SG

Volume 7: VPM and Advanced Policy

Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contact.html
[email protected]
http://www.bluecoat.com
For concerns or feedback about the documentation: [email protected]

Copyright© 1999-2007 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®,
Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate
Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document Number: 231-02843
Document Revision: SGOS 5.1.x—03/2007

Contents
Contact Information

Chapter 1: Introduction
Document Conventions....................................................................................................................................11
Chapter 2: Managing Policy Files
Creating and Editing Policy Files....................................................................................................................13
Using the Management Console ..............................................................................................................13
Using the CLI Inline Command ..............................................................................................................16
Unloading Policy Files......................................................................................................................................17
Configuring Policy Options .............................................................................................................................18
Policy File Evaluation ................................................................................................................................18
Transaction Settings: Deny and Allow....................................................................................................19
Policy Tracing .............................................................................................................................................19
Managing the Central Policy File....................................................................................................................20
Configuring Automatic Installation ........................................................................................................20
Configuring a Custom Central Policy File for Automatic Installation...............................................20
Configuring E-mail Notification ..............................................................................................................20
Configuring the Update Interval .............................................................................................................21
Checking for an Updated Central Policy File ........................................................................................21
Resetting the Policy Files...........................................................................................................................21
Moving VPM Policy Files from One ProxySG to Another...................................................................21
Viewing Policy Files..........................................................................................................................................21
Viewing the Installed Policy.....................................................................................................................22
Viewing Policy Source Files......................................................................................................................22
Viewing Policy Statistics ...........................................................................................................................22
Chapter 3: The Visual Policy Manager
Section A: About the Visual Policy Manager
Launching the Visual Policy Manager ...........................................................................................................26
About the Visual Policy Manager User Interface .........................................................................................26
Menu Bar .....................................................................................................................................................27
Tool Bar........................................................................................................................................................28
Policy Layer Tabs .......................................................................................................................................28
Rules and Objects .......................................................................................................................................29
About Code Sharing With the Management Console ..........................................................................29

About VPM Components................................................................................................................................. 30
Policy Layers............................................................................................................................................... 30
Rule Objects ................................................................................................................................................ 31
Policy Layer/Object Matrix...................................................................................................................... 33
The Set Object Dialog ....................................................................................................................................... 33
The Add/Edit Object Dialog ........................................................................................................................... 35
Online Help........................................................................................................................................................ 35
Section B: Policy Layer and Rule Object Reference
About the Reference Tables ............................................................................................................................. 36
Administration Authentication Policy Layer Reference ............................................................................. 36
Administration Access Policy Layer Reference............................................................................................ 37
DNS Access Policy Layer Reference............................................................................................................... 37
SOCKS Authentication Policy Layer Reference ........................................................................................... 38
SSL Intercept Layer Reference......................................................................................................................... 38
SSL Access Layer Reference ............................................................................................................................ 38
Web Authentication Policy Layer Reference ................................................................................................ 39
Web Access Policy Layer Reference ............................................................................................................... 41
Web Content Policy Layer Reference............................................................................................................. 43
Forwarding Policy Layer Reference ............................................................................................................... 44
Section C: Detailed Object Column Reference
Source Column Object Reference.................................................................................................................... 45
Any............................................................................................................................................................... 45
Streaming Client......................................................................................................................................... 45
Client Hostname Unavailable .................................................................................................................. 45
Authenticated User.................................................................................................................................... 45
Client IP Address/Subnet ........................................................................................................................ 45
Client Hostname ........................................................................................................................................ 46
Proxy IP Address/Port ............................................................................................................................. 46
User .............................................................................................................................................................. 46
Group........................................................................................................................................................... 49
Attribute ...................................................................................................................................................... 52
DNS Request Name ................................................................................................................................... 53
RDNS Request IP Address/Subnet......................................................................................................... 53
DNS Request Opcode................................................................................................................................ 53
DNS Request Class .................................................................................................................................... 53
DNS Request Type..................................................................................................................................... 54
DNS Client Transport................................................................................................................................ 54
SOCKS Version........................................................................................................................................... 54
User Agent .................................................................................................................................................. 54
IM User Agent ............................................................................................................................................ 55
Request Header .......................................................................................................................................... 55
Client Certificate ........................................................................................................................................ 56
IM User ........................................................................................................................................................ 56

P2P Client.................................................................................................................................................... 56
Client Negotiated Cipher.......................................................................................................................... 57
Client Negotiated Cipher Strength.......................................................................................................... 57
Client Negotiated SSL Version ................................................................................................................ 57
Client Connection DSCP Trigger............................................................................................................. 57
Combined Source Object........................................................................................................................... 58
Source Column/Policy Layer Matrix...................................................................................................... 59
Destination Column Object Reference ........................................................................................................... 60
Any............................................................................................................................................................... 60
DNS Response Contains No Data ........................................................................................................... 60
Destination IP Address/Subnet............................................................................................................... 60
Destination Host/Port .............................................................................................................................. 60
Request URL ............................................................................................................................................... 60
Request URL Category.............................................................................................................................. 61
Category ...................................................................................................................................................... 63
Server URL.................................................................................................................................................. 63
Server Certificate........................................................................................................................................ 63
Server Certificate Category ...................................................................................................................... 63
Server Negotiated Cipher ......................................................................................................................... 63
Server Negotiated Cipher Strength ......................................................................................................... 63
Server Negotiated SSL Version................................................................................................................ 64
File Extensions............................................................................................................................................ 64
HTTP MIME Types.................................................................................................................................... 64
Apparent Data Type .................................................................................................................................. 64
Response Code ........................................................................................................................................... 65
Response Header ....................................................................................................................................... 65
IM Buddy .................................................................................................................................................... 65
IM Chat Room ............................................................................................................................................ 66
DNS Response IP Address/Subnet......................................................................................................... 66
RDNS Response Host................................................................................................................................ 66
DNS Response CNAME............................................................................................................................ 67
DNS Response Code.................................................................................................................................. 67
Server Connection DSCP Trigger ............................................................................................................ 67
Combined Destination Objects ................................................................................................................ 68
Destination Column/Policy Layer Matrix ............................................................................................. 68
Service Column Object Reference................................................................................................................... 69
Any............................................................................................................................................................... 69
Using HTTP Transparent Authentication .............................................................................................. 69
Virus Detected ............................................................................................................................................ 69
Client Protocol............................................................................................................................................ 69
Service Name.............................................................................................................................................. 70
Protocol Methods ....................................................................................................................................... 70

SSL Proxy Mode ......................................................................................................................................... 71
IM File Transfer.......................................................................................................................................... 71
IM Message Text ........................................................................................................................................ 71
IM Message Reflection .............................................................................................................................. 72
Streaming Content Type ........................................................................................................................... 72
ICAP Error Code ........................................................................................................................................ 73
Combined Service Objects ........................................................................................................................ 74
Service Column/Policy Layer Matrix..................................................................................................... 74
Time Column Object Reference ...................................................................................................................... 74
Any............................................................................................................................................................... 74
Time ............................................................................................................................................................. 74
Combined Time Object ............................................................................................................................. 76
Time Column/Policy Layer Matrix ........................................................................................................ 76
Action Column Object Reference.................................................................................................................... 76
Allow ........................................................................................................................................................... 76
Deny............................................................................................................................................................. 77
Force Deny .................................................................................................................................................. 77
Allow Read-Only Access .......................................................................................................................... 77
Allow Read-Write Access ......................................................................................................................... 77
Do Not Authenticate ................................................................................................................................. 77
Authenticate................................................................................................................................................ 77
Force Authenticate..................................................................................................................................... 79
Bypass Cache .............................................................................................................................................. 80
Do Not Bypass Cache ................................................................................................................................ 80
Bypass DNS Cache..................................................................................................................................... 80
Do Not Bypass DNS Cache ...................................................................................................................... 80
Allow DNS From Upstream Server ........................................................................................................ 80
Serve DNS Only From Cache................................................................................................................... 80
Enable/Disable DNS Imputing ............................................................................................................... 80
Check/Do Not Check Authorization...................................................................................................... 80
Always Verify............................................................................................................................................. 81
Use Default Verification............................................................................................................................ 81
Block/Do Not Block PopUp Ads............................................................................................................. 81
Force/Do Not Force IWA for Server Auth ............................................................................................ 81
Reflect/Do Not Reflect IM Messages...................................................................................................... 81
Block/Do Not Block IM Encryption ....................................................................................................... 82
Require/Do Not Require Client Certificate ........................................................................................... 82
Deny............................................................................................................................................................. 82
Return Exception........................................................................................................................................ 82
Return Redirect .......................................................................................................................................... 83
Set Client Certificate Validation .............................................................................................................. 84
Set Server Certificate Validation.............................................................................................................. 84

Set SSL Forward Proxy.............................................................................................................................. 85
Send IM Alert ............................................................................................................................................. 87
Modify Access Logging ............................................................................................................................ 87
Override Access Log Field........................................................................................................................ 88
Rewrite Host ............................................................................................................................................... 89
Reflect IP...................................................................................................................................................... 89
Suppress Header ........................................................................................................................................ 90
Control Request Header/Control Response Header ........................................................................... 91
Notify User.................................................................................................................................................. 92
Strip Active Content .................................................................................................................................. 95
HTTP Compression Level......................................................................................................................... 97
Set Client HTTP Compression ................................................................................................................. 97
Set Server HTTP Compression................................................................................................................. 98
Manage Bandwidth ................................................................................................................................... 98
ADN Server Optimization........................................................................................................................ 98
Modify IM Message................................................................................................................................... 99
Return ICAP Patience Page ...................................................................................................................... 99
Set Dynamic Categorization................................................................................................................... 100
Set External Filter Service ....................................................................................................................... 100
Set ICAP Request Service ....................................................................................................................... 101
Set ICAP Response Service..................................................................................................................... 102
Set FTP Connection.................................................................................................................................. 102
Set SOCKS Acceleration.......................................................................................................................... 103
Set Streaming Max Bitrate ...................................................................................................................... 103
Set Client Connection DSCP Value ....................................................................................................... 103
Set Server Connection DSCP Value....................................................................................................... 104
Send DNS/RDNS Response Code ........................................................................................................ 104
Send DNS Response ................................................................................................................................ 105
Send Reverse DNS Response ................................................................................................................. 105
Do Not Cache ........................................................................................................................................... 106
Force Cache............................................................................................................................................... 106
Use Default Caching................................................................................................................................ 106
Mark/Do Not Mark As Advertisement ............................................................................................... 106
Enable/Disable Pipelining ..................................................................................................................... 106
Set TTL....................................................................................................................................................... 106
Send Direct................................................................................................................................................ 106
Integrate/Do Not Integrate New Hosts ............................................................................................... 106
Allow Content From Origin Server....................................................................................................... 106
Serve Content Only From Cache ........................................................................................................... 107
Select SOCKS Gateway ........................................................................................................................... 107
Select Forwarding .................................................................................................................................... 107
Server Byte Caching ................................................................................................................................ 107

Set IM Transport ...................................................................................................................................... 107
Set Streaming Transport ......................................................................................................................... 108
Authentication Charset ........................................................................................................................... 108
Combined Action Objects ....................................................................................................................... 108
Action Column/Policy Layer Matrix.................................................................................................... 108
Track Object Column Reference ................................................................................................................... 111
Event Log, E-mail, and SNMP ............................................................................................................... 111
Tracing Objects......................................................................................................................................... 112
Combined Track Object .......................................................................................................................... 113
Track Objects/Policy Layer Matrix ....................................................................................................... 113
Comment Object Reference ........................................................................................................................... 113
Using Combined Objects ............................................................................................................................... 113
Centralized Object Viewing and Managing................................................................................................ 116
Viewing Objects ....................................................................................................................................... 116
Managing Objects .................................................................................................................................... 118
Creating Categories ........................................................................................................................................ 119
Refreshing Policy ..................................................................................................................................... 121
Restricting DNS Lookups .............................................................................................................................. 122
About DNS Lookup Restriction............................................................................................................. 122
Creating the DNS Lookup Restriction List .......................................................................................... 122
Restricting Reverse DNS Lookups ............................................................................................................... 122
About Reverse DNS Lookup Restriction.............................................................................................. 122
Creating the Reverse DNS Lookup Restriction List ........................................................................... 122
Setting the Group Log Order......................................................................................................................... 123
About the Group Log Order .................................................................................................................. 123
Creating the Group Log Order List....................................................................................................... 123
Section D: Managing Policy Layers, Rules, and Files
How Policy Layers, Rules, and Files Interact.............................................................................................. 124
How VPM Layers Relate to CPL Layers............................................................................................... 124
Ordering Rules in a Policy Layer........................................................................................................... 125
Using Policy Layers of the Same Type ................................................................................................. 125
Ordering Policy Layers ........................................................................................................................... 126
Installing Policies ............................................................................................................................................ 127
Managing Policy.............................................................................................................................................. 127
Refreshing Policy ..................................................................................................................................... 127
Reverting to a Previous Policy ............................................................................................................... 128
Changing Policies .................................................................................................................................... 128
Managing Policy Layers.......................................................................................................................... 128
Managing Policy Rules............................................................................................................................ 129
Installing VPM-Created Policy Files ............................................................................................................ 129
Viewing the Policy/Created CPL ................................................................................................................. 131


Section E: Tutorials
Tutorial—Creating a Web Authentication Policy ...................................................................................... 133
Example 1: Create an Authentication Rule .......................................................................................... 133
Example 2: Exempt Specific Users from Authentication ................................................................... 137
Tutorial—Creating a Web Access Policy ..................................................................................................... 140
Example 1: Restrict Access to Specific Websites ................................................................................. 140
Example 2: Allow Specific Users to Access Specific Websites .......................................................... 144
Chapter 4: Advanced Policy Tasks
Section A: Blocking Pop Up Windows
About Pop Up Blocking ................................................................................................................................. 156
Interactivity Notes .......................................................................................................................................... 156
Recommendations........................................................................................................................................... 156
Section B: Stripping or Replacing Active Content
About Active Content..................................................................................................................................... 158
About Active Content Types ......................................................................................................................... 158
Script Tags................................................................................................................................................. 158
JavaScript Entities .................................................................................................................................... 159
JavaScript Strings ..................................................................................................................................... 159
JavaScript Events...................................................................................................................................... 159
Embed Tags .............................................................................................................................................. 159
Object Tags................................................................................................................................................ 160
Section C: Modifying Headers
Section D: Defining Exceptions
Built-in Exceptions .......................................................................................................................................... 162
User-Defined Exceptions ............................................................................................................................... 166
About Exception Definitions ......................................................................................................................... 166
About the Exceptions Hierarchy................................................................................................................... 167
About the Exceptions Installable List........................................................................................................... 168
Creating or Editing Exceptions ..................................................................................................................... 169
Creating and Installing an Exceptions List.................................................................................................. 170
Viewing Exceptions ........................................................................................................................................ 172
Section E: Managing Peer-to-Peer Services
About Peer-to-Peer Communications .......................................................................................................... 174
About The Blue Coat Solution....................................................................................................................... 174
Supported Services .................................................................................................................................. 174
Deployment .............................................................................................................................................. 174
Policy Control .................................................................................................................................................. 175
VPM Support ............................................................................................................................................ 175
CPL Support ............................................................................................................................................. 175
Policy Example ......................................................................................................................................... 176


P2P History Statistics...................................................................................................................................... 176
P2P Clients ................................................................................................................................................ 177
P2P Bytes ................................................................................................................................................... 178
Proxy Authentication ..................................................................................................................................... 179
Access Logging................................................................................................................................................ 179
Section F: Managing QoS and Differential Services
About The Blue Coat Solution....................................................................................................................... 180
About DSCP Values........................................................................................................................................ 180
About QoS Policy Tasks ................................................................................................................................. 182
Testing Incoming QoS ............................................................................................................................. 182
Setting the Outgoing QoS ....................................................................................................................... 182
Policy Components ......................................................................................................................................... 185
VPM Objects ............................................................................................................................................. 185
VPM Example........................................................................................................................................... 185
CPL Components ..................................................................................................................................... 186
Access Logging................................................................................................................................................ 187
Appendix A: Glossary
Index


Chapter 1: Introduction

Creating policy is the core task of implementing Blue Coat SG appliances into the
enterprise. After the basic SG appliance configurations are complete, defined policy is
what controls user activities and implements company authentication and network
resource allocation goals.
The Visual Policy Manager is a user interface that creates underlying Blue Coat Content
Policy Language (CPL). In the VPM, you create policy layers by selecting and
customizing policy objects. This volume discusses the facets of the VPM, including layer
interactions and summary object descriptions. When appropriate, cross references are
provided to other Blue Coat volumes that describe the conceptual information of the
feature. This volume also contains a chapter that discusses some common tasks that are
only achieved through policy, not the Management Console.
This document contains the following chapters:
- Chapter 2: "Managing Policy Files" on page 13
- Chapter 3: "The Visual Policy Manager" on page 25
- Chapter 4: "Advanced Policy Tasks" on page 155

Document Conventions
The following section lists the typographical and Command Line Interface (CLI) syntax
conventions used in this manual.
Table 1-1. Document Conventions

Conventions       Definition
Italics           The first use of a new or Blue Coat-proprietary term.
Courier font      Command line text that appears on your administrator workstation.
Courier Italics   A command line variable that is to be substituted with a literal name
                  or value pertaining to the appropriate facet of your network system.
Courier Boldface  A Blue Coat literal to be entered as shown.
{ }               One of the parameters enclosed within the braces must be supplied.
[ ]               An optional parameter or parameters.
|                 Either the parameter before or after the pipe character can or must be
                  selected, but not both.


Chapter 2: Managing Policy Files

Policy files contain the policies (triggers and actions) that manage every aspect of the
SG appliance, from controlling user authentication and privileges to disabling access
logging or determining the version of SOCKS.
The policy for a given system can contain several files with many layers and rules in
each. Policies can be defined through the Visual Policy Manager (VPM) or composed in
Content Policy Language (CPL). (Some advanced policy features are not available in
VPM and can only be configured through CPL.)
Policies are managed through four files:
- Central policy file—Contains global settings to improve performance and behavior
  and filters for important and emerging viruses (such as Code Red and Nimda).
  This file is usually managed by Blue Coat, although you can point the ProxySG to a
  custom Central policy file instead.
- Forward policy file—Usually used to supplement any policy created in the other
  three policy files. The Forward policy file contains Forwarding rules when the
  system is upgraded from a previous version of SGOS (2.x) or CacheOS (4.x).
- Local policy file—A file you create yourself. When the VPM is not the primary tool
  used to define policy, the Local file contains the majority of the policy rules for a
  system. If the VPM is the primary tool, this file is either empty or includes rules for
  advanced policy features that are not available in VPM.
- Visual Policy Manager—The policy created by the VPM can either supplement or
  override the policies created in the other policy files.

This chapter contains the following sections:
- “Creating and Editing Policy Files” on page 13
- “Managing the Central Policy File” on page 20
- “Viewing Policy Files” on page 21

To learn about writing policies, refer to Volume 11: Blue Coat SG Appliance Content Policy
Language Guide.

Creating and Editing Policy Files
You can create and edit policy files two ways:
- Through the Management Console (recommended).
- Through the CLI inline policy command (not recommended because the policies
  can grow large and using inline policy overwrites any existing policy on the SG
  appliance).

Using the Management Console
You can install the policy files with the following methods:
- Using the SG appliance Text Editor, which allows you to enter directives (or copy
  and paste the contents of an already-created file) directly onto the SG appliance.


Note: Do not use the inline policy command with files created using the
VPM module.

end-of-file-marker—Specifies the string that marks the end of the current
inline command input; eof usually works as a string. The CLI buffers all input
until you enter the marker string.

2. Define the policy rules using CPL (refer to Volume 11: Blue Coat SG Appliance Content
   Policy Language Guide).
   Enter each line and press . To correct mistakes on the current line, use
   . If a mistake has been made in a line that has already been terminated by
   , exit the inline policy command by typing c to prevent the file from
   being saved.
3. Enter the eof marker to save the policies and exit the inline mode.

For more information on the inline command, refer to Volume 12: Blue Coat SG Appliance
Command Line Reference.
To load policy files:
At the (config) command prompt, enter the following commands:
SGOS#(config) policy {forward-path | local-path | central-path} url
SGOS#(config) load policy {forward | local | central}

The SG appliance compiles and installs the new policy. The SG appliance might display a
warning if the new policy causes conflicts. If a syntax error is found, the appliance
displays an error message. For information about these messages, refer to Volume 11: Blue
Coat SG Appliance Content Policy Language Guide. Correct the error, then reload the file.

Unloading Policy Files
To disable policies, perform the following procedure to unload the compiled policy file
from the SG appliance memory. These steps describe how to replace a current policy file
with an empty policy file.
To keep a current policy file, either make a backup copy or rename the file before
unloading it. By renaming the file, you can later reload the original policy file. If you use
multiple policy files, back up or rename files as necessary. Alternatively, rather than use
an empty policy file, you can delete the entire contents of the file, then reload it.
To unload policies:
1. Select Configuration > Policy > Policy Files > Policy Files.
2. Select Text Editor in the Install Local/Forward/Central File from drop-down list and click
   the appropriate Install button. The Edit and Install the Local/Forward/Central Policy
   File appears.
3. Delete the text and click Install.
4. View the results in the results page that opens; close the page.
5. Click Close.


Transaction Settings: Deny and Allow
The default proxy transaction policy is to either deny proxy transactions or to allow proxy
transactions. A default proxy transaction policy of Deny prohibits proxy-type access to the
SG appliance: you must then create policies to explicitly grant access on a case-by-case
basis.
A default proxy transaction policy of Allow permits most proxy transactions; however, if
protocol detection is enabled (the default), HTTP CONNECT transactions are only
allowed if they are tunneling SSL. If protocol detection is disabled, HTTP CONNECT is
only allowed on port 443. If your policy is set to Allow, you must create policies to
explicitly deny access on a case-by-case basis.
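The two postures written out as CPL, as an added example that is not part of this manual: with a default of Allow, the layer must carry explicit DENY rules for the exceptions; with a default of Deny, it must carry explicit ALLOW rules for the access that is granted. The subnets and the domain name are constructed placeholder values.

```cpl
; Added example, not from this manual. Choose ONE posture for an appliance;
; both are shown here only for comparison. 10.1.0.0/16, 10.1.200.0/24 and
; blocked.example are constructed placeholder values.

; ---- Posture A: default proxy policy is Allow ----
; Every proxy transaction succeeds unless a rule denies it, so the
; exceptions are written as explicit DENY rules.
<Proxy>
    ; Block one destination for every client.
    DENY url.domain=blocked.example
    ; Keep a guest subnet off the proxy entirely.
    DENY client.address=10.1.200.0/24

; ---- Posture B: default proxy policy is Deny ----
; Every proxy transaction fails unless a rule allows it, so access is
; granted case by case; anything not matched below stays denied.
<Proxy>
    ; Plain HTTP from one internal subnet.
    ALLOW client.address=10.1.0.0/16 url.scheme=http
    ; CONNECT tunnels from the same subnet, limited to the TLS port, which
    ; is the restriction the text describes for HTTP CONNECT.
    ALLOW client.address=10.1.0.0/16 http.method=CONNECT url.port=443
```

Posture B is the safer starting point on a new deployment because a rule that is forgotten results in blocked access, which users report, rather than in unnoticed exposure.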
Note: The default proxy policy does not apply to admin transactions. By default, admin
transactions are denied unless you log in using console account credentials or if explicit
policy is written to grant read-only or read-write privileges.
The default depends on how you installed SGOS and if it was a new installation or an
upgrade:
- If you installed the SGOS through a browser using the Initial Configuration Web site,
  you chose whether to allow or deny proxied transactions during initial configuration.
- If you installed the SGOS using the front panel or a serial console port, the default
  setting is Deny.
- If you upgraded the SGOS from a previous version, the default remains whatever it
  was for the previous policy.

You can always change the setting—see the procedures below for instructions.
Also keep in mind that:
- Changing the default proxy transaction policy affects the basic environment in which
  the overall policy is evaluated. It is likely that you must revise policies to retain
  expected behavior after such a change.
- Changes to the evaluation order might result in different effective policy, because the
  order of policy evaluation defines general rules and exceptions.
- Changing the default proxy transaction policy does not affect the evaluation of cache
  and admin transactions.

To configure Deny or Allow default proxy policy:
1. Select Configuration > Policy > Policy Options.
2. Under Default Proxy Policy, select either Deny or Allow.
3. Select Apply to commit the changes to the SG appliance.

Policy Tracing
Tracing enabled with the Management Console or CLI is global; that is, it records every
policy-related event in every layer. It should be used only while troubleshooting. For
information on troubleshooting policy, refer to Volume 11: Blue Coat SG Appliance Content
Policy Language Guide. Turning on policy tracing of any kind is expensive in terms of
system resource usage and slows down the SG appliance's ability to handle traffic.

To enable policy tracing:
1. Select Configuration > Policy > Policy Options.
2. Select Trace all policy execution.
3. Click Apply.

Managing the Central Policy File
The Central policy file is updated when needed by Blue Coat. The file can be updated
automatically or you can request e-mail notification. You can also configure the path to
point to your own custom Central policy file.

Configuring Automatic Installation
You can specify whether the SG appliance checks for a new version of the Central policy
file. If a new version exists, the appliance can install it automatically.
Perform the following procedure to configure the SG appliance to check for and install a
new version of the Central policy file.
To configure automatic installation:
1. Select Configuration > Policy > Policy Files > Policy Files.
2. Select Automatically install new Policy when central file changes.
3. Click Apply.

Configuring a Custom Central Policy File for Automatic Installation
If you define your own Central policy file, you can configure the SG appliance to
automatically install any subsequent updated version of the file. To use this capability,
you must change the Central policy file’s first line with each version update. With
automatic installation, the SG appliance checks for a change to the first line of the file. In
defining a custom Central policy file, add an item, such as a comment, to the first line of
the Central policy file that changes with each update. The following is a sample first line,
containing date information that is routinely updated with each version:
; Central policy file MonthDate, Year version

When you update and save the file in the original location, the SG appliance automatically
loads the updated version.

Configuring E-mail Notification
You can specify whether the SG appliance sends e-mail when the Central policy file
changes. The e-mail address used is the same as that used in diagnostic reporting: the
event recipient for the custom heartbeat e-mail. For information about diagnostic
reporting, see “Diagnostic Reporting (Heartbeats)” on page 58.
To configure e-mail notification:
1. Select Configuration > Policy > Policy Files > Policy Files.
2. Select Send me email when central file changes.
3. Click Apply.


Configuring the Update Interval
You can specify how frequently the SG appliance checks for a new version of the Central
policy file. By default, the appliance checks for an updated Central policy file once every
24 hours (1440 minutes). You must use the CLI to configure the update interval. You
cannot configure the update interval through the Management Console.
To configure the update interval:
At the (config) command prompt, enter the following command:
SGOS#(config) policy poll-interval minutes

Checking for an Updated Central Policy File
You can manually check whether the Central policy file has changed. You must use the
CLI. You cannot check for updates through the Management Console.
To check for an updated central file:
At the (config) command prompt, enter the following command:
SGOS#(config) policy poll-now

The SG appliance displays a message indicating whether the Central file has changed.

Resetting the Policy Files
You can clear all the policy files automatically through the CLI.
To clear all policy files:
1. At the (config) command prompt, enter the following command:
   SGOS#(config) policy reset
   WARNING: This will clear local, central, forward and VPM policy. Are
   you sure you want to reset ALL policy files? (y or n)

   The SG appliance displays a warning that you are resetting all of your policy files.
2. Enter y to continue or n to cancel.
Note: This command does not change the default proxy policy settings.

Moving VPM Policy Files from One ProxySG to Another
VPM policy files are specific to the SG appliance where they were created. But just as you
can use the same Central, Local, and Forward policy files on multiple SG appliances, you
can use VPM policies created on one appliance on other appliances.
For detailed information on moving VPM policy files, see “Installing Policies” on page
127.

Viewing Policy Files
You can view either the compiled policy or the source policy files. Use these procedures to
view policies defined in a single policy file (for example, using VPM) or in multiple policy
files (for example, using the Blue Coat Central policy file and VPM).


Viewing the Installed Policy
Use the Management Console or a browser to display installed Central, Local, or Forward
policy files.
Note: You can view VPM policy files through the Visual Policy Files tab.

To view installed policy:
1. Select Configuration > Policy > Policy Files > Policy Files.
2. In the View File drop-down list, select Current Policy to view the installed and running
   policy, as assembled from all policy source files. You can also select Results of Policy
   Load to view any warnings or errors resulting from the last attempt (successful or not)
   to install policy.
3. Click View. The SG appliance opens a separate browser window and displays the
   installed policy file.

To view the currently installed policy through a browser:
1. Enter a URL in one of the following formats:
   - If an HTTPS-Console is configured, use https://SG_ip_address:HTTPSConsole_port/Policy/current (the default port is 8082).
   - If an HTTP-Console is configured, use http://SG_ip_address:HTTPConsole_port/Policy/current (the default port is 8081).
   The SG appliance opens a separate browser window and displays the policy.
2. Review the policy, then close the browser.

Viewing Policy Source Files
You can display source (uncompiled) policy files on the SG appliance.
To view policy source files:
1. Select Configuration > Policy > Policy Files > Policy Files.
2. To view a policy source file, select the file you want to view (Local, Forward, or
   Central) from the View File drop-down list and click View.
   The SG appliance opens a separate browser window and displays the appropriate
   source policy file.

Viewing Policy Statistics
You can view policy statistics on all requests processed by the SG appliance. Use the
Management Console or a browser. You cannot view policy statistics through the CLI.
To review policy statistics:
1. Select Statistics > Advanced.
2. Click the Policy link.
3. Click the Show policy statistics link.
   A separate browser window opens and displays the statistics.
4. Examine the statistics, then close the browser.

To review policy statistics through a browser:
1. Enter a URL in one of the following formats:
   - If an HTTPS-Console is configured, use https://SG_ip_address:HTTPSConsole_port/Policy/statistics (the default port is 8082).
   - If an HTTP-Console is configured, use http://SG_ip_address:HTTPConsole_port/Policy/statistics (the default port is 8081).
   The SG appliance opens a separate browser window and displays the statistics.
2. Examine the statistics, then close the browser.

Related CLI Syntax to Manage Policy Files
SGOS#(config) policy order v l c
SGOS#(config) policy proxy-default {allow | deny}
SGOS# policy trace {all | none}
SGOS#(config) inline policy file end-of-input-marker
SGOS#(config) policy subscribe
SGOS#(config) policy notify:
SGOS#(config) show policy
SGOS#(config) show configuration
-or-
SGOS#(config) show sources policy {central | local | forward | vpm-cpl | vpm-xml}


Chapter 3: The Visual Policy Manager

The Visual Policy Manager (VPM) is a graphical policy editor included with the SG
appliance. The VPM allows you to define Web access and resource control policies
without having an in-depth knowledge of Blue Coat Content Policy Language (CPL)
and without the need to manually edit policy files.
This chapter serves as a VPM object reference, and assumes that you are familiar with
basic concepts of SG appliance policy functionality as described in “Managing Policy
Files” on page 13.
While VPM creates only a subset of everything you can achieve by writing policies
directly in CPL, it is sufficient for most purposes. If your needs require more advanced
policies, consult Volume 11: Blue Coat SG Appliance Content Policy Language Guide.
This chapter contains the following sections:
- Section A: "About the Visual Policy Manager" on page 26
- Section B: "Policy Layer and Rule Object Reference" on page 36
- Section C: "Detailed Object Column Reference" on page 45
- Section D: "Managing Policy Layers, Rules, and Files" on page 124
- Section E: "Tutorials" on page 133

Related topics:
- Chapter 2: "Managing Policy Files"
- Volume 8: Managing Content
- Volume 11: Blue Coat SG Appliance Content Policy Language Guide

Section A: About the Visual Policy Manager
Table 3-1. VPM Menu Bar Items (Continued)

Menu           Item                                   Description
Configuration  Set DNS Lookup Restrictions            Restricts DNS lookups during policy evaluation.
               Set Reverse DNS Lookup Restrictions    Restricts reverse DNS lookups during policy evaluation.
               Set Group Log Order                    Configures the order in which the group information is logged.
               Edit Categories                        Edits content filtering categories.
View           Generated CPL                          Displays the CPL generated by VPM.
               Current SG Appliance VPM Policy Files  Displays the currently stored VPM policy files.
               Object Occurrences                     Lists the user-created object(s) in the selected rule; lists use in
                                                      other rules as well.
               All Objects                            Displays a dialog that lists current static and user-defined VPM
                                                      objects. You can also create, edit, and delete objects. See
                                                      “Centralized Object Viewing and Managing” on page 116.
Help           Tool Tips                              Toggles the tool-tip display on and off.
               Help Topics                            Displays the online help.
               About                                  Displays copyright and version information.

Tool Bar
The VPM Tool Bar contains the following functions:

• Add Rule—Adds a blank rule to the visible policy layer; all values for the rule are the
  defaults.
• Delete Rule—Deletes the selected rule from the visible policy layer.
• Move Up—Moves a rule up one position in the visible policy layer.
• Move Down—Moves a rule down one position in the visible policy layer.
• Install Policy—Converts the policies created in VPM into Blue Coat Content Policy
  Language (CPL) and installs them on the SG appliance.

Policy Layer Tabs
Every policy layer you create from the Policy > Add Layer menu is displayed as a tab. Click
a tab and the rules included in that policy layer display below in the main body of the
pane. Right-clicking a tab displays options to disable or enable, rename, and delete the
policy layer.

For example, the SG appliance has two ICAP response services installed, A and B. In the
Management Console, you remove service B, but do not click Apply. You then start the
VPM and view the ICAP Response Services object. Only service A is viewable and
selectable.
The VPM synchronizes the latest change from the Management Console when the
following occur:

• Clicking Revert.
• Clicking Apply.
• Clicking Policy Install.
• Restarting the Management Console.
• Logging out of and back into the Management Console.

Any information the Management Console acquires from installable lists is immediately
available in the VPM. The following are the lists the VPM obtains from the Management
Console:

• Access Log fields.
• Authentication character sets.
• Authentication realms.
• Bandwidth gain classes.
• Categories.
• Exceptions.
• Forwarding hosts.
• ICAP request and response services.
• Keyrings.
• SOCKS gateways.
• Websense filter services.

About VPM Components
This section describes the specific policy layer types and rule objects.

Policy Layers
The layers are:

• Administration Authentication—Determines how administrators accessing the SG
  appliance must authenticate.
• Administration Access—Determines who can access the SG appliance to perform
  administration tasks.
• DNS Access—Determines how the SG appliance processes DNS requests.
• SOCKS Authentication—Determines the method of authentication for accessing the
  proxy through SOCKS.
• SSL Intercept—Determines whether to tunnel or intercept HTTPS traffic.
• SSL Access—Determines the allow/deny actions for HTTPS traffic.
• Web Authentication—Determines whether user clients that access the proxy or the
  Web must authenticate.
• Web Access—Determines what clients can and cannot access on the Web and specifies
  any restrictions that apply.
• Web Content—Determines caching behavior, such as verification and ICAP
  redirection.
• Forwarding—Determines forwarding hosts and methods.

As you create policy layers, you will create many different layers of the same type. Often,
an overall policy requires layers of different types designed to work together to perform a
task. For example, Authentication and Access layers usually accompany each other; an
Authentication layer determines if a user or client must authenticate, and an Access layer
subsequently determines where that user or client can go (what SG appliance or Web sites
they can access) once they are authenticated.
Each object type is described in “Policy Layer and Rule Object Reference” on page 36.
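As an added illustration (hand-written CPL, not VPM-generated output and not part of the original manual), the following policy expresses an Administration Authentication/Access pair and a Web Authentication/Access pair of the kind described above; the realm name Corp_LDAP, the subnets, the group DNs, the domain names and the category name are assumptions.

```cpl
; Added example: hand-written CPL, not generated by the VPM.
; Corp_LDAP, the subnets, the group DNs, the domains and the category are assumed values.

define subnet Corp_Clients
    10.20.0.0/16
end

; Administration Authentication layer: administrators connecting from the
; management subnet must authenticate against the realm; anyone else is denied.
<Admin>
    client.address=10.20.1.0/24 authenticate(Corp_LDAP)
    deny

; Administration Access layer: only the NetOps group gets read-write access;
; other authenticated administrators are limited to read-only access.
<Admin>
    group="cn=NetOps,ou=Groups,dc=example,dc=com" admin.access=WRITE allow
    admin.access=READ allow
    deny

; Web Authentication layer: decides whether a client must authenticate.
<Proxy>
    client.address=Corp_Clients authenticate(Corp_LDAP)

; Web Access layer: decides where an authenticated user may go.
; Within a layer, rules are evaluated top down and the first match wins;
; across layers, a later layer's decision overrides an earlier one for the
; same transaction, which is why layer order matters.
<Proxy>
    group="cn=Engineering,ou=Groups,dc=example,dc=com" url.domain=intranet.example.com allow
    url.domain=intranet.example.com deny
    category=Gambling deny   ; category names depend on the installed content-filter database
    allow
```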

Rule Objects
Policy layers contain rule objects. Only the objects available for that policy layer type are
displayed. There are two types of objects:

• Static Objects—A self-contained object that cannot be edited or removed. For
  example, if you write a rule that prohibits users from accessing a specific Web site, the
  Action object you select is Deny.
  Static objects are part of the system and are always displayed.
• Configurable Objects—A configurable object requires parameters. For example,
  consider the rule mentioned in the previous item that prohibits users from accessing a
  specific Web site. In this case, the user is a Source object. That object can be a specific
  IP Address, user, group, user agent (such as a specific browser), and so on. Select one
  and then enter the required information (such as a verifiable user name or group
  name).
  Configurable objects do not exist until you create them. A created object is listed along
  with all static objects in the list dialog, and you can reuse it in other applicable policy
  layers. For example, an IP address can be a Source or Destination object in many
  different policy-layer types.

Important: The order of policy layers, and the order of rules within a layer, are
important. For more information, see “How Policy Layers, Rules, and Files Interact”
on page 124.

While individual object-type menus occasionally contain entries specific to the object
type, the basic menu options are:

• Allow—(Web Access Layer Action column only) Quick menu access; sets the policy to
  allow.
• Deny—(Web Access Layer Action column only) Quick menu access; sets the policy to
  deny.
• Set—Displays the Set Object dialog where you select an object or create a new one.

Policy Layer/Object Matrix
The following table displays which object types are available in each policy layer.

Table 3-3. Available Object Types

Policy Layer              Object types available
Admin Authentication      Source, Action, Track, Comment
Admin Access              Source, Action, Track, Comment
DNS Access                Source, Destination, Time, Action, Track, Comment
SOCKS Authentication      Source, Action, Track, Comment
SSL Intercept             Source, Destination, Action, Track, Comment
SSL Access                Source, Destination, Service, Action, Track, Comment
Web Authentication        Source, Destination, Action, Track, Comment
Web Access                Source, Destination, Service, Time, Action, Track, Comment
Web Content               Destination, Action, Track, Comment
Forwarding                Source, Destination, Service, Action, Track, Comment

The Set Object Dialog
This section discusses the Set Object dialog used to select objects for configuration.
The object rules in all policy layer types determine the conditions for a particular policy
rule. Depending on the type of policy layer, an object can be anything from a user or
group to an IP address or a URL and so forth.
To create a rule, right-click a cell in an object cell. The relevant Set Object dialog displays.
In this dialog, select the objects for the rule or create new objects as necessary.
Objects have type-specific icons to provide a visual aid in distinguishing among different
types in the list.

The Add/Edit Object Dialog
From the Set Object dialog, the Add Object dialog is used to define configurable objects.
Existing configurable options can be altered using the Edit Object dialog. In terms of
functionality, the two dialogs are identical.
For the initial configuration of an object, click New on the Set Object dialog to display the
Add Object dialog. Perform the tasks required to configure the object and click OK. The
newly named and configured object appears in the list of selectable objects in the Set
Object dialog and is ready to be selected for the rule.
To edit an existing object, select an object from the list and click Edit. The Edit Object
dialog appears with the existing parameters on display. Edit as necessary and click OK.
To remove an existing object, select an object from the list and click Remove. A secondary
prompt verifies your attempt to remove the object; click OK. The object is deleted.

Online Help
The VPM contains its own Help module (a porting of this chapter). Each object in the
VPM contains a Help button that links to the corresponding object reference in the Help
file. This reference describes the purpose of the object. Interaction with other policy and
references to feature-related sections in the Blue Coat ProxySG Configuration and
Management Guide Suite volumes are provided, if relevant. Also, this Help module
contains navigation buttons and its own Table of Contents.
Note: The online Help file is displayed in a separate window and requires a few seconds
to load and scroll to the correct object. The speed of your system might impact this slight
lag time. Furthermore, this lag time increases on slower machines running JRE v1.5.

Section B: Policy Layer and Rule Object Reference
This section contains the following topics:

• “About the Reference Tables”—Describes the table conventions used in this section.
• “Administration Authentication Policy Layer Reference”—Describes the objects
  available in this policy layer.
• “Administration Access Policy Layer Reference”—Describes the objects available in
  this policy layer.
• “DNS Access Policy Layer Reference”—Describes the objects available in this policy
  layer.
• “SOCKS Authentication Policy Layer Reference”—Describes the objects available in
  this policy layer.
• “SSL Intercept Layer Reference”—Describes the objects available in this policy layer.
• “SSL Access Layer Reference”—Describes the objects available in this policy layer.
• “Web Authentication Policy Layer Reference”—Describes the objects available in this
  policy layer.
• “Web Access Policy Layer Reference”—Describes the objects available in this policy
  layer.
• “Web Content Policy Layer Reference”—Describes the objects available in this policy
  layer.
• “Forwarding Policy Layer Reference”—Describes the objects available in this policy
  layer.

About the Reference Tables
The tables in this section list the static and configurable objects available for each policy
layer.
Note: If viewing this document as a PDF, you can click an object name to jump to a
description of that object (all objects are described in Section C). To jump back to a specific
policy layer reference, click policy layer name in any object reference table that appears in
the next section.

Administration Authentication Policy Layer Reference
The following table provides the objects available in the Administration Authentication
policy layer.
Source Objects: Client IP Address/Subnet, Client Hostname, Proxy IP Address/Port,
Combined Objects
Action Objects: Do Not Authenticate, Deny, Authenticate, Force Authenticate
Track Objects: Trace


Administration Access Policy Layer Reference
The following table provides the objects available in the Administration Access policy
layer.
Source Objects: Client IP Address/Subnet, Client Hostname, Proxy IP Address/Port, User,
Group, Attribute, Combined Objects
Action Objects: Allow Read-Only Access, Allow Read-Write Access, Deny, Force Deny,
Combined Objects
Track Objects: Event Log, Email, SNMP, Trace

DNS Access Policy Layer Reference
The following table provides the objects available in the DNS Access policy layer.
Source Objects: Client IP Address/Subnet, Proxy IP Address/Port, DNS Request Name,
RDNS Request IP Address/Subnet, DNS Request Opcode, DNS Request Class, DNS Request
Type, DNS Client Transport, Client Connection DSCP Trigger, Combined Objects
Destination Objects: DNS Response Contains No Data, DNS Response IP Address/Subnet,
RDNS Response Host, DNS Response CNAME, DNS Response Code, Category, Server
Connection DSCP Trigger, Combined Objects
Time Objects: Time, Combined Objects
Action Objects: Bypass DNS Cache, Do Not Bypass DNS Cache, Allow DNS From Upstream
Server, Serve DNS Only From Cache, Enable/Disable DNS Imputing, Send DNS/RDNS
Response Code, Send DNS Response, Send Reverse DNS Response, Reflect IP, Manage
Bandwidth, Set Client Connection DSCP Value, Set Server Connection DSCP Value,
Combined Objects
Track Objects: Event Log, Email, SNMP, Trace, Combined Objects

SOCKS Authentication Policy Layer Reference
The following table provides the objects available in the SOCKS Authentication policy
layer.
Source Objects: Client IP Address/Subnet, Client Hostname, Proxy IP Address/Port, SOCKS
Version, Combined Objects
Action Objects: Do Not Authenticate, Authenticate, Force Authenticate
Track Objects: Trace

SSL Intercept Layer Reference
The following table provides the objects available in the SSL Forward Proxy policy layer.
Source Objects: Client Hostname Unavailable, Client Hostname, Proxy IP Address/Port,
Combined Objects
Destination Objects: Destination IP Address/Subnet, Destination Host/Port, Request URL,
Request URL Category, Server URL, Server Certificate, Server Certificate Category,
Combined Objects
Action Objects: Set SSL Forward Proxy, Combined Objects
Track Objects: Event Log, Email, SNMP, Trace, Combined Objects

SSL Access Layer Reference
The following table provides the objects available in the SSL Access Layer policy layer.

Source Objects: Authenticated User, Client Hostname Unavailable, Client IP Address/Subnet,
Client Hostname, Proxy IP Address/Port, User, Group, Attribute, Client Certificate, Client
Negotiated Cipher, Client Negotiated Cipher Strength, Client Negotiated SSL Version,
Combined Objects
Destination Objects: Destination IP Address/Subnet, Destination Host/Port, Request URL,
Request URL Category, Server URL, Server Certificate, Server Certificate Category, Server
Negotiated Cipher, Server Negotiated Cipher Strength, Server Negotiated SSL Version,
Combined Objects
Service Objects: Client Protocol, SSL Proxy Mode, Combined Objects
Action Objects: Allow, Deny (static), Require/Do Not Require Client Certificate, Force Deny,
Deny, Return Exception, Set Client Certificate Validation, Set Server Certificate
Validation, Combined Objects
Track Objects: Event Log, Email, SNMP, Trace, Combined Objects

Web Authentication Policy Layer Reference
The following table provides the objects available in the Web Authentication policy layer.
Source Objects: Client Hostname Unavailable, Client IP Address/Subnet, Client Hostname,
Proxy IP Address/Port, User Agent, Request Header, Combined Objects
Destination Objects: Destination IP Address/Subnet, Destination Host/Port, Request URL,
Request URL Category, Combined Objects
Action Objects: Do Not Authenticate, Deny, Authenticate, Authentication Charset, Force
Authenticate, Combined Objects
Track Objects: Trace

Web Access Policy Layer Reference
The following table provides the objects available in the Web Access policy layer.
Web Access policy layers regulate, from a general to a granular level, who or what can
access specific Web locations or content.

• Users, groups, individual IP addresses, and subnets, as well as object lists comprised
  of any combination of these, can be subject to rules.
• Rules can include access control for specific Web sites, specific content from any Web
  site, individual IP addresses, and subnets.
• Actions taken can range from allowing and denying access to more finely tuned
  changes or limitations.
• Rules can also be subject to day and time specifications and protocol, file type, and
  agent delimiters.

Source Objects: Streaming Client, Client Hostname Unavailable, Authenticated User, Client
IP Address/Subnet, Client Hostname, Proxy IP Address/Port, User, Group, Attribute, User
Agent, IM User Agent, Request Header, SOCKS Version, IM User, P2P Client, Client
Negotiated Cipher, Client Negotiated Cipher Strength, Client Connection DSCP Trigger,
Combined Objects
Destination Objects: Destination IP Address/Subnet, Destination Host/Port, Request URL,
Request URL Category, File Extensions, HTTP MIME Types, Apparent Data Type, Response
Code, Response Header, IM Buddy, IM Chat Room, Server Connection DSCP Trigger,
Combined Objects
Service Objects: Using HTTP Transparent Authentication, Virus Detected, Client Protocol,
Service Name, Protocol Methods, IM File Transfer, IM Message Text, IM Message
Reflection, Streaming Content Type, ICAP Error Code, Combined Objects
Time Objects: Time, Combined Objects
Action Objects: Allow, Deny, Force Deny, Bypass Cache, Do Not Bypass Cache, Check/Do Not
Check Authorization, Always Verify, Use Default Verification, Block/Do Not Block PopUp
Ads, Force/Do Not Force IWA for Server Auth, Reflect/Do Not Reflect IM Messages,
Block/Do Not Block IM Encryption, Deny, Return Exception, Return Redirect, Send IM
Alert, Modify Access Logging, Override Access Log Field, Rewrite Host, Reflect IP,
Suppress Header, Control Request Header/Control Response Header, Notify User, Strip
Active Content, Set Client HTTP Compression, Set Server HTTP Compression, Manage
Bandwidth, Modify IM Message, Return ICAP Patience Page, Set External Filter Service,
Set ICAP Request Service, Set FTP Connection, Set SOCKS Acceleration, Set Streaming
Max Bitrate, Set Client Connection DSCP Value, Set Server Connection DSCP Value,
Combined Objects
Track Objects: Event Log, Email, SNMP, Trace, Combined Objects

Web Content Policy Layer Reference
The following table provides the objects available in the Web Content policy layer.
The Web Content policy layer applies to requests independent of user identity.
Content scanning policy layers scan requested URLs and file types for viruses and other
malicious code. You must have an ICAP service installed on the SG appliance to use this
policy type.
Destination Objects: Destination IP Address/Subnet, Destination Host/Port, Request URL,
Request URL Category, File Extensions, HTTP MIME Types, Response Header, Server
Connection DSCP Trigger, Combined Objects
Action Objects: Check/Do Not Check Authorization, Always Verify, Use Default Verification,
Use Default Caching, Do Not Cache, Force Cache, Mark/Do Not Mark As Advertisement,
Enable/Disable Pipelining, Set Dynamic Categorization, Set External Filter Service, Set
Client HTTP Compression, Set Server HTTP Compression, Manage Bandwidth, Set ICAP
Request Service, Set ICAP Response Service, Set TTL, Modify Access Logging, Override
Access Log Field, Set Server Connection DSCP Value, Combined Objects
Track Objects: Event Log, Email, SNMP, Trace, Combined Objects

Forwarding Policy Layer Reference
The following table provides the objects available in the Forwarding policy layer.
Source Objects: Streaming Client, Authenticated User, Client IP Address/Subnet, Client
Hostname, Proxy IP Address/Port, User, Group, Attribute, SOCKS Version, P2P Client,
Client Connection DSCP Trigger, Combined Objects
Destination Objects: Destination IP Address/Subnet, Destination Host/Port, Server URL,
Server Connection DSCP Trigger, Combined Objects
Service Objects: Client Protocol, Combined Objects
Action Objects: Send Direct, Integrate/Do Not Integrate New Hosts, Allow Content From
Origin Server, Serve Content Only From Cache, Select SOCKS Gateway, Select Forwarding,
Reflect IP, Manage Bandwidth, Set IM Transport, Set Streaming Transport, Set Client
Connection DSCP Value, Set Server Connection DSCP Value, Combined Objects
Track Objects: Trace

Section C: Detailed Object Column Reference
This section contains the following topics:

• “Source Column Object Reference” on page 45
• “Destination Column Object Reference” on page 60
• “Service Column Object Reference” on page 69
• “Time Column Object Reference” on page 74
• “Action Column Object Reference” on page 76
• “Track Object Column Reference” on page 111
• “Comment Object Reference” on page 113
• “Using Combined Objects” on page 113
• “Creating Categories” on page 119

Source Column Object Reference
A source object specifies the communication or Web transaction origin that is evaluated by
the policy. Not all policy layers contain the same source objects.

Important: Because of character limitations required by the generated CPL, only
alphanumeric, underscore, dash, ampersand, period, or forward slash characters can
be used to define a source object name.

Any
Applies to any source.

Streaming Client
This is a static object. This rule applies to any request from a streaming client.

Client Hostname Unavailable
This is a static object. This rule applies if the client IP address could not be looked up with
a reverse DNS query.

Authenticated User
This is a static object. This rule applies to any authenticated user.

Client IP Address/Subnet
Specifies the IP address and, optionally, a subnet mask of a client. The policy defined in
this rule applies only to this address or addresses on this subnet. This object is
automatically named using the prefix Client; for example, Client: 1.2.0.0/255.255.0.0.

Note: See “Combined Source Object” on page 58 for related information regarding this
source object.

Client Hostname
Specifies a reverse DNS hostname resolved in the reverse lookup of a client IP address.
Enter the host name and select matching criteria. This object is automatically named using
the prefix Client; for example, Client: host.com. If you select a matching qualifier, that
attribute is appended to the object in parentheses. For example, Client: host.com (RegEx).

Proxy IP Address/Port
Specifies the IP address and, optionally, a port on the SG appliance. The policy defined in
this rule applies only to this address or addresses with this subnet.

User
Specifies an individual user in the form of a verifiable username or login name. Enter a
user name and an authentication realm. The dialog then displays different information
depending on the type of authentication realm specified. Select the appropriate realm
from the drop-down list. Items in the list are taken from the realms configured by the
administrator in the SG appliance.
LDAP
You can optionally select a User Base DN from a drop-down list. Entries in the User Base
DN list come from those specified by the administrator in the SG appliance. You can also
edit an entry selected in the list, type a new one, or click Browse to manually select a
name. Edited names and new names are retained in the list. Notice in the Full Name field
that the VPM takes the User Attribute type specified by the administrator in the SG
appliance (cn= in the following illustration), and associates it with the user name and Base
DN entered here.

Important: When you configure a realm, the SG appliance assumes a default primary
user attribute (sAMAccountName for Active Directory; uid for Netscape/iPlanet
Directory Server/SunOne; cn for Novell NDS). You can accept the default or change
it. Whatever is entered there is what the VPM uses here, entering it in the Full Name
display field once a Base DN is selected.
If the primary user attribute specified in the SG appliance differs from the primary user
attribute specified in the directory server, enter the latter in the User field with the
appropriate value (in the format attribute=value). This replaces the entry in the Full Name
field. Examine the following screenshot. Assume that the organization uses phone as the
primary attribute in its LDAP directory:

Netegrity SiteMinder
Entries in this list are not prepopulated. You must enter a name in the User field. An
entered name is retained and can subsequently be selected and edited. Notice in the Full
Name field that VPM displays domain name and user name entered above.
Oracle COREid
Entries in this list are not prepopulated. You must enter a name in the User field. An
entered name is retained and can subsequently be selected and edited. Notice in the Full
Name field that VPM displays domain name and user name entered above.
Policy Substitution
Entries in this list are not prepopulated. You must enter a name in the User field. An
entered name is retained and can subsequently be selected and edited. Notice in the Full
Name field that VPM displays domain name and user name entered above.
Sequences
Entries in this list are not prepopulated. You must enter a name in the User field. An
entered name is retained and can subsequently be selected and edited. Notice in the Full
Name field that VPM displays domain name and user name entered above. From the
Member Realm drop-down list, select an authentication realm (already configured on the
SG appliance). Depending on the realm type, new fields appear.

Group
Specifies a verifiable group name. Enter a user group and an authentication realm. The
dialog then displays different information depending on the type of authentication realm
specified.

• Group field—Replace the default with a verifiable group name.
• Authentication Realm field—Select the appropriate realm from the drop-down list.
  Items in the list are taken from the realms configured by the administrator in the SG
  appliance.
  • LDAP—Entries in the Group Base DN list come from those specified by the
    administrator in the SG appliance. You can also edit an entry selected in the list, or
    type a new one. Edited names and new names are retained in the list. Notice in
    the Full Name field that the VPM takes the User Attribute type specified by the
    administrator in the SG appliance (cn= in the following illustration), and conjoins
    it with the group name and Base DN entered here.

Important: When you create a group, the default attribute is cn= in the Full Name
display field.

To specify a DNS request class object:
1. In the Name field, enter a custom name or leave as is to accept the default.
2. Select one or more of the request classes.
3. Click OK.

DNS Request Type
Specifies the DNS request types (QTYPE) attributes.
To specify a DNS Request Type object:
1. In the Name field, enter a custom name or leave as is to accept the default.
2. Select one or more of the request types.
3. Click OK.

DNS Client Transport
Specifies the DNS client transport method, UDP or TCP.
To specify a DNS Client Transport object:
1. Select UDP Transport or TCP Transport. This object is automatically named using the
   prefix DNS; for example, DNS: Client Transport UDP.
2. Click OK.

SOCKS Version
Specifies the SOCKS version, 4 or 5. This object is automatically named as SOCKSVersion4
or SOCKSVersion5.

User Agent
Specifies one or more agents a client might use to request content. The choices include
specific versions of: Microsoft Internet Explorer, Netscape Communicator, Microsoft
Windows Media Player and NetShow, Real Media RealPlayer and RealDownload, Apple
QuickTime, Opera, and Wget.
The policy defined in this rule applies to these selected agents. You can name this list and
create other custom lists to use with other policy layer rules.

To specify P2P clients:
1. In the Name field, enter a name for the object or accept the default.
2. Select All P2P Clients (all protocols become selected), or one or more P2P protocols.
3. Click OK.

Client Negotiated Cipher
Allows the testing of the SSL cipher in use between the SG appliance and the browser.
Select a code from the drop-down list.
To specify a client negotiated cipher:
1. In the Name field, enter a name for the object or accept the default.
2. Select one or more cipher codes valid for this rule.
3. Click OK.

Client Negotiated Cipher Strength
Tests the cipher strength of an SG appliance-to-browser (client) HTTPS connection.
To specify a client negotiated cipher strength:
1. In the Name field, enter a name for the object or accept the default.
2. Select one or more of the strength options valid for this rule: Export, High, Medium, or
   Low.
3. Click OK.

Low, Medium, and High strength ciphers are not exportable.

Client Negotiated SSL Version
Tests the SSL version of an SG appliance-to-browser (client) HTTPS connection.
To specify a client negotiated SSL version:
1. In the Name field, enter a name for the object or accept the default.
2. Select one or more of the version options valid for this rule: SSL 2.0, SSL 3.0, or TLS
   1.0.
3. Click OK.

Client Connection DSCP Trigger
Tests the inbound differentiated service code point (DSCP) value of primary client-to-SG
appliance connections. After testing DSCP bits (in the IP header), additional policy
dictates how to handle traffic associated with the type of service.

Source Column/Policy Layer Matrix
The following matrix lists all of the Source column objects and indicates which policy
layers they apply to. Layer abbreviations: Admin Auth (Administration Authentication),
Admin Acc (Administration Access), DNS Acc (DNS Access), SOCKS Auth (SOCKS
Authentication), SSL Int (SSL Intercept), SSL Acc (SSL Access), Web Auth (Web
Authentication), Web Acc (Web Access), Web Cont (Web Content), Fwding (Forwarding).

Object                               Policy layers
Streaming Client                     Web Acc, Fwding
Client Hostname Unavailable          SSL Int, SSL Acc, Web Auth, Web Acc
Authenticated User                   SSL Acc, Web Acc, Fwding
Client IP Address/Subnet             Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Acc, Web Auth, Web Acc, Fwding
Client Hostname                      Admin Auth, Admin Acc, SOCKS Auth, SSL Int, SSL Acc, Web Auth, Web Acc, Fwding
Proxy IP Address/Port                Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Int, SSL Acc, Web Auth, Web Acc, Fwding
User                                 Admin Acc, SSL Acc, Web Acc, Fwding
Group                                Admin Acc, SSL Acc, Web Acc, Fwding
Attribute                            Admin Acc, SSL Acc, Web Acc, Fwding
DNS Request Name                     DNS Acc
RDNS Request IP Address/Subnet       DNS Acc
DNS Request Opcode                   DNS Acc
DNS Request Class                    DNS Acc
DNS Request Type                     DNS Acc
DNS Client Transport                 DNS Acc
SOCKS Version                        SOCKS Auth, Web Acc, Fwding
User Agent                           Web Auth, Web Acc
IM User Agent                        Web Acc
Request Header                       Web Auth, Web Acc
Client Certificate                   SSL Acc
IM User                              Web Acc
P2P Client                           Web Acc, Fwding
Client Negotiated Cipher             SSL Acc, Web Acc
Client Negotiated Cipher Strength    SSL Acc, Web Acc
Client Negotiated SSL Version        SSL Acc
Client Connection DSCP Trigger       DNS Acc, Web Acc, Fwding
Combined Objects                     Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Int, SSL Acc, Web Auth, Web Acc, Fwding

To specify a server-negotiated cipher strength:
1. In the Name field, enter a name for the object or accept the default.
2. Select one or more of the strength options valid for this rule: Export, High, Medium, or
   Low.
3. Click OK.

Low, Medium, and High strength ciphers are not exportable.

Server Negotiated SSL Version
Specifies the SSL version of an SG appliance-to-server HTTPS connection.
To specify a server-negotiated SSL version:
1. In the Name field, enter a name for the object or accept the default.
2. Select one or more of the version options valid for this rule: SSL 2.0, SSL 3.0, or TLS
   1.0.
3. Click OK.

File Extensions
Creates a list of file extensions. The rule is triggered for content with an extension
matching any on the list. You can create multiple lists that contain various extensions to
use in different rules. For example, create a list called Images, and select file extension
types such as GIF, JPEG, BMP, XPM, and so on.

HTTP MIME Types
Creates a list of HTTP MIME content types. The rule is triggered for content matching any
on the list. You can create multiple lists that contain various MIME types to use in
different rules. For example, create a list called MicrosoftApps, and select MIME types
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/vnd.ms-project, and
application/vnd.works.
Note: If you require a MIME type not contained in this list, use a Request URL object that
uses the At End matching criteria.

Apparent Data Type
The options in this object identify data content associated with Microsoft DOS and
Windows executable files. When used in a deny policy, the purpose of this object is to deny
executable downloads and block drive-by installation of spyware.
To specify apparent data type:
1. In the Name field, enter a name for the object or accept the default.
2. Select one or both of the following data types:
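What an apparent-data-type check inspects, as an added illustration that is not Blue Coat's code: the response body is sniffed for the DOS MZ header (and the PE signature it points to) instead of trusting the URL extension or Content-Type, which a renamed download can spoof. The blocked-extension and MIME lists, the sample bytes and the function names are constructed for this example.

```python
import struct

# Lists in the style of the File Extensions and HTTP MIME Types objects
# (sample contents constructed for this illustration).
BLOCKED_EXTENSIONS = {"exe", "dll", "com", "scr"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}


def is_dos_or_windows_executable(body: bytes) -> bool:
    """Sniff the body the way an apparent-data-type check does.

    Every DOS and Windows executable begins with the DOS header magic "MZ",
    whatever the URL or Content-Type claims, so the first two bytes decide.
    """
    return len(body) >= 2 and body[:2] == b"MZ"


def executable_kind(body: bytes) -> str:
    """Classify as 'none', 'dos' or 'windows-pe' for logging.

    A Win32 PE image stores at offset 0x3C (e_lfanew) the offset of the
    "PE\\0\\0" signature; a plain DOS executable has the MZ header but no PE part.
    """
    if not is_dos_or_windows_executable(body):
        return "none"
    if len(body) >= 0x40:
        pe_offset = struct.unpack_from("<I", body, 0x3C)[0]
        if pe_offset + 4 <= len(body) and body[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "windows-pe"
    return "dos"


def extension_of(url: str) -> str:
    """Lower-case extension of the URL path, '' if none (query string ignored)."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def evaluate(url: str, content_type: str, body: bytes) -> dict:
    """Report which of the three destination checks a deny rule could use would fire."""
    return {
        "file_extension": extension_of(url) in BLOCKED_EXTENSIONS,
        "mime_type": content_type.split(";", 1)[0].strip().lower() in BLOCKED_MIME_TYPES,
        "apparent_data_type": is_dos_or_windows_executable(body),
    }


def constructed_pe_stub() -> bytes:
    """Minimal MZ header plus PE signature (constructed bytes, not a runnable program)."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    # A Windows executable served under a harmless-looking name and MIME type:
    # the extension and MIME lists miss it, the apparent data type catches it.
    print(evaluate("http://example.test/report.pdf", "application/pdf", constructed_pe_stub()))
    print(evaluate("http://example.test/setup.exe", "application/x-msdownload", b"GIF89a"))
```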

To specify DSCP values to test against inbound server connections:
1. In the Name field, enter a name for the object or accept the default. This example
   creates an object that tests for an IP Precedence of 2 or any Assured Forwarding Class
   (AFC) of type 2 (for low, medium, and high drop rates).
2. Select IP Precedence values (denoted by CS) and Assured Forwarding Classes
   (denoted by AF) as required.
3. (Optional) Rather than select Precedence and AFC values, enter a DSCP value range.
   The valid range is 0 to 63. Blue Coat does not recommend this option. Most
   applications fit into one of the defined values.

For conceptual information about configuring the SG appliance to manipulate traffic
based on type of service, refer to "Managing QoS and Differential Services" on page 180.
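The CS and AF selections above are names for particular six-bit DSCP values. The added code below (not Blue Coat's, written for this reference; the function names are its own) decodes a DSCP into its CS/AF/EF name, builds the match set the example object in step 1 describes (IP Precedence 2 plus all three AF class 2 drop precedences), and validates a raw 0 to 63 range.

```python
# DSCP code point layout (RFC 2474 / RFC 2597): six bits, values 0..63.
#   Class Selector  CSn  = n << 3              (n = 0..7, same as IP Precedence n)
#   Assured Fwd     AFxy = (x << 3) | (y << 1) (class x = 1..4, drop precedence y = 1..3)
#   Expedited Fwd   EF   = 46

DSCP_MIN, DSCP_MAX = 0, 63


def dscp_name(dscp: int) -> str:
    """Map a DSCP value to its CS/AF/EF name, or 'DSCP<n>' if it has none."""
    if not DSCP_MIN <= dscp <= DSCP_MAX:
        raise ValueError(f"DSCP must be {DSCP_MIN}..{DSCP_MAX}, got {dscp}")
    if dscp == 46:
        return "EF"
    precedence, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"CS{precedence}"
    if 1 <= precedence <= 4 and low in (2, 4, 6):
        return f"AF{precedence}{low // 2}"
    return f"DSCP{dscp}"


def build_dscp_trigger(cs=(), af_classes=(), ranges=()) -> frozenset:
    """Return the set of DSCP values a Connection DSCP Trigger object matches.

    cs         -- IP Precedence values (0..7) ticked in the object, i.e. CS0..CS7
    af_classes -- AF classes (1..4); all three drop precedences of each are included
    ranges     -- optional raw (low, high) DSCP ranges, the option the manual discourages
    """
    matched = set()
    for n in cs:
        if not 0 <= n <= 7:
            raise ValueError(f"IP Precedence must be 0..7, got {n}")
        matched.add(n << 3)
    for x in af_classes:
        if not 1 <= x <= 4:
            raise ValueError(f"AF class must be 1..4, got {x}")
        matched.update((x << 3) | (y << 1) for y in (1, 2, 3))
    for low, high in ranges:
        if not DSCP_MIN <= low <= high <= DSCP_MAX:
            raise ValueError(f"range {low}-{high} outside {DSCP_MIN}..{DSCP_MAX}")
        matched.update(range(low, high + 1))
    return frozenset(matched)


def dscp_from_tos(tos_byte: int) -> int:
    """Extract the DSCP from an IPv4 TOS / IPv6 Traffic Class byte.

    The upper six bits carry the DSCP; the low two bits are ECN and are ignored.
    """
    return (tos_byte & 0xFF) >> 2


def connection_matches(trigger: frozenset, tos_byte: int) -> bool:
    """True if a packet with this TOS byte would fire the trigger."""
    return dscp_from_tos(tos_byte) in trigger


if __name__ == "__main__":
    # The step 1 example: IP Precedence 2 or any AF class 2.
    example = build_dscp_trigger(cs=[2], af_classes=[2])
    print(sorted(example), [dscp_name(v) for v in sorted(example)])
```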

Combined Destination Objects
Allows you to create an object that combines different destination types. Refer to “Using
Combined Objects” on page 113.

Destination Column/Policy Layer Matrix
The following matrix lists all of the Destination column objects and indicates which policy
layer they apply to.
[Matrix: one row per Destination object, one column per policy layer (Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Int, SSL Acc, Web Auth, Web Acc, Web Cont, Fwding); an x marks each layer the object applies to.]
Destination objects: Destination IP Address/Subnet; Destination Port; Request URL; Request URL Category; Server URL; Server Certificate; Server Certificate Category; File Extensions; HTTP MIME Types; Category; Server Negotiated Cipher; Server Negotiated Cipher Strength; Server Negotiated SSL Version; Apparent Data Type; Response Header; Response Code; IM Buddy; IM Chat Room; DNS Response IP Address/Subnet; RDNS Response Host; DNS Response CNAME; DNS Response Code; Server Connection DSCP Trigger; Combined Objects
Service Column Object Reference
A service object specifies a service type, such as a protocol, that is evaluated by the policy.
Not all policy layers contain the same service objects.
Important: Because of character limitations required by the generated CPL, only
alphanumeric, underscore, dash, ampersand, period, or forward slash characters can be
used to define a service object name.

Any
Applies to any service.

Using HTTP Transparent Authentication
This is a static object. The rule applies if the service is using HTTP transparent
authentication.

Virus Detected
This is a static object. The rule applies if ICAP scanning detects a virus.

Client Protocol
Specifies the client protocol types and subsets. From the first drop-down list, select a type:
CIFS, Endpoint Mapper, FTP, HTTP, HTTPS, Instant Messaging, P2P, Shell, SOCKS, SSL,
Streaming, or TCP Tunneling.
The second drop-down list allows you to select a protocol subset (these options vary
depending on the selected protocol):
• All—Applies to all communication using this type of protocol.
• Pure—Applies if the protocol is using a direct connection.
• Over—Applies if a protocol is communicating through a specific transport method.


Combined Service Objects
Allows you to create an object that combines different service types. Refer to “Using
Combined Objects” on page 113.

Service Column/Policy Layer Matrix
The following matrix lists all of the Service column objects and indicates which policy
layer they apply to.
[Matrix: one row per Service object, one column per policy layer (Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Int, SSL Acc, Web Auth, Web Acc, Web Cont, Fwding); an x marks each layer the object applies to.]
Service objects: Using HTTP Transparent Authentication; Client Protocol; Protocol Methods; SSL Proxy Mode; IM File Transfer; IM Message Text; IM Message Reflection; Streaming Content Type; ICAP Error Code; Combined Objects

Time Column Object Reference
A time object specifies a block of time or time trigger that determines client access
regarding other parameters in the rule (such as Web sites and content types). Currently, the
Time object is only applicable to the Web Access Layer.

Any
Applies anytime.

Time
Specifies the time restrictions.

The range can be contained within one 24-hour calendar day, or overlap days. For
example, configuring the time to range from 22:00 to 06:00 sets a limit from 10 at night
to 6 the following morning.
4. To specify a day of the week restriction, select Enable; in the Specific Weekday
   Restriction field, select one or more days.
5. To specify a day of the month range restriction, select Enable; in the Specify Day of
   Month Restriction field, select the days, which are numbered from 01 to 31. To limit the
   range to a specific day, configure the numbers to be the same. For example, selecting 22
   and 22 specifies that the rule applies only on the 22nd day of every month.
6. To specify a restriction that spans one or more months, select Enable; in the Specify
   Annually-Recurring Date Restriction field, select the month and day ranges. This
   calendar restriction applies every year unless the restriction is altered.
   Overlapping months is allowed, similar to the behavior of day ranges in Step 3.
7. To specify a one-time only restriction, select Enable; in the Specify Non-Recurring Date
   Restriction field, select the year, month, and day ranges. This calendar restriction
   applies only during the time specified and will not repeat.
8. Click OK.
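An added model of the restrictions in steps 3 to 8 (not Blue Coat's code; the class and field names are this example's own): time-of-day ranges that wrap midnight as in the 22:00 to 06:00 example, weekday sets, day-of-month ranges where equal bounds select a single day, annually recurring month/day ranges that may wrap the year, and a non-recurring date window. Every enabled restriction must hold for the rule to apply.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional, Set, Tuple


def _hhmm(text: str) -> time:
    """Parse 'HH:MM' into a time object."""
    hour, minute = text.strip().split(":")
    return time(int(hour), int(minute))


def _in_wrapping_range(value, start, end) -> bool:
    """Inclusive range test that also handles ranges wrapping past the end of a
    cycle (22:00-06:00 across midnight, Nov-Jan across the year boundary)."""
    if start <= end:
        return start <= value <= end
    return value >= start or value <= end


@dataclass
class TimeRestriction:
    """Constructed model of the VPM Time object. A field left as None stands for
    an unchecked Enable box, i.e. no restriction of that kind."""
    time_range: Optional[str] = None                  # "HH:MM-HH:MM"; may wrap midnight
    weekdays: Optional[Set[int]] = None               # Monday=0 .. Sunday=6
    days_of_month: Optional[Tuple[int, int]] = None   # (first, last), 01..31; (22, 22) = 22nd only
    annual: Optional[Tuple[Tuple[int, int], Tuple[int, int]]] = None  # ((month, day), (month, day))
    once: Optional[Tuple[str, str]] = None            # ("YYYY-MM-DD", "YYYY-MM-DD"), non-recurring

    def matches(self, when_iso: str) -> bool:
        """True if the instant (ISO 8601 string) satisfies every enabled restriction."""
        when = datetime.fromisoformat(when_iso)
        return (
            self._time_ok(when.time())
            and (self.weekdays is None or when.weekday() in self.weekdays)
            and self._day_of_month_ok(when.day)
            and self._annual_ok((when.month, when.day))
            and self._once_ok(when.date())
        )

    def _time_ok(self, t: time) -> bool:
        if self.time_range is None:
            return True
        start, end = (_hhmm(part) for part in self.time_range.split("-"))
        return _in_wrapping_range(t, start, end)

    def _day_of_month_ok(self, day: int) -> bool:
        if self.days_of_month is None:
            return True
        first, last = self.days_of_month
        if not 1 <= first <= last <= 31:
            raise ValueError("day-of-month range must be 01..31 with first <= last")
        return first <= day <= last

    def _annual_ok(self, month_day: Tuple[int, int]) -> bool:
        if self.annual is None:
            return True
        start, end = self.annual
        return _in_wrapping_range(month_day, start, end)  # tuples compare as (month, day)

    def _once_ok(self, d: date) -> bool:
        if self.once is None:
            return True
        start, end = (date.fromisoformat(part) for part in self.once)
        return start <= d <= end


if __name__ == "__main__":
    night = TimeRestriction(time_range="22:00-06:00")        # the manual's step 3 example
    print(night.matches("2007-03-14T23:30:00"), night.matches("2007-03-15T12:00:00"))
```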

Combined Time Object
Allows you to create a combined time object that adheres to multiple time restrictions. See
“Using Combined Objects” on page 113.

Time Column/Policy Layer Matrix
The following matrix lists all of the Time column objects and indicates which policy layer
they apply to.
[Matrix: one row per Time object, one column per policy layer (Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Int, SSL Acc, Web Auth, Web Acc, Web Cont, Fwding); an x marks each layer the object applies to.]
Time objects: Time; Combined Objects

Action Column Object Reference
An action object determines which action to take if other parameters, such as source,
destination, service, and time requirements, validate the rule.

Important: Because of character limitations required by the generated CPL, only
alphanumeric, underscore, and dash characters can be used to define an action object
name.

Allow
This is a static object. Selecting this overrides other related configurations and the
specified user requests are allowed.


Deny
This is a static object. Selecting this overrides other related configurations and denies the
specified user requests.

Force Deny
This is a static object. Forces a request to be denied, regardless of whether rules in
subsequent layers would have allowed the request.

Allow Read-Only Access
This is a static object. Grants full access to view data on the appliance.

Allow Read-Write Access
This is a static object. Grants full access to view and manipulate data on the appliance.

Do Not Authenticate
This is a static object. Selecting this overrides other configurations and the specified users
are not authenticated when requesting content.

Authenticate
Creates an authentication object to verify users. An authentication realm must exist on the
SG appliance to be selected through VPM.
Note: In the SOCKS Authentication policy layer, the object is SOCKS Authenticate.



• Proxy IP—The SG appliance uses an explicit proxy challenge and the client's IP
  address as a surrogate credential.
• Origin—The SG appliance acts like an OCS and issues OCS challenges. The
  authenticated connection serves as the surrogate credential.
• Origin IP—The SG appliance acts like an OCS and issues OCS challenges. The
  client IP address is used as a surrogate credential.
• Origin Cookie—For transparent proxies: for clients that understand cookies but do
  not understand redirects; the SG appliance acts like an origin server and issues
  origin server challenges. The surrogate credential is used.
• Origin Cookie Redirect—For transparent forward proxies: the client is redirected
  to a virtual URL to be authenticated, and cookies are used as the surrogate
  credential. The SG appliance does not support origin-redirects with the
  CONNECT method.
• Origin IP Redirect—Significantly reduces security; only useful for reverse proxy
  and when clients have unique IP addresses and do not understand cookies (or
  you cannot set a cookie). Provides partial control of transparently intercepted
  HTTPS requests. The client is redirected to a virtual URL to be authenticated, and
  the client IP address is used as a surrogate credential. The SG appliance does not
  support origin-redirects with the CONNECT method.
• SG2—The mode is selected automatically, based on the request using the SGOS
  2.x-defined rules.
4. (Optional) If you selected a Form mode in Step 3, the Authentication Form, New Pin
   Form, and Query Form drop-down lists become active.
   • Authentication Form—When forms-based authentication is in use, this property
     selects the form used to challenge the user.
   • New Pin Form—When forms-based authentication is in use, this selects the form to
     prompt the user to enter a new PIN.
   • Query Form—When forms-based authentication is in use, this selects the form to
     display to the user when a yes/no question needs to be answered.
   Note: The New Pin Form and the Query Form are only used with RSA SecurID
   authentication.
   In most deployments, the default form settings should be adequate. However, if in
   your enterprise you have customized authentication forms configured (on the SG
   appliance Management Console: Configuration > Authentication > Forms), you can
   select them from the drop-down lists. For example, HR_PIN.
5. Click OK.

Users are prompted to provide a valid user name and password.

Force Authenticate
Forces the user to authenticate even though the request is going to be denied for reasons
that do not depend on authentication. This action is useful to identify a user before the
denial so that the username is logged along with the denial. See “Authenticate” on page
77 for a description of the fields in this object.


Note: In the SOCKS Authentication policy layer, the object is Force SOCKS Authenticate.

Bypass Cache
This is a static object. Prevents the cache from being queried when serving a proxy
request, and prevents the response from the origin server from being cached.

Do Not Bypass Cache
This is a static object. The SG appliance always checks if the destination is cached before
going to the origin server; also, the content is cached if cacheable.

Bypass DNS Cache
This is a static object. Prevents the request from querying the DNS cache list of resolved
lookup names or addresses.

Do Not Bypass DNS Cache
This is a static object. The SG appliance always queries the DNS cache list of resolved
lookup names or addresses.

Allow DNS From Upstream Server
This is a static object. Allows the SG appliance to send requests for data not currently
cached to DNS servers.

Serve DNS Only From Cache
This is a static object. Instructs the SG appliance to only serve a DNS request from content
that is already cached.

Enable/Disable DNS Imputing
These are static objects. If DNS imputing is enabled, the SG appliance appends the suffixes
in the DNS imputing list to hostnames looked up when the original name is not found.

Check/Do Not Check Authorization
These are static objects. These actions control whether or not the SG appliance forces a
request to be sent to an upstream server every time to check authorization, even if the
content is already cached. The check action is not usually required for upstream origin
content servers performing authentication, as the SG appliance automatically tracks
whether content required authentication in each case. However, it can be required when
an upstream proxy is performing proxy authentication because of the way some proxies
cache credential information, causing them not to reliably challenge every request. When
requests are directed to an upstream proxy which operates in this manner, enabling Check
Authorization ensures that all such requests are properly authorized by the upstream
proxy before the content is served from the local cache.


Always Verify
This is a static object. Cached content is always verified for freshness for the sources,
destinations, or service specified in the rule. For example, the CEO and Executive Staff
always require content to be the most recent, but everyone else can be served from the
cache.

Use Default Verification
This is a static object. Overrides the Always Verify action and instructs the SG appliance to
use its default freshness verification.

Block/Do Not Block PopUp Ads
These are static objects. Blocks or allows pop up windows. Blue Coat recommends
creating separate Web Access policy layers that only contain pop up blocking actions.
Furthermore, many Web applications require pop up windows. As it is unlikely that your
Intranet contains pages that pop up unwanted advertising windows, Blue Coat
recommends disabling pop up blocking for your Intranet. For example:
• Web Access rule 1: Specify the Intranet IP address and subnet mask in the Destination
  column and select Do Not Block Popup Ads in the Action column.
• Web Access rule 2: Select Block Popup Ads in the Action column.

As you continue to modify policy, you can add more policy layers to block or allow
specific IP addresses, but the policy layer as defined in the Web Access rule 2 above must
always be positioned last. Blocking pop up ads is the default if a previous policy rule does
not trigger.
For more concept information about pop up windows, see Section A: "Blocking Pop Up
Windows" on page 156.

Force/Do Not Force IWA for Server Auth
These are static objects. When configured for explicit proxy, Internet Explorer (IE) does not
support an IWA challenge from an origin server. If Force IWA for Server Auth is applied,
the SG appliance converts the 401-type server authentication challenge to a 407-type
proxy authentication challenge, which IE supports. The SG appliance also converts the
resulting Proxy-Authentication headers in client requests to standard server authorization
headers, which allows an origin server IWA authentication challenge to pass through
when IE is explicitly proxied through the SG appliance.
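The header rewrite the paragraph describes, as an added example that is not SGOS code: a 401 whose WWW-Authenticate offers Negotiate or NTLM becomes a 407 carrying the same challenge in Proxy-Authenticate, and the client's Proxy-Authorization answer is renamed to Authorization before the request goes to the origin server (the manual's "Proxy-Authentication headers" are these two). Header values are constructed and the function names are this example's own.

```python
from typing import Dict, Optional, Tuple

# Authentication schemes that make up Integrated Windows Authentication.
IWA_SCHEMES = ("negotiate", "ntlm")


def _find(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; returns the key as stored, or None."""
    for key in headers:
        if key.lower() == name.lower():
            return key
    return None


def is_iwa_challenge(value: str) -> bool:
    """True if the challenge or credential value uses an IWA scheme.

    The scheme is the first token of the header value ("Negotiate", "NTLM <token>",
    "Basic realm=..."); only Negotiate and NTLM qualify.
    """
    parts = value.strip().split(None, 1)
    return bool(parts) and parts[0].lower() in IWA_SCHEMES


def convert_server_challenge(status: int, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Force IWA for Server Auth, response side.

    A 401 with an IWA WWW-Authenticate challenge is rewritten to a 407 with the
    same challenge in Proxy-Authenticate, which an explicitly proxied IE accepts.
    Any other response passes through unchanged (copied, not mutated).
    """
    key = _find(headers, "WWW-Authenticate")
    if status != 401 or key is None or not is_iwa_challenge(headers[key]):
        return status, dict(headers)
    rewritten = {k: v for k, v in headers.items() if k != key}
    rewritten["Proxy-Authenticate"] = headers[key]
    return 407, rewritten


def convert_client_credentials(headers: Dict[str, str]) -> Dict[str, str]:
    """Force IWA for Server Auth, request side.

    The client answers the 407 with Proxy-Authorization; the origin server expects
    Authorization, so the header is renamed before the request is forwarded.
    Non-IWA credentials (for example Basic to a real upstream proxy) are left alone.
    """
    key = _find(headers, "Proxy-Authorization")
    if key is None or not is_iwa_challenge(headers[key]):
        return dict(headers)
    rewritten = {k: v for k, v in headers.items() if k != key}
    rewritten["Authorization"] = headers[key]
    return rewritten


if __name__ == "__main__":
    # Constructed exchange: origin server challenge, then the client's answer.
    print(convert_server_challenge(401, {"WWW-Authenticate": "Negotiate", "Content-Length": "0"}))
    print(convert_client_credentials({"Proxy-Authorization": "NTLM dG9rZW4=",  # constructed token
                                      "Host": "intranet.example.test"}))
```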

Reflect/Do Not Reflect IM Messages
These are static objects. IM traffic can be contained and restricted to the network so that it
never reaches the IM server. A hierarchy of SG appliances manages the traffic and routes
it depending on each SG appliance's fail-open and fail-closed configuration. For detailed
information about this deployment, refer to the Instant Messaging chapter in
Volume 4: Web Communication Proxies.


Note: Two built-in exceptions can be used to notify the user that the verification of
the server's certificate failed: exception.ssl_server_cert_expired and
exception.ssl_server_unknown_ca. For information on using exceptions, see
Chapter 4: "Advanced Policy Tasks" on page 162.

Set SSL Forward Proxy
The SSL Proxy enables the SG appliance to act as an HTTPS Forward Proxy, providing
performance gains and security (authentication, content filtering, anti-virus scanning) for
HTTPS traffic before it is delivered to clients. This object allows HTTPS content to be
intercepted and examined.


You can also use a button image (the image resides on an external Web server), as in the
following example:



If you use an HTML editor to compose code, you can paste it into the VPM; however,
only copy the HTML from the tag to the tag.
4. Under Notify mode, select an option that determines notification when visiting a new
   Web site:
   • Notify once for all hosts—The notification page is displayed only once; this is used
     for configuring compliance pages. This option uses a Virtual Notify URL. If you
     must change the URL from the default value, please read the limitation section
     following this procedure.
     Note: This option might cause users to experience some noticeable Web
     browsing slowness.
   • Notify only once for related domains—The notify page reappears each time the
     user visits a new Web site; this is used for configuring coaching pages.
     Note: This option interferes with some Web advertising banners. In some
     cases, the notification page appears inside the banner. In other cases, banner ads
     are disabled by JavaScript errors. To fix these problems, do not serve notification
     pages for URLs that belong to the Web Advertising, Advertising, or Web Ads
     category. The actual name of this category varies with the content filtering
     vendor, and some vendors do not have an equivalent.
   • Notify on every host—The notify page reappears each time the user visits a new
     Web host. Blue Coat recommends that only highly experienced administrators
     employ this option. In addition to breaking banner ads, as described in the
     previous option, this option, on some Internet Web sites, might cause JavaScript
     errors that impair the functionality of the site.
5. Under Notify users again, select an option that specifies when the notification expires
   and re-notification is required:
   • At next browser session—The notification page does not reappear until the next
     browser session. When a user reboots, logs out, or closes all Web browser
     windows, this ends the browser session.
   • After (time interval)—Notification reoccurs after the defined elapsed time
     (minutes or hours); this is useful for coaching.
   • After (specific time)—Notification reoccurs at a specific time of day. You can
     specify an interval of days; this is useful for compliance.
     Note: The time is referenced from the local workstation. If a compliance page is
     configured, verify the workstations and SG appliance clocks are synchronized.

The above example creates a Notify Object with a custom message, set to display once a
day after 7 AM.
Interactivities and Workarounds
If you must change the default Virtual Notify URL, consider the following:


• The Virtual Notify URL consists of an HTTP domain name or IP address (http://); a
  port number is optional.
• Do not use a host name that is explicitly defined as a trusted site on Internet Explorer 6
  for Windows XP, Service Pack 2. Furthermore, only use domain names that contain
  dots. If you use domain names that do not contain dots, the HTTP redirects generated
  by the notification action cause Internet Explorer to display false warning messages
  each time the user is redirected from an untrusted site to a trusted site, or the other
  way around.
• For transparent proxy deployments, the domain name must be DNS-resolvable to an
  IP address that is in the range of destination IP addresses that are routed to the SG
  appliance.

Policy Interactions
This action generates CPL that might interfere with other policy or cause undesired
behavior. Enhancements will occur in future SGOS releases. For this release, consider the
following guidelines:


• Do not create VPM policy that modifies the Cookie request header.
• Do not create VPM policy that modifies the Set-Cookie and P3P response headers.
• Notification pages exist in the browser history. Therefore, if you click Accept and are
  taken to the requested page, then click the back button, you get the notification page
  again.
• If you have a chain of SG appliances, with different notification pages configured on
  each appliance in the chain, then each notification page must have a different object
  name.

Strip Active Content
Strips HTTP tags from specified active content HTML pages. For each item you select for
removal, you can also create a customized message that is displayed to the user.
Note: Pages served over an HTTPS tunneled connection are encrypted, so the content
cannot be modified.

See Section B: "Stripping or Replacing Active Content" on page 158 for detailed
information about the different types of active content.


Set Server HTTP Compression
Enables or disables HTTP compression.
To specify compression options:
1. In the Name field, enter a name for the object or leave as is to accept the default.
2. Select a compression option:
   • Disable HTTP compression—The default. Objects are not compressed.
   • Use client HTTP compression options—Default to the type of content requested by
     the client.
   • Always request HTTP compression—Force clients to always request compressed
     content.
3. Click OK.

For recommended compression configurations, refer to Volume 3: Proxies and Proxy
Services.

Manage Bandwidth
Allows you to manage bandwidth for all protocols or specific protocols, on both inbound
and outbound traffic.
To create a manage bandwidth object:
1. In the Name field, enter a name for the object or leave as is to accept the default.
2. Select to limit bandwidth on the Client side or Server side:
   • Client side—Traffic flowing between a client and the SG appliance.
   • Server side—Traffic flowing between a server and the SG appliance.
3. Select to limit bandwidth for Inbound or Outbound traffic:
   • Inbound—Network packets flowing into the SG appliance. Inbound traffic mainly
     consists of packets originating at the origin content server (OCS) and sent to the
     SG appliance to load a Web object and packets originating at the client and sent to
     the SG appliance for Web requests.
   • Outbound—Network packets flowing out of the SG appliance. Outbound traffic
     mainly consists of packets sent to the client in response to a Web request and
     packets sent to an OCS or other service (such as a virus scanner) to request a
     service.
4. Select a Bandwidth Class from the drop-down list.
5. Click OK; click Save Changes.

For complete information about Bandwidth Management, refer to Volume 6: Advanced
Networking.

ADN Server Optimization
Specifies whether or not to apply byte caching, which increases performance, to an
Application Delivery Network tunnel connection. Byte caching can be applied to either
direction (server to client, client to server) or both.


Set Dynamic Categorization
Dynamic categorization extends the process of categorizing a URL. Traditional content
filtering involves searching of massive URL pattern databases, which are published by
vendors and downloaded to the SG appliance at specified intervals. As new content
constantly reaches the Web, the limitation is that it cannot be filtered until its existence is
discovered, added, and uploaded. Dynamic categorization enhances content filtering by
scanning a new Web page, attempting to determine its contents, and categorizing
accordingly in real time.
When an un-categorized page is first encountered, the SG appliance calls an external
service with a categorization request. Once the content is scanned, a category is assigned
(a majority of the time).
For related information, refer to the Content Filtering chapter in Volume 8: Managing
Content.
To configure dynamic categorization:
1. Select a mode:
   • Do not categorize dynamically—The loaded database is consulted for category
     information. URLs not in the database show up as category none.
   • Categorize dynamically in the background—Objects not categorized by the
     database are dynamically categorized as time permits. Proxy requests are not
     blocked while DRTR is consulted. Objects not found in the database appear as
     category pending, indicating that DRTR was requested, but the object was served
     before the DRTR response was available.
   • Categorize dynamically in realtime—The default. Objects not categorized by the
     database are dynamically categorized on first access. If this entails consulting the
     DRTR service, the proxy request is blocked until DRTR responds.
   • Use dynamic categorizing setting from configuration—Default to the SG appliance
     configuration (Content Filtering > Blue Coat > Dynamic Categorization).
2. Click OK.

Set External Filter Service
Specifies which installed content filtering service or service group a content request is
subjected to or bypasses, and specifies what occurs if a communication error occurs
between the SG appliance and the external service.


Set SOCKS Acceleration
Specifies whether or not to accelerate SOCKS requests, and defines the transport method.
To set SOCKS acceleration:
1. In the Name field, enter a name for the object or leave as is to accept the default.
2. Select one of the following:
   • Automatically—Accelerates SOCKS requests automatically, based on the
     destination port receiving the connection.
   • Do Not Accelerate—Never accelerate SOCKS requests matched by this rule.
   • Accelerate via [HTTP | AOL IM | MSN IM | Yahoo IM]—Specifies the type of
     acceleration applied to requests matched by this rule.
3. Click OK.

Set Streaming Max Bitrate
Specifies the maximum bitrate, in kilobits per second, of requested streaming media. If a
request exceeds this rule, the request is denied.

Set Client Connection DSCP Value
Sets the outgoing differentiated services code point (DSCP) value or action for primary
client connections (from the server) matching the DSCP value(s) in the Source column.
To set the server to client DSCP value or action:


Do Not Cache
This is a static object. Specifies that objects are never cached.

Force Cache
This is a static object. Specifies that (cacheable) objects are always cached. Objects that are
not cacheable (for example, RealMedia file types) and supported in pass-through mode
only are not cached.

Use Default Caching
This is a static object. Overrides the Do Not Cache and Force Cache actions and instructs
the SG appliance to use its default determination of whether or not to cache the content.

Mark/Do Not Mark As Advertisement
These are static objects. Specifies content to be identified as an advertisement. The SG
appliance still fetches content from the cache (if present); however, just after serving to the
client, the content is re-fetched from the ad server so that hit counters are updated.

Enable/Disable Pipelining
These are static objects. Enables or disables the SG appliance pipelining feature, which,
when enabled, examines Web pages for embedded objects and requests them from the
origin server in anticipation of a client request.

Set TTL
Specifies the time-to-live (TTL) an object is stored in the SG appliance. In the Name field,
enter a name for the object (or leave as is to accept the default); in the TTL field, enter the
amount of time in seconds.

Send Direct
This is a static object. Overrides forwarding host, SOCKS gateway, or ICP configurations
and instructs the SG appliance to request the content directly from the origin server.

Integrate/Do Not Integrate New Hosts
These are static objects. Used in server accelerator deployments. When enabled, the
corresponding host that is accessed is added to the list of hosts for which the SG appliance
performs health checks. If that host name resolves to multiple IP addresses that
correspond to different servers, the SG appliance fetches content from the available
servers and ignores the servers that fail the health check.

Allow Content From Origin Server
This is a static object. Allows requests to access content from an origin server if the content
is not cached.


Serve Content Only From Cache
This is a static object. Requests to access content that is not cached are denied. If the
content is cached, the content is served.

Select SOCKS Gateway
Specifies which SOCKS gateway, if any, to use; defines behavior if communication
between the SOCKS gateway and the SG appliance is down.


• To instruct the rule to connect directly without routing through a SOCKS service,
  select Do not use SOCKS gateway.
• To instruct the rule to connect through a SOCKS gateway, select Use SOCKS Gateway
  and select an installed SOCKS service from the drop-down list.
  In the If no SOCKS gateway is available field, select Deny the request or Connect
  directly, which allows requests to bypass the SOCKS service.

Select Forwarding
Specifies which forwarding host or group, if any, to use; defines behavior if
communication between the forwarding host and the SG appliance is down.
• To instruct the rule to connect directly without redirecting to a forwarding host or
  group, select Do not forward.
• To instruct the rule to redirect to a forwarding host, select Use Forwarding and select
  an installed forwarding host from the drop-down list.
  In the If no forwarding is available field, select Deny the request (fail closed) or Connect
  directly (fail open), which allows requests to bypass the forwarding host.
• To instruct the rule to forward using the ICP configuration, select Forward using ICP.

Server Byte Caching
Specifies whether byte caching is employed on either (branch or core) or both sides of an
Application Delivery Network connection (specified IP addresses in the rule). Byte
caching reduces WAN latency.



• Optimize traffic in both directions: Apply Byte Caching on traffic in both directions.
• Optimize only inbound traffic: Only apply Byte Caching on traffic coming into the
  server.
• Optimize only outbound traffic: Only apply Byte Caching on traffic leaving the server.
• Do not optimize traffic: Do not allow Byte Caching on specified connections.

Set IM Transport
Specifies the transport method used for IM traffic.


• Auto—Connects using the transport method used by the client.
• HTTP—Tunnels the IM requests over HTTP.
• Native—Connects using the native transport used by the service.


Set Streaming Transport
Specifies which streaming transport method the rule uses.


• Auto—Connects using the transport method used by the client.
• HTTP—Streaming over HTTP.
• TCP—Streaming over TCP.

Authentication Charset
The VPM allows you to enter non-ASCII characters in many objects, such as user and group
names and text for the “Notify User” on page 92 object. This object allows you to set the
character set to use in conjunction with localized policy. From the drop-down list, select a
character set and click OK.

Combined Action Objects
Allows you to create a combined action object that invokes multiple actions. See “Using
Combined Objects” on page 113.

Action Column/Policy Layer Matrix
The following matrix lists all of the Action column objects and indicates which policy layer
they apply to.
Object (policy layers: Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Int, SSL Acc,
Web Auth, Web Acc, Web Cont, Fwding)
[The per-layer marks of this matrix did not survive extraction; only the object names are
listed.]
Allow
Deny (static)
Allow Read-Only Access
Allow Read-Write Access
Do Not Authenticate
Authenticate
Force Authenticate
Bypass Cache
Do Not Bypass Cache
Check Authorization
Do Not Check Authorization
Always Verify
Use Default Verification
Block PopUp Ads
Do Not Block PopUp Ads
Force IWA For Server Auth
Do Not Force IWA For Server Auth
Require Client Certificate
Do Not Require Client Certificate
Reflect IM Messages
Do Not Reflect IM Messages
Block IM Encryption
Do Not Block IM Encryption
Deny
Return Exception
Return Redirect
Set Client Certificate Validation
Set Server Certificate Validation
SSL Forward Proxy
Send IM Alert
Modify Access Logging
Override Access Log Field
Rewrite Host
Reflect IP
Suppress Header
Control Request Header
Control Response Header
Notify User
Strip Active Content
Set Client HTTP Compression
Set Server HTTP Compression
Modify IM Message
Return ICAP Patience Page
Set Dynamic Categorization
Set External Filter Service
Set ICAP Request Service
Set ICAP Response Service
Use Default Caching
Set FTP Connection
Set SOCKS Acceleration
Set Streaming Max Bitrate
Client Connection DSCP Value
Server Connection DSCP Value
Send DNS/RDNS Response Code
Send DNS Response
Send Reverse DNS Response
Do Not Cache
Force Cache
Mark As Advertisement
Do Not Mark as Advertisement
Enable Pipelining
Disable Pipelining
Set TTL
Send Direct
Integrate New Hosts
Do Not Integrate New Hosts
Allow Content From Origin Server
Serve Content Only From Cache
Select SOCKS Gateway
Select Forwarding
Reflect IP
Set IM Transport
Set Streaming Transport
Authentication Charset
Combined Objects

Note: The e-mail object also contains a Subject field.

4. In the Message Text field, enter a customized message that appears with each entry.
5. Optional: Add substitution variables. The substitution variables instruct the SG
appliance to append specific information to the tracking object. The variables are
categorized alphabetically, according to prefix.
Note: Some variables do not have prefixes.
In the Substitution Variables field:
a. From the Category drop-down list, select a category to narrow the view to a
subset of variables.
b. The Display Option options allow you to further aggregate the variables by
ELFF (Extended Log File Format) or CPL (Content Policy Language).
c. Select a variable and click Insert. Rolling the mouse over a variable displays a
brief description of the variable. Repeat as required.

Tracing Objects
This object specifies rule and Web traffic tracing.
Click Trace Level and select one of the following trace options:
❐ No Tracing—The default.
❐ Request Tracing—Generates trace output for the current request. The trace output
contains request parameters (such as URL and client address), the final values of
property settings, and descriptions of all actions taken.
❐ Rule and Request—Generates trace output that displays each rule that was executed.
❐ Verbose Tracing—Generates the same output as Rule and Request, but also lists which
rules were skipped because one or more of their conditions were false, and displays
the specific condition in the rule that was false.
Furthermore, a trace destination can be entered that specifies the destination for any trace
produced by the current transaction. To specify a destination path, select Trace File and
enter a path in the field. For example, abc.html.
If a trace destination is configured in multiple layers, the actual trace destination value
displayed is the one specified in the last layer that had a rule evaluated (which has a
destination property configured). Consider the following multiple Web Access Layer
example, demonstrated by the generated CPL:

url.domain=aol.com trace.request(yes) trace.rules(all) trace.destination("aol_tracing.html")
url.domain=msn.com trace.request(yes) trace.rules(all) trace.destination("msn_tracing.html")
client.address=10.10.10.1 trace.request(yes) trace.rules(all)

The resulting actions are:



❐ Requests to the aol.com domain are logged to aol_tracing.html.
❐ Requests to the msn.com domain are logged to msn_tracing.html.
❐ Requests from the client with the IP of 10.10.10.1 are logged to the default location
of default.html.

Note: After using a trace to troubleshoot, remove the trace to save log space.

The Trace File option can be used in conjunction with or separately from the Trace Level option.
The default path of the trace file is accessible through one of the following URLs.
If the Management Console secure mode is enabled (the default on a new or upgraded
system):
https://SG_appliance_IP_address:8082/Policy/Trace/default_trace.html

If the Management Console is deployed in non-secure mode:
http://SG_appliance_address:8081/Policy/Trace/default_trace.html

Combined Track Object
Allows you to combine track objects into one. See “Using Combined Objects”.

Track Objects/Policy Layer Matrix
The following matrix lists all of the Track column objects and indicates which policy
layer they apply to.
Object (policy layers: Admin Auth, Admin Acc, DNS Acc, SOCKS Auth, SSL Int, SSL Acc,
Web Auth, Web Acc, Web Cont, Fwding)
[The per-layer marks of this matrix did not survive extraction; only the object names are
listed.]
Event Log
Email Log
SNMP Objects
Trace
Combined Objects
Comment Object Reference
The Comment object allows you to write any text to aid in labeling the policy layer. The
text in this field does not impact the policy.

Using Combined Objects
As previously discussed, you select one object for as many object types as required for a
given rule. Most object types also have the option of using a combined object. This feature
allows you to select multiple objects for a given type, thus creating more complex tools.
There are two uses for combined conditions: lists and multiple object types. Also consider
the Negate option, which exempts the objects in the list.


Restricting DNS Lookups
This section discusses DNS lookup restrictions and describes how to create a list.

About DNS Lookup Restriction
The DNS lookup restriction list is a list of domain names that apply globally, regardless of
policy layer definitions. Once a domain name is added to the list, DNS lookup requests do
not occur for that domain name while policy is evaluated. For more detailed information
about using DNS lookups, refer to Volume 11: Blue Coat SG Appliance Content Policy
Language Guide.

Creating the DNS Lookup Restriction List
The list is created from the VPM Menu bar.
To create the DNS lookup restriction list:
1. Select Configuration > Set DNS Lookup Restrictions; the Set DNS lookup restrictions
dialog appears.
The default is None; no domain names are restricted.
2. To restrict every domain name, select All.
3. To add specific domain names, perform the following steps.
a. Select Listed Host Patterns. This enables the Host Patterns field.
b. Click Add; the Add Host Pattern dialog appears.
c. Enter a domain name; click OK.
d. Repeat to add other domain names.
e. Click OK.

Restricting Reverse DNS Lookups
This section discusses reverse DNS lookup restrictions and describes how to create a list.

About Reverse DNS Lookup Restriction
The Reverse DNS lookup restriction list is a list of subnets that apply globally, regardless
of policy layer definitions. Once a subnet is added to the list, the SG appliance will not
perform a reverse lookup of addresses on that subnet during policy evaluation. For more
detailed information about using reverse DNS lookups, refer to Volume 11: Blue Coat SG
Appliance Content Policy Language Guide.

Creating the Reverse DNS Lookup Restriction List
The list is created from the VPM Menu bar. This prevents the SG appliance from
performing reverse DNS lookups of addresses in the list while evaluating policy.
To create the reverse DNS lookup restriction list:
1. Select Configuration > Set Reverse DNS Lookup Restrictions; the Set Reverse DNS
lookup restrictions dialog appears.
The default is None; no subnets are restricted.
2. To restrict every subnet, select All.
3. To add specific subnets, perform the following steps.
a. Select Listed Subnets. This enables the Subnets field.
b. Click Add; the Add Subnet dialog appears.
c. Enter a subnet; click OK.
d. Repeat to add other subnets.
e. Click OK.

Setting the Group Log Order
This section discusses the group log order and describes how to create a list.

About the Group Log Order
The Group Log Order object allows you to establish the order group data appears in the
access logs. For more detailed information about using group log ordering, refer to Volume
11: Blue Coat SG Appliance Content Policy Language Guide.

Creating the Group Log Order List
The list is created from the VPM Menu bar.
To create the group log order list:
1. Select Configuration > Set Group Log Order; the Set Group Log Order dialog appears.
2. Click Add; the Add Group Object dialog appears.
3. In the Group Name field, enter the name of a group.
The group must be already configured on the SG appliance.
4. From the Authentication Realm drop-down list, select a realm.
5. Click OK.
6. Repeat as required to add more groups.
7. To order the list, select a group and click Move Up or Move Down until you achieve the
desired order.
8. Click OK.


Section D: Managing Policy Layers, Rules, and Files
This section contains the following topics:
❐ “How Policy Layers, Rules, and Files Interact”—Describes the importance of rule
order and policy layer order.
❐ “Managing Policy”—Describes how to save and install policies on the SG appliance.
❐ “Installing VPM-Created Policy Files”—Describes how to propagate a policy file
created on one SG appliance to another.
❐ “Viewing the Policy/Created CPL”—Describes how to view the underlying CPL that
is created with VPM.

How Policy Layers, Rules, and Files Interact
The following critical points discuss the behaviors and priorities of policy rules, layers,
and files:
❐ Rules in different policy layers of the same type work together, and the order of policy
layers is important.
❐ The order of policy layers of different types is important.
❐ The order of rules in a policy layer is important.
❐ Policy created in VPM is saved in a file on the SG appliance; the state of the VPM user
interface is also stored as an XML file on the SG appliance.
Note: These files are stored only if the policy is installed without any errors.
❐ How the appliance evaluates those rules in relation to policy layers that exist in the
central and local policy files is important. For more information, see Chapter 2:
"Managing Policy Files" on page 13.

How VPM Layers Relate to CPL Layers
VPM generates CPL in various layers, but the concept of layers presented in VPM is
slightly different. VPM provides policy layers for special purposes; for example, the Web
Authentication and Web Authorization layers both generate CPL layers. This
minimizes timing conflicts by restricting the choices of triggers and properties to those
with compatible timing requirements. The following table summarizes how to use VPM
layers and which CPL layers result.
Table 3-4. VPM-Generated CPL Layers
Policy Purpose: VPM Layer
Establish Administrator identities: Admin Authentication
Control Administrator access: Admin Authorization
Control DNS access: DNS Access
Establish SOCKS user identities: SOCKS Authentication
Allow HTTPS interception: SSL Intercept
Control HTTPS traffic: SSL Access
Establish user identities: Web Authentication
Control user access: Web Access
Control content independent of users: Web Content
Control forwarding: Forwarding
[The CPL Layer column of this table did not survive extraction.]

Note: VPM currently does not support the layer.

Ordering Rules in a Policy Layer
The SG appliance evaluates the rules in the order in which they are listed in a policy layer.
When it finds a rule that applies to the situation, it skips the remaining rules in the policy
layer and goes on to the next policy layer.
Consider the following simple example. Assume that a company has a policy that
prohibits everyone from accessing the Web. This is a policy that is easy to create with a
Web Access layer rule.
There are, however, likely to be exceptions to such a broad policy. For example, you
require the manager of the purchasing department to be able to access the Web sites of
suppliers. Members of the sales department need to access their customer Web sites.
Creating Web Access rules for both these situations is also simple. But if you put all these
rules in a single policy layer, then the rule prohibiting access to everyone must be ordered
last, or the other two rules are not applied.
Principle Design Rule:
Always go from the specific to the general.

Using Policy Layers of the Same Type
Because the SG appliance skips the remaining rules in a policy layer as soon as it finds one
that meets the condition, multiple policy layers and a combination of rules might be
required to accomplish a task.
Consider the following example. A company does not want to prohibit its employees from
accessing the Web, but it does not want them to abuse the privilege. To this end, the
company wants employees who access the Web to authenticate when they do so; that is,
enter a username and password. So the company creates a Web Authentication policy
layer with a rule that says: “If anyone from anywhere in the company sends a request to a
URL on the Web, authenticate the client before granting access.”

The company also allows members of the group Sales to access various sports Web sites
only during non-work hours. Given the Web Authentication rule above, these people
must authenticate when they do this. But the company feels that it is not important for
people going to these sites after hours to authenticate. So the company creates the
following Web Access policy-layer rule:
❐ Grant Sales personnel access to sports Web sites from 5:00 PM to midnight.
But there are additional issues. Some members of the sales department spend a lot of
time watching game highlights on video clips, and this takes up a lot of bandwidth.
At the same time, a lot of customers access the company Web site in the evening
(during non-work hours), so internal bandwidth should remain manageable. The
company, therefore, limits the bandwidth available to the people in the Sales
department with a Web Access layer rule that is identical to the one above in all
respects except for the action:
❐ Grant Sales personnel access to sports Web sites from 5:00 PM to midnight, but limit
the maximum streaming bitrate to 300 kilobits per second.
For both these rules to work, they need to be in separate policy layers. If they were in the
same policy layer, the rule listed second would never be applied.

Ordering Policy Layers
The order of policy layers is also important. The SG appliance evaluates policy layers in
the order in which they are listed in VPM. When the SG appliance is going through policy
layers, it does not execute a given rule as soon as it finds that it meets the specific
situation. Rather, it compiles a list of all the rules that meet the condition; when it has gone
through all the policy layers, it evaluates the list, resolves any apparent conflicts, and then
executes the required actions. If there is a conflict between rules in different policy layers,
the matching rule in the policy layer evaluated last takes precedence.
In the above example, there are two Web Access policy layers: one contains a rule stating
that Sales personnel can access certain Web sites without authenticating, and the other
states that when they do access these Web sites, limit the available bandwidth. The order
of these policy layers is irrelevant. The order is irrelevant because there is no conflict
between the rules in the layers.
The following is an example in which the order of policy layers does matter. Assume all
URL requests from members of the purchasing department are directed to a single proxy
server. To discourage employees from surfing the Web excessively during business hours,
a company creates a Web Authentication Policy rule that says: “Whenever a client request
comes in to the proxy server, prompt the client to authenticate.”
Members of the purchasing department, however, need to access specific Web sites for
business reasons, and the company does not want to require authentication every time
they do this. So they create a Web Access policy rule that says: “If any member of the
purchasing department sends a request to a specific URL contained in a combined-object
list, allow access.”
The policy layer with the first rule needs to come first in evaluation order; it is then
overridden by the second rule in a subsequent policy layer.
Principle Policy Layer Design Rule
Always go from the general to the specific; that is, establish a general rule in an early
policy layer, then write exception rules in later policy layers.
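As an added illustration (constructed Python, not Blue Coat code and not CPL), the following simulates the evaluation order described in this section and in the trace destination discussion under "Tracing Objects": first match wins inside a layer, a later layer overrides an earlier one on conflict, and a property a later layer does not set (such as trace.destination) survives from an earlier layer. The request fields and property names are assumptions chosen for illustration.

```python
"""Constructed simulation of VPM rule and layer ordering: first match inside a
layer; across layers, the matching rule of the layer evaluated last wins on
conflict. Not Blue Coat code; request fields and property names are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, object]
Properties = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    properties: Properties


@dataclass
class Layer:
    name: str
    rules: List[Rule]


def first_match(layer: Layer, request: Request) -> Optional[Rule]:
    """Inside one layer the appliance takes the first rule that applies and
    skips the remaining rules of that layer."""
    for rule in layer.rules:
        if rule.condition(request):
            return rule
    return None


def evaluate(layers: List[Layer], request: Request,
             defaults: Optional[Properties] = None) -> Tuple[Properties, List[str]]:
    """Walk the layers in listed order, collect each layer's matching rule, then
    resolve conflicts by letting the later layer overwrite the earlier one.
    Keys a later layer does not set are left alone, which is why a
    trace.destination configured only in an earlier layer survives."""
    resolved: Properties = dict(defaults or {})
    matched: List[str] = []
    for layer in layers:
        rule = first_match(layer, request)
        if rule is not None:
            matched.append(f"{layer.name}:{rule.name}")
            resolved.update(rule.properties)
    return resolved, matched


# Rule order inside one layer: the specific exceptions must precede "deny everyone".
deny_all = Rule("deny everyone", lambda r: True, {"allow": False})
purchasing_suppliers = Rule(
    "purchasing manager -> supplier sites",
    lambda r: r["group"] == "purchasing-mgr" and r["site"] == "supplier",
    {"allow": True})
sales_customers = Rule(
    "sales -> customer sites",
    lambda r: r["group"] == "sales" and r["site"] == "customer",
    {"allow": True})
WRONG_ORDER = Layer("Web Access", [deny_all, purchasing_suppliers, sales_customers])
RIGHT_ORDER = Layer("Web Access", [purchasing_suppliers, sales_customers, deny_all])


def access_allowed(layer: Layer, request: Request) -> bool:
    props, _ = evaluate([layer], request, {"allow": False})
    return bool(props["allow"])


# Two rules with identical conditions: in one layer the second never runs.
def sales_sports_after_hours(r: Request) -> bool:
    return r["group"] == "sales" and r["site"] == "sports" and 17 <= r["hour"] < 24


grant = Rule("grant sports access", sales_sports_after_hours, {"allow": True})
limit = Rule("limit bitrate", sales_sports_after_hours,
             {"allow": True, "max_bitrate_kbps": 300})
SAME_LAYER = [Layer("Web Access", [grant, limit])]
SEPARATE_LAYERS = [Layer("Web Access 1", [grant]), Layer("Web Access 2", [limit])]

# trace.destination: the last layer that configures it wins; a later layer that
# only sets trace.request leaves the destination untouched.
TRACE_LAYERS = [
    Layer("Web Access (aol)", [Rule("aol", lambda r: r["domain"] == "aol.com",
          {"trace.request": True, "trace.destination": "aol_tracing.html"})]),
    Layer("Web Access (msn)", [Rule("msn", lambda r: r["domain"] == "msn.com",
          {"trace.request": True, "trace.destination": "msn_tracing.html"})]),
    Layer("Web Access (client)", [Rule("client", lambda r: r["client"] == "10.10.10.1",
          {"trace.request": True})]),
]


def trace_destination(request: Request) -> str:
    props, _ = evaluate(TRACE_LAYERS, request, {"trace.destination": "default.html"})
    return str(props["trace.destination"])


if __name__ == "__main__":
    purchasing = {"group": "purchasing-mgr", "site": "supplier", "hour": 10}
    print("deny-first order allows purchasing manager:", access_allowed(WRONG_ORDER, purchasing))
    print("specific-first order allows purchasing manager:", access_allowed(RIGHT_ORDER, purchasing))
    evening_sales = {"group": "sales", "site": "sports", "hour": 18}
    print("same layer:", evaluate(SAME_LAYER, evening_sales))
    print("separate layers:", evaluate(SEPARATE_LAYERS, evening_sales))
    print("trace:", trace_destination({"domain": "aol.com", "client": "10.10.10.1"}))
```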


Installing Policies
As you add policy layers and rules, your work is saved in a file on the SG appliance.
However, policies only take effect after you install the policies and the generated XML has
been validated. The SG appliance then compiles the policies into CPL format and saves
the resulting policies in the vpm.cpl file. This overwrites any policies previously created
using VPM. The appliance saves VPM-generated policies in a single file and loads it all at
once. You do not need to load policies separately, as is the case with the local or central
policy files.
To install policies:
❐ Select File > Install Policies, or
❐ Click Install Policies on the Rule bar.
The VPM validates the generated XML for any issues, such as missing layers. If the
validation passes, the CPL is generated and the policies are loaded.
If the XML fails the validation, a dialog appears allowing you to:
❐ Revert to the policy currently installed on the SG appliance, or
❐ Continue to edit the policy and attempt another installation.
Furthermore, the failed XML file is written to your hard disk; view this file to
troubleshoot the failed XML. The default location for this file is:
C:\Documents and Settings\user.name\bluecoat\vpm_err.xml

Notes
The Category and Notify User objects and the DNS Lookup Restrictions, Reverse DNS
Lookup Restrictions, and Group Log Order configuration objects generate CPL regardless
of whether they are included in rules. These specific objects and features allow users to
edit categories and lists that might or might not be used in current policies.

Managing Policy
This section describes how to manage VPM policy.

Refreshing Policy
Between the times when VPM is closed and reopened or Install Policies is invoked, VPM
does not recognize changes to VPM-managed policy that were made on the SG appliance
through another method. For example:
❐ Another administrator opens a separate VPM to make changes.
❐ Another administrator edits the local or central policy file through the serial console.
❐ Another administrator makes edits to the local or central policy file.
❐ A new content filter database is downloaded automatically and the new update
contains category changes.
❐ A new content filter database is downloaded manually by an administrator.


Reverting to a Previous Policy
If after creating new policies or editing an existing policy you decide to abandon the
process and continue with the existing policy installed on the SG appliance, you can revert
to that version. All current changes are deleted (VPM provides a verification prompt).
To revert to an existing installed policy:
Select File > Revert to Existing Policy on SG Appliance.

Changing Policies
You can change, edit, delete, add to, and otherwise manage policies created in VPM at any
time by returning to VPM and working with policy layers and rules just as you did when
creating them.

Managing Policy Layers
This section describes how to perform edits of policy layers.

Renaming a Policy Layer
The VPM allows you to rename policy layers and disable and re-enable layers.
To rename a policy layer:
1. Right-click the tab of the policy layer and select Rename. The Rename New Layer
dialog appears.
2. Rename the layer and click OK.

Disabling a Policy Layer
Disabling policy layers allows you to remove a subset of the employed policy without
losing the rules and the effort put forth to create them. Once disabled, the policy in that
layer is ignored. You can re-enable a disabled layer at any time.
To disable or enable a policy layer:
Right-click the tab of the policy layer and select Disable Layer. The layer name text turns
red and the layer rules are greyed-out.
To re-enable a layer, repeat this step and select Enable Layer.

Deleting a Policy Layer
You can completely remove a policy layer.

Important: Once deleted, a layer cannot be recovered.
To delete a policy layer:
1. Right-click the tab of the policy layer to be deleted.
2. Select Delete Policy from the drop-down list.


Note: All of the above procedures can be accomplished from the Menu Bar>Edit dropdown list.

Managing Policy Rules
Occasionally, you might need to temporarily disable rules in a policy layer; for example,
when troubleshooting compile errors and warnings. This might help confirm that the SG
appliance can successfully compile the remaining policy. After disabling a rule, you can
edit the objects and re-enable the rule.
To disable or enable a rule:
1. Click the appropriate policy layer tab.
2. Right-click in the No. column.
3. Click Disable Rule on the shortcut menu. The policy editor changes the rule text color
to red.
4. To enable the rule, repeat step 3. After you enable a disabled rule, the policy editor
changes the rule text color to black.

Installing VPM-Created Policy Files
Policies created with VPM are saved on the specific SG appliance on which they are
created. SGOS automatically creates the following files when saving VPM-created
policies:
config_policy_source.xml
config_policy_source.txt

You can install VPM policies that were created on another SG appliance. This requires the
following steps:
1. Copy the two VPM files to be shared to a Web server from the SG appliance on which
they reside.
2. Use the Management Console or CLI to load the VPM files on another SG appliance.

To copy VPM files from an SG appliance to a Web server:
1. Select Statistics > Advanced.
2. Scroll down and click Policy.
The page jumps down to the Policy files links.

To view the VPM policy file:
Select View > Current SG Appliance VPM Policy Files.
Important: Do not edit or alter VPM-generated files by opening the VPM policy file
and working in the generated CPL. To edit, change, or add to VPM policies, edit the
policy layers and re-install the policy.


Chapter 4: Advanced Policy Tasks

This chapter provides conceptual and procedural information about the SG appliance
advanced policy features. While many SG appliance features have a policy component,
some features have no configuration component outside policy. Configuring advanced
policy is accomplished by defining rules in the Visual Policy Manager (VPM) or by
composing Content Policy Language (CPL). While some examples are provided in this
chapter, references to the relevant VPM chapter component are included in each
section.
This chapter contains the following topics:
❐ Section A: "Blocking Pop Up Windows" on page 156
❐ Section B: "Stripping or Replacing Active Content" on page 158
❐ Section C: "Modifying Headers" on page 161
❐ Section D: "Defining Exceptions" on page 162
❐ Section E: "Managing Peer-to-Peer Services" on page 174
❐ Section F: "Managing QoS and Differential Services" on page 180

Except for exceptions, you must use policy to implement these capabilities. (For
exceptions, you can create a list outside of policy to install on the system.)


Section A: Blocking Pop Up Windows


❐ Users—When a pop up window is blocked, a message is displayed in the status
bar:
blocked popup window -- use CTRL Refresh to see all popups.
While pressing the Control key, click the Web browser Refresh button; the page is
reloaded with pop up blocking disabled for that action.
❐ Create a separate Web Access policy layer for pop up blocking actions. This alleviates
interference with Web applications deployed on your Intranet that require pop up
windows.
❐ To prevent a cached Web page from spawning pop up windows, clear the browser
cache, then reload the page without holding down the CTRL key.

Blocking pop up windows is accomplished through the Visual Policy Manager. See
“Block/Do Not Block PopUp Ads” on page 81 for information about how to create
blocking actions in a policy layer.


Section B: Stripping or Replacing Active Content
This section describes the Blue Coat solution for stripping or replacing unwanted active
content.

About Active Content
Scripts activated within Web pages can pose a security concern. The ProxySG policy can
be configured to supplement standard virus scanning of Web content by detecting and
removing the HTML tags that launch active content such as Java applets or scripts. In
addition, the removed content can be replaced with predefined material, a process
referred to as active content transformation.
When the SG appliance is configured to perform active content transformation, Web pages
requested by a client are scanned before they are served, and any specified tags and the
content they define are either removed or replaced. Because the transformed content is not
cached, the transformation can be based on a variety of conditions, including time of
day, client identity, or URL.
Note: Pages served over an HTTPS tunneled connection are encrypted, so the content
cannot be modified.

The following tags and related content can be removed or replaced:
❐ <APPLET>—Java applets, as defined by HTML <applet> elements.
❐ <EMBED>—Embedded multimedia objects displayed using Netscape Navigator plugins, as defined by HTML <embed> elements.
❐ <OBJECT>—Embedded multimedia objects displayed using Internet Explorer ActiveX controls and other multimedia elements, as defined by HTML <object> elements.
❐ <SCRIPT>—Embedded JavaScript and VBScript programs, whether these are represented as HTML <script> elements, JavaScript entities, JavaScript URLs, or event handler attributes. The <noscript> tag is not affected by this feature.

Stripping active content is accomplished through the Visual Policy Manager or by composing CPL.
❐ See “Strip Active Content” on page 95 for information about how to create a Strip Active Content action object in a Web Access policy layer.
❐ Refer to Volume 11: Blue Coat SG Appliance Content Policy Language Guide.

About Active Content Types
The following sections provide more detail about the types of active content that can be removed or replaced.

Script Tags
Scripts are generally placed between the start and end tags <SCRIPT> and </SCRIPT>. The type of script used is defined by the LANGUAGE attribute; for example, <SCRIPT LANGUAGE="JavaScript 1.0">. When the LANGUAGE attribute is undefined, the browser assumes JavaScript.

When transform active_content is configured to remove scripts, the basic operation is to remove all content between and including <SCRIPT> and </SCRIPT>, regardless of the language type, and substitute any defined replacement text. A notable exception occurs when a script is defined in the header portion of the HTML document (defined by the <HEAD> tag). In this case, the script is simply removed. This is because images, objects, and text are not allowed in the header of an HTML document. If the end script tag </SCRIPT> is missing from the document (the end of the document is defined as either up to the </BODY> or </HTML> tag, or the last character of the document), then all content from the start tag to the end of the document is removed.

JavaScript Entities
JavaScript entities have the following format: &{javascript code} and are found anywhere in the value part of an attribute (that is, <IMG SRC="&{images.logo};">). You can define more than one entity in the value portion of the attribute. When transform active_content is configured to remove scripts, all JavaScript entity attribute/value pairs are removed. No replacement text is put in its place.

JavaScript Strings
JavaScript strings have the following format: javascript: javascript code and are found anywhere in the value part of an attribute, though usually only one of them can be defined in an attribute. Most modern browsers support JavaScript strings. When transform active_content is configured to remove scripts, all JavaScript string attribute/value pairs are removed. No replacement text is put in its place.

JavaScript Events
JavaScript events are attributes that start with the keyword on. For example, <A HREF="index.html" onMouseOver="javascript code">. The HTML 4.01 specification defines 21 different JavaScript events:
onBlur, onChange, onClick, onDblClick, onDragDrop, onFocus, onKeyDown, onKeyPress, onKeyUp, onLoad, onMouseDown, onMouseMove, onMouseOut, onMouseOver, onMouseUp, onMove, onReset, onResize, onSelect, onSubmit, onUnload

Both Microsoft Internet Explorer and Netscape have defined variations on these events as well as many new events. To catch all JavaScript events, the active content transformer identifies any attribute beginning with the keyword on, not including on itself. For example, the attribute onDonner in the tag <A HREF="index.html" onDONNER="DONNER"> is removed even though onDonner does not exist as a valid JavaScript event in the browser.
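As an added illustration (constructed Python, not Blue Coat code; the appliance's own transformer is not published here), the following applies the SCRIPT, JavaScript entity, JavaScript string and on* event attribute removals described above to a constructed page, and also applies the EMBED and OBJECT handling described in the next two subsections. The replacement text is a parameter; the sample page is constructed.

```python
"""Constructed model of the active content transformation rules: SCRIPT
elements, JavaScript entities, javascript: strings, on* event attributes,
EMBED and OBJECT tags. Not Blue Coat code."""
import re

# A SCRIPT element of any LANGUAGE; an unterminated one runs to </BODY>, </HTML> or EOF.
_SCRIPT = re.compile(
    r"<script\b[^>]*>.*?(?:</script\s*>|(?=</body\b)|(?=</html\b)|\Z)", re.I | re.S)
_EMBED_START = re.compile(r"<embed\b[^>]*>", re.I)
_EMBED_END = re.compile(r"</embed\s*>", re.I)
_OBJECT_TAGS = re.compile(r"</?object\b[^>]*>", re.I)
_START_TAG = re.compile(r"<[A-Za-z][^>]*>")
_TAG_NAME = re.compile(r"<[A-Za-z][\w:-]*")
_ATTR = re.compile(r"""\s*([^\s=/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?""")


def _split_at_head_end(html: str):
    """Scripts in the HEAD are removed without replacement text, body scripts with it."""
    m = re.search(r"</head\s*>", html, re.I)
    return (html[:m.start()], html[m.start():]) if m else ("", html)


def _clean_tag(m: "re.Match[str]") -> str:
    """Drop JavaScript entities, javascript: strings and on* attributes from one start tag."""
    tag = m.group(0)
    name = _TAG_NAME.match(tag).group(0)
    body = tag[len(name):].rstrip(">").rstrip()
    self_closing = body.endswith("/")
    if self_closing:
        body = body[:-1]
    kept = []
    for attr in _ATTR.finditer(body):
        aname, value = attr.group(1), attr.group(2)
        bare = (value or "").strip("\"'")
        if len(aname) > 2 and aname.lower().startswith("on"):  # any on* attribute, not "on" itself
            continue
        if bare.lower().startswith("javascript:"):             # JavaScript string
            continue
        if "&{" in bare:                                        # JavaScript entity
            continue
        kept.append(aname if value is None else f"{aname}={value}")
    return name + "".join(" " + a for a in kept) + ("/>" if self_closing else ">")


def transform_active_content(html: str, replacement: str = "") -> str:
    """Whole SCRIPT elements go first so their bodies are never parsed as tags,
    then EMBED and OBJECT tags, then the attribute-level removals on every tag."""
    head, rest = _split_at_head_end(html)
    html = _SCRIPT.sub("", head) + _SCRIPT.sub(lambda _: replacement, rest)
    html = _EMBED_START.sub(lambda _: replacement, html)   # fallback text is kept
    html = _EMBED_END.sub("", html)
    html = _OBJECT_TAGS.sub(lambda _: replacement, html)   # inner text is kept
    return _START_TAG.sub(_clean_tag, html)


# Constructed sample page exercising every case, including an unterminated script.
SAMPLE = (
    '<html><head><title>t</title><script>var a=1;</script></head>'
    '<body><p>Hi</p><script LANGUAGE="VBScript">MsgBox 1</script>'
    '<A HREF="index.html" onDONNER="DONNER">x</A>'
    '<IMG SRC="&{images.logo};" alt="logo">'
    '<a href="javascript:void(0)">y</a>'
    '<embed src="m.swf">fallback</embed>'
    '<object type="x">inner</object>'
    '<noscript>ns</noscript><script>unterminated</body></html>'
)

if __name__ == "__main__":
    print(transform_active_content(SAMPLE, "[removed]"))
```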
For the onDONNER example above, the transformed file would show <A HREF="index.html">.

Embed Tags
HTML <EMBED> tags are not required to have an </EMBED> end tag. Many Web browsers do, however, support the <EMBED> </EMBED> tag pair. The text between the tags is supposed to be rendered by the browser when there is no support for the embed tag, or if the MIME type of the embed object is not supported. Thus, when transform active_content is configured to transform embed tags, only the <EMBED> tag is removed and replaced with any replacement text. Any occurrence of the end tag </EMBED> is simply removed, leaving the text between the beginning and end tags intact.

Object Tags
Object tags have a start <OBJECT> and end </OBJECT> tag pair, and the attributes CODETYPE and TYPE determine the type of object. The text between the tags is supposed to be rendered by the browser when the object tag is not supported, so when transform active_content is configured to transform object tags, only the <OBJECT> and </OBJECT> tags are removed and replaced with any replacement text. The text between the tags remains. The CODETYPE or TYPE attributes do not affect the transformation. Also, if the end </OBJECT> tag is missing, the transformation is not affected.

Section C: Modifying Headers
The request headers sent when users access Web objects can contain a lot of information. This raises the concern that such details compromise the privacy or security of the enterprise or user.
When a user clicks on a link, the Web browser sets the request's Referer header to the URL of the Web page that contained the link.
(This header is not set if the URL was entered or selected from a favorites or bookmarks list.) If an internal Web page provides links to external Web sites, users clicking those links send the URL of the internal pages, which is then logged in the Web logs of those external sites. This is not usually an issue; however, if the external Web site is a competitor Web site or another site with an interest in the internal details of your enterprise, this might be a concern.
For example, how you structure your intranet might suggest something about your company's current or future direction. Certain project names or codewords might show up in directory or file names. Exposing the structure of the intranet makes it easier for hackers to attack the network.
The broad solution of deleting Referer headers from all requests presents a problem because some Web sites do not serve images or other linked objects unless the Referer header is set to a referring page on that same Web site. The solution implemented by Blue Coat is to strip the Referer header only when the target Web page resides on the Internet and the referring page is on an internal host.
Suppressing headers is accomplished through the Visual Policy Manager or by composing CPL.
❐ See "Suppress Header" on page 90 for information about how to create a Suppress Header action object in a Web Access policy layer.
❐ Refer to Volume 11: Blue Coat SG Appliance Content Policy Language Guide.

Section D: Defining Exceptions
Exceptions are sent in response to certain SG appliance client requests, such as denial by policy, failure to handle the request, and authentication failure. Exceptions are returned to users based on policy rules defined by the SG appliance administrator.
For example, if a client sends a request for content that is not allowed, an exception HTML page (for HTTP connections) or an exception string (for non-HTTP connections) is returned, informing the client that access is denied.
Two types of exceptions are used: built-in and user-defined.

Built-in Exceptions
Built-in exceptions are a set of pre-defined exceptions contained on the SG appliance. Built-in exceptions send information back to the user under operational contexts that are known to occur, such as policy_denied or invalid_request.
Built-in exceptions are always available and can also have their contents customized; however, built-in exceptions cannot be deleted, and you cannot create new built-in exceptions.
The table below lists the built-in exceptions and the context under which they are issued.

Table 4-1. Exceptions
Exception Type
    Issued When

authentication_failed
    The transaction cannot be authenticated, usually because the credentials were incorrect. authentication_failed is a synonym for deny.unauthorized.
authentication_failed_password_expired
    The authentication server reports that the credentials provided have expired, and a new password must be obtained.
authentication_mode_not_supported
    The configured authentication mode is not supported for the current request.
authentication_redirect_from_virtual_host
    Transparent redirect authentication is being used. This exception redirects the transaction from the virtual authentication host to the original request.
authentication_redirect_off_box
    The request is being redirected to an authentication service on another device.
authentication_redirect_to_virtual_host
    Transparent redirect authentication is being used.
    This exception redirects the transaction to the virtual authentication host.
authentication_success
    Transparent redirect authentication with cookies is being used. This exception redirects the transaction to the original request, but removes the authentication cookie from the request URL.
authorization_failed
    The deny.unauthorized policy action is matched. This exception notifies the user that their currently authenticated identity is not permitted to perform the requested operation, but they might have some other credentials that would allow their request through (for example, they get an opportunity to enter new credentials).
client_failure_limit_exceeded
    Too many requests from your IP address ($(client.address)) have failed.
configuration_error
    A configuration error on the SG appliance was detected, and the requested operation could not be handled because of the configuration error. This exception is a likely indicator that the administrator of the SG appliance must intervene to resolve the problem.
connect_method_denied
    A user attempted a CONNECT method to a non-standard port when explicitly proxied.
    Blue Coat does not allow CONNECT methods to non-standard ports by default because it is considered a security risk to do so.
content_filter_denied
    A particular request is not permitted because of its content categorization.
content_filter_unavailable
    An external content-filtering service could not be contacted, and the SG appliance is failing closed in such a situation.
dns_server_failure
    The request could not be processed because the SG appliance was unable to communicate with the DNS server in order to resolve the destination address of the request.
dns_unresolved_hostname
    The request could not be processed because the SG appliance was unable to resolve the hostname in the request with DNS.
dynamic_bypass_reload
    The dynamic_bypass policy action is matched.
gateway_error
    There was a network error while attempting to communicate with the upstream gateway.
icap_communication_error
    A network error occurred while the SG appliance was attempting to communicate with an external ICAP server.
internal_error
    The SG appliance encountered an unexpected error that resulted in the inability to handle the current transaction.
invalid_auth_form
    The submitted authentication form is invalid. The form data must contain the username, password, and valid original request information.
invalid_request
    The SG appliance was unable to handle the request it received because it detected that there was something fundamentally wrong with the syntax of the request.
license_expired
    The requested operation cannot proceed because it would require the usage of an unlicensed feature.
method_denied
    The requested operation utilizes a method that has been explicitly denied because of the service properties associated with the request.
not_implemented
    The protocol cannot handle the requested operation because it utilizes a feature that is not currently implemented.
notify
    Used internally by VPM. You do not need to customize the text of this exception, since in this case the entire HTML response is generated by VPM and is not taken from the exception definition.
notify_missing_cookie
    This exception is returned when a VPM Notify User action is being used to notify the user, and the user has disabled cookies in the Web browser.
policy_denied
    policy_denied is a synonym for deny.
policy_redirect
    A redirect action is matched in policy.
redirected_stored_requests_not_supported
    (This applies to forms authentication with POST requests only.) The origin server returned a redirect for the request. The SG appliance is configured to not allow stored requests to be redirected.
refresh
    A refresh (using the HTTP Refresh: header) is required.
    The refresh exception (by default) refreshes the originally requested URL (or in some cases, its post-imputed form).
server_request_limit_exceeded
    Too many simultaneous requests are in progress to $(url.host).
silent_denied
    An exception(silent_denied) is matched in policy. This exception is pre-defined to have no body text, and is silent in that it results in only the status code being sent to the client.
ssl_domain_invalid
    There was a failure contacting an upstream host through HTTPS because the certificate presented by the upstream host was either the incorrect one or invalid.
ssl_failed
    A secure connection could not be established to an upstream host. This is typically because the upstream host is not configured to accept SSL connections.
tcp_error
    A network error occurred attempting to communicate with an upstream host.
transformation_error
    The server sends an unknown encoding and the SG appliance is configured to do content transformation.
unsupported_encoding
    The client makes a request with an Accept-Encoding: Identity;q=0, … header. Only uncompressed content is available in cache, the SG appliance is not configured to compress the content, or the compression license is expired, or the client request results in Accept-Encoding: Identity;q=0 because of the combination of request and configured policy.
unsupported_protocol
    The protocol used in the request is not understood.

Most of the above exceptions can be initiated directly through the policy exception property.
However, some require additional state that makes initiating them either problematic or out of context. The following are exceptions that cannot be initiated through the exception property:
❐ authentication_failed
❐ authentication_failed_password_expired
❐ authentication_redirect_from_virtual_host
❐ authentication_redirect_to_virtual_host
❐ authentication_success
❐ dynamic_bypass_reload
❐ license_expired
❐ ssl_domain_invalid
❐ ssl_failed

To view the content of a built-in exception, enter the following commands at the (config) prompt:
SGOS#(config) exceptions
SGOS#(config exceptions) show exceptions configuration_error
configuration_error exception:
  all protocols:
    summary text:
      SG configuration error
    details text:
      Your request could not be processed because of a configuration error: $(exception.last_error)
    help text:
      The problem is most likely because of a configuration error, $(exception.contact) and provide them with any pertinent information from this message.
  http protocol:
    code: 403

User-Defined Exceptions
User-defined exceptions are created and deleted by the administrator. If a user-defined exception is referenced by policy, it cannot be deleted. The default HTTP response code for user-defined exceptions is 403.
Note: For users who are explicitly proxied and use Internet Explorer to request an HTTPS URL, an exception body longer than 900 characters might be truncated. The workaround is to shorten the exception body.

An exception body less than 512 characters might cause a page does not exist 404 error.
If this occurs, use the exception.autopad(yes|no) property to pad the body to more than 513 characters. For more information on the exception.autopad property, refer to the Blue Coat ProxySG Content Policy Language Guide.

About Exception Definitions
Each exception definition (whether built-in or user-defined) contains the following elements:
❐ Identifier—Identifies the type of exception. Table 4-1 lists the built-in exception types. For user-defined exceptions, the identifier is the name specified upon creation.
❐ Format—Defines the appearance of the exception. For an HTTP exception response, the format is an HTML file. For other protocols, where the user agents are not able to render HTML, the format is commonly a single line.
❐ Summary—A short description of the exception that labels the exception cause. For example, the default policy_denied exception summary is "Access Denied".
❐ Details—The default text that describes the reason for displaying the exception. For example, the default policy_denied exception (for the HTTP protocol) detail is: Your request has been denied by system policy.
❐ Help—An informative description of common possible causes and potential solutions for users to take. For example, if you want the categorization of a URL reviewed, you can append the $(exception.category_review_url) and $(exception.category_review_message) substitutions to the $(exception.help) definition. You must first enable this capability through content filtering configuration. For information on enabling review categorization, refer to Volume 8: Managing Content.
❐ Contact—Used to configure site-specific contact information that can be substituted in all exceptions.
Although it is possible to customize contact information on a per-exception basis, customizing the top-level contact information, which is used for all exceptions, is sufficient in most environments.
❐ HTTP-Code—The HTTP response code to use when the exception is issued. For example, the policy_denied exception by default returns the 403 Forbidden HTTP response code.
Important: Fields other than Format must be less than 8000 characters. If they are greater than this, they are not displayed.

When defining the above fields, you can use substitution variables that are particular to the given request. Some of the above fields are also available as substitutions:
❐ $(exception.id)
❐ $(exception.summary)
❐ $(exception.details)
❐ $(exception.help)
❐ $(exception.contact)

Additionally, the Format, Summary, Details, Help and Contact fields can be configured specifically for HTTP, or configured commonly for all protocols.
The Format field, the body of the exception, is not available as a substitution. However, the Format field usually includes other substitutions. For example, the following is a simple HTML format:
<html>
<title>$(exception.id): $(exception.summary)</title>
<body><pre>
Request: $(method) $(url)
Details: $(exception.details)
Help: $(exception.help)
Contact: $(exception.contact)
</pre></body></html>

Some additionally useful substitutions related to exceptions are:
❐ $(exception.last_error)—For certain requests, the SG appliance determines additional details on why the exception was issued.
This substitution includes that extra information.
❐ $(exception.reason)—This substitution is determined internally by the SG appliance when it terminates a transaction and indicates the reason that the transaction was terminated. For example, a transaction that matches a DENY rule in policy has its $(exception.reason) set to "Either 'deny' or 'exception' was matched in policy".

About the Exceptions Hierarchy
Unlike the error pages in previous SGOS releases, an exception is not required to have its entire contents defined. Exceptions are stored in a hierarchical model, and parent exceptions can provide default values for child exceptions. There are two parent exceptions from which other exceptions are derived: exception.all and exception.user-defined.all.
Each built-in and user-defined exception derives its default values from the all exception. For example, by default the built-in exceptions do not define the format field. Instead, they depend on the all exception's format field definition. To change the format text for all built-in and user-defined exceptions, customize the format field for the all exception.
The user-defined.all exception is the parent of all user-defined exceptions, but it is also a child of the all exception.
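The inheritance just described (all, then user-defined.all, then the exception itself, with an http sub-node overriding the common field at each level) and the $(exception.*) substitutions, worked through as an added example that is not Blue Coat code. It parses a constructed installable list in the SDL format this section uses, and assumes that user-defined exceptions nest under exception.user-defined.all inside exception.all and that an empty string means "inherit".

```python
# Added example, not Blue Coat code: parse a small SDL-style exceptions list,
# resolve each field through the hierarchy (all -> user-defined.all -> exception,
# an http sub-node overriding the common field at each level) and render the
# format with $(exception.*) substitutions. Assumptions: user-defined exceptions
# nest under exception.user-defined.all inside exception.all, and an empty
# string means "not defined, inherit", as the policy_denied example shows.
import re

# Constructed sample installable list (not taken from an appliance).
SAMPLE_SDL = '''
(exception.all
  (format "$(exception.id): $(exception.details)")
  (contact "For assistance, contact your network support team.")
  (http
    (code "403")
    (format <<EOF
<html><title>$(exception.id)</title><body>Details: $(exception.details)
Contact: $(exception.contact)</body></html>
EOF
    )
  )
  (exception.policy_denied
    (format "")
    (details "your request has been denied by system policy")
  )
  (exception.user-defined.all
    (contact "For assistance, contact policyadmin.")
    (exception.user-defined.test
      (details "Connection failed with stack error")
      (http (code "500"))
    )
  )
)
'''

# Tokens: parens, "quoted", <<TAG heredoc ... TAG, or a bare symbol.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|<<(\w+)\n(.*?)\n\1\n|[^\s()"]+', re.S)


def parse(text):
    """Return the root node as (name, fields, children); children keyed by name."""
    toks = list(TOKEN_RE.finditer(text))
    pos = 0

    def node():
        nonlocal pos
        pos += 1                                  # skip "("
        name = toks[pos].group(0)
        pos += 1
        fields, children = {}, {}
        while toks[pos].group(0) != ")":
            if toks[pos].group(0) != "(":
                raise ValueError("unexpected token " + toks[pos].group(0))
            key, val = toks[pos + 1], toks[pos + 2]
            if val.group(1) is not None:          # (key <<EOF ... EOF)
                fields[key.group(0)] = val.group(2)
                pos += 4
            elif val.group(0).startswith('"'):    # (key "value")
                fields[key.group(0)] = val.group(0)[1:-1]
                pos += 4
            else:                                 # nested (exception.x ...) or (http ...)
                child = node()
                children[child[0]] = child
        pos += 1                                  # skip ")"
        return name, fields, children

    return node()


def chain(root, exc_id):
    """Nodes from least to most specific for a built-in or user-defined id."""
    nodes = [root]
    if exc_id.startswith("user-defined."):
        ud = root[2].get("exception.user-defined.all")
        nodes += [ud, ud[2].get("exception." + exc_id) if ud else None]
    else:
        nodes.append(root[2].get("exception." + exc_id))
    return [n for n in nodes if n is not None]


def resolve(root, exc_id, field, protocol="http"):
    """Most specific non-empty value wins; a protocol sub-node beats the common field."""
    for n in reversed(chain(root, exc_id)):
        proto = n[2].get(protocol)
        for fields in ((proto[1] if proto else {}), n[1]):
            if fields.get(field):
                return fields[field]
    return ""


def render(root, exc_id, protocol="http", request=None):
    """Expand $(exception.*) and request substitutions in the resolved format."""
    def sub(m):
        key = m.group(1)
        if key == "exception.id":
            return exc_id.split(".")[-1]          # user-defined.test -> test
        if key.startswith("exception."):
            return resolve(root, exc_id, key[len("exception."):], protocol)
        return (request or {}).get(key, "")
    body = re.sub(r"\$\(([\w.]+)\)", sub, resolve(root, exc_id, "format", protocol))
    code = resolve(root, exc_id, "code", protocol) or "403"   # manual's default
    return body, code


def needs_autopad(body):
    """True when the body is short enough to trigger the 404 behaviour noted above."""
    return len(body) < 512
```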
Configuring exception.user-defined.all is only necessary if you want certain fields to be common for all user-defined exceptions, but not common for built-in exceptions.
The following example demonstrates using the exception inline command to configure the $(exception.contact) substitution for every HTTP exception:
#(config exceptions) inline http contact EOF
For assistance, contact <a href="mailto:[email protected]">sysadmin</a>
EOF

The following example configures a different $(exception.contact) substitution for every user-defined HTTP exception:
#(config exceptions) user-defined inline http contact EOF
For assistance, contact <a href="mailto:[email protected]">policyadmin</a>
EOF

About the Exceptions Installable List
The Exceptions Installable List uses the Structured Data Language (SDL) format. This format provides an effective method to express a hierarchy of key/value pairs. For example, the following is an SDL file before customization:
(exception.all
  (format "This is an exception: $(exception.details)")
  (details "")
  (exception.policy_denied
    (format "")
    (details "your request has been denied by system policy")
  )
)

This SDL file defines an exception called policy_denied that defines the $(exception.details) substitution as "your request has been denied by system policy". Because the exception does not define the format field, it inherits the format field from its parent exception (exception.all). When the policy_denied exception is issued, the resulting text is: This is an exception: your request has been denied by system policy.
Suppose you want to customize the $(exception.contact) substitution for every HTTP exception.
Edit the exception.all component.
Note: The default HTTP format and built-in exception definitions have been removed for example purposes.
(exception.all
  (contact "For assistance, contact your network support team.")
  (details "")
  (format "$(exception.id): $(exception.details)")
  (help "")
  (summary "")
  (http
    (code "200")
    (contact "")
    (details "")
    (format <<EOF
<format removed>
EOF
    )
    (help "")
    (summary "")
  )
  <built-in exceptions removed>
)

To add the $(exception.contact) information, modify the contact substitution under the http node:
(exception.all
  (contact "For assistance, contact your network support team.")
  (details "")
  (format "$(exception.id): $(exception.details)")
  (help "")
  (summary "")
  (http
    (code "200")
    (contact <<EOF
For assistance, contact <a href="mailto:[email protected]">sysadmin</a>
EOF
    )
    (details "")
    (format <<EOF
<format removed>
EOF
    )
    (help "")
    (summary "")
  )
  <built-in exceptions removed>
)

Keep in mind the following conditions when modifying exception installable lists:
❐ Every exception installable list must begin with a definition for exception.all.
❐ In the exceptions installable list, all definitions must be enclosed by exception.all and its accompanying closing parenthesis; that is,
  (exception.all
    (exception.policy_denied)
  )
❐ Keep the definition strings under the enclosed parentheses short, no longer than one line if possible.
❐ Blue Coat strongly recommends downloading the existing exceptions installable list, then modifying it.

Creating or Editing Exceptions
You can create or edit an
exception with the CLI or with installable lists on the Management Console.
Note: You cannot create user-defined exceptions for Patience Pages.

To create or edit an exception:
1. At the (config) prompt, enter the following commands:
SGOS#(config) exceptions
SGOS#(config exceptions) create definition_name
SGOS#(config exceptions) edit definition_name
SGOS#(config exceptions user-defined.definition_name) http-code numeric HTTP response code
SGOS#(config exceptions user-defined.definition_name) inline ?
  contact     Set the $(exceptions.contact) substitution
  details     Set the $(exceptions.details) substitution
  format      Set the format for this exception
  help        Set the $(exceptions.help) substitution
  http        Configure substitution fields for just HTTP exceptions
  summary     Set the $(exception.summary) substitution
SGOS#(config exceptions user-defined.definition_name) inline contact eof
string eof
SGOS#(config exceptions user-defined.definition_name) inline details eof
string eof
SGOS#(config exceptions user-defined.definition_name) inline format eof
string eof
SGOS#(config exceptions user-defined.definition_name) inline help eof
string eof
SGOS#(config exceptions user-defined.definition_name) inline summary eof
string eof

2. (Optional) View the results.
SGOS#(config exceptions user-defined.test) show exceptions user-defined.test
$(exception.id):
test
$(exception.summary):
Connection failed
$(exception.details):
Connection failed with stack error
$(exception.contact):
Tech Support

To delete a user-defined exception:
From the (config) prompt, enter the following
commands:
SGOS#(config) exceptions
SGOS#(config exceptions) delete exception_name
ok
Note: You cannot delete a user-defined exception that is referenced by policy. You must remove the reference to the exception from the policy before deleting the exception.

Creating and Installing an Exceptions List
The Management Console allows you to create and install exceptions with the following methods:
❐ Using the SG appliance Text Editor, which allows you to customize the existing exceptions file.
❐ Creating a local file on your local system; the SG appliance can browse to the already-created file and install it.

Section E: Managing Peer-to-Peer Services
This section describes the Blue Coat solution for managing and blocking peer-to-peer traffic.

About Peer-to-Peer Communications
The use of peer-to-peer (P2P) technologies and services consumes an estimated 60% of broadband ISP bandwidth. By design, most P2P services are port-agnostic, which makes attempting to block them at the firewall extremely difficult.
One peer finds another IP address and port that is willing to share the file, but different peers can use different ports. Furthermore, P2P is not based on any standards, which makes it nearly impossible for network administrators to control or even detect.
Although P2P provides some practical business uses in enterprises, unmanaged P2P activity creates risks:
❐ Excessive bandwidth consumption affects mission-critical applications.
❐ Exponential security risk of exposure to viruses, spyware, and other malicious content.
❐ The threat of legal action concerning the unlawful downloading of copyrighted music and movies.

Managing P2P is a dynamic challenge, as the administrator must be able to evaluate both P2P use and enterprise requirements.

About The Blue Coat Solution
The SG appliance recognizes P2P activity relating to P2P file sharing applications. By constructing policy, you can control, block, and log P2P activity and limit the bandwidth consumed by P2P traffic.
Note: Neither caching nor acceleration are provided with this feature.

Supported Services
This version of SGOS supports the following P2P services:
❐ FastTrack (Kazaa)
❐ EDonkey
❐ BitTorrent
❐ Gnutella

Note: Refer to the Release Notes for the most current list of P2P services and versions the SG appliance supports.

Deployment
To effectively manage P2P activity, the SG appliance must be deployed to intercept outbound network traffic and the firewall configured to block outbound connections that are not initiated by the SG appliance.

The default is detect_protocol(all).

Support CPL
The following
properties can be used in conjunction with the P2P-specific CPL:
❐ allow, deny, force_deny
❐ access_server(yes | no)—If the value is determined as no, the client is disconnected.
❐ authenticate(realm)—Unauthenticated clients are disconnected.
❐ socks_gateway(alias_list | no)
❐ socks_gateway.fail_open(yes | no)
❐ forward(alias_list | no)—Only forwarding hosts currently supported by TCP tunnels are supported.
❐ forward.fail_open(yes | no)
❐ reflect_ip(auto | no | client | vip | ip_address)

For complete CPL references, refer to Volume 11: Blue Coat SG Appliance Content Policy Language Guide.

Policy Example
The following policy example demonstrates how to deny network traffic that the ProxySG recognizes as P2P:
<proxy>
p2p.client=yes deny

P2P History Statistics
You can construct policy that controls, blocks, and logs peer-to-peer (P2P) activity and limits the bandwidth consumed by P2P traffic (refer to Volume 7: VPM and Advanced Policy for information about constructing P2P policy). The following section explains how to view P2P statistics, using either the Management Console or the CLI.
Note: Some P2P statistics (P2P client connections and total bytes sent and received over a period of time) can only be viewed through the Management Console (see "P2P Clients" and "P2P Bytes", below).

P2P Data
The P2P Data tab on the Management Console displays P2P statistics, either all P2P services at once or one service at a time.
The following table details the statistics provided through the Management Console P2P Data tab or through the CLI.
Table 4-2.
P2P Data Statistics
Status
    Description
Current Tunneled Sessions
    The current number of P2P client connections using native transport.

Proxy Authentication
While P2P protocols do not support native proxy authentication, most P2P clients support SOCKS v5 and HTTP 1.1 proxies. P2P proxy authentication is supported only for clients using these protocols (that are configured for proxy authentication).
For information about proxy authentication, refer to Volume 5: Securing the Blue Coat SG Appliance. For a list of P2P clients suspected of not supporting SOCKS v5 with authentication, see the Release Notes for this release.

Access Logging
P2P activity is logged and reviewable. Refer to Volume 9: Access Logging.

Section F: Managing QoS and Differential Services
This section describes how to create policy to manipulate Quality of Service (QoS) information.

About The Blue Coat Solution
Beginning with SGOS 5.1.3, the SG appliance supports QoS detection, which is becoming a more prevalent control point for network layer traffic. Previously, the QoS information was lost—or not detected—when the ProxySG appliance terminated the client connection and issued a new connection to the server. QoS support allows you to create policy to examine the Type of Service (ToS) field in the IP header to determine the QoS of the bits.
The policy then either tests and matches ToS information and performs an action, or performs an action to manipulate ToS information based on something else in the rule (such as a user group).
You can apply QoS policy to any protocol supported on the SG appliance.

About DSCP Values
Policy matches are based on Differentiated Services Code Point (DSCP) values, which network devices use to identify traffic to be handled with higher or lower priority. Identifying and matching values might trigger defined policy actions that either set a different DSCP value or preserve or echo existing DSCP values to use for outbound connections, thus regulating the QoS for different user classes (see descriptions in subsequent sections).
Note: The SG appliance policy requests a QoS level. Whether or not a level of QoS can be achieved depends upon your network/router configurations, which must also allow the level of requested QoS.

ToS is an eight-bit field in the IP header; the first six bits are used and the final two are reserved for other TCP specification and control. The first six bits constitute the DSCP value. For most networks, the DSCP values adhere to a standard set. The following table lists these values.
Table 4-3.
DSCP Values and Descriptions<br />Name<br /><br />DCSP Value<br /><br />Description<br /><br />Default<br /><br />000000 (0)<br /><br />Best effort (Precedence 0)<br /><br />CS1<br /><br />001000 (8)<br /><br />Precedence 1<br /><br />AF11<br /><br />001010 (10)<br /><br />Assured Forwarding Class 1, Low Drop Rate<br /><br />AF12<br /><br />001100 (12)<br /><br />Assured Forwarding Class 1, Medium Drop Rate<br /><br />AF13<br /><br />001110 (14)<br /><br />Assured Forwarding Class 1, High Drop Rate<br /><br />CS2<br /><br />010000 (16)<br /><br />Precedence 2<br /><br />AF21<br /><br />010010 (18)<br /><br />Assured Forwarding Class 2, Low Drop Rate<br /><br />AF22<br /><br />010100 (20)<br /><br />Assured Forwarding Class 2, Low Drop Rate<br /><br />180<br /><br />Chapter 4: Advanced Policy Tasks<br /><br />Section F: Managing QoS and Differential Services<br />Table 4-3. DSCP Values and Descriptions (Continued)<br />AF23<br /><br />010110 (22)<br /><br />Assured Forwarding Class 2, Low Drop Rate<br /><br />CS3<br /><br />011000 (24)<br /><br />Precedence 3<br /><br />AF31<br /><br />011010 (26)<br /><br />Assured Forwarding Class 3, Low Drop Rate<br /><br />AF32<br /><br />011100 (28)<br /><br />Assured Forwarding Class 3, Medium Drop Rate<br /><br />AF33<br /><br />011110 (30)<br /><br />Assured Forwarding Class 3, High Drop Rate<br /><br />CS4<br /><br />100000 (32)<br /><br />Precedence 4<br /><br />AF41<br /><br />100010 (34)<br /><br />Assured Forwarding Class 4, Low Drop Rate<br /><br />AF42<br /><br />100100 (36)<br /><br />Assured Forwarding Class 4, Medium Drop Rate<br /><br />AF43<br /><br />100110 (38)<br /><br />Assured Forwarding Class 4, High Drop Rate<br /><br />CS5<br /><br />101000 (40)<br /><br />Precedence 5<br /><br />EF<br /><br />101110 (46)<br /><br />Expedited Forwarding—low drop rate, low latency<br /><br />CS6<br /><br />110000 (48)<br /><br />Precedence 6<br /><br />CS7<br /><br />111000 (56)<br /><br />Precedence 7<br /><br />Note:<br 
/><br />Before creating policy, verify that your network adheres to these values. Other<br />DSCP values are possible. You can specify a numerical range from 0 to 63. However,<br />Blue Coat recommends using the above classifications, as most applications are<br />associated to these classes already, which makes defining policy an easier task.<br />The conceptual definitions of the different classes are:<br />❐<br /><br />Best Effort—This is the default DSCP value if an application does not specify any<br />quality of service. The network delivers these packets if it can, but with no special<br />assigned priority. You can use other DSCP values to specify priorities that are either<br />above or below the Best Effort class; however, in most cases DSCP is used to specify<br />priorities that are better than Best Effort.<br /><br />❐<br /><br />Class Selector—These values are defined in RFC 2474 and are designed to be<br />backward compatible with the older Precedence field defined in RFC 791. Larger<br />precedence values indicate packets that are more important than packets with smaller<br />values of precedence; therefore, low-valued packets are dropped when a link becomes<br />congested. Most common, Precedence 7 is reserved for link-layer and routing protocol<br />keep-alive messages, and precedence 6 is reserved for other IP routing packets, both<br />of which must get through for the network to function correctly.<br /><br />❐<br /><br />Assured Forwarding—This is defined in RFC 2597. Assured Forwarding (AF) allows<br />you to specify both the relative priority and the drop sensitivity of traffic with a<br />Precendence class. For example, AF31 specifies low drop-rate with in the CS3<br />Precedence class.<br /><br />❐<br /><br />Expedited Forwarding—This is defined in RFC 2598. Expedited Forwarding (EF) is<br />usually reserved for premium traffic, or traffic that requires a virtual leased line. 
This<br />traffic is higher priority than AF, but lower priority than precedence 6 and 7 routing<br />messages.<br /><br />181<br /><br />Chapter 4: Advanced Policy Tasks<br /><br />Section F: Managing QoS and Differential Services<br /><br />Access Logging<br />The following access log formats are associated with QoS activity:<br />❐<br /><br />x-cs-connection-dscp: The incoming client DSCP value.<br /><br />❐<br /><br />x-rs-connection-dscp: The incoming server DSCP value.<br /><br />❐<br /><br />x-sc-connection-dscp-decision: The client.connection.dscp () property<br /><br />value, or preserve or echo.<br />❐<br /><br />x-sr-connection-dscp-decision: The server.connection.dscp () property<br /><br />value, or preserve or echo.<br /><br />187<br /><br />Volume 7: VPM and Advanced Policy<br /><br />188<br /><br />Appendix A: Glossary<br /><br />Term<br /><br />Description<br /><br />ADN Optimize Attribute<br /><br />Controls whether to optimize bandwidth usage when connecting upstream using an<br />ADN tunnel.<br /><br />Asynchronous Adaptive<br /><br />This allows the ProxySG to keep cached objects as fresh as possible, thus reducing<br />response times. The AAR algorithm allows HTTP proxy to manage cached objects<br />based on their rate of change and popularity: an object that changes frequently and/<br />or is requested frequently is more eligible for asynchronous refresh compared to an<br />object with a lower rate of change and/or popularity.<br /><br />Refresh (AAR)<br /><br />Asynchronous Refresh<br />Activity<br /><br />Refresh activity that does not wait for a request to occur, but that occurs<br />asynchronously from the request.<br /><br />Attributes (Service)<br /><br />The service attributes define the parameters, such as explicit or transparent,<br />cipher suite, and certificate verification, that the SG appliance uses for a<br />particular service. 
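Section F above describes the ToS/DSCP bit layout, the recommended DSCP classes of Table 4-3, and the four QoS access-log fields. The following Python is an added example, not code from Blue Coat or the SGOS documentation: it splits a ToS byte into its DSCP and reserved bits, names a DSCP value from the RFC 2474/2597/2598 bit structure that Table 4-3 follows (so it generalizes beyond the table to any 0..63 value), and audits the QoS fields of constructed ELFF-style records, flagging values outside the recommended classes. The log layout (the #Fields directive and the non-QoS field names) and the preserve/echo literals being reported unchanged are assumptions of the example; only the four x-*-connection-dscp names come from the text.

```python
"""Decode IP ToS/DSCP values and audit the QoS fields of ProxySG-style access logs.

Added example, not code from Blue Coat or the SGOS documentation. The log layout
below (the '#Fields:' directive and the non-QoS field names) is constructed for
the example; only the four x-*-connection-dscp field names come from the text.
"""
from dataclasses import dataclass

# Drop precedence encoded in bits 2-1 of an Assured Forwarding code point (RFC 2597).
DROP_RATE = {1: "Low", 2: "Medium", 3: "High"}

QOS_FIELDS = (
    "x-cs-connection-dscp",           # incoming client DSCP
    "x-rs-connection-dscp",           # incoming server DSCP
    "x-sc-connection-dscp-decision",  # client.connection.dscp() value, preserve or echo
    "x-sr-connection-dscp-decision",  # server.connection.dscp() value, preserve or echo
)


def split_tos(tos: int) -> tuple[int, int]:
    """Split an 8-bit ToS byte: the top six bits are the DSCP, the low two are reserved."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"ToS byte out of range: {tos}")
    return tos >> 2, tos & 0b11


@dataclass(frozen=True)
class DscpInfo:
    value: int        # 0..63
    name: str         # Default, CS1..CS7, AF11..AF43, EF, or DSCP<n> for anything else
    precedence: int   # top three bits, the RFC 791 precedence the CS values preserve
    description: str
    standard: bool    # True when the value is one of the classes in Table 4-3


def describe_dscp(dscp: int) -> DscpInfo:
    """Name a DSCP value from its bit structure instead of a fixed lookup table."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0..63, got {dscp}")
    precedence, low = dscp >> 3, dscp & 0b111
    if dscp == 0:
        return DscpInfo(0, "Default", 0, "Best effort (Precedence 0)", True)
    if dscp == 46:  # 101110: the single EF code point of RFC 2598
        return DscpInfo(46, "EF", 5, "Expedited Forwarding, low drop rate, low latency", True)
    if low == 0:    # xxx000: Class Selector, RFC 2474
        return DscpInfo(dscp, f"CS{precedence}", precedence, f"Precedence {precedence}", True)
    drop = low >> 1
    if 1 <= precedence <= 4 and low & 1 == 0 and drop in DROP_RATE:  # AF classes 1-4
        return DscpInfo(dscp, f"AF{precedence}{drop}", precedence,
                        f"Assured Forwarding Class {precedence}, {DROP_RATE[drop]} Drop Rate", True)
    return DscpInfo(dscp, f"DSCP{dscp}", precedence, "Not one of the recommended classes", False)


def parse_elff(text: str) -> list[dict[str, str]]:
    """Parse a minimal ELFF log: a '#Fields:' directive followed by space-separated records."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        else:
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch in record: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def audit_qos(record: dict[str, str]) -> dict[str, object]:
    """Decode the four QoS fields of one record; warn on values outside Table 4-3.

    A decision field holds either a numeric DSCP set by policy or the literal
    'preserve' / 'echo', which are reported unchanged. '-' is the ELFF empty value.
    """
    warnings: list[str] = []
    result: dict[str, object] = {}
    for name in QOS_FIELDS:
        raw = record.get(name, "-")
        if raw in ("preserve", "echo", "-"):
            result[name] = raw
            continue
        info = describe_dscp(int(raw))
        result[name] = info.name
        if not info.standard:
            warnings.append(f"{name}={raw}: {info.description}")
    result["warnings"] = warnings
    return result


# Constructed sample log; hosts and addresses are placeholders, not real data.
SAMPLE_LOG = """\
#Software: constructed sample, not a real SGOS log
#Fields: date time c-ip cs-host x-cs-connection-dscp x-rs-connection-dscp x-sc-connection-dscp-decision x-sr-connection-dscp-decision
2007-03-01 10:00:01 10.1.1.5 intranet.example 0 0 preserve 18
2007-03-01 10:00:02 10.1.1.6 voip.example 46 46 echo preserve
2007-03-01 10:00:03 10.1.1.7 cdn.example 41 0 8 8
"""

if __name__ == "__main__":
    for rec in parse_elff(SAMPLE_LOG):
        print(rec["cs-host"], audit_qos(rec))
```

A warning on an incoming value (as on the third record) usually means an upstream device is marking traffic outside the agreed classes, which is worth checking before writing policy that matches on those values.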
Authenticate-401 Attribute
    All transparent and explicit requests received on the port always use transparent authentication (cookie or IP, depending on the configuration). This is especially useful to force transparent proxy authentication in some proxy-chaining scenarios.

authentication
    The process of identifying a specific user.

authorization
    The permissions given to a specific user.

Bandwidth Gain
    A measure of the difference in client-side and server-side Internet traffic expressed in relation to server-side Internet traffic. It is managed in two ways: you can enable or disable bandwidth gain mode or you can select the Bandwidth Gain profile (this also enables bandwidth gain mode).

Bandwidth Class
    A defined unit of bandwidth allocation. An administrator uses bandwidth classes to allocate bandwidth to a particular type of traffic flowing through the SG appliance.

Bandwidth Class Hierarchy
    Bandwidth classes can be grouped together in a class hierarchy, which is a tree structure that specifies the relationship among different classes. You create a hierarchy by creating at least one parent class and assigning other classes to be its children.

Bandwidth Policy
    The set of rules that you define in the policy layer to identify and classify the traffic in the SG appliance, using the bandwidth classes that you create. You must use policy (through either VPM or CPL) in order to manage bandwidth.

Bypass Lists
    The bypass list allows you to exempt IP addresses from being proxied by the SG appliance. The bypass list allows either <All> or a specific IP prefix entry for both the client and server columns.
    Both UDP and TCP traffic are automatically exempted.

Byte-Range Support
    The ability of the ProxySG to respond to byte-range requests (requests with a Range: HTTP header).

Cache-hit
    An object that is in the ProxySG and can be retrieved when an end user requests the information.

Cache-miss
    An object that can be stored but has never been requested before; it was not in the ProxySG to start, so it must be brought in and stored there as a side effect of processing the end-user's request. If the object is cacheable, it is stored and served the next time it is requested.

Child Class (Bandwidth Gain)
    The child of a parent class is dependent upon that parent class for available bandwidth (they share the bandwidth in proportion to their minimum/maximum bandwidth values and priority levels). A child class with siblings (classes with the same parent class) shares bandwidth with those siblings in the same manner.

Client consent certificates
    A certificate that indicates acceptance or denial of consent to decrypt an end user's HTTPS request.

Compression
    An algorithm that reduces a file’s size but does not lose any data. The ability to compress or decompress objects in the cache is based on policies you create. Compression can have a huge performance benefit, and it can be customized based on the needs of your environment: whether CPU is more expensive (the default assumption), server-side bandwidth is more expensive, or client-side bandwidth is more expensive.

Default Proxy Listener
    See “Proxy Service (Default)”.

Detect Protocol Attribute
    Detects the protocol being used.
    Protocols that can be detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper.

Directives
    Directives are commands that can be used in installable lists to configure forwarding. See also Forwarding Configuration.

Display Filter
    The display filter is a drop-down list at the top of the Proxy Services pane that allows you to view the created proxy services by service name or action.

Early Intercept Attribute
    Controls whether the proxy responds to client TCP connection requests before connecting to the upstream server. When early intercept is disabled, the proxy delays responding to the client until after it has attempted to contact the server.

Emulated Certificates
    Certificates that are presented to the user by the ProxySG when intercepting HTTPS requests. Blue Coat emulates the certificate from the server and signs it, copying the subjectName and expiration. The original certificate is used between the ProxySG and the server.

ELFF-compatible format
    A log type defined by the W3C that is general enough to be used with any protocol.

Encrypted Log
    A log that is encrypted using an external certificate associated with a private key. Encrypted logs can only be decrypted by someone with access to the private key.
    The private key is not accessible to the SG appliance.

explicit proxy
    A configuration in which the browser is explicitly configured to communicate with the proxy server for access to content. This is the default for the SG appliance, and requires configuration for both the browser and the interface card.

Fail Open/Closed
    Failing open or closed applies to forwarding hosts and groups and SOCKS gateways. Fail Open/Closed applies when the health checks are showing sick for each forwarding or SOCKS gateway target in the applicable fail-over sequence. If no systems are healthy, the SG appliance fails open or closed, depending on the configuration. If closed, the connection attempt simply fails. If open, an attempt is made to connect without using any forwarding target (or SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no setting is specified.

Forwarding Configuration
    Forwarding can be configured through the CLI or through adding directives to a text file and installing it as an installable list. Each of these methods (the CLI or using directives) is equal. You cannot use the Management Console to configure forwarding.

Forwarding Host
    Upstream Web servers or proxies.

forward proxy
    A proxy server deployed close to the clients and used to access many servers.
    A forward proxy can be explicit or transparent.

Freshness
    A percentage that reflects the objects in the ProxySG cache that are expected to be fresh; that is, the content of those objects is expected to be identical to that on the OCS (origin content server).

Gateway
    A device that serves as entrance and exit into a communications network.

Global Default Settings
    You can configure settings for all forwarding hosts and groups. These are called the global defaults. You can also configure private settings for each individual forwarding host or group. Individual settings override the global defaults.

FTP
    See Native FTP; Web FTP.

Host Affinity
    Host affinity is the attempt to direct multiple connections by a single user to the same group member. Host affinity is closely tied to load balancing behavior; both should be configured if load balancing is important.

Host Affinity Timeout
    The host affinity timeout determines how long a user remains idle before the connection is closed. The timeout value checks the user's IP address, SSL ID, or cookie in the host affinity table.

Inbound Traffic (Bandwidth Gain)
    Network packets flowing into the SG appliance.
    Inbound traffic mainly consists of the following:
    • Server inbound: Packets originating at the origin content server (OCS) and sent to the SG appliance to load a Web object.
    • Client inbound: Packets originating at the client and sent to the SG appliance for Web requests.

Installable Lists
    Installable lists, comprised of directives, can be placed onto the SG appliance in one of several ways: by creating the list through the SG text editor, by placing the list at an accessible URL, or by downloading the directives file from the local system.

Integrated Host Timeout
    An integrated host is an Origin Content Server (OCS) that has been added to the health check list. The host, added through the integrate_new_hosts property, ages out of the integrated host table after being idle for the specified time. The default is 60 minutes.

IP Reflection
    Determines how the client IP address is presented to the origin server for explicitly proxied requests. All proxy services contain a reflect-ip attribute, which enables or disables sending of the client's IP address instead of the SG's IP address.

Issuer keyring
    The keyring that is used by the SG appliance to sign emulated certificates. The keyring is configured on the appliance and managed through policy.

Listener
    The service that is listening on a specific port. A listener can be identified by any destination IP/subnet and port range. Multiple listeners can be added to each service.

Load Balancing
    The ability to share traffic requests among multiple upstream targets.
    Two methods can be used to balance the load among systems: least-connections or round-robin.

Log Facility
    A separate log that contains a single logical file and supports a single log format. It also contains the file’s configuration and upload schedule information as well as other configurable information such as how often to rotate (switch to a new log) the logs at the destination, any passwords needed, and the point at which the facility can be uploaded.

Log Format
    The type of log that is used: NCSA/Common, SQUID, ELFF, SurfControl, or Websense. The proprietary log types each have a corresponding pre-defined log format that has been set up to produce exactly that type of log (these logs cannot be edited). In addition, a number of other ELFF type log formats are also pre-defined (im, main, p2p, ssl, streaming). These can be edited, but they start out with a useful set of log fields for logging particular protocols understood by the SG appliance. It is also possible to create new log formats of type ELFF or Custom which can contain any desired combination of log fields.

Log Tail
    The access log tail shows the log entries as they get logged. With high traffic on the SG appliance, not all access log entries are necessarily displayed. However, you can view all access log information after uploading the log.

Maximum Object Size
    The maximum object size stored in the ProxySG. All objects retrieved that are greater than the maximum size are delivered to the client but are not stored in the ProxySG.

NCSA common log format
    A log type that contains only basic HTTP access information.

Negative Responses
    An error response received from the OCS when a page or image is requested.
    If the ProxySG is configured to cache such negative responses, it returns that response in subsequent requests for that page or image for the specified number of minutes. If it is not configured, which is the default, the ProxySG attempts to retrieve the page or image every time it is requested.

Native FTP
    Native FTP involves the client connecting (either explicitly or transparently) using the FTP protocol; the SG appliance then connects upstream through FTP (if necessary).

Outbound Traffic (Bandwidth Gain)
    Network packets flowing out of the SG appliance. Outbound traffic mainly consists of the following:
    • Client outbound: Packets sent to the client in response to a Web request.
    • Server outbound: Packets sent to an OCS or upstream proxy to request a service.

Origin Content Server (OCS)

Parent Class (Bandwidth Gain)
    A class with at least one child. The parent class must share its bandwidth with its child classes in proportion to the minimum/maximum bandwidth values or priority levels.

PASV
    Passive Mode Data Connections.
    Data connections initiated by an FTP client to an FTP server.

proxy
    Caches content, filters traffic, monitors Internet and intranet resource usage, blocks specific Internet and intranet resources for individuals or groups, and enhances the quality of Internet or intranet user experiences. A proxy can also serve as an intermediary between a Web client and a Web server and can require authentication to allow identity-based policy and logging for the client. The rules used to authenticate a client are based on the policies you create on the SG appliance, which can reference an existing security infrastructure—LDAP, RADIUS, IWA, and the like.

Proxy Service
    The proxy service defines the ports, as well as other attributes, that are used by the proxies associated with the service.

Proxy Service (Default)
    The default proxy service is a service that intercepts all traffic not otherwise intercepted by other listeners. It only has one listener whose action can be set to bypass or intercept. No new listeners can be added to the default proxy service, and the default listener and service cannot be deleted. Service attributes can be changed.

realms
    A realm is a named collection of information about users and groups. The name is referenced in policy to control authentication and authorization of users for access to Blue Coat Systems SG services. Multiple authentication realms can be used on a single SG appliance. Realm services include IWA, LDAP, Local, and RADIUS.

Reflect Client IP Attribute
    Enables the sending of the client's IP address instead of the SG's IP address to the upstream server.
    If you are using an Application Delivery Network (ADN), this setting is enforced on the concentrator proxy through the Configuration > App. Delivery Network > Tunneling tab.

Refresh Bandwidth
    The amount of bandwidth used to keep stored objects fresh. By default, the ProxySG is set to manage refresh bandwidth automatically. You can configure refresh bandwidth yourself, although Blue Coat does not recommend this.

reverse proxy
    A proxy that acts as a front-end to a small number of pre-defined servers, typically to improve performance. Many clients can use it to access the small number of predefined servers.

rotate logs
    When you rotate a log, the old log is no longer appended to the existing log, and a new log is created. All the facility information (headers for passwords, access log type, and so forth) is re-sent at the beginning of the new upload. If you're using Reporter (or anything that doesn't understand the concept of "file," such as streaming) the upload connection is broken and then re-started, and, again, the headers are re-sent.

serial console
    A device that allows you to connect to the SG appliance when it is otherwise unreachable, without using the network. It can be used to administer the SG appliance through the CLI.
    You must use the CLI to use a serial console. Anyone with access to the serial console can change the administrative access controls, so physical security of the serial console is critical.

Server Certificate Categories
    The hostname in a server certificate can be categorized by BCWF or another content filtering vendor to fit into categories such as banking, finance, sports.

Sibling Class (Bandwidth Gain)
    A bandwidth class with the same parent class as another class.

SOCKS Proxy
    A generic way to proxy TCP and UDP protocols. The SG appliance supports both SOCKSv4/4a and SOCKSv5; however, because of increased username and password authentication capabilities and compression support, Blue Coat recommends that you use SOCKS v5.

SmartReporter log type
    A proprietary ELFF log type that is compatible with the SmartFilter SmartReporter tool.

Split proxy
    Employs co-operative processing at the branch and the core to implement functionality that is not possible in a standalone proxy. Examples of split proxies include:
    • Mapi Proxy
    • SSL Proxy

SQUID-compatible format
    A log type that was designed for cache statistics.

SSL
    A standard protocol for secure communication over the network. Blue Coat recommends using this protocol to protect sensitive information.

SSL Interception
    Decrypting SSL connections.

SSL Proxy
    A proxy that can be used for any SSL traffic (HTTPS or not), in either forward or reverse proxy mode.

static routes
    A manually-configured route that specifies the transmission path a packet must follow, based on the packet’s destination address.
    A static route specifies a transmission path to another network.

SurfControl log type
    A proprietary log type that is compatible with the SurfControl reporter tool. The SurfControl log format includes fully-qualified usernames when an NTLM realm provides authentication. The simple name is used for all other realm types.

Traffic Flow (Bandwidth Gain)
    Also referred to as flow. A set of packets belonging to the same TCP/UDP connection that terminate at, originate at, or flow through the SG appliance. A single request from a client involves two separate connections. One of them is from the client to the SG appliance, and the other is from the SG appliance to the OCS. Within each of these connections, traffic flows in two directions—in one direction, packets flow out of the SG appliance (outbound traffic), and in the other direction, packets flow into the SG (inbound traffic). Connections can come from the client or the server. Thus, traffic can be classified into one of four types:
    • Server inbound
    • Server outbound
    • Client inbound
    • Client outbound
    These four traffic flows represent each of the four combinations described above. Each flow represents a single direction from a single connection.

transparent proxy
    A configuration in which traffic is redirected to the SG appliance without the knowledge of the client browser. No configuration is required on the browser, but network configuration, such as an L4 switch or a WCCP-compliant router, is required.

Variants
    Objects that are stored in the cache in various forms: the original form, fetched from the OCS; the transformed (compressed or uncompressed) form (if compression is used). If a required compression variant is not available, then one might be created upon a cache-hit.
    (Note: policy-based content transformations are not stored in the ProxySG.)

Web FTP
    Web FTP is used when a client connects in explicit mode using HTTP and accesses an ftp:// URL. The SG appliance translates the HTTP request into an FTP request for the OCS (if the content is not already cached), and then translates the FTP response with the file contents into an HTTP response for the client.

Websense log type
    A proprietary log type that is compatible with the Websense reporter tool.

Wildcard Services
    When multiple non-wildcard services are created on a port, all of them must be of the same service type (a wildcard service is one that is listening for that port on all IP addresses). If you have multiple IP addresses and you specify IP addresses for a port service, you cannot specify a different protocol if you define the same port on another IP address.
    For example, if you define HTTP port 80 on one IP address, you can only use the HTTP protocol on port 80 for other IP addresses. Also note that wildcard services and non-wildcard services cannot both exist at the same time on a given port. For all service types except HTTPS, a specific listener cannot be posted on a port if the same port has a wildcard listener of any service type already present.

Index

A
active content
    and HTTPS tunneled connection 158
    definition of 158
    embed tags 159
    JavaScript 159
    object tags 160
    script tags 158
    stripping 158
    types 158
    types that can be removed or replaced 158
administration access policy, Visual Policy Manager reference 37
administration authentication policy, Visual Policy Manager reference 36
authentication realm, in Visual Policy Manager 49

B
base DN for a group in Visual Policy Manager 49
browser
    viewing policy files with 22

C
Central policy file
    automatic installation 20
    managing 20
    update interval
        configuring 21
        updated, checking for 21
CPL
    creating 16
    generated by VPM 124
    inline command 16
    unloading policy files 17

D
document
    conventions 11
domain name for a group
    in Visual Policy Manager 50, 51

E
embed tags 159
exceptions
    built-in 162
    definitions 166
    hierarchy 167
    installable list, about 168
    user-defined 166
    view 172

H
headers
    deleting 161
    modifying 161
HTTPS, tunneled connection 158

I
inline commands
    creating policy with 13, 16

J
JavaScript 159

M
menu bar in Visual Policy Manager 27

N
negate option, using in Visual Policy Manager 32

O
object tags 160
objects
    in Visual Policy Manager 33

P
P2P
    access logging 179
    authentication 179
    managing 174
    policy 175
patience pages, troubleshooting 169
peer-to-peer
    access logging 179
    authentication 179
    managing 174
    policy 175
policy
    changing in Visual Policy Manager 128
    CLI inline command, using 16
    configuring default policy proxy setting 19, 20
    configuring policy evaluation order 20
    creating 16
    disabling 17
    disabling in Visual Policy Manager 129
    editing 13
    enabling in Visual Policy Manager 129
    files loading 13
    files, loading 17
    inline command 16
    inline commands, using 13
    layers in 126
    loading in Visual Policy Manager 127
    policy editor 25
    saving in Visual Policy Manager 127
    source, viewing 22
    statistics, viewing 22
    tabs for in Visual Policy Manager 28
    tracing information 22
    unloading 17
    viewing with browser 22
    Visual Policy Manager 25
policy rules
    deleting in Visual Policy Manager 128
    in Visual Policy Manager user interface 29
    option menus for in Visual Policy Manager 29
    ordering in Visual Policy Manager 125
pop-up ads, blocking 156
popup windows, blocking 155

S
script tags 158
SSL access policy
    Visual Policy Manager reference 38
SSL Intercept policy
    Visual Policy Manager reference 38
statistics
    policy 22
stripping active content 158

T
transforming active content tags 158
troubleshooting
    patience pages 169

V
virus scanning, policies for in Visual Policy Manager 43
Visual Policy Manager (VPM)
    administration access policy reference 37
    administration authentication policy reference 36
    changing policies 128
    command reference 27
    deleting a policy 128
    disabling a policy 129
    downloading files for 129
    enabling a policy 129
    files for 129
    generated CPL 124
    loading policies 127
    menu bar 27
    objects 33
    overview 25
    policies, saving 127
    policy layer tabs 28
    policy layers 126
    rule options in the user interface 29
    rule order in 125
    rules in the user interface 29
    SSL access policy reference 38
    SSL Intercept policy reference 38
    Web access policy example 140
    Web access policy reference 37, 41
    Web authentication policy example 133
    Web content policy reference 43

W
Web access policy
    example in Visual Policy Manager 140
    Visual Policy Manager reference 37, 41
Web authentication policy, example in Visual Policy Manager 133

X
XML validation 127
