Blue Coat® Systems
ProxySG® Appliance

Configuration and Management Suite
Volume 7: Managing Content

SGOS Version 5.3.x


Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com

Copyright© 1999-2008 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat
Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering
Internet Management®, The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian
and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the
Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document Number: 231-03016
Document Revision: SGOS 5.3.1—08/2008

ii

Contents
Chapter 1: Introduction

How This Document Is Organized................................................................................................... 7
Notes and Warnings ........................................................................................................................... 8
About Procedures ............................................................................................................................... 8
Illustrations .......................................................................................................................................... 8
Chapter 2: Filtering Web Content
Section A: About Filtering Web Content

About Content Filtering Databases ................................................................................................ 12
Setting the Memory Allocation ................................................................................................ 12
About Content Filtering Categories ............................................................................................... 13
On-Box Versus Off-Box Solutions .................................................................................................. 13
ProxySG Content Filtering Options ............................................................................................... 14
Section B: Configuring Blue Coat Web Filter

About Blue Coat Web Filter ............................................................................................................ 16
About Dynamic Real-Time Rating........................................................................................... 16
Selecting Blue Coat Web Filter........................................................................................................ 17
Configuring Blue Coat Web Filter ........................................................................................... 19
Specifying a Custom Time Period to Update Blue Coat Web Filter.......................................... 20
Configuring Dynamic Real-Time Rating....................................................................................... 21
About Proxy Chaining Support for DRTR ............................................................................. 21
Configuring DRTR ..................................................................................................................... 22
About DRTR States .................................................................................................................... 24
Diagnostics......................................................................................................................................... 24
Section C: Configuring a Local Database

Selecting the Local Database and Downloading the Database .................................................. 26
Specifying a Custom Time Period to Update a Local Database................................................. 28
Diagnostics......................................................................................................................................... 28
Section D: Configuring Internet Watch Foundation

Selecting the IWF Database ............................................................................................................. 30
Specifying a Custom Time Period to Update IWF....................................................................... 32
Diagnostics......................................................................................................................................... 33
Section E: Configuring a Third-Party Vendor

Selecting the Provider and Downloading the Database ............................................................. 34
Specifying a Custom Time Period to Update a Third-Party Database ..................................... 41
Diagnostics......................................................................................................................................... 42


Section F: Applying Policy

Applying Policy to Categorized URLs .......................................................................................... 44
Using Content Filtering Vendors with Blue Coat Policies ......................................................... 46
Modifying Policy for SmartFilter Database Changes.................................................................. 48
Defining Custom Categories in Policy .......................................................................................... 48
Notes................................................................................................................................................... 50
Section G: Configuring Websense Off-Box Content Filtering

Performing a Health Check on a Websense Off-Box Service ..................................................... 54
Chapter 3: Malicious Content Scanning Services
Section A: About Content Scanning

Determining Which Files to Scan ................................................................................................... 58
Workflow Tasks ................................................................................................................................ 59
About Response Modification.................................................................................................. 60
About Request Modification .................................................................................................... 61
Returning the Object to the ProxySG ...................................................................................... 62
Caching and Serving the Object............................................................................................... 63
ICAP v1.0 Features ........................................................................................................................... 63
Sense Settings.............................................................................................................................. 63
ISTags........................................................................................................................................... 63
Persistent Connections .............................................................................................................. 63
Improving the User Experience...................................................................................................... 64
About Patience Pages ................................................................................................................ 64
About Data Trickling ................................................................................................................. 64
Avoiding Network Outages due to Infinite Streaming Issues ............................................ 68
Section B: Configuring ProxySG ICAP Communications

Creating an ICAP Service ................................................................................................................ 70
Deleting an ICAP Service ................................................................................................................ 76
Configuring ICAP Feedback ........................................................................................................... 76
Customizing ICAP Patience Text ................................................................................................... 78
HTTP Patience Text ................................................................................................................... 78
FTP Patience Text ....................................................................................................................... 81
Section C: Creating ICAP Policy

VPM Objects ...................................................................................................................................... 84
Example ICAP Scanning Policy...................................................................................................... 84
Exempting HTTP Live Streams From Response Modification .................................................. 90
Streaming Media Request Modification Note .............................................................................. 90
CPL Notes .......................................................................................................................................... 90
Section D: Managing Virus Scanning

Advanced Configurations ............................................................................................................... 92


Using Object-Specific Scan Levels ........................................................................................... 92
Improving Virus Scanning Performance ................................................................................ 92
Updating the ICAP Server............................................................................................................... 92
Replacing the ICAP Server .............................................................................................................. 93
Access Logging ................................................................................................................................. 93
Symantec AntiVirus Scan Engine 4.0 ...................................................................................... 93
Finjan SurfinGate 7.0 ................................................................................................................. 93
Chapter 4: Configuring Service Groups

About Weighted Load Balancing ................................................................................................... 95
Creating a Service Group ................................................................................................................ 97
Deleting a Service Group or Group Entry .................................................................................... 99
Displaying External Service and Group Information................................................................ 100
Appendix A: Troubleshooting

Unable to Communicate with the DRTR Service....................................................................... 103
Event Log Message: Invalid DRTR Service Name, Health Check Failed............................... 103
Error Determining Category for Requested URL ...................................................................... 104
Contacting Technical Support ...................................................................................................... 105
Glossary
Index


Chapter 1: Introduction

This volume discusses how to apply content filtering and virus scanning to
requested and posted Web content in an enterprise, which is vital to securing
the network and improving productivity.


• Content filtering allows you to regulate, based on content categories, which
Web sites employees are allowed to access and which are restricted.

• Virus scanning allows you to scan both incoming content and content
leaving the enterprise network for viruses and other malicious code, such
as drive-by software that propagates spyware.

How This Document Is Organized
Table 1-1 describes the document components in Volume 7: Managing Content.
Table 1–1 Document Organization

Chapter Title
    Description

Chapter 1: "Introduction"
    Provides information about this document, conventions used, and related
    documentation.

Chapter 2: "Filtering Web Content"
    Describes how to configure the ProxySG to process client Web requests and
    filter the returning content.

Chapter 3: "Malicious Content Scanning Services"
    Describes how to configure the ProxySG to interact with external Internet
    Content Adaptation Protocol (ICAP) clients and servers to provide content
    scanning and transformation.

Chapter 4: "Configuring Service Groups"
    Describes how to create and manage ICAP or Websense service groups.

Appendix A: "Troubleshooting"
    Describes common issues that might occur when filtering Web content, and
    suggested solutions.

Table 1–2 Document Conventions

Conventions
    Definition

Italics
    The first use of a new or Blue Coat-proprietary term.

Courier font
    Screen output. For example, command line text, file names, and Blue Coat
    Content Policy Language (CPL).

Courier Italics
    A command line variable that is to be substituted with a literal name or
    value pertaining to the appropriate facet of your network system.

Courier Boldface
    A Blue Coat literal to be entered as shown.

Arial Boldface
    Screen elements in the Management Console.

{ }
    One of the parameters enclosed within the braces must be supplied.

[ ]
    An optional parameter or parameters.

|
    Either the parameter before or after the pipe character can or must be
    selected, but not both.

Notes and Warnings
The following is provided for your information and to caution you against actions
that can result in data loss or personal injury:
Note: Information to which you should pay attention.

Important: Critical information that is not related to equipment damage or
personal injury (for example, data loss).

WARNING! Used only to inform you of danger of personal injury or physical
damage to equipment. An example is a warning against electrostatic discharge
(ESD) when installing equipment.

About Procedures
Many of the procedures in this volume begin:

• Select Configuration > TabName, if you are working in the Management Console,

or

• From the (config) prompt, if you are working in the command line interface (CLI).

Blue Coat assumes that you are logged into the first page of the Management
Console or entered into configuration mode in the CLI.

Illustrations
To save space, screen shots illustrating a procedure often have the bottom portion
removed, along with the blank space.

Figure 1–1 Configuration > General Tab with Bottom Buttons

• Preview: Click this button to view the configuration changes before applying
the configuration to the ProxySG. To modify your changes, click Close and
return to the tab whose settings you want to modify.

• Apply: Click this button to apply unsaved configuration changes to the
ProxySG.

• Revert: Click this button to revert any unapplied changes to the ProxySG
configuration. Changes that previously have been applied to the ProxySG are
not affected.

• Help: Click this button to view conceptual and procedural documentation
about the tab's topic.

Figure 1–2 Configuration > General Tab with Bottom Buttons Removed


Chapter 2: Filtering Web Content

This chapter describes how to configure the ProxySG to process client Web
requests and filter the returning content.

Topics in this Chapter
This chapter includes information about the following topics:

• Section A: "About Filtering Web Content" on page 12
• Section B: "Configuring Blue Coat Web Filter" on page 16
• Section C: "Configuring a Local Database" on page 26
• Section D: "Configuring Internet Watch Foundation" on page 30
• Section E: "Configuring a Third-Party Vendor" on page 34
• Section F: "Applying Policy" on page 44
• Section G: "Configuring Websense Off-Box Content Filtering" on page 52

Section A: About Filtering Web Content
Content filtering allows you to control access to Web sites based on their
perceived content. This section describes content filtering databases and
categories, on-box versus off-box solutions, Blue Coat content filtering options,
and Dynamic Real-Time Rating (DRTR).

About Content Filtering Databases
A content filtering database is simply a set of rules for organizing URLs into
meaningful categories. Depending on the vendor, a URL is listed under one
category or several categories.
A content filtering database does not block any Web site or any category by
default. The role of the database is to offer additional information to the proxy
server and to the administrator about the client request. Client access depends on
the rules and policies implemented by the administrator in accordance with
company standards.
Important: Because of the dynamic nature of the Internet, there is a constant flow
of new URLs (and URLs on lesser-known sites) that will not be in the existing
content filtering database. Those URLs that are not in the database are marked as
none, and you can create a policy to categorize these.

Setting the Memory Allocation
Content filtering databases are becoming quite large and, in some cases, could
cause CPU spikes, appliance restarts, and other performance issues. It is
important to set the memory allocation for your specific deployment needs in
order to avoid any resulting performance issues.
The Normal memory allocation setting is ideal for most deployments, except for
the following situations:


• If you are not using ADN and have a high transaction rate for content filtering,
you can increase the memory allocation setting to High. This helps content
filtering run more efficiently.

• If you are using both ADN and content filtering but the transaction rate for
content filtering isn't very high, you can reduce the memory allocation setting
to Low. This makes more resources available for ADN, allowing it to support a
larger number of concurrent connections.

To set the memory allocation for content filtering:

1. Select Configuration > Content Filtering > General.
2. Select the memory allocation setting that works for your deployment: Low,
Normal, or High.
3. Click Apply.


Related Syntax to Change the Memory Allocation
To enter configuration mode:
SGOS#(config) content-filter
SGOS#(config content-filter) memory allocation ?
high Maximize memory use for filtering
low Minimize memory use for filtering
normal Use the default amount of memory for filtering

About Content Filtering Categories
A small number of categories can be used to effectively classify the vast and
constantly growing number of URLs that are found on the Web. After the Web
sites and content are categorized, you can control access to that content through
policy.
Individual content filter providers (Blue Coat Web Filter or third-party vendors)
define the content-filtering categories and their meanings. After providers are
configured and the databases are available, URLs can be mapped to lists of
categories. These categories are then made available to policy, where decisions
like limiting online shopping or blocking job searching can be controlled.
For example:

url.category="Jobs" exception( content_filter_denied )

Note: You can request that specific URLs be reviewed for correct categorization, if
your content filtering provider supports this. For Blue Coat Web Filter, visit
http://sitereview.bluecoat.com/ to have a URL's category reviewed.

On-Box Versus Off-Box Solutions
You can deploy content filtering in the following two ways, both of which the
ProxySG supports:


• On-box: When the content filtering database exists on the proxy. This provides
the best performance because the proxy does not need to retrieve information
from another network server.

• Off-box: When the proxy must contact another server over the network to
categorize URLs.

The following diagram illustrates the process flow when Web content filtering
(on-box or off-box) is employed in the network.


Legend
A: A client connected to the ProxySG.
B: ProxySG content filtering solution (content filter vendor + Blue Coat policy).
C: Web Content.
Process Flow
1: (Blue arrow) The client requests a Web page.
2: The ProxySG checks the requested URL against the content filtering database to
determine the categorization.
3: After the URL is categorized, the policy engine determines if the URL is allowable or
not.
4: (Blue arrow) The URL is allowed and the request continues to its destination.
5: (Red arrow) The policy denies the request and returns a message concerning
corporate Web compliance.
Figure 2–1 Web Content Filtering Process Flow (On-box or Off-box)

ProxySG Content Filtering Options
The ProxySG offers the following content filtering options, any of which you can
use separately or simultaneously:


• Using Blue Coat Web Filter (BCWF), an on-box content filtering database
maintained by Blue Coat, which also offers dynamic category-rating abilities.
For example, if a URL is not found in the on-box database, BCWF can attempt
to categorize it dynamically, in real time. See Section B: "Configuring Blue
Coat Web Filter" on page 16.

• Uploading your custom content filtering database to the ProxySG. You would
create your own local database file in the same way that you create policy
files, except that only define category statements are allowed in the local
database. See Section C: "Configuring a Local Database" on page 26.

• Enabling the Internet Watch Foundation (IWF) database. See Section D:
"Configuring Internet Watch Foundation" on page 30.
Note: For information about the IWF, visit their Web site at:
http://www.iwf.org.uk/

• Using a currently supported third-party content filtering vendor database. See
Section E: "Configuring a Third-Party Vendor" on page 34.

See Also

• "About Content Filtering Databases"
• "Setting the Memory Allocation"
• "About Content Filtering Categories"
• "On-Box Versus Off-Box Solutions"

Section B: Configuring Blue Coat Web Filter
This section describes how to select and configure Blue Coat Web Filter (BCWF),
how to schedule a custom database update schedule, and how to change DRTR
settings.
Important: BCWF requires a valid license provided by Blue Coat. Refer to the
Licensing chapter in Volume 1: Getting Started.

About Blue Coat Web Filter
Blue Coat Web Filter (BCWF) is a comprehensive URL-filtering database
specifically designed for on-box deployment on the ProxySG. It works in
combination with the ProxySG dynamic categorization service, which provides
real-time categorization of unlisted URLs. For more information about real-time rating
and the dynamic categorization of URLs, see “About Dynamic Real-Time Rating”
on page 16.
A world-wide network of servers allows the ProxySG to expediently update the
master BCWF database. For information about BCWF automatic updating feature
and scheduling updates, see “Specifying a Custom Time Period to Update Blue
Coat Web Filter” on page 20.
Note: BCWF supports many languages. Refer to the Blue Coat Release Notes for
this release for the most up-to-date list of supported languages.

About Dynamic Real-Time Rating
Dynamic Real-Time Rating (DRTR) provides real-time analysis and content
categorization of requested Web pages to solve the problem of new and
previously unknown, uncategorized URLs—those not in the database.
When a user requests a URL that has not already been categorized by BCWF
database (for example, a brand new Web site), the ProxySG dynamic
categorization service analyzes elements of the requested content and assigns a
category or categories. The dynamic service is consulted only when the installed
BCWF database does not contain sufficient category information for a requested
URL.
Note: If the category returned by this service is blocked by policy, the offending
material never enters the network in any form.

About the DRTR Process
Dynamic analysis of content is performed on a remote network service and not
locally on the ProxySG. There is a small amount of bandwidth used for the
round-trip request and response, and a slight amount of time waiting for the
service to provide results. The service is only consulted for URLs that cannot be
locally categorized and results are cached on the ProxySG, so the user experience is
generally not affected.
To avoid per-request latency, you might want to run DRTR in background mode. For
more information, see “Configuring Dynamic Real-Time Rating” on page 21.
The following diagram illustrates BCWF content filtering flow when DRTR is
employed.

Legend
A: A client connected into the ProxySG.
B: ProxySG with BCWF content filtering and DRTR enabled.
C: DRTR server.
D: Web content.
Process Flow
1: (Blue arrow) Client 1 requests a Web page.
2: The ProxySG checks the requested URL against the BCWF database for
categorization. No match is found.
3: The remote Dynamic Rating Service accesses and analyzes the requested site, and
categorizes the content.
4: After the URL is categorized, the policy engine determines if the URL is allowable or
not. Steps 5 and 6 describe what happens if the URL is allowable. Step 7 describes
what happens if the URL is not allowable.
5: (Blue arrow) The URL is allowed and the request continues to its destination for full
retrieval.
6: (Blue arrow) The allowed content is served back to the client.
7: (Red arrow) The policy denies the request and returns a message concerning
corporate Web compliance.
Figure 2–2 BCWF with DRTR Content Employed

Selecting Blue Coat Web Filter
To select Blue Coat Web Filter:

1. Select Configuration > Content Filtering > General.


2. Select Enable for Blue Coat Web Filter.
3. Select the Lookup Mode.
a. The default is Always, which specifies that BCWF will always be
consulted for category information.
b. Uncategorized specifies that the lookup is skipped if the URL has
already been found in policy, a Local database, or the Internet Watch
Foundation (IWF) database.
4. (Optional) In the Options section, select Enable Category Review Message in
Exceptions. This adds a link to the default content filter exception page that can
be used to request review of the categories assigned to a blocked URL.
Two substitutions ($(exception_category_review_url) and
$(exception_category_review_message)) are automatically appended to the
help element of all exception definitions. For information on using the
$(exception.help) element, refer to Volume 6: The Visual Policy Manager and
Advanced Policy.
Note: The substitution values are empty if the database was not
consulted for categorization or if the categorization process failed due to
an error.

5. Select the memory allocation setting that is best for your deployment. For full
details about how to determine your memory allocation setting, see “Setting
the Memory Allocation” on page 12.
6. Click Apply.
Note: If this is the first time you enabled BCWF, a small database that contains
the category list is downloaded, allowing immediate policy creation.
To download the database on demand or on a schedule, you must configure
the BCWF service.
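The lookup order described in the DRTR process flow above and the BCWF lookup modes in step 3, modelled as an added Python example (not Blue Coat code): local and IWF data first, then BCWF according to its lookup mode, then a cached DRTR round trip, with "none" for anything still unrated. The sample databases, hostnames and the DrtrService stand-in are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample databases (hostname -> categories). Real databases are
# installed on the ProxySG by the vendor, not written by hand.
LOCAL_DB = {"intranet.example.test": ["Corporate"]}
IWF_DB = {"iwf-listed.example.test": ["IWF-CAIC"]}
BCWF_DB = {
    "intranet.example.test": ["Business/Economy"],
    "jobs.example.test": ["Jobs"],
    "shop.example.test": ["Shopping", "Business/Economy"],
}


def _host(url):
    return (urlsplit(url).hostname or "").lower()


class DrtrService:
    """Stand-in for the remote Dynamic Real-Time Rating service (hypothetical)."""

    def __init__(self, ratings):
        self.ratings = ratings  # constructed: hostname -> categories
        self.calls = 0          # counts round trips so caching can be verified

    def rate(self, url):
        self.calls += 1
        return list(self.ratings.get(_host(url), []))


class Categorizer:
    """Consults sources in the order the manual describes: local DB and IWF,
    then BCWF (subject to its lookup mode), then DRTR only as a last resort."""

    def __init__(self, drtr, lookup_mode="always", drtr_enabled=True):
        if lookup_mode not in ("always", "uncategorized"):
            raise ValueError("lookup_mode must be 'always' or 'uncategorized'")
        self.drtr = drtr
        self.lookup_mode = lookup_mode
        self.drtr_enabled = drtr_enabled
        self.cache = {}  # DRTR results are cached on the appliance

    def categorize(self, url):
        host = _host(url)
        cats = list(LOCAL_DB.get(host, [])) + list(IWF_DB.get(host, []))
        # Lookup mode "uncategorized" skips BCWF once an earlier source matched.
        if self.lookup_mode == "always" or not cats:
            cats += BCWF_DB.get(host, [])
        # DRTR is consulted only when nothing on-box rated the URL.
        if not cats and self.drtr_enabled:
            if url not in self.cache:
                self.cache[url] = self.drtr.rate(url)
            cats += self.cache[url]
        # URLs that are still unrated carry the category "none" for policy.
        return cats or ["none"]


def policy_decision(categories, blocked):
    """Policy stage: raise the content_filter_denied exception if any assigned
    category is in the blocked set, otherwise allow the request."""
    if any(c in blocked for c in categories):
        return "content_filter_denied"
    return "allow"
```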


c. Click Close to close the Download status dialog.
d. Click View Download Status. A new browser window opens and displays
the Download log. For example:
Download log:
Blue Coat download at: 2008/08/09 17:40:42-0400
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size:
84103448
Database date:
Sat, 09 Aug 2008 08:11:51 UTC
Database expires:
Mon, 08 Sep 2008 08:11:51 UTC
Database version:
2005040

e. When you are finished viewing the download log, close the browser
window.
4. Click Apply.
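An added Python example (not a Blue Coat tool) that parses a download log in the format shown in step d and reports whether the installed database has expired, is about to expire, or failed to apply; the log text is a constructed copy of the sample above and the seven-day warning threshold is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the download log format shown above (values taken from
# the manual's sample, with the wrapped URL rejoined on one line).
SAMPLE_LOG = """Download log:
Blue Coat download at: 2008/08/09 17:40:42-0400
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size:
84103448
Database date:
Sat, 09 Aug 2008 08:11:51 UTC
Database expires:
Mon, 08 Sep 2008 08:11:51 UTC
Database version:
2005040
"""

# Labelled fields; the value may follow the label on the same or the next line.
LABELS = ("Blue Coat download at", "Download size", "Database date",
          "Database expires", "Database version")
DB_DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"


def parse_download_log(text):
    """Return the labelled fields plus the unlabelled status lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = {"status_lines": []}
    i = 0
    while i < len(lines):
        line = lines[i]
        label = next((lb for lb in LABELS if line.startswith(lb + ":")), None)
        if label is None:
            fields["status_lines"].append(line)
        else:
            value = line[len(label) + 1:].strip()
            if not value and i + 1 < len(lines):  # value wrapped to next line
                i += 1
                value = lines[i]
            fields[label] = value
        i += 1
    return fields


def utc(year, month, day, hour=0):
    """Build a UTC-aware reference time for database_health()."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def database_health(fields, now, warn_days=7):
    """Classify the installed database relative to 'now' (UTC-aware datetime).
    warn_days is an assumed operational threshold, not a Blue Coat setting."""
    expires = datetime.strptime(fields["Database expires"], DB_DATE_FMT)
    expires = expires.replace(tzinfo=timezone.utc)
    applied = any("applied successfully" in s for s in fields["status_lines"])
    remaining = expires - now
    if not applied:
        status = "update-failed"
    elif remaining <= timedelta(0):
        status = "expired"
    elif remaining <= timedelta(days=warn_days):
        status = "expiring-soon"
    else:
        status = "ok"
    return {"status": status, "version": fields.get("Database version"),
            "days_left": remaining.days}
```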

Specifying a Custom Time Period to Update Blue Coat Web Filter
The ProxySG checks for updates to the database several times an hour. When an
update is available, it is automatically downloaded and applied. Typically, an
update contains only the information that has changed.
You can prevent this automatic check entirely by disabling automatic updates.
You can also restrict the checks to occur only within a specific time period. For
example, you can choose to check for updates only between the hours of 8 am and
11 pm. The time frame is always local time.
Note: When the database is downloaded, a log is available that includes detailed
information about how the database was updated. You can view the download
log in the Management Console by clicking View Download Status on the BCWF tab,
selecting Statistics > Advanced > Content Filter Service, or in the CLI (SGOS#(config)
show content-filter status).

To specify a custom time period for updates:

1. Select Configuration > Content Filtering > Blue Coat. The Automatically Check for
Updates option is selected by default.

2. Configure the options:
a. Select the Only between the hours of option. The time frame is local time.
b. Click the arrows to view the drop-down lists, and set the time period
for your update schedule. For example, to check for updates between
the hours of 7 pm and midnight, set the first box to 19:00 and the
second box to 23:59.
3. Click Apply.

See Also

• "About Dynamic Real-Time Rating"
• "Configuring Dynamic Real-Time Rating"

Configuring Dynamic Real-Time Rating
By default, DRTR is enabled and configured to categorize uncategorized URLs. If
this service is causing significant delays to enterprise Web communications, you
can run it in the background or disable it.
Note: Customers who are using BCWF now have the option to secure their DRTR
connection. See "Configuring DRTR" on page 22.

About Proxy Chaining Support for DRTR
The ProxySG allows you to forward BCWF DRTR requests through upstream
proxies and SOCKS gateways, which eliminates the requirement for the ProxySG
to have direct connection to back-end servers.


Important: Do not define your proxy as a server. If you attempt to configure
proxy chaining using a server, an error occurs.

Forwarding Hosts and Groups
You can specify the alias of a forwarding host or group that has already been
defined. If you want the DRTR requests to be forwarded through an upstream
HTTP proxy, configure a forwarding host that is defined as a proxy and has an
HTTP port set. Then select that forwarding host in the DRTR configuration.
Important: If forwarding is configured, you cannot enable secure DRTR; if secure
DRTR is enabled, you cannot select a forwarding host. The forwarding host
would need to terminate the SSL connection correctly, and it does not have the
correct SSL certificate to do that.

SOCKS Gateways
When you use proxy chaining to forward DRTR requests through an upstream
SOCKS gateway, you must configure the SOCKS gateway. When both SOCKS and
forwarding are configured, the ProxySG connects to the SOCKS gateway first, then
to the forwarding host, and then to the DRTR service.
Important: If you cannot connect to the DRTR service, verify that the SOCKS
gateway is operating correctly and take steps to repair it.

Configuring DRTR
Complete the following procedures to configure Dynamic Categorization
(DRTR). DRTR is enabled by default.
To configure DRTR:

1. Select Configuration > Content Filtering > Blue Coat > Dynamic Categorization (DRTR).

• Categorize dynamically in real-time (default). In real-time mode, if the category
of the request is not already known, the URL request will wait for the
external service to respond with the categorization before proceeding. The
advantage of real-time mode categorization is that Blue Coat policy has
access to the results, allowing policy decisions to be made immediately
after receiving all available information.
3. (Optional) To enable secure connections, select Use secure connections.
Note: For most situations, using secure connections does not significantly
decrease performance. If you are regularly processing a large number of
unrated sites, using secure connections might have a larger performance
impact.

4. Click Apply.

About DRTR States
DRTR has three states:
• Enabled: The service attempts to categorize unrated Web sites. This is the
default state.
• Disabled: If the service is disabled, the ProxySG does not make any contact
with the service, regardless of any installed policy.
• Suspended: Categorization from the database continues, but the service is no
longer employed. This occurs when the installed database is over 30 days old
due to the expiration of BCWF download credentials or network problems.
Once credentials are renewed or network problems are resolved, the service
returns to Enabled.

To view DRTR status (CLI only):

At the (config) prompt, enter the following command:
SGOS#(config content-filter) view
Provider: Blue Coat
Dynamic Categorization:
Service: Enabled/Disabled/Suspended
Diagnostics
Diagnostics allows you to see all categories available for use in policy or test a
URL against the database. Categories are not displayed for a vendor or local
database if no database has been downloaded.
To see all available categories:

1. On the Configuration > Content Filtering > General page, click View Categories.
2. To see what categories a Web site is assigned by your current configuration,
enter the URL into the URL field and click Test.


Related CLI Syntax to Manage the BCWF Database
• To enter configuration mode:
SGOS#(config) content-filter
• The following subcommands are available:
SGOS#(config content-filter) provider bluecoat {enable | disable}
SGOS#(config content-filter) provider bluecoat lookup-mode {always |
uncategorized}
SGOS#(config content-filter) categories
SGOS#(config content-filter) bluecoat
SGOS#(config bluecoat) download {all-day | auto | between-hours |
encrypted-password | get-now | password | url | username}
SGOS#(config bluecoat) service {enable | disable}
SGOS#(config bluecoat) service {forward {none | host_or_group_alias} |
mode {background | realtime | none} | socks-gateway {none |
gateway_alias}}
SGOS#(config bluecoat) no download
SGOS#(config bluecoat) {exit | view}
SGOS#(config content-filter) test-url url

See Also
• “Applying Policy”
• “Applying Policy to Categorized URLs”
• “Using Content Filtering Vendors with Blue Coat Policies”
• “Defining Custom Categories in Policy”


Section C: Configuring a Local Database
This section describes how to select and refer to a local database and how to
schedule database updates.

Selecting the Local Database and Downloading the Database
Two main reasons to use a local database instead of a policy file for defining
categories are:
• A local database is more efficient than policy if you have a large number of
URLs.
• A local database separates administration of categories from policy. This
separation is useful for three reasons:
  • It allows different individuals or groups to be responsible for
administrating the local database and policy.
  • It keeps the policy file from getting cluttered.
  • It allows the local database to share categories across multiple boxes that
have different policy.
However, some restrictions apply to a local database that do not apply to policy
definitions:
• No more than 200 separate categories are allowed.
• Category names must be 32 characters or less.
• A given URL pattern can appear in no more than four category definitions.

You can use any combination of the local database, policy files, or the VPM to
manage your category definitions. See “Applying Policy to Categorized URLs” on
page 44 for more information. You can also use both a local database and a
third-party vendor for your content filtering needs.
Note: Blue Coat recommends locating your local database on the same server as
any policy files you are using.
To configure local database content filtering:

1. Select Configuration > Content Filtering > General.


2. Select Local Database.
3. Select the Lookup Mode.
a. The default is Always, which specifies that the Local database will
always be consulted for category information.
b. Uncategorized specifies that the lookup is skipped if the URL has
already been found in policy.
4. Click Apply to commit the changes to the ProxySG.
5. Select Configuration > Content Filtering > Local Database.
6. If the database is located on a server that requires a password for access, you
must configure the ProxySG to use that password when accessing the
database:
a. Click Change Password. The Change Password dialog displays.
b. Enter your password and click OK.
7. Download the database:
a. In the URL field, enter the location of the file to be downloaded.
b. Click Download Now. The Download Status dialog displays.
c. Click Close to close the Download status dialog.
d. Click View Download Status. A new browser window opens and displays
the Download log. For example:
Download log:
Local database download at: 2008/08/11 17:40:42-0400
Downloading from ftp://1.1.1.1/list-1000000-cat.txt
Download size: 16274465
Database date: Sat, 09 Aug 2008 08:11:51 UTC
Total URL patterns: 1000000
Total categories: 10

8. Click Apply.


Future Downloads
You can return to this screen at any time and download a database on demand
(independent of the automatic download feature, which is described in the next
section).
Ordinarily, the ProxySG checks to see if the database has changed before initiating
a download. If the database is the most current, no download is performed.
Note: Incremental updates are not available for Local Database.

Specifying a Custom Time Period to Update a Local Database
The ProxySG checks for updates to the database several times an hour. When an
update is available, it is automatically downloaded and applied. Typically, an
update contains only the information that has changed.
You can prevent this automatic check entirely by disabling automatic updates.
You can also restrict the checks to occur only within a specific time period. For
example, you can choose to check for updates between 8 am and 11 pm only. The
time frame is always local time.
Note: When the database is downloaded, a log is available that includes detailed
information about how the database was updated. You can view the download
log in the Management Console by selecting Statistics > Advanced > Content Filter
Service, or in the CLI (SGOS#(config) show content-filter status).
To specify a custom time period for updates:

1. Select Configuration > Content Filtering > Local Database. The Automatically check for
updates check box is selected by default.

2. Select the Only between the hours of check box. The time frame is local time.
3. Click the arrows to view the drop-down lists and set the time period for your
update schedule. For example, to check for updates between the hours of 8 am
and midnight, set the first box to 08:00 and the second box to 23:59.
4. Click Apply.

Diagnostics
Diagnostics allows you to see all categories available for use in policy or test a URL against
the database. Categories are not displayed for a vendor or local database if no
database has been downloaded.

To see all available categories:

1. On the Configuration > Content Filtering > General page, click View Categories.
2. To see what categories a Web site is assigned by your current configuration,
enter the URL into the URL field and click Test.

Related CLI Syntax to Configure Content Filtering
• To enter configuration mode:
SGOS#(config) content-filter
• The following subcommands are available:
SGOS#(config content-filter) provider local {enable | disable}
SGOS#(config content-filter) provider local lookup-mode {always |
uncategorized}
SGOS#(config content-filter) categories
SGOS#(config content-filter) local
SGOS#(config local) download {all-day | auto | between-hours |
encrypted-password | get-now | password | url | username}
SGOS#(config local) source
SGOS#(config local) clear
SGOS#(config local) {view | exit}
SGOS#(config content-filter) test-url url

See Also
• “Applying Policy”
• “Applying Policy to Categorized URLs”
• “Using Content Filtering Vendors with Blue Coat Policies”
• “Defining Custom Categories in Policy”


Section D: Configuring Internet Watch Foundation
This section describes how to select the Internet Watch Foundation (IWF)
database and how to schedule database updates.
The IWF is a non-profit organization that provides to enterprises a list of known
child pornography URLs. The IWF database features a single category called
IWF-Restricted, which is detectable and blockable using policy. IWF can be enabled
along with other content filtering services.

Selecting the IWF Database
To configure IWF content filtering:

1. Select Configuration > Content Filtering > General.

2. Select Internet Watch Foundation.
3. Select the Lookup Mode.
a. The default is Always, which specifies that IWF will always be
consulted for category information.
b. Uncategorized specifies that the lookup is skipped if the URL has
already been found in policy or a Local database.
4. Click Apply.
5. Select Configuration > Content Filtering > IWF.


Note: A username and password are not required to download the
database.

6. Download the database:
a. The default database download location displays in the URL field.
Note: Only enter a new URL if instructed. Otherwise, accept the default.

b. Click Download Now. The Download Status dialog displays.
c. Click Close to close the Download status dialog.
d. Click View Download Status. A new browser window opens and displays
the Download log. For example:
Download log:
IWF download at: 2008/08/09 22:41:35 +0000
Downloading from https://list.bluecoat.com/iwf/activity/download/iwf.db
Requesting differential update
File has not changed since last download attempt; no download required
Previous download:
IWF download at: 2008/08/09 22:40:19 +0000
Downloading from https://list.bluecoat.com/iwf/activity/download/iwf.db
Warning: Unable to determine current database version; requesting full update
Download size: 20132
Database date: Fri, 08 Aug 2008 04:45:06 UTC
Database expires: Fri, 28 Nov 2008 04:45:06 UTC
Database version: 2007112993
Database format: 1.1

7. When you are finished viewing the Download Log, close the browser window
and click Apply.

Future Downloads
You can return to this screen at any time and download a database on demand
(independent of the automatic download feature, which is described in the next
section). Ordinarily, the ProxySG checks to see if the database has changed before
initiating a download. If the database is the most current, no download is
performed. If an incremental update is available on the server, then it is
downloaded (an incremental update contains only the changes between the
current installed version and the latest published version of the database, and is
much smaller than a full copy of the database).
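The download logs in this chapter, together with the Suspended state described for DRTR (a database more than 30 days old), suggest a simple monitoring check. The following is an added example, not Blue Coat code: it parses the "Key: value" lines of a download log in the layout shown on this page (the sample is constructed from the IWF log above, with wrapped lines rejoined), reads the Database date and Database expires fields, and reports whether the installed database is current, stale or expired. It also accepts the Websense date layout shown later in Section E (Database date: 2008/08/08 and License expires: ...). The field names and the 30-day figure come from the page; applying that age to every database as a "stale" threshold, and the function names, are the example's own assumptions.

```python
"""Staleness check for a ProxySG content-filter download log.

Added example, not Blue Coat code. It parses the "Key: value" lines of the
download logs shown in this chapter and classifies the installed database.
The 30-day threshold is the age at which this chapter says DRTR is
suspended; treating that age as "stale" for every database is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)

# Constructed sample: the IWF download log from this chapter, with the
# wrapped lines rejoined.
SAMPLE_LOG = """\
Download log:
IWF download at: 2008/08/09 22:41:35 +0000
Downloading from https://list.bluecoat.com/iwf/activity/download/iwf.db
Requesting differential update
File has not changed since last download attempt; no download required
Previous download:
IWF download at: 2008/08/09 22:40:19 +0000
Downloading from https://list.bluecoat.com/iwf/activity/download/iwf.db
Warning: Unable to determine current database version; requesting full update
Download size: 20132
Database date: Fri, 08 Aug 2008 04:45:06 UTC
Database expires: Fri, 28 Nov 2008 04:45:06 UTC
Database version: 2007112993
Database format: 1.1
"""

# A key is letters and spaces, and the value must follow a colon plus
# whitespace, so "Downloading from https://..." is not split as a field and
# a bare "Download log:" heading is skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(\S.*)$")

# Date layouts seen in this chapter's logs: RFC-2822-style (IWF, SurfControl,
# SmartFilter) and the Websense "2008/08/08" / "2008/09/21 08:11:51 UTC" forms.
DATE_FORMATS = ("%a, %d %b %Y %H:%M:%S UTC", "%Y/%m/%d %H:%M:%S UTC", "%Y/%m/%d")


def parse_download_log(text):
    """Return (fields, warnings). The first (newest) value of each key wins,
    so a no-op check ("File has not changed") that reports no metadata is
    filled in from the "Previous download" block that follows it."""
    fields, warnings = {}, []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Warning":
            warnings.append(value)
        else:
            fields.setdefault(key, value)
    return fields, warnings


def parse_date(value):
    """Parse one of the known date layouts as an aware UTC datetime."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {value!r}")


def database_status(fields, now):
    """'expired' if past the expiry field, 'stale' if the database is more
    than 30 days old, 'unknown' if the log carries no database date,
    otherwise 'current'."""
    if "Database date" not in fields:
        return "unknown"
    expires = fields.get("Database expires") or fields.get("License expires")
    if expires and now >= parse_date(expires):
        return "expired"
    if now - parse_date(fields["Database date"]) > STALE_AFTER:
        return "stale"
    return "current"


def check_log(text, as_of):
    """Classify the database in `text` as of an ISO date such as '2008-08-20' (UTC)."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    fields, _ = parse_download_log(text)
    return database_status(fields, now)


if __name__ == "__main__":
    fields, warnings = parse_download_log(SAMPLE_LOG)
    print("version", fields.get("Database version"), "warnings", warnings)
    for day in ("2008-08-20", "2008-09-10", "2008-12-01"):
        print(day, check_log(SAMPLE_LOG, day))
```

Feed it the text shown by View Download Status (or by `show content-filter status` in the CLI) and run it from a scheduled job; a "stale" result on a BCWF database is the condition under which this chapter says DRTR moves to Suspended, so it is worth alerting on before the 30 days are up.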

Specifying a Custom Time Period to Update IWF
The ProxySG checks for updates to the categorization database several times an
hour. When an update is available, it is automatically downloaded and applied.
Typically, an update contains only the information that has changed.
You can prevent this automatic check entirely by disabling automatic updates.
You can also restrict the checks to occur only within a specific time period. For
example, you can choose to check for updates between 8 am and 11 pm only. The
time frame is always local time.
Note: When the database is downloaded, a log is available that includes detailed
information about how the database was updated. You can view the download
log in the Management Console by selecting Statistics > Advanced > Content Filter
Service, or in the CLI (SGOS#(config) show content-filter status).
To specify a custom time frame for updates:

1. Select Configuration > Content Filtering > IWF. The Automatically check for updates
check box is selected by default.

2. Select the Only between the hours of check box. The time frame is always local
time.
3. Click the arrows to view the drop-down lists and set the time period for your
update schedule. For example, to check for updates between the hours of 8 am
and midnight, set the first box to 08:00 and the second box to 23:59.
4. Click Apply.


Diagnostics
This allows you to test a URL against the database.
To test a URL:

1. Select Configuration > Content Filtering > General.
2. Enter the URL into the URL field.
3. Click Test.

Related CLI Syntax to Manage IWF
• To enter configuration mode:
SGOS#(config) content-filter
• The following subcommands are available:
SGOS#(config content-filter) provider iwf {enable | disable}
SGOS#(config content-filter) provider iwf lookup-mode {always |
uncategorized}
SGOS#(config content-filter) iwf
SGOS#(config iwf) download {all-day | auto | between-hours |
encrypted-password | get-now | password | url | username}
SGOS#(config iwf) no download
SGOS#(config iwf) {exit | view}
SGOS#(config content-filter) test-url url

See Also
• “Applying Policy”
• “Applying Policy to Categorized URLs”
• “Using Content Filtering Vendors with Blue Coat Policies”
• “Defining Custom Categories in Policy”


Section E: Configuring a Third-Party Vendor
This section describes how to select and configure your preferred third-party
vendor and how to schedule database updates.
Most of the third-party vendor configuration tasks are identical, but there are a
few with vendor-specific options. As you follow the procedures, you are
prompted to proceed to another section for these vendors to continue the
configuration.

Selecting the Provider and Downloading the Database
This procedure assumes you have a valid account with your preferred vendor.
To configure third-party content filtering:

1. Select Configuration > Content Filtering > General.

2. From the 3rd-party database drop-down list, select your preferred vendor.
3. Select the Lookup Mode.
a. The default is Always, which specifies that the third-party database will
always be consulted for category information.
b. Uncategorized specifies that the lookup is skipped if the URL has
already been found in policy, a Local database, the Internet Watch
Foundation (IWF) database, or BCWF.
4. (Optional and applicable for SmartFilter and BCWF only) Select Enable
Category Review Message in Exceptions. This adds a link to the default content
filter exception page that can be used to request review of the categories
assigned to a blocked URL.


Two substitutions ($(exception_category_review_url) and
$(exception_category_review_message)) are automatically appended to the
help element of all exception definitions. For information on using the
$(exception.help) element, refer to Volume 6: The Visual Policy Manager and
Advanced Policy.
Note: The substitution values are empty if the provider was not
consulted for categorization, or if the categorization process failed due to
an error.

5. Click Apply.
6. Proceed accordingly:
a. For SmartFilter, continue with “Configuring SmartFilter” on page 37.
b. For Websense, continue with: “Configuring Websense (on-box)” on
page 39.
c. For i-Filter, InterSafe, Optenet, Proventia, SurfControl, or Webwasher,
continue with Step 7.
7. Select Configuration > Content Filtering > Vendor_Name:


8. (This example uses SurfControl.) If the database is located on a server that
requires a password for access, you must configure the ProxySG to use that
password when accessing the database:
a. Enter your third-party vendor username.
b. Click Change Password. The Change Password dialog displays.
c. Enter your password and click OK.
9. Download the database:
a. The default database download location is displayed in the URL field.
If you have been instructed to use a different URL, enter it here
(optional: click Set to default to always use this location).
b. Click Download Now. The Download Status dialog displays.
c. Click Close to close the Download status dialog.
d. Click View Download Status. A new browser window opens and displays
the Download log. For example:
Download log:
SurfControl download at: 2008/08/09 17:40:42-0400
Downloading from https://list.bluecoat.com/.../download/surfcontrol.db
Warning: Unable to determine current database version; requesting full update
Download size: 8106572
Database date: Fri, 08 Aug 2008 08:11:51 UTC
Database expires: Fri, 28 Nov 2008 08:11:51 UTC
Database version: 3

10. Click Apply.
11. Continue with “Specifying a Custom Time Period to Update a Third-Party
Database” on page 41.


2. Configure SmartFilter:
a. In the License key field, enter the license key you received from Secure
Computing.
b. In the Server field, the default server is displayed. If you have been
instructed to use a different server, enter the hostname or IP address.
c. Select Automatically check for updates to enable the ProxySG to check for
database updates several times a day. For complete details about
setting up this option, see “Specifying a Custom Time Period to
Update a Third-Party Database” on page 41.
d. Select the database edition to use. The XL edition is the default, and is
compatible with SmartFilter 4.2 or later. The XL edition provides a
number of new categories, as well as some changes to existing
categories that are not available in the SL edition.
Note: When you upgrade from an earlier ProxySG version that only
supported the SL database edition, the default changes to the XL
database edition. To defer policy changes, re-select the SL edition
database.

If you change the selected database edition, be sure to examine your
policy compilation listing after the next database download. The set of
available categories will be different, and you will need to modify your
policy as a result. For more information, see “Modifying Policy for
SmartFilter Database Changes” on page 48.
e. Select Allow RDNS to enable reverse DNS lookup. RDNS resolves IP
addresses into domain names, which enables the ProxySG to look up
domain names in the SmartFilter database.
f. Select Categorize search engine URLs by keyword to ensure blocking of
sites by keywords.

3. Click Download Now. The Download Status dialog displays.
4. Click Close to close the Download status dialog.
5. Click View Download Status. A new browser window opens and displays the
Download progress. At the completion of the download, the download log
displays. For example:
Download log:
Download in progress...
Previous download:
SmartFilter download at: 2008/03/06 14:29:59 -0800
Downloading from: list.smartfilter.com
Checking incremental update
Warning: Unable to open input control list
Warning: Unable to open installed control list
Downloading full control file
Full download complete
Download size: 219221404
Database version: 10948
Database date: Wed, 05 Mar 2008 23:53:01 UTC
Database expires: Wed, 09 Apr 2008 23:53:01 UTC

Note: The first time you download a SmartFilter database, warnings
appear in the results message under Checking incremental update.
These are expected, and represent the normal process of checking to see
if an incremental update is possible. The next time you download a
SmartFilter database, the ProxySG checks the previously downloaded
database and downloads only what is necessary to keep the database
current.

6. Click Apply.

See Also
“Modifying Policy for SmartFilter Database Changes”

Configuring Websense (on-box)
The Websense database configuration screen contains unique options.
Note: Websense databases contain a category called User-Defined to support
locally-specified categorizations on other platforms. Do not use this category
on the ProxySG. Instead, define your own categories through the ProxySG
and assign URLs to them using policy (see “Defining Custom Categories
in Policy” on page 48), or using a local category database (refer to Volume 4:
Securing the Blue Coat ProxySG Appliance).
To configure Websense (on-box):

1. Select Configuration > Content Filtering > Websense.


2. In the License Key field, enter the key assigned to you for downloading the
Websense database.
3. In the Server field, the default server is displayed. If you have been instructed
to use a different server, enter the hostname or IP address here.
4. (Optional) In the Contact e-mail field, enter an e-mail address by which
Websense can contact you.
5. Click Download Now. The Download Status dialog displays.
6. Click Close to close the Download status dialog.
7. Click View Download Status. A new browser window opens and displays the
Download log. For example:
Download log:
Websense download at: 2008/08/09 17:40:42-0400
No database is currently installed
Attempting full download
Downloading from download.websense.com
Processing download file
Retrieved full update
Download size: 147079939
Database version: 82300
Database date: 2008/08/08
License expires: 2008/09/21 08:11:51 UTC
License max users: 25
Licenses in use: 0
Library version: 3.2.0.0 [BCSI rev A]

8. (Optional) Always apply regular expressions to urls: Select this option to
force an additional regular expression lookup for each URL to be categorized.
Normally, regular expression lookups are done only when no category is found
in the Websense database. If this option is selected, regular expression
lookups always occur, even for categorized URLs. Selecting this option can
cause a significant reduction in lookup performance, but allows certain sites
(such as translation, search engine, and link-cache sites) to be categorized
more accurately.
9. To use the Websense Reporter, you must enable the Websense Integration
Service.
a. In the Integration Service Host field, enter the Integration Service Host IP
(which has the same IP address as the Websense Log Server).
b. In the Port field, specify the port of the Websense Integration Service. It
must be between 0 and 65535 and match the port selected on the
Integration Service host.
c. Select Enabled to enable the service.
d. (Optional) Select Log forwarded client address. Normally, the ProxySG
logs the actual client IP address to the Websense Reporter log. You can
configure the ProxySG to log an address obtained from the X-Forwarded-For
HTTP header (if present and valid) instead. This is useful in some specific
network topologies.
Note: The Policy Server, the Log Server, and Reporter must be installed
and enabled on your PC before Reporter can be used. For information on
Websense products, refer to: http://www.websense.com.
You must also set up access logging on the ProxySG with Websense as the
client. For more information on configuring a Websense access logging
client, refer to Volume 8: Access Logging.
10. Click Apply.
11. Proceed to the “Specifying a Custom Time Period to Update a Third-Party
Database” on page 41.

See Also
• “Configuring Websense Off-Box Content Filtering”
• “Performing a Health Check on a Websense Off-Box Service”

Specifying a Custom Time Period to Update a Third-Party Database
The ProxySG checks for updates to the database several times an hour. When an
update is available, it is automatically downloaded and applied. Typically, an
update contains only the information that has changed.


You can prevent this automatic check entirely by disabling automatic updates.
You can also restrict the checks to occur only within a specific time period. For
example, you can choose to check for updates between 8 am and 11 pm only. The
time frame is always local time.
Note: When the database is downloaded, a log is available that includes detailed
information about how the database was updated. You can view the download
log in the Management Console by selecting Statistics > Advanced > Content Filter
Service, or in the CLI (SGOS#(config) show content-filter status).
To specify a custom time period for updates:

1. Select Configuration > Content Filtering > vendor. The Automatically check for updates
option is selected by default.

2. Select the Only between the hours of option. The time frame is always local time.
3. Click the arrows to view the drop-down lists and set the time period for your
update schedule. For example, to check for updates between the hours of 8 am
and midnight, set the first box to 08:00 and the second box to 23:59.
4. Click Apply.

Diagnostics
This allows you to see all categories available for use in policy or test a URL
against the database. Categories are not displayed for a vendor or local database if
no database has been downloaded.
To see all available categories or test a URL:

1. Select the Configuration > Content Filtering > General page.
2. Click View Categories.
3. To see what categories a Web site is assigned by your current configuration,
enter the URL into the URL field.
4. Click Test.

Related CLI Syntax to Manage Third-Party Vendor Content Filtering
• To enter configuration mode:
SGOS#(config) content-filter
• The following subcommands are available:
SGOS#(config content-filter) {i-filter | intersafe | optenet |
proventia | smartfilter | surfcontrol | websense | webwasher}
SGOS#(config content-filter) provider 3rd-party lookup-mode {always |
uncategorized}
SGOS#(config content-filter) provider 3rd-party vendor
SGOS#(config vendor) download {all-day | auto | between-hours |
encrypted-password | get-now | password | url | username}
SGOS#(config vendor) view
SGOS#(config smartfilter) download license license_key
SGOS#(config smartfilter) download server ip_address_or_hostname
SGOS#(config smartfilter) allow-rdns | no allow-rdns
SGOS#(config smartfilter) use-search-keywords
SGOS#(config websense) download email-contact e-mail_address
SGOS#(config websense) download server ip_address_or_hostname
SGOS#(config websense) download license license_key
SGOS#(config websense) {always-apply-regexes | no always-apply-regexes}
SGOS#(config websense) integration-service {enable | disable}
SGOS#(config websense) integration-service host ip_address_or_hostname
SGOS#(config websense) integration-service port {0-65535}

See Also
• “Applying Policy”
• “Applying Policy to Categorized URLs”
• “Using Content Filtering Vendors with Blue Coat Policies”
• “Defining Custom Categories in Policy”


Section F: Applying Policy
This section discusses the interaction between content filtering categories and the
application of control policies.

Applying Policy to Categorized URLs
Policy is applied to categories the same way as individual URLs: create policies
that restrict, allow, and track access. Policy rules are created by composing Blue
Coat Content Policy Language (CPL) or with the Visual Policy Manager (VPM).
Note: If you have extensive category definitions, Blue Coat recommends that you
put them into a local database rather than into a policy file. The local database
stores custom categories in a more scalable and efficient manner, and separates
the administration of categories from policy. See Section C: "Configuring a Local
Database" on page 26.

The policy trigger category= is used to test the category or categories assigned to
the request URL, and thus make a policy decision. For example, to block all
requests for URLs that are categorized as Sports:
DENY category=Sports

The following example demonstrates a condition that is true when a request
contains the Websense content categories Sexuality and Drugs:

category=(sexuality, drugs)

You can block multiple categories with a single rule:
category=(Sports, Gambling, Shopping) exception(content_filter_denied)

In this example, three categories are blocked and instead the predefined exception
page content_filter_denied is served; by default this indicates that the request
was denied due to its content and specifies the categories found.
The following example shows a condition that includes an extensive number of
categories:
category=(Abortion, Activist, Adult, Gambling, Illegal, Hacking,
Militancy, Racism, Shopping, Tasteless, Violence, Weapons)

URLs that are not categorized are assigned the system category none. This is not
an error condition; many sites (such as those inside a corporate intranet) are
unlikely to be categorized by a commercial service. Use category=none to detect
uncategorized sites and apply relevant policy. The following example disallows
access to uncategorized sites outside of the corporate network:
define subnet intranet
10.0.0.0/8 ; internal network
192.168.123.45 ; external gateway
end

; allow unrestricted access to internal addresses
ALLOW url.address=intranet
; otherwise (internet), restrict Sports, Shopping and uncategorized sites
DENY category=(Sports, Shopping, none)

Such category tests can also be combined with other types of triggers to produce
more complex policy, such as:

• Restrict access by category and time: block sports from 6 am to 6 pm:
  category=Sports time=0600..1800 DENY

• Restrict by category and user identity: only members of the group Sales are
  permitted to visit Shopping sites:
  category=Shopping group=!Sales DENY

• Require special authentication for access to certain categories:
  category=Hacking authenticate(restricted_realm)
  where restricted_realm is an authentication realm you have configured.

• Log certain types of access:
  category=Adult action.Log_adult_site_access(yes)
  where Log_adult_site_access is a policy action defined elsewhere that
  records extra information about this request in the event log.
Typically, category= can be used in policy anywhere that a basic URL test can be
used. Refer to Volume 10: Content Policy Language Guide for more details.
Depending on which provider you have selected and whether you have defined
any of your own categories in policy (see “Defining Custom Categories in Policy”
on page 48), you have a number of possible category names that can be used with
category=. To review the valid category names, use the categories CLI command
or click View Categories in the Management Console: Configuration > Content Filtering
> General.
The category= expressions are normally put in <Proxy> layers (VPM: Web Access
Layers) because the goal of content filtering policy is to control requests from
users. They can also be used in <Cache> layers (VPM: Web Content Layers). Either
way, policy is enforced on all user requests.
It is possible for an attempt to categorize a URL to fail—for example, if no
database is loaded, your license is expired, or if a system error occurs. In such a
case, the category is considered unavailable and triggers such as:
category=Sports

are false, even if the URL is actually a sports site, because the ProxySG is unable to
determine the category. When the policy depends on the category of a URL, you
do not want such errors to inadvertently allow ordinarily restricted content to be
served by the ProxySG. You can control how the ProxySG treats these situations
with the condition:
category=unavailable

which is true in these cases. In continuing with the example, to make sure that
Sports is always blocked, even when errors occur (this is a mode of operation
called fail-closed), use a rule such as:
category=(sports, unavailable) exception(name_of_exception_page)

This rule is true if the category is sports or if the category could not be
determined, and in either case the proper exception page is served instead of the
restricted content.
The category unlicensed is assigned in addition to unavailable when the failure to
categorize occurred because of license expiry. That can be caused by the
expiration of your Blue Coat license to use content filtering, or because of
expiration of your license from the provider. You can use
category=unlicensed

to detect this situation as a distinct case from other causes of unavailability.
You can also use this feature with custom exception pages (refer to Volume 6: The
Visual Policy Manager and Advanced Policy):

category=sports time=0800..1800 exception(sports_during_bus_hrs)
category=unlicensed exception(contact_admin_re_license)
category=unavailable exception(content_filter_unavailable)

where sports_during_bus_hrs is a custom exception page you have created to
respond to requests for Sports pages between 8 am and 6 pm local time.
contact_admin_re_license is another page that instructs the user to inform the
administrator about license expiry, and is served if a license check fails. When
the category is unavailable for some other reason, the pre-defined exception
(content_filter_unavailable) is served. Because a request that fails on license
expiry carries both unlicensed and unavailable, the unlicensed rule must appear
before the unavailable rule, as shown: within a layer, the first matching rule
is the one applied.

The most common reason (other than license expiry) why categories are
unavailable is that a provider is selected but no database is installed. Barring
hardware or network problems that might cause a downloaded database to
become corrupted and unreadable, it is unlikely that the database will suddenly
become unavailable.
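
The fail-open gap and the fail-closed rules above, worked through in Python. This is an added example, not code from the manual or from SGOS: it models a provider lookup that can fail, derives the system categories none, unavailable and unlicensed the way the text describes them, and evaluates one layer first-match, as CPL does within a single layer. The host table, the LookupFailed reasons, the default ALLOW for an unmatched request and the function names are my assumptions.

```python
"""Added example, not code from the Blue Coat manual or SGOS: a small model of
how CPL category= tests behave when categorization fails, and why a fail-closed
rule needs the system categories 'unavailable' and 'unlicensed'.

Assumptions (mine): the provider lookup is a function that returns a set of
category names or raises LookupFailed; a policy layer is a list of rules
evaluated first-match, as rules in a single CPL layer are; the host table is
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


class LookupFailed(Exception):
    """Raised by the simulated provider when no category can be determined."""

    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason  # "no_database", "expired_license", "system_error"


# Constructed sample data standing in for a vendor database.
VENDOR_DB = {
    "www.espn.test": {"Sports"},
    "intranet.corp.test": set(),  # known host, no category -> 'none'
    "shop.example.test": {"Shopping"},
}


def lookup(host: str, db_state: str = "ok") -> set[str]:
    """Simulated provider lookup; db_state selects a failure mode."""
    if db_state == "no_database":
        raise LookupFailed("no_database")
    if db_state == "expired":
        raise LookupFailed("expired_license")
    return VENDOR_DB.get(host, set())


def categories_for(host: str, db_state: str = "ok") -> set[str]:
    """Categories as CPL sees them: 'none' for an uncategorized URL,
    'unavailable' when categorization failed, plus 'unlicensed' when the
    failure was a license problem (unlicensed always implies unavailable)."""
    try:
        cats = lookup(host, db_state)
    except LookupFailed as err:
        cats = {"unavailable"}
        if err.reason == "expired_license":
            cats.add("unlicensed")
        return cats
    return cats or {"none"}


@dataclass(frozen=True)
class Rule:
    categories: frozenset  # category=(a, b): true if ANY listed category applies
    action: str            # "DENY", "ALLOW" or an exception page to serve


def decide(cats: set[str], rules: list[Rule], default: str = "ALLOW") -> str:
    """First matching rule in the layer wins; no match falls through."""
    for rule in rules:
        if cats & rule.categories:
            return rule.action
    return default


# The naive rule: blocks Sports only when the lookup succeeds.
FAIL_OPEN = [Rule(frozenset({"Sports"}), "DENY")]

# Fail-closed: 'unlicensed' is listed before 'unavailable' because a licence
# failure carries both, and the first match decides which page is served.
FAIL_CLOSED = [
    Rule(frozenset({"unlicensed"}), "exception(contact_admin_re_license)"),
    Rule(frozenset({"unavailable"}), "exception(content_filter_unavailable)"),
    Rule(frozenset({"Sports"}), "DENY"),
]


def outcome(host: str, db_state: str, rules: list[Rule]) -> str:
    return decide(categories_for(host, db_state), rules)


if __name__ == "__main__":
    for state in ("ok", "no_database", "expired"):
        print(f"{state:12} fail-open={outcome('www.espn.test', state, FAIL_OPEN):6} "
              f"fail-closed={outcome('www.espn.test', state, FAIL_CLOSED)}")
```

With the database missing, the naive rule lets the sports site through because category=Sports is simply false; the fail-closed layer serves an exception page instead, and distinguishes the licence case only because its rule is checked first.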
To define policies on the ProxySG, use either the VPM or manually edit policy
files.
Content filtering policies are usually found in <Proxy> and <Cache> layers.
If you are using content filtering to manage a type of content globally, create
these rules in the <Cache> layer. However, if your content filtering policy
depends on user identity or request characteristics, create these rules in the
<Proxy> layer.

Using Content Filtering Vendors with Blue Coat Policies
The ProxySG provides the ability to define flexible Web access and control
policies. With content filtering, you can set up policies to provide a customized
level of Web-site access control. With vendor-based content filtering, these policies

use and can supplement vendor categories. By supplementing content filtering
vendor categories, you can further refine the type of content filtering the ProxySG
performs. For example, if Travel is a vendor-defined content category, you can
define a policy that allows only Human Resources staff to access travel sites. You
can define policies that filter by a variety of conditions, including category,
protocol (including MMS and RTSP streaming protocols), time of day, and user or
user groups.

Example
Policy: Limit employee access to travel Web sites.
The first step is to rephrase this policy as a set of rules. In this example, the model
of a general rule and exceptions to that rule is used:

• Rule 1: All users are denied access to travel sites
• Rule 2: As an exception to the above, Human Resources users are allowed to
  visit Travel sites

Before you can write the policy, you must be able to identify users in the Human
Resources group. You can do this with an external authentication server, or define
the group locally on the ProxySG. For information on identifying and
authenticating users, refer to Volume 4: Securing the Blue Coat ProxySG Appliance.
In this example, a group called human_resources is identified and authenticated
through an external server called my_auth_server.
This then translates into a fairly straightforward policy written in the local policy
file. Each rule sits in its own <Proxy> layer: within a layer the first matching
rule wins, so an exception placed in the same layer as the general DENY would
never be reached, whereas a later layer overrides an earlier one:

<Proxy>
; Ensure all access is authenticated
authenticate(my_auth_server)

<Proxy>
; Rule 1: All users denied access to travel
DENY category=travel

<Proxy>
; Rule 2: Exception for HR
ALLOW category=travel group=human_resources

Example
Policy: Student access to Health sites is limited to a specified time of day, when
the Health 100 class is held.
This time the policy contains no exceptions:

• Rule 1: Health sites can be accessed Monday, Wednesday, and Friday from 10 to
  11 am.
• Rule 2: Health sites cannot be accessed at other times.

define condition Health_class_time
weekday=(1, 3, 5) time=1000..1100
end

<Proxy>
; 1) Allow access to health while class in session
ALLOW category=health condition=Health_class_time
; 2) at all other times, deny access to health
DENY category=health

Modifying Policy for SmartFilter Database Changes
SmartFilter’s XL database edition, which is compatible with SmartFilter 4.2 and
later, provides a number of new categories as well as some changes to existing
categories. A change in categories always has the potential to affect the way a
given SGOS policy is interpreted. It is important to modify policy to
accommodate database changes when you change the SmartFilter database you
use. Review the list of categories and ensure that your policy is structured
appropriately, especially for categories in the SL database that have been split into
more than one category in the XL database.

Defining Custom Categories in Policy
You can use CPL to create your own categories and assign URLs to them. This is
done with the define category construct (for more complete information on the
define category construct, refer to Volume 10: Content Policy Language Guide). To
add URLs to a category, list them in the definition. You only need to specify a
partial URL:

• hosts and subdomains within the domain you specify will automatically be
  included
• if you specify a path, all paths with that prefix are included (if you specify no
  path, the whole site is included)

Example:
define category Grand_Canyon
kaibab.org
www2.nature.nps.gov/air/webcams/parks/grcacam
nps.gov/grca
grandcanyon.org
end

Any URL at kaibab.org is now put into the Grand_Canyon category (in addition to
any category it might be assigned by a provider). Only those pages in the /grca
directory of nps.gov are put in this category.

Nested Definitions and Subcategories
You can define subcategories and nest category definitions by adding a
category= rule. To continue the example, you could add:
define category Yellowstone
yellowstone-natl-park.com
nps.gov/yell/
end
define category National_Parks
category=Grand_Canyon ; Grand_Canyon is a subcategory of National_Parks
category=Yellowstone ; Yellowstone is a subcategory of National_Parks
nps.gov/yose ; Yosemite – doesn’t have its own category (yet)
end

With these definitions, pages at kaibab.org are assigned two categories:
Grand_Canyon and National_Parks. You can add URLs to the Grand_Canyon
category and they are automatically added by implication to the National_Parks
category as well.
Multiple unrelated categories can also be assigned by CPL. For example, by
adding:
define category Webcams
www2.nature.nps.gov/air/webcams/parks/grcacam
end

the URL http://www2.nature.nps.gov/air/webcams/parks/grcacam/grcacam.htm
will have three categories assigned to it:

• Grand_Canyon (because it appears in the definition directly)
• National_Parks (because Grand_Canyon is included as a subcategory)
• Webcams (because it also appears in this definition)

However, the other sites in the Grand_Canyon category are not categorized as
Webcams. This can be seen by testing the URL (or any other you want to try)
by clicking the Test button on the Management Console or using the test-url
command in the CLI.

You can test for any of these categories independently. For example, the following
example is a policy that depends on the above definitions, and assumes that your
provider has a category called Travel into which most national park sites
probably fall. The policy is intended to prevent access to travel sites during the
day, with the exception of those designated National_Parks sites. But the
Grand_Canyon webcam is an exception to that exception.

Example:

category=Webcams DENY
category=National_Parks ALLOW
category=Travel time=0800..1800 DENY

Click the Test button on the Management Console or the test-url command in
CLI to validate the categories assigned to any URL. This can help you to ensure
that your policy rules have the expected effect (refer to “Configuring Policy
Tracing” in Volume 10: Content Policy Language Guide).
If you are using policy-defined categories and a content-filter provider at the
same time, be aware of whether your custom category names coincide with the
ones supplied by your provider. Reusing a provider's name is allowed and adds
your URLs to the existing category, extending it with your own definitions; a
name you intended to be separate that happens to match a provider category
silently does the same. For example, if the webcam mentioned above was not
actually categorized as Travel by your provider, you could do the following to
add it to the Travel category (for the purpose of policy):

define category Travel ; extending a vendor category
www2.nature.nps.gov/air/webcams/parks/grcacam/ ; add the GC webcam
end
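
The matching and nesting rules of this section, as an added Python model that is not Blue Coat code: it takes the define category blocks above as data, applies the host/subdomain and path-prefix rules the text gives, and evaluates the three-rule policy. The PROVIDER table (a stand-in for the vendor database, assigning Travel to two constructed hosts), the function names, and treating time=0800..1800 as hours 8 through 17 are assumptions; because the Travel extension just above is included, the webcam URL comes out with four categories rather than the three listed before the extension.

```python
"""Added example, not Blue Coat code: a model of how 'define category' patterns
match URLs, so the nesting and vendor-extension behaviour described in this
section can be checked against concrete URLs.

Matching rules taken from the text: a pattern is host[/path-prefix]; the host
matches itself and any subdomain; a path prefix matches every path that starts
with it; omitting the path matches the whole site; a 'category=X' entry nests X.
The PROVIDER table and the policy function are my assumptions for the demo.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# The definitions from this section, expressed as data.
DEFINITIONS = {
    "Grand_Canyon": ["kaibab.org",
                     "www2.nature.nps.gov/air/webcams/parks/grcacam",
                     "nps.gov/grca",
                     "grandcanyon.org"],
    "Yellowstone": ["yellowstone-natl-park.com", "nps.gov/yell/"],
    "National_Parks": ["category=Grand_Canyon", "category=Yellowstone",
                       "nps.gov/yose"],
    "Webcams": ["www2.nature.nps.gov/air/webcams/parks/grcacam"],
    # Same name as the (assumed) vendor category: extends it, does not replace it.
    "Travel": ["www2.nature.nps.gov/air/webcams/parks/grcacam/"],
}

# Constructed stand-in for the vendor database (host -> categories).
PROVIDER = {"www.expedia.test": {"Travel"}, "www.nps.gov": {"Travel"}}


def pattern_matches(pattern: str, host: str, path: str) -> bool:
    """host[/prefix] pattern semantics from the text."""
    phost, _, pprefix = pattern.partition("/")
    if host != phost and not host.endswith("." + phost):
        return False
    if not pprefix:
        return True                                    # no path: whole site
    return path.startswith("/" + pprefix.rstrip("/"))  # path prefix


def categorize(url: str, definitions=DEFINITIONS, provider=PROVIDER) -> set[str]:
    """All categories for a URL: vendor categories plus every policy-defined
    category whose definition (directly or through nesting) matches."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    cats = set(provider.get(host, set()))

    def matches(name: str, ancestors: frozenset) -> bool:
        if name in ancestors:                 # guard against circular nesting
            return False
        for entry in definitions.get(name, []):
            if entry.startswith("category="):
                if matches(entry[len("category="):], ancestors | {name}):
                    return True
            elif pattern_matches(entry, host, path):
                return True
        return False

    for name in definitions:
        if matches(name, frozenset()):
            cats.add(name)
    return cats or {"none"}


def daytime_policy(url: str, hour: int) -> str:
    """The three-rule layer from this section, first match wins:
    Webcams DENY; National_Parks ALLOW; Travel during 08:00-18:00 DENY."""
    cats = categorize(url)
    if "Webcams" in cats:
        return "DENY"
    if "National_Parks" in cats:
        return "ALLOW"
    if "Travel" in cats and 8 <= hour < 18:
        return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for u in ("http://www.kaibab.org/hike",
              "http://www2.nature.nps.gov/air/webcams/parks/grcacam/grcacam.htm",
              "http://www.nps.gov/yose/", "http://www.expedia.test/"):
        print(u, sorted(categorize(u)), daytime_policy(u, 12))
```

Note that the prefix rule is literal: nps.gov/grca also matches a path such as /grcafoo, which is the behaviour the text describes ("all paths with that prefix"), so end a pattern with a slash when you mean a directory.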

Note: The policy definitions described in this section can also be used as
definitions in a local database. See “Configuring a Local Database” on
page 26 for information about local databases.

Notes

• When you use an expired database, the category unlicensed is assigned to all
  URLs and no lookups occur on the database. This can occur even if your
  download license with the database vendor is still valid, but you have not
  downloaded a database for a long time (databases expire after a certain
  number of days). You can view the date that your database expires (or
  expired) in the download log or by using the view command in the CLI.
  When you download a database, you can see the download log as soon as the
  download is complete. To see the download log when you download a
  database, click Results in the Installation Status dialog when the download is
  complete.
  To see the last download log without doing another download, enter the
  following CLI (config) commands:
  SGOS#(config) content-filter
  SGOS#(config content-filter) view

• When your license with the database vendor expires, you can no longer
  download updates. This does not have an immediate effect: you can still use
  the database you have for a period of time. But eventually, the database
  expires and you receive the category unlicensed, as described above.

• If HTTPS Intercept is disabled and a requested HTTPS host is categorized in a
  content filtering database, then filtering applies. However, if the request
  contains a path and the categorization relies on the host/relative path, content
  filtering only filters on the host name because the path is not accessible. This
  might result in a different categorization than if the host plus path were used.

• If you receive an error message when downloading a content filtering
  database, check the error message (in the Management Console, click Results
  on the Installation Status dialog; in the CLI, the results message displays in the
  event of an error). If you see an error message such as ERROR: HTTP 401
  Unauthorized, verify that you entered your username and password correctly.
  For example, the following error message was generated by entering an
  incorrect username and attempting to download a SmartFilter database:

  Download log:
  SmartFilter download at: Thu, 21 June 2007 18:03:08
  Checking incremental update
  Checking download parameters
  Fetching:http://example.com/
  Warning: HTTP 401 - Unauthorized
  Downloading full control file
  SmartFilter download at: Thu, 21 June 2007 18:03:17
  Downloading from http://example.com/
  Fetching:http://example.com/
  ERROR: HTTP 401 - Unauthorized
  Download failed
  Download failed
  Previous download:
  ...

5. Configure the service:
a. From the Websense Version drop-down list, select the version. The
default is 4.4 and higher; you can also select 4.3.
b. In the Host field, enter the hostname or IP address of the remote
Websense server.
c. In the Port field, enter the port number of the Websense server; or leave
as is to accept the default (15868).
d. In the Maximum connections field, enter the maximum number of
connections. The range is a number from 5 to 4096. The default is 5.
Blue Coat recommends that the setting not exceed 200.
e. In the Receive Timeout (seconds) field, enter the number of seconds the
ProxySG waits for replies from the Websense server. The range is 1 to
65535 seconds. The default timeout is 20 seconds.
6. The following settings are optional:
a. Fail open—If this service is the default Websense service (selected on the
External Services > Websense tab) and the ProxySG cannot connect to the
Websense server, requests and responses proceed without a Websense verdict
instead of being denied. This keeps users working during an outage at the
cost of unfiltered traffic for its duration; leave it unselected if a
connection error should block the request instead.
b. Send: client address—Sends the client IP address to the Websense server.
c. Send: Authenticated user—Sends user information to the Websense
server.

d. Serve exception page when content is blocked—If the requested content is
defined by Websense as inappropriate, the client receives a page with
information stating the content is blocked. When this option is
selected, the exception page originates from the ProxySG; if not
selected, the Websense server provides the exception page.
7. Click OK to close the Websense dialog. To perform a health check on this
service, see “Performing a Health Check on a Websense Off-Box Service” on
page 54.
8. Click Apply to commit the changes to the ProxySG.
9. (Optional) You can designate a default Websense service to use. On the
Configuration > External Services > Websense tab, select a service from the Default
service to use drop-down list.
Because this is an external service feature, you can create service groups that
contain two or more Websense services. Then you can point the ProxySG to the
service group to allow for greater efficiency. See Chapter 4: "Configuring Service
Groups" on page 95.

Performing a Health Check on a Websense Off-Box Service
1. To perform a health check on the Websense service, click Health Check. The
Confirm Health Check dialog displays.

2. Make sure that you save changes to any open dialogs before proceeding.
3. Click OK to perform the health check. When the health check is complete, the
Health Check Results dialog displays information about the health check.
4. Click Close to close the Health Check Results dialog.

Related CLI Syntax to Configure Websense Off-box Content Filtering

To enter configuration mode:
SGOS#(config) external-services

The following subcommands are available:

SGOS# (config external-services) create websense service_name
SGOS# (config external-services) {edit | delete} service_name
SGOS# (config websense service_name) version {4.3 | 4.4}
SGOS# (config websense service_name) host {hostname | IP_address}
SGOS# (config websense service_name) port port_number
SGOS# (config websense service_name) max-conn number
SGOS# (config websense service_name) timeout timeout_seconds
SGOS# (config websense service_name) send {client-address | authenticated-user}
SGOS# (config websense service_name) sense-categories
SGOS# (config websense service_name) apply-by-default
SGOS# (config websense service_name) fail-open
SGOS# (config websense service_name) test-url url

Chapter 3: Malicious Content Scanning Services

This chapter describes how to configure the ProxySG to interact with external
Internet Content Adaptation Protocol (ICAP) clients and servers to provide
content scanning and transformation.

Topics in this Chapter
This chapter includes information about the following topics:

• Section A: "About Content Scanning" on page 58
• Section B: "Configuring ProxySG ICAP Communications" on page 70
• Section C: "Creating ICAP Policy" on page 84
• Section D: "Managing Virus Scanning" on page 92

Section A: About Content Scanning
This section provides conceptual information about anti-virus (AV) scanning and
the ProxySG solution.
When integrated with a supported ICAP server, such as the ProxyAV, the
ProxySG provides content scanning, filtering, and repair service for
Internet-based malicious code. To eliminate threats to the network and to
maintain caching performance, the ProxySG sends objects to the ICAP server for
checking and saves the scanned objects in its object store. With subsequent
content requests, the appliance serves the scanned object rather than rescanning
the same object for each request.
You can scan your data using plain ICAP, secure ICAP, or both. Plain ICAP is
suitable for scanning non-confidential data (HTTP), whereas secure ICAP sends
data that may be confidential (such as intercepted HTTPS) to the ICAP server
through an encrypted channel.

Notes

• Plain ICAP is faster than secure ICAP because it does not have to deal with
  any encryption overhead. Therefore, Blue Coat recommends that you only use
  secure ICAP when scanning confidential data.
• Secure ICAP requires an SSL license.

Determining Which Files to Scan
In determining which files to scan, this integrated solution uses the content
scanning server’s filtering in addition to ProxySG capabilities. The following table
describes the supported content types and protocols.
Table 3–1 Content Types Scanned By ICAP Server and the ProxySG

ICAP Server supported content types:
  All or specified file types, based on the file extension, as configured on
  the server. Examples: .exe (executable programs), .bat (batch files), .doc
  and .rtf (document files), and .zip (archive files); or specific MIME types.

ProxySG supported protocols:
  • All HTTP objects (uploaded or downloaded)
  • All FTP over HTTP (webftp) objects (uploaded or downloaded)
  • All native FTP objects (uploaded or downloaded)
  • HTTPS connections terminated at a ProxySG
  The above is true for both transparent and explicit proxies.

Unsupported content protocols:
  • Streaming content (for example, RTSP and MMS)
  • Live HTTP streams (for example, HTTP radio streams)
  • CIFS
  • IM
  • HTTPS connections tunneled through a ProxySG
  • MAPI
  • TCP tunnel traffic

Whenever an object is requested or being refreshed and it was previously
scanned, the ProxySG verifies whether the pattern file has been updated since it
was last scanned. If it was, the object is scanned again, even if the content has not
changed. If the content has changed, the object is rescanned.
With the ProxySG, you can define flexible, yet enterprise-specific content
scanning policies, which are discussed in the following two sections.

Workflow Tasks
Table 3–2 provides a high-level view of workflow tasks for configuring ProxySG
ICAP communications. It also provides task descriptions.
Table 3–2 Workflow Tasks–Configuring ProxySG ICAP Communications

Task 1. Install the ICAP server
  Follow the manufacturer instructions for installing the ICAP server, including
  any configuration necessary to work with the ProxySG. Based on your network
  environment, you might use the ProxySG with multiple ICAP servers or
  multiple scanning services on the same server. Configure options as needed,
  including the exception message displayed to end users in the event the
  requested object was modified or blocked.

Task 2. Decide whether to scan data using plain ICAP or secure ICAP
  Scan data using the plain ICAP method, the secure ICAP method, or both.
  • Plain ICAP should be used only for non-confidential data. In particular, if
    plain ICAP is used for intercepted HTTPS traffic, then data intended to be
    cryptographically secured would be transmitted in plain text on the local
    network.
  • Secure ICAP sends data through a secure data channel. This method
    protects the integrity of messages that are sent between the ProxySG and
    the ICAP server, and allows the ProxySG to authenticate the ICAP server
    when certificate verification is enabled.

Task 3. Create an SSL device profile on the ProxySG (Optional—secure ICAP only)
  Create an SSL device profile so that the ProxySG can verify the ICAP server's
  certificate if you use secure ICAP. Select: ProxySG Management Console:
  SSL > Device Profiles. Select the Verify Peer option on the Edit menu for the
  desired server.
  Note: When the Verify Peer option is enabled, the ProxySG must have the ICAP
  server certificate installed as trusted under External certificates. Otherwise,
  the ProxySG fails to verify the ICAP server as a trusted server. Without Verify
  Peer, secure ICAP encrypts the channel but does not prove which server is at
  the other end of it.

Task 4. Create and configure new or existing ICAP services
  Create an ICAP service that specifies the ICAP server IP address and supported
  connections. Configure the services including the scanning method and whether
  to use deferred scanning. See "Creating an ICAP Service" on page 70.

Task 5. Specify the feedback method
  Select patience pages or data trickling for the feedback method. See
  "Configuring ICAP Feedback" on page 76.

Task 6. Define scanning policies, then load the policy file on the ProxySG
  Decide which scanning policies your configuration needs. See "Creating ICAP
  Policy" on page 84.

Task 7. Add ICAP rules to policy
  Depending on the configuration, add ICAP rules to policy:
  request.icap_service(server_name)
  response.icap_service(server_name)
  See "Creating ICAP Policy" on page 84.

About Response Modification
The ProxySG sends the first part (a preview) of the object to the ICAP server that
supports response modification. The object preview includes the HTTP request
and response headers, and the first few bytes of the object. After checking those
bytes, the ICAP server either continues with the transaction (that is, asks the
ProxySG to send the remainder of the object for scanning) or sends a notification
to the appliance that the object is clean and opts out of the transaction.
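
The preview exchange described above, as an added example (not code from the manual, the ProxySG or any ICAP server): a Python builder for the RESPMOD request with a Preview header and chunked preview body, a parser for the server's reply, and the decision the proxy takes on 204, 100 and 200. It also captures the ISTag header an ICAP v1.0 server returns (see "ISTags" later in this section) so that a change can trigger rescanning of cached objects. The service URI, the HTTP headers, the body bytes and the server replies are constructed literals standing in for socket traffic.

```python
"""Added example, not code from the manual or from SGOS: the ICAP RESPMOD
preview exchange, built and parsed by hand following RFC 3507. The proxy sends
the HTTP request and response headers plus the first bytes of the body; the
server answers 204 (clean, opt out), 100 (send the rest) or 200 (full reply
carrying modified or blocking content).

Assumptions: the service URI, the sample HTTP exchange and the server replies
are constructed literals standing in for socket traffic.
"""
from typing import Optional

CRLF = b"\r\n"


def chunk(data: bytes) -> bytes:
    """One HTTP/1.1 chunk: hex length, CRLF, data, CRLF."""
    return b"%x" % len(data) + CRLF + data + CRLF


def build_respmod_preview(service: str, icap_host: str, req_hdr: bytes,
                          res_hdr: bytes, body: bytes, preview_len: int) -> bytes:
    """RESPMOD request carrying req/res headers and a preview of the body.
    Encapsulated offsets are byte positions inside the encapsulated section."""
    if not (req_hdr.endswith(CRLF * 2) and res_hdr.endswith(CRLF * 2)):
        raise ValueError("encapsulated headers must end with a blank line")
    preview = body[:preview_len]
    # '0; ieof' tells the server the preview already contains the whole body.
    terminator = (b"0; ieof" if len(body) <= preview_len else b"0") + CRLF * 2
    encapsulated = req_hdr + res_hdr + (chunk(preview) if preview else b"") + terminator
    icap_hdr = [
        f"RESPMOD {service} ICAP/1.0",
        f"Host: {icap_host}",
        "Allow: 204",
        f"Preview: {len(preview)}",
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}",
    ]
    return CRLF.join(h.encode() for h in icap_hdr) + CRLF * 2 + encapsulated


def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP reply into status, reason, headers (lower-cased) and the rest."""
    head, _, rest = raw.partition(CRLF * 2)
    lines = head.split(CRLF)
    version, code, reason = lines[0].split(b" ", 2)
    if version != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"status": int(code), "reason": reason.decode(),
            "headers": headers, "body": rest}


def next_step(resp: dict) -> str:
    """What the proxy does after the preview reply."""
    status = resp["status"]
    if status == 204:
        return "serve-original"   # server opted out: object is clean
    if status == 100:
        return "send-remainder"   # server wants the rest of the body
    if status == 200:
        return "use-modified"     # replacement object or block page follows
    return "fail"                 # anything else: apply fail-open/closed policy


def istag_changed(resp: dict, recorded: Optional[str]) -> bool:
    """ISTag names the server's current pattern/config state; when it differs
    from the tag recorded at scan time, cached objects need rescanning."""
    tag = resp["headers"].get("istag")
    if tag is None:
        raise ValueError("an ICAP/1.0 server must send ISTag")
    return recorded is not None and tag != recorded


# Constructed sample exchange.
REQ_HDR = b"GET /download/setup.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: 12\r\n\r\n")
BODY = b"MZ" + b"\x00" * 10
REPLY_CLEAN = (b"ICAP/1.0 204 Unmodified\r\nISTag: \"AV-20080601-1\"\r\n"
               b"Encapsulated: null-body=0\r\n\r\n")
REPLY_CONTINUE = b"ICAP/1.0 100 Continue\r\n\r\n"

if __name__ == "__main__":
    req = build_respmod_preview("icap://av.example.net/respmod", "av.example.net",
                                REQ_HDR, RES_HDR, BODY, preview_len=4)
    print(req.decode("latin-1"))
    print(next_step(parse_icap_response(REPLY_CLEAN)))
```

The Allow: 204 header is what permits the server to opt out without echoing the object back; without it a clean verdict costs a full 200 reply carrying the unchanged body.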

The ICAP server features and configuration determine how scanning works,
including the following:

• Handling of certain objects, including those that are infected and cannot be
  repaired
• Whether to attempt to repair infected files
  Note: The ProxyAV does not attempt to repair the file.
• Whether to delete infected files that cannot be repaired from the ICAP server’s
  archive

The following diagram illustrates the response modification process flow.

Figure 3–1 Response Modification Process Flow

About Request Modification
Request modification means the ICAP server scans contents that a client is
attempting to send outside the network. This prevents unaware users from
forwarding corrupted files or Webmail attachments. Request modification is also
a method of content filtering and request transformation, which is used to protect
network identification. Based on the results of the scan, the server might return an
HTTP response to the client (for example, sports not allowed); or the client
request might be modified, such as stripping a Referer header, before continuing
to the origin content server.
Note: Some ICAP servers do not support virus scanning for request modification,
but support only content filtering.

The following diagram illustrates the request modification process flow.

Figure 3–2 Request Modification Process Flow

Returning the Object to the ProxySG
For response modification, the returned object can be the original unchanged
object, a repaired version of the original object minus a virus, or an error message
indicating that the object contained a virus. Each of these responses is configured
on the ICAP server, independent of the appliance and the ICAP protocol. If the
appliance receives the error message, it forwards the error message to the client
and does not save the infected file.
Note: For request modification, an object is never returned, regardless of whether
it is infected or clean.

Caching and Serving the Object
After an object has been scanned and is determined to be cacheable, the ProxySG
saves it and serves it for the subsequent content requests. When the appliance
detects that the cached content has changed on the origin server, it fetches a fresh
version, then forwards it to the ICAP server for scanning. If the ProxySG uses
policies in the ICAP configuration, the policy applies to content fetches,
distributions, refreshes, and pipelining fetches.
For more information on policies, see Section C: "Creating ICAP Policy" on page
84. For more information on the <Cache> layer, refer to Volume 10: Content Policy
Language Guide.

ICAP v1.0 Features
This section describes features of the ICAP v1.0 protocol.

Sense Settings
The Sense Settings feature allows the ProxySG to query any identified ICAP
server running v1.0, detect the parameters, and configure the ICAP service as
appropriate. See "Creating an ICAP Service" on page 70.

ISTags
An ICAP v1.0 server is required to return in each response an ICAP header ISTag,
which indicates the current state of the ICAP server. This eliminates the need to
designate artificial pattern version numbers, as is required in v0.95.
Note: Backing out a virus pattern on the ICAP server can revert ISTags to
previous values that are ignored by the ProxySG. To force the ProxySG to
recognize the old values, use the Sense Settings option, which is described in the
configuration section.

Persistent Connections
New ICAP connections are created dynamically as ICAP requests are received (up
to the defined maximum connection limit). The connection remains open to
receive subsequent requests. If a connection error occurs, the connection closes to
prevent more errors.

Improving the User Experience
Object scanning adds another operation to the user process of requesting and
receiving Web content. Therefore, the user might notice slight delays during Web
browsing as ICAP servers scan content. The ProxySG allows you to mitigate
slower browse times and educate your users about what is occurring on their
systems. This section discusses:

• Patience pages
• Data trickling
• Deferred scanning and infinite streams

About Patience Pages
Patience pages are HTML pages displayed to the user if an ICAP content scan
exceeds the specified duration (seconds). You can configure the content of these
pages to include a custom message and a help link. Patience pages refresh every
five seconds and disappear when object scanning is complete.

Notes

• Patience pages are not compatible with infinite stream connections—or live
  content streamed over HTTP—such as a cam or video feed. ICAP scanning
  cannot begin until the object download completes. Because this never occurs
  with this type of content, the ProxySG continues downloading until the
  maximum ICAP file size limit is breached. At that point, the ProxySG either
  returns an error or attempts to serve the content to the client (depending on
  fail open/closed policy). However, even when configured to fail open and
  serve the content, the delay added to downloading this large amount of data
  is often enough to cause a user to give up before reaching that point.
• Patience pages are limited to Web browsers.

About Data Trickling
Patience pages provide a solution to appease users during relatively short delays
in object scans. However, scanning relatively large objects, scanning objects over a
smaller bandwidth pipe, or high loads on servers might disrupt the user
experience because connection time-outs occur. To prevent such time-outs, you
can allow data trickling to occur. Depending on the trickling mode you enable, the
ProxySG either trickles—or allows at a very slow rate—bytes to the client at the
beginning of the scan or near the very end.
The ProxySG begins serving server content without waiting for the ICAP scan
result. However, to maintain security, the full object is not delivered until the
results of the content scan are complete (and the object is determined to not be
infected).
Note: This feature is supported for the HTTP proxy only; FTP connections are not
supported.

Trickling Data From the Start
In trickle from start mode, the ProxySG buffers a small amount of the beginning of
the response body. As the ICAP server continues to scan the response, the
ProxySG allows one byte per second to the client.

Figure 3–3 A client receives only the initial bytes of a transaction during the ICAP scan.
Legend:
1: After 5 seconds (default), trickling begins.
2: The response is received from the ICAP server (clean), and the client receives the
remaining bytes at the best connection possible.

After the ICAP server completes its scan:

• If the object is deemed to be clean (no response modification is required),
  the ProxySG sends the rest of the object bytes to the client at the best speed
  allowed by the connection.
• If the object is deemed to be malicious, the ProxySG terminates the connection
  and the remainder of the response object bytes—which in this case are the
  majority of the bytes—are not sent to the client.

Deployment Notes

• This method is the more secure option because the client receives only a
  small amount of data pending the outcome of the virus scan.
• One drawback is that users might become impatient, especially if they notice
  the browser display of bytes received. They might assume the connection is
  poor or the server is busy, close the client, and restart a connection.

Trickling Data at the End
In trickle at end mode, the ProxySG sends the response to the client at the best
speed allowed by the connection, except for the last 16 KB of data. As the ICAP
server performs the content scan, the ProxySG allows one byte per second to the
client.


Figure 3–4 A client receives most of the bytes immediately during the ICAP scan.
LEGEND:
1: After 5 seconds (default), the ICAP scan begins, but the client begins
receiving bytes at the best connection possible.
2: Trickling begins for the final 16K of data.
3: The response is received from the ICAP server (clean), and the client receives
the remaining bytes.

After the ICAP server completes its scan, the behavior is the same as described in
"Trickling Data From the Start" on page 65.

Deployment Notes

• Blue Coat recommends this method for media content, such as flash objects.
• This method is more user-friendly than trickle at start. This is because users
  tend to be more patient when they notice that 99% of the object is downloaded
  versus 1%, and are less likely to perform a connection restart. However,
  network administrators might perceive this method as the less secure method,
  as a majority of the object is delivered before the results of the ICAP scan.
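The two trickling modes described in "Trickling Data From the Start" and "Trickling Data at the End" differ in how much of a response has already reached the client when the ICAP verdict arrives. The following Python model is an added example, not Blue Coat code, that makes that trade-off measurable. It takes its constants from the text (feedback after 5 seconds, one byte per second while trickling, the final 16 KB withheld in trickle-at-end mode) and assumes, where the page does not say, that the scan starts when the response starts, that the "best connection possible" bulk transfer completes before the verdict, and that nothing reaches the client before the feedback delay has elapsed.

```python
"""Exposure model for the two ProxySG data-trickling modes (added example).

Counts how many response bytes the client already holds when the ICAP
verdict arrives. Constants are the page's defaults; the timing assumptions
(scan starts at t=0, bulk transfer finishes before the verdict, nothing sent
before the feedback delay) are ours, not Blue Coat's.
"""
from dataclasses import dataclass

FEEDBACK_DELAY_S = 5         # "Provide feedback after" default
TRICKLE_RATE_BPS = 1         # bytes per second while the scan is outstanding
TAIL_BYTES = 16 * 1024       # trickle-at-end withholds the final 16 KB

MODES = ("trickle-start", "trickle-end")


@dataclass(frozen=True)
class TrickleOutcome:
    mode: str
    object_size: int
    verdict: str
    bytes_before_verdict: int   # already at the client when the scan finished
    bytes_after_verdict: int    # delivered only when the verdict is "clean"

    @property
    def exposure(self) -> float:
        """Fraction of the object the client holds before the verdict."""
        return self.bytes_before_verdict / self.object_size if self.object_size else 0.0


def bytes_before_verdict(mode: str, object_size: int, scan_seconds: float) -> int:
    """Bytes delivered to the client while the ICAP scan is still running."""
    if mode not in MODES:
        raise ValueError(f"unknown trickle mode: {mode}")
    if scan_seconds <= FEEDBACK_DELAY_S:
        return 0  # verdict arrived before any feedback was due: nothing trickled
    trickled = int((scan_seconds - FEEDBACK_DELAY_S) * TRICKLE_RATE_BPS)
    if mode == "trickle-start":
        # only the slow trickle reaches the client; the body stays buffered
        return min(trickled, object_size)
    # trickle-at-end: everything but the tail goes at full speed, the tail trickles
    bulk = max(0, object_size - TAIL_BYTES)
    tail = object_size - bulk
    return bulk + min(trickled, tail)


def simulate(mode: str, object_size: int, scan_seconds: float, verdict: str) -> TrickleOutcome:
    """Apply the page's post-scan rule: a clean object finishes at full speed,
    a malicious one has its connection terminated (remaining bytes never sent)."""
    if verdict not in ("clean", "malicious"):
        raise ValueError(f"unknown verdict: {verdict}")
    sent = bytes_before_verdict(mode, object_size, scan_seconds)
    remaining = object_size - sent
    return TrickleOutcome(mode, object_size, verdict, sent,
                          remaining if verdict == "clean" else 0)


def compare_modes(object_size: int, scan_seconds: float) -> dict:
    """Exposure of a malicious object under each mode, keyed by mode name."""
    return {m: simulate(m, object_size, scan_seconds, "malicious").exposure for m in MODES}


if __name__ == "__main__":
    for mode, exposure in compare_modes(1_000_000, 65).items():
        print(f"{mode:14s} client holds {exposure:6.2%} of a 1 MB object at verdict time")
```

Run as a script it prints the exposure for a 1 MB object scanned for 65 seconds: trickle-start leaks 60 bytes, trickle-end leaks everything but about 16 KB. Objects smaller than 16 KB are held back entirely in both modes, which is why the page can recommend trickle-at-end for media content without giving up protection on small downloads.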

General Deployment Notes
This section provides information about data trickling deployments.

Deciding between Data Trickling and Patience Pages
ProxySG configuration options plus policy allow you to provide different ICAP
feedback actions depending upon the type of traffic detected:

• Blue Coat defines interactive as the request involving a Web browser. Web
  browsers support data trickling and patience pages.
• Non-interactive traffic originates from non-browser applications, such as
  automatic software download or update clients. Such clients are not
  compatible with patience pages; therefore, data trickling or no feedback are
  the only supported options.

Depending on whether your enterprise places a higher value on security or on
availability, the ProxySG allows you to specify the appropriate policy. However,
you must also consider the user agents involved when determining the
appropriate feedback method. For example, streaming clients cannot display
patience pages, but they are susceptible to connection time-outs. Therefore,
trickling is the suggested method for them. The following diagram provides
basic guidelines for deciding which feedback method to implement.

Figure 3–5 Deciding which ICAP feedback method to employ.

Proxy Chaining Deployments
Proxy chaining deployments are common in enterprises, especially in core/
branch office scenarios. Data trickling is achievable, but behavior is dependent
upon how the ProxySGs are configured. The following are common deployment
scenarios.


• The downstream ProxySG is performing ICAP scanning, and the upstream ProxySG
  is not: Data trickling and patience pages are not affected in this scenario.
• The upstream ProxySG is performing ICAP scanning, and the downstream ProxySG
  is not: The only issue with this deployment is that user agent-specific policy
  cannot be applied at the core ProxySG because the branch ProxySG consolidates
  multiple client requests in one outgoing request to the upstream ProxySG. If
  data trickling is employed at the upstream ProxySG and ICAP scanning detects a
  virus, the upstream ProxySG resets the client connection. This also deletes
  the corrupted object from the downstream ProxySG cache.
• Both ProxySG appliances (upstream and downstream) are scanning: Behavior is
  mostly determined by the configuration of the upstream ProxySG.
  • If the upstream ProxySG is configured to deliver patience pages, then the
    downstream ProxySG also attempts to serve patience pages, including to
    non-graphical user agents. Therefore, this method is not recommended.
  • If the upstream ProxySG employs data trickle from start, the downstream
    ProxySG is not able to send any bytes to the client for a long period of
    time. If a patience page is not configured on the downstream ProxySG,
    users might experience connection time-outs.
  • If the upstream ProxySG employs trickle at end, the downstream ProxySG
    allows for all options of patience page and data trickling.

Avoiding Network Outages due to Infinite Streaming Issues
Infinite streams are connections such as web cams or flash media—traffic over an
HTTP connection—that conceivably have no end. Characteristics of infinite
streams may include no content length, slow data rate and long response time.
Because the object cannot be fully downloaded, the ICAP content scan cannot
start; however, the connection between the ProxySG and the ProxyAV remains,
which wastes finite connection resources.
The deferred scanning feature solves the infinite streaming issue by detecting
ICAP requests that are unnecessarily holding up ICAP connections (without
requiring the ProxyAV) and defers those requests until the full object has been
received.

How Deferred Scanning Works
Deferred scanning detects the possibility of infinite streams by the fact that the
number of ICAP resources in use has reached a certain threshold. It then defers
the scanning of those streams by deferring the oldest, outstanding ICAP requests
first. For every new ICAP request, the ProxySG does the following:


• If the total number of outstanding ICAP actions for the current server has
  reached the defer threshold, the ProxySG defers the oldest ICAP connection
  that has not yet received a full object.

The defer threshold is specified by the administrator as a percentage. For
example, if the defer threshold is set to 70 percent and the maximum connections
are set to 100, then up to 70 connections are allowed before the ProxySG begins
to defer connections that have not finished downloading a complete object.

Note: See "Creating an ICAP Service" on page 70 for information about setting
the defer scanning threshold value on the ProxySG Management Console.
When an ICAP connection is deferred, the connection to the ICAP server is closed.
The application response continues to be received, and when the download is
complete the ICAP request is restarted. The new ICAP request may still be
queued if there are no available ICAP connections. Once a request is deferred,
ICAP waits to receive the full object before restarting the request. If there is a
queue when a deferred action has received a complete object, that action is
queued behind other deferred actions that have finished. However, it is queued
ahead of other new requests.
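The deferral rules above (threshold as a percentage of maximum connections, defer the oldest incomplete action when a new request arrives, restart only once the full object is received, restarted actions queue behind earlier finished deferrals but ahead of new requests) can be checked against a small scheduler model. The following Python class is an added example, not Blue Coat code; it drives events through explicit method calls instead of a clock, which is an assumption for illustration, and keeps deferral disabled unless a percentage is supplied, matching the page's default for a new ICAP service.

```python
"""Deferred-scanning scheduler model for one ICAP service (added example).

Reproduces the page's rules with explicit events instead of a clock (our
simplification, not Blue Coat's implementation).
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(eq=False)
class IcapAction:
    action_id: int
    full_object_received: bool = False
    state: str = "new"   # new | queued | scanning | deferred | done


class DeferringIcapService:
    def __init__(self, max_connections: int, defer_threshold_pct: Optional[int] = None):
        if not 1 <= max_connections <= 65535:
            raise ValueError("max_connections must be 1..65535")
        if defer_threshold_pct is not None and not 0 <= defer_threshold_pct <= 100:
            raise ValueError("defer_threshold_pct must be 0..100")
        self.max_connections = max_connections
        # e.g. 70 percent of 100 connections -> defer once 70 are outstanding
        self.defer_limit = (None if defer_threshold_pct is None
                            else max_connections * defer_threshold_pct // 100)
        self.active: list = []           # holds an ICAP connection, oldest first
        self.deferred: list = []         # ICAP connection closed, still downloading
        self.ready: deque = deque()      # deferred actions whose object is complete
        self.waiting: deque = deque()    # new requests with no free connection

    # -- events -------------------------------------------------------------
    def submit(self, action: IcapAction) -> None:
        """A new ICAP request arrives for this service."""
        if self.defer_limit is not None and len(self.active) >= self.defer_limit:
            self._defer_oldest_incomplete()
        action.state = "queued"
        self.waiting.append(action)
        self._dispatch()

    def object_complete(self, action: IcapAction) -> None:
        """The full application response has been received for this action."""
        action.full_object_received = True
        if action.state == "deferred":
            self.deferred.remove(action)
            self.ready.append(action)    # restart: behind earlier ready deferrals
            self._dispatch()

    def scan_finished(self, action: IcapAction) -> None:
        """The ICAP server returned its verdict; the connection is free again."""
        self.active.remove(action)
        action.state = "done"
        self._dispatch()

    def outstanding(self) -> int:
        return len(self.active)

    # -- internals ----------------------------------------------------------
    def _defer_oldest_incomplete(self) -> Optional[IcapAction]:
        for action in self.active:       # oldest first
            if not action.full_object_received:
                self.active.remove(action)
                action.state = "deferred"
                self.deferred.append(action)
                return action
        return None                      # every active scan already has its object

    def _dispatch(self) -> None:
        """Fill free connections: ready deferrals first, then new requests."""
        while len(self.active) < self.max_connections:
            if self.ready:
                action = self.ready.popleft()
            elif self.waiting:
                action = self.waiting.popleft()
            else:
                return
            action.state = "scanning"
            self.active.append(action)
```

With 100 maximum connections and a 70 percent threshold, the 71st request causes the oldest action that is still downloading to be deferred, so a long-lived stream can hold an ICAP connection only until the service is under pressure. Note that deferral is evaluated only on request arrival; if every active scan already has its complete object there is nothing to defer and the new request simply waits for a free connection.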

Deferred Scanning and Setting the Feedback Options
Depending on how you configure the ICAP feedback option (patience page or
data trickling) and the size of the object, deferred scanning may cause a delay in
ICAP response because the entire response must be sent to the ICAP server at
once. The feedback option allows you to specify the type of feedback you want to
receive during an ICAP scan. For information about setting feedback options, see
"Configuring ICAP Feedback" on page 76.
If a patience page is configured, the browser continues to receive a patience page
until the object is fully received and the outstanding ICAP actions have
completed.
If the data trickle options are configured, the object continues to trickle during
deferred scanning. However, due to the trickle buffer requirement, there may be a
delay, with or without deferred scanning, before the ProxySG starts sending a
response.

About ICAP Server Failover
When creating an ICAP action, you can specify a list of ICAP servers or groups to
use, in order of preference. If the first server or group in the list does not pass the
health checks, the ProxySG moves down the list until it finds a server or group
that is healthy and uses that to perform the scanning.
The primary server resumes ICAP processing when the next health check is
successful; the standby server or server group does not retain the primary
responsibility.

Notes

• Failover is configured as part of the ICAP policy definition.
• You cannot configure failover policy until ICAP services are configured on
  the ProxySG.
• To avoid errors, ICAP services cannot be named fail_open or fail_closed (the
  CLI commands prevent these names from being created).

Chapter 3: Malicious Content Scanning Services
Section B: Configuring ProxySG ICAP Communications


4. Configure the service communication options:
Note: The default ICAP version is 1.0 and cannot be changed.

a. In the Service URL field, enter the ICAP server URL (ProxyAV), which
   includes the URL scheme and the ICAP server hostname or IP address. For
   example:
   icap://10.x.x.x/

b. In the Maximum Number of Connections field, enter the maximum number of
   connections that can be open at any given time between the ProxySG and
   the ICAP server. The range is 1 to 65535. The default is 5. The
   recommended number of connections depends on the capabilities of the
   ICAP server; refer to the vendor’s product information.


Note: An ICAP service pointing to a WebWasher server must use icap as the
protocol in the URL. Blue Coat also recommends that you review your specific
ICAP server documentation, as each vendor might require additional URL
information.

c. In the Connection timeout field, enter the number of seconds the
ProxySG waits for replies from the ICAP server. The range is 1 to
65535. The default timeout is 70 seconds.
d. Select Defer scanning at threshold to set the threshold at which the
ProxySG defers the oldest ICAP connection that has not yet received a
full object. The range is 0 percent – 100 percent. By default, the
deferred scanning threshold is disabled when an ICAP service is
created. When enabled, the defer threshold scanning defaults to 80
percent.
e. Select Notify administrator when virus detected to send an e-mail to the
administrator if the ICAP scan detects a virus. The notification is also
sent to the Event Log and the Event Log e-mail list.
f. Select Use vendor’s “virus found” page to display the default vendor error
   exception page to the client instead of the ProxySG exception page.
This is the default behavior for SGOS upgrades from previous versions.
This feature maintains the same appearance of previous versions, but also
retains the inherent timestamp issues involved with cache hits. If this
option is not selected, the exception pages originate from the ProxySG,
and they employ the accurate timestamps for cache hits.


"Workflow Tasks" on page 59
"Avoiding Network Outages due to Infinite Streaming Issues" on page 68
"Configuring ProxySG ICAP Communications" on page 70
"Creating ICAP Policy" on page 84
"Managing Virus Scanning" on page 92

Managing ICAP Health Checks
ProxySG health check features allow you to perform tasks such as running an
immediate check, disabling health checks, and overriding various notifications
and settings.
To manage ICAP health checks:

1. Select Configuration > Health Checks > General.

2. Select an ICAP service or service group.
3. Click Perform health check to get an immediate connection status for the
ProxyAV or service group.
4. Click Edit to display the Edit ICAP Health Check dialog.
5. Select the Enabled state:


• Enabled: Marks the ICAP service or group as enabled and functioning.
• Disabled, reporting as healthy: Marks the ICAP service as healthy, but not
  able to receive connections. One reason to select this option is to preserve
  current statistics; the disabled state is temporary.
• Disabled, reporting as sick: Marks the ICAP service as down and not able to
  receive connections. One reason to select this is that you are taking the
  server offline for maintenance or replacement.

6. Click Apply.
The Health Check chapter in Volume 5: Advanced Networking provides more
detailed information about all of the health check configuration options,
including override features.


Deleting an ICAP Service
The following steps describe how to delete an ICAP service.
Note: You cannot delete an ICAP service that is used in a ProxySG policy (that
is, if a policy rule uses the ICAP service name) or that belongs to a service
group.
To delete an ICAP service:

1. Select Configuration > External Services > ICAP.
2. Select the service to be deleted.
3. Click Delete; click OK to confirm.
4. Click Apply.

Configuring ICAP Feedback
This section describes how to specify what type of feedback is provided to users
during an ICAP scan. See "Improving the User Experience" on page 64.
To specify and configure the ICAP feedback method:

1. Select Configuration > External Services > ICAP > ICAP Feedback.




• Trickle object data at end: The client receives most (99%) of the object
  data, but the final bytes are sent at the rate of one per second while the
  ICAP scanner performs the scan. If the response from the ICAP server is
  clean, the client receives the rest of the object data at the best
  connection speed possible. If the scan detects malicious content, the
  connection is dropped. This is the least secure method, as most of the data
  has already been delivered to the client. However, this method provides the
  best user experience because most of the object is already delivered.

Note: When deferred scanning is enabled and the data trickle options are
configured, the object continues to trickle during deferred scanning.
However, due to the trickle buffer requirement, there may be a delay
before the ProxySG starts sending a response.
3. Configure options for non-interactive traffic (content such as flash animation
over HTTP):
a. The Do not provide feedback... option means that if users experience
delays in receiving content, they are not notified as to the reason (ICAP
scanning). Selecting this option greys out the other options.
b. The default duration to wait before notifying a client that an ICAP
scan is occurring is five seconds. You can change this value in the
Provide feedback after field, but if you make the value too long, users
might become impatient and manually close the client, believing the
connection is hung.
c. Select the feedback method:


• Trickle object data from start: See the description in Step 2.
• Trickle object data at end: See the description in Step 2.

4. Click Apply.
These configurations are global. You can define further feedback policy that
applies to specific user and conditional subsets. In the VPM, the object is located
in the Web Access Layer: Return ICAP Feedback.

Customizing ICAP Patience Text
This section describes how to customize text displayed during ICAP scanning.
Patience pages are displayed if the appropriate option is selected, as described in
the previous section: "Improving the User Experience" on page 64.

HTTP Patience Text
The ProxySG allows you to customize the patience page components and text that
are displayed to users when HTTP clients experience delays as Web content is
scanned.


c. Custom Patience Details Message—Uses data to indicate scanning
progress. The information includes the URL currently being scanned,
the number of bytes processed, and the elapsed time of the scan.

d. Custom Patience Help Message—Displays instructions for users should
they experience a problem with the patience page.
3. Click Apply.
All of these components are displayed on the patience page.

Windows XP, Service Pack 2 Behavior
Microsoft is continually updating Windows XP security measures, which impacts
how the ProxySG manages patience pages.


• Browsers running on Windows XP, Service Pack 2 (XP SP2), experience slightly
  different patience page behavior when pop-up blocking is enabled.
• If pop-up blocking is not enabled, patience page behavior should be normal.
• If pop-up blocking is enabled (the default), the ProxySG attempts to display
  the patience page in the root window.
• If the download triggers an invisible Javascript window, the user can track
  the scanning progress with the progress bar at the bottom of the window;
  however, if other policy blocks Javascript active content, this bar is also
  not visible.
• If Internet Explorer blocks all downloads initiated by Javascript, the user
  must click the yellow alert bar to download the scanned object.
• Users experience two patience page responses for non-cacheable objects.


Interactivity Notes


• When ICAP scanning is enabled and a patience page is triggered, a unique
  URL is dynamically generated and sent to the browser to access the patience
  page. This unique URL might contain a modified version of the original URL.
  This is expected behavior.
• Patience pages and exceptions can only be triggered by left-clicking a link.
  If a user right-clicks a link and attempts to save it, it is not possible to
  display patience pages. If this action causes a problem, the user might see
  browser-specific errors (for example, an Internet site not found error);
  however, ICAP policy is still in effect.
• A patience page is not displayed if a client object request results in an
  HTTP 302 response and the ProxySG pipelines the object in the Location
  header. After the ProxySG receives the client request for the object, the
  client enters a waiting state because a server-side retrieval of the object
  is already in progress. The wait status of the client request prevents the
  patience page from displaying. To prevent the ProxySG from pipelining these
  requests (which decreases performance) and to retain the ability to provide
  a patience page, configure HTTP as follows:
  SGOS# (config) http no pipeline client redirects
• The status bar update does not work if it is disabled or if the Javascript
  does not have sufficient rights to update it.
• Looping: Certain conditions cause browsers to re-spawn patience pages. For
  example, a site states it will begin a download in 10 seconds, initiates a
  pop-up download window, and returns to the root window. If the download
  window allows pop-ups, the patience page displays in a separate window. The
  automatic return to the root window initiates the download sequence again,
  spawning another patience page. If unnoticed, this loop could cause a system
  hang. The same behavior occurs if the user clicks the back button to return
  to the root window. For known and used download sites, you can create policy
  that redirects the page so that it doesn’t return to the root window after a
  download starts.

FTP Patience Text
For content over FTP, the patience text displayed to FTP clients during an ICAP
scan can be modified.
To customize FTP patience text:

1. Select Configuration > External Services > ICAP > ICAP Patience Page.

SGOS# (config external-services) inline ftp icap-patience-text eof
SGOS# (config external-services) icap feedback interactive patience-page {seconds}
SGOS# (config external-services) icap feedback {interactive | non-interactive} {trickle-start | trickle-end | none} {seconds}

Section C: Creating ICAP Policy
Defined ICAP policy dictates the anti-virus and ICAP server failover behavior for
your enterprise. You can either use the Visual Policy Manager (VPM) or you can
manually edit policy files. For more information on the VPM and defining
policies, refer to Volume 6: The Visual Policy Manager and Advanced Policy.
Use the request.icap_service() (request modification) or
response.icap_service() (response modification) properties to manage the
ProxySG ICAP services.

VPM Objects
The VPM contains the following objects specific to AV scanning (linked to their
descriptions in the VPM chapter).
Table 3–3 AV Scanning Objects

Object                      Layer>Column
Virus Detected              Web Access>Service
ICAP Error Code             Web Access>Service
Return ICAP Feedback        Web Access>Action
Set ICAP Request Service    Web Access>Action
Set ICAP Request Service    Web Content>Action
Set ICAP Response Service   Web Content>Action

Note: For CPL policy, refer to Volume 10: Content Policy Language Guide.

Example ICAP Scanning Policy
The following VPM example demonstrates the implementation of an ICAP policy
that performs virus scanning on both client uploads (to prevent propagating a
virus) and responses (to prevent the introduction of viruses), and provides
failover with backup ICAP services.
For this example:

• The ProxySG has configured ICAP services. The response service is
  avresponse1 and the request service is avrequest1.
• Two backup response services are configured: avresponse2 and avresponse3.
• The ProxyAV is the virus scanner and it is configured to serve
  password-protected files.
• A group named IT is configured on the ProxySG.
• The IT group wants the ability to download password-protected files, while
  everyone else is to be denied from doing the same.

c. From the Available services field, select avrequest1 and click Add. This
moves the service name to the Selected failover sequence field.
d. Accept the default: Deny the client request. This prevents a client from
propagating a threat. If a virus is found, the content is not uploaded.
For example, a user attempts to post a document that has a virus and is
denied.
e. Click OK; click OK again to add the object to the rule.

Figure 3-1. Request

6. In the VPM, select Policy > Add Web Content Layer. Name the rule ResponseAV.
7. Right-click the Action column; select Set. The Set Action Object dialog displays.
8. Click New.
9. Select Set ICAP Response Service; the Add ICAP Response Service Object dialog
displays.


2. Right-click the Service column; select Set. The Set Service Object dialog
displays.
a. Select Virus Detected (static object).
b. Click OK to add the object to the rule.
3. Right-click the Action column. Select Deny.
4. Right-click the Track column. Select Set; the Set Track Object dialog displays.
a. Click New; select Event Log. The Event Log dialog displays.
b. In the Name field, enter VirusLog1.
c. From the scroll-list, select icap_virus_details, localtime, and clientaddress. Click Insert.
d. Click OK; click OK again to add the object to the rule.

Figure 3-2. The AVErrors rule

To create an exception for IT group:

1. In VPM, select Policy > Add Web Access Layer. Name the rule AVExceptions.
2. Add the IT group object to the Source column.
3. Right-click the Service column; select Set. The Set Service Object dialog
displays.
4. Click New; select ICAP Error Code. The Add ICAP Error Code Object displays.

After this policy is installed:

• Virus scanning is performed for client attempts to upload content and for
  content responses to client requests.
• If a virus is detected and there were no scanning process errors, a log
  entry occurs.
• As the ProxyAV is configured to serve password-protected objects, only the
  IT group can download such files; everyone else is denied.

Exempting HTTP Live Streams From Response Modification
The following CPL examples demonstrate how to exempt HTTP live streams from
response modification, as they are not supported by ICAP. The CPL designates
user agents that are bypassed.

; Each rule (condition plus property) is written on one line so that the
; response.icap_service(no) property applies only to the matching user agent.
<Proxy>
url.scheme=http request.header.User-Agent="RealPlayer G2" response.icap_service(no)
url.scheme=http request.header.User-Agent="(RMA)" response.icap_service(no)
url.scheme=http request.header.User-Agent="(Winamp)" response.icap_service(no)
url.scheme=http request.header.User-Agent="(NSPlayer)" response.icap_service(no)
url.scheme=http request.header.User-Agent="(Windows-Media-Player)" response.icap_service(no)
url.scheme=http request.header.User-Agent="QuickTime" response.icap_service(no)
url.scheme=http request.header.User-Agent="(RealMedia Player)" response.icap_service(no)

Streaming Media Request Modification Note
Some HTTP progressive download streaming media transactions are complex
enough to disrupt ICAP request modification services. If such behavior is noticed
(most common with RealPlayer), implement a workaround policy to bypass the
ICAP request modification service for HTTP progressive downloads:
For example:

; Bypass ICAP request modification for the named streaming user agents.
<Proxy>
url.scheme=http request.header.User-Agent="(RealMedia Player)" request.icap_service(no)
url.scheme=http request.header.User-Agent="RMA" request.icap_service(no)

CPL Notes


• If policy specifies that an ICAP service is to be used, but the service is
  not available, the default behavior is to fail closed—that is, deny the
  request or response. The following CPL allows the serving of objects without
  ICAP processing if the server is down:
  request.icap_service(service_name, fail_open)
  response.icap_service(service_name, fail_open)
  When the ICAP service is restored, these objects are scanned and served from
  the cache if they are requested again.
  Note: Blue Coat recommends this CPL to be used for internal sites; use with
  caution.
• To provide an exception to a general rule, the following CPL negates ICAP
  processing:
  request.icap_service(no)
  response.icap_service(no)


• When configuring the secure ICAP feature, the following CPLs are used:
  Note: These CPLs allow the user to configure the secure_connection
  separately for each service in the failover sequence.
  request.icap_service.secure_connection(option)
  response.icap_service.secure_connection(option)
  request.icap_service.secure_connection.service_name(option)
  response.icap_service.secure_connection.service_name(option)
  request.icap_service.secure_connection[service_0,service_1,...,service_N-1](option)
  response.icap_service.secure_connection[service_0,service_1,...,service_N-1](option)

  where option is yes, no or auto. The default option is auto.

  • yes– This option means that secure ICAP is used for all traffic (HTTP and
    HTTPS).
  • no– This option means that plain ICAP is used for all traffic (HTTP and
    HTTPS).
  • auto– This option (default) means that plain ICAP is used for HTTP traffic
    and secure ICAP is used for HTTPS traffic.


Section D: Managing Virus Scanning
You might need to perform additional ProxySG maintenance concerning virus
scanning, particularly for updates to the virus definition on the ICAP virus
scanning server.

Advanced Configurations
This section summarizes more-advanced configurations between the ProxySG
and multiple ICAP servers. These brief examples provide objectives and suggest
ways of supporting the configuration.

Using Object-Specific Scan Levels
You can specify different scanning levels for different types of objects, or for
objects from different sources.
This requires a service group of ICAP servers, with each server configured to
provide the same level of scanning. For more information, refer to Chapter 4:
"Configuring Service Groups" on page 95.

Improving Virus Scanning Performance
You can overcome request-handling limitations of ICAP servers. Generally,
ProxySGs can handle many times the volume of simultaneous user requests that
ICAP servers can handle.
Obtaining a reasonable performance gain requires multiple ICAP servers. On the
ProxySG, define policy rules that partition requests among the servers. If you
direct requests to individual servers based on rules, configure rule conditions
that use only the URL. Note that you can increase the scale by using a service
group, rather than using rules to partition requests among servers. For more
information on using multiple ICAP servers, refer to Chapter 4: "Configuring
Service Groups" on page 95. For more information about defining policies, refer
to the Managing Policy Files chapter in Volume 6: The Visual Policy Manager and
Advanced Policy, as well as Volume 11: Command Line Interface Reference.
When the virus definitions are updated, the ProxySG stores a signature. This
signature consists of the server name plus a virus definition version. If either of
these changes, the ProxySG checks to see if the object is up to date, and then
rescans it. If two requests for the same object are directed to different servers, then
the scanning signature changes and the object is rescanned.

Updating the ICAP Server
If there is a problem with the integration between the ProxySG and a supported
ICAP server after a version update of the server, you might need to configure the
preview size the appliance uses. For information, see "Creating an ICAP Service"
on page 70.


Replacing the ICAP Server
If you replace an ICAP server with another supported ICAP server, reconfigure
the ICAP service on the ProxySG:
SGOS# (config) external-services
SGOS# (config external-services) edit service_name
SGOS# (config service_name) url url

For information about these commands, see "Creating an ICAP Service" on page
70.

Access Logging
The ProxySG provides access log support for Symantec and Finjan ICAP 1.0
server actions (Management > Access Logging). The following sections describe
access logging behavior for the various supported ICAP servers.

Symantec AntiVirus Scan Engine 4.0
When this Symantec server performs a scan, identifies a problem (for example, a
virus), and performs a content transformation, the action is logged. For example:
“virus-id: Type=number; Resolution=[0 | 1 | 2]; Threat=name;”

where:
Type=number   Specifies the numeric code for the virus.
Resolution=   Specifies an integer value that indicates what action was taken
              to fix the file. Zero (0) defines the file is unrepairable, one
              (1) specifies that the file was repaired, and two (2) specifies
              that the file was deleted.
Threat=       Specifies the name of the virus.

Finjan SurfinGate 7.0
When this Finjan ICAP server performs a scan, identifies a problem (for example,
a virus), and performs a content transformation, the action is logged. For example:
“virus-id: name, response-info: Blocked, response-desc: virus_name was
detected”

Finjan ICAP servers also log occurrences of malicious mobile code.
Note: The access log string cannot exceed 256 characters. If the header name or
value extends the length over the limit, then that string does not get logged.
For example, if the x-virus-id header value is 260 characters, the access log
displays "x-virus-id: " with no value because the value is too long to display.
Also, if the access log string is already 250 characters and the ProxySG
attempts to append a "Malicious-Mobile-Type: " string, the string is not
appended.

Access log entries might vary depending upon the type of ICAP scan performed
and the custom log formats. For information about Access Logging, refer to
Volume 8: Access Logging.
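A detection pipeline that consumes these access logs needs to recognise both vendor formats and to expect the truncation described in the note. The following Python parser is an added example, not Blue Coat code; the two patterns follow the Symantec and Finjan strings quoted above, the sample log lines are constructed, and append_log_field() is a model of the stated 256-character rule (name logged if it fits, over-long value dropped, field not appended if the name itself would exceed the limit), with the exact boundary and the position of the "virus-id:" prefix being assumptions.

```python
"""Parser for ICAP virus fields in ProxySG access logs (added example).

Formats follow the Symantec and Finjan examples on the page; sample lines are
constructed, and the length-limit model is our reading of the page's note.
"""
import re
from typing import Dict, List, Optional

MAX_ACCESS_LOG_LEN = 256

# "virus-id: Type=number; Resolution=[0 | 1 | 2]; Threat=name;"
SYMANTEC_RE = re.compile(
    r"virus-id:\s*Type=(?P<type>\d+);\s*Resolution=(?P<resolution>[012]);\s*Threat=(?P<threat>[^;]*);"
)
# "virus-id: name, response-info: Blocked, response-desc: virus_name was detected"
FINJAN_RE = re.compile(
    r"virus-id:\s*(?P<name>[^,]+),\s*response-info:\s*(?P<info>[^,]+),\s*response-desc:\s*(?P<desc>.+)"
)
RESOLUTION_TEXT = {"0": "unrepairable", "1": "repaired", "2": "deleted"}


def parse_virus_id(entry: str) -> Optional[Dict[str, str]]:
    """Return the structured virus fields from one access log string, or None."""
    m = SYMANTEC_RE.search(entry)
    if m:
        return {"vendor": "symantec", "type": m["type"],
                "resolution": RESOLUTION_TEXT[m["resolution"]],
                "threat": m["threat"].strip()}
    m = FINJAN_RE.search(entry)
    if m:
        return {"vendor": "finjan", "threat": m["name"].strip(),
                "response_info": m["info"].strip(),
                "response_desc": m["desc"].strip()}
    return None   # no virus-id, or a value that was truncated away (see the note)


def append_log_field(log: str, name: str, value: str,
                     limit: int = MAX_ACCESS_LOG_LEN) -> str:
    """Append "name: value" to an access log string under the page's length rule."""
    prefix = f"{name}: "
    if len(log) + len(prefix) > limit:
        return log                      # name itself does not fit: nothing appended
    if len(log) + len(prefix) + len(value) > limit:
        return log + prefix             # name fits, value does not: logged empty
    return log + prefix + value


def detections(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line and keep only those carrying a vendor detection."""
    found = []
    for line in lines:
        parsed = parse_virus_id(line)
        if parsed is not None:
            found.append(parsed)
    return found


# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = [
    "virus-id: Type=12345; Resolution=2; Threat=EICAR-Test-File;",
    "virus-id: EICAR-Test-File, response-info: Blocked, response-desc: EICAR-Test-File was detected",
    "x-virus-id: ",          # value exceeded the 256-character limit and was dropped
    "virus-id: Type=7; Resolution=1; Threat=Example.Worm;",
]

if __name__ == "__main__":
    for hit in detections(SAMPLE_LOG):
        print(hit)
```

A monitoring rule built on this should treat an empty "x-virus-id: " as a detection with a lost name rather than as a clean transaction: the appliance only writes that header when the scanner reported something, so the truncation hides the threat name, not the event.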


Chapter 4: Configuring Service Groups

This chapter describes how to create and manage ICAP or Websense service
groups. In high-traffic network environments, a service group accelerates
response time by performing a higher volume of scanning.

Topics in this Chapter
This chapter includes information about the following topics:

• "About Weighted Load Balancing" on page 95
• "Creating a Service Group" on page 97
• "Deleting a Service Group or Group Entry" on page 99
• "Displaying External Service and Group Information" on page 100

About Weighted Load Balancing
The ProxySG supports weighted load balancing in forwarding requests to
service groups. By default, the ProxySG performs typical round-robin load
balancing and evenly forwards requests sequentially to servers as defined
within the service group. Manually assigning weights takes advantage of
round-robin load balancing in service groups that are not homogeneous, or
where the servers have different capacities.
Weighting determines what proportion of the load one server bears relative to
the others. If all servers have either the default weight (1) or the same weight,
each shares an equal proportion of the load. If one server has weight 25 and all
other servers have weight 50, the 25-weight server processes half as much as
any other server.
Before configuring weights, consider the relative weights to assign to each
server. Factors that could affect the assigned weight of an ICAP server include the
following:


• The processing capacity of the server hardware in relationship to other
  servers (for example, the number and performance of CPUs or the number
  of network interface cards)
• The maximum number of connections configured for the service. The
  maximum connections setting pertains to how many simultaneous scans
  can be performed on the server, while weighting applies to throughput in
  the integration. While these settings are not directly related, consider both
  when configuring weighted load balancing.

Note: External services (ICAP, Websense off-box) have a reserved connection
for health checks (if you created health check services). This means that as the
load goes up and the number of connections to the external service reaches
the maximum, with additional requests being queued up and waiting, the
maximum number of simultaneous scanning connections is actually one less than
the configured limit.


The following diagram provides an example of how weighting works with a
service group of three ProxyAV ICAP servers.

Figure 4–1 Service Group Process Flow
Legend:
A: AV1; a ProxyAV with 10 maximum connections and a specified weight of 1.
B: AV2; a ProxyAV with 10 maximum connections and a specified weight of 1.
C: AV3; a ProxyAV with 25 maximum connections and a specified weight of 3.
D: A ProxySG with a Service Group named AV_Response that contains AV1, AV2, and
AV3.
Process Flow:
1: With load balancing, the ProxySG sends 100 response modification requests to the
three ProxyAV appliances (by way of the AV_Response service group).
2: AV1 receives 20 requests.
3: AV2 receives 20 requests.
4: AV3 receives 60 requests.

Note: Setting the weight value to 0 (zero) disables weighted load balancing for
the ICAP service. Therefore, if one ICAP server of a two-server group has a
weight value of 1 and the second a weight value of 0, should the first server go
down, a communication error results because the second server cannot process
the request.

While you cannot specifically designate an ICAP server in a group as a backup,
you can specify weight values that create a large differential between a server that
is used continuously and one that is rarely used, thus simulating a backup server.
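The behaviour described in this section, modelled in Python: the 1:1:3 split of Figure 4–1 (20/20/60 of 100 requests), the weight-0 member that cannot take over when its partner goes down, and the per-member connection cap with one connection held back for health checks. This is an added example, not Blue Coat code and not the appliance's actual scheduler. The scheduling algorithm (smooth weighted round-robin), the Member and ServiceGroup classes, and the member names are assumptions chosen to reproduce the proportions the text describes.

```python
"""Weighted round-robin across the members of a service group.

Added example, not Blue Coat code: a model of how the weights in Figure 4-1
split requests, of the weight-0 case in the note, and of the per-member
connection cap. The scheduling algorithm (smooth weighted round-robin), the
Member/ServiceGroup classes and the member names are assumptions chosen to
reproduce the proportions the text describes.
"""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    weight: int                  # 0 removes the member from weighted selection
    max_conn: int                # simultaneous scans the server will accept
    health_checks: bool = False  # one connection is held back when True
    up: bool = True
    in_flight: int = 0

    @property
    def usable_conn(self):
        """Cap minus the connection reserved for the health checker."""
        return self.max_conn - 1 if self.health_checks else self.max_conn


class ServiceGroup:
    def __init__(self, members):
        self.members = list(members)
        self._credit = {m.name: 0 for m in self.members}

    def eligible(self):
        """Members that can be selected: up, and weight greater than 0."""
        return [m for m in self.members if m.up and m.weight > 0]

    def pick(self):
        """Next member by smooth weighted round-robin: every cycle of
        `total weight` picks hands each member exactly `weight` requests."""
        cands = self.eligible()
        if not cands:
            raise RuntimeError("no eligible server: all down or weight 0")
        total = sum(m.weight for m in cands)
        for m in cands:
            self._credit[m.name] += m.weight
        best = max(cands, key=lambda m: self._credit[m.name])
        self._credit[best.name] -= total
        return best

    def acquire(self):
        """Pick a member with a free connection and reserve it.

        Returns None when every eligible member is at its usable cap, i.e.
        the request would be queued rather than scanned immediately.
        """
        for _ in range(max(1, len(self.eligible()))):
            m = self.pick()               # raises when nothing is eligible
            if m.in_flight < m.usable_conn:
                m.in_flight += 1
                return m
        return None


def distribute(group, n):
    """Count how n requests fall across the group's members."""
    counts = {m.name: 0 for m in group.members}
    for _ in range(n):
        counts[group.pick().name] += 1
    return counts


if __name__ == "__main__":
    av = ServiceGroup([Member("AV1", 1, 10), Member("AV2", 1, 10),
                       Member("AV3", 3, 25)])
    print(distribute(av, 100))          # {'AV1': 20, 'AV2': 20, 'AV3': 60}
    pair = ServiceGroup([Member("ICAP1", 1, 5), Member("ICAP2", 0, 5)])
    pair.members[0].up = False
    try:
        pair.pick()
    except RuntimeError as exc:
        print("communication error:", exc)
```

Note that the weight only fixes the proportion of requests offered to each member; `acquire` shows why the text says to consider max connections as well: a member that receives 60 percent of the traffic but accepts only 25 concurrent scans (24 with health checks enabled) will start queueing long before the lightly weighted members do.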

To delete a service group:

1. Select Configuration > External Services > Service-Groups.
2. Select the service group to be deleted.
3. Click Delete; click OK to confirm.
4. Click Apply.
To delete a service group entry:

1. Select Configuration > External Services > Service-Groups.
2. Select the service group to be modified.
3. Click Edit.
4. Select the service entry to be deleted; click Delete.
5. Click OK.
6. Click Apply.

Displaying External Service and Group Information
After configuring a service group, you can display aggregate service group (and
other External Services) information.
To display information about all external services and groups:

At the (config) command prompt, enter the following commands:
SGOS# (config) external-services
SGOS# (config external-services) view

Individual service information is displayed first, followed by service group
information. For example:
; External Services
icap4
  ICAP-Version:         1.0
  URL:                  icap://10.1.1.1
  Max-conn:             5
  Timeout(secs):        70
  Health-checks:        no
  Patience-page(secs):  disabled
  Notification:         never
  Methods:              RESPMOD
  Preview-size:         0
  Send:                 nothing
  ISTag:
websense4
  Version:              4.4
  Host:                 www.websense.com/list
  Port:                 15868
  Max-conn:             5
  Timeout(secs):        70
  Send:                 nothing
  Fail-by-default:      closed
  Apply-by-default:     no
  Serve-exception-page: yes


; External Service-Groups
CorpICAP
  total weight 5
  entries:
    ICAP1      weight 4
    ICAP2      weight 1
BranchWebsense
  total weight 2
  entries:
    Websense1  weight 1
    Websense2  weight 1

Related CLI Syntax to Manage External Services

• To enter configuration mode:
SGOS# (config) external-services

• The following commands are available:
SGOS# (config external-services) create service-group name
SGOS# (config service-group name) add service_name
SGOS# (config service-group name) edit service_name
SGOS# (config service-group name) weight value
SGOS# (config external-services) delete service_group_name
SGOS# (config type name) remove entry_name
SGOS# (config external-services) view
SGOS# (config type name) view

Appendix A: Troubleshooting

This appendix describes troubleshooting tips and solutions for Dynamic
Categorization (DRTR) and Blue Coat Web Filter (BCWF). It discusses the
following topics:


• "Unable to Communicate with the DRTR Service" on page 103
• "Event Log Message: Invalid DRTR Service Name, Health Check Failed" on
  page 103
• "Error Determining Category for Requested URL" on page 104
• "Contacting Technical Support" on page 105

Unable to Communicate with the DRTR Service
Blue Coat Web Filter and DRTR are enabled, and the following error message
displays:
Dynamic categorization error: unable to communicate with service 0
510000:1 ../protocols/cerberian/Cerberian_api.cpp:79

To resolve this issue:

1. Use DNS to resolve sp.cwfservice.net.
Note: The ProxySG resolves the domain name sp.cwfservice.net once a day
and maintains the list of returned IP addresses. The ProxySG then uses the IP
address that provides the fastest service. If an IP address that is in use fails to
respond, the ProxySG will failover to an alternate IP address. Health checks are
automatically conducted on all the IP addresses to make this failover as
smooth as possible and to restore service to the geographically closest IP
address as soon as it is available.

2. Check the firewall logs for messages about denied or blocked traffic to or
from the DRTR IP addresses returned in step 1. A firewall rule that denies or
blocks traffic in either direction impedes DRTR.

Event Log Message: Invalid DRTR Service Name, Health Check Failed
The following event log message displays:
Invalid DRTR service name - Health check failed - Receive failed.

These messages are common in event logs and, for the most part, should not
affect your service. A server may fail an L4 health check for various reasons,
but unless all servers (services) are unavailable for extended periods of time,
you should not experience interruptions in DRTR services and can regard this
as expected behavior.


When the proxy makes a request for the DRTR service name, several IP addresses
for the Blue Coat servers are returned. The ProxySG periodically performs a quick
layer-4 health check (opening and closing a TCP socket with no data transfer) to each
of those servers. If the ProxySG cannot contact a server or does not receive a response
quickly enough, it logs event log messages like the one above.
Your DRTR service is not interrupted unless all of the servers cannot be contacted
for more than a few seconds. When one of these error messages appears, the
service's health status changes back to healthy within 2 to 10 seconds.
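The two checks described above (resolving the DRTR service name to its full address list, and the layer-4 probe that opens and closes a TCP socket with no data transfer), reproduced as a Python script you can run from a host on the same network path as the appliance. This is an added example, not Blue Coat code and not the appliance's own health checker: it separates a DNS failure (step 1) from a firewall drop (step 2) from the transient single-server failure the event log message describes. The port is an assumption (this document does not state it; 443 is used here), and the `resolve` and `connect` callables are injectable so the classification logic can be exercised offline.

```python
"""Resolve the DRTR service name and run a layer-4 check on every address.

Added example, not Blue Coat code: it mirrors the two checks described above,
resolving sp.cwfservice.net to its full address list and opening and closing
a TCP socket to each address with no data transfer, so a DNS failure can be
told apart from a firewall drop from a host on the appliance's network path.
The port is an assumption (the document does not state it; 443 is used), and
`resolve`/`connect` are injectable so the classification logic runs offline.
"""
import socket
import time

DRTR_HOST = "sp.cwfservice.net"
DRTR_PORT = 443  # assumption: not stated in this document


def default_resolve(host):
    """All IPv4 addresses for host; the appliance keeps the whole list too."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def default_connect(ip, port, timeout):
    """Open and immediately close a TCP socket: no payload is sent."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def l4_health_check(host=DRTR_HOST, port=DRTR_PORT, timeout=3.0,
                    resolve=default_resolve, connect=default_connect):
    """Return {ip: (healthy, seconds_or_error)} for each resolved address.

    An empty dict means the name did not resolve (step 1 above). Every entry
    failing with a timeout points at a firewall dropping traffic in one
    direction (step 2). A single failing entry is the transient condition the
    "Health check failed" event log message describes.
    """
    try:
        ips = resolve(host)
    except OSError:                   # socket.gaierror is an OSError
        return {}
    results = {}
    for ip in ips:
        start = time.monotonic()
        try:
            connect(ip, port, timeout)
            results[ip] = (True, round(time.monotonic() - start, 3))
        except OSError as exc:        # refused, timed out, unreachable
            results[ip] = (False, str(exc))
    return results


def summarize(results):
    """Classify the outcome the way the troubleshooting steps do."""
    if not results:
        return "dns-failure"
    healthy = [ok for ok, _ in results.values()]
    if all(healthy):
        return "healthy"
    return "degraded" if any(healthy) else "unreachable"


if __name__ == "__main__":
    checks = l4_health_check()
    for ip, (ok, detail) in checks.items():
        print(f"{ip:15} {'ok' if ok else 'FAIL'} {detail}")
    print(summarize(checks))
```

A "degraded" result with one address failing matches the expected behaviour the section describes and needs no action; "unreachable" across every address, especially with timeouts rather than connection refusals, is the firewall case in step 2; "dns-failure" is step 1.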

Error Determining Category for Requested URL
The access log shows the category for a URL as Unavailable.
The following is an example access log message:
2007-08-07 22:19:02 59 10.78.1.98 404 TCP_NC_MISS 412 428 GET http
www.sahnienterprise.com 80 /images/menu.gif - - - DIRECT
www.sahnienterprise.com text/html;%20charset=iso-8859-1
http://www.sahnienterprise.com/ "Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" PROXIED "Unavailable"
10.78.1.100

Start by manually testing the URL using the ProxySG Management Console or the
test-url command.

• If you can categorize the URL from the CLI or Management Console, you can
  rule out most of the causes and suggested things to check in the following
  table.
• If you get Unavailable in your test, go through the list of possible causes in
  the following table.
Possible Causes                                  Check the Following
------------------------------------------------ ----------------------------------------
The database is not installed.                   Check show content-filter status.
The database is corrupt.                         Check show content-filter status.
The database has expired.                        Check show content-filter status.
A communication error occurred contacting        Check the event log entries for DRTR
the DRTR service.                                messages.
The ProxySG license has expired.                 Check show license.
(Possible, but not likely) There are issues      Check event log entries for disk or
with memory or a disk error.                     memory messages.

For more information about possible causes and solutions, see Chapter 2: Filtering
Web Content, "Applying Policy to Categorized URLs" on page 44.


Contacting Technical Support
If you need further assistance after reading through the solutions in this
appendix, contact Blue Coat Technical Support at:
www.bluecoat.com/support/contact.html


Glossary

A
access control list—Allows or denies specific IP addresses access to a server.

access log—A list of all the requests sent to a ProxySG. You can read an access
log using any of the popular log-reporting programs. When a client uses HTTP
streaming, the streaming entry goes to the same access log.

account—A named entity that has purchased the ProxySG or the Entitlements
from Blue Coat.

activation code—A string of approximately 10 characters that is generated and
mailed to customers when they purchase the ProxySG.

active content stripping—Provides a way to identify potentially dangerous mobile
or active content and scripts, and strip them out of a response.

active content types—Used in the Visual Policy Manager. Referring to Web
Access policies, you can create and name lists of active content types to be
stripped from Web pages. You have the additional option of specifying a
customized message to be displayed to the user.

administration access policy—A policy layer that determines who can access the
ProxySG to perform administrative tasks.

administration authentication policy—A policy layer that determines how
administrators accessing the ProxySG must authenticate.

AJAX—Acronym for Asynchronous JavaScript and XML, the technology used
for live updating of Web objects without having to reload the entire page.

Application Delivery Network (ADN)—A WAN that has been optimized for
acceleration and compression by Blue Coat. This network can also be secured
through the use of appliance certificates. An ADN network is composed of an
ADN manager and backup ADN manager, ADN nodes, and a network
configuration that matches the environment.

ADN backup manager—Takes over for the ADN manager in the event it becomes
unavailable. See ADN manager.

ADN manager—Responsible for publishing the routing table to SG Clients (and
to other ProxySG appliances).

ADN optimize attribute—Controls whether to optimize bandwidth usage when
connecting upstream using an ADN tunnel.

A record—The central records of DNS, which link a domain or subdomain to an
IP address. An A record can correspond to a single IP address or many IP
addresses.

asx rewrite—Allows you to rewrite URLs and then direct a client's subsequent
request to the new URL. One of the main applications of ASX file rewrites is to
provide explicit proxy-like support for Windows Media Player 6.4, which
cannot set explicit proxy mode for protocols other than HTTP.


audit—A log that provides a record of who accessed what and how.

authenticate-401 attribute—All transparent and explicit requests received on the port
always use transparent authentication (cookie or IP, depending on the
configuration). This is especially useful to force transparent proxy authentication
in some proxy-chaining scenarios.

authenticated content—Cached content that requires authentication at the origin
content server (OCS). Supported authentication types for cached data include
basic authentication and IWA (or NTLM).

authentication—Allows you to verify the identity of a user. In its simplest form, this
is done through usernames and passwords. Much more stringent authentication
can be employed using digital certificates that have been issued and verified by a
Certificate Authority. See also basic authentication, proxy authentication, and SSL
authentication.

authentication realm—Authenticates and authorizes users to access SG services
using either explicit proxy or transparent proxy mode. These realms integrate
third-party vendors, such as LDAP, Windows, and Novell, with the Blue Coat
operating system.

authorization—The permissions given to an authenticated user.

B
bandwidth—The amount of data you can send through a network or modem
connection, usually measured in bits per second (bps).

bandwidth class—A defined unit of bandwidth allocation.

bandwidth class hierarchy—A grouping of bandwidth classes into a tree structure
that specifies the relationship among different classes. You create a hierarchy by
creating at least one parent class and assigning other classes as its children.

bandwidth gain—Bandwidth gain is a calculation of the savings that occur when
bandwidth is not consumed as a result of some form of optimization.
For example, bandwidth gain for active sessions is calculated by subtracting the
number of server bytes from the number of client bytes and dividing the result by
the number of server bytes:
(Client Bytes - Server Bytes) / Server Bytes

bandwidth management—Classify, control, and, if needed, limit the amount of
bandwidth used by network traffic flowing in or out of a ProxySG.

basic authentication—The standard authentication for communicating with the
target as identified in the URL.

BCAAA—Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to
manage authentication and authorization for IWA, CA eTrust SiteMinder realms,
Oracle COREid, Novell, and Windows realms. The agent is installed and
configured separately from SGOS 5.x and is available from the Blue Coat Web site.

BCLP—Blue Coat Licensing Portal.

byte-range support—The ability of the ProxySG to respond to byte-range requests
(requests with a Range: HTTP header).


C
cache—An "object store," either hardware or software, that stores information
(objects) for later retrieval. The first time the object is requested, it is stored,
making subsequent requests for the same information much faster.
A cache helps reduce the response time and network bandwidth consumption on
future, equivalent requests. The ProxySG serves as a cache by storing content
from many users to minimize response time and prevent extraneous network
traffic.

cache control—Allows you to configure which content the ProxySG stores.

cache efficiency—A tab found on the Statistics pages of the Management Console
that shows the percent of objects served from cache, the percent loaded from the
network, and the percent that were non-cacheable.

cache hit—Occurs when the ProxySG receives a request for an object and can serve
the request from the cache without a trip to the origin server.

cache miss—Occurs when the ProxySG receives a request for an object that is not
in the cache. The ProxySG must then fetch the requested object from the origin
server.

cache object—Cache contents include all objects currently stored by the ProxySG.
Cache objects are not cleared when the ProxySG is powered off.

Certificate Authority (CA)—A trusted, third-party organization or company that
issues digital certificates used to create digital signatures and public key/private
key pairs. The role of the CA is to guarantee that the individuals or company
representatives who are granted a unique certificate are who they claim to be.

child class (bandwidth gain)—The child of a parent class is dependent on that parent
class for available bandwidth (they share the bandwidth in proportion to their
minimum/maximum bandwidth values and priority levels). A child class with
siblings (classes with the same parent class) shares bandwidth with those siblings
in the same manner.

cipher suite—Specifies the algorithms used to secure an SSL connection. When a
client makes an SSL connection to a server, it sends a list of the cipher suites that it
supports.

client consent certificates—A certificate that indicates acceptance or denial of
consent to decrypt an end user's HTTPS request.

client-side transparency—A way of replacing the ProxySG IP address with the Web
server IP address for all port 80 traffic destined to go to the client. This effectively
conceals the ProxySG address from the client and conceals the identity of the
client from the Web server.

concentrator—A ProxySG, usually located in a data center, that provides access to
data center resources, such as file servers.

content filtering—A way of controlling which content is delivered to certain users.
ProxySG appliances can filter content based on content categories (such as
gambling, games, and so on), type (such as http, ftp, streaming, and mime type),
identity (user, group, network), or network conditions. You can filter content
using vendor-based filtering or by allowing or denying access to URLs.


D
default boot system—The system that was successfully started last time. If a system
fails to boot, the next most recent system that booted successfully becomes the
default boot system.

default proxy listener—See proxy service (default).

denial of service (DoS)—A method that hackers use to prevent or deny legitimate
users access to a computer, such as a Web server. DoS attacks typically send many
request packets to a targeted Internet server, flooding the server's resources and
making the system unusable. Any system connected to the Internet and equipped
with TCP-based network services is vulnerable to a DoS attack.
The ProxySG resists DoS attacks launched by many common DoS tools. With a
hardened TCP/IP stack, the ProxySG resists common network attacks, including
traffic flooding.

destination objects—Used in Visual Policy Manager. These are the objects that
define the target location of an entry type.

detect protocol attribute—Detects the protocol being used. Protocols that can be
detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and
Endpoint Mapper.

diagnostic reporting—Found in the Statistics pane, the Diagnostics tab allows you to
control whether Daily Heartbeats and/or Blue Coat Monitoring are enabled or
disabled.

directives—Commands used in installable lists to configure forwarding and
SOCKS gateway.

DNS access—A policy layer that determines how the ProxySG processes DNS
requests.

domain name system (DNS)—An Internet service that translates domain names into
IP addresses.

dynamic bypass—Provides a maintenance-free method for improving performance
of the ProxySG by automatically compiling a list of requested URLs that return
various kinds of errors.

dynamic real-time rating (DRTR)—Used in conjunction with the Blue Coat Web Filter
(BCWF), DRTR (also known as dynamic categorization) provides real-time analysis
and content categorization of requested Web pages to solve the problem of new
and previously unknown uncategorized URLs—those not in the database.
When a user requests a URL that has not already been categorized by the BCWF
database (for example, a brand new Web site), the ProxySG dynamic
categorization service analyzes elements of the requested content and assigns a
category or categories. The dynamic service is consulted only when the installed
BCWF database does not contain category information for an object.

E
early intercept attribute—Controls whether the proxy responds to client TCP
connection requests before connecting to the upstream server. When early
intercept is disabled, the proxy delays responding to the client until after it has
attempted to contact the server.


ELFF-compatible format—A log type defined by the W3C that is general enough to
be used with any protocol.

emulated certificates—Certificates that are presented to the user by the ProxySG
when intercepting HTTPS requests. Blue Coat emulates the certificate from the
server and signs it, copying the subjectName and expiration. The original
certificate is used between the ProxySG and the server.

encrypted log—A log that is encrypted using an external certificate associated with a
private key. Encrypted logs can only be decrypted by someone with access to the
private key. The private key is not accessible to the ProxySG.

EULA—End user license agreement.

event logging—Allows you to specify the types of system events logged, the size of
the event log, and to configure Syslog monitoring. The ProxySG can also notify
you by email if an event is logged. See also access logging.

explicit proxy—A configuration in which the browser is explicitly configured to
communicate with the proxy server for access to content. This is the default for
the ProxySG and requires configuration for both the browser and the interface
card.

extended log file format (ELFF)—A variant of the common log file format, which has
two additional fields at the end of the line—the referer and the user agent fields.

F
fail open/closed—Failing open or closed applies to forwarding hosts and groups
and SOCKS gateways. Fail open or closed applies when health checks are
showing sick for each forwarding or SOCKS gateway target in the applicable
failover sequence. If no systems are healthy, the ProxySG fails open or closed,
depending on the configuration. If closed, the connection attempt simply fails.
If open, an attempt is made to connect without using any forwarding target (or
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no
setting is specified.

filtering—See content filtering.

forward proxy—A proxy server deployed close to the clients and used to access
many servers. A forward proxy can be explicit or transparent.

FTP—See Native FTP and Web FTP.

G
gateway—A device that serves as entrance and exit into a communications
network.

H
hardware serial number—A string that uniquely identifies the ProxySG; it is assigned
to each unit in manufacturing.

health check tests—The method of determining network connectivity, target
responsiveness, and basic functionality. The following tests are supported:




• ICMP
• TCP
• SSL
• HTTP
• HTTPS
• Group
• Composite and reference to a composite result
• ICAP
• Websense
• DRTR rating service

health check type—The kind of device or service the specific health check tests. The
following types are supported:
• Forwarding host and forwarding group
• SOCKS gateway and SOCKS gateway group
• ICAP service and ICAP service group
• Websense off-box service and Websense off-box service group
• DRTR rating service
• User-defined host and a user-defined composite

heartbeat—Messages sent once every 24 hours that contain the statistical and
configuration data for the ProxySG, indicating its health. Heartbeats are
commonly sent to system administrators and to Blue Coat. Heartbeats contain no
private information, only aggregate statistics useful for pre-emptively diagnosing
support issues.
The ProxySG sends emergency heartbeats whenever it is rebooted. Emergency
heartbeats contain core dump and restart flags in addition to daily heartbeat
information.

host affinity—The attempt to direct multiple connections by a single user to the
same group member. Host affinity is closely tied to load balancing behavior; both
should be configured if load balancing is important.

host affinity timeout—The host affinity timeout determines how long a user remains
idle before the connection is closed. The timeout value checks the user's IP
address, SSL ID, or cookie in the host affinity table.

I
inbound traffic (bandwidth gain)—Network packets flowing into the ProxySG.
Inbound traffic mainly consists of the following:
• Server inbound: Packets originating at the origin content server (OCS) and
  sent to the ProxySG to load a Web object.
• Client inbound: Packets originating at the client and sent to the ProxySG
  for Web requests.

installable list—A list of configuration parameters that can be created using a text
editor (either Blue Coat or another text editor) or through the CLI inline
commands. The list can then be downloaded to the ProxySG from an HTTP server
or locally from your PC. Configurations that can be created and installed this way
include the SG Client, archiving, forwarding hosts, SOCKS gateways, ICP, policy
files, and exceptions.

integrated host timeout—An integrated host is an origin content server (OCS) that
has been added to the health check list. The host, added through the
integrate_new_hosts property, ages out of the integrated host table after
being idle for the specified time. The default is 60 minutes.

intervals—Time period from the completion of one health check to the start of the
next health check.

IP reflection—Determines how the client IP address is presented to the origin server
for explicitly proxied requests. All proxy services contain a reflect-ip attribute,
which enables or disables sending of the client's IP address instead of the IP address
of the ProxySG.

issuer keyring—The keyring used by the ProxySG to sign emulated certificates. The
keyring is configured on the appliance and managed through policy.

L
licensable component (LC)—(Software) A subcomponent of a license; it is an option
that enables or disables a specific feature.

LCAMS—License Configuration and Management System.

license—Provides both the right and the ability to use certain software functions
within a ProxyAV (or ProxySG) appliance. The license key defines and controls
the license, which is owned by an account.

listener—The service that is listening on a specific port. A listener can be identified
by any destination IP/subnet and port range. Multiple listeners can be added to
each service.

live content—Also called live broadcast. Used in streaming, it indicates that the
content is being delivered fresh.

LKF—License key file.

load balancing—A way to share traffic requests among multiple upstream systems
or multiple IP addresses on a single host.

local bypass list—A list you create and maintain on your network. You can use a
local bypass list alone or in conjunction with a central bypass list.

local policy file—Written by enterprises (as opposed to the central policy file written
by Blue Coat); used to create company- and department-specific advanced
policies written in the Blue Coat Policy Language (CPL).


log facility—A separate log that contains a single logical file and supports a single
log format. It also contains the file's configuration and upload schedule
information as well as other configurable information such as how often to rotate
(switch to a new log) the logs at the destination, any passwords needed, and the
point at which the facility can be uploaded.

log format—The type of log that is used: NCSA/Common, SQUID, ELFF,
SurfControl, or Websense.

The proprietary log types each have a corresponding pre-defined log format that
has been set up to produce exactly that type of log (these logs cannot be edited). In
addition, a number of other ELFF type log formats are also pre-defined (im, main,
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log
fields for logging particular protocols understood by the ProxySG. It is also
possible to create new log formats of type ELFF or Custom which can contain any
desired combination of log fields.
log tail—The access log tail shows the log entries as they get logged. With high
traffic on the ProxySG, not all access log entries are necessarily displayed.
However, you can view all access log information after uploading the log.

M
MACH5—SGOS 5 MACH5 Edition.

Management Console—A graphical Web interface that lets you manage,
configure, monitor, and upgrade the ProxySG from any location. The
Management Console consists of a set of Web pages and Java applets stored on
the ProxySG. The appliance acts as a Web server on the management port to serve
these pages and applets.

management information base (MIB)—Defines the statistics that management systems
can collect. A managed device (gateway) has one or more MIBs as well as one or
more SNMP agents, which implement the information and management
functionality defined by a specific MIB.

maximum object size—The maximum object size stored in the ProxySG. All objects
retrieved that are greater than the maximum size are delivered to the client but are
not stored in the ProxySG.

Media Access Control (MAC) address—A unique value associated with a network
adapter; also known as hardware address or physical address. For the ProxySG, it
is a hardware address that is stored in each network card (such as an SSL
accelerator card or a Quad GigE Fiber LX card) on the ProxySG. The MAC
address uniquely identifies an adapter on a LAN and is a 12-digit hexadecimal
number (48 bits in length).

MIME/FILE type filtering—Allows organizations to implement Internet policies for
both uploaded and downloaded content by MIME or FILE type.

multi-bit rate—The capability of a single stream to deliver multiple bit rates to
clients requesting content from ProxySG appliances from within varying levels of
network conditions (such as different connecting bandwidths and traffic).

multicast—Used in streaming; the ability for hundreds or thousands of users to
play a single stream.


multicast aliases—Used in streaming; a streaming command that specifies an alias
for a multicast URL to receive an .nsc file. The .nsc file allows the multicast
session to obtain the information in the control channel.

multicast station—Used in streaming; a defined location on the proxy where the
Windows Media player can retrieve streams. A multicast station enables multicast
transmission of Windows Media content from the cache. The source of the
multicast-delivered content can be a unicast-live source, a multicast (live) source,
and simulated live (video-on-demand content converted to scheduled live
content).

multimedia content services—Used in streaming; multimedia support includes Real
Networks, Microsoft Windows Media, Apple QuickTime, MP3, and Flash.

N
name inputing—Allows a ProxySG to resolve host names based on a partial name
specification. When a host name is submitted to the DNS server, the DNS server
resolves the name to an IP address. If the host name cannot be resolved, Blue Coat
adds the first entry in the name-inputing list to the end of the host name and
resubmits it to the DNS server
native FTP—Native

FTP involves the client connecting (either explicitly or
transparently) using the FTP protocol; the ProxySG then connects upstream
through FTP (if necessary).

NCSA common log format—Blue

Coat products are compatible with this log type,
which contains only basic HTTP access information.

network address translation (NAT)—The process of translating private network (such
as intranet) IP addresses to Internet IP addresses and vice versa. This
methodology makes it possible to match private IP addresses to Internet IP
addresses even when the number of private addresses outnumbers the pool of
available Internet addresses.
non-cacheable objects—A number of objects are not cached by the ProxySG because
they are considered non-cacheable. You can add or delete the kinds of objects that
the appliance considers non-cacheable. Some of the non-cacheable request types
are:

• Pragma no-cache: requests that specify non-cached objects, such as when you
  click refresh in the Web browser.
• Password provided: requests that include a client password.
• Data in request: requests that include additional client data.
• Not a GET request.
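The following is an added example, not ProxySG code, that applies the four request types listed above to raw HTTP requests. The sample requests are constructed, and the mapping from the list to concrete request features is an assumption made here: "password provided" is taken to mean an Authorization or Proxy-Authorization header, "data in request" a non-empty message body, and Cache-Control: no-cache (the HTTP/1.1 form) is treated the same as Pragma: no-cache.

```javascript
// Added example (not ProxySG code): classifies a raw HTTP/1.x request against the
// non-cacheable request types listed above. Sample requests are constructed.
// Assumed mapping: "password provided" = Authorization/Proxy-Authorization header,
// "data in request" = non-empty body, Cache-Control: no-cache = Pragma: no-cache.

function parseRequest(raw) {
  const sepIndex = raw.indexOf("\r\n\r\n");
  const head = sepIndex === -1 ? raw : raw.slice(0, sepIndex);
  const body = sepIndex === -1 ? "" : raw.slice(sepIndex + 4);
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon === -1) continue; // tolerate a malformed header line
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { method, target, version, headers, body };
}

// Returns the reasons a request is non-cacheable; an empty array means none of
// the four rules above prevents serving it from cache.
function nonCacheableReasons(raw) {
  const req = parseRequest(raw);
  const reasons = [];
  const pragma = (req.headers["pragma"] || "").toLowerCase();
  const cacheControl = (req.headers["cache-control"] || "").toLowerCase();
  if (pragma.includes("no-cache") || cacheControl.includes("no-cache")) {
    reasons.push("pragma-no-cache");
  }
  if ("authorization" in req.headers || "proxy-authorization" in req.headers) {
    reasons.push("password-provided");
  }
  if (req.body.length > 0) {
    reasons.push("data-in-request");
  }
  if (req.method !== "GET") {
    reasons.push("not-a-get");
  }
  return reasons;
}

// Constructed sample requests.
const SAMPLES = {
  plainGet: "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
  refresh: "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nPragma: no-cache\r\n\r\n",
  authed: "GET /private HTTP/1.1\r\nHost: www.example.com\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n",
  post: "POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nuser=bob&",
};

for (const [label, raw] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(nonCacheableReasons(raw)));
}
```

The interesting case from a security standpoint is `authed`: the response to a request carrying credentials must not be cached and handed to a different client, which is why a credential header alone is enough to mark the request non-cacheable even though it is a plain GET with no body.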

.nsc file—Created from the multicast station definition and saved through the
browser as a text file encoded in a Microsoft proprietary format. Without an .nsc
file, the multicast station definition does not work.


NTP—To manage objects in an appliance, a ProxySG must know the current
Universal Time Coordinates (UTC) time. By default, the ProxySG attempts to
connect to a Network Time Protocol (NTP) server to acquire the UTC time. The
ProxySG includes a list of NTP servers available on the Internet, and attempts to
connect to them in the order they appear in the NTP server list on the NTP tab.

O
object (used in caching)—An object is the item that is stored in an appliance. These
objects can be frequently accessed content, content that has been placed there by
content publishers, or Web pages, among other things.

object (used in Visual Policy Manager)—An object (sometimes referred to as a
condition) is any collection or combination of entry types you can create
individually (user, group, IP address/subnet, and attribute). To be included in an
object, an item must already be created as an individual entry.

object pipelining—This patented algorithm opens as many simultaneous TCP
connections as the origin server will allow and retrieves objects in parallel. The
objects are then delivered from the appliance straight to the user's desktop as fast
as the browser can request them.

Online Certificate Status Protocol (OCSP)—An Internet protocol used for obtaining the
revocation status of an X.509 digital certificate. OCSP was created as an
alternative to certificate revocation lists (CRL), specifically addressing certain
problems associated with using CRLs in a public key infrastructure (PKI). OCSP
servers are called OCSP responders due to the request/response nature of these
messages.
origin content server (OCS)—Also called origin server. This is the original source of
the content that is being requested. An appliance needs the OCS to acquire data
the first time, to check that the content being served is still fresh, and to
authenticate users.

outbound traffic (bandwidth gain)—Network packets flowing out of the ProxySG.
Outbound traffic mainly consists of the following:

• Client outbound: Packets sent to the client in response to a Web request.
• Server outbound: Packets sent to an OCS or upstream proxy to request a
  service.

P
PAC (Proxy AutoConfiguration) scripts—Originally created by Netscape, PACs are a
way to avoid requiring proxy hosts and port numbers to be entered for every
protocol. You need only enter the URL. A PAC can be created with the needed
information and the local browser can be directed to the PAC for information
about proxy hosts and port numbers.
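The following is an added example, not from the original page, of the kind of PAC script the entry above describes. A browser's PAC engine normally supplies the helper functions (isPlainHostName, dnsDomainIs, isInNet); stand-ins for them are defined here so the script runs outside a browser. The proxy host and port, the domain names, and the DNS table are all assumed.

```javascript
// Added example (not from the original page): a PAC script with stand-ins for the
// helpers a browser's PAC engine provides. Proxy name/port, domains and the DNS
// table are assumed for the example.

// Constructed stand-in for the DNS resolution a browser performs inside isInNet.
const PAC_DNS = {
  "intranet.example.com": "10.1.2.3",
  "www.example.com": "203.0.113.10",
};

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);
}

// True when host (a dotted-quad literal, or a name resolved via PAC_DNS) lies in
// the network given by pattern/mask. Bitwise & coerces both sides to int32 alike.
function isInNet(host, pattern, mask) {
  const literal = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const ip = literal ? host : PAC_DNS[host];
  if (!ip) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// The function every PAC file must export; the browser calls it per request.
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }
  // Hosts on the private 10/8 network (literal or resolved) go direct too.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else is sent through the ProxySG (assumed name and port).
  return "PROXY proxysg.corp.example.com:8080";
}

console.log(FindProxyForURL("http://intranet/", "intranet"));
console.log(FindProxyForURL("http://www.example.com/", "www.example.com"));
```

Many PAC files end the last rule with "; DIRECT" so that browsing continues if the proxy is unreachable. That fallback also means every client silently bypasses the proxy, and therefore its policy, whenever the appliance is down, so leave it out where the proxy is enforcing access control rather than only accelerating traffic.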
packet capture (PCAP)—Allows filtering on various attributes of the Ethernet frame
to limit the amount of data collected. You can capture packets of Ethernet frames
going into or leaving a ProxySG.


parent class (bandwidth gain)—A class with at least one child. The parent class must
share its bandwidth with its child classes in proportion to the minimum/
maximum bandwidth values or priority levels.

passive mode data connections (PASV)—Data connections initiated by an FTP client to
an FTP server.

pipelining—See object pipelining.

policies—Groups of rules that let you manage Web access specific to the needs of
an enterprise. Policies enhance ProxySG feature areas such as authentication and
virus scanning, and let you control end-user Web access in your existing
infrastructure.

policy-based bypass list—Used in policy. Allows a bypass based on the properties of
the client, unlike static and dynamic bypass lists, which allow traffic to bypass the
appliance based on destination IP address. See also dynamic bypass.
policy layer—A collection of rules created using Blue Coat CPL or with the VPM.

pragma: no cache (PNC)—A header (Pragma: no-cache) in a client request that requires
the appliance to forward the request to the origin server instead of serving a
cached copy. This allows clients to always obtain a fresh copy.

proxy—Caches content, filters traffic, monitors Internet and intranet resource
usage, blocks specific Internet and intranet resources for individuals or groups,
and enhances the quality of Internet or intranet user experiences.
A proxy can also serve as an intermediary between a Web client and a Web server
and can require authentication to allow identity-based policy and logging for the
client.
The rules used to authenticate a client are based on the policies you create on the
ProxySG, which can reference an existing security infrastructure—LDAP,
RADIUS, IWA, and the like.

Proxy Edition—SGOS 5 Proxy Edition.

proxy service—The proxy service defines the ports, as well as other attributes, that
are used by the proxies associated with the service.
proxy service (default)—The default proxy service is a service that intercepts all
traffic not otherwise intercepted by other listeners. It only has one listener whose
action can be set to bypass or intercept. No new listeners can be added to the
default proxy service, and the default listener and service cannot be deleted.
Service attributes can be changed.
ProxySG—A Blue Coat security and cache box that can help manage security and
content on a network.

public key certificate—An electronic document that encapsulates the public key of
the certificate sender, identifies this sender, and aids the certificate receiver to
verify the identity of the certificate sender. A certificate is often considered valid if
it has been digitally signed by a well-known entity, which is called a Certificate
Authority (such as VeriSign).

public virtual IP (VIP)—Maps multiple servers to one IP address and then propagates
that information to the public DNS servers. Typically, there is a public VIP known
to the public Internet that routes the packets internally to the private VIP. This
enables you to “hide” your servers from the Internet.


R
real-time streaming protocol (RTSP)—A standard method of transferring audio and
video and other time-based media over Internet-technology based networks. The
protocol is used to stream clips to any RTP-based client.

reflect client IP attribute—Enables the sending of the client's IP address instead of the
SG's IP address to the upstream server. If you are using an application delivery
network (ADN), this setting is enforced on the concentrator proxy through the
Configuration > App. Delivery Network > Tunneling tab.
registration—An event that binds the appliance to an account, that is, it creates the
Serial#, Account association.

remote authentication dial-in user service (RADIUS)—Authenticates user identity via
passwords for network access.
Return to Sender (RTS)—A way of allowing outgoing TCP packets to use the same
network interface on which the corresponding incoming TCP packets arrived.
The destination Media Access Control (MAC) address for the outgoing packets is
the same as the source MAC address of the incoming packets. See also Media
Access Control (MAC) address.
reverse proxy—A proxy that acts as a front end to a small number of predefined
servers, typically to improve performance. Many clients can use it to access the
small number of predefined servers.
routing information protocol (RIP)—Designed to select the fastest route to a
destination. RIP support is built into ProxySG appliances.

router hops—The number of jumps a packet takes when traversing the Internet.

RTS—See Return to Sender.

S
secure shell (SSH)—Also known as Secure Socket Shell. SSH is an interface and
protocol that provides strong authentication and enables you to securely access a
remote computer. Three utilities—slogin, ssh, and scp—comprise SSH. SSH
authenticates the remote host by its public key and encrypts the entire session,
so passwords and commands never cross the network in the clear. Remember that
the Blue Coat ProxySG requires SSH1. A ProxySG supports a combined maximum
of 16 Telnet and SSH sessions.

serial console—A third-party device that can be connected to one or more Blue
Coat appliances. Once connected, you can access and configure the appliance
through the serial console, even when you cannot access the appliance directly.
server certificate categories—The hostname in a server certificate can be categorized
by BCWF or another content filtering vendor to fit into categories such as
banking, finance, sports.
server portals—Doorways that provide controlled access to a Web server or a
collection of Web servers. You can configure Blue Coat appliances to be server
portals by mapping a set of external URLs onto a set of internal URLs.


server-side transparency—The ability for the server to see client IP addresses, which
enables accurate client-access records to be kept. When server-side transparency
is enabled, the appliance retains client IP addresses for all port 80 traffic to and
from the ProxySG. In this scheme, the client IP address is always revealed to the
server.
service attributes—Define the parameters, such as explicit or transparent, cipher
suite, and certificate verification, that the ProxySG uses for a particular service.
sibling class (bandwidth gain)—A bandwidth class with the same parent class as
another class.
signed system image—Cryptographically signed with a key known only to Blue
Coat, and the signature is verified when the image is downloaded to the system.

simple network management protocol (SNMP)—The standard operations and
maintenance protocol for the Internet. It consists of a set of standards for network
management, including an application layer protocol, a database schema, and a
set of data objects. In SNMP, the available information is defined by management
information bases (MIBs), which describe the structure of the management data.
simulated live—Used in streaming. Defines playback of one or more video-on-demand
files as a scheduled live event, which begins at a specified time. The
content can be looped multiple times, or scheduled to start at multiple start times
throughout the day.

SmartReporter log type—A proprietary ELFF log type that is compatible with the
SmartFilter SmartReporter tool.

SOCKS—A proxy protocol for TCP/IP-based networking applications that allows
users transparent access across the firewall. If you are using a SOCKS server for
the primary or alternate forwarding gateway, you must specify the appliance’s ID
for the identification protocol used by the SOCKS gateway. The machine ID
should be configured to be the same as the appliance’s name.

SOCKS proxy—A generic way to proxy TCP and UDP protocols. The ProxySG
supports both SOCKSv4/4a and SOCKSv5; however, because of increased
username and password authentication capabilities and compression support,
Blue Coat recommends that you use SOCKS v5.
splash page—The custom message page that displays the first time you start the
client browser.
split proxy—Employs co-operative processing at the branch and the core to
implement functionality that is not possible in a standalone proxy. Examples of
split proxies include:

• MAPI Proxy
• SSL Proxy

SQUID-compatible format—A log type that was designed for cache statistics and is
compatible with Blue Coat products.
squid-native log format—The Squid-compatible format contains one line for each
request.
SSL authentication—Ensures that communication is with “trusted” sites only.
Requires a certificate issued by a trusted third party (Certificate Authority).


SSL client—See SSL device profile.

SSL device profile—Used to determine various SSL parameters for outgoing HTTPS
connections. Specifically, its role is to:

• Identify the SSL protocol version that the ProxySG uses in negotiations
  with origin servers.
• Identify the cipher suites used.
• Determine which certificate can be presented to origin servers by
  associating a keyring with the profile.

SSL interception—Decrypting SSL connections.

SSL proxy—A proxy that can be used for any SSL traffic (HTTPS or not), in either
forward or reverse proxy mode.
static route—A manually-configured route that specifies the transmission path a
packet must follow, based on the packet’s destination address. A static route
specifies a transmission path to another network.
statistics—Every Blue Coat appliance keeps statistics of the appliance hardware
and the objects it stores. You can review the general summary, the volume,
resources allocated, cache efficiency, cached contents, and custom URLs generated
by the appliance for various kinds of logs. You can also check the event viewer for
every event that occurred since the appliance booted.

stream—A flow of a single type of data, measured in kilobits per second (Kbps). A
stream could be the sound track to a music video, for example.
SurfControl log type—A proprietary log type that is compatible with the SurfControl
reporter tool. The SurfControl log format includes fully-qualified usernames
when an NTLM realm provides authentication. The simple name is used for all
other realm types.
syslog—An event-monitoring scheme that is especially popular in Unix
environments. Most clients using Syslog have multiple devices sending messages
to a single Syslog daemon. This allows viewing a single chronological event log of
all of the devices assigned to the Syslog daemon. The Syslog format is: “Date Time
Hostname Event.”
system cache—The software cache on the appliance. When you clear the cache, all
objects in the cache are set to expired. The objects are not immediately removed
from memory or disk, but a subsequent request for any object requested is
retrieved from the origin content server before it is served.

T
TCP window size—The number of bytes that can be buffered before the sending host
must wait for an acknowledgement from the receiving host.
time-to-live (TTL) value—Used in any situation where an expiration time is needed.
For example, you do not want authentication to last beyond the current session
and also want a failed command to time out instead of hanging the box forever.
traffic flow (bandwidth gain)—Also referred to as flow. A set of packets belonging to
the same TCP/UDP connection that terminate at, originate at, or flow through the
ProxySG. A single request from a client involves two separate connections. One of
them is from the client to the ProxySG, and the other is from the ProxySG to the
OCS. Within each of these connections, traffic flows in two directions—in one
direction, packets flow out of the ProxySG (outbound traffic), and in the other
direction, packets flow into the ProxySG (inbound traffic). Connections can come
from the client or the server. Thus, traffic can be classified into one of four types:

• Server inbound
• Server outbound
• Client inbound
• Client outbound

These four traffic flows represent each of the four combinations described above.
Each flow represents a single direction from a single connection.
transmission control protocol (TCP)—TCP, when used in conjunction with IP (Internet
Protocol), enables users to send data, in the form of message units called packets,
between computers over the Internet. TCP is responsible for tracking, handling,
and reassembling the packets; IP is responsible for packet delivery.
transparent proxy—A configuration in which traffic is redirected to the ProxySG
without the knowledge of the client browser. No configuration is required on the
browser, but network configuration, such as an L4 switch or a WCCP-compliant
router, is required.
trial period—Starting with the first boot, the trial period provides 60 days of free
operation. All features are enabled during this time.

U
unicast alias—Defines a name on the appliance for a streaming URL. When a
client requests the alias content on the appliance, the appliance uses the URL
specified in the unicast-alias command to request the content from the origin
streaming server.
universal time coordinates (UTC)—A ProxySG must know the current UTC time. By
default, the appliance attempts to connect to a Network Time Protocol (NTP)
server to acquire the UTC time. If the ProxySG cannot access any NTP servers,
you must manually set the UTC time.
URL filtering—See content filtering.

URL rewrite rules—Rewrite the URLs of client requests to acquire the streaming
content using the new URL. For example, when a client tries to access content on
www.mycompany.com, the ProxySG is actually receiving the content from the
server on 10.253.123.123. The client is unaware that mycompany.com is not
serving the content; however, the ProxySG access logs indicate the actual server
that provides the content.

W
WCCP—Web Cache Communication Protocol. Allows you to establish redirection
of the traffic that flows through routers.


Web FTP—Web FTP is used when a client connects in explicit mode using HTTP
and accesses an ftp:// URL. The ProxySG translates the HTTP request into an
FTP request for the OCS (if the content is not already cached), and then translates
the FTP response with the file contents into an HTTP response for the client.
Websense log type—A Blue Coat proprietary log type that is compatible with the
Websense reporter tool.

X
XML responder—HTTP XML service that runs on an external server.

XML requestor—XML realm.

Index

forwarding hosts and groups 22
proxy chaining support 21
secure connections 24
states 24

A
access logging, ICAP 93

B
Blue Coat Web Filter
about 16
configuring 16
custom time period 20
specifying a time period 20

C
content filtering
3rd party vendor
configuring 34
specifying a time period 41
Blue Coat Web Filter
configuring 16
example of category= 44
expired database, using 50
expired license, downloading a database with
50
IWF
automatic download 32
configuring 30
local database
configuring 26
policy with vendor categories 46
provider, selecting 13, 25
Websense on-box
configuring 39
content scanning
ICAP service 70
policy for 59

D
data trickling, about 64
deferred ICAP 68
Dynamic Categorization (DRTR)
about 16
configuring 21
enabling 23

F
FTP, content scanning 58

H
headers
request modification 61
response modification 60
HTTP, scanning HTTP objects 58
HTTPS, content scanning 58

I
ICAP
configuring Blue Coat SG for 70
data trickling 64
failover, about 69
feedback, configuring 76
health checks, managing 75
ISTags 63
patience pages, about 64
patience text, customizing 78
policy examples 84
replacing the server 93
request modification, about 61
response modification, about 60
sense settings 63
service, creating 70
infinite streaming issues 68
IWF
configuring 30
scheduling download 32
specifying a custom time period 32
updating 32

L
local database
configuring 26


specifying custom time period 28
updating 28

P
patience pages, about 64
plain ICAP 58
policy
content scanning 59
example, limit access to certain Web sites 47
example, limit access to specified time of day
47
vendor categories, using with 46
ProxySG
ICAP service configuration 70

R
request modification, about 61
response modification, about 60

S
Secure Computing 37
secure ICAP 58
SmartFilter
configuring 37
database editions 38
download 38

T
troubleshooting 103
access log error 104
cannot communicate with DRTR service 103
contacting support 105
health check failed 103
invalid DRTR service name 103
log error for requested URL 104
URL unavailable 104

V
virus scanning
advanced configurations 92
managing 92
replacing the ICAP server 93

W
Websense on-box
configuring 39
