Name: SG

Text: Volume 4: Web Communication Proxies

Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contact.html
[email protected]
http://www.bluecoat.com
For concerns or feedback about the documentation: [email protected]
Copyright© 1999-2007 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®,
Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate
Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document Number: 231-02840
Document Revision: SGOS 5.1.x—03/2007

ii

Contents
Contact Information
Chapter 1: Introduction
Document Conventions......................................................................................................................................7
Chapter 2: Managing Instant Messaging Protocols
About the Risks of Instant Messaging..............................................................................................................9
About the Blue Coat IM Proxies........................................................................................................................9
HTTP Proxy Support ...................................................................................................................................9
Instant Messaging Proxy Authentication .................................................................................................9
Access Logging ...........................................................................................................................................10
Managing Skype.........................................................................................................................................10
About Instant Message Network Interactivty...............................................................................................10
Recommended Deployments ...................................................................................................................10
About Instant Messaging Reflection .......................................................................................................11
Configuring SG Appliance IM Proxies...........................................................................................................13
Configuring IM Services ...........................................................................................................................14
Configuring IM DNS Redirection............................................................................................................17
The Default IM Hosts ................................................................................................................................18
Configuring Instant Messaging HTTP Handoff ....................................................................................18
Configuring IM Alerts ...............................................................................................................................18
Configuring IM Clients.....................................................................................................................................20
General Configuration...............................................................................................................................20
AOL Messenger Client Explicit Proxy Configuration ..........................................................................20
MSN Messenger Client Explicit Proxy Configuration..........................................................................21
Yahoo Messenger Client Explicit Proxy Configuration........................................................................22
Policy Examples.................................................................................................................................................23
Example 1: File Transfer............................................................................................................................24
Example 2: Send an IM Alert Message....................................................................................................26
Reference: Equivalent IM CLI Commands ....................................................................................................27
Reference: Access Log Fields ...........................................................................................................................28
Reference: CPL Triggers, Properties, and Actions .......................................................................................28
Triggers........................................................................................................................................................29
Properties and Actions ..............................................................................................................................29
IM History Statistics..........................................................................................................................................29
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
About Streaming Media ...................................................................................................................................34
Supported Streaming Media Clients and Protocols .....................................................................................34

iii

Volume 4: Web Communication Proxies

Supported Streaming Media Clients and Servers ................................................................................. 34
Supported Streaming Protocols ............................................................................................................... 35
About Processing Streaming Media Content................................................................................................ 37
Delivery Methods ...................................................................................................................................... 37
Serving Content: Live Unicast ................................................................................................................. 37
Serving Content: Video-on-Demand Unicast ........................................................................................ 37
Serving Content: Multicast Streaming.................................................................................................... 38
About HTTP Handoff................................................................................................................................ 39
Limiting Bandwidth .................................................................................................................................. 39
Caching Behavior: Protocol Specific ....................................................................................................... 40
Caching Behavior: Video on Demand .................................................................................................... 41
Caching Behavior: Live Splitting ............................................................................................................. 41
Multiple Bit Rate Support......................................................................................................................... 41
BitrateThinning .......................................................................................................................................... 42
Pre-Populating Content ............................................................................................................................ 42
About Fast Streaming (Windows Media)............................................................................................... 42
About Streaming Media Authentication ....................................................................................................... 42
Windows Media Server-Side Authentication ........................................................................................ 43
Windows Media Proxy Authentication.................................................................................................. 43
Real Media Proxy Authentication ........................................................................................................... 44
QuickTime Proxy Authentication ........................................................................................................... 44
Section B: Configuring Streaming Media
Configuring Streaming Services ..................................................................................................................... 45
Configuring Streaming Proxies....................................................................................................................... 48
Limiting Bandwidth ......................................................................................................................................... 49
Configuring Bandwidth Limits—Global................................................................................................ 49
Configuring Bandwidth Limits—Protocol-Specific.............................................................................. 50
Configuring Bandwidth Limitation—Fast Start (WM) ........................................................................ 51
Configuring the SG Appliance Multicast Network ..................................................................................... 51
Configuring Media Server Authentication Type (Windows Media) ........................................................ 52
Related CLI Syntax to Manage Streaming..................................................................................................... 52
Reference: Access Log Fields........................................................................................................................... 53
Reference: CPL Triggers, Properties, and Actions ....................................................................................... 54
Triggers........................................................................................................................................................ 54
Properties and Actions .............................................................................................................................. 54
Streaming History Statistics ............................................................................................................................ 54
Viewing Windows Media Statistics ........................................................................................................ 54
Viewing Real Media Statistics.................................................................................................................. 55
Viewing QuickTime Statistics .................................................................................................................. 56
Viewing Current and Total Streaming Data Statistics ......................................................................... 56
Section C: Additional Configuration Tasks—Windows Media (CLI)
Managing Multicast Streaming for Windows Media .................................................................................. 58
About Multicast Stations .......................................................................................................................... 58

iv

Contents

About Broadcast Aliases ........................................................................................................................... 59
Creating a Multicast Station ..................................................................................................................... 59
Monitoring the Multicast Station............................................................................................................. 61
Managing Simulated Live Content (Windows Media) ............................................................................... 61
About Simulated Live Content ................................................................................................................ 62
Creating a Broadcast Alias for Simulated Live Content ...................................................................... 62
ASX Rewriting (Windows Media).................................................................................................................. 63
About ASX Rewrite ................................................................................................................................... 64
Section D: Windows Media Player
Configuring Windows Media Player ............................................................................................................. 67
Windows Media Player Interactivity Notes.................................................................................................. 68
Striding ........................................................................................................................................................ 68
Other Notes................................................................................................................................................. 68
Section E: RealPlayer
Configuring RealPlayer.................................................................................................................................... 70
Section F: QuickTime Player
Configuring QuickTime Player....................................................................................................................... 74
Appendix A: Glossary
Index

v

Volume 4: Web Communication Proxies

vi

Chapter 1: Introduction

A proxy filters traffic, monitors Internet and intranet resource usage, blocks or allows
specific Internet and intranet resources for individuals or groups, and enhances the
quality of Internet or intranet user experiences.
The Blue Coat SG appliance Instant Messaging (IM) proxies allow you to control, track,
and record communications that occur over AOL, MSN, or Yahoo IM clients on your
corporate networks. The Streaming proxies allow you to alter allowed bandwidth and
manage the broadcasts of streaming content over Microsoft and RealNetworks (with
limited support for Apple) protocols.
This document contains the following chapters:


Chapter 2: "Managing Instant Messaging Protocols" on page 9



Chapter 3: "Managing Streaming Media" on page 33

Document Conventions
The following section lists the typographical and Command Line Interface (CLI) syntax
conventions used in this manual.
Table 1-1. Document Conventions
Conventions

Definition

Italics

The first use of a new or Blue Coat-proprietary term.

Courier font

Command line text that appears on your administrator workstation.

Courier Italics

A command line variable that is to be substituted with a literal name or
value pertaining to the appropriate facet of your network system.

Courier Boldface

A Blue Coat literal to be entered as shown.

{}

One of the parameters enclosed within the braces must be supplied

[]

An optional parameter or parameters.

|

Either the parameter before or after the pipe character can or must be
selected, but not both.

7

Volume 4: Web Communication Proxies

8

Chapter 2: Managing Instant Messaging Protocols

This chapter discusses how to control Instant Messaging (IM) activity through the SG
appliance.

About the Risks of Instant Messaging
Instant Messaging use in an enterprise environment creates security concerns because
regardless of how network security is configured, IM connections can occur from any
established protocol, such as HTTP or SOCKS, on any open port. Because it is common
for coworkers to use IM to communicate, especially in remote offices, classified
company information can be exposed outside the network. Viruses and other malicious
code can also be introduced into the network from file sharing through IM clients.

About the Blue Coat IM Proxies
The SG appliance serves as an IM proxy. With policy, you can control IM actions by
allowing or denying IM communications and file sharing based on users (both
employee identities and IM handles), groups, file types and names, and other triggers.
All IM communications can be logged and archived for review.
The SG appliance supports the AOL, MSN, and Yahoo IM client protocols. For the most
current list of supported client versions, refer to the most current Release Notes for this
release.

HTTP Proxy Support
The SG appliance supports instant messaging through the HTTP proxy. IM clients are
configured to connect to IM services through HTTP, which allows IM activity from
behind restrictive firewalls.
The application of policies and IM activity logging is accomplished by the HTTP proxy
handing off IM communications to the IM proxy.
Notes


AOL and Yahoo clients lose certain features when connected through HTTP proxy
rather than through SOCKS or transparent connections:



AOL—Direct connections, file transfers, and files sharing are not available.



Yahoo—Client cannot create a chat room.

Instant Messaging Proxy Authentication
The SG appliance supports explicit proxy authentication if explicit SOCKS V5 proxy is
specified in the IM client configuration.
Because the IM protocols do not natively support proxy authentication, authentication
for transparently redirected clients is not supported because policies requiring
authentication would deny transparently redirected clients.

9

Volume 4: Web Communication Proxies

Notes
Consider the following proxy authentication notes, which apply to IM clients using HTTP
proxy:


AOL IM—Proxy authentication is supported.



MSN IM (5.0 and above)—Although the MSN IM client supports user credentials, it
cannot respond to HTTP proxy authentication requests from the SG appliance and the
MSN passport service login fails. You can, however, add policy to pass-through the
traffic to the MSN passport.com site without requiring authentication.



Yahoo IM—Yahoo IM clients do not have proxy authentication configuration abilities.

Access Logging
Access log entries occur from various IM actions, such as logging on or joining a chat
room. By default, the SG appliance uses the Blue Coat IM access log format:
date time c-ip cs-username cs-auth-group cs-protocol x-im-method x-imuser-id x-im-user-name x-im-user-state x-im-client-info x-im-buddy-id
x-im-buddy-name x-im-buddy-state x-im-chat-room-id x-im-chat-room-type
x-im-chat-room-members x-im-message-text x-im-message-size x-immessage-route x-im-message-type x-im-file-path x-im-file-size s-action

For a reference list and descriptions of used log fields, see “Reference: Access Log Fields”
on page 28.

Managing Skype
Skype is the most used IM service outside of the United States. It provides free PC-to-PC
calling using VoIP. Skype communication is based on Peer-to-Peer technology. Managing
Skype communications requires the creation of firewall and SG appliance policies,
procedures that are outside the scope of this chapter.
See the Blue Coat Controlling Skype Technical Brief, available on the Blue Coat Website
Download page.

About Instant Message Network Interactivty
This section discusses IM deployment and describes IM reflection, which is how the SG
appliance policy dictates IM communications.

Recommended Deployments
Blue Coat recommends the following deployments:


For large networks with unimpeded Internet access, Blue Coat recommends
transparently redirecting the IM protocols to the SG appliance, which requires the SG
appliance bridging feature or an L4 switch or WCCP.



For networks that do not allow outbound access, Blue Coat recommends using the
SOCKS proxy and configuring policy and content filtering denials for HTTP requests
to IM servers.

10

Volume 4: Web Communication Proxies

Configuring IM Services
By default (upon upgrade and on new systems), the SG appliance has IM services
configured for transparent connections on the following ports:


AOL-IM: 5190



MSN-IM: 1863 and 6891



Yahoo-IM: 5050 and 5101

Notes:


MSN port 1863 and Yahoo port 5050 are the default client login ports. MSN port 6891
and Yahoo port 5101 are the default for client-to-client direct connections and file
transfers. If these ports are not enabled:



Client-to-client direct connections do not occur.



After a file transfer request is allowed by the SG appliance, the resulting data is sent
directly from one client to another without passing through the SG appliance:


For MSN: The above bullet point only applies to MSN version previous to and
including 6.0. Post-6.0 versions use a dynamic port for file transfers; therefore,
port 6891 is not required for the SG appliance to intercept file transfers.



For Yahoo: The above bullet only applies to standard file transfer requests. Port
5101 must be enabled to allow file list requests.

Note: All file transfers for AOL clients are handled through the default (5190) or
specified client login port.

By default, these services are configured be Transparent and in Bypass mode. The
following procedure describes how to change them to Intercept mode, and explains other
attributes within the service.
To configure the IM proxies services attributes:
1.

From the Management Console, select Configuration > Services > Proxy Services.

14

Volume 4: Web Communication Proxies

SG appliance IM proxy configuration is complete. The final step is to configure IM clients
to send traffic to the SG appliance.

Configuring IM Clients
This section describes how to configure the IM clients to send traffic through the SG
appliance.

General Configuration
As each IM client has different menu structures, the procedures to configure them differ.
This section provides the generic tasks that need to be completed.

Explicit Proxy
Perform the following tasks on the IM client:
1.

Navigate to the Connection Preferences dialog.

2.

Select Use Proxies.

3.

Select proxy type as SOCKS V5.

4.

Enter the SG appliance IP address.

5.

Enter the SOCKS port number; the default is 1080.

6.

Enter authentication information, if required.

Transparent Proxy
IM clients do not require any configuration changes for transparent proxy. An L4 switch
or inline SG appliance routes the traffic.

AOL Messenger Client Explicit Proxy Configuration
The following example configures a Yahoo Messenger client for explicit proxy.
Note: This example uses AOL Messenger 5.9. Other versions might vary.

1.

Select My AIM > Edit Options > Edit Preferences.

20

Volume 4: Web Communication Proxies

SGOS#(config proxy-services) create {aol-im | msn-im | yahoo-im}
service_name


The following submodes are available:
SGOS#(config proxy-services) edit service-name
SGOS#(config service-name) add all | ip_address | ip_address/subnetmask} {port | first_port-last_port} [intercept | bypass]
SGOS#(config service-name) attribute reflect-client-ip {enable |
disable}
SGOS#(config service-name) bypass all | ip_address | ip_address/
subnet-mask} {port | first_port-last_port}
SGOS#(config service-name) exit
SGOS#(config service-name) intercept all | ip_address | ip_address/
subnet-mask} {port | first_port-last_port}
SGOS#(config service-name) remove all | ip_address | ip_address/
subnet-mask} {port | first_port-last_port}
SGOS#(config service-name) view

Reference: Access Log Fields
The default Blue Coat IM fields are (only IM-specific or relative are listed and described):


cs-protocol: Protocol used in the client's request.



x-im-method: The method associated with the instant message.



x-im-user-id: Instant messaging user identifier.



x-im-user-name: Display name of the client.



x-im-user-state: Instant messaging user state.



x-im-client-info: The instant messaging client information.



x-im-buddy-id: Instant messaging buddy ID.



x-im-buddy-name: Instant messaging buddy display name.



x-im-buddy-state: Instant messaging buddy state



x-im-chat-room-id: Instant messaging identifier of the chat room in use.



x-im-chat-room-type: The chat room type, one of public or public, and possibly
invite_only, voice and/or conference.



x-im-chat-room-members: The list of chat room member IDs.



x-im-message-text: Text of the instant message.



x-im-message-size: Length of the instant message (in...?)



x-im-message-route: The route of the instance message.



x-im-message-type: The type of the instant message (such as...?)



x-im-file-path: Path of the file associated with an instant message.



x-im-file-size: Size of the file (in...?) associated with an instant message.

Reference: CPL Triggers, Properties, and Actions
The following Blue Coat CPL is supported for IM:

28

Chapter 2: Managing Instant Messaging Protocols

Triggers


im.buddy=



im.chat_room.conference=



im.chat_room.id=



im.chat_room.invite_only=



im.chat_room.type=



im.chat_room.member=



im.chat_room.voice_enabled=



im.client=



im.file.extension=



im.file.name=



im.file.path=



im.file.size=



im.message.opcode=



im.message.reflected=



im.message.route=



im.message.size=



im.message.text=



im.message.type=



im.method=



im.user_agent=



im.user_id=

Properties and Actions


im.block_encryptions()



im.reflect()



im.strip_attachments()



im.transport()



im.altert()

IM History Statistics
The IM statistics allow you to track IM connections, file transfers, and messages that are
currently in use and in total, or have been allowed and denied. The information can be
displayed for each IM client type or combined.

IM Connection Data Tab
The following IM Connection Data statistics indicate current and overall connection data
since the last statistics clear:


Native Clients—The number of native IM clients connected.



HTTP Clients—The number of HTTP IM clients connected.



Chat Sessions—The number of IM chats occurring.

29

Chapter 3: Managing Streaming Media

This chapter contains the following sections:


"Section A: Concepts: Streaming Media"—Provides streaming media terminology
and Blue Coat streaming solution concepts.



"Section B: Configuring Streaming Media"—Provides feature-related concepts and
procedures for configuring the SG to manage streaming media applications and
bandwidth.



"Section D: Windows Media Player"—Describes how to configure the Windows
Media client and describes associated interactivities and access log conventions.



"Section E: RealPlayer"—Describes how to configure the Real Media client and
describes associated interactivities and access log conventions.



"Section F: QuickTime Player"—Describes how to configure the QuickTime client
and describes associated interactivities and access log conventions.

33

Volume 4: Web Communication Proxies
Section A: Concepts: Streaming Media

Section A: Concepts: Streaming Media
This section contains the following topics:


"About Streaming Media" on page 34



"Supported Streaming Media Clients and Protocols" on page 34



"About Processing Streaming Media Content" on page 37



"About Streaming Media Authentication" on page 42

About Streaming Media
Streaming is a method of content delivery. With media streaming, video and audio are
delivered over the Internet rather than the user having to wait for an entire file to be
downloaded before it can be played.
Streaming media support on the SG appliance provides the following features:


Streaming media files can be live or prerecorded.



Employs flexible delivery methods: unicast, multicast, HTTP, TCP, and UDP.



Ability to seek, fast-forward, reverse, and pause.



Ability to play entire file and control media playback, even before it is downloaded.



Adjust media delivery to available bandwidth, including multi-bit-rate and thinning
support.

Supported Streaming Media Clients and Protocols
This section describes the vendor-specific streaming protocols supported by the SG
appliance.

Supported Streaming Media Clients and Servers
The SG appliance supports Microsoft Windows Media, RealNetworks RealPlayer, and
Apple QuickTime; however, the various players might experience unexpected behavior
dependent upon certain SGOS configurations and features. Feature sections list such
interactivities, as necessary. For a list of the most current versions of each supported client,
refer to the Blue Coat SGOS Release Notes for this release.

Supported Windows Media Players and Servers
The SG appliance supports the following versions and formats:


Windows Media Player



Windows Media Server

Supported Real Media Players and Servers
The SG appliance supports the following versions:


RealOne Player



RealPlayer



RealServer

34

Chapter 3: Managing Streaming Media

Section A: Concepts: Streaming Media


Helix Universal Server
Note: Blue Coat does not recommend deploying a Helix proxy between the SG
appliance and a Helix server where the Helix proxy is the parent to the SG appliance.
This causes errors with the Helix server. The reverse is acceptable (using a Helix
proxy as a child to the SG appliance).

Supported QuickTime Players and Servers
The SG appliance supports the following versions, but in pass-through mode only:


QuickTime Player



Darwin Streaming Server



Helix Universal Server

Supported Streaming Protocols
Each streaming media platform supports their own set of protocols. This section describes
the protocols the SG appliance supports.

Windows Media Protocols
The SG appliance supports the following protocols:


MMS-UDP (Microsoft Media Streaming—User Data Protocol)



MMS-TCP (Microsoft Media Streaming—Transmission Control Protocol)



HTTP streaming.



All protocols between the client and the SG appliance for video-on-demand and live
unicast content.



MMS-TCP and HTTP streaming between the SG appliance and origin server for
video-on-demand and live unicast content.



Multicast-UDP is the only delivery protocol supported for multicast. No TCP control
connection exists for multicast delivery.

The following briefly describes each of the supported delivery protocols:


MMS-UDP—UDP provides the most efficient network throughput from server to
client. The disadvantage to UDP is that many network administrators close their
firewalls to UDP traffic, limiting the potential audience for Multicast-UDP-based
streams.
The Windows Media Player attempts to connect in the following order:


Multicast session. Multicast-UDP uses a TCP connection for control messages and
UDP for streaming data. TCP provides packet receipt acknowledgement back to
the sender. This insures control message delivery.



MMS-TCP session. If an MMS-UDP session cannot be established, the client falls
back to MMS-TCP automatically.

The SG appliance then establishes a connection to the origin server running the
Microsoft Windows Media service.

35

Volume 4: Web Communication Proxies
Section A: Concepts: Streaming Media


MMS-TCP—TCP provides a reliable protocol for delivering streaming media content
from a server to a client. At the expense of less efficiency compared to MMS-UDP data
transfer, MMS-TCP provides a reliable method for streaming content from the origin
server to the SG appliance.
Note: The MMS protocol is usually referred to as either MMS-TCP or MMS-UDP
depending on whether TCP or UDP is used as the transport layer for sending
streaming data packets. MMS-UDP uses a TCP connection for sending and receiving
media control messages, and a UDP connection for streaming the actual media data.
MMS-TCP uses TCP connections to send both control and data messages.



HTTP Streaming—The Windows Media server also supports HTTP-based media
control commands along with TCP-based streaming data delivery. This combination
has the benefit of working with all firewalls that let only Web traffic through (port 80).

Depending on the configuration, if MMS-UDP is used between the SG appliance and the
client, the appliance can use MMS-TCP, HTTP, or multicast-UDP as the connection to the
media server. No protocol relationship exists between the SG appliance and the media
server, or between the SG appliance and the client.

Real Media Protocols
The SG appliance supports the following Real Media protocols:
Client-Side


RDT over unicast UDP (RTSP over TCP, RDT over unicast UDP)



Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection)



RDT over multicast UDP (RTSP over TCP, RDT over multicast UDP; for live content
only)



HTTP streaming (RTSP and RDT over TCP tunneled through HTTP)—HTTP
streaming is supported through a handoff process from HTTP to RTSP. HTTP accepts
the connection and, based on the headers, hands off to RTSP. The headers identify an
RTSP URL.

Server-Side


Interleaved RTSP



HTTP streaming

Unsupported Protocols
The following Real Media protocols are not supported in this version of SGOS:


PNA.



Server-side RDT/UDP (both unicast and multicast).

QuickTime Protocols
The SG appliance supports the following protocols:


RTP over unicast UDP (RTSP over TCP, RDT over unicast UDP)



Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection)

36

Chapter 3: Managing Streaming Media

Section A: Concepts: Streaming Media


HTTP streaming (RTSP and RDT over TCP tunneled through HTTP)—HTTP
streaming is supported through a handoff process from HTTP to RTSP. HTTP accepts
the connection and, based on the headers, hands off to RTSP. The headers identify an
RTSP URL.

Server-Side


Interleaved RTSP



HTTP streaming

Unsupported Protocols
The following QuickTime protocols are not supported in this version of SGOS:


Server-side RTP/UDP, both unicast and multicast, is not supported.



Client-side multicast is not supported.

About Processing Streaming Media Content
The following sections describe how the SG appliance processes, stores, and serves
streaming media requests. Using the SG appliance for streaming delivery minimizes
bandwidth use by allowing the SG appliance to handle the broadcast and allows for
policy enforcement over streaming use. The delivery method depends on if the content is
live or video-on-demand.

Delivery Methods
The SG appliance supports the following streaming delivery methods:


Unicast—A one-to-one transmission, where each client connects individually to the
source, and a separate copy of data is delivered from the source to each client that
requests it. Unicast supports both TCP- and UDP-based protocols. The majority of
streaming media traffic on the Internet is unicast.



Multicast—Allows efficient delivery of streaming content to a large number of users.
Multicast enables hundreds or thousands of clients to play a single stream, thus
minimizing bandwidth use.

The SG appliance provides caching, splitting, and multicast functionality.

Serving Content: Live Unicast
An SG appliance can serve many clients through one unicast connection by receiving the
content from the origin server and then splitting that stream to the clients that request it.
This method saves server-side bandwidth and reduces the server load. You cannot pause
or rewind live broadcasts. A live broadcast can be of prerecorded content. A common
example is a company president making a speech to all employees.

Serving Content: Video-on-Demand Unicast
An SG appliance can store frequently requested data and distribute it upon client
requests. Because the SG appliance is closer to the client than the origin server, the data is
served locally, which saves firewall bandwidth and increases quality of service by
reducing pauses or buffering during playback. The SG appliance provides higher quality

37

Volume 4: Web Communication Proxies
Section A: Concepts: Streaming Media
streams (also dependent on the client connection rate) than the origin server because of its
closer proximity to the end user. VOD content can be paused, rewound, and played back.
Common examples include training videos or news broadcasts.

Serving Content: Multicast Streaming
This section describes multicast streaming and how to configure the SG appliance to
manage multicast broadcasts.

About Multicast Content
The SG appliance can take a unicast stream from the OCS and deliver it as a multicast
broadcast. This enables the SG appliance to take a one-to-one stream and split it into a
one-to-many stream, saving bandwidth and reducing the server load. It also produces a
higher quality broadcast.
For Windows Media multicast, an NSC file is downloaded through HTTP to acquire the
control information required to set up content delivery.
For Real Media and QuickTime (through RTSP), multicasting maintains a TCP control
(accounting) channel between the client and media server. The multicast data stream is
broadcast using UDP from the SG appliance to streaming clients, who join the multicast.

About Serving Multicast Content
The SG appliance takes a multicast stream from the origin server and delivers it as a
unicast stream. This avoids the main disadvantage of multicasting—that all of the routers
on the network must be multicast-enabled to accept a multicast stream. Unicast-tomulticast, multicast-to-multicast, and broadcast alias-(scheduled live from stored
content)-to-multicast are also supported.

Multicast to Unicast Live Conversion at the SG Appliance
The SG appliance supports converting multicast streams from an origin content server to
unicast streams. The stream at the SG appliance is given the appropriate unicast headers
to allow the appliance to direct one copy of the content to each user on the network.
Multicast streaming only uses UDP protocol and does not know about the control
channel, which transfers essential file information. The .nsc file (a file created off-line that
contains this essential information) is retrieved at the beginning of a multicast session
from an HTTP server. The multicast-alias command specifies an alias to the URL to
receive this .nsc file.
The converted unicast stream can use any of the protocols supported by Windows Media
and Real Media, including HTTP streaming.
When a client requests the alias content, the SG uses the URL specified in the multicastalias command to fetch the .nsc file from the HTTP server. The .nsc file contains all of
the multicast-related information, such as addresses and .asf file header information that
is normally exchanged through the control connection for unicast-delivered content.
Note: For Windows Media steaming clients, additional multicast information is provided
in “ Managing Multicast Streaming for Windows Media” on page 58.

38

Chapter 3: Managing Streaming Media

Section A: Concepts: Streaming Media

About HTTP Handoff
When a Windows Media, Real Media, or QuickTime client requests a stream from the SG
appliance over port 80, which in common deployments is the only port allowing traffic
through a firewall, the HTTP module passes control to the streaming module so HTTP
streaming can be supported through the HTTP proxy port.

Limiting Bandwidth
The following sections describe bandwidth limitation and how to configure the SG to
limit global and protocol-specific media bandwidth.
Streaming media bandwidth management is achieved by configuring the SG appliance to
restrict the total number of bits per second the appliance receives from the origin media
servers and delivers to clients. The configuration options are flexible to allow you to
configure streaming bandwidth limits for the SG appliance, as well as for each streaming
protocol (Windows Media, Real Media, and QuickTime).
Note: Bandwidth claimed by HTTP, non-streaming protocols, and network infrastructure
is not constrained by this limit. Transient bursts that occur on the network can exceed the
hard limits established by the bandwidth limit options.

After it has been configured, the SG appliance limits streaming access to the specified
threshold. If a client tries to make a request after a limit has been reached, the client
receives an error message.
Note: If a maximum bandwidth limitation has been specified for the SG appliance, the
following condition can occur. If a Real Media client, followed by a Windows Media
client, requests streams through the same SG appliance and total bandwidth exceeds the
maximum allowance, the Real Media client enters the rebuffering state. The Windows
Media client continues to stream.

Consider the following features when planning to limit streaming media bandwidth:


SG appliance to server (all protocols)—The total kilobits per second allowed between
the appliance and any origin content server or upstream proxy for all streaming
protocols. Setting this option to 0 effectively prevents the SG appliance from initiating
any connections to the media server. The SG appliance supports partial caching in
that no bandwidth is consumed if portions of the media content are stored in the SG
appliance.



Client to SG appliance (all protocols)—The total kilobits per second allowed between
streaming clients and the SG. Setting this option to 0 effectively prevents any
streaming clients from initiating connections through the SG appliance.



SG appliance to server—The total kilobits per second allowed between the Appliance
and the media server. Setting this option to 0 effectively prevents the SG appliance
from accepting media content.
Limiting SG appliance bandwidth restricts the following streaming media-related
functions:


Live and video-on-demand media, the sum of all bit rates



Limits the ability to fetch new data for an object that is partially cached

39

Volume 4: Web Communication Proxies
Section A: Concepts: Streaming Media



Reception of multicast streams

Client to SG appliance—The total kilobits per second allowed between Windows
Media streaming media clients and the SG appliance. Setting this option to 0
effectively prevents streaming clients from making connections to the SG appliance.
Limiting server bandwidth restricts the following streaming media-related functions:





MBR is supported; the SG appliance assumes the client is using the maximum bit
rate



Limits the transmission of multicast streams

Client connections—The total number of clients that can connect concurrently. When
this limit is reached, clients attempting to connect receive an error message and are
not allowed to connect until other clients disconnect. Setting this variable to 0
effectively prevents any streaming media clients from connecting.

Selecting a Method to Limit Streaming Bandwidth
You can control streaming bandwidth using two different methods: you can use the
streaming features described in “Limiting Bandwidth” on page 39, or you can use the
bandwidth management features described in Volume 6: Advanced Networking. Do not,
however, use both methods to control streaming bandwidth. The way that each method
controls bandwidth differs—read the information below to decide which method best
suits your deployment requirements.
Limiting streaming bandwidth using the streaming features (described in this chapter)
works this way: if a new stream comes in that pushes above the specified bandwidth limit,
that new stream is denied. This allows existing streams to continue to get the same level of
quality they currently receive.
Limiting streaming bandwidth using the bandwidth management features works this
way: all streaming traffic for which you have configured a bandwidth limit shares that
limit. If a new stream comes in that pushes above the specified bandwidth limit, that
stream is allowed, and the amount of bandwidth available for existing streams is reduced.
This causes streaming players to drop to a lower bandwidth version of the stream. If a
lower bandwidth version of the stream is not available, players that are not receiving
enough bandwidth can behave in an unpredictable fashion. In other words, if the amount
of bandwidth is insufficient to service all of the streams, some or all of the media players
experience a reduction in stream quality.
For most circumstances, Blue Coat recommends that you use the streaming features to
control streaming bandwidth rather than the bandwidth management features.

Caching Behavior: Protocol Specific
This section describes what is cached for each supported protocol.

Windows Media
The SG appliance caches Windows Media-encoded video and audio files. The standard
extensions for these file types are: .wmv, .wma, and .asf.

40

Chapter 3: Managing Streaming Media

Section A: Concepts: Streaming Media

Real Media
The SG appliance caches Real Media-encoded files, such as RealVideo and RealAudio.
The standard extensions for these file types are: .ra, .rm, and .rmvb. Other content served
from a Real Media server through RTSP is also supported, but it is not cached. This
content is served in pass-through mode only.

QuickTime
The SG appliance does not cache QuickTime content (.mov files). All QuickTime content is
served in pass-through mode only.

Caching Behavior: Video on Demand
The SG appliance supports the caching of files for VOD streaming. First, the client
connects to the SG appliance, which in turn connects to the origin server and pulls the
content, storing it locally. Subsequent requests are served from the SG appliance. This
provides bandwidth savings, as every hit to the SG appliance means less network traffic.
Blue Coat also supports partial caching of streams
.

Note: On-demand files must be unicast.

Caching Behavior: Live Splitting
The SG appliance supports splitting of live content, but behavior varies depending upon
the media type.
For live streams, the SG appliance can split streams for clients that request the same
stream. First, the client connects to the SG appliance, which then connects to the origin
server and requests the live stream. Subsequent requests are split from the appliance.
Two streams are considered identical by the SG appliance if they share the following
characteristics:


The stream is a live or broadcast stream.



The URL of the stream requested by client is identical.



MMS, MMSU, MMST, and HTTP are considered as identical.

Note: If the URL is composed of hostnames instead of IP addresses, splitting does not

occur across WMP 7.0 clients.
Splitting of live unicast streams provides bandwidth savings, since subsequent requests
do not increase network traffic.

Multiple Bit Rate Support
The SG appliance supports multiple bit rate (MBR), which is the capability of a single
stream to deliver multiple bit rates to clients requesting content from caches from within
varying levels of network conditions (such as different connecting bandwidths and
traffic). This allows the SG appliance and the client to negotiate the optimal stream quality
for the available bandwidth even when the network conditions are bad. MBR increases
client-side streaming quality, especially when the requested content is not cached.

41

Volume 4: Web Communication Proxies
Section A: Concepts: Streaming Media
Only the requested bitrate is cached. Therefore, a media client that requests a 50Kbps
stream receives that stream, and the SG appliance caches only the 50Kbps bitrate content.

BitrateThinning
Thinning support is closely related to MBR, but different in that thinning allows for data
rate optimizations even for single data-rate media files. If the media client detects that
there is network congestion, it requests a subset of the single data rate stream. For
example, depending on how congested the network is, the client requests only the key
video frames or audio-only instead of the complete video stream.

Pre-Populating Content
The SG appliance supports pre-population of streaming files (QuickTime content is not
supported) from HTTP servers and origin content servers. Downloading streaming files
from HTTP servers reduces the time required to pre-populate the file. With previous
SGOS versions, pre-population was accomplished through streaming from the media
server. The required download time was equivalent to the file length; for example, a twohour movie required two hours to download. With the pre-population content
management feature, if the media file is hosted on a HTTP server, the download time
occurs at normal transfer speeds of an HTTP object, and is independent of the play length
of the media file.
Note: Content must be hosted on a HTTP server in addition to the media server.

Using the content distribute CLI command, content is downloaded from the HTTP
server and renamed with a given URL argument. A client requesting the content perceives
that the file originated from a media server. If the file on the origin media server
experiences changes (such as naming convention), SGOS bypasses the cached mirrored
version and fetches the updated version.

About Fast Streaming (Windows Media)
Note: This feature applies to Windows Media only.

Windows Media Server version 9 contains a feature called Fast Streaming that allows
clients to provide streams with extremely low buffering time.
SGOS 4.x supports the following functionality for both cached and uncached content:


Fast Start



Fast Cache

Fast Recovery and Fast Reconnect are currently not supported.

About Streaming Media Authentication
The following sections discuss authentication between streaming media clients and SG
appliance appliances and between SG appliance appliances and origin content servers
(OCS).

42

Chapter 3: Managing Streaming Media

Section A: Concepts: Streaming Media

Windows Media Server-Side Authentication
Windows Media server authentication for HTTP and MMS supports the following
authentication types:


HTTP—BASIC Authentication and Membership Service Account



HTTP—BASIC Authentication and Microsoft Windows Integrated Windows
Authentication (IWA) Account Database



IWA Authentication and IWA Account Database

The SG appliance supports the caching and live-splitting of server-authenticated data. The
functionality is also integrated with partial caching functionality so that multiple security
challenges are not issued to the Windows Media Player when it accesses different portions
of the same media file.
When Windows Media content on the server is accessed for the first time, the SG
appliance caches the content along with the authentication type enabled on the server. The
cached authentication type remains until the appliance learns that the server has changed
the enabled authentication type, either through cache coherency (checking to be sure the
cached contents reflect the original source) or until the SG appliance connects to the origin
server (to verify access credentials).
Authentication type on the server refers to the authentication type enabled on the origin
server at the time when the client sends a request for the content.

Windows Media Proxy Authentication
If proxy authentication is configured, Windows Media clients are authenticated based on
the policy settings. The the SG appliance evaluates the request from the client and verifies
the accessibility against the set policies. The Windows Media player then prompts the
client for the proper password. If the client is accepted, the Windows Media server might
also require the client to provide a password for authentication. If a previously accepted
client attempts to access the same Windows Media content again, the SG appliance
verifies the user credentials using its own credential cache. If successful, the client request
is forwarded to the Windows Media server for authentication.
Windows Media Player Authentication Interactivities
Consider the following proxy authentication interactivities with the Windows Media
player (except when specified, these do not apply to HTTP streaming):


If the proxy authentication type is configured as BASIC and the server authentication
type is configured as IWA, the default is denial of service.



If proxy authentication is configured as IWA and the server authentication is
configured as BASIC, the proxy authentication type defaults to BASIC.



The SG appliance does not support authentication based on url_path or
url_path_regex conditions when using mms as the url_scheme.



Transparent style HTTP proxy authentication fails to work with Windows Media
players when the credential cache lifetime is set to 0 (independent of whether serverside authentication is involved).



If proxy authentication is configured, a request for a stream through HTTP prompts
the user to enter access credentials twice: once for the proxy authentication and once
for the media server authentication.

43

Volume 4: Web Communication Proxies
Section A: Concepts: Streaming Media


Additional scenarios involving HTTP streaming exist that do not work when the TTL
is set to zero (0), even though only proxy authentication (with no server
authentication) is involved. The SG appliance returning a 401-style proxy
authentication challenge to the Windows Media Player 6.0 does not work because the
Player cannot resolve inconsistencies between the authentication response code and
the server type returned from the SG appliance. This results in an infinite loop of
requests and challenges. Example scenarios include transparent authentication—
resulting from either transparent request from player or hard-coded service specified
in the SG appliance—and request of cache-local (ASX-rewritten or unicast alias)
URLs.

Real Media Proxy Authentication
If proxy authentication is configured, Real Media clients are authenticated based on the
policy settings. The proxy (the SG appliance) evaluates the request from the client and
verifies the accessibility against the set policies. Next, RealPlayer prompts the client for
the proper password. If the client is accepted, the Real Media server can also require the
client to provide a password for authentication. If a previously accepted client attempts to
access the same Real Media content again, the SG appliance verifies the user credentials
using its own credential cache. If successful, the client request is forwarded to the Real
Media server for authentication.
Real Media Player Authentication Limitation
Using RealPlayer 8.0 in transparent mode with both proxy and Real Media server
authentication configured to BASIC, RealPlayer 8.0 always sends the same proxy
credentials to the media server. This is regardless of whether a user enters in credentials
for the media server. Therefore, the user is never authenticated and the content is not
served.

QuickTime Proxy Authentication
BASIC is the only proxy authentication mode supported for QuickTime clients. If an IWA
challenge is issued, the mode automatically downgrades to BASIC.

44

Chapter 3: Managing Streaming Media

Section B: Configuring Streaming Media

Section B: Configuring Streaming Media
This section describes how to configure the various SG appliance streaming options. This
section contains the following topics:


"Configuring Streaming Services" on page 45



"Configuring Streaming Proxies" on page 48



"Limiting Bandwidth" on page 49



"Configuring the SG Appliance Multicast Network" on page 51



"Configuring Media Server Authentication Type (Windows Media)" on page 52



"Related CLI Syntax to Manage Streaming" on page 52



"Reference: Access Log Fields" on page 53



"Reference: CPL Triggers, Properties, and Actions" on page 54



"Streaming History Statistics" on page 54

Related Topics
You must also configure the network service (Configuration > Network > Services) to assign
port numbers and modes (transparent or proxy). For more information, refer to Volume 3:
Proxies and Proxy Services.

Configuring Streaming Services
By default, the streaming services (MMS and RTSP) are configured be Transparent and in
Bypass mode. The following procedure describes how to change them to Intercept mode,
and explains other attributes within the service.
To configure the MMS/RTSP proxy services attributes:
1.

From the Management Console, select Configuration > Services > Proxy Services.

45

Chapter 3: Managing Streaming Media

Section B: Configuring Streaming Media

Note: A value of 0 requires the streaming content to always be checked for
freshness.

3.

Enable HTTP handoff: Enabled by default. Only disable if you do not want HTTP

streams to be cached or split. See “About HTTP Handoff” on page 39.
4.

Forward client-generated logs to origin media server: Enabled by default. The SG

appliance logs information, such as client IP address, the date, and the time, to the
origin server for Windows Media and Real Media content.
Note: For Real Media, the log is only forwarded before a streaming session is halted;
QuickTime log forwarding is not supported.

5.

Enable multicast (Real Media proxy only): The SG appliance receives a unicast stream
from the origin RealServer and serves it as a multicast broadcast. This allows the SG to
take a one-to-one stream and split it into a one-to-many stream, saving bandwidth
and reducing the server load. It also produces a higher quality broadcast.

Multicasting maintains a TCP control (accounting) channel between the client and
RealServer. The multicast data stream is broadcast using UDP from the SG appliance
to RealPlayers that join the multicast. The SG appliance support for Real Media uses
UDP port 554 (RTSP) for multicasting. This port number can be changed to any valid
UDP port number.
6.

Click Apply.

Note: For Multicast, additional configuration is required. See “Configuring the SG
Appliance Multicast Network” on page 51.

Limiting Bandwidth
This section describes how to limit bandwidth from both the clients to the SG appliance
and the SG appliance to origin content servers (OCS).

Configuring Bandwidth Limits—Global
This section describes how to limit all bandwidth use through the SG appliance.
To specify the bandwidth limit for all streaming protocols:
1.

Select Configuration > Services > Streaming Proxies > General.

49

Chapter 3: Managing Streaming Media

Section B: Configuring Streaming Media
SGOS#(config) streaming {windows-media | real-media | quicktime} {maxgateway-bandwidth kbits_second | no max-gateway-bandwidth}
SGOS#(config) streaming {windows-media | real-media | quicktime} {maxconnections number | no max-connection}
SGOS#(config) streaming {windows-media | real-media | quicktime} httphandoff disable
SGOS#(config) streaming {windows-media | real-media} refresh-interval
number.number
SGOS#(config) streaming real-media multicast enable
SGOS#(config) streaming windows-media server-auth-type {basic | ntlm}
SGOS#(config) content-distribute url [from url]

Reference: Access Log Fields
The default Blue Coat streaming fields are (only Streaming-specific or relative are listed
and described):
c-ip date time c-dns cs-uri-scheme cs-host cs-uri-port cs-uri-path csuri-query c-starttime x-duration c-rate c-status c-playerid cplayerversion c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe chostexever c-os c-osversion c-cpu filelength filesize avgbandwidth
protocol transport audiocodec videocodec channelURL sc-bytes c-bytes
s-pkts-sent c-pkts-received c-pkts-lost-client c-pkts-lost-net c-pktslost-cont-net c-resendreqs c-pkts-recovered-ECC c-pkts-recoveredresent c-buffercount c-totalbuffertime c-quality s-ip s-dns stotalclients s-cpu-util x-cache-user x-cache-info x-client-address


audiocodec: Audio codec used in stream.



avgbandwidth: Average bandwidth (in bits per second) at which the client was

connected to the server.


channelURL: URL to the .nsc file.



c-buffercount: Number of times the client buffered while playing the stream.



c-bytes: An MMS-only value of the total number of bytes delivered to the client.



c-cpu: Client computer CPU type.



c-hostexe: Host application.



c-os: Client computer operating system.



c-osversion: Client computer operating system version number.



c-playerid: Globally unique identifier (GUID) of the player.



c-playerlanguage: Client language-country code.



c-playerversion: Version number of the player.



c-rate: Mode of Windows Media Player when the last command event was sent.



c-starttime: Timestamp (in seconds) of the stream when an entry is generated in the

log file.


c-status: Codes that describe client status.



c-totalbuffertime: Time (in seconds) the client used to buffer the stream.



filelength: Length of the file (in seconds).

53

Volume 4: Web Communication Proxies
Section B: Configuring Streaming Media


filesize: Size of the file (in bytes).



protocol: Protocol used to access the stream: mms, http, or asfm.



s-totalclients: Clients connected to the server (but not necessarily receiving streams).



transport: Transport protocol used (UDP, TCP, multicast, and so on).



videocodec: Video codec used to encode the stream.



x-cache-info: Values: UNKNOWN, DEMAND_MISS, DEMAND_PARTIAL_HIT, DEMAND_HIT,
LIVE_FROM_ORIGIN, LIVE_PARTIAL_SPLIT, LIVE_SPLIT.



x-duration: Length of time a client played content prior to a client event (FF, REW,

Pause, Stop, or jump to marker).


x-wm-c-dns: Hostname of the client determined from the Windows Media protocol.



x-wm-c-ip: The client IP address determined from the Windows Media protocol.



x-cs-streaming-client: Type of streaming client in use (windows_media,
real_media, or quicktime).



x-rs-streaming-content: Type of streaming content served.



x-streaming-bitrate: The reported client-side bitrate for the stream.

Reference: CPL Triggers, Properties, and Actions
The following Blue Coat CPL is supported in Streaming:

Triggers


streaming.client=



streaming.content=

Properties and Actions
streaming.transport=

Streaming History Statistics
The Streaming History tabs (Windows Media, Real Media, and QuickTime) display bar
graphs that illustrate the number of active client connections over the last 60 minutes, 24
hours, and 30 days. These statistics are not available through the CLI. The Current
Streaming Data and Total Streaming Data tabs display real-time values for current
connection and live traffic activity on the SG appliance. Current and total streaming data
statistics are available through the CLI.

Viewing Windows Media Statistics
The Windows Media tab shows the number of active Windows Media client connections
over the last 60 minutes, 24 hours, and 30 days.
To view Windows Media client statistics:
1.

Select Statistics > Protocol Details > Streaming History > Windows Media.

54

Volume 4: Web Communication Proxies
Section C: Additional Configuration Tasks—Windows Media (CLI)

Section C: Additional Configuration Tasks—Windows Media (CLI)
This section provides Windows Media configuration tasks that cannot be accomplished
through the Management Console, but can be accomplished through the CLI.
This section contains the following topics:


"Managing Multicast Streaming for Windows Media" on page 58



"Managing Simulated Live Content (Windows Media)" on page 61



"ASX Rewriting (Windows Media)" on page 63

Managing Multicast Streaming for Windows Media
This section describes multicast station and .nsc files, and describes how to configure the
SG appliance to send multicast broadcasts to Windows Media clients.

About Multicast Stations
A multicast station is a defined location from where the Windows Media player retrieves
live streams. This defined location allows .asf streams to be delivered to many clients
using only the bandwidth of a single stream. Without a multicast station, streams must be
delivered to clients through unicast.
A multicast station contains all of the information needed to deliver .asf content to a
Windows Media player or to another SG appliance, including:


IP address



Port



Stream format



TTL value (time-to-live, expressed hops)

The information is stored in an .nsc file, which the Window Media Player must be able to
access to locate the IP address.
If Windows Media Player fails to find proper streaming packets on the network for
multicast, the player can roll over to a unicast URL. Reasons for this include lack of a
multicast-enabled router on the network or if the player is outside the multicast station’s
TTL. If the player fails to receive streaming data packets, it uses the unicast URL specified
in the .nsc file that is created from the multicast station configuration. All .nsc files
contain a unicast URL to allow rollover.
Unicast to Multicast
Unicast to multicast streaming requires converting a unicast stream on the server-side
connection to a multicast station on the SG appliance. The unicast stream must contain
live content before the multicast station works properly. If the unicast stream is a videoon-demand file, the multicast station is created but is not able to send packets to the
network. For video-on-demand files, use the broadcast-alias command, discussed
below.
Multicast to Multicast
Use the multicast-alias command to get the source stream for the multicast station.

58

Chapter 3: Managing Streaming Media

Section C: Additional Configuration Tasks—Windows Media (CLI)

About Broadcast Aliases
A broadcast alias defines a playlist, specify a starting time, date, and the number of times
the content is repeated.

Creating a Multicast Station
To create a multicast station, you must perform the following:


Define a name for the multicast station.



Define the source of the multicast stream.



The port range to be used.



Define the address range of the multicast stream.



Define the TTL value.



Create the multicast alias, unicast alias, and broadcast alias commands to enable the
functionality.

Syntax
multicast-station name {alias | url} [address | port | ttl]

where


name specifies the name of the multicast station, such as station1.



{alias | url} defines the source of the multicast stream. The source can be a
URL or it can be a multicast alias, a unicast alias, or simulated live. (The source
commands must be set up before the functionality is enabled within the multicast
station.)



[address | port | ttl] are optional commands that you can use to override
the default ranges of these values. (Defaults and permissible values are discussed
below.)

Example 1: Create a Multicast Station
This example:


Creates a multicast station, named station1, on SG 10.25.36.47.



Defines the source as mms://10.25.36.47/tenchi.



Accepts the address, port, and TTL default values.
SGOS#(config) streaming windows-media multicast-station station1 mms:/
/10.25.36.47/tenchi.

To delete multicast station1:
SGOS#(config) streaming no multicast-station station1

Example 2: Create a Broadcast Alias and Direct a Multicast Station to use It
This example:


To allow unicast clients to connect through multicast, creates a broadcast alias named
array1; defines the source as mms://10.25.36.48/tenchi2.



Instructs the multicast station from Example 1, station1, to use the broadcast alias,
array1, as the source.

59

Volume 4: Web Communication Proxies
Section C: Additional Configuration Tasks—Windows Media (CLI)
SGOS#(config) streaming windows-media broadcast-alias array1 mms://
10.25.36.48/tenchi2 0 today noon
SGOS#(config) streaming windows-media multicast-station station1
array1

Changing Address, Port, and TTL Values
Specific commands allow you to change the address range, the port range, and the default
TTL value. To leave the defaults as they are for most multicast stations and change it only
for specified station definitions, use the multicast-station command.
The multicast-station command randomly creates an IP address and port from the
specified ranges.


Address-range: the default ranges from 224.2.128.0 to 224.2.255.255; the
permissible range is 224.0.0.2 and 239.255.255.255.



Port-range: the default ranges from 32768 to 65535; the permissible range is between
1 and 65535.



TTL value: the default is 5 hops; the permissible range is from 1 to 255.

Syntax, with Defaults Set
multicast address-range <224.2.128.0>-<224.2.255.255>
multicast port-range <32768>-<65535>
multicast ttl <5>

Getting the .nsc File
The .nsc file is created from the multicast station definition and saved through the
browser as a text file encoded in a Microsoft proprietary format.
Without an .nsc file, the multicast station definition does not work.
To get an .nsc file from newly created station1, open the file by navigating through the
browser to the multicast station’s location (where it was created) and save the file as
station1.nsc.
The file location, based on the streaming configuration above:
http://10.25.36.47/MMS/nsc/station1.nsc

Save the file as station1.nsc.
Note: You can also enter the URL in the Windows Media Player to start the stream.

The newly created file is not editable; the settings come from streaming configuration file.
In that file, you have already defined the following pertinent information for the file:


The address, which includes TTL, IP Address, IP Port, Unicast URL, and the NSC
URL. All created .nsc files contain a unicast URL for rollover in case the Windows
Media Player cannot find the streaming packets.



The description, which references the MMS URL that you defined.



The format, which contains important ASF header information. All streams delivered
by the multicast station definition have their ASF headers defined here.

60

Chapter 3: Managing Streaming Media

Section C: Additional Configuration Tasks—Windows Media (CLI)

Monitoring the Multicast Station
You can determine the multicast station definitions by viewing the streaming windows
configuration. To determine the current client connections and current SG appliance
connections, use the show streaming windows-media statistics command.
To view the multicast station setup:
SGOS#(config) show streaming windows config
; Windows Media Configuration
license:
1XXXXXXX-7XXXXXXX-7XXXXX
logging: enable
logging
enable
http-handoff: enable
live-retransmit: enable
transparent-port (1755):
enable
explicit proxy: 0
refresh-interval:
no refresh interval (Never check freshness)
max connections:
no max-connections (Allow maximum
connections)
max-bandwidth:
no max-bandwidth (Allow maximum bandwidth)
max-gateway-bandwidth:
no max-gateway-bandwidth (Allow maximum
bandwidth)
multicast address:
224.2.128.0 – 224.2.255.255
multicast port:
32768 – 65535
multicast TTL:
5
asx-rewrite:
No rules
multicast-alias:
No rules
unicast-alias:
No rules
broadcast-alias:
No rules
multicast-station:
station1 mms://10.25.36.47/tenchi
224.2.207.0 40465 5 (playing)
Note: Playing at the end of the multicast station definition indicates that the station

is currently sending packets onto the network. The IP address and port ranges have
been randomly assigned from among the default ranges allowed.
To view the multicast station statistics:
SGOS#(config) show streaming windows stat
;Windows Media Statistics
Current client connections:
by transport: 0 UDP, 0 TCP, 0 HTTP, 1 multicast
by type: 1 live, 0 on-demand
Current gateway connections:
by transport: 0 UDP, 1 TCP, 0 HTTP, 0 multicast
by type:
1 live, 0 on-demand

Managing Simulated Live Content (Windows Media)
This section describes simulated live content and how to configure the SG appliance to
manage and serve simulated live content.

61

Volume 4: Web Communication Proxies
Section C: Additional Configuration Tasks—Windows Media (CLI)

About Simulated Live Content
The simulated live content feature defines playback of one or more video-on-demand files
as a scheduled live event, which begins at a specified time. The content can be looped
multiple times, or scheduled to start at multiple start times throughout the day. If used in
conjunction with the multicast-alias command, the live content is multicast; otherwise,
live content is accessible as live-splitting sources. The feature does not require the content
to be cached.
When a starting date and time for the simulated live content have been set, the broadcast
of the content starts when there is at least one client requesting the file. Clients requesting
the simulated live content before the scheduled time are put into wait mode. Clients
requesting the content after all of the contents have played receive an error message.
Video-on-demand content does not need to be on the SG appliance before the scheduled
start time, but prepopulating the content on the appliance provides better streaming
quality.
Before configuring simulated live, consider the following:


The simulated live content name must be unique. Aliases are not case sensitive.



The name cannot be used for both a unicast and a multicast alias name.



After simulated live content is referenced by one or more multicast stations, the
simulated live content cannot be deleted until all multicast stations referencing the
simulated live content are first deleted.

The multicast station appears as another client of simulated live content, just like a
Windows Media Player.
Note: This note applies to HTTP only. If a client opens Windows Media player and

requests an alias before the starting time specified in the broadcast-alias option, the HTTP
connection closes after a short time period. When the specified time arrives, the player
fails to reconnect to the stream and remains in waiting mode.
Three scenarios can occur when a client requests the simulated live content:


Clients connect before the scheduled start time of the simulated live content: clients
are put into wait mode.



Clients connect during the scheduled playback time of the simulated live content:
clients receive cached content for playback.



Clients connect after the scheduled playback time of the simulated live: the client
receives an error message.

The ProxySG computes the starting playtime of the broadcast stream based on the time
difference between the client request time and the simulated live starting time.

Creating a Broadcast Alias for Simulated Live Content
Syntax
streaming windows-media broadcast-alias alias url loops date time

where:


alias is the name of the simulated live content.

62

Chapter 3: Managing Streaming Media

Section C: Additional Configuration Tasks—Windows Media (CLI)


url is the URL for the video-on-demand stream. Up to 128 URLs can be specified
for simulated live content.



loops is the number of times you want the content to be played back. Set to 0
(zero) to allow the content to be viewed an indefinite number of times.



date is the simulated live content starting date. Valid date strings are in the
format yyyy-mm-dd or today. You can specify up to seven start dates by using the
comma as a separator (no spaces).



time is the simulated live content starting time. Valid time strings are in the
format hh:mm (on a 24-hour clock) or one of the following strings:
— midnight, noon
— 1am, 2am, ...
— 1pm, 2pm, ...

Specify up to 24 different start times within a single date by using the comma
as a separator (no spaces).
Example 1
This example creates a playlist for simulated live content. The order of playback is
dependent on the order you enter the URLs. Up to 128 URLs can be added.
SGOS#(config) streaming windows-media broadcast-alias alias url

Example 2
This example demonstrates the following:


creates a simulated live file called bca.



plays back mms://ocs.bca.com/bca1.asf and mms://ocs.bca.com/bca2.asf.



configures the SG appliance to play back the content twice.



sets a starting date and time of today at 4 p.m., 6 p.m., and 8 p.m.
SGOS#(config) streaming windows-media broadcast-alias bca mms://
ocs.bca.com/bca1.asf 2 today 4pm,6pm,8pm
SGOS#(config) streaming windows-media broadcast-alias bca mms://
ocs.bca.com/bca2.asf

To delete simulated live content:
SGOS#(config) streaming windows-media no broadcast-alias alias

ASX Rewriting (Windows Media)
This section describes ASX rewriting and applies to Windows Media only.

63

Volume 4: Web Communication Proxies
Section C: Additional Configuration Tasks—Windows Media (CLI)

About ASX Rewrite
If your environment does not use a Layer 4 switch or the Cisco Web Cache Control
Protocol (WCCP), the SG appliance can operate as a proxy for Windows Media Player
clients by rewriting the Windows Media metafile (which contains entries with URL links
to the actual location of the streaming content) to point to the appliance rather than the
Windows Media server. The metadata files can have .asx, .wvx, or .wax extensions, but
are commonly referred to as .asx files. The .asx file refers to the actual media files
(with .asf, .wmv, and .wma extensions). An .asx file can refer to other .asx files, although
this is not a recommended practice. If the file does not have one of the metafile extensions
and the Web server that is serving the metadata file does not set the correct MIME type, it
is not processed by the Windows Media module. Also, the .asx file with the appropriate
syntax must be located on an HTTP (not Windows Media) server.
The ASX rewrite module is triggered by either the appropriate file extension or the
returned MIME type from the server (x-video-asf).
Note: If an .asx file syntax does not follow the standard tag-based syntax, the

ASX rewrite module is not triggered.
For the SG appliance to operate as a proxy for Windows Media Player requires the
following:


The client is explicitly proxied for HTTP content to the SG appliance that rewrites
the .asx metafile.



The streaming media SG appliance is configurable.
Note: Windows Media Player automatically tries to roll over to different protocols

according to its Windows Media property settings before trying the rollover URLs in
the .asx metafile.
With the asx-rewrite command, you can implement redirection of the streaming media
to a SG appliance by specifying the rewrite protocol, the rewrite IP address, and the
rewrite port.
The protocol specified in the ASX rewrite rule is the protocol the client uses to reach the
SG. You can use forwarding and policy to change the default protocol specified in the
original .asx file that connects to the origin media server.
When creating ASX rewrite rules, you need to determine the number priority. It is likely
you will create multiple ASX rewrite rules that affect the .asx file; for example, rule 100
could redirect the IP address from 10.25.36.01 to 10.25.36.47, while rule 300 could
redirect the IP address from 10.25.36.01 to 10.25.36.58. In this case, you are saying
that the original IP address is redirected to the IP address in rule 100. If that IP address is
not available, the SG looks for another rule matching the incoming IP address.
Notes and Interactivities
Before creating rules, consider the following.


Each rule you create must be checked for a match; therefore, performance might be
affected if you create large amounts of rules.



Lower numbers have a higher priority than high numbers.

64

Chapter 3: Managing Streaming Media

Section C: Additional Configuration Tasks—Windows Media (CLI)

Note: Rules can only be created through the CLI.


ASX rewrite rules configured for multiple SG appliances configured in an HTTP
proxy-chaining configuration can produce unexpected URL entries in access logs for
the downstream SG appliance (the SG appliance that the client proxies to). The
combination of proxy-chained SG appliances in the HTTP path coupled with ASX
rewrite configured for multiple SG appliances in the chain can create a rewritten URL
requested by the client in the example form of:
protocol1://downstream_SecApp/redirect?protocol2://SecApp>/redirect?protocol3://origin_host/origin_path

In this scenario, the URL used by the downstream SG for caching and access logging
can be different than what is expected. Specifically, the downstream SG appliance
creates an access log entry with protocol2://upstream_SecApp/redirect as the
requested URL. Content is also cached using this truncated URL. Blue Coat
recommends that the ASX rewrite rule be configured for only the downstream SG
appliance, along with a proxy route rule that can forward the Windows Media
streaming requests from the downstream to upstream SG appliances.
Syntax for the asx-rewrite Command:
asx-rewrite rule # in-addr cache-proto cache-addr [cache-port]

where:


in-addr—Specifies the hostname or IP address delivering the content



cache-proto—Specifies the rewrite protocol on the SG. Acceptable values for the
rewrite protocol are:

— mmsu specifies Microsoft Media Streaming UDP
— mmst specifies Microsoft Media Streaming TCP
— http specifies HTTP
— mms specifies either MMS-UDP or MMS-TCP
— * specifies the same protocol as in the .asx file
If the .asx file is referred from within another .asx file (not a recommended
practice), use a * for the cache-proto value. This specifies that the protocol
specified in the original URL is used. As a conservative, alternative approach,
you could use HTTP for the cache-proto value.


cache-addr—Specifies the rewrite address on the SG appliance.



cache-port—Specifies the port on the SG appliance. This value is optional.

To set up the .asx rewrite rules:
At the (config) command prompt, enter the following command:
SGOS#(config) streaming windows-media asx-rewrite number in-addr
cache-proto cache-addr cache-port
Note: To delete a specific rule, enter streaming windows-media no asx-rewrite
number.

65

Volume 4: Web Communication Proxies
Section C: Additional Configuration Tasks—Windows Media (CLI)
To ensure that an ASX rewrite rule has been modified immediately, clear the local browser
cache.
Example
This example:


Sets the priority rule to 200



Sets the protocol to be whatever protocol was originally specified in the URL and
directs the data
stream to the appropriate default port.



Provides the rewrite IP address of 10.9.44.53, the SG appliance.
SGOS#(config) streaming windows-media asx-rewrite 200 * * 10.9.44.53
Note: ASX files must be fetched from HTTP servers. If you are not sure of the
network topology or the content being served on the network, use the asterisks to
assure the protocol set is that specified in the URL.

ASX Rewrite Incompatibility With Server-side IWA Authentication
Server-side authentication (MMS only, not HTTP) is supported if the origin media server
authentication type is BASIC or No Auth. However, if you know that a Windows Media
server is configured for IWA authentication, the following procedure allows you to
designate any virtual IP addresses to the IWA authentication type. If you know that all of
the activity through the SG appliance requires IWA authentication, you can use the IP
address of the appliance.
To designate an IP address to an authentication type:
1.

If necessary, create a virtual IP address that is used to contact the Windows Media
server.

2.

At the (config) prompt, enter the following command:
SGOS#(config) streaming windows-media server-auth-type ntlm ip_address

3.

Configure the ASX rewrite rule to use the IP address.
a.

To remove the authentication type designation:
SGOS#(config) streaming windows-media no server-auth-type
ip_address

b.

To return the authentication type to BASIC:
SGOS#(config) streaming windows-media server-auth-type basic
ip_address

66

Volume 4: Web Communication Proxies
Section D: Windows Media Player
3.

4.

5.

Navigate to protocol configuration:
a.

Select Network.

b.

Select MMS.

c.

Click Configure. The Configure Protocol Dialog appears.

Configure the proxy settings:
a.

Select Use the following proxy server.

b.

Enter the SG appliance IP address and the port number used for the explicit
proxy (the default MMS port is 1755). These settings must match the settings
configured in the SG appliance. If you change the SG appliance explicit proxy
configuration, you must also reconfigure the Windows Media Player.

Click OK in both dialogs. Result: the Windows Media Player now proxies through the
SG appliance and content is susceptible to streaming configurations and access
policies.

Windows Media Player Interactivity Notes
This section describes Windows Media Player interactivities that might affect
performance.

Striding
When you use the Windows Media Player, consider the following interactivities in regard
to using fast forward and reverse (referred to as striding):


If you request a cached file and repeatedly attempt play and fast forward, the file
freezes.



If you attempt a fast reverse of a cached file that is just about to play, you receive an
error message, depending on whether you have a proxy:





Without a proxy: A device attached to the system is not functioning.



With a proxy: The request is invalid in the current state.

If Windows Media Player is in pause mode for more than ten minutes and you press
fast reverse or fast forward, an error message displays: The network connection
has failed.

Other Notes


Applies to Versions 9: if a url_host_rewrite rule is configured to rewrite a host
name that is a domain name instead of an IP address, a request through the MMS
protocol fails and the host is not rewritten. As the connect message sent by the player
at the initial connection does not contain the host name, a rewrite cannot occur. HTTP
requests are not affected by this limitation.



If explicit proxy is configured and the access policy on the SG appliance is set to deny,
a requested stream using HTTP from Windows Media Player 9 serves the stream
directly from the origin server even after the request is denied. The player sends a
request to the OCS and plays the stream from there.

68

Chapter 3: Managing Streaming Media

Section D: Windows Media Player
Blue Coat recommends the following policy:

streaming.content=yes deny
-or
streaming.content=windows_media deny

The above rules force the HTTP module to hand-off HTTP requests to the MMS
module. MMS returns the error properly to the player, and does not go directly to the
origin server to try to server the content.


If you request an un-cached file using the HTTP protocol, the file is likely to stop
playing if the authentication type is set to BASIC or NTLM/Kerberos and you initiate
rapid seeks before the buffering begins for a previous seek. The Windows Media
Player, however, displays that the file is still playing.



If a stream is scheduled to be accessible at a future time (using a simulated live rule),
and the stream is requested before that time, the Windows Media Player enters a
waiting stage. This is normal. However, if HTTP is used as the protocol, after a minute
or two the Windows Media Player closes the HTTP connection, but remains in the
waiting stage, even when the stream is broadcasting.

Notes:
For authentication-specific notes, see "Windows Media Server-Side Authentication" on
page 43 and "Windows Media Proxy Authentication" on page 43.

69

Chapter 3: Managing Streaming Media

Section E: RealPlayer
3.

4.

Navigate to proxy settings:
a.

Select Connection > Proxy.

b.

Click Change Settings. The Streaming Proxy Settings dialog appears.

Click OK in :
a.

In the PNA and RTSP proxies: field, select Use proxies.

b.

Enter the SG IP address and the port number used for the explicit proxy (the
default RTSP port is 544). These settings must match the settings configured
in the SG appliance. If you change the SG appliance explicit proxy
configuration, you must also reconfigure the RealPlayer. If using transparent
proxy, RTSP port 554 is set by default and cannot be changed.
Note: For HTTP Proxy, if you have an HTTP proxy already configured in your
browser, select Use system Internet Connection proxy settings.

c.

Optional: For HTTP Proxy, if you have an HTTP proxy already configured in
your browser, select Use system Internet Connection proxy settings.

d. Optional: In the Do not use proxy for: section, you can enter specific hosts and
bypass the SG appliance.
Note: This can also be accomplished with policy, which is the method Blue
Coat recommends.

e.

Click OK to close the Streaming Proxy Settings dialog.

71

Appendix A: Glossary

Term

Description

ADN Optimize Attribute

Controls whether to optimize bandwidth usage when connecting upstream using an
ADN tunnel.

Asynchronous Adaptive

This allows the ProxySG to keep cached objects as fresh as possible, thus reducing
response times. The AAR algorithm allows HTTP proxy to manage cached objects
based on their rate of change and popularity: an object that changes frequently and/
or is requested frequently is more eligible for asynchronous refresh compared to an
object with a lower rate of change and/or popularity.

Refresh (AAR)

Asynchronous Refresh
Activity

Refresh activity that does not wait for a request to occur, but that occurs
asynchronously from the request.

Attributes (Service)

The service attributes define the parameters, such as explicit or transparent,
cipher suite, and certificate verification, that the SG appliance uses for a
particular service. .

Authenticate-401 Attribute

All transparent and explicit requests received on the port always use transparent
authentication (cookie or IP, depending on the configuration). This is especially
useful to force transparent proxy authentication in some proxy-chaining scenarios

authentication

The process of identifying a specific user.

authorization

The permissions given to a specific user.

Bandwidth Gain

A measure of the difference in client-side and server-side Internet traffic expressed in
relation to server-side Internet traffic. It is managed in two ways: you can enable or
disable bandwidth gain mode or you can select the Bandwidth Gain profile (this also
enables bandwidth gain mode)..

Bandwidth Class

A defined unit of bandwidth allocation. An administrator uses bandwidth classes to
allocate bandwidth to a particular type of traffic flowing through the SG appliance.

Bandwidth Class Hierarchy

Bandwidth classes can be grouped together in a class hierarchy, which is a tree
structure that specifies the relationship among different classes. You create a
hierarchy by creating at least one parent class and assigning other classes to be its
children.

Bandwidth Policy

The set of rules that you define in the policy layer to identify and classify the traffic in
the SG appliance, using the bandwidth classes that you create. You must use policy
(through either VPM or CPL) in order to manage bandwidth.

Bypass Lists

The bypass list allows you to exempt IP addresses from being proxied by the SG

appliance. The bypass list allows either or a specific IP prefix entry for
both the client and server columns. Both UDP and TCP traffic is
automatically exempted.

75

Volume 4: Web Communication Proxies

Term

Description

Byte-Range Support

The ability of the ProxySG to respond to byte-range requests (requests with a Range:
HTTP header).

Cache-hit

An object that is in the ProxySG and can be retrieved when an end user requests the
information.

Cache-miss

An object that can be stored but has never been requested before; it was not in the
ProxySG to start, so it must be brought in and stored there as a side effect of
processing the end-user's request. If the object is cacheable, it is stored and served the
next time it is requested.

Child Class (Bandwidth
Gain)

The child of a parent class is dependent upon that parent class for available
bandwidth (they share the bandwidth in proportion to their minimum/maximum
bandwidth values and priority levels). A child class with siblings (classes with the
same parent class) shares bandwidth with those siblings in the same manner.

Client consent certificates

A certificate that indicates acceptance or denial of consent to decrypt an end user's
HTTPS request.

Compression

An algorithm that reduces a file’s size but does not lose any data. The ability to
compress or decompress objects in the cache is based on policies you create.
Compression can have a huge performance benefit, and it can be customized based
on the needs of your environment: Whether CPU is more expensive (the default
assumption), server-side bandwidth is more expensive, or whether client-side
bandwidth is more expensive.

Default Proxy Listener

See “ Proxy Service (Default)” .

Detect Protocol Attribute

Detects the protocol being used. Protocols that can be detected include:
HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper.

Directives

Directives are commands that can be used in installable lists to configure forwarding.
See also forwarding Configuration.

Display Filter

The display filter is a drop-down list at the top of the Proxy Services pane that allows
you to view the created proxy services by service name or action.

Early Intercept Attribute

Controls whether the proxy responds to client TCP connection requests before
connecting to the upstream server. When early intercept is disabled, the proxy delays
responding to the client until after it has attempted to contact the server.

Emulated Certificates

Certificates that are presented to the user by ProxySG when intercepting
HTTPS requests. Blue Coat emulates the certificate from the server and signs
it, copying the subjectName and expiration. The original certificate is used
between the ProxySG and the server.

ELFF-compatible format

A log type defined by the W3C that is general enough to be used with any protocol.

Encrypted Log

A log is encrypted using an external certificate associated with a private key.
Encrypted logs can only be decrypted by someone with access to the private key. The
private key is not accessible to the SG appliance.

76

Appendix A: Glossary

Term

Description

explicit proxy

A configuration in which the browser is explicitly configured to communicate with
the proxy server for access to content.
This is the default for the SG appliance, and requires configuration for both browser
and the interface card.

Fail Open/Closed

Failing open or closed applies to forwarding hosts and groups and SOCKS gateways.
Fail Open/Closed applies when the health checks are showing sick for each
forwarding or SOCKS gateway target in the applicable fail-over sequence. If no
systems are healthy, the SG appliance fails open or closed, depending on the
configuration. If closed, the connection attempt simply fails.
If open, an attempt is made to connect without using any forwarding target (or
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no
setting is specified.

Forwarding Configuration

Forwarding can be configured through the CLI or through adding directives to a text
file and installing it as an installable list. Each of these methods (the CLI or using
directives) is equal. You cannot use the Management Console to configure
forwarding.

Forwarding Host

Upstream Web servers or proxies.

forward proxy

A proxy server deployed close to the clients and used to access many servers. A
forward proxy can be explicit or transparent.

Freshness

A percentage that reflects the objects in the ProxySG cache that are expected to be
fresh; that is, the content of those objects is expected to be identical to that on the OCS
(origin content server).

Gateway

A device that serves as entrance and exit into a communications network.

Global Default Settings

You can configure settings for all forwarding hosts and groups. These are called the
global defaults. You can also configure private settings for each individual
forwarding host or group. Individual settings override the global defaults.

FTP

See Native FTP; Web FTP.

Host Affinity

Host affinity is the attempt to direct multiple connections by a single user to the same
group member. Host affinity is closely tied to load balancing behavior; both should
configured if load balancing is important.

Host Affinity Timeout

The host affinity timeout determines how long a user remains idle before the
connection is closed. The timeout value checks the user's IP address, SSL ID, or
cookie in the host affinity table.

Inbound Traffic (Bandwidth
Gain)

Network packets flowing into the SG appliance. Inbound traffic mainly consists of
the following:
• Server inbound: Packets originating at the origin content server (OCS) and sent to
the SG appliance to load a Web object.
• Client inbound: Packets originating at the client and sent to the SG

appliance for Web requests.

77

Volume 4: Web Communication Proxies

Term

Description

Installable Lists

Installable lists, comprised of directives, can be placed onto the SG appliance in one
of several methods: through creating the list through the SG text editor, by placing
the list at an accessible URL, or by downloading the directives file from the local
system.

Integrated Host Timeout

An integrated host is an Origin Content Server (OCS) that has been added to the
health check list. The host, added through the integrate_new_hosts property,
ages out of the integrated host table after being idle for the specified time. The default
is 60 minutes.

IP Reflection

Determines how the client IP address is presented to the origin server for explicitly
proxied requests. All proxy services contain a reflect-ip attribute, which enables or
disables sending of client's IP address instead of the SG's IP address.

Issuer keyring

The keyring that is used by the SG appliance to sign emulated certificates. The
keyring is configured on the appliance and managed through policy.

Listener

The service that is listening on a specific port. A listener can be identified by any

destination IP/subnet and port range. Multiple listeners can be added to
each service.
Load Balancing

The ability to share traffic requests among multiple upstream targets. Two methods
can be used to balance the load among systems: least-connections or roundrobin.

Log Facility

A separate log that contains a single logical file and supports a single log format. It
also contains the file’s configuration and upload schedule information as well as
other configurable information such as how often to rotate (switch to a new log) the
logs at the destination, any passwords needed, and the point at which the facility can
be uploaded.

Log Format

The type of log that is used: NCSA/Common, SQUID, ELFF, SurfControl, or
Websense.
The proprietary log types each have a corresponding pre-defined log format that has
been set up to produce exactly that type of log (these logs cannot be edited). In
addition, a number of other ELFF type log formats are also pre-defined (im, main,
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log
fields for logging particular protocols understood by the SG appliance. It is also
possible to create new log formats of type ELFF or Custom which can contain any
desired combination of log fields.

Log Tail:

The access log tail shows the log entries as they get logged. With high traffic on the
SG appliance, not all access log entries are necessarily displayed. However, you can
view all access log information after uploading the log.

Maximum Object Size

The maximum object size stored in the ProxySG. All objects retrieved that are greater
than the maximum size are delivered to the client but are not stored in the ProxySG.

NCSA common log format

A log type that contains only basic HTTP access information.

78

Appendix A: Glossary

Term

Description

Negative Responses

An error response received from the OCS when a page or image is requested. If the
ProxySG is configured to cache such negative responses, it returns that response in
subsequent requests for that page or image for the specified number of minutes. If it
is not configured, which is the default, the ProxySG attempts to retrieve the page or
image every time it is requested.

Native FTP

Native FTP involves the client connecting (either explicitly or transparently) using
the FTP protocol; the SG appliance then connects upstream through FTP (if
necessary).

Outbound Traffic
(Bandwidth Gain)

Network packets flowing out of the SG appliance. Outbound traffic mainly consists
of the following:
• Client outbound: Packets sent to the client in response to a Web request.
• Server outbound: Packets sent to an OCS or upstream proxy to request a service.

Origin Content Server (OCS)
Parent Class (Bandwidth
Gain)

PASV

A class with at least one child. The parent class must share its bandwidth with its
child classes in proportion to the minimum/maximum bandwidth values or priority
levels.
Passive Mode Data Connections. Data connections initiated by an FTP client to

an FTP server.
proxy

Caches content, filters traffic, monitors Internet and intranet resource usage, blocks
specific Internet and intranet resources for individuals or groups, and enhances the
quality of Internet or intranet user experiences.
A proxy can also serve as an intermediary between a Web client and a Web server
and can require authentication to allow identity based policy and logging for the
client.
The rules used to authenticate a client are based on the policies you create on the SG
appliance, which can reference an existing security infrastructure—LDAP, RADIUS,
IWA, and the like.

Proxy Service

The proxy service defines the ports, as well as other attributes. that are used by the
proxies associated with the service.

Proxy Service (Default)

The default proxy service is a service that intercepts all traffic not otherwise
intercepted by other listeners. It only has one listener whose action can be set to
bypass or intercept. No new listeners can be added to the default proxy service, and
the default listener and service cannot be deleted. Service attributes can be changed.

realms

A realm is a named collection of information about users and groups. The name is
referenced in policy to control authentication and authorization of users for access to
Blue Coat Systems SG services. Multiple authentication realms can be used on a
single SG appliance. Realm services include IWA, LDAP, Local, and RADIUS.

Reflect Client IP Attribute

Enables the sending of the client's IP address instead of the SG's IP address to the
upstream server. If you are using an Application Delivery Network (ADN), this
setting is enforced on the concentrator proxy through the Configuration>App.
Delivery Network>Tunneling tab.

79

Volume 4: Web Communication Proxies

Term

Description

Refresh Bandwidth

The amount of bandwidth used to keep stored objects fresh. By default, the ProxySG
is set to manage refresh bandwidth automatically. You can configure refresh
bandwidth yourself, although Blue Coat does not recommend this.

reverse proxy

A proxy that acts as a front-end to a small number of pre-defined servers, typically to
improve performance. Many clients can use it to access the small number of
predefined servers.

rotate logs

When you rotate a log, the old log is no longer appended to the existing log, and a
new log is created. All the facility information (headers for passwords, access log
type, and so forth), is re-sent at the beginning of the new upload.
If you're using Reporter (or anything that doesn't understand the concept of "file,”
such as streaming) the upload connection is broken and then re-started, and, again,
the headers are re-sent.

serial console

A device that allows you to connect to the SG appliance when it is otherwise
unreachable, without using the network. It can be used to administer the SG
appliance through the CLI. You must use the CLI to use a serial console.
Anyone with access to the serial console can change the administrative access
controls, so physical security of the serial console is critical.

Server Certificate Categories

The hostname in a server certificate can be categorized by BCWF or another content
filtering vendor to fit into categories such as banking, finance, sports.

Sibling Class (Bandwidth
Gain)

A bandwidth class with the same parent class as another class.

SOCKS Proxy

A generic way to proxy TCP and UDP protocols. The SG appliance supports both
SOCKSv4/4a and SOCKSv5; however, because of increased username and password
authentication capabilities and compression support, Blue Coat recommends that
you use SOCKS v5..

SmartReporter log type

A proprietary ELFF log type that is compatible with the SmartFilter SmartReporter
tool.

Split proxy

Employs co-operative processing at the branch and the core to implement
functionality that is not possible in a standalone proxy. Examples of split
proxies include :
Mapi Proxy
SSL Proxy

SQUID-compatible format

A log type that was designed for cache statistics.

SSL

A standard protocol for secure communication over the network. Blue Coat
recommends using this protocol to protect sensitive information.

SSL Interception

Decrypting SSL connections.

SSL Proxy

A proxy that can be used for any SSL traffic (HTTPS or not), in either forward or
reverse proxy mode.

80

Appendix A: Glossary

Term

Description

static routes

A manually-configured route that specifies the transmission path a packet must
follow, based on the packet’s destination address. A static route specifies a
transmission path to another network.

SurfControl log type

A proprietary log type that is compatible with the SurfControl reporter tool. The
SurfControl log format includes fully-qualified usernames when an NTLM realm
provides authentication. The simple name is used for all other realm types.

Traffic Flow (Bandwidth
Gain)

Also referred to as flow. A set of packets belonging to the same TCP/UDP connection
that terminate at, originate at, or flow through the SG appliance. A single request
from a client involves two separate connections. One of them is from the client to the
SG appliance, and the other is from the SG appliance to the OCS. Within each of
these connections, traffic flows in two directions—in one direction, packets flow out
of the SG appliance (outbound traffic), and in the other direction, packets flow into
the SG (inbound traffic). Connections can come from the client or the server. Thus,
traffic can be classified into one of four types:
• Server inbound
• Server outbound
• Client inbound
• Client outbound
These four traffic flows represent each of the four combinations described above.
Each flow represents a single direction from a single connection.

transparent proxy

A configuration in which traffic is redirected to the SG appliance without the
knowledge of the client browser. No configuration is required on the browser, but
network configuration, such as an L4 switch or a WCCP-compliant router, is
required.

Variants

Objects that are stored in the cache in various forms: the original form, fetched from
the OCS; the transformed (compressed or uncompressed) form (if compression is
used). If a required compression variant is not available, then one might be created
upon a cache-hit. (Note: policy-based content transformations are not stored in the
ProxySG.)

Web FTP

Web FTP is used when a client connects in explicit mode using HTTP and
accesses an ftp:// URL. The SG appliance translates the HTTP request into
an FTP request for the OCS (if the content is not already cached), and then
translates the FTP response with the file contents into an HTTP response for
the client.

Websense log type

A proprietary log type that is compatible with the Websense reporter tool.

81

Volume 4: Web Communication Proxies

Term

Description

Wildcard Services

When multiple non-wildcard services are created on a port, all of them must be of the
same service type (a wildcard service is one that is listening for that port on all IP
addresses). If you have multiple IP addresses and you specify IP addresses for a port
service, you cannot specify a different protocol if you define the same port on another
IP address. For example, if you define HTTP port 80 on one IP address, you can only
use the HTTP protocol on port 80 for other IP addresses.
Also note that wildcard services and non-wildcard services cannot both exist at the
same time on a given port.
For all service types except HTTPS, a specific listener cannot be posted on a port if
the same port has a wildcard listener of any service type already present.

82

Index

A

M

ASX rewrite
command syntax 65
rules 64
setting up for Windows Media 64

multicast
defined 37
unicast, converting by Windows Media 38

B

port services
instant messaging protocols 9
proxies
definition 7

Blue Coat SG
instant messaging
configuring clients 20
proxy authentication 9
securing 9
Yahoo Messenger client configuration 22
instant messaging, IM clients tab statistics 31
instant messaging, IM data tab statistics 29

D
document
conventions 7

H
HTTP
handoff, enabling 39

I
instant messaging
configuring clients 20
proxy authentication 9
securing 9
statistics, IM clients tab 31
statistics, IM data tab 29
Yahoo Messenger client configuration 22

P

R
RealMedia
proxy authentication 44

S
streaming media
delivery type 37
live content defined 37
multicast defined 37
prepopulating content, description 42
unicast defined 37

U
unicast
defined 37
multicast, converting from by Windows Media 38

W
Windows Media
.ASX-rewrite rules 64
.nsc file 60
ASX rewrite and NTLM incompatibility 66
authentication limitations 43
HTTP handoff enabling 39
multicast station monitoring 61
multicast to unicast 38
prepopulating content description 42
setting up ASX rewrite 64

83

Blue Coat ProxySG Configuration and Management Guide

84

Document Path: ["140-blue-coat-instruction-sg.pdf"]

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh