Name: ProxySG

Text: Volume 7: Managing Content

Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contact.html
[email protected]
http://www.bluecoat.com
For concerns or feedback about the documentation: [email protected]

Copyright© 1999-2007 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat Systems, Inc. and
CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®,
The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are
registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of
their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document Number: 231-02844
Document Revision: SGOS 5.2.2—09/2007

ii

Contents
Contact Information
Chapter 1: Introduction
Document Conventions......................................................................................................................................7
Chapter 2: Filtering Web Content
Section A: About Filtering Web Content
About Content Filtering Databases ................................................................................................................10
About Content Filtering Categories................................................................................................................10
On-box Versus Off-box Solutions ...................................................................................................................10
Blue Coat Web Content Filtering Solutions...................................................................................................11
About Blue Coat Web Filter......................................................................................................................12
About Dynamic Real-Time Rating ..........................................................................................................12
Section B: Configuring Blue Coat Web Filter
Selecting Blue Coat Web Filter ........................................................................................................................14
Specifying a Custom Time Period to Update Blue Coat Web Filter ..........................................................16
Configuring Dynamic Real-Time Rating .......................................................................................................17
About Proxy Chaining Support for DRTR .............................................................................................17
Configuring DRTR .....................................................................................................................................18
About DRTR States ...........................................................................................................................................19
Diagnostics .........................................................................................................................................................19
Section C: Configuring a Local Database
Selecting the Local Database and Downloading the Database...................................................................20
Specifying a Custom Time Period to Update a Local Database .................................................................22
Diagnostics .........................................................................................................................................................22
Section D: Configuring Internet Watch Foundation
Selecting the IWF Database..............................................................................................................................24
Specifying a Custom Time Period to Update IWF .......................................................................................26
Diagnostics .........................................................................................................................................................26
Section E: Configuring a Third-Party Vendor
Selecting the Provider and Downloading the Database ..............................................................................28
Specifying a Custom Time Period to Update a Third-Party Database......................................................33
Diagnostics .........................................................................................................................................................34
Section F: Applying Policy
Applying Policy to Categorized URLs ...........................................................................................................35
Using Content Filtering Vendors with Blue Coat Policies ..........................................................................37
Defining Custom Categories in Policy ...........................................................................................................38
Notes ...................................................................................................................................................................40

iii

Volume 7: Managing Content

Section G: Configuring Websense Off-box Content Filtering
Performing a Health Check on a Websense Off-box Service...................................................................... 44
Chapter 3: Malicious Content Scanning Services
Section A: About Content Scanning
Determining Which Files to Scan.................................................................................................................... 48
About Response Modification.................................................................................................................. 48
About Request Modification .................................................................................................................... 49
Returning the Object to the Blue Coat Appliance ................................................................................. 50
Caching and Serving the Object............................................................................................................... 50
ICAP v1.0 Features............................................................................................................................................ 51
Sense Settings ............................................................................................................................................. 51
ISTags........................................................................................................................................................... 51
Persistent Connections .............................................................................................................................. 51
Improving the User Experience ...................................................................................................................... 51
About Patience Pages ................................................................................................................................ 51
About Data Trickling................................................................................................................................. 52
About ICAP Server Failover............................................................................................................................ 55
Section B: Configuring SG Appliance ICAP Communications
Configuration Tasks ......................................................................................................................................... 56
Installing the ICAP Server ............................................................................................................................... 56
Creating an ICAP Service ................................................................................................................................ 56
Deleting an ICAP Service................................................................................................................................. 60
Configuring ICAP Feedback ........................................................................................................................... 61
Customizing ICAP Patience Text ................................................................................................................... 62
HTTP Patience Text ................................................................................................................................... 62
FTP Patience Text....................................................................................................................................... 65
Section C: Creating ICAP Policy
VPM Objects....................................................................................................................................................... 67
Example ICAP Scanning Policy ...................................................................................................................... 67
Exempting HTTP Live Streams From Response Modification .................................................................. 72
Streaming Media Request Modification Note .............................................................................................. 72
CPL Notes .......................................................................................................................................................... 72
Section D: Managing Virus Scanning
Advanced Configurations................................................................................................................................ 74
Using Object-Specific Scan Levels ........................................................................................................... 74
Improving Virus Scanning Performance................................................................................................ 74
Updating the ICAP Server ............................................................................................................................... 74
Replacing the ICAP Server .............................................................................................................................. 75
Access Logging.................................................................................................................................................. 75
Symantec AntiVirus Scan Engine 4.0 ...................................................................................................... 75
Finjan SurfinGate 7.0 ................................................................................................................................. 75

iv

Contents

Chapter 4: Configuring Service Groups
About Weighted Load Balancing.................................................................................................................... 77
Creating a Service Group................................................................................................................................. 78
Deleting a Service Group or Group Entry..................................................................................................... 81
Displaying External Service and Group Information .................................................................................. 82
Appendix A: Glossary
Index

v

Volume 7: Managing Content

vi

Chapter 1: Introduction

Applying content filtering and virus scanning to requested and posted Web content in
an enterprise is vital to securing the network and improving productivity.


Content filtering allows you to regulate, based on content categories, which Web
sites employees are allowed to access and which are restricted.



Virus scanning allows you to scan both incoming content and content leaving the
enterprise network for viruses and other malicious code, such as drive-by software
that propagates spyware.

This document contains the following chapters:


Chapter 2: "Filtering Web Content"



Chapter 3: "Malicious Content Scanning Services"



Chapter 4: "Configuring Service Groups"

Document Conventions
The following section lists the typographical and Command Line Interface (CLI) syntax
conventions used in this manual.
Table 1-1. Document Conventions
Conventions

Definition

Italics

The first use of a new or Blue Coat-proprietary term.

Courier font

Command line text that appears on your administrator workstation.

Courier Italics

A command line variable that is to be substituted with a literal name or
value pertaining to the appropriate facet of your network system.

Courier Boldface

A Blue Coat literal to be entered as shown.

{}

One of the parameters enclosed within the braces must be supplied

[]

An optional parameter or parameters.

|

Either the parameter before or after the pipe character can or must be
selected, but not both.

7

Volume 7: Managing Content

8

Chapter 2: Filtering Web Content

This chapter describes how to configure the SG appliance to process client Web
requests and filter the returning content.
This chapter contains the following sections:


"Section A: About Filtering Web Content" on page 10



"Section B: Configuring Blue Coat Web Filter" on page 14



"Section C: Configuring a Local Database" on page 20



"Section D: Configuring Internet Watch Foundation" on page 24



"Section E: Configuring a Third-Party Vendor" on page 28



"Section F: Applying Policy" on page 35



"Section G: Configuring Websense Off-box Content Filtering" on page 42

9

Volume 7: Managing Content
Section A: About Filtering Web Content

Section A: About Filtering Web Content
Content filtering allows you to control access to Web sites based on their perceived
content. This section describes Web-content filtering.

About Content Filtering Databases
A content filtering database is simply a set of rules for organizing URLs into meaningful
categories. Depending on the vendor, a URL is listed under one category or several
categories.
A content filtering database does not block any Web site or any category by default. The
role of the database is to offer additional information to the proxy server and to the
administrator about the client request. Client access depends on the rules and policies
implemented by the administrator in accordance with company standards.
Important: Because of the dynamic nature of the Internet, there is a constant flow of
new URLs (and URLs on lesser-known sites) that will not be in the existing content
filtering database. Those URLs that are not in the database are marked as none, and you
can create a policy to categorize these.

About Content Filtering Categories
A small number of categories can be used to effectively classify the vast and constantly
growing number of URLs that are found on the Web. After the Web sites and content are
categorized, you can control access to that content through policy.
Individual content filter providers (Blue Coat Web Filter or third-party vendors) define
the content- filtering categories and their meanings. After providers are configured and
the databases are available, URLs can be mapped to lists of categories. These categories
are then made available to policy, where decisions like limiting online shopping or
blocking job searching can be controlled.
For example:

url.category="Jobs" exception( content_filter_denied )
Note: You can request that specific URLs be reviewed for correct categorization, if your
content filtering provider supports this. For Blue Coat Web Filter, visit
http://sitereview.bluecoat.com/ to have a URL's category reviewed.

On-box Versus Off-box Solutions
You can deploy content filtering in the following two ways, both of which the SG
appliance supports:


On-box: When the content filtering database exists on the proxy. This provides the
best performance because the proxy does not need to retrieve information from
another network server.



Off-box: When the proxy must contact another server over the network to categorize
URLs.

10

Volume 7: Managing Content
Section A: About Filtering Web Content

About Blue Coat Web Filter
Blue Coat Web Filter (BCWF) is a hybrid solution combining an extremely comprehensive
on-box URL database with a service that can provide real-time categorization of unlisted
URLs. For more information about real-time rating and categorization of URLs, see
“About Dynamic Real-Time Rating” on page 12.
A world-wide network of servers allows the SG appliance to expediently update the
master BCWF database. For information about BCWF automatic updating feature and
scheduling updates, see “Specifying a Custom Time Period to Update Blue Coat Web
Filter” on page 16.
Note: BCWF supports many languages. Refer to the Blue Coat Release Notes for this
release for the most up-to-date list of supported languages.

About Dynamic Real-Time Rating
Dynamic Real-Time Rating (DRTR) provides real-time analysis and content categorization
of requested Web pages to solve the problem of new and previously unknown,
uncategorized URLs—those not in the database.
When a user requests a URL that has not already been categorized by the BCWF database
(for example, a brand new Web site), the SG appliance dynamic categorization service
analyzes elements of the requested content and assigns a category or categories. The
dynamic service is consulted only when the installed BCWF database does not contain
sufficient category information for a requested URL.
Note: If the category returned by this service is blocked by policy, the offending material
never enters the network in any form.

About the DRTR Process
Dynamic analysis of content is performed on a remote network service and not locally on
the SG appliance. There is a very minimal amount of bandwidth used for the round-trip
request and response, and a slight amount of time waiting for the service to provide
results. The service is only consulted for URLs that cannot be locally categorized and
results are cached on the SG appliance, so the user experience is generally not affected. To
avoid any amount of user-request latency and to defer categorization, set DRTR to run in
background mode. For more information, see “Configuring Dynamic Real-Time Rating” on
page 17.
The following diagram illustrates BCWF content filtering flow when DRTR is employed.

12

Chapter 2: Filtering Web Content

Section B: Configuring Blue Coat Web Filter

About DRTR States
DRTR has three states:


Enabled: The service attempts to categorize unrated Web sites.



Disabled: If the service is disabled, the SG appliance does not make any contact with
the service, regardless of any installed policy.



Suspended: If BCWF license expires and DRTR is enabled, the service enters a
suspended state; during this time the SG appliance does not make contact with the
service, regardless of any installed policy. After BCWF license is updated, DRTR
returns to enabled status.

To view DRTR status (CLI only):
At the (config) prompt, enter the following command:
SGOS# (config content-filter) view
Provider: Blue Coat
Dynamic Categorization:
Service:
Enabled/Disabled/Suspended
Diagnostics
Diagnostics allows you to see all categories available for use in policy or test a URL
against the database. Categories are not displayed for a vendor or local database if no
database has been downloaded.
To see all available categories:
1.

On the Configuration > Content Filtering > General page, click View Categories.

2.

To see what categories a Web site is assigned by your current configuration, enter the
URL into the URL field and click Test.

Related CLI Syntax to Manage the BCWF Database


To enter configuration mode:
SGOS#(config) content-filter



The following subcommands are available:
SGOS#(config content-filter) provider bluecoat {enable | disable}
SGOS#(config content-filter) provider bluecoat lookup-mode {always |
uncategorized}
SGOS#(config content-filter) categories
SGOS#(config content-filter) bluecoat
SGOS#(config bluecoat) download {all-day | auto | between-hours |
encrypted-password | get-now | password | url | username}
SGOS#(config bluecoat) service {enable | disable}
SGOS#(config bluecoat) service {forward {none | host_or_group_alias} |
mode {background | realtime | none} | socks-gateway {none |
gateway_alias}}
SGOS#(config bluecoat) no download
SGOS#(config bluecoat) {exit | view}
SGOS#(config content-filter) test-url url

19

Volume 7: Managing Content
Section C: Configuring a Local Database

Section C: Configuring a Local Database
This section describes how to select and refer to a local database and how to schedule the
database update schedule.

Selecting the Local Database and Downloading the Database
Two main reasons to use a local database instead of a policy file for defining categories
are:


A local database is more efficient than policy if you have a large number of URLs.



A local database separates administration of categories from policy. This separation is
useful for three reasons:


It allows different individuals or groups to be responsible for administrating the
local database and policy.



It keeps the policy file from getting cluttered.



It allows the local database to share categories across multiple boxes that have
different policy.

However, some restrictions apply to a local database that do not apply to policy
definitions:


No more than 200 separate categories are allowed.



Category names must be 32 characters or less.



A given URL pattern can appear in no more than four category definitions.

You can use any combination of the local database, policy files, or the VPM to manage
your category definitions. See “Applying Policy to Categorized URLs” on page 35 for
more information. You can also use both a local database and a third-party vendor for
your content filtering needs.
Note: Blue Coat recommends locating your local database on the same server as any
policy files you are using.

To configure local database content filtering:
1.

Select Configuration > Content Filtering > General.

20

Chapter 2: Filtering Web Content

Section C: Configuring a Local Database
Related CLI Syntax to Configure Content Filtering


To enter configuration mode:
SGOS#(config) content-filter



The following subcommands are available:
SGOS#(config content-filter) provider local {enable | disable}
SGOS#(config content-filter) provider local lookup-mode {always |
uncategorized}
SGOS#(config content-filter) categories
SGOS#(config content-filter) local
SGOS#(config local) download {all-day | auto | between-hours |
encrypted-password | get-now | password | url | username}
SGOS#(config local) source
SGOS#(config local) clear
SGOS#(config local) {view | exit}
SGOS#(config content-filter) test-url url

23

Chapter 2: Filtering Web Content

Section D: Configuring Internet Watch Foundation
SGOS#(config iwf) download {all-day | auto | between-hours |
encrypted-password | get-now | password | url | username}
SGOS#(config iwf) no download
SGOS#(config iwf) {exit | view}
SGOS#(config content-filter) test-url url

27

Chapter 2: Filtering Web Content

Section E: Configuring a Third-Party Vendor
When the operation is complete, the dialog changes to indicate installation status.
d. Click Results to see the completion message:
Download log:
SmartFilter download at: 2007/06/07 17:40:42-0400
Checking incremental update
Warning: Unable to open input control list
Warning: Unable to open installed control list
Downloading full control file
SmartFilter download at: 19 June 2007 17:40:42-0400
Downloading from http://example.com/...version=4.0
Download size:
45854194
Database version:
95
Database date:
Wed, 07 Jun 2007 08:11:51 UTC
Database expires:
Fri, 07 Jul 2007 08:11:51 UTC

Note: The first time you download a SmartFilter database, warnings appear in
the results message under Checking incremental update. These are
expected, and represent the normal process of checking to see if an incremental
update is possible. The next time you download a SmartFilter database, the SG
appliance checks the previously downloaded database, and downloads only
what is necessary to keep the database current.

3.

Click Apply to commit the changes to the SG appliance.

4.

Continue with “Specifying a Custom Time Period to Update a Third-Party Database”
on page 33.

Configuring Websense (on-box)
The Websense database configuration screen contains unique options.
Note: Websense databases contain a category called User-Defined to support locallyspecified categorizations on other platforms. Do not use this category on the SG
appliance. Instead, define your own categories through the SG appliance and assign
URLs to them using Policy (see page “Defining Custom Categories in Policy” on page
38), or using a local category database (refer to Volume 4: Securing the Blue Coat SG
Appliance).

To configure Websense (on-box):
1.

Select Configuration > Content Filtering > Websense.

31

Chapter 2: Filtering Web Content

Section E: Configuring a Third-Party Vendor
Select this option to force an additional regular expression lookup for each URL to be
categorized. Normally, regular expression lookups are done only when no category is
found in the Websense database. If this option is selected, regular expression lookups
always occur, even for categorized URLs. Selecting this option can cause a significant
reduction in lookup performance, but allow certain sites (such as translation, search
engine, and link-cache sites) to be categorized more accurately.
9.

To use the Websense Reporter, you must enable the Websense Integration Service.
a.

In the Integration Service Host field, enter the Integration Service Host IP
(which has the same IP address as the Websense Log Server).

b.

In the Port field, specify the port of the Websense Integration Service. It must
be between 0 and 65535 and match the port selected on the Integration Service
host.

c.

Select Enabled to enable the service.

d. (Optional) Select Log forwarded client address. Normally, the SG logs the
actual client IP address to the Websense Reporter log. You can configure the
SG to log an address obtained from the X-Forwarded-For HTTP Header (if
present and valid) instead. This is useful in some specific network topologies.
Note: The Policy Server, the Log Server, and Reporter must be installed and
enabled on your PC before Reporter can be used. For information on Websense
products, refer to: http://www.websense.com/support/documentation/
integrationservice.

You must also set up access logging on the SG appliance with Websense as the
client. For more information on configuring a Websense access logging client,
refer to Volume 8: Access Logging.
10. Click Apply to commit the changes to the SG appliance.
11. Proceed to the “Specifying a Custom Time Period to Update a Third-Party Database”
on page 33.

Specifying a Custom Time Period to Update a Third-Party Database
The SG appliance checks for updates to the database several times an hour. When an
update is available, it is automatically downloaded and applied. Typically, an update
contains only the information that has changed.
You can prevent this automatic check entirely by disabling automatic updates. You can
also restrict the checks to occur only within a specific time period. For example, you can
choose to check for updates between 8 am and 11 pm only. The time frame is always local
time.
Note: When the database is downloaded, a log is available that includes detailed
information about how the database was updated. You can view the download log in the
Management Console by selecting Statistics > Advanced > Content Filter Service, or in the
CLI (SGOS#(config) show content-filter status).

To specify a custom time period for updates:
1.

Select Configuration > Content Filtering > vendor. The Automatically check for updates
check box is selected by default.

33

Chapter 2: Filtering Web Content

Section F: Applying Policy

Section F: Applying Policy
This section discusses the interaction between content filtering categories and the
application of control policies.

Applying Policy to Categorized URLs
Policy is applied to categories the same way as individual URLs: create policies that
restrict, allow, and track access. Policy rules are created by composing Blue Coat Content
Policy Language (CPL) or with the Visual Policy Manager (VPM).
Note: If you have extensive category definitions, Blue Coat recommends that you put
them into a local database rather than into a policy file. The local database stores custom
categories in a more scalable and efficient manner, and separates the administration of
categories from policy. See "Section C: Configuring a Local Database" on page 20.

The policy trigger category= is used to test the category or categories assigned to the
request URL, and thus make a policy decision. For example, to block all requests for URLs
that are categorized as Sports:
DENY category=Sports

The following example demonstrates a condition that is true when a request contains the
Websense content categories Sexuality and Drugs:

category=(sexuality, drugs)

You can block multiple categories with a single rule:
category=(Sports, Gambling, Shopping) exception(content_filter_denied)

In this example, three categories are blocked and instead the predefined exception page
content_filter_denied is served; by default this indicates that the request was denied
due to its content and specifies the categories found.
The following example shows a condition that includes an extensive number of
categories:
category=(Abortion, Activist, Adult, Gambling, Illegal, Hacking,
Militancy, Racism, Shopping, Tasteless, Violence, Weapons)

URLs that are not categorized are assigned the system category none. This is not an error
condition; many sites (such as those inside a corporate intranet) are unlikely to be
categorized by a commercial service. Use category=none to detect uncategorized sites
and apply relevant policy. The following example disallows access to uncategorized sites
outside of the corporate network:
define subnet intranet
10.0.0.0/8 ; internal network
192.168.123.45; external gateway
end

; allow unrestricted access to internal addresses
ALLOW url.address=intranet
; otherwise (internet), restrict Sports, Shopping and uncategorized
sites
DENY category=(Sports, Shopping, none)

35

Volume 7: Managing Content
Section F: Applying Policy
Such category tests can also be combined with other types of triggers to produce more
complex policy, such as:


Restrict access by category and time: block sports from 6 am to 6 pm:
category=Sports time=0600..1800 DENY



Restrict by category and user identity: only members of the group Sales are permitted
to visit Shopping sites:
category=Shopping group=!Sales DENY



Require special authentication for access to certain categories:
category=Hacking authenticate(restricted_realm)

where restricted_realm is an authentication realm you have configured.


Log certain types of access:
category=Adult action.Log_adult_site_access(yes)

where Log_adult_site_access is a policy action defined elsewhere that records
extra information about this request in the event log.
Typically, category= can be used in policy anywhere that a basic URL test can be used.
Refer to Volume 10: Blue Coat SG Appliance Content Policy Language Guide for more details.
Depending on which provider you have selected and whether you have defined any of
your own categories in policy (see “Defining Custom Categories in Policy” on page 38),
you have a number of possible category names that can be used with category=. To
review the valid category names, use the categories CLI command or click View
Categories in the Management Console: Configuration > Content Filtering > General.
The category= expressions are normally put in Layers (VPM: Web Access
Layers) because the goal of content filtering policy is to control requests from users. They
can also be used in (VPM: Web Content Layers) Layers. Either way, policy is
enforced on all user requests.
It is possible for an attempt to categorize a URL to fail—for example, if no database is
loaded, your license is expired, or if a system error occurs. In such a case, the category is
considered unavailable and triggers such as:
category=Sports

are false, even if the URL is actually a sports site, because the SG appliance is unable to
determine the category. When the policy depends on the category of a URL, you do not
want such errors to inadvertently allow ordinarily restricted content to be served by the
SG appliance. You can control how the SG appliance treats these situations with the
condition:
category=unavailable

which is true in these cases. In continuing with the example, to make sure that Sports is
always blocked, even when errors occur (this is a mode of operation called fail-closed), use
a rule such as:
category=(sports, unavailable) exception(name_of_exception page)

This rule is true if the category is sports or if the category could not be determined, and in
either case the proper exception page is served instead of the restricted content.
The category unlicensed is assigned in addition to unavailable when the failure to
categorize occurred because of license expiry. That can be caused by the expiration of
your Blue Coat license to use content filtering, or because of expiration of your license
from the provider. You can use

36

Chapter 2: Filtering Web Content

Section F: Applying Policy
category=unlicensed

to detect this situation as a distinct case from other causes of unavailability.
You can also use this feature with custom exception pages (refer to Volume 6: VPM and
Advanced Policy):

category=sports time=0800..1800 exception(sports_during_bus_hrs)
category=unlicensed exception(contact_admin_re_license)
category=unavailable exception(content_filter_unavailable)

where sports_during_bus_hrs is a custom exception page you have created to
respond to requests for Sports pages between 8 am and 6 pm local time.
contact_admin_re_license is another page that instructs the user to inform the

administrator about license expiry, and is served if a license check fails. When the
category is unavailable for some other reason, the pre-defined exception
(content_filter_unavailable) is served.
The most common reason (other than license expiry) why categories are unavailable is
that a provider is selected but no database is installed. Barring hardware or network
problems that might cause a downloaded database to become corrupted and unreadable,
it is unlikely that the database will suddenly become unavailable.
To define policies on the SG appliance, use either the VPM or manually edit Policy files.
Content filtering policies are usually found in and layers.
If you are using content filtering to manage a type of content globally, create these rules in
the layer.
However, if your content filtering policy is dependent on user identity or request
characteristics, create these rules in the layer.

Using Content Filtering Vendors with Blue Coat Policies
The SG appliance provides the ability to define flexible Web access and control policies.
With content filtering, you can set up policies to provide a customized level of Web-site
access control. With vendor-based content filtering, these policies use and can supplement
vendor categories. By supplementing content filtering vendor categories, you can further
refine the type of content filtering the SG appliance performs. For example, if Travel is a
vendor-defined content category, you can define a policy that allows only Human
Resources staff to access travel sites. You can define policies that filter by a variety of
conditions, including category, protocol (including MMS and RTSP streaming protocols),
time of day, and user or user groups.

37

Volume 7: Managing Content
Section F: Applying Policy
Example
Policy: Limit employee access to travel Web sites.
The first step is to rephrase this policy as a set of rules. In this example, the model of a
general rule and exceptions to that rule is used:


Rule 1: All users are denied access to travel sites



Rule 2: As an exception to the above, Human Resources users are allowed to visit
Travel sites

Before you can write the policy, you must be able to identify users in the Human
Resources group. You can do this with an external authentication server, or define the
group locally on the SG appliance. For information on identifying and authenticating
users, refer to Volume 4: Securing the Blue Coat SG Appliance.
In this example, a group called human_resources is identified and authenticated through
an external server called my_auth_server.
This then translates into a fairly straightforward policy written in the local policy file:

; Ensure all access is authenticated
Authenticate(my_auth_server)

; Rule 1: All users denied access to travel
DENY category=travel

; Rule 2: Exception for HR
ALLOW category=travel group=human_resources
DENY category=sites

Example
Policy: Student access to Health sites is limited to a specified time of day, when the Health
100 class is held.
This time the policy contains no exceptions:


Rule 1: Health sites can be accessed Monday, Wednesday, and Friday from 10-11am.



Rule 2: Health sites can not be accessed at other times.
define condition Health_class time
weekday=(1, 3, 5) time=1000..1100
end

; 1) Allow access to health while class in session
ALLOW category=health condition=health_class_time
; 2) at all other times, deny access to health
DENY category=health

Defining Custom Categories in Policy
You can use CPL to create your own categories and assign URLs to them. This is done
with the define category construct (for more complete information on the define
category construct, refer to Volume 10: Blue Coat SG Appliance Content Policy Language
Guide). To add URLs to a category, list them in the definition. You only need to specify a
partial URL:


hosts and subdomains within the domain you specify will automatically be included

38

Chapter 2: Filtering Web Content

Section F: Applying Policy


if you specify a path, all paths with that prefix are included (if you specify no path, the
whole site is included)

Example:
define category Grand_Canyon
kaibab.org
www2.nature.nps.gov/air/webcams/parks/grcacam
nps.gov/grca
grandcanyon.org
end

Any URL at kaibab.org is now put into the Grand_Canyon category (in addition to any
category it might be assigned by a provider). Only those pages in the /grca directory of
nps.gov are put in this category.
Nested Definitions and Subcategories
You can define subcategories and nest category definitions by adding a category=
rule. To continue the example, you could add:
define category Yellowstone
yellowstone-natl-park.com
nps.gov/yell/
end
define category National_Parks
category=Grand_Canyon; Grand_Canyon is a subcategory of
National_Parks
category=Yellowstone; Yellowstone is a subcategory of National_Parks
nps.gov/yose; Yosemite – doesn’t have its own category (yet)
end

With these definitions, pages at kaibab.org are assigned two categories: Grand_Canyon
and National_Parks. You can add URLs to the Grand_Canyon category and they are
automatically added by implication to the National_Parks category as well.
Multiple unrelated categories can also be assigned by CPL. For example, by adding:
define category Webcams
www2.nature.nps.gov/air/webcams/parks/grcacam
end

the URL, http://www2.nature.nps.gov/air/webcams/parks/grcacam/grcacam.htm,
will have three categories assigned to it:


Grand_Canyon (because it appears in the definition directly)



National_Parks (because Grand_Canyon is included as a subcategory)



Webcams (because it also appears in this definition)

However, the other sites in the Grand_Canyon category are not categorized as Webcams.
This can be seen by testing the URL (or any other you want to try) clicking the Test button
on the Management Console or the test-url command in the CLI.
You can test for any of these categories independently. For example, the following
example is a policy that depends on the above definitions, and assumes that your
provider has a category called Travel into which most national park sites probably fall.
The policy is intended to prevent access to travel sites during the day, with the exception
of those designated National_Parks sites. But the Grand_Canyon webcam is an exception
to that exception.

39

Volume 7: Managing Content
Section F: Applying Policy
Example:

category=Webcams DENY
category=National_Parks ALLOW
category=Travel time =0800..1800 DENY

Click the Test button on the Management Console or the test-url command in CLI to
validate the categories assigned to any URL. This can help you to ensure that your policy
rules have the expected effect (refer to “Configuring Policy Tracing” in Volume 10: Blue
Coat SG Appliance Content Policy Language Guide).
If you are using policy-defined categories and a content-filter provider at the same time,
be sure that your custom category names do not coincide with the ones supplied by your
provider. You can also use the same names—this adds your URLs to the existing
categories, and extends those categories with your own definitions. For example, if the
webcam mentioned above was not actually categorized as Travel by your provider, you
could do the following to add it to the Travel category (for the purpose of policy):
define category Travel ; extending a vendor category
www2.nature.nps.gov/air/webcams/parks/grcacam/ ; add the GC webcam
end
Note: The policy definitions described in this section can also be used as
definitions in a local database. See “Configuring a Local Database” on page 20
for information about local databases.

Notes


When you use an expired database, the category unlicensed is assigned to all URLs
and no lookups occur on the database. This can occur even if your download license
with the database vendor is still valid, but you have not downloaded a database for a
long time (databases expire after a certain number of days). You can view the date
that your database expires (or expired) in the download log or by using the view
command in the CLI.
When you download a database, you can see the download log as soon as the
download is complete. To see the download log when you download a database, click
Results in the Installation Status dialog when the download is complete.
To see the last download log without doing another download, enter the following
CLI (config) commands:
SGOS#(config) content-filter
SGOS#(config content-filter) view



When your license with the database vendor expires, you can no longer download.
This does not have an immediate effect—you can still use the database you have for a
period of time. But eventually, the database expires and you receive the category
unlicensed, as described above.



If HTTPS Intercept is disabled and a requested HTTPS host is categorized in a content
filtering database, then filtering applies. However, if the request contains a path and
the categorization relies on the host/relative path, content filtering only filters on the
host name because the path is not accessible. This might result in a different
categorization than if the host plus path were used.

40

Chapter 2: Filtering Web Content

Section F: Applying Policy


If you receive an error message when downloading a content filtering database, check
the error message (in the Management Console, click Results on the Installation status
dialog; in the CLI, the results message displays in the event of an error). If you see an
error message such as ERROR: HTTP 401 - Unauthorized, verify that you entered your
username and password correctly. For example, the following error message was
generated by entering an incorrect username and attempting to download a
SmartFilter database:
Download log:
SmartFilter download at: Thu, 21 June 2007 18:03:08
Checking incremental update
Checking download parameters
Fetching:http://example.com/
Warning: HTTP 401 - Unauthorized
Downloading full control file
SmartFilter download at: Thu, 21 June 2007 18:03:17
Downloading from http://example.com/
Fetching:http://example.com/
ERROR: HTTP 401 - Unauthorized
Download failed
Download failed
Previous download:
...

41

Chapter 2: Filtering Web Content

Section G: Configuring Websense Off-box Content Filtering
SGOS# (config websense service_name) send {client-address |
authenticated-user}
SGOS# (config websense service_name) sense-categories
SGOS# (config websense service_name) apply-by-default
SGOS# (config websense service_name) fail-open
SGOS# (config websense service_name) test-url url

45

Volume 7: Managing Content

46

Chapter 3: Malicious Content Scanning Services

This chapter describes how to configure the SG appliance to interact with external
Internet Content Adaptation Protocol (ICAP) clients and servers to provide content
scanning and transformation.
This chapter contains the following sections:


"Section A: About Content Scanning"



"Section B: Configuring SG Appliance ICAP Communications"



"Section C: Creating ICAP Policy"



"Section D: Managing Virus Scanning"

47

Volume 7: Managing Content
Section A: About Content Scanning

Section A: About Content Scanning
This section provides conceptual information about anti-virus (AV) scanning and the SG
appliance solution.
When integrated with a supported ICAP server, such as the Blue Coat AV™, the SG
appliance provides content scanning, filtering, and repair service for Internet-based
malicious code. To eliminate threats to the network and to maintain caching performance,
the SG appliance sends objects to the ICAP server for checking and saves the scanned
objects in its object store. With subsequent content requests, the appliance serves the
scanned object rather than rescanning the same object for each request.

Determining Which Files to Scan
In determining which files to scan, this integrated solution uses the content scanning
server’s filtering in addition to SG appliance capabilities. The following table describes
the supported content types and protocols.
Table 3-1. Content Types Scanned By ICAP Server and the SG Appliance
ICAP Server
supported content types

SG appliance
supported protocols

Unsupported content
protocols

All or specified file types, based on the file
extension, as configured on the server.

• HTTP objects

• Streaming content (for example,
RTSP and MMS)

Examples: .exe (executable programs), .bat
(batch files), .doc and .rtf (document files),
and .zip (archive files); or specific MIME
types.

• FTP objects (uploads
and downloads)

• Live HTTP streams (for example,
HTTP radio streams)

• Transparent FTP
responses
HTTPS connections
terminated at an SG
appliance

HTTPS connections tunneled
through an SG appliance

Whenever an object is requested or being refreshed and it was previously scanned, the SG
appliance verifies whether the pattern file has been updated since it was last scanned. If it
was, the object is scanned again, even if the content has not changed. If the content has
changed, the object is rescanned.
With the SG appliance, you can define flexible, yet enterprise-specific content scanning
policies, which is discussed in the following two sections.

About Response Modification
The SG appliance sends the first part (a preview) of the object to the ICAP server that
supports response modification. The object preview includes the HTTP request and
response headers, and the first few bytes of the object. After checking those bytes, the
ICAP server either continues with the transaction (that is, asks the SG appliance to send
the remainder of the object for scanning) or sends a notification to the appliance that the
object is clean and opts out of the transaction.
The ICAP server features and configuration determine how scanning works, including the
following:

48

Chapter 3: Malicious Content Scanning Services

Section A: About Content Scanning

ICAP v1.0 Features
This section describes features of the ICAP v1.0 protocol.

Sense Settings
The Sense Settings feature allows the SG appliance to query any identified ICAP server
running v1.0, detect the parameters, and configure the ICAP service as appropriate. See
“Creating an ICAP Service” on page 56.

ISTags
An ICAP v1.0 server is required to return in each response an ICAP header ISTag, which
indicates the current state of the ICAP server. This eliminates the need to designate
artificial pattern version numbers, as is required in v0.95.
Note: Backing out a virus pattern on the ICAP server can revert ISTags to previous
values that are ignored by the SG appliance. To force the SG appliance to recognize the old
values, use the Sense Settings option, which is described in the configuration section.

Persistent Connections
New ICAP connections are created dynamically as ICAP requests are received (up to the
defined maximum connection limit). The connection remains open to receive subsequent
requests. If a connection error occurs, the connection closes to prevent more errors.

Improving the User Experience
Object scanning adds another operation to the user process of requesting and receiving
Web content. Therefore, the user might experience extremely slightly noticeble delays
during Web browsing as ICAP servers scan content. The SG appliance allows you to
mitigate slower browse times and educate your users about what is occuring on their
systems. This section describes those functionalities.

About Patience Pages
Patience pages are HTML pages displayed to the user if an ICAP content scan exceeds the
specified duration (seconds). You can configure the content of these pages to include a
custom message and a help link. Patience pages refresh every five seconds and disappear
when object scanning is complete.
Notes


Patience pages are not compatible with infinite stream connections—or live content
streamed over HTTP—such as a cam or video feed. ICAP scanning cannot begin until
the object download completes. Because this never occurs with this type of content,
the SG appliance continues downloading until the maximum ICAP file size limit is
breached. At that point, the SG appliance either returns an error or attempts to serve
the content to the client (depending on fail open/closed policy). However, even when
configured to fail open and serve the content, the delay added to downloading this
large amount of data is often enough to cause the a user give up before reaching that
point.

51

Chapter 3: Malicious Content Scanning Services

Section A: About Content Scanning
Proxy Chaining Deployments
Proxy chaining deployments are common in enterprises, especially in core/branch office
scenarios. Data trickling is achievable, but behavior is dependent upon how the SG
appliances are configured. The following are common deployment scenarios.


The downstream SG appliance is performing ICAP scanning, and the upstream SG
appliance is not: Data trickling and patience pages are not affected in this scenario.



The upstream SG appliance is performing ICAP scanning, and the downstream SG
appliance is not: The only issue with this deployment is that user agent-specific policy

cannot be applied at the core SG appliance because the branch SG appliance
consolidates multiple client requests in one out-going request to the upstream SG
appliance. If data trickling is employed at the upstream SG appliance and if ICAP
scanning detects a virus, the upstream SG appliance resets the client connection. This
also deletes the corrupted object from the downstream SG appliance cache.


Both SG appliances (upstream and downtream) are scanning: Behavior is mostly
determined by the configuration of the upstream SG appliance.



If the upstream SG appliance is configured to deliver patience pages, then the
downstream SG appliance also attempts to serve patience pages, including to
non-graphical user agents. Therefore, this method is not recommended.



If the upstream SG appliance employs data trickle from start, the downstream SG
appliance is not able to send any bytes to the client for a long period of time. If a
patience page is not configured on the downstream SG appliance, users might
experience connection timeouts.



If the upstream SG appliance employs trickle at end, the downstream SG
appliance allows for all options of patience page and data trickling.

About ICAP Server Failover
When creating an ICAP action, you can specify a list of ICAP servers or groups to use, in
order of preference. If the first server or group in the list does not pass the health checks,
the SG appliance moves down the list until it finds a server or group that is healthy and
uses that to perform the scanning.
The primary server resumes ICAP processing when the next health check is successful;
the standby server or server group does not retain the primary responsibility.
Notes


Failover is configured as part of the ICAP policy definition.



You cannot configure failover policy until ICAP services are configured on the SG
appliance.



To avoid errors, ICAP service names cannot be named fail_open or fail_closed (the
CLI commands prevent these names from being created).

55

Volume 7: Managing Content
Section B: Configuring SG Appliance ICAP Communications

Section B: Configuring SG Appliance ICAP Communications
This section describes how to configure the SG appliance to communicate with an ICAP
server to perform content scanning tasks.

Configuration Tasks
Configuring ICAP on the SG appliance involves the following steps:


Install the ICAP server.



Configure the SG appliance to use ICAP and configure basic features.



Specify feedback method (patience pages or data trickling).



Define scanning policies, then load the policy file on the SG appliance.

Installing the ICAP Server
Follow the manufacturer instructions for installing the ICAP server, including any
configuration necessary to work with the SG appliance. Based on your network
environment, you might use the SG appliance with multiple ICAP servers or multiple
scanning services on the same server. Configure options as needed, including the
exception message displayed to end users in the event the requested object was modified
or blocked.

Creating an ICAP Service
An ICAP service on the SG appliance is specific to the ICAP server and includes the server
IP address or hostname, as well as the supported number of connections. If you are using
the SG appliance with multiple ICAP servers or multiple scanning services on the same
server, add an ICAP service for each server or scanning service.
To create and configure an ICAP service:
1.

Select Configuration > External Services > ICAP Services.

56

Volume 7: Managing Content
Section B: Configuring SG Appliance ICAP Communications
icap://10.x.x.x/

The default port number is 1344, which can be changed. For example:
icap://10.x.x.x:99. You can also enter an HTTP URL, but you must define a
port number.
Note: An ICAP service pointing to a WebWasher server must use icap as the
protocol in the URL. Blue Coat also recommends that you review your specific
ICAP server documentation, as each vendor might require additional URL
information.

b.

The Maximum Number of Connections field specifies the maximum possible
connections at any given time between the SG appliance and the ICAP server.
The range is a number from 1 to 65535. The default is 5. The number of
recommended connections depends on the capabilities of the ICAP server.
Refer to the vendor’s product information.

c.

The Connection timeout field specifies the number of seconds the SG
appliance waits for replies from the ICAP server. The range is 1 to 65536. The
default timeout is 70 seconds.

d. Select Notify administrator: Virus detected to send an e-mail to the
administrator if the ICAP scan detects a virus. The notification is also sent to
the Event Log and the Event Log e-mail list.
e.

Select Virus found page: Use vendor’s “virus found” page to display the default
vendor error exception page to the client instead of the SG appliance
exception page. This is the default behavior for SGOS upgrades from
previous versions. This feature maintains the same appearance of previous
versions, but also retains the inherent timestamp issues involved with cache
hits. If this option is not selected, the exception pags originate from the SG
appliance, and they employ the accurate timestamps for cache hits.

58

Volume 7: Managing Content
Section B: Configuring SG Appliance ICAP Communications


3.

4.

Trickle object data at end: The client receives most (99%) of the object data, but
the final bytes are sent at the rate of one per second while the ICAP scanner
performs the scan. If the response from the ICAP server is clean, the client
receives the rest of the object data at the best connection speed possible. If the
scan detects malicious content, the connection is dropped. This is the least
secure method, as most of the data has already been delivered to the client.
However, this method provides the best user experience because there most
of the object is already delivered.

Configure options for non-interactive traffic (content such as flash animation over
HTTP):
a.

The Do not provide feedback... option means that if users experience delays in
receiving content, they are not notified as to the reason (ICAP scanning).
Selecting this option greys out the other options.

b.

The default duration to wait before notifiying a client that an ICAP scan is
occuring is five seconds. You can change this value in the Provide feedback
after field, but if you make the value too long, users might become impatient
and manually close the client, believing the connection is hung.

c.

Select the feedback method:


Trickle object data from start: See the descriptions in Step 2.



Trickle object data at end: See the descriptions in Step 2.

Click Apply.

These configurations are global. You can define further feedback policy that applies to
specific user and conditional subsets. In the VPM, the object is located in the Web Access
Layer: Return ICAP Feedback.

Customizing ICAP Patience Text
This section describes how to customize text displayed during ICAP scanning. Patience
pages are displayed if the appropriate option is selected, as described in the previous
section: “Improving the User Experience” on page 51.

HTTP Patience Text
The SG appliance allows you to customize the patience page components and text that are
displayed to users when HTTP clients experience delays as Web content is scanned.
To customize HTTP patience pages:
1.

Select Configuration > External Services > ICAP > ICAP Patience Page.

62

Chapter 3: Malicious Content Scanning Services

Section B: Configuring SG Appliance ICAP Communications

Interactivity Notes


When ICAP scanning is enabled and a patience page is triggered, a unique URL is
dynamically generated and sent to the browser to access the patience page. This
unique URL might contain a modified version of the original URL. This is expected
behavior.



Patience pages and exceptions can only be triggered by left-clicking a link. If a user
right-clicks a link and attempts to save it, it is not possible to display patience pages. If
this action causes a problem, the user might see browser-specific errors (for example,
an Internet site not found error); however, ICAP policy is still in effect.



A patience page is not displayed if a client object request results in an HTTP 302
response and the SG appliance pipelines the object in the Location header. After the
SG appliance receives the client request for the object, the client enters a waiting state
because a server-side retrieval of the object is already in progress. The wait status of
the client request prevents the patience page from displaying. To prevent the SG
appliance from pipelining these requests (which decreases performance) and to retain
the ability to provide a patience page, configure HTTP as follows:
#SGOS (config) http no pipeline client redirects



The status bar update does not work if it is disabled or if the Javascript does not have
sufficient rights to update it.



Looping: Certain conditions cause browsers to re-spawn patience pages. For example,
a site states it will begin a download in 10 seconds, initiates a pop-up download
window, and returns to the root window. If the download window allows pop-ups,
the patience page displays in a separate window. The automatic return to the root
window initiates the download sequence again, spawning another patience page. If
unnoticed, this loop could cause a system hang. The same behavior occurs if the user
clicks the back button to return to the root window. For known and used download
sites, you can create policy that redirects the page so that it doesn’t return to the root
window after a download starts.

FTP Patience Text
For content over FTP, the patience text displayed to FTP clients during an ICAP scan can
be modified.
To customize FTP patience text:
1.

Select Configuration > External Services > ICAP > ICAP Patience Page.

65

Chapter 3: Malicious Content Scanning Services

Section C: Creating ICAP Policy

Section C: Creating ICAP Policy
Defined ICAP policy dictates the anti-virus and ICAP server failover behavior for your
enterprise. You can either use the Visual Policy Manager (VPM) or you can manually edit
policy files. For more information on the VPM and defining policies, refer to Volume 6:
VPM and Advanced Policy.
Use the request.icap_service() (request modification) or response.icap_service()
(response modification) properties to manage the SG appliance ICAP services.

VPM Objects
The VPM contains the following objects specific to AV scanning (linked to their
descriptions in the VPM chapter).
Table 3-2. AV Scanning Objects
Object

Layer>Column

Virus Detected

Web Access>Service

ICAP Error Code

Web Access>Service

Return ICAP Feedback

Web Access>Action

Set ICAP Request Service

Web Access>Action

Set ICAP Request Service

Web Content>Action

Set ICAP Response Service

Web Content>Action

Note: For CPL policy, refer to Volume 10: Blue Coat SG Appliance Content Policy Language

Guide.

Example ICAP Scanning Policy
The following VPM example demonstrates the implementation of an ICAP policy that
performs virus scanning on both client uploads (to prevent propagating a virus) and
responses (to prevent the introduction of viruses), and provides failover with backup
ICAP services.
For this example:


The SG appliance has configured ICAP services. The response service is avresponse1
and the request service is avrequest1.



Two backup response services are configured: avreponse2 and avresponse3.



The Blue Coat AV is the virus scanner and it is configured to serve passwordprotected files.



A group named IT is configured on the SG appliance.



The IT group wants the ability to download password protected files, but deny
everyone else from doing the same.

67

Chapter 3: Malicious Content Scanning Services

Section C: Creating ICAP Policy


As the Blue Coat AV is configured to serve password-protected objects, only the IT
group can download such files; everyone else is denied.

Exempting HTTP Live Streams From Response Modification
The following CPL examples demonstrate how to exempt HTTP live streams from
response modification, as they are not supported by ICAP. The CPL designates user
agents that are bypassed.

url.scheme=http request.header.User-Agent="RealPlayer G2"
response.icap_service(no)
url.scheme=http request.header.User-Agent="(RMA)"
response.icap_service(no)
url.scheme=http request.header.User-Agent="(Winamp)"
response.icap_service(no)
url.scheme=http request.header.User-Agent="(NSPlayer)"
response.icap_service(no)
url.scheme=http request.header.User-Agent="(Windows-Media-Player)"
response.icap_service(no)
url.scheme=http request.header.User-Agent="QuickTime"
response.icap_service(no)
url.scheme=http request.header.User-Agent="(RealMedia Player)"
response.icap_service(no)

Streaming Media Request Modification Note
Some HTTP progressive download streaming media transactions are complex enough to
disrupt ICAP request modification services. If such behavior is noticed (most common
with RealPlayer), implement a workaround policy to bypass the ICAP request
modification service for HTTP progressive downloads:
For example:

url.scheme=http request_header.User-Agent="(RealMedia Player)"
request.icap_service(no)
url.scheme=http request_header.User-Agent="RMA"
request.icap_service(no)

CPL Notes


If policy specifies that an ICAP service is to be used, but the service is not available,
the default behavior is to fail closed—that is, deny the request or response. The
following CPL allows the serving of objects without ICAP processing if the server is
down.
request.icap_service(service_name, fail_open)
response.icap_service(service_name, fail_open)

When the ICAP service is restored, these objects are scanned and served from the
cache if they are requested again.
Note: Blue Coat recommends this CPL to be used for internal sites; use with caution.

72

Volume 7: Managing Content
Section C: Creating ICAP Policy


To provide an exception to a general rule, the following CPL negates ICAP
processing:
request.icap_service(no)
response.icap_service(no)

73

Chapter 3: Malicious Content Scanning Services

Section D: Managing Virus Scanning

Section D: Managing Virus Scanning
You might need to perform additional SG appliance maintenance concerning virus
scanning, particularly for updates to the virus definition on the ICAP virus scanning
server.

Advanced Configurations
This section summarizes more-advanced configurations between the SG appliance and
multiple ICAP servers. These brief examples provide objectives and suggest ways of
supporting the configuration.

Using Object-Specific Scan Levels
You can specify different scanning levels for different types of objects, or for objects from
different sources.
This requires a service group of ICAP servers, with each server configured to provide the
same level of scanning. For more information, refer to Chapter 4: "Configuring Service
Groups" on page 77.

Improving Virus Scanning Performance
You can overcome request-handling limitations of ICAP servers. Generally, SG appliances
can handle many times the volume of simultaneous user requests that ICAP servers can
handle.
This requires multiple ICAP servers to obtain a reasonable performance gain. On the SG
appliance, define policy rules that partition requests among the servers. If you are going
to direct requests to individual servers based on rules, configure in rule conditions that
only use the URL. Note that you can increase the scale by using a service group, rather
than use rules to partition requests among servers. For more information on using
multiple ICAP servers, refer to Chapter 4: "Configuring Service Groups" on page 77. For
more information about defining policies, refer to the Managing Policy Files chapter in
Volume 6: VPM and Advanced Policy, as well as Volume 11: Blue Coat SG Appliance Command
Line Reference.
When the virus definitions are updated, the SG appliance stores a signature. This
signature consists of the server name plus a virus definition version. If either of these
changes, the SG appliance checks to see if the object is up to date, and then rescans it. If
two requests for the same object are directed to different servers, then the scanning
signature changes and the object is rescanned.

Updating the ICAP Server
If there is a problem with the integration between the SG appliance and a supported ICAP
server after a version update of the server, you might need to configure the preview size
the appliance uses. For information, see “Creating an ICAP Service” on page 56.

74

Chapter 3: Malicious Content Scanning Services

Section D: Managing Virus Scanning

Replacing the ICAP Server
If you replace an ICAP server with another supported ICAP server, reconfigure the ICAP
service on the SG appliance:
SGOS# (config) external-services
SGOS# (config external-service) edit service_name
SGOS# (config service_name) url url

For information about these commands, see “Creating an ICAP Service” on page 56.

Access Logging
The SG appliance provides access log support for Symantec and Finjan ICAP 1.0 server
actions (Management > Access Logging). The following sections describe access logging
behavior for the various supported ICAP servers.

Symantec AntiVirus Scan Engine 4.0
When this Symantec server performs a scan, identifies a problem (for example, a virus),
and performs a content transformation, the action is logged. For example:
“virus-id: Type=number; Resolution=[0 | 1 | 2]; Threat=name;”

where:
Type=number

Specifies the numeric code for the virus.

Resolution=

Specifies an integer value that indicates what action was taken to fix
the file. Zero (0) defines the file is unrepairable, one (1) specifies that
the file was repaired, and two (2) specifies that the file was deleted.

Threat=

Specifies the name of the virus.

Finjan SurfinGate 7.0
When this Finjan ICAP server performs a scan, identifies a problem (for example, a virus),
and performs a content transformation, the action is logged. For example:
“virus-id: name, response-info: Blocked, response-desc: virus_name was
detected”

Finjan ICAP servers also log occurrences malicious mobile code.
Note: The access log string cannot exceed 256 characters. If the header name or value
extends the length over the limit, then that string does not get logged. For example, if the
x-virus-id header value is 260 characters, the access log displays "x-virus-id: " with
no value because the value is too long to display. Also, if the access log string is already
250 characters and the SG appliance attempts to append a "Malicious-Mobile-Type: "
string, the string is not appended

Access log entries might vary depending upon the type of ICAP scan performed and the
custom log formats. For information about Access Logging, refer to Volume 8: Access
Logging.

75

Volume 7: Managing Content

76

Chapter 4: Configuring Service Groups

This chapter describes how to create and manage ICAP or Websense service groups. In
high-traffic network environments, a service group accelerates response time by a
performing a higher volume of scanning.

About Weighted Load Balancing
The SG appliance supports weighted load balancing in forwarding requests to service
groups. By default, the SG appliance performs typical round-robin load balancing and
evenly forwards requests sequentially to servers as defined within the service group.
Manually assigning weights takes advantage of round-robin load balancing in service
groups that are not homogeneous, or where the servers have different capacities.
Weighting determines what proportion of the load one server bears relative to the
others. If all servers have either the default weight (1) or the same weight, each share an
equal proportion of the load. If one server has weight 25 and all other servers have
weight 50, the 25-weight server processes half as much as any other server.
Before configuring weights, consider the relative weights to assign to each server.
Factors that could affect assigned weight of a ICAP server include the following:


The processing capacity of the server hardware in relationship to other servers (for
example, the number and performance of CPUs or the number of network interface
cards)



The maximum number of connections configured for the service. The maximum
connections setting pertains to how many simultaneous scans can be performed on
the server, while weighting applies to throughput in the integration. While these
settings are not directly related, consider both when configuring weighted load
balancing.

Note: External services (ICAP, Websense off-box) have a reserved connection for
health checks (if you created health check services). This means that as the load goes
up and the number of connections to the external service reaches the maximum, with
additional requests being queued up and waiting, the maximum simultaneous
connections is actually one less than the limit.

The following diagram provides an example of how weighting works with a service
group of three Blue Coat AV ICAP servers.

77

Volume 7: Managing Content
To delete a service group:
1.

Select Configuration > External Services > Service-Groups.

2.

Select the service group to be deleted.

3.

Click Delete; click OK to confirm.

4.

Click Apply.

To delete a service group entry:
1.

Select Configuration > External Services > Service-Groups.

2.

Select the service group to be modified.

3.

Click Edit.

4.

Select the service entry to be deleted; click Delete.

5.

Click OK.

6.

Click Apply.

Displaying External Service and Group Information
After configuring a service group, you can display aggregate service group (and other
External Services) information.
To display information about all external services and groups:
At the (config) command prompt, enter the following commands:
SGOS# (config) external-services
SGOS# (config external-services) view

Individual service information is displayed first, followed by service group information.
For example:
; External Services
icap4
ICAP-Version:
1.0
URL:
icap://10.1.1.1
Max-conn:
5
Timeout(secs):
70
Health-checks:
no
Patience-page(secs): disabled
Notification:
never
Methods:
RESPMOD
Preview-size:
0
Send:
nothing
ISTag:
websense4
Version:
4.4
Host:
www.websense.com/list
Port:
15868
Max-conn:
5
Timeout(secs):
70
Send:
nothing
Fail-by-default:
closed
Apply-by-default:
no
Serve-exception-page:yes

82

Chapter 4: Configuring Service Groups

; External Service-Groups
CorpICAP
total weight 5
entries:
ICAP1
weight 4
ICAP2
weight 1
BranchWebsense
total weight
entries:
Websense1
weight
1
Websense2
weight
1

2

Related CLI Syntax to Manage External Services


To enter configuration mode:
SGOS# (config) external-services



The following commands are available:
SGOS# (config external-services) create service-group name
SGOS# (config service-group name) add service_name
SGOS# (config service-group name) edit service_name
SGOS# (config service-group name) weight value
SGOS# (config external-services) delete service_group_name
SGOS# (config type name) remove entry_name
SGOS# (config external-services) view
SGOS# (config type name) view

83

Volume 7: Managing Content

84

Appendix A: Glossary

A
access control list

Allows or denies specific IP addresses access to a server.

access log

A list of all the requests sent to an appliance. You can read an access log using any of
the popular log-reporting programs. When a client uses HTTP streaming, the
streaming entry goes to the same access log.

account

A named entity that has purchased the appliance or the Entitlements from Blue Coat.

activation code

A string of approximately 10 characters that is generated and mailed to customers
when they purchase the appliance.

active content stripping

Provides a way to identify potentially dangerous mobile or active content and
scripts, and strip them out of a response.

active content types

Used in the Visual Policy Manager. Referring to Web Access policies, you can create
and name lists of active content types to be stripped from Web pages. You have the
additional option of specifying a customized message to be displayed to the user

administration access policy

A policy layer that determines who can access the SG appliance to perform
administrative tasks.

administration
authentication policy

A policy layer that determines how administrators accessing the SG appliance must
authenticate.

Application Delivery
Network (ADN)

A WAN that has been optimized for acceleration and compression by Blue Coat. This
network can also be secured through the use of appliance certificates. An ADN
network is composed of an ADN manager and backup ADN manager, ADN nodes,
and a network configuration that matches the environment.

ADN backup manager

Takes over for the ADN manager in the event it becomes unavailable. See ADN
manager.

ADN manager

Responsible for publishing the routing table to SG Clients (and to other SG
appliances).

ADN optimize attribute

Controls whether to optimize bandwidth usage when connecting upstream using an
ADN tunnel.

asx rewrite

Allows you to rewrite URLs and then direct a client's subsequent request to the new
URL. One of the main applications of ASX file rewrites is to provide explicit proxylike support for Windows Media Player 6.4, which cannot set explicit proxy mode for
protocols other than HTTP.

audit

A log that provides a record of who accessed what and how.

85

Volume 7: Managing Content

authenticate-401 attribute

All transparent and explicit requests received on the port always use transparent
authentication (cookie or IP, depending on the configuration). This is especially
useful to force transparent proxy authentication in some proxy-chaining scenarios

authenticated content

Cached content that requires authentication at the origin content server (OCS).
Supported authentication types for cached data include basic authentication and
IWA (or NTLM).

authentication

Allows you to verify the identity of a user. In its simplest form, this is done through
usernames and passwords. Much more stringent authentication can be employed
using digital certificates that have been issued and verified by a Certificate
Authority. See also basic authentication, proxy authentication, and SSL
authentication.

authentication realm

Authenticates and authorizes users to access SG services using either explicit proxy
or transparent proxy mode. These realms integrate third-party vendors, such as
LDAP, Windows, and Novell, with the Blue Coat operating system.

authorization

The permissions given to an authenticated user.

B
bandwidth class

A defined unit of bandwidth allocation.

bandwidth class hierarchy

Bandwidth classes can be grouped together in a class hierarchy, which is a tree
structure that specifies the relationship among different classes. You create a
hierarchy by creating at least one parent class and assigning other classes to be its
children.

bandwidth management

Classify, control, and, if needed, limit the amount of bandwidth used by network
traffic flowing in or out of an SG appliance.

basic authentication

The standard authentication for communicating with the target as identified in the
URL.

BCAAA

Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to manage
authentication and authorization for IWA, CA eTrust SiteMinder realms, Oracle
COREid, Novell, and Windows realms. The agent is installed and configured
separately from SGOS 5.x and is available from the Blue Coat Web site.

BCLP

Blue Coat Licensing Portal.

byte-range support

The ability of the SG appliance to respond to byte-range requests (requests with a
Range: HTTP header).

C
cache

An "object store," either hardware or software, that stores information (objects) for
later retrieval. The first time the object is requested, it is stored, making subsequent
requests for the same information much faster.
A cache helps reduce the response time and network bandwidth consumption on
future, equivalent requests. The SG appliance serves as a cache by storing content
from many users to minimize response time and prevent extraneous network traffic.

86

Appendix A: Glossary

cache control

Allows you to configure which content the SG appliance stores.

cache efficiency

A tab found on the Statistics pages of the Management Console that shows the
percent of objects served from cache, the percent loaded from the network, and the
percent that were non-cacheable.

cache hit

Occurs when the SG appliance receives a request for an object and can serve the
request from the cache without a trip to the origin server.

cache miss

Occurs when the appliance receives a request for an object that is not in the cache.
The appliance must then fetch the requested object from the origin server. .

cache object

Cache contents includes all objects currently stored by the SG appliance. Cache
objects are not cleared when the SG appliance is powered off.

Certificate Authority (CA)

A trusted, third-party organization or company that issues digital certificates used to
create digital signatures and public key/private key pairs. The role of the CA is to
guarantee that the individuals or company representatives who are granted a unique
certificate are who they claim to be.

child class (bandwidth gain)

The child of a parent class is dependent upon that parent class for available
bandwidth (they share the bandwidth in proportion to their minimum/maximum
bandwidth values and priority levels). A child class with siblings (classes with the
same parent class) shares bandwidth with those siblings in the same manner.

client consent certificates

A certificate that indicates acceptance or denial of consent to decrypt an end user's
HTTPS request.

client-side transparency

A way of replacing the appliance IP address with the Web server IP address for all
port 80 traffic destined to go to the client. This effectively conceals the SG appliance
address from the client and conceals the identity of the client from the Web server.

concentrator

An SG appliance, usually located in a data center, that provides access to data center
resources, such as file servers.

content filtering

A way of controlling which content is delivered to certain users. SG appliances can
filter content based on content categories (such as gambling, games, and so on), type
(such as http, ftp, streaming, and mime type), identity (user, group, network), or
network conditions. You can filter content using vendor-based filtering or by
allowing or denying access to URLs.

D
default boot system

The system that was successfully started last time. If a system fails to boot, the next
most recent system that booted successfully becomes the default boot system.

default proxy listener

See proxy service (d efault).

87

Volume 7: Managing Content

denial of service (DoS)

A method that hackers use to prevent or deny legitimate users access to a computer,
such as a Web server. DoS attacks typically send many request packets to a targeted
Internet server, flooding the server's resources and making the system unusable. Any
system connected to the Internet and equipped with TCP-based network services is
vulnerable to a DoS attack.
The SG appliance resists DoS attacks launched by many common DoS tools. With a
hardened TCP/IP stack, SG appliance resists common network attacks, including
traffic flooding.

destination objects

Used in Visual Policy Manager. These are the objects that define the target location of
an entry type.

detect protocol attribute

Detects the protocol being used. Protocols that can be detected include: HTTP, P2P
(eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper.

diagnostic reporting

Found in the Statistics pane, the Diagnostics tab allows you to control whether Daily
Heartbeats and/or Blue Coat Monitoring are enabled or disabled.

directives

Commands used in installable lists to configure forwarding and SOCKS gateway.

DNS access

A policy layer that determines how the SG appliance processes DNS requests.

domain name system (DNS)

An Internet service that translates domain names into IP addresses. See also private
DNS or public DNS.

dynamic bypass

Provides a maintenance-free method for improving performance of the SG appliance
by automatically compiling a list of requested URLs that return various kinds of
errors.

dynamic real-time rating
(DRTR)

Used in conjunction with the Blue Coat Web Filter (BCWF), DRTR (also known as
dynamic categorization) provides real-time analysis and content categorization of
requested Web pages to solve the problem of new and previously unknown
uncategorized URLs—those not in the database. When a user requests a URL that has
not already been categorized by the BCWF database (for example, a brand new Web
site), the SG appliance dynamic categorization service analyzes elements of the
requested content and assigns a category or categories. The dynamic service is
consulted only when the installed BCWF database does not contain category
information for an object.

E
early intercept attribute

Controls whether the proxy responds to client TCP connection requests before
connecting to the upstream server. When early intercept is disabled, the proxy delays
responding to the client until after it has attempted to contact the server.

ELFF-compatible format

A log type defined by the W3C that is general enough to be used with any protocol.

emulated certificates

Certificates that are presented to the user by SG appliance when intercepting HTTPS
requests. Blue Coat emulates the certificate from the server and signs it, copying the
subjectName and expiration. The original certificate is used between the SG
appliance and the server.

encrypted log

A log is encrypted using an external certificate associated with a private key.
Encrypted logs can only be decrypted by someone with access to the private key. The
private key is not accessible to the SG appliance.

88

Appendix A: Glossary

EULA

End user license agreement.

event logging

Allows you to specify the types of system events logged, the size of the event log, and
to configure Syslog monitoring. The appliance can also notify you by email if an
event is logged. See also access logging.

explicit proxy

A configuration in which the browser is explicitly configured to communicate with
the proxy server for access to content.
This is the default for the SG appliance, and requires configuration for both browser
and the interface card.

extended log file format
(ELFF)

A variant of the common log file format, which has two additional fields at the end of
the line—the referer and the user agent fields.

F
fail open/closed

Failing open or closed applies to forwarding hosts and groups and SOCKS gateways.
Fail open or closed applies when health checks are showing sick for each forwarding
or SOCKS gateway target in the applicable fail-over sequence. If no systems are
healthy, the SG appliance fails open or closed, depending on the configuration. If
closed, the connection attempt simply fails.
If open, an attempt is made to connect without using any forwarding target (or
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no
setting is specified.

filtering

See content filtering.

forward proxy

A proxy server deployed close to the clients and used to access many servers. A
forward proxy can be explicit or transparent.

FTP

See Native FTP; Web FTP.

G
gateway

A device that serves as entrance and exit into a communications network.

H
hardware serial number

A string that uniquely identifies the appliance; it is assigned to each unit in
manufacturing.

89

Volume 7: Managing Content

health check tests

The method of determining network connectivity, target responsiveness, and basic
functionality. The following tests are supported:
• ICMP
• TCP
• SSL
• HTTP
• HTTPS
• Group
• Composite and reference to a composite result
• ICAP
• Websense
• DRTR rating service

health check type

The kind of device or service the specific health check tests. The following types are
supported:
• Forwarding host and forwarding group
• SOCKS gateway and SOCKS gateway group
• CAP service and ICAP service group
• Websense off-box service and Websense off-box service group
• DRTR rating service
• User-defined host and a user-defined composite

heartbeat

Messages sent once every 24 hours that contain the statistical and configuration data
for the SG appliance, indicating its health. Heartbeats are commonly sent to system
administrators and to Blue Coat. Heartbeats contain no private information, only
aggregate statistics useful for pre-emptively diagnosing support issues.
The SG appliance sends emergency heartbeats whenever it is rebooted. Emergency
heartbeats contain core dump and restart flags in addition to daily heartbeat
information.

host affinity

The attempt to direct multiple connections by a single user to the same group
member. Host affinity is closely tied to load balancing behavior; both should be
configured if load balancing is important.

host affinity timeout

The host affinity timeout determines how long a user remains idle before the
connection is closed. The timeout value checks the user's IP address, SSL ID, or
cookie in the host affinity table.

I
inbound traffic (bandwidth
gain)

Network packets flowing into the SG appliance. Inbound traffic mainly consists of
the following:
• Server inbound: Packets originating at the origin content server (OCS) and sent to
the SG appliance to load a Web object.
• Client inbound: Packets originating at the client and sent to the SG appliance for
Web requests.

90

Appendix A: Glossary

installable lists

Installable lists, comprised of directives, can be placed onto the SG appliance in one
of the following ways:
• Creating the list using the SG text editor
• Placing the list at an accessible URL
• Downloading the directives file from the local system

integrated host timeout

An integrated host is an origin content server (OCS) that has been added to the health
check list. The host, added through the integrate_new_hosts property, ages out
of the integrated host table after being idle for the specified time. The default is 60
minutes.

intervals

Time period from the completion of one health check to the start of the next health
check.

IP reflection

Determines how the client IP address is presented to the origin server for explicitly
proxied requests. All proxy services contain a reflect-ip attribute, which enables or
disables sending of client's IP address instead of the SG's IP address.

issuer keyring

The keyring used by the SG appliance to sign emulated certificates. The keyring is
configured on the appliance and managed through policy.

L
licensable component (LC)

(Software) A subcomponent of a license; it is an option that enables or disables a
specific feature.

license

Provides both the right and the ability to use certain software functions within an AV
(or SG) appliance. The license key defines and controls the license, which is owned
by an account.

listener

The service that is listening on a specific port. A listener can be identified by any
destination IP/subnet and port range. Multiple listeners can be added to each
service.

live content

Also called live broadcast. Used in streaming, it indicates that the content is being
delivered fresh.

LKF

License key file.

load balancing

A way to share traffic requests among multiple upstream systems or multiple IP
addresses on a single host.

local bypass list

A list you create and maintain on your network. You can use a local bypass list alone
or in conjunction with a central bypass list. See bypass list.

local policy file

Written by enterprises (as opposed to the central policy file written by Blue Coat);
used to create company- and department-specific advanced policies written in the
Blue Coat Policy Language (CPL).

log facility

A separate log that contains a single logical file and supports a single log format. It
also contains the file’s configuration and upload schedule information as well as
other configurable information such as how often to rotate (switch to a new log) the
logs at the destination, any passwords needed, and the point at which the facility can
be uploaded.

91

Volume 7: Managing Content

log format

The type of log that is used: NCSA/Common, SQUID, ELFF, SurfControl, or
Websense.
The proprietary log types each have a corresponding pre-defined log format that has
been set up to produce exactly that type of log (these logs cannot be edited). In
addition, a number of other ELFF type log formats are also pre-defined (im, main,
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log
fields for logging particular protocols understood by the SG appliance. It is also
possible to create new log formats of type ELFF or Custom which can contain any
desired combination of log fields.

log tail

The access log tail shows the log entries as they get logged. With high traffic on the
SG appliance, not all access log entries are necessarily displayed. However, you can
view all access log information after uploading the log.

M
MACH5

SGOS 5 MACH5 Edition.

Management Console

A graphical Web interface that lets you to manage, configure, monitor, and upgrade
the SG appliance from any location. The Management Console consists of a set of
Web pages and Java applets stored on the SG appliance. The appliance acts as a Web
server on the management port to serve these pages and applets.

management information
base (MIB)

Defines the statistics that management systems can collect. A managed device
(gateway) has one or more MIBs as well as one or more SNMP agents, which
implements the information and management functionality defined by a specific
MIB.

maximum object size

The maximum object size stored in the SG appliance. All objects retrieved that are
greater than the maximum size are delivered to the client but are not stored in the SG
appliance.

MIME/FILE type filtering

Allows organizations to implement Internet policies for both uploaded and
downloaded content by MIME or FILE type.

multi-bit rate

The capability of a single stream to deliver multiple bit rates to clients requesting
content from appliances from within varying levels of network conditions (such as
different connecting bandwidths and traffic).

multicast

Used in streaming; the ability for hundreds or thousands of users to play a single
stream.

multicast aliases

Used in streaming; a streaming command that specifies an alias for a multicast URL
to receive an .nsc file. The .nsc files allows the multicast session to obtain the
information in the control channel

multicast station

Used in streaming; a defined location on the proxy where the Windows Media player
can retrieve streams. A multicast station enables multicast transmission of Windows
Media content from the cache. The source of the multicast-delivered content can be a
unicast-live source, a multicast (live) source, and simulated live (video-on-demand
content converted to scheduled live content).

multimedia content services

Used in streaming; multimedia support includes Real Networks, Microsoft Windows
Media, Apple QuickTime, MP3, and Flash.

92

Appendix A: Glossary

N
name inputing

Allows an SG appliance to resolve host names based on a partial name specification.
When a host name is submitted to the DNS server, the DNS server resolves the name
to an IP address. If the host name cannot be resolved, Blue Coat adds the first entry in
the name-inputing list to the end of the host name and resubmits it to the DNS server

native FTP

Native FTP involves the client connecting (either explicitly or transparently) using
the FTP protocol; the SG appliance then connects upstream through FTP (if
necessary).

NCSA common log format

Blue Coat products are compatible with this log type, which contains only basic
HTTP access information.

network address translation
(NAT)

The process of translating private network (such as intranet) IP addresses to Internet
IP addresses and vice versa. This methodology makes it possible to match private IP
addresses to Internet IP addresses even when the number of private addresses
outnumbers the pool of available Internet addresses.

non-cacheable objects

A number of objects are not cached by the Blue Coat appliance because they are
considered non-cacheable. You can add or delete the kinds of objects that the
appliance considers non-cacheable. Some of the non-cacheable request types are:
• Pragma no-cache, requests that specify non-cached objects, such as when you click
refresh in the Web browser.
• Password provided, requests that include a client password.
• Data in request that include additional client data.
• Not a GET request.

.nsc file

Created from the multicast station definition and saved through the browser as a text
file encoded in a Microsoft proprietary format. Without an .nsc file, the multicast
station definition does not work.

NTP

To manage objects in an appliance, an SG appliance must know the current Universal
Time Coordinates (UTC) time. By default, the SG appliance attempts to connect to a
Network Time Protocol (NTP) server to acquire the UTC time. SG appliance includes
a list of NTP servers available on the Internet, and attempts to connect to them in the
order they appear in the NTP server list on the NTP tab.

O
object (used in caching)

An object is the item that is stored in an appliance. These objects can be frequently
accessed content, content that has been placed there by content publishers, or Web
pages, among other things.

object (used in Visual Policy
Manager)

An object (sometimes referred to as a condition) is any collection or combination of
entry types you can create individually (user, group, IP address/subnet, and
attribute). To be included in an object, an item must already be created as an
individual entry.

object pipelining

This patented algorithm opens as many simultaneous TCP connections as the origin
server will allow and retrieves objects in parallel. The objects are then delivered from
the appliance straight to the user's desktop as fast as the browser can request them.

93

Volume 7: Managing Content

origin content server (OCS)

Also called origin server. This is the original source of the content that is being
requested. An appliance needs the OCS to acquire data the first time, to check that
the content being served is still fresh, and to authenticate users.

outbound traffic (bandwidth
gain)

Network packets flowing out of the SG appliance. Outbound traffic mainly consists
of the following:
• Client outbound: Packets sent to the client in response to a Web request.
• Server outbound: Packets sent to an OCS or upstream proxy to request a service.

P
PAC (Proxy
AutoConfiguration) scripts

Originally created by Netscape, PACs are a way to avoid requiring proxy hosts and
port numbers to be entered for every protocol. You need only enter the URL. A PAC
can be created with the needed information and the local browser can be directed to
the PAC for information about proxy hosts and port numbers.

packet capture (PCAP)

Allows filtering on various attributes of the Ethernet frame to limit the amount of
data collected. You can capture packets of Ethernet frames going into or leaving an
SG appliance.

parent class (bandwidth
gain)

A class with at least one child. The parent class must share its bandwidth with its
child classes in proportion to the minimum/maximum bandwidth values or priority
levels.

passive mode data
connections (PASV)

Data connections initiated by an FTP client to an FTP server.

pipelining

See object pipelining.

policies

Groups of rules that let you manage Web access specific to the needs of an enterprise.
Policies enhance SG appliance feature areas such as authentication and virus
scanning, and let you control end-user Web access in your existing infrastructure.
See also refresh policies.

policy-based bypass list

Used in policy. Allows a bypass based on the properties of the client, unlike static
and dynamic bypass lists, which allow traffic to bypass the appliance based on
destination IP address. See also bypass lists and dynamic bypass.

policy layer

A collection of rules created using Blue Coat CPL or with the VPM.

pragma: no cache (PNC)

A metatag in the header of a request that requires the appliance to forward a request
to the origin server. This allows clients to always obtain a fresh copy (of the request?).

proxy

Caches content, filters traffic, monitors Internet and intranet resource usage, blocks
specific Internet and intranet resources for individuals or groups, and enhances the
quality of Internet or intranet user experiences.
A proxy can also serve as an intermediary between a Web client and a Web server
and can require authentication to allow identity based policy and logging for the
client.
The rules used to authenticate a client are based on the policies you create on the SG
appliance, which can reference an existing security infrastructure—LDAP, RADIUS,
IWA, and the like.

94

Appendix A: Glossary

Proxy Edition

SGOS 5 Proxy Edition.

proxy service

The proxy service defines the ports, as well as other attributes. that are used by the
proxies associated with the service.

proxy service (default)

The default proxy service is a service that intercepts all traffic not otherwise
intercepted by other listeners. It only has one listener whose action can be set to
bypass or intercept. No new listeners can be added to the default proxy service, and
the default listener and service cannot be deleted. Service attributes can be changed.

public key certificate

An electronic document that encapsulates the public key of the certificate sender,
identifies this sender, and aids the certificate receiver to verify the identity of the
certificate sender. A certificate is often considered valid if it has been digitally signed
by a well-known entity, which is called a Certificate Authority (such as VeriSign).

public virtual IP (VIP)

Maps multiple servers to one IP address and then propagates that information to the
public DNS servers. Typically, there is a public VIP known to the public Internet that
routes the packets internally to the private VIP. This enables you to “hide” your
servers from the Internet.

R
real-time streaming protocol
(RTSP)

A standard method of transferring audio and video and other time-based media over
Internet-technology based networks. The protocol is used to stream clips to any RTPbased client.

reflect client IP attribute

Enables the sending of the client's IP address instead of the SG's IP address to the
upstream server. If you are using an application delivery network (ADN), this setting
is enforced on the concentrator proxy through the Configuration > App. Delivery
Network > Tunneling tab.

registration

An event that binds the appliance to an account, that is, it creates the Serial#, Account
association.

remote authentication dialin user service (RADIUS)

Authenticates user identity via passwords for network access.

reverse proxy

A proxy that acts as a front-end to a small number of pre-defined servers, typically to
improve performance. Many clients can use it to access the small number of
predefined servers.

routing information protocol
(RIP)

Designed to select the fastest route to a destination. RIP support is built into Blue
Coat appliances.

router hops

The number of jumps a packet takes when traversing the Internet.

S

95

Volume 7: Managing Content

secure shell (SSH)

Also known as Secure Socket Shell. SSH is an interface and protocol that provides
strong authentication and enables you to securely access a remote computer. Three
utilities—login, ssh, and scp—comprise SSH. Security via SSH is accomplished using
a digital certificate and password encryption. Remember that the Blue Coat SG
appliance requires SSH1. An SG appliance supports a combined maximum of 16
Telnet and SSH sessions.

serial console

A third-party device that can be connected to one or more Blue Coat appliances.
Once connected, you can access and configure the appliance through the serial
console, even when you cannot access the appliance directly.

server certificate categories

The hostname in a server certificate can be categorized by BCWF or another content
filtering vendor to fit into categories such as banking, finance, sports.

server portals

Doorways that provide controlled access to a Web server or a collection of Web
servers. You can configure Blue Coat SG appliances to be server portals by mapping
a set of external URLs onto a set of internal URLs.

server-side transparency

The ability for the server to see client IP addresses, which enables accurate clientaccess records to be kept. When server-side transparency is enabled, the appliance
retains client IP addresses for all port 80 traffic to and from the SG appliance. In this
scheme, the client IP address is always revealed to the server.

service attributes

Define the parameters, such as explicit or transparent, cipher suite, and certificate
verification, that the SG appliance uses for a particular service. .

SG appliance

A Blue Coat security and cache box that can help manage security and content on a
network.

sibling class (bandwidth
gain)

A bandwidth class with the same parent class as another class.

simple network
management protocol
(SNMP)

The standard operations and maintenance protocol for the Internet. It uses MIBs,
created or customized by Blue Coat, to handle (needs completion).

simulated live

Used in streaming. Defines playback of one or more video-on-demand files as a
scheduled live event, which begins at a specified time. The content can be looped
multiple times, or scheduled to start at multiple start times throughout the day.

SmartReporter log type

A proprietary ELFF log type that is compatible with the SmartFilter SmartReporter
tool.

SOCKS

A proxy protocol for TCP/IP-based networking applications that allows users
transparent access across the firewall. If you are using a SOCKS server for the
primary or alternate forwarding gateway, you must specify the appliance’s ID for the
identification protocol used by the SOCKS gateway. The machine ID should be
configured to be the same as the appliance’s name.

SOCKS proxy

A generic way to proxy TCP and UDP protocols. The SG appliance supports both
SOCKSv4/4a and SOCKSv5; however, because of increased username and password
authentication capabilities and compression support, Blue Coat recommends that
you use SOCKS v5.

splash page

Custom message page that displays the first time you start the client browser.

96

Appendix A: Glossary

split proxy

Employs co-operative processing at the branch and the core to implement
functionality that is not possible in a standalone proxy. Examples of split proxies
include:
• Mapi Proxy
• SSL Proxy

SQUID-compatible format

A log type that was designed for cache statistics and is compatible with Blue Coat
products.

squid-native log format

The Squid-compatible format contains one line for each request.

SSL authentication

Ensures that communication is with “trusted” sites only. Requires a certificate issued
by a trusted third party (Certificate Authority).

SSL interception

Decrypting SSL connections.

SSL proxy

A proxy that can be used for any SSL traffic (HTTPS or not), in either forward or
reverse proxy mode.

static route

A manually-configured route that specifies the transmission path a packet must
follow, based on the packet’s destination address. A static route specifies a
transmission path to another network.

statistics

Every Blue Coat appliance keeps statistics of the appliance hardware and the objects
it stores. You can review the general summary, the volume, resources allocated,
cache efficiency, cached contents, and custom URLs generated by the appliance for
various kinds of logs. You can also check the event viewer for every event that
occurred since the appliance booted.

stream

A flow of a single type of data, measured in kilobits per second (Kbps). A stream
could be the sound track to a music video, for example.

SurfControl log type

A proprietary log type that is compatible with the SurfControl reporter tool. The
SurfControl log format includes fully-qualified usernames when an NTLM realm
provides authentication. The simple name is used for all other realm types.

syslog

An event-monitoring scheme that is especially popular in Unix environments. Most
clients using Syslog have multiple devices sending messages to a single Syslog
daemon. This allows viewing a single chronological event log of all of the devices
assigned to the Syslog daemon. The Syslog format is: “Date Time Hostname Event.”

system cache

The software cache on the appliance. When you clear the cache, all objects in the
cache are set to expired. The objects are not immediately removed from memory or
disk, but a subsequent request for any object requested is retrieved from the origin
content server before it is served.

T
time-to-live (TTL) value

Used in any situation where an expiration time is needed. For example, you do not
want authentication to last beyond the current session and also want a failed
command to time out instead of hanging the box forever.

97

Volume 7: Managing Content

traffic flow
(bandwidth gain)

Also referred to as flow. A set of packets belonging to the same TCP/UDP connection
that terminate at, originate at, or flow through the SG appliance. A single request
from a client involves two separate connections. One of them is from the client to the
SG appliance, and the other is from the SG appliance to the OCS. Within each of
these connections, traffic flows in two directions—in one direction, packets flow out
of the SG appliance (outbound traffic), and in the other direction, packets flow into
the SG (inbound traffic). Connections can come from the client or the server. Thus,
traffic can be classified into one of four types:
• Server inbound
• Server outbound
• Client inbound
• Client outbound
These four traffic flows represent each of the four combinations described above.
Each flow represents a single direction from a single connection.

transmission control
protocol (TCP)

TCP, when used in conjunction with IP (Internet Protocol) enables users to send data,
in the form of message units called packets, between computers over the Internet.
TCP is responsible for tracking and handling, and reassembly of the packets; IP is
responsible for packet delivery.

transparent proxy

A configuration in which traffic is redirected to the SG appliance without the
knowledge of the client browser. No configuration is required on the browser, but
network configuration, such as an L4 switch or a WCCP-compliant router, is
required.

trial period

Starting with the first boot, the trial period provides 60 days of free operation. All
features are enabled during this time.

U
unicast alias

Defines an name on the appliance for a streaming URL. When a client requests the
alias content on the appliance, the appliance uses the URL specified in the unicastalias command to request the content from the origin streaming server.

universal time coordinates
(UTC)

An SG appliance must know the current UTC time. By default, the appliance
attempts to connect to a Network Time Protocol (NTP) server to acquire the UTC
time. If the SG appliance cannot access any NTP servers, you must manually set the
UTC time.

URL filtering

See content filtering.

URL rewrite rules

Rewrite the URLs of client requests to acquire the streaming content using the new
URL. For example, when a client tries to access content on www.mycompany.com,
the appliance is actually receiving the content from the server on 10.253.123.123. The
client is unaware that mycompany.com is not serving the content; however, the
appliance access logs indicate the actual server that provides the content.

W
WCCP

Web Cache Communication Protocol. Allows you to establish redirection of the
traffic that flows through routers.

98

Appendix A: Glossary

Web FTP

Web FTP is used when a client connects in explicit mode using HTTP and accesses an
ftp:// URL. The SG appliance translates the HTTP request into an FTP request for
the OCS (if the content is not already cached), and then translates the FTP response
with the file contents into an HTTP response for the client.

Websense log type

A Blue Coat proprietary log type that is compatible with the Websense reporter tool.

X

XML responder

HTTP XML service that runs on an external server.

XML requestor

XML realm.

99

Volume 7: Managing Content

100

Index

Numerics

D

3rd party
configuring 28
specifying a time period 33
specifying time period 33

data trickling, about 52
document
conventions 7
Dynamic Categorization
about 12

A
access logging, ICAP 75

B

F
FTP, content scanning 48

H

Blue Coat SG
ICAP service configuration 56
Blue Coat Web Filter
configuring 14
specifying a time period 16
update time period 16

headers
request modification 49
response modification 48
HTTP, scanning HTTP objects 48
HTTPS, content scanning 48

C

I

content filtering
3rd party
configuring 28
3rd party, automatic download 33
Blue Coat Web Filter
configuring 14
example of category= 35
expired database, using 40
expired license, downloading a database with 40
IWF
automatic download 26
configuring 24
local database
configuring 20
policy with vendor categories 37
provider, selecting 19
SmartFilter
configuring 30
Websense on-box
configuring 31
content scanning
ICAP service 56
policy for 48

ICAP
configuring Blue Coat SG for 56
data trickling 52
failover, about 55
feedback, configuring 61
health checks, managing 59
installing server 56
ISTags 51
patience pages, about 51
patience text, customizing 62
policy examples 67
replacing the server 75
request modification, about 49
response modification, about 48
sense settings 51
service, creating 56
IWF
configuring 24
custom time frame update 26
scheduling download 26

L
local database
configuring 20

101

Volume 7: Managing Content

P

S

patience pages, about 51
policy
content scanning 48
example, limit access to certain Web sites 38
example, limit access to specified time of day 38
vendor categories, using with 37

SmartFilter
configuring 30

V

R

virus scanning
advanced configurations 74
managing 74
replacing the ICAP server 75

request modification, about 49
response modification, about 48

W
Websense on-box
configuring 31

102

Document Path: ["169-blue-coat-instruction-proxysg.pdf"]

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh