Name: SG

Text: Volume 2: Getting Started

Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contact.html
bcs.info@bluecoat.com
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com

Copyright© 1999-2007 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®,
Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate
Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document Number: 231-02838
Document Revision: SGOS 5.1.x.—03/2007

ii

Contents
Contact Information

Chapter 1: About Getting Started
About This Book ..................................................................................................................................................7
Document Conventions......................................................................................................................................7
Chapter 2: Licensing
About Licensing...................................................................................................................................................9
Licensable Components......................................................................................................................................9
About the Trial Period ......................................................................................................................................10
About License Expiration.................................................................................................................................11
About the System Serial Number ............................................................................................................11
Obtaining a WebPower Account.....................................................................................................................12
Registering and Licensing Blue Coat Hardware and Software ..................................................................12
Registering the Hardware.........................................................................................................................12
Creating a License Key File.......................................................................................................................13
Retrieving the License Key File................................................................................................................14
Manual License Installation .............................................................................................................................15
Disabling the Components Running in Trial Mode .....................................................................................17
Updating a License............................................................................................................................................17
Automatically Updating a License .................................................................................................................17
Chapter 3: Accessing the SG Appliance
Before You Begin: Understanding Modes .....................................................................................................19
Accessing the SG Appliance ............................................................................................................................20
Accessing the CLI.......................................................................................................................................20
Accessing the Management Console.......................................................................................................20
Accessing the Management Console Home Page ........................................................................................21
Logging On .................................................................................................................................................21
Logging Out ................................................................................................................................................21
Changing the Logon Parameters.....................................................................................................................22
Changing the Username and Password .................................................................................................22
Changing the SG Appliance Realm Name .............................................................................................24
Changing the SG Appliance Timeout .....................................................................................................25
Viewing the Appliance Health ........................................................................................................................25
Chapter 4: Configuring Basic Settings
Configuring the SG Appliance Name ............................................................................................................27
Viewing the Appliance Serial Number ..........................................................................................................27

iii

Volume 2: Getting Started

Configuring the System Time ......................................................................................................................... 28
Network Time Protocol.................................................................................................................................... 29
Configuring HTTP Timeout ............................................................................................................................ 30
Chapter 5: Archive Configuration
Sharing Configurations .................................................................................................................................... 33
Archiving a Configuration............................................................................................................................... 36
Chapter 6: Adapters
About Adapters ................................................................................................................................................. 39
About Virtual LAN Configuration ................................................................................................................. 39
The Blue Coat Solution.............................................................................................................................. 41
Configuring an Adapter................................................................................................................................... 42
Configuring Interface Settings ........................................................................................................................ 45
Disabling Transparent Interception ........................................................................................................ 45
Rejecting Inbound Connections............................................................................................................... 46
Using reject-inbound and allow-intercept ............................................................................................. 46
Manually Configuring Link Settings ...................................................................................................... 47
Configuring Proxies................................................................................................................................... 47
Detecting Network Adapter Faults ................................................................................................................ 47
Chapter 7: Software and Hardware Bridges
About Bridging.................................................................................................................................................. 49
Traffic Handling......................................................................................................................................... 50
Bridging Methods ...................................................................................................................................... 50
About the Pass-Through Adapter .................................................................................................................. 51
Configuring a Software Bridge ....................................................................................................................... 51
Customizing the Interface Settings................................................................................................................. 53
Setting Bandwidth Management for Bridging ............................................................................................. 54
Configuring Failover ........................................................................................................................................ 54
Setting Up Failover .................................................................................................................................... 55
Bridging Loop Detection.................................................................................................................................. 56
Adding Static Forwarding Table Entries ....................................................................................................... 58
Bypass List Behavior......................................................................................................................................... 59
Chapter 8: Gateways
About Gateways................................................................................................................................................ 61
SG Appliance Specifics..................................................................................................................................... 61
Switching to a Secondary Gateway......................................................................................................... 62
Routing ............................................................................................................................................................... 62
Using Static Routes .................................................................................................................................... 63
Notes ............................................................................................................................................................ 65

iv

Contents

Chapter 9: DNS
SG Appliance Specifics..................................................................................................................................... 67
Configuring Split DNS Support...................................................................................................................... 68
Changing the Order of DNS Servers.............................................................................................................. 69
Unresolved Hostnames (Name Imputing).................................................................................................... 70
Changing the Order of DNS Name Imputing Suffixes ............................................................................... 70
Caching Negative Responses .......................................................................................................................... 70
Appendix A: Glossary
Index

v

Volume 2: Getting Started

vi

Chapter 1: About Getting Started

Volume 2: Getting Started describes how to access the Blue Coat SG appliance using the
CLI or Management Console, and provides basic configuration information that is
required in every environment.

About This Book
This book deals with the following topics:


Chapter 2: "Licensing" on page 9



Chapter 3: "Accessing the SG Appliance" on page 19



Chapter 4: "Configuring Basic Settings" on page 27



Chapter 5: "Archive Configuration" on page 33



Chapter 6: "Adapters" on page 39



Chapter 7: "Software and Hardware Bridges" on page 49



Chapter 8: "Gateways" on page 61



Chapter 9: "DNS" on page 67



Appendix A: "Glossary" on page 73

Document Conventions
The following section lists the typographical and Command Line Interface (CLI) syntax
conventions used in this manual.
Table 1-1. Document Conventions
Conventions

Definition

Italics

The first use of a new or Blue Coat-proprietary term.

Courier font

Command line text that appears on your administrator workstation.

Courier Italics

A command line variable that is to be substituted with a literal name or
value pertaining to the appropriate facet of your network system.

Courier Boldface

A Blue Coat literal to be entered as shown.

{}

One of the parameters enclosed within the braces must be supplied

[]

An optional parameter or parameters.

|

Either the parameter before or after the pipe character can or must be
selected, but not both.

7

Volume 2: Getting Started

8

Chapter 2: Licensing

This chapter describes the SG appliance licensing behavior.

About Licensing
SGOS 5.x features a global licensing system for the SGOS software. License key files are
issued on a per-appliance basis. One license key file includes all of the component
licenses for whichever SGOS features you have elected to use.
Note: When your Blue Coat appliance order was completed, you received an e-mail
that contained serial numbers for licensable components. Those numbers are required
for the procedures in this chapter.

Licensable Components
There are three types of licensable components:


Required—The SGOS 5 Base; these features are required on the SG appliance.



Included—Additional SGOS 5.x features, which are provided by Blue Coat and that
are included in the SGOS 5 base license.



Optional— Any additional (purchased) features.

When the license key file is created, it contains components of all three types. The
following table lists the SG appliance licensable components, categorized by type.
Table 2-1. Licensable Components
Type

Component

Description

Required

SGOS 5 Base

The ProxySG operating system, plus base features: HTTP, FTP, TCPTunnel, SOCKS, and DNS proxy.

Included

3rd Party Onbox
Content Filtering

Allows use with third-party vendor databases: Intersafe, Optenet,
Proventia, SmartFilter, SurfControl, Websense, and Webwasher.

Included

Websense
Offbox Content
Filtering

For Websense off-box support only.

Included

ICAP Services

External virus and content scanning with ICAP servers.

Included

Bandwidth
Management

Allows you to classify, control, and, if required, limit the amount of
bandwidth used by different classes of network traffic flowing into or
out of the ProxySG.

Included

Windows Media
Standard

MMS proxy; no caching or splitting; content pass-through. Full policy
control over MMS.

Included

Real Media
Standard

RTSP proxy for Real Media content; no caching or splitting; content
pass-through. Full policy control over RTSP.

9

Volume 2: Getting Started

Table 2-1. Licensable Components (Continued)
Type

Component

Description

Included

Apple QuickTime

RTSP proxy for QuickTime content; no caching or splitting; content
pass-through. Full policy control over RTSP.

Included

Netegrity
SiteMinder

Allows realm initialization and user authentication to SiteMinder
servers.

Included

Oracle COREid

Allows realm initialization and user authentication to COREid servers.

Included

Peer-to-Peer

Allows you to recognize and manage peer-to-peer P2P activity relating
to P2P file sharing applications.

Included

Compression

Allows reduction to file sizes without losing any data.

Optional

SSL Proxy

Native SSL proxy and Reverse HTTPS Proxy (SSL termination) on the
ProxySG. Includes an SSL accelerator card to be installed on the
appliance.
Upon upgrading to SGOS 4.2, the license description for an existing SSL
license changes to "SSL Proxy" instead of "SSL Termination." This is
simply a description change. SSL termination and SSL Proxy
functionality are available (when licensed) on SGOS 4.2.

Optional

IM

AOL Instant Messaging: AIM proxy with policy support for AOL Instant
Messenger.
MSN Instant Messaging: MSN proxy with policy support for MSN
Instant Messenger.
Yahoo Instant Messaging: Yahoo proxy with policy support for Yahoo
Instant Messenger.

Optional

Windows Media
Premium

MMS proxy; content caching and splitting.
Full policy control over MMS.
When the maximum concurrent streams is reached, all further streams
are denied and the client receives a message.

Optional

Real Media
Premium

RTSP proxy for Real Media content; content caching and splitting.
Full policy control over RTSP.
When the maximum concurrent streams is reached, all further streams
are denied and the client receives a message.

Optional

SG Client

Entitles you to support a certain number of SG Clients in your
enterprise; however, the license does not limit the number of ADN
tunnels to which clients can have access. SG Client licenses are
upgradeable so you can support a larger number of users.

Note: Only the appliance designated as the SG Client Manager requires
a license. To use SG Clients in your enterprise, you need to apply the
license only to the Client Manager, and not to any other appliances in
the ADN network.

About the Trial Period
Blue Coat provides a trial period. The initial system boot-up triggers the 60-day trial
period, during which you can evaluate the SGOS functionality. For the first 60 days, all
licensable components are active and available to use. Furthermore, when a license is
installed during the trial period (or while using a demo license), components that are not
part of that license remain available and active during the trial period.

10

Chapter 2: Licensing

Each time you navigate to the Management Console home page or click the Maintenance >
Licensing tab, a pop-up dialog appears warning you that the trial period expires in so
many days (a text message is displayed on a Telnet, SSH, or serial console). If you require
more time to explore the SGOS features, a demo license is available; refer to your reseller
or contact Blue Coat Sales.
The trial period streaming and IM licenses are no-count licenses—unlimited streams and
IM clients are accessible.
Upon installing licenses after or during the trial period, the Base SGOS, Instant Messaging
(IM), Windows Media basic, and Real Media premium licenses are also unlimited, but
Windows Media premium and IM licenses impose user limits established by each license
type.
Note: If you invoke the restore-defaults command after you have installed licenses,

and the serial number of your system is configurable (older boxes only), the licenses fail to
install and you return to the trial period (if any time is left).

About License Expiration
At the end of the trial or demo period or, subsequently, when any normally licensed
component expires, components that have not been licensed do not process requests. A
license expiration notification message is logged in the Event Log (refer to the Event log
information in Volume 10: Managing the Blue Coat SG Appliance for details).
If a license expires, users might not receive notification, depending upon the application
they are using. Notifications do occur for the following:


HTTP (Web browsers)—An HTML page is displayed stating the license has expired.



SSL—An exception page appears when an HTTPS connection is attempted.



Instant Messaging clients—Users do not receive a message that the license has expired.
Any IM activity is denied, and to the user it appears that the logon connection has
failed.



FTP clients—If the FTP client supports it, a message is displayed stating the license has
expired.



Streaming media clients—If the Windows Media Player, RealPlayer, or QuickTime
player version supports it, a message is displayed stating the license has expired.



SG Client—After the trial license has expired, clients cannot connect to the ADN
network.

You can still perform SGOS configuration tasks, CLI, SSH console, serial console, or Telnet
connection. Although the component becomes disabled, feature configurations are not
altered. Also, policy restrictions remain independent of component availability.

About the System Serial Number
Each SG serial number is the appliance identifier used to assign a license key file. The SG
contains an EEPROM with the serial number encoded. The SG appliance recognizes the
serial number upon system boot-up.
The serial number is visible by navigating to Configuration > General > Identification.

11

Volume 2: Getting Started

Obtaining a WebPower Account
Before you can register your SG and retrieve the license key, you must have a Blue Coat
WebPower user account.
If you do not have a WebPower account or have forgotten your account information, use
the following procedure.
Procedure: To obtain a WebPower account:
1.

Select Maintenance > Licensing > Install.

2.

In the License Administration field, click Register/Manage. The License Configuration
and Management Web page appears (ignore the dialog at this time).

3.

Perform one of the following:
To obtain a new account, click the link for Need a WebPower User ID. Enter the
information as prompted.
To obtain your current information for an existing account, click the Forgot your
password link.

Registering and Licensing Blue Coat Hardware and Software
This section describes how to automatically register the system with Blue Coat and,
through WebPower, generate and retrieve the software license key. Registering and
licensing involves the followings tasks.
Note: If the SG appliance does not have Internet access, see “Manual License
Installation” on page 15.
Table 2-2. Registration and Licensing Tasks
Task

Description

1

Register the hardware—The serial number for this SG appliance is already
linked to your Blue Coat account. This step electronically acknowledges that
you are ready to activate the system.

2

Register the software—This step links the software you ordered with the system (thus
generating a license key).

3

Retrieve the license key—Activates your SGOS features.

Registering the Hardware
Procedure: To register the hardware:
1.

Open a browser and ensure pop-up blocking is disabled.

2.

Enter the SGOS Management Console URL.
https://IP_address:8082

3.

Enter the access credentials specified during initial setup.

4.

Click Management Console. The license warning/registration page displays.

12

Chapter 2: Licensing

Enter a path to the license file or click Browse and navigate to the file. Click Install. A
results window opens. Examine the license installation results; close the window.
Click Close. Click Apply.
The license is now installed. All features that you subscribed to are fully operational.

Disabling the Components Running in Trial Mode
You have the option to not let users access features that are currently running in trial
mode; however, you cannot selectively disable trial mode features. You must either
enable all of them or disable all of them.
Note: When you purchase an SG appliance, some of the licenses are temporarily enabled
for evaluation purposes. This is called Trial Mode.

Procedure: To disable trial mode components:
1.

On the View License tab, select Disable in the Trial Components are enabled field.

2.

Click Apply.

3.

Click Refresh Data. All licenses that are in trial mode switch from Yes to No. Users
cannot use these features. Furthermore, they do not receive nag dialogs warning of
license expiration.

Also notice that this option text changes to Trial Components are disabled: Enabled. Repeat
this process to re-enable trial licenses.

Updating a License
After the initial license installation, you might decide to use another feature that requires
a license. For example, you currently support Windows Media, but want to add Real
Media support. The license must be updated to allow this support.
Procedure: To update a license:
1.

Select Maintenance>Licensing>Install.

2.

Click Register/Manage.

3.

Follow the instructions on the Blue Coat License Self-Service Web page.

4.

If using the automatic license installation feature, click Update; otherwise, manually
install the license as described in “Manual License Installation” on page 15.

Automatically Updating a License
The license automatic update feature allows the SG appliance to contact the Blue Coat
licensing Web page 31 days before the license is to expire. If a new license has been
purchased and authorized, the license is automatically downloaded. If a new license is not
available on the Web site, the SG appliance continues to contact the Web site daily for a
new license until the current license expires. Outside the above license expiration
window, the SG appliance performs this connection once every 30 days to check for new
license authorizations. This feature is enabled by default.
Procedure: To configure the license auto-update:
1.

Select Maintenance>Licensing>Install.

17

Volume 2: Getting Started

2.

Select Use Auto-Update.

3.

Select Apply to commit the changes to the SG appliance.
Note: If the automatic license update fails and you receive a Load from Blue Coat
error, you must log on to your License Management account:
https://services.bluecoat.com/eservice_enu/licensing/mgr.cgi.

Click Update License Key.
Related CLI Syntax to Manage Licensing
SGOS# licensing {disable-trial | enable-trial}
SGOS# licensing update-key
SGOS# (config) license-key path url
SGOS# (config) license-key auto-update {enable | disable}

18

Chapter 3: Accessing the SG Appliance

The SGOS software uses the Secure Shell (SSH) and HTTPS protocols to securely access
the SGOS CLI and Management Console. Both SSHv1 and SSHv2 are enabled by
default, and host keys have already been created on the SG appliance.
All data transmitted between the client and the SG appliance using SSH/HTTPS is
encrypted.
During initial configuration, you assigned the SG appliance a username and password
and a privileged-mode (enabled/configuration) password. These passwords are
always stored and displayed hashed.
This chapter discusses:


“Before You Begin: Understanding Modes” on page 19



“Accessing the SG Appliance” on page 20



“Accessing the Management Console Home Page” on page 21



“Changing the Logon Parameters” on page 22



“Viewing the Appliance Health” on page 25

Important:

This chapter assumes that you have completed the first-time setup of the SG appliance
using either the front panel or serial console, and that the appliance is running on the
network. These steps must be completed before accessing the appliance.
You can manage the SG appliance by logging on to and using one of the following:


An SSH session to access the CLI.



The Management Console graphical interface.

You can also use a serial console to access the CLI.
Note: To use a Telnet session, you must use a serial console connection until you

configure Telnet for use. (For security reasons Blue Coat does not recommend using
Telnet).

Before You Begin: Understanding Modes
SGOS 5.x supports different levels of command security:


Standard, or unprivileged, mode is read-only. You can see but not change system
settings and configurations. This is the level you enter when you first access the CLI.



Enabled, or privileged, mode is read-write. You can make immediate but not
permanent changes to the SG appliance, such as restarting the system. This is the
level you enter when you first access the Management Console.



Configuration is a mode within the Enabled mode. From this level, you can perform
permanent changes to the SG appliance configuration.

19

Volume 2: Getting Started

If you use the Management Console, you are in configuration mode when you log into
Enabled mode and type conf t.
If you use the CLI, you must enter each level separately:
Username: admin
Password:
SGOS> enable
Enable Password:
SGOS# configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
SGOS#(config)

For detailed information about the CLI and the CLI commands, refer to Volume 12: Blue
Coat SG Appliance Command Line Reference.
Note: Although most administrator tasks can be performed using either the
Management Console or the CLI, there is the occasional task that can only be done using
one of the two: these are specified in the manual.

Accessing the SG Appliance
You can access the SG appliance through either the CLI or the Management Console. By
default, SSHv2 (CLI) and HTTPS (Management Console) are used to connect to the
appliance.
The SSH and HTTPS ports are configured and enabled. For SSH, you can use either
version 1 or version 2 (with password or RSA client key authentication).

Accessing the CLI
If you use the CLI, you can use SSHv2 to access the SG appliance, but you cannot use
SSHv1 or Telnet without additional configuration.
Note: Enabling the Telnet-Console introduces a security risk, so it is not recommended.

To use SSHv1, you must first create an SSHv1 host key. For more information on creating
SSH host keys, refer to Volume 3: Proxies and Proxy Services.
To log on to the CLI, you must have:


the account name that has been established on the SG appliance



the IP address of the SG appliance



the port number (22 is the default port number)

You must log on from your SSH client.

Accessing the Management Console
The Management Console is a graphical Web interface that allows you to manage,
configure, monitor, and upgrade the SG appliance from any location.
In the Web browser, enter HTTPS, the SG appliance IP address, and port 8082 (the default
management port). For example, if the IP address configured during first-time installation
is 10.25.36.47, enter the URL https://10.25.36.47:8082 in the Web browser.

20

Volume 2: Getting Started

26

Chapter 4: Configuring Basic Settings

3.

Select the time zone that represents your local time. Once the local time zone is
selected, event logs record the local time instead of GMT. To add additional time
zones to the list, update the appliance's time zone database, as described in the
following procedure.

To update the database:
1.

Select Configuration > General > Clock > Clock.

2.

Enter the URL from which the database will be downloaded or click Set to default.

3.

Click Install.

Related CLI Syntax for Adding New Time Zones to the Database:
SGOS# (config) timezone database-path [url | default]
SGOS# (config) load timezone-database

To acquire the UTC:
1.

Ensure that Enable NTP is selected.

2.

Click Acquire UTC Time.

Related CLI Syntax for Acquiring and Setting UTC Time:
SGOS# acquire-utc
SGOS#(config) clock [subcommands]

Network Time Protocol
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or
server to another server or reference time source, such as a radio or satellite receiver or
modem. There are more than 230 primary time servers, synchronized by radio, satellite
and modem.
The SG appliance ships with a list of NTP servers available on the Internet, and attempts
to connect to them in the order they appear in the NTP server list on the NTP tab. You can
add others, delete NTP servers, and reorder the NTP server list to give a specific NTP
server priority over others.
The SG appliance uses NTP and the Coordinated Universal Time (UTC) to keep the
system time accurate.
You can add and reorder the list of NTP servers the SG appliance uses for acquiring the
time. The reorder feature is not available.
To add an NTP server:
1.

Select Configuration > General > Clock > NTP.

29

Chapter 4: Configuring Basic Settings

To configure the HTTP receive timeout setting:
At the (config) command prompt, enter the following command:
SGOS#(config) http receive-timeout {client | refresh | server}
#_seconds

where:
client

#_seconds

Sets the receive timeout for client to #_seconds.
The default is 120 seconds.

refresh

#_seconds

Sets receive timeout for refresh to #_seconds. The
default is 90 seconds.

server

#_seconds

Sets receive timeout for server to #_seconds. The
default is 180 seconds.

To configure the HTTP persistent timeout setting:
At the (config) command prompt, enter the following command:
SGOS#(config) http persistent-timeout {client | server} #_seconds

where
:

client

#_seconds

The maximum amount of time the HTTP proxy
waits before closing the persistent client
connection if another request is not made. The
default is 360 seconds.

server

#_seconds

The maximum amount of time the HTTP proxy
waits before closing the persistent server
connection if that connection is not re-used for
any subsequent request from the proxy. The
default is 900 seconds.

31

Volume 2: Getting Started

32

Chapter 5: Archive Configuration

Blue Coat allows you to use an existing configuration (modified to include only general
parameters, not system-specific settings) to quickly set up a newly-manufactured SG
appliance and to save the running configuration off-box for archival purposes.
This section discusses:


“Sharing Configurations” on page 33



“Archiving a Configuration” on page 36

Sharing Configurations
You can share configurations between two SG appliances. You can take a post-setup
configuration file (one that does not include those configuration elements that are
established in the setup console) from an already-configured SG appliance and push it
to a newly-manufactured system.
Note: Blue Coat Director allows you to push a configuration from one SG

appliance to multiple appliances at the same time. For more information on using
Director, see Volume 10: Managing the Blue Coat SG Appliance.
The new configuration is applied to the existing configuration, changing any existing
values. This means, for instance, that if the new configuration creates a realm called
RealmA and the existing configuration has a realm called RealmB, the combined
configuration includes two realms, RealmA and RealmB.
To share configurations, you must


Change all "encrypted-password" entries to "password" followed by the actual
password in quotes.



Change any "hashed-password" entries to "password" followed by the actual
password in quotes.



Make sure that no services are tied to a specific proxy IP address.



Download a content filter database, if the configuration includes content filtering.

You can use either the Management Console or the CLI to create a post-setup
configuration file on one SG appliance and push it to another.
Note: You cannot push configuration settings to a newly manufactured system
until you have completed initial setup of the system.

To create and push a configuration to a newly manufactured SG appliance:
From the already configured SG appliance:
1.

Select Configuration > General > Archive.

33

Chapter 5: Archive Configuration

5.

Click Close.

To create and push a configuration to a newly manufactured SG appliance:
From the already configured SG appliance:
1.

From the enable prompt (#), determine which configuration you want to use for the
new system. The syntax is:
show configuration post-setup | brief | expanded

where:
post-setup

This displays the configuration on the current system, minus
any configurations created through the setup console, such as
the hostname and IP address. It also includes the installable
lists.

brief

This displays the configuration on the current system, but does
not include the installable lists.

expanded

This is the most complete snapshot of the system configuration,
but it contains system-specific settings that should not be
pushed to a new system.

2.

3.

Save the configuration. You can save the file two ways:


Copy the contents of the configuration to the clipboard. (Paste the file into the
terminal on the newly-manufactured system.)



Save it as a text file on a download FTP server accessible to the SG appliance. This
is advised if you want to re-use the file.

On the newly-manufactured SG appliance, retrieve the configuration file by doing
one of the following:


If you saved the configuration to the clipboard, go to the (config) prompt and
paste the configuration into the terminal.



If you saved the configuration on the FTP server:
At the enable command prompt, enter the following command:
SGOS# configure network “url”

where url must be in quotes and is fully-qualified (including the protocol, server
name or IP address, path, and filename of the configuration file). The
configuration file is downloaded from the server, and the SG appliance settings
are updated.
Note: If you rename the archived configuration file so that it does not contain
any spaces, the quotes surrounding the URL are unnecessary.

The username and password used to connect to the FTP server can be embedded
into the URL. The format of the URL is:
ftp://username:password@ftp-server

where ftp-server is either the IP address or the DNS resolvable hostname of the
FTP server.

35

Volume 2: Getting Started

If you do not specify a username and password, the SG appliance assumes that an
anonymous FTP is desired and thus sends the following as the credentials to
connect to the FTP server:
username: anonymous
password: proxy@

Archiving a Configuration
In the rare case of a complete system failure, restoring a SG appliance to its previous state
is simplified by loading an archived system configuration from an FTP or TFTP server.
The archive, taken from the running configuration, contains all system settings differing
from system defaults, along with any installable lists configured on the SG appliance.
Archive and restore operations must be done through the CLI.
Note: You can archive a system configuration to an FTP or TFTP server that allows
either anonymous logon or requires a specific username and password. Likewise, to
restore a system configuration, the server storing the archive can be configured either to
allow anonymous logon or to require a username and password.

To prepare to archive a system configuration
1.

Obtain write permission to a directory on an FTP server. This is where the archive will
be stored.
The system configuration must be stored using FTP.

2.

At the (config) command prompt, enter the following commands:
SGOS#(config) archive-configuration protocol {ftp | tftp}
SGOS#(config) archive-configuration host hostname

where hostname is the IP address of the server.
Note: TFTP does not require a password, path, or username.
SGOS#(config) archive-configuration password password
-orSGOS#(config) archive-configuration encrypted-password encryptedpassword

where password is the password (or encrypted password) used to access the server.
SGOS#(config) archive-configuration path path

where path is the directory on the server where the archive is to be stored, relative to
the preset FTP directory.
SGOS#(config) archive-configuration filename-prefix filename

where filename can contain % strings that represent the information in the upload
filename. If you do not use the filename command, the SG appliance creates a name
with a timestamp and the filename SG_last-ip-octet_timestamp. For % string
substitutions, see Volume 9: Access Logging.
SGOS#(config) archive-configuration username username

where user_name is the username used to access the server.

36

Chapter 5: Archive Configuration

Example Session
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok

archive-configuration host 10.25.36.47
archive-configuration password access
archive-configuration username admin1
archive-configuration path ftp://archive.server/stored
archive-configuration protocol ftp

Note: To clear the host, password, or path, type the above commands using empty
double-quotes instead of the variable. For example, to clear the path, enter archiveconfiguration path “”.

To archive a system configuration:
At the enable command prompt, enter the following command:
SGOS# upload configuration

To restore a system configuration:
At the enable command prompt, enter the following command:
SGOS# configure network “url”

See “Sharing Configurations” on page 33 for more information about formatting the URL
for FTP.

Troubleshooting
When pushing a shared configuration or restoring an archived configuration, keep in
mind the following issues:


Encrypted passwords (login, enable, and FTP) cannot be decrypted by a device other
than that on which it was encrypted. If you were sharing a configuration, these
encrypted passwords were probably already created before the configuration was
pushed to the system.



If the content filtering database has not yet been downloaded, any policy that
references categories is not recognized.



The following passwords must be re-created (if you use the application specified):


administrator console passwords (not needed for shared configurations)



privileged-mode (enable) passwords (not needed for shared configurations)



the front-panel PIN (recommended for limiting physical access to the system)



access log FTP client passwords (primary, alternate)



archive configuration FTP password



RADIUS primary and alternate secret



LDAP search password



SmartFilter download password



WebSense3 download password

37

Volume 2: Getting Started



SNMP read, write, and trap community strings



RADIUS and TACACS+ secrets for splash pages



A full download of the content filtering database must be done.



SSH certificate keys must be imported.



SSL certificate keys must be imported

In addition, you should make sure the system is functioning whenever you add a feature.
For example, make sure the system works after basic configuration; then, after you add
authentication, recheck the system.

38

Chapter 6: Adapters

This chapter describes SG network adapters and the adapter interfaces; the following
topics are discussed:


“About Adapters” on page 39



“About Virtual LAN Configuration” on page 39



“Configuring an Adapter” on page 42



“Configuring Interface Settings” on page 45



“Detecting Network Adapter Faults” on page 47

About Adapters
SG appliances ship with one or more network adapters installed on the system, each
with one or more interfaces. This chapter describes how to change interface parameters
or configure additional adapters or virtual LANs in the appliance. You can also accept
or reject inbound connections, change link settings in the event the system did not
correctly determine them, and configure the browser for proxy settings.
As you select adapters from the picklist, the Adapter panel (Configuration > Network >
Adapters) displays the state of the configured adapter and its interfaces.
Note: In Blue Coat documentation, the convention for the interface is
adapter.interface. For example, 0:0.

About Virtual LAN Configuration
This section discusses Virtual LAN (VLAN) deployments.

About VLAN Deployments
VLANs are created to group multiple physical network segments into individual
broadcast domains. The benefit to this is that clients can be organized logically—for
example, based on organization—rather than limited to physical connections to
interfaces. Because networks recognize VLANs as they do physical LANs, each VLAN
can have an IP prefix assigned to it. This enables IP routing of traffic flow between
VLANs, which allows for targeted traffic relaying rather than broadcasting to all
connected hosts.
VLAN configuration occurs on the switch. The network administrator specifies which
ports belong to which VLANs. The following diagram illustrates a port-based VLAN
configuration. Clients on network segments attached to switch ports 1 and 2 belong to
VLAN 1, which has the network address 10.0.1.x; network segments attached to
switch ports 14 and 15 belong to VLAN 2, which has the network address 10.0.2.x.

39

Chapter 6: Adapters

Table 6-1. Command Interaction for Reject-Inbound and Allow-Intercept
rejectinbound

allowintercept

Non-proxy ports
(mgmt-console,
ssh, etc)

Explicit proxy
ports

Transparent
proxy ports

Other ports

Disabled

Enabled

Terminated

Terminated

Terminated

Forwarded

Disabled

Disabled

Terminated

Terminated

Forwarded

Forwarded

Enabled

Enabled/
Disabled

Silently dropped

Silently dropped

Silently dropped

Silently dropped

Manually Configuring Link Settings
By default, the SGOS software automatically determines the link settings for all network
adapters. However, Blue Coat strongly recommends manually setting the link settings to
avoid problems.
To manually configure link settings:
1.

Select Configuration > Network > Adapters > Adapters.

2.

Select an adapter from the Adapters drop-down list.

3.

Click Settings.

4.

Select Manually configure link settings.

5.

Select Half or Full duplex.

6.

Select the correct network speed.

7.

Click OK to close the Advanced Settings dialog.

8.

Click Apply.

Related CLI Syntax to Manually Configure Link Settings


To enter configuration mode for standard interfaces:
SGOS#(config interface adapter:interface) {full-duplex | half-duplex}

Configuring Proxies
To configure proxies, refer to Volume 3: Proxies and Proxy Services.

Detecting Network Adapter Faults
The SG appliance can detect whether the network adapters in an appliance are
functioning properly. If the appliance finds that an adapter is faulty, it stops using it.
When the fault is remedied, the SG appliance detects the functioning adapter and uses it
normally.
To determine whether an adapter is functioning properly:
1.

Check whether the link is active (that is, a cable is connected and both sides are up).

2.

Check the ratio of error packets to good packets: both sent and received.

3.

Check if packets have been sent without any packets received.

47

Volume 2: Getting Started

If an adapter fault is detected and the adapter has an IP address assigned to it, the SG
appliance logs a severe event. When an adapter does not have an IP address, the appliance
does not log an entry.

48

Chapter 7: Software and Hardware Bridges

This chapter describes the SGOS hardware and software bridging capabilities. Network
bridging through the SG appliance provides transparent proxy pass-through and
failover support.
The following topics are discussed:


“About Bridging”



“About the Pass-Through Adapter” on page 51



“Configuring a Software Bridge” on page 51



“Customizing the Interface Settings” on page 53



“Setting Bandwidth Management for Bridging” on page 54



“Configuring Failover” on page 54

About Bridging
Bridging functionality allows SG appliances to be easily deployed as transparent
redirection devices, without requiring the additional expense and maintenance of L4
switches or WCCP-capable routers. Bridging is especially useful in smaller
deployments in which explicit proxies, L4 switches, or WCCP-capable routers are not
feasible options.
Important: Bridge interfaces cannot be used in WCCP configurations. If the
configuration includes bridge interfaces, you will receive the following error if you
attempt to load the WCCP configuration file:
Interface 0:0 is member of a bridge

Bridges are used to segment Ethernet collision domains, thus reducing frame collisions.
Unlike a hub, a bridge uses a frame’s destination MAC address to make delivery
decisions. Because these decisions are based on MAC addressing, bridges are known as
Layer 2 devices.
To make efficient delivery decisions, the bridge must discover the identity of systems
on each collision domain, and then store this information in its bridging table. After
learning the identity of the systems on each collision domain, the bridge uses the source
MAC address of frames to determine from which interface a given system can be
reached.
A branch office that would take advantage of a bridging configuration is likely to be
small; for example, it might have only one router and one firewall in the network, as
shown below.

49

Volume 2: Getting Started



SG A—software bridge IP address: 10.0.0.2. Create a virtual IP address and a
failover group, and designate this group the master.
SG_A#(config) virtual-ip address 10.0.0.4
SG_A#(config) failover
SG_A#(config failover) create 10.0.0.4
SG_A#(config failover) edit 10.0.0.4
SG_A#(config failover 10.0.0.4) master
SG_A#(config failover 10.0.0.4) priority 100
SG_A#(config failover 10.0.0.4) interval 1



SG B—software bridge IP address: 10.0.0.3. Create a virtual IP address and a
failover group.
SG_B#(config) virtual-ip address 10.0.0.4
SG_B#(config) failover
SG_B#(config failover) create 10.0.0.4
SG_B#(config failover) edit 10.0.0.4
SG_B#(config failover 10.0.0.4) priority 100
SG_B#(config failover 10.0.0.4) interval 1



In the bridge configuration on each SG appliance, attach the bridge configuration to the
failover group:
SG_A#(config bridge bridge_name) failover 10.0.0.4
SG_B#(config bridge bridge_name) failover 10.0.0.4



Specify the failover mode:
SG_A#(config bridge bridge_name) failover serial
SG_B#(config bridge bridge_name) failover serial

Bridging Loop Detection
Bridging now supports the Spanning Tree Protocol (STP). STP is a link management
protocol that prevents bridge loops in a network that has redundant paths that can cause
packets to be bridged infinitely without ever being removed from the network.
STP ensures that a bridge, when faced with multiple paths, uses a path that is loop-free. If
that path fails, the algorithm recalculates the network and finds another loop-free path.
The administrator can enable or disable spanning tree participation for the interface.
Enable spanning tree participation:
1.

Select Configuration > Network > Adapters > Bridges.

2.

Select the desired bridge.

3.

Click Edit.

56

Volume 2: Getting Started

The behavior of the static bypass list stays the same. The packets are forwarded in IP layer.

60

Chapter 8: Gateways

A key feature of the SGOS software is the ability to distribute traffic originating at the
appliance through multiple gateways. You can also fine tune how the traffic is
distributed to different gateways. This feature works with any routing protocol (such
as static routes or RIP).
Note: Load balancing through multiple gateways is independent from the perinterface load balancing the SG appliance automatically does when more than
one network interface is installed.

This chapter discusses:


“About Gateways”



“SG Appliance Specifics” on page 61



“Switching to a Secondary Gateway” on page 62



“Routing” on page 62

About Gateways
During the initial setup of the SG appliance, you optionally defined a gateway (a device
that serves as entrance and exit into a communications network) for the SG appliance.
By using multiple gateways, an administrator can assign a number of available
gateways into a preference group and configure the load distribution to the gateways
within the group. Multiple preference groups are supported.
The gateway specified applies to all network adapters in the system.

SG Appliance Specifics
Which gateway the SG appliance chooses to use at a given time is determined by how
the administrator configures the assignment of preference groups to default gateways.
You can define multiple gateways within the same preference group. A SG appliance
can have from 1 to 10 preference groups. If you have only one gateway, it automatically
has a weight of 100.
Initially, all gateways in the lowest preference group are considered to be the active
gateways. If a gateway becomes unreachable, it is dropped from the active gateway list,
but the remaining gateways within the group continue to be used until they all become
unreachable, or until an unreachable gateway in a lower preference group becomes
reachable again. If all gateways in the lowest preference group become unreachable,
the gateways in the next lowest preference group become the active gateways.

61

Chapter 8: Gateways

Note: If your environment uses explicit proxy or Layer-4 redirection, or if the
destination IP addresses cannot be verified by the SG appliance, static routes must be
configured.

Hardware or software bridges can be transparently routed if the destination IP address/
hostname can be verified. If the client-provided destination IP address is not in the list of
resolved IP addresses for the particular host, then the SG appliance uses static routes
instead. For hostname-less protocols such as CIFS and FTP, the IP address can always be
trusted. For other protocols, such as HTTP, RTSP, and MMS, which have a hostname that
must be resolved, verification can be an issue. URL rewrites that modify the hostname
also can cause verification to fail.
Transparent ADN connections that are handed off to an application proxy (HTTP or
MAPI, for example) can utilize L2/L3 transparency. Also, transparent ADN connections
that are tunneled but not handed off can utilize the functionality.
Note: IM is not supported with trust client addressing. In order to login and chat,
the default router must have Internet access. Other IM features require direct
connections, so static routes are required.

This feature is not user-configurable.

Using Static Routes
If you use an explicit proxy or layer-4 redirection deployment, or a Blue Coat feature such
as forwarding where the destination IP cannot be verified by the SG appliance, you can
use static routes.
A static route is a manually-configured route that specifies the transmission path a packet
must follow, based on the packet’s destination address. A static route specifies a
transmission path to another network, and a default static route already exists.
Situations in which static routes are used include:


DNS load balancing. Sites that use DNS load balancing and return a single IP address
cause a mismatch between the IP address provided by the client and the IP address
resolved by the SG appliance.



Anywhere that appropriate client-side routing information is unavailable, such as for
forwarding hosts, dynamic categorization, and ADN peers.
Note:

For bridged deployments, transparent routing, in most cases, overrides any
static route lookups.
The routing table is a text file containing a list of IP addresses, subnet masks, and
gateways. You are limited to 10,000 entries in the static routes table. The following is a
sample router table:
10.25.36.0
10.25.37.0
10.25.38.0

255.255.255.0
255.255.255.0
255.255.255.0

10.25.36.1
10.25.37.1
10.25.38.1

When a routing table is installed, all requested URLs are compared to the list and routed
based on the best match.

63

Volume 2: Getting Started

You can install the routing table several ways.


Using the Text Editor, which allows you to enter settings (or copy and paste the
contents of an already-created file) directly onto the appliance.



Creating a local file on your local system; the SG appliance can browse to the file and
install it.



Using a remote URL, where you place an already-created file on an FTP or HTTP
server to be downloaded to the SG appliance.



Using the CLI inline static-route-table command, which allows you to paste a
static route table into the SG appliance.



Using the CLI static-routes command, which requires that you place an alreadycreated file on an FTP or HTTP server and enter the URL into the SG appliance.

Note: If you upgrade to SGOS 5.x from SGOS 4.x, entries from the central and local
bypass lists are converted to static route entries in the static route table. The converted
static route entries are appended after the existing static route entries. Duplicate static
route entries are silently ignored.

All traffic leaving the SG appliance is affected by the static route entries created from the
SGOS 4.x bypass lists.

Installing a Routing Table
To install a routing table:
1.
2.

Select Configuration > Network > Routing > Routing.
From the drop-down list, select the method used to install the routing table; click
Install.



Remote URL:
Enter the fully-qualified URL, including the filename, where the routing table is
located. To view the file before installing it, click View. Click Install. To view the
installation results, click Results; close the window when you are finished. Click
OK.



Local File:
Click Browse to bring up the Local File Browse window. Browse for the file on the
local system. Open it and click Install. When the installation is complete, a results
window opens. View the results and close the window.



Text Editor:
The current configuration is displayed in installable list format. You can
customize it or delete it and create your own. Click Install. When the installation is
complete, a results window opens. View the results, close this window, and click
Close.

3.

Select Apply to commit the changes to the SG appliance.

Related CLI Syntax to Install a Routing Table
To install a routing table, you can use the inline command to install the table directly, or
enter a path to a remote URL that has an already-created text file ready to download.

64

Chapter 8: Gateways



To paste a static route table directly into the CLI:
SGOS#(config) inline static-route-table end-of-file_marker
paste static routing table
eof
ok



To enter the static route table manually:
SGOS#(config) inline static-route-table end-of-file_marker
10.25.36.0
255.255.255.0
10.25.46.57
10.25.37.0
255.255.255.0
10.25.46.58
10.25.38.0
255.255.255.0
10.25.46.59
eof
ok



To enter a path to a remote URL:
SGOS#(config) static-routes path url
SGOS#(config) load static-route-table

Notes


Any deployment that causes traffic to traverse the link from the SG appliance to the
home router twice is not supported. Some WCCP configurations might not work as
expected.



If you use URL host rewrite functionality in your policies, mismatches can occur
between the client-provided IP address and the resolved, rewritten hostname. In these
cases, static routing is used.

65

Volume 2: Getting Started

66

Chapter 9: DNS

During first-time installation of the SG appliance, you configured the IP address of a
single primary Domain Name Service (DNS) server. Using the Configuration > Network
> DNS tab, you can change this primary DNS server at any time, and you can also
define additional primary DNS servers and one or more alternate DNS servers.
This chapter discusses:


“SG Appliance Specifics”



“Configuring Split DNS Support” on page 68



“Changing the Order of DNS Servers” on page 69



“Unresolved Hostnames (Name Imputing)” on page 70



“Changing the Order of DNS Name Imputing Suffixes” on page 70



“Caching Negative Responses” on page 70

SG Appliance Specifics
If you have defined more than one DNS server, the SGOS software uses the following
logic to determine which servers are used to resolve a DNS host name and when to
return an error to the client:


SGOS first sends requests to DNS servers in the primary DNS server list.



Servers are always contacted in the order in which they appear in a list.



The next server in a list is only contacted if the SG appliance does not receive a
response from the current server.



If none of the servers in a list returns a response, the SG appliance returns an error
to the client.



The SG appliance only sends requests to servers in the alternate DNS server list if a
server in the primary list indicates that a DNS host name cannot be resolved.
If a DNS server returns any other error (other than an indication that a DNS host
name could not be resolved), the SG appliance returns the error to the client.
If a server in both the primary and alternate DNS server lists are unable to resolve a
DNS host name, an error is returned to the client.

The SG appliance always attempts to contact the first server in the primary DNS server.
If a response is received from this server, no attempts are made to contact any other
DNS servers in the primary list.
If the response from the first primary DNS server indicates a name error, the SG
appliance sends a DNS request to the first alternate DNS server, if one is defined. If no
alternate DNS servers have been defined, an error is returned to the client indicating a
name error. If the first alternate DNS server is unable to resolve the IP address, a name
error is returned to the client, and no attempt is made to contact any other DNS servers
in either the primary or alternate DNS server lists.

67

Volume 2: Getting Started

Unresolved Hostnames (Name Imputing)
Name imputing allows the SG appliance to resolve host names based on a partial name
specification. When the SG appliance submits a host name to the DNS server, the DNS
server resolves the name to an IP address. The SG appliance queries the original hostname
before checking imputing entries unless there is no period in the host name, in which case
imputing is applied first. The SG appliance tries each entry in the name-imputing list until
the name is resolved or it comes to the end of the list. If by the end of the list the name is
not resolved, the SG appliance returns a DNS failure.
For example, if the name-imputing list contains the entries company.com and com, and a
user submits the URL http://www.eedept, the SG appliance resolves the host names in
the following order.
http://www.eedept
http://www.eedept.company.com
http://www.eedept.com

To add names to the imputing list:
1.

Select Configuration > Network > DNS > Imputing.
The Imputing tab displays.

2.

Click New to add a new name to the imputing list.

3.

Enter the name in the dialog that appears and click OK.

4.

Select Apply to commit the changes to the SG appliance.

Related CLI Syntax to Add Names to the Imputing List
To add names to the imputing list:
SGOS#(config) dns imputing suffix

For example, to use company.com as the imputing suffix, enter dns-imputing
company.com.
Repeat until all imputing suffixes have been entered.

Changing the Order of DNS Name Imputing Suffixes
The SG appliance uses imputing suffixes in the order displayed. You can organize the list
of suffixes so the preferred suffix appears at the top of the list. This functionality is only
available through the Management Console. You cannot configure it through the CLI.
To change the order of DNS name imputing suffixes:
1.

Select Configuration > Network > DNS > Imputing.
The Imputing tab displays.

2.

Select the imputing suffix to promote or demote.

3.

Click Promote entry or Demote entry as appropriate.

4.

Select Apply to commit the changes to the SG appliance.

Caching Negative Responses
By default, the SG appliance caches negative DNS responses sent by a DNS server. You
can configure the SG appliance to set the time-to-live (TTL) value for a negative DNS
response to be cached. You can also disable negative DNS response caching.

70

Chapter 9: DNS

Note: The SG appliance generates more DNS requests when negative caching is

disabled.
The SG appliance supports caching of both type A and type PTR DNS negative responses.
This functionality is only available through the CLI. You cannot configure DNS negative
caching through the Management Console.
To configure negative caching TTL values:
From the (config) prompt:
SGOS#(config) dns negative-cache-ttl-override seconds

where seconds is any integer between 0 and 600.
Setting the TTL value to 0 seconds disables negative DNS caching; setting the TTL setting
to a non-zero value overrides the TTL value from the DNS response.
To restore negative caching defaults:
From the (config) prompt):
SGOS#(config) dns no negative-cache-ttl-override

71

Volume 2: Getting Started

72

Appendix A: Glossary

Term

Description

ADN Optimize Attribute

Controls whether to optimize bandwidth usage when connecting upstream using an
ADN tunnel.

Asynchronous Adaptive

This allows the ProxySG to keep cached objects as fresh as possible, thus reducing
response times. The AAR algorithm allows HTTP proxy to manage cached objects
based on their rate of change and popularity: an object that changes frequently and/
or is requested frequently is more eligible for asynchronous refresh compared to an
object with a lower rate of change and/or popularity.

Refresh (AAR)

Asynchronous Refresh
Activity

Refresh activity that does not wait for a request to occur, but that occurs
asynchronously from the request.

Attributes (Service)

The service attributes define the parameters, such as explicit or transparent,
cipher suite, and certificate verification, that the ProxySG uses for a
particular service. .

Authenticate-401 Attribute

All transparent and explicit requests received on the port always use transparent
authentication (cookie or IP, depending on the configuration). This is especially
useful to force transparent proxy authentication in some proxy-chaining scenarios

authentication

The process of identifying a specific user.

authorization

The permissions given to a specific user.

Bandwidth Gain

A measure of the difference in client-side and server-side Internet traffic expressed in
relation to server-side Internet traffic. It is managed in two ways: you can enable or
disable bandwidth gain mode or you can select the Bandwidth Gain profile (this also
enables bandwidth gain mode)..

Bandwidth Class

A defined unit of bandwidth allocation. An administrator uses bandwidth classes to
allocate bandwidth to a particular type of traffic flowing through the ProxySG.

Bandwidth Class Hierarchy

Bandwidth classes can be grouped together in a class hierarchy, which is a tree
structure that specifies the relationship among different classes. You create a
hierarchy by creating at least one parent class and assigning other classes to be its
children.

Bandwidth Policy

The set of rules that you define in the policy layer to identify and classify the traffic in
the ProxySG, using the bandwidth classes that you create. You must use policy
(through either VPM or CPL) in order to manage bandwidth.

Bypass Lists

The bypass list allows you to exempt IP addresses from being proxied by the
ProxySG. The bypass list allows either or a specific IP prefix entry for

both the client and server columns. Both UDP and TCP traffic is
automatically exempted.

73

Volume 2: Getting Started

Term

Description

Byte-Range Support

The ability of the ProxySG to respond to byte-range requests (requests with a
Range: HTTP header).

Cache-hit

An object that is in the ProxySG and can be retrieved when an end user requests the
information.

Cache-miss

An object that can be stored but has never been requested before; it was not in the
ProxySG to start, so it must be brought in and stored there as a side effect of
processing the end-user's request. If the object is cacheable, it is stored and served the
next time it is requested.

Child Class (Bandwidth
Gain)

The child of a parent class is dependent upon that parent class for available
bandwidth (they share the bandwidth in proportion to their minimum/maximum
bandwidth values and priority levels). A child class with siblings (classes with the
same parent class) shares bandwidth with those siblings in the same manner.

Client consent certificates

A certificate that indicates acceptance or denial of consent to decrypt an end user's
HTTPS request.

Compression

An algorithm that reduces a file’s size but does not lose any data. The ability to
compress or decompress objects in the cache is based on policies you create.
Compression can have a huge performance benefit, and it can be customized based
on the needs of your environment: Whether CPU is more expensive (the default
assumption), server-side bandwidth is more expensive, or whether client-side
bandwidth is more expensive.

Default Proxy Listener

See “ Proxy Service (Default)” .

Detect Protocol Attribute

Detects the protocol being used. Protocols that can be detected include:
HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper.

Directives

Directives are commands that can be used in installable lists to configure forwarding.
See also forwarding Configuration.

Display Filter

The display filter is a drop-down list at the top of the Proxy Services pane that allows
you to view the created proxy services by service name or action.

Early Intercept Attribute

Controls whether the proxy responds to client TCP connection requests before
connecting to the upstream server. When early intercept is disabled, the proxy delays
responding to the client until after it has attempted to contact the server.

Emulated Certificates

Certificates that are presented to the user by ProxySG when intercepting
HTTPS requests. Blue Coat emulates the certificate from the server and signs
it, copying the subjectName and expiration. The original certificate is used
between the ProxySG and the server.

ELFF-compatible format

A log type defined by the W3C that is general enough to be used with any protocol.

Encrypted Log

A log is encrypted using an external certificate associated with a private key.
Encrypted logs can only be decrypted by someone with access to the private key. The
private key is not accessible to the ProxySG.

74

Appendix A: Glossary

Term

Description

explicit proxy

A configuration in which the browser is explicitly configured to communicate with
the proxy server for access to content.
This is the default for the ProxySG, and requires configuration for both browser and
the interface card.

Fail Open/Closed

Failing open or closed applies to forwarding hosts and groups and SOCKS gateways.
Fail Open/Closed applies when the health checks are showing sick for each
forwarding or SOCKS gateway target in the applicable fail-over sequence. If no
systems are healthy, the ProxySG fails open or closed, depending on the
configuration. If closed, the connection attempt simply fails.
If open, an attempt is made to connect without using any forwarding target (or
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no
setting is specified.

Forwarding Configuration

Forwarding can be configured through the CLI or through adding directives to a text
file and installing it as an installable list. Each of these methods (the CLI or using
directives) is equal. You cannot use the Management Console to configure
forwarding.

Forwarding Host

Upstream Web servers or proxies.

forward proxy

A proxy server deployed close to the clients and used to access many servers. A
forward proxy can be explicit or transparent.

Freshness

A percentage that reflects the objects in the ProxySG cache that are expected to be
fresh; that is, the content of those objects is expected to be identical to that on the OCS
(origin content server).

Gateway

A device that serves as entrance and exit into a communications network.

Global Default Settings

You can configure settings for all forwarding hosts and groups. These are called the
global defaults. You can also configure private settings for each individual
forwarding host or group. Individual settings override the global defaults.

FTP

See Native FTP; Web FTP.

Host Affinity

Host affinity is the attempt to direct multiple connections by a single user to the same
group member. Host affinity is closely tied to load balancing behavior; both should
configured if load balancing is important.

Host Affinity Timeout

The host affinity timeout determines how long a user remains idle before the
connection is closed. The timeout value checks the user's IP address, SSL ID, or
cookie in the host affinity table.

Inbound Traffic (Bandwidth
Gain)

Network packets flowing into the ProxySG. Inbound traffic mainly consists of the
following:
• Server inbound: Packets originating at the origin content server (OCS) and sent to
the ProxySG to load a Web object.
• Client inbound: Packets originating at the client and sent to the ProxySG

for Web requests.

75

Volume 2: Getting Started

Term

Description

Installable Lists

Installable lists, comprised of directives, can be placed onto the ProxySG in one of
several methods: through creating the list through the ProxySG text editor, by
placing the list at an accessible URL, or by downloading the directives file from the
local system.

Integrated Host Timeout

An integrated host is an Origin Content Server (OCS) that has been added to the
health check list. The host, added through the integrate_new_hosts property,
ages out of the integrated host table after being idle for the specified time. The default
is 60 minutes.

IP Reflection

Determines how the client IP address is presented to the origin server for explicitly
proxied requests. All proxy services contain a reflect-ip attribute, which enables or
disables sending of client's IP address instead of the ProxySG's IP address.

Issuer keyring

The keyring that is used by the ProxySG to sign emulated certificates. The keyring is
configured on the ProxySG and managed through policy.

Listener

The service that is listening on a specific port. A listener can be identified by any

destination IP/subnet and port range. Multiple listeners can be added to
each service.
Load Balancing

The ability to share traffic requests among multiple upstream targets. Two methods
can be used to balance the load among systems: least-connections or roundrobin.

Log Facility

A separate log that contains a single logical file and supports a single log format. It
also contains the file’s configuration and upload schedule information as well as
other configurable information such as how often to rotate (switch to a new log) the
logs at the destination, any passwords needed, and the point at which the facility can
be uploaded.

Log Format

The type of log that is used: NCSA/Common, SQUID, ELFF, SurfControl, or
Websense.
The proprietary log types each have a corresponding pre-defined log format that has
been set up to produce exactly that type of log (these logs cannot be edited). In
addition, a number of other ELFF type log formats are also pre-defined (im, main,
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log
fields for logging particular protocols understood by the ProxySG. It is also possible
to create new log formats of type ELFF or Custom which can contain any desired
combination of log fields.

Log Tail:

The access log tail shows the log entries as they get logged. With high traffic on the
ProxySG, not all access log entries are necessarily displayed. However, you can view
all access log information after uploading the log.

Maximum Object Size

The maximum object size stored in the ProxySG. All objects retrieved that are greater
than the maximum size are delivered to the client but are not stored in the ProxySG.

NCSA common log format

A log type that contains only basic HTTP access information.

76

Appendix A: Glossary

Term

Description

Negative Responses

An error response received from the OCS when a page or image is requested. If the
ProxySG is configured to cache such negative responses, it returns that response in
subsequent requests for that page or image for the specified number of minutes. If it
is not configured, which is the default, the ProxySG attempts to retrieve the page or
image every time it is requested.

Native FTP

Native FTP involves the client connecting (either explicitly or transparently) using
the FTP protocol; the ProxySG then connects upstream through FTP (if necessary).

Outbound Traffic
(Bandwidth Gain)

Network packets flowing out of the ProxySG. Outbound traffic mainly consists of
the following:
• Client outbound: Packets sent to the client in response to a Web request.
• Server outbound: Packets sent to an OCS or upstream proxy to request a service.

Origin Content Server (OCS)
Parent Class (Bandwidth
Gain)

PASV

A class with at least one child. The parent class must share its bandwidth with its
child classes in proportion to the minimum/maximum bandwidth values or priority
levels.
Passive Mode Data Connections. Data connections initiated by an FTP client to

an FTP server.
proxy

Caches content, filters traffic, monitors Internet and intranet resource usage, blocks
specific Internet and intranet resources for individuals or groups, and enhances the
quality of Internet or intranet user experiences.
A proxy can also serve as an intermediary between a Web client and a Web server
and can require authentication to allow identity based policy and logging for the
client.
The rules used to authenticate a client are based on the policies you create on the
ProxySG, which can reference an existing security infrastructure—LDAP, RADIUS,
IWA, and the like.

Proxy Service

The proxy service defines the ports, as well as other attributes. that are used by the
proxies associated with the service.

Proxy Service (Default)

The default proxy service is a service that intercepts all traffic not otherwise
intercepted by other listeners. It only has one listener whose action can be set to
bypass or intercept. No new listeners can be added to the default proxy service, and
the default listener and service cannot be deleted. Service attributes can be changed.

realms

A realm is a named collection of information about users and groups. The name is
referenced in policy to control authentication and authorization of users for access to
Blue Coat Systems ProxySG services. Multiple authentication realms can be used on
a single ProxySG. Realm services include IWA, LDAP, Local, and RADIUS.

Reflect Client IP Attribute

Enables the sending of the client's IP address instead of the ProxySG's IP address to
the upstream server. If you are using an Application Delivery Network (ADN), this
setting is enforced on the concentrator proxy through the Configuration>App.
Delivery Network>Tunneling tab.

77

Volume 2: Getting Started

Term

Description

Refresh Bandwidth

The amount of bandwidth used to keep stored objects fresh. By default, the ProxySG
is set to manage refresh bandwidth automatically. You can configure refresh
bandwidth yourself, although Blue Coat does not recommend this.

reverse proxy

A proxy that acts as a front-end to a small number of pre-defined servers, typically to
improve performance. Many clients can use it to access the small number of
predefined servers.

rotate logs

When you rotate a log, the old log is no longer appended to the existing log, and a
new log is created. All the facility information (headers for passwords, access log
type, and so forth), is re-sent at the beginning of the new upload.
If you're using Reporter (or anything that doesn't understand the concept of "file,”
such as streaming) the upload connection is broken and then re-started, and, again,
the headers are re-sent.

serial console

A device that allows you to connect to the ProxySG when it is otherwise
unreachable, without using the network. It can be used to administer the ProxySG
through the CLI. You must use the CLI to use a serial console.
Anyone with access to the serial console can change the administrative access
controls, so physical security of the serial console is critical.

Server Certificate Categories

The hostname in a server certificate can be categorized by BCWF or another content
filtering vendor to fit into categories such as banking, finance, sports.

Sibling Class (Bandwidth
Gain)

A bandwidth class with the same parent class as another class.

SOCKS Proxy

A generic way to proxy TCP and UDP protocols. The ProxySG supports both
SOCKSv4/4a and SOCKSv5; however, because of increased username and password
authentication capabilities and compression support, Blue Coat recommends that
you use SOCKS v5..

SmartReporter log type

A proprietary ELFF log type that is compatible with the SmartFilter SmartReporter
tool.

Split proxy

Employs co-operative processing at the branch and the core to implement
functionality that is not possible in a standalone proxy. Examples of split
proxies include :
Mapi Proxy
SSL Proxy

SQUID-compatible format

A log type that was designed for cache statistics.

SSL

A standard protocol for secure communication over the network. Blue Coat
recommends using this protocol to protect sensitive information.

SSL Interception

Decrypting SSL connections.

SSL Proxy

A proxy that can be used for any SSL traffic (HTTPS or not), in either forward or
reverse proxy mode.

78

Appendix A: Glossary

Term

Description

static routes

A manually-configured route that specifies the transmission path a packet must
follow, based on the packet’s destination address. A static route specifies a
transmission path to another network.

SurfControl log type

A proprietary log type that is compatible with the SurfControl reporter tool. The
SurfControl log format includes fully-qualified usernames when an NTLM realm
provides authentication. The simple name is used for all other realm types.

Traffic Flow (Bandwidth
Gain)

Also referred to as flow. A set of packets belonging to the same TCP/UDP connection
that terminate at, originate at, or flow through the ProxySG. A single request from a
client involves two separate connections. One of them is from the client to the
ProxySG, and the other is from the ProxySG to the OCS. Within each of these
connections, traffic flows in two directions—in one direction, packets flow out of the
ProxySG (outbound traffic), and in the other direction, packets flow into the
ProxySG (inbound traffic). Connections can come from the client or the server. Thus,
traffic can be classified into one of four types:
• Server inbound
• Server outbound
• Client inbound
• Client outbound
These four traffic flows represent each of the four combinations described above.
Each flow represents a single direction from a single connection.

transparent proxy

A configuration in which traffic is redirected to the ProxySG without the knowledge
of the client browser. No configuration is required on the browser, but network
configuration, such as an L4 switch or a WCCP-compliant router, is required.

Variants

Objects that are stored in the cache in various forms: the original form, fetched from
the OCS; the transformed (compressed or uncompressed) form (if compression is
used). If a required compression variant is not available, then one might be created
upon a cache-hit. (Note: policy-based content transformations are not stored in the
ProxySG.)

Web FTP

Web FTP is used when a client connects in explicit mode using HTTP and
accesses an ftp:// URL. The ProxySG translates the HTTP request into an
FTP request for the OCS (if the content is not already cached), and then
translates the FTP response with the file contents into an HTTP response for
the client.

Websense log type

A proprietary log type that is compatible with the Websense reporter tool.

Wildcard Services

When multiple non-wildcard services are created on a port, all of them must be of the
same service type (a wildcard service is one that is listening for that port on all IP
addresses). If you have multiple IP addresses and you specify IP addresses for a port
service, you cannot specify a different protocol if you define the same port on another
IP address. For example, if you define HTTP port 80 on one IP address, you can only
use the HTTP protocol on port 80 for other IP addresses.
Also note that wildcard services and non-wildcard services cannot both exist at the
same time on a given port.
For all service types except HTTPS, a specific listener cannot be posted on a port if
the same port has a wildcard listener of any service type already present.

79

Volume 2: Getting Started

80

Index

A
administrator
read-only and read-write access 19

B
Blue Coat SG
DNS server 67
read-only and read-write access 19
realm name, changing 24
realm name, changing through CLI 24
subnet mask for 43
time, configuring 28
timeout, changing 25
bridging
about 49
bandwidth management 54
configuring
failover 54
software bridge 51
interface settings for 46
loop detection 56
pass-through card 51
prerequisites 51
static forwarding table 58
browser
accessing the Management Console with 20

C
CLI
accessing 20
configuration
sharing between systems 33
configuration mode, understanding 19
console account
tab in Management Console 22
console password, see password

D
DNS
adding alternate server 69
adding primary 68
negative caching, disabling 71
negative caching, enabling 71

understanding 67
DNS servers
addresses, specifying 67
changing name imputing order 70
changing order 69
name imputing 70
document
conventions 7

E
enable mode, understanding 19

G
gateways
load balancing 62
switching to secondary 62
understanding 61
using multiple default IP gateways 61
global configurations 27

H
HTTP
persistent timeout, setting 31
receive timeout, setting 31
timeout, configuring 30

I
imputing
adding names 70
changing suffix order 70
definition of 70
see also DNS 67
understanding 70
inbound connections, rejecting 46

L
licensing
about 9
components 9
expiration 11
trial period 10
updating 17
link settings 47

81

Volume 2: Getting Started

load balancing
gateways 62
using multiple default IP gateways 61
login parameters 21

M
Management Console
accessing 20
changing username and passwords in 22
console account 22
home page 21
logging in 21
logging out 21
message URL https
//services.bluecoat.com/eservice_enu/licensing
/mgr.cgi 18
modes, understanding 19

N
name imputing, see imputing
name, configuring 27
negative caching
disabling for DNS responses 71
enabling for DNS responses 71
network adapter
advanced configuration 46
link faults 47
link settings 47
rejecting inbound connections 46
Network Time Protocol server, see NTP
NTP
adding server 29
server order, changing 30
time server, definition of 28
understanding 29

P
password
changing 22
default for 22
see also privileged-mode password
privilege (enabled) mode, understanding 19
privileged-mode password
changing 22
default for 22

proxies
setting up 7

R
read-only access in Blue Coat SG 19
read-write access in Blue Coat SG 19
realm
name, changing 24
timeout, changing 25
routes
static 63
static, installing 64
transparent 62
routing
static routes 63

S
static routes
loading 70
table, 69
table, installing 68
static routes, using 63
subnet mask, configuring 43

T
time, configuring in the Blue Coat SG 28
timeout
HTTP, configuring 30
timeout, realm, changing 25

U
Universal Time Coordinates, see UTC
username
changing 22
default for 22
UTC time 28

V
Virtual LAN
about 39
adapter configuration 42
deployment 41
native 40
trunk 40

W
Web interface, definition of 20

82

Document Path: ["138-blue-coat-instruction-sg.pdf"]

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh