit proxy can be deployed by using other, more advanced methods such as a PAC file or the Web Proxy Auto Discovery protocol.
Manual configuration can still be useful for testing and debugging purposes.

Note: Malicious users can easily circumvent explicit proxy solutions.


Using WCCP


Slide: Deployment with WCCP

Web Cache Communication Protocol is a content-routing technology that enables routers to communicate with, and transparently redirect requests to, one or more Web caches. The purpose of the interaction is to establish and maintain the transparent redirection of selected traffic types flowing through a group of routers. WCCP version 2, the most widely used version, defines mechanisms that allow one or more routers (enabled for transparent redirection) to discover, verify, and advertise connectivity to one or more Web caches.
WCCP version 2 supports the redirection of traffic other than HTTP through a traffic-segregation method called service groups.
WCCP is a good choice if your network is primarily made up of Cisco routers and switches. However, to use WCCP version 2, your Cisco equipment must be running IOS version 12.03(T) or later.


Network with Layer 4 Switch


Slide: Network with Layer 4 switch

In a transparent proxy deployment, the Layer 4 switch must be able to inspect all outbound traffic.
You can configure the switch to direct specific traffic to the ProxySG and to pass all other traffic to
the firewall (or other destinations). Traffic-routing decisions can be based on several parameters: destination address, protocol, port, source address, or a combination of these.
Most Layer 4 switches also provide additional features, such as advanced load balancing, URL
hashing, and advanced fault tolerance and redundancy.
The major obstacle to deploying and implementing Layer 4 switches often is cost. In the United
States, such devices can cost tens of thousands of dollars.


ProxySG as a Bridge


Slide: ProxySG as a bridge

Most newer models of the ProxySG come with pass-through cards. The pass-through card is a dual network interface card that supports hardware bridging and high availability. The pass-through card eliminates a single point of failure because it provides fail-open capability.
Using the proxy as a bridge, the ProxySG is usually deployed between the core switch and the edge router. Because all outgoing Web requests are forwarded from the switch to the router, the ProxySG can be installed in the path. Bridging in such a strategic location in the network gives the ProxySG full visibility of all Web requests. As a result, advanced proxy features and granular security policies can be enforced.
It is not uncommon for the connection between the switch and router to be in trunking mode. Trunking mode is usually used to forward all VLAN-tagged packets between network appliances, for example, switch to switch or switch to router. Therefore, the ProxySG has a default setting configured to support trunking for switches that encapsulate using the 802.1Q trunking protocol.

Note: The ProxySG does not support trunk connections using ISL protocol encapsulation because ISL is a Cisco proprietary protocol. However, most Cisco equipment supports the 802.1Q encapsulation protocol.


ProxySG as Default Gateway


Slide: ProxySG as default gateway

The ProxySG can act as a default gateway for clients. In this scenario, the ProxySG is capable of
routing any kind of traffic: UDP, TCP, NetBIOS, unicast, multicast, and so on. Under such
situations, the ProxySG can either terminate and process the traffic or forward the traffic to the
next hop.
If the destination TCP port matches the service that is set to intercept, then the packets are
processed. Otherwise, the packets are forwarded based on the destination MAC address and the
IP address in the packet.
In order for the ProxySG to act as a default gateway:
• Clients must have their TCP/IP default gateway set to the IP address of the ProxySG.
• IP forwarding must be enabled on the ProxySG. If IP forwarding is not enabled, the ProxySG rejects the packets.


Proxy Auto-Configuration File


Slide: Proxy auto-configuration file

In an explicit deployment, manually configuring the address of the proxy server in a large client
base network is virtually impossible. Therefore, a proxy auto-configuration file can be used as an
enterprise solution to inform all the Web browsers of the addresses of the proxy servers present in
their environment.
The proxy auto-configuration file defines how Web browsers can automatically choose the
appropriate proxy server for fetching a given URL.
1. Upon launching the Web browser on the client machine, the Web browser attempts to retrieve the PAC file from a pre-configured URL in the client. The URL can be entered either manually or automatically by implementing Microsoft Group Policy.
2. When the user requests a URL, the Web browser reads the PAC file to decide which proxy to request it from. Upon identifying the proxy from the PAC file, the request is sent to the respective proxy server.
3. The proxy server receiving the request subsequently relays the request to the external Web server on the Internet.

Note: PAC files can be hosted on a ProxySG or on a dedicated internal Web server.


Proxy Auto-Discovery


Slide: Proxy auto-discovery

The Web Proxy Auto Discovery (WPAD) protocol lets clients automatically discover the presence and the address of the proxy server in their network. WPAD offers administrators greater ease of deployment because no pre-configured URL is required for the client to retrieve the configuration file. The configuration file (wpad.dat) is discovered by performing a DNS query for a fully qualified domain name made by prepending wpad to the DNS suffix of the client computer.
1. Upon launching the Web browser on the client machine, the browser automatically issues a GET request for the wpad.dat file from wpad.mycompany.com, where mycompany.com is the DNS suffix of the requesting client.
2. When the user requests a URL, the Web browser has to read the wpad.dat file to decide which proxy to request it from. Upon identifying the proxy from the wpad.dat file, the request is sent to the respective proxy server.
3. The proxy server receiving the request subsequently relays the request to the external Web server on the Internet.

Note: wpad.dat is written in the same way as the PAC file, but saved under a different file name. Both use the JavaScript FindProxyForURL function to decide which proxy server to use for different URL requests.
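The following PAC file is an added example, not one from the course or from Blue Coat; it assumes the proxy hostname myproxysg on port 8080 and the DNS suffix mycompany.com used earlier in this chapter, adds the RFC 1918 ranges as a typical stay-internal rule, and includes small stand-ins for the helper functions a browser's PAC runtime provides so that the file can be exercised under Node.

```javascript
// Added example, not from the Blue Coat course material: a PAC file (the same
// content would be served as wpad.dat for WPAD) plus offline stand-ins for the
// helper functions browsers supply to PAC scripts. Assumptions: proxy host
// myproxysg:8080 and DNS suffix mycompany.com from this chapter; RFC 1918
// ranges as the stay-internal rule. A deployed file needs only FindProxyForURL.

// --- stand-ins for the browser-provided PAC helpers ---
function isPlainHostName(host) {            // "intranet" but not "intranet.mycompany.com"
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {        // true when host ends with domain
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function ipToInt(ip) {                      // dotted quad -> unsigned 32-bit, or null
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}
// A real PAC runtime resolves a hostname first (dnsResolve); this offline
// stand-in only handles literal IP addresses as the host argument.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- the PAC logic the browser calls for every request ---
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and the company's own domain stay off the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".mycompany.com")) {
    return "DIRECT";
  }
  // Private address space (RFC 1918) is reached directly.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the ProxySG. Deliberately no "; DIRECT"
  // fallback: with one, a browser that cannot reach the proxy silently goes
  // around it, and whatever policy the proxy enforces goes with it.
  return "PROXY myproxysg:8080";
}

// Constructed sample lookups for a quick check when run directly.
const PAC_SAMPLES = [
  ["http://intranet/", "intranet"],
  ["http://wiki.mycompany.com/page", "wiki.mycompany.com"],
  ["http://10.1.2.3/", "10.1.2.3"],
  ["http://www.bluecoat.com/", "www.bluecoat.com"],
];
for (const [url, host] of PAC_SAMPLES) {
  console.log(url + " -> " + FindProxyForURL(url, host));
}
```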


Mixed Deployment


Slide: Deployment review

This diagram shows how the same organization can deploy the ProxySG differently in separate
locations as well as in the same location. Organizations can combine a variety of deployments in
their different offices. The above diagram shows five different deployments in a single
organization: four in satellite offices and one in the main office.
1. Transparent proxy using a Layer 4 switch in a satellite office.
2. Explicit proxy in a satellite office (or reverse proxy or default gateway).
3. Transparent proxy using WCCP in the main office.
4. Bridging mode in a satellite office.
5. Reverse proxy in a satellite office.

There is no one-size-fits-all solution when it comes to deployment. Carefully consider each solution, and determine which one best fits your environment, policy, and budget/personnel constraints.


Chapter 4: Blue Coat Product Licensing

A license is a document granting a party permission to take a certain action. In the computing
world, a license is most often an agreement between the manufacturer and the user, granting
permission to install and use software or hardware on a given number of devices. Blue Coat uses
a licensing system to ensure that customers are able to install and operate the Blue Coat products
in the capacity that meets their needs. This includes using a license as a way to unlock key features
of the ProxySG to ensure that databases for content filtering are up-to-date and effective.
For the ProxySG and its related software, licenses are issued on a per-appliance basis, and each
license key file includes the license for all SGOS components purchased by a customer. One
license key file is tied to one appliance; each software license can only be used on the appliance for
which it was intended and no others. This ensures that the correct software is paired with the
correct appliance.
Because Blue Coat offers a variety of software configurations for each appliance, the license is important in ensuring that customers receive access to the features they have purchased. For example, the software that operates the ProxySG is available in two editions: MACH5 Edition and Proxy Edition. By having two versions of the software, each deployment can be better tailored to that customer's network environment. In addition to the two editions, there are other features available for the ProxySG, such as IM filtering, SSL, and Blue Coat WebFilter; each of these features requires its own license.
Other Blue Coat products, such as ProxyAV and Blue Coat Reporter, are licensed in a different manner from the ProxySG. Some licenses are an annual subscription based on user count; others consist of only one perpetual license, giving the customer access to all of a product's features.
This chapter provides an overview of the licensing process required to activate Blue Coat products. It describes which products require a license, the licensable components available from Blue Coat, and what to expect when the trial period ends. Some of the concepts in this chapter, including the ProxySG Management Console graphical user interface and policy management on the ProxySG, are covered in greater detail later in this course, and it is not important to understand everything about them at this point.
After studying this chapter, you will understand:
• The types of licenses and licensable components that are available for the ProxySG.
• Differences between the two editions of the SGOS operating system.
• How to register and license a ProxySG.
• ProxySG license limits and how they are enforced.

Licensing of PacketShaper appliances is discussed in the training courses for those appliances and is beyond the scope of this course.


License Types
• Trial period: first 60 days; all features enabled
• Demo license: provided by Blue Coat or reseller
• Limited license: maximum users or length of time
• Unlimited license: no restrictions on users or time


Slide: License types

There are four types of licenses that can be used with ProxySG appliances. Each license allows for
different functions and user limits.

Trial Period
The trial period is a 60-day period that begins once initial configuration is completed, during
which a user is able to evaluate all features of the SGOS software. All features of SGOS can be used
by the customer, assuming the customer chooses to run Proxy Edition during the trial. At initial
configuration, the customer must choose to run MACH5 Edition or Proxy Edition during the trial
period; either can be chosen, regardless of which edition they purchased. For example, if a
customer purchases MACH5 Edition but chooses to run Proxy Edition during the trial period, all
of the Proxy Edition features and components are available for 60 days. However, once the 60-day
period ends, only the MACH5 features are available. The SSL and IM Filtering licenses are also
available during the trial period, although the full license must be added separately from SGOS.
To view the days remaining in the trial period, open the Management Console and go to
Maintenance > Licensing > View. The date on which the trial period ends is displayed in the
Expiration Date column. The Management Console is discussed in detail later in this course.

Demo License
Like the trial period, a demo license allows the customer to use all the features available on a Blue
Coat product. However, during the demo, the device is fully licensed. A demo license is provided
by Blue Coat or a Blue Coat reseller, who determines the length of the demo. Because a demo
license must be provided by Blue Coat, it is not automatically available to a customer.


Limited License
This type of license places a limit on the maximum number of users or on the length of time the license is valid. A license with a user limit immediately begins enforcing that limit once installed. When a license's user limit is reached, the appliance takes an action that depends on the product. If a license has a time limit, the feature continues operating at its full functionality until the time period ends. This applies to subscription-based products such as WebFilter; when the time period ends, WebFilter is no longer updated by Blue Coat but continues to categorize user requests.

License With No Limit
As the name implies, these licenses have no limitations based on user count or time. Once the license has been applied to the product, all components related to the license are available for use.


Licensable Components

Type       Component                            Cost
Required   SGOS Base                            Included
Included   Windows Media Streaming              Included
Included   Real Media Streaming                 Included
Included   QuickTime Streaming                  Included
Optional   SSL                                  Additional cost
Included   Bandwidth Management                 Included
Included   Proxy Client Acceleration            Included
Included   Oracle COREid                        Included
Included   Peer-to-Peer                         Included
Included   Compression                          Included
Included   Blue Coat WebFilter                  By user count
Included   Websense Offbox Content Filtering    By user count
Included   ICAP Services                        Included
Optional   AOL Instant Messaging                Free
Optional   MSN Instant Messaging                Free
Optional   Yahoo Instant Messaging              Free
Included   Netegrity SiteMinder                 Included
Included   Proxy Client Web Filtering           Included
Included   3rd Party Onbox Content Filtering    By user count


Slide: Licensable components

In addition to the four license types, there are three types of licensable components. When a license is created, it contains all three types:

• Required: The only required licensable component is the SGOS base license. This license and its features are required on any ProxySG. It contains the SGOS operating system plus base features such as HTTP, FTP, TCP tunnel, SOCKS, and DNS proxies.

• Included: These components contain additional SGOS features and are included with the SGOS base license. However, some of these components only provide the capability to use certain features. For example, on-box content filtering is an included component, but a subscription must also be purchased for the content filtering service of the customer's choice. Some included components are ICAP services, streaming media filtering, peer-to-peer, and compression.

Note: The actual content-filtering database for WebFilter, Websense, or any third-party vendor is not included in the license. The license included in SGOS gives the right to install the database.

• Optional: These features are not included with an SGOS license and need to be purchased or added separately. IM filtering licenses are free; SSL is available at an additional cost. The need for these components depends on individual deployment requirements.


ProxySG Editions


Slide: Proxy Edition and MACH5 Edition

The ProxySG can run either the MACH5 Edition or Proxy Edition of SGOS. While the physical
appliance is the same and the underlying operating system is SGOS for both editions, the feature
set is different. The main difference between the two editions is that the MACH5 Edition is used as
an accelerator only, while the Proxy Edition can do both acceleration and security.

• Proxy Edition contains all the features and functionality of SGOS.
• MACH5 Edition has a reduced feature set. Some components not relevant for WAN acceleration are disabled:
  - No content filtering and no IM proxy.
  - No HTTPS reverse proxy (SSL forward proxy is available).
  - Major realms only (such as IWA, LDAP, Local, Sequence).
  - Limited access logs.

If you select Proxy Edition for the trial period but purchase a MACH5 Edition license, the ProxySG configuration is reset when you install the license. Also, some defaults (the default proxy policy, trusting client-provided destination IP addresses, tolerating HTTP errors, and transparent WAN interception on disabled bridge cards) differ between the two editions.


Mixed Deployment


Slide: Mixed deployment example of MACH5 Edition and Proxy Edition

Either the MACH5 Edition or the Proxy Edition can be used to optimize and secure a deployment. The two editions can be used individually or together.
In the deployment shown above, the enterprise is taking advantage of both MACH5 Edition and
Proxy Edition. They have placed Proxy Edition appliances at their Internet gateways for security
and acceleration, while the two WAN links that are not directly connected to the Internet are
accelerated using MACH5 Edition.
The branch office that uses a direct-to-net connection to the Internet is using Proxy Edition at its
Internet gateway. However, because the other branch office has its Internet connection backhauled
through headquarters, it uses a MACH5 Edition appliance to accelerate its WAN link only.


Register and License a ProxySG


Slide: ProxySG registration and licensing

To activate the license on a ProxySG, the appliance must first be registered with Blue Coat. There
are two ways to register a ProxySG: manually or automatically. How a ProxySG is registered
depends on two factors:

• Has the hardware been registered previously?
• Does the ProxySG have access to the Internet?

After initial configuration, accessing the Management Console displays the license status as a link in the upper right corner. Hovering over the license link displays information such as the expiration date of a trial period. Click the link to switch to the Maintenance > Licensing > View section.
If this ProxySG is a new system and the hardware has been registered, you can retrieve the associated license by completing the following steps:
1. Go to Maintenance > Licensing > Install.
2. Click Retrieve. The Request License Key dialog displays. Enter your BlueTouch Online account information, and click Send Request. The ProxySG sends the entered credentials and hardware serial number to Blue Coat. The ProxySG hardware and software serial numbers are matched with the customer's BlueTouch Online account, and the license is activated.
3. The Confirm License Install dialog displays. Click OK to close the dialog.
4. When the License Install Succeeded message displays, click OK.
5. Click Close to close the Request License Key dialog.

If this ProxySG is not connected to the Internet or if the serial number of this ProxySG is not associated with a software serial number, the license must be installed manually. To manually obtain and install the license from the Management Console:
1. Select Maintenance > Licensing > Install.


2. Click Register/Manage. The Blue Coat Licensing Portal opens in a new browser window, and you are prompted for BlueTouch Online credentials.
3. Select the serial number of the ProxySG and match it to a listed software serial number, or enter one that was provided by Blue Coat.
4. If the device has Internet access, the software license is associated with and applied to the ProxySG. However, if the device does not have Internet access, you are prompted to download a binary file. This file must be manually applied to license the ProxySG.

Note: If the ProxySG or another appliance asks for WebPower credentials instead of BlueTouch Online credentials, enter your BlueTouch Online credentials anyway. WebPower is an old name for this service, and not all appliances have been modified to use the new name.


License Expiration and Limits (1)

License type     |                       | Action on expiration                        | Action on exceeded license limit
Base license     | Included              | Depends on default policy set by ProxySG    |
                 |                       | administrator                               |
IM filtering     | Optional, user-added  | IM activity is blocked                      | N/A
SSL termination  | Optional, costs extra | Intercepted HTTPS connections are blocked   | N/A
                 |                       | (on expiration of trial license)            |


When the ProxySG is initially configured, all available features are activated during the trial period, allowing use of all of the features of the ProxySG. However, if the MACH5 Edition was purchased, the security features available during the trial period expire at the end of the trial and become unavailable.
If a ProxySG base license expires, the appliance behaves in accordance with the default policy that has been configured by the administrator. If the default policy is Allow (the factory default for MACH5 Edition licenses), then all user requests bypass the ProxySG; if the default policy is Deny (the factory default for Proxy Edition licenses), then all user requests are blocked and users are notified (if possible) that the appliance's license has expired each time they issue a request.
In the Proxy Edition, the IM filtering and SSL licenses become unavailable at the end of the trial period unless a full license is added. When the trial period ends, any operation that requires an expired component ceases to function or functions in a limited capacity.
For example, SSL is a component that is not included with either edition of SGOS, but it is activated during the trial period, so all features of the full SSL license can be used during the trial. When the trial period ends, the behavior depends on the policy and on the HTTPS proxy service setting. In each of the three cases below there is no SSL license or the SSL license has expired:
• There is an SSL policy, the default policy is Allow (so connections not otherwise processed by policy are allowed), and the HTTPS proxy service is set to intercept: SSL traffic fails, and users get the error Access Denied (license_expired).
• There is no SSL policy, the default policy is Allow, and the HTTPS proxy service is set to intercept: SSL traffic fails, and users get the same error, Access Denied (license_expired).
• There is an SSL policy, the default policy is Allow or Deny, and the HTTPS proxy service is set to bypass: SSL traffic bypasses the ProxySG and requests succeed. Note that bypassed HTTPS traffic is neither inspected nor filtered by the appliance.


The SSL license is designed to take full advantage of the SSL card that is factory-installed in the ProxySG. This license should be purchased for deployments handling large amounts of HTTPS traffic.
In addition to a license's expiration, each model of the ProxySG has a different user limit built into it. This allows Blue Coat to align hardware capabilities for sizing purposes. The limit of the ProxySG is dependent on the specific hardware; it cannot be changed based on the type of license purchased. On the ProxySG, the user limit is counted using concurrent unique IP addresses, not unique connections. For example, if a ProxySG is handling 20 users, each making 20 connections (for a total of 400 connections), it counts 20, not 400. A consequence of counting by address is that many users behind a single NAT address count as one user, while one user with several addresses counts several times.
When the number of users reaches the limit, a warning message is logged, stating that the user license limit has been reached. One of three courses of action can be taken when the user limit is exceeded. In the Management Console, go to Configuration > Proxy Settings > General. Under the User Overflow Action section, there are three choices:
• Do not enforce licensed user limit
• Queue connections from users over licensed limit
• Bypass connections from users over licensed limit
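The following is an added example, not Blue Coat code, that models the user-limit accounting described above: a user is a concurrent unique client IP address, not a connection, and when a further unique address would exceed the licensed limit the configured User Overflow Action decides whether the connection is proxied, queued, or bypassed. The limit of 20, the client addresses, and the exact warning wording are constructed for the example; a real appliance logs its own message text.

```python
"""Added example, not Blue Coat code: a model of ProxySG user-limit accounting.

Users are counted as concurrent unique client IP addresses, not connections.
When a new IP would push the count past the licensed limit, the configured
User Overflow Action decides what happens.  The limit, client addresses and
warning text below are constructed for illustration."""

from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# The three User Overflow Action choices (Configuration > Proxy Settings > General).
DO_NOT_ENFORCE = "do not enforce licensed user limit"
QUEUE = "queue connections from users over licensed limit"
BYPASS = "bypass connections from users over licensed limit"


@dataclass
class UserLimitTracker:
    user_limit: Optional[int]                          # None models an "unlimited" appliance
    overflow_action: str = DO_NOT_ENFORCE
    active: Counter = field(default_factory=Counter)   # open connections per client IP
    warnings: List[str] = field(default_factory=list)  # what the event log would record

    def user_count(self) -> int:
        """A licensed 'user' is any IP address with at least one open connection."""
        return sum(1 for n in self.active.values() if n > 0)

    def connection_count(self) -> int:
        return sum(self.active.values())

    def open(self, client_ip: str) -> str:
        """Handle a new connection. Returns 'proxy', 'queue' or 'bypass'."""
        new_user = self.active[client_ip] == 0
        limited = self.user_limit is not None

        if limited and new_user and self.user_count() >= self.user_limit:
            # A further unique IP would exceed the limit: apply the overflow action.
            self.warnings.append(
                f"user license limit {self.user_limit} exceeded by {client_ip}")
            if self.overflow_action == QUEUE:
                return "queue"    # held until an existing user drops off
            if self.overflow_action == BYPASS:
                return "bypass"   # passed through without proxying
            # DO_NOT_ENFORCE falls through and the connection is served anyway

        self.active[client_ip] += 1
        if limited and new_user and self.user_count() == self.user_limit:
            # The limit has just been reached: the appliance logs a warning here.
            self.warnings.append(f"user license limit {self.user_limit} reached")
        return "proxy"

    def close(self, client_ip: str) -> None:
        if self.active[client_ip] > 0:
            self.active[client_ip] -= 1


def demo(user_limit: int = 20, overflow_action: str = BYPASS):
    """20 users x 20 connections count as 20 users, not 400; a 21st IP overflows."""
    tracker = UserLimitTracker(user_limit, overflow_action)
    for host in range(1, 21):
        for _ in range(20):
            tracker.open(f"10.0.0.{host}")        # constructed client addresses
    users_before = tracker.user_count()
    connections_before = tracker.connection_count()
    verdict = tracker.open("10.0.1.1")            # first connection from a 21st address
    return (users_before, connections_before, verdict,
            tracker.user_count(), len(tracker.warnings))


if __name__ == "__main__":
    print(demo())   # (20, 400, 'bypass', 20, 2)
```

With the bypass action the 21st address never enters the proxy's user table, so it stays uncounted and unfiltered; with "do not enforce" it is admitted and the count climbs to 21 with only the warning to show for it. Either way, the first warning appears when the twentieth user arrives, not when the twenty-first is refused.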

Listed below are all the models of ProxySG currently available for purchase, along with the user
limits for deployments with and without an Application Delivery Network enabled.
Table 4-1: User limits for the ProxySG

Model            | User limit (without ADN enabled) | User limit (with ADN enabled)
210-5            | 30                               | 10
210-10           | 150                              | 50
210-25           | unlimited                        | unlimited
510-5            | 200                              | 50
510-10           | 500                              | 125
510-20           | 1,200                            | 300
510-25           | unlimited                        | unlimited
810-5            | 2,500                            | 500
810-10           | 3,500                            | 700
810-20           | 5,000                            | 1,000
810-25           | unlimited                        | unlimited
8100 all models  | unlimited                        | unlimited
9000 all models  | unlimited                        | unlimited

Important: For any device that is listed as unlimited, the maximum number of users that can create connections is based only on the limitations of the hardware.


License Expiration and Limits (2)


License type | How licensed                              | Action on expiration    | Action on exceeded license limit
ProxyAV      | Hardware license with annual subscription | Scanning does not occur | N/A
WebFilter    | Annual subscription by user limit         | URLs not categorized    | Over-limit warning logged on ProxySG
Reporter     | Standard included, Enterprise added       | N/A                     | Reporter profiles are limited to 5 in Standard
Director     | Perpetual, no licensing steps by user     | N/A                     | N/A


Licenses for ProxyAV and WebFilter are sold on a per-user basis with an annual subscription.
When the license for these products is purchased, customers base their decision on the number of
users in their deployment and the length of time (one to three years) they want to use. The cost of
the anti-virus program is in addition to the cost of the ProxyAV hardware.
Note: The ProxyAV licensing information described below refers to appliances using software versions 3.1 and higher.

Like the ProxySG, the ProxyAV software serial number is linked to its hardware serial number before it is shipped to the customer. When the customer is ready to activate the ProxyAV, three items are needed: BlueTouch Online credentials, the hardware serial number, and the Antivirus Activation Code. Also like the ProxySG, the ProxyAV can be activated with or without an Internet connection.
For online activation, enter the BlueTouch Online credentials and the activation code into the ProxyAV Web interface. The ProxyAV automatically contacts Blue Coat and receives its license.
To activate a ProxyAV that has no Internet access, go to the Blue Coat Licensing Portal and enter the BlueTouch Online credentials followed by the hardware serial number and the Antivirus Activation Code. This allows the license file to be downloaded and entered into the ProxyAV Web interface.
Once WebFilter has been purchased, go to the Blue Coat Licensing Portal, and enter the BlueTouch Online credentials and the activation code provided by Blue Coat. This causes a license key file, username, and password to be created. To activate WebFilter, enter the generated username and password into the ProxySG Management Console.
WebFilter and ProxyAV are both sold with license limits, but these limits are not strictly enforced as they are on other Blue Coat products.


Once Blue Coat Reporter is activated, it operates in the unlicensed Standard Edition. To license Reporter, an upgrade to Enterprise Edition must be purchased. Once the upgrade is purchased, Blue Coat sends a license key. In the Licensing section of the Reporter Management Console, supply the provided license to complete the upgrade, allowing access to all of Reporter's features, including unlimited profiles.
In addition to unlimited profiles, Enterprise Edition adds multiple-processor support to Reporter and the Report/Report Menu Editor tool. In Standard Edition, Reporter uses only one processor regardless of the number of processors present on the system. The Report/Report Menu Editor tool allows the elements of a report and the report menu to be edited; Standard Edition does not allow this.
Unlike other Blue Coat appliances, Blue Coat Director does not have a software license. With the purchase and installation of Director, the software is activated and ready to use. Its capabilities are determined by its hardware configuration.
Although Director does not have its own license, it can monitor the licenses of the ProxySG appliances it manages. These statistics are listed under the System Resources Health Monitoring Metrics on Director. Director records the status of license utilization and expiration. Utilization measures the licenses that have user limits, and a warning is issued when the limit is close to being reached or has been reached. Director monitors the IM Filtering, Streaming Media, SGOS Base, and SSL licenses.


Chapter 5: ProxySG Initial Setup

After you have physically installed a new Blue Coat ProxySG, the next step is to configure the
operating software of the appliance so that it can begin filtering and optimizing network traffic.
This process involves making several key decisions about how the appliance will be deployed and
what it will be expected to do. This chapter describes the different methods that you can use to
initially configure a new ProxySG.
The most common configuration method involves connecting to the serial port of the ProxySG
and is the method that is presented in this chapter. While it also is possible to use a hardware
bridge or perform limited configuration via the front panel of the appliance (on those models that
have a front panel), these methods are less commonly used and do not offer the same
functionality.
After studying this chapter, you will understand:
• How to configure a newly installed ProxySG.
• How to select which edition of the SGOS operating system to use.
• How to control access to the ProxySG.
• Differences between standard and privileged mode on the ProxySG.

This chapter assumes that you already have physically installed your ProxySG.


Access Methods


Before a newly installed ProxySG can filter and optimize network traffic, it must be configured
with an IP address and other parameters. There are three methods that you can use to access the
ProxySG to perform this configuration.

Serial Console
The ProxySG has a serial port that you can use for initial configuration and for almost all other
tasks, including policy creation. The specifications for the serial port are 9,600 bits per second, 8
bits of data, 1 stop bit, no parity, and no flow control. The serial interface requires a null-modem
9-pin female-to-female serial cable (provided with the ProxySG).
To activate the serial console after physically connecting to the serial port, press the Enter key
three times, and select the Setup Console option. This launches the ProxySG configuration wizard.
Once you have assigned the IP address to the appliance, you can finish the configuration via the
graphical user interface at https://proxyIPaddr:8082, you can continue via the command line
interface (CLI) on the serial console, or you can use Blue Coat Director.
The CLI offers the ability to complete nearly all of the tasks you can perform in the graphical user interface; however, it is not as intuitive. Only advanced users should rely on the CLI for tasks other than initial configuration. Only two relevant commands are available solely under the CLI:
• restore-defaults factory-defaults: Restores the ProxySG to the default configuration. When you restore system defaults, the IP address, default gateway, and the DNS server addresses are cleared. In addition, any lists (for example, forwarding or bypass) are cleared. After restoring system defaults, you need to restore the basic network settings. This command can only be executed when you access the CLI via the serial console, which is one reason physical access to the serial port must be controlled.
• reset-trial: This undocumented and hidden command allows you to start a new 60-day trial period. You can use the command up to two times. If your trial expires, you can reset it by issuing this command from the CLI and then rebooting the ProxySG; the 60-day period resets when the ProxySG is rebooted after the command is issued.


Other Access Methods

• Front panel: This option, available for all models of the ProxySG except the SG200 and SG210 series, only allows you to configure an IP address and perform other limited configuration tasks. After assigning the IP address using the front panel, you must enter the CLI or launch the graphical user interface in order to continue ProxySG configuration.
• Director: After a ProxySG has been assigned an IP address, the appliance can be registered with Director, where multiple appliances can be configured and managed from a central location. You cannot use Director to assign an IP address to a ProxySG.


Configuration Workflow Choices


Slide: Configuration workflow choices. In-path acceleration deployments (MACH5 Edition, SGOS 5.4 or later, manual configuration via the serial console rather than Director) continue in the Blue Coat Sky interface; all other deployments continue in the Management Console interface.


When you power up the ProxySG, it transmits data to the serial console. Using terminal software,
you can watch the boot sequence. If the appliance is new, the first thing you see is the
configuration wizard. This wizard allows you to configure network parameters, an administrative
username and password, an access control list of clients that are allowed to manage the appliance,
and a password to protect access to the serial port. The wizard does not allow you to set any other
parameters, but you can enter CLI privileged mode to configure other settings.
The configuration workflow that you use to configure your ProxySG depends on the type of
deployment and the access method you use. You can use the in-path acceleration workflow if your
deployment meets all of these conditions:
• The ProxySG is deployed in-path.
• You are running the MACH5 Edition of version 5.4 or later of the SGOS operating system.
• You are configuring the appliance manually, not with Director.
• You are configuring via the serial console.

The configuration wizard asks you to supply configuration information specific to an in-path
acceleration deployment. Then, you can launch the Blue Coat Sky interface to immediately see
how the ProxySG is optimizing network traffic.
For all other deployments, the configuration wizard asks information not specifically related to
in-path acceleration. After that, you can use the Management Console interface to configure other
filtering and acceleration parameters.


Access Control


You can control access to the ProxySG in several ways: by limiting physical access to the system, by using passwords, by restricting the use of the console account, through per-user RSA public key authentication, and with Blue Coat Content Policy Language. How secure the system needs to be depends upon your environment.
You can limit access to the ProxySG by:
• Restricting physical access to the system and requiring a PIN to access the front panel.
• Restricting the IP addresses that are permitted to connect to the CLI and the Management Console over the network.
• Requiring a password to secure the setup console.
• Disabling the built-in administrative account and enforcing the use of Active Directory or LDAP accounts.
These methods are in addition to the restrictions placed on the console account (a console account user password) and the enable password. Combining every available method (physically limiting access, limiting workstation IP addresses, and using passwords) leaves the ProxySG considerably harder to compromise than any single control alone.

Requiring a PIN for the Front Panel

On ProxySG appliances that have a front panel display, you can create a four-digit PIN to protect the system from unauthorized use. The PIN is hashed and stored. You can create a PIN only from the command line interface. To create a front panel PIN after initial configuration:

    #(config) security front-panel-pin PIN

where PIN is a four-digit number.
To clear the front-panel PIN:

    #(config) security front-panel-pin 0000

This also means that you cannot use 0000 as your PIN. A four-digit PIN has only 10,000 possible values, so treat it as a deterrent against casual tampering, not as a substitute for physical access control.

Limiting Workstation Access


During initial configuration, you have the option of preventing workstations with unauthorized
IP addresses from accessing the CLI. If this option is not enabled, all workstations are allowed to
access the CLI. You also can add allowed workstations later to the access control list.

Securing the Serial Port


If you choose to secure the serial port, you must provide a Setup Console password that is
required to access the Setup Console in the future. Once the secure serial port is enabled, the Setup
Console password is required to access the Setup Console, and an authentication challenge
(username and password) is issued to access the CLI through the serial port.
To recover from a lost Setup Console password, you can:
• Use the front panel display to either disable the secure serial port or enter a new Setup Console password.
• Use the CLI command restore-defaults factory-defaults to delete all system settings.
• Use the reset button (for models of the ProxySG with a reset button) to delete all system settings.

Note: You should not secure the serial console with a password unless you have a real need to do so. The serial console is your last resort when all other access methods are not available or passwords are lost.

Using LDAP Accounts


You have the ability to disable the built-in administrative account and enforce the use of
directory-based accounts. This is an important option for accounting and auditing purposes. You
do not want to share the same administrative account among different users, and you do not want
to create and maintain additional accounts outside your directory.
The ProxySG allows you to use any realm that supports basic authentication credentials, such as Microsoft Active Directory, Novell eDirectory, or another Lightweight Directory Access Protocol realm, to validate users before they can access the graphical user interface or the CLI.

Note: The password for the CLI enable mode is the same as the user's password when you are using a realm. You still need to know the enable password you configured at setup if you are accessing the CLI via the serial console.


Command Levels


CLI commands on the ProxySG are divided into those that can be issued while in standard mode
and enabled (privileged) mode. Most configuration settings are available in configuration mode,
which is a submenu of enable mode.

Enable Mode
Enable mode provides a set of commands to view, manage, and change ProxySG settings for
features such as log files, authentication, caching, DNS, HTTPS, packet capture filters, and
security. You can configure functionality such as the SSL proxy and HTTP compression. The
prompt changes from a greater-than sign (>) to a pound sign (#) to indicate that you are in enable
mode.
To enter enable mode from standard mode, use the enable command:

> enable
Enable Password:
#
When you type the enable password, it does not display.
For in-path acceleration deployments, the enable password is the same as the administrative
password that you specified during initial configuration. In all other deployments, separate
administrative and enable passwords are specified during initial configuration.

Configuration Mode
The configure command, available only in enable mode, allows you to configure ProxySG
settings from your current terminal session (configure terminal) or by loading a text file of
configuration settings from the network (configure network). The prompt changes from a
pound sign (#) to #(config) to indicate that you are in configuration mode. No additional
password is needed to enter configuration mode.


Chapter 6: ProxySG Management Console

The Management Console is part of an easy-to-use software suite in the Blue Coat ProxySG. It
is the nerve center of the ProxySG. You can write policies to control users within a network,
authenticate users, report network activity, and create a productive and safe work environment.
You can also manage, configure, and upgrade the ProxySG from any location using the
Management Console.
The Management Console is a graphical user interface. The software suite also includes a
command line interface. Although you can use the CLI to perform tasks, the Management Console
is more user-friendly and time-saving. It has tabs, links, buttons, windows, and other easy-to-use
features to perform most configuration, management, and monitoring tasks.
After studying this chapter, you will understand:
• How the Management Console controls the ProxySG.
• How to access, and control access to, the Management Console.
• What information and functions are available from the Management Console.


Overview

Slide: Overview. The Management Console is a user interface to the CLI that generates the necessary commands to implement each task, and it is divided into three functional tabs: Statistics, Configuration, and Maintenance.


The Management Console helps you perform commands to configure, maintain, and monitor the
ProxySG. You can also gather a variety of monitoring statistics. The user interface generates the
necessary CLI commands to implement the selected task.
The Management Console is organized into three functional areas represented by the following
tabs:

Statistics: Monitors the status and the health of ProxySG. You can gather statistics on system
usage, traffic history, IM, bandwidth management, resources, efficiency, and more.

Configuration: Sets up the ProxySG and creates objects and parameters used to manage

policies. This is the starting point for most of the tasks that you perform on the ProxySG.

Maintenance: Keeps the ProxySG up to date. You can perform a number of maintenance tasks

including licensing components, archiving the configuration, and upgrading or downgrading


the SGOS operating system on the ProxySG.
The Statistics, Configuration, and Maintenance tabs have individual menus that display on the left
side of the Management Console.


Web Browser Requirements


Supports JRE version 1.5.0_15 or later
Java enabled
Minimum resolution 1024x768
When in FIPS mode:
TLSv1 secured connection
Enabled by default in JRE 1.6
Must be enabled in Internet Explorer v7


The Management Console consists of a set of Web pages and Java applets stored on the ProxySG.
The ProxySG acts as a Web server on the management port to serve these pages and applets. You
can access the Management Console securely over HTTPS on any client with a Web browser that
supports Java Runtime Environment version 1.5.0_15 or later. In the Web browser, enter the
address https://proxyIPaddr:port, where proxyIPaddr is the IP address you assigned to the ProxySG
during configuration and port is the port number of the HTTPS-Console service, which defaults to
8082 but can be changed. A port number is required.
A minimum display resolution of 1024x768 is recommended.

Management Console in FIPS Mode


SGOS supports Federal Information Processing Standards (FIPS) mode. When a properly signed
version of SGOS has been installed and enabled, the ProxySG acts in accordance with the
requirements of FIPS 140-2, Security Requirements for Cryptographic Modules.
When the ProxySG is operating in FIPS mode, the Management Console loads only over a Transport Layer Security (TLS) version 1 secured connection. If your Web browser uses JRE version 1.5 or earlier, you must explicitly enable TLSv1; JRE version 1.6 enables TLSv1 by default. Microsoft Internet Explorer versions 6 and earlier do not have TLSv1 support enabled by default; to enable it, select Enable TLS 1.0 in IE's advanced security options. Beginning in IE version 7, TLSv1 support is enabled by default.
FIPS mode is enabled and disabled only from the command line interface, not the Management Console. When you enable or disable FIPS mode, the ProxySG reinitializes, reboots, and is out of service for up to several minutes. Use these commands from enable mode:

    # fips-mode enable
    # fips-mode disable
When operating in FIPS mode, many functions of the ProxySG appear and behave differently. The
details of FIPS-mode operation are beyond the scope of this course.

Authentication


Using the Management Console, an administrator can control the ProxySG. Access to the Management Console and the command line interface can be restricted to a selected pool of IP addresses and users.
1. You can access the Management Console from HTTPS and HTTP consoles. The default HTTPS console (port 8082) is already enabled. The HTTP console (port 8081) carries credentials and configuration in cleartext, so it is less secure than HTTPS and is not enabled by default.
2. The ProxySG allows you to access the Management Console only if your IP address is present in the access control list (ACL) or if the ACL is empty. The ACL is a list of selected IP addresses or subnets that you can create in the Management Console from Configuration > Authentication > Console Access > Console Access. An empty ACL places no restriction on source addresses.
3. The ProxySG validates your credentials either against the Management Console accounts or against realm accounts. A realm is a named collection of information about users and groups. The name is referenced in policy to control authentication and authorization of users for access to ProxySG services. Multiple authentication realms can be used on a single ProxySG. Realm services include IWA, LDAP, Local, and RADIUS.
4. A summary of the actions performed while accessing the Management Console, together with logged events, is stored in the event log. Information stored in the event log helps in troubleshooting problems that the ProxySG might encounter. It also allows you to track who made which changes while configuring the ProxySG.
Valid credentials are required to access the Management Console. The username is the name of the account you are using. The name must already exist; you cannot create it while logging in. You also need the password for that username. Once you have logged in, you do not need to do so again until your session times out. You can configure or disable the session time-out period (the default is 15 minutes).

Note: If you get a host mismatch or an invalid certificate message when you access the Management Console, re-create the security certificate used by the HTTPS console, and verify the new certificate's fingerprint out of band before accepting it in the browser.


Authentication Details


Authentication is the act of determining the credibility of a user. The ProxySG checks the authenticity of a user in multiple ways before providing access. You need to have a username and password; also, if the access control list is not empty, the browser's IP address must be present in the ACL.
The authentication process proceeds as follows:
1. The client connects directly to the ProxySG on port 8082, the default port of the HTTPS console. The Management Console can be configured to be accessible on any port.
2. The ProxySG sends a 401 response asking for user authentication (username and password).
3. The user enters the username and password.
4. The ProxySG checks for the IP address of the user in the ACL. At this point, it does not matter whether the credentials are valid; only the IP address is checked.
5. If the ACL is enabled and there is a match for the user's IP address, the ProxySG goes on to check the credentials. If the ACL is empty, then all users can access the ProxySG with their credentials.
6. If the ProxySG fails to find a match for the user's IP address, it returns a 401 response demanding credentials.
7. If the credential check of the user is successful, the ProxySG grants access to the user.
8. If the credential check fails, the user receives another 401 response for authentication. The user is not told the exact reason for the 401 response: it could be either the absence of the user's IP address in the ACL or invalid user credentials. The uniform response is useful from a defender's point of view, because a remote client cannot tell whether the ACL or the credentials were the obstacle.
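The decision logic of steps 1 through 8 above, written out as an added example that is not Blue Coat code: the ACL is evaluated before the credentials, an empty ACL admits every source address, and every failure produces the same 401 so the client cannot distinguish an ACL miss from a bad password. The ACL entries, the account, and the addresses are constructed for the example, and the salted PBKDF2 hash used to store the password is this example's assumption; a real ProxySG validates against its console accounts or a realm (IWA, LDAP, Local, RADIUS) and stores nothing of the kind in this form.

```python
"""Added example, not Blue Coat code: a model of the Management Console
authentication flow (ACL check first, then credentials, uniform 401 on any
failure).  ACL entries, account and client addresses are constructed; the
salted PBKDF2 password store is this example's assumption, not the ProxySG's."""

import hashlib
import hmac
import ipaddress
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 50_000
DUMMY_SALT = b"\xff" * 16        # used so unknown usernames cost the same time
DUMMY_DIGEST = b"\x00" * 32      # as wrong passwords (no username enumeration)


def make_account(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a console account; salt is random unless given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class ConsoleGate:
    def __init__(self, acl: List[str], accounts: Dict[str, Tuple[bytes, bytes]]):
        # ACL entries may be single addresses or subnets, as in Console Access.
        self.acl = [ipaddress.ip_network(entry, strict=False) for entry in acl]
        self.accounts = accounts

    def ip_allowed(self, client_ip: str) -> bool:
        """Step 4/5: an empty ACL restricts nothing; otherwise the IP must match."""
        if not self.acl:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.acl)

    def credentials_valid(self, username: str, password: str) -> bool:
        """Step 7/8: constant-time comparison, and the same hash work for unknown users."""
        record = self.accounts.get(username)
        salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_DIGEST)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return record is not None and hmac.compare_digest(candidate, expected)

    def request(self, client_ip: str, username: Optional[str] = None,
                password: Optional[str] = None) -> int:
        """Return the HTTP status the console would answer with."""
        if username is None or password is None:
            return 401                       # step 2: ask for credentials
        if not self.ip_allowed(client_ip):
            return 401                       # step 6: ACL miss, same answer
        if not self.credentials_valid(username, password):
            return 401                       # step 8: bad credentials, same answer
        return 200                           # step 7: access granted


def demo():
    # Fixed salt so the example is reproducible; use os.urandom in real code.
    salt, digest = make_account("s3cret", salt=b"\x00" * 16)
    accounts = {"admin": (salt, digest)}
    gate = ConsoleGate(["10.1.1.0/24", "192.0.2.10"], accounts)   # constructed ACL
    open_gate = ConsoleGate([], accounts)                          # empty ACL
    return (
        gate.request("10.1.1.7"),                        # no credentials yet
        gate.request("10.1.1.7", "admin", "s3cret"),     # allowed IP, good password
        gate.request("10.1.1.7", "admin", "wrong"),      # allowed IP, bad password
        gate.request("203.0.113.5", "admin", "s3cret"),  # good password, IP not in ACL
        open_gate.request("203.0.113.5", "admin", "s3cret"),  # empty ACL admits any IP
    )


if __name__ == "__main__":
    print(demo())   # (401, 200, 401, 401, 200)
```

The fourth call is the one to notice: correct credentials from an address outside the ACL get exactly the same 401 as a wrong password from an allowed address, which is the behavior step 8 describes.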


User Interface to CLI


The Management Console generates the CLI commands necessary to perform the actions you request. Accessing the Management Console is fairly simple:
1. When you open the Management Console, the Java applet loads.
2. Every time you click on a new tab, the Management Console retrieves the information from the registry. The registry is the store of all ProxySG configuration data. The registry can be viewed by entering the following address in your Web browser: https://proxyIPaddr:8082/registry/show
3. You now can make your changes to the configuration. Through the Management Console, you can configure a wide range of settings. You can launch the Visual Policy Manager from the Management Console, which helps you implement your organization's rules by creating policies, performing maintenance tasks, and gathering information about system operations.
4. When you click Apply, the Management Console generates the CLI commands necessary to complete the configuration. The updated configuration is stored in the ProxySG registry.


Managing Concurrent Access


The Management Console allows multiple users to access it concurrently. As a result, you can access the Management Console at the same time another user is using it: even while administrator #1 is modifying the configuration, administrator #2 can access the Management Console and also perform tasks.
The Management Console accepts modifications from multiple users without difficulty if the modifications affect different parts of the registry. However, there is no locking or conflict detection if multiple users change the same aspect of the configuration concurrently. When two users change the same configuration item at the same time, the last commit wins: only the changes of the user who commits last remain in the registry, and the earlier user's changes are silently lost.
You can reduce this risk by restricting the number of users who are authorized to change the basic settings in the configuration, and by checking the event log to see who changed what.


Management Console Header


After you have logged in to the ProxySG, the Management Console header displays. It contains
several pieces of information about the ProxySG on which it is running:
1. The appliance name, which can be configured by the administrator, is displayed in the header
line, in the Web browser title bar, and in the computer's taskbar.
2. The model of this ProxySG.
3. The serial number of this ProxySG.
4. The version of the SGOS operating system currently running on this ProxySG.
5. Whether this version of SGOS is the Proxy Edition or the MACH5 Edition.
6. The license status of this ProxySG.
7. The current health status of this ProxySG.


Statistics Tab


When you launch the Management Console, the Statistics tab displays a summary of network
traffic and applications, showing how the ProxySG is using its acceleration, optimization, policy
control, and caching techniques to improve the performance of traffic on your network. The page
refreshes about once every 60 seconds.
This tab gathers and displays information about system operations. Click an option in the left
navigation bar, and the browser displays the appropriate interface, which you can use to configure
a wide range of settings.
The Statistics > Summary > Efficiency tab (shown above), which is the default display, shows the
bandwidth gain achieved by up to the top five services during the past hour within your network
in the Savings panel, and the performance of each interface in the Interface Utilization panel. This
tab also displays the duplex settings for each interface and indicates whether the interface uses full
duplex or half duplex. If a duplex mismatch occurs when the interface is auto-negotiated and the
connection is set to half duplex, the display icon changes to a yellow warning triangle. If you see a
duplex mismatch, you can adjust the interface settings by going to Configuration > Network >
Adapters.
The Statistics > Summary > Device tab displays a snapshot of key system resources, identification
specifics, and the status of external devices that are connected to the ProxySG.
Other displays available from the Statistics tab include:

Traffic Mix: Displays traffic distribution and bandwidth statistics for traffic running through
the ProxySG. You can display statistics for proxy types or for services, and for various time
periods. The display refreshes whenever you switch views or change the duration of the
sample. If there is no activity, the data refreshes every 60 seconds.

Traffic History: Monitors the traffic statistics for all traffic running through the ProxySG. The
graphical data in the page also gives you details on the bandwidth usage, bandwidth gain,
client bytes and server bytes. Chart data updates automatically every 60 seconds.


ADN History: Displays WAN optimization statistics for inbound and outbound compression
gain.

Bandwidth Management: Displays the current class and total class statistics.

ProxyClient History: Displays bandwidth usage, the number of active clients, configurations
served, software served, and client version count for ProxyClient installations served from
this ProxySG.

Network: The Interface History page displays the traffic to and from each interface, including
virtual local area network (VLAN) traffic. This display can be useful in verifying that traffic is
being seen by the ProxySG.

ICAP: Graphically displays information on Internet Content Adaptation Protocol traffic over
time, including active requests, number of connections, completed requests, and number of
bytes. The display can be filtered to show any or all of plain, secure, deferred, and queued
requests. The display can show statistics by service or by service group.

Protocol Details: Provides statistics for the protocols serviced by the ProxySG. These statistics
complement the statistics in the Traffic History and Traffic Mix pages.

System: Displays resource statistics, content statistics, event logging statistics, and failover
statistics.

Sessions: Displays information on active and errored sessions.

Health Monitoring: Displays the current state of the health monitoring metrics. Health
monitoring uses key hardware and software metrics to provide administrators with a remote
view of the health of the system.

Health Check: Displays the state of various health checks: whether the health check is enabled
or disabled, if it is reporting the device or service to be healthy or sick, or if errors are being
reported.

Access Logging: Displays the log tail, log size, and upload status of the access log.

Authentication: Displays information on user login by username or IP address.

Advanced: Enables you to view a variety of system statistics located in one place and
accessible with URLs that can be accessed independently of the Management Console.

The details of these displays are discussed in the relevant chapters of this and subsequent courses.


Configuration Tab


The Configuration tab is the starting point for most of the operational tasks that you perform on the
ProxySG. You access this tab to change the configuration of the ProxySG and create objects and
parameters that you use in creating policies. Settings include:

General: Configure the name and serial number of the ProxySG, configure the system time, and
archive configurations.

Network: Configure adapters and interface settings, software and hardware bridges, gateways,
routing tables, DNS servers, and IPv6 settings. Interface settings include the ability to assign
your own names to each interface.

ADN: Configure ProxySG appliances and byte caching to improve application traffic over the
WAN.

Services: Configure the proxy services available on the ProxySG, including CIFS, FTP, HTTP,
HTTPS, instant messaging, MAPI, SSL, SOCKS, streaming, and TCP tunnel.

ProxyClient: Configure the settings used to act as a ProxyClient server for remote users.

SSL: Create keyrings, import and create certificates, check the validity of certificates, and create
an SSL client.

Proxy Settings: Provide various services that can enhance different proxy settings, such as
CIFS, FTP, HTTP, IM, and MAPI.

Bandwidth Management: Control the amount of bandwidth used by different classes of
network traffic; set priority for bandwidth among different classes.

Authentication: Define authentication realms, including IWA, LDAP, RADIUS, and other
realms; set up forms-based authentication.

Content Filtering: Configure the ProxySG to use Blue Coat WebFilter or a third-party filter to
block access to Web sites based on their content.


Threat Protection: Manage the interaction between the ProxySG and the WebPulse cloud
computing service; configure a ProxyAV for off-board malware scanning.

External Services: Install an ICAP server or create a WebSense off-box service.

Forwarding: Set up forwarding, allowing you to define the hosts and groups of hosts to which
client requests can be redirected.

Health Checks: Configure health checks on (and the availability of) a forwarding host or
external server that is providing a service.

Access Logging: Enable the logging of traffic through the ProxySG, configure access log
settings, select an access log upload client, set an upload schedule.

Policy: Set the default proxy policy to deny or allow traffic, view and install policy files, access
the VPM to create new policy.

The details of these displays are discussed in the relevant chapters of this and subsequent courses.


Maintenance Tab


The Maintenance tab allows you to perform many different maintenance tasks, including:

System and Disks: Restart the ProxySG, restore the system to its default settings, clear the
DNS, object, and byte caches.

Director Registration: Automatically register the ProxySG with a Blue Coat Director, enable
Director to establish a secure administrative session with the ProxySG.

Upgrade: Download an upgrade through the Internet and install it. You also can download it
to your PC and install it from there.

Licensing: View the status of software licenses, and license new features you have purchased.

Event Logging: Set up event logging: Specify the types of system events logged, the size of the
event log, and whether the appliance sends an e-mail notification if a certain event is logged.

SNMP: Enable Simple Network Management Protocol (SNMP), which allows you to monitor
the ProxySG.

Health Monitoring: Configure the ProxySG health-monitoring features, such as setting
warnings for system performance and license expiration.

Core Images: Specify how much detail is logged to disk when the ProxySG is restarted.

Service Information: Send service information to Blue Coat using either the Management
Console or the CLI. You can select the information to send, send the information, view the
status of current transactions, and cancel current transactions. You also can send service
information automatically in case of a crash.


Preview, Revert, and Apply


The Preview, Revert, and Apply buttons in the Management Console allow you to preview an
action, go back to the previous state, and commit changes to the registry. In the above example:
1. The administrator enables the Trust Destination IP setting.
2. The administrator clicks the Preview button.
3. The Preview window displays, listing the pending actions in the ProxySG. To see the CLI
commands for a pending action, double-click on the action.
4. The CLI commands corresponding to the Trust Destination IP setting are displayed. Click OK
in each window to return to the main Management Console window.
5. An asterisk (*) next to an item in the main menu indicates that there are pending changes.

To apply the changes that you have made in the Management Console, click Apply. The changes
are recorded in the registry.
To cancel pending changes, click Revert.
Important: Once you apply changes, you cannot revert them. You must undo any changes
by hand.


Sample CLI Generation


In general, the Management Console issues only the CLI commands necessary to perform the task
you want. However, the Management Console acts differently when you enter a list in which the
order is relevant.
For instance, the ProxySG uses DNS (Domain Name Service, an Internet service that translates
domain names into IP addresses) servers in the order displayed. Servers are always contacted in
the order in which they appear in the list. The ProxySG contacts the primary server first. If it does
not receive a response from that server, then it contacts the secondary server. For example, if you
want to add a DNS server to a list in which the order is important, the Management Console
automatically issues the necessary CLI commands to correctly order the items in the list.
In the above example, 172.16.90.110 is the IP address of the existing DNS server in the primary
forwarding group, and an additional server at 4.2.2.2 is to be added.
1. Go to Configuration > Network > DNS > Groups.
2. Click on the primary line to select that group, and click Edit.
3. In the Edit DNS Forwarding Group window, click before the existing entry, and then enter the
new address, 4.2.2.2. Then, press the Enter key, and click OK.
4. To see the CLI commands that have been generated, click Preview, and then double-click on
the Begin DNS Settings in the Preview section.
5. The CLI add server command adds the new server to the end of the server list. In order to
move it to the top of the list as shown in the Management Console, the CLI automatically
generates a promote command to move 4.2.2.2 to position 1 in the list.
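The add-then-promote behaviour of step 5, modelled in Python as an added example (this is not Blue Coat code). The exact command strings "add server X" and "promote X N" are an assumption, as is the restriction to additions and reorderings; the model generalizes the slide's single insertion to any reordering of the list.

```python
"""Model of how the Management Console turns an edited, ordered DNS server
list into CLI commands: 'add server' always appends to the end of the list,
so a 'promote' command is generated to move the new entry to the position it
holds in the Management Console.  Added example, not Blue Coat code; the
command strings and the no-removal restriction are assumptions."""
from typing import List


def add_server(servers: List[str], address: str) -> List[str]:
    """Behaves like the CLI 'add server' command: the new server goes to
    the END of the list, whatever position the administrator chose."""
    if address in servers:
        raise ValueError(f"{address} is already in the list")
    return servers + [address]


def promote(servers: List[str], address: str, position: int) -> List[str]:
    """Behaves like the CLI 'promote' command: moves an existing server to
    the given 1-based position and shifts the entries after it down."""
    if address not in servers:
        raise ValueError(f"{address} is not in the list")
    if not 1 <= position <= len(servers):
        raise ValueError(f"position {position} out of range")
    reordered = [s for s in servers if s != address]
    reordered.insert(position - 1, address)
    return reordered


def generate_cli(current: List[str], desired: List[str]) -> List[str]:
    """Return the CLI commands that turn `current` into `desired`.

    Mirrors the slide: every new server is added (which appends it), then
    the list is walked from position 1 and any entry that is out of place
    is promoted to where the Management Console shows it.  Removals are
    not modelled (assumption), so every current server must survive.
    """
    if len(set(desired)) != len(desired):
        raise ValueError("desired list contains duplicates")
    missing = [s for s in current if s not in desired]
    if missing:
        raise ValueError(f"removal of {missing} is not modelled here")

    commands: List[str] = []
    state = list(current)
    for address in desired:
        if address not in state:
            state = add_server(state, address)
            commands.append(f"add server {address}")
    for position, address in enumerate(desired, start=1):
        if state[position - 1] != address:
            state = promote(state, address, position)
            commands.append(f"promote {address} {position}")
    assert state == desired  # sanity check: the commands reproduce the edit
    return commands


if __name__ == "__main__":
    # The scenario from the slide: 172.16.90.110 exists and 4.2.2.2 is
    # inserted above it in the Edit DNS Forwarding Group window.
    for cmd in generate_cli(["172.16.90.110"], ["4.2.2.2", "172.16.90.110"]):
        print(cmd)
```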


IPv6 Support


Internet Protocol version 6 (IPv6) is a protocol designed to replace version 4 (IPv4), the currently
dominant protocol, to vastly expand the Internet's address space to accommodate the growth in
network-connected devices. The secure Web gateway functions of the ProxySG are supported both
in IPv4 and IPv6 networks. Support for IPv6 is enabled by default and requires minimal
IPv6-specific configuration.
In the Management Console and command line interface, IP addresses can be entered in either
IPv4 or IPv6 format and, where applicable, include a field for entering the prefix length (for IPv6
addresses) or subnet mask (for IPv4 addresses).
The following proxies have underlying protocols that support IPv6 and can communicate using
either IPv4 or IPv6: DNS, FTP, HTTP, HTTPS, SSL, TCP tunnel, and Telnet shell. These proxies are
discussed in the relevant chapters of this and other courses.
The ProxySG also offers functionality as an IPv4-to-IPv6 transition device. When an IPv6-enabled
ProxySG is deployed between IPv4 and IPv6 networks as shown in the above diagram, IPv4
clients can access resources and services that are available only in the IPv6 domain:
1. On the ProxySG, the HTTP proxy terminates the inbound HTTP request.
2. The ProxySG queries a DNS server.
3. The DNS server responds with the address of the IPv6 server.
4. The ProxySG makes an outbound IPv6 connection to the server, honoring the request from the
IPv4 client. The requested content is spliced from the IPv6 connection to the IPv4 connection
toward the client without the need to perform any type of translation.

Likewise, IPv6 clients can access IPv4 resources when an IPv6-enabled ProxySG is part of the
deployment. The ProxySG understands both IPv4 and IPv6 addresses, handles the DNS resolution
of IPv4 and IPv6, and provides multiple proxy services that work in an IPv6 environment.
In the Management Console, two global IPv6 configuration settings are available at Configuration
> Network > Advanced > IPV6:

To bypass all IPv6 traffic, select Enable IPv6 force-bypass. When this is selected, all IPv6 traffic
is bridged or routed.

To have the ProxySG route bypassed traffic, select Enable IPv6 forwarding. When this option is
disabled, the ProxySG discards bypassed traffic that is processed at Layer 3.

Both of these options are disabled by default.


IPv6 support on the ProxySG has these limitations:

The following proxies do not currently have IPv6 support: streaming (MMS, RTSP), SOCKS,
instant messaging (AOL-IM, MSN-IM, Yahoo-IM), CIFS, and MAPI.

IPv6 is not supported in an Application Delivery Network deployment.

The ProxySG does not intercept link-local addresses in transparent mode because such a
deployment is not practical; transparent link-local addresses are bypassed.

IPv6 is not supported in a WCCP deployment.

A brief introduction to IPv6 concepts is included as an appendix to this book.


Chapter 7: Services

The Blue Coat ProxySG lets you configure which traffic is to be intercepted. Services define the
ports on which the ProxySG listens for incoming requests. Each service can be applied to all IP
addresses or limited to a specific set of addresses and port combinations.
A variety of settings can be defined for each service. The ProxySG ships with a number of
pre-defined services; you can create additional services as needed, and services can be arranged
into logical service groups.
Unless there is a service set to intercept that matches the destination TCP port and the IP address
range for an incoming transaction, the connection is not terminated by the proxy. Depending on
the specific deployment mode, traffic that is not terminated is dropped or forwarded to the next
available hop, but it is not processed against existing policies.
After studying this chapter, you will understand:

The two types of services on the ProxySG.

Pre-defined proxy service groups and the types of services that are part of each group.

How traffic is intercepted and bypassed.

Settings that are used to control the behavior of services.

How management services facilitate administration of the ProxySG.


Service Types


The Management Console makes it easy to configure two types of services: proxy services and
management services. The ProxySG ships with a number of pre-defined services; additional services
can be added as needed.

Proxy services: These allow the ProxySG to communicate with other systems, such as clients,
servers, and other proxies. Proxy services define the ports and addresses where the ProxySG
listens for incoming requests. Each proxy service is associated with a proxy type. For example,
the pre-defined HTTPS proxy service is associated with the SSL proxy. A variety of settings for
each proxy service can be defined, depending on the proxy type.

Management services: These are used to administer the ProxySG. The ProxySG comes with
five consoles designed to manage communication with the system. Consoles are pre-defined
for HTTP, HTTPS, SNMP, and SSH. A Telnet console is available, but the service is not defined
by default.


Proxy Service Groups

Group name             Examples of pre-defined services
Standard               HTTP, HTTPS, Endpoint Mapper, CIFS, Streaming, Instant messaging, FTP, DNS, SOCKS
Bypass Recommended     Cisco VPN, Blue Coat ADN / WANop, Other encrypted services, Oracle over SSL,
                       Blue Coat management
Tunnel Recommended     Citrix, IMAP, LDAP, Lotus Notes, Other business applications
Default Action         Any traffic not matching listeners on other services
Custom Service Groups  Services created by the administrator

Services on the ProxySG are organized into service groups based on the type of traffic that each
service carries. You can edit the pre-defined service groups, and you can create custom groups.
The pre-defined service groups are:

Standard: These are the most commonly intercepted services.

Bypass Recommended: These services contain encrypted data and, therefore, probably cannot
benefit significantly from ADN optimization. This service group also includes other
interactive services.

Tunnel Recommended: These services use the TCP-Tunnel proxy to provide basic
application-independent acceleration.

Default Action: This detects any traffic that does not match other listeners on any other
services. It is essentially a global default bypass or intercept setting.

To list all of the services in a particular group in the Management Console, go to Configuration >
Services > Proxy Services. In the scrollable list of service groups, click on the name of a group to
expand it and list its services. The list of available services varies depending on whether your
ProxySG is running the MACH5 Edition or the Proxy Edition of the SGOS operating system.
You also can create custom service groups, which are listed alphabetically under the Custom
Service Groups section.


Services and Proxies

Proxies                                   Services
Dedicated proxies                         AOL-IM, CIFS, DNS, Endpoint Mapper, FTP, HTTP (explicit and external),
                                          SSL (HTTPS), MMS, MSN-IM, RTSP, SOCKS, Yahoo-IM
Intercepted by default TCP-Tunnel proxy   Citrix, IMAP, Internal HTTP, Kerberos, LDAP, LPD, Lotus Notes,
                                          MS SQL Server, MS Terminal Services, MySQL, NFS, Novell GroupWise,
                                          Novell NCP, Oracle, POP3, SMTP, SSH, Sybase SQL, XWindows,
                                          Default (listens on all unattended ports)

This table shows the pre-defined proxy services supported by the ProxySG and their
corresponding proxies.
Proxy services define the ports and addresses where a ProxySG listens for incoming requests.
Attributes for each service can be defined. Each service can be applied to all IP addresses or
limited to a specific set of addresses and port combinations. Several services are pre-defined, and
additional services can be defined.
If the MACH5 Edition of the SGOS operating system has been installed, there are two
differences in this table:

A transparent TCP tunnel connection listening on port 23 is created in place of the default
Telnet service.

Instant messaging, HTTPS reverse proxy, SOCKS, and Telnet services are not created.

In a new ProxySG secure Web gateway deployment, all pre-defined services are bypassed by
default. In a WAN optimization deployment, some common services (such as External HTTP) can
be configured to intercept by default during initial setup.


HTTP Services


The HTTP proxy is extremely robust when handling Internet traffic. But with applications on
internal networks, issues can arise because:

Applications deployed within the enterprise are not well designed or tested and can break
when a proxy introduces even slight changes.

Some applications use port 80 but are not really HTTP.

Some applications pretend to be HTTP but do not follow the HTTP specification closely.

To best handle applications running on an intranet, the ProxySG provides three HTTP services:

External HTTP: This service handles all transparent-proxy HTTP port 80 requests. This service
uses the HTTP proxy.

Explicit HTTP: This service handles all explicit-proxy HTTP requests on ports 8080 and 80.
This service also uses the HTTP proxy.

Internal HTTP: This service transparently intercepts HTTP traffic from clients to internal
network hosts. This service uses a TCP tunnel because some applications deployed within
enterprise networks are not fully compatible with HTTP specifications or are poorly designed,
causing connection disruptions when using an HTTP proxy. By default, the Internal HTTP
service uses the following addresses: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16,
and 192.0.2.0/24.


Listener Parameters


A listener defines the parameters by which a service on the ProxySG listens for incoming traffic. A
listener is identified by a unique combination of these items:

Source IP address: Usually set to All, which means any IP address that originates the
request. Specific IP addresses and subnets can be specified.

Destination IP address: The IP address

TCP port: A specific port or range of ports. All pre-defined ProxySG services are configured to
industry-standard ports, such as 80 and 8080 for the Explicit HTTP service.

A listener must be uniquely identifiable; an incoming connection cannot match more than one
listener. It is possible to have more specific and less specific definitions for listeners provided that
the source IP address, destination IP address, and TCP port are not the same as those of another
listener. Every proxy service must have a proxy listener, and a service can have multiple listeners.
Important: Policies are applied only to the traffic matching a service that is set to Intercept
(for a proxy service) or Enabled (for a management service).


Destination Addresses

Destination                  Description
All                          Intercepts all packets regardless of destination address
Transparent                  Intercepts packets with destination IP address not matching that of the ProxySG
Explicit                     Intercepts packets with destination IP address matching that of the ProxySG
Destination host or subnet   Intercepts packets matching a specific destination IP address

The destination address component of each listener can be configured to one of four modes:

All: This mode intercepts all IP addresses. This means that all the packets that pass through
the ProxySG are intercepted, regardless of the destination address.

Transparent: In this mode, packets with a destination IP address that does not belong to the
ProxySG are intercepted transparently and processed without changing the IP header of the
source and destination packets. This setting requires a bridge (such as the one available in the
ProxySG), a Layer 4 switch, or a WCCP-compliant router. Requests can be transparently
redirected through a ProxySG by setting the workstation's gateway to the IP address of the
ProxySG.

Explicit: This mode sends requests explicitly to the ProxySG instead of to an origin content
server.

Destination host or subnet: This mode intercepts traffic only for a specific IP address or
subnet.


Proxy Service Actions


Actions define whether the ProxySG terminates and proxies traffic that a listener has detected. An
action can only be performed if the traffic matches the proxy listener. There are two possible
actions: intercept and bypass.

Intercept: Tells the proxy service to intercept and proxy any traffic that matches the proxy
listener. If policies exist for the proxy service, they are enforced.

Bypass: Tells the proxy service to not intercept any traffic that matches the proxy listener.
Policies are not enforced on the traffic.

Changing the state of a service to bypass or intercept is a necessary step in configuring a proxy, but
it alone is not sufficient. For any service that you intercept, you also must configure the proxy
settings and define policy, both of which determine how the ProxySG processes the intercepted
traffic. These topics are discussed later in this and other courses.


Unintercepted Traffic


In the previous flowchart, the meaning of the action unintercepted traffic is different based on how
the client connects to the ProxySG. The result experienced by the user can be either the requested
data or an error message about a connection being refused. To bypass traffic does not necessarily
mean to permit or to deny the traffic.
If the client connects explicitly to the ProxySG but there is not a service matching that connection
that is set to intercept, the connection is refused and the client displays an error. No other settings
can influence or change this behavior.
When the client is transparently proxied, there is a difference between bridging mode and all other
transparent proxy deployments. In bridging mode, the traffic is allowed to reach the requested
origin content server; the ProxySG passes the incoming traffic from one interface to another. For all
other transparent proxy deployments, verify that the setting Enable IP forwarding in the
Management Console, under Configuration > Network > Routing > Gateways, is selected.
IP forwarding must be enabled in order for the ProxySG to route incoming traffic that is
transparently proxied and does not match a service set to intercept or a management service.


Traffic Flow


The above diagram shows how the services framework of the ProxySG determines whether a
client request is transmitted to the server.
1. All traffic is processed at the network layer. If traffic matches the bypass list, then A is the exit
point.
2. The remaining traffic is processed at the service level. If it matches a service set to intercept,
the processing moves to Step 3. Otherwise, B is the exit point.
3. Only traffic intercepted by a service goes through policy processing. In this case, if the traffic is
allowed, then C is the exit point.

Traffic that reaches exit point A or B continues to the server if bridging or IP forwarding is enabled
on the ProxySG. When traffic reaches exit point C, the decision whether to allow the connection is
made based on policy that has been configured on the ProxySG. Policy processing is discussed in
detail later in this course.
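The following Python simulation, an added example and not Blue Coat code, pulls together the listener parameters, the four destination modes, the intercept/bypass actions, the fate of unintercepted traffic, and the three exit points of the diagram above into one decision function. The Listener and Decision types, the proxy address 10.1.1.1, the sample listener set, and the tie-break that lets a more specific listener win over a less specific one are all constructed assumptions; only the Internal HTTP address ranges come from the page.

```python
"""Simulation of the ProxySG services framework described in this chapter:
listener matching (source IP, destination mode, TCP port), the
intercept/bypass action, and what happens to unintercepted traffic in
explicit and transparent deployments.  Added example, not Blue Coat code;
the types, proxy address, sample listeners and tie-break are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable, List, Optional, Tuple

PROXY_IP = ip_address("10.1.1.1")   # constructed address of the ProxySG
ALL_PORTS = range(1, 65536)

# Default address ranges of the Internal HTTP service (HTTP Services section).
INTERNAL_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
                 "169.254.0.0/16", "192.0.2.0/24")


@dataclass(frozen=True)
class Listener:
    service: str
    ports: range                                    # TCP port or port range
    dest_mode: str                                  # all | transparent | explicit | subnet
    dest_nets: Tuple[str, ...] = ()                 # used only when dest_mode == "subnet"
    source_nets: Tuple[str, ...] = ("0.0.0.0/0",)   # source "All" by default
    action: str = "intercept"                       # or "bypass"

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        if port not in self.ports:
            return False
        if not any(src in ip_network(n) for n in self.source_nets):
            return False
        if self.dest_mode == "all":
            return True
        if self.dest_mode == "transparent":   # destination is not the ProxySG itself
            return dst != PROXY_IP
        if self.dest_mode == "explicit":      # destination is the ProxySG itself
            return dst == PROXY_IP
        return any(dst in ip_network(n) for n in self.dest_nets)

    def specificity(self) -> Tuple[int, int]:
        """Assumed tie-break between a more and a less specific listener:
        narrower destination mode first, then the narrower port range."""
        rank = {"all": 0, "transparent": 1, "subnet": 2, "explicit": 3}
        return (rank[self.dest_mode], -len(self.ports))


@dataclass(frozen=True)
class Decision:
    exit_point: str          # "A", "B" or "C" as in the traffic-flow diagram
    service: Optional[str]   # service whose listener matched, if any
    outcome: str             # forwarded | dropped | refused | allowed | denied


def _unintercepted(exit_point: str, service: Optional[str], dst: IPv4Address,
                   bridging: bool, ip_forwarding: bool) -> Decision:
    """Fate of traffic leaving at exit A or B (Unintercepted Traffic section)."""
    if dst == PROXY_IP:             # explicit connection with no intercepting service
        return Decision(exit_point, service, "refused")
    if bridging or ip_forwarding:   # transparent: passed on toward the origin server
        return Decision(exit_point, service, "forwarded")
    return Decision(exit_point, service, "dropped")


def process(src: str, dst: str, port: int, listeners: List[Listener],
            bypass_list: Tuple[str, ...] = (), bridging: bool = False,
            ip_forwarding: bool = False,
            policy: Callable[[str, int], bool] = lambda dst, port: True) -> Decision:
    """Run one client connection through the three steps of the traffic-flow diagram."""
    s, d = ip_address(src), ip_address(dst)
    # Step 1: network layer.  A match on the bypass list leaves at exit A.
    if any(s in ip_network(n) or d in ip_network(n) for n in bypass_list):
        return _unintercepted("A", None, d, bridging, ip_forwarding)
    # Step 2: service level.  The most specific matching listener decides.
    hits = [l for l in listeners if l.matches(s, d, port)]
    best = max(hits, key=Listener.specificity) if hits else None
    if best is None or best.action == "bypass":
        return _unintercepted("B", best.service if best else None, d, bridging, ip_forwarding)
    # Step 3: only intercepted traffic is evaluated against policy; exit C.
    return Decision("C", best.service, "allowed" if policy(dst, port) else "denied")


# Constructed listener set modelled on the pre-defined HTTP and Default services.
LISTENERS = [
    Listener("Explicit HTTP", range(8080, 8081), "explicit"),
    Listener("Explicit HTTP", range(80, 81), "explicit"),
    Listener("External HTTP", range(80, 81), "transparent", action="bypass"),
    Listener("Internal HTTP", range(80, 81), "subnet", INTERNAL_NETS, action="bypass"),
    Listener("Default", ALL_PORTS, "all", action="bypass"),
]

if __name__ == "__main__":
    print(process("192.168.1.10", "10.1.1.1", 8080, LISTENERS))        # exit C, allowed
    print(process("192.168.1.10", "10.1.1.1", 3128, LISTENERS))        # exit B, refused
    print(process("192.168.1.10", "203.0.113.5", 80, LISTENERS))       # exit B, dropped
    print(process("192.168.1.10", "203.0.113.5", 80, LISTENERS, bridging=True))  # forwarded
```

Setting External HTTP to intercept and passing a policy callback that returns False shows the exit C "denied" path; a port with no intercepting listener on an explicit connection is refused regardless of the forwarding settings, as the Unintercepted Traffic section states.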


Proxy Service Settings


Service settings define the default parameters for a proxy service. It is important to understand
service settings because they determine how the proxy service processes traffic.
There are three groups of service settings (proxy, TCP/IP, and Application Delivery Network), as
shown in the above examples. The settings that are available for a service vary with the proxy
type that the service uses. For example, the Detect Protocol setting is available in the External
HTTP and LDAP services, but not in the AOL IM service. If a setting cannot be changed, it is
grayed out, such as the TCP/IP Early Intercept setting for the AOL IM and External HTTP services
in this example.
How to use these settings is covered in the chapters about individual services and protocols.

Proxy Settings

Authenticate-401: All transparent and explicit requests received on the port always use
transparent authentication (cookie or IP, depending on the configuration). This is especially
useful to force transparent proxy authentication in some proxy-chaining scenarios.

Detect Protocol: Detects the protocol being used. Protocols that can be detected include HTTP,
peer-to-peer (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper.

Keyring, CCL: The keyring selects the private key and certificate that the service presents to
clients; the CA Certificate List (CCL) specifies the CA certificates used to verify client
certificates.

Forward Client Cert: When used with the Verify Client setting, this setting puts the extracted
client certificate information into a header that is included in the request when it is forwarded
to the OCS. The name of the header is Client-Cert. The header contains the certificate serial
number, subject, validity dates, and issuer (all as name=value pairs). The actual certificate itself
is not forwarded. Because the OCS receives only a header, it must accept Client-Cert solely on
requests that arrive from the ProxySG; a request that reaches the OCS by any other path could
carry a Client-Cert header written by the client itself.

Enable SSL Version 2, Enable SSL Version 3, Enable TLS: Allow you to select which versions of
SSL/TLS you want to support. The default is to support all three. This attribute is available
only for HTTPS Reverse proxy. SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and
RFC 7568 respectively); on a reverse proxy that faces untrusted clients, enable TLS only.

Verify Client: Requests and validates the SSL client certificate. This attribute is available only
for HTTPS Reverse proxy.

TCP/IP Settings

Early Intercept: Controls whether the proxy responds to client TCP connection requests before
connecting to the upstream server. When early intercept is disabled, the proxy delays
responding to the client until after it has attempted to contact the server. If the Detect Protocol
setting is enabled, then Early Intercept is selected automatically.

Application Delivery Network Settings

Enable ADN: Controls whether ADN optimization is enabled for a specific service. Enabling
ADN does not guarantee that the connections are optimized by ADN. Instead, the actual
decision on whether to optimize is made by ADN routing (for explicit deployment) or by the
network setup (for transparent deployment).

Optimize Bandwidth: Controls whether to optimize bandwidth usage when connecting
upstream using an ADN tunnel.


Global Service Settings


Attribute                  Description
Tunnel on protocol error   Tunnels non-HTTP traffic on any HTTP service
Reflect client IP          ProxySG connects to the OCS using the client's IP address as its source IP address
Trust destination IP       ProxySG does not do a DNS lookup on the specified address
User overflow action       Specifies the handling of traffic belonging to users in excess of license limits

Slide: Global service attributes

The ProxySG supports four global option settings for proxy services. These are set in the
Management Console at Configuration > Proxy Settings > General and apply to all proxy services,
but not to management services.

Tunnel on protocol error: Some HTTP parsing errors might cause the ProxySG to issue an
exception, which could break applications. This could be caused by non-HTTP client requests,
HTTP requests that contain non-HTTP components, or formatting errors. When this setting is
enabled, the ProxySG tunnels non-HTTP traffic on any HTTP service instead of returning an
exception. Tunneled traffic is relayed without HTTP parsing, so policy conditions that depend
on HTTP headers or URLs cannot apply to it.

Reflect Client IP: This option determines how the client IP address is presented to the origin
content server for all requests. Use it with caution. When it is enabled, the ProxySG connects
to the origin content server using the IP address of the client that made the request as its
source IP address. You must ensure that the response from the OCS (which now replies to the
IP address of the client) returns through the ProxySG; if there is a direct path between the
client and the OCS, you end up with an asymmetric connection, and the client displays an error
because the TCP connection setup does not complete properly.

Trust Destination IP: If a client sometimes provides a destination IP address that the ProxySG
cannot determine, you can configure the ProxySG to connect to that IP address without doing a
DNS lookup. This can improve performance, but it is also a potential security issue: the
ProxySG then connects to the address the client chose rather than the address the requested
host name resolves to, so a client can pair a permitted host name with a destination of its own
choosing.

Important: The Reflect Client IP and Trust Destination IP settings can be used only in
transparent ProxySG deployments.

User Overflow Action: If you have more users going through the ProxySG than are allowed by
your license, you can configure overflow behavior. This setting is described in detail in the
Blue Coat Product Licensing chapter of this course.


Multiple Listeners

Slide: Multiple listeners

It is possible, and sometimes necessary, to have more than one service terminate connections that
match the same destination TCP port range. As long as no two listeners have the identical
destination IP address (or subnet) and port range, you can create as many listeners as you want.
In the example above, three listeners are configured for TCP port 80:

External HTTP: The destination IP address is set to Transparent. This service matches any
connection sent to the proxy whose destination IP address is not one of the proxy's IP
addresses and is not the IP address 192.168.0.50.

Example HTTP: The destination IP address is set to 192.168.0.50 (with a 32-bit netmask). This
service matches connections on port 80 where the destination IP address is specifically this IP
address and this IP address only.

HTTP-Console: The Proxy IP value is set to All. This service matches any connection on port
80 where the destination IP address is one of the IP addresses of the proxy, including virtual IP
addresses if applicable. (This service normally listens on port 8081 but was changed to port 80
for this example.)

Here, the ProxySG can have any IP address except 192.168.0.50. If the ProxySG had that IP
address, two listeners would be identical and the ProxySG could not determine how to handle an
incoming connection on port 80 with destination IP address 192.168.0.50: should Example HTTP or
HTTP-Console terminate it? Because there is no deterministic answer to that question, the
ProxySG does not allow such a configuration.
Not only the port range but also the destination IP address of a connection can match more than
one listener. Multiple matches are resolved with the most-specific (longest-prefix) match used by
routing devices: a listener is more specific if its destination subnet has a longer prefix. For
example, the subnet 10.0.0.0/24 is more specific than 10.0.0.0/16, which is more specific than
10.0.0.0/8.


When a new connection is established, the ProxySG first finds the most specific listener
destination IP address. If a match is found and the destination port also matches, the connection is
then handled by that listener. If the destination port of the listener with the most specific
destination IP address does not match, the next most specific destination IP address is found; this
process continues until either a complete match is found or no more matching addresses are
found.
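The listener selection just described, as an added example in Python (it is not ProxySG code): it models the three port-80 listeners from the slide plus two constructed overlapping-subnet listeners, applies the most-specific-prefix rule with the port fall-through, and checks for the conflict that arises when a proxy address equals the Example HTTP address. The proxy address, the two extra listeners and the data layout are assumptions of the example.

```python
# Added example, not ProxySG code: a model of listener selection for one
# incoming connection.  PROXY_IPS and the two 10.0.0.0/x listeners are
# constructed assumptions; the first three listeners follow the slide.
import ipaddress

PROXY_IPS = {"192.168.0.1"}          # assumed appliance address(es)

# (name, destination selector, (low port, high port)).  The selector is
# "transparent" (any address that is not the proxy's), "all" (any of the
# proxy's own addresses) or an explicit network.
LISTENERS = [
    ("External HTTP", "transparent", (80, 80)),
    ("Example HTTP", ipaddress.ip_network("192.168.0.50/32"), (80, 80)),
    ("HTTP-Console", "all", (80, 80)),
    ("HTTP-8080", ipaddress.ip_network("10.0.0.0/16"), (8080, 8080)),   # assumed
    ("HTTP-Branch", ipaddress.ip_network("10.0.0.0/24"), (80, 80)),     # assumed
]

def specificity(selector, dst, proxy_ips):
    """Prefix length if the selector matches dst, else None.  A proxy address
    ("all") and an explicit /32 are both host routes (32); "transparent" is the
    catch-all for non-proxy addresses, so it ranks below every real prefix."""
    if selector == "all":
        return 32 if dst in proxy_ips else None
    if selector == "transparent":
        return -1 if dst not in proxy_ips else None
    return selector.prefixlen if dst in selector else None

def select_listener(dst_ip, dst_port, listeners=LISTENERS, proxy_ips=PROXY_IPS):
    """Most-specific destination address first; if that listener's port range
    does not match, fall through to the next most specific, as described above."""
    dst = ipaddress.ip_address(dst_ip)
    proxies = {ipaddress.ip_address(p) for p in proxy_ips}
    ranked = []
    for name, selector, (lo, hi) in listeners:
        spec = specificity(selector, dst, proxies)
        if spec is not None:
            ranked.append((spec, name, lo <= dst_port <= hi))
    for _spec, name, port_ok in sorted(ranked, key=lambda r: r[0], reverse=True):
        if port_ok:
            return name
    return None   # exit point B: forwarded only if bridging or IP forwarding is on

def find_conflicts(listeners=LISTENERS, proxy_ips=PROXY_IPS):
    """Two listeners that resolve to the same host route with overlapping ports
    cannot be told apart, which is why the ProxySG refuses such a configuration.
    Returns the conflicting listener-name pairs."""
    expanded = []
    for name, selector, (lo, hi) in listeners:
        if selector == "all":
            expanded += [(name, ipaddress.ip_network(f"{ip}/32"), lo, hi) for ip in proxy_ips]
        elif selector != "transparent":
            expanded.append((name, selector, lo, hi))
    conflicts = set()
    for i, (n1, net1, lo1, hi1) in enumerate(expanded):
        for n2, net2, lo2, hi2 in expanded[i + 1:]:
            if n1 != n2 and net1 == net2 and lo1 <= hi2 and lo2 <= hi1:
                conflicts.add(tuple(sorted((n1, n2))))
    return sorted(conflicts)

if __name__ == "__main__":
    for ip, port in [("93.184.216.34", 80), ("192.168.0.50", 80),
                     ("192.168.0.1", 80), ("10.0.5.7", 80), ("10.0.5.7", 8080)]:
        print(f"{ip}:{port} -> {select_listener(ip, port)}")
    print("conflicts if the proxy is 192.168.0.50:",
          find_conflicts(proxy_ips={"192.168.0.50"}))
```

The 10.0.5.7:80 case is the fall-through: the /16 listener is the most specific address match but listens only on 8080, so the connection drops to the transparent listener; with the proxy at 192.168.0.50, find_conflicts reports the Example HTTP / HTTP-Console pair the text describes.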


Management Services

Slide: Management services

Management services are used to communicate with the ProxySG itself. There are five types of
consoles:

HTTPS console: This console provides access to the Management Console. It is created and
enabled by default. You can create and use more than one HTTPS console as long as the IP
address and port combination does not duplicate that of an existing console.

HTTP console: This console also provides access to the Management Console. It is created by
default but not enabled because it is less secure than HTTPS: credentials and configuration
travel in clear text. You can create and use more than one HTTP console as long as the IP
address and port combination does not duplicate that of an existing console.

SSH console: This console provides access to the command line interface using an SSH client.
It is created and enabled by default. No action is required unless you want to change the
existing SSH host key, disable a version of SSH, or import RSA host keys.

SNMP console: One disabled Simple Network Management Protocol listener is defined by
default on the ProxySG, which you can enable or delete as needed. You also can add
additional SNMP services and listeners. Discussion of SNMP support in the ProxySG is
beyond the scope of this course.

Telnet console: The Telnet console allows you to connect to and manage the ProxySG using the
Telnet protocol. This console service is not created by default because passwords are sent
unencrypted from the client to the ProxySG. Also, a Telnet shell proxy service exists on port
23, the default Telnet port. Because only one service can use a specific port, you must delete
the shell service if you want to create a Telnet console. If you want a Telnet shell proxy service
in addition to the Telnet console, you can re-create it later on a different port.

Important: Telnet is an insecure protocol. It should be used only if SSH cannot be used. Blue
Coat does not recommend use of the Telnet console.


Chapter 8: Hypertext Transfer Protocol

The World Wide Web, and with it HTTP, was first proposed by Tim Berners-Lee at CERN in Geneva,
Switzerland. The impetus behind his proposal was the need for a better way of organizing and
linking long and complex documents; the hypertext idea he built on is older. HTTP is the
application-layer protocol used to deliver Web-based content. At the time of writing, the
current version of HTTP (HTTP 1.1) is described in RFC 2616, and the original version (HTTP 1.0)
in RFC 1945: "The Hypertext Transfer Protocol (HTTP) is an application-level protocol with the
lightness and speed necessary for distributed, collaborative, hypermedia information systems."
(RFC 2616 has since been obsoleted by RFC 7230 through RFC 7235 and later by RFC 9110 through
RFC 9112; the concepts below are unchanged.)
The most important part of the preceding paragraph is that HTTP is a Layer 7 protocol: it is
independent of the underlying network architecture.
Before going into more detail about HTTP and how it is supported on the Blue Coat ProxySG,
it is important that you know the key concepts of HTTP and its architecture:1

Uniform Resource Identifier (URI) and Uniform Resource Locator (URL): These indicate the
resource to which a method is to be applied. Messages are passed in a format similar to that
used by Internet mail and the Multipurpose Internet Mail Extensions (MIME).

Connection: A transport-layer virtual circuit established between two application programs for
the purpose of communication.

Message: The basic unit of HTTP communication, consisting of a structured sequence of octets
and transmitted via the connection.

Request: A message containing an HTTP request.

Response: A message containing the response to an HTTP request.

Resource: A network data object or service that can be identified by a URI. This should not be
confused with the concept of a physical machine or with server (daemon) software.

Client: A software application that sends requests to a server (see below) over an established
connection.

Server: A software application that accepts connections from a client, processes the requests it
receives, and sends back responses.

Proxy: A software application (even appliances run a software application of some sort) that
acts as both a server and a client. The application acts as a server for the initial client and acts
as a client for the remote server. In fact, a proxy makes requests on behalf of other clients; this
is why it is considered both a client and a server. Client requests are serviced internally or are
passed to another server. A proxy can also translate or modify the request it receives from the
client before sending it to the server or to other servers. Proxies can also be used as helper
applications for handling requests via protocols not implemented by the user agent.

Gateway: A gateway is a server that acts as an intermediary for another server. Unlike a proxy,
a gateway receives requests as if it were the origin server for the requested resource; the
requesting client may not be aware that it is communicating with a gateway. Gateways are
often used as server-side portals through network firewalls and as protocol translators for
access to resources stored on non-HTTP systems.

1. Portions of these descriptions are adapted from RFC 1945, copyright 1996 The Internet Society, and
RFC 2616, copyright 1999 The Internet Society. All rights reserved.

Tunnel: A tunnel is an intermediary program which acts as a blind relay between two
connections. Once active, a tunnel is not considered a party to the HTTP communication,
though the tunnel may have been initiated by an HTTP request. The tunnel ceases to exist
when both ends of the relayed connection are closed. Tunnels are used when a portal is
necessary and the intermediary cannot, or should not, interpret the relayed communication.

Cache: A cache is a program's local store of response messages and the subsystem that controls
message storage, retrieval, and deletion. A cache stores cacheable responses to reduce
response time and network bandwidth consumption for future requests for the same content.
Any client or server may include a cache (though a cache cannot be used by a server while it is
acting as a tunnel). Any given program may be capable of being both a client and a server; our
use of these terms refers only to the role performed by the program for a particular
connection, rather than to the program's capabilities in general. Likewise, any server may act
as an origin server, proxy, gateway, or tunnel, changing behavior to address the needs of
each request.


HTTP
Definition: an application-level protocol with the lightness and speed necessary for
distributed, collaborative, hypermedia information systems
Different versions available:
HTTP/0.9
HTTP/1.0, described in RFC 1945 (May 1996)
HTTP/1.1, described in RFC 2616 (June 1999)

Slide: History of HTTP

HTTP is one of the most commonly used protocols. It was first described in an RFC in 1996, and
its latest update at the time of writing was in 1999. The protocol's longevity is a reflection of
its scalability and reliability. Although HTTP was designed to deliver Web content and
link-based text, it is now used to carry many different types of content.

HTTP version 0.9 is obsolete and is almost never encountered. GET is the only supported
method, and there are no headers.

HTTP version 1.0: This is the first version that was widely used, and it continues in wide use,
especially on servers.

HTTP version 1.1: This is the current version of the protocol. A main difference between
versions 1.0 and 1.1 is that version 1.1 enables persistent connections by default. Other
differences include improved caching, bandwidth optimization, error notifications, security
features, and the mandatory Host header.

Many client-server applications use HTTP as their communication protocol. HTTP borrows the
MIME Content-Type header to label the media type of a message body, and unlike Internet mail
it carries binary bodies as raw octets, with no base64 or similar encoding, so files of any
kind can be uploaded and downloaded. Today, most Web downloads are not done with FTP, but with
HTTP directly from a Web browser.


HTTP
The client always initiates the connection
The server cannot initiate a connection

Slide: HTTP request/response flow

An HTTP transaction is always initiated by the client. The client sends a request to the server;
the server processes the request and returns a response. HTTP does not allow a response to be
sent without a preceding request.
When the server has more information to offer than the client requested, it can only describe
that information in its response; it is up to the client to decide whether to request it. For
example, when a client downloads a Web page, the server returns the requested page (object),
which contains references to further objects (such as HTML links and embedded images). After
processing the response, the client may or may not issue new requests for the referenced objects.


HTTP URL
"http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
Host name is case-insensitive, even for UNIX-based Web servers
Default port is 80

Slide: HTTP URL

Most TCP-based protocols have well-known ports assigned to them. In theory, you should specify
the TCP port every time you make a connection to a remote host unless the protocol used has a
pre-defined, well-known port assigned to it. The default TCP port for HTTP is 80. For
example, the two requests listed below are identical:
http://www.bluecoat.com:80
http://www.bluecoat.com

After specifying the hostname, you specify the resource you want from the server (page,
image, file, and so on). You must specify the full path (as seen by the Web server) for that
resource. For example, the following URLs request two different resources on a Web site:
http://www.bluecoat.com/resources/training/index.html
http://www.bluecoat.com/images/BCS_leftnav_resources.jpg

The host name is case-insensitive; the path, by contrast, may be case-sensitive, depending on
the server.
In the request, you can also pass parameters that a script (running on the Web server) can process
and use to return a specific page based on your previous selections:
http://www.bluecoat.com/test.cgi?parameter=value 1

Path segments are separated from the hostname and from each other by the slash (/) character;
parameters are separated from the script name by the question-mark (?) character and from each
other by the ampersand (&) character.
Special characters in the URL are represented by their hexadecimal ASCII code, preceded by the
percent-sign (%) character. For example:
http://www.bluecoat.com/this is a sample.html is an invalid URL.
http://www.bluecoat.com/this%20is%20a%20sample.html is a valid URL.

1. Not an actual URL on the Blue Coat Web site.
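The URL rules above, as an added Python example that is not part of the course: a canonicaliser that applies them (case-insensitive host, implied port 80, percent-encoding) so that two spellings of the same resource compare equal, which is what a URL-based policy needs before it matches anything. The input URLs are constructed for the example.

```python
# Added example, not Blue Coat code: canonicalising http URLs before they are
# compared, following the rules described above.  All input URLs are constructed.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, quote

DEFAULT_PORTS = {"http": 80, "https": 443}

class InvalidURL(ValueError):
    pass

def canonical_http_url(url):
    """Lower-case scheme and host (host names are case-insensitive), drop an
    explicit default port, make an empty path "/", upper-case the hex digits of
    existing %XX escapes, drop the fragment (never sent to the server), and
    reject a raw space, which must be encoded as %20."""
    if " " in url:
        raise InvalidURL("space must be percent-encoded as %20")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise InvalidURL(f"not an http(s) URL: {url!r}")
    netloc = parts.hostname.lower()
    port = parts.port                     # None if absent, ValueError if not numeric
    if port is not None and port != DEFAULT_PORTS[scheme]:
        netloc = f"{netloc}:{port}"
    # Keep escapes already present (safe="%"); encode anything else not allowed.
    path = quote(parts.path or "/", safe="/%")
    path = re.sub(r"%[0-9a-fA-F]{2}", lambda m: m.group(0).upper(), path)
    return urlunsplit((scheme, netloc, path, parts.query, ""))

def query_params(url):
    """Parameters after '?' are name=value pairs separated by '&'."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def same_resource(a, b):
    return canonical_http_url(a) == canonical_http_url(b)

def encode_path(path):
    """The valid form of a path that contains characters such as spaces."""
    return quote(path, safe="/")

if __name__ == "__main__":
    print(canonical_http_url("HTTP://WWW.BlueCoat.COM:80"))
    print(query_params("http://www.bluecoat.com/test.cgi?parameter=value&x=1"))
    print(encode_path("/this is a sample.html"))
```

The escapes are normalised without being decoded on purpose: decoding and re-encoding would turn a "%2F" inside a segment into a path separator and change which resource the URL names.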



HTTP Message
Two types of messages: request and response
Two parts of each message: headers and data

Slide: HTTP message

You have seen on the previous pages how an HTTP transaction is a sequence of requests and
subsequent responses between a client and a server.
Both the request and the response are logically divided into two sections. The first part (the
headers) contains information relevant to the exchange between the client and the server. The
second part (the body) contains the actual data.
The client and server must agree on a set of parameters before any data can be sent. For
example, the server response might differ for clients using HTTP version 1.0 than for those
using HTTP version 1.1. A range of character encodings can be offered, but the client and server
must agree on which to use. These details are negotiated in the header section. Once the client
and server have agreed on all relevant communication parameters, data delivery begins.

Note: The ProxySG allows you to have granular control over request and response headers,
thus controlling the communication parameters between client and server.


Request Methods
GET: Retrieves whatever information (in the form of an entity) is identified by the URL.
Changes to a conditional GET if the request message includes an If-Modified-Since or similar
header.
HEAD: Identical to GET except that the server MUST NOT return a message-body in the response.

Slide: The GET and HEAD request methods

The GET request method instructs the server to return the information identified by the request
URL. GET is used to ask for a specific resource: when you click on a link, GET is used, regardless
of whether the linked resource is a file, a script, or other content. For example:

GET /sampletext.html HTTP/1.1
GET /samplescript.php HTTP/1.1

If the URL refers to a script, such as PHP or Active Server Pages (ASP), the output of the script,
not its source, is returned in the response.
The GET method becomes conditional if the request message includes an If-Modified-Since,
If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. The requesting agent
has thereby indicated that the content should be returned only if it meets the specified
condition; otherwise the server answers with a short status (304 Not Modified for
If-Modified-Since and If-None-Match) and no body. The conditional GET is intended to optimize
the delivery of cached data by reducing the number of unnecessary transfers from the Web server.
Responses to a GET request are cacheable only if the request meets the requirements for HTTP
caching as defined by the protocol.
The HEAD request method is identical to the GET method, except that HEAD returns only the
message headers and not the message body. HEAD can be used to obtain metainformation about
the entity; for example, to check the validity and accessibility of hypertext links.
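The conditional GET and HEAD behaviour above, as an added Python example that is not code from the course: the evaluation a server (or a cache such as the ProxySG answering on its behalf) performs against one stored entity. The stored entity, its validator and every request header are constructed; header names are lower-cased because HTTP header names are case-insensitive.

```python
# Added example, not Blue Coat code: evaluating GET, conditional GET and HEAD
# against one stored entity.  ENTITY and all request headers are constructed.
from email.utils import parsedate_to_datetime

ENTITY = {                                   # constructed stored object
    "body": b"<html>sample text</html>",
    "etag": '"v1"',                          # strong validator
    "last_modified": "Wed, 05 Jan 2005 22:09:00 GMT",
}

def is_modified(req_headers, entity):
    """True when the client's copy is stale and the full entity must be sent.
    If-None-Match (exact validator) takes precedence over If-Modified-Since,
    which has only one-second resolution."""
    inm = req_headers.get("if-none-match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        return not ("*" in tags or entity["etag"] in tags)
    ims = req_headers.get("if-modified-since")
    if ims is not None:
        try:
            client_time = parsedate_to_datetime(ims)
            return parsedate_to_datetime(entity["last_modified"]) > client_time
        except (TypeError, ValueError):
            return True      # an invalid date is ignored, per RFC 2616 14.25
    return True              # unconditional GET

def handle(method, req_headers, entity=ENTITY):
    """Return (status, response_headers, body).  304 never carries a body;
    HEAD returns the same headers GET would, including the Content-Length of
    the body it does not send."""
    if method not in ("GET", "HEAD"):
        return 405, {"allow": "GET, HEAD"}, b""
    if not is_modified(req_headers, entity):
        return 304, {"etag": entity["etag"]}, b""
    headers = {
        "etag": entity["etag"],
        "last-modified": entity["last_modified"],
        "content-length": str(len(entity["body"])),
    }
    body = entity["body"] if method == "GET" else b""
    return 200, headers, body

if __name__ == "__main__":
    print(handle("GET", {}))
    print(handle("HEAD", {}))
    print(handle("GET", {"if-none-match": '"v1"'}))
    print(handle("GET", {"if-modified-since": "Tue, 04 Jan 2005 00:00:00 GMT"}))
```

A 304 is only as trustworthy as the validator: If-Modified-Since can miss an update made within the same second, which is why the code prefers the ETag whenever the client sent one.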


Request Methods
POST: Designed to allow a uniform method to cover functions such as:
posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles;
providing a block of data, such as the result of submitting a form, to a data-handling process;
extending a database through an append operation.
CONNECT: Reserved for use with a proxy that can dynamically switch to being a tunnel (such as
SSL tunneling).

Slide: The POST and CONNECT request methods

The POST request method is used to send data to the server to be processed in some way. For
example, POST is used to submit the contents of Web shopping cart forms.
Unlike a GET request, a POST request carries a block of data in its message body.
The most common use of POST is to submit data to scripts such as those written in PHP and ASP.
The script receives the message body and decodes it.
You can use a POST request to send whatever data you want. The only stipulation is that the
receiving program must understand the format.
The CONNECT request method is used to direct Web proxies that provide SSL tunneling. CONNECT
asks the proxy to open a TCP connection to the host and port named in the request (port 443 for
HTTPS) and then to relay bytes blindly in both directions. Once the tunnel is established, the
proxy no longer parses what passes through it, so it can apply policy to the CONNECT request
itself (the destination host and port) but not to the encrypted content inside the tunnel.


Response Codes
Sample success code: 200 OK
Sample client-side issue: 404 Not Found
Sample server-side issue: 500 Internal Server Error

Slide: HTTP response codes

HTTP uses a set of three-digit response codes to communicate the outcome of a request from the
server to the client. There are five groups of response codes:

1xx: Informational; the request was received and processing continues.

2xx: The request was successfully received, understood, and accepted.

3xx: The client is redirected from the requested URL to a new one.

4xx: The request could not be fulfilled because of a client-side issue.

5xx: The server failed to fulfill an apparently valid request.

4xx response codes often are called error codes, but you should interpret the term error
cautiously. For example, authentication requests are handled using 4xx messages. When a
client requests a password-protected resource, the server replies with 401 Unauthorized. That is
not an actual error; the client request is simply not fulfilled until authentication information
is provided. A proxy that requires authentication uses the parallel code 407 Proxy
Authentication Required.


HTTP Protocol

Request:
GET / HTTP/1.1
Host: www.google.com
User-Agent: Firefox/1.0
Accept: text/xml

Response:
HTTP/1.x 200 OK
Content-Type: text/html
Server: GWS/2.1
Content-Length: 1121
Date: Wed, 05 Jan 2005 22:09 GMT

Slide: Client request and server response

This diagram shows some of the headers that are exchanged between a client and a server during
the first round of requests and responses.
The client issues a request specifying a method, a resource, and the protocol version. The method
is GET, the most commonly used one; it asks the server for the requested resource. The resource
is /, which indicates the root of the Web server. Web servers associate a default filename with
the root of a directory (index.htm, default.htm, welcome.html, and so on), so these two request
lines return the same data:

GET / HTTP/1.1
GET /index.htm HTTP/1.1

Note: This is only an example. Different servers use different default names.

The Host header (mandatory in HTTP version 1.1) tells the server which site is wanted when
several virtual servers share the same IP address.
The client also specifies, in the Accept header, that it expects text or XML data.
The server replies with a 200 OK status, indicating that the request is valid and has been
accepted, and labels the body as text/html; the Content-Length header says the body is 1,121
bytes long.
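The message structure from the HTTP Message page, the response-code groups, and the request/response pair on this slide, as one added Python example that is not code from the course: a parser that splits a raw HTTP/1.x message at the blank line into its header section and body, rejects the malformed cases a proxy must not guess about, and classifies the status code. The sample request and response are constructed to match the slide, with a Content-Length that matches the constructed body.

```python
# Added example, not Blue Coat code: splitting a raw HTTP/1.x message into its
# header section and body, and classifying the response code.  SAMPLE_REQUEST
# and SAMPLE_RESPONSE are constructed after the slide.
from dataclasses import dataclass
from typing import Dict, Optional

SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: www.google.com\r\n"
                  b"User-Agent: Firefox/1.0\r\n"
                  b"Accept: text/xml\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Server: GWS/2.1\r\n"
                   b"Content-Length: 15\r\n"
                   b"Date: Wed, 05 Jan 2005 22:09:00 GMT\r\n\r\n"
                   b"<html>hi</html>")

STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}

@dataclass
class HttpMessage:
    kind: str                 # "request" or "response"
    start_line: str
    headers: Dict[str, str]   # names lower-cased: header names are case-insensitive
    body: bytes
    status: Optional[int] = None

def parse_message(raw: bytes) -> HttpMessage:
    head, sep, body = raw.partition(b"\r\n\r\n")   # the blank line ends the headers
    if not sep:
        raise ValueError("incomplete message: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.lower(), value.strip()
        # repeated headers combine into one comma-separated list
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    start = lines[0]
    words = start.split(" ", 2)            # method/target/version or version/code/reason
    if len(words) != 3:
        raise ValueError(f"malformed start line: {start!r}")
    if start.startswith("HTTP/"):
        kind, status = "response", int(words[1])
    else:
        kind, status = "request", None
        if words[2] == "HTTP/1.1" and "host" not in headers:
            raise ValueError("HTTP/1.1 request without a Host header")
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            # Too few bytes: incomplete.  Too many: the surplus would be read as
            # the next message on the connection, so a proxy must not guess here.
            raise ValueError(f"Content-Length {declared} but {len(body)} body bytes present")
    return HttpMessage(kind, start, headers, body, status)

def status_class(code: int) -> str:
    return STATUS_CLASSES.get(code // 100, "unknown")

if __name__ == "__main__":
    req = parse_message(SAMPLE_REQUEST)
    resp = parse_message(SAMPLE_RESPONSE)
    print(req.kind, req.start_line, req.headers["host"])
    print(resp.status, status_class(resp.status), resp.body)
```

The two rejections are the security-relevant ones for a proxy: an HTTP/1.1 request without Host cannot be routed to the right virtual server, and a body whose length disagrees with Content-Length is how one party can make the proxy and the origin server read the stream at different message boundaries.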


Cascaded HTTP Requests
The intermediate device is both a client and a server
There can be any number of intermediate devices

Slide: Cascaded HTTP requests

HTTP allows a request (and, consequently, a response) to traverse any number of HTTP-aware
devices. The most common example is a proxy server. This device is a server for the client (on the
left side of the slide) and a client for the server (on the right side of the slide). In an explicit
deployment the client making the initial request knows that it is talking to the server through a
proxy; in a transparent deployment it does not. The server, in general, cannot distinguish the
actual client from a proxy server, unless intermediaries identify themselves with headers such
as Via or X-Forwarded-For.
There is no predefined limit to the number of proxy servers or similar devices that a request can
traverse. The client is usually aware, at most, of the very first proxy in the chain. That proxy can
forward the request directly to the origin content server or to another proxy, and the same
applies to every other proxy in the chain.


GET Requests

Via a proxy:
GET http://www.bluecoat.com HTTP/1.1
Host: www.bluecoat.com

Direct to the origin server:
GET / HTTP/1.1
Host: www.bluecoat.com

Slide: GET requests

The GET request that a proxy-aware client sends is very characteristic. You can easily recognize
what is sometimes called a via-proxy GET request because the entire URL, not just the path,
appears in the request line.
The destination IP address of such a request is the IP address of the proxy, so the proxy must
learn from the request itself which origin content server the client wants; the absolute URL
supplies that. In a direct Web request, by contrast, the destination IP address is that of the
Web server, not of any intermediary, and the request line carries only the path.
In HTTP version 1.0, the Host header is optional. In HTTP version 1.1, in which the Host header
is mandatory, the full URL in the request line may seem redundant, but RFC 2616 requires the
absolute-URI form for requests sent to a proxy, and clients follow this convention regardless of
which HTTP version they use.


Chapter 9: Policy Management

While there are many problems associated with using the Internet as a business tool, there are
several that generally cause the most concern:

Intellectual property loss leading to decreased competitive advantage.

Malicious viruses.

Productivity loss caused by illegitimate or unauthorized Internet use.

Threats from hacking.

Legal problems caused by accessing unsavory or copyrighted material.

Although many organizations create Internet usage policies, they face challenges in configuring
systems to enforce written corporate policies. Only a secure proxy with an object-handling
operating system can offer the framework needed to identify and enforce policies across an entire
enterprise with line-speed performance.
The Blue Coat ProxySG policy processing engine provides a comprehensive policy architecture
that spans all users, content types, applications, and security services. This framework allows a
security administrator to control Web protocols and Web communications across the entire
enterprise.
Blue Coat policies provide to the administrator:

Fine-grained controls to manage behavior of the ProxySG.

Multiple policy decisions allowed for each request.

Multiple actions triggered by a particular condition.

Configurable bandwidth limits.

An authentication-aware proxy device, including user and group configurations.

Flexible user-defined conditions and actions.

Convenience of predefined common actions and header transformations.

Support for multiple authentication realms.

Configurable policy event logging.


Overview
Set default proxy policy
Set global security level
Understand Visual Policy Manager
Manage layers
Translate the Acceptable Usage Policy
Configure ProxySG settings
Create policy

Slide: Overview

To successfully implement policies on your network using Blue Coat products, you must know
how to properly manage them. Before you can manage your policies, these concepts should be
understood:

Setting default proxy policy: Two settings are available: Allow and Deny.

Understand the Visual Policy Manager: The key to creating and using policy through the VPM
is understanding the layers. Once you have created a layer or layers in the VPM, there are
many ways to manage them. They can be enabled or disabled for times when you need them
temporarily. If you have created a policy but no longer need it, it can be easily deleted.

Translate the Acceptable Usage Policy: The first step to controlling and managing Web and
e-mail usage is having an Acceptable Usage Policy. An AUP establishes what is permissible
when using company resources to access the Internet. To enforce your written AUP, you need
a comprehensive and easy-to-use policy architecture. The ProxySG policy processing engine
allows you to control users, content types, applications, and security services, using Content
Policy Language or the VPM.


Chapter 9: Policy Management

Default Policy
Deny
Default option for ProxySG
All network traffic received by the proxy is blocked
Allow
Network traffic is allowed through the proxy
Other policies can deny selected traffic


Slide: Default policy

Before any custom policy is evaluated, the ProxySG applies the default policy:

Deny: Prohibits proxy-type access to the ProxySG. If this setting is chosen, you must create
policies to grant access to the ProxySG on a case-by-case basis.

Allow: Permits most proxy transactions. However, if protocol detection is enabled (the
default), HTTP Connect transactions are allowed only if they are tunneling SSL. If protocol
detection is disabled, HTTP Connect is only allowed on port 443. If your policy is set to Allow,
you must create policies to explicitly deny access on a case-by-case basis.

Additionally, the default setting for your ProxySG depends on what version of the SGOS
operating system you are using:

MACH5 Edition: The default setting is Allow.

Proxy Edition: The default depends on how you configured your ProxySG:

If SGOS was installed using the front panel or through the serial console, the default
setting is Deny.

If you upgraded SGOS from a previous version, the default policy remains the same as it
was for the previous version.


Visual Policy Manager


Slide: Visual Policy Manager

This diagram describes the behavior and actions taken by the ProxySG when an administrator
creates and installs policy.
1. To create policy through the Management Console, go to Configuration > Policy > Visual
Policy Manager and click Launch.

2. This opens the Visual Policy Manager, in which policy layers and rules are created. This
window is a Java applet.

3. Any configuration changes you make to the ProxySG in the Management Console are
synchronized with the VPM. The VPM shares information in various lists from the current
configuration in the Management Console, not the saved ProxySG configuration. When the
VPM is launched, it inherits the state of the ProxySG from the Management Console and
remains synchronized with that Management Console. This state might include configuration
changes that have not yet been applied or reverted. It does not include any changes made
through the CLI. When you click Apply in the Management Console, the configuration is
sent to the ProxySG, and the Management Console and the VPM are synchronized with the
ProxySG.

4. For policies created in the VPM to take effect, the administrator must install them. When
the Install Policy button is clicked in the VPM, the new policy takes effect and is generated
into an XML file. The ProxySG then compiles the policy into CPL and saves the result in the
vpm.cpl file, overwriting any policy previously created with the VPM. The ProxySG saves
VPM-generated policy in a single file and loads it all at once. This newly created CPL is
combined with any other CPL created through other means and then saved on the ProxySG.


VPM Policy Objects


Trigger objects
Used to determine if a rule matches or misses
Organized by source, destination, service, and time
Action objects
Used to determine proxy handling of a transaction
Organized by action and track


Slide: VPM policy objects

The VPM evaluates rules based upon trigger and action objects. Trigger objects represent the who,
where, how, and when of a rule; action objects represent the what.
Trigger objects also can be considered conditional objects: they describe the situations a rule
applies to. When a request passes through the ProxySG, it is matched against the installed
policy. If the request does not match (misses) a rule, that rule triggers no action. When every
condition of a rule is met, the rule's action objects determine what the ProxySG does with the
request.
In the VPM, when creating a Web Access Layer, for example, there are six settings that can be
modified. Four of these are trigger objects, and the other two are action objects.

Trigger Objects

Source: Specifies the source attribute, such as IP address, user, or group.

Destination: Specifies the destination attribute, such as URL, IP address, or file extension.

Service: Specifies the service attribute, such as protocols, protocol methods, and IM file
transfer limitations.

Time: Specifies day and time restrictions.

Action Objects

Action: Specifies what to do when the rules match.

Track: Specifies track attributes, such as event log and e-mail triggers.

Additionally, there is one optional object called Comment. This allows you to provide a comment
regarding the created rule.

Policy Translation Rule #1


Block all users from Hacking web sites
Source: ANY
Destination: Hacking
Service: ANY
Time: ANY
Action: DENY
Track: none


Slide: Rule: Hacking

In this example, an administrator has created a rule to block users from accessing Web sites that
have to do with hacking. This rule is relatively simple and straightforward. The idea is to block
any users in any group from accessing hacking Web sites at any time.

Trigger Objects

Source: The administrator selected the ANY option. This means that any request from any
source to a hacking Web site is denied, no matter what that source may be.

Destination: This option is used to select the category of Web site being blocked; in this case,
hacking Web sites. Categories are selected through Blue Coat WebFilter and are added to
the policy rule through the VPM.

Service: By selecting ANY, the administrator has established that hacking Web sites cannot be
accessed through any protocol.

Time: The administrator has selected ANY under this category to deny access to hacking Web
sites at any time, even outside normal business hours.

Action Objects

Action: The DENY option denies access to hacking Web sites when the conditions listed above
are met. In this case, the triggers are all-encompassing, so the condition always is met.

Track: The administrator has elected not to receive any notification when a user attempts to
access a hacking Web site.


Policy Translation Rule #2


Employees can visit travel Web sites only outside
regular working hours
Source: ANY
Destination: Travel
Service: ANY
Time: Mon-Fri; 08:00..17:00
Action: DENY
Track: none


Slide: Rule: Travel

Similar to the previous example, the administrator of this network wants to block traffic to certain
type of Web sites. This administrator does not want the employees planning their vacations while
they should be working. However, some lenience was given to the employees by allowing them to
access travel Web sites outside normal business hours. This shows that administrators have a great
amount of control over policy when using the ProxySG.

Trigger Objects

Source: The administrator has chosen to deny all access to travel Web sites, no matter the
client IP address, user, or group.

Destination: Using the categories available through the Blue Coat WebFilter, the administrator
created a policy object that is designed to block user access to travel Web sites.

Services: By selecting ANY, the administrator has created a policy object that blocks access to
travel Web sites, despite the method the user may be using to access the material.

Time: Under this policy object, the administrator has decided to deny access to material
pertaining to travel only during a certain time window. Between the hours of 8 a.m. and 5
p.m., access is denied, but outside that time frame, access to travel Web sites is allowed.

Action Objects

Action: The action object in this rule has been set to DENY. Access to travel Web sites is denied
to everyone, but only between the hours of 8 a.m. and 5 p.m. If a request is sent to a travel Web
site at 6 p.m., the time trigger misses. Because one of the conditions was not met, the DENY action
is not triggered by this rule; whether the request is ultimately allowed then depends on the
remaining rules and the default policy.

Track: The administrator has chosen not to receive any notifications if the policy is enforced by
the ProxySG.


Policy Translation Rule #3


Allow only users in the IT group to use FTP protocol.
Outside working hours, allow anybody.
Source: NOT(Group IT)
Destination: ANY
Service: FTP
Time: Mon.-Fri.; 08:00..17:00
Action: DENY
Track: none


Slide: Rule: Using FTP

In this example, a network administrator has created a policy designed to stop the use of the FTP
protocol by anyone except those who are in the IT group. However, outside normal business
hours, any user is allowed to use this protocol. Unlike the previous rules discussed, this one
allows access to any destination. However, the way in which the destination server can be
contacted is restricted.

Trigger Objects

Source: For this trigger object, the administrator has blocked the use of FTP by all users except
the IT group. This means that if all other conditions are met, any member of the IT group still
can make requests using FTP.

Destination: In this case, ANY does not mean that every destination is blocked. It means that
the destination is not considered: a request to any destination is denied if the other triggers
match.

Service: The administrator has set FTP as the service trigger, so the rule applies only to
connections attempted over FTP.

Time: The time limitations on the policy rule have been set so that this rule applies only
during normal business hours, from 8 a.m. until 5 p.m.

Action Objects

Action: The prescribed action, if all of the above triggers are met, is to deny the request. Note
that this rule never explicitly allows anything. If the source is found to be a member of the IT
group, or if the request is made outside normal business hours, the rule simply misses: no
action is taken by this rule, and the request is handled by the remaining rules and the default
policy. If the default policy is Deny, an explicit Allow rule is still needed before the IT group
can use FTP.

Track: No tracking action objects were added to this rule.


Complete Web Access Policy


Slide: Complete Web access policy

This example shows a set of policy rules created in the VPM. Note the following:
1. Rules in a policy layer are applied from top to bottom. This is important to know because once
a rule matches a request, all subsequent rules in the layer are ignored. Therefore, you should put
first the rule most likely to be matched. This saves processing time because the ProxySG does
not have to apply every rule to every request. Reordering also changes the outcome when more
than one rule could match the same request, so order by expected match rate only among rules
that cannot both match.

2. This is an example of a source trigger. In the first two rules, the source trigger is set to Any,
making the source of the request irrelevant in those two rules. However, the third rule has an
Active Directory group as a source trigger.

3. This column is the destination trigger. If a client sends a request to a travel Web site, the
first rule is applied to the request, but no action is taken, because that rule only blocks
hacking Web sites. However, when the request reaches the second rule, it triggers the Deny
action, and the Web site is blocked.

4. The Service column allows the administrator to select whether certain service attributes
should trigger an action. In the example above, the bottom rule includes an object for FTP. That
means for this rule to trigger, the request must be using FTP.

5. The rule object in this column allows you to specify a time or time period in which the
rule triggers an action. The rule object above is called Working-Hours. If a request is sent
during the time period set in the Working-Hours object, and the other triggers of the rule are
met, the action is triggered, either Deny or Allow.

6. This is the Action column. In the above example, all the actions are set to Deny. Therefore, if
any of the rules in this layer is triggered by a request, that request is denied.

7. The Move Up and Move Down buttons let you select and move one or more rules up and down
within a layer. The rules to be moved in a single operation must be consecutive.

8. When you click Install Policy, any additions, deletions, and changes that you have made are
installed on the ProxySG. The old VPM-CPL and VPM-XML files are deleted and replaced
with new CPL and XML that reflect the policy modifications.


VPM Rules Priority


Slide: VPM rules priority

This diagram describes the order in which rules are applied to requests that go through the
ProxySG. The rules are processed from top to bottom as they are listed in the VPM. As an example,
imagine the three rules shown above are the rules that were discussed previously in this chapter:

Rule 1 blocks all access to hacking Web sites.

Rule 2 blocks access to travel Web sites, but only during normal business hours.

Rule 3 blocks the use of FTP for everyone except the IT team, during normal business hours.

Therefore, if a user at a remote office attempts to establish a connection to an FTP server at
headquarters, the rules are applied as follows:

1. The ProxySG receives the request and checks it against rule 1. Because the FTP server is not a
hacking Web site, the triggers are not met, and no action is taken.

2. Because no action was taken by rule 1, the ProxySG checks the request against rule 2. Once
again, because the FTP server is not a travel Web site, no action is taken.

3. Next, the ProxySG checks the connection against rule 3. The ProxySG establishes whether or
not the user is a member of the IT group. Once it has determined that, it checks the connection
type and determines that it is an FTP connection. This rule also has a time period rule object,
so that has to be checked as well.
If the user is not a member of the IT group and the connection attempt is made during
business hours, the Deny action is taken. Otherwise (the user is in the IT group, or the
request is outside normal business hours), rule 3 misses and no action is taken by this layer;
the request is then granted only if the default policy is Allow and no other layer denies it.
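The following is an added example, not ProxySG code or CPL from the course: a small Python model of the single Web Access layer built in the three translation rules above, evaluated with first-match semantics and a configurable default policy. Request, Rule, the trigger helpers, the sample timestamps and the category names are constructed for the example; Track objects are not modelled. It exists to make the point the walkthrough glosses over: rule 3 never allows anything, so an IT user's FTP request at 10:00 on a Monday is decided by the default policy alone.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, FrozenSet, List, Optional, Tuple

# Added example (not ProxySG code): a minimal model of one VPM Web Access layer.
# A rule matches only when every trigger it carries matches; ANY is modelled as
# a missing trigger (None). The first matching rule ends evaluation of the layer.
# A request that misses every rule is left to the default policy.

Trigger = Callable[["Request"], bool]


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]   # authenticated group memberships, e.g. frozenset({"IT"})
    category: str            # category returned by the content filter, e.g. "Hacking"
    scheme: str              # protocol of the request: "http", "https", "ftp"
    when: datetime           # time the request arrived


@dataclass
class Rule:
    name: str
    action: str                          # "DENY" or "ALLOW"
    source: Optional[Trigger] = None
    destination: Optional[Trigger] = None
    service: Optional[Trigger] = None
    time: Optional[Trigger] = None

    def matches(self, req: Request) -> bool:
        triggers = (self.source, self.destination, self.service, self.time)
        return all(t is None or t(req) for t in triggers)


# Trigger objects. The Working-Hours window is Mon-Fri 08:00..17:00; treating both
# endpoints as inclusive is an assumption of this model.
def working_hours(req: Request) -> bool:
    return req.when.weekday() < 5 and (8, 0) <= (req.when.hour, req.when.minute) <= (17, 0)


def not_in_group(name: str) -> Trigger:
    return lambda req: name not in req.groups


def category(name: str) -> Trigger:
    return lambda req: req.category == name


def service(scheme: str) -> Trigger:
    return lambda req: req.scheme == scheme


# The three rules from the policy translation slides, in the order shown.
WEB_ACCESS_LAYER: List[Rule] = [
    Rule("rule 1: block Hacking", "DENY", destination=category("Hacking")),
    Rule("rule 2: Travel only outside working hours", "DENY",
         destination=category("Travel"), time=working_hours),
    Rule("rule 3: FTP only for IT during working hours", "DENY",
         source=not_in_group("IT"), service=service("ftp"), time=working_hours),
]


def evaluate(layer: List[Rule], req: Request, default_policy: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, name of the rule that decided), or (default_policy, None) on a miss."""
    for rule in layer:
        if rule.matches(req):
            return rule.action, rule.name
    return default_policy, None


# Constructed sample times (2010-03-01 is a Monday).
MONDAY_10_00 = datetime(2010, 3, 1, 10, 0)
MONDAY_18_00 = datetime(2010, 3, 1, 18, 0)
SATURDAY_10_00 = datetime(2010, 3, 6, 10, 0)

if __name__ == "__main__":
    it_ftp = Request("ann", frozenset({"IT"}), "Unrated", "ftp", MONDAY_10_00)
    for default in ("ALLOW", "DENY"):
        print(default, evaluate(WEB_ACCESS_LAYER, it_ftp, default))
```

Run as a script, the block prints the IT user's FTP verdict under both default policies: with Allow it is ("ALLOW", None), with Deny it is ("DENY", None). In both cases the rule that "decided" is None, which is the practical reading of rule 3: it restricts non-IT users but grants nothing, so a Deny default needs a companion Allow rule for the IT group.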


VPM Policy Layers


Admin Authentication

SSL Access

Admin Access

Web Authentication

DNS Access

Web Access

SOCKS Authentication

Web Content

SSL Intercept

Forwarding


Slide: VPM policy layers

Many types of VPM policy layers are available. This wide variety allows for finer customization to
allow you to meet any needs your network might require. Each type of layer provides a way for
you to control how the ProxySG can be accessed for administrative purposes and how the
ProxySG handles traffic. These are the layer types and what they are used for:

Administration Authentication: This layer allows you to set how administrators attempting to
access the ProxySG must authenticate. Through this layer, you can limit access to the ProxySG
to make sure that any other policy you may set cannot be modified by individuals not allowed
to do so. Additionally, this layer is often used in conjunction with the different Access layers,
allowing you to determine where a user can go and what a user can do after being
authenticated.

Administration Access: The previous layer allows you set how an administrator must
authenticate; this layer allows you to set who is allowed to access the ProxySG.

DNS Access: You can use this layer to set how the ProxySG handles DNS requests.

SOCKS Authentication: This layer gives you the ability to set the method of authentication for
accessing the ProxySG through SOCKS.

SSL Intercept: With this layer, you can set the ProxySG to tunnel or intercept HTTPS traffic.
Action taken for HTTPS traffic can be based on either the source or the destination of the
request.

SSL Access: Unlike the previous layer, this layer allows you to either deny or allow HTTPS
traffic through the ProxySG.

Web Authentication: You can use this layer to set whether or not certain users or groups have
to authenticate before they can access the ProxySG or the Internet. This can be useful if you
only want to give certain users access to certain resources.

Web Access: This is the layer that the previous examples about rules were based on. Through
this layer you can limit, allow, or deny access to Internet content.


Web Content: This layer is used to determine caching behavior, such as verification and ICAP
redirection, on the ProxySG. For example, you can set the ProxySG to cache Web sites that
your company accesses on a regular basis, but not other content.

Forwarding: With this layer, you can set the ProxySG to determine forwarding hosts and
methods.


VPM Layers Priority


Slide: VPM layers priority

In general, policy layers are processed from left to right. However, this only applies to layers of the
same type. The order in which layers are processed is logical and based on the order in which
things happen when a user is trying to access content on a server. In the above example, the layer
types are processed in this order:
1. Administration Authentication Layer: This layer is used to determine how a user is
authenticated when trying to access the Management Console of a ProxySG. The Management
Console is accessed through a Web browser over an SSL connection. If you have a Web Access
Layer in place that is set up to block SSL traffic, it would prevent any user from accessing the
Management Console. To avoid this, the ProxySG processes the Administration Authentication
Layer first. That way, a user can still access the Management Console, while SSL traffic still
is controlled.

2. Web Authentication Layer: In the above example, this happens before the Web Access Layer
because it would not make sense to determine what a user can do on the Internet before
determining whether or not that user should have access to the Internet at all. Therefore, the
ProxySG first applies the Web Authentication Layer to determine whether the user can access
the Internet, and then determines what the user is allowed to access once authenticated.

3. The first Web Access Layer: Because it is the leftmost such layer that is displayed, it is
processed before any other layers of the same type.

4. Another Web Access Layer: Because it appears to the right of the previous layer, it is processed
next.

5. Based on its position and order of processing, this can be one of three layer types: an
additional Web Access Layer (as shown), a Web Content Layer, or a Forwarding Layer.

Note: For a quick reference to the order in which layers are processed, you can look at the
Policy drop-down list in the VPM. The order in which they appear, from top to bottom, is the
order in which they are processed.


VPM Layer Guards


Slide: VPM layer guards

The same set of conditions or properties often appears in every rule in a layer. You can factor out
the common elements into layer guard expressions. This can help the ProxySG run more efficiently,
particularly when you have defined a large number of rules.
A layer guard is a single rule table that appears above the selected layer in the VPM. The layer
guard rule contains all of the columns available in the layer except for the Action and Track
columns. These columns are not required because the rule itself does not invoke an action other
than allowing or not allowing policy evaluation for the entire layer. You cannot add a layer guard
rule until you have created other rules for that layer.
In the above example, the administrator has created a layer called Guest User Web Access. When
this layer is evaluated:
1. The layer guard is checked first. If the user is not a guest user, then the rest of the layer is not
evaluated.

2. If the user is a guest user and if the user is attempting to access a resource that the
administrator has identified in Guest Categories, then this layer allows the transaction.

3. Otherwise, this layer instructs the ProxySG to return an exception page to the user.

By default, a layer guard rule is enabled, but you can disable a layer guard (which keeps the rule
but does not process it) or delete the rule completely from the VPM.


Best Practices
Policy construction
Express separate decisions in separate layers
Be consistent with your model
Policy integrity
Use ALLOW with caution
Policy optimization
Use regular expressions only when necessary
Place rules most likely to match at layer beginning
Use subnets when possible
Use definitions and layer guards


Slide: Best practices

The ProxySG policy processing engine is a powerful and flexible tool. But with that power and
complexity comes the need to create policy that is easy to understand and maintain.
When writing policy, consider the following points:

Express separate decisions in separate layers. As your policy grows, maintenance is easier if
the logic for each aspect of a policy is separate and distinct.

Be consistent with your model. Set the default policy (Allow or Deny) according to which one
more closely reflects your enterprise's security policy, and then use blacklists or whitelists as
appropriate. For secure gateway deployments, the recommended default policy is Deny; for
WAN optimization deployments, the recommended default policy is Allow.

Understand the implications of using the Allow action. Depending on where it is used, it can
unintentionally reverse a previous denial.

Use regular expressions only when absolutely necessary. This is the most CPU-intensive type
of policy evaluation; in most cases, an alternate solution without regular expressions is
possible and also prevents unintended matches.

Place rules most likely to match at the beginning of a layer. Because layers are evaluated only
until a rule matches, doing so provides a performance benefit.

When implementing any policy that involves IP addresses, use subnets instead of a list of
specific addresses when possible.

Use definitions and layer guards. These constructs often result in faster policy evaluation than
using multiple rules to accomplish the same thing.
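The following is an added example, not code from the course or from Blue Coat, serving two of the points above: the Guest User Web Access layer guard, and the warning that an Allow action can reverse a previous denial. It is a Python model in which layers are evaluated in order, a layer guard that misses skips the whole layer, and a verdict set by a later layer overrides one set earlier, which is the behaviour the "reverse a previous denial" caveat describes. The layer names, the marketing group, the category names and the dictionary-shaped request are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Added example (not ProxySG code): a model of how several VPM layers combine.
# Layers are evaluated in order. Within a layer the first matching rule sets that
# layer's verdict. A verdict set by a later layer overrides an earlier one (the
# mechanism behind "Allow can reverse a previous denial"). A layer guard is a
# trigger checked before the layer's rules; if it misses, the whole layer is skipped.

Request = Dict[str, str]                # constructed request: {"group": ..., "category": ...}
Trigger = Callable[[Request], bool]


@dataclass
class Layer:
    name: str
    rules: List[Tuple[Trigger, str]]    # (trigger, "ALLOW" | "DENY"), evaluated top to bottom
    guard: Optional[Trigger] = None     # layer guard; None means no guard


def evaluate_layer(layer: Layer, req: Request) -> Tuple[Optional[str], int]:
    """Return (verdict or None if the layer did not decide, number of rules examined)."""
    if layer.guard is not None and not layer.guard(req):
        return None, 0                  # guard missed: the rules are not even examined
    for examined, (trigger, verdict) in enumerate(layer.rules, start=1):
        if trigger(req):
            return verdict, examined
    return None, len(layer.rules)       # every rule missed: verdict unchanged


def evaluate(layers: List[Layer], req: Request, default_policy: str):
    """Return (final verdict, per-layer trace). The default policy applies only if no layer decides."""
    verdict = default_policy
    trace = []
    for layer in layers:
        decided, examined = evaluate_layer(layer, req)
        trace.append((layer.name, decided, examined))
        if decided is not None:
            verdict = decided           # later layers override earlier ones
    return verdict, trace


# Constructed layers. The guest layer follows the "Guest User Web Access" slide.
GUEST_CATEGORIES = {"News", "Reference"}

BLOCK_HACKING = Layer("Block hacking", [(lambda r: r["category"] == "Hacking", "DENY")])
GUEST_ACCESS = Layer(
    "Guest User Web Access",
    rules=[
        (lambda r: r["category"] in GUEST_CATEGORIES, "ALLOW"),
        (lambda r: True, "DENY"),       # everything else: exception page
    ],
    guard=lambda r: r["group"] == "guest",
)
# A broad ALLOW for one group, of the kind the best-practices slide warns about.
MARKETING_ALLOW = Layer("Marketing", [(lambda r: r["group"] == "marketing", "ALLOW")])

RISKY_ORDER = [BLOCK_HACKING, GUEST_ACCESS, MARKETING_ALLOW]   # the ALLOW comes after the DENY
SAFE_ORDER = [MARKETING_ALLOW, GUEST_ACCESS, BLOCK_HACKING]    # the DENY has the last word

if __name__ == "__main__":
    marketing_hacking = {"group": "marketing", "category": "Hacking"}
    print("risky:", evaluate(RISKY_ORDER, marketing_hacking, "DENY"))
    print("safe: ", evaluate(SAFE_ORDER, marketing_hacking, "DENY"))
```

With RISKY_ORDER a marketing user requesting a Hacking site is denied by the first layer and then allowed again by the catch-all marketing layer; moving the category block to the last layer (SAFE_ORDER) restores the denial, and narrowing the marketing rule's trigger is the other fix. The trace also shows the guard at work: for a non-guest the guest layer reports zero rules examined.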


Chapter 10: WebPulse

Content filtering is a primary capability of the Blue Coat ProxySG and is a key feature of
WebPulse, Blue Coat's cloud computing service.
Cloud computing services act as a grid that unites millions of users as a defensive mirror, similar to
the protection-in-numbers practice that is common in nature. Cloud services are exposed to a
much larger profile of Web content than any one enterprise. This volume of Web content and
repetition of popular Web sites enables community-watch cloud services to detect Web threats and
rate Web content for the benefit of all users in the community.
Cloud services also can deploy more defenses than would be affordable for any one enterprise,
making the solution cost-effective for all participants.
Cybercrime leverages the Web as a computing grid; therefore, it only makes sense that a defense
should follow suit.
Linking WebPulse with the ProxySG creates a hybrid Web gateway solution. The cloud service
provides more malware defenses than possible on only the Web gateway, and it offloads the
processing that is needed to detect malware and rate new Web content. This allows the ProxySG to
run more efficiently and provide more defenses.
The cloud service extends to remote users. ProxyClient for enterprise users provides central
policy controls and reporting with a real-time relationship to WebPulse. K9 Web Protection, Blue
Coat's home parental-control solution, uses the cloud service to block malware and rate Web
content for families.
As an administrator, your task is to define how the ProxySG uses the information returned by
WebPulse, and how the ProxySG communicates with the various components of WebPulse.
After studying this chapter, you will understand:

How WebPulse provides best-in-class content filtering.

How content filtering is performed as part of a ProxySG transaction.

How content filtering decisions are made.

Some of the mathematical theory behind WebPulse.

How to customize the content filtering database and how it is shared with WebPulse.


Overview


Slide: Overview

WebPulse provides real-time rating of Web sites, analyzing more than 150 million URL requests
per day, more than 1 billion requests per week. This is a constant process, with the results
continuously being used by new requests to make the content filtering service stronger.

Content filters perform Web content analysis and ratings, which supports simultaneous URL
databases for the latest ratings.

Unrated or new content goes to the dynamic categorization service to get rated.

Reputation analysis scores URLs and IP addresses to determine intention, which can help
identify Web sites that might be malicious.

All requests are analyzed in the background for malware using a computing grid of clients
with multiple threat-detection engines, machine content analysis, and human raters. When
malware and Web threats are detected by any member of the cloud, WebPulse receives a
notification that is made available to other members of the cloud.

There are two possible deployment options for content filtering: an on-box content filter database,
such as Blue Coat WebFilter; or an off-box database (available with Websense only).
For performance reasons, on-box is often the preferred choice; it makes sense that processing
requests locally on the ProxySG is faster than opening a network connection to an external server.
However, both configurations are fully supported, and customers use both.
The content filter database is a list of sites, pages, and IP addresses organized by category.
Depending on the vendor, a URL can belong to one or more categories. The database offers
additional information to the ProxySG (and to the administrator) about the request that is being
made by a user. The content filter database does not block any site or any category by default. It is
up to the administrator, through CPL or the Visual Policy Manager, to build a set of rules to allow
or deny access to specific resources based on the information obtained from the content filter.
Before you can use a vendor's content filter database, you need to obtain a valid key from that
vendor, download the database, and then install it. You can get a demonstration license from
most of the supported vendors.

Content Filtering
Enable proxy to make smarter decisions
Based policy control on type of content
Offer more than just protocol and URL match

Attempt to categorize the Internet


Categorize the 20% of sites that generate 80% of the traffic
Use artificial intelligence to cover the remaining 80%

User-defined category set


Local database


Slide: Content filtering

Content filtering allows you to block access to Web sites based on their perceived content.
Whether a Web site is blocked or allowed client access depends on the rules and policies
implemented by the administrator in accordance with company standards. The challenge
presented is that because of the dynamic nature of the Internet, there is a constant flow of new
URLs (and URLs on lesser-known sites) that are not in the content filtering database. As any URLs
that are not in the database are not classified, you must create a policy to process these.
The infinite number of URLs can be reduced to a small number of categories. After the Web sites
and content are categorized, access to that content can be controlled through policy by URL-based
triggers. Categories and their meanings are defined by the specific category providers.
Two main reasons to use a local database instead of a policy file for defining categories are:

A local database is more efficient than policy if you have a large number of URLs.

A local database separates administration of categories from policy.

This separation is useful for three reasons:

It allows different individuals or groups to be responsible for administering the local
database and policy.

It keeps the policy file from getting cluttered.

It allows the local database to share categories across multiple appliances that have different
policies.


Content Filtering Flow


Slide: Content filtering flow

When content filtering is enabled, a ProxySG transaction follows this high-level flow:
1. The user makes a request.

2. The ProxySG extracts the URL from the request and sends it to WebPulse for categorization.
The components of WebPulse, including an on-box or off-box content filter, work together to
perform the categorization.

3. The content filter returns one or more categories (depending on the vendor) for that URL.

4. The policy engine considers the user's information, the time of day, the URL, and its
categorization. Based on the policies in place, it then makes a decision to allow or deny the
request.

5. The user receives the requested content (5a) or an exception page (5b), depending on the
decision made by the policy engine.


Chapter 10: WebPulse

Categorization Techniques
• Database pros
  – Accuracy (close to 100%)
  – Response time
• Database cons
  – Small number of sites
  – Update time
• Dynamic categorization pros
  – Immediate coverage
  – Scalability
• Dynamic categorization cons
  – Response time
  – Accuracy (90%)

Slide: Categorization techniques

There are two main approaches to content filtering. One approach attempts to categorize Web
sites by looking for key words in the HTML pages that users request. However, this approach has
two severe limitations: lack of scalability and lack of accuracy.
Another approach consists of assembling a team of content researchers and posting a new
database of sites organized by category. The new databases can be posted weekly, daily, or every
few hours. The major limitation of this approach is the lack of flexibility and of the ability to adapt
to specific content. No one could ever classify the entire Web.
WebFilter uses a hybrid approach consisting of a static list and remote dynamic categorization
using advanced Bayesian statistical analysis.


WebFilter
• Hybrid solution, part of WebPulse
• On-box database for ProxySG
• Optional service component to categorize unrated URLs
• Data quality
• Granular categories
• Consistency
• Relevant URLs (feedback)
• Immediate coverage for new sites
• Frequent updates

Slide: WebFilter characteristics

WebFilter is a key component of WebPulse that takes a hybrid approach in providing its
content-filtering solution.
With an on-box database, WebFilter provides a static list. Administrators can write policy to allow
or deny access to resources based on the information in the database. WebFilter also offers
optional remote dynamic categorization, which sends requests to a server if the resource is not in
the local WebFilter database.
WebFilter also focuses on quality of results. It provides more than 60 categories to allow a high
degree of control in writing policy. It also is highly consistent in how it categorizes resources and
gives top priority to categorizing resources that are requested most frequently. The optional
dynamic categorization service also provides immediate coverage for sites that have not been
previously categorized.
Languages recognized by WebFilter include Chinese, Japanese, Arabic, English, Finnish, Italian,
German, and many others.
WebFilter automatically checks the status of the WebPulse database and downloads any
incremental updates every five minutes. This provides for rapid detection of new malware and
Web threats. Automatic database updates can be restricted to a range of hours each day or
disabled completely.
The number of URLs present in a list should only be part of the decision-making process to select
a vendor. The URLs need to be relevant and most of all accurate. The Blue Coat content
research team devotes serious attention to making sure that the list is not only as large as possible,
but also relevant and reliable.


Dynamic Categorization
• Extend WebFilter capabilities
• Scan and categorize the contents of a Web page
• Immediate categorization
• Provide a network service to accomplish dynamic classification
• Analysis is accomplished on the external service
• No performance impact on the ProxySG
• WebFilter service points located worldwide

Slide: Dynamic categorization

Dynamic categorization provides real-time analysis and content categorization of requested Web
pages to solve the problem of new and previously unknown uncategorized URLs. When a user
requests a URL that has not already been categorized by the WebFilter database (for example, a
new Web site), the ProxySG dynamic categorization service analyzes elements of the requested
content and assigns a category or categories. The dynamic service is consulted only when the
installed WebFilter database does not contain category information for an object.
HTTPS requests are not subject to dynamic categorization. This prevents secure information from
being sent to WebPulse over an insecure connection.
If the category returned by this service is blocked by policy, the offending material never enters the
network in any form. Dynamic analysis of content is performed on a remote network service, not
locally on the ProxySG. Therefore, dynamic categorization incurs the following costs:

• Bandwidth: Represents the round-trip request/response from the ProxySG to the service.
  Because the dynamic categorization protocol is compact, this cost is minimal.
• Latency: Represents the time spent waiting for the dynamic categorization service to provide a
  result. While these costs are typically small, certain conditions might require you to run
  dynamic categorization in the background or disable it.

The ProxySG uses a distributed network of servers to enable customers to download the WebFilter
database updates reliably and efficiently and to expedite dynamic categorization transactions.
Blue Coat has WebFilter service points located around the world. Each location features
high-bandwidth Internet access and a fully fault-tolerant and load-balanced security and
download architecture.
By contacting sp.cwfservice.net, the ProxySG discovers the closest and most available download
site for you.


WebPulse Workflow

Slide: WebPulse workflow

The Internet changes constantly; therefore, no rating service can ever categorize every Web page.
A static list is only a partial solution to the need for categorizing content.
When users request a new URL that has not been rated in the WebFilter ratings database,
WebFilter retrieves the page from its host server to be analyzed for its content.
The dynamic rating (categorization) service looks at a number of elements, including the words on
the page, the context of each word, and the formatting used on the page and responds in one of
two ways. If this service can determine a rating for a new Web site in real time, it then rates and
categorizes it. These sites are then added to the WebFilter ratings database.
If the dynamic rating service cannot determine a rating for a new Web site in real time, it
categorizes the site as other and moves it to a third-stage rating process called dynamic
background rating for additional review. Once the background rating service has reviewed the
site, it either assigns it to one of WebFilter's content categories or queues it in a list for the
human reviewers to rate.
The process for categorizing Web sites operates as follows:
1. A client makes a request.
2. The request is matched against the WebFilter database installed on the local ProxySG. There is
   a 95% success rate: 95 of every 100 URLs requested are found in the local database (provided
   that it is kept up to date). This lookup requires less than 5 milliseconds.
3. If the URL is not available in the current database, WebFilter queries the external database.
   This database contains the most up-to-date list of Web sites; it is updated every 15 minutes
   and contains what will become the new available list on the next scheduled download. This
   search usually takes 7 to 9 milliseconds and returns some additional sites.
4. When the external database does not have a categorization for the URL, it sends a request to
   the dynamic rating server. There are multiple locations around the world that handle this
   process; all of them feature high-availability servers and high bandwidth.


5. The dynamic rating server queries the origin content server to get the data requested by the
   client in Step 1. The dynamic rating server returns a response to the ProxySG only if the URL
   is categorized as Adult, Pornography, Gambling, or one of a few other categories to which
   administrators often restrict access. Dynamic rating can correctly categorize up to 95% of the
   requests it receives for such sites. This process takes a median time of about 100 milliseconds.
6. The URLs that do not return a positive match after the dynamic rating lookup are forwarded
   to background rating for additional review. This process is more intensive than dynamic
   rating and can take up to an hour. The URLs that are categorized by background rating are
   uploaded to the WebFilter master database and are downloaded to the local database at the
   next scheduled interval or on demand by the administrator.
7. The URLs that do not have a match after being processed by the background rating service are
   queued for human review by a multilingual team of content researchers. The reviewed URLs
   are then uploaded into the master database. The human rating process can take a day or more.
8. The ProxySG downloads updates to the master database at regular intervals specified by the
   administrator or on demand.

While this process might seem laborious on the surface, it represents a state-of-the-art attempt to
offer the most accurate, reliable, fast, and scalable answer to organizations' need to protect
themselves from inappropriate or malicious Web content.
As a community watch solution, the value of these processes lies in the volume of Web traffic they
analyze and in the continuous re-review of popular and trusted Web sites for malware injection
attacks. The cloud sees more Web traffic and uses more defenses than any one organization could
deploy and manage.


Dynamic Categorization Results

Slide: Dynamic categorization results

Dynamic categorization can operate in two different modes: in real time or in the background. The
difference defines how long the ProxySG waits for the service to reply.
Three options are available:
1. Do not categorize dynamically: The loaded database is consulted for category information.
   URLs not in the database show up as category None. This mode is distinct from disabling the
   service. When this option is set as the default, dynamic categorization (in either real-time or
   background mode) can still be explicitly invoked by policy. When the service is disabled, no
   dynamic categorization is done, regardless of policy, and the ProxySG does not make any
   contact with the dynamic categorization service.
2. Categorize dynamically in the background: Objects not categorized by the database are
   dynamically categorized as time permits. Proxy requests are not blocked while the dynamic
   categorization service is consulted. Objects not found in the database appear as category
   Pending, indicating that categorization was requested but the object was served before the
   response was received.
3. Categorize dynamically in real time: This is the default. Objects not categorized by the
   database are dynamically categorized on first access. If this entails consulting the dynamic
   categorization service, the proxy request is blocked until the service responds. The advantage
   of real-time mode is that Blue Coat policy has access to the results of dynamic categorization,
   which means that policy decisions are made immediately upon receiving all available
   information.
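Added example, not code from the course or from SGOS: a small simulation of the lookup cascade from the WebPulse workflow (local database, external database, dynamic rating, background rating, human review, scheduled download) together with the three dynamic categorization modes described above. The sample hosts, their categories, and the set of categories answered in real time are constructed for illustration.

```python
# Constructed sample data standing in for the installed WebFilter database, the external
# (15-minute) database and the dynamic rating service; none of it is real WebPulse data.
LOCAL_DB = {"www.sports.example": "Sports/Recreation/Hobbies"}
EXTERNAL_DB = {"news.example": "News/Media"}
DYNAMIC_RESULTS = {"casino.example": "Gambling", "blog.example": "Personal Pages"}

# Categories the dynamic rating server answers in real time (assumed set, for illustration);
# anything else falls through to background rating.
REALTIME_CATEGORIES = {"Adult", "Pornography", "Gambling"}


def dynamic_rating(host):
    """Real-time rating: answer only for the restricted categories, otherwise None."""
    category = DYNAMIC_RESULTS.get(host)
    return category if category in REALTIME_CATEGORIES else None


class WebPulseSimulator:
    """Models the lookup cascade and the three dynamic categorization modes."""

    def __init__(self, mode="realtime", service_enabled=True):
        self.mode = mode                  # "none", "background" or "realtime"
        self.service_enabled = service_enabled
        self.local_db = dict(LOCAL_DB)    # copy installed on the ProxySG
        self.master_db = {}               # updates waiting for the next scheduled download
        self.pending = []                 # background-mode requests not yet answered
        self.background_queue = []        # step 6: URLs needing background rating
        self.human_review_queue = []      # step 7: still unrated after background rating

    def _remote_lookup(self, host):
        """Steps 3 to 5: external database first, then the dynamic rating server."""
        return EXTERNAL_DB.get(host) or dynamic_rating(host)

    def categorize(self, host):
        """Return (category, request_blocked) for one client request."""
        if host in self.local_db:                       # step 2: local lookup never blocks
            return self.local_db[host], False
        if not self.service_enabled or self.mode == "none":
            return "None", False
        if self.mode == "background":
            self.pending.append(host)                   # served now, rated later
            return "Pending", False
        category = self._remote_lookup(host)            # real time: wait for the answer
        if category is None:
            self.background_queue.append(host)
            return "None", True
        self.local_db[host] = category                  # rated sites join the database
        return category, True

    def process_pending(self):
        """Finish background-mode requests once the service has replied."""
        for host in self.pending:
            category = self._remote_lookup(host)
            if category is None:
                self.background_queue.append(host)
            else:
                self.local_db[host] = category
        self.pending = []

    def background_rating(self):
        """Steps 6 and 7: slower review that rates what real time could not, or queues it for humans."""
        for host in self.background_queue:
            if host in DYNAMIC_RESULTS:
                self.master_db[host] = DYNAMIC_RESULTS[host]
            else:
                self.human_review_queue.append(host)
        self.background_queue = []

    def download_updates(self):
        """Step 8: pull master-database updates into the local copy."""
        self.local_db.update(self.master_db)
        self.master_db = {}
```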

The slide above shows an example of how a ProxySG has categorized content that it has been
asked to analyze. The following fields are highlighted:
• Probability: The normalized probability calculated from each token (such as a word on the
  page) represents the probability that the entire page is in language Y and belongs to category
  X. In the example shown above, the page is very likely to be in English. The normalized
  probability is 1.00; in other words, the categorization service is convinced that it indeed is
  English. Also, this page very likely belongs to the category Sports/Recreation/Hobbies.


• Threshold: This is the normalized minimum probability value for a given category to reach
  the designated precision and recall values.
• Precision (Accuracy): This determines how accurate the service is. For instance, out of 100 sites
  that the service marked as Pornography, how many are correctly categorized? If the service
  claims 100 pages to be category X and 85 of them actually are category X, then the precision is
  0.85.
• Recall (Coverage): This defines the ability of the categorization service to catch all of the sites
  in a certain category. If the service has processed 100 sites that are in the pornography
  category, how many were categorized correctly? A recall value of 0.85 means that out of 100
  pages that actually are category X, the service categorizes 85 of them correctly. The goal for a
  tool such as dynamic categorization is to find a sweet spot where the precision is high enough
  without compromising the recall value. The recall and precision values move in opposite
  directions; when one gets better, the other one gets worse. WebFilter aims for 85% to 90%
  precision. Blue Coat has by far the fewest false positives in any published testing of content
  filtering vendors.

The dynamic categorization service does not return a categorization to the requesting ProxySG
unless the recall and precision values are within specific parameters that Blue Coat defines. For
instance, if you process the site http://www.jal.co.jp through the service, you get the result Unrated.
In actuality, the categorization service has correctly identified that the language is Japanese and
the category is Travel; however, the recall value is too low for the service to be confident enough to
return the categorization of Travel.
For more details about the mathematical theory behind dynamic categorization, refer to the
Conditional Probability appendix of this book.
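The following added example is not from the course or from Blue Coat: a toy naive Bayes classifier over a constructed three-category corpus, with made-up per-category thresholds, showing how per-token probabilities are normalized into a category probability, how a threshold turns a likely-but-not-confident result into Unrated (the jal.co.jp situation above), and how precision and recall are computed from labelled results.

```python
import math
from collections import Counter

# Constructed toy training corpus: a few token strings per category (not WebFilter data).
TRAINING = {
    "Sports/Recreation/Hobbies": [
        "football league season score team match goal coach",
        "tennis tournament champion racket serve match final",
        "hiking trail gear backpack camping weekend hobby",
    ],
    "Travel": [
        "flight airline booking ticket airport destination hotel",
        "cruise vacation resort beach travel package tour",
        "train rail timetable journey passenger ticket station",
    ],
    "Finance": [
        "bank loan interest mortgage account savings rate",
        "stock market shares trading dividend portfolio fund",
        "credit card payment balance invoice budget tax",
    ],
}

# Assumed per-category thresholds: the minimum normalized probability before a category
# is returned at all (the page's Threshold field, tuned for target precision/recall).
THRESHOLDS = {"Sports/Recreation/Hobbies": 0.90, "Travel": 0.95, "Finance": 0.90}


def train(corpus):
    """Build per-category token counts, the shared vocabulary and class priors."""
    counts = {cat: Counter() for cat in corpus}
    for cat, docs in corpus.items():
        for doc in docs:
            counts[cat].update(doc.split())
    vocab = set(tok for c in counts.values() for tok in c)
    total_docs = sum(len(docs) for docs in corpus.values())
    priors = {cat: len(docs) / total_docs for cat, docs in corpus.items()}
    return counts, vocab, priors


def normalized_probabilities(tokens, counts, vocab, priors):
    """Multinomial naive Bayes with Laplace smoothing; returns P(category | tokens) summing to 1."""
    log_scores = {}
    for cat, cnt in counts.items():
        total = sum(cnt.values())
        score = math.log(priors[cat])
        for tok in tokens:
            score += math.log((cnt[tok] + 1) / (total + len(vocab)))
        log_scores[cat] = score
    top = max(log_scores.values())
    weights = {cat: math.exp(s - top) for cat, s in log_scores.items()}  # avoid underflow
    z = sum(weights.values())
    return {cat: w / z for cat, w in weights.items()}


def rate(page_text, model, thresholds):
    """Return (category, probability); category is 'Unrated' when the best guess misses its threshold."""
    counts, vocab, priors = model
    probs = normalized_probabilities(page_text.lower().split(), counts, vocab, priors)
    best = max(probs, key=probs.get)
    if probs[best] < thresholds[best]:
        return "Unrated", probs[best]
    return best, probs[best]


def precision_recall(predicted, actual, category):
    """Precision and recall of one category over parallel lists of predicted and true labels."""
    tp = sum(1 for p, a in zip(predicted, actual) if p == category and a == category)
    fp = sum(1 for p, a in zip(predicted, actual) if p == category and a != category)
    fn = sum(1 for p, a in zip(predicted, actual) if p != category and a == category)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall
```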


Local Database
• Custom categories
• Custom allowed list
• Custom denied list
• Internal URLs
• Performance and security
• Hash list
• Does not require Management Console access

Slide: Local database

You can create your own local database file and download it to the ProxySG. This file is created in
the same way that policy files are created, except that only Define Category statements are
allowed in the local database. You might find it convenient to put your local database on the same
server as any policy files you are using.
However, some restrictions apply to a local database that do not apply to policy definitions:
• No more than 200 separate categories are allowed.
• Category names must be 32 characters or less.
• A given URL pattern can appear in no more than four category definitions.

You can use any combination of the local database, policy files, or the VPM to manage your
category definitions. You can also use both a local database and a third-party vendor for your
content filtering needs.
If you have extensive category definitions, Blue Coat recommends that you put them into a local
database rather than into a policy file. The local database stores custom categories in a more
scalable and efficient manner, and separates the administration of categories from policy.
Like the WebPulse database, the local database is checked for updates every five minutes, and
such checks can be restricted to a specific range of hours each day.
Here is an example of a local database file:

define category mycompany_allowed
  bluecoat.com
  symantec.com
  kaspersky.com
  sophos.com
  microsoft.com
end

define category mycompany_denied
  www.playboy.com
  www.hacking.com
  www.sex.com
end

define category mycompany_internal
  intranet.mycompany.com
  webmail.mycompany.com
  401k.mycompany.com
end
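An added example, not part of the course material or of SGOS: a parser for files in this define category format, a check of the three local-database restrictions listed above, and a host lookup against the parsed categories. The sample file, the ';' comment handling and the domain-suffix matching in lookup() are assumptions for illustration.

```python
import re

MAX_CATEGORIES = 200            # limits stated in the course text
MAX_NAME_LENGTH = 32
MAX_CATEGORIES_PER_PATTERN = 4

# Constructed sample file in the same "define category ... end" shape as the page's example.
SAMPLE_LOCAL_DB = """\
; comment lines are skipped (assumed syntax for this parser)
define category mycompany_allowed
  bluecoat.com
  microsoft.com
end

define category mycompany_internal
  intranet.mycompany.com
  microsoft.com
end
"""


def parse_local_database(text):
    """Parse define category blocks into {name: [patterns]}; anything else is rejected."""
    categories = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"define\s+category\s+(\S+)$", line, re.IGNORECASE)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: nested define category")
            current = m.group(1)
            categories.setdefault(current, [])
            continue
        if line.lower() == "end":
            if current is None:
                raise ValueError(f"line {lineno}: end without define category")
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: only define category statements are allowed")
        categories[current].append(line)
    if current is not None:
        raise ValueError(f"unterminated category {current}")
    return categories


def validate_local_database(categories):
    """Return a list of violations of the three restrictions (empty when the file is acceptable)."""
    problems = []
    if len(categories) > MAX_CATEGORIES:
        problems.append(f"{len(categories)} categories exceeds {MAX_CATEGORIES}")
    for name in categories:
        if len(name) > MAX_NAME_LENGTH:
            problems.append(f"category name {name!r} longer than {MAX_NAME_LENGTH} characters")
    uses = {}
    for name, patterns in categories.items():
        for pattern in set(patterns):
            uses.setdefault(pattern, []).append(name)
    for pattern, names in uses.items():
        if len(names) > MAX_CATEGORIES_PER_PATTERN:
            problems.append(f"pattern {pattern!r} appears in {len(names)} categories")
    return problems


def lookup(categories, host):
    """Sorted names of categories whose pattern matches the host or one of its parent domains."""
    labels = host.lower().split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return sorted(name for name, patterns in categories.items() if suffixes & set(patterns))
```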


Local Database

Slide: Local database

The ProxySG allows you to use up to four URL content filters at the same time. You can use any of
the following:
• WebFilter.
• Any single third-party content filter. Websense, SmartFilter, Proventia, and Optenet are
  supported in the Management Console; the legacy filters SurfControl, iFilter, Intersafe, and
  WebWasher must be administered through the ProxySG command line interface. If you are
  using a legacy content filter, check with the database supplier to determine whether the
  filter's database continues to be updated.
• A local database.
• The database from the Internet Watch Foundation, a charitable organization based in the
  United Kingdom that offers an online service for anyone in the world to report content that
  is potentially illegal. Acting on reports received from the public, the IWF produces a blacklist
  of Internet sites and content that is deemed to contravene UK law.

You cannot use two third-party content filtering databases together. The most common
configuration is to use WebFilter and the local database. You can configure the ProxySG to
download the updates for each of the enabled content filtering lists. It is good practice to make
sure that they do not all happen at the same time.
In general, updates are incremental; for instance, if you are on version 100 of a database and the
vendor is on version 103, you only get the updates from 100 to 101, from 101 to 102, and from 102
to 103. If you are more than two weeks behind in your updates, WebFilter downloads the entire
database, which is faster and more efficient than performing 14 or more incremental updates.
An advantage of the local database is that you can configure and maintain it without requiring
access to the ProxySG. An administrator can manage the local database file without having any
permission on the ProxySG itself; the ProxySG can be configured to check for updates to the local
database and automatically install them.


Private Networks

Slide: Private networks

Although the information collected by WebPulse is limited to generally benign items such as
URLs, HTTP Referer headers, and HTTP User-Agent headers, there are cases in which just a URL
or a header can contain private information that should not be sent across the Internet or stored in
a third-party database. You can define a list of private networks on the ProxySG; data from these
nonroutable addresses is not sent to WebPulse. The above flowchart shows how private networks
factor into the decision by the ProxySG whether to send data to WebPulse.
The following information is not sent to WebPulse:
• Any host identified by a nonroutable IP address.
• Any host with a DNS lookup that resolves to a nonroutable IP address.
• Any host that is explicitly configured as private. These hosts may or may not be strictly
  private, but this capability allows a host to be excluded even if it has a routable IP address.
• Any HTTP Referer header that matches the above conditions.

To maintain data about private networks, the Management Console supports two lists: private
subnets and private domains. To edit and view these lists, go to Configuration > Network > Private
Network. By default, the list of private subnets contains nonroutable addresses 0.0.0.0/8,
127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.168.0.0/16, 224.0.0.0/3, and 10.0.0.0/8, and the list
of private domains is empty.
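Added example, not Blue Coat code, of the decision described above: it applies the default private subnets from the page, an explicit private-domain list, and a DNS check to both the requested URL and its Referer. The resolver is injectable so a constructed table can stand in for DNS; the suffix rule for private domains and IP-literal handling are assumptions (the default list only covers IPv4).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Default private subnets listed on the page (Configuration > Network > Private Network).
DEFAULT_PRIVATE_SUBNETS = [ipaddress.ip_network(cidr) for cidr in (
    "0.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16",
    "192.168.0.0/16", "224.0.0.0/3", "10.0.0.0/8")]


def dns_resolve(host):
    """Live resolver (used when nothing else is injected); returns [] when the name does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


class PrivateNetworkPolicy:
    """Decides whether data about a URL (and its Referer) may be sent to WebPulse."""

    def __init__(self, private_domains=(), subnets=None, resolver=dns_resolve):
        self.subnets = DEFAULT_PRIVATE_SUBNETS if subnets is None else list(subnets)
        self.private_domains = tuple(d.lower().strip(".") for d in private_domains)
        self.resolver = resolver

    def is_nonroutable(self, ip_text):
        """True when the address falls inside any configured private subnet."""
        ip = ipaddress.ip_address(ip_text)
        return any(ip in net for net in self.subnets)

    def host_is_private(self, host):
        """Apply the three host conditions: IP literal, explicit private domain, DNS result."""
        if not host:
            return False
        host = host.lower().rstrip(".")
        try:
            return self.is_nonroutable(host)          # host given as an IP literal
        except ValueError:
            pass                                      # a name, not an address
        if any(host == d or host.endswith("." + d) for d in self.private_domains):
            return True                               # explicitly configured as private
        return any(self.is_nonroutable(ip) for ip in self.resolver(host))

    def may_send_to_webpulse(self, url, referer=None):
        """False when the URL host or the Referer host matches any private condition."""
        if self.host_is_private(urlsplit(url).hostname):
            return False
        if referer and self.host_is_private(urlsplit(referer).hostname):
            return False
        return True
```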


Chapter 11: Authentication

Authentication refers to the option of challenging users to submit proper credentials (username and
password) before their requests are allowed to go through the proxy. This chapter details the
authentication challenges that can be handled by the Blue Coat ProxySG. In general, there are
three main reasons why users may be challenged for authentication:
• They attempt to access the Management Console or CLI.
• They attempt to access the Internet. (You can limit access through the ProxySG to authorized
  users.)
• They request a specific resource on the Internet (password-protected page or file).

The first two instances are controlled by the ProxySG directly; the administrator decides the
authentication and security policies.
The third authentication type is independent from the ProxySG; however, the proxy can handle
the request and pass it to the user and back to the origin content server transparently. This chapter
focuses on this type of authentication.
You can take steps to make access to the policy and configuration more secure. For instance, it is a
good idea to give selective read and write permission to modify the policies on the ProxySG,
based on Microsoft Active Directory or LDAP groups.
It is also recommended that you authenticate users before granting them access to the Internet.
This is a good practice for both security and auditing: You do not want unauthorized devices on
your network to connect to the Internet, and you want to keep an accurate log of who is accessing
which resource.
A realm authenticates and authorizes users for access to ProxySG services using either explicit
proxy or transparent proxy mode. Multiple authentication realms can be used on a single
ProxySG. Multiple realms are essential if the enterprise is a managed service provider or if the
company has merged with or acquired another company. Even for companies using only one
protocol, multiple realms might be necessary. This would be the case for a company using an
LDAP server with multiple authentication boundaries. You can use realm sequencing to search
multiple realms at once.


Explicit Proxy Authentication

Slide: Explicit proxy authentication

The HTTP 407 response code is defined to handle proxy authentication requests. The
authentication mechanism in HTTP for proxy-based connections is straightforward:
1. When the user agent makes its first request to the proxy, the proxy returns an HTTP 407
   response message, asking the user to authenticate (407 Proxy Authentication Required). The
   browser resends the same request, but this time it adds the authentication credentials
   (username and password). The credentials are, in general, passed in plaintext using Base64
   encoding. NTLM is the most notable exception: The message is Base64-encoded, but NTLM
   does not transmit the password over the network.
2. The proxy passes the authentication credentials to the authentication server and receives the
   response, indicating whether the credentials are valid.
3. If the credentials are valid, the proxy then accesses the origin content server on behalf of the
   user agent.
Once the UA is aware that it is communicating with a proxy that requires authentication, the UA
sends the authentication information with each request, regardless of the URI requested.
Most browsers cache the authentication information as long as the browser main process is
running; unless you terminate the application, you should not be prompted again for username
and password.
Once the authentication is successful, the UA keeps sending the proper authentication credentials
when requesting a URI through the proxy without prompting the user again.
Important: If the UA is not using an explicit proxy, it ignores any 407 responses.


Authentication Options

Slide: Authentication options

The ProxySG allows you to control how users are authenticated. When you create a rule in the
Web Authentication Layer, you can decide whether authentication supersedes a DENY
statement. You also can control whether the user can enter double-byte language credentials.
Action objects include:
• Force authenticate: Forces the user to authenticate even though the request is going to be
  denied for reasons that do not depend on authentication. This action is useful to identify a
  user before the denial so that the username is logged along with the denial.
• Authenticate: Creates an authentication object to verify users. An authentication realm must
  already exist on the ProxySG.
• Authentication Charset: Allows non-ASCII text in many objects, such as user and group names
  and text for the Notify User object. This object allows you to set the character set to use in
  conjunction with localized policy. From the drop-down list, select a character set and click OK.


Authentication Realms
• IWA
  – Windows NT domains and Active Directory
  – Basic, NTLM, and Kerberos credentials
• Other realms
  – LDAP, RADIUS, and several others
• Sequence
  – List of authentication realms to be processed

Slide: Commonly used authentication realms

A realm configuration includes:
• Realm name.
• Authentication service: IWA, LDAP, RADIUS, local, certificate, sequences, eTrust SiteMinder,
  Oracle COREid, policy substitution.
• External server configuration: Back-end server configuration information, such as host, port,
  and other relevant information based on the selected service.
• Authentication scheme: The definition used to authenticate users.
• Authorization scheme: The definition used to authorize users for membership in defined
  groups and to check for attributes that trigger evaluation against any defined policy rules.

When you have configured your realms, you can view the realms and manage the credentials
cache for a specific realm. The ProxySG can cache authentication credentials. You can specify the
length of time, in seconds, that user and administrator credentials are cached. Credentials can be
cached for up to 3,932,100 seconds (more than 45 days). The default is 900 seconds (15 minutes). If
you specify 0 as the cache time, traffic is increased to the authentication server because each
authentication request generates an authentication and authorization request to the server.
The ProxySG supports many authentication realms. This chapter focuses on the IWA and
Sequence realms. While you might use a different realm in your organization, the fundamental
concepts of implementing authentication are virtually identical regardless of the actual realm
used. The only real difference is the type of information needed to create the realm; you should be
able to collect the necessary information.
If your realm is not among the ones discussed here, ask your instructor to cover the details of the
realm that you use in your network.
Note: One-time passwords are supported for RADIUS realms only.


IWA Realm
• Basic credentials
  – Username and password are sent Base64-encoded
  – Least secure option
• NTLM credentials
  – Uses the Microsoft proprietary authentication
  – Medium security option
• Kerberos credentials
  – Uses Microsoft implementation of MIT Kerberos v5
  – Highly secure option
Slide: IWA realm

An Integrated Windows Authentication (IWA) realm authenticates users against an Active
Directory tree or an NT domain. It supports three types of credentials, each detailed below. The
client receives the list of supported credentials from the proxy. The client should choose the most
secure common set of credentials.
• Basic authentication: This method is described in the HTTP RFC. Every user agent (UA) and
  every OCS on the Internet must support at least basic credentials. The username and
  password are encoded using Base64. Because Base64 is not encryption, the username and
  password are available to anybody who can run a packet trace of the communication between
  the UA and the proxy. The credentials appear as username:password in a
  Proxy-Authorization header. Every browser should support basic credentials.
• NTLM authentication: NT LAN Manager is a Microsoft-proprietary protocol that
  authenticates users and computers based on an authentication challenge and response. The
  key idea behind NTLM is to authenticate users without the password ever being exchanged
  between clients and the authentication server (the domain controller or DC). NTLM is
  discussed in greater detail on the following pages.
• Kerberos authentication: This is the most secure and modern authentication method. It uses a
  very secure exchange of encrypted tickets, which allows client and server to mutually
  authenticate each other.


NTLM Authentication
• Provides secure authentication
  – Password is not transmitted over the network
• Supports single sign-on
• Requires compatible user agents
• Widely used
  – Prevalence of Windows OS on desktops

Slide: NTLM authentication

NTLM offers a medium degree of security because the actual password is never transmitted over
the network.
Another benefit stemming from the close integration between Microsoft Internet Explorer and
the Microsoft Windows operating system is the ability of users to use single sign-on. In essence,
users who access the Internet through a proxy server (that is compatible with NTLM and requires
authentication) do not need to re-enter a username and password when they open the browser for
the first time. Internet Explorer sends, automatically and in the background, the user's
information when it is challenged for authentication by a proxy server.
Other browsers, including Firefox, also have implemented support for single sign-on and NTLM
authentication. Note that this is a browser feature.
Because Windows is nearly ubiquitous on desktop computers, NTLM is by far the most commonly
used authentication method.
Note: Forms authentication modes cannot be used with an NTLM realm that allows only
NTLM credentials, a Policy Substitution realm, or a Certificate realm. If a form mode
is in use and the authentication realm is any of them, you receive a configuration
error.


NTLM Authentication

[Slide: NTLM authentication]

NTLM is a challenge/response authentication mechanism. This approach, while requiring more
transactions between the client and the authentication server, allows the client to be authenticated
without ever sending the password over the wire, either encrypted or in clear text.
When a client wants to authenticate, it sends a Type 1 message to the server it is authenticating to
(in a proxy deployment, the ProxySG, which relays the exchange to the domain controller). This
message contains information such as the client host name, the domain in which it wants to
authenticate, the NTLM options it supports, and other negotiation flags.
The server replies with a Type 2 message. In essence, this message contains a random string, the
challenge, that the client has to encrypt using Data Encryption Standard (DES) encryption, keyed not
with the password itself but with a hash derived from it (the NT hash). After sending the Type 2
message, the server, which stores the same hash for the account, calculates the DES-encrypted version
of the challenge using that hash as the key. (Details of DES encryption are beyond the scope of this
course.)
The client computes the DES encryption of the challenge using the hash of its password as the key and
sends the result to the server. This reply is known as a Type 3 message. If the Type 3 message matches
the calculation done by the server, then, because of the properties of DES encryption, the server knows
that the client has knowledge of the correct password. If there is a mismatch, the authentication fails.
This describes the original NTLM (NTLMv1) computation. NTLMv2, which Windows Vista and later use by
default, replaces DES with HMAC-MD5 over the server challenge and a client-supplied blob, but the
message flow (Type 1, Type 2, Type 3) is the same.


BCAAA

[Slide: Blue Coat Authentication and Authorization Agent]

The SGOS operating system is designed to handle secure proxy server tasks. It uses external
software, the Blue Coat Authentication and Authorization Agent (BCAAA), to support
open-system or proprietary authentication systems.
The ProxySG can interface directly with open-standard databases such as LDAP because the
details of the implementation are known. Proprietary systems, such as NTLM, conceal fine
protocol detail but provide an Application Programming Interface (API) to help third parties
develop software that can interface with the systems.
The ProxySG uses BCAAA (pronounced BECK-ah) as an elegant and efficient approach to
supporting different authentication systems. BCAAA enables the ProxySG to support a growing
number of databases, which currently include NTLM, Kerberos, SiteMinder, and Oracle COREid.
In order for the ProxySG to use BCAAA, it must be run on a system supported by the supplier of
the API for a given authentication database. For example, if you want to use NTLM
authentication, BCAAA must run on a Windows system.
BCAAA is available for three operating systems:

Windows 2000 and later (supporting all three realm types).

Windows NT (for BCAAA versions earlier than 4.2).

Solaris (supporting SiteMinder realms).


NTLM Authentication over HTTP

[Slide: NTLM over HTTP]

In order to authenticate users with NTLM, you need to have BCAAA running on a Windows
machine (either a desktop or a server) that is a member of the domain in which you want to
authenticate users. BCAAA authenticates users in all domains trusted by the computer on which it
is running. A single BCAAA installation can support multiple ProxySG appliances.
Here are the steps in the authentication process when you use an NTLM realm:

1. The client makes a request to the ProxySG. The ProxySG replies with a 407 HTTP response
code (explicit authentication mode), which prompts the user agent (UA) to resend the request,
this time including authentication credentials. The ProxySG closes the connection. Note that
the Proxy-Authenticate header of the 407 response explicitly names NTLM as the required scheme.

2. The client resends the original request. This time, the UA includes the Type 1 message,
encoded using Base64. This is a standard technique used in HTTP to pass binary data between
entities. The Type 1 message is sent from the ProxySG to BCAAA over port 16101. (You can
customize the port over which the ProxySG and BCAAA communicate.) BCAAA decodes the
message from Base64 to its original format and, using the Windows API, passes the Type 1
message to the domain controller for authentication.

3. The domain controller responds to BCAAA with the Type 2 message. This message is passed
to the ProxySG and on to the client. After returning the Type 2 message to the client, the ProxySG
closes the connection.

4. The UA receives the Type 2 message, which contains the challenge, and calculates, using the
user's password, the Type 3 message for that challenge.

5. The client sends the Type 3 message to the ProxySG as a Base64-encoded string. The ProxySG
passes the information to BCAAA, which passes it to the domain controller for the final
validation. If the Type 3 message contains the correct response to the challenge, the domain
controller authenticates the user and notifies BCAAA, which passes the result to the
ProxySG.

6. After a successful authentication, the ProxySG serves the request and the client receives an
HTTP 200 response code. At this point, the connection between the ProxySG and the UA is
authenticated, and the user starts receiving the requested data.

While NTLM is more secure than Basic authentication (the password is not passed over the wire),
it costs more round trips: three requests and three responses are exchanged between the UA and
the ProxySG before the first byte of content arrives.
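The six steps above, as an added example in Python (not ProxySG or BCAAA code): a minimal builder and parser for the Type 1, Type 2 and Type 3 message framing (NTLMSSP signature, message type, length/offset fields and payload), the proxy's decision at each turn (407 with Proxy-Authenticate: NTLM, 407 carrying the Type 2, then 200), and a stand-in for BCAAA and the domain controller that recomputes the NTLMv2 response. To keep the block on the HTTP exchange, both the client and the stand-in DC start from a constructed NTLMv2 key rather than deriving it from a password (a real client derives it from the password as shown earlier), the Type 3 omits the Version and MIC fields, and the account, URL and host names are made up.

```python
import base64
import hashlib
import hmac
import struct
from typing import Callable, Dict, List, Tuple

NTLMSSP = b"NTLMSSP\x00"
FLAGS = 0x00010201  # NEGOTIATE_UNICODE | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN; a subset, for illustration
# Stand-in for the DC's account database: NTLMv2 key per (domain, user). Constructed value;
# a real DC derives this key from the account's NT hash and the user/domain names.
DC_KEYS = {("TRAINING", "joe.kelly"): bytes.fromhex("0c868a403bfd7a93a3001ef22ef02e3f")}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a text HTTP request into (method, request-target, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def message_type(msg: bytes) -> int:
    if msg[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def build_type1() -> bytes:
    """NEGOTIATE_MESSAGE: signature, type 1, flags, empty DomainName and Workstation fields."""
    return NTLMSSP + struct.pack("<II", 1, FLAGS) + struct.pack("<HHI", 0, 0, 32) * 2


def build_type2(challenge: bytes, target: str = "TRAINING") -> bytes:
    """CHALLENGE_MESSAGE: TargetName field, flags, 8-byte ServerChallenge, reserved, TargetInfo, payload."""
    name = target.encode("utf-16le")
    return (NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
            + struct.pack("<I", FLAGS) + challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, 48 + len(name)) + name)


def parse_type2(msg: bytes) -> Tuple[bytes, str]:
    """Return (server challenge, target name); the challenge always sits at offset 24."""
    if message_type(msg) != 2:
        raise ValueError("expected a Type 2 message")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    return msg[24:32], msg[name_off:name_off + name_len].decode("utf-16le")


def build_type3(user: str, domain: str, nt_resp: bytes) -> bytes:
    """AUTHENTICATE_MESSAGE without Version/MIC: six (len, maxlen, offset) fields, flags, payload."""
    fields, payload, off = b"", b"", 64
    for blob in (b"", nt_resp, domain.encode("utf-16le"), user.encode("utf-16le"), b"", b""):
        fields += struct.pack("<HHI", len(blob), len(blob), off)  # LM, NT, domain, user, workstation, key
        payload, off = payload + blob, off + len(blob)
    return NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", FLAGS) + payload


def parse_type3(msg: bytes) -> Tuple[str, str, bytes]:
    """Return (user, domain, NtChallengeResponse) from a Type 3 message."""
    if message_type(msg) != 3:
        raise ValueError("expected a Type 3 message")
    fields = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(6)]
    get = lambda i: msg[fields[i][2]:fields[i][2] + fields[i][0]]
    return get(3).decode("utf-16le"), get(2).decode("utf-16le"), get(1)


def client_response(key: bytes, challenge: bytes, client_nonce: bytes) -> bytes:
    """NTLMv2 NtChallengeResponse: HMAC-MD5(key, challenge + blob) followed by the blob."""
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + client_nonce + b"\x00" * 4 + b"\x00" * 4
    return hmac.new(key, challenge + blob, hashlib.md5).digest() + blob


def dc_validate(challenge: bytes, type3: bytes) -> bool:
    """What BCAAA hands to the DC: does this Type 3 answer *this* challenge for a known account?"""
    user, domain, resp = parse_type3(type3)
    key = DC_KEYS.get((domain, user))
    if key is None or len(resp) < 16:
        return False
    expected = hmac.new(key, challenge + resp[16:], hashlib.md5).digest()
    return hmac.compare_digest(resp[:16], expected)


def proxy_step(raw_request: str, challenge: bytes,
               validate: Callable[[bytes, bytes], bool] = dc_validate) -> Tuple[int, Dict[str, str]]:
    """One ProxySG turn in explicit mode; returns (status, response headers)."""
    _method, target, headers = parse_request(raw_request)
    if not target.startswith(("http://", "https://")):
        raise ValueError("server-style request line: an explicit proxy expects an absolute URI")
    scheme, _, b64 = headers.get("proxy-authorization", "").partition(" ")
    if scheme.upper() != "NTLM":
        return 407, {"Proxy-Authenticate": "NTLM"}          # step 1: name the scheme
    msg = base64.b64decode(b64)
    if message_type(msg) == 1:                              # steps 2-3: Type 1 in, Type 2 out
        return 407, {"Proxy-Authenticate": "NTLM " + base64.b64encode(build_type2(challenge)).decode()}
    if message_type(msg) == 3 and validate(challenge, msg):  # steps 5-6
        return 200, {}
    return 407, {"Proxy-Authenticate": "NTLM"}


def request(auth: str = "") -> str:
    hdr = f"Proxy-Authorization: NTLM {auth}\r\n" if auth else ""
    return f"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n{hdr}\r\n"


def run_handshake(challenge: bytes = bytes.fromhex("0123456789abcdef")) -> Tuple[List[int], str]:
    """Drive the client side; returns the status codes seen and the final Type 3 (Base64)."""
    key = DC_KEYS[("TRAINING", "joe.kelly")]   # a real client derives this from the user's password
    codes: List[int] = []
    status, _ = proxy_step(request(), challenge); codes.append(status)
    t1 = base64.b64encode(build_type1()).decode()
    status, hdrs = proxy_step(request(t1), challenge); codes.append(status)
    srv_challenge, _target = parse_type2(base64.b64decode(hdrs["Proxy-Authenticate"].split(" ", 1)[1]))
    t3 = base64.b64encode(build_type3("joe.kelly", "TRAINING",
                                      client_response(key, srv_challenge, b"\xaa" * 8))).decode()
    status, _ = proxy_step(request(t3), challenge); codes.append(status)
    return codes, t3
```

`run_handshake()` returns the sequence 407, 407, 200 from the diagram. Feeding the same Type 3 back with a different challenge yields another 407, and a server-style `GET / HTTP/1.1` is rejected before any challenge is issued, which is the intentional error discussed on the next page.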
There are two common issues with BCAAA that are easy to address. These messages appear in the
Windows Event Log.

If an attempt to start the BCAAA service is issued when BCAAA is already started, the
following error message displays:
The requested service has already been started.

If another application is using the same port number as the BCAAA service, the following
messages are displayed:
The BCAAA service could not be started.
A system error has occurred.
System error 10048 has occurred.
Only one usage of each socket address (protocol/network address/port) is normally permitted.

Important: The above diagram contains an intentional error. Can you find the error? The
answer is on the next page.


Sequence Realm
Credentials checked in order against multiple realms
Different realm types in sequence
Ideal for mixed environments

[Slide: Sequencing overview]

On the previous diagram, the error is on the first arrow. The request GET / HTTP/1.1 does not
make sense there. That is a server-style (origin-form) request line: a client that sends it is not
expecting a proxy in the path, so it would reject a 407 Proxy Authentication Required response.
A client that knows it is talking to an explicit proxy sends the absolute URI instead, for example
GET http://www.example.com/ HTTP/1.1, and the ProxySG can challenge that request with a 407.
Organizations can use multiple authentication methods throughout a network. The ProxySG
makes it simple to search for a user's credentials in multiple authentication realms through a
method called sequencing. The basics are simple:

You enable sequencing by establishing a sequence realm and adding different authentication
realms to it.

A sequence realm checks a user's credentials against multiple realms, one after the other.

You can place different types of realms in a sequence realm. However, you can have only one
IWA realm in a sequence.

Sequence authentication is ideal for mixed environments. It is common for organizations that
centralize operations or acquire other companies to have multiple authentication methods,
for example, NTLM and LDAP.

When you have multiple realms, it can be difficult to determine where you should authenticate
users. By establishing a sequence realm on the ProxySG, you can authenticate users against all of
the realms you have put in the sequence. It does not matter whether the ProxySG is deployed in
transparent mode or explicit mode. Sequencing begins when a client makes an authentication
request to the ProxySG. The ProxySG then challenges the client for authentication. The client
submits credentials, which the ProxySG then checks against the different realms in the sequence.
Note:

Hard errors that are not user-correctable, such as a server down, do not fall through to
the next realm in a sequence. Instead, an exception is returned to the user. Only
authentication errors that an end user can correct, such as a bad password, result in
the next realm in a sequence being attempted.


Sequence Authentication

[Slide: Sequence authentication]

In sequence authentication, the ProxySG begins seeking authentication from the first realm on its
list and ends the process when the credentials are authenticated or an uncorrectable error (such as
a server down) occurs. The above flowchart depicts the process.

1. The ProxySG seeks to authenticate the user's credentials with Realm 1. If it finds a match, the
user is authenticated and the process ends. If there is a hard error, authentication fails and the
process ends.

2. If there is no match with Realm 1, the ProxySG seeks to authenticate the user's credentials
with Realm 2. If it finds a match, the user is authenticated and the process ends. If there is a
hard error, authentication fails and the process ends.

3. If there is no match with Realm 2 or any of the other realms in the sequence, or if a hard error
occurs while trying any other realm in the sequence, one of the following occurs:

Authentication fails.

The process begins again if the user's browser allows more than one attempt. To allow for
typing mistakes, browsers generally allow users several attempts to authenticate.

Note: Browsers count a cycle through all the realms in the sequence as a single attempt.
They do not count each query of an individual realm as a separate attempt.

4. If multiple attempts are allowed by the browser, the ProxySG tries to authenticate the
credentials again. The process continues until the credentials are authenticated or the
browser's limit on the number of attempts has been exhausted and authentication is denied.

Setting up a sequence realm is simple, but there are several important rules:

The realm must exist before it can be added to a sequence. You cannot rename or delete a
realm as long as it is part of a sequence. If you must rename or delete a realm, you must
remove it from the sequence first. You can then rename or delete it.

Make sure that each realm that you plan to add to the sequence is customized to your needs.
Make sure that their current values are correct. (For IWA, make sure that the Allow Basic
credentials check box is set correctly.)

Put no more than one IWA realm in a sequence.

If you have an IWA realm in a sequence, it must be either the first or last on the list. Make it the
first realm on the list if you want to enable single sign-on.

If you have an IWA realm and it does not support Basic credentials, make IWA the first realm
in the list and enable the Try IWA authentication only once check box.

You may put as many Basic and Windows SSO realms as you want in a sequence.

You cannot place connection-based realms, such as Certificate, in a sequence.

You cannot place a realm in a particular sequence more than once.

You cannot nest sequence realms; that is, you cannot place a sequence realm inside another
sequence realm.

If a realm is down, then an exception page is returned. Authentication is not tried against
subsequent realms in the sequence.
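The flowchart steps and the rules above, as an added example in Python (not SGOS code): a checker for the sequence-realm rules, the walk through the realms that stops on success or on a hard error and falls through only on a correctable failure, and the per-browser-attempt retry where one pass through the whole sequence counts as one attempt. The realm names, users and passwords are constructed; the "Try IWA authentication only once" behaviour is modelled simply by each realm being asked once per pass.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Outcome of one realm's check: "ok", "bad-credentials" (user-correctable) or "hard-error" (server down...)
Check = Callable[[str, str], str]


@dataclass
class Realm:
    name: str
    kind: str                  # "iwa", "basic" (LDAP, local, RADIUS...), "certificate", "sequence"
    check: Check
    allow_basic: bool = True   # IWA only: the "Allow Basic credentials" check box


def validate_sequence(realms: List[Realm]) -> List[str]:
    """Return the rule violations for a proposed sequence; an empty list means it is acceptable."""
    problems = []
    names = [r.name for r in realms]
    if len(set(names)) != len(names):
        problems.append("a realm appears in the sequence more than once")
    for r in realms:
        if r.kind == "sequence":
            problems.append(f"{r.name}: sequence realms cannot be nested")
        if r.kind == "certificate":
            problems.append(f"{r.name}: connection-based realms cannot be placed in a sequence")
    iwa = [i for i, r in enumerate(realms) if r.kind == "iwa"]
    if len(iwa) > 1:
        problems.append("no more than one IWA realm is allowed")
    elif iwa:
        if iwa[0] not in (0, len(realms) - 1):
            problems.append("the IWA realm must be first or last in the sequence")
        if not realms[iwa[0]].allow_basic and iwa[0] != 0:
            problems.append("an IWA realm that does not accept Basic credentials must be first")
    return problems


def authenticate(realms: List[Realm], user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """One pass through the sequence; returns ("authenticated"|"exception"|"denied", realms tried)."""
    tried = []
    for r in realms:
        result = r.check(user, password)
        tried.append((r.name, result))
        if result == "ok":
            return "authenticated", tried
        if result == "hard-error":           # not user-correctable: exception page, stop here
            return "exception", tried
    return "denied", tried                   # every realm rejected the credentials


def authenticate_with_retries(realms: List[Realm], attempts: List[Tuple[str, str]],
                              max_attempts: int = 3) -> Tuple[str, int]:
    """The browser re-prompts on denial; a full pass through the sequence is one attempt."""
    n = 0
    for user, password in attempts[:max_attempts]:
        n += 1
        outcome, _ = authenticate(realms, user, password)
        if outcome != "denied":
            return outcome, n
    return "denied", n


def table_check(accounts: Dict[str, str]) -> Check:
    """A realm backed by a constructed user table."""
    return lambda u, p: "ok" if accounts.get(u) == p else "bad-credentials"


def down_check(_user: str, _password: str) -> str:
    return "hard-error"


# Constructed realms: domain users via IWA, an acquired company's LDAP directory, and an LDAP server that is down.
IWA = Realm("corp-iwa", "iwa", table_check({"joe.kelly": "Winter2010!"}))
LDAP = Realm("acquired-ldap", "basic", table_check({"ann.lee": "Spring2010?"}))
LDAP_DOWN = Realm("branch-ldap", "basic", down_check)
CERT = Realm("client-certs", "certificate", down_check)
SEQ = [IWA, LDAP]
```

With `SEQ`, joe.kelly is accepted by the first realm, ann.lee falls through the IWA realm's "bad credentials" to the LDAP realm, and a sequence with `LDAP_DOWN` in second place returns an exception without ever consulting the realm behind it.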


Chapter 12: Authentication Using LDAP

A realm authenticates and authorizes users for access to Blue Coat ProxySG services using
either explicit proxy or transparent proxy mode. Multiple authentication realms can be used on a
single ProxySG. Among the many types of realms supported by the ProxySG are Lightweight
Directory Access Protocol (LDAP) realms.
LDAP enables software to find an individual user without knowing where that user is located in a
network topology. Directory services such as LDAP simplify administration; any additions or
changes made once to the information in the directory are immediately available to all users and
directory-enabled applications, devices, and ProxySG appliances.
The ProxySG supports the use of external LDAP database servers to authenticate and authorize
users on a per-group or per-attribute basis.
After studying this chapter, you will understand:

The tree structure of an LDAP database.

How an LDAP realm is created on the ProxySG.

How the ProxySG performs LDAP authentication.

This chapter assumes that you are familiar with the basic concepts of authentication on the
ProxySG.


Overview
Lightweight Directory Access Protocol
Uses TCP port 389
Client-server protocol
Offers interoperability among different vendors
Compatible systems expose an LDAP interface
Single sign-on
Single point to manage user permissions

[Slide: Overview]

LDAP is a client/server protocol that runs over TCP. By default, the LDAP server accepts
connections from clients on TCP port 389. LDAP provides authentication and directory lookup
services for users, devices, and so on.
The goal of LDAP is to integrate all of the applications in your network with a single
authentication interface. If all of the vendors in your network support LDAP, users can use the
same credentials (username and password) for all compatible applications. Furthermore, when
you add or remove users and applications, you can manage everything centrally via LDAP. In
essence, LDAP provides a great degree of application integration and ease of management.
Two versions of LDAP are in common use. Blue Coat supports both LDAP version 2 and
LDAP version 3 but recommends LDAP version 3 because it supports Transport Layer Security (TLS)
and SSL to protect the connection between the ProxySG and the LDAP server; without them, a simple
bind sends the password in clear text. An LDAP directory, either version 2 or version 3, consists
of a simple tree hierarchy. An LDAP directory might span multiple LDAP servers. In LDAP version 3,
servers can return referrals to other servers back to the client, allowing the client to follow
those referrals if desired.
LDAP is a language or interface used to query a compatible directory (the realm). You can search
the information in the directory. LDAP allows the directory designer to use a very flexible
structure and implement the attributes that are deemed necessary for that directory. Basically,
there are very few set rules.


Attributes
Contain specific information
Name, phone number, etc.
Group name

Pre-defined services

DC

Domain component

CN
OU

Common name
Organizational unit

[Slide: LDAP attributes]

An LDAP database has a tree structure. You can identify a root, branches, and leaves. In a complex
environment, you can have multiple trees that create a forest. Each element in the tree is described
by attributes. Attribute names often are short and not immediately clear; they must start with a
letter and may contain only letters, digits, and hyphens.
Some attributes in the tree have well-known names, but you can add any attribute you want and
choose any allowed name. Some of the most commonly used are:

Domain Component (DC): Indicates part of the root of your tree.

Country (C): Indicates the branch associated with a specific country. For instance, you can
divide your tree into branches based on the geographic location of the objects represented in
each branch.

Organizational Unit (OU): You can compare an OU with a group, not necessarily of users but a
group of objects (devices, users, and so on).

Common Name (CN): The most frequently used attribute to identify an object in the tree. It is
often associated with a user's full name or, at times, login name.

The Distinguished Name (DN) is the unique name of an object in the tree. It represents the entire
path from the object to the root of the tree and consists of the naming attribute of each level,
from the leaf (or branch) to the root: a CN, then the OUs or containers above it, then the DCs.
Note: Each DN must be unique within a tree.


LDAP Active Directory Structure

[Slide: LDAP Active Directory structure]

An object is identified in an LDAP tree by its full path from the leaf to the root. This path is known
as a Distinguished Name (DN). Different vendors store the login name of a user in different parts
of the tree, using different attributes to define it. For instance, you can see a login name stored
under the CN or UID attribute.
Microsoft Active Directory (AD) stores the login name of a user under the attribute
sAMAccountName; this attribute is not part of the DN, so the DN cannot be built from the login
name alone. For instance, in the example above, Joe Kelly has the username joe.kelly. The DN for
this user is:

cn=Joe Kelly, cn=users, dc=training, dc=bluecoat, dc=com

The actual username cannot be used directly to bind to the LDAP interface because it is not part of
the DN. Instead, it is an attribute of the entry (the leaf) that the DN names. In AD, the container
cn=users holds by default the user and group accounts for that tree, and the container cn=computers
stores the machine accounts.


LDAP Realm

[Slide: LDAP realm]

The ProxySG supports the use of external LDAP database servers to authenticate and authorize
users on a per-group or per-attribute basis. LDAP group-based authentication for the ProxySG can
be configured to support any LDAP-compliant directory including:

Microsoft Active Directory server.

Novell NDS/eDirectory server.

Netscape/Sun iPlanet Directory server.

Generic LDAP.

The ProxySG also provides the ability to search for a single user in a single root of an LDAP
directory information tree (DIT), and to search in multiple base Distinguished Names (DNs).
An LDAP realm supports Basic authentication and Basic authentication over SSL.
Important: You can configure an LDAP realm to use SSL when communicating to the LDAP
server.


LDAP Base DN

[Slide: Base DN]

In configuring an LDAP realm, you need to define two key parameters: Base DN and Search user
DN. The ProxySG uses these DNs to bind to the LDAP tree and retrieve information. Some LDAP
implementations allow anonymous searches, but in general you need to provide both parameters.
The base DN defines where in the tree the ProxySG should look for the requested information. You
can have a more generic or a more specific DN. You should select the most inclusive, and yet most
specific, base DN you can. For instance, in an AD deployment like the one shown in the above
diagram, you can choose as a base DN the entire tree or a specific branch. If you define the base
DN as dc=training, dc=bluecoat, dc=com, then the ProxySG can locate entries under
both cn=users and cn=computers. This scenario is represented on the left side of the diagram.
If you are using only user accounts and groups to manage authentication with your LDAP realm,
you can make the base DN more specific and limit it to the branch cn=Users. The ProxySG
can then locate only entries that exist under the cn=users, dc=training, dc=bluecoat,
dc=com branch. This scenario is represented on the right side of the diagram.
The search user DN contains the information that the ProxySG needs in order to bind to
an LDAP tree that does not allow anonymous browsing. Remember that you need to use the
user's entire DN. Also, specifically in the AD case, you cannot use the login name (stored under
the attribute sAMAccountName); you need to use the full name (stored under the attribute CN).
The easiest solution is to create a dedicated account whose full name and login name are the
same, so that there is no confusion. The account used to bind to the LDAP tree does not need
any special privilege; it does not need to be an administrator or any other superuser, and it should
not be one. Its password is stored on the ProxySG, so give it read-only access to the directory and
nothing more. Any ordinary account that can search the base DN will work properly.


LDAP Authentication Details

[Slide: LDAP authentication details]

Active Directory stores the username under the attribute sAMAccountName. This attribute
cannot be used to construct a DN; you need to run a query on the AD tree using the username as a
filter.
The above diagram shows the steps that the ProxySG performs to authenticate a user in AD via
the LDAP interface. The transactions between the client and the ProxySG are omitted from the list
below.

1. The ProxySG binds to the LDAP tree using the credentials that the administrator defined in the
realm configuration under the Search user DN section.

2. The LDAP server responds to the bind request with a result code of either success or failure.

3. If the bind request was successful, the ProxySG generates an LDAP search using the
user's login name as the filter value (for AD, a filter on sAMAccountName).

4. The LDAP server returns the DN associated with that particular login name.

5. The ProxySG binds to the LDAP tree using the DN received in Step 4 and the password supplied
by the user.

6. If the bind request succeeds, then the user is authenticated.

The steps described here take place only the first time a given user authenticates. The
ProxySG maintains an active connection with the LDAP server; additionally, it caches the user's
credentials for an amount of time configurable by the administrator. Credentials can be cached for
up to 3,932,100 seconds (more than 45 days). The default value is 900 seconds (15 minutes). If you
set the time to 0, traffic to the LDAP server increases because each request generates an
authentication and authorization query to the server.
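The six steps above, as an added example in Python (not ProxySG code) against a small in-memory directory: the bind as the search user, the search on sAMAccountName under the base DN, and the second bind as the DN that the search returned, with the base-DN scoping from the previous page. Because the login name is placed into a filter, the example also does what any implementation of this flow should do: escape the name per RFC 4515, so that a login such as `*` cannot turn the lookup into a wildcard search. The DNs, accounts and passwords are constructed, and the `userPassword` values only simulate the server-side bind check; Active Directory does not expose passwords over LDAP.

```python
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, str]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not be able to change the shape of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_filter(login: str) -> str:
    return f"(sAMAccountName={escape_filter_value(login)})"


def _norm(dn: str) -> str:
    """Canonical form for comparing DNs: lower case, no blanks around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_base(dn: str, base_dn: str) -> bool:
    """Subtree scope: is `dn` at or below `base_dn`?"""
    d, b = _norm(dn).split(","), _norm(base_dn).split(",")
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def _assertion_regex(pattern: str):
    """Filter value semantics: an unescaped '*' is a wildcard; '\\xx' is one literal character."""
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i] == "\\":
            regex, i = regex + re.escape(chr(int(pattern[i + 1:i + 3], 16))), i + 3
        elif pattern[i] == "*":
            regex, i = regex + ".*", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return re.compile(f"^{regex}$", re.IGNORECASE | re.DOTALL)


def search(directory: Dict[str, Entry], base_dn: str, flt: str) -> List[str]:
    """Subtree search for one equality assertion such as (sAMAccountName=joe.kelly); returns DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt, re.DOTALL)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, rx = m.group(1), _assertion_regex(m.group(2))
    return [dn for dn, attrs in directory.items()
            if under_base(dn, base_dn) and attr in attrs and rx.match(attrs[attr])]


def bind(directory: Dict[str, Entry], dn: str, password: str) -> bool:
    """Simple bind. `userPassword` only simulates the server's check; AD never returns it to a client."""
    entry = directory.get(_norm(dn))
    return entry is not None and entry.get("userPassword") == password


def ldap_authenticate(directory: Dict[str, Entry], base_dn: str, search_dn: str, search_pw: str,
                      login: str, password: str) -> Tuple[str, Optional[str]]:
    """The ProxySG flow: bind as the search user, find the login's DN, then bind as that DN."""
    if not bind(directory, search_dn, search_pw):                 # steps 1-2
        return "search-bind-failed", None
    hits = search(directory, base_dn, user_filter(login))         # steps 3-4
    if len(hits) != 1:
        return ("user-not-found" if not hits else "ambiguous"), None
    ok = bind(directory, hits[0], password)                       # steps 5-6
    return ("authenticated" if ok else "bad-password"), hits[0]


# Constructed sample tree in the shape of the diagram; keys are normalised DNs.
DIRECTORY: Dict[str, Entry] = {
    "cn=joe kelly,cn=users,dc=training,dc=bluecoat,dc=com":
        {"sAMAccountName": "joe.kelly", "userPassword": "Winter2010!"},
    "cn=proxysg search,cn=users,dc=training,dc=bluecoat,dc=com":
        {"sAMAccountName": "proxysg.search", "userPassword": "Bind#Only"},
    "cn=ws-42,cn=computers,dc=training,dc=bluecoat,dc=com":
        {"sAMAccountName": "WS-42$", "userPassword": "machine-secret"},
}
SEARCH_DN = "cn=ProxySG Search, cn=Users, dc=training, dc=bluecoat, dc=com"
BASE_TREE = "dc=training, dc=bluecoat, dc=com"
BASE_USERS = "cn=Users, dc=training, dc=bluecoat, dc=com"
```

Run against `BASE_TREE`, the flow finds both joe.kelly and the machine account WS-42$; narrowed to `BASE_USERS`, the machine account is out of scope and the result is "user-not-found", which is the right-hand side of the base DN diagram. The two filter lines in the test show the reason for the escaping: `(sAMAccountName=*)` built from a raw login of `*` matches every entry, whereas the escaped `(sAMAccountName=\2a)` matches none.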


Chapter 13: Creating Notifications and Exceptions

The Blue Coat ProxySG can do more than let you control users' Internet activities. It also allows
you to explain your organization's Internet usage policies clearly and at the most effective time:
when users try to access questionable or forbidden pages.
Notifying users about policy when they use the Internet is a good practice, particularly when you
block access to certain types of content. Even if you install content-filtering software and write a
strict Internet usage policy, you may not see a gain in productivity unless you also tell users why
they cannot view some Web pages.
Users who cannot access a site might think a network problem has occurred and make
unnecessary calls to your organization's help desk. However, you can prevent that problem by
creating custom notification pages. These pages appear in users' browsers and tell them why
access to certain sites is forbidden or why access to other sites is officially discouraged even if it is
allowed.
The ProxySG allows administrators to create notification pages through the Visual Policy Manager
(VPM) instead of requiring them to write advanced Content Policy Language (CPL).
This chapter introduces the different kinds of notification pages and briefly explains how they are
created. A companion laboratory exercise teaches you how to create different kinds of notification
pages.


Overview
Exception pages
Sent to user in response to policy denial, authentication
failure, or appliance errors
Two types: Built-in and user-defined
Available in Management Console and CLI
Notify User objects
Used for sending compliance pages (AUP)
Used for coaching pages
Available in VPM only

[Slide: Overview]

Exceptions are sent in response to certain ProxySG client requests, such as denial by policy, failure
to handle the request, and authentication failure. Exceptions are returned to users based on policy
rules defined by the administrator. For example, if a client sends a request for content that is not
allowed, an exception HTML page is returned, informing the client that access is denied. If a client
fails to properly authenticate, an exception HTML page is returned informing the client of the
authentication failure. There are two types of exceptions: built-in and user-defined.
Notify User objects display a notification page in the user's Web browser. A user must read the
notification and click an Accept button before accessing the Web content. This feature is only
configurable through the VPM.
Exception pages and Notify User objects can be designed to include substitution variables that are
particular to the given request. For example, the host name and category of the site requested, the
user's IP address and authenticated user name, and the ProxySG that is generating the exception
can be placed into the response to the user's browser. Because values such as the requested host
name come from the client's request, treat them as untrusted when you build HTML around them.


Exceptions

[Slide: Exceptions]

Exception pages are customized Web pages (or messages) sent to users under specific conditions
defined by a company and its security policies. The ProxySG offers multiple built-in exception
pages that can be modified for a company's particular needs. Built-in exception pages are always
available and can have their contents customized; however, built-in exceptions cannot be
deleted, and you cannot create new built-in exceptions. Built-in exception pages include
authentication_failed, policy_denied, and so on.
Additionally, user-defined exception pages can be created by the administrator. In a user-defined
exception page, you can write a more specific, detailed message than the ones contained in the
built-in exception pages. You also can use HTML or JavaScript code in writing the page or add
links to external resources, such as images.
Built-in and user-defined exceptions can be used as an action object when creating policy in the VPM
or through CPL.


Exception Page Components

[Slide: Exception page components]

Each exception definition (whether built-in or user-defined) contains the following elements:

Identifier: Identifies the type of exception. For user-defined exceptions, the identifier is the
name specified upon creation.

Format: Defines the appearance of the exception. For an HTTP exception response, the format
is an HTML file. For other protocols, where the user agents are not able to render HTML, the
format is commonly a single line.

Summary: A short description of the exception that labels the exception cause. For example,
the default policy_denied exception summary is Access Denied.

Details: The default text that describes the reason for displaying the exception. For example, the
default policy_denied exception (for HTTP) detail is Your request has been denied by system
policy.

Help: An informative description of common possible causes and potential solutions for users
to take. For example, if you want the categorization of a URL reviewed, you can append the
$(exception.category_review_url) and $(exception.category_review_message) substitutions
to the $(exception.help) definition. You must first enable this capability through the content
filtering configuration.

Contact: Used to configure site-specific contact information that can be substituted in all
exceptions. Although it is possible to customize contact information on a per-exception basis,
customizing the top-level contact information is sufficient in most environments.

HTTP-Code: The HTTP response code to use when the exception is issued. For example, the
policy_denied exception by default returns the 403 Forbidden HTTP response code.


Managing Exceptions via CLI

[Slide: Exceptions, creating and editing]

You can create or edit an exception with installable lists on the Management Console. The
exception installable list uses the Structured Data Language format. This format provides an
effective method to express a hierarchy of key/value pairs. The Management Console allows you
to create and install exceptions through a text editor, local file, or a remote URL. Additionally, you
can create or edit an exception through the CLI.
Exception pages are defined within a hierarchy, and parent exceptions can provide default values
for child exceptions. There are two parent exceptions from which other exceptions are derived:
exception.all and exception.user-defined.all. The general form of an exception is:
(exception.<exception-id>
(contact " ") ; displays the contact information for further assistance
(details " ") ; displays the reason why the exception was sent
(format " ") ; defines the page format, specifically HTML content
(help " ") ; defines the help message
(summary " ") ; defines a summary of the message
(http ; values in this block apply only to HTTP responses and override those above
(code " ") ; HTTP return code (typically 200 OK or 403 Forbidden)
(contact " ") ; displays the contact information for further assistance
(details " ") ; displays the reason why the exception was sent
(format " ") ; defines the page format, specifically HTML content
(help " ") ; defines the help message
(summary " ") ; defines a summary of the message
)
)

When defining the above fields, you can reference substitution variables such as authenticated
username, client IP address, time, date, and so on, allowing you to make user-specific messages.
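The definition format above, as an added example in Python (not SGOS code): a parser for the parenthesised key/value lists, resolution of a child exception against its parents, and substitution of `$(...)` variables into the resolved fields. The sample installable list is constructed. Three assumptions are made: that `exception.user-defined.all` itself inherits from `exception.all`; that only exceptions whose identifier is not a built-in name (here the two the page lists, `authentication_failed` and `policy_denied`) inherit from `exception.user-defined.all`; and that fields inside the `http` block override the top-level fields of the same name for HTTP responses.

```python
import re
from typing import Dict, List, Union

Node = Union[str, List["Node"]]
BUILTIN = {"authentication_failed", "policy_denied"}   # built-in identifiers named on the page

# Constructed installable list; not shipped with SGOS.
SAMPLE = r"""
; defaults for every exception
(exception.all
  (contact "Contact the help desk at extension 4444.")
  (summary "Access Denied")
  (details "Your request has been denied by system policy.")
  (http (code "403")))
; defaults for user-defined exceptions only (assumed here to inherit from exception.all)
(exception.user-defined.all
  (format "<html><body><h1>$(exception.summary)</h1><p>$(exception.details)</p><p>$(exception.contact)</p></body></html>"))
; a user-defined exception: only the fields that differ from its parents
(exception.no_streaming
  (summary "Streaming Blocked")
  (details "Streaming media is not permitted for $(user) from $(client.address)."))
"""

_TOKEN = re.compile(r'\s*(?:(;[^\n]*)|(\()|(\))|"((?:[^"\\]|\\.)*)"|([^\s()";]+))')


def tokenize(text: str):
    """Yield '(' / ')' or ("value", text); a comment runs from ';' to the end of the line."""
    for m in _TOKEN.finditer(text):
        if m.group(2):
            yield "("
        elif m.group(3):
            yield ")"
        elif m.group(4) is not None:
            yield ("value", m.group(4).replace('\\"', '"'))
        elif m.group(5):
            yield ("value", m.group(5))


def parse(text: str) -> List[Node]:
    """Parenthesised lists -> nested Python lists of strings."""
    stack, current = [], []
    for tok in tokenize(text):
        if tok == "(":
            stack.append(current)
            current = []
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            finished, current = current, stack.pop()
            current.append(finished)
        else:
            current.append(tok[1])
    if stack:
        raise ValueError("unbalanced '('")
    return current


def to_fields(items: List[Node]) -> Dict[str, object]:
    """(key "value") -> key: value; (key (k v) ...) -> key: nested dict."""
    fields: Dict[str, object] = {}
    for item in items:
        if isinstance(item, list) and item:
            key, rest = item[0], item[1:]
            fields[key] = rest[0] if len(rest) == 1 and isinstance(rest[0], str) else to_fields(rest)
    return fields


def load(text: str) -> Dict[str, Dict[str, object]]:
    return {node[0]: to_fields(node[1:]) for node in parse(text) if isinstance(node, list)}


def _merge(dst: dict, src: dict) -> None:
    for k, v in src.items():
        if isinstance(v, dict) and isinstance(dst.get(k), dict):
            _merge(dst[k], v)
        else:
            dst[k] = dict(v) if isinstance(v, dict) else v


def resolve(defs: Dict[str, Dict[str, object]], name: str) -> Dict[str, object]:
    """Child values win over exception.user-defined.all (user-defined only), which wins over exception.all."""
    chain = ["exception.all"]
    if name.split("exception.", 1)[-1] not in BUILTIN:
        chain.append("exception.user-defined.all")
    chain.append(name)
    merged: Dict[str, object] = {}
    for n in chain:
        _merge(merged, defs.get(n, {}))
    return merged


def render_http(defs: Dict[str, Dict[str, object]], name: str, subs: Dict[str, str]) -> tuple:
    """Return (status code, body) with $(...) substitutions applied; http-block values override top-level ones."""
    ex = resolve(defs, name)
    fields = {k: v for k, v in ex.items() if isinstance(v, str)}
    fields.update(ex.get("http", {}))
    ctx = {f"exception.{k}": v for k, v in fields.items()}
    ctx.update(subs)

    def expand(s: str, depth: int = 3) -> str:   # a few passes, so substituted text may itself contain $(...)
        out = re.sub(r"\$\(([\w.]+)\)", lambda m: ctx.get(m.group(1), ""), s)
        return out if depth == 0 or out == s else expand(out, depth - 1)

    return int(fields.get("code", "200")), expand(fields.get("format", ""))
```

`render_http(load(SAMPLE), "exception.no_streaming", {"user": "joe.kelly", "client.address": "10.1.2.3"})` returns 403 and a page whose heading, details and contact line all come from different levels of the hierarchy; the request-specific values are filled in only at render time, which is what makes one definition serve every user.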


Default Policy

[Slide: Default policy]

The default proxy transaction policy is to either deny proxy transactions or to allow proxy
transactions. A default proxy transaction policy of Deny prohibits proxy-type access to the
ProxySG: You must then create policies to explicitly grant access on a case-by-case basis. Your
browser displays an access-denied page under such a situation.
The default proxy policy depends on how you installed SGOS and whether it was a new
installation or an upgrade:

MACH5 Edition: The default setting is Allow.

Proxy Edition: The default depends on how you configured your ProxySG:

If SGOS was installed using the front panel or through the serial console, the default
setting is Deny.

If you upgraded SGOS from a previous version, the default policy remains the same as it
was for the previous version.

Note:

The default proxy policy does not apply to admin transactions. By default, admin
transactions are denied unless you log in using console account credentials or if
explicit policy is written to grant read-only or read-write privilege.


Notify User Objects


Used for special pages
Splash and Coaching pages
Based on cookies
HTTP only
Require user agent to support cookies
Creates large CPL code
Difficult to troubleshoot

Slide: Notify user objects

The notify user feature is designed to provide the following functionality:

Web-use compliance: A compliance page is a customized notification page displayed when a
user attempts to access the Internet. This page ensures employees read and understand the
company's Acceptable Usage Policy before Internet use is granted.

Coach users: A coaching page displays when a user visits a Web site that is blocked by content
filtering policy. This page explains why the site is blocked, the consequences of unauthorized
access, and a link to the site if business purposes warrant access.


Splash Page

Slide: Splash page

Splash pages can be used to deliver any message to users. They often notify users of an
organization's Acceptable Usage Policy for the Internet or inform them of an event, such as a
planned network outage.
Splash pages generally appear at a specific time. For instance, a splash page reminding users of
the AUP could appear each time they launch their browsers.
When splash pages appear, users are not prevented from accessing any Web sites or other
resources. If the page appears when users type a URL, they can access the site they requested by
clicking the reload button on their browsers. If the splash page appears when the browser opens,
users can access the site they want by typing the URL or selecting a bookmark as usual.
In the above diagram, the administrator has defined a splash page to be presented to each user
once per day.
1. The user requests a page for the first time in the day, so the ProxySG presents a splash page.
   The user clicks Accept on the splash page, and the requested page is delivered.
2. The same user then requests another page. If the splash time limit has not expired, then the
   page is delivered.
3. If the splash time limit has expired, then the splash page is presented and a new time period
   begins.


Coaching Page

Slide: Coaching page

Coaching pages have a dual purpose: They notify users that a Web site or other resource is
contrary to the organization's AUP, and they also allow users to access it. Coaching pages are
sometimes called burn-through pages.
When users see a coaching page, they are informed that their organization's AUP prohibits them
from viewing certain content. However, the coaching page also offers a link to the resource along
with a warning that users' activity will be monitored and reported.
You might find it useful to use both exception and coaching pages. For instance, you might want
to block users from adult sites and return exception pages when they try to access them. You
might want to discourage traffic to travel or Web e-mail sites and return coaching pages when
users attempt to view them.
In the above diagram, the administrator has defined a coaching page to be presented whenever a
user requests a page that is prohibited by their organization's AUP.
1. The user requests a prohibited page, so the ProxySG presents a coaching page. The user clicks
   Accept on the coaching page, and the requested page is delivered.
2. The same user then requests another prohibited page. Even though a coaching page was
   presented for the request in Step 1, the ProxySG presents the coaching page again, this time for
   the second prohibited page.
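The two sequences above (a splash page once per day, a coaching page on every prohibited request) modelled in Python, as an added example rather than code from the course or from SGOS. The real feature keeps its state in the cookies set by the Notify User action and decides what is prohibited through content-filtering policy; everything named here (the notification names, the 24-hour interval, the prohibited host list) is an assumption standing in for those settings.

```python
"""Model of the splash-page and coaching-page behaviour described above.

Added example, not ProxySG code. The cookie jar is a dict holding the time
the user last accepted each notification; policy is a constructed host list.
"""
from typing import Dict, List, Tuple

SPLASH_NAME = "aup_splash"
SPLASH_INTERVAL = 24 * 60 * 60      # renotify once per day (seconds), as in the diagram
COACH_NAME = "aup_coaching"

# Constructed stand-in for the content-filtering policy.
PROHIBITED_HOSTS = {"travel.example", "webmail.example"}


def is_prohibited(url: str) -> bool:
    """Return True when the URL's host is one the AUP discourages."""
    host = url.split("//", 1)[-1].split("/", 1)[0]
    return host in PROHIBITED_HOSTS


def decide(url: str, now: int, cookies: Dict[str, int]) -> str:
    """Return the action for one request: 'splash', 'coach' or 'deliver'.

    `cookies` maps notification name -> time the user last clicked Accept.
    Presenting a page is modelled as the user accepting it at once, so the
    cookie is written here and the requested page follows on the next step.
    """
    last = cookies.get(SPLASH_NAME)
    if last is None or now - last >= SPLASH_INTERVAL:
        cookies[SPLASH_NAME] = now          # accepting starts a new time period
        return "splash"
    if is_prohibited(url):
        # A coaching page is shown for every prohibited request; the stored
        # acceptance time is never consulted to suppress it.
        cookies[COACH_NAME] = now
        return "coach"
    return "deliver"


def run_session(requests: List[Tuple[int, str]]) -> List[str]:
    """Replay (timestamp, url) pairs for one user and return the actions taken."""
    cookies: Dict[str, int] = {}
    return [decide(url, when, cookies) for when, url in requests]
```

Replaying a day of requests shows the asymmetry the diagrams describe: the splash cookie suppresses the page until the interval expires, while a second prohibited request is coached again even though the first one was accepted moments earlier.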


Notify User Configuration

Slide: Configuring notifications

The Notify User object can be used as an action in the Web Access Layer. Notify User objects can
only be created and customized through the VPM; this feature is not available through the CLI.
Once you have selected the Notify User object, select the customization options. Options include
the HTML text of the notification, the virtual URL used to store cross-domain cookies, the scope of
the notification, and the frequency of renotification. You can combine the Notify User action with
other triggers available in the Web Access Layer.


Chapter 14: Access Logging

Access logging on the Blue Coat ProxySG allows you to track traffic for the entire network or
specific information on user or department usage patterns. Each time a user requests a resource,
the proxy saves information about that request to a file for later analysis. The information stored is
called a log. In addition to Web policy management, content filtering, and Web content virus
scanning, companies can implement monitoring schemes through the access logging feature.
Access logging gives companies the ability to audit all traffic for both external and internal content
requests.
Access logs can be directed to one or more log facilities, which associate the logs with their
configured log formats and upload schedules.
Stored data can be automatically uploaded to a remote location for analysis and archival purposes.
Uploads can take place using HTTP, FTP, or one of several vendor-specific protocols. Once
uploaded, reporting tools such as Blue Coat Reporter can be used to analyze log files. These logs
and reports generated from them can be made available in real time or on a scheduled basis.
Reporter is a full-featured tool with many options and possible uses that are beyond the scope of
this course. Separate training courses in Reporter are available from Blue Coat and Blue Coat
Authorized Training Centers.
After studying this chapter, you will understand:

The components of a ProxySG access log facility.

How to create and upload access logs.

How to specify the contents of access logs.

How to use the Visual Policy Manager to modify access logging parameters.


Access Logging
Record transaction information
Information specific per protocol
Necessary to run reports
Customizable
Track usage
Entire network
Specific information
User or department usage patterns

Slide: Access logging

Access logging helps you to track Web usage for the entire network, or specific information on
user or department usage patterns. The ProxySG supports access logging to help you monitor Web
usage. Monitoring allows you to detect and remedy failures and, when done proactively, to
anticipate and resolve potential problems before they result in poor performance or failure.
The ProxySG creates access logs for all traffic flowing through the appliance. Each network
protocol can create an access log record at the end of each transaction. For example, the ProxySG
can create access logs for each HTTP request from the client. The access logs, each containing a
single logical file and supporting log format, are managed by policies created through the Visual
Policy Manager or Content Policy Language.
Access logs can be uploaded to a remote server and then analyzed using Reporter.


Log Facilities

Slide: Log facilities

A log facility is not just a log file; it also is all of the many characteristics and behaviors associated
with a log file. The facility also controls the upload schedule, how often to rotate the logs at the
destination, any passwords needed, the point at which the facility can be uploaded, and so on.
Three key parameters define a log facility:

Log name: An arbitrary alphanumeric name for the log file (main in the above example).

Log type: Defines the type of entries in an access log. The ProxySG supports several standard
log types, including NCSA Common, SQUID-compatible, and the World Wide Web
Consortium (W3C) Extended Log File Format (ELFF).

Log format: Defines the specific information about a transaction that is stored in the access
log. Each log format is of exactly one log type. You can use a predefined log format, or you can
create a custom one and select the transaction parameters you want to monitor.

The upload schedule allows you to configure the frequency of the access-logging upload to a
remote server, the time between connection attempts, the time between keep-alive packets, the
time at which the access log is uploaded, and the protocol that is used. Log rotation helps prevent
logs from growing too large. Especially with a busy site, logs can grow quickly and become too big
for easy analysis. With log rotation, the ProxySG periodically creates a new log file and archives
the older one without disturbing the current log file.
You can define specific behaviors in the log facility, most importantly how to control the
maximum size allocated to a log facility and how to handle critical scenarios:

Configure the maximum size occupied by all of the log files.

Specify the behavior of the log when the maximum size is reached. You can have the log stop
logging (and do an immediate upload) or have it delete the oldest log entries. If you decide to
start an early upload, then you can specify the size of the log that triggers this event.

Configure how to upload the logs from the ProxySG to an FTP, HTTP, or Reporter server. You
can stream the data continuously from the ProxySG to the target server, or you can batch bulk
data from the ProxySG to the target server at selected intervals.


Log Creation

Slide: Log creation

Access logs contain data about user requests and the corresponding responses from Web servers.
An access log record is created only after a transaction is complete. These records are stored on the
disk of the ProxySG and can be made available for analysis later.
The above diagram shows the steps in the creation of an access log:
1. The client sends a request for a resource.
2. The ProxySG then sends this request to the origin content server.
3. The OCS replies with a response to the ProxySG.
4. The ProxySG records this transaction and saves it to its cache.
5. The ProxySG sends the response to the client.
6. An access log entry for this entire transaction is created after the client receives the response
   from the ProxySG.

Note:

If the connection is denied or the content is served from the cache, Steps 2 and 3 are
completed by the ProxySG.


Periodic Upload

Slide: Periodic upload

The ProxySG can upload access logs to a remote server using different types of upload clients.
During the uploading process, the access logs can be digitally signed and encrypted for security.
You can digitally sign access logs to certify that a particular ProxySG wrote and uploaded this log
file. Signing is supported for both content types (text and gzip) and for both upload types
(continuous and periodic). Each log file has a signature file associated with it that contains the
certificate and the digital signature for verifying the log file. The signature file has the same name
as the access log file but with a .sig extension; that is, filename.log.sig if the access log is a text file,
or filename.log.gzip.sig if the access log is a gzip file. If you use Reporter to analyze the access logs,
you need to decrypt the access logs before loading them into the database.
You can digitally sign your access log files with or without encryption. If the log is both signed
and encrypted, the signing operation is done first, meaning that the signature is calculated on the
unencrypted version of the file. You must therefore decrypt the log file before verifying it;
attempting to verify an encrypted file fails.
The ProxySG supports the following upload clients: FTP (the default), HTTP client, a custom
client, and Websense. The custom client can be used for special circumstances, such as while
working with SurfControl Reporter. Only one upload client can be used by the ProxySG at a
time. All of the above upload clients can be configured, but only the selected client is used.
The ProxySG allows you to upload access log files periodically to a remote server. The upload
schedule feature of the ProxySG allows you to configure the frequency of the access logging upload,
the time between connection attempts, and the time at which the log is uploaded. With periodic
uploading, the ProxySG transmits log entries on a scheduled basis, such as once a day or at
specific time intervals. The log entries are batched, saved to disk, and then uploaded to a remote
server at a particular time. Periodic uploading is advised when you do not need to analyze the log
entries in real time.
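The sign-then-encrypt order described above, worked through as an added example that is not Blue Coat code. The appliance signs with a certificate and encrypts the upload; to stay runnable with only the standard library, this example substitutes an HMAC-SHA256 tag for the signature and a SHA-256 counter-mode keystream for the encryption, so the primitives are stand-ins and only the workflow is the point: the .sig file is computed over the unencrypted (possibly gzip'd) log, verifying the ciphertext fails, and verifying after decryption succeeds. The keys and the sample log text are constructed, and the .log.gz extension follows the compression section later in this chapter (this page writes .log.gzip.sig for the signature of a gzip log).

```python
"""Why an encrypted access log must be decrypted before its signature is checked.

Added example, not Blue Coat code: HMAC and a SHA-256 keystream stand in for
the appliance's certificate-based signature and its upload encryption.
"""
import gzip
import hashlib
import hmac
import os

SIGNING_KEY = b"constructed-signing-key"        # stand-in for the signing certificate's key
ENCRYPTION_KEY = b"constructed-encryption-key"  # stand-in for the upload encryption key


def sig_name(file_name):
    """Signature file name: the log file name plus a .sig extension."""
    return file_name + ".sig"


def sign(data):
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data, signature):
    return hmac.compare_digest(sign(data), signature)


def _xor_keystream(nonce, data):
    # SHA-256 in counter mode; XOR makes encrypt and decrypt the same operation.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(ENCRYPTION_KEY + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(data):
    nonce = os.urandom(16)
    return nonce + _xor_keystream(nonce, data)


def decrypt(blob):
    return _xor_keystream(blob[:16], blob[16:])


def prepare_upload(log_name, text, compress, encrypt_log=True):
    """Return {file name: bytes} for an upload: the log and its .sig file."""
    content = gzip.compress(text) if compress else text
    name = log_name + ".gz" if compress else log_name
    signature = sign(content)                    # signing first, over the unencrypted file
    payload = encrypt(content) if encrypt_log else content
    return {name: payload, sig_name(name): signature}


def check_upload(files, name, encrypted=True):
    """Verify a received log both as received and after decryption.

    Returns a dict with both verification outcomes and, when the signature
    checks out, the decompressed log text.
    """
    payload = files[name]
    signature = files[sig_name(name)]
    result = {"verifies_as_received": verify(payload, signature)}
    if encrypted:
        payload = decrypt(payload)               # decrypt before verifying
    ok = verify(payload, signature)
    result["verifies_after_decrypt"] = ok
    if ok:
        result["log_text"] = gzip.decompress(payload) if name.endswith(".gz") else payload
    else:
        result["log_text"] = None
    return result
```

The check refuses to decompress anything whose signature fails, which matters for gzip uploads: a corrupted or tampered ciphertext would otherwise reach the decompressor and the report database before anyone noticed.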


Continuous Upload

Slide: Continuous upload

Under continuous uploading, the ProxySG continuously streams new access log entries to the
remote server from its memory. Continuous uploading can send log information from a ProxySG
farm to a single log analysis tool. This allows you to treat multiple ProxySG appliances as a single
entity and to review combined information from a single log file or series of related log files.
When you configure the ProxySG for continuous uploading, it continues to stream log files until
you stop it. In this context, streaming refers to the real-time transmission of access log files using
a specified upload client.
If the remote server is unavailable to receive continuous upload log entries, the ProxySG saves the
log information on the ProxySG disk. When the remote server is available again, the ProxySG
resumes continuous uploading. To temporarily stop continuous uploading, switch to periodic
uploading. This is sometimes required for gzip or encrypted files, which must stop uploading
before you can view them.
Continuous uploading allows you to:

View the latest log information almost immediately.

Send log information to a log analysis tool for real-time processing and reporting.

Maintain ProxySG performance by sending log information to a remote server.

Save ProxySG disk space by saving log information on a remote server.


Log File Compression

Slide: Log file compression

The ProxySG allows you to upload either plaintext or compressed access logs to the remote server.
The ProxySG uses gzip format to upload compressed access logs. Gzip-compressed files allow
more log entries to be stored on the ProxySG. Compressed log files have the extension .log.gz.
Compressed access logs can be best uploaded during a periodic or scheduled upload.
Some advantages of file compression are:

Reduced time and resources are used to produce a log file; fewer disk writes are required.

Less bandwidth is used when the ProxySG sends access logs to an upload server.

Less disk space is required.

Plaintext access logs have the extension .log. Text log files are best suited for continuous upload to
a remote server. Although gzip-compressed logs can be sent via continuous upload, Blue Coat
recommends using text format if you need to analyze log data in real time.


Protocols and Default Log Facilities


Protocol                                                              Default Log Facility
HTTP, FTP, TCP tunnel, Telnet, HTTPS reverse proxy, Endpoint Mapper   main
Instant messaging                                                     im
Peer-to-peer                                                          p2p
Multimedia streaming                                                  streaming
SSL, HTTPS forward proxy                                              ssl
CIFS                                                                  cifs
MAPI                                                                  mapi
ICP, SOCKS                                                            No logging

Slide: Protocols and default log facilities

The above table shows the default log facility association for different protocols on the ProxySG.
Seven log facilities are predefined: cifs, im, main, mapi, p2p, ssl, and streaming. No logging is
performed by default for the ICP and SOCKS protocols.
You can associate a log facility with a protocol at any time. But if you have a policy that defines
protocol and log facility association, that policy will override any settings that you make. Multiple
access log facilities are supported in the ProxySG, although each access log supports a single log
format. You can log a single transaction to multiple log facilities through a global configuration
setting for the protocol that can be modified on a per-transaction basis through policy.
If you upgraded from a previous version of the SGOS operating system, some protocols might
already be associated with a specific log facility. Old logs are converted to the main log facility. You
can globally enable or disable access logging. If access logging is disabled, logging is turned off for
all log objects. Once globally enabled, connection information is sent to the default log facility for
the service.
Although the predefined log facilities are sufficient for most deployments, you also can create a
custom log facility. To create a custom log facility:
1. Choose a log format, or create a custom format. Log formats are discussed later in this chapter.
2. Create a log name, and assign a format.
3. Assign a protocol to the log facility.
4. Configure the upload client.
5. Configure the upload schedule, rotation schedule, and general settings.


Log Formats and Log Types

Log Format                      Log Facility    Log Type
bcreportermain_v1 (with PVC)    main            ELFF
im                              im              ELFF
p2p                             p2p             ELFF
streaming                       streaming       ELFF
bcreporterssl_v1                ssl             ELFF
bcreportercifs_v1               cifs            ELFF
mapi                            mapi            ELFF
squid                           Custom          Squid
ncsa                            Custom          NCSA
websense                        Custom          Websense
surfcontrol, surfcontrol_v5     Custom          SurfControl
smartreporter                   Custom          ELFF

Slide: Log formats and log types

Several log formats are predefined on the ProxySG. The above table shows these formats, the log
facilities they are associated with, and the log type of each format.
Each log format has an associated predefined log type. These log types are:

ELFF: Uses entries in a format defined by the W3C and described later in this chapter. ELFF
requires a space between fields.

SQUID-compatible: Contains one line for each request; this log type is designed for cache
statistics.

NCSA Common: Contains one line for each request with only basic HTTP access information.

Websense: Compatible with the Websense Reporter tool.

SurfControl: Compatible with the SurfControl Reporter tool.

A majority of content is HTTP content and uses the main log facility, which uses the
ELFF-compatible log format bcreportermain_v1, designed for use with Blue Coat Reporter.
Similarly, CIFS content, which mostly comprises intranet access, uses the bcreportercifs_v1 format.
Secure content such as SSL and HTTPS uses the bcreporterssl_v1 format, which only contains
fields that do not reveal private or sensitive information.
The bcreportermain_v1 format also supports the Page View Combiner (PVC). This feature
combines multiple HTTP requests that are associated with a single Web page into a single log line.
When a user goes to a Web page, that page often sends out requests for more content, either from
the same server or from different servers. Rather than regarding each of these requests as separate
requests, the PVC combines all of these related page requests into one. This reduces the number of
database entries in the log file and improves report generation performance.
You can create additional log formats that use ELFF-compatible or custom format strings. You
cannot edit predefined log formats, but you can copy them to a new name and edit the copy.


ELFF Strings

Slide: ELFF strings

An ELFF definition consists of one or more strings. Each string is one of the following:

An identifier unrelated to any specific computer, such as date or time.

A prefix and an identifier separated by a dash:

  Prefix: Identifies the computers to which the data applies. Valid prefixes are:
    c: client
    s: server (the ProxySG)
    r: remote (the origin content server)
    sr: server to remote
    cs: client to server
    sc: server to client
    rs: remote to server

  Identifier: Describes information related to a computer or a transfer, such as ip (IP
  address) or bytes (number of bytes sent).

A prefix from the above list and the name of an HTTP header enclosed in parentheses.

The above diagram shows the definition of the main log format. In this definition, for example:
1. c-ip is the IP address of the client.
2. sc-bytes is the number of bytes sent from the server (the ProxySG) to the client.
3. rs(Content-Type) is the value of the Content-Type header from the OCS to the ProxySG.


Sample Log

1. Log file header: valid log files must have a header
2. Log entry

Slide: Sample log

This diagram shows a sample log as seen in an access log file. Every log file must have a header.
The header lists information regarding the version of the ProxySG, the date and time of the log,
and the fields that are present in the access log. The header is followed by log entries that contain
detailed information about the date, time, and content that was accessed by a client. These log
entries make up the final log file that can then be digitally signed, encrypted, and uploaded via the
Management Console.
You can manually re-create the header if you have log files that would otherwise be valid.
Files without a header can appear when you change log formats without interrupting access
logging first.
Important: Log files must have valid headers. Blue Coat Reporter does not process log files
that do not contain valid headers.


Transaction Information

Slide: Transaction information

This diagram describes the transaction that occurs between a client and a server and how access
logs keep a record of information that was served from a cache or entirely from RAM, or when the
information was obtained from the origin server.
When the client first requests information (an object), the ProxySG checks with the cache to
determine whether the requested object can be served from there. If the object is present in the
cache, then TCP_HIT is recorded in the access log and the object is sent to the client. If the object
was entirely present in the RAM, it is served from the RAM and TCP_MEM_HIT is recorded in the
server action field in the access log.
If the object was present in the cache but the virus-scanner-tag-id did not match the current
scanner tag, the object is rescanned by sending it to the ProxyAV. The server action field in the
access log then records the action as TCP_RESCAN_HIT. The object is sent to the client after the
virus scanning.
If the requested object is not found in the cache or the RAM, the request is sent to the origin
content server to retrieve the object. If the requested object was not present in cache at all, the
action is recorded as TCP_MISS. Usually when objects are obtained from the OCS, the ProxySG
saves a copy in its cache. If the object returned from the origin server is not cacheable, the action is
saved as TCP_NC_MISS. To speed delivery of requested objects, the ProxySG can serve cached
objects while requesting fresher content from the origin server. In this case, the action gets
recorded in the access log as TCP_PARTIAL_MISS.
Actions are also logged in the access log when objects are delivered to the client. When the object
is successfully delivered to the client, the action is logged as ALLOWED. When policies in the
ProxySG deny the object from being delivered to the client, the action is logged as DENIED. When
access to the requested object is denied by a filter, the action is logged as TCP_DENIED.
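The ELFF conventions (prefix-identifier field names such as c-ip, sc-bytes and rs(Content-Type)), the header requirement from the sample-log section, and the server-action values above, put to work in one added Python example that is not Blue Coat code. The log text is constructed for the example and uses a subset of the main format's fields; the parser reads the #Fields directive to name each column, rejects a file that has no header (the case Reporter refuses), offers a way to re-create a header for such a file, and summarizes server actions, bytes delivered per client, and denied requests.

```python
"""Parse an ELFF access log, check its header, and summarize server actions.

Added example, not Blue Coat code. SAMPLE_LOG is constructed to follow the
ELFF conventions described in this chapter: '#' directives, a #Fields line
naming the columns, space-separated values, quoting for values with spaces.
"""
import shlex
from collections import Counter, defaultdict

# Actions that mean the object was served from the ProxySG cache or RAM.
HIT_ACTIONS = {"TCP_HIT", "TCP_MEM_HIT", "TCP_RESCAN_HIT"}

SAMPLE_LOG = """\
#Software: SGOS (constructed sample, not a real appliance header)
#Version: 1.0
#Date: 2010-06-01 09:00:00
#Fields: date time time-taken c-ip cs-username s-action sc-status sc-bytes cs-method cs-host cs-uri-path rs(Content-Type) cs(User-Agent)
2010-06-01 09:15:02 120 10.1.2.3 jdoe TCP_HIT 200 5120 GET www.example.com / text/html "Mozilla/5.0 (constructed)"
2010-06-01 09:15:03 15 10.1.2.3 jdoe TCP_MEM_HIT 200 830 GET www.example.com /logo.png image/png "Mozilla/5.0 (constructed)"
2010-06-01 09:16:40 900 10.1.2.7 asmith TCP_NC_MISS 200 20480 GET mail.example.net /inbox text/html "Mozilla/5.0 (constructed)"
2010-06-01 09:17:05 3 10.1.2.7 asmith TCP_DENIED 403 1200 GET blocked.example.org / text/html "Mozilla/5.0 (constructed)"
2010-06-01 09:18:11 410 10.1.2.3 jdoe TCP_MISS 200 7300 GET www.example.com /news text/html "Mozilla/5.0 (constructed)"
"""


def parse_elff(text):
    """Return (directives, entries).

    directives: the '#Name: value' header lines as a dict.
    entries: one dict per log line, keyed by the names from #Fields.
    Raises ValueError for a file with no valid header.
    """
    directives = {}
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            directives[name.strip()] = value.strip()
            if name.strip() == "Fields":
                fields = value.split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields: file has no valid header")
        values = shlex.split(line)            # honours quoted values with spaces
        if len(values) != len(fields):
            raise ValueError("expected %d fields, got %d: %s" % (len(fields), len(values), line))
        entries.append(dict(zip(fields, values)))
    if fields is None:
        raise ValueError("no #Fields directive: file has no valid header")
    return directives, entries


def build_header(fields, software="SGOS (placeholder)", date="1970-01-01 00:00:00"):
    """Re-create the directives a valid log file must start with."""
    lines = [
        "#Software: " + software,
        "#Version: 1.0",
        "#Date: " + date,
        "#Fields: " + " ".join(fields),
    ]
    return "\n".join(lines) + "\n"


def summarize(entries):
    """Counts per s-action, bytes sent to each client, hit ratio, denied requests."""
    actions = Counter(e["s-action"] for e in entries)
    bytes_to_client = defaultdict(int)
    for e in entries:
        bytes_to_client[e["c-ip"]] += int(e["sc-bytes"])
    hits = sum(actions[a] for a in HIT_ACTIONS)
    denied = [(e["cs-username"], e["cs-host"]) for e in entries if e["s-action"] == "TCP_DENIED"]
    return {
        "actions": dict(actions),
        "bytes_to_client": dict(bytes_to_client),
        "cache_hit_ratio": hits / len(entries) if entries else 0.0,
        "denied": denied,
    }
```

Because the column names come from the #Fields line rather than being hard-coded, the same parser handles a custom format; what it cannot do is guess the columns of a headerless file, which is why build_header takes the field list explicitly from the format you know was in effect.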


Access Logging Policies

Slide: Access logging policies

You can enable access logging from either the Management Console or the command line
interface. The ProxySG comes preconfigured with log facilities already assigned to the main proxy
services.
For most users, the default settings are sufficient; however, you can introduce a very detailed level
of customization. More importantly, you can use the VPM to define additional details of the
information that is stored in the access log. For instance, you can disable monitoring of certain
users (such as the executive management and Human Resources). Similarly, you can disable
logging of traffic to certain URLs (there might be little information to gain in logging access to the
enterprise Internet and intranet sites).
Also, you can create a custom log facility in which you record very specific parameters, and create a
policy to log the traffic from a certain source, to a certain destination, or both in that log facility.
If you are investigating a user (or access to a specific resource), sometimes it is faster to gather the
information about the target user (or location) in a separate access log. This allows you to run
reports much more efficiently because you do not have to sort through your entire enterprise's
data.


Statistics

Slide: Statistics

Access-log statistics can be viewed from the Management Console Statistics > Access Logging tab
or the CLI command show access-log statistics log_name, although not all statistics
you can view in the Management Console are available in the CLI. You can also view some access
log statistics by going to Statistics > Advanced and clicking Access Log.
Statistics you can view from Statistics > Advanced on the Management Console include:

Show list of all logs: The access log manages multiple log objects internally. These are put
together as one logical access log file when the file is uploaded. This list shows the available
internal log objects for easy access. To download part of the access log instead of the whole log
file, click on the individual log object shown in the list. The latest log object can be identified
by its timestamp.

Show access log statistics: The statistics of an individual access log are shown.

Show statistics of all logs: The statistics of all the access logs on the system are displayed in a
single list.

Show last N bytes in the log: The most recent content of the log is shown.

Show last part of log every time it changes: A stream of the latest log entries is shown on the
page as they are written in the system.

Show access log tail with optional refresh time: A refresh from the browser displays the latest
log entries.

Show access log objects: The statistics of individual access log objects are displayed.

Show all access log objects: The statistics of all access log objects are displayed in a single list.

The Log Size tab on the Management Console displays current log statistics:

Whether the log is being uploaded.

The current size of all access log objects.


Disk space usage.

Last modified time.

Estimated size of the access log file, once uploaded.

The ProxySG displays the current access logging status on the Management Console. This
includes separate status information about:

The writing of access log information to disk.

The client the ProxySG uses to upload access log information to the remote server.


Chapter 15: WAN Optimization Features

Today's IT organizations face a challenge: how to do more with less while increasing performance.
That challenge has resulted in three main trends: the use of the Web for enterprise applications;
server/data center consolidation; and increasing use of the public computing infrastructure.
The benefits of webification are clear: faster and more agile deployment of business applications,
and lower deployment and operations costs. But the benefits come at a cost. Because applications
are now browser-accessible, the vulnerabilities associated with browser use now apply equally to
business-critical applications. Additionally, employees have access to a bewildering variety of
browser content, making it possible for them to engage in unproductive, inappropriate, or even
criminal behavior. And as Web applications become more powerful, their bandwidth needs
increase exponentially.
Application consolidation also poses problems. Though organizations have been consolidating
application resources for several years, many of those applications are optimized for LAN
efficiency; the chatty protocols result in unacceptable response time when accessed from across the
WAN.
Server consolidation, increased application traffic, inefficient application protocols, highly
distributed users, and narrow bandwidth links have led to one thing: poor application
performance.
But the problem is not just a performance issue. IT managers cannot afford to increase
performance at the expense of control and security. At a minimum, an application acceleration
solution must:

Optimize use of existing WAN bandwidth.

Reduce latency associated with applications.

Improve the efficiency of application protocols.

Prioritize the applications that matter most.

Reuse and compress data where possible.

Accelerate file sharing, e-mail, and browser-based enterprise applications.

WAN optimization is a key part of Application Delivery Network technology on the Blue Coat
ProxySG and offers a consolidated and complete approach to solving the several pain points that
relate to bandwidth and user response time.

Application Acceleration Techniques


Slide: Application acceleration techniques

Bandwidth management: Control network resources by user, application, or content
Protocol optimization: Align high-level protocols with network characteristics
Object caching: Get Web, file, and video content close to users again
Byte caching: Store repetitive network traffic for dramatic acceleration
Compression: Inline reduction of data to reduce application bandwidth

Visibility is the key to achieving secure application performance while maintaining control over
users and content. Because proxies terminate application traffic, they have a unique and native
visibility into the application, the user, and the content of the interaction. Because of this,
integrating security techniques (such as threat scanning and exploit blocking), control methods
(such as content filtering and user and application authentication), and acceleration tactics (such
as caching and compression) with the proxy is far easier than with other architectures.
Blue Coat uses a multi-layer framework for increasing application performance over a WAN
infrastructure. Each layer can be controlled by policy, allowing you to apply the acceleration
techniques that are best suited to a particular situation. These techniques include:

Bandwidth management

Protocol optimization

Object caching

Byte caching

Compression

Bandwidth Management

Slide: Bandwidth management

In the battle for bandwidth on congested WAN and Internet access links, demanding applications
such as large downloads or e-mail attachments can flood capacity and undermine the
performance of critical applications. Abundant data, protocols that swell to consume all available
bandwidth, network bottlenecks, and new, popular, and bandwidth-hungry applications all seem
to conspire against critical application performance.
Most WAN optimization techniques focus on increasing the efficiency of the WAN. Even if the
WAN is made extremely efficient, however, there are times when large volumes of traffic result in
WAN congestion and, hence, WAN latency. The goal of bandwidth management, therefore, is to
prioritize traffic that is latency-sensitive and business-critical.
Bandwidth management adds a "throttle" or "modulate" option to the possible actions, enabling enterprises
to limit or guarantee bandwidth for individual (or groups of) applications. Using bandwidth
management, you can extract the greatest performance value from the available bandwidth. By
managing the bandwidth of specified classes of network traffic, administrators can:

Guarantee that certain traffic classes receive a specified minimum amount of available
bandwidth.

Limit certain traffic classes to a specified maximum amount of bandwidth.

Prioritize certain traffic classes to determine which classes have priority over available
bandwidth.

Administrators can create bandwidth rules using more than 500 different attributes, including
application, Web site, URL category, user/group, and time/priority.

Protocol Optimization

Slide: Protocol optimization

Many of today's most common protocols were not designed to operate efficiently across wide-area
links. Instead, they were optimized for the LAN, where round-trip time is not an issue. These
chatty protocols, such as CIFS and MAPI, sometimes can result in hundreds or thousands of
round trips on the WAN for a single transaction, resulting in an unacceptable user experience.
Protocol optimization makes these protocols more efficient, typically by converting a
time-consuming serial communication process into a more efficient parallel process where many
communication tasks are handled simultaneously. There are a variety of other optimization
techniques, depending on the protocol (such as TCP session reuse). While protocol optimization
does not reduce the amount of bandwidth that an application consumes, it can greatly accelerate
delivery of applications and reduce latency in the process.
The ProxySG uses several types of protocol optimization, including object pipelining (parallel
advanced retrieval of all Web objects linked to the requested page), local authentication, and DNS
caching.
In the above example:

1. The client communicates with the edge ProxySG in the original protocol of the client request
(such as CIFS).

2. The edge ProxySG and core ProxySG communicate via a proprietary, optimized protocol.

3. The core ProxySG communicates with the origin content server using the original protocol
from Step 1.

Object Caching

Slide: Object caching

Object caching:

Delivers content extremely rapidly when content is unchanged.

Is built on high-level applications and protocols.

Can cache HTTP/Web, streaming, CIFS, and other objects.

When the cache contains a requested object, the user is immediately served the object from a local
store, virtually eliminating latency and WAN bandwidth consumption. If the cache does not
contain the object or contains an outdated version of the object, then a new object is reloaded into
the cache, and the performance gains are realized the next time the object is requested.
The above diagram shows an example:

1. Client 1 requests an object. This request is handled by the ProxySG appliances on both sides of
the WAN.

2. The origin content server processes the request and sends the requested object.

3. The client-side ProxySG forwards the object to the client and at the same time stores the object
in its cache.

4. Client 2 sends a separate request for the same object.

5. The client-side ProxySG serves the object from its local cache, eliminating latency and
bandwidth consumption.

Application object caching is application-specific and variable. The degree of Web object caching
can be between 30% and 70% of the content, depending on the application. Object caching delivers
content extremely rapidly if the content is unchanged. Even when the content has changed, rapid
delivery can be achieved if byte caching is coupled with object caching because only a few updates
are required.

Organizations can use a few different methods to place content at user sites ahead of demand.
Adaptive refresh is a predictive refresh of frequently requested objects, which essentially
decouples user requests and object cache refreshing activity. So, if many users are requesting the
same object, the appliance refreshes the object more frequently. Additionally, the appliance can use
a publish/subscribe model (as in a content delivery network) to pre-position content near users by
means of a manual push, or by proactively monitoring a URL or storage volume.

Byte Caching

Slide: Byte caching

ADNs use byte caching to reduce the amount of TCP traffic across a WAN by replacing large
chunks of repeated data with small tokens representing that data. Working with patterns detected
in the WAN traffic, the ProxySG pair handling the traffic builds a byte cache dictionary of small
tokens that replace up to 64 KB of data each.
Byte caching slices objects into atomic bits and then sends only the updated, or different, bits over
the WAN. Byte caching is very low-level and is not application-specific. It works to increase
effective bandwidth for all traffic. Byte caching works well where the same (or similar) content
might be stored in multiple places, and when the content is dynamic. Furthermore, the Blue Coat
byte caching implementation, while transparent to users and applications, is user- and
application-aware and is incorporated into the policy framework of the ProxySG.
ADN optimization requires two-sided deployments, with a ProxySG (a peer) at each end of the
WAN link to create the dictionary for the common tokens. In such an environment, with only
minimal configuration changes, between 30% and 90% of WAN usage can be eliminated, and
WAN performance can be increased by 30% to 90%. Applications that can benefit from ADN
optimization include Windows file servers, Web share applications such as WebDAV, customer
resource management programs such as Siebel, and e-mail.

Compression

Slide: Compression

Compression technology uses a variety of common algorithms to remove extraneous/predictable
information from the traffic before it is transmitted. The information is reconstituted at the
destination based on the same algorithms. Compression reduces the size of content transferred
over the network, enabling optimized bandwidth usage and response time to the end user. This
technique, when applied with byte and object caching as discussed above, helps optimize
bandwidth savings and performance. The ProxySG compression feature:

Uses industry-standard and Blue Coat proprietary algorithms to compress all traffic.

Removes predictable white space from content and objects being transmitted.

Caches both compressed and uncompressed objects.

Uses HTTP and point-to-point compression.

The ProxySG supports two types of compression methodologies: HTTP and point-to-point. HTTP
compression (part of the HTTP version 1.1 specification) is fully supported. Web browsers support
compression algorithms such as gzip and deflate. These algorithms are also implemented in the
ProxySG.
The ProxySG can retrieve compressed content from the origin Web server and serve the
compressed content to clients that support compression algorithms; the ProxySG also
decompresses content on the fly to serve to clients that do not support compression. Content is
cached in compressed and uncompressed formats.
Point-to-point compression for any arbitrary protocol also can be configured in the ProxySG.
Point-to-point compression enables organizations to create compressed tunnels between proxies.
Traffic forwarded through these tunnels is automatically compressed before being sent through
the tunnel.
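An added model of the HTTP compression handling just described (this is illustration code written for this page, not the ProxySG's implementation): an origin object is kept in compressed and uncompressed form, and the representation served is chosen from the client's Accept-Encoding header, including a client that explicitly refuses gzip. The URL, the page body and the method names are constructed for the example.

```python
import gzip
import zlib


def accepted_encodings(accept_encoding: str) -> set:
    """Return the content codings a client will take, honouring q-values.
    'gzip;q=0, deflate' means: refuse gzip, accept deflate. An empty header
    means only the identity (uncompressed) form is acceptable."""
    accepted = set()
    for item in accept_encoding.split(","):
        coding, _, params = item.strip().partition(";")
        if not coding:
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0   # malformed q-value: treat the coding as refused
        if q > 0:
            accepted.add(coding.strip().lower())
    return accepted


def decode_body(body: bytes, coding: str) -> bytes:
    """What the receiving client does with the served representation."""
    if coding == "gzip":
        return gzip.decompress(body)
    if coding == "deflate":
        return zlib.decompress(body)
    return body


class CompressionCache:
    """Constructed model of a proxy cache that stores every object in both
    compressed and uncompressed form and serves whichever the client can handle."""

    def __init__(self):
        self._objects = {}   # url -> {"identity": bytes, "gzip": bytes, "deflate": bytes}

    def admit(self, url: str, body: bytes, content_encoding: str = "identity"):
        """Store an origin response. A gzip response from the origin is kept as-is
        and decompressed once; a plain response has the compressed forms derived."""
        if content_encoding == "gzip":
            plain, gz = gzip.decompress(body), body
        elif content_encoding == "identity":
            plain, gz = body, gzip.compress(body)
        else:
            raise ValueError("unsupported origin encoding: %s" % content_encoding)
        # HTTP 'deflate' is the zlib (RFC 1950) format, which zlib.compress produces.
        self._objects[url] = {"identity": plain, "gzip": gz, "deflate": zlib.compress(plain)}

    def serve(self, url: str, accept_encoding: str = "") -> tuple:
        """Return (body, Content-Encoding) for a cached url, preferring a compressed
        form the client accepts and otherwise falling back to the uncompressed copy,
        which is the on-the-fly decompression case described in the text."""
        variants = self._objects[url]
        accepted = accepted_encodings(accept_encoding)
        for coding in ("gzip", "deflate"):
            if coding in accepted:
                return variants[coding], coding
        return variants["identity"], "identity"


# Constructed sample object: highly repetitive markup compresses well.
SAMPLE_PAGE = b"<html>" + b"<p>branch office status: OK</p>" * 40 + b"</html>"
SAMPLE_PAGE_GZIP = gzip.compress(SAMPLE_PAGE)   # as an origin server might send it
```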

Layered Approach

Slide: Layered approach

WAN optimization techniques complement one another, providing a multi-layered approach to
application acceleration. As you can see in the slide above, the techniques work together to
optimize application delivery to remote locations.
For example, if the object cache contains an outdated copy of a document, the byte caching
capability has patterns and tokens that require only the tokens, plus the changes to be sent. What
little is sent is then compressed, and protocol optimized (reducing bandwidth consumed and
latency/round trips). All of this is prioritized according to the enterprise's preferences, using
bandwidth management, so that the important applications get through first and with the
bandwidth they need.
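As an added illustration of the byte caching described in the previous section and of the layered approach above (written for this page; it is not Blue Coat code, and the chunking rule, token size, wire framing and sample records are this example's own assumptions), two peers learn a shared dictionary from the traffic they exchange, replace repeated chunks with short tokens, and then compress what remains:

```python
import hashlib
import zlib

# Chunking parameters. The page does not say how the ProxySG picks chunk boundaries;
# this example uses content-defined boundaries (an assumption) so that an insertion
# only disturbs the chunks around it, not every chunk after it.
WINDOW = 16            # trailing bytes hashed to decide whether to cut here
MASK = 0x3F            # cut when the low 6 bits are zero: ~64-byte chunks on average
MIN_CHUNK = 32
MAX_CHUNK = 64 * 1024  # the page states that one token stands for up to 64 KB

LITERAL = b"\x00"      # constructed framing: 0x00, 4-byte big-endian length, chunk bytes
TOKEN = b"\x01"        # 0x01, 8-byte token id


def split_chunks(data: bytes) -> list:
    """Split data into content-defined chunks; concatenating them gives data back."""
    chunks, start = [], 0
    for end in range(1, len(data) + 1):
        size = end - start
        cut = (size >= MIN_CHUNK and end >= WINDOW
               and (zlib.crc32(data[end - WINDOW:end]) & MASK) == 0)
        if cut or size >= MAX_CHUNK:
            chunks.append(data[start:end])
            start = end
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def token_id(chunk: bytes) -> bytes:
    # Truncated SHA-256 as the dictionary key. A hit is never verified against the
    # peer, so a collision would silently corrupt the reconstructed stream; a real
    # implementation needs a longer id or an explicit verification step.
    return hashlib.sha256(chunk).digest()[:8]


class BytePeer:
    """One side of an ADN pair. Each peer learns every literal it sends or
    receives, so the two dictionaries stay identical without any extra exchange."""

    def __init__(self):
        # Holds the cleartext of everything that crossed the link: protect it like
        # the traffic itself (disk encryption, restricted administrative access).
        self.dictionary = {}   # token id -> chunk bytes

    def encode(self, data: bytes) -> bytes:
        wire = bytearray()
        for chunk in split_chunks(data):
            tok = token_id(chunk)
            if tok in self.dictionary:
                wire += TOKEN + tok
            else:
                self.dictionary[tok] = chunk
                wire += LITERAL + len(chunk).to_bytes(4, "big") + chunk
        return bytes(wire)

    def decode(self, wire: bytes) -> bytes:
        data, pos = bytearray(), 0
        while pos < len(wire):
            kind, pos = wire[pos:pos + 1], pos + 1
            if kind == TOKEN:
                tok, pos = wire[pos:pos + 8], pos + 8
                if tok not in self.dictionary:
                    raise ValueError("unknown token: peer dictionaries are out of sync")
                data += self.dictionary[tok]
            elif kind == LITERAL:
                n, pos = int.from_bytes(wire[pos:pos + 4], "big"), pos + 4
                chunk, pos = wire[pos:pos + n], pos + n
                if len(chunk) != n:
                    raise ValueError("truncated literal")
                self.dictionary[token_id(chunk)] = chunk
                data += chunk
            else:
                raise ValueError("bad frame type %r" % kind)
        return bytes(data)


def make_sample(changed: bool) -> bytes:
    """Constructed sample document: a 200-record report. The changed version flips
    one status and inserts one record, shifting every byte after the insertion."""
    lines = []
    for i in range(200):
        status = "FAIL" if changed and i == 57 else "OK"
        lines.append(f"record {i:05d} host=branch-{i % 7:02d} "
                     f"status={status} latency={(i * 37) % 113}ms\n")
        if changed and i == 120:
            lines.append("record 00120a host=branch-new status=OK latency=42ms\n")
    return "".join(lines).encode()


def layered_transfer(edge: BytePeer, core: BytePeer, data: bytes) -> dict:
    """Send data from the edge peer to the core peer: byte caching first, then
    compression of what remains, as in the layered approach. Returns the sizes."""
    wire = edge.encode(data)
    on_wire = zlib.compress(wire)
    if core.decode(zlib.decompress(on_wire)) != data:
        raise RuntimeError("reconstruction mismatch")
    return {"raw": len(data), "byte_cached": len(wire), "on_wire": len(on_wire)}
```

Calling layered_transfer twice on the same edge/core pair, first with make_sample(False) and then with make_sample(True), shows the first transfer carrying only literals (slightly larger than the raw document) and the second shrinking to mostly tokens plus the changed chunks.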

SSL Acceleration

Slide: SSL acceleration

SSL traffic is growing rapidly. Until recently, most enterprises were concerned with using SSL to
secure communications between external users and internal applications. With the advent of more
critical applications utilizing Web technologies (such as online financial services, third-party
hosted applications and application components, supply chain applications, and CRM),
SSL-encrypted traffic is becoming a larger portion of traffic between enterprise users and external
application resources.
However, the secured communications enabled by SSL prevent organizations from applying the
same degree of control that they apply to normal, outbound Web traffic. Threats and rogue
applications flow into and out of the enterprise unfettered. The ProxySG has an SSL proxy that
enables customers to apply the same policies to encrypted traffic that they do for unencrypted
traffic, and apply the protection, control, and acceleration provided by the ProxySG to that
traffic as well. This is not simply SSL offload or termination, where IT owns both the application
and the proxy, but rather a gateway, or SSL forward proxy, where applications are outside the
organization (public, outsourced, partner, or internal).
The Blue Coat SSL solution:

Accelerates internal and external SSL-encrypted applications.

Preserves corporate and user privacy policies.

Provides a granular policy over users, applications, and content.

Includes multiple options for handling SSL interactions and the ability to remind and warn
users.

Stops unauthorized applications from clogging port 443 (and the network).

Application Acceleration

Slide: Application acceleration

With ADN technology, the ProxySG delivers substantial acceleration, without sacrificing control
or security. Application acceleration can increase as much as 1,000 times (for streaming audio and
video).
Using ADNs, you can anticipate and address the application problems of tomorrow. Both
applications and networks are evolving at a rapid pace. Whether that evolution brings new
applications or direct connections to the Internet at remote sites, ADN technology accelerates
enterprise applications and limits or eliminates undesirable applications, regardless of changes in
applications and networks.
In a nutshell, the Application Delivery Network is not a point solution; rather, it is a consolidated
approach to a comprehensive solution to the bandwidth optimization and user response time
needs in your enterprise.

Chapter 16: Service and Support

Selecting the right product to ensure safe and productive user communications over the Web is
only the first step. Companies also are looking for ways to maximize their operational efficiencies,
maintain their support costs, and protect their investment. BlueTouch Services is a
comprehensive set of Blue Coat services and support that help security administrators safeguard
their network and maximize their investment while managing costs.
With technical support centers worldwide, Blue Coat's experienced staff is equipped to rapidly
respond to your request. BlueTouch service options and warranty services protect your business in
the event of a hardware failure. Blue Coat's training and professional services organizations are
available to bring administrators quickly up to speed or to provide customized consulting
services.
All BlueTouch service options are designed to protect your business and maintain the flexibility
required to meet your organization's specific logistical and budget needs.
Teamed together, Blue Coat's appliances and service offerings provide the protection and
flexibility required to keep your network up and running.
After studying this chapter, you will understand:

How Blue Coat's support organization provides worldwide technical support, professional
services, and customer care.

What options are available in BlueTouch service.

How to use BlueTouch Online to submit and check service requests, and how service requests
are prioritized.

How to use the Blue Coat Licensing Portal to license ProxySG components.

Other support tools that are available from BlueTouch Online.

Important: The service descriptions in this chapter are summaries only and are subject to
change. For a complete description of Blue Coat service offerings, including
important terms and conditions, contact Blue Coat Systems.

Support Organization

Slide: Blue Coat support organization

Technical support: Software troubleshooting, hardware troubleshooting, RMAs
Professional services: Installations, deployment, upgrades
Customer care: Licensing, renewals, BlueTouch Online logins

Blue Coat provides superior service through a combination of customer care, online support,
technical support, service options, training services, and professional services.

Technical support: Technical support provides troubleshooting of all hardware and software
problems of deployed Blue Coat appliances. Support might require remote access to customer
systems for diagnosis. Support is available online and by telephone 24 hours a day, seven days
a week. While the primary language of our global support centers is English, local language
support varies by region.

Professional services: Blue Coat professional services provide on-site integration consulting
for customers, network environment assessment and improvement recommendations,
architecture design, and project planning. They can be engaged to provide installation and
configuration of Blue Coat appliances, customization of advanced features, and
environment-specific knowledge transfer. Professional services are a billable service not
included in annual support contracts.

Customer care: This team handles licensing issues and login administration of the BlueTouch
Online customer support portal.

Global Support Centers

Slide: Global support center locations

Global support centers are strategically positioned worldwide to provide support for more than
Blue Coat appliances deployed worldwide. Blue Coat global support centers are located in:

Sunnyvale, California, United States

Waterloo, Ontario, Canada

London, United Kingdom

Dubai, United Arab Emirates

Kuala Lumpur, Malaysia

Tokyo, Japan

Your call is automatically routed based on the time of your call and the region of the world you are
calling from.
Also, distribution centers and stocking locations are located around the world so that Blue Coat
can provide fast and reliable hardware delivery in case of hardware failure.

BlueTouch Service Options

Slide: BlueTouch service options

To complement warranty services, Blue Coat offers a comprehensive set of BlueTouch service
options. All service options include:

Unlimited 24x7 telephone support.

Access to BlueTouch Online.

Unlimited access to major, minor, and maintenance releases of Blue Coat operating system
software.

Hardware replacement options including return to factory, same-day shipment, guaranteed
next-business-day arrival, and four-hour replacement.

Optional on-site technician to install replacement hardware at your location (available in
selected packages).

Standard Service
Standard Service packages provide two levels of hardware replacement options. Standard Service
includes a 10-business-day turnaround on returned hardware. Products covered under Standard
Plus Service will have replacement hardware shipped the same day the request is received,
provided that cutoff times are met. Actual hardware delivery time is not guaranteed.

Advanced Service
If you require faster response on your hardware, this package provides guaranteed
next-business-day arrival of replacement hardware, provided that cutoff times are met. An on-site
technician option is available.

Premium Service
Premium Service packages provide the highest level of hardware support. Premium Service
guarantees four-hour replacement hardware during normal business hours, provided that cutoff
times are met. Premium Plus Service extends response time to 24 hours a day, seven days a week.
An on-site technician option is available with both Premium and Premium Plus.

Eligible and Ineligible Products

BlueTouch service options are available for the following Blue Coat products placed on the market
since July 2006:

ProxySG: 200, 210, 510, 810, 8100, 9000 models.

ProxyAV: 210, 510, 810, 1400, 2400 models.

Blue Coat Director: 510, 810 models.

Blue Coat Reporter: Enterprise Edition.

PacketShaper: Appliances sold since August 2008.

IntelligenceCenter

PolicyCenter

Legacy products from Blue Coat placed on the market before July 2006 that are not in the above
list are not eligible for BlueTouch services. They are covered under existing service contracts that
are beyond the scope of this course.

BlueTouch Online

Slide: BlueTouch Online

BlueTouch Online is available to Blue Coat partners and customers with products actively covered
under the one-year warranty or a service contract. Customers with BlueTouch Online have
immediate, personal, and secure online access to Blue Coat information and resources 24 hours a
day, seven days a week. Benefits include:

Access to resources such as an interactive knowledge base, installation notes, technical briefs,
and security advisories.

The ability to create, modify, and update service requests, called SRs.

To get a BlueTouch Online login, go to https://support.bluecoat.com, click Need a login?, and then
follow the instructions given. You will receive a confirmation e-mail that allows you to begin using
BlueTouch Online immediately.
Logins are created only for individuals and not groups. An individual login, however, allows a
user to see all of their company's cases. Creating logins for individuals versus groups allows Blue
Coat to identify who is creating or modifying records for a company, and control who in the
customer's company has access to BlueTouch Online records. Blue Coat deactivates individual
logins when notified that users no longer work for a company or should no longer have access.
In addition to managing service requests, BlueTouch Online has three other main functions that
are available through tabs at the top of the page:

Downloads: Current and previous releases of Blue Coat software are available.

Licensing: Provides access to license-related functions for Blue Coat products.

Documentation: Includes software and hardware documentation for Blue Coat products.

Service Requests

Slide: Service request priorities

Case management process:

Priority 1 (Special cases), opened via telephone technical support:
  Support management discretion

Priority 2 (Highest priority), opened via telephone technical support:
  System restarts
  Instability issues
  Production issues
  Incapacitating RMAs
  Exposed security vulnerabilities
  Customer revenue-impacting issues

Priority 3 (Customer high priority), online submission with BlueTouch Online:
  First reported restart
  URL issues
  Third-party configuration issues
  Not performing as designed

Priority 4 (Customer low priority), online submission with BlueTouch Online:
  Documentation issues
  Non-critical RMAs
  Feature requests (FRs)
  Specific behaviors

Service requests are prioritized according to severity and perceived impact on customer use of
Blue Coat products.

A priority 4, low-priority service request is appropriate in cases such as these: documentation
issues, non-critical Return Material Authorizations (RMAs), feature requests, and questions
about specific behaviors.

A priority 3, medium-priority service request is appropriate in cases such as these: a Blue Coat
product is not performing as advertised, a restart has occurred for the first time on a specific
piece of hardware, one or more URLs cannot be accessed, there are configuration issues with
third-party hardware, or there are performance issues with the Blue Coat equipment.

A priority 2, high-priority service request is appropriate for issues such as frequent
unexpected system restarts, system instability issues, removal of an appliance from
production, incapacitating RMAs, exposed security vulnerabilities, and other issues that
directly affect customer revenue.

A priority 1, urgent priority service request is one that was previously priority 2 but needs
urgent review and feedback. Only Blue Coat technical support management can escalate a
service request to this level.

Priority 3 is the highest level that can be directly assigned by a customer. Service requests of
priority 3 or 4 should be submitted online through BlueTouch Online. Priority 2 and priority 1
requests must be opened directly through telephone contact.

Send Service Information

Slide: Sending service information

Blue Coat recommends that you create a new service request in BlueTouch Online, record the
assigned service request number, and then upload diagnostic information. In an urgent situation,
you can follow through by calling a global support center for immediate assistance.
When submitting a service request, it is important to include any information that might be
helpful in diagnosing the problem. The ProxySG Management Console can be used to send
diagnostic information directly to Blue Coat, where it can be associated with an open service
request and sent to the support engineers working on the service request.
Support engineers have checklists that indicate which items are most likely to be helpful in a
particular situation, and they will request that the customer send the relevant information, such as
packet captures, event logs, Sysinfo files, and snapshots.
In the Management Console, select Maintenance > Service Information > Send Information and click
Send Service Information. Next, type the number of the service request (this number was assigned
when the service request was created), and select the files to be sent. Items that are grayed out are
not available on this ProxySG at the time the request was issued, most likely because they have not
been created.
In this example, the customer has chosen to send a packet capture, event log, Sysinfo file, and
snapshot, all to be associated with service request 2-0000000.
After selecting the information to be sent, click Send to begin uploading the information to Blue
Coat. To view the progress of the upload, click View Progress.

Blue Coat Licensing Portal


Slide: Blue Coat Licensing Portal

Product: Available functions

Content filtering: Activate license
ProxySG: ProxyClient / SSL activation; activate upgrade; licensing page; revert upgrade
ProxyAV: Activate license; antivirus serial number; download license; upgrade cold standby; swap licenses
ProxyRA: Activate license; download license; swap licenses
Blue Coat Reporter: Activate license
PacketShaper: Download license; activate upgrade; revert upgrade
IntelligenceCenter / PolicyCenter: Get license; upgrade; revert upgrade
NetCache: Activate license
Appliance certificate verification: Birth certificate validation

The Blue Coat Licensing Portal provides access to license-related functions for Blue Coat products.
To access the licensing portal from the BlueTouch Online homepage, select Licensing. Then, select
License a Proxy to perform licensing functions for a ProxySG, or select License Others to perform
other licensing functions.
When your organization purchases hardware or software licenses, an e-mail containing activation
codes is sent to the e-mail address your organization specified at purchase time. To activate
licenses, you need to have the codes from that e-mail, as shown in this example:

Other license-related functions at the Blue Coat Licensing Portal include:

Content filtering: This feature of the ProxySG requires a separate license. To enable it, select
this option and type the activation code.

ProxySG: Four functions are available: SSL license activation, ProxySG upgrade, ProxySG
licensing, and the ability to revert to a previous upgrade.

ProxyAV: Five functions are available: license activation for systems at version 3.1 or later,
license activation for systems older than version 3.1, downloading anti-virus license for
systems at version 3.1 or later, upgrading a cold-standby appliance, and swapping a version
3.1 or later license from one appliance to another.

ProxyRA: Three functions are available: activate, download, and swap licenses.

Blue Coat Reporter: To enable this application, select this option and type the activation code.

PacketShaper: Three functions are available: download a license, upgrade, and revert
upgrade.

IntelligenceCenter / PolicyCenter: Three functions are available: get a license, upgrade, and
revert upgrade.

NetCache: To activate licenses for legacy NetCache equipment, select this option and type the
activation code.

Appliance certificate verification: Enter your hardware serial number to determine whether
that ProxySG supports Blue Coat appliance certificates.


Chapter 16: Service and Support

Other Support Tools


BlueTouch Online is a comprehensive online offering. In addition to licensing and managing
service issues, these functions are available:

Knowledge base: You can type questions about Blue Coat products in natural language and
get immediate answers from a large, frequently updated database of support information.

Discussion forums: The Blue Coat discussion forums at http://forums.bluecoat.com are a
useful, unfiltered way for customers to exchange tips and tricks. It is not uncommon to have
your forum question answered by a Blue Coat support engineer or developer. The main
drawbacks to the forum are that there is no guaranteed response time for questions, and
responses are voluntary.

Security advisories: Documents potential security issues and their impact on Blue Coat
products including public reporting of security vulnerability information.

Technical briefs: Illustrate the features and capabilities of Blue Coat products, providing
baseline configurations for common deployment scenarios.

Field alerts: Provide information on critical product and software issues.

Also, always read the release notes for each version of the Blue Coat product that you are
installing. The release notes contain useful information and known issues and might answer your
questions more quickly than by contacting technical support.


Appendix A: Deployment Planning

Planning and designing the most efficient deployment is the most important decision you have to
make, second only to the one of actually buying the Blue Coat ProxySG.
The ProxySG is engineered to offer the maximum flexibility of deployment; you can scale from
small to extremely large environments, and you can build fault tolerance and redundancy.

The Deployment Question


You may be new to the use of proxy servers; however, even if you are not, it is important that you
review the many ways in which the ProxySG can be deployed. Your network is already designed
to send all outbound traffic along a specific path. Now you need to direct to the ProxySG all the
traffic that you want it to manage.

Figure A-1: The deployment dilemma

You may have a very complex network, but it can always be logically reduced to the simple
diagram shown in Figure A-1. All of the solutions to route selected traffic from your clients to the
ProxySG can be grouped into two main categories: transparent and explicit.

Firewall Best Practice


Regardless of how you decide to direct client traffic to the proxy, you should modify the firewall
configuration in order to enforce the use of the proxy.
Typically, a firewall allows outbound traffic from the clients to the Internet. More restrictive
policies may only allow HTTP and HTTPS traffic from the clients to the Internet. In either case,
you should now block direct client access for the traffic that you want to go through the proxy.
For instance, if you want to proxy HTTP and HTTPS, you should block the clients from directly
accessing outside resources over these protocols. Only the ProxySG should be allowed through
the firewall.
This configuration lets you enforce the use of the proxy by all clients, regardless of the
deployment strategy that you implement; it also deters even the most advanced users
from bypassing the proxy.

Explicit Proxy
Creating an explicit proxy is conceptually the easiest solution and in general does not require any
additional software or hardware. A simple packet capture can show you if a client is using explicit
proxy. You can refer to the HTTP chapter of this book for more details. A client using explicit
proxy formats GET requests to support the proxy.

Manual Configuration
Every client is configured to forward all traffic to the ProxySG. For instance, you can easily set
your browser to send all HTTP requests to a proxy server. In Figure A-2 below, you can see how
the configuration screen looks for a Firefox client.

Figure A-2: Firefox proxy configuration

The client now sends all HTTP requests to the proxy with IP address 172.16.90.22 over port 8080.
You can see how this method is fairly straightforward; however, it is impractical for any
organization but the smallest. This method requires a lot of administrator time and, unless it is
paired with good firewall rules, can be easily bypassed. Manual configuration can still be useful
for testing and debugging purposes.

Proxy Auto-Configuration (PAC) File


The Proxy Auto-Configuration (PAC) file is used to distribute to the browser the proxy
configuration information from a remote JavaScript file rather than from static information
entered directly. It is even possible to specify which proxies each user can access. You can use a
PAC file to create a very basic fault-tolerant and load-balanced environment. In this example, you
can configure four ProxySG appliances (sg01 to sg04) as follows: One handles all .com requests,
one handles all .net requests, one handles all other domains, and the last one is a hot standby for
the other three. If any of the three main proxies go down, the fourth will take over. The table below
shows the role of each proxy.
Table A-1: Proxy Purpose

Proxy Name    Domain
sg01          .com domain
sg02          .net domain
sg03          all other domains
sg04          hot standby


In particular, the local sites (inside the network) are accessed by the clients directly. The proxy
servers communicate with the clients over port 8080. This is the JavaScript necessary to achieve
the results described above:

function FindProxyForURL(url, host)
{
    // Plain host names and the internal domain are reached directly, without a proxy.
    if (isPlainHostName(host) || dnsDomainIs(host, ".mydomain.com"))
        return "DIRECT";
    // .com requests go to sg01; sg04 is tried only if sg01 is unreachable.
    else if (shExpMatch(host, "*.com"))
        return "PROXY sg01:8080; PROXY sg04:8080";
    // .net requests go to sg02, with sg04 as the hot standby.
    else if (shExpMatch(host, "*.net"))
        return "PROXY sg02:8080; PROXY sg04:8080";
    // Everything else goes to sg03, again with sg04 as the hot standby.
    else
        return "PROXY sg03:8080; PROXY sg04:8080";
}
The PAC file can reside on a shared resource. One of the main advantages of the PAC file is that it
allows you to make changes to your proxy configuration without having to reconfigure each
client.
Note:

You should save the JavaScript function to a file with a .pac filename extension; for
example, proxy.pac. You should also configure your server to map the .pac filename
extension to the MIME type: application/x-ns-proxy-autoconfig.
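As an added example (not from the course), the following stand-alone script implements the three PAC helper functions that the course's FindProxyForURL relies on (these are this example's own approximations of what browsers provide, an assumption) and runs several constructed URLs through the course's PAC logic, so the routing and the sg04 hot-standby order can be checked outside a browser.

```javascript
// Added example, not from the course text. The helper functions below are
// approximations of the browser-provided PAC helpers (assumption of this example).

// isPlainHostName: true when the host contains no dots (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// dnsDomainIs: true when the host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length) === domain;
}

// shExpMatch: shell-style glob match; "*" matches any run, "?" one character.
function shExpMatch(str, pattern) {
  const re = new RegExp("^" + pattern.split("").map(c =>
    c === "*" ? ".*" : c === "?" ? "." : c.replace(/[.+^${}()|[\]\\]/g, "\\$&")
  ).join("") + "$");
  return re.test(str);
}

// The course's PAC logic, unchanged.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".mydomain.com"))
    return "DIRECT";
  else if (shExpMatch(host, "*.com"))
    return "PROXY sg01:8080; PROXY sg04:8080";
  else if (shExpMatch(host, "*.net"))
    return "PROXY sg02:8080; PROXY sg04:8080";
  else
    return "PROXY sg03:8080; PROXY sg04:8080";
}

// Parse a PAC result string into an ordered list of {type, host, port} so the
// fail-over order (primary first, then the hot standby sg04) is explicit.
function parseProxyResult(result) {
  return result.split(";").map(s => s.trim()).filter(Boolean).map(entry => {
    const [type, hostPort] = entry.split(/\s+/);
    if (type === "DIRECT") return { type };
    const [host, port] = hostPort.split(":");
    return { type, host, port: Number(port) };
  });
}

// Constructed sample URLs, one per branch of the PAC file.
const SAMPLE_URLS = [
  "http://intranet/",
  "http://wiki.mydomain.com/page",
  "http://www.example.com/",
  "http://www.example.net/",
  "http://www.example.org/",
];

function hostOf(url) {
  return new URL(url).hostname;
}

// Route every sample URL and return the decisions.
function routeAll(urls) {
  return urls.map(u => ({ url: u, route: FindProxyForURL(u, hostOf(u)) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of routeAll(SAMPLE_URLS)) console.log(r.url, "->", r.route);
}
```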

Each client needs to know where the PAC file is located. Figure A-3 below shows a Firefox client
configuration for a PAC file.

Figure A-3: PAC configuration for Firefox

Web Proxy Auto-Discovery (WPAD)


Microsoft Internet Explorer version 5 (and later) supports Web Proxy Auto-Discovery (WPAD).
This solution is designed to enable the browser to automatically detect proxy settings without user
or administrator intervention. WPAD works by prepending wpad to the system's fully qualified
domain name and progressively removing subdomains until it finds a WPAD server. For instance,
a client in the clients.bluecoat.com domain will query wpad.clients.bluecoat.com and then
wpad.bluecoat.com. This approach can be open to vulnerabilities because a higher-level domain
reached during the search (here, the third-level domain) may not be one that your organization controls or trusts.
This solution requires a DNS change and possibly a dedicated server.


Figure A-4: Internet Explorer automatic proxy settings

Figure A-4 above shows how the configuration for Internet Explorer looks when there is a WPAD
server.

Active Directory Policy


If you are running any of the operating systems listed below, you can configure the clients' proxy
settings automatically via Active Directory Group Policy.

Windows 2000 Professional and Server

Windows XP Professional

Windows 2003 Server

Note:

Windows 9x/Me and Windows XP Home Edition are not supported.

Furthermore, each client must be part of the Active Directory forest. This configuration can be
used in conjunction with PAC files. You can use Active Directory not only to distribute a specific
server configuration but a more generic PAC file.

Figure A-5: Active Directory policy proxy configuration

This solution will become more feasible as more companies roll out Active Directory for the entire
organization and stop using operating systems that are not supported.


Issues with Explicit Proxy


Based on the information provided above, you can see how relying on explicit proxy raises several
potential issues. The main advantage is reduced cost, which may not be significant.
Unless you implement more restrictive firewall policies, any advanced user can bypass the proxy
setting that you are trying to enforce. Even group policy can be bypassed by using a browser other
than Internet Explorer.
A user can take advantage of WPAD to open security gaps; however, the possibility is remote
because it requires advanced skills.

Transparent Proxy
You can think of transparent proxy as exactly the opposite of explicit proxy. The goal of setting up
transparent proxy is to redirect all of the desired traffic to the ProxySG without the client's
knowledge or consent. Regardless of the solution that you choose for explicit proxy, the client's
user agent knows that it is sending the connection requests to a proxy server. However, in a
transparent proxy scenario, the client's user agent believes that it is talking to the remote server
directly, without intermediaries.
In essence, transparent proxy is more complex, as a technology, than explicit proxy but it is also
more efficient, scalable, and robust. Unfortunately, it is also, in general, more expensive and can be
more complex to set up.

Layer 4 Switches
Switching technology has evolved from the Data Link Layer to cover up to the Application Layer.
In general, most Layer 4 switches are capable of handling up to Layer 7 and down to Layer 2.

Figure A-6: ProxySG with Layer 4 switch

If you compare Figure A-6 with Figure A-1, you can notice where the Layer 4 switch needs to be
installed. It needs to be in a position to inspect all outbound traffic. The traffic that you want to
proxy is redirected by the switch to the ProxySG; all other traffic is passed to the firewall (or other
destinations).
Most Layer 4 switches offer a very useful set of added functions, such as:

Advanced load balancing:
    Most available
    Round-robin
    Least CPU utilization
    URL hashing

Advanced fault tolerance and redundancy

The only major obstacle to the deployment and implementation of Layer 4 switches is cost; in the
United States, such devices can cost up to tens of thousands of dollars.
Traffic routing decisions can be based on several parameters, such as destination address,
protocol, port, source address, or a combination of these.
A Layer 4 switch can also change the way a particular request looks; for instance, it can change a
direct HTTP GET request to a proxy-style HTTP GET request as shown in Figure A-7 below.

Figure A-7: HTTP request transformation

You can see that the client user agent is not aware that the connection will go via proxy server. The
ability of a Layer 4 switch (also known as a content switch) to change HTTP requests allows it to
be compatible with any proxy and not just the more advanced ones like the ProxySG.

Web Cache Communication Protocol


You can configure a ProxySG in a Web Cache Communication Protocol (WCCP) deployment when
a WCCP-capable router collaborates with a set of WCCP-configured ProxySG appliances to
service requests.
WCCP is a Cisco-developed protocol that allows you to establish redirection of the traffic that
flows through routers.
The main benefits of using WCCP are:

Scalability: With no reconfiguration overhead, redirected traffic can be automatically
distributed to up to 32 ProxySG appliances.

Redirection safeguards: If no ProxySG appliances are available, redirection stops and the
router forwards traffic to the original destination address.

WCCP version 2 is supported by the ProxySG. The active WCCP protocol set up in the ProxySG
configuration must match the version running on the WCCP router. For Cisco routers using
WCCP version 2, minimum IOS releases are 12.0(3)T and 12.0(4).

WCCP and Transparent Redirection


A WCCP-capable router operates in conjunction with the ProxySG appliances to transparently
redirect traffic to a set of caches that participate in the specified WCCP protocol. IP packets are
redirected based on fields within each packet.
Load balancing is achieved through a redirection hash table to determine which ProxySG will
receive the redirected packet.
WCCP version 2 multicasting allows caches and routers to discover each other through a common
multicast service group and matching passwords. In addition, up to 32 WCCP-capable routers can
transparently redirect traffic to a set of up to 32 ProxySG appliances. Version 2 WCCP-capable
routers are capable of redirecting IP traffic to a set of ProxySG appliances based on various fields
within those packets.
WCCP version 2 allows routers and caches to participate in multiple, simultaneous service
groups. Routers can transparently redirect IP packets based on their formats. For example, one
service group could redirect HTTP traffic and another could redirect FTP traffic.
Note:

Blue Coat recommends that WCCP-compliant caches from different vendors be kept
separate and that only one vendor's routers be used in a service group.

One of the caches participating in the WCCP service group is automatically elected to configure
the home router's redirection tables. This way, caches can be transparently added to and removed
from the WCCP service group without requiring operator intervention. WCCP version 2 supports
multiple service groups.

ProxySG in Bridging Mode


The ProxySG can be configured to bridge two sides of an IP network. This solution allows you to
create a transparent proxy environment. This solution is not recommended for medium or large
networks (more than 50 hosts).

Figure A-8: ProxySG in bridging mode

In the configuration shown in Figure A-8 above, the ProxySG receives all outbound traffic and can
inspect it. If the traffic matches any of the criteria set forth by the administrators, the ProxySG
further inspects the traffic and can apply any desired rule or action (allow, block, redirect, cache,
and so on).


The ProxySG becomes a single point of failure for the network, and it is susceptible to overload or
congestion if there are too many nodes attached to that network. That is because the ProxySG is
now processing and forwarding all the packets, not just those that match given policies.


Appendix B: Introduction to IPv6

Internet Protocol version 4 (IPv4), specified in 1980 and 1981, was the first widely deployed
version of the protocol that is used for communicating across a packet-switched internetwork.
IPv4 uses a 32-bit address space, which allows a theoretical limit of about 4.3 billion addresses.
(Many of these addresses are reserved, so the actual limit is somewhat less.)
With the rapid growth in the number of Internet-connected devices, the IPv4 address space has
become insufficient. Even with the use of techniques such as network address translation (NAT),
the IPv4 address space is expected to be exhausted in the early 2010s.
This situation led to the development of Internet Protocol version 6 (IPv6), which has a 128-bit
address space. This leads to a theoretical limit of about 2^128 (or about 3.4 x 10^38) addresses, which
is expected to provide an endless supply of addresses. In theory, IPv6 allows each person on the
planet to have their own network that is as large as the current Internet.
IPv6 was first specified in 1996, but its deployment continues to be limited, although the pace of
deployment is accelerating due to the impending exhaustion of available IPv4 addresses.
Managing the conversion from IPv4 to IPv6 poses challenges for IT organizations, especially
because existing IPv4 devices and applications must continue to function during the conversion.
All major computer operating systems now support IPv6. Beginning with version 5.5 of the
SGOS operating system, the Blue Coat ProxySG supports IPv6 in secure Web gateway
deployments, and introduction of additional IPv6 capabilities is planned for future releases.

IPv6 Addressing
An IPv6 address consists of eight 16-bit fields, each of which is expressed as a hexadecimal string,
such as this:

fe80:0000:0000:0000:02d0:83ff:fe04:eb0a
Within each field, leading zeros can be omitted:

fe80:0:0:0:2d0:83ff:fe04:eb0a
And one series of consecutive zero fields can be replaced by a double colon (::), at most once per address:

fe80::2d0:83ff:fe04:eb0a
Some special addresses are reserved:

Loopback address: 0:0:0:0:0:0:0:1 or ::1

Unspecified address: 0:0:0:0:0:0:0:0 or ::

When entered in a Web browser, an IPv6 address is enclosed in square brackets:

http://[fe80::2d0:83ff:fe04:eb0a]/index.html

IPv6 Address Scopes


The IPv6 address structure is similar to that of IPv4, containing a subnet prefix and interface
identifier. The following figure shows the main components of an IPv6 address:


However, IPv6 addresses are much more structured than those in IPv4. The top bits of an IPv6
address determine its scope:

Multicast: A device sends a single packet to multiple destinations.

Link-local unicast: This is similar to automatic configuration in IPv4. A device is connected to
the Internet, and it generates an address and starts communicating with all nodes on the same
physical network segment.

Site-local unicast: This address is allowed to communicate with all nodes in an organization,
but it cannot be used to communicate outside the organization boundary. This address type
has been deprecated and should not be in wide use; link-local addresses can be used to
achieve the same functionality.

Global scope unicast: This address can communicate with anyone.

In IPv6, addresses must have the same scope in order to communicate with each other. (For
example, a link-local address cannot communicate with a global scope address.) When an IPv6
device connects to the network, it has to join all of these groups in order for IPv6 to function
properly.
For routing, a global scope unicast address can have a global prefix:

IPv6 Packet Header


The following diagram shows the format of IPv4 and IPv6 packet headers:


With only eight fields plus options and a fixed length of 40 bytes, the IPv6 header is considerably
simpler than the IPv4 header. Fields in the IPv6 header include:

Version: The version of Internet Protocol (in this case, always 6).

Traffic class: Packet priority.

Flow label: Intended for quality of service management, but currently not used in most
implementations due to a lack of standardization.

Payload length: Size of the payload in octets.

Next header: Specifies up to six extension headers, which then follow the IPv6 header in
distinct order: hop by hop options header, routing header, fragment header, destination
options header, authentication header, and encapsulated security payload.

Hop limit: Similar to the time-to-live field of the IPv4 header.

Source address and destination address: 128-bit IPv6-style addresses.

IPv6 Support on the ProxySG


SGOS version 5.5 supports the use of IPv6 addresses with many of the Blue Coat secure Web
gateway protocol proxies and features including HTTP, HTTPS, SSL, DNS, TCP-Tunnel, Telnet,
advanced forwarding, active sessions, and the FTP application layer.
For these protocols, the ProxySG Management Console, the Blue Coat Sky management interface,
the command line interface, the Visual Policy Manager, and Content Policy Language allow the
use of IPv6 addresses.
Because the Web Cache Communication Protocol (WCCP) does not support IPv6, WCCP-related
commands and configuration screens on the ProxySG do not allow IPv6 addresses.


Appendix C: Conditional Probability

Modern content-filtering technology, as well as spam e-mail detection, relies on some fundamental
theorems of statistical analysis. This section discusses, at a very high level, Bayes' Theorem.
This section assumes that you are familiar with some basic principles of statistics.
You can determine the probability of a future event based on knowledge that a different event
already occurred. We can apply this theory to content filtering. Suppose that you want your
system to recognize new and uncategorized text documents (past events), based on the probability
of certain events (prior probabilities). For example, you want the device to recognize when a page
contains Adult/Mature content.
The device cannot determine that a text page contains a certain type of content without having
some point of reference. No computer can ever know with certainty that a page contains Adult/Mature
content; however, it is possible for the computer to determine the probability that a page contains
Adult/Mature content by comparing that probability to the probability that it contains some
other type of content (for example, News/Media content).

Bayes' Theorem
Let us consider a set of mutually exclusive events {A1, A2, A3...AN} and define, using P(Ai), the
probability of the event Ai happening. We can perform an experiment, referred to as event B, to
determine how the probability changes. We want to calculate the probability of the event Ai,
conditional to the event B, which we will call P(Ai|B). In essence, we want to determine the
probability that event Ai is going to happen, knowing that event B has happened. For example, if
you have a bag with six balls, three red and three blue, you want to determine the probability of
extracting a blue ball (P(Ai)), knowing that you just picked up from the bag a red one (P(B)).
We can determine, through a controlled experiment, both the probability of event B, which we will
call P(B), and the probability of event B happening conditional to the generic event Ai, for each
value of i.
Recall the theorem of total probability, as shown in formula (a) below:

(a)

$P(B) = \sum_{i=1}^{N} P(A_i)\,P(B \mid A_i)$

Formula (a) states that the probability of an event is the sum of the probabilities of the joint
events, that is, of each way in which B can occur together with one of the A_i. To better
understand formula (a), we can use a real-life example. In the state of California, the registered
voters are divided according to the table below:
Table B-1: Registered voters in California (a)

Democrats      43 percent    P(D)=0.43
Republicans    34 percent    P(R)=0.34
Other          23 percent    P(O)=0.23

a. Data from State of California Registrar of Voters (April 2006)


If you know that 60 percent of the registered Democrats, 20 percent of the registered Republicans,
and 90 percent of the others favor a new bill, what is the probability that the new bill will pass?
The probability that the new bill will pass is P(B), the probability that a person belongs to a certain
party is P(Ai), and the probability that a person will vote a certain way is P(B|Ai). Using the
numbers above, we determine that the probability that the bill will pass is:
(b)

$P(B) = (0.43 \times 0.60) + (0.34 \times 0.20) + (0.23 \times 0.90) = 0.53$

Formula (b) tells us that the bill can pass, but only by a narrow margin.
The next step is to try to determine the probability of the event P(Ai|B). This probability can be
expressed using formula (c) below:

(c)

$P(A_i \mid B) = \dfrac{P(A_i)\,P(B \mid A_i)}{P(B)}$

If you substitute the value of P(B) from formula (a) into formula (c), you obtain Bayes'
Theorem, shown below in formula (d):

(d)

$P(A_i \mid B) = \dfrac{P(A_i)\,P(B \mid A_i)}{\sum_{i=1}^{N} P(A_i)\,P(B \mid A_i)}$

Using the example of the voters in California, formula (d) allows us to calculate, knowing that the
bill was approved, the probability that a person who voted for the bill belongs to a given party. Applying the
numbers listed above and the result of formula (b) to formula (d), we obtain:

(e)

$P(D \mid B) = (0.43 \times 0.60) / 0.53 = 0.48$

So, knowing that the bill passed, the probability that a voter was a Democrat is 48 percent.
Bayes' Theorem allowed us to reverse the probability. We started knowing that a certain
percentage of registered voters would vote a certain way. Knowing that the bill was approved, we
determined the probability that a voter belonged to a certain party.

Application to Content Filtering


The concept discussed in the previous section can be applied to content categorization. To teach a
system how to differentiate between the different categories, you need to provide it with a solid
foundation. You need to have good documents that the system can use to learn how to recognize
different categories.
You define the categories as the mutually exclusive events {A1, A2, A3...AN}. For example, you can
say that A1 is Adult/Mature, A2 is Pornography, and so on.
You can define the appearance of a word as event B; for instance, P(B) could be the probability of
finding the word sex. So you can say:

P(A2)= Probability of a site being Pornography

P(B|A2)= Probability of the word sex appearing in Pornography pages

P(B)= Probability of finding the word sex

P(A2|B)= Probability of a site being Pornography when the word sex is found in it


Using the preceding definitions, you obtain the following formula:

$P(\text{Pornography} \mid \text{Sex}) = \dfrac{P(\text{Pornography})\,P(\text{Sex} \mid \text{Pornography})}{P(\text{Sex})}$

Obviously, you cannot create these formulas manually. You need to create a tool that can
automatically calculate all of the different probabilities; ultimately, this will provide you with an
accurate P(B|A2). To achieve this result, you must submit a series of documents belonging to
known categories to the automatic tool. For example, submit 1,000 Pornography pages, 1,000
News/Media pages, and so on. The system processes the content of the pages and, by calculating
the multiple probabilities for the different events, learns how to recognize new pages that it has
not seen before.
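As an added example (not from the course), the following code implements total probability (formula (a)) and Bayes' Theorem (formula (d)) as generic functions, checks them against the California voter numbers of the previous section, and then applies the same two functions to the word/category definitions above. The training table is constructed for illustration, and taking a category's prior as its share of the training pages is an assumption of this example.

```javascript
// Added example, not from the course text.

// Formula (a): P(B) = sum over i of P(A_i) * P(B | A_i).
// priors: {name: P(A_i)}, likelihoods: {name: P(B | A_i)}.
function totalProbability(priors, likelihoods) {
  let pB = 0;
  for (const name of Object.keys(priors)) {
    if (!(name in likelihoods)) throw new Error("missing P(B|" + name + ")");
    pB += priors[name] * likelihoods[name];
  }
  return pB;
}

// Formula (d): the posterior P(A_i | B) for every i, given priors and likelihoods.
function bayesPosteriors(priors, likelihoods) {
  const pB = totalProbability(priors, likelihoods);
  if (pB === 0) throw new Error("P(B) is zero; the posterior is undefined");
  const posteriors = {};
  for (const name of Object.keys(priors)) {
    posteriors[name] = (priors[name] * likelihoods[name]) / pB;
  }
  return posteriors;
}

// --- Voter example from the course: Table B-1 and the 60/20/90 percent figures.
const VOTER_PRIORS = { Democrats: 0.43, Republicans: 0.34, Other: 0.23 };
const VOTER_FAVOR  = { Democrats: 0.60, Republicans: 0.20, Other: 0.90 };

function billPassProbability() {          // formula (b)
  return totalProbability(VOTER_PRIORS, VOTER_FAVOR);
}

function partyGivenPassed() {             // formula (e), for every party at once
  return bayesPosteriors(VOTER_PRIORS, VOTER_FAVOR);
}

// --- Content-categorization example. Constructed training set (not real data):
// how many of the sample pages in each category contain the word "sex".
const TRAINING = {                   // { category: { pages, pagesWithWord } }
  Pornography:  { pages: 1000, pagesWithWord: 820 },
  "News/Media": { pages: 1000, pagesWithWord: 60 },
  Travel:       { pages: 1000, pagesWithWord: 15 },
};

// P(A_i | B) for each category, where B is "the word appears on the page".
// Assumption: a category's prior is its share of the training pages.
function categoryPosteriorsForWord(training) {
  const total = Object.values(training).reduce((s, t) => s + t.pages, 0);
  const priors = {}, likelihoods = {};
  for (const [cat, t] of Object.entries(training)) {
    priors[cat] = t.pages / total;                 // P(A_i)
    likelihoods[cat] = t.pagesWithWord / t.pages;  // P(B | A_i)
  }
  return bayesPosteriors(priors, likelihoods);     // P(A_i | B)
}
```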
It is important to consider other parameters any time you do any statistical analysis. You need to
evaluate the accuracy of your estimators and the coverage. The accuracy is determined as a
percentage of correct results. For instance, if we process 100 sites that we estimated to be
categorized as Pornography, how many were really porn sites? The coverage determines the miss
rate of the tool: in a pool of X sites known to belong in the Pornography category, how many did
the tool catch?
Unfortunately, you cannot achieve 100 percent success in both accuracy and coverage; you can
achieve 100 percent in one or the other. However, if 100 percent accuracy is achieved, coverage
will suffer tremendously, and vice versa. The goal is to find a sweet spot where accuracy is
sufficient and the coverage is still good. Blue Coat WebFilter aims at 85-90 percent accuracy.
Blue Coat's dynamic categorization technology uses a two-step approach. The first step is to
recognize the language of the Web site. This is important because the same word may exist in
more than one language but have different meanings in the different languages. For instance, the
word burro has the same spelling in both Italian and Spanish; however, it means butter in Italian
and donkey in Spanish! The system needs to correctly determine the language before it can apply
any statistical analysis on the words.
You can see an example in Figure B-1 from the site http://www.jal.co.jp:

Figure B-1: Words reservation and month

The word (reservation) represents sites in Japanese with a probability of 0.00052, while the
word (month) represents Japanese sites with a probability of 0.00236. The products of the
probability of each language token and the number of its occurrences are grouped and summed by
language. The language that has the highest weight becomes the assumed language for that Web
site.


Dynamic categorization adopts the same approach for the categorization of a Web site. The result
that dynamic categorization produces for the site http://www.jal.co.jp is shown in Figure B-2:

Figure B-2: Terms hotel, time table, and reservation

There are three tokens that refer to the Travel category and one that refers to the Political/Activist
Groups category:

(hotel) = Travel

(time table) = Travel

(reservation) = Travel

(city) = Political/Activist Groups

The total weight associated with the Travel category is 0.00253 (this is NOT a probability!), while
the weight associated with Political/Activist Groups category is only 0.000809. Therefore, the site
is assumed to be a travel site in Japanese.1

1. There are actually many more tokens used for both language and category; this appendix only shows a
few relevant ones as an example.
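As an added example (not from the course), the following code implements the token-weight scoring described above for both the language step and the category step: each token's per-label probability is multiplied by its occurrence count, the products are summed per label, and the label with the highest weight wins (the weights, as the course notes, are not probabilities). The two Japanese token probabilities are the course's values; all other tokens, labels and occurrence counts are constructed.

```javascript
// Added example, not from the course text.

// Token tables: token -> { label: probability }. A token absent from the table
// contributes no weight, exactly like a word the system has never seen.
const LANGUAGE_TOKENS = {
  "reservation(ja)": { Japanese: 0.00052 },                   // course value
  "month(ja)":       { Japanese: 0.00236 },                   // course value
  "flight":          { English: 0.00080, Japanese: 0.00001 }, // constructed
};

// Same scoring, different table: tokens vote for categories (constructed values).
const CATEGORY_TOKENS = {
  "hotel(ja)":       { Travel: 0.00090 },
  "timetable(ja)":   { Travel: 0.00070 },
  "reservation(ja)": { Travel: 0.00093 },
  "city(ja)":        { "Political/Activist Groups": 0.000809 },
};

// Sum probability * occurrences per label. tokenCounts: token -> occurrences.
function scoreLabels(tokenTable, tokenCounts) {
  const weights = {};
  for (const [token, count] of Object.entries(tokenCounts)) {
    const probs = tokenTable[token];
    if (!probs) continue;                       // unknown token: no weight
    for (const [label, p] of Object.entries(probs)) {
      weights[label] = (weights[label] || 0) + p * count;
    }
  }
  return weights;
}

// Pick the label with the highest weight; null when no token matched
// (on a tie the label seen first is kept).
function classify(tokenTable, tokenCounts) {
  const weights = scoreLabels(tokenTable, tokenCounts);
  let best = null;
  for (const [label, w] of Object.entries(weights)) {
    if (best === null || w > weights[best]) best = label;
  }
  return best === null ? null : { label: best, weight: weights[best], weights };
}

// Constructed sample page: how often each token occurs on it.
const SAMPLE_PAGE = {
  "reservation(ja)": 3, "month(ja)": 1, "flight": 2,
  "hotel(ja)": 1, "timetable(ja)": 1, "city(ja)": 1, "unknown": 5,
};
```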

Your comments, please


Thank you for taking this BlueTouch Training Services course. Your comments on this course are
appreciated and will help Blue Coat improve future versions of this course.

Course: BCCPA
Edition: Student textbook
Version: 3.4.1

Send your comments via postal mail to:
Blue Coat Systems Inc.
BlueTouch Training Services
410 North Mary Avenue
Sunnyvale, California USA 94085
Or you can send comments via e-mail to:
training.books@bluecoat.com
When e-mailing, please include the course name, edition, and version as shown above.

For information on other courses offered by BlueTouch Training Services, go online to:
http://bluecoat.com/support/training
