Name: ProxySG

Text: Blue Coat® Systems
ProxySG™

Configuration and Management Guide

Version SGOS 4.2.3

Blue Coat ProxySG Configuration and Management Guide

Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contact.html
bcs.info@bluecoat.com
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com
Copyright© 1999-2006 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxySG™, ProxyAV™, CacheOS™, SGOS™,
Spyware Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and
CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The
Ultimate Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat
Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Document Number: 231-02778
Document Revision: SGOS 4.2.3 10/2006
For concerns or feedback about the documentation: documentation@bluecoat.com

ii

Third Party Copyright Notices

Blue Coat Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in
the copyright notices below.
The following lists the copyright notices for:
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above
copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety
in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display
the following acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific
prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim Gillogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the
Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
ISODE
ISODE 8.0 NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the Preface in the User's
Manual for the full terms of this agreement.
4BSD/ISODE SMP NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-READ-ME.
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5
Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular
purpose. It is provided "as is" without express or implied warranty of any kind.
THE BEER-WARE LICENSE" (Revision 42):
> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet
some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
Microsoft Windows Media Streaming
Copyright (c) 2003 Microsoft Corporation. All rights reserved.
Novell and eDirectory are [either] registered trademarks [or] trademarks of Novell, Inc. in the United States and other countries.

Blue Coat ProxySG Configuration and Management Guide

LDAPSDK.DLL Copyright (c) 2006 Novell, Inc. All rights reserved.
LDAPSSL.DLL Copyright (c) 2006 Novell, Inc. All rights reserved.
LDAPX.DLL Copyright (c) 2006 Novell, Inc. All rights reserved.
The following are copyrights and licenses included as part of Novell's LDAP Libraries for C:
HSpencer
Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.
Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject
to the following restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in
the documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits
must appear in the documentation.
4. This notice may not be removed or altered.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright (c) 1994
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
@(#)COPYRIGHT

8.1 (Berkeley) 3/16/94

OpenLDAP
Copyright 1998,1999 The OpenLDAP Foundation, Redwood City, California, USA
All rights reserved.
Redistribution and use in source and binary forms are permitted only as authorized by the OpenLDAP Public License. A copy of this license is available at
http://www.OpenLDAP.org/license.html or in file LICENSE in the top-level directory of the distribution.
Individual files and/or contributed packages may be copyright by other parties and use subject to additional restrictions.
This work is derived from the University of Michigan LDAP v3.3 distribution. Information concerning is available at
http://www.umich.edu/~dirsvcs/ldap/ldap.html.
This work also contains materials derived from public sources.
Additional Information about OpenLDAP can be obtained at:
http://www.openldap.org/
or by sending e-mail to:
info@OpenLDAP.org
Portions Copyright (c) 1992-1996 Regents of the University of Michigan.
All rights reserved.
Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of
Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior
written permission. This software is provided ``as is'' without express or implied warranty.
The OpenLDAP Public License
Version 2.0.1, 21 December 1999
Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA.
All Rights Reserved.
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following
conditions are met:

iv

Third Party Copyright Notices

1. Redistributions of source code must retain copyright statements and notices. Redistributions must also contain a copy of this document.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The name "OpenLDAP" must not be used to endorse or promote products derived from this Software without prior written permission of the OpenLDAP
Foundation. For written permission, please contact foundation@openldap.org.
4. Products derived from this Software may not be called "OpenLDAP" nor may "OpenLDAP" appear in their names without prior written permission of the
OpenLDAP Foundation. OpenLDAP is a trademark of the OpenLDAP Foundation.
5. Due credit should be given to the OpenLDAP Project
(http://www.openldap.org/.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below
for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License
--------------====================================================================
Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written
permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the
OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
====================================================================
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
Original SSLeay License
----------------------Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code
found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered
by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should
be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online
or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

v

Blue Coat ProxySG Configuration and Management Guide

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)"
The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement:
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and
put under another distribution licence [including the GNU Public Licence.]
[end of copyrights and licenses for Novell's LDAP Libraries for C]
OpenLDAP
Copyright (c) 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim
copies of this document is granted.
http://www.openldap.org/software/release/license.html
The OpenLDAP Public License Version 2.7, 7 September 2001
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the
documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under
terms of this license revision or under the terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF
THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software
without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
OpenSSH
Copyright (c) 1995 Tatu Ylonen , Espoo, Finland. All rights reserved
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a
licence more free than that.
OpenSSH contains no GPL code.
1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly
marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure
Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my
direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose
(the GNU license being the most restrictive); see below for details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed
from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included

vi

Third Party Copyright Notices

- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific
library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for
any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any
responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE
PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER
OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without
modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky
3) ssh-keygen was contributed by David Mazieres under a BSD-style license.
Copyright 1995, 1996 by David Mazieres . Modification and redistribution in source and binary forms is permitted provided that due credit
is given to the author and the OpenBSD project by leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen
@author Antoon Bosselaers
@author Paulo Barreto
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original
Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

vii

Blue Coat ProxySG Configuration and Management Guide

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
http://www.openssl.org/about/
http://www.openssl.org/about/
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson .
The OpenSSL toolkit is licensed under a Apache-style license which basically means that you are free to get and use it for commercial and non-commercial
purposes.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code
found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered
by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should
be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online
or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic
software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic
related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This
product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and
put under another distribution license [including the GNU Public License.]
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

viii

Third Party Copyright Notices

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written
permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the
OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following restrictions:
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the
University of Cambridge, England.
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PHAOS SSLava and SSLavaThin
Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved.
The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the design and development of
which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. The software
and any portions or copies thereof shall at all times remain the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION ALONE OR IN COMBINATION WITH
ANY OTHER SOFTWARE.
PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR
SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES, EVEN IF ADVISED OF THE POSSIBLITY OF SUCH DAMAGES.
RealSystem
The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All rights reserved.
SNMP
Copyright (C) 1992-2001 by SNMP Research, Incorporated.
This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the inclusion of the above
copyright notice. This software or any other copies thereof may not be provided or otherwise made available to any other person. No title to and ownership of
the software is hereby transferred. The information in this software is subject to change without notice and should not be construed as a commitment by
SNMP Research, Incorporated.
Restricted Rights Legend:
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted Rights Clause, FAR 52.227-19; and in
similar clauses in the NASA FAR Supplement and other corresponding governmental regulations.
PROPRIETARY NOTICE
This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law. Unauthorized copying,
redistribution or other use of this work is prohibited. The above notice of copyright on this source code product does not indicate any actual or intended
publication of such source code.
STLport
Copyright (c) 1999, 2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to
modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with
the above copyright notice.

ix

Blue Coat ProxySG Configuration and Management Guide

The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.
Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon
Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow
Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
Trend Micro
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved.
zlib
Copyright (c) 2003 by the Open Source Initiative
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of
this software.
ICU License - ICU 1.8.1 and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1995-2003 International Business Machines Corporation and
others All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission
notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE
SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO
EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT
OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to
promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder

x

Contents
Contact Information
Chapter 1: Introducing the ProxySG
Web Security Solution ......................................................................................................................................25
New Features in this Release ...........................................................................................................................30
Protocols Supported..........................................................................................................................................32
Supported Browsers..........................................................................................................................................32
Upgrade and Upgrade Behavior.....................................................................................................................32
Where to Go From Here ...................................................................................................................................32
About the Document Organization ................................................................................................................39
Related Blue Coat Documentation..................................................................................................................41
Document Conventions....................................................................................................................................41
Chapter 2: Licensing
About Licensing.................................................................................................................................................43
Licensable Components....................................................................................................................................43
About the Trial Period ......................................................................................................................................44
About License Expiration.................................................................................................................................45
Obtaining a WebPower Account.....................................................................................................................46
Registering the Hardware ................................................................................................................................46
Installing a License Key File ............................................................................................................................47
Viewing License Information ..........................................................................................................................51
Updating a License............................................................................................................................................52
Automatically Updating a License .................................................................................................................52
Chapter 3: Accessing the ProxySG
Before You Begin: Understanding Modes .....................................................................................................55
Accessing the ProxySG .....................................................................................................................................56
Accessing the Management Console Home Page ........................................................................................57
Changing the Logon Parameters.....................................................................................................................59
Configuring the SSH Console..........................................................................................................................63
Chapter 4: Configuring the System
Section A: Global Configurations
Configuring the ProxySG Name .....................................................................................................................70
Configuring the Serial Number.......................................................................................................................70
Configuring the System Time..........................................................................................................................71
Network Time Protocol ....................................................................................................................................73
Section B: Archive Configuration
Sharing Configurations ....................................................................................................................................76
Troubleshooting.................................................................................................................................................81

xi

Blue Coat ProxySG Configuration and Management Guide

Section C: Adapters
Configuring an Adapter................................................................................................................................... 82
Section D: Software and Hardware Bridges
Setting Bandwidth Management for Bridging ............................................................................................. 88
Configuring a Software Bridge ....................................................................................................................... 89
Section E: Gateways
Switching to a Secondary Gateway ................................................................................................................ 95
Defining Static Routes ...................................................................................................................................... 96
Section F: Using RIP
Installing RIP Configuration Files ................................................................................................................ 101
Configuring Advertising Default Routes .................................................................................................... 105
Section G: DNS Servers
Configuring Split DNS Support.................................................................................................................... 107
Changing the Order of DNS Servers............................................................................................................ 108
Unresolved Hostnames (Name Imputing).................................................................................................. 109
Changing the Order of DNS Name Imputing Suffixes ............................................................................. 109
Section H: Attack Detection
Section I: Using a Bypass List
Section J: Installing WCCP Settings
Section K: Virtual IP Addresses
Section L: Configuring Failover
Configuring Failover ...................................................................................................................................... 134
Section M: Configuring the ProxySG as a Session Monitor
Creating the CPL ............................................................................................................................................. 141
Section N: TCP/IP Configuration
Chapter 5: Managing Port Services
Section A: Managing Multiple Management Consoles
Managing the HTTPS Console (Secure Console) ....................................................................................... 148
Managing the HTTP Console ........................................................................................................................ 151
Managing the SSH Console ........................................................................................................................... 152
Managing the Telnet Console........................................................................................................................ 153
Section B: Creating and Editing Services
About Service Attributes................................................................................................................................ 157
Managing the DNS Proxy .............................................................................................................................. 158
Managing the Endpoint Mapper Proxy....................................................................................................... 161
Managing the FTP Service ............................................................................................................................. 162
Managing HTTP Services .............................................................................................................................. 164
Managing the HTTPS Reverse Proxy........................................................................................................... 165
Managing Instant Messaging Protocols....................................................................................................... 168
Managing Streaming Protocols ..................................................................................................................... 169

xii

Contents

Managing SOCKS Services ............................................................................................................................ 170
Managing TCP Tunneling Services .............................................................................................................. 171
Managing the Telnet Shell Proxy Service .................................................................................................... 173
Chapter 6: Configuring Proxies
About Explicit and Transparent Proxy ........................................................................................................ 177
Section A: Configuring Explicit Proxies
Creating an Explicit Proxy Server................................................................................................................. 179
Configuring the FTP Proxy............................................................................................................................ 181
Configuring FTP Connection Welcome Banners........................................................................................ 186
Managing HTTP Proxy .................................................................................................................................. 187
Understanding HTTP Terms ......................................................................................................................... 189
Configuring Refresh Bandwidth for the HTTP Proxy............................................................................... 191
Setting Default HTTP Proxy Policy .............................................................................................................. 192
Choosing the HTTP Proxy Profile ................................................................................................................ 196
Configuring HTTP for Bandwidth Gain...................................................................................................... 204
Viewing HTTP Settings through the CLI .................................................................................................... 206
Understanding HTTP Compression............................................................................................................. 207
Troubleshooting HTTP Proxy Issues ........................................................................................................... 216
Configuring a SOCKS Proxy ......................................................................................................................... 219
Understanding Shell Proxies ......................................................................................................................... 225
Configuring an SSL Proxy ............................................................................................................................. 231
Advanced Topics............................................................................................................................................. 249
Section B: Transparent Proxies
Configuring the Transparent Proxy Hardware .......................................................................................... 255
Understanding IP Forwarding...................................................................................................................... 257
Creating a Transparent Proxy Service ......................................................................................................... 258
Chapter 7: Using Secure Services
Section A: HTTPS Reverse Proxy Overview
Public Keys and Private Keys........................................................................................................................ 262
Certificates........................................................................................................................................................ 262
Keyrings............................................................................................................................................................ 264
Cipher Suites Supported by SGOS ............................................................................................................... 264
Server Gated Cryptography and International Step-Up ........................................................................... 265
Understanding SSL Client ............................................................................................................................. 265
Section B: Configuring HTTPS Reverse Proxy
Creating a Keyring .......................................................................................................................................... 267
Deleting an Existing Keyring and Certificate ............................................................................................. 271
Managing Certificate Signing Requests....................................................................................................... 272
Managing Server (SSL) Certificates.............................................................................................................. 275
Using Certificate Revocation Lists ............................................................................................................... 282
Troubleshooting Certificate Problems ......................................................................................................... 286

xiii

Blue Coat ProxySG Configuration and Management Guide

Section C: Managing the SSL Client
Creating an SSL Client.................................................................................................................................... 287
Associating a Keyring and Protocol with the SSL Client .......................................................................... 288
Setting the SSL Negotiation Timeout ........................................................................................................... 292
Section D: Configuring HTTP or HTTPS Origination to the Origin Content Server
Creating Policy for HTTP and HTTPS Origination ................................................................................... 295
Section E: Advanced Configuration
Importing an Existing Keypair and Certificate........................................................................................... 296
About Certificate Chains................................................................................................................................ 298
Importing a CA Certificate ............................................................................................................................ 299
Creating CA Certificate Lists......................................................................................................................... 302
Chapter 8: Security and Authentication
Section A: Controlling Access to the ProxySG
Limiting Access to the ProxySG Appliance ................................................................................................ 307
About Password Security............................................................................................................................... 308
Limiting User Access to the ProxySG—Overview..................................................................................... 309
Moderate Security: Restricting Management Console Access Through the Console Access Control List
(ACL) ........................................................................................................................................................ 311
Maximum Security: Administrative Authentication and Authorization Policy ................................... 313
Section B: Controlling Access to the Internet and Intranet
Using Authentication and Proxies................................................................................................................ 319
Using SSL with Authentication and Authorization Services ................................................................... 325
Creating a Proxy Layer to Manage Proxy Operations............................................................................... 325
Chapter 9: Using Authentication Services
Understanding Realms................................................................................................................................... 335
SSL Between the ProxySG and the Authentication Server ....................................................................... 335
Section A: IWA Realm Authentication and Authorization
How Blue Coat Works with IWA ................................................................................................................. 337
Creating an IWA Realm ................................................................................................................................ 337
IWA Servers ..................................................................................................................................................... 338
Defining IWA Realm General Properties .................................................................................................... 340
Creating the CPL ............................................................................................................................................. 343
Notes ................................................................................................................................................................. 344
Section B: Windows Single Sign-on Authentication
How Windows SSO Realms Work ............................................................................................................... 345
Creating a Windows SSO Realm ................................................................................................................. 347
Windows SSO Agents..................................................................................................................................... 348
Configuring Authorization............................................................................................................................ 349
Defining Windows SSO Realm General Properties ................................................................................... 350
Modifying the sso.ini File for Windows SSO Realms ................................................................................ 352
Creating the CPL ............................................................................................................................................. 354
Notes ................................................................................................................................................................. 354

xiv

Contents

Section C: LDAP Realm Authentication and Authorization
Overview .......................................................................................................................................................... 356
Creating an LDAP Realm .............................................................................................................................. 357
LDAP Servers .................................................................................................................................................. 358
Defining LDAP Base Distinguished Names ............................................................................................... 362
LDAP Search & Groups Tab (Authorization and Group Information) .................................................. 365
Customizing LDAP Objectclass Attribute Values...................................................................................... 368
Defining LDAP General Realm Properties.................................................................................................. 370
Creating the CPL ............................................................................................................................................. 371
Section D: Novell Single Sign-on Authentication and Authorization
How Novell SSO Realms Work .................................................................................................................... 374
Creating a Novell SSO Realm ....................................................................................................................... 375
Novell SSO Agents.......................................................................................................................................... 375
Adding LDAP Servers to Search and Monitor ........................................................................................... 377
Querying the LDAP Search Realm ............................................................................................................... 379
Configuring Authorization............................................................................................................................ 380
Defining Novell SSO Realm General Properties ........................................................................................ 382
Modifying the sso.ini File for Novell SSO Realms ..................................................................................... 383
Creating the CPL ............................................................................................................................................. 384
Notes ................................................................................................................................................................. 384
Section E: RADIUS Realm Authentication and Authorization
Creating a RADIUS Realm............................................................................................................................. 385
Defining RADIUS Realm Properties ............................................................................................................ 387
Defining RADIUS Realm General Properties ............................................................................................. 388
Creating the Policy.......................................................................................................................................... 391
Troubleshooting .............................................................................................................................................. 393
Section F: Local Realm Authentication and Authorization
Creating a Local Realm .................................................................................................................................. 395
Changing Local Realm Properties ................................................................................................................ 396
Defining the Local User List .......................................................................................................................... 398
Creating the CPL ............................................................................................................................................. 405
Section G: Certificate Realm Authentication
How Certificate Realm Works ...................................................................................................................... 406
Creating a Certificate Realm.......................................................................................................................... 407
Defining a Certificate Realm ......................................................................................................................... 408
Defining Certificate Realm General Properties .......................................................................................... 409
Revoking User Certificates ............................................................................................................................ 411
Creating the Certificate Authorization Policy ............................................................................................ 411
Tips.................................................................................................................................................................... 412
Section H: Netegrity SiteMinder
Understanding SiteMinder Interaction with Blue Coat ............................................................................ 414
Participating in a Single Sign-On (SSO) Scheme ........................................................................................ 416
Creating a SiteMinder Realm ....................................................................................................................... 418

xv

Blue Coat ProxySG Configuration and Management Guide

Configuring SiteMinder Servers ................................................................................................................... 421
Defining SiteMinder Server General Properties......................................................................................... 424
Creating the CPL ............................................................................................................................................. 428
Section I: Oracle COREid
Understanding COREid Interaction with Blue Coat ................................................................................. 429
Configuring the COREid Access System..................................................................................................... 429
Additional COREid Configuration Notes ................................................................................................... 430
Configuring the ProxySG Realm .................................................................................................................. 430
Participating in a Single Sign-On (SSO) Scheme ........................................................................................ 431
Creating a COREid Realm ............................................................................................................................. 432
Configuring Agents ........................................................................................................................................ 433
Configuring the COREid Access Server ...................................................................................................... 435
Configuring the General COREid Settings.................................................................................................. 437
Creating the CPL ............................................................................................................................................. 439
Section J: Policy Substitution Realm
How Policy Substitution Realms Work ....................................................................................................... 441
Creating a Policy Substitution Realm .......................................................................................................... 444
Configuring User Information ...................................................................................................................... 445
Creating a List of Users to Ignore ................................................................................................................. 448
Configuring Authorization............................................................................................................................ 450
Defining Policy Substitution Realm General Properties ........................................................................... 450
Notes ................................................................................................................................................................. 452
Creating the Policy Substitution Policy ....................................................................................................... 453
Section K: Sequence Realm Authentication
Adding Realms to a Sequence Realm........................................................................................................... 454
Creating a Sequence Realm ........................................................................................................................... 455
Adding Realms to a Sequence Realm........................................................................................................... 456
Defining Sequence Realm General Properties ........................................................................................... 457
Tips.................................................................................................................................................................... 459
Section L: Forms-Based Authentication
Understanding Authentication Forms......................................................................................................... 460
Creating and Editing a Form......................................................................................................................... 464
Setting Storage Options.................................................................................................................................. 470
Using CPL with Forms-Based Authentication............................................................................................ 472
Tips and Boundary Conditions..................................................................................................................... 473
Section M: Managing the Credential Cache
Notes ................................................................................................................................................................. 475
Chapter 10: Bandwidth Management
Bandwidth Management Terms ................................................................................................................... 477
Bandwidth Management Overview............................................................................................................. 478
Configuring Bandwidth Allocation.............................................................................................................. 483
Using Policy to Manage Bandwidth............................................................................................................. 488

xvi

Contents

Chapter 11: External Services
Section A: ICAP
Supported ICAP Servers ................................................................................................................................ 500
ICAP v1.0 Features.......................................................................................................................................... 500
About Content Scanning ................................................................................................................................ 501
Installing the ICAP Server ............................................................................................................................. 503
Creating an ICAP Service .............................................................................................................................. 503
Deleting an ICAP Service............................................................................................................................... 507
Customizing ICAP Patience Text ................................................................................................................. 508
Creating ICAP Policy...................................................................................................................................... 513
Managing Virus Scanning.............................................................................................................................. 518
Access Logging................................................................................................................................................ 519
References......................................................................................................................................................... 520
Section B: Websense
Creating a Websense Service......................................................................................................................... 521
Deleting a Websense Service ......................................................................................................................... 523
Section C: Service Groups
Creating a Service Group............................................................................................................................... 525
Deleting a Service Group or Group Entry................................................................................................... 527
About Weighted Load Balancing.................................................................................................................. 528
Section D: Displaying External Service and Group Information
Chapter 12: Health Checks
About General Health Checks....................................................................................................................... 533
Configuring Service-Specific Health Checks .............................................................................................. 534
About Global Forwarding and SOCKS Gateway Health Checks ............................................................ 538
Configuring Global Health Checks .............................................................................................................. 538
Pausing or Resuming Global Health Checking .......................................................................................... 539
Chapter 13: Managing Policy Files
About Policy Files ........................................................................................................................................... 541
Creating and Editing Policy Files ................................................................................................................. 544
Managing the Central Policy File ................................................................................................................. 549
Viewing Policy Files ....................................................................................................................................... 551
Chapter 14: The Visual Policy Manager
Section A: About the Visual Policy Manager
System Requirements ..................................................................................................................................... 557
Launching the Visual Policy Manager ......................................................................................................... 558
About the Visual Policy Manager User Interface ....................................................................................... 559
About VPM Components............................................................................................................................... 561
The Set Object Dialog ..................................................................................................................................... 564
The Add/Edit Object Dialog ......................................................................................................................... 566
Online Help...................................................................................................................................................... 566

xvii

Blue Coat ProxySG Configuration and Management Guide

Section B: Policy Layer and Rule Object Reference
About the Reference Tables ........................................................................................................................... 568
Administration Authentication Policy Layer Reference ........................................................................... 568
Administration Access Policy Layer Reference.......................................................................................... 568
DNS Access Policy Layer Reference............................................................................................................. 569
SOCKS Authentication Policy Layer Reference ......................................................................................... 569
SSL Intercept Layer Reference....................................................................................................................... 570
SSL Access Layer Reference .......................................................................................................................... 570
Web Authentication Policy Layer Reference .............................................................................................. 571
Web Access Policy Layer Reference ............................................................................................................. 571
Web Content Policy Layer Reference........................................................................................................... 575
Forwarding Policy Layer Reference ............................................................................................................. 576
Section C: Detailed Object Column Reference
Source Column Object Reference.................................................................................................................. 578
Destination Column Object Reference ......................................................................................................... 592
Service Column Object Reference................................................................................................................. 601
Time Column Object Reference .................................................................................................................... 607
Action Column Object Reference.................................................................................................................. 610
Track Object Column Reference ................................................................................................................... 646
Comment Object Reference ........................................................................................................................... 649
Using Combined Objects ............................................................................................................................... 649
Centralized Object Viewing and Managing................................................................................................ 652
Creating Categories ........................................................................................................................................ 655
Restricting DNS Lookups .............................................................................................................................. 658
Restricting Reverse DNS Lookups ............................................................................................................... 659
Setting the Group Log Order......................................................................................................................... 659
Section D: Managing Policy Layers, Rules, and Files
How Policy Layers, Rules, and Files Interact.............................................................................................. 661
Installing Policies ............................................................................................................................................ 664
Managing Policy.............................................................................................................................................. 664
Installing VPM-Created Policy Files ............................................................................................................ 666
Viewing the Policy/Created CPL ................................................................................................................. 669
Section E: Tutorials
Tutorial—Creating a Web Authentication Policy ...................................................................................... 671
Tutorial—Creating a Web Access Policy ..................................................................................................... 679
Chapter 15: Advanced Policy
Section A: Blocking Pop Up Windows
About Pop Up Blocking ................................................................................................................................. 694
Limitations ....................................................................................................................................................... 694
Recommendations........................................................................................................................................... 694
Section B: Stripping or Replacing Active Content
About Active Content..................................................................................................................................... 696
About Active Content Types ......................................................................................................................... 696

xviii

Contents

Section C: Modifying Headers
Section D: Defining Exceptions
Built-in Exceptions .......................................................................................................................................... 700
User-Defined Exceptions ............................................................................................................................... 704
About Exception Definitions ......................................................................................................................... 704
About the Exceptions Hierarchy................................................................................................................... 706
About the Exceptions Installable List........................................................................................................... 706
Creating or Editing Exceptions ..................................................................................................................... 708
Viewing Exceptions ........................................................................................................................................ 711
Section E: Managing Peer-to-Peer Services
About Peer-to-Peer Communications .......................................................................................................... 713
The Blue Coat Solution................................................................................................................................... 713
Policy Control .................................................................................................................................................. 714
Proxy Authentication ..................................................................................................................................... 715
Access Logging................................................................................................................................................ 715
Chapter 16: Streaming Media
Section A: About Streaming Media
Streaming Media Overview........................................................................................................................... 718
Windows Media Streaming ........................................................................................................................... 719
Real Media Streaming .................................................................................................................................... 722
QuickTime Streaming..................................................................................................................................... 722
Streaming Media Authentication ................................................................................................................. 723
Streaming Media Caching Behavior............................................................................................................. 725
Section B: Configuring Streaming Media
Limiting Bandwidth ....................................................................................................................................... 729
Configuring the Refresh Rate ........................................................................................................................ 734
Configuring HTTP Handoff .......................................................................................................................... 734
Forwarding Client Logs to the Media Server.............................................................................................. 735
Configuring Media Server Authentication Type (Windows Media) ...................................................... 736
About Multicast Streaming............................................................................................................................ 736
Managing Multicast Streaming for Windows Media ................................................................................ 738
Managing Multicast Streaming for Real Media.......................................................................................... 742
Managing Simulated Live Content (Windows Media) ............................................................................. 742
ASX Rewriting (Windows Media)................................................................................................................ 744
About Fast Streaming (Windows Media).................................................................................................... 745
Section C: Windows Media Player
Configuring Windows Media Player ........................................................................................................... 746
Limitations ....................................................................................................................................................... 747
Windows Media Access Log Formats.......................................................................................................... 748
Troubleshooting Windows Media Player 6.4 ............................................................................................. 748
Section D: RealPlayer
Configuring RealPlayer.................................................................................................................................. 752

xix

Blue Coat ProxySG Configuration and Management Guide

Real Media Access Log Formats ................................................................................................................... 754
Limitations and Known Issues...................................................................................................................... 754
Section E: QuickTime Player
Configuring QuickTime Player..................................................................................................................... 755
QuickTime Access Log Formats ................................................................................................................... 755
Limitations ....................................................................................................................................................... 755
Access Log Format .......................................................................................................................................... 756
Chapter 17: Instant Messaging
About Securing Instant Messaging............................................................................................................... 757
Recommended Deployments ........................................................................................................................ 757
About the Instant Messaging Protocol Services ......................................................................................... 757
About HTTP Proxy Support.......................................................................................................................... 758
About Instant Messaging Reflection ............................................................................................................ 758
IM Reflection Diagrams ................................................................................................................................. 758
About Instant Messaging Proxy Authentication ........................................................................................ 762
Securing AOL Encryption Capability .......................................................................................................... 762
Instant Message Proxies ................................................................................................................................. 763
Configuring Instant Messenger Clients ....................................................................................................... 766
VPM Examples ................................................................................................................................................ 770
Statistics ............................................................................................................................................................ 771
Related Material .............................................................................................................................................. 771
Chapter 18: Content Filtering
About the Internet Watch Foundation......................................................................................................... 774
Configuration Sections ................................................................................................................................... 774
Selecting Category Providers ........................................................................................................................ 774
Configuring a Local Database ....................................................................................................................... 778
Configuring Blue Coat Web Filter ............................................................................................................... 783
Configuring i-FILTER..................................................................................................................................... 791
Configuring InterSafe ..................................................................................................................................... 794
Configuring IWF ............................................................................................................................................. 797
Configuring Optenet ...................................................................................................................................... 800
Configuring Proventia Web Filter ................................................................................................................ 803
Configuring SmartFilter ................................................................................................................................. 805
Configuring SurfControl................................................................................................................................ 808
Configuring Websense ................................................................................................................................... 811
Configuring Webwasher URL Filter ............................................................................................................ 817
Scheduling Automatic Downloads for Third-Party Vendors................................................................... 819
Chapter 19: Configuring the Upstream Networking Environment
Understanding Forwarding........................................................................................................................... 829
Understanding Forwarding Terminology................................................................................................... 831
Configuring Forwarding................................................................................................................................ 832

xx

Contents

SOCKS Gateway Configuration.................................................................................................................... 852
Internet Caching Protocol (ICP) Configuration.......................................................................................... 860
Using Policy to Manage Forwarding ........................................................................................................... 866
Chapter 20: Access Logging
Section A: Overview
Understanding Facilities ................................................................................................................................ 874
Understanding Protocols and Formats ........................................................................................................ 875
Terms ................................................................................................................................................................ 876
Enabling or Disabling Access Logging ........................................................................................................ 877
Section B: Creating and Editing Log Formats
Creating a Custom or ELFF Log Format ..................................................................................................... 879
Section C: Creating an Access Log Facility
Section D: Editing an Existing Log Facility
Section E: Associating a Log Facility with a Protocol
Disabling Access Logging for a Particular Protocol .................................................................................. 891
Section F: Configuring Global Settings
Section G: Configuring the Upload Client
Encrypting the Access Log ............................................................................................................................ 895
Importing an External Certificate ................................................................................................................. 895
Digitally Signing Access Logs ....................................................................................................................... 898
Disabling Log Uploads................................................................................................................................... 902
Decrypting an Encrypted Access Log .......................................................................................................... 902
Verifying a Digital Signature......................................................................................................................... 902
Editing Upload Clients................................................................................................................................... 903
Section H: Configuring the Upload Schedule
Testing Access Log Uploading...................................................................................................................... 918
Viewing Access-Log Statistics ....................................................................................................................... 919
Using Access Logging with Policy Rules .................................................................................................... 920
Example: Using VPM to Prevent Entries Matching a Source IP Address from Being Logged ........... 920
Chapter 21: Maintaining the ProxySG
Restarting the ProxySG .................................................................................................................................. 925
Restoring System Defaults............................................................................................................................. 927
Purging the DNS Cache ................................................................................................................................. 930
Clearing the System Cache ............................................................................................................................ 930
Upgrading the ProxySG ................................................................................................................................. 931
Managing ProxySG Systems ......................................................................................................................... 934
Event Logging and Notification.................................................................................................................... 937
Configuring SNMP ......................................................................................................................................... 943
Configuring Health Monitoring.................................................................................................................... 946
Disk Reinitialization ....................................................................................................................................... 956
Deleting Objects from the ProxySG.............................................................................................................. 957

xxi

Blue Coat ProxySG Configuration and Management Guide

Chapter 22: Statistics
Selecting the Graph Scale............................................................................................................................... 959
General Statistics ............................................................................................................................................. 959
Viewing SSL Accelerator Cards .................................................................................................................... 961
System Usage Statistics .................................................................................................................................. 965
HTTP/FTP History Statistics ........................................................................................................................ 968
IM History Statistics ....................................................................................................................................... 972
P2P History Statistics...................................................................................................................................... 974
SSL History Statistics ...................................................................................................................................... 977
Streaming History Statistics .......................................................................................................................... 980
SOCKS History Statistics................................................................................................................................ 983
Shell History Statistics .................................................................................................................................... 987
Resources Statistics ......................................................................................................................................... 987
Efficiency Statistics.......................................................................................................................................... 990
Contents Statistics ........................................................................................................................................... 994
Event Logging.................................................................................................................................................. 995
Bandwidth Management Statistics ............................................................................................................... 996
Access-Log Statistics ....................................................................................................................................... 999
Failover Statistics........................................................................................................................................... 1003
Advanced Statistics....................................................................................................................................... 1004
Appendix A: Using the Authentication/Authorization Agent
Installing the BCAAA Service on a Windows System............................................................................. 1009
Completing Setup for the BCAAA Service ............................................................................................... 1016
Installing the BCAAA Service on a Solaris System.................................................................................. 1017
Creating Service Principal Names for IWA Realms................................................................................. 1017
Troubleshooting Authentication Agent Problems ................................................................................... 1019
Common BCAAA Event Messages ............................................................................................................ 1020
Appendix B: Access Log Formats
Custom or W3C ELFF Format..................................................................................................................... 1027
SQUID-Compatible Format ......................................................................................................................... 1030
NCSA Common Access Log Format .......................................................................................................... 1032
Fields Available for Creating Access Log Formats .................................................................................. 1034
Appendix C: Using WCCP
Overview ........................................................................................................................................................ 1073
Quick Start...................................................................................................................................................... 1075
Configuring a WCCP Version 2 Service on the Router ........................................................................... 1076
Creating a ProxySG WCCP Configuration File ........................................................................................ 1083
Examples ........................................................................................................................................................ 1093
Troubleshooting: Home Router .................................................................................................................. 1098
Tips.................................................................................................................................................................. 1101

xxii

Contents

Appendix D: RIP Commands
net .................................................................................................................................................................... 1103
host .................................................................................................................................................................. 1103
RIP Parameters .............................................................................................................................................. 1104
ProxySG-Specific RIP Parameters............................................................................................................... 1105
Using Passwords with RIP .......................................................................................................................... 1106
Appendix E: Diagnostics
Diagnostic Reporting (Service Information) ............................................................................................. 1108
Packet Capturing (the PCAP Utility) ......................................................................................................... 1116
Core Image Restart Options ........................................................................................................................ 1122
Diagnostic Reporting (Heartbeats) ............................................................................................................. 1123
Diagnostic Reporting (CPU Monitoring)................................................................................................... 1125
Appendix F: Using Blue Coat Director to Manage Multiple Appliances
How Director Works with ProxySG .......................................................................................................... 1127
Backing Up a ProxySG’s SSL Settings........................................................................................................ 1131
Creating Profiles............................................................................................................................................ 1131
Creating Overlays ......................................................................................................................................... 1132
Director Documentation .............................................................................................................................. 1132
Index

xxiii

Blue Coat ProxySG Configuration and Management Guide

xxiv

Chapter 1: Introducing the ProxySG

Blue Coat® Systems ProxySG™ Appliance represents the latest in perimeter defense for securing and
controlling Web-based content and applications. The Blue Coat ProxySG is designed to integrate
protection and control functions for Internet and intranet traffic without sacrificing performance and
employee productivity.
The ProxySG series of proxy appliances is designed specifically to manage and control user
communication over the Internet. Acting on behalf of the user and the application, the ProxySG does
not replace existing perimeter security devices; rather, it complements them by giving organizations
the ability to control communications in a number of ways that firewalls and other externally focused
devices cannot.

Web Security Solution
The Blue Coat ProxySG provides a point of integration, control, and acceleration for enterprise Web
security applications, including:


Layered security approach with content-level protection to combat Web-based threats using port
80.



Abundant policy controls wrapped in performance-based hardware and a custom operating
system to give organizations visibility and control over employee Web communications.



A preventative spyware defense that combines multiple techniques in a high-performance
solution acceptable for Web-based business communications.



Integrated reverse proxy caching and SSL support to offload content delivery and encryption
tasks from Web servers, reducing server bottlenecks and enhancing Web site performance and
scalability.



Control over which users are allowed to use Instant Messaging, and which IM protocols are
allowed, what features are to be enabled, to whom users may IM or chat with (inside the company
or outside the company), what time of the day they can IM, and how logging is managed.



Immediate and dynamic Peer-to-Peer (P2P) control, allowing an administrator to identify, log, and
block P2P traffic.



Integrated caching, content positioning, bandwidth savings, and bandwidth management to
provide superior performance for controlling Web content.



Control over Windows Media, RealTime, and QuickTime video and audio streams as the file is
being downloaded over the Internet.



Prevention of the spread of viruses and other malicious code by using the Blue Coat ProxyAV™
Appliance in conjunction with the Blue Coat ProxySG. The ProxySG with ProxyAV integration is a
high-performance Web anti-virus (AV) solution.

25

Blue Coat ProxySG Configuration and Management Guide



Control over the type of content retrieved by the ProxySG. You can also filter requests made by
clients. If you use Blue Coat Web Filter (BCWF), a highly effective content filtering service that
quickly learns and adapts to the working set of its users, you can also use a network service that
dynamically examines and categorizes Web pages as they are requested.

Ease of Deployment
The ProxySG is specifically designed to increase security and reduce costs associated with central,
regional, and branch office Web protection. For example, the SG200 and SG400 platforms easily drop in
to remote environments where technical support staff is not always available, and features simple
installation and remote management.
Other platforms also feature a simple-to-manage system that installs in minutes with little ongoing
maintenance. In addition, they also provide configuration restoration that allows system
configuration to be archived, including all system settings, filtering and policies; removable,
hot-swappable disk drives for true fault tolerance, and are field serviceable and upgradeable.

Policy and Management Architecture
Networking environments have become increasingly complex, with a variety of security and access
management issues. Enterprises face challenges in configuring products and ensuring the result
supports enterprise policies. Policies enhance ProxySG features, such as authentication and virus
scanning, allowing you to manage Web access specific to the enterprise’s needs.
Blue Coat policies provide:


Fine-grained control over various aspects of ProxySG behavior.



Multiple policy decisions for each request.



Multiple actions triggered by a particular condition.



Bandwidth limits.



Authentication awareness, including user and group configuration.



Flexibility of user-defined conditions and actions.



Convenience of predefined common actions and transformations.



Support for multiple authentication realms.



Configurable policy event logging.



Built-in debugging.

The ProxySG uses policies and system configuration together to provide the best possible security for
your network environment.
Blue Coat's unique architecture allows for scalable decision making. Effectively turning on multiple
combinations of granular policy requires a unique level of performance.
Blue Coat's flexible logging features, coupled with integrated authentication and identification
capabilities, give organizations the power to monitor Web access for every user in the network at any
time, regardless of where they are. Internet access traffic flowing through the ProxySG gives
administrators and managers the ability to audit Web traffic as needed.

26

Chapter 1: Introducing the ProxySG

Content Filtering
As the number of users and the total amount of traffic grows, policy enforcement demands higher
performance to provide adequate end-user quality of experience. To satisfy the management level and
scalability that enterprise traffic demands, ProxySG Appliances have emerged as a new layer of
infrastructure that provide the performance and manageability required for enterprise-wide
policy-based content filtering.
SGOS 4.1offers a dynamic categorization service if you use the Blue Coat Web Filter (BCWF). The
BCWF categorization service is an Internet service, available from designated service points with
high-bandwidth connections and dedicated hardware. It analyzes data externally so that content
(offensive, distasteful, or perhaps even potentially a legal liability) never enters the network.

Figure 1-1: Content Filtering

The ProxySG enforces Internet access policies based on:


Content categories (gambling, sex, etc.)— Besides BCWF, which includes a database and a
dynamic categorization service, databases from leading third-party filtering vendors are offered.



Content type and protocols (HTTP, FTP, streaming, MIME type, etc.)—Adds the ability to block
certain types of content transported on certain types of protocols.



Identity (user, group, network)—Customize policy based on who the users are regardless of
location.



Network conditions—Customize based on real-time conditions.

Content and Virus Scanning
When integrated with a supported Internet Content Adaptation Protocol (ICAP) server such as the
Blue Coat ProxyAV appliance, Blue Coat provides content scanning and filtering. ICAP is an evolving
protocol that allows an enterprise to dynamically scan and change Web content. Content scanning
includes actions like sending a given request for content to an ICAP server for virus scanning or
malicious mobile code detection.
To eliminate threats to the network and to maintain caching performance, the ProxySG sends objects
to the integrated ICAP server for evaluation and saves the scanned objects in its object store. With
subsequent content requests, the ProxySG serves the scanned object rather than rescanning the same
object for each request.

27

Blue Coat ProxySG Configuration and Management Guide

Figure 1-2: Content and Virus Scanning

The ProxySG blocks viruses from Web content behind and in front of the firewall. Blue Coat
architecture is optimized to handle Web requests and responses that require scanning for potentially
malicious mobile code and viruses. The ProxySG uses ICAP to vector responses to supported virus
scanning servers to deliver unmatched flexibility and performance in scanning Web content.

Spyware
Spyware leverages multiple vectors, making silver bullet defenses using coarse-grained controls
useless and unproductive and impeding critical Web-based business communications. No single
technique can filter out spyware and adware to defend against the threat.
Blue Coat combines multiple techniques in a high-performance solution acceptable for Web-based
business communications. Latency is minimal and the protection layers are comprehensive to stop,
block, and scan spyware. With Blue Coat, you can:


stop spyware installations;



block spyware Web sites;



scan for spyware signatures;



detect desktop spyware and target for cleanup.

Figure 1-3: Preventing Spyware

For information on using the ProxySG and ProxyAV together, refer to the Blue Coat ProxyAV
Configuration and Management Guide.

28

Chapter 1: Introducing the ProxySG

Instant Messaging
Instant Message (IM) usage in an enterprise environment creates security concerns because, regardless
of how network security is configured, IM connections can be made from any established protocol,
such as HTTP or SOCKS, on any open port. Because it is common for coworkers to use IM to
communicate, especially in remote offices, classified company information can be exposed outside the
network. Viruses and other malicious code can also be introduced to the network from file sharing
through IM clients.
The ProxySG serves as an IM proxy, both in transparent and explicit modes. You can control IM
actions by allowing or denying IM communications and file sharing based on users (both employee
identities and IM handles), groups, file types and names, and other triggers. You can also log and
archive all IM chats.
Using policy, administrators can quickly deploy sophisticated IM usage policies that integrate with
existing authentication directories through LDAP, IWA and Radius.

Figure 1-4: Controlling Instant Messaging

Peer-to-Peer
The very nature of the Peer-to-Peer (P2P) client architecture is to evade firewalls and general network
security. Additionally, blocking a P2P client at the firewall has proved to be extremely difficult
because:


port blocking, as a means to controlling P2P, is very limited.



P2P packets cannot be classified simply by looking at packet headers such as an IP address and
port number.

Blue Coat ProxySG Appliances provide a powerful platform for immediate and dynamic P2P control.

Integrated Reverse Proxy
ProxySG Appliances are easily configured for reverse proxy mode, providing optimized Web server
acceleration and featuring a high RAM-to-disk ratio and a built-in Secure Sockets Layer (SSL)
encryption/decryption processor. This processor can manage 10 to 40 times more secure sessions than
a standard Web server, allowing the appliances to accelerate the delivery of both public (HTTP) and
private (HTTPS) content. The product is packaged in a compact 1U form factor (ProxySG 400 and
ProxySG 800 models) a major advantage in space-constrained data centers, or a 4U form factor
(ProxySG 8000) that allows for modular expansion of network interface cards, SSL cards, processors,
and RAM.

29

Blue Coat ProxySG Configuration and Management Guide

The ProxySG system software is easily tuned for the workload of high traffic Web sites. This
environment is characterized by a finite amount of site content accessed by many remote users, often
resulting in flash crowds. The ProxySG Appliances allow efficient scaling of Web farms to address
flash or peak periods of traffic, and includes advanced features such as protection against
Denial-of-Service attacks and dynamic content acceleration.

Bandwidth Management
Bandwidth management allows you to classify, control, and, if required, limit the amount of
bandwidth used by different classes of network traffic flowing into or out of the ProxySG. Network
resource sharing (or link sharing) is accomplished using a bandwidth-management hierarchy where
multiple traffic classes share available bandwidth in a controlled manner.
You can also create policies to constrain who can use certain media types, and how much of it. For
example, you can allow your executives to view high-bandwidth streaming media, but only allow the
accounting group to view streams up to 56k on corporate sites.
With Blue Coat, you can limit access based on user, group, network address, and the time of day. You
can also prevent all access to the Internet except for a group of users who need access to do their jobs,
effectively freeing bandwidth for mission-critical needs.

New Features in this Release
Blue Coat has long been the leader in proxy appliances. For SGOS 4.2, Blue Coat built upon this
leadership by adding:


Support for Kerberos and Integrated Windows Authentication (IWA), replacing NTLM as an
authentication realm where appropriate



SSL Proxy



Certification Revocation List support



Support for RADIUS servers that use challenge/response as part of the authentication process as
well as support for RADIUS groups and the ability to fine-tune RADIUS realms with a number of
new attributes



New authentication forms to support RSA SecurID and Secure Computer SafeWord



New policy to support new SGOS 4.2 features

For information on each of these features, continue with the following sections.

Integrated Windows Authentication (IWA) and Kerberos Support
Windows 2000 and later provides an authentication mechanism based on Kerberos. Users can
automatically choose between Kerberos and NTLM as appropriate. All existing features of the Blue
Coat implementation of the NTLM realm are available, but IWA realms can participate in Kerberos
authentication as well as the automatic choosing of Kerberos or NTLM.
Blue Coat has renamed the NTLM authentication realm to be IWA. All original functionality remains,
and Kerberos is enabled by default.

30

Chapter 1: Introducing the ProxySG

Note:

BCAAA installation changes with the addition of Kerberos support. For more information
on installing BCAAA in a Kerberos environment, see Appendix A: “Using the
Authentication/Authorization Agent” on page 1007.

SSL Proxy
The SSL proxy allows you to intercept HTTPS traffic so that security measures like virus scanning and
URL filtering can be applied to HTTPS content. Additionally, the SSL proxy allows you to validate
server certificates presented by various HTTPS sites at the gateway and offers rich information about
the HTTPS traffic in the access log.
For information on understanding and configuring an SSL proxy, see "Configuring an SSL Proxy" on
page 231.

Certificate Revocation List
Certificate Revocation Lists (CRLs) can be used in multiple situations:


SSL proxy when intercepting or tunneling; Certificate revocation lists are incorporated during the
certificate verification process



HTTP reverse proxy



For ProxySG-originated HTTPS downloads (secure image download, content filter database
download, and the like)

For more information on using CRLs, see "Using Certificate Revocation Lists" on page 282x.

RADIUS Realms and Authentication Form Realms
The ProxySG supports RADIUS servers that use challenge/response as part of the authentication
process. SafeWord asynchronous tokens use challenge/response to provide authentication. SecurID
tokens use challenge/response to initialize or change PINs.
To support challenge/response authentication, two new authentication forms—new_pin_form and
query_form—have been added to the authentication forms realm. For more information on these two
new authentication forms, see “Section L: Forms-Based Authentication” on page 460.
Note:

For this release, HTTP is the only supported protocol.

In addition, you can create RADIUS groups and otherwise fine-tune RADIUS realms through the
attribute. and has_attribute. CPL conditions and source objects in VPM.
For more information on RADIUS realms, see “Section E: RADIUS Realm Authentication and
Authorization” on page 385.

31

Blue Coat ProxySG Configuration and Management Guide

New Policy
New policy gestures—conditions, properties, and actions—have been added to support the SSL proxy,
CRL, the new authentication forms, as well as new a new Referer header and HTTP content regex
gestures. For information on using new policy gestures, refer to the Blue Coat ProxySG Content Policy
Language Guide.

Protocols Supported
Blue Coat ProxySGs are multi-protocol. For administrative purposes, you can connect to the Blue Coat
ProxySG Appliances through the:


HTTPS-Console: This is the default protocol used by the Management Console. It is configured
and enabled by default.



SSH-Console: This is the default protocol for connecting to the ProxySG through the CLI. It is
configured and enabled by default.

If you prefer and are in a secure environment, you can use the HTTP-Console or Telnet-Console for
administrative access to the system.
Note:

HTTP-Console and Telnet-Console are security risks. They should not be used for
administrative access in insecure situations.

Supported Browsers
The ProxySG Management Console supports Microsoft® Internet Explorer 6, Netscape®
Communicator 7.2 or 8.x, and Firefox 1.x.
The Management Console uses the Java Runtime Environment. Because of security concerns, you
should use JRE 1.5.0 (also called J2SE 5.0) if you plan to access external Internet sites.

Upgrade and Upgrade Behavior
For information on doing upgrades or downgrades, or for restoring default system settings, refer to
the Blue Coat SGOS 4.x Upgrade Guide.

Where to Go From Here
The following sections describe the top-level tasks you need to carry out to customize the ProxySG to
your environment. The tasks are shown in the order of a typical deployment:

Placing the ProxySG in a Network
To install a ProxySG into a network, the network must be set up to present the ProxySG with traffic to
control.


32

Explicit Proxy: All the ProxySG needs is IP address connectivity to the network; browsers must be
configured to point to the ProxySG through a PAC file.

Chapter 1: Introducing the ProxySG



Transparent Proxy: The majority of networks use transparent proxy. Transparent proxying occurs
when the ProxySG receives traffic destined for Origin Content Servers (OCS) and terminates the
traffic, then initiates the same request to the OCS.


Bridging: With this configuration, you do not have to make router or L4 switch configuration
changes. The ProxySG is placed inline on a segment of the network where all outgoing traffic
flows; one Ethernet interface is connected to the internal network, the other Ethernet interface
is connected to the Internet. The ProxySG terminates all traffic on the service ports in which
the proxy has been configured and sends the request to the outside OCS. All other traffic is
bridged between the two Ethernet interfaces.
Note that this configuration, without using policy controls, can lead to an open proxy. An open
proxy results when traffic is allowed on the outside (Internet) interface because users are
accessing internal Web servers behind the proxy.



WCCP: If the site has Cisco routers, WCCP can be used to direct certain TCP/IP connections
to the ProxySG. TCP/IP ports to forward to the ProxySG are communicated between ProxySG
appliances and the Cisco routers. Typically, this is enforced on the outgoing interface on the
Cisco router.



L4 switching: Similar to WCCP, the L4 switch is configured to forward traffic for specific
TCP/IP ports to the attached ProxySG.

Initial Setup
The ProxySG must be initially configured before it operates on a network. This can be done through
the front panel (if applicable) or the serial console. The initial setup sets not only the IP address, but
enable and console passwords. Once completed, the ProxySG can be managed through the serial
console, SSH, or HTTPS at port 8082. Information on setting up the ProxySG is in the Quick Start
Guide and Installation Guide for your platform.

Simple Policy
The default policy on new ProxySG appliances is to deny everything. To test initial setup, you can
create a policy of ALLOW, along with changing access logging to log to the default logs. If the
ProxySG is correctly set up, Web browsers can surf the Internet and all transactions are logged. Once
the ProxySG setup is verified, the policy should again be set to DENY, unless otherwise required.
If the policy is set to allow everything and a bridged configuration is used, clients can send a
connection request for any port, including e-mail, using the proxy to send spam. This is called an open
proxy and usually results in performance slowdowns (among other things).
To prevent the ProxySG from becoming an open proxy in a bridged configuration if you must use an
ALLOW configuration, add the following policy to the end of the local policy:
define subnet Trusted_Clients
10.0.0.0/8
end subnet
define subnet Trusted_Servers
216.52.23.0/24
end subnet

33

Blue Coat ProxySG Configuration and Management Guide


client.address = Trusted_Clients OK ; Policy below applies
proxy.address = Trusted_Servers OK ; Policy below applies
FORCE_DENY ; Force a denial for everything else

; Add other allow or deny rules here
; Example: Allow all traffic not denied above
ALLOW

Implementing Policies
Once the basic system is set up, you need to decide which controls—policies— to put in place.
Typically, the following are configured on the system:


Proxy caching (HTTP, FTP, Streaming)



Authentication/single sign-on



Access control policy



Content filtering



Web anti-virus

Implementing policies is a two-step process:


Configure the feature; for example, choose Blue Coat Web Filter (BCWF) or another content
filtering vendor, enable it, and schedule downloads of the database.



Create policy through the graphical Visual Policy Manager (VPM) or through the Content Policy
Language (CPL).

Managing the ProxySG
Once the configuration and policy on the ProxySG are set, you should know how to evaluate the
current operating state. This can include reviewing event log messages, utilizing SNMP, or diagnostics
such as CPU utilization.


Archive a configuration file: "Archiving a Configuration" on page 79



Upgrade the system: "Upgrading the ProxySG" on page 931



Set up event logging: "Event Logging and Notification" on page 937



Configure SNMP: "Configuring SNMP" on page 943



Understand Diagnostics: Appendix E: “Diagnostics” on page 1107

Managing the ProxyAV
The ProxySG with ProxyAV™ integration is a high-performance Web anti-virus (AV) solution. For
most enterprises, Web applications and traffic are mission-critical, representing 90% of the total
Internet traffic.
By deploying the ProxySG/ProxyAV solution, you gain performance and scalability (up to 250+ Mbps
HTTP throughput), along with Web content control.

34

Chapter 1: Introducing the ProxySG

For information on managing the ProxyAV, refer to the Blue Coat ProxyAV Configuration and
Management Guide.

Troubleshooting
Use the access logs, event logs, and packet captures to check connections and view traffic passing
through the ProxySG. Use policy tracing to troubleshoot policy. Note that policy tracing is global; that
is, it records every policy-related event in every layer. Turning on policy tracing of any kind is
expensive in terms of system resource usage and slows down the ProxySG's ability to handle traffic.


Policy tracing: For information on using policy tracing, see "Policy Tracing" on page 543.



Access Logs: For information on configuring and using access logs, see Chapter 20: “Access
Logging” on page 873.



Event logs: For information on using event logs, see "Event Logging and Notification" on
page 937.



Packet capture: For information on using the PCAP utility, see "Packet Capturing (the PCAP
Utility)" on page 1116.

Task Tables
The tables below refer to the sections in the manuals that describe the top-level tasks to customize the
ProxySG to your environment. The tables are listed in alphabetical order (for example, access logging,
authentication, bridging, caching, and so on).
Table 1.1: Access Logging
Task

Reference

Configure access logging with
• Blue Coat Reporter
• SurfControl Reporter
• Websense Reporter

• Blue Coat Reporter: Chapter 3, “Creating the First
Profile,” Blue Coat Reporter Configuration and Management
Guide
• SurfControl Reporter: "Using SurfControl Reporter with
SGOS 4.x" on page 811
• Websense Reporter: "Configuring Websense" on page 811

Table 1.2: Anti-Virus
Task

Reference

Block Web viruses using ProxyAV

“Section A: ICAP” on page 500; Blue Coat ProxyAV
Configuration and Management Guide

Set up anti-virus filtering

Blue Coat ProxyAV Configuration and Management Guide

35

Blue Coat ProxySG Configuration and Management Guide

Table 1.3: Authentication
Task

Reference

Achieve single sign-on with IWA (formerly
NTLM)

"Section A: IWA Realm Authentication and Authorization"
on page 337

Select the right authentication mode

"Understanding Authentication Modes" on page 319

Install the Blue Coat
authentication/authorization agent to work
with IWA (formerly NTLM)

Appendix A: “Using the Authentication/Authorization
Agent” on page 1007

Configure authentication to work with an
existing authentication service

Chapter 9: “Using Authentication Services” on page 335

Set up authentication schemes and use them in
policy

Chapter 8: “Security and Authentication” on page 305

Table 1.4: Bridging
Task

Reference

Configure bridging (hardware or software)

“Section D: Software and Hardware Bridges” on page 87

Allow those from outside a bridged deployment
to get to internal servers

"Defining Static Routes" on page 96

Table 1.5: Caching
Task

Reference

Disable caching

"Configuring Refresh Bandwidth for the HTTP Proxy" on
page 191

Table 1.6: HTTP
Task

Reference

Redirect HTTP with WCCP

"Standard HTTP Redirection" on page 1093

Table 1.7: HTTPS

36

Task

Reference

Create a transparent HTTPS service

"Managing the HTTPS Reverse Proxy" on page 165

Chapter 1: Introducing the ProxySG

Table 1.8: Instant Messaging
Task

Reference

Allow, block, and control the supported Instant
Messaging clients

Chapter 17: “Instant Messaging” on page 757

Table 1.9: Management
Task

Reference

Get the Management Console to work

Chapter 3: “Accessing the ProxySG” on page 55

Manage the System:
• License the system

• Chapter 2: “Licensing” on page 43

• Back up the configuration

• "Archiving a Configuration" on page 79

• View statistics

• Chapter 22: “Statistics” on page 959

 Resources

• "Resources Statistics" on page 987

 Efficiency

• "Efficiency Statistics" on page 990

• SNMP monitoring

• "Configuring SNMP" on page 943

Table 1.10: Policy
Task

Reference

Set up authentication schemes and use them in
policy

Chapter 8: “Security and Authentication” on page 305

Limit network access and configuring
compliance pages

“Section B: Controlling Access to the Internet and Intranet”
on page 319

Block unwanted content

"How to Apply Policy to Categorized URLs" on page 821

Change policy default

"Transaction Settings: Deny and Allow" on page 543

Write policy using the Visual Policy Manager
(VPM)

“Section E: Tutorials” on page 670

Write policy using the Content Policy Language
(CPL)

Blue Coat ProxySG Content Policy Language Guide

Table 1.11: Proxies
Task

Reference

Determine the best type of proxy for the
environment

Chapter 6: “Configuring Proxies” on page 177

Set up HTTPS Reverse Proxy

"Section D: Configuring HTTP or HTTPS Origination to the
Origin Content Server" on page 293

37

Blue Coat ProxySG Configuration and Management Guide

Table 1.11: Proxies (Continued)
Get traffic to the proxy

Chapter 6: “Configuring Proxies” on page 177

Table 1.12: Reporter, Blue Coat
Task

Reference

Make Blue Coat Reporter work with access
logging

"Section G: Configuring the Upload Client" on page 894;
Blue Coat Reporter: Chapter 3, “Creating the First Profile,”
Blue Coat Reporter Configuration and Management Guide

Use Scheduler to set up report generation

Chapter 3, “Using Scheduler,” in the Blue Coat Reporter
Configuration and Management Guide

Generate specific reports for specific people

Blue Coat Reporter Configuration and Management Guide

Table 1.13: Reporter, SurfControl
Task

Reference

Configure SurfControl Reporter

"Using SurfControl Reporter with SGOS 4.x" on page 811

Table 1.14: Reporter, Websense
Task

Reference

Configure Websense Reporter

"Configuring Websense" on page 811

Table 1.15: Services
Task

Reference

Create a port service

“Section B: Creating and Editing Services” on page 156

Table 1.16: Streaming
Task

Reference

Control streaming protocols

Chapter 16: “Streaming Media” on page 717

Table 1.17: WCCP

38

Task

Reference

Configure WCCP for multiple ports

"Creating a Configuration File" on page 1088

Redirect HTTP with WCCP

"Standard HTTP Redirection" on page 1093

Chapter 1: Introducing the ProxySG

Table 1.17: WCCP
Task

Reference

Configure the home-router IP

"Creating a Configuration File" on page 1088

Configure multiple home-routers

"Creating a Configuration File" on page 1088

Configure a multicast address as the proxy's
home router

"Configuring a WCCP Version 2 Service on the Router" on
page 1076

About the Document Organization
This document is organized for easy reference, and is divided into the following sections and chapters:
Table 1.18: Document Organization
Chapter Title

Description

Chapter 1 – Introducing the ProxySG

This chapter discusses the ProxySG Security Solution and
new features and enhancements in SGOS 3.x. It also covers
document conventions.

Chapter 2 – Licensing

Several features must be licensed to be used beyond the
evaluation trial date. This chapter describes which features
require licenses and how to download licenses.

Chapter 3 – Accessing the ProxySG

This chapter explains how to log in to the ProxySG CLI and
Web-based Management Console; how to change the
administrator username, password, privileged-mode
password; and how to make a secure connection using SSH
and HTTPS.

Chapter 4 – Configuring the System

Instructions on setting the ProxySG name and system time,
configuring the network adapter, load balancing, and FTP
port services, and specifying DNS servers. This chapter also
describes how to track client IP addresses using server-side
transparency or virtual IP addresses.

Chapter 5 – Managing Port Services

This chapter describes port services configurable on the
ProxySG, including several kinds of Management Consoles,
such as HTTPS, HTTP, SSH, and Telnet Consoles, and
application proxies such as Instant Messenger (IM), SOCKS,
FTP, MMS, and RTSP, HTTP and HTTPS.

Chapter 6 – Configuring Proxies

Explicit and Transparent proxies are discussed in this
chapter, as well as the recommended types of proxy.

Chapter 7 – Using Secure Services

HTTPS termination, including SSL, Certificates, keyrings,
and keypairs are discussed in this chapter.

Chapter 8 – Security and Authentication

Enabling and maintaining security on the ProxySG is
discussed in this chapter.

39

Blue Coat ProxySG Configuration and Management Guide

Table 1.18: Document Organization (Continued)

40

Chapter Title

Description

Chapter 9 – Using Authentication Services

Blue Coat supports six kinds of authentication, discussed
here: LDAP, IWA, RADIUS, Local (formerly UNIX),
Certificate (which allows you to authenticate using
certificates), and Sequence (which allows you to
authenticate using multiple authentication servers).

Chapter 10 – Bandwidth Management

Managing the amount of bandwidth used by different
classes of network traffic is discussed in this chapter.

Chapter 11 – External Services

ICAP and Websense off-box are described in this chapter.

Chapter 12 – Health Checks

The health of services, such as SOCKS, ICAP, and
forwarding services, is discussed in this chapter.

Chapter 13 – Managing Policy Files

Four policy files are used to manage policy: Central, Local,
Visual Policy Manager, and Forwarding. This chapter
discusses how to manage them.

Chapter 14 – The Visual Policy Manager

This chapter contains a reference guide and several tutorials
for using the Visual Policy Manager.

Chapter 15 – Advanced Policy

This chapter discusses using features such as pop-up ad
blocking, managing active content, and creating exceptions.

Chapter 16 – Streaming Media

This chapter discusses streaming, including the new RTSP
proxy.

Chapter 17 – Instant Messaging

How to configure and use the ProxySG’s instant messaging
capabilities is discussed in this chapter.

Chapter 18 – Content Filtering

This chapter discusses how to configure and use the
ProxySG’s content filtering capabilities, as well as
configuring and using content filtering vendors to work
with the ProxySG.

Chapter 19– Configuring the Upstream
Networking Environment

This chapter discusses how to control upstream interaction
with the ProxySG.

Chapter 20 – Access Logging

Log formats, upload clients, upload schedules, and
protocols are discussed in this chapter.

Chapter 21 – Maintaining the ProxySG

This chapter discusses upgrading the system and
configuring event logs, SMNP, STMP, heartbeats, and core
images.

Chapter 22 – Statistics

This chapter discusses viewing various kinds of
statistics—system usage, efficiency, resources, and logs of all
kinds.

Appendix A – Using the Authentication/
Authorization Agent

The ProxySG BCAAA agent is discussed in this appendix.

Appendix B – Access Log Formats

ELFF, SQUID, NCSA/Common, and custom logs are
discussed in this appendix.

Chapter 1: Introducing the ProxySG

Table 1.18: Document Organization (Continued)
Chapter Title

Description

Appendix C – Using WCCP

Configuring and using a WCCP router with the ProxySG is
discussed in this appendix.

Appendix D – RIP Commands

Commands supported for the Routing Information Protocol
(RIP) configuration text file are discussed in the appendix.

Appendix E – Diagnostics

Determining and resolving ProxySG problems are discussed
in this appendix.

Appendix F – Using Blue Coat Director to
Manage Multiple ProxySG Appliances

Discusses how Blue Coat Director works with multiple
ProxySG Appliances.

Note:

The Blue Coat ProxySG Configuration and Management Guide and the online help contain the
same information but are not identical. For the latest information, refer to the Blue Coat
ProxySG Configuration and Management Guide.

Related Blue Coat Documentation


Blue Coat 6000 and 7000 Installation Guide



Blue Coat 200 Series Installation Guide



Blue Coat 400 Series Installation Guide



Blue Coat ProxySG 800 Series Installation Guide



Blue Coat ProxySG 8000 Series Installation Guide



Blue Coat ProxySG Content Policy Language Guide



Blue Coat ProxySG Command Line Reference

Document Conventions
The following section lists the typographical and Command Line Interface (CLI) syntax conventions
used in this manual.
Table 1.19: Typographic Conventions
Conventions

Definition

Italics

The first use of a new or Blue Coat-proprietary term.

Courier font

Command line text that appears on your administrator
workstation.

Courier Italics

A command line variable that is to be substituted with a literal
name or value pertaining to the appropriate facet of your network
system.

41

Blue Coat ProxySG Configuration and Management Guide

Table 1.19: Typographic Conventions

42

Courier Boldface

A ProxySG literal to be entered as shown.

{ }

One of the parameters enclosed within the braces must be
supplied

[ ]

An optional parameter or parameters.

|

Either the parameter before or after the pipe character can or must
be selected, but not both.

Chapter 2: Licensing

This chapter describes the ProxySG licensing behavior.

About Licensing
SGOS 4.x features a global licensing system for the ProxySG. License key files are issued on a
per-appliance basis. One license key file includes all of the component licenses for whichever ProxySG
features you have elected to use.
Note:

When your ProxySG order was completed, you received an e-mail that contains serial
numbers for licensable components. Those numbers are required for the procedures in
this chapter.

Licensable Components
There are three types of licensable components:


Required—The SGOS 4 Base; these features are required on the ProxySG.



Included—Additional SGOS 4.x features, which are provided by Blue Coat.



Optional— Any additional (purchased) features.
When the license key file is created, it consists of all three components. The following
table lists the ProxySG licensable components, categorized by type.

Table 2.1: Licensable Components
Type

Component

Description

Required

SGOS 5 Base

The ProxySG operating system, plus base features: HTTP, FTP,
TCP-Tunnel, SOCKS, and DNS proxy.

Included

3rd Party Onbox
Content Filtering

Allows use with third-party vendor databases: Intersafe, Optenet,
Proventia, SmartFilter, SurfControl, Websense, and Webwasher.

Included

Websense Offbox
Content Filtering

For Websense off-box support only.

Included

ICAP Services

External virus and content scanning with ICAP servers.

Included

Bandwidth
Management

Allows you to classify, control, and, if required, limit the amount of
bandwidth used by different classes of network traffic flowing into or
out of the ProxySG.

Included

Windows Media
Standard

MMS proxy; no caching or splitting; content pass-through. Full policy
control over MMS.

43

Blue Coat ProxySG Configuration and Management Guide

Table 2.1: Licensable Components (Continued)
Type

Component

Description

Included

Real Media
Standard

RTSP proxy; no caching or splitting; content pass-through. Full policy
control over RTSP.

Included

Apple QuickTime
Basic

RTSP proxy; no caching or splitting; content pass-through. Full policy
control over RTSP.

Included

Netegrity
SiteMinder

Allows realm initialization and user authentication to SiteMinder
servers.

Included

Oracle COREid

Allows realm initialization and user authentication to COREid servers.

Included

Peer-to-Peer

Allows you to recognize and manage peer-to-peer P2P activity relating to
P2P file sharing applications.

Included

Compression

Allows reduction to file sizes without losing any data.

Optional

SSL Proxy

Native SSL proxy and Reverse HTTPS Proxy (SSL termination) on the
ProxySG. Includes an SSL accelerator card to be installed on the
appliance.
Upon upgrading to SGOS 4.2, the license description for an existing SSL
license changes to "SSL Proxy" instead of "SSL Termination." This is
simply a description change. SSL termination and SSL Proxy
functionality are available (when licensed) on SGOS 4.2.

Optional

IM

AOL Instant Messaging: AIM proxy with policy support for AOL Instant
Messenger.
MSN Instant Messaging: MSN proxy with policy support for MSN
Instant Messenger.
Yahoo Instant Messaging: Yahoo proxy with policy support for Yahoo
Instant Messenger.

Optional

Windows Media
Premium

MMS proxy; content caching and splitting.
Full policy control over MMS.
When the maximum concurrent streams is reached, all further streams
are denied and the client receives a message.

Optional

Real Media
Premium

RTSP proxy; content caching and splitting.
Full policy control over RTSP.
When the maximum concurrent streams is reached, all further streams
are denied and the client receives a message.

About the Trial Period
Blue Coat provides a trial period. The initial system boot-up triggers the 60-day trial period, during
which you can evaluate the ProxySG functionality. For the first 60 days, all licensable components are
active and available to use. Furthermore, when a license is installed during the trial period (or while
using a demo license), components that are not part of that license remain available and active during
the trial period.

44

Chapter 2: Licensing

Note:

The ProxySG Licensing feature has slight changes from SGOS 3.x. The Blue Coat SGOS 4.x
Upgrade Guide (in Chapter 2) describes licensing behavior concerning an upgrade to SGOS
4.x from SGOS 3.x.

Each time you navigate to the Management Console home page or click the Maintenance>Licensing tab,
a pop-up dialog appears warning you that the trial period expires in so many days (a text message is
displayed on a Telnet, SSH, or serial console). If you require more time to explore the ProxySG
features, a demo license is available; refer to your reseller or contact Blue Coat Sales.
The trial period streaming and IM licenses are no-count licenses—unlimited streams and IM clients
are accessible.
Upon installing licenses after or during the trial period, the Base SGOS, Instant Messaging (IM),
Windows Media basic, and Real Media premium licenses are also unlimited, but Windows Media
premium and IM licenses impose user limits established by each license type.
Note:

If you invoke the restore-defaults command after you have installed licenses, and the
serial number of your system is configurable (older boxes only), the licenses fail to install
and you return to the trial period (if any time is left).

About License Expiration
At the end of the trial or demo period or, subsequently, when any normally licensed component
expires, components that have not been licensed do not process requests. A license expiration
notification message is logged in the Event Log (see "Viewing the Event Log" on page 995 for
information).
If a license expires, users might not receive notification, depending upon the application they are
using. Notifications do occur for the following:


HTTP (Web browsers)—An HTML page is displayed stating the ProxySG license has expired.



SSL—An exception page appears when an HTTPS connection is attempted.



Instant Messaging clients—Users do not receive a message that the ProxySG license has expired.
Any IM activity is denied, and to the user it appears that the logon connection has failed.



FTP clients—If the FTP clients supports it, a message is displayed stating the ProxySG license has
expired.



Streaming media clients—If the Windows Media Player, RealPlayer, or QuickTime player version
supports it, a message is displayed stating the ProxySG license has expired.

You can still perform ProxySG configuration tasks through the Management Console, CLI, SSH
console, serial console, or Telnet connection. Although the component becomes disabled, feature
configurations are not altered. Also, policy restrictions remain independent of component availability.

45

Blue Coat ProxySG Configuration and Management Guide

Obtaining a WebPower Account
Before you can generate the license key file, you must have a Blue Coat WebPower user account and
register the ProxySG.
If you do not have a WebPower account or forgot your account information, perform the following
procedure.
To Obtain a WebPower Account
1.

Select Maintenance>Licensing>Install.

2.

In the License Administration field, click Register/Manage. The License Configuration and
Management Web page appears (ignore the dialog at this time).

3.

Perform one of the following:


To obtain a new account, click the link for Need a WebPower User ID. Enter the information as
prompted.



To obtain your current information for an existing information, click the link for Forgot your
password.

Registering the Hardware
This section describes how to enter the appliance serial number and register the appliance with Blue
Coat.

System Serial Number Prerequisite
Each ProxySG serial number is the appliance identifier used to assign a license key file. The ProxySG
contains an EEPROM with the serial number encoded. The ProxySG recognizes the serial number
upon system boot-up.
The serial number is visible by navigating to Configuration>General>Identification.

The License Warning Dialog
When you first access the ProxySG Management Console, or when you select
Maintenance>Licensing>Install, a License Warning dialog appears.

46

Chapter 2: Licensing

Figure 2-1: License Warning dialog: Hardware not registered

You cannot install a license key until the hardware has been registered. The License Warning field
indicates this status.
If you know the hardware has been manually registered, select Hardware has been manually registered
and click Close. The system searches for the last instance and value of hardware registration. Proceed
to "Installing a License Key File" on page 47.

Registering the ProxySG
This section describes how to register the ProxySG.
To Register the Hardware
1.

If the License Warning dialog is not displayed, select Maintenance>Licensing. The License Warning
dialog appears.

2.

Select Register hardware with Blue Coat automatically.

3.

Enter your WebPower username and password.

4.

Click Proceed. The Registration Status field displays relative information.
The ProxySG connects to the Blue Coat License Self-Service page. The next step is to obtain and
install the license key file that allows access to the ProxySG features you require.

Installing a License Key File
This section describes how to register the ProxySG with Blue Coat and install the license key file.

Creating a License Key File
The License Self-Service Web page allows you to create a license key file.

47

Blue Coat ProxySG Configuration and Management Guide

Figure 2-2: The License Self-Service Web page

Upon purchasing the ProxySG from Blue Coat or a reseller, you received an e-mail that contains
license serial numbers. These serial numbers are required to create the license key file.
To Create a License Key File
1.

In the first field under Add a new software solution to this appliance, enter the serial number for the
SGOS 4.x base license.

2.

In the subsequent fields, enter the serial numbers for any optional licenses you obtained (for
example, Compression and IM).

Figure 2-3: Entering license serial numbers

3.

Click Apply.
A license key file, which contains either just the base license or the base combined with optional
licenses, is generated and is ready to be downloaded and installed.

Downloading the License Key File
Downloading the license key file is accomplished by using the automatic installation feature or by
receiving the key through e-mail and manually installing it from a Web server or a local file.

48

Chapter 2: Licensing

Automatic License Installation
If the ProxySG has Internet access, you can use the automatic license installation feature to retrieve
and install the license from Blue Coat.
To Automatically Obtain and Install the License from the Management Console
1.

Select Maintenance>Licensing>Install.

2.

In the License Key Automatic Installation field, click Retrieve. The Request License Key dialog appears.

Figure 2-4: Requesting a License

3.

Enter your Blue Coat WebPower user ID and password.

4.

Click Send Request.
The ProxySG fetches the license associated with the serial number that is displayed.

5.

The Installation Status field displays relevant information. When installation is complete, click
Results; examine the results and click OK; click Close. The ProxySG is now licensed.

Manual License Installation
If the ProxySG does not have Internet access, Blue Coat can send you the license in an e-mail. The file
can then be installed from a Web server or a local directory.
To Manually Obtain and Install the License
1.

Select Maintenance>Licensing>Install.

2.

Click Register/Manage. A new window opens to the Blue Coat ProxySG Registration page. This
Web page provides instructions for requesting that the license (associated to the ProxySG by the
serial number) be sent through e-mail.

3.

When the e-mail arrives, save the attached license file on a Web server or to a local file.

49

Blue Coat ProxySG Configuration and Management Guide

4.

In the License Key Manual Installation field, select one of the following from the drop-down list and
click Install:
Note:


A message is written to the event log when you install a list through the ProxySG.

Remote URL—If the file resides on a Web server. The Install License Key dialog displays.

Figure 2-5: Installing a License from a Web Server

Enter the URL path and click Install. The Installation Status field displays relevant information.
When installation is complete, click Results; examine the results, close the window, and click
OK. Click Apply.


Local File—If the file resides in a local directory. The Upload and Install File window opens.

Figure 2-6: Uploading a License from a Local File

Enter a path to the license file or click Browse and navigate to the file. Click Install. A results
window opens. Examine the license installation results; close the window. Click Close. Click Apply.
The ProxySG license is now installed. All features that you subscribed to are fully operational.

50

Chapter 2: Licensing

Viewing License Information
You can review the validity and expiration date of any licensed feature.
To View the License Information through the Management Console
Select Maintenance>Licensing>View.

Figure 2-7: Viewing License Information

Each licensable component is listed, along with its validity and its expiration date.
Note:

To view the most current information, click Refresh Data.

You can also highlight a license component and click View Details. A dialog appears displaying more
detailed information about that component. For example, a streaming component displays the
maximum number of streams allowed.

Disabling the Components Running in Trial Mode
You might decide to not let users access ProxySG features that are currently running in trial mode.
To Disable Trial Mode Components from the Management Console:
1.

On the View License tab, select Trial Components are enabled: Disable.

2.

Click Apply.

3.

Click Refresh Data. All licenses that are in trial mode switch from Yes to No. Users cannot use these
features. Furthermore, they do not receive nag dialogs warning of license expiration.

Also notice that this option text changes to Trial Components are disabled: Enabled. Repeat this process to
re-enable trial licenses.

51

Blue Coat ProxySG Configuration and Management Guide

To Disable Trial Mode Components from the CLI
At the enable prompt, enter the following command:
SGOS# licensing disable-trial

To re-enable:
SGOS# licensing enable-trial

Updating a License
After the initial license installation, you might decide to use another feature that requires a license. For
example, you currently support Windows Media, but want to add Real Media support. The license
must be updated to allow this support.
To Update a License through the Management Console
1.

Select Maintenance>Licensing>Install.

2.

Click Register/Manage.

3.

Follow the instructions on the Blue Coat License Self-Service Web page.

4.

If using the automatic license installation feature, click Update; otherwise, manually install the
license as described in "Manual License Installation" on page 49.

To Update a License through the CLI
At the enable prompt, enter the following command:
SGOS# licensing update-key

Automatically Updating a License
The license automatic update feature allows the ProxySG to contact the Blue Coat licensing Web page
31 days before the license is to expire. If a new license has been purchased and authorized, the license
is automatically downloaded. The ProxySG continues to contact the Web site up to 30 days after the
license is set to expire. Outside the above license expiration window, the ProxySG performs this
connection once every 30 days to check for new license authorizations. This feature is enabled by
default.
To Configure the License Auto-Update Feature through the Management Console
1.

Select Maintenance>Licensing>Install.

2.

Select Use Auto-Update.

3.

Click Apply.

To Configure the License Auto-Update Feature through the CLI
At the (config) prompt, enter the following command:
SGOS# (config) license-key path url
SGOS# (config) license-key auto-update {enable | disable}

52

Chapter 2: Licensing

Note:

If the automatic license update fails and you receive a Load from Blue Coat error,
you must log on to your License Management account:
https://services.bluecoat.com/eservice_enu/licensing/mgr.cgi. Click Update
License Key.

53

Blue Coat ProxySG Configuration and Management Guide

54

Chapter 3: Accessing the ProxySG

The Blue Coat Systems ProxySG uses the Secure Shell (SSH) and HTTPS protocols to securely access
the ProxySG CLI and Management Console. Both SSHv1 and SSHv2 are enabled by default, and host
keys have already been created on the ProxySG.
All data transmitted between the client and the ProxySG using SSH/HTTPS is encrypted.
During initial configuration, you assigned the ProxySG a username and password and a
privileged-mode (enabled/configuration) password. These passwords are always stored and
displayed hashed.
This chapter discusses:


"Before You Begin: Understanding Modes"



"Accessing the ProxySG"



"Accessing the Management Console Home Page"



"Changing the Logon Parameters"



"Configuring the SSH Console"

Important: This chapter assumes that you have completed the first-time setup of the ProxySG
using either the front panel or serial console, and that the appliance is running on the
network. These steps must be completed before accessing the appliance.
You can manage the ProxySG by logging on to and using one of the following:


An SSH session to access the CLI.



The Management Console graphical interface.

You can also use a serial console to access the CLI.
Note:

To use a Telnet session, you must use a serial console connection until you have
configured Telnet for use. (For security reasons Blue Coat does not recommend using
Telnet).

Before You Begin: Understanding Modes
SGOS 4.x supports different levels of command security:


Standard, or unprivileged, mode is read-only. You can see but not change system settings and
configurations. This is the level you enter when you first access the CLI.

55

Blue Coat ProxySG Configuration and Management Guide



Enabled, or privileged, mode is read-write. You can make immediate but not permanent changes
to the ProxySG, such as restarting the box. This is the level you enter when you first access the
Management Console.



Configuration is a mode within the enabled mode. From this level, you can perform permanent
changes to the ProxySG configuration.

If you use the Management Console, you are in configuration mode when you are completely logged
on to the system.
If you use the CLI, you must enter each level separately:
Username: admin
Password:
SGOS> enable
Enable Password:
SGOS# configure terminal
Enter configuration commands, one per line. End with CTRL-Z.
SGOS#(config)

For detailed information about the CLI and the CLI commands, refer to the Blue Coat ProxySG
Command Line Reference.
Note:

Although most administrator tasks can be performed using either the Management
Console or the CLI, there is the occasional task that can only be done using one of the two:
these are specified in the manual.

Accessing the ProxySG
You can access the ProxySG through either the CLI or the Management Console. By default, SSHv2
(CLI) and HTTPS (Management Console) are used to connect to the appliance.
The SSH and HTTPS ports are configured and enabled. For SSH, you can use either version 1 or
version 2 (with password or RSA client key authentication).

Accessing the CLI
If you use the CLI, you can use SSHv2 to access the ProxySG, but you cannot use SSHv1 or Telnet
without additional configuration.
Note:

Enabling the Telnet-Console introduces a security risk, so it is not recommended.

To use SSHv1, you must first create an SSHv1 host key. For more information on creating SSH host
keys, see "Configuring the SSH Console" on page 63.
To log on to the CLI, you must have:

56



the account name that has been established on the ProxySG



the IP address of the ProxySG



the port number (8082 is the default port number)

Chapter 3: Accessing the ProxySG

You must log on from your SSH client.

Accessing the Management Console
The Management Console is a graphical Web interface that allows you to manage, configure, monitor,
and upgrade the ProxySG from any location.
In the Web browser, enter HTTPS, the ProxySG IP address, and port 8082 (the default management
port). For example, if the IP address configured during first-time installation is 10.25.36.47, enter the
URL https://10.25.36.47:8082 in the Web browser.
The Management Console consists of a set of Web pages and Java applets stored on the ProxySG. The
appliance acts as a Web server on the management port to serve these pages and applets. From the
ProxySG home page on the appliance, you can access the management applets, statistics applets, and
documentation. The Management Console is supported with a complete online help facility to assist
you in defining the various configuration options.
Note:

If, when you access the Management Console home page, you get a “host mismatch” or
an “invalid certificate” message, you need to recreate the security certificate used by the
HTTPS-Console. For information on changing the security certificate, see "Managing the
HTTPS Console (Secure Console)" on page 148.

Accessing the Management Console Home Page
When you access the Management Console home page (see "Accessing the Management Console" on
page 57), you are prompted to log on to the box.

Logging On
Each time you access the Management Console, you must log on.

Figure 3-1: Logon Dialog


The Site is the IP address of the ProxySG to which you are logging on.

57

Blue Coat ProxySG Configuration and Management Guide



The Realm is a configurable name that can be anything you choose. The ProxySG IP address is the
default. For more information on configuring the realm name, see "Changing the ProxySG Realm
Name" on page 62.



The User Name is the name of the account you are using on this ProxySG. The name must already
exist. It cannot be created here.



The Password is the password for the account you are using. It cannot be changed here.

You can change the username and password for the console through the Management Console or the
CLI. See "Changing the Logon Parameters" on page 59.
Note:

All successful and failed logon attempts are logged to the ProxySG event log.

Logging Out
Once you have logged on, you do not have to log on again unless you exit the current session or the
session times out. The session timeout period, with a default of 900 seconds (15 minutes), is
configurable.
Thirty seconds before the session times out, a warning dialog displays. Click the Keep Working button
or the X in the upper-right-corner of the dialog box to keep the session alive.
Note:

The Keep Working button saves your changes to the current applet. You cannot work in
other applets without logging back on to the ProxySG.

Figure 3-2: Automatic Logout Warning

If you do not click Keep Working or the X in the upper-right-hand corner within the thirty-second
period, you are logged out. You must log back on to access the Management Console.

Figure 3-3: Logout Dialog

Click the hyperlink to log back on to the ProxySG.

58

Chapter 3: Accessing the ProxySG

Note:

If no applet is running when the session times out (you are on the Management Console
home page), you are logged out without seeing the logout warning dialog. You might not
be aware that you are logged out until you try to access an applet. You must enter the
logon information again.

Changing the Logon Parameters
You can change the console username and password, the console realm name (which displays when
you log on to the ProxySG), and the auto-logout timeout (in seconds; the default is 900 seconds.)
The Management Console requires a valid administrator username and password to have full
read-write access; you do not need to enter a privileged-mode password as you do when using the
CLI. A privileged-mode password, however, must already be set.
Note:

To prevent unauthorized access to the ProxySG, only give the console username and
password to those who administer the ProxySG.

Changing the Username and Password through the Management Console
You can change either the username or the password without changing both.

Changing the Username through the Management Console
The console account username was assigned during initial setup of the system. You can change the
username at any time.
To Change the Username through the Management Console
1.

Select Configuration>Authentication>Console Access>Console Account.
The Console Account tab displays.

Figure 3-4: Console Account Tab

59

Blue Coat ProxySG Configuration and Management Guide

Note:

2.

Changing the Console Account username or password causes the Management Console
to refresh and log back on using the new information. Note that each parameter must be
changed and individually refreshed. You cannot change both parameters at the same
time.

Enter the username of the administrator or administrator group who is authorized to view and
revise console properties.
Only one console account exists on the ProxySG. If you change the console account username, that
username overwrites the existing console account username.
The console account username can be changed to anything that is not null and contains no more
than 64 characters.

3.

Click Apply.
After clicking Apply, an Unable to Update configuration error is displayed. The username change was
successfully applied, but the configuration could not be fetched from the ProxySG, as the
username offered in the fetch request is still the old username.

4.

Refresh the screen. You are then challenged for the new username.

To Change the Password through the Management Console
The console password and privileged-mode password were defined during initial configuration of the
system. The console password can be changed at any time through the Management Console. The
privileged-mode, or enabled-mode, password can only be changed through the CLI or the serial
console.
1.

Select Configuration>Authentication>Console Access>Console Account.
The Console Account tab displays.

2.

Click Change Password.

Figure 3-5: Setting or Changing a Password

3.

60

Enter and re-enter the console password that is used to view and edit configuration information.
The password must be from 1 to 64 characters long. As you enter the new password, it is obscured
with asterisks. Click OK.

Chapter 3: Accessing the ProxySG

Note:

This does not change the enabled-mode password. You can only change the
enabled-mode password through the CLI.

4.

Refresh the screen, which forces the ProxySG to re-evaluate current settings. When challenged,
enter the new password.

5.

(Optional) Restrict access by creating an access control list or by creating a policy file containing
layer rules. For more information, see "Moderate Security: Restricting Management
Console Access Through the Console Access Control List (ACL)" on page 311.

Changing the Username and Password through the CLI
To Change the Console Account Username or Password, Privileged-Mode Password, and the
Front-Panel PIN through the CLI
1.

Open a terminal session with the ProxySG and enter the current username and password as
prompted.

2.

At the command prompt, enter the following command:
SGOS> enable

3.

Enter the privileged-mode password when prompted.

4.

At the command prompt, enter the following commands (note that usernames and passwords can
each be from 1 to 64 characters in length, but that passwords need to be in quotes):
SGOS# configure terminal
SGOS#(config) security username username

This command specifies the administrator username.
SGOS#(config) security password “password”
-orSGOS#(config) security hashed-password hashed_password

These commands specify the administrator console password.
SGOS#(config) security enable-password “password”
-orSGOS#(config) security hashed-enable-password hashed_password

These commands specify the administrator privileged-mode password. The ProxySG hashes
the password if you enter it in clear text.
5.

(Optional, for maximum security. Note that these commands are not available if the ProxySG does
not have a front panel.) At the command prompt, change the ProxySG front panel PIN:
SGOS#(config) security front-panel-pin pin
-orSGOS#(config) security hashed-front-panel-pin hashed_pin

6.

(Optional) Restrict access by creating an access control list or by creating a policy file containing
layer rules. For more information, see “Section A: Controlling Access to the ProxySG” on
page 307.

61

Blue Coat ProxySG Configuration and Management Guide

Changing the ProxySG Realm Name
The realm name displays when you log on to the ProxySG Management Console. The default realm
name is the connection used to access the ProxySG, usually the IP address of the system.
To Change the Realm Name through the Management Console
1.

Select Configuration>Authentication>Console Access>Console Account.
The Console Account tab displays.

2.

Enter a new realm name.
The new realm name displays the next time you log on to the ProxySG Management Console.

3.

Click Apply.

To Change the Realm Name through the CLI
1.

At the (config) prompt, enter the following command to change the name from the default.
SGOS#(config) security management display-realm name

The new realm name displays the next time you log on to the ProxySG Management Console.
2.

(Optional) View the results. As the show security command displays lengthy output, only the
relevant section is displayed in the following example:
SGOS#(config) show security
Account:
Username:
"admin"
Hashed Password: $1$aWMpN$/dsvVrZK6R68KH8r2SQxt/
Hashed Enable Password: $1$P4lpm$ZqFXg4J4A/T.ORgUbr0B/1
Hashed Front Panel PIN: "$1$GGSf2$lEhLm9oITgny9PDF2kVFp."
Management console display realm name: ""
Management console auto-logout timeout: Never

You can negate the security management display-realm values by entering no before the
command; for example, security management no display-realm.

Changing the ProxySG Timeout
The timeout is the length of time a session persists before you are logged out. The default timeout is
900 seconds (15 minutes).
To Change the Timeout through the Management Console
1.

Select Configuration>Authentication>Console Access>Console Account.
The Console Account tab displays.

2.

Either deselect Enforce auto-logout (which eliminates auto-logout entirely) or change the
auto-logout timeout from its default of 900 seconds (15 minutes) to another time (in seconds). This
is the allowable time on the ProxySG before the current session times out. Acceptable values are
between 300 and 86400 seconds (5 minutes to 24 hours).
If you change the timeout value, the change takes effect on the next refresh of any applet on the
Management Console.

62

Chapter 3: Accessing the ProxySG

3.

Click Apply.

To Change the Timeout through the CLI
1.

To change the timeout from its default of 900 seconds (15 minutes), enter:
SGOS#(config) security management auto-logout-timeout seconds

The change takes effect on the next refresh of any applet in the Management Console. Acceptable
values are between 300 and 86400 seconds (5 minutes to 24 hours).
2.

(Optional) View the results. As the show security command displays lengthy output, only the
relevant section is displayed in the following example:
SGOS#(config) show security
Account:
Username:
“admin”
Hashed Password: $1$a2zTlEE$1b88R3SXUTXS.zO7lh8db0
Hashed Enable Password: $1$xQnqGerX$LU65b20trsIAF6yJox26L.
Hashed Front Panel PIN: "$1$ThSEiB1v$seyBhSxtTXEtUGDZ5NOB1/"
Management console display realm name: "Aurora"
Management console auto-logout timeout: Never

You can negate the security management auto-logout-timeout values by entering no
before the command; for example, security management no auto-logout-timeout.

Configuring the SSH Console
By default, the ProxySG uses Secure Shell (SSH) and password authentication so administrators can
access the ProxySG CLI or Management Console securely. SSH is a protocol for secure remote logon
over an insecure network. No action is required unless you want to change the existing SSH host key,
disable a version of SSH, or import RSA host keys. Only one SSH service is allowed on the ProxySG.
To disable the SSH port, see "Managing the SSH Host Connection" below.

Managing the SSH Host Connection
You can manage the SSH host connection through either the Management Console or the CLI.
To Manage the SSH Connection through the Management Console
Note:

1.

Only one SSH Console can be enabled at a time. By default, both SSHv1 and SSHv2 are
enabled and assigned to port 22. You do not need to create a new host key unless you
want to change the existing configuration.

Select Configuration>Services>SSH Console>SSH Host.
The SSH Host tab displays.

63

Blue Coat ProxySG Configuration and Management Guide

Figure 3-6: SSH Host Tab

2.

To delete either SSHv1 or SSHv2 support on the ProxySG, click the appropriate Delete button.
The change is made on the ProxySG instantly.
Important:

Do not delete both versions. This disables the SSH Console. Even if you add SSHv1
or SSHv2 client keys back, you will have to enable the service through
Configuration>Services>Service Ports.

The SSH host tab redisplays with the appropriate host key deleted.
3.

To add SSHv1 or v2 support, select the Create checkbox for the version you want. Remember that
if both versions are deleted, you must re-enable the SSH service on port 22.

4.

The SSH host key displays in the appropriate pane.

To Manage SSH Host Keys through the CLI
Note:

Only one SSH Console can be enabled at a time. By default, both SSHv1 and SSHv2 are
enabled and set up on port 22. You do not need to create a new host key unless you want
to change the existing configuration. In fact, you cannot create a new host key unless you
delete one of the existing client keys.

You must set up RSA client keys to connect to the ProxySG using RSA. To set up RSA client keys, see
"Managing the SSH Client" below.
1.

From the (config) prompt of the ProxySG, enter the following commands to create a host key.
SGOS#(config) services
SGOS#(config services) ssh-console
SGOS#(config services ssh-console) create host-keypair [sshv1 | sshv2]

The client key, either SSHv1 or SSHv2 or both, is created, depending on which client key was
previously deleted.

64

Chapter 3: Accessing the ProxySG

2.

(Optional) View the results.
SGOS#(config services ssh-console) view host-public-key [sshv1 | sshv2]
1024 35
190118975106704546356706163851813093052627858203406609264841510464285480824
068799445880489701889675368436600545643174140823440610328520806007156774811
989754027101280816905716431491183274963949027032871437205903863441301419664
1366408168414061584835486361481236628643756053169543839452802141370496747163
3977037
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEA2rSeDb3vhr78AFmd7TbdtziYfUQybaDxdMBbSLuyJVgwVbq+
tIvS4L6kDsTuFYGVR8Cg74Xqsj2kO6iwo71YGwdUnDXEzIFBwl0nvS4LkV2UINUwbuP0R0hD4Dt
jVTKsURrOHbTxcXkFipplDwFPDiCKOIqLm4ypcaC/Pj+Juq0=

3.

To disable SSH, enter:
SGOS#(config services ssh-console) delete host-keypair [sshv1 | sshv2]

Deleting both of the client keys disables the SSH service on port 22, which then must be
re-enabled before you can use SSH Console services again, even if you re-create the host
keys.

Managing the SSH Client
You can have multiple RSA client keys on the ProxySG to allow for actions such as logging on to the
ProxySG from different locations. You cannot create an RSA client key through the appliance, only
through an SSH client. Many SSH clients are commercially available for UNIX and Windows.
Once you have created an RSA client key following the instructions of your SSH client, you can import
the key onto the ProxySG using either the Management Console or the CLI.

Understanding OpenSSH.pub Format
Blue Coat supports the OpenSSH.pub format. Keys created in other formats will not work.
An OpenSSH.pub public key is similar to the following:
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAwFI78MKyvL8DrFgcVxpNRHMFKJrBMeBn2PKcv5oAJ2qz+uZ7
hiv7Zn43A6hXwY+DekhtNLOk3HCWmgsrDBE/NOOEnDpLQjBC6t/T3cSQKZjh3NmBbpE4U49rPdu
iiufvWkuoEiHUb5ylzRGdXRSNJHxxmg5LiGEiKaoELJfsDMc= user@machine

One of the public key format examples (this one created by the SSH client) is similar to the following:
---- BEGIN SSH2 PUBLIC KEY ---Comment: “[1024-bit rsa, user.name@machine, Wed Feb 19 2003 19:2\8:09]”
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCw52JeWr6Fv4kLkzbPZePvapCpaTadPYQwqsGnCIYdf1W
e7/8336EmzV918G1jb/VT1SI1tM1Ku1BTal7uWAi+aUBGKLlYuyhCTo03IZFMnsQC7QYzY1y3ju
fUP3H0be52fg7n7p7gNZR11yzWhVei1vIKiyVKpjqiq6hxCbMb2Q==
---- END SSH2 PUBLIC KEY ----

The OpenSSH.pub format appends a space and a user ID to the end of the client key.
The user ID for the key must be unique. Because the ProxySG manages the keys through the user, no
two can be the same.
Other caveats:

65

Blue Coat ProxySG Configuration and Management Guide



1024 bits is the maximum supported key size.



An ssh-rsa prefix must be present.



Trailing newline characters must be removed from the key before it is imported.

To Import RSA Client Keys through the Management Console
1.

From your SSH client, create a client key and copy it to the clipboard.
Note:

2.

The above step must be done with your SSH client. The ProxySG cannot create client
keys.

Select Configuration>Services>SSH Console>SSH Client.
The SSH Client tab displays.

Figure 3-7: SSH Client Tab

3.

Click Import to import a new host key.
The Import Client Key dialog displays.

Figure 3-8: Import Client Key Dialog

66

Chapter 3: Accessing the ProxySG

4.

Specify whether the client key is associated with an existing user or a new user, and enter the
name.

5.

Paste the RSA key that you previously created with an SSH client into the Client key field. Ensure
that a key ID is included at the end. Otherwise, the import fails.

6.

Click OK.
The SSH Client tab reappears, with the fingerprint of the imported key displayed.

Figure 3-9: SSH Client with Imported Client Key

To Import a Client Key through the CLI
1.

From your SSH client, create a client key and copy it to the clipboard.

2.

From the (config) prompt, enter the following commands to import a client key.
SGOS#(config) services
SGOS#(config services) ssh-console
SGOS#(config ssh-console) import client-key username
Paste client key here, end with “...” (three periods)
ssh-rsaAAAAB3NzaC1yc2EAAAABIwAAAIEAtAy+axsx0iwroFN7B9qSJYjfVbsxPfyC0aoZpSMBd
g97/oiFozDXPhrRmPI3c42EiVdJtVo65r0Aerpu4ybCYVeq6MjRwdsszaezY+VdqtfyYVptC6V1
7Pmj2erw4+A9AggKHTp56BBCm3mEPQDdVW7J6QBrJ+U1ClFS/sMcbV8=laptop@GLYPH
...
ok

3.

(Optional) View the results.
SGOS#(config services ssh-console) view client-key username
user_ID@PC 45:5C:3F:5F:EA:65:6E:CF:EE:4A:05:58:9A:C5:FB:4F
user_ID@LAPTOP 61:ED:79:23:F5:2A:1A:6D:84:81:A0:5B:25:36:C7:5F

Note:

If you have upgraded from an older version ProxySG, and you want to view a previously
imported client key, you might not need to enter a username.

67

Blue Coat ProxySG Configuration and Management Guide

68

Chapter 4: Configuring the System

This chapter describes how to configure various ProxySG system configurations, such as setting the
time, configuring adapters, and creating software bridges.
This chapter contains the following sections:


"Global Configurations"



"Archive Configuration"



"Adapters"



"Software and Hardware Bridges"



"Gateways"



"Defining Static Routes"



"Using RIP"



"DNS Servers"



"Attack Detection"



"Using a Bypass List"



"Installing WCCP Settings"



"Virtual IP Addresses"



"Configuring Failover"



"TCP/IP Configuration"

During initial configuration, Interface 0 was configured by default. The NTP server was defined to
keep the system time correct. You also optionally configured a bridge, a gateway, and a DNS server.
These configurations require no further modification. These procedures are provided if you need to
configure other adapters in the system or if the need to change a configuration occurs.

69

Blue Coat ProxySG Configuration and Management Guide

Section A: Global Configurations

Section A: Global Configurations
The ProxySG global configurations include: defining the ProxySG name and serial number, setting the
time, and configuring NTP for your environment.
The following topics are discussed in this section:


"Configuring the ProxySG Name"



"Configuring the Serial Number"



"Configuring the System Time"



"Network Time Protocol"



"Configuring HTTP Timeout"

Configuring the ProxySG Name
You can assign any name to a ProxySG. A descriptive name helps identify the system.
To Set the ProxySG Name through the Management Console
1.

Select Configuration>General>Identification.
The Identification tab displays.

Figure 4-1: General Identification Tab

2.

In the Unique name for this ProxySG Appliance field, enter a ProxySG name.

3.

Click Apply.

To Set the ProxySG Name through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) hostname name

Configuring the Serial Number
The ProxySG serial number assists Blue Coat Systems Customer Support when analyzing
configuration information, including heartbeat reports. This number is found on the ProxySG. Once
the serial number is entered, the ProxySG does not verify the validity of the number, only that it is
numeric.

70

Chapter 4: Configuring the System

Section A: Global Configurations

Note:

If the EPROM contains the ProxySG serial number, you cannot manually enter a serial
number.

To Enter the Serial Number through the Management Console
1.

Select Configuration>General>Identification.
The Identification tab displays.

2.

In the Serial Number field, enter the serial number.

3.

Click Apply.

To Enter the Serial Number through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) serial-number serial_number

Displayed Information
The serial number is visible on the Management Console home page. and is displayed using the show
serial-number command. If the serial number was entered through the Management Console or the
CLI, it is appended with (configured) to indicate a manual entry.

Configuring the System Time
To manage objects, the ProxySG must know the current Universal Time Coordinates (UTC) time,
which is the international time standard and is based on a 24-hour clock.
By default, the ProxySG attempts to connect to an NTP server to acquire the UTC time. The appliance
ships with a list of NTP servers available on the Internet, and attempts to connect to them in the order
they appear in the NTP server list on the NTP tab. If the appliance cannot access any of the listed NTP
servers, you must manually set the UTC time.
To Set UTC Time through the Management Console
1.

Select Configuration>General>Clock>Clock.
The Clock tab displays.

71

Blue Coat ProxySG Configuration and Management Guide

Section A: Global Configurations

Figure 4-2: General Clock Tab

2.

Verify that Enable NTP is selected.

3.

To set your local time, select a time zone from the Timezone drop-down list.
Once the local time zone is selected, event logs record the local time instead of GMT.

4.

Click Acquire UTC time.

5.

Click Apply.

To Set UTC Time through the CLI
At the enable prompt, enter the following command:
SGOS# acquire-utc

If NTP is disabled, an error is displayed.
To Manually Set UTC Time through the Management Console
1.

Select Configuration>General>Clock>Clock.
The Clock tab displays.

2.

De-select Enable NTP.
The UTC time and date fields become editable when NTP is disabled.

3.

To set your local time, select a time zone from the Timezone drop-down list.
Once the local time zone is selected, event and access logs record the local time instead of GMT.

4.

Click Pause in the upper-right-hand corner to stop the system clock.

5.

Enter the current UTC time and date in the UTC time and date fields.

6.

Click Resume to start the system clock.

7.

Click Apply.

To Manually Set UTC Time through the CLI
1.

72

At the (config) command prompt, enter the following commands

Chapter 4: Configuring the System

Section A: Global Configurations
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)

2.

clock
clock
clock
clock
clock
clock

day 1-31
hour 0-23
minute 0-59
month 1-12
second 0-59
year year

(Optional) View the results.
SGOS#(config) show clock
2003-08-28 22:50:56+00:00UTC
2003-08-28 22:50:56+00:00UTC

Network Time Protocol
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to
another server or reference time source, such as a radio or satellite receiver or modem. There are more
than 230 primary time servers, synchronized by radio, satellite and modem.
The ProxySG ships a list of NTP servers available on the Internet, and attempts to connect to them in
the order they appear in the NTP server list on the NTP tab. You can add others, delete NTP servers,
and reorder the NTP server list to give a specific NTP server priority over others.
The ProxySG uses NTP and the Universal Time Coordinates (UTC) to keep the system time accurate.
You can add and reorder the list of NTP servers the ProxySG uses for acquiring the time through the
Management Console. The reorder feature is not available through the CLI.
To Add an NTP Server through the Management Console
1.

Select Configuration>General>Clock>NTP.
The NTP tab displays.

Figure 4-3: General Clock NTP Tab

73

2.

Click New to add a new server to the list.

3.

Enter either the domain name or IP address of the NTP server and click OK.

Blue Coat ProxySG Configuration and Management Guide

Section A: Global Configurations
4.

Click Apply.

To Add an NTP Server through the CLI
1.

At the (config) command prompt, enter:
SGOS#(config) ntp server domain_name
SGOS#(config) ntp interval minutes
SGOS#(config) ntp enable

2.

(Optional) View the results.
SGOS#(config) show ntp
NTP is enabled
NTP servers:
ntp.bluecoat.com
ntp2.bluecoat.com
Query NTP server every 60 minutes

3.

To remove a server from the NTP server list:
SGOS#(config) ntp no server domain_name

To Change the Access Order through the Management Console
NTP servers are accessed in the order displayed. You can organize the list of servers so the preferred
server appears at the top of the list. This feature is not available through the CLI.
1.

Select Configuration>General>Clock>NTP.
The NTP tab displays.

2.

Select an NTP server to promote or demote.

3.

Click Promote entry or Demote entry as appropriate.

4.

Click Apply.

Configuring HTTP Timeout
You can configure various network receive timeout settings for HTTP transactions. You can also
configure the maximum time that the HTTP proxy waits before reusing a client-side or server-side
persistent connection. You must use the CLI to configure these settings.
To Configure the HTTP Receive Timeout Setting through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) http receive-timeout {client | refresh | server} #_seconds

where:

74

client

#_seconds

Sets the receive timeout for client to #_seconds. The
default is 120 seconds.

refresh

#_seconds

Sets receive timeout for refresh to #_seconds. The default
is 90 seconds.

Chapter 4: Configuring the System

Section A: Global Configurations
server

#_seconds

Sets receive timeout for server to #_seconds. The default
is 180 seconds.

To Configure the HTTP Persistent Timeout Setting through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) http persistent-timeout {client | server} #_seconds

where:

75

client

#_seconds

The maximum amount of time the HTTP proxy waits
before closing the persistent client connection if another
request is not made. The default is 360 seconds.

server

#_seconds

The maximum amount of time the HTTP proxy waits
before closing the persistent server connection if that
connection is not re-used for any subsequent request
from the proxy. The default is 900 seconds.

Blue Coat ProxySG Configuration and Management Guide

Section B: Archive Configuration

Section B: Archive Configuration
Blue Coat allows you to both use an existing configuration (modified to include only general
parameters, not system-specific settings) to quickly set up a newly-manufactured ProxySG and to
save the running configuration off-box for archival purposes.
This section discusses:


"Sharing Configurations"



"Archiving a Configuration"

Sharing Configurations
You can share configuration between two ProxySG Appliances. You can take a post-setup configuration
file (one that does not include those configuration elements that are established in the setup console)
from an already-configured ProxySG and push it to a newly-manufactured system.
Note:

Blue Coat Director allows you to push configuration from one ProxySG to multiple
ProxySG Appliances at the same time. For more information on using Director, see
Appendix F: “Using Blue Coat Director to Manage Multiple Appliances” on page 1127.

The new configuration is applied to the existing configuration, changing any existing values. This
means, for instance, that if the new configuration creates a realm called RealmA and the existing
configuration has a realm called RealmB, the combined configuration includes two realms, RealmA and
RealmB.
You can use either the Management Console or the CLI to create a post-setup configuration file on one
ProxySG and push it to another.
Note:

You cannot push configuration settings to a newly manufactured system until you have
completed initial setup of the system.

To Create and Push a Configuration to a Newly Manufactured ProxySG through the Management
Console
From the already configured ProxySG:
1.

Select Configuration>General>Archive.
The Archive Configuration tab displays.

76

Chapter 4: Configuring the System

Section B: Archive Configuration

Figure 4-4: Archive Configuration Tab

2.

In the View Current Configuration panel, select the configuration from the drop-down list that you
want to use for the newly-manufactured machine:


Configuration - post setup: This displays the configuration on the current system, minus any

configurations created through the setup console, such as the hostname and IP address. It also
includes the installable lists.


Configuration - brief: This displays the configuration on the current system, but does not include

the installable lists.


Configuration - expanded: This is the most complete snapshot of the system configuration, but it

contains system-specific settings that should not be pushed to a new system.


Results of Configuration Load: This displays the results of the last configuration pushed to the

system.
3.

View the configuration you selected by clicking View. You can also view the file by selecting Text
Editor in the Install Configuration panel and clicking Install.

4.

Save the configuration. You can save the file two ways:


Save it as a text file on your local system. This is advised if you want to re-use the file.



Copy the contents of the configuration. (You will paste the file into the Text Editor on the
newly-manufactured system.)

From the newly-manufactured ProxySG:

77

1.

Launch the Management Console in a new browser window.

2.

Select Configuration>General>Archive.

3.

The Archive Configuration tab displays.

4.

In the Install Configuration panel, select either Local File or Text Editor from the drop-down list
(depending on whether you saved the file to your system or just copied it to the clipboard) and
click Install.


If you saved the file to your system, browse to the location of the Local File, highlight the file,
and click Install. The configuration is installed, and the results screen displays.



If you copied the contents of the file, paste it into the Text Editor and click Install. The
configuration is installed, and the results screen displays.

Blue Coat ProxySG Configuration and Management Guide

Section B: Archive Configuration

Note:
5.

A message is written to the event log when you install a list through the ProxySG.

Click Close.

To Create and Push a Configuration to a Newly Manufactured ProxySG through the CLI
From the already configured ProxySG:
1.

From the enable prompt (#), determine which configuration you want to use for the new system.
The syntax is:
show configuration post-setup | brief | expanded

where:
Configuration - post setup

This displays the configuration on the current system, minus any
configurations created through the setup console, such as the
hostname and IP address. It also includes the installable lists.

Configuration - brief:

This displays the configuration on the current system, but does not
include the installable lists.

Configuration - expanded

This is the most complete snapshot of the system configuration, but it
contains system-specific settings that should not be pushed to a new
system.

SGOS# show configuration post-setup

The selected configuration displays on the screen.
2.

Save the configuration. You can save the file two ways:


Copy the contents of the configuration to the clipboard. (Paste the file into the terminal on the
newly-manufactured system.)



Save it as a text file on a download FTP server accessible to the ProxySG. This is advised if you
want to re-use the file.

From the newly-manufactured ProxySG, do one of the following:


If you saved the configuration to the clipboard, go to the (config) prompt and paste the
configuration into the terminal.



If you saved the configuration on the FTP server:
At the enable command prompt, enter the following command:
SGOS# configure network “url”

where url must be in quotes and is fully-qualified (including the protocol, server name or
IP address, path, and filename of the configuration file). The configuration file is
downloaded from the server, and the ProxySG settings are updated.

78

Chapter 4: Configuring the System

Section B: Archive Configuration

Note:

If you rename the archived configuration file so that it does not contain any spaces,
the quotes surrounding the URL are unnecessary.

The username and password used to connect to the FTP server can be embedded into the
URL. The format of the URL is:
ftp://username:password@ftp-server

where ftp-server is either the IP address or the DNS resolvable hostname of the FTP server.
If you do not specify a username and password, the ProxySG assumes that an anonymous
FTP is desired and thus sends the following as the credentials to connect to the FTP server:
username: anonymous
password: proxy@

Archiving a Configuration
In the rare case of a complete system failure, restoring a ProxySG to its previous state is simplified by
loading an archived system configuration from an FTP or TFTP server. The archive, taken from the
running configuration, contains all system settings differing from system defaults, along with any
installable lists configured on the ProxySG.
Archive and restore operations must be done through the CLI.
Note:

You can archive a system configuration to an FTP or TFTP server that allows either
anonymous logon or requires a specific username and password. Likewise, to restore a
system configuration, the server storing the archive can be configured either to allow
anonymous logon or to require a username and password.

To Prepare to Archive a System Configuration
1.

Obtain write permission to a directory on an FTP server. This is where the archive will be stored.
The system configuration must be stored using FTP.

2.

At the (config) command prompt, enter the following commands:
SGOS#(config) archive-configuration protocol {ftp | tftp}
SGOS#(config) archive-configuration host hostname

where hostname is the IP address of the server.
Note:

TFTP does not require a password, path, or username.

SGOS#(config) archive-configuration password password
-orSGOS#(config) archive-configuration encrypted-password encrypted-password

where password is the password (or encrypted password) used to access the server.
SGOS#(config) archive-configuration path path

79

Blue Coat ProxySG Configuration and Management Guide

Section B: Archive Configuration
where path is the directory on the server where the archive is to be stored, relative to the
preset FTP directory.
SGOS#(config) archive-configuration filename-prefix filename

where filename can contain % strings that represent the information in the upload
filename. If you do not use the filename command, the ProxySG creates a name with a
timestamp and the filename SG_last-ip-octet_timestamp. For % string substitutions,
see "Fields Available for Creating Access Log Formats" on page 1034.
SGOS#(config) archive-configuration username username

where user_name is the username used to access the server.
Example Session
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok
SGOS#(config)
ok

Note:

archive-configuration host 10.25.36.47
archive-configuration password access
archive-configuration username admin1
archive-configuration path ftp://archive.server/stored
archive-configuration protocol ftp

To clear the host, password, or path, type the above commands using empty
double-quotes instead of the variable. For example, to clear the path, enter
archive-configuration path “”.

To Archive a System Configuration through the CLI
At the enable command prompt, enter the following command:
SGOS# upload configuration

To Restore a System Configuration through the CLI
At the enable command prompt, enter the following command:
SGOS# configure network “url”

where url must be in quotes and is fully-qualified (including the protocol, server name or
IP address, path, and filename of the configuration file). The configuration file is
downloaded from the server, and the ProxySG settings are updated.
Note:

If you rename the archived configuration file so that it does not contain any spaces,
the quotes surrounding the URL are unnecessary.

The username and password used to connect to the FTP server can be embedded into the URL. The
format of the URL is:
ftp://username:password@ftp-server

80

Chapter 4: Configuring the System

Section B: Archive Configuration
where ftp-server is either the IP address or the DNS resolvable hostname of the FTP server.
If you do not specify a username and password, the ProxySG assumes that an anonymous FTP is
desired and thus sends the following as the credentials to connect to the FTP server:
username: anonymous
password: proxy@

Troubleshooting
When pushing a shared configuration or restoring an archived configuration, keep in mind the
following issues:


Encrypted passwords (login, enable, and FTP) cannot be decrypted by a device other than that on
which it was encrypted. If you were sharing a configuration, these encrypted passwords were
probably already created before the configuration was pushed to the system.



If the content filtering database has not yet been downloaded, any policy that references
categories is not recognized.



The following passwords must be re-created (if you use the application specified):


administrator console passwords (not needed for shared configurations)



privileged-mode (enable) passwords (not needed for shared configurations)



the front-panel PIN (recommended for limiting physical access to the system)



access log FTP client passwords (primary, alternate)



archive configuration FTP password



RADIUS primary and alternate secret



LDAP search password



SmartFilter download password



WebSense3 download password



SNMP read, write, and trap community strings



RADIUS and TACACS+ secrets for splash pages



A full download of the content filtering database must be done.



SSH certificate keys must be imported.



SSL certificate keys must be imported

In addition, you should make sure the system is functioning whenever you add a feature. For
example, make sure the system works after basic configuration; then, after you add authentication,
recheck the system.

81

Blue Coat ProxySG Configuration and Management Guide

Section C: Adapters

Section C: Adapters
This section describes ProxySG network adapters and the adapter interfaces.
Note:

In Blue Coat documentation, the convention for adapters and their interfaces (the
connections on the adapter) is Adapter 0, Interface 0, or 0:0.

This section discusses:


"About Adapters"



"Network Interface States"



"Configuring an Adapter"



"About the Settings Button"



"Detecting Network Adapter Faults"

About Adapters
ProxySG Appliances ship with one or more network adapters installed on the system, each with one
or more interfaces. You can change interface parameters or configure additional adapters in the
appliance. You can also accept or reject inbound connections, change link settings in the event the
system did not correctly determine them, and configure the browser for proxy settings.

Network Interface States
As you select adapters from the picklist, the Adapter panel (Configuration>Network>Adapters) displays
the state of the configured adapter and its interfaces. When you initially set up the ProxySG, you
optionally configured Adapter 0, Interface 0. If your system has only one adapter, you can skip this
section. If your system shipped with other adapters, you can configure them through these
procedures.

Configuring an Adapter
The following procedure describes how to configure an adapter. Repeat the process if the system has
additional adapters.
To Configure a Network Adapter through the Management Console
1.

Select Configuration>Network>Adapters>Adapters.
The Adapters tab displays.
Note:

82

Different ProxySG models have different adapter configurations, and the appearance of
the Adapters tab varies accordingly.

Chapter 4: Configuring the System

Section C: Adapters

Figure 4-5: Network Adapters Tab

2.

Select an adapter from the Adapter drop-down list.
Notice that in the Interfaces field, a message displays stating whether the interface belongs to a
bridge. For more information about network bridging, see "Software and Hardware Bridges" on
page 87.

3.

(Optional) If you have a dual interface adapter, select an interface from the drop-down list.

4.

Enter the IP address and subnet mask for the interface into the IP address for interface x and Subnet
mask for interface x fields (where interface x refers to the interface selected in the Interfaces
drop-down list.)

5.

(Optional) To configure link settings, restrict inbound connections, or set up browser proxy
behavior for the adapter, select the adapter (under Interfaces) and click Settings. Enter any changes
and click OK to close the Settings dialog.
Note:

6.

The default is to permit all inbound connections. Link settings are automatically
determined and should not need to be modified. The browser default is to use the proxy’s
default PAC file. (See "About the Settings Button" below for more information on link
settings and inbound connections.)

Click Apply.

To Configure a Network Adapter through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) interface fast-ethernet interface_number

where interface_number is 0, 1, or n, up to one number less than the number of adapters in
the system.
SGOS#(config interface interface_#:0) ip-address ip_address
SGOS#(config interface interface_#:0) subnet-mask subnet
SGOS#(config interface interface_#:0) exit

83

Blue Coat ProxySG Configuration and Management Guide

Section C: Adapters

About the Settings Button
The Settings button in the Interfaces field allows you to restrict inbound connections on the selected
adapter, and to choose manual or automatic configuration of the adapter link settings.
The default for Inbound connections is to permit all incoming connections. The link settings are
automatically determined and should not normally require modification.
Note:

Rejecting inbound connections improperly, or manually configuring link settings
improperly, can cause the ProxySG to malfunction. Make sure that you know the correct
settings before attempting either of these. If the ProxySG fails to operate properly after
changing these settings, contact Blue Coat Support.

Rejecting Inbound Connections
The default setting allows inbound connections on all network adapters.
To Reject Inbound Connections through the Management Console
1.

Select Configuration>Network>Adapters>Adapters.

2.

Select an adapter from the Adapter drop-down list.
The Adapters tab displays.

Figure 4-6: Settings for Individual Network Adapters

84

3.

Click Settings.

4.

To allow inbound connections, select the Accept inbound connections radio button. To reject
inbound connections, select Reject inbound connections.

Chapter 4: Configuring the System

Section C: Adapters
5.

Click OK to close the Settings dialog.

6.

Click Apply.

To Reject Inbound Connections through the CLI
At the (config) command prompt, switch to the interface submode to enter the following
commands:
SGOS#(config) interface interface_#
SGOS#(config interface interface_#:0) no accept inbound
SGOS#(config interface interface_#:0) exit

Manually Configuring Link Settings
By default, the ProxySG automatically determines the link settings for all network adapters. If the
device incorrectly identifies the network adapter, you can manually configure the link settings.
To Manually Configure Link Settings through the Management Console
1.

Select Configuration>Network>Adapters>Adapters.
The Adapters tab displays.

2.

Select an adapter from the Adapters drop-down list.

3.

Click Settings.

4.

Select Manually configure link settings.

5.

Select Half or Full duplex.

6.

Select the correct network speed.

7.

Click OK to close the Advanced Settings dialog.

8.

Click Apply.

To Manually Configure Link Settings through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) interface fast-ethernet
SGOS#(config interface interface_#:0)
SGOS#(config interface interface_#:0)
SGOS#(config interface interface_#:0)

interface_#
full-duplex | half-duplex
speed 10 | 100 | 1gb
exit

Setting Up Proxies
To set up proxies, see "Configuring Proxies" on page 177.

Detecting Network Adapter Faults
The ProxySG can detect whether the network adapters in an appliance are functioning properly. If the
appliance finds that an adapter is faulty, it stops using it. When the fault is remedied, the ProxySG
detects the functioning adapter and uses it normally.

85

Blue Coat ProxySG Configuration and Management Guide

Section C: Adapters
To determine whether an adapter is functioning properly:
1.

Check whether the link is active (that is, a cable is connected and both sides are up).

2.

Check the ratio of error packets to good packets: both sent and received.

3.

Check if packets have been sent without any packets received.

If an adapter fault is detected, and the adapter has an IP address assigned to it, the ProxySG logs a
severe event. When an adapter does not have an IP address, the appliance does not log an entry.

86

Chapter 4: Configuring the System

Section D: Software and Hardware Bridges

Section D: Software and Hardware Bridges
This section describes the ProxySG hardware and software bridging capabilities. The following topics
are discussed:


"About Bridging"



"About the Pass-Through Adapter"



"ProxySG Prerequisites"



"Setting Bandwidth Management for Bridging"



"Configuring a Software Bridge"



"Configuring Failover"



"Static Forwarding Table Entries"

About Bridging
Network bridging through the ProxySG provides transparent proxy pass-through and failover
support. This functionality allows ProxySG Appliances to be deployed in environments where L4
switches and WCCP-capable routers are not feasible options.
Important: Bridge interfaces cannot be used in WCCP configurations. If the configuration
includes bridge interfaces, you will receive the following error if you attempt to load
the WCCP configuration file: Interface 0:0 is member of a bridge
The ProxySG provides bridging functionality by two methods:


Software—A software, or dynamic, bridge is constructed using a set of installed interfaces. Within
each logical bridge, interfaces can be assigned or removed.



Hardware—A hardware, or pass-through, bridge uses a 10/100 dual interface Ethernet adapter.
This type of bridge provides pass-through support.

About the Pass-Through Adapter
A pass-through adapter is a 10/100 dual interface Ethernet adapter designed by Blue Coat to provide an
efficient fault-tolerant bridging solution. If this adapter is installed on a ProxySG, SGOS detects the adapter
upon system bootup and automatically creates a bridge—the two Ethernet interfaces serve as the bridge ports.
If the ProxySG is powered down or loses power for any reason, the bridge fails open; that is, Web traffic passes
from one Ethernet interface to the other. Therefore, Web traffic is uninterrupted, but does not route through
the appliance.

Important: This scenario creates a security vulnerability.

87

Blue Coat ProxySG Configuration and Management Guide

Section D: Software and Hardware Bridges
Once power is restored to the ProxySG, the bridge comes back online and Web traffic is routed to the appliance
and thus is subject to that appliance’s configured features, policies, content scanning, and redirection
instructions. Note that bridging supports only failover; it does not support load balancing.
The following figure provides an example of how the ProxySG indicates that an installed adapter is a
pass-through adapter.

Figure 4-7: Pass-through Adapter

Note:

The adapter state is displayed on Configuration>Network>Adapters>Adapters.

ProxySG Prerequisites
Before configuring a software bridge, the following conditions must be satisfied:


Adapters—The adapters must of the same type. Although the software does not restrict you from
configuring bridges with adapters of different types (10/100 or GIGE, for example), the resultant
behavior is unpredictable.



IP addresses—If the bridge already has an IP address configured, IP addresses must be removed
from any of adapter interfaces to be added. If the bridge does not have an IP address configured,
the bridge can inherit the IP address from the first interface to be added.

Setting Bandwidth Management for Bridging
After you have created and configured a bandwidth management class for bridging (see Chapter 10:
“Bandwidth Management” on page 477), you can manage the bandwidth used by all bridges.
Note:

Before you can manage the bandwidth for bridging, you must first create a
bandwidth-management class configured for bridging. See Chapter 10: “Bandwidth
Management” on page 477 for information about creating and configuring the bandwidth
class.

To Configure Bandwidth Management for Bridging through the Management Console
1.

Select Configuration>Network>Adapters>Bridges.
The Bridges tab displays.

88

Chapter 4: Configuring the System

Section D: Software and Hardware Bridges

Figure 4-8: Bridges Tab

2.

In the Bridging Bandwidth Class drop-down menu, select a bandwidth management class to manage
the bandwidth for bridging, or select to disable bandwidth management for bridging.

3.

Click Apply.

To Configure Bandwidth Management for Bridging through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) bridge
SGOS#(config bridge) bandwidth-class bw_class_name

where bw_class_name designates the name of the bandwidth class that you have created and
configured to manage the bandwidth for software bridging.
2.

(Optional) To disable bandwidth management for software bridging, enter the following
command:
SGOS#(config bridge) no bandwidth-class

Configuring a Software Bridge
This section describes how to use the Management Console or the CLI to link adapters and interfaces
to create a network bridge.
To Create and Configure a Software Bridge through the Management Console
1.

Select Configuration>Network>Adapters>Bridges.
The Bridges tab displays.

89

2.

In the Software Bridges area, click Create.

3.

In the New Bridge Name field of the dialog that appears, enter a name for the bridge, up to 16
characters; click OK.

Blue Coat ProxySG Configuration and Management Guide

Section D: Software and Hardware Bridges
4.

In the Bridge IP Address field, enter the IP address of the interface you previously configured (see
"Configuring an Adapter" on page 82).

5.

In the Bridge Subnet Mask field, enter the subnet mask of the interface.

6.

To add a port to the bridge:
a.

In the Ports field, click New; the Create port for bridge dialog appears.

b.

From the drop-down lists, select a port number and adapter interface number; click OK.

c.

By default, link settings are automatically sensed. To change the Duplex and Speed
options, click Link Settings, select Manually configure link settings, and change as required.

d. Click OK.
7.

To further customize the bridge:
a.

In the Software Bridges field, click Settings; the Settings for bridge dialog appears.

b.

In the Security field, the default is to accept inbound connections on this interface. To
disallow inbound connections, select Reject inbound connections.

c.

The default browser instruction is to use the browser’s default PAC file. To instruct the
browser to use a proxy or other PAC file type, make a selection from the list in the Browser
Configuration field.

d. Click OK.
8.

Click Apply.

The Bridge Settings options allow you to clear bridge forwarding table and clear bridge statistics.
To Create or Edit a Software Bridge through the CLI
1.

To create a new software bridge, enter the following commands at the (config) command
prompt:
SGOS#(config) bridge
SGOS#(config bridge) create bridge_name

where bridge_name designates the name of the new bridge. The limit is 16 characters.
2.

To edit the configuration of an existing software bridge, enter the following commands:
SGOS#(config bridge) edit bridge_name

where bridge_name designates the name of the bridge that you want to configure. The
prompt changes to a submode for that bridge.
SGOS#(config bridge bridge_name) ip-address ip_address

where ip_address designates the IP address of the adapter interface you previously
configured (see "Configuring an Adapter" on page 82).
SGOS#(config bridge bridge_name) subnet-mask subnet_mask

where subnet_mask designates the subnet mask of the interface you previously configured.
3.

To configure a port on a bridge, enter the following commands (repeat to add more ports):
SGOS#(config bridge bridge_name) port port_number

where port_number identifies a port on the interface. This changes the prompt to a submode
for that port number on that bridge.

90

Chapter 4: Configuring the System

Section D: Software and Hardware Bridges


To attach port to an interface or change the Duplex and Speed options, enter the following
commands:
SGOS#(config bridge bridge_name port port_number) attach-interface
interface_number
SGOS#(config bridge bridge_name port port_number) {full-duplex |
half-duplex}
SGOS#(config bridge bridge_name port port_number) speed {10 | 100 | 1gb}

where:
attach-interface

interface_number

Attaches an interface for this port.

full-duplex

Configures this port for full duplex.

half-duplex

Configures this port for half duplex.

speed

10 | 100 | 1gb

Configures speed for this port.

SGOS#(config bridge bridge_name port port_number) exit
SGOS#(config bridge bridge_name)



By default, link settings are automatically sensed. To perform an auto-sense, enter the
following command:
SGOS#(config bridge bridge_name port port_number) link-autosense



Return to the bridge_name submode:
SGOS#(config bridge bridge_name port port_number) exit
SGOS#(config bridge bridge_name)

4.

To specify the maximum transmission unit (MTU), enter the following command:
SGOS#(config bridge bridge_name) mtu-size size

where size is a value from 72 to 1500.
5.

The default is to accept inbound connections on this interface. To disallow inbound connections,
enter the following command:
SGOS#(config bridge bridge_name) no accept-inbound

6.

The default browser instruction is to use the browser’s default PAC file. To instruct to use a proxy
or other PAC file type, enter the following command:
SGOS#(config bridge bridge_name) instructions {proxy | default-pac |
central-pac url | accelerated-pac}

where:
proxy

Use a proxy.

default-pac

Use the Blue Coat default PAC file.

central-pac
accelerated-pac

91

url

Use the PAC file specified at the given URL.
Use the proxy’s accelerated PAC file.

Blue Coat ProxySG Configuration and Management Guide

Section D: Software and Hardware Bridges

Configuring Failover
You can configure failover for software bridges, but not for hardware bridges. Failover is
accomplished by creating virtual IP addresses on each proxy, creating a failover group, and attaching
the bridge configuration. One of the proxies must be designated with a higher priority (a master
proxy).
Example
The following example creates a bridging configuration with one bridge on standby.
Note:



This deployment requires a hub on both sides of the bridge or a switch capable of port
mirroring.

ProxySG A—software bridge IP address: 10.0.0.2. Create a virtual IP address and a failover
group, and designate this group the master.
ProxySG_A#(config) virtual-ip address 10.0.0.4
ProxySG_A#(config) failover
ProxySG_A#(config failover) create 10.0.0.4
ProxySG_A#(config failover) edit 10.0.0.4
ProxySG_A#(config failover 10.0.0.3) master
ProxySG_A#(config failover 10.0.0.3) priority 100
ProxySG_A#(config failover 10.0.0.3) interval 1



ProxySG B—software bridge IP address: 10.0.0.3. Create a virtual IP address and a failover
group.
ProxySG_B#(config) virtual-ip address 10.0.0.4
ProxySG_B#(config) failover
ProxySG_B#(config failover) create 10.0.0.4
ProxySG_B#(config failover) edit 10.0.0.4
ProxySG_B#(config failover 10.0.0.3) priority 100
ProxySG_B#(config failover 10.0.0.3) interval 1



In the bridge configuration on each ProxySG, attach the bridge configuration to the failover group:
ProxySG_A#(config bridge bridge_name) failover 10.0.0.4
ProxySG_B#(config bridge bridge_name) failover 10.0.0.4

Static Forwarding Table Entries
Certain firewall configurations require the use of static forwarding table entries. Failover
configurations use virtual IP (VIP) addresses and virtual MAC (VMAC) addresses. When a client
sends an ARP request to the firewall VIP, the firewall replies with a VMAC (which can be an Ethernet
multicast address); however, when the firewall sends a packet, it uses a physical MAC address, not
the VMAC.
The solution is to create a static forwarding table entry that defines the next hop gateway that is on the
correct side of the bridge.

92

Chapter 4: Configuring the System

Section D: Software and Hardware Bridges
To Create a Static Forwarding Table Entry through the CLI
1.

At the (config) prompt, enter the following commands:
SGOS#
SGOS#
SGOS#
SGOS#

2.

(config) bridge
(config bridge) edit bridge_name
(config bridge bridge_name) port port_number
(config bridge_name port port_number) static-fwtable-entry mac_address

Add up to 256 entries per bridge.

To Clear a Static Forwarding Table Entry through the CLI
At the (config) prompt, enter the following commands:
SGOS# (config) bridge
SGOS# (config bridge) edit bridge_name
SGOS# (config bridge bridge_name) clear-fwtable

93

Blue Coat ProxySG Configuration and Management Guide

Section E: Gateways

Section E: Gateways
A key feature of the ProxySG is the ability to distribute traffic originating at the appliance through
multiple gateways. You can also fine tune how the traffic is distributed to different gateways. This
feature works with any routing protocol (such as static routes or RIP).
Note:

Load balancing through multiple gateways is independent from the per-interface load
balancing the ProxySG automatically does when more than one network interface is
installed.

This section discusses:


"About Gateways"



"ProxySG Specifics"



"Switching to a Secondary Gateway"



"Defining Static Routes"

About Gateways
During the initial setup of the ProxySG, you optionally defined a gateway (a device that serves as
entrance and exit into a communications network) for the ProxySG.
By using multiple gateways, an administrator can assign a number of available gateways into a
preference group and configure the load distribution to the gateways within the group. Multiple
preference groups are supported.
The gateway specified applies to all network adapters in the system.

ProxySG Specifics
Which gateway the ProxySG chooses to use at a given time is determined by how the administrator
configures the assignment of preference groups to default gateways. You can define multiple
gateways within the same preference group. A ProxySG can have from 1 to 10 preference groups. If
you have only one gateway, it automatically has a weight of 100.
Initially, all gateways in the lowest preference group are considered to be the active gateways. If a
gateway becomes unreachable, it is dropped from the active gateway list, but the remaining gateways
within the group continue to be used until they all become unreachable, or until an unreachable
gateway in a lower preference group becomes reachable again. If all gateways in the lowest preference
group become unreachable, the gateways in the next lowest preference group become the active
gateways.

94

Chapter 4: Configuring the System

Section E: Gateways
In addition to a preference group, each gateway within a group can be assigned a relative weight
value from 1 to 100. The weight value determines how much bandwidth a gateway is given relative to
the other gateways in the same group. For example, in a group with two gateways, assigning both
gateways the same weight value, whether 1 or 100, results in the same traffic distribution pattern. In a
group with two gateways, assigning one gateway a value of 10 and the other gateway a value of 20
results in the ProxySG sending approximately twice the traffic to the gateway with a weight value of
20.

Switching to a Secondary Gateway
When a gateway goes down, the ProxySG takes from 25 seconds to 120 seconds to determine that the
gateway is unreachable. At that point, the ProxySG switches to a secondary gateway if one is
configured.
The check to determine whether a gateway has failed is done five times at five-second intervals once
the route entry has aged for 90 seconds. The check to determine whether a gateway is now reachable
is done every 10 seconds.
These times are not user-configurable.
To Configure Multiple Gateway Load Balancing through the Management Console
1.

Select Configuration>Network>Routing>Gateways.
The Gateways tab displays.

Figure 4-9: Network Routing Gateways Tab and Add List Item Dialog

95

2.

Click New.

3.

Enter the IP address, group, and weight for the gateway into the Add list item dialog that appears.

4.

Click OK.

5.

Repeat steps 2 to 4 until IP addresses, groups, and weights have been defined for all of your
gateways.

6.

Click Apply.

Blue Coat ProxySG Configuration and Management Guide

Section E: Gateways
To Configure Multiple Gateway Load Balancing through the CLI
1.

At the (config) command prompt, enter the following command:
SGOS#(config) ip-default-gateway ip_address preference_group weight

The first value is the IP address of the gateway, the second value is the preference group,
and the third value is the relative weighting for this gateway. For example, to use the
gateway 10.25.36.1, the preference group 1, and the relative weighting 100, enter:
ip-default-gateway 10.25.36.1 1 100

2.

Repeat until all IP addresses, groups, and weights of your IP gateways have been defined.

3.

(Optional) View the results.
SGOS#(config) show ip-default-gateway
Default IP gateways
Gateway
Weight
Group
10.25.36.1
100
1

Defining Static Routes
The ProxySG can be configured to use static routes, a manually-configured route that specifies the
transmission path a packet must follow, based on the packet’s destination address. A static route
specifies a transmission path to another network.
Note:

You are limited to 10,000 entries in the static routes table.

You can install the routing table several ways.


Using the ProxySG Text Editor, which allows you to enter settings (or copy and paste the contents
of an already-created file) directly onto the appliance.



Creating a local file on your local system; the ProxySG can browse to the file and install it.



Using a remote URL, where you place an already-created file on an FTP or HTTP server to be
downloaded to the ProxySG.



Using the CLI inline static-route-table command, which allows you to paste a static route
table into the ProxySG.



Using the CLI static-routes command, which requires that you place an already-created file on
an FTP or HTTP server and enter the URL into the ProxySG.

The routing table is a text file containing a list of IP addresses, subnet masks, and gateways. The
following is a sample router table:
10.25.36.0
10.25.37.0
10.25.38.0

255.255.255.0
255.255.255.0
255.255.255.0

10.25.46.57
10.25.46.58
10.25.46.59

When a routing table is loaded, all requested URLs are compared to the list and routed based on the
best match.

96

Chapter 4: Configuring the System

Section E: Gateways
To Install a Routing Table through the Management Console
1.

Select Configuration>Network>Routing>Routing.
The Routing tab displays.

Figure 4-10: Network Routing Tab

2.

From the drop-down list, select the method used to install the routing table; click Install.


Remote URL:
Enter the fully-qualified URL, including the filename, where the routing table is located. To
view the file before installing it, click View. Click Install. To view the installation results, click
Results; close the window when you are finished. Click OK.

Figure 4-11: Specifying the Remote Location of a Routing Table



Local File:
Click Browse to bring up the Local File Browse window. Browse for the file on the local
system. Open it and click Install. When the installation is complete, a results window opens.
View the results and close the window.

97

Blue Coat ProxySG Configuration and Management Guide

Section E: Gateways

Figure 4-12: Specifying the Local Location of a Routing Table



Text Editor:
The current configuration is displayed in installable list format. You can customize it or delete
it and create your own. Click Install. When the installation is complete, a results window
opens. View the results, close this window, and click Close.

98

Chapter 4: Configuring the System

Section E: Gateways

Figure 4-13: Creating a Static Routing Table on the ProxySG

3.

Click Apply.

Installing a Routing Table Through the CLI
To install a routing table through the CLI, you can use the inline command to install the table
directly, or enter a path to a remote URL that has an already-created text file ready to download.
When entering input for the inline command, you can correct mistakes on the current line using the
key. If you detect a mistake in a line that has already been terminated using the
key, you can abort the inline command by typing . If the mistake is detected after you
terminate input to the inline command, type the same inline command again, but with the correct
configuration information. The corrected information replaces the information from the last inline
command.
The end-of-input marker is an arbitrary string chosen by the you to mark the end of input for the
current inline command. The string can be composed of standard characters and numbers, but
cannot contain any spaces, punctuation marks, or other symbols.
Take care to choose a unique end-of-input string that does not match any string of characters in the
configuration information.

99

Blue Coat ProxySG Configuration and Management Guide

Section E: Gateways
To Install a Routing Table through the CLI
Do one of the following:


To paste a static route table directly into the CLI, enter the following command at the (config)
command prompt, then paste the table on the line after the first end-of-file marker:
SGOS#(config) inline static-route-table end-of-file_marker
paste static routing table
eof
ok



To enter the static route table manually, enter the following command, then enter each IP
address/subnet on the second line, following the first end-of-file marker:
SGOS#(config) inline static-route-table end-of-file_marker
10.25.36.0
255.255.255.0
10.25.46.57
10.25.37.0
255.255.255.0
10.25.46.58
10.25.38.0
255.255.255.0
10.25.46.59
eof
ok



To enter a path to a remote URL where you have placed an already-created static route table, enter
the following commands at the (config) command prompt:
SGOS#(config) static-routes path url
SGOS#(config) load static-route-table

100

Chapter 4: Configuring the System

Section F: Using RIP

Section F: Using RIP
The Routing Information Protocol (RIP) is designed to select the fastest route to a destination. RIP
support is built into the ProxySG, and is configured by created and installing an RIP configuration text
file onto the ProxySG.
Blue Coat’s RIP implementation also supports advertising default gateways. Default routes added by
RIP are treated the same as the static default routes; that is, the default route load balancing schemes
apply to the default routes from RIP as well.
This section discusses


"Installing RIP Configuration Files"



"Configuring Advertising Default Routes"

Installing RIP Configuration Files
No RIP configuration file is shipped with the appliance. For commands that can be entered into the
RIP configuration file, see Appendix D: "RIP Commands" on page 1103.
Once you have created an RIP configuration file, you can install it several ways:


Using the ProxySG Text Editor, which allows you to enter settings (or copy and paste the contents
of an already-created file) directly onto the appliance.



Creating a local file on your local system; the ProxySG can browse to the file and install it.



Using a remote URL, where you place an already-created file on an FTP or HTTP server to be
downloaded to the ProxySG.



Using the CLI inline rip-settings command, which allows you to paste the RIP settings into
the CLI.



Using the CLI rip commands, which require that you place an already-created file on an FTP or
HTTP server and enter the URL into the CLI. You can also enable or disable RIP with these
commands.

To Install an RIP Configuration File through the Management Console
Note:

1.

When entering RIP settings that will change current settings (for instance, when
switching from ripv1 to ripv2), disable RIP before you change the settings; re-enable RIP
when you have finished.

Select Configuration>Network>Routing>RIP.
The RIP tab displays.

101

Blue Coat ProxySG Configuration and Management Guide

Section F: Using RIP

Figure 4-14: Network Routing RIP Tab

2.

To display the current RIP settings, routes, or source, click one or all of the View RIP buttons.

3.

In the Install RIP Setting from the drop-down list, select the method used to install the routing table;
click Install.


Remote URL:
Enter the fully-qualified URL, including the filename, where the routing table is located. To
view the file before installing it, click View. Click Install. To view the installation results, click
Results; close the window when you are finished. Click OK.

Figure 4-15: Specifying the Remote Location of a RIP Configuration File



Local File:
Click Browse to display the Local File Browse window. Browse for the file on the local system.
Open it and click Install. When the installation is complete, a results window opens. View the
results and close the window.

102

Chapter 4: Configuring the System

Section F: Using RIP

Figure 4-16: Specifying the Local Location of a RIP File



Text Editor:
The current configuration is displayed in installable list format. You can customize it or delete
it and create your own. Click Install. When the installation is complete, a results window
opens. View the results, close the window, and click OK.

103

Blue Coat ProxySG Configuration and Management Guide

Section F: Using RIP

Figure 4-17: Creating an RIP file on the ProxySG

4.

Click Apply.

5.

Select Enable RIP.

6.

Click Apply.

Configuring RIP through the CLI
Note:

When entering RIP settings that will change current settings (for instance, when
switching from ripv1 to ripv2), disable RIP before you change the settings; re-enable RIP
when you have finished.

To Disable/Enable RIP through the CLI
Enter the following command at the (config) command prompt:
SGOS#(config) rip {disable | enable}

104

Chapter 4: Configuring the System

Section F: Using RIP
To Install an RIP Configuration through the CLI
Do one of the following:


To enter a path to a remote URL where you have placed an already-created RIP configuration file,
enter the following commands at the (config) command prompt:
SGOS#(config) rip path url
SGOS#(config) load rip-settings



To paste an RIP configuration directly into the CLI, enter the following command at the (config)
command prompt:
SGOS#(config) inline rip-settings end-of-file_marker

At this point you can paste RIP settings into the inline command, or you can enter
values for specific settings. When you finish, enter your end-of-file_marker command.
Example
SGOS#(config) inline rip-settings eofm
ripv2
ripv1_out
no_rdisc eofm
ok

Configuring Advertising Default Routes
Default routes advertisements are treated the same as the static default routes; that is, the default
route load balancing schemes also apply to the default routes from RIP.
By default, RIP ignores the default routes advertisement. You can change the default from disable to
enable and set the preference group and weight through the CLI only. This feature is not available
through the Management Console.
To Enable and Configure Advertising Default Gateway Routes
1.

At the (config) command prompt:
SGOS#(config) rip default-route enable
SGOS#(config) rip default-route group group_number
SGOS#(config) rip default-route weight weight_number

Where group_number defaults to 1, and weight_number defaults to 100, the same as the static
default route set by the ip-default-gateway command.
2.

(Optional) To view the default advertising routes, enter:
SGOS#(config) show rip default-route
RIP default route settings:
Enabled:
Yes
Preference group:
3
Weight:
30

105

Blue Coat ProxySG Configuration and Management Guide

Section G: DNS Servers

Section G: DNS Servers
During first-time installation of the ProxySG, you configured the IP address of a single primary
Domain Name Service (DNS) server. Using the Configuration>Network>DNS tab, you can change this
primary DNS server at any time, and you can also define additional primary DNS servers and one or
more alternate DNS servers.
This section discusses:


"ProxySG Specifics"



"Configuring Split DNS Support"



"Changing the Order of DNS Servers"



"Unresolved Hostnames (Name Imputing)"



"Changing the Order of DNS Name Imputing Suffixes"



"Caching Negative Responses"

ProxySG Specifics
If you have defined more than one DNS server, the ProxySG uses the following logic to determine
which servers are used to resolve a DNS host name and when to return an error to the client:


The ProxySG first sends requests to DNS servers in the primary DNS server list.



Servers are always contacted in the order in which they appear in a list.



The next server in a list is only contacted if the ProxySG does not receive a response from the
current server.



If none of the servers in a list returns a response, the ProxySG returns an error to the client.



The ProxySG only sends requests to servers in the alternate DNS server list if a server in the
primary list indicates that a DNS host name cannot be resolved.
If a DNS server returns any other error (other than an indication that a DNS host name could not
be resolved), the ProxySG returns the error to the client.
If a server in both the primary and alternate DNS server lists are unable to resolve a DNS host
name, an error is returned to the client.

The ProxySG always attempts to contact the first server in the primary DNS server. If a response is
received from this server, no attempts are made to contact any other DNS servers in the primary list.
If the response from the first primary DNS server indicates a name error, the ProxySG sends a DNS
request to the first alternate DNS server, if one is defined. If no alternate DNS servers have been
defined, an error is returned to the client indicating a name error. If the first alternate DNS server is
unable to resolve the IP address, a name error is returned to the client, and no attempt is made to
contact any other DNS servers in either the primary or alternate DNS server lists.
If a response is not received from any DNS server in a particular DNS server list, the ProxySG sends a
DNS request to the next server in the list. The ProxySG returns a name error to the client if none of the
servers in a DNS server list responds to the DNS request.

106

Chapter 4: Configuring the System

Section G: DNS Servers

Note:

The alternate DNS server is not used as a failover DNS server. It is only used when DNS
resolution of primary DNS server returns name error. If a timeout occurs when looking
up the primary DNS server, no alternate DNS server is contacted.

If the ProxySG receives a negative DNS response (a response with an error code set to Name Error), it
caches that negative response. You can configure the ProxySGs negative response time-to-live value.
(A value of zero disables negative caching.) If the ProxySG is not configured (the default), the
ProxySG caches the negative response and uses the TTL value from the DNS response to determine
how long it should be cached.

Configuring Split DNS Support
Customers with split DNS server configuration (for example, environments that maintain private
internal DNS servers and external DNS servers) might choose to populate an Alternate DNS server
list as well as the Primary DNS server list. In the ProxySG, the internal DNS servers are placed in the
Primary list, while external DNS servers (with the Internet information) populate the Alternate list.
Complete the following procedures to configure primary and alternate DNS servers.
To Add a Primary DNS Server through the Management Console
1.

Select Configuration>Network>DNS>DNS.
The DNS tab displays.

Figure 4-18: Network DNS Tab and Add List Item Dialog

2.

Click New.

3.

Enter the IP address of the DNS server in the dialog that appears and click OK.

4.

Click Apply.

To Add a Primary DNS Server through the CLI
At the (config) command prompt, enter the following command:

107

Blue Coat ProxySG Configuration and Management Guide

Section G: DNS Servers
SGOS#(config) dns server ip_address

To Add an Alternate DNS Server through the Management Console
1.

Select Configuration>Network>DNS>DNS.
The DNS tab displays.

2.

Select Alternate DNS in the drop-down list.

3.

Click New.

4.

Enter the IP address of the DNS server in the dialog that appears and click OK.

5.

Click Apply.

To Add an Alternate DNS Server through the CLI
1.

At the (config) command prompt, enter the following command:
SGOS#(config) dns alternate ip_address

2.

Repeat until alternate DNS servers have been defined.

Changing the Order of DNS Servers
The ProxySG uses DNS servers in the order displayed. You can organize the list of servers so that the
preferred servers appear at the top of the list. This functionality is not available through the CLI.
To Change the Order of DNS Servers through the Management Console
1.

Select Configuration>Network>DNS>Imputing.
The Imputing tab displays.

Figure 4-19: Network DNS Imputing Tab

108

2.

Select the DNS server to promote or demote.

3.

Click Promote entry or Demote entry as appropriate.

Chapter 4: Configuring the System

Section G: DNS Servers
4.

Click Apply.

Unresolved Hostnames (Name Imputing)
Name imputing allows the ProxySG to resolve host names based on a partial name specification.
When the ProxySG submits a host name to the DNS server, the DNS server resolves the name to an IP
address. The ProxySG queries the original hostname before checking imputing entries unless there is
no period in the host name, in which case imputing is applied first. The ProxySG tries each entry in
the name-imputing list until the name is resolved or it comes to the end of the list. If by the end of the
list the name is not resolved, the ProxySG returns a DNS failure.
For example, if the name-imputing list contains the entries company.com and com, and a user submits
the URL http://www.eedept, the ProxySG resolves the host names in the following order.
http://www.eedept
http://www.eedept.company.com
http://www.eedept.com

To Add Names to the Imputing List through the Management Console
1.

Select Configuration>Network>DNS>Imputing.
The Imputing tab displays.

2.

Click New to add a new name to the imputing list.

3.

Enter the name in the dialog that appears and click OK.

4.

Click Apply.

To Add Names to the Imputing List through the CLI
1.

At the (config) command prompt, enter the following command:
SGOS#(config) dns imputing suffix

For example, to use company.com as the imputing suffix, enter dns-imputing company.com.
2.

Repeat until all imputing suffixes have been entered.

Changing the Order of DNS Name Imputing Suffixes
The ProxySG uses imputing suffixes in the order displayed. You can organize the list of suffixes so the
preferred suffix appears at the top of the list. This functionality is only available through the
Management Console. You cannot configure it through the CLI.
To Change the Order DNS Name Imputing Suffixes through the Management Console
1.

Select Configuration>Network>DNS>Imputing.
The Imputing tab displays.

109

2.

Select the imputing suffix to promote or demote.

3.

Click Promote entry or Demote entry as appropriate.

4.

Click Apply.

Blue Coat ProxySG Configuration and Management Guide

Section G: DNS Servers

Caching Negative Responses
By default, the ProxySG caches negative DNS responses sent by a DNS server. You can configure the
ProxySG to set the time-to-live (TTL) value for a negative DNS response to be cached. You can also
disable negative DNS response caching.
Note:

The ProxySG generates more DNS requests when negative caching is disabled.

Both type A and type PTR DNS responses are affected by negative caching.
This functionality is only available through the CLI. You cannot configure DNS negative caching
through the Management Console.
To Configure Negative Caching TTL Values
From the (config) prompt:
SGOS#(config) dns negative-cache-ttl-override seconds

where seconds is any integer between 0 and 600.
Setting the TTL value to 0 seconds disables negative DNS caching; setting the TTL setting to a
non-zero value overrides the TTL value from the DNS response.
To Restore Negative Caching Defaults
From the (config) prompt):
SGOS#(config) dns no negative-cache-ttl-override

110

Chapter 4: Configuring the System

Section H: Attack Detection

Section H: Attack Detection
The ProxySG can reduce the effects of distributed denial of service (DDoS) attacks and port scanning,
two of the most common virus infections.
A DDoS attack occurs when a pool of machines that have been infected with a DDoS-type of virus
attack a specific Web site. As the attack progresses, the target host shows decreased responsiveness
and often stops responding. Legitimate HTTP traffic is unable to proceed because the ProxySG is still
waiting for a response from the target host.
Port scanning involves viruses attempting to self-propagate to other machines by arbitrarily trying to
connect to other hosts on the Internet. If the randomly selected host is unavailable or behind a firewall
or does not exist, the ProxySG continues to wait for a response, thus denying legitimate HTTP traffic.
The ProxySG prevents attacks by limiting the number of simultaneous TCP connections from each
client IP address and either does not respond to connection attempts from a client already at this limit
or resets the connection. It also limits connections to servers known to be overloaded.
You can configure attack detection for both clients and servers or server groups, such as
http://www.bluecoat.com. The client attack-detection configuration is used to control the behavior of
virus-infected machines behind the ProxySG. The server attack-detection configuration is used when
an administrator knows ahead of time that a virus is set to attack a specific host.
This feature is only available through the CLI. You cannot use the Management Console to enable
attack detection.
This section discusses:


"Configuring Attack-Detection Mode for the Client"



"Configuring Attack-Detection Mode for a Server or Server Group"

Configuring Attack-Detection Mode for the Client
To Enter Attack-Detection Mode for the Client
From the (config) prompt, enter the following commands:
SGOS#(config) attack-detection
SGOS#(config attack-detection) client

The prompt changes to:
SGOS#(config client)

To Change Global Settings
The following defaults are global settings, used if a client does not have specific limits set. They do not
need to be changed for each IP address/subnet if they already suit your environment:

111



client limits enabled: true



client interval: 20 minutes



block-action: drop (for each client)

Blue Coat ProxySG Configuration and Management Guide

Section H: Attack Detection


connection-limit: 100 (for each client)



failure-limit: 50 (for each client)



unblock-time: unlimited



warning-limit: 10 (for each client)

To Change the Global Defaults
Remember that enable/disable limits and interval affect all clients. The values cannot be changed for
individual clients. Other limits can be modified on a per-client basis.
Note:

If you edit an existing client’s limits to a smaller value, the new value only applies to new
connections to that client. For example, if the old value was 10 simultaneous connections
and the new value is 5, existing connections above 5 are not dropped.

SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

client)
client)
client)
client)
client)
client)
client)
client)

enable-limits | disable-limits
interval minutes
block ip_address [minutes] | unblock ip_address
default block-action drop | send-tcp-rst
default connection-limit integer_between_1_and_65535
default failure-limit integer_between_1_and_500
default unblock-time minutes_between_10_and_1440
default warning-limit integer_between_1_and_100

where:
enable-limits |
disable-limits

112

Toggles between enabled and disabled. The default is
disabled. This is a global setting and cannot be modified
for individual clients.

interval

integer

Indicates the amount of time, in multiples of 10 minutes,
that client activity is monitored. The default is 20. This is a
global setting and cannot be modified for individual
clients.

block | unblock

ip_address
[minutes]

Blocks a specific IP address for the number of minutes
listed. If the optional minutes argument is omitted, the
client is blocked until explicitly unblocked. Unblock
releases a specific IP address.

default
block-action

drop |
send-tcp-rst

Indicates the behavior when clients are at the maximum
number of connections or exceed the warning limit: drop
the connections that are over the limit or send TCP RST
for connections over the limit. The default is drop. This
limit can be modified on a per-client basis.

default
connection-limit

integer

Indicates the number of simultaneous connections
between 1 and 65535. The default is 100. This limit can be
modified on a per-client basis.

Chapter 4: Configuring the System

Section H: Attack Detection
default
failure-limit

integer

Indicates the maximum number of failed requests a client
is allowed before the proxy starts issuing warnings.
Default is 50. This limit can be modified on a per-client
basis.

default
unblock-time

minutes

Indicates the amount of time a client is blocked at the
network level when the client-warning-limit is exceeded.
Time must be a multiple of 10 minutes, up to a maximum
of 1440. The default is unlimited. This limit can be
modified on a per-client basis.

default
warning-limit

integer

Indicates the number of warnings sent to the client before
the client is blocked at the network level and the
administrator is notified. The default is 10; the maximum
is 100. This limit can be modified on a per-client basis.

To Create and Edit a Client IP Address through the CLI
1.

Make sure you are in the attack-detection client submode.
SGOS#(config) attack-detection
SGOS#(config attack-detection) client
SGOS#(config client)

2.

Create a client.
SGOS#(config client) create client ip_address or ip_and_length

3.

Move to edit client submode.
SGOS#(config client) edit client_ip_address

The prompt changes to:
SGOS#(config client ip_address)

4.

Change the client limits as necessary.
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

client
client
client
client
client

ip_address)
ip_address)
ip_address)
ip_address)
ip_address)

block-action drop | send-tcp-rst
connection-limit integer_between_1_and_65535
failure-limit integer_between_1_and_65535
unblock-time minutes
warning-limit integer_between_1_and_65535

where:

113

block-action

drop |
send-tcp-rst

Indicates the behavior when the client is at the maximum
number of connections: drop the connections that are over
the limit or send TCP RST for the connection over the
limit. The default is drop.

connection-limit

integer

Indicates the number of simultaneous connections
between 1 and 65535. The default is 100.

failure-limit

integer

Indicates the behavior when the specified client is at the
maximum number of connections: drop the connections
that are over the limit or send TCP RST for the connection
over the limit. The default is 50.

Blue Coat ProxySG Configuration and Management Guide

Section H: Attack Detection
unblock-time

minutes

Indicates the amount of time a client is locked out at the
network level when the client-warning-limit is exceeded.
Time must be a multiple of 10 minutes, up to a maximum
of 1440. The default is unlimited.

warning-limit

integer

Indicates the number of warnings sent to the client before
the client is locked out at the network level and the
administrator is notified. The default is 10; the maximum
is 100.

To View the Specified Client Configuration
Enter the following command from the edit client submode:
SGOS#(config client ip_address)
Client limits for 10.25.36.47:
Client connection limit:
Client failure limit:
Client warning limit:
Blocked client action:
Client connection unblock time:

view
700
50
10
Drop
unlimited

To View the Configuration for all Clients
1.

Exit from the edit client submode:
SGOS#(config client ip_address) exit

2.

Use the following syntax to view the client configuration:
view | blocked | connections | statistics

To View All Settings
SGOS#(config client) view
Client limits enabled:
Client interval:

true
20 minutes

Default client limits:
Client connection limit:
100
Client failure limit:
50
Client warning limit:
10
Blocked client action:
Drop
Client connection unblock time:
unlimited
Client limits for 10.25.36.47:
Client connection limit:
Client failure limit:
Client warning limit:
Blocked client action:
Client connection unblock time:

114

700
50
10
Drop
unlimited

Chapter 4: Configuring the System

Section H: Attack Detection
To View the Number of Simultaneous Connections to the ProxySG
SGOS#(config client) view connections
Client IP
Connection Count
127.0.0.1
1
10.9.16.112
1
10.2.11.133
1

To View the Number of Blocked Clients
SGOS#(config client) view blocked
Client
Unblock time
10.11.12.13
2004-07-09 22:03:06+00:00UTC
10.9.44.73
Never

To View Client Statistics
SGOS#(config client) view statistics
Client IP
Failure Count
10.9.44.72
1

Warning Count
0

To Disable Attack-Detection Mode for all Clients
SGOS#(config client) disable-limits

Configuring Attack-Detection Mode for a Server or Server Group
You can create, edit, or delete a server. A server must be created before it can be edited. You can treat
the server as an individual host or you can add other servers, creating a server group. All servers in
the group have the same attack-detection parameters, meaning that if any server in the group gets the
maximum number of simultaneous requests, all servers in the group are blocked.
To Create a Server or Server Group
1.

At the (config) prompt, enter the following commands:
SGOS#(config) attack-detection
SGOS#(config attack-detection) server

The prompt changes to:
SGOS#(config server)

2.

Create the first host in a server group, using the fully qualified domain name:
SGOS#(config server) create hostname

To Edit a Server or Server Group
At the (config server) prompt, enter the following commands:
SGOS#(config server) edit hostname

The prompt changes to (config server hostname).
SGOS#(config server hostname) {add | remove} hostname
SGOS#(config server hostname) request-limit integer_from_1_to_65535

115

Blue Coat ProxySG Configuration and Management Guide

Section H: Attack Detection
where:
hostname

The name of a previously created server or server group. When
adding a hostname to the group, the hostname does not have to
be created. The host that was added when creating the group
cannot be removed.

add | remove

hostname

Adds or removes a server from this server group.

request-limit

integer

Indicates the number of simultaneous requests allowed from this
server or server group. The default is 1000.

To View the Server or Server Group Configuration
SGOS#(config server hostname) view
Server limits for hostname:
Request limit:
1500

116

Chapter 4: Configuring the System

Section I: Using a Bypass List

Section I: Using a Bypass List
A bypass list can be used to completely skip all ProxySG processing of requests sent to specific
destination hosts or subnets. This prevents the appliance from enforcing any policy on these requests
and disables any caching of the corresponding responses, so it should be used with care. A bypass list
allows traffic to pass through to sites as-is when servers at the site are not properly adhering to
protocol standards or when the processing in the ProxySG is otherwise causing problems.
The bypass list contains IP addresses, subnet masks, and gateways. When a request matches an IP
address and subnet mask specification in the bypass list, the request is sent to the designated gateway
and is not processed by the ProxySG.
Note:

Because a bypass list bypasses Blue Coat policy, bypass lists should be used sparingly
only for specific situations.

Blue Coat supports three types of bypass lists: local list, central list, and policy-based (dynamic
bypass) list. The bypass lists all work together, or you can just create and maintain one.
Note:

The Local List and Central List are not the same as the Local Policy file and the Central
Policy file.

This section discusses:


"Using the Local Bypass List"



"Using the Central Bypass List"



"Creating and Installing Local or Central Bypass Lists"



"Using Policy to Configure Dynamic Bypass Lists"

Using the Local Bypass List
The local bypass list is one you create and maintain on your network. You can use a local bypass list
alone, or in conjunction with a central list.
The gateways specified in the bypass list must be on the same subnet as the ProxySG. The local bypass
list limit is 10,000 entries.
The local bypass list contains a list of IP addresses, subnet masks, and gateways. It can also define the
default bypass gateway to be used by both the local bypass list and central bypass list. The gateways
specified in the bypass list must be on the same subnet as the ProxySG. When you download a bypass
list, the list is stored in the appliance until it is replaced by downloading a new list.
Note:

117

Because a bypass list bypasses Blue Coat policy, bypass lists should be used sparingly
only for specific situations.

Blue Coat ProxySG Configuration and Management Guide

Section I: Using a Bypass List
The following is a sample of a local bypass list:
;define the default gateway for the local and central bypass list
BYPASS_GATEWAY 10.25.46.57
;define addresses to bypass
;IP address
subnet
gateway (or use default gateway)
10.25.36.47
255.255.255.255
10.25.36.48
255.255.255.255
10.25.0.0
255.255.255.0
10.25.46.58

If you do not specify the bypass_gateway and you do not designate the gateway in the address
specification, the ProxySG forwards the request to the default gateway defined in the network
configuration.
For installation procedures for the local bypass list, see "Creating and Installing Local or Central
Bypass Lists" on page 118.

Using the Central Bypass List
The central bypass list is usually a shared list of addresses that is used by multiple ProxySG
Appliances. Because each ProxySG Appliance can be located on a different subnet and can be using
different gateways, the central bypass list should not contain any gateway addresses.
The gateway used for matches in the central bypass list is the gateway specified by the
bypass_gateway command in the local bypass list. If there is no bypass_gateway option, the ProxySG
uses the default gateway defined by the network configuration.
Note:

Because a bypass list bypasses Blue Coat policy, bypass lists should be used sparingly
only for specific situations.

You can create your own central bypass list to manage multiple ProxySG Appliances, or you can use
the central bypass list maintained by Blue Coat Technical Support at:
https://download.bluecoat.com/release/SG4/files/CentralBypassList.txt

Note:

The central bypass list is limited to 10,000 entries.

You can select whether to download the list automatically when it changes or to receive an e-mail
notifying you of the update. By default, neither is enabled.
For installation procedures for the central bypass list, continue with the next section.

Creating and Installing Local or Central Bypass Lists
You can install the local and central bypass lists several ways:


118

Use the ProxySG Text Editor, which allows you to enter the lists (or copy and paste the contents of
an already-created file) directly onto the ProxySG through the Management Console (see the
instructions below).

Chapter 4: Configuring the System

Section I: Using a Bypass List


Create a local file on your local system; use the Management Console to browse to the file and
install it (see the instructions below).



Use a remote URL, where you place an already-created file on an FTP or HTTP server to be
downloaded to the ProxySG. This can be done through either the Management Console or the CLI
(see the instructions below).



Use the CLI inline bypass-list {central | local} command, which allows you to paste the
configurations onto the ProxySG (see the instructions below). For more information on using the
CLI inline command, see "Using the Local Bypass List" on page 117 or "Using the Central Bypass
List" on page 118.

To Install Bypass Lists through the Management Console
1.

Select Configuration>Network>Advanced>Bypass List.
The Bypass List tab displays.

Figure 4-20: Bypass List Tab

2.

To view the current bypass list or the source for the current bypass list before installing it, click
Bypass List or Source.

3.

(Optional) If installing the central bypass list, you can select whether to download the list
automatically when it changes, or be sent an e-mail notifying you of the update. By default,
neither is enabled.

4.

Select a method to install the file for either the local or central bypass list; click Install.


Remote URL:
Enter the fully-qualified URL, including the filename, where the routing table is located. To
view the file before installing it, click View. Click Install. View the installation status that
displays; click OK.

119

Blue Coat ProxySG Configuration and Management Guide

Section I: Using a Bypass List

Figure 4-21: Specifying the Remote Location of a Local Bypass List Configuration File



Local File:
Click Browse to bring up the Local File Browse window. Browse for the file on your local
system. Open it and click Install. When the installation is complete, a results window opens.
View the results, close the window, and click Close.

Figure 4-22: Specifying the Local Location of a Local Bypass List



Text Editor:
The current configuration is displayed in installable list format. You can customize it or delete
it and create your own. Click Install. When the installation is complete, a results window
opens. View the results, close the window, and click Close.

120

Chapter 4: Configuring the System

Section I: Using a Bypass List

Figure 4-23: Creating a Local Bypass List on the ProxySG

5.

Click Apply.

To Install an Already Existing Bypass List through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) bypass-list {local-path | central-path} url
SGOS#(config) load bypass-list {local | central}

To Install a Bypass List through the CLI inline Command
At the (config) command prompt, enter the following command:
SGOS#(config) inline bypass-list {local | central} end-of-file_marker

At this point you can paste in local or central configuration files, or you can enter values
for specific settings, such as server_bypass_threshold, max_dynamic_bypass_entry
or dynamic_timeout. When you finish, enter your end-of-file string.

121

Blue Coat ProxySG Configuration and Management Guide

Section I: Using a Bypass List
Example
SGOS#(config) inline bypass-list local eof
max_dynamic_bypass_entry 20000
server_bypass_threshold 30
dynamic_timeout 100 eof
ok

Using Policy to Configure Dynamic Bypass Lists
Dynamic bypass, available through policy (VPM or CPL), can automatically compile a list of
requested URLs that return various kinds of errors. The policy-based bypass list is maintained in the
Forward Policy file or Local Policy file.
Note:

Because a bypass list bypasses Blue Coat policy, bypass lists should be used sparingly
only for specific situations.

Dynamic bypass keeps its own (dynamic) list of which connections to bypass, where connections are
identified by both source and destination rather than just destination. Dynamic bypass can be based
on any combination of policy triggers. In addition, some global settings in HTTP configuration can be
used to selectively enable dynamic bypass based on specific HTTP response codes. Once an entry
exists in the dynamic bypass table for a specific source/destination IP pair, all connections from that
source IP to that destination IP are bypassed in the same way as connections that match against the
static bypass lists.
With dynamic bypass, the ProxySG adds dynamic bypass entries containing the specific
source/destination IP pair for sites that have returned an error to the appliance’s local bypass list. For
a configured period of time, further requests for the error-causing URLs are sent immediately to the
origin content server (OCS), saving the ProxySG processing time. The amount of time a dynamic
bypass entry stays in the list and the types of errors that cause the ProxySG to add a site to the list, as
well as several other settings, are configurable from the CLI.
Once the dynamic bypass timeout for a URL has ended, the ProxySG removes the URL from the
bypass list. On the next client request for the URL, the ProxySG attempts to contact the OCS. If the
OCS still returns an error, the URL is once again added to the local bypass list for the configured
dynamic bypass timeout. If the URL does not return an error, the request is handled in the normal
manner.

Limitations

122



Dynamic bypass applies to transparent proxy connections only.



Dynamic bypass entries are lost when the ProxySG is restarted or the static bypass file is
reinstalled.



No filtering checks are performed on client requests that match entries in the dynamic bypass list.



Requests to sites that are put into the dynamic bypass list bypass future policy evaluation. If a site
that requires forwarding policy to reach its destination is populated into the bypass list, the site
might be inaccessible.

Chapter 4: Configuring the System

Section I: Using a Bypass List


Sites requiring that client accesses always be subjected to ProxySG filtering considerations must
either use the appliance in explicit proxy mode or leave dynamic bypass functionality disabled.

Configuring Dynamic Bypass
Dynamic bypass is disabled by default. Enabling and fine-tuning dynamic bypass is a two-step
process:


Edit or create a local bypass list, adding the desired dynamic bypass timeout and threshold
parameters.



Use the CLI to enable dynamic bypass and set the types of errors that cause dynamic bypass to
add an entry to the bypass list.

Adding Dynamic Bypass Parameters to the Local Bypass List
The first step in configuring dynamic bypass is to edit the local bypass list to set the
server_bypass_threshold, max_dynamic_bypass_entry, or dynamic_timeout values.

Note:

This step is optional because the ProxySG uses default configurations if you do not
specify them in the local bypass list. Use the default values unless you have specific
reasons for changing them. Contact Blue Coat Technical Support for detailed advice on
customizing these settings.



The server_bypass_threshold value defines the maximum number of entries in the
dynamically generated portion of the local bypass list before the ProxySG consolidates
client–server pair entries into a single server entry. The range is 1 to 256. The default is 16. When a
consolidation occurs, the lifetime of the consolidated entry is set to the value of
dynamic_timeout.



The max_dynamic_bypass_entry defines the maximum number of total dynamic bypass entries.
The range is 1 to 50,000. The default value is 16,000. When the number of entries exceeds the
max_dynamic_bypass_entry value, the oldest entries are removed to make way for new entries.



The dynamic_timeout value defines the number of minutes a dynamic bypass entry can remain
unreferenced before it is deleted from the bypass list. The range is 1 to 6000. The default value is
60.

Enabling Dynamic Bypass and Specifying Triggers
Enabling dynamic bypass and specifying the types of errors that causes a URL to be added to the local
bypass list are done with the CLI.
To Enable Dynamic Bypass and Trigger Events through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) dynamic-bypass enable
SGOS#(config) dynamic-bypass trigger trigger_event

where trigger_event can be any item in listed in Table 4.1, below.

123

Blue Coat ProxySG Configuration and Management Guide

Section I: Using a Bypass List
Enabling dynamic bypass causes the following warning to appear:
WARNING:
Requests to sites that are put into the dynamic bypass list will bypass
future policy evaluation. This could result in subversion of on-box policy.
The use of dynamic bypass is cautioned.
Table 4.1: Values for the Dynamic-Bypass Trigger Event
Event

Description

all

Enables all dynamic bypass triggers.

non-http

Enables dynamic bypass for non-HTTP responses.

connect-error

Enables dynamic bypass for any connection failure to the origin content server, including
timeouts.

receive-error

Enables dynamic bypass for when a TCP connection to an origin content server succeeds,
but the cache does not receive an HTTP response.

400

Enables dynamic bypass for HTTP 400 responses.

401

Enables dynamic bypass for HTTP 401 responses.

403

Enables dynamic bypass for HTTP 403 responses.

405

Enables dynamic bypass for HTTP 405 responses.

406

Enables dynamic bypass for HTTP 406 responses.

500

Enables dynamic bypass for HTTP 500 responses.

502

Enables dynamic bypass for HTTP 502 responses.

503

Enables dynamic bypass for HTTP 503 responses.

504

Enables dynamic bypass for HTTP 504 responses.

Example
For instance, the following command will enable connection error events:
SGOS#(config) dynamic-bypass trigger connect-error

Bypassing Connection and Receiving Errors
In addition to HTTP code triggers, you can configure the ProxySG to trigger dynamic bypass for
connection and receiving errors.
If connect-error is enabled, any connection failure to the origin content server (OCS), including
timeouts, inserts the OCS destination IP address into the dynamic bypass list. In this instance, the
ProxySG bypasses any connection attempts from the client to this IP address. By default, the timeout
duration is 20 seconds, and the retry count is 3. These parameters are not configurable. Both the
timeout duration and the retry attempt, whichever occurs first, triggers connect-error.

124

Chapter 4: Configuring the System

Section I: Using a Bypass List
If receive-error is enabled, when the cache does not receive an HTTP response on a successful TCP
connection to the OCS, the OCS destination IP address is inserted into the dynamic bypass list. In this
instance, the appliance bypasses any attempts from the client to this IP address. Server timeouts can
also trigger receive-error. The default timeout value is 180 seconds, which can be changed (see
"Configuring HTTP Timeout" on page 74).

Disabling Dynamic Bypass Triggers
Disabling one or more specific dynamic bypass triggers is an easy way to customize which errors
cause a dynamic bypass entry to be created. For example, if you want all error events except 401
responses to create a dynamic bypass entry, you can enable all triggers and then disable only the
401-event trigger.
To Disable One or More Dynamic Bypass Triggers through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) dynamic-bypass no trigger event

where event can be any item listed above in Table 4.1.
To Clear the Dynamic Bypass List through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) dynamic-bypass clear

To Disable Dynamic Bypass through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) dynamic-bypass disable

Viewing the Dynamic Bypass List
You can view the dynamic bypass list several ways:
To Display the Dynamic Bypass List through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) show bypass-list

To Display the Dynamic Bypass List through the Management Console
In a Web browser, enter the following URL:
https://ip_address_of_ProxySG:8082/TCP/IP-bypass

To View the Current Dynamic Bypass Configuration through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) show dynamic-bypass

125

Blue Coat ProxySG Configuration and Management Guide

Section I: Using a Bypass List
To Disable Dynamic Bypass through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) dynamic-bypass disable

126

Chapter 4: Configuring the System

Section J: Installing WCCP Settings

Section J: Installing WCCP Settings
The ProxySG can be configured to participate in a WCCP (Web Cache Control Protocol) scheme,
where a WCCP-capable router collaborates with a set of WCCP-configured ProxySG Appliances to
service requests.
Before you can install the WCCP configurations, you must create a WCCP configuration file for the
ProxySG. The ProxySG does not ship with a default WCCP configuration file.
You can install the WCCP settings several ways:


Using the ProxySG Text Editor, which allows you to enter settings (or copy and paste the contents
of an already-created file) directly onto the appliance.



Creating a local file on your local system; the ProxySG can browse to the file and install it.



Using a remote URL, where you place an already-created file on an FTP or HTTP server to be
downloaded to the ProxySG.



Using the CLI inline wccp-settings command, which allows you to paste the WCCP settings
into the CLI.



Using the CLI wccp command, which requires that you place an already-created file on an FTP or
HTTP server and enter the URL into the CLI.

For more information about WCCP, see Appendix C: “Using WCCP” on page 1073.
To Install WCCP Settings through the Management Console
1.

Select Configuration>Network>Advanced>WCCP.
The WCCP tab displays.

Figure 4-24: Network Advanced WCCP Tab

2.

From the drop-down list, select the method used to install the WCCP settings; click Install.


Remote URL:
Enter the fully-qualified URL, including the filename, where the WCCP file is located. To
view the file before installing it, click View. Click Install. Viewing the installation status that
displays; click OK.

127

Blue Coat ProxySG Configuration and Management Guide

Section J: Installing WCCP Settings

Figure 4-25: Specifying the Remote Location of a WCCP Settings File



Local File:
Click Browse to display the Local File Browse window. Browse for the file on the local system.
Open it and click Install. When the installation is complete, a results window opens. View the
results, close the window, and click Close.

Figure 4-26: Specifying the Local Location of a WCCP Settings File



Text Editor:
The current configuration is displayed in installable list format. You can customize it or delete
it and create your own. Click Install. When the installation is complete, a results window
opens. View the results, close the window, and click Close.

128

Chapter 4: Configuring the System

Section J: Installing WCCP Settings

Figure 4-27: Creating a WCCP Settings File on the ProxySG

3.

Click Apply.

To Install WCCP Settings through the CLI
Do one of the following:


To enter WCCP settings directly onto the ProxySG, enter the following commands at the
(config) command prompt:
SGOS#(config) inline wccp-settings end-of-file_marker
wccp enable
wccp version 2
service-group 9
assignment-type hash
priority 1
protocol 6
service-flags destination-ip-hash
service-flags ports-defined

129

Blue Coat ProxySG Configuration and Management Guide

Section J: Installing WCCP Settings
ports 80 21 1755 554 80 80 80 80
interface 6
home-router 10.16.18.2
forwarding l2
eof

The preceding example implements WCCP load-balancing using a redirection hash table
(assignment-type hash). You can also use the mask assignment method to load balance
WCCP traffic (assignment-type mask). However, the mask assignment method can only be
used with the Catalyst 6500 Series switches and Cisco 7600 series routers. Specifically, the
"Supervisor Engine II with Policy Feature Card 2 (PFC2) and MSFC2, 256-MB memory option" is
required.
For more information about the mask assignment method and detailed instructions on
configuring a WCCP file, see Appendix C: “Using WCCP” on page 1073.


To enter a path to a remote URL where you have placed an already-created static route table, enter
the following commands at the (config) command prompt:
SGOS#(config) wccp path url

where url is a fully qualified URL, including the filename, where the configuration file is
located.
SGOS#(config) load wccp-settings
SGOS#(config) wccp enable

130

Chapter 4: Configuring the System

Section K: Virtual IP Addresses

Section K: Virtual IP Addresses
Virtual IP (VIP) addresses are addresses assigned to a system that are recognized by other systems on
the network. Up to 255 VIPs can be configured on each ProxySG. They have several uses:


Assign multiple identities to a system on the same or different network, partitioning the box in to
separate logical entities for resource sharing or load sharing.



Create an HTTPS Console to allow multiple, simultaneous, secure connections to the system.



Direct authentication challenges to different realms.



Set up failover among multiple ProxySG s on the same subnet.

Note:

For information on creating an HTTPS Console, see "Creating and Editing Services" on
page 156; for information on using VIPs with authentication realms, see Chapter 9:
“Using Authentication Services” on page 335; to use VIPs with failover, see "Configuring
Failover" on page 133.

To Create a VIP through the Management Console
1.

Select Configuration>Network>Advanced>VIPs.
The VIPs tab displays.

Figure 4-28: Network Advanced VIPs Tab

2.

Click New.
The Add VIP dialog displays.

3.

131

Enter the virtual IP address you want to use. It can be any IP address, except a multicast address.
(A multicast address is a group address, not an individual IP address.)

Blue Coat ProxySG Configuration and Management Guide

Section K: Virtual IP Addresses

Note:

4.

You cannot create a VIP address that is the IP address used by the origin content server.
You must assign a different address on the ProxySG, and use DNS or forwarding to point
to the origin content server's real IP address.

Click OK; click Apply.

The VIP address can now be used.
To Create a VIP through the CLI
At the (config) command prompt, run the virtual IP address command:
SGOS#(config) virtual address ip_address
ok

To Delete a VIP through the CLI
Note that VIP addresses are deleted silently. If you are using a VIP for a service, the service will no
longer work once the VIP is deleted.
SGOS#(config) virtual no address ip_address
ok

To Clear All VIP Addresses in the System
SGOS#(config) virtual clear
ok

To View All the VIPs in the System
SGOS#(config) show virtual
Virtual IP addresses:
SGOS#(config) accelerated-pac path 10.25.36.47
10.9.36.47
10.25.36.48
10.25.36.47

132

Chapter 4: Configuring the System

Section L: Configuring Failover

Section L: Configuring Failover
Using IP address failover, you can create a redundant network for any explicit proxy configuration. If
you require transparent proxy configuration, you can create software bridges to use failover. For
information on creating software bridges, see "About Bridging" on page 87.
Note:

If you use the Pass-Through adapter for transparent proxy, you must create a software
bridge rather than configuring failover. For information on using the Pass-Through
adapter, see "About the Pass-Through Adapter" on page 87.

Using a pool of IP addresses to provide redundancy and load balancing, Blue Coat migrates these IP
addresses among a group of machines.
This section discusses:


"About Failover"



"Configuring Failover"



"Viewing Statistics"

About Failover
Failover allows a second machine to take over if a first machine fails, providing redundancy to the
network through a master/slave relationship. In normal operations, the master (the machine whose IP
address matches the group name) owns the address. The master sends keepalive messages
(advertisements) to the slaves. If the slaves do not receive advertisements at the specified interval, the
slave with the highest configured priority takes over for the master. When the master comes back
online, the master takes over from the slave again.
The Blue Coat failover implementation resembles the Virtual Router Redundancy Protocol (VRRP)
with the following exceptions:


A configurable IP multicast address is the destination of the advertisements.



The advertisements’ interval is included in protocol messages and is learned by the slaves.



A virtual router identifier (VRID) is not used.



Virtual MAC addresses are not used.



MD5 is used for authentication at the application level.

Masters are elected, based on the following factors:


If the failover mechanism is configured for a physical IP address, the machine owning the
physical address have the highest priority. This is not configurable.



If a machine is configured as a master using a virtual IP address, the master has a priority that is
higher than the slaves.

When a slave takes over because the master fails, an event is logged in the event log. No e-mail
notification is sent.

133

Blue Coat ProxySG Configuration and Management Guide

Section L: Configuring Failover

Configuring Failover
Before you begin, be aware that software bridges must already exist before you can use them to
configure failover. For information on configuring bridges, see "Adapters" on page 82.
You also need to decide which machine is the master and which machines are the slaves, and whether
you want to configure explicit proxy or transparent proxy network.
When configuring the group, the master and all the systems in the group must have exactly the same
failover configuration except for priority, which is used to determine the rank of the slave machines. If
no priority is set, a default priority of 100 is used. If two ProxySG Appliances have equal priority, the
one with the highest physical address ranks higher.
To Configure Failover through the Management Console
1.

Go to Configuration>Network>Advanced>Failover.
The Failover tab displays.

Figure 4-29: Network Advanced Failover Tab

2.

Click New.
The Add Failover Group dialog displays.

134

Chapter 4: Configuring the System

Section L: Configuring Failover

Figure 4-30: Add Failover Group Dialog

3.

In the Add Failover Group dialog that appears, fill in the fields as appropriate:


Create a group using either a new IP address or an existing IP address. If the group has
already been created, you cannot change the new IP address without deleting the group and
starting over.



The enabled option specifies whether this group is active or inactive. Select enabled to enable
the failover group.



Multicast address refers to a Class D IP address that is used for multicast. It is not a virtual IP

address.
Note:



Class D IP addresses are reserved for multicast. A Class D IP address has a first bit
value of 1, second bit value of 1, third bit value of 1, and fourth bit value of 0. The
other 28 bits identify the group of computers that receive the multicast message.

Relative Priority refers to a range from 1-255 that is assigned to systems in the group. 255 is

reserved for the system whose failover group ID equals the real IP address.

4.

135



(Optional) Master identifies the system with the highest priority.



(Optional) Advertisement Interval refers to the length of time between advertisements sent by
the group master. The default is 40 seconds. Once the group master has failed, the slave with
the highest priority takes over (after approximately three times the interval value). The
failover time of the group can be controlled by setting this value.



(Optional, but recommended) Group Secret refers to a password shared only with the group.

Click OK; click Apply.

Blue Coat ProxySG Configuration and Management Guide

Section L: Configuring Failover
To Configure Failover through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) failover
SGOS#(config failover) create group_address

The IP address does not have to exist.
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
-orSGOS#(config
SGOS#(config

failover) edit group_address
failover group_address) multicast-address multicast_address
failover group_address) master
failover group_address) priority number
failover group_address) interval seconds
failover group_address) secret secret
failover group_address) encrypted-secret encrypted_secret
failover group_address) enable

where:

2.

group_address

Refers to the IP address or VIP address that is monitored by this group.
Once the group has been named, you cannot change the name. To
change the name, you must delete the group and start over.

multicast-address
multicast_address

Refers to a multicast address where the master sends the keepalives
(advertisements) to the slave systems.

master

(Optional) Identifies the system to be used as the master.

no

Negates these settings: multicast-address, priority, interval, secret, and
master.

priority number

(Optional) Refers to the rank of slave systems. The range is from 1 to
254. (The master system, the one whose IP address matches the group
address, gets 255.) Output of show config and show failover
might differ when the master system is also the holder of the physical
IP address.

interval seconds

(Optional) Refers to the time between advertisements from the master
to the multicast address. The default is 40 seconds. Entering no
interval resets the interval to the default time of 40 seconds.

secret secret
-orencrypted-secret
encrypted_secret

(Optional but recommended) Refers to a password shared only with
the group. You can create a secret, which then is hashed, or you can
provide an encrypted secret.

enable | disable

Enables or disables failover on the ProxySG.

(Optional) View the results.
SGOS#(config) show failover configuration group_address
Failover Config
Group Address: 10.25.36.47
Multicast Address
: 224.1.2.3
Local Address
: 10.9.17.159

136

Chapter 4: Configuring the System

Section L: Configuring Failover
Secret
: none
Advertisement Interval: 40
Priority
: 100
Current State
: DISABLED
Flags
: V M

Three flags exist, set as you configure the group.
V—Specifies the group name is a virtual IP address.
R—Specifies the group name is a physical IP address
M—Specifies this machine can be configured to be the master if it is available

3.

(Optional) You can view Failover Group Statistics
These are all integers/counters that count various events.
SGOS#(config) show failover statistics
Failover Statistics
Advertisements Received
: 0
Advertisements Sent
: 194
States Changes
: 2
Bad Version
: 0
Bad Packet
: 0
Bad Checksum
: 0
Packet Too Short
: 0
Bad Packet Header
: 0
Invalid Group
: 0

Viewing Statistics
To view statistics on failover, see "Failover Statistics" on page 1003

137

Blue Coat ProxySG Configuration and Management Guide

Section M: Configuring the ProxySG as a Session Monitor

Section M: Configuring the ProxySG as a Session Monitor
You can configure the ProxySG to monitor RADIUS accounting messages and to maintain a session
table based on the information in these messages. The session table can then be used for logging or
authentication.
You can also, optionally, configure multiple ProxySG appliances to act as a session monitor cluster. The
session table is then replicated to all members of the cluster.
Once configured and enabled, the ProxySG session monitor maintains a session table that records
which sessions are currently active and the user identity for each session.

Configuring the Session Monitor
Three steps are required to configure the session monitor:


Configure the RADIUS accounting protocol parameters for the session monitor.



(Optional) Configure the session monitor cluster.



Configure the session monitor parameters.

Configuring the RADIUS Accounting Protocol Parameters
The configuration commands to create the RADIUS accounting protocol parameters can only be done
through the CLI. If you are using session-monitor clustering, the commands must be done on each
system in an already-existing failover group. (For information on configuring a failover group, see
“Section L: Configuring Failover” on page 133.)
To Configure the RADIUS Accounting Protocol Parameters
At the (config) prompt, enter the following commands:
SGOS#(config) session-monitor
SGOS#(config session-monitor)
SGOS#(config session-monitor)
SGOS#(config session-monitor)
encrypted_secret
SGOS#(config session-monitor)
SGOS#(config session-monitor)
SGOS#(config session-monitor)

radius acct-listen-port port_number
radius authentication {enable | disable}
radius encrypted-shared-secret
radius no encrypted-shared-secret
radius response {enable | disable}
radius shared-secret plaintext_secret

where
Command

Option

Description

radius
acct-listen-port

port_number

The port number where the ProxySG
listens for accounting messages

radius authentication enable | disable

138

Enable or disable (the default) the
authentication of RADIUS messages
using the shared secret. Note that the
shared secret must be configured before
authentication is enabled.

Chapter 4: Configuring the System

Section M: Configuring the ProxySG as a Session Monitor
Command

Option

Description

radius
encrypted-sharedsecret

encrypted_shared_
secret

Specify the shared secret (in encrypted
form) used for RADIUS protocol
authentication. The secret is decrypted
using the configuration-passwords-key.

radius no
shared-secret

Clears the shared secret used for
RADIUS protocol authentication.

radius response

enable | disable

Enable (the default) or disable
generation of RADIUS responses.

radius shared-secret

plaintext_secret

Specify the shared secret used for
RAIDUS protocol in plaintext.

Configuring a Session Monitor Cluster
Configuring a session monitor cluster is optional. When a session monitor cluster is enabled, the
session table is replicated to all members of the cluster. The cluster members are the ProxySG
Appliances that are configured as part of the failover group referenced in the session monitor cluster
configuration. The failover group must be configured before the session monitor cluster. (For
information on configuring a failover group, see “Section L: Configuring Failover” on page 133.)
If you want the session table to be replicated to all the members of a failover group, you can use the
following commands.
Note:

When using a session monitor cluster, the RADIUS client must be configured to send the
RADIUS accounting messages to the failover group's virtual IP address.

Proxy traffic can be routed to any of the machines in the cluster.
Note:

Each member of the failover group must configured with the cluster commands to
maintain the session table for RADIUS accounting messages.

To Configure Session Monitor Cluster Parameters
At the (config) prompt, enter the following commands:
SGOS#(config) session-monitor
SGOS#(config session-monitor)
SGOS#(config session-monitor)
SGOS#(config session-monitor)
SGOS#(config session-monitor)
SGOS#(config session-monitor)

139

cluster
cluster
cluster
cluster
cluster

{enable | disable}
group-address IP_address
port port_number
grace-period seconds
synchronization-delay seconds

Blue Coat ProxySG Configuration and Management Guide

Section M: Configuring the ProxySG as a Session Monitor
where
Command

Option

Description

cluster

enable |
disable

Enable or disable (the default) clustering on
a failover group. The group address must be
set before the cluster can be enabled.

cluster group-address
| no group-address

IP_address

Set or clear (the default) the failover group
IP address. This must be an existing failover
group address.

cluster port

port_number

Set the TCP/IP port for the session
replication control. The default is 55555.

cluster
synchronization-delay

seconds

Set the maximum time to wait for session
table synchronization. The default is zero;
the range is from 0 to 2 ^31 -1 seconds.
During this time evaluation of
$(session.username) is delayed, so
proxy traffic might also be delayed.

cluster grace-period

seconds

Set the time to keep session transactions in
memory while waiting for slave logins. This
can be set to allow session table
synchronization to occur after the
synchronization-delay has expired. The
default is 30 seconds; the range is 0 to 2^31-1
seconds.

Configuring the Session Monitor
The session monitor commands set up session monitoring behavior. If using session-monitor
clustering, these commands must be done on all ProxySG systems in the failover group.
To Configure the Session Monitor
1.

At the (config) prompt, enter the following commands:
SGOS#(config) session-monitor
SGOS#(config session-monitor) disable | enable
SGOS#(config session-monitor) max-entries integer
SGOS#(config session-monitor) timeout minutes

where
Command

Option

enable | disable
max_entries

140

Description
Enable or disable (the default) session monitoring

integer

The maximum number of entries in the session table.
The default is 500,000; the range is from 1 to 2,000,000. If
the table reaches the maximum, additional START
messages are ignored.

Chapter 4: Configuring the System

Section M: Configuring the ProxySG as a Session Monitor

2.

Command

Option

Description

timeout

minutes

The amount of time before a session table entry
assumes a STOP message has been sent. The default is
120 minutes; the range is from 0 to 65535 minutes. Zero
indicates no timeout.

(Optional) To view the session-monitor configuration, you can either use the session-monitor
view command or the config show session-monitor command.
SGOS#(config) show session-monitor
General:
Status: enabled
Entry timeout: 120 minutes
Maximum entries: 500000
Cluster support: enabled
Cluster port: 55555
Cluster group address: 10.9.17.159
Synchronization delay: 0
Synchronization grace period: 30
Accounting protocol: radius
Radius accounting:
Listen ports:
Accounting: 1813
Responses: Enabled
Authentication: Enabled
Shared secret: ************

Creating the CPL
Be aware that the examples below are just part of a comprehensive authentication policy. By
themselves, they are not adequate.
Note:



Refer to the Blue Coat ProxySG Content Policy Language Guide for details about CPL and
how transactions trigger the evaluation of policy file layers.

The ProxySG is using the session table maintained by the session monitor for authentication.

allow authenticate(session)

where session is a Policy Substitution realm that uses $(session.username) in building
the username. (For information on creating a Policy Substitution realm, see “Section J: Policy
Substitution Realm” on page 441.)

141

Blue Coat ProxySG Configuration and Management Guide

Section M: Configuring the ProxySG as a Session Monitor

Limitations

142



The session table is kept in memory. If the system goes down, the contents of the session table are
lost. However, if the system is a member of a failover cluster, the current contents of the session
table can be obtained from another machine in the cluster. The only situation in which the session
table is entirely lost is if all machines in the cluster go down at the same time.



The session table is stored entirely in memory. The amount of memory needed is roughly 40MB
for 500,000 users.



The session replication protocol replicates session information only; configuration information is
not exchanged. That means that each ProxySG must be properly configured for session
monitoring.



The session replication protocol is not secured. The failover group should be on a physically
secure network to communicate with each other.



The session monitor requires sufficient memory and at least 100Mb-per-second network links
among the cluster to manage large numbers of active sessions.



The username in the session table is obtained from the Calling-Station-ID attribute in the RADIUS
accounting message and can be a maximum of 19 bytes.

Chapter 4: Configuring the System

Section N: TCP/IP Configuration

Section N: TCP/IP Configuration
Use the TCP/IP configuration options to enhance the performance and security of the ProxySG.
Except for IP Forwarding (see "Understanding IP Forwarding" on page 257), these commands are only
available through the CLI.


RFC-1323: Enabling RFC-1323 support enhances the high-bandwidth and long-delay operation of
the ProxySG over very high-speed paths, ideal for satellite environments.



TCP NewReno: Enabling TCP NewReno support improves the fast recovery of the ProxySG.



ICMP Broadcast Echo: Disabling the response to these messages can limit security risks and
prevent an attacker from creating a distributed denial of service (DDoS) to legitimate traffic.



ICMP Timestamp Echo: Disabling the response to these messages can prevent an attacker from
being able to reverse engineer some details of your network infrastructure.



TCP Window Size: configures the amount of unacknowledged TCP data that the ProxySG can
receive before sending an acknowledgement.



PMTU Discovery: Enabling PMTU Discovery prevents packets from being unable to reach their
destination because they are too large.

To view the TCP/IP configuration, see "Viewing the TCP/IP Configuration" on page 146.
This section discusses


"RFC-1323"



"TCP NewReno"



"ICMP Broadcast Echo Support"



"ICMP Timestamp Echo Support"



"TCP Window Size"



"PMTU Discovery"



"TCP Time Wait"



"Viewing the TCP/IP Configuration"

RFC-1323
The RFC-1323 TCP/IP option enables the ProxySG to use a set of extensions to TCP designed to
provide efficient operation over large bandwidth-delay-product paths and reliable operation over
very high-speed paths, including satellite environments. RFC-1323 support can only be configured
through the CLI, and is enabled by default.
To Enable or Disable RFC-1323 Support through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) tcp-ip rfc-1323 {enable | disable}

143

Blue Coat ProxySG Configuration and Management Guide

Section N: TCP/IP Configuration

TCP NewReno
NewReno is a modification of the Reno algorithm. TCP NewReno improves TCP performance during
fast retransmit and fast recovery when multiple packets are dropped from a single window of data.
TCP NewReno support is disabled by default.
To Enable or Disable TCP NewReno Support through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) tcp-ip tcp-newreno {enable | disable}

ICMP Broadcast Echo Support
Disabling the ICMP broadcast echo command can prevent the ProxySG from participating in a Smurf
Attack. A Smurf attack is a type of Denial-of-Service (DoS) attack, where the attacker sends an ICMP
echo request packet to an IP broadcast address. This is the same type of packet sent in the ping
command, but the destination IP is broadcast instead of unicast. If all the hosts on the network send
echo reply packets to the ICMP echo request packets that were sent to the broadcast address, the
network is jammed with ICMP echo reply packets, making the network unusable. By disabling ICMP
broadcast echo response, the ProxySG does not participate in the Smurf Attack.
This setting is disabled by default.
To Enable or Disable ICMP Broadcast Echo Support through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) tcp-ip icmp-bcast-echo {enable | disable}

For more information on preventing DDoS attacks, see "Attack Detection" on page 111.

ICMP Timestamp Echo Support
By disabling the ICMP timestamp echo commands, you can prevent an attacker from being able to
reverse engineer some details of your network infrastructure.
For example, disabling the ICMP timestamp echo commands prevents an attack that occurs when the
ProxySG responds to an ICMP timestamp request by accurately determining the target's clock state,
allowing an attacker to more effectively attack certain time-based pseudo-random number generators
(PRNGs) and the authentication systems on which they rely.
This setting is disabled by default.
To Enable or Disable ICMP Timestamp Echo Support through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) tcp-ip icmp-timestamp-echo {enable | disable}

TCP Window Size
Adjusting the TCP window-size regulates the amount of unacknowledged data that the ProxySG
receives before sending an acknowledgement.

144

Chapter 4: Configuring the System

Section N: TCP/IP Configuration
To Configure the TCP Window Size through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) tcp-ip window-size window_size

where window_size indicates the number of bytes allowed before acknowledgement (the
value must be between 8192 and 4194304).

PMTU Discovery
PMTU (Path Maximum Transmission Unit) is a mechanism designed to discover the largest packet
size sent that is not fragmented anywhere along the path between two communicating ProxySG
Appliances that are not directly attached to the same link. A ProxySG doing PMTU sets the
Do-Not-Fragment bit in the IP header when transmitting packets. If fragmentation becomes
necessary before the packets arrive at the second ProxySG, a router along the path discards the
packets and returns an ICMP Host Unreachable error message, with the error condition of
Needs-Fragmentation, to the original ProxySG. The first ProxySG then reduces the PMTU size and
re-transmits the transmissions.
The discovery period temporarily ends when the ProxySG’s estimate of the PMTU is low enough that
its packets can be delivered without fragmentation or when the ProxySG stops setting the
Do-Not-Fragment bit. Five minutes later (this value is configurable), rediscovery is used to see if the
transmittable packet size has changed.
Following discovery and rediscovery, the size of the packets that are transferred between the two
communicating nodes dynamically adjust to a size allowable by the path, which might contain
multiple segments of various types of physical networks.
PMTU is disabled by default.
A ProxySG that is not running PMTU might send packets larger than that allowed by the path,
resulting in packet fragmentation at intermediate routers. Packet fragmentation affects performance
and can cause packet discards in routers that are temporarily overtaxed.
To Configure PMTU Discovery through the CLI
Note:

PMTU discovery can only be configured through the CLI. It is not available through the
Management Console.

At the (config) command prompt, enter the following commands:
SGOS#(config) tcp-ip pmtu-discovery enable | disable
SGOS#(config) tcp-ip pmtu-discovery expire-period seconds
SGOS#(config) tcp-ip pmtu-discovery probe-interval seconds

where
tcp-ip
pmtu-discovery

145

enable | disable

Allows you to enable PMTU discovery. The
default is disabled.

Blue Coat ProxySG Configuration and Management Guide

Section N: TCP/IP Configuration
expire-period
seconds

Determines the time, in seconds, when PMTU
rediscovery takes place after receiving the
ICMP Host Unreachable – Needs
Fragmentation error message. The default
is 600 seconds.

probe-interval seconds

Determines the time, in seconds, when the
next PMTU rediscovery takes place following
a previous consecutive successful expansion
of the PMTU value. The default is 120
seconds.

TCP Time Wait
When a TCP connection is closed (such as a user entering “quit” for an FTP session), the TCP
connection remains in the TIME_WAIT state for twice the Maximum Segment Lifetime (MSL) before
completely removing the connection control block.
The TIME_WAIT state allows an end point (one end of the connection) to remove remnant packets
from the old connection, eliminating the situation where packets from a previous connection are
accepted as valid packets in a new connection.
The MSL defines how long a packet can remain in transit in the network. The value of MSL is not
standardized; the default value is assigned according to the specific implementation.
To change the MSL value, enter the following commands at the (config) command prompt:
SGOS#(config) tcp-ip tcp-2msl seconds

where seconds is the length of time you chose for the 2MSL value.

Viewing the TCP/IP Configuration
To view the TCP/IP configuration:
SGOS#(config) show tcp-ip
RFC-1323 support:
TCP Newreno support:
IP forwarding:
ICMP bcast echo response:
ICMP timestamp echo response:
Path MTU Discovery:
PMTU expiration period:
PMTU probe interval:
TCP 2MSL timeout
TCP window size:

146

enabled
disabled
disabled
disabled
disabled
enabled
600 seconds
120 seconds
120 seconds
65535 bytes

Chapter 5: Managing Port Services

This chapter describes port services that are configurable on the ProxySG. These services run on the
ProxySG, and include Management Consoles such as HTTPS, HTTP, SSH, and Telnet Consoles, and
application proxies such as Instant Messenger (IM), SOCKS, FTP, MMS, and RTSP, HTTP and HTTPS.
Other proxy services, like ICAP and Websense, are remote to the ProxySG and are discussed in
Chapter 11: “External Services” on page 499.
This chapter discusses


"Managing Multiple Management Consoles"



"Creating and Editing Services"

This chapter does not discuss configuration of some of the port services that are created or enabled
here. The following are discussed in Chapter 6: “Configuring Proxies” on page 177:


FTP Proxy



HTTP Proxy



SOCKS Proxy



Shell Proxies (Telnet)



SSL Proxy

147

Blue Coat ProxySG Configuration and Management Guide

Section A: Managing Multiple Management Consoles

Section A: Managing Multiple Management Consoles
The ProxySG ships with a number of already existing consoles designed to manage the system and
communication with the system:


HTTP and HTTPS Consoles: These consoles are designed to allow you access to the ProxySG. The
HTTPS Console is created and enabled; the HTTP Console is created by default but not enabled
because it is less secure than HTTPS.



SSH Console: This console is created and enabled by default, allowing you access to the ProxySG
through the CLI with your SSH service.



Telnet Console: This console is created but is disabled by default because of security concerns. You
must enable the service before you can access the ProxySG through a Telnet client (not
recommended).

Managing the HTTPS Console (Secure Console)
The HTTPS Console provides secure access to the Management Console through the HTTPS protocol.
You can create multiple management HTTPS consoles, allowing you to simultaneously access the
Management Console using any IP address belonging to the box as well as any of the ProxySG’s
virtual IP (VIP) addresses. The default is HTTPS over port 8082.
The ProxySG ships with an HTTPS Console already created and enabled. You do not need to create
other HTTPS Consoles unless you need them for other purposes.
An HTTPS Console and an HTTPS Reverse Proxy are not the same. The HTTPS Console is for
accessing the ProxySG. An HTTPS Reverse Proxy allows secure access to other systems.
Note:

Another difference between the HTTPS Console and an HTTPS Reverse Proxy is that an
SSL proxy license is required for an HTTPS Reverse Proxy. If the ProxySG has no valid
license for the SSL proxy, you get an exception page when you attempt to connect to the
HTTPS Reverse Proxy.
You can set up and use the HTTPS Secure Console without an SSL proxy license.
For information on licensing, see Chapter 2: “Licensing” on page 43.

Creating a new HTTPS Console port requires three steps, discussed in the following sections:

148



Selecting a keyring (a keypair and a certificate that is stored together)



Selecting an IP address and port on the system that the service will use, including virtual IP
addresses



Putting the keyring and service together into an HTTPS Console

Chapter 5: Managing Port Services

Section A: Managing Multiple Management Consoles

Selecting a Keyring
The ProxySG ships with a default keyring that can be reused with each HTTPS Reverse Proxy that you
create. You can also create your own keyrings for other purposes.
To use the default keyring, accept the default keyring through the Management Console. If using the
CLI, enter default for the keyring ID when using the services https-console create command.
Note:

When using certificates for the HTTPS Console or for HTTPS termination services that are
issued by Certificate Signing Authorities that are not well-known, see "Creating
Self-Signed SSL Certificates" on page 276.
If you get “host mismatch” errors or if the security certificate is called out as invalid,
create a different certificate and use it for the HTTPS Console.

For information on creating a keypair and a certificate to make a keyring, see “Section B: Configuring
HTTPS Reverse Proxy” on page 266.

Selecting an IP Address
You can use any IP address on the ProxySG for the HTTPS Console service, including virtual IP
addresses. To create a virtual IP address, see "Virtual IP Addresses" on page 131.

Enabling the HTTPS Console Service
The final step in editing or creating an HTTPS Console service is to select a port and enable the
service.
To Create or Edit an HTTPS Console Port Service through the Management Console
1.

149

Select Configuration>Services>Service Ports.

Blue Coat ProxySG Configuration and Management Guide

Section A: Managing Multiple Management Consoles

Figure 5-1: Service Ports Tab

2.

Do one of the following:


To create a new HTTPS Console port service, click New; the Add Service dialog appears. Select
HTTPS-Console from the Protocol drop-down list.



To edit an existing HTTPS Console port service, highlight the HTTPS Console and click Edit;
the Edit Service dialog appears.

Continue with the next step.

Figure 5-2: HTTPS-Console Add Service Dialog

150

3.

The default IP address value is . To limit the service to a specific IP address, select the IP
address from the drop-down list. It must already exist.

4.

Identify the port you want to use for this service.

Chapter 5: Managing Port Services

Section A: Managing Multiple Management Consoles
5.

In the Keyring drop-down list, select any already created keyring that is on the system. The system
ships with a default keyring that is reusable for each HTPPS service.
Note:

The configuration-passwords-key keyring that shipped with the ProxySG does not
contain a certificate and cannot be used for HTTPS Consoles.

6.

(Optional) In the SSL Versions drop-down list, select the version to use for this service. The default
is SSL v2/v3 and TLS v1.

7.

Click OK; click Apply.
Note:

For information on creating keyrings and client certification lists, see “Section B:
Configuring HTTPS Reverse Proxy” on page 266.

To Create Another HTTPS Console Port Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) https-console
SGOS#(config services https-console) create [ip_address:] port [keyring_id]

If you do not specify a keyring, the default is used.
SGOS#(config services https-console) attribute cipher-suite ip_address:port

2.

(Optional) View the results:
SGOS#(config services https-console) view
Port:
8082
IP: 0.0.0.0
Type: https-console
Keyring: default
Properties: explicit, enabled
Cipher suite:
RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC2-CBC-MD5:RC4-64-MD5:DES-CBC-SHA
:DES-CBC-MD5:EXP1024-RC4-MD5:EXP1024-RC4-SHA:EXP1024-RC2-CBC-MD5:EXP1024-DES
-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-DES-CBC-SHA:
+SSLv2:+SSLv3+LOW:+SSLv2+LOW:+EXPOHTTP

Note:

To create client-certification lists and keyrings, see “Section B: Configuring HTTPS
Reverse Proxy” on page 266. To set the cipher-suite to the ciphers you want to use, see
"Changing the Cipher Suites of the SSL Client" on page 289.

Managing the HTTP Console
The HTTP Console is meant to allow you to access the ProxySG if you require a less secure
environment. The default HTTP Console is already configured; you must enable it before it can be
used.
You can create and use more than one HTTP Console as long the IP address and the port do not match
the existing HTTP Console settings.

151

Blue Coat ProxySG Configuration and Management Guide

Section A: Managing Multiple Management Consoles
To Create or Edit an HTTP Console Port Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Do one of the following:


To create a new HTTP-Console port service, click New; the Add Service dialog appears. Select
HTTP-Console from the Protocol drop-down list.



To edit an existing HTTP-Console port service, highlight the HTTP-Console and click Edit; the
Edit Service dialog appears.

Figure 5-3: HTTP-Console Add Service Dialog

In either case, continue with the next step.
3.

The default IP address value is . To limit the service to a specific IP address, select the IP
address from the drop-down list. It must already exist.

4.

Identify the port you want to use for this service.

5.

Click OK; click Apply.

To Create or Edit an HTTP Console Port Service and Enable It through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) http-console
SGOS#(config services http-console) create [ip_address:]port

2.

(Optional) View the results:
SGOS#(config services http-console) view
Port:
8085 IP: 0.0.0.0
Type: http-console
Properties: enabled

Managing the SSH Console
The SSH Console is created and enabled by default. Only one SSH Console can exist on the ProxySG.
If you inadvertently deleted the SSHv1 and SSHv2 host keys from the system at the same time, you
automatically disabled the SSH Console and must enable the SSH Console after you create a host key.
For information on managing SSH, see "Configuring the SSH Console" on page 63.

152

Chapter 5: Managing Port Services

Section A: Managing Multiple Management Consoles
To Edit an SSH Console Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

To edit the existing SSH-Console port service, highlight the SSH-Console and click Edit.
The Edit Service dialog appears.

Figure 5-4: SSH-Console Add Service Dialog

3.

The default IP address value is all. To limit the service to a specific IP address, select the IP address
from the drop-down list.

4.

In the Port field, specify a port number; select Enable.

5.

Click OK; click Apply.

To Create an SSH Port Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) ssh-console
SGOS#(config services ssh-console) create [ip_address:]port
SGOS#(config services ssh-console) enable [ip_address:]port

2.

(Optional) View the results:
SGOS#(config services ssh-console) view
Port:
22
IP: 0.0.0.0 Type: ssh-console
Properties: enabled

Managing the Telnet Console
The Telnet Console allows you to connect to and manage the ProxySG using the Telnet protocol.
Remember that Telnet is an insecure protocol that should not be used in insecure conditions. By
default, only SSH is created and enabled.
Blue Coat Systems recommends against using Telnet because of the security hole it creates.

153

Blue Coat ProxySG Configuration and Management Guide

Section A: Managing Multiple Management Consoles

Note:

If you do enable the Telnet Console, be aware that you cannot use Telnet everywhere in
the CLI. Some modules, such as SSL, respond with the error message:
Telnet sessions are not allowed access to ssl commands.

To Create or Edit a Telnet Console Port Service through the Management Console
Before you begin, verify that no Telnet service exists on the default telnet port (23). If it does exist,
delete it and apply the changes before continuing. If you also want a Telnet service, you can re-create
it later (use a different port). For information on the Telnet service, see"Managing the Telnet Shell
Proxy Service" on page 173.
1.

Select Configuration>Services>Service Ports.

2.

Do one of the following:


To create a new Telnet-Console port service, click New; the Add Service dialog appears. Select
Telnet-Console from the Protocol drop-down list.



To edit an existing Telnet-Console port service, highlight the Telnet-Console and click Edit; the
Edit Service dialog appears.

In either case, continue with the next step.

Figure 5-5: Telnet Console Edit Service Dialog

3.

Select Telnet protocol from the drop-down list.

4.

The default IP address value is all. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, specify a port number; 23 is the default.
Note:

6.

154

To use the Telnet shell proxy and retain the Telnet Console, you must change the port
number on one of them. Only one service is permitted on a port. For more information on
the Telnet shell proxy, see "Understanding Telnet Shell Proxies" on page 227.

Select Enabled.

Chapter 5: Managing Port Services

Section A: Managing Multiple Management Consoles
7.

Click OK; click Apply.

To Create or Edit a Telnet Port Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) telnet-console
SGOS#(config services telnet-console) create [ip_address:]port

2.

(Optional) View the results.
SGOS#(config services telnet-console) view
Port:
23
IP: 0.0.0.0
Type: telnet-console
Properties: enabled

155

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services

Section B: Creating and Editing Services
Proxy services define the ports for which ProxySG will terminate incoming requests. A variety of
attributes for each service can also be defined. Each service can be applied to all IP addresses or
limited to a specific address. A number of default services are predefined. Additional services can be
defined on other ports.
You can create as many services as you require, keeping in mind that every newly created service uses
up resources.
Note:

When multiple non-wildcard services are created on a port, all of them must be of the
same service type (a wildcard service is one that is listening for that port on all IP
addresses). This means that if you have multiple IP addresses, and you specify IP
addresses for a port service, you cannot specify a different protocol if you define the same
port on another IP address. For example, if you define HTTP port 80 on one IP address,
you can only use the HTTP protocol on port 80 for other IP addresses.
Also note that wildcard services and non-wildcard services cannot both exist at the same
time on a given port.

The following table lists the available ProxySG services, including their attributes and default status.
The defaults are for a new ProxySG. If you have an upgraded appliance, the settings do not change.
Table 5.1: Proxy Port Services
Proxy Service

Default Port

Status

Configuration Discussed

DNS

53 (both transparent and explicit)

Disabled

"Managing the DNS Proxy"

EPMapper

135 (both transparent and explicit) Disabled

"Managing the Endpoint Mapper
Proxy"

FTP

21 (transparent and explicit

Disabled

"Managing the FTP Service"

HTTP

80 (transparent and explicit)
8080 (explicit only)

Enabled

"Managing HTTP Services"

HTTP-Console

8081

Disabled

"Managing the HTTP Console"

Disabled

"Managing the HTTPS Reverse
Proxy"

Enabled

"Managing the HTTPS Console
(Secure Console)"

HTTPS Reverse
Proxy

156

HTTPS-Console

8082

MSN-IM

1863 (transparent and explicit) and Disabled
6891 (transparent and explicit)

"Managing Instant Messaging
Protocols"

Yahoo-IM

5050 (transparent and explicit) and Disabled
5101 (transparent and explicit)

"Managing Instant Messaging
Protocols"

Chapter 5: Managing Port Services

Section B: Creating and Editing Services
Table 5.1: Proxy Port Services (Continued)
Proxy Service

Default Port

Status

Configuration Discussed

AOL-IM

5190 (transparent and explicit)

Disabled

"Managing Instant Messaging
Protocols"

MMS

1755 (transparent and explicit)

Disabled

"Managing Streaming Protocols"

RTSP

554 (transparent and explicit)

Disabled

"Managing Streaming Protocols"

SOCKS

1080

Disabled

"Managing SOCKS Services"

SSH-Console

22

Enabled

"Managing the SSH Console"

Not Created

"Managing TCP Tunneling Services"

TCP-Tunnel
Telnet-Console

23

Not Created

"Managing the Telnet Console"

Telnet Shell
Proxy

23

Disabled

"Managing the Telnet Shell Proxy
Service"

Note:

If HTTP is configured to be explicit, Internet Explorer version 6.0 users accessing FTP sites
over HTTP must disable the browser setting Enable folder view for FTP sites. To access this
attribute in Internet Explorer, select Tools>Internet Options, click the Advanced tab, deselect
Enable folder view for FTP sites, and click OK.

About Service Attributes
The service attributes define the parameters the ProxySG uses for a particular service.
Note:

For all service types except HTTPS, a specific listener cannot be posted on a port if the
same port has a wildcard listener of any service type already present.

The following table describes the attributes; however, depending on the protocol, not all attributes are
available.
Table 5.2: Attributes
Attribute

Description

Explicit

Enables or disables explicit attribute for the port. (Explicit allows connections to a
ProxySG IP address.)
Note: If DNS redirection is used to direct traffic to the ProxySG, the explicit flag on
its services must be enabled, as these connections are routed through DNS to the
ProxySG’s IP address.

Transparent

157

Enables or disables transparent-proxy attribute for port. (This allows connections to
any IP address other than those belonging to the ProxySG.)

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services
Table 5.2: Attributes
Attribute

Description

Authenticate-401

All transparent and explicit requests received on the port always use transparent
authentication (cookie or IP, depending on the configuration). This is especially
useful to force transparent proxy authentication in some proxy-chaining scenarios.

Send client IP

Enables or disables sending of client's IP address instead of the ProxySG's IP
address. For more information, see the section on tracking client IP addresses using
server-side transparency.

Note:

If you use the CLI to create a service, specify 0.0.0.0 to define that the service listens on
all IP addresses; specify the individual IP address to limit the service to one IP address.

Managing the DNS Proxy
When a DNS proxy service is enabled, it listens on port 53 for both explicit and transparent DNS
domain query requests. By default, the service is created but not enabled.
The DNS does a lookup of the DNS cache to determine if requests can be answered. If yes, the
ProxySG responds. If not, the DNS forwards the request to the DNS server list configured on the
ProxySG. (To configure the DNS server list, see Configuration>Network>DNS.)
Note:

The ProxySG is not a DNS server. It does not perform zone transfers, and recursive
queries are forwarded to other name servers.

Through policy, you can configure the list of resolved domain names (the resolving name list) the DNS
uses. The domain name in each query received by the ProxySG is compared against the resolving
name list. Upon a match, the ProxySG checks the resolving list. If a domain name match is found but
no IP address was configured for the domain, the ProxySG sends a DNS query response containing its
own IP address. If a domain name match is found with a corresponding IP address, that IP address is
returned in a DNS query response. All unmatched queries are sent to the name servers configured on
the ProxySG.
To Create or Edit a DNS Proxy Service through the Management Console

158

1.

Select Configuration>Services>Service Ports.

2.

Click New or Edit; the Add (or Edit) Service dialog appears.

3.

Select DNS from the Protocol drop-down list.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services

Figure 5-6: DNS Add Service Dialog

4.

The default IP address value is All. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, 53 displays; you can change it to any unused port.

6.

Select Enabled.

7.

In the Attributes field, select Transparent, Explicit, Send-client-IP (spoofing), or all three. Explicit is the
default.
Note:

8.

The Send-client-IP attribute allows the ProxySG to pretend to be a client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

Click OK; click Apply.

To Create or Edit a DNS Proxy Service through the CLI
1.

At the (config) command prompt, enter the following commands to set the value returned to the
client before configuring the DNS service:
SGOS#(config) services
SGOS#(config services) dns
SGOS#(config services dns) create ip_address:port

2.

If you do not need to change the defaults, you have completed the procedure. To change the
attributes, enter the following command:
SGOS#(config services dns) attribute {explicit | transparent |
send-client-ip} {enable | disable} [ip_address:] port

159

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services
where:
attribute

explicit |
transparent |
send-client-ip enable
[ip_address:] port

Give the DNS proxy explicit and transparent
attributes, and create IP spoofing (where the ProxySG
pretends to be a client so the OCS can see the client’s IP
address).
Note: The Send-client-IP attribute allows the ProxySG
to pretend to be a client, allowing the origin content
server to see the client’s IP address. If an alternate path
exists for traffic returning from the Internet to the
client, the Send-client-IP attribute does not work.

enable

3.

[ip_address:] port

Enable the new DNS proxy.

(Optional) View the results:
SGOS#(config services dns) view
Port:
53
IP: 0.0.0.0
Type: dns
Properties: transparent, explicit, enabled
Port:
54
IP: 0.0.0.0
Type: dns
Properties: transparent, enabled

Creating a Resolving Name List
You can create the resolving name list that the DNS proxy uses to resolve domain names. This
procedure can only be done through policy. (For a discussion on using the layer, refer to
the Blue Coat ProxySG Content Policy Language Guide.)
Each name resolving list entry contains a domain-name matching pattern. The matching rules are:


test.com matches only test.com and nothing else.



.test.com matches test.com, www.test.com and so on.



“.” matches all domain names.

An optional IP address can be added, which allows the DNS proxy to return any IP address if the DNS
request's name matches the domain name suffix string (domain.name).
To create a resolving name list, create a policy, using the layer, that contains text similar
to the following:

dns.request.name=www.example.com dns.respond.a(vip)
-or
dns.request.name=.example.com dns.respond.a(vip)
-or
dns.request.name=www.example.com dns.respond.a(10.1.2.3)

Note:

160

You can also create a resolving name list using VPM. For more information on using the
DNS-Proxy layer in VPM, see "Web Content Policy Layer Reference" on page 575.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services

Managing the Endpoint Mapper Proxy
The Endpoint Mapper proxy accelerates Microsoft RPC traffic (applications that use dynamic port
numbers) between branch and main offices, automatically creating TCP tunnels to ports where RPC
services are running. The Endpoint Mapper proxy can be used in both explicit and transparent mode.
Note: Endpoint Mapper works by intercepting and tunnelling RPC traffic in the branch office
(branch proxy). The tunneled data is compressed and forwarded to the main office (concentrator
proxy). The upstream proxy, using SOCKS gateways, decompresses the traffic and forwards it to
RPC server. (For information on SOCKS compression, see “Understanding SOCKS Compression”
in Chapter 6, Proxies.)
By default, the service is created but not enabled.
To Create or Edit Endpoint Mapper Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Click New or highlight the existing Endpoint Mapper proxy service and click Edit; the Add (or
Edit) Service dialog appears.

3.

Select EndpointMapper from the Protocol drop-down list.

Figure 5-7: Endpoint Mapper Edit Service Dialog

161

4.

The default IP address value is All. It cannot be changed.

5.

In the Port field, 135 displays. Port 135 is the standard port for Microsoft RPC traffic.

6.

Select Enabled.

7.

In the Attributes field, select Send-client-IP, if necessary. Explicit and Transparent attributes are not user
configurable.

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services

Note:

8.

The Send-client-IP attribute allows the ProxySG to pretend to be a client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

Click OK; click Apply.

To Create or Edit an Endpoint Mapper Proxy Service through the CLI
1.

At the (config) command prompt, enter the following commands to create a new Endpoint
Mapper proxy service. If you want to edit the existing Endpoint Mapper proxy, skip to step 2.:
SGOS#(config) services
SGOS#(config services) epmapper
SGOS#(config services epmapper) create port

2.

To enable the Endpoint Mapper proxy service or enable the send-client-ip attribute, enter the
following commands:
SGOS#(config services epmapper) enable port
SGOS#(config services epmapper) attribute send-client-ip {enable | disable}
port

where:
attribute

send-client-ip enable port

Enable sending the client's IP address instead of
the ProxySG's IP address.
Note: If an alternate path exists for traffic
returning from the Internet to the client, the
Send-client-IP attribute does not work.

enable

3.

port

Enable the new Endpoint Mapper proxy. Port
135 is the standard port for Microsoft RPC
traffic.

(Optional) View the results:
SGOS#(config services epmapper) view
Port:
135
IP: 0.0.0.0
Type: epmapper
Properties: transparent, explicit, disabled

Managing the FTP Service
To configure the native FTP proxy, see "Configuring the FTP Proxy" on page 181.
To Create or Edit an FTP Port Service through the Management Console

162

1.

Select Configuration>Services>Service Ports.

2.

Click New or Edit; the Add (or Edit) Service dialog appears.

3.

Select FTP from the Protocol drop-down list.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services

Figure 5-8: FTP Edit Service Dialog

4.

The default IP address value is all. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, specify a port number; select the Enabled checkbox.

6.

In the Attributes field, both Explicit and Transparent are selected. You can de-select one of them if
necessary

7.

Click OK; click Apply.

To Create an FTP Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) ftp
SGOS#(config services ftp) create [ip_address:]port
SGOS#(config services ftp) attribute passive-mode {enable | disable}
-orSGOS#(config services ftp) attribute {explicit | transparent} {enable |
disable} [ip_address:]port

2.

(Optional) View the results.
10.9.17.159 - Blue Coat SG3000#(config services ftp) view
Port:
21
IP: 0.0.0.0
Type: ftp
Properties: transparent, enabled, passive-allowed

163

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services

Managing HTTP Services
Two HTTP services exist by default and are enabled, one with explicit and transparent attributes on
port 80 and one with explicit attributes on port 8080. You can change the attributes or create other
HTTP ports if needed. For example, if you configure SSL proxy functionality, you must use an HTTP
service to allow the browser to issue HTTP CONNECT requests to the ProxySG for HTTPS content.
You need to create an HTTP Service if one does not exist already. The ProxySG detects the presence of
the SSL protocol and enables SSL Proxy functionality for such connections. For more information on
SSL Proxy functionality, see "Configuring an SSL Proxy" on page 231.
To Create or Edit an HTTP Port Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Click New or highlight the service and click Edit; the Add (or Edit) Service dialog appears.

3.

Make sure HTTP is selected from the Protocol drop-down list.

Figure 5-9: HTTP Edit Service Dialog

4.

The default IP address value is all. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, specify a port number; be sure Enabled is selected.

6.

In the Attributes field, select all that apply: Explicit, Transparent, Authenticate-401, or Send-client-IP.
Note:

7.

164

The Send-client-IP attribute allows the ProxySG to pretend to be a client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

Click OK; click Apply.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services
To Create an HTTP Service through the CLI
Two HTTP services exist and are enabled on the ProxySG. If you need to create another at a different
port in addition to the services already existing on the system, complete the following steps:
At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) http
SGOS#(config services http) create [ip_address:]port
SGOS#(config services http) attribute {authenticate-401 | explicit |
send-client-ip | transparent} {enable | disable} [ip_address:]port

Note:

The Send-client-IP attribute allows the ProxySG to pretend to be a client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

To view the results:
SGOS#(config services http) view
Port:
8080
IP: 0.0.0.0
Type: http
Properties: explicit, enabled
Port:
80
IP: 0.0.0.0
Type: http
Properties: transparent, explicit, enabled

Managing the HTTPS Reverse Proxy
The HTTPS reverse proxy is not configured or enabled by default when the ProxySG ships. You can
configure and use multiple HTTPS reverse proxies.
Note:

With SGOS version 4.2, the HTTPS service was renamed to HTTPS Reverse Proxy service.
Nothing else changed.

To Create an HTTPS Reverse Proxy through the Management Console

165

1.

Select Configuration>Services>Service Ports.

2.

Click New; the Add Service dialog appears.

3.

Select HTTPS Reverse Proxy from the Protocol drop-down list.

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services

Figure 5-10: HTTPS Reverse Proxy Add Service Dialog

4.

166

To select or add an IP address, do one of the following:


To select a local address, specify a real IP address from the IP drop-down list. All is not a
selection option.



To add a non-local IP address, first select the Transparent attribute, then enter a non-local IP
address that is not bound to the ProxySG.

5.

In the Port field, specify a port number; select Enable.

6.

In the Attributes field, select all that apply: Explicit, Transparent, Send-client-IP, Verify-client, or
Forward-client-cert.


The Send-client-IP attribute lets the ProxySG to pretend to be a client, allowing the origin
content server to see the client’s IP address.



The Verify-client attribute requests the client certificate and validates the client certificate



The Forward-client-cert attribute, when used with the verify-client attribute, puts the extracted
client certificate information into a header that is included in the request when it is forwarded
to the OCS. The name of the header is Client-Cert. The header contains the certificate serial
number, subject, validity dates and issuer (all as name=value pairs). The actual certificate
itself is not forwarded.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services
7.

In the Keyring drop-down list, select any already-created keyring that is on the system. The system
ships with a default keyring that can be reused for each HTTPS Reverse Proxy. Keep in mind that
the default certificate associated with the default keyring is self-signed and might not be trusted
by all clients.
Note:

The configuration-passwords-key keyring that shipped with the ProxySG does not
contain a certificate and cannot be used for HTTPS Reverse Proxies.

8.

In the SSL Versions drop-down list, select the version that you want to use for this service. The
default is SSL v2/v3 and TLS v1.

9.

In the CA-Cert Lists drop-down list, select the list (already created) for the HTTPS Reverse Proxy to
use.

10. Click OK; click Apply.
Note:

To create CA certification lists (CCLs) and keyrings, see “Section B: Configuring HTTPS
Reverse Proxy” on page 266.

To Create an HTTPS Reverse Proxy through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) https-reverse-proxy
SGOS#(config services https-reverse-proxy) create ip_address:port keyring
SGOS#(config services https-reverse-proxy) attribute ccl list_name
ip_address:port
-orSGOS#(config services https-reverse-proxy) attribute cipher-suite
ip_address:port
-orSGOS#(config services https-reverse-proxy) attribute {forward-client-cert |
send-client-ip | verify-client} {enable | disable} ip_address:port
-orSGOS#(config services https-reverse-proxy) attribute ssl-protocol-version
{sslv2 | sslv3 | tlsv1 | sslv2v3| sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1}
ip_address:port

Note:

If the ProxySG HTTPS Reverse Proxy is configured to require a client certificate
(verify-client and forward-client-cert are enabled), information from the client certificate
is extracted and put into a header that is included in the request when it is forwarded to
the OCS.
The Send-client-IP attribute lets the ProxySG to pretend to be a client, allowing the origin
content server to see the client’s IP address.
The Verify-client attribute requests the client certificate and validates the client certificate.

167

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services

The Forward-client-cert attribute, when used with the verify-client attribute, puts the
extracted client certificate information into a header that is included in the request when
it is forwarded to the OCS. The name of the header is Client-Cert. The header contains
the certificate serial number, subject, validity dates and issuer (all as name=value pairs).
The actual certificate itself is not forwarded.
2.

(Optional) View the results:
SGOS#(config services https-reverse-proxy) view
Port:
1000
IP: 10.9.17.159
Type: https
Keyring: default
Properties: explicit, enabled
SSL Protocol version: SSLv2v3TLSv1
CA Certificate List: not configured
Cipher suite:
RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC2-CBC-MD5:RC4-64-MD5:DES-CBC-SHA
:DES-CBC-MD5:EXP1024-RC4-MD5:EXP1024-RC4-SHA:EXP1024-RC2-CBC-MD5:EXP1024-DES
-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-DES-CBC-SHA:AES128-SHA:AES256-SHA:+
SSLv2:+SSLv

Managing Instant Messaging Protocols
Supported instant messaging (IM) services are present by default with the transparent and explicit
attributes selected and listening on all IP addresses; none of them are enabled. The explicit attribute is
not user-configurable.
To Create or Enable an AOL, Yahoo, or MSN Port Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Click New or highlight the service you want and select Edit; the Add (or Edit) Service dialog
appears.

3.

Select the IM service you want to create or edit from the Protocol drop-down list.

4.

The default port is determined by the protocol:

5.



AOL— Port 5190



Yahoo—Ports 5050 and 5101



MSN—1863 and 6891

Click OK; click Apply.

To Manage an Instant Messaging Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) aol-im | msn-im | yahoo-im
SGOS#(config services protocol) create port
SGOS#(config services protocol) attribute send-client-ip {enable | disable}
port

168

Chapter 5: Managing Port Services

Section B: Creating and Editing Services

Note:

2.

The send-client-IP attribute allows the ProxySG to pretend to be a client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

(Optional) View the results:
SGOS#(config services aol-im) view
Port:
5190 IP: 0.0.0.0
Type: aol-im
Properties: transparent, explicit, enabled
SGOS#(config services aol-im) exit
SGOS#(config services) yahoo-im
SGOS#(config services yahoo-im) view
Port:
5050 IP: 0.0.0.0
Type: yahoo-im
Properties: transparent, explicit, enabled

Managing Streaming Protocols
MMS and RTSP services are configured on the system, but are disabled by default. To enable the
default MMS and RTSP service, follow the steps below.
To Enable an MMS or RTSP Port Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Click New to create a new MMS or RTSP port service or highlight the existing service and click
Edit.
The Add (or Edit) Service dialog appears.

3.

Select MMS or RTSP from the Protocol drop-down list.

4.

The default IP address value is All. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, specify a port number; select Enabled.

6.

In the Attributes field, select the attributes you want the service to have.

7.

Click OK; click Apply.

To Enable an MMS or RTSP Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) {mms | rtsp}
SGOS#(config services protocol) create [ip_address:]port
SGOS#(config services protocol) attribute {explicit | send-client-ip |
transparent} {enable | disable} [ip_address:]port

169

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services

Note:

2.

The send-client-IP attribute allows the ProxySG to pretend to be a client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

(Optional) View the results:
SGOS#(config services mms) view
Port:
1755
IP: 0.0.0.0
Type: mms
Properties: transparent, explicit, enabled
SGOS#(config services mms) exit
SGOS#(config services) rtsp
SGOS#(config services rtsp) view
Port:
554
IP: 0.0.0.0
Type: rtsp
Properties: transparent, explicit, enabled

Managing SOCKS Services
By default, a SOCKS service is configured with explicit attribute on port 1080, but not enabled. You
can create additional SOCKS services.
To enable a SOCKS port service, complete the steps below. To configure SOCKS gateway forwarding,
see "SOCKS Gateway Configuration" on page 852.
Note:

The version of SOCKS used is controlled through policy. For example, to use only
SOCKSv5:
client.protocol=socks
ALLOW socks.version=4 deny
DENY

To Create or Edit a SOCKS Port Service through the Management Console

170

1.

Select Configuration>Services>Service Ports.

2.

Click New to create a new SOCKS service or select Edit to enable the existing service; the Add (or
Edit) Service dialog appears.

3.

Select SOCKS from the Protocol drop-down list.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services

Figure 5-11: SOCKS Edit Service Dialog

4.

The default IP address value is All. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, specify a port number; select Enable.

6.

Click OK; click Apply.

To Create a SOCKS Port Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) socks
SGOS#(config services socks) create [ip_address:]port
SGOS#(config services socks) enable [ip_address:]port

2.

(Optional) View the results:
SGOS#(config services socks) view
Port:
1080
IP: 10.25.36.48 Type: socks
Properties: explicit, enabled

Managing TCP Tunneling Services
Tunneling, or port forwarding, is a way to forward TCP traffic. Any application protocol running over
TCP can be tunneled using this service. Client-server applications carry out any authentication
procedures just as they do when TCP tunneling is not involved.
SGOS uses a tcp:// scheme for TCP-tunnel transactions instead of HTTPS because SGOS does not
actually know that it is HTTPS that is being tunneled.
You can use the SOCKS proxy in conjunction with TCP tunnels to compress and accelerate the
tunnelled traffic. For information on using the SOCKS proxy, see "Configuring a SOCKS Proxy" on
page 219.

171

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services
Both explicit and transparent TCP tunneling are supported. Which one you use depends on your
needs.
Explicit TCP tunneling allows connections to one of the ProxySG's IP addresses.
Transparent TCP tunneling allows connections to any IP address other than those belonging to the
ProxySG. TCP tunneling in transparent mode supports categorization as well as blocking of
destination IP address, port, host, and domain.
Note:

The TCP-Tunnel service does not support content filtering with Websense offbox or ICAP.

You can use the Management Console or the CLI to create a transparent TCP tunneling protocol.
When a TCP-Tunnel service is created, it is by default an explicit service and automatically enabled.
To Create a Transparent or Explicit TCP-Tunnel Port Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Click New; the Add Service dialog appears.

3.

Select TCP-Tunnel from the Protocol drop-down list.
The Add Service dialog displays.

Figure 5-12: TCP-Tunnel Add Service Dialog

172

4.

The default IP address value is All. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, specify a port number; select Enabled.

6.

If you are configuring a transparent TCP-Tunnel service, make sure Transparent is selected in the
Attributes field; if you are configuring an explicit TCP-Tunnel service, verify Explicit is selected.

7.

Click OK; click Apply.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services
To Create a TCP-Tunnel Transparent or Explicit Port Service through the CLI
1.

At the (config) prompt, enter the following commands to create a transparent or explicit service:
SGOS#(config) services
SGOS#(config services) tcp-tunnel
SGOS#(config services tcp-tunnel) create [ip_address:]port

where ip_address is the IP address of the ProxySG (use 0.0.0.0 to indicate all available IP
addresses), and port is the number of the port the ProxySG listens to. You must choose a port
that is not configured for any other service.
2.

Enable the service to be transparent or explicit. By default, the port service is explicit.
SGOS#(config services tcp-tunnel) attribute {explicit | transparent} {enable
| disable} [ip_address:]port

3.

(Optional) View the results.
SGOS#(config services tcp-tunnel) view
Port:
7080
IP: 0.0.0.0
Type: tcp-tunnel
Properties: transparent, explicit, enabled

If you created a transparent TCP-Tunnel service, the procedure is complete. If you created an explicit
TCP-Tunnel service, you must configure a forwarding destination port.
To Configure a Forwarding Destination Port through the CLI
1.

Create a forwarding destination port, where the ProxySG directs traffic.
SGOS#(config services tcp-tunnel) exit
SGOS#(config services) exit
SGOS#(config) forwarding
SGOS#(config forwarding) create host_alias ip_address tcp=port

2.

(Optional) View the results:
SGOS#(config forwarding) view
Forwarding Groups: (* = host unresolved)
No forwarding groups defined.
Individual Hosts: (* = host unresolved)
Host_Alias 10.25.36.47 tcp=port_number

Managing the Telnet Shell Proxy Service
On a new system, Telnet proxy service is configured and disabled on port 23. On an upgrade, Telnet
proxy service is not created.
To Enable or Create a Telnet Proxy Service through the Management Console
Important: To use Telnet to manage the ProxySG, create a Telnet-Console rather than a Telnet
service. The Telnet service allows you to use Telnet for outbound connections, and
the ProxySG functions as Shell proxy in that situation. For more information on the
Telnet-Console, see "Managing the Telnet Console" on page 153.
1.

173

Select Configuration>Services>Service Ports.

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services
2.

Click New if you are creating a new Telnet service; highlight the Telnet service and click Edit if you
are enabling an existing Telnet service;
The Add or Edit Service dialog appears.

Figure 5-13: Creating a Telnet Service

3.

In the Protocol drop-down list, select Telnet.

4.

The default IP address value is all. To limit the service to a specific IP address, select the IP address
from the drop-down list.

5.

In the Port field, specify a port number; select Enable. Port 23 is the default.
Important:

6.

In the Attributes field, select Transparent, Explicit, Send-client-IP (spoofing), or all three. Explicit is the
default.
Note:

7.

174

You can have only one service on a port, so you must choose a port number for
the Telnet service that is different from the port chosen for the Telnet Console.

The send-client-IP attribute allows the ProxySG to pretend to be a client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

Click OK; Click Apply.

Chapter 5: Managing Port Services

Section B: Creating and Editing Services
To Enable or Create a Telnet Proxy Service through the CLI
Note:

The explicit attribute is enabled by default and the transparent and
send-client-ip attributes are disabled by default. Note also that only one service can
use a port, so if you have Telnet-Console enabled on Port 23, you must choose a different
port number for the Telnet shell proxy.

From the (config) prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) telnet
SGOS#(config services telnet) create [ip_address:]port
SGOS#(config services telnet) attribute {explicit | transparent |
send-client-ip} enable [ip_address:]port
SGOS#(config services telnet) enable [ip_address:]port

where:
create

[ip_address:] port

Create a Telnet shell proxy service at the (optional)
address and port number.

attribute

explicit |
transparent |
send-client-ip enable
[ip_address:] port

Assign the Telnet shell proxy explicit and transparent
attributes, and create IP spoofing (where the ProxySG
pretends to be a client so the OCS can see the client’s IP
address).
Note: The Send-client-IP attribute allows the ProxySG
to pretend to be a client, allowing the origin content
server to see the client’s IP address.If an alternate path
exists for traffic returning from the Internet to the
client, the Send-client-IP attribute does not work.

enable

[ip_address:] port

Enable the new Telnet shell proxy.

To View the Results:
SGOS#(config services telnet) view
Port:
23
IP: 0.0.0.0
Type: telnet
Properties: transparent, explicit, disabled
Port:
24
IP: 10.25.36.47 Type: telnet
Properties: explicit, enabled

175

Blue Coat ProxySG Configuration and Management Guide

Section B: Creating and Editing Services

176

Chapter 6: Configuring Proxies

A proxy filters traffic, monitors Internet and intranet resource usage, blocks specific Internet and
intranet resources for individuals or groups, and enhances the quality of Internet or intranet user
experiences.
A proxy also serves as an intermediary between a Web client and a Web server and can require
authentication to allow identity-based policy and logging for the client. The rules used to authenticate
a client are based on the policies created and implemented through your existing security framework,
such as LDAP, RADIUS, and IWA, and are further discussed in "Using Authentication Services" on
page 335.
Explicit/Transparent proxy specifies the mode the client requests get to the proxy.


Explicit—The default, requiring software configuration for both browser and service.



Transparent—Requires a Layer-4 switch or a WCCP-compliant router. You can also transparently
redirect requests through a ProxySG by setting the workstation’s gateway to the ProxySG IP
address. You can also use the ProxySG software bridge to transparently proxy requests.
Some software configuration on the ProxySG is also required to allow the appliance to know what
traffic to intercept.

You might also configure both proxy types, depending on the services you require.
This chapter contains the following topics:


"About Explicit and Transparent Proxy"



"Creating an Explicit Proxy Server"



"Configuring the Transparent Proxy Hardware"

About Explicit and Transparent Proxy
Whether you select explicit or transparent proxy deployment is determined by factors such as network
configuration, number of desktops, desired user experience, and desired authentication approach.
Note:

While you must configure proxying to do authentication, verify the proxy is configured
correctly and is functioning before adding authentication to the mix. Many network or
other configuration problems can appear similar to authentication errors.

177

Blue Coat ProxySG Configuration and Management Guide

Understanding the Explicit Proxy
In an explicit proxy configuration, the client (browser) is explicitly configured to use a proxy server.
The browser is given the IP address and port number of the proxy service (the ProxySG). It is also
possible to configure the browser to download the proxy settings from a Web server. This is called a
Proxy Auto-Configuration (PAC) file. When a user makes a request, the browser connects to the proxy
service and sends the request. Because the browser knows it is talking to a proxy, the browser
provides the proxy server with the destination server.
The proxy service accepts the explicit connection to it, and fetches the request from the browser. The
request identifies the desired origin content server (OCS) and the resource on that server. The proxy
service uses this information to contact the OCS if necessary.
The disadvantage to explicit proxy is that each desktop must be properly configured to use the proxy,
which might not be feasible in a large organization.

Understanding the Transparent Proxy
When transparent proxy is enabled, the client (browser) does not know the traffic is being processed
by a machine other than the OCS. The browser believes it is talking to the OCS, so the request is
formatted for the OCS and the proxy determines for itself the destination server based on information
in the request, such as the destination IP address in the packet, or the Host: header in the request.
To enable the ProxySG to intercept traffic sent to it, you must create a service and define it as
transparent. The service is configured to intercept traffic for a specified port, or for all IP addresses on
that port. A transparent HTTP proxy, for example, typically intercepts all traffic on port 80 (all IP
addresses).
To make sure that the appropriate traffic is directed to the ProxySG, deploy hardware such as a
Layer-4 switch or a WCCP router, or the ProxySG appliance’s software bridge that can redirect
selected traffic to the appliance. Traffic redirection is managed through polices you create on the
redirection device.
For detailed information on explicit proxies, continue with the next section; for detailed information
on transparent proxies, continue with "Transparent Proxies" on page 255.

178

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Section A: Configuring Explicit Proxies
You can configure several different explicit proxy servers and services:


Native FTP—See "Configuring the FTP Proxy" on page 181.



HTTP Proxy—See "Managing HTTP Proxy" on page 187.



SOCKS—See "Configuring a SOCKS Proxy" on page 219.



SSL Proxy—See "Configuring an SSL Proxy" on page 231



Shell Proxies—See "Customizing Policy Settings for Shell Proxies" on page 226

For information on creating an explicit proxy server, regardless of type, continue with "Creating an
Explicit Proxy Server".

Creating an Explicit Proxy Server
If your network does not use transparent proxy, clients on the network must configure their browsers
to use either an explicit proxy server or a Proxy Auto-Configuration (PAC) file.
Two PAC files ship with the ProxySG:


PAC file.



Accelerated PAC file.

They can be accessed at:


https://ProxySG_IP_Address:8082/accelerated_pac_base.pac



https://ProxySG_IP_Address:8082/proxy_pac_file

They can be edited with any text editor.
The ProxySG generates client instructions that describe how to configure Microsoft Internet Explorer,
Netscape Communicator, and other browsers based on instructions selected by the ProxySG
administrator. You can configure client instructions for each network adapter in the ProxySG with the
Configuration>Network>Adapters>Interface>Settings button.
After selecting client instructions, the ProxySG administrator directs clients to go to the ProxySG
home page and follow the instructions in the Browser Configuration section. The ProxySG detects the
browser installed on the client and displays the appropriate instructions.

Using the ProxySG as an Explicit Proxy
To use the ProxySG as an explicit proxy and use services such as SOCKS or FTP, you must provide
custom instructions to clients instructing them how to configure their browsers to use the ProxySG as
a proxy server.

179

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
This is a two-step process, requiring that you add the proxy IP address to the browser and also
instruct the ProxySG which adapter interface uses the proxy IP address.
Before the proxy can be used, you must:


Configure the proxy server.



Enable the explicit proxy (whether a service or a server).

The browsers described here are Internet Explorer 6.0 and Netscape 6.2. If you have different browsers
or different versions of Internet Explorer or Netscape, refer to the vendor documentation for
information on configuring proxies.
From Internet Explorer
1.

Select Tools>Internet Options>Connections>LAN Settings.

2.

Select Use a proxy server.

3.

Enter the IP address and port number for the proxy, or click Advanced to set proxy server IP
addresses and port numbers for services such as HTTP, FTP, and SOCKS. (Configure HTTPS
through the Secure field.)

4.

Click OK to exit the Advanced Settings tab, then continue to click OK until you exit the Tools menu.

From Netscape
1.

Select Edit>Preferences>Advanced>Proxies.

2.

Select Manual proxy configuration.

3.

Enter proxy server IP addresses and port numbers for services such as HTTP, FTP, SOCKS and
SSL.

4.

Click OK.
Note:

Explicit proxy allows a redundant configuration using IP address failover among a cluster
of machines. For information on creating a redundant configuration for failover, see
“Section L: Configuring Failover” on page 133.

Configuring Adapter Proxy Settings
Once the explicit proxy is configured on the browser, decide which adapter interfaces listen for which
service. Each adapter interface can listen for only one IP address; you can configure multiple proxies
on one ProxySG using the same IP address.
To Provide Configuration Instructions through the Management Console

180

1.

Select Configuration>Network>Adapters.

2.

Select an adapter and the correct interface and click Settings.

3.

Select Using a proxy.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
4.

Click OK to close the Settings dialog.

5.

Click Apply.

To Provide Configuration Instructions through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) interface fast-ethernet interface_#
SGOS#(config interface interface_#) instructions proxy

Configuring the FTP Proxy
In previous SGOS releases, connections to FTP origin content servers were only accomplished over
HTTP. SGOS 4.x supports Native FTP proxy.
Note:

As in previous releases, FTP requests sent through the HTTP proxy are still valid.

Configuring an FTP proxy requires ProxySG configuration and specific configuration of the FTP
client. The service must be enabled on the ProxySG before it can be used.
Data connections initiated by an FTP client to an FTP server are known as passive mode data
connections. This type of connection is useful in situations where an FTP server is unable to make a
connection to an FTP client because the client is located behind a firewall or other similar device
where outbound connections from the client are allowed, but inbound connections to the client are
blocked.
This functionality allows administrators to select how the ProxySG responds to a request from an FTP
client for a passive mode data connection (PASV command). This functionality does not affect HTTP
requests for FTP objects (for example, those originating from browsers that are explicitly proxied to a
ProxySG).
If the FTP server responds that it supports PASV, but the ProxySG is unable to connect because of a
firewall blocking the port, the ProxySG only attempts a PORT command. Some FTP clients do not
open a passive mode data connection to an IP address that is different from the IP address used for the
control connection.
Disabling passive mode data connections on the ProxySG servicing requests from this type of FTP
client might provide a more acceptable response to the end user.
When passive mode data connections are disabled, the ProxySG returns a response to the FTP client
indicating that the server does not support passive mode. The FTP client software controls any
messages displayed to the end user as a result of this response from the ProxySG.
Limitations

181



Internet Explorer does not support proxy authentication for Native FTP.



The ProxySG FTP proxy does not support exceptions.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Understanding FTP Spoofing
Using policy, you can spoof the IP addresses for FTP data connections in both transparent and explicit
deployments, for both active and passive modes; certain deployments are subject to limitations. The
client and server-side policies are:


ftp.match_client_data_ip(yes)—Matches the source IP address of the ACTIVE data
connection with the destination IP address of the control connection (client side).



ftp.match_server_data_ip(yes)—Matches the source IP address of the PASV data connection

with the source IP address of the ProxySG control connection (server side).
Note:

To always use the ProxySG physical IP address (no spoofing), define policy as
ftp.match_[client | server]_data_ip(no).

The following points describe the various data flow scenarios:


Outbound client data connection (ProxySG to client)—When the client issues a PORT command,
the ProxySG opens a data connection to the FTP client with the source IP address of whatever
destination IP address the client used when opening the control connection.



Inbound client data connection (client to ProxySG)—When the client issues a PASV command, the
ProxySG returns the IP address and port to which client makes a data connection.


Explicit—The ProxySG returns the destination IP address of the control connection; this can
be a physical or virtual ProxySG IP address.




Transparent—The ProxySG returns the IP address of the physical adapter on which the
control connection arrived.

Outbound server data connection (ProxySG to FTP server)—When the ProxySG issues a PASV
command upstream, the server returns an IP address and port to connect to. The ProxySG then
opens a data connection to the server with the same source IP address it used to open the control
connection. This address is defined by the reflect_ip property.



Inbound server data connection (FTP server to ProxySG)—When the ProxySG issues a PORT
command, the ProxySG provides the IP address and port number to which the server makes a
data connection.


The ProxySG sends the control connection’s source IP address if that IP is a local ProxySG
(virtual or physical) IP address; or



The ProxySG sends the IP address of the physical adapter that was used to make the outgoing
control connection.

FTP Server Limitations
Consider the following limitations when defining FTP spoofing policy:

182

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies


IIS and WS_FTP servers do not support PASV data connections with a source IP address that is
different from the source IP address of the control connection.



IIS and WS_FTP servers do not support ACTIVE data connections with a destination IP address
that differs from the source IP address of the control connection.

Configuring the ProxySG for Native FTP Proxy
This section describes how to configure the ProxySG through the Management Console and the CLI.
To Configure Native FTP Proxy through the Management Console
1.

Select Configuration>Services>FTP Proxy.

Figure 6-1: FTP Proxy Tab

2.

Select Allow caching of FTP objects. The default is enabled.

3.

Determine the amount of time in percentage of how long since the object was last modified. The
default is 10%.

4.

Enter an amount, in hours, that the object remains in the cache before becoming eligible for
deletion. The default is 24 hours.

5.

Select Allow use of PASV mode to clients. The default is enabled.

To Configure Native FTP Proxy through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) caching
SGOS#(config caching) max-cache-size 18
SGOS#(config caching) ftp
SGOS#(config caching ftp) enable
SGOS#(config caching ftp) type-m-percent 20
SGOS#(config caching ftp) type-n-initial 12

183

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
where:
max-cache-size

megabytes

The maximum size, in megabytes, of the largest object that
can stored on the ProxySG. The max-cache-size value
sets the maximum object size for both HTTP and FTP.

enable | disable

2.

Enables or disables the caching of FTP objects.

type-m-percent

percent

Time to live for objects with a last-modified time.

type-n-initial

hours

Time to live for objects without a last-modified time.

(Optional) View the result.
SGOS#(config caching ftp) view
Caching FTP objects is enabled
FTP objects with last modified date, cached for 20% of last modified time
FTP objects without last modified date, initially cached for 12 hours

3.

(Optional) Change the default login syntax. The default syntax is Raptor. The ProxySG also
supports the Checkpoint authentication syntax. The supported Checkpoint formats are:


remoteuser@proxyuser@host (in USER command) for explicit FTP.



remotepass@proxypass (in PASS command) for explicit FTP.



remoteuser@proxyuser (in USER command) for transparent FTP.



remotepass@proxypass (in PASS command) for transparent FTP.

Enter the following command to change the login syntax:
SGOS# (config) ftp login-syntax {raptor | checkpoint}

Note:

Neither proxy authentication for transparent FTP nor proxy chaining are supported with
the Checkpoint syntax.

Enabling the FTP Service
By default, an FTP service is already created with explicit and transparent attributes, but it is disabled.
You must enable the FTP port before it can be used.
To Create and Enable a Native FTP Port Service through the Management Console

184

1.

Select Configuration>Services>Service Ports.

2.

Click New; the Add Service dialog appears.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Figure 6-2: FTP Add Service Dialog

3.

In the Protocol drop-down list, select FTP.

4.

The default IP address value is All. To limit the service to a specific IP, select the IP from the
drop-down list.

5.

In the Port field, specify a port number; select Enabled.

6.

Select the FTP attributes, as required: Explicit, Transparent, or both.

7.

Click OK; Click Apply.

To Create a Native FTP Port Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) ftp
SGOS#(config services ftp)
SGOS#(config services ftp)
SGOS#(config services ftp)
SGOS#(config services ftp)

2.

create [ip_address:]port
attribute passive-mode {enable | disable}
attribute explicit enable [ip_address:]port
attribute transparent enable [ip_address:]port

(Optional) View the results.
SGOS#(config services ftp) view
Port:
25
IP: 0.0.0.0
Type: ftp
Properties: transparent, explicit, enabled, passive-allowed

Configuring FTP Clients
FTP clients must be configured as follows:


185

Enable firewall.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


Select USER with no logon.



For proxy authentication, select USER remoteID@remoteHost fireID and specify a proxy username
and password.

Example
The following graphic demonstrates configuring a WSFtp client.

Figure 6-3: Configuring the WSFtp Client for Native FTP

Configuring FTP Connection Welcome Banners
You can customize banners that usually describe the policies and content of the FTP server displayed
to FTP clients. Without modification, the ProxySG sends a default banner to newly-connected FTP
clients: Welcome to Blue Coat FTP. However, you might not want users to know that a Blue Coat
ProxySG exists on the network. A default banner can be defined in the Management Console or the
CLI, but other banners defined for specific groups can be created in policy layers.
Note:

Configurable banners are only displayable when FTP is explicit through the ProxySG. In
transparent deployments, the banner is sent to the client when proxy authentication is
required; otherwise, the banner is forwarded from the FTP server.

To Define the Default FTP Banner through the Management Console

186

1.

Select Configuration>Services>FTP Proxy.

2.

In the Welcome Banner field, enter a line of text that is displayed on FTP clients upon connection. If
the message length spans multiple lines, the ProxySG automatically formats the string for
multiline capability.

3.

Click Apply.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Figure 6-4: Configuring an FTP Connection Welcome Banner

To Define the Default FTP Banner through the CLI
At the (config) prompt, enter the following command:
#SGOS#(config) ftp
#SGOS#(config) ftp welcome-banner "message"

To Create Policy that Overrides the Default Banner
Add the following property to a policy:

ftp.welcome_banner "message"

If entering text that spans more than one line, use $(crlf) for line breaks.

Managing HTTP Proxy
By default, an HTTP proxy service, with both explicit and transparent attributes set, is enabled on
port 80. To change the attributes of the proxy service or create new HTTP proxy services, see
"Managing HTTP Services" on page 164.
The HTTP proxy is the first line of defense for the ProxySG, controlling all traffic that arrives on
port 80 to the ProxySG. To control that traffic and improve performance, you can:

187



Set default caching policies to configure the length of time an object or negative response is
cached, whether objects are always revalidated before being served, whether server certificates
are verified by default, and how headers are parsed. For more information, see "Setting Default
HTTP Proxy Policy" on page 192.



Configure the HTTP proxy as a server accelerator. For more information, see "Choosing the HTTP
Proxy Profile" on page 196.



Set a limit to the maximum bandwidth the ProxySG is allowed to use for refreshing objects in the
background. For more information, see "Configuring Refresh Bandwidth for the HTTP Proxy" on
page 191.



Compress and decompress content. For more information, see "Understanding HTTP
Compression" on page 207.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Note:

Use of the compression feature is a trade-off among three resources: server-side
bandwidth, client side-bandwidth, and CPU. If server-side bandwidth is expensive
compared to CPU, always request compressed content from the OCS. If CPU is
comparatively expensive, then the ProxySG should ask the server for the compression
formats that the client asked for and forward whatever the server returns.

The HTTP proxy is designed to control Web traffic, providing:


Security



Authentication



Virus Scanning and Patience Pages



Performance


Default HTTP Proxy Policy



HTTP Proxy Caching Profiles



Byte-Range Support



Refresh Bandwidth



Compression

This chapter deals with HTTP proxy performance. See also:


Chapter 8: “Security and Authentication” on page 305 to learn about controlling access to the
ProxySG, Internet, intranet, and making decisions based on user identity.



"Forms-Based Authentication" on page 460 for information about using Web forms for
authentication.



See "About Content Scanning" on page 501 for information about virus scanning and sending
patience pages to explain the delays that can occur when scanning for viruses before serving data.

Configuring HTTP Proxy Performance
Understanding Default HTTP Proxy Policy
Using the ProxySG Management Console or CLI, you can configure global defaults that determine
HTTP proxy caching policy, such as the maximum size of cacheable objects, the length of time that
negative responses remain in the cache, whether the ProxySG revalidates each object before serving it,
whether the server certificate is verified by default, and how headers are parsed.
For information about setting default policy for HTTP proxy caching, see "Setting Default HTTP
Proxy Policy" on page 192.

HTTP Proxy Acceleration Profiles
You have a choice of three profiles to use for the ProxySG:

188

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies


Normal (the default setting) acts as a client accelerator, and is used for enterprise deployments



Portal acts as a server accelerator, and is used for Web hosting



Bandwidth Gain is used for ISP deployments

For information on HTTP profiles, see "Choosing the HTTP Proxy Profile" on page 196.

Byte-Range Support
If a client makes a request using the Range: HTTP header, the ProxySG serves the requested portions
of the file from the cache if byte-range support is enabled (the default). If byte range support is
disabled, all such requests are forwarded to the origin content server and the response is not cached.
For information on using byte-range support to determine how the ProxySG handles byte-range
requests, see "Configuring HTTP for Bandwidth Gain" on page 204.

Refresh Bandwidth
Refresh bandwidth refers to server-side bandwidth used for all forms of asynchronous refresh activity.
The default configuration is to allow the ProxySG to manage refresh bandwidth. The ProxySG
manages the bandwidth in order to preserve the maximum freshness of accessed objects. However,
sometimes the automatic refresh bandwidth amount is too high. It is not unusual for refresh
bandwidth to spike up occasionally, depending on access patterns at the time. If necessary, you can
impose a limit on refresh bandwidth. To limit the refresh bandwidth to a specified amount, you must
disable automatic management of the bandwidth and explicitly set a bandwidth limit. Setting the
refresh bandwidth amount too low can lower the estimated freshness of objects in the cache. If you set
the refresh bandwidth amount to zero, the ProxySG does not do active refresh at all.
For information about configuring refresh bandwidth, see "Configuring Refresh Bandwidth for the
HTTP Proxy" on page 191.

Compression
Compression is disabled by default. If compression is enabled, the HTTP proxy forwards the
supported compression algorithm (either deflate or gzip) from the client’s request
(Accept-Encoding: request header) to the server as is, and attempts to send compressed content to
client whenever possible. This allows the ProxySG to send the response as is when the server sends
compressed data, including non-cacheable responses. Any unsolicited encoded response is forwarded
as is to the client.
For more information on compression, see "Understanding HTTP Compression" on page 207.

Understanding HTTP Terms


189

Asynchronous Adaptive Refresh (AAR)—This allows the ProxySG to keep cached objects as fresh
as possible, thus reducing response times. The AAR algorithm allows HTTP proxy to manage
cached objects based on their rate of change and popularity: an object that changes frequently
and/or is requested frequently is more eligible for asynchronous refresh compared to an object
with a lower rate of change and/or popularity.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


Asynchronous Refresh Activity—Refresh activity that does not wait for a request to occur, but that
occurs asynchronously from the request.



Bandwidth Gain—A measure of the difference in client-side and server-side Internet traffic
expressed in relation to server-side Internet traffic. It is managed in two ways: you can enable or
disable bandwidth gain mode or you can select the Bandwidth Gain profile (this also enables
bandwidth gain mode). See "Configuring the HTTP Proxy Profile" on page 202 for information
about configuring bandwidth gain.



Byte-Range Support—The ability of the ProxySG to respond to byte-range requests (requests with
a Range: HTTP header).



Cache-hit—An object that is in the ProxySG and can be retrieved when an end user requests the
information.



Cache-miss—An object that can be stored but has never been requested before; it was not in the
ProxySG to start, so it must be brought in and stored there as a side effect of processing the
end-user's request. If the object is cacheable, it is stored and served the next time it is requested.



Compression—An algorithm that reduces a file’s size but does not lose any data. The ability to
compress or decompress objects in the cache is based on policies you create. Compression can
have a huge performance benefit, and it can be customized based on the needs of your
environment: Whether CPU is more expensive (the default assumption), server-side bandwidth is
more expensive, or whether client-side bandwidth is more expensive.



Freshness—A percentage that reflects the objects in the ProxySG cache that are expected to be
fresh; that is, the content of those objects is expected to be identical to that on the OCS (origin
content server).



Maximum Object Size—The maximum object size stored in the ProxySG. All objects retrieved that
are greater than the maximum size are delivered to the client but are not stored in the ProxySG.

190



Negative Responses—An error response received from the OCS when a page or image is
requested. If the ProxySG is configured to cache such negative responses, it returns that response
in subsequent requests for that page or image for the specified number of minutes. If it is not
configured, which is the default, the ProxySG attempts to retrieve the page or image every time it
is requested.



Refresh Bandwidth—The amount of bandwidth used to keep stored objects fresh. By default, the
ProxySG is set to manage refresh bandwidth automatically. You can configure refresh bandwidth
yourself, although Blue Coat does not recommend this.



Variants—Objects that are stored in the cache in various forms: the original form, fetched from the
OCS; the transformed (compressed or uncompressed) form (if compression is used). If a required
compression variant is not available, then one might be created upon a cache-hit. (Note:
policy-based content transformations are not stored in the ProxySG.)

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Configuring Refresh Bandwidth for the HTTP Proxy
The ProxySG uses as much bandwidth as necessary for refreshing to achieve the desired access
freshness.
The amount of bandwidth used varies depending on client demands. If you determine that the
ProxySG is using too much bandwidth (by reviewing the logged statistics and examining current
bandwidth used shown in the Refresh bandwidth field), you can specify a limit to the amount of
bandwidth the ProxySG uses to try to achieve the desired freshness. Be aware, however, that if you
limit the amount of bandwidth the ProxySG can use, you might prohibit the ProxySG from achieving
the desired freshness. If the refresh bandwidth configuration remains at the recommended
default—Let the ProxySG Appliance manage refresh bandwidth (recommended) in the Management
Console or SGOS#(config caching) refresh automatic in the CLI—then the ProxySG uses
whatever bandwidth is available in its efforts to maintain 99.9% estimated freshness of the next access.
To Set Refresh Bandwidth through the Management Console
1.

Select Configuration>Services>HTTP Proxy>Freshness.

Figure 6-5: Freshness Tab

The Refresh bandwidth field displays the refresh bandwidth options. The default setting is to allow
the ProxySG to manage refresh bandwidth automatically.
Important:
2.

3.

191

Blue Coat strongly recommends that you not change the setting from the default.

Do one of the following:


To turn off automatic bandwidth refresh, select Limit refresh bandwidth to (not recommended).
Enter a new value into the kilobits/sec field, if necessary.



To return the ProxySG to automatic bandwidth refresh, select Let the ProxySG Appliance
manage refresh bandwidth (recommended).

Click Apply.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
To Set Refresh Bandwidth through the CLI
1.

To disable automatic bandwidth refresh (not recommended), enter the following commands at the
(config) command prompt:
SGOS#(config) caching
SGOS#(config caching) refresh no automatic

2.

(Optional) To adjust the kilobit/sec refresh bandwidth value, enter the following commands:
Note:

Adjusting the refresh bandwidth value has no effect if you do not also turn off the
automatic refresh bandwidth option (you must perform Step 1). You can skip Step 2 if the
refresh bandwidth value is acceptable (200 Kbps is the default).

SGOS#(config) caching
SGOS#(config caching) refresh bandwidth kbps

3.

To return the ProxySG to automatic bandwidth refresh (recommended), enter the following
commands:
SGOS#(config) caching
SGOS#(config caching) refresh automatic

4.

(Optional) View the (truncated) results:
SGOS#(config caching) view
Refresh:
Estimated access freshness is 100.0%
Let the ProxySG Appliance manage refresh bandwidth
Current bandwidth used is 0 kilobits/sec

To view all HTTP settings, see "Viewing HTTP Settings through the CLI" on page 206.

Setting Default HTTP Proxy Policy
Using the ProxySG Management Console or CLI, you can configure global defaults that determine
HTTP proxy policy, such as the maximum size of cacheable objects, the length of time that negative
responses remain in the cache, whether the ProxySG revalidates each object before serving it, whether
the server certificate is verified by default, and how headers are parsed.
Other policy can be controlled only by using Blue Coat Content Policy Language (CPL). This section is
about using the Management Console or CLI to set default HTTP proxy policy; see "Creating a Proxy
Layer to Manage Proxy Operations" on page 325 for information about using CPL to configure HTTP
proxy caching.
Note:

Tolerant HTTP request parsing can only be done through the CLI; it is not available
through the Management Console.

To Set HTTP Default Proxy Policy through the Management Console
1.

192

Select Configuration>Services>HTTP Proxy>Policies.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Figure 6-6: Policies Tab

2.

Fill in the fields as appropriate:


In the Do not cache objects larger than field, enter the maximum object size to cache. The default
is 1024 MB. This configuration determines the maximum object size to store in the ProxySG.
All objects retrieved that are greater than the maximum size are delivered to the client but are
not stored in the ProxySG.



In the Cache negative responses for field, enter the number of minutes the ProxySG stores
negative responses. The default is 0, meaning that the ProxySG does not cache negative
responses and always attempts to retrieve the object.
The OCS might send a client error code (4xx HTTP response) or a server error code (5xx HTTP
response) as a response to some requests. If the ProxySG is configured to cache such negative
responses, it returns that response in subsequent requests for that page or image for the
specified number of minutes. If it is not configured, which is the default, the ProxySG
attempts to retrieve the page or image every time it is requested.
If you enter a number of minutes into this field, then the response times improve, but you
could receive negative responses to requests that might otherwise have been served for that
period of time.



To always verify that each object is fresh upon access, select the Always check with source before
serving object checkbox. Enabling this setting has a significant impact on performance because
HTTP proxy revalidates requested cached objects with the OCS before serving them to the
client, resulting in a negative impact on response times and bandwidth gain. Therefore, do not
enable this configuration unless absolutely required.



193

If you communicate with an OCS through HTTPS and want the origin content server’s
certificate to be verified by the ProxySG, verify that Verify server certificate for secure connections
is selected.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


The default is to parse HTTP meta tag headers in HTML documents if the MIME type of the
object is text/HTML. The function of all meta tags is same as the corresponding HTTP
headers.
To disable meta-tag parsing, remove the check from the checkbox for:


Parse “cache-control” meta tag

The following sub-headers are parsed when this checkbox is selected: private,
no-store, no-cache, max-age, s-maxage, must-revalidate, proxy-revalidate.

3.



Parse “expires” meta tag



Parse “pragma-no-cache” meta tag

Click Apply.

To Set HTTP Proxy Default Policy through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) caching
SGOS#(config caching)
SGOS#(config caching)
SGOS#(config caching)
-orSGOS#(config caching)

max-cache-size megabytes
negative-response minutes
always-verify-source
no always-verify-source

where:
max-cache-size

megabytes

The maximum size, in megabytes, of the largest object
that can stored on the ProxySG. The
max-cache-size sets the maximum object size for
both HTTP and FTP.

negative-response

minutes

always-verifysource

no

Note:

194

The amount of time, in minutes, that the ProxySG
remembers that an object is not stored.
Ensures that every object is always fresh upon access.
This has a significant impact on performance because
HTTP proxy revalidates requested cached objects with
the OCS before serving them to the client, resulting in
a negative impact on response times and bandwidth
gain. Therefore, do not enable this configuration item
unless absolutely required.

always-verify
source

The default setting. This tells the ProxySG never to
check objects on the source before serving them to the
client.

If you use HTTPS, you might want to change the verify-server certificate from the default
of enabled to suppress verification of the OCS certificate (step 2).

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
2.

(Optional) To enable or disable the verify-server certificate setting, enter one of the following
commands:
SGOS#(config caching) exit
SGOS#(config) http ssl-verify-server
-orSGOS#(config) http no ssl-verify-server

Note:

3.

The http ssl-verify-server command is overridden by the CPL property
server.certificate.validate or the forwarding hosts ssl-verify-server
command, if explicitly set.

(Optional) To enable or disable meta-tag parsing (parsing is enabled by default), enter one of the
following commands:
SGOS#(config services) exit
SGOS#(config) http parse meta-tag {cache-control | expires | pragma-no-cache}
-orSGOS#(config) http no parse meta-tag {cache-control | expires |
pragma-no-cache}

To view all HTTP settings, see "Viewing HTTP Settings through the CLI" on page 206.
Tips on Parsing Meta Tags


If ICAP response modification is occurring, the response body modified by the ICAP server is not
parsed.



Relevant HTTP meta tags must appear within the first 256 bytes of HTTP object body. If the meta
tag does not appear within the first 256 bytes, it is ignored.

Tips on Using Meta Tags With Policy


The following CPL properties can be used in the layer to control meta tag processing for
HTTP proxy, HTTP refresh, and HTTP pipeline transactions:
http.response.parse_meta_tag.Pragma.no-cache(yes|no)
http.response.parse_meta_tag.Cache-Control(yes|no)
http.response.parse_meta_tag.Expires(yes|no)



VPM support for this feature is not available.

Understanding Tolerant HTTP Request Parsing
By default, the ProxySG blocks malformed HTTP requests, returning a 400 Invalid Request error. The
tolerant HTTP request parsing flag causes certain types of malformed requests to be processed instead
of being rejected.
By default, a header line not beginning with a or space character must consist of a header name
(which contains no or space characters), followed by a colon, followed by an optional value, or
an error is reported. With tolerant request parsing enabled, a request header name is allowed to
contain or space characters, and if the request header line does not contain a colon, then the
entire line is taken as the header name.

195

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
A header containing one or more or space characters, and nothing else, is considered
ambiguous. Blue Coat does not know if this is a blank continuation line or if it is the blank line that
signals the end of the header section. By default, an ambiguous blank line is illegal, and an error is
reported. With tolerant request parsing enabled, an ambiguous blank line is treated as the blank line
that signals the end of the header section.
To Enable the HTTP Tolerant Request Parsing Flag through the CLI
Note:

This feature is only available through the CLI. It cannot be set through the Management
Console.

From the (config) prompt, enter the following command to enable tolerant HTTP request parsing
(the default is disabled):
SGOS#(config) http tolerant-request-parsing

To disable HTTP tolerant request parsing, enter the following command:
SGOS#(config) http no tolerant-request-parsing

To view all HTTP settings, including http tolerant-request-parsing if it is enabled, see "Viewing
HTTP Settings through the CLI" on page 206.

Choosing the HTTP Proxy Profile
You can select from among three profiles for the HTTP proxy, depending on your needs, and you can
also create a customized profile from the three available.
The three profiles are:


Normal, which acts as a client-accelerator and is used for enterprise deployments



Portal, which acts as a server accelerator and is used for Web-hosting



Bandwidth, which is used for ISP deployments

The table below shows the configuration for each profile.
Table 6.1: Normal, Portal, and Bandwidth Gain Profiles

196

Configuration

Normal Profile

Portal Profile

Bandwidth Gain

Pipeline embedded objects in client requests

Enabled

Disabled

Disabled

Pipeline embedded objects in prefetch requests

Enabled

Disabled

Disabled

Pipeline redirects for client requests

Enabled

Disabled

Disabled

Pipeline redirects for prefetch requests

Enabled

Disabled

Disabled

Cache expired objects

Enabled

Disabled

Enabled

Bandwidth Gain Mode

Disabled

Disabled

Enabled

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
Table 6.1: Normal, Portal, and Bandwidth Gain Profiles (Continued)
Configuration

Normal Profile

Portal Profile

Bandwidth Gain

Substitute GET for IMS (if modified since)

Disabled

Enabled

Enabled

Substitute GET for PNC (Pragma no cache)

Disabled

Enabled

Does not change

Substitute GET for HTTP 1.1 conditionals

Disabled

Enabled

Enabled

Substitute GET for IE (Internet Explorer) reload

Disabled

Enabled

Does not change

Never refresh before expiration

Disabled

Enabled

Enabled

Never serve after expiration

Disabled

Enabled

Does not change

When a ProxySG is first manufactured, it is set to a Normal profile. Depending on your needs, you can
use the Bandwidth Gain profile or the Portal profile. You can also combine needed elements of all three
profiles.

Using the Normal Profile
Normal is the default profile and can be used wherever the ProxySG is used as a normal forward
proxy. This profile is typically used in enterprise environments, where the freshness of objects is more
important than controlling the use of server-side bandwidth. The Normal profile is the profile that
most follows the HTTP standards concerning object revalidation and staleness. Additionally,
prefetching (pipelining) of embedded objects and redirects is enabled, which reduces response time
for clients.

Using the Portal Profile
When configured as a server accelerator, the ProxySG improves object response time to client requests,
scalability of the origin content server (OCS) site, and overall Web performance at the OCS. A server
accelerator services requests meant for an OCS as if it is the OCS itself.
Because an OCS can actually consist of many servers—a single Web server or an entire server
farm—OCSs are identified by domain name or IP address. To the ProxySG, the domain name or IP
address is treated as the OCS, regardless of how many back-end Web servers might be installed.

Using the Bandwidth Gain Profile
The Bandwidth-Gain profile is useful wherever server-side bandwidth is an important resource. This
profile is typically used in Internet Service Provider (ISP) deployments. In such deployments, the
freshness of the object is not as important as controlling the use of server-side bandwidth. The
Bandwidth-Gain profile enables various HTTP configurations that can increase page response times
and the likelihood that stale objects are served, but that reduces the amount of server-side bandwidth
required.

197

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Understanding HTTP Object Types
HTTP proxy categorizes HTTP objects into three types:


Type-T: The OCS specifies explicit expiration time.



Type-M: Expiration time is not specified; however, the last modified time is specified by the OCS.



Type-N: Neither expiration nor last modified time has been specified.

The ProxySG’s asynchronous adaptive refresh (AAR) algorithm is normally applied to all three types
of HTTP objects. To maximize the freshness of the next access to objects in the ProxySG’s cache,
asynchronous revalidations are performed on those objects in accordance with their relative
popularity and the amount of time remaining before their estimated time of expiration. Estimated
expiration times vary as object content changes are observed during such asynchronous revalidations.
This happens even for type-T objects because the expiration times of type-T objects are not always
perfectly managed by Webmasters of content servers. However, for situations where such
management can be trusted, certain configuration items exist to reduce speculative revalidation of
type-T objects. In the following section, the terms revalidation and refresh mean the same thing—to
assess the freshness of an object by sending a conditional GET request to the object’s OCS.

Understanding HTTP Proxy Profile Configuration Components
Table 6.1 gives a definition of the customizable HTTP proxy profile settings. Both the Management
Console field and CLI (config) command text is included.
Table 6.1: Description of Profile Configuration Components in the Management Console and CLI

198

Management Console
Checkbox Field

CLI (config)
Command

Definition

Pipeline embedded
objects in client request

http [no] pipeline
client requests

This configuration item applies only to HTML
responses. When this setting is enabled, and the object
associated with an embedded object reference in the
HTML is not already cached, HTTP proxy acquires
the object’s content before the client requests the
object. This improves response time dramatically. If
this setting is disabled, HTTP proxy does not acquire
embedded objects until the client requests them.

Pipeline redirects for
client request

http [no] pipeline
client redirects

When this setting is enabled, and the response of a
client request is one of the redirection responses (such
as 301, 302, or 307 HTTP response code), then HTTP
proxy pipelines the object specified by the Location
header of that response, provided that the redirection
location is an HTML object. This feature improves
response time for redirected URLs. If this setting is
disabled, HTTP proxy does not pipeline redirect
responses resulting from client requests.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
Table 6.1: Description of Profile Configuration Components in the Management Console and CLI
Management Console
Checkbox Field

CLI (config)
Command

Definition

Pipeline embedded
objects in prefetch
request

http [no] pipeline
prefetch requests

This configuration item applies only to HTML
responses resulting from pipelined objects. When this
setting is enabled, and a pipelined object’s content is
also an HTML object, and that HTML object has
embedded objects, then HTTP proxy also pipelines
those embedded objects. This nested pipelining
behavior can occur three levels deep at most. If this
setting is disabled, HTTP proxy does not engage in
nested pipelining behavior.

Pipeline redirects for
prefetch request

http [no] pipeline
prefetch
redirects

When this setting is enabled, HTTP proxy pipelines
the object specified by a redirect location returned by
a pipelined response. If this setting is disabled, HTTP
proxy does not try to pipeline redirect locations
resulting from a pipelined response.

Substitute Get for IMS

http [no]
substitute
if-modified-since

If the time specified by the If-Modified-Since:
header in the client’s conditional request is greater
than the last modified time of the object in the cache,
it is a strong indication that the copy in the cache is
stale. If so, HTTP proxy does a conditional GET to the
OCS, based on the last modified time of the cached
object.
To control this aspect of the ProxySG’s treatment of
the If-Modified-Since: header, disable the
Substitute Get for IMS setting. When this setting is
disabled, a client time condition greater than the last
modified time of the object in the cache does not
trigger revalidation of the object.
However, not all objects necessarily have a
last-modified time specified by the OCS.

199

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
Table 6.1: Description of Profile Configuration Components in the Management Console and CLI
Management Console
Checkbox Field

CLI (config)
Command

Definition

Substitute Get for HTTP
1.1 conditionals

http [no]
substitute
conditional

HTTP 1.1 provides additional controls to the client
over the behavior of caches concerning the staleness
of the object. Depending on various
Cache-Control: headers, the ProxySG can be
forced to consult the OCS before serving the object
from the cache. For more information about the
behavior of various Cache-Control: header
values, refer to RFC 2616.
If the Substitute Get for HTTP 1.1 Conditionals setting
is enabled, HTTP proxy ignores the following
Cache-Control: conditions from the client request:
• "max-stale" [ "=" delta-seconds ]
• "max-age" "=" delta-seconds
• "min-fresh" "=" delta-seconds
• "must-revalidate"
• "proxy-revalidate"

200

Substitute Get for PNC

http [no]
substitute
pragma-no-cache

Typically, if a client sends an HTTP GET request with
a Pragma: no-cache or Cache-Control:
no-cache header (for convenience, both are hereby
referred to as PNC), a cache must consult the OCS
before serving the content. This means that HTTP
proxy always re-fetches the entire object from the
OCS, even if the cached copy of the object is fresh.
Because of this, PNC requests can degrade proxy
performance and increase server-side bandwidth
utilization. However, if the Substitute Get for PNC
setting is enabled, then the PNC header from the
client request is ignored (HTTP proxy treats the
request as if the PNC header is not present at all).

Substitute Get for IE
reload

http [no]
substitute
ie-reload

Some versions of Internet Explorer issue the
Accept: */* header instead of the Pragma:
no-cache header when you click Refresh. When an
Accept header has only the */* value, HTTP proxy
treats it as a PNC header if it is a type-N object. You
can control this behavior of HTTP proxy with the
Substitute GET for IE Reload setting. When this
setting is enabled, the HTTP proxy ignores the PNC
interpretation of the Accept: */* header.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
Table 6.1: Description of Profile Configuration Components in the Management Console and CLI

201

Management Console
Checkbox Field

CLI (config)
Command

Definition

Never refresh before
expiration

http [no]
strict-expiration
refresh

Applies only to cached type-T objects. When this

Never serve after
expiration

http [no]
strict-expiration
serve

Applies only to cached type-T objects. If this setting is
enabled, an object is synchronously revalidated
before being served to a client, if the client accesses
the object after its expiration time. If this setting is
disabled, the object is served to the client and,
depending on its relative popularity, may be
asynchronously revalidated before it is accessed
again.

Cache expired objects

http [no] cache
expired

Applies only to type-T objects. When this setting is
enabled, type-T objects that are already expired at the
time of acquisition is cached (if all other conditions
make the object cacheable). When this setting is
disabled, already expired type-T objects become
non-cacheable at the time of acquisition.

setting is enabled, the ProxySG does not
asynchronously revalidate such objects before their
specified expiration time. When this setting is
disabled, such objects, if they have sufficient relative
popularity, can be asynchronously revalidated and
can, after a sufficient number of observations of
changes, have their estimates of expiration time
adjusted accordingly.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
Table 6.1: Description of Profile Configuration Components in the Management Console and CLI
Management Console
Checkbox Field

CLI (config)
Command

Definition

Enable Bandwidth Gain
Mode

bandwidth-gain
{disable | enable}

This setting controls both HTTP-object acquisition
after client-side abandonment and AAR
(asynchronous adaptive refresh) revalidation
frequency.
• HTTP-Object Acquisition
When Bandwidth Gain mode is enabled, if a client
requesting a given object abandons its request,
then HTTP proxy immediately abandons the
acquisition of the object from the OCS, if such an
acquisition is still in progress. When bandwidth
gain mode is disabled, the HTTP proxy continues
to acquire the object from the OCS for possible
future requests for that object.
• AAR Revalidation Frequency
Under enabled bandwidth gain mode, objects that
are asynchronously refreshable are revalidated at
most twice during their estimated time of
freshness. With bandwidth gain mode disabled,
they are revalidated at most three times. Not all
asynchronously refreshable objects are guaranteed
to be revalidated.

Configuring the HTTP Proxy Profile
You can configure the profile you want from either the Management Console or the CLI.
To Configure the HTTP Proxy Profile through the Management Console
1.

Select Configuration>Services>HTTP Proxy>Acceleration Profile.
The Acceleration Profile tab displays (Normal is the default profile). Text appears at the bottom of
this tab indicating which profile is selected. If you have a customized profile, this text does not
appear.

202

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Figure 6-7: Acceleration Profile Tab

Important:

If you have a customized profile and you click one of the Use Profile buttons, no
record of your customized settings remains. However, once the ProxySG is set
to a specific profile, the profile is maintained in the event the ProxySG is
upgraded.

2.

To select a profile, click one of the three profile buttons (Use Normal Profile, Use Bandwidth Gain
Profile, or Use Portal Profile).
The text at the bottom of the Acceleration Profile tab changes to reflect the new profile.
Note:

You can customize the settings, no matter which profile button you select.

3.

(Optional) To customize the profile settings, select or deselect any of the checkboxes (see Table 6.1
on page 198 for information about each setting).

4.

Click Apply.

To Configure the HTTP Proxy Profile through the CLI
1.

At the (config) command prompt, enter the profile you want:
SGOS#(config) profile {normal | portal | bwgain}

2.

(Optional) Use the following commands to customize the profile settings (see Table 6.1 on
page 198 for information about these settings):
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)

203

http
http
http
http
http
http

[no]
[no]
[no]
[no]
[no]
[no]

pipeline client requests
pipeline client redirects
pipeline prefetch requests
pipeline prefetch redirects
substitute if-modified-since
substitute conditional

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)

3.

http [no] substitute pragma-no-cache
http [no] substitute ie-reload
http [no] strict-expiration refresh
http [no] strict-expiration serve
http [no] cache expired
bandwidth-gain {disable | enable}

(Optional) View the settings. (This example assumes you have selected the Portal profile.)
SGOS#(config) show profile
SG is currently using the Normal Profile
Pipeline client requests:
Enabled
Pipeline client redirects:
Enabled
Pipeline prefetch requests:
Enabled
Pipeline prefetch redirects:
Enabled
Substitute Get "if-modified-since": Disabled
Substitute Get "pragma: no-cache":
Disabled
Substitute HTTP 1.1 Conditional Get: Disabled
Substitute Internet Explorer reload: Disabled
Never refresh before expiration:
Disabled
Never serve after expiration:
Disabled
Cache expired objects:
Enabled
Bandwidth gain mode:
Disabled

You can view all HTTP settings. See "Viewing HTTP Settings through the CLI" on page 206 for more
information.

Configuring HTTP for Bandwidth Gain
In addition to the configuration items related to top-level profiles, other configurable items also affect
bandwidth gain. You can set the top-level profile and adjust various related configuration items to fine
tune ProxySG for your needs (see "Configuring the HTTP Proxy Profile" on page 202), and you can
provide additional fine-tuning with the following configuration items:


Byte-range support



Revalidate pragma-no-cache

Byte-range requests can be made with a PNC header. To serve these requests from the cache, enable
the revalidate PNC setting (see "Understanding Revalidate Pragma-No-Cache" below).

Understanding Byte-Range Support
If a client requests a byte range using the Range: HTTP header, the ProxySG serves the requested
portions of the file from the cache if byte-range support is enabled (the default). If byte range support
is disabled, all such requests are forwarded in a non-cacheable way to the origin content server.
Byte-range configuration can significantly affect bandwidth gain where heavy use of range requests is
expected. Download managers (such as NetAnts®) typically use byte-range requests heavily.

204

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
With byte-range support enabled, if the object is already cached and does not need to be reloaded
from the OCS, the ProxySG serves the byte-range request from the cache only. But if the object is not in
the cache, or if a reload of the object is required, the ProxySG might treat the byte-range request as if
byte-range support is disabled and serve the object from the cache. It is important to note that HTTP
proxy never caches partial objects, even if byte-range support is enabled.
If byte-range support is disabled, HTTP treats all byte-range requests as non-cacheable. Such requests
are never served from the cache, even if the object exists in the cache. The client’s request is sent
unaltered to the OCS and the response is not cached. Thus a byte-range request has no effect on the
cache if byte-range support is disabled.
HTTP proxy categorizes the range requests in following three categories when byte-range support is
enabled:


Type-1: 0-N: Range request for first N bytes of the object



Type-2: N-M: Range request from N bytes to M bytes of the object



Type-3: -N: Range request for last N bytes of the object

If the object does not exist in the cache, and a byte-range request is received with the first range being
type-1 or type-2, and the start byte of the first requested range is within 14336 bytes (hard coded
threshold), then the entire object is retrieved from the OCS and cached in the ProxySG. Even though
HTTP proxy retrieves the entire object from the OCS, it sends an appropriate byte-range response to
the client. If the object does not exist in the cache, and if the first range in the request is not of type-1 or
type-2, or if the start byte of the first requested range is beyond 14336 bytes, then the client’s request is
sent unaltered to the OCS and the response is not cached.
If the object exists in the cache, and if a range request with an effective PNC (the PNC header is not
substituted or revalidated—see "Understanding Revalidate Pragma-No-Cache" below) is made, and
the first range in the request is either type-3 or type-1 or 2 with a start byte offset greater than 14336
bytes, then, even if the object exists in the cache, the transaction is made non-cacheable (the request is
sent to the OCS without any modification and the response is not cached). If an object exists in the
cache and a byte-range request is made without the PNC header, then the byte-range response is
satisfied from the cache.
Most download managers make byte-range requests with a PNC header. To serve such requests from
the cache, the revalidate pragma-no-cache option should be configured along with byte-range support
(see "Understanding Revalidate Pragma-No-Cache" below).
To Configure Byte-Range Support through the CLI
Note:

Enabling or disabling byte-range support can only be configured through the CLI.

To enable or disable byte-range support, enter one of the following commands at the (config)
command prompt:
SGOS#(config) http byte-ranges
-orSGOS#(config) http no byte-ranges

To view all HTTP settings, see "Viewing HTTP Settings through the CLI" on page 206.

205

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Understanding Revalidate Pragma-No-Cache
The pragma-no-cache (PNC) header in a client’s request can affect the efficiency of the proxy from a
bandwidth gain perspective (this behavior is described in Table 6.1 in the Substitute Get for PNC
configuration description). If you do not want to completely ignore PNC in client requests (which you
can do by using the Substitute Get for PNC configuration), you can lower the impact of the PNC by
enabling the revalidate-pragma-no-cache setting. When the revalidate-pragma-no-cache
setting is enabled, a client’s non-conditional PNC-GET request results in a conditional GET request
sent to the OCS if the object is already in the cache. This gives the OCS a chance to return the 304 Not
Modified response, thus consuming less server-side bandwidth, because it has not been forced to return
full content even though the contents have not actually changed. By default, the revalidate PNC
configuration is disabled and is not affected by changes in the top-level profile. When the Substitute
Get for PNC configuration is enabled (see "Configuring the HTTP Proxy Profile" for configuration
information), the revalidate PNC configuration has no effect.
To Configure the Revalidate PNC Setting through the CLI
Note:

The revalidate pragma-no-cache setting can only be configured through the CLI.

To enable or disable the revalidate PNC setting, enter one of the following commands at the (config)
command prompt:
SGOS#(config) http revalidate-pragma-no-cache
-orSGOS#(config) http no revalidate-pragma-no-cache

To view all HTTP settings, see "Viewing HTTP Settings through the CLI" below.

Viewing HTTP Settings through the CLI
You can view the existing HTTP settings by entering the following command:
SGOS#(config) show http
Supported protocol version: HTTP 1.1
Caching options:
Cache authenticated data: enabled
Cache expired objects:
enabled
Cache personal pages:
disabled
Strip From Headers:
disabled
Byte range support:
enabled
Force NTLM on proxy IE:
disabled
Rewrite redirects for XP: disabled
Revalidate "pragma: no-cache":
disabled
WWW redirect if host not found:
enabled
Force explicit expirations:
Never refresh before:
disabled
Never serve after:
disabled
Add headers:
"Front-end-https":
disabled
"Via":
disabled
"X-forwarded-for":
disabled

206

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
"Client-ip":
disabled
Parsing options:
HTML meta tag "Cache-Control":
enabled
HTML meta tag "Expires":
enabled
HTML meta tag "Pragma: no-cache": enabled
Persistent connections:
Client connections:
enabled
Server connections:
enabled
Pipeline:
Client requests:
enabled
Client redirects:
enabled
Prefetch requests:
enabled
Prefetch redirects:
enabled
Substitute simple Get for:
Get "if-modified-since": disabled
Get "pragma: no-cache":
disabled
HTTP 1.1 Conditional get: disabled
Internet Explorer reload: disabled
Proprietary header extensions:
Blue Coat extensions:
disabled
FTP proxy:
Url path is:
absolute from root
Configuration/access log uploads: will use PASV
Persistent connection timeouts:
Server:
900
Client:
360
Receive timeouts:
Server:
180
Client:
120
Refresh:
90
Https:
ssl-verify-server:
enabled
tolerant-request-parsing: enabled

Understanding HTTP Compression
Compression reduces a file size but does not lose any data. Whether you should use compression
depends upon three resources: server-side bandwidth, client-side bandwidth, and ProxySG CPU. If
server-side bandwidth is more expensive in your environment than CPU, always request compressed
content from the origin content server (OCS). However, if CPU is comparatively expensive, the
ProxySG should instead be configured to ask the OCS for the same compressions that the client asked
for and to forward whatever the server returns.
The default configuration assumes that CPU is costlier than bandwidth. If this is not the case, you can
change the ProxySG behavior.

207

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Note:

Decompression, content transformation, and recompression increases response time by a
small amount because of the CPU overhead. (The overhead is negligible in most cases.)
RAM usage also increases if compression is enabled.
Compression might also appear to adversely affect bandwidth gain. Because compression
results in a smaller file being served to the client than was retrieved by the ProxySG from
the origin content server, bandwidth gain statistics reflect such requests/responses as
negative bandwidth gain.

Compression is disabled by default. If compression is enabled, the HTTP proxy forwards the
supported compression algorithm (gzip and deflate) from the client’s request (Accept-Encoding:
request header) to the server as is, and attempts to send compressed content to client whenever
possible. This allows the ProxySG to send the response as is when the server sends compressed data,
including non-cacheable responses. Any unsolicited encoded response is forwarded to the client as is.
Note:

If compression is not enabled, the ProxySG does not compress the content if the server
sends uncompressed content. However, the ProxySG continues to uncompress content if
necessary to apply transformations.
Any unsolicited encoded response is forwarded to the client as is.

Compression is controlled by policy only.
You can view compression statistics by going to Statistics>System Usage>Client Comp. Gain and Server
Comp. Gain and Statistics>HTTP/FTP History>Client Comp. Gain and Server Comp. Gain. For information on
these statistics, see "System Usage Statistics" on page 965 and "HTTP/FTP History Statistics" on
page 968.

Understand Compression Behavior
The ProxySG compression behavior is detailed in the tables below.
Note:

A variant is the available form of the object in the cache—compressed or uncompressed.
The Content-Encoding: header Identity refers to the uncompressed form of the content.

Compression increases the overall percentage of cacheable content, increasing the hit rate in terms of
number of objects served from the cache.

208

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
For cache-hit compression behavior, see Table 6.2 below. For cache-miss compression behavior, see
Table 6.3 on page 209.
Table 6.2: Cache-Hit Compression Behavior
Accept-Encoding:
in client request

Variant Available when
the Request Arrived

Variant Stored as a
Result of the Request

Content-Encoding: in

Identity

Uncompressed object

None

Identity

No uncompressed object

Uncompressed

Identity

Identity

ProxySG response

gzip compressed
gzip, deflate

Uncompressed object

gzip compressed

gzip

gzip, deflate

Uncompressed object

None

gzip

None

deflate

deflate compressed

deflate

gzip compressed
gzip, deflate

Uncompressed object
deflate compressed

deflate

No uncompressed object
gzip compressed

(This is effectively a cache-miss.
The ProxySG does not convert
from gzip to deflate.)

Table 6.3: Cache-Miss Compression Behavior
Content-Encoding:
in server response

Generated variants

Identity

Identity

uncompressed object

Identity

gzip, deflate

Identity

uncompressed object

gzip

Accept-Encoding:
in client request

Accept-Encoding:

Identity
gzip, deflate

in ProxySG
request

Content-Encoding:
in ProxySG
response

gzip-compressed
gzip, deflate

gzip, deflate

gzip

No uncompressed
object

gzip

gzip-compressed
gzip, deflate,
compress

gzip, deflate

gzip

No uncompressed
object

gzip

gzip-compressed
gzip, deflate

209

gzip, deflate

compress (illegal
response)

compress

compress

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Compression Exceptions


The ProxySG issues a transformation_error exception (HTTP response code 403), when the
server sends an unknown encoding and the ProxySG is configured to do content transformation.



The ProxySG issues an unsupported_encoding exception (HTTP response code 415 Unsupported Media Type) when the ProxySG is unable to deliver content due to configured
policy.

The messages in the exception pages can be customized. For information on using exception pages,
see “Section D: Defining Exceptions” on page 700.

Configuring Compression
Compression behavior can only be configured through policy—VPM or CPL.

Using VPM to Configure Compression Behavior
Three objects can be used to configure compression and compression levels through VPM:


Client HTTP compression object: Allows you to determine the behavior when the client wants the
content in a different form than is in the cache.



Server HTTP compression object: Allows you to enable or disable compression and to set options.



HTTP compression level object: Allows you to set a compression level of low, medium, or high.

Complete the following steps to manage server and client HTTP compression and compression levels.
To Add or Edit Client Compression
1.

2.

Create a Web Access Layer:


Select Configuration>Policy>Visual Policy Manager; click Launch.



Select Policy>Add Web Access Layer from the menu of the Blue Coat VPM window that appears.



Type a layer name into the dialog that appears and click OK.

Add an Action object:


Right click on the item in the Action column; select Set.



Click New in the Set Action Object dialog that appears; select Set Client HTTP Compression.
The Add Client HTTP Compression Object dialog displays.

210

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Figure 6-8: Add Client HTTP Compression Object Dialog



Select the compression options you want to use; click OK.



Click OK again; close the VPM window and click Yes in the dialog to save your changes.

To Add or Edit Server Compression
1.

2.

Create a Web Access Layer:


Select Configuration>Policy>Visual Policy Manager; click Launch.



Select Policy>Add Web Access Layer from the menu of the Blue Coat VPM window that appears.



Type a layer name into the dialog that appears and click OK.

Add an Action object:


Right click on the item in the Action column; select Set.



Click New in the Set Action Object dialog that appears; select Set Server HTTP Compression.
The Add Server HTTP Compression Object dialog displays.

211

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Figure 6-9: Add Server HTTP Compression Object Dialog



Select compression options; click OK.



Click OK again; close the VPM window and click Yes in the dialog to save your changes.

Using VPM to Set HTTP Compression Levels
You can control the compression level based on any transaction condition (such as the client IP
address, the hostname, request/response headers, and the like).
To Set Compression Levels
1.

2.

Create a Web Access Layer:


Select Configuration>Policy>Visual Policy Manager; click Launch.



Select Policy>Add Web Access Layer from the menu of the Blue Coat VPM window that appears.



Type a layer name into the dialog that appears and click OK.

Add an Action object:


Right click on the item in the Action column; select Set.



Click New in the Set Action Object dialog that appears; select Set HTTP Compression Level.
The Add HTTP Compression Level Object dialog displays.

Figure 6-10: Set HTTP Compression Level

212

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies


Select the compression level needed; click OK.



Click OK again; close the VPM window and click Yes in the dialog to save your changes.

Using Policy to Configure Compression Behavior
Compression and decompression are allowed if compression is enabled. If compression is not
enabled, neither compression nor decompression are allowed.
Policy controls the compression or decompression of content on the ProxySG. If compression is turned
off, uncompressed content is served to the client if a compressed variant is not available. If
decompression is turned off, an uncompressed version is fetched from the OCS if the variant does not
exist and the client requested uncompressed content.
Note:

The ProxySG decompresses the content if transformation is to be applied, even if the
compression is not enabled.

You can use server-side or client-side controls to manage compression through policy, as described in
the following table.
Table 6.4: Compression Properties

213

Compression Properties

Meaning

http.allow_compression(yes | no)

Allow the ProxySG to compress content on
demand if needed.

http.allow_decompression(yes | no)

Allow the ProxySG to decompress content on
demand if needed.

http.compression_level(low | medium | high)

Set the compression level to be low (1), medium
(6), or high (9). Low is the default.

http.server.accept_encoding(client)

Turn on only client encodings

http.server.accept_encoding(identity)

Turn off all encodings

http.server.accept_encoding(all)

Turn on all supported encodings, including the
client’s encodings.

http.server.accept_encoding(gzip, deflate)

Send specific encodings (order sensitive)

http.server.accept_encoding(gzip, client)

Send specific encodings (order sensitive)

http.server.accept_encoding.gzip(yes | no)

Add/remove an encoding

http.server.accept_encoding[gzip, deflate,
identity](yes | no)

Add/remove a list of encodings

http.server.accept_encoding.allow_unknown
(yes | no)

Allow/disallow unknown encodings.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
Table 6.4: Compression Properties
Compression Properties

Meaning

http.client.allow_encoding(identity);

Allow no encodings (send uncompressed).

http.client.allow_encoding(client);

Allow all client encodings. This is the default.

http.client.allow_encoding(gzip, deflate);

Allow fixed set of encodings.

http.client.allow_encoding(gzip, client);

Allow fixed set of encodings.

http.client.allow_encoding.gzip(yes | no);

Add/remove one encoding

http.client.allow_encoding[gzip, deflate,
identity](yes | no);

Add/remove list of encodings

Default Behavior
By default, Blue Coat sends the client’s list of the accept encoding algorithms, except for unknown
encodings. If compression is not enabled, the default overrides any configured CPL policy.
If Accept-Encoding request header modification is used, it is overridden by the compression
related policy settings shown in Table 6.4. The Accept-Encoding header modification can continue
to be used if no compression policies are applied, or if compression is not enabled. Otherwise, the
compression-related policies override any Accept-Encoding header modification, even if the
Accept-Encoding header modification appears later in the policy file.
Adding encoding settings with client-side controls depend on if the client originally listed that
encoding in its Accept-Encoding header. If so, these encodings are added to the list of candidates to
be delivered to the client. The first cache object with an Accept-Encoding match to the client-side list
is the one that is delivered.
Suggested Settings for Compression


If client-side bandwidth is expensive in your environment, use the following policy:

http.client.allow_encoding(client)
http.allow_compression(yes)



If server-side bandwidth is expensive in your environment, compared to client-side bandwidth
and CPU:
http.server.accept_encoding(all)
http.server.accept_encoding.allow_unknown(no); default
http.allow_compression(yes)
http.allow_decompression(yes)



214

If CPU is expensive in your environment, compared to server-side and client-side bandwidth:

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
http.server.accept_encoding(client);If no content transformation policy is
configured
http.server.accept_encoding(identity);If some content transformation policy
is configured
http.allow_compression(no); default
http.allow_decompression(no); default

Limitations

215



Policy-based content transformations are not stored as variant objects. If content transformation is
configured, it is applied on all cache-hits, and objects might be compressed all the time at the end
of such transformation if they are so configured.



The variant that is available in the cache is served, even if the client requests a compression choice
with a higher qvalue. For example, if a client requests Accept-encoding: gzip;q=1,
deflate;q=0.1, and only a deflate-compressed object is available in the cache, the deflate
compressed object is served.



The HTTP proxy ignores Cache-Control: no-transform directive of the OCS. To change this,
write policy to disallow compression or decompression if Cache-Control: no-transform
response header is present.



The ProxySG treats multiple content encoding (gzip, deflate or gzip, gzip) as an unknown
encoding. (These strings indicate the content has been compressed twice.)



The gzip and deflate formats are treated as completely separate and are not converted from one to
the other.



Blue Coat recommends using gzip encoding (or allowing both gzip and deflate) when using
the HTTP compression feature.



If the ProxySG receives unknown content encoding and if content transformation is configured
(such as popup blocking), an error results.



If the origin server provides compressed content with a different compression level then that
specified in policy, the content is not re-compressed.



If the ProxySG compressed and cached content at a different compression level than the level
specified in a later transaction, the content is not re-compressed.



Parsing of container HTML pages occurs on the server side, so pipelining (prefetching) does not
work when the server provides compressed content.



Compressing a zip file breaks some browser versions, and compressing images does not provide
added performance. For a current list of content types that are not compressed, refer to the
Release Notes.



All responses from the server can be compressed, but requests to the server, such as POST
requests, cannot.



Only 200 OK responses can be compressed.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Troubleshooting HTTP Proxy Issues
This section discusses problems you might encounter using the HTTP proxy.

Using Explicit HTTP Proxy with Internet Explorer
Internet Explorer does not allow OCS NTLM authentication through a ProxySG when explicitly
proxied. To correct this, Blue Coat added a Proxy-Support: Session-based-authentication
header that is sent by default when the ProxySG receives a 401 authentication challenge from
upstream when the client connection is an explicit proxy connection.
For older browsers or if both the ProxySG and the OCS do NTLM authentication, the Proxy-Support
header might not work. In this case, you can disable the header and instead enable NTLM-force,
which converts the 401-type server authentication challenge to a 407-type proxy authentication
challenge, supported by Internet Explorer. The ProxySG also converts the resulting
Proxy-Authentication headers in client requests to standard server authorization headers, which
allows an OCS NTLM authentication challenge to pass through when Internet Explorer is explicitly
proxied through the ProxySG.

Disabling the Proxy-Support Header
You can control the header using header modification policy. Suppression or modification of the
Proxy-Support custom header keeps the ProxySG from sending this default header. Use either the
Visual Policy Manager (VPM) or CPL to disable the header through policy. For complete information
on using VPM, see Chapter 14: “The Visual Policy Manager” on page 555.
Note:

To suppress the Proxy-Support header globally, use the http force-ntlm command to
change the option. To suppress the header only in certain situations, continue with the
procedures below.

To Suppress Proxy-Support Header through VPM
To suppress the header using VPM, create a new Web Access Layer. Then:
1.

Right click in the Action field to see the drop-down list; select Set.
The Existing Action Object dialog displays.

2.

Click New to see the drop-down list; select Control Response Header.
The Add Control Response Header Object dialog displays.

216

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Figure 6-11: Add Control Response Header Object

3.

Fill in the fields as follows:


Name: Enter a meaningful name. This name displays in the Existing Action Objects dialog.



Show: Select Custom from the drop-down list.



Header Name: Enter Proxy-Support.



Make sure the Suppress radio button is selected.

4.

Click OK.

5.

Scroll to the bottom of the Add Control Response Header Object dialog to see the Proxy-Support
header.

6.

Click OK.

To Suppress Proxy-Support Header through CPL
Use CPL to define the Proxy-Support custom header object and to specify what action to take. The
example below uses Proxy-Support as the action name, but you can choose any name meaningful to
you. The result of this action is to suppress the Proxy-Support header

action.Proxy-Support(yes)
define action Proxy-Support
delete(response.x_header.Proxy-Support)
end action Proxy-Support

Enabling or Disabling NTLM Authentication for Internet Explorer Clients
The following procedure forces Internet Explorer clients explicitly-proxied through a ProxySG to
participate in NTLM authentication. This CLI setting is global, affecting all clients. You can also use
VPM or CPL to provide granular control for NTLM authentication. (See "To Force NTLM
Authentication through VPM" on page 218 and "To Force NTLM Authentication through CPL" on
page 218.) These commands should only be used if the Proxy-support header is not suitable for the
situation.

217

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Note:

These procedures can only be done through the CLI. The Management Console is not
available.

Do one of the following (note that the default is http no force-ntlm):


To force NTLM authentication for Internet Explorer clients, enter the following command at the
(config) command prompt:
SGOS#(config) http force-ntlm



To disable NTLM authentication for Internet Explorer clients, enter the following command at the
(config) command prompt:
SGOS#(config) http no force-ntlm

To view all HTTP settings, see "Viewing HTTP Settings through the CLI" on page 206.
To Force NTLM Authentication through VPM
To use VPM to force NTLM authentication, create a new Web Access Layer. Then:
1.

Right click in the Action field to see the drop-down list; select Set.
The Existing Action Object dialog displays.

2.

Scroll to the Force NTLM for Server Auth static object; select it.

3.

Click OK.

To Force NTLM Authentication through CPL
Global configuration of NTLM authentication behavior is set through the CLI command http
force-ntlm (the default is http no force-ntlm). The http.force_ntlm_for_server_auth( ) CPL
property can be used to override the global settings for a particular subset.
To create a rule to force NTLM authentication for explicitly proxied Internet Explorer clients, first
define the action, then define the rule.
This example implements the following policies:


All clients from the “ForceNTLM_subnet” have Force-NTLM turned on. These clients do not use
the Proxy-Support header.



Requests for all other hosts have Force-NTLM turned off. These hosts use the Proxy-Support
header.
define subnet ForceNTLM_subnet
10.10.0.0/16
end

client.address=ForceNTLM_subnet http.force_ntlm_for_server_auth(yes)
http.force_ntlm_for_server_auth(no)
end

218

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Configuring a SOCKS Proxy
While SOCKS servers are generally used to provide firewall protection to an enterprise, they also can
be used to provide a generic way to proxy any TCP/IP or UDP protocols. The ProxySG supports both
SOCKSv4/4a and SOCKSv5; however, because of increased username and password authentication
capabilities and compression support, Blue Coat recommends that you use SOCKS v5.
Note:

For Blue Coat compatibility with SOCKS clients, check with customer support. For
information on the Permeo Premium Agent (Permeo PA), see "Using the Permeo PA
SOCKS Client with the Blue Coat SOCKS Server" on page 223.

Understanding SOCKS Compression
Compression over SOCKS is supported for TCP/IP tunnels, which can compress the data transferred
between the branch (branch proxy) and main office (concentrator proxy), reducing bandwidth
consumption and improving latency.
TCP tunnels are created by posting a listener on a static port for protocols that have a well-known
port; applications that use dynamic port numbers are handled through the Endpoint Mapper proxy
that automatically creates TCP tunnels to ports where Microsoft RPC services are running. (For
information on using the Endpoint Mapper proxy, see “Managing the Endpoint Mapper Proxy in
Chapter 5, Services.)
Except for enabling the SOCKS proxy, no configuration is required on the concentrator ProxySG to
support SOCKS compression. However, configuration is required on the branch ProxySG to forward
data through the SOCKS gateway. You can use policy or the socks-gateway CLI options to enable
SOCKS compression globally. Using policy, you can enable or disable compression on a
per-connection basis on either the client side or the server side.
If SOCKS compression is enabled and the upstream SOCKS gateway does not support it, the
connection fails.
Note:

Enabling compression on TCP tunnels impacts performance and should be done only
when the ProxySG is sized correctly to handle the incremental CPU load.

In a typical deployment, you will:

219



Create an Endpoint Mapper proxy at the remote office (the downstream proxy) that intercepts
Microsoft RPC traffic and creates dynamic TCP tunnels. Traffic to port 135 is transparently
redirected to this service using bridging or L4 switch or WCCP. For information on creating and
enabling an Endpoint Mapper proxy service, see "Managing the Endpoint Mapper Proxy" on
page 161.



Create any other TCP tunnel proxies you need at the remote office: SMTP, DNS, and the like. For
information on configuring TCP tunnels, see "Managing TCP Tunneling Services" on page 171.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


Create a SOCKS gateway at the remote office and enable compression for that gateway. This
SOCKS gateway points to a SOCKS proxy located at the main office location (the upstream proxy,
the core of the network). For information on creating a SOCKS gateway and enabling SOCKS
compression, see "SOCKS Gateway Configuration" on page 852.



Set policy to forward TCP traffic through that SOCKS gateway. You can do this through the
layer using either the VPM or CPL. For more information, see "Using Policy to Control
the SOCKS Proxy" on page 222.

Note:

In cases where more than two proxies exist in the chain and intermediate proxy nodes are
configured to do compression, the traffic is forwarded as is. If the intermediate proxy is
not configured to do compression, traffic is decompressed before being forwarded to the
next proxy.

Creating and Configuring the SOCKS Service
Complete the following steps to create a SOCKS proxy and to configure SOCKS-proxy connection and
timeout values.
To Create a SOCKS Proxy Server through the Management Console
1.

Select Configuration>Services>SOCKS Proxy.

Figure 6-12: SOCKS Proxy Tab

2.

220

Fill in the option fields (described below) as needed. The defaults are displayed and should be
sufficient for most purposes.
Max-Connections

connections

Set maximum allowed SOCKS client connections. The default
of 0 indicates an infinite number of connections are allowed.

Connection timeout

seconds

Set maximum time to wait on an outbound CONNECT.

Bind timeout on
accept

seconds

Set maximum time to wait on an inbound BIND.

Minimum idle timeout

seconds

Specifies the minimum idle timeout after which SOCKS can
consider the connection for termination when the max
connections are reached.

Maximum idle timeout

seconds

Specifies the maximum idle timeout value after which SOCKS
should terminate the connection.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
To Configure the SOCKS Proxy through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) socks-proxy accept-timeout seconds | connect-timeout seconds |
max-connections number | max-idle-timeout seconds | min-idle-timeout seconds

2.

(Optional) View the results.
SGOS#(config) show socks-proxy
max-connections: 0
accept-timeout: 120
connect-timeout: 120
min-idle-timeout: 7200
max-idle-timeout: 0

Enabling the SOCKS Proxy
Note that a SOCKS port is already configured on port 1080 and enabled.
To Edit an Existing SOCKS Port Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Highlight the SOCKS server.

3.

Click Edit; the Edit Service dialog appears.

Figure 6-13: SOCKS Add Service Dialog

221

4.

In the Protocol drop-down list, select SOCKS.

5.

The default IP address value is all. To limit the service to a specific IP, select the IP from the
drop-down list.

6.

In the Port field, specify a port number; select Enable.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
7.

Click OK; Click Apply.

To Edit an Existing SOCKS Port Service through the CLI
1.

At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) socks
SGOS#(config services socks) enable [ip_address:]port

2.

(Optional) View the results:
SGOS#(config services socks) view
Port:
1080
IP: 10.9.87.85
Properties: explicit, enabled

Type: socks

Using Policy to Control the SOCKS Proxy
Once the basic configuration for the SOCKS proxy has been set through the Management Console or
the CLI, you can use policy to control the SOCKS proxy.
Note:



SOCKS compression requires that a SOCKS gateway be set up with SOCKS compression
enabled. You can either use policy to configure a gateway for SOCKS compression, or you
can configure SOCKS compression while you are configuring the SOCKS gateway. To
configure the SOCKS gateway, see "SOCKS Gateway Configuration" on page 852.

To use SOCKS version 5, which allows you to use a SOCKS username/password and SOCKS
compression, you must set the version through policy. SOCKS version 4 does not support
compression.


If using VPM, go to the Forwarding layer, select Source>Set Source Object>New>SOCKS Version.



If using CPL. enter the following:
client.protocol=socks
ALLOW socks.version=5
DENY



To use SOCKS compression, you must request SOCKS compression through policy.




If using VPM:


For global outbound connections (the downstream proxy or branch office location): go to
the Forwarding layer, select Source>Set Source Object>New>SOCKS Gateway Compression
Object. (Request compression is enabled by default.)



For global inbound connections (the upstream proxy or the main office location): go to the
Web Access Layer, select Action>New>SOCKS Compression Object. (Allow compression is
enabled by default.)

If using CPL:


222

For global outbound connections (the downstream proxy or branch office location):

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

client.protocol=tcp socks_gateway(socks_gateway_alias)
socks_gateway.request_compression(yes|no|default)

where default refers to the current configuration.
To enable SOCKS compression on a per-connection basis, use a policy similar to the
following:

client_address=ip_address
socks_gateway.request_compression(yes|no|default)



For global inbound connections (the upstream proxy or the main office location):

socks.method=CONNECT socks.allow_compression(yes|no)

Allow compression is enabled by default.

Using the Permeo PA SOCKS Client with the Blue Coat SOCKS Server
The Blue Coat ProxySG can be used as a SOCKS gateway by the Permeo Premium Agent (PA), with
full licensing support and Dynamic Port Management (DPM) functionality.
The ProxySG supports the Windows Permeo PA SOCKS client version 5.12a, including those clients
that require the special probe license protocol and corresponding customer ID. Note that each
ProxySG can only support PA clients with the same customer ID.
Licensing the PA SOCKS client on the ProxySG is a two step process:


Get the customer ID from the PA client.



Tell the ProxySG the PA customer ID.

Note:

The default license setting for the Permeo PA client on the ProxySG is off. This setting
should only be enabled when you are using the PA client.

To obtain the PA Customer ID:
1.

223

From the PA client, launch the Permeo Agent User Properties (Start Menu>All Programs>Permeo
Premium Agent).

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Figure 6-14: Permeo Premium Agent User Properties

2.

Click the About tab.

Figure 6-15: Permeo Premium Agent About Tab

3.

Make a note of the Customer ID number, which is in hex. In the example above the Customer ID is
1111.

To Validate the Permeo PA License on theProxySG:
Note:
1.

You cannot validate the license through the Management Console.

From the ProxySG, launch the CLI:
SGOS> enable
Enable Password:
SGOS# configure terminal
Enter configuration commands, one per line. End with CTRL-Z.

224

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
2.

From the (config) prompt:
SGOS#(config) socks-proxy pa-customer-id customer_id

where customer_id is the Customer ID number you took from the About tab on the PA
client.
To Disable the Permeo PA License:
From the (config) prompt:
SGOS#(config) socks-proxy pa-customer-id 0

Limitations


Protocol Detection interferes with SOCKS and must be disabled on the ProxySG. The CPL policy
should include the line detect_protocol(no).



SOCKS compression should be disabled when using the PA SOCKS client. The CPL policy should
include the line socks.accelerate(no).



The ProxySG only supports username and password authentication between the ProxySG and the
SOCKS Permeo PA client.



The ping and trace route functions from Permeo PA administrator tool are not compatible with
this release (5.1).



Proxy chaining is not supported between the ProxySG and the Permeo Application Gateway
(ASG).



The policy update feature on the PA is not supported when using the ProxySG. Note that PA can
get policy from the HTTP source as well as the ASG so it can still do automatic updates from a
external Web server.



Only the UPWD authentication method is supported.

Understanding Shell Proxies
Shell proxies are those that provide a shell allowing a client to connect to the ProxySG. In this version,
only a Telnet shell proxy is supported.
Using a shell proxy, you can:

225



terminate a Telnet protocol connection either transparently or explicitly.



authenticate users either transparently or explicitly.



view the access log.



enforce policies specified by CPL.



communicate though an upstream SOCKS gateway and HTTP proxy using the CONNECT
method.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
Within the shell, you can configure the prompt and various banners using CPL $substitutions. You
can also use hard-coded text instead of CPL substitutions (available substitutions are listed in the table
below). The syntax for a CPL substitution is:
$(CPL_property)
Table 6.5: Substitutions Available at New Connection Time
proxy.name or
appliance.name

Configured name of the ProxySG.

proxy.address

IP address of the appliance on which this connection is accepted.

proxy.card

Adapter number of the appliance on which this connection is accepted.

client.protocol

This is "telnet".

client.address

IP address of the client.

proxy.primary_address or
appliance.primary_address

Primary address of the proxy, not where the user is connected.

release.id

SGOS version.

Customizing Policy Settings for Shell Proxies
To manage a shell proxy through policy, you can use the conditions, properties, and actions list below.
For information on using CPL to manage shell proxies, refer to the Blue Coat ProxySG Content Policy
Language Guide.
Conditions:
All time and date related triggers

proxy.address=

All exception related triggers

proxy.card=

All server_url triggers

proxy.port=

All url triggers

client.protocol=

All authentication related triggers

user-defined conditions

category=

client.protocol=telnet

client.address=

url.scheme=telnet

Properties:

226

allow, deny, force_deny

force_exception(exception_id[, details])

action.action_name{yes|no)

forward(alias_list | no)

All trace() properties

forward.fail_open(yes | no)

All access_log() properties

reflect_ip(auto|no|client|vip|ip-address)

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
All log.xxx() properties

socks_gateway(alias_list | no)

access_server(yes|no)

socks_gateway.fail_open(yes | no)

authenticate.force(yes|no)

telnet.prompt(no | string)

authenticate(realm)

telnet.realm_banner(no | string)

exception(exception_id[, details])

telnet.welcome_banner(no | string)

The banner strings support $-sign substitutions.
Actions:
rewrite(url.host, host_regex_pattern,
replacement_pattern)

log_message()

rewrite(url, url_regex_pattern,
replacement_pattern)

notify_email(subject, body)

set(url_port, port_number)

notify_snmp(message)

Boundary Conditions for Shell Proxies


A hardcoded timeout of five minutes is enforced from the acceptance of a new connection until
destination information is provided using the Telnet command.



If proxy authentication is enabled, users have three chances to provide correct credentials.



Users are not authenticated until destination information is provided.



Users can only enter up to an accumulated 2048 characters while providing the destination
information. (Previous attempts count against the total number of characters.)



Connection to an upstream HTTP proxy is not encouraged.



If connections from untrustworthy IP address or subnet are not desired, then a
client IP/subnet-based deny policy must be written.

Understanding Telnet Shell Proxies
The Telnet shell proxy allows you to manage a Telnet protocol connection to the ProxySG. Using the
Telnet shell proxy, you can do:


Explicit termination without proxy authentication, where you explicitly connect, through Telnet,
to the ProxySG hostname or IP address. In this case, the ProxySG provides a shell.



Explicit termination with proxy authentication, where after obtaining the destination host and
port information from user, the ProxySG challenges for proxy credentials. Once the correct proxy
credentials are provided and authenticated, the ProxySG makes an upstream connection and goes
into tunnel mode. In this case, the ProxySG provides a shell.

227

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


Transparent termination without proxy authentication, where the ProxySG intercepts Telnet
traffic through an L4 switch, software bridge, or any other transparent redirection mechanism.
From the destination address of TCP socket, the ProxySG obtains OCS contact information and
makes the appropriate upstream connection, either directly or through any configured proxy. For
more information on configuring a transparent proxy, see "Transparent Proxies" on page 255.



Transparent termination with proxy authentication, where, after intercepting the transparent
connection, the ProxySG challenges for proxy credentials. Once the correct proxy credentials are
provided and authenticated, the ProxySG makes an upstream connection and goes into tunnel
mode. For more information on configuring a transparent proxy, see "Transparent Proxies" on
page 255.

Once in the shell, the following commands are available:


help: Displays available commands and their effects.



telnet : Makes an outgoing telnet connection to specified server. The colon (:)
between server and port can be replaced with a space, if preferred.



exit: Terminates the shell session.

Creating a Telnet Shell Proxy Service
On a new system, Telnet proxy service is configured but disabled on port 23. On an upgrade, a Telnet
proxy service is not created.
To enable or create a Telnet proxy service, use Services>Service Ports on the Management Console, or
config>services>telnet from the CLI. For more information, see "Managing the Telnet Shell Proxy
Service" on page 173.

Customizing Welcome and Realm Banners and Prompt Settings
You can configure banners for the Telnet shell and the realm and set the prompt that users see when
entering the shell.
To Customize Telnet Shell Proxy Settings through the Management Console
1.

Select Configuration>Services>Shell Proxies>Telnet Proxy Settings.

Figure 6-16: Telnet Proxy Settings

228

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
2.

To set the maximum concurrent connections, select Limit Max Connections. Enter the number of
maximum concurrent connections allowed for this service. Allowed values are between 1 and
65535.

3.

Set the banner settings:
a.

To set the Welcome banner message (users see this when they enter the shell), click
View/Edit next to the Welcome Banner. The Edit Welcome Banner dialog displays. (If you
do not want this banner displayed, remove the text.)

Figure 6-17: Editing Welcome Banner Properties.

Change the banner as necessary. The $(client.protocol) text is a CPL variable indicating
that Telnet is the protocol. You do not have to use a variable. (For a list of available
$substitutions, see "Substitutions Available at New Connection Time" on page 226.) When
finished, click OK. Click Apply.
b.

To set the realms banner message (users see this help message just before they see the
Username prompt for proxy authentication), click View/Edit next to the Realms Banner. The

Edit Realms Banner dialog displays. (If you do not want this banner displayed, remove
the text.)

Figure 6-18: Editing Realm Banner Properties

Change the banner as necessary. The $(realm) text is a CPL variable indicating the name of
the realm. You do not have to use a variable. (For a list of available substitutions, see
"Substitutions Available at New Connection Time" on page 226.) When finished, click OK.
Click Apply.

229

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
c.

To set the prompt, click View/Edit next to the Prompt line. The Prompt dialog displays.

Figure 6-19: Editing the Prompt

Change the banner as necessary. The default is $(client-protocol)>, where
$(client-protocol) is Telnet. You do not have to use a variable. (For a list of available
substitutions, see "Substitutions Available at New Connection Time" on page 226.) When
finished, click OK. Click Apply.
To Customize Telnet Shell Proxy Settings through the CLI
You can use CPL substitutions when creating welcome and realm banners and Telnet prompts. For a
list of available CPL substitutions, see "Substitutions Available at New Connection Time" on page 226.
1.

From the (config) prompt, enter the following commands:
SGOS#(config) shell max-connections number
SGOS#(config) shell welcome-banner welcome-banner-string (Enclose string in
quotes if string includes spaces)
SGOS#(config) shell realm-banner realm-banner-string (Enclose string in
quotes if string includes spaces)
SGOS#(config) shell prompt prompt-string (Enclose string in quotes if string
includes spaces)

where:

2.

230

max-connections

number

Allowed values are between 1 and 65535.

welcome-banner

string

The text a user sees when the shell is entered. You can hide this
banner by using shell no welcome-banner.

realm-banner

string

The text a user sees when the realm is entered. You can hide this
banner by using shell no welcome-banner.

prompt

string

The prompt a user sees when the shell is entered. You can hide
the prompt by using shell no prompt.

(Optional) To view the shell settings:

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
SGOS#(config) show shell
max-connections:
Unlimited
prompt:
Telnet #
realm-banner:
Enter credentials for realm Test
welcome-banner:
Welcome to Blue Coat Telnet shell proxy

To Hide the Shell’s Settings:
SGOS#(config)
SGOS#(config)
SGOS#(config)
SGOS#(config)

shell
shell
shell
shell

no
no
no
no

welcome-banner
realm-banner
prompt
max-connections

Limitations for Telnet Shell Proxies


Telnet credential exchange is in plaintext.



A Telnet proxy cannot be used to communicate with non-Telnet servers (such as Webservers on
port 80) because Telnet proxies negotiate Telnet options with the client before a server connection
can be established.

Configuring an SSL Proxy
HTTPS traffic poses a major security risk to enterprises. Because the SSL content is encrypted, it can’t
be intercepted by normal means, allowing users to bring in viruses, access forbidden sites, or leak
business confidential information over the HTTPS connection on port 443.
The SSL proxy allows you to intercept HTTPS traffic (in explicit and transparent modes) so that
security measures such as authentication, virus scanning and URL filtering, and performance
enhancements such as HTTP caching can be applied to HTTPS content. Additionally, the SSL proxy
allows you to validate server certificates presented by various HTTPS sites at the gateway and offers
information about the HTTPS traffic in the access log.
Important: An SSL proxy license is required to use the SSL proxy. For information on licensing,
see Chapter 2: “Licensing” on page 43.

Understanding the SSL Proxy
The SSL Proxy can be used to tunnel or intercept HTTPS traffic. The SSL Proxy tunnels all HTTPS
traffic by default unless there is an exception, such as a certificate error or a policy denial. In such
cases the SSL Proxy intercepts the SSL connection and sends an error page to the user. The SSL Proxy
allows interception of HTTPS traffic even when there are no errors. Such interception enables the
application of various security policies to HTTPS content.
Some HTTPS traffic, such as financial information, should not be intercepted. The SSL proxy can do
the following operations while tunneling HTTPS traffic.

231



Validate server certificates, including revocation checks using Certificate Revocation Lists (CRLs).



Check various SSL parameters such as cipher and version.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


Log useful information about the HTTPS connection.

When the SSL Proxy is used to intercept HTTPS traffic, it can also:


Cache HTTPS content.



Apply HTTP-based authentication mechanism.



Do virus scanning and URL filtering.



Apply granular policy (such as validating mime type and filename extension).

Validating the Server Certificate
The SSL Proxy can do the following checks on server certificates:


Verification of issuer signature.



Verification of certificate dates.



Comparison of hostname in the URL and certificate (intercepted connections only).
Hostnames in server certificates are important because the SSL Proxy can identify a Web site just
by looking at the server certificate if the hostname is in the certificate. Most content-filtering
HTTPS sites follow the guideline of putting the name of the site as the common name in the
server's certificate.



Verification of revocation status.

To mimic the overrides supported by browsers, the SSL Proxy can be configured to ignore failures for
the verification of issuer signatures and certificate dates and comparision of the hostname in the URL
and the certificate.
The ProxySG trusts all root CA certificates that are trusted by Internet Explorer and Firefox. This list is
updated periodically to be in sync with the latest versions of IE and Firefox.

Checking CRLs
An additional check on the server certificate is done through Certificate Revocations Lists (CRLs).
CRLs are lists that show which certificates are no longer valid; the CRLs are created and maintained
by Certificate Signing Authorities that issued the original certificates.
Only CRLs that are issued by a trusted issuer can be used by the ProxySG successfully. The CRL issuer
certificate must exist as CA certificate on the ProxySG before the CRL can be imported successfully.
The ProxySG allows:


One local CRL per certificate issuing authority.



An import of a CRL that is expired; a warning is displayed in the log.



An import of a CRL that is effective in the future; a warning is displayed in the log.

Determining What HTTPS Traffic to Intercept
The default mode of operation for the SSL Proxy is to intercept HTTPS traffic only if there is an
exception, such as a certificate error. It tunnels all HTTPS traffic otherwise..

232

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
To intercept HTTPS traffic for reasons other than error reporting many existing policy conditions, such
as destination IP address and port number, can be used.
Additionally, the SSL proxy allows the hostname in the server certificate to be used to make the
decision to intercept or tunnel the traffic. The server certificate hostname can be used as is to make
intercept decisions for individual sites, or it can be categorized using any of the various URL
databases supported by Blue Coat. Categorization of server certificate hostnames can help place the
intercept decision for various sites into a single policy rule.
Recommendations for intercepting traffic include:


Intercept Intranet traffic.



Intercept suspicious Internet sites, particularly those that are categorized as none in the server
certificate.



Intercept sites that provide secure web based e-mail, such as Gmail over HTTPS.

Managing Decrypted Traffic
After the HTTPS connection is intercepted, you can do:


Anti-virus scanning over ICAP.



URL filtering (on box and off-box). Blue Coat recommends on box URL/Content filtering if you
use transparent proxy. When the URL is sent off-box for filtering, only the hostname or IP address
of the URL (not the full path) is sent for security reasons.



Filtering based on the server certificate hostname.



Caching.

HTTPS applications that require browsers to present client certificates to secure Web servers do not
work if you are intercepting traffic. Such applications should not be intercepted by creating a policy
rule.
If you intercept HTTPS traffic, be aware that local privacy laws might require you to notify the user
about interception or obtain consent prior to interception. You can use the HTML Notify User object to
notify users after anticipation. You can use consent certificates to obtain consent prior to interception.
The HTML Notify User is easier; however, note that the ProxySG has to decrypt the first request from
the user before it can issue an HTML notification page.

Terminology

233



Client consent certificates: A certificate that indicates acceptance or denial of consent to decrypt
an end user's HTTPS request.



Emulated certificates: Certificates that are presented to the user by ProxySG when intercepting
HTTPS requests. Blue Coat emulates the certificate from the server and signs it, copying the
subjectName and expiration. The original certificate is used between the ProxySG and the server.



Issuer keyrings: The keyring that is used by the ProxySG to sign emulated certificates. The
keyring is configured on the ProxySG and managed through policy.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


Server Certificate Categories: The hostname in a server certificate can be categorized by BCWF or
another content filtering vendor to fit into categories such as banking, finance, sports.



SSL Interception: Decrypting SSL connections.



SSL Proxy: A proxy that can be used for any SSL traffic (HTTPS or not), in either forward or
reverse proxy mode.

Intercepting HTTPS Traffic
Intercepting HTTPS traffic (by decrypting SSL connections at the ProxySG) allows you to apply
security measures like virus scanning and URL filtering.
Configuration of the interception of HTTPS traffic requires the following steps:

234



Determine whether you are using transparent or explicit mode. For information on explicit versus
transparent proxies, see "About Explicit and Transparent Proxy" on page 177.



Create an SSL service or HTTP/SOCKS services, depending on whether you are using transparent
or explicit mode. For more information on creating an SSL service, skip to "Setting Up the SSL
Proxy in Transparent Proxy Mode" on page 235.



Create or import an issuer keyring, which is used to sign emulated server certificates to clients on
the fly, allowing the SSL proxy to examine SSL content. For more information on creating an
issuer keyring, see "Creating an Issuer Keyring for SSL Interception" on page 237.



(Optional) Use the Notify User object or client consent certificates to notify users that their requests
are being intercepted and monitored. Whether this is required depends on local privacy laws.
Note that the ProxySG has to decrypt the first request from the user to issue an HTML notification
page. If this is not desirable, use client consent certificates instead. For more information on
configuring the Notify User object, see "Notify User" on page 626. For information on managing
client consent certificates, see "Using Client Consent Certificates" on page 239.



Download CA certificates to desktops to avoid a security warning from the client browsers when
the ProxySG is intercepting HTTPS traffic. For information, see "Downloading an Issuer
Certificate" on page 239.



Using policy (VPM or CPL), create rules to intercept SSL traffic and to control validation of server
certificates. By default, such traffic is tunneled and as long as there are no errors such as certificate
errors or policy denials, the traffic is not intercepted. You must create suitable policy before
intercepting SSL traffic. For more information on using policy to intercept SSL traffic, see
"Configuring SSL Rules through Policy" on page 241.



Configure the ProxyAV or other third-party ICAP vendor, if you have not already done this. For
more information on ICAP-based virus scanning, see “Section A: ICAP” on page 500.



Configure the Blue Coat Web Filter (BCWF) or a third-party URL-filtering vendor, if you have not
already done this. For more information on configuring BCWF, see "Configuring Blue Coat Web
Filter" on page 783.



Configure Access Logging. For more information on configuring access logging, see Chapter 20:
“Access Logging” on page 873.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies


To customize exception pages (in case of server certificate verification failure), see “Section D:
Defining Exceptions” on page 700.

Setting Up the SSL Proxy in Transparent Proxy Mode
Proxy services are configured from the Management Console or the CLI. If using SSL proxy in
transparent mode, continue with this section. If using SSL proxy in explicit mode, you might need an
HTTP proxy or a SOCKS proxy. For information on configuring an SSL Proxy in explicit mode, see
"Setting Up the SSL Proxy in Explicit Proxy Mode" on page 236.
To Configure an SSL Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Click New; the Add Service dialog appears.

Figure 6-20: Creating an SSL Service

3.

In the Protocol drop-down list, select SSL.

4.

The default IP address value is all, and cannot be changed.

5.

Make sure the Enabled box is checked.

6.

In the Port field, specify a port number; Port 443 is the default.

7.

In the Attributes field, select Send-client-IP if required. Other values are not configurable.
Note:

235

The Send-client-IP attribute allows the ProxySG to pretend to be the client, allowing the
origin content server to see the client’s IP address. If an alternate path exists for traffic
returning from the Internet to the client, the Send-client-IP attribute does not work.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
8.

Click OK; Click Apply.

Continue with "Creating an Issuer Keyring for SSL Interception" on page 237.
To Create an SSL Service through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) ssl
SGOS#(config services ssl) create port
SGOS#(config services ssl) attribute send-client-ip enable | disable
SGOS#(config services ssl) enable port

You can use a TCP Tunnel service in transparent mode to get the same functionality. A TCP tunnel
service is useful when you have a combination of SSL and non-SSL traffic going over port 443 and you
do not want to break the non-SSL traffic. The SSL service requires that all requests to its port be SSL.
To View the Results
SGOS#(config services ssl) view
Port:
443
IP: 0.0.0.0
Type: ssl
Keyring:
Properties: transparent, enabled
Cipher suite:
RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC2-CBC-MD5:RC4-64-MD5:DES-CBC-SHA
:DES-CBC-MD5:EXP1024-RC4-MD5:EXP1024-RC4-SHA:EXP1024-RC2-CBC-MD5:EXP1024-DES
-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-DES-CBC-SHA:AES128-SHA:AES256-SHA:+
SSLv2:+SSLv

Continue with "Downloading an Issuer Certificate" on page 239.

Setting Up the SSL Proxy in Explicit Proxy Mode
The SSL Proxy can be used in explicit mode in conjunction with the HTTP Proxy or SOCKS Proxy. You
must create an HTTP Proxy service or a SOCKS Proxy service and use it as the explicit proxy from
desktop browsers. When requests for HTTPS content are sent to either a SOCKS proxy or an HTTP
proxy, the proxies can detect the use of the SSL protocol on such connections and enable SSL Proxy
functionality.
Note:

SSL detection is disabled by default for HTTP CONNECT, SOCKS, and TCP tunnels if
you are running a new 4.2.2 system or you upgraded to 4.2.2 from a version other than
4.2.1. If you use the SSL proxy in explicit proxy mode, you must enable SSL detection for
the desired protocol. For information on enabling SSL detection with HTTP CONNECT,
SOCKS, or TCP tunnels, see "Setting SSL Detection Parameters in Explicit Proxy Mode".

For information on configuring a new HTTP proxy service, see "Managing HTTP Services" on
page 164. For information on configuring a SOCKS proxy service, see "Configuring a SOCKS Proxy"
on page 219.
Continue with "Setting SSL Detection Parameters in Explicit Proxy Mode" and "Creating an Issuer
Keyring for SSL Interception".

236

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Setting SSL Detection Parameters in Explicit Proxy Mode
SSL detection is disabled by default for HTTP CONNECT, SOCKS, and TCP tunnels if you are
running a new 4.2.2 system or you upgraded to 4.2.2 from a version other than 4.2.1. If you use the SSL
proxy in explicit proxy mode and want to enable SSL detection, you must manually enable it for the
desired protocol.
To Set SSL Detection in Explicit Proxy Mode
1.

Select Configuration>Services>SSL Proxy; the SSL Proxy pane displays.

2.

Select the protocol for which you want to enable SSL detection, HTTP CONNECT, SOCKS, or TCP
tunnels.
Note:

3.

For example, to enable SSL protocol detection for HTTPS and SOCKS, select the HTTP
CONNECT and SOCKS checkboxes.

Click Apply.

Creating an Issuer Keyring for SSL Interception
The SSL proxy can emulate server certificates; that is, present a certificate that appears to come from
the origin content server. In actuality, Blue Coat has emulated the certificate and signed it using the
issuer keyring. By default only the subjectName and expiration from the server certificate is copied to
the new certificate sent to the client.
Note that only keyrings with both a certificate and a keypair can be used as issuer keyrings.
To Specify the Keyring Through the Management Console
If you prefer, you can specify the issuer keyring through VPM or CPL instead of creating it here.

237

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
1.

You can create a new keyring, import a keyring, or select among existing keyrings. For
information on creating a keyring, see "Creating a Keyring" on page 267.

2.

Select Configuration>Services>SSL Proxy; the SSL Proxy pane displays.

Figure 6-21: Configuring an SSL Intercept Keyring

3.

From the dropdown menu, select the keyring you want to use as the issuer keyring.

4.

Click Apply.

To configure policy, see "Configuring SSL Rules through Policy" on page 241.
To Specify the Keyring and Detection Parameters through the CLI
If you prefer, you can select the issuer keyring through VPM or CPL instead of creating it here.
1.

You can create a new keyring, import a keyring, or decide which existing keyring you want to use
for SSL interception. For information on creating a keyring, see "Creating a Keyring" on page 267.

2.

(Optional) Before you select a keyring to be the issuer keyring, you might want to view the
existing keyrings already on the system. Note that keyrings without certificates cannot be used as
an issuer keyring. To view existing keyrings:
SGOS# conf t
SGOS#(config) ssl
SGOS#(config ssl) view keyring
KeyringID: default
Is private key showable? yes
Have CSR? no
Have certificate? yes
Is certificate valid? yes
CA: Blue Coat SG610
Expiration Date: Jun 26 00:07:15 2014 GMT
Fingerprint: 7D:2C:1C:29:43:69:A1:3B:52:1B:D8:57:C8:56:CA:C0
KeyringID: configuration-passwords-key
Is private key showable? yes
Have CSR? no
Have certificate? no

3.

Select a keyring to be the issuer keyring:
SGOS#(config ssl) proxy issuer-keyring keyring_name

4.

238

(Optional) To enable detection of HTTP CONNECT, SOCKS, or TCP tunnel:

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
SGOS#(config) ssl
SGOS#(config ssl) proxy {http-ssl-detect {disable | enable)| socks-ssl-detect
{disable | enable)| tcp-tunnel-ssl-detect {disable | enable)}

To configure policy, see "Configuring SSL Rules through Policy" on page 241.

Using Client Consent Certificates
The SSL Proxy, in forward proxy deployments, can specify whether a client (typically a browser)
certificate is required. These certificates are used for user consent, not for user authentication.
Whether they are needed depends upon local privacy laws.
With client consent certificates, each user is issued a pair of certificates with the corresponding private
keys. Both certificates have a meaningful user-readable string in the common name field. One
certificate has a string that indicates grant of consent something like: “Yes, I agree to SSL
interception”. The other certificate has a common name indicating denial of consent, something like:
“No, I do not agree to SSL interception”.
Policy is installed on the ProxySG to look for these common names and to allow or deny actions. For
example, when the string “Yes, I agree to SSL interception” is seen in the client certificate common
name, the connection is allowed; otherwise, it is denied.
To Configure Client Consent Certificates
1.

Install the issuer of the client consent certificates as a CA certificate.

2.

In VPM, configure the Require Client Certificate object in the Action column of the SSL Layer.

3.

Configure the Client Certificate object in the Source column to match common names.

Downloading an Issuer Certificate
When the SSL Proxy intercepts an SSL connection, it presents an emulated server certificate to the
client browser. The client browser issues a security pop-up to the end-user because the browser does
not trust the issuer used by the ProxySG. This pop-up does not occur if the issuer certificate used by
SSL Proxy is imported as a trusted root in the client browser's certificate store.
The ProxySG makes all configured certificates available for download via its management console.
You can ask end users to download the issuer certificate through Internet Explorer or Firefox and
install it as a trusted CA in their browser of choice. This eliminates the certificate popup for emulated
certificates.
To download the certificate through Internet Explorer, see "To Download a Certificate through
Internet Explorer". To download a certificate through Firefox, see "To Download a Certificate through
Firefox" on page 241.
To Download a Certificate through Internet Explorer
Note:

1.

239

You can e-mail the console URL corresponding to the issuer certificate to end users so that
the end-user can install the issuer certificate as a trusted CA.

Go to Statistics>Advanced.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
2.

Select SSL.

3.

Click Download a ProxySG Certificate as a CA Certificate; the list of certificates on the system display.

4.

Click a certificate (it need not be associated with a keyring); the File Download Security Warning
displays asking what you want to do with the file.

Figure 6-22: Internet Explorer Security Warning/Download File Dialog Box

5.

Click Save. When the Save As dialog box displays, click Save; the file downloads.

6.

Click Open to view the Certificate properties; the Certificate window displays.

Figure 6-23: Install Certificate Dialog Box

7.

240

Click the Install Certificate button to launch the Certificate Import Wizard.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
8.

Make sure the Automatically select the certificate store based on the type of certificate radio button is
enabled before completing the wizard; the wizard announces when the certificate is imported.

9.

(Optional) To view the installed certificate, go to Internet Explorer, Select Tools>Internet
Options>Contents>Certificates, and open either the Intermediate Certification Authorities tab or the
Trusted Root Certification Authorities tab, depending on the certificate you downloaded.

To Download a Certificate through Firefox
Note:

You can e-mail the console URL corresponding to the issuer certificate to end users so that
the end-user can install the issuer certificate as a trusted CA.

1.

Go to Statistics>Advanced.

2.

Select SSL.

3.

Click Download a ProxySG Certificate as a CA Certificate; the list of certificates on the system display.

4.

Click a certificate (it need not be associated with a keyring); the Download Certificate dialog
displays.

Figure 6-24: Downloading an Issuer Certificate through the Firefox Browser

5.

Enable the checkboxes needed. Note that you should view the certificate before trusting it for any
purpose.

6.

Click OK; close the Advanced Statistics window.

Configuring SSL Rules through Policy
SSL interception and access rules, including server certificate validation, are configured through
policy—either VPM or CPL. Note that VPM is much easier to use than CPL. Use the SSL Intercept
Layer to configure SSL interception; use the SSL Access Layer to control other aspects of SSL
communication such as server certificate validation and SSL versions. To configure SSL rules using
CPL, continue with "CPL and the SSL Intercept Layer" on page 246.
This section covers the following topics:

241

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies


"Using the SSL Intercept Layer" on page 242.



"Using the SSL Access Layer" on page 244



"Using Client Consent Certificates"

Using the SSL Intercept Layer
The SSL intercept layer allows you to set intercept options:


"To Intercept HTTPS Content through VPM"



"To Customize Server Certificate Validation through VPM"

For a list of policy conditions, properties, and actions, see "CPL and the SSL Intercept Layer" on
page 246.
Note:

For detailed instructions on using VPM, see Chapter 14: “The Visual Policy Manager” on
page 555.

To Intercept HTTPS Content through VPM

242

1.

Go to Configuration>Policy>Visual Policy Manager and launch VPM.

2.

From the Policy drop-down menu, select Add SSL Intercept Layer.

3.

Right-click Set in the Action column; the Set Action object displays.

4.

Click New and select SSL Intercept object; the Add SSL Forward Proxy object displays.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies

Figure 6-25: Adding an SSL Forward Proxy Object

5.

The default behavior is Do not Intercept. To allow SSL content to be examined, select the Intercept as
HTTPS Forward Proxy radio button. When the SSL proxy intercepts HTTPS connections, it generates
a private key and corresponding certificate dynamically. The checkboxes for Issuer Keyring,
Hostname, Splash Text, and Splash URL all control various aspects for certificate emulation. Fill in
the fields as follows:


Issuer Keyring: If you selected an issuer keyring previously, that keyring displays. If you did
not select an issuer keyring previously, the default keyring displays. To change the keyring
that is used as the issuer keyring, choose a different keyring from the dropdown menu.



Hostname: The hostname you put here is the hostname in the emulated certificate.



Splash Text: You are limited to a maximum of 200 characters. The splash text is added to the
emulated certificate as a certificate extension.



Splash URL: The splash URL is added to the emulated certificate as a certificate extension.

To Categorize Hostnames in Server Certificates through VPM

243

1.

While still in the Destination column of the SSL Intercept layer, right-click Set; the Set Destination
Object displays.

2.

Click New and highlight Server Certificate Category object. The Server Certificate Category Object
displays. You can change the name in the top field if needed.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Figure 6-26: Server Certificate Category Object.

3.

Highlight the categories and click Add.
The categories you selected display in the left-hand column.

4.

Click OK.

Using the SSL Access Layer
The SSL Access layer allows you to set accessibility options:


"To Intercept HTTPS Requests to Specific Sites through VPM"



"To Customize Server Certificate Validation through VPM"

For a list of the conditions, properties, and actions that can be used in the SSL Access layer, see "CPL in
the SSL Layer" on page 248.
Note:

For detailed instructions on using VPM, see Chapter 14: “The Visual Policy Manager” on
page 555.

To Intercept HTTPS Requests to Specific Sites through VPM

244

1.

Go to Configuration>Policy>Visual Policy Manager and launch VPM.

2.

From the Policy drop-down menu, select Add SSL Access Layer.

3.

In the Action column, right-click Set; the Set Action object displays.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
4.

Click New and select Server Certificate; the Add Server Certificate object displays.

Figure 6-27: The Add Server Certificate Object

5.

Fill in the fields as described below. Note that you can only choose one field:


Hostname: This is the hostname of the server whose traffic you want to intercept. After
entering the hostname, use the drop-down menu to specify Exact Match, Contains, At Beginning,
At End, Domain, or Regex.



Subject: This is the subject field in the server's certificate. After you enter the subject, use the
drop-down menu to specify Exact Match, Contains, At Beginning, At End, Domain, or Regex.

To Customize Server Certificate Validation through VPM
Note:

245

The policy property server.certificate.validate, if set, overrides the
ssl-verify-server command for either HTTP or for forwarding hosts.

1.

Go to Configuration>Policy>Visual Policy Manager and launch VPM.

2.

From the Policy drop-down menu, select Add SSL Access Layer.

3.

In the Action column, right-click Set; the Set Action object displays.

4.

Click New and select Set Server Certificate Validation object.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Figure 6-28: Managing Server Certificate Validation

5.

By default, server certificate validation is enabled; to disable it, select Disable server certificate
validation at the bottom of the dialog.
If server certificate validation is enabled, you can determine behavior by selecting checkboxes to
Ignore a hostname mismatch, Ignore certificate expiration, or Ignore untrusted issuer. These overrides

mimic the overrides supported by most browsers.
You can add server certificates to the ProxySG to allow proper validation. For more information,
see "Importing a CA Certificate" on page 299.
6.

If you want to check the CA certificate revocation list (CRL) from a Certificate Authority, verify
Also check certification revocation is selected. For information on using CRL, see "Checking CRLs" on
page 232.

CPL and the SSL Intercept Layer
Note:

VPM is much easier to use than CPL. All CPL gestures except the
ssl.forward_proxy.server_keyring property, used only for troubleshooting, are
also in VPM.

The following CPL gestures can be used in the SSL Intercept layer:
Note:

246

No authentication-related triggers are allowed in the SSL Intercept layer.

Chapter 6: Configuring Proxies

Section A: Configuring Explicit Proxies
Allowed Properties (allowed in the SSL Intercept layer only):
• ssl.forward_proxy( )

• ssl.forward_proxy.splash_text( )

• ssl.forward_proxy.hostname( )

• trace.destination( )

• ssl.forward_proxy.issuer_keyring( )

• trace.request( )

• ssl.forward_proxy.server_keyring(),

• trace.rules( )

• ssl.forward_proxy.splash_url( )

• ssl.forward_proxy.server_keyring
(used for troubleshooting only)

Allowed Actions
• log_message( )

• notify_snmp( )

• notify_email( )

Allowed Conditions
• category

• proxy.port

• client.address

• server.certificate.hostname

• client.host

• server.certificate.hostname.category

• client.host.has_name

• server.certificate.subject

• client.protocol

• server_url.*

• proxy.address

• url.*

• proxy.card

An example of using CPL to intercept SSL traffic is:
;create list of servers to intercept
define condition server_intercept_list
server.certificate.hostname.category=webmail
server.certificate.hostname=porn.com
server.certificate.hostname.category=gambling
server.certificate.hostname.category=none
end condition server_intercept_list

; value no means tunnel, value https means intercept as forward proxy
condition=server_intercept_list ssl.forward_proxy(https)
ssl.forward_proxy(no)

Note:

247

For detailed instructions on using CPL, including detailed explanations of the gestures
listed here, refer to the Blue Coat ProxySG Content Policy Language Guide.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

CPL in the SSL Layer
The following CPL gestures can be used in the SSL layer (called SSL Access layer in VPM):
Allowed Actions (allowed in the SSL layer only)
• server.certificate.
validate(yes | no)

• server.certificate.
validate.
check_revocation
(local | no))

• server.certificate.
validate.ignore
(hostname_mismatch |
expiration |
untrusted _issuer)

• client.certificate.
validate(yes | no)

• client.certificate.
validate.check_
revocation(local | no)

• client.certificate.
require(yes)

Allowed Conditions and Properties
• client.connection.
negotiated_ssl_version =
(condition)

• client.certificate.
common_name.regex =


• client.certificate.subject.
dn =

• client.certificate.common
_name
[.exact|.substring|.pref
ix|.suffix] =

• client.certificate.
subject[.exact|
.substring|.prefix|.
suffix|
.regex] =

• client.certificate.subject.
regex =

• server.certificate.
hostname[.exact|
.substring|.prefix|.suff
ix]=

• server.certificate.
hostname.regex=


• server.certificate.hostname.
category =
\

• server.certificate
.hostname.category =!
> (condition)

• server.connection.
negotiated_cipher =

• server.connection.negotiated
_cipher.strength = low |
medium | high | export

• ssl.proxy_mode=

• client.protocol=
tunneled=

Note:

248

For detailed instructions on using CPL, including detailed explanations of the gestures
listed here, refer to the Blue Coat ProxySG Content Policy Language Guide.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Notes
Note:

Pipelining configuration for HTTP is ignored for HTTPS requests intercepted by the SSL
Proxy. When the SSL Proxy intercepts an HTTPS request, and the response is an HTML
page with embedded images, the embedded images are not pre-fetched by the ProxySG.



If the ProxySG and the origin content server cannot agree on a common cipher suite for
intercepted connections, the connection is aborted.



Key lengths of greater than 1024 bits are not supported.



Server-Gated Cryptography and step-up certificates are treated just as regular certificates; special
extensions present in these certificates are not be copied into the emulated certificate. Clients
relying on SGC/step-up certificates continue using weaker ciphers between the client and the
ProxySG when the SSL Proxy intercepts the traffic.

Advanced Topics
If you use OpenSSL or Active Directory, you can follow the procedures below to manage your
certificates.
For OpenSSL, see "Creating an Intermediate CA using OpenSSL"; if using Active Directory, see
"Creating an Intermediate CA using Microsoft Server 2003 (Active Directory)" on page 252.

Creating an Intermediate CA using OpenSSL
This section describes the certificate management when creating an intermediate CA using OpenSSL.
The overall steps are:


"Install OpenSSL "



"Create a Root Certificate"



"Modify the OpenSSL.cnf File "



"Sign the ProxySG CSR"



"Import the Certificate into the ProxySG"



"Test the Configuration"

Various OpenSSL distributions can be found at http://www.openssl.org.

Install OpenSSL
Once OpenSSL is installed, you must edit the openssl.cnf file and ensure the pathnames are
correct. By default root certificates are located under ./PEM/DemoCA; generated certificates are located
under /certs.

249

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Create a Root Certificate
In order to create a root Certificate Authority (CA) certificate, complete the following steps.
Note:
1.

The key and certificate in this example is located at ./bin/PEM/demoCA/private/

Open a MS-DOS window, and enter:
openssl req -new -x509 -keyout
c:\resources\ssl\openssl\bin\PEM\demoCA\private\
cakey.pem -out c:\resources\ssl\openssl\bin\PEM\demoCA\private\CAcert.pem

where the root directory for openssl is: \resources\ssl\openssl
openssl req -new -x509 -keyout
c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem -out
c:\resources\ssl\openssl\bin\PEM\demoCA\private\CAcert.pem
Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....................................+++++
................................................+++++
writing new private key to
'c:\resources\ssl\openssl\bin\PEM\demoCA\private\cakey.pem'
Enter PEM pass phrase:

2.

Type any string more than four characters for the PEM pass phrase.

3.

Enter the certificate parameters, such as country name, common name that are required for a
Certificate Signing Request (CSR).
The private key and root CA are now located under the directory ./PEM/DemoCA/private

4.

5.

From the ProxySG Management Console, select Configuration>SSL>Keyrings.

b.

Click Create; fill in the fields as appropriate.

c.

Click OK.

Create a CSR on the ProxySG.
a.

Select Configuration>SSL>Keyrings.

b.

Highlight the keyring you just created; click Edit/View.

c.

In the Certificate Signing Request pane, click Create and fill in the fields as appropriate.

Note:

Detailed instructions on creating a keyring and a CSR are in Chapter 7 of the Blue Coat
ProxySG Configuration and Management Guide. They can also be found in the online help.

6.

250

Create a ProxySG keyring.
a.

Paste the contents of the CSR into a text file called new.pem located in the ./bin directory.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies

Modify the OpenSSL.cnf File
Modify the openssl.cnf file to import the openSSL root CA into your browser. If you do not do this
step, you must import he ProxySG certificate into the browser.
1.

In the openssl.cnf file, look for the string basicConstraints=CA, and set it to TRUE.
basicConstraints=CA:TRUE

2.

Save the openSSL.cnf file.

Sign the ProxySG CSR
Open a MS-DOS window and enter:
openssl ca -policy policy_anything -out newcert.pem -in new.pem

The output is:
Using configuration from C:\Resources\SSL\OpenSSL\bin\openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName
:PRINTABLE:'FR'
stateOrProvinceName
:PRINTABLE:'Paris'
localityName
:PRINTABLE:'Paris'
organizationName
:PRINTABLE:'BlueCoat'
organizationalUnitName:PRINTABLE:'Security Team'
commonName
:PRINTABLE:'proxysg.bluecoat.com'
emailAddress
:IA5STRING:'support@bc.com'
Certificate is to be certified until Sep 27 13:29:09 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This signs the certificate; it can then be imported into the ProxySG.

Import the Certificate into the ProxySG

251

1.

Open the file newcert.pem in a text editor.

2.

Go to the Management Console>Configuration>SSL>SSL Keyrings.

3.

Selecting the keyring used for SSL interception; click Edit/View.

4.

Paste in the contents of the newcert.pem file.

5.

Import the contents of the newcert.pem file into the CA Certificates list.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
a.

From the ProxySG Management Console, select Configuration>SSL>CA Certificates.

b.

Click Import; enter the certificate name in the CA Cert Name field.

c.

Paste the certificate, being sure to include the -----BEGIN CERTIFICATE---- and the
----END CERTIFICATE----- statements in the ./bin/PEM/demoCA/private/CAcert file.

d. Click OK.
Note:

Detailed instructions on importing a CA certificate are in Chapter 7 of the Blue Coat
ProxySG Configuration and Management Guide.

Test the Configuration
Import the root CA into your browser and construct an SSL interception policy.
Note:

Detailed instructions on constructing an SSL interception policy are in Chapter 6 of the
Blue Coat ProxySG Configuration and Management Guide.

You should not be prompted for any certificate warning.

Creating an Intermediate CA using Microsoft Server 2003 (Active Directory)
This section describes certificate management when creating an intermediate CA using Active
Directory.
Before you begin:


Make sure the Windows 2003 system is an Active Directory server.



Make sure IIS is installed.



Install the "Certificate Services" through the control panel



Select the mode to be Enterprise root CA.

All certificate management is done through the browser using the following URL:
http://@ip_server/CertSrv
You will complete the following steps:


"To Install the Root CA onto the Browser"



"To Create a ProxySG Keyring and Certificate Signing Request"



"To Sign the ProxySG CSR"



"To Import the Certificate onto the ProxySG"



"To Test the Configuration"

To Install the Root CA onto the Browser

252

1.

Connect to HTTP://@ip_server/CertSrv

2.

Click Download a CA Certificate.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
3.

Click Install this CA Certificate chain.

This installs the root CA onto the browser.
To Create a ProxySG Keyring and Certificate Signing Request
1.

From the ProxySG Management Console, go to SSL>Keyrings.

2.

Create a new keyring. For detailed instructions on creating a new keyring, see "Creating a
Keyring" on page 267.

3.

Create a Certificate Signing Request (CSR). For detailed instructions on creating a CSR, see
"Managing Certificate Signing Requests" on page 272.

4.

Click OK.

To Sign the ProxySG CSR
1.

Connect to http://@ip_server/CertSrv

2.

Select the option Request a certificate.

3.

Select Submit an advanced certificate request and then Submit a certificate request by using a base 64
encoded …

4.

Paste the contents of the ProxySG CSR.

5.

Select the Certificate Template Subordinate Certification Authority.
If this template does not exist, connect to the certificate manager tool on the Active Directory
server and add the template.

6.

Click on Submit.

7.

Download the certificate (not the chain) as Base 64 encoded.

8.

Save this file on the workstation as newcert.pem.

To Import the Certificate onto the ProxySG
1.

Open the file newcert.pem in a text editor.

2.

Go to the Management Console>Configuration>SSL>SSL Keyrings.

3.

Select the keyring that has the CSR created; click Edit/View.
Note:

253

Make sure this keyring is used as the issuer keyring for emulated certificates. Use policy
or the SSL intercept setting in the Management Console or the CLI.

4.

Paste the contents of the newcert.pem file.

5.

Import the contents of the newcert.pem file into the CA Certificates list.

Blue Coat ProxySG Configuration and Management Guide

Section A: Configuring Explicit Proxies
a.

From the ProxySG Management Console, select Configuration>SSL>CA Certificates.

b.

Click Import; enter the certificate name in the CA Cert Name field.

c.

Paste the certificate, being sure to include the -----BEGIN CERTIFICATE---- and the
----END CERTIFICATE----- statements in the ./bin/PEM/demoCA/private/CAcert file.

d. Click OK.
Note:

Detailed instructions on importing a CA certificate are in Chapter 7 of the Blue Coat
ProxySG Configuration and Management Guide.

To Test the Configuration
Import the root CA into your browser and construct a SSL interception policy.
Note:

Detailed instructions on constructing an SSL interception policy are in Chapter 6 of the
Blue Coat ProxySG Configuration and Management Guide.

You will not be prompted for any certificate warning.

254

Blue Coat ProxySG Configuration and Management Guide

Section B: Transparent Proxies

Section B: Transparent Proxies
To use transparent proxy, you must:


Configure the network to redirect client requests



Create a transparent proxy service

Configuring the Transparent Proxy Hardware
For transparent proxy to work, you must use one of the following:


ProxySG Pass-Through card



ProxySG software bridge



Layer-4 switch



WCCP

Configuring the Pass-Through Card for Hardware Bridging
The Blue Coat Pass-Through card is a device that enables a bridge, using its two adapters, so that
packets can be forwarded across it. However, if the system crashes, the Pass-Through card becomes a
network: the two Ethernet cables are connected so that traffic can continue to pass through without
restriction.
Configure a transparent service on the bridge's IP address just like for any other IP address, and it
intercepts traffic as usual.
The differences are:


Forwards traffic: it does not intercept without enabling global IP packet forwarding.



Proxies for requests on either adapter, so if you connected one side of the bridge to your Internet
connection, be careful.

Configuring the ProxySG for Software Bridging
Blue Coat supports a software or dynamic bridge that is constructed using a set of installed adapters.
Keep in mind the following about software bridges:


The adapters must of the same type. Although the software does not restrict you from configuring
bridges with adapters of different types (10/100 or GIGE), the resultant behavior is unpredictable.



IP addresses—If any of the adapter interfaces to be added to the bridge already have IP addresses
assigned to them, those IP addresses must be removed.

To set up a software bridge, see "Configuring a Software Bridge" on page 89.

255

Blue Coat ProxySG Configuration and Management Guide

Section B: Transparent Proxies

Configuring a Layer-4 Switch for Transparent Proxy
In Transparent Proxy Acceleration, as traffic is sent to the OCS, any traffic sent on TCP port 80 is
redirected to the ProxySG Appliances by the Layer 4 switch. The benefits to using a Layer 4 switch
include:


Built-in failover protection. In a multi-ProxySG setup, if one ProxySG fails, the Layer 4 switch can
route to the next ProxySG.



Request partitioning based on IP address instead of on HTTP transparent proxying. (This feature
is not available on all Layer 4 switches.)



ProxySG bypass prevention. You can configure a Layer 4 device to always go through the Blue
Coat ProxySG machine even for requests to a specific IP address.



ProxySG bypass enabling. You can configure a Layer 4 device to never go through the ProxySG.

The following are generic directions for configuring transparent proxy using a Layer 4 switch and
ProxySG Appliances. The steps to perform depend on the brand of Layer 4 switch. Refer to the Layer
4 switch manufacturer’s documentation for details.
To Set up Transparent Proxy Using a Layer-4 Switch and the ProxySG
From the Layer 4 switch:
1.

Configure the Layer 4 switch according to the manufacturer's instructions.

2.

Configure for global transparent cache switching (TCS). With global TCS, incoming traffic from all
devices attached to all ports of the Layer-4 switch is redirected to the ProxySG. Assign an IP
address, default gateway, and subnet mask to the Layer-4 switch.

3.

Configure TCS using a global policy, enabling redirection for all ports.

4.

Identify one or more ProxySG Appliances.

5.

Create a device server group.

6.

Apply the ProxySG name to the device group.

7.

Configure Ethernet interface 2.

8.

Disable the redirection policy for the port to which the ProxySG is connected.

9.

Configure Ethernet interface 4.

10. Disable the redirection policy for the port to which the router is connected.
11. (Optional) Configure the Layer-4 switch for server load balancing.
12. Save the Layer-4 switch configuration.
From the ProxySG:

256

Chapter 6: Configuring Proxies

Section B: Transparent Proxies


Define the appropriate IP configurations per the instructions in the Installation Guide that
accompanied the ProxySG.



Test the new network configuration.

Configuring WCCP for Transparent Proxy
WCCP is a Cisco®-developed protocol that allows you to establish redirection of the traffic that flows
through routers.
The main benefits of using WCCP are:


Scalability—With no reconfiguration overhead, redirected traffic can be automatically distributed
to up to 32 ProxySG Appliances.



Redirection safeguards—If no ProxySG Appliances are available, redirection stops and the router
forwards traffic to the original destination address.

For information on using WCCP with a Blue Coat ProxySG, see Appendix C: “Using WCCP” on page
1073.

Understanding IP Forwarding
IP Forwarding is a special type of transparent proxy. The ProxySG is configured to act as a gateway.
The gateway is configured so that if a packet is addressed to the gateway’s adapter, but not to its IP
address, the packet is forwarded toward the final destination. (If IP forwarding is turned off, the
packet is rejected as being mis-addressed).
By default, IP forwarding is set to off (disabled) to maintain a secure network.
To Enable IP Forwarding through the Management Console
1.

Select Configuration>Network>Routing>Gateways.

2.

Select the Enable IP forwarding checkbox.

3.

Click Apply.

To Enable IP Forwarding through the CLI
At the (config) command prompt, enter the following command:
SGOS#(config) tcp-ip ip-forwarding enable

Important: When IP forwarding is enabled, be aware that all ProxySG ports are open and all the
traffic coming through them is not subjected to policy, with the exception of the
ports explicitly defined (Configuration> Services>Service Ports).

257

Blue Coat ProxySG Configuration and Management Guide

Section B: Transparent Proxies

Creating a Transparent Proxy Service
As noted earlier, Blue Coat recommends that you ignore authentication until the proxy service is
configured and running.
The below example uses HTTP. Note that two HTTP services are already configured and enabled on
SGOS 4.x.
To Create a Transparent HTTP Port Service through the Management Console
1.

Select Configuration>Services>Service Ports.

2.

Click New; the Add Service dialog appears.

Figure 6-29: HTTP Add Service Dialog

3.

In the Protocol drop-down list, select HTTP.

4.

The default IP address value is all. To limit the service to a specific IP, select the IP from the
drop-down list.

5.

In the Port field, specify a port number; select Enable.

6.

In the Attributes field, select Transparent.

7.

Click OK; Click Apply.

To Create a Transparent HTTP Port Service through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) services
SGOS#(config services) http
SGOS#(config services http) create [ip_address:]port
SGOS#(config services http) attribute transparent enable [ip_address:]port
SGOS#(config services http) enable [ip_address:]port

258

Chapter 6: Configuring Proxies

Section B: Transparent Proxies
Example
SGOS#(config services http) attribute transparent enable 80

To View the Results
SGOS#(config services http) view
Port:
8080
IP: 0.0.0.0
Properties: explicit, enabled
Port:
80
IP: 0.0.0.0
Properties: transparent, enabled

259

Type: http
Type: http

Blue Coat ProxySG Configuration and Management Guide

260

Chapter 7: Using Secure Services

Secure services allow you to provide the maximum security level for your enterprise. Maximum
security is provided by using:


SSH (with optional RSA authentication).



HTTPS instead of HTTP for secure communication over insecure channels.



A method of authenticating (identifying your users) and authorizing (limiting what a user can
do).

Configuring secure services requires creating and using keypairs and certificates to verify trusted
hosts.
This chapter discusses:


“HTTPS Reverse Proxy Overview”



“Configuring HTTPS Reverse Proxy”



“Managing the SSL Client”



“Configuring HTTP or HTTPS Origination to the Origin Content Server”



“Advanced Configuration”

261

Blue Coat ProxySG Configuration and Management Guide

Section A: HTTPS Reverse Proxy Overview

Section A: HTTPS Reverse Proxy Overview
Offloading SSL processing from the origin server (referred to as HTTPS Reverse Proxy), allows a large
number of requests to be processed very quickly from the ProxySG.
The HTTPS Reverse Proxy implementation:


Combines hardware-based SSL acceleration with full caching functionality.



Establishes and services incoming SSL sessions.



Provides SSL v2.0, v3.0, and TLSv1 protocol support.

A common scenario in using HTTPS Reverse Proxy, which connects the client to the ProxySG, is in
conjunction with HTTPS origination, which is used to connect the ProxySG to the origin content server
(OCS).
Before discussing the specifics of how a ProxySG accelerates HTTPS requests, it is important to
understand securing data using HTTPS. There are several RFCs and books on the public key
cryptographic system (PKCS). This discussion of the elements of PKCS is relevant to their
implementation in SGOS.
The key concepts to understand are:


Public keys and private keys



Certificates



Keyrings



Cipher Suites



SSL client

Public Keys and Private Keys
The intended recipient of encrypted data generates a private/public keypair, and publishes the public
key, keeping the private key secret. The sender encrypts the data with the recipient's public key, and
sends the encrypted data to the recipient. The recipient uses the corresponding private key to decrypt
the data.
For two-way encrypted communication, the endpoints can exchange public keys, or one endpoint can
choose a symmetric encryption key, encrypt it with the other endpoint's public key, and send it.

Certificates
Two major kinds of certificates are used with SGOS:

262



Server (SSL) Certificates



Self-Signed Certificates

Chapter 7: Using Secure Services

Section A: HTTPS Reverse Proxy Overview

Server (SSL) Certificates
Server certificates are used to authenticate the identity of a server. A certificate is electronic
confirmation that the owner of a public key is who he or she really claims to be and thus holds the
private key corresponding to the public key in the certificate. The certificate contains other
information, such as its expiration date.
The association between a public key and a particular server is done by generating a certificate
signing request using the server's public key. A certificate signing authority verifies the identity of the
server and generates a signed certificate. The resulting certificate can then be offered by the server to
clients who can recognize the CA's signature and trust that the server is who it claims to be. Such use
of certificates issued by CAs has become the primary infrastructure for authentication of
communications over the Internet.
ProxySG Appliances come with many popular CA certificates already installed. You can review these
certificates using the Management Console or the CLI. You can also add certificates for your own
internal certificate authorities.
The ProxySG trusts all root CA certificates trusted by Internet Explorer and Firefox. The list is updated
periodically to be in sync with the latest versions of IE and Firefox.
CA certificates installed on the ProxySG are used to verify the certificates presented by HTTPS servers
and the client certificates presented by browsers (when browsers are configured to do so).
Certificate Revocation Lists (CRLs) allow checking server certificates against lists provided and
maintained by CAs that show certificates that are no longer valid. Only CRLs that are issued by a
trusted issuer can be verified by the ProxySG successfully. The CRL can be imported only when the
CRL issuer certificate exists as CA certificate on the ProxySG.

Self-Signed Certificates
A self-signed certificate is a certificate that you create and authorize yourself that has no official
guarantees or authority in the real world. It is mainly used for intranet security.
Any server certificate can contain a common name with wildcard characters.
Wildcard certificates during HTTPS Reverse Proxy are supported. Microsoft’s implementation of
wildcard certificates is as described in RFC 2595, allowing an * (asterisk) in the leftmost-element of the
server's common name only. For information on wildcards supported by Internet Explorer, refer to the
Microsoft knowledge base, article: 258858.
Note:

263

Another kind of certificate is called an external certificate. An external certificate is an
X.509 certificate created outside the ProxySG for the purpose of encrypting data, such as
access logs, with a public key on the ProxySG so that it can only be decrypted by someone
off-box who has the corresponding private key. When you import an external certificate to
the ProxySG, you can use it to encrypt your access logs so that only those with the
appropriate security credential can decrypt them. See “Configuring the Upload Client”
on page 894 for information about encrypting access logs.

Blue Coat ProxySG Configuration and Management Guide

Section A: HTTPS Reverse Proxy Overview

Keyrings
A keyring contains a public/private keypair. It can also contain a certificate signing request or a
signed certificate.

Cipher Suites Supported by SGOS
A cipher suite is an object that specifies the algorithms used to secure an SSL connection. When a
client makes an SSL connection to a server, it sends a list of the cipher suites that it supports. The
server compares this list with its own supported cipher suites and chooses the first cipher suite
proposed by the client that they both support. Both the client and server then use this cipher suite to
secure the connection.
Note:

You can delete cipher suites that you do not trust.

All cipher suites supported by the ProxySG use the RSA key exchange algorithm, which uses the
public key encoded in the server's certificate to encrypt a piece of secret data for transfer from the
client to server. This secret is then used at both endpoints to compute encryption keys.
By default, the ProxySG is configured to allow SSLv2 and v3 as well as TLSv1 traffic. The cipher suites
available to use differ depending on whether you configure SSL for version 2, version 3, TLS, or a
combination of these.
Table 7.1: SGOS Cipher Suites Shipped with the ProxySG

264

SGOS Cipher #

Cipher Name

Strength

Exportable

Description

1

RC4-MD5

Medium

No

128-bit key size.

2

RC4-SHA

Medium

No

128-bit key size.

3

DES-CBC3-SHA

High

No

168-bit key size.

4

DES-CBC3-MD5

High

No

168-bit key size.

5

RC2-CBC-MD5

Medium

No

128-bit key size.

6

RC4-64-MD5

Low

No

64-bit key size.

7

DES-CBC-SHA

Low

No

56-bit key size.

8

DES-CBC-MD5

Low

No

56-bit key size.

9

EXP1024-RC4-MD5

Export

Yes

56-bit key size.

10

EXP1024-RC4-SHA

Export

Yes

56-bit key size.

11

EXP1024-RC2-CBC-MD5

Export

Yes

56-bit key size.

12

EXP1024-DES-CBC-SHA

Export

Yes

56-bit key size.

13

EXP-RC4-MD5

Export

Yes

40-bit key size.

Chapter 7: Using Secure Services

Section A: HTTPS Reverse Proxy Overview
Table 7.1: SGOS Cipher Suites Shipped with the ProxySG (Continued)
14

EXP-RC2-CBC-MD5

Export

Yes

40-bit key size.

15

EXP-DES-CBC-SHA

Export

Yes

40-bit key size.

16

AES128-SHA

Medium

No

128-bit key size.

17

AES256-SHA

High

No

256-bit key size.

Cipher Suite configuration is discussed in “Associating a Keyring and Protocol with the SSL Client”
on page 288.

Server Gated Cryptography and International Step-Up
Due to US export restrictions, international access to a secure site requires the site negotiate
export-only ciphers. These are relatively weak ciphers ranging from 40-bit to 56-bit key lengths, and
are vulnerable to attack.
Server Gated Cryptography (SGC) is a Microsoft extension to the certificate that allows the client
receiving the certificate to first negotiate export strength ciphers, followed by a re-negotiation with
strong ciphers. Netscape has a similar extension called International Step-up.
The ProxySG supports both SGC and International Step-up in its SSL implementation. There are,
however, known anomalies in Internet Explorer's implementation that can cause SSL negotiation to
fail. Refer to the following two documents for more detail and check for recent updates on the
Microsoft support site.
http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP
http://support.microsoft.com/support/kb/articles/Q244/3/02.ASP

To take advantage of this technology, the ProxySG supports VeriSign's Global ID Certificate product.
The Global ID certificate contains the extra information necessary to implement SGC and
International Step-up.
Note:

When requesting a Global ID certificate, be sure to specify bluecoat as the server.

Understanding SSL Client
The SSL client is used to determine the protocol of outgoing HTTPS connections. The protocol must be
specified when a ProxySG obtains content from the origin server using an encrypted connection.
The ProxySG uses one SSL client. The role of the SSL client is to:

265



Determine which certificate can be presented to origin servers by associating a keyring with the
SSL client.



Identify the protocol version the ProxySG uses in negotiations with origin servers.



Identify the cipher suites used.

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy

Section B: Configuring HTTPS Reverse Proxy
To configure HTTPS Reverse Proxy, complete the following tasks:


Create a keyring. A default keyring is shipped with the system and is used for accessing the
management console. Create other keyrings for each SSL service. (See “Creating a Keyring” on
page 267.)
Note:

You can also import keyrings. For information on importing keyrings, see “Importing an
Existing Keypair and Certificate” on page 296.



(Optional) Create Certificate Signing Requests (CSRs) that can be sent to Certificate Signing
Authorities (CAs).



Import server certificates from CA authorities for external use and associate them with the
keyring. (See “Managing Server (SSL) Certificates” on page 275.)
-or-



Create certificates for internal use and associate them with the keyring. (See “Deleting an Existing
Keyring and Certificate” on page 271.)



(Optional, if using server certificates from CA authorities) Import Certificate Revocation Lists
(CRLs) so the ProxySG can verify that certificates are still valid.



Create the HTTPS Service. The keyring should contain the server certificate to present to clients
connecting to this service. For general information on enabling services, see Chapter 5:
“Managing Port Services” on page 147. For specific information on enabling the HTTPS Service,
see “Managing the HTTPS Reverse Proxy” on page 165.)
Note:

If connections will be forwarded upstream using HTTPS, you can configure the SSL client
appropriately. You can also set the SSL configuration timeout period, if the default is not
satisfactory. For information on managing the SSL client, see “Managing the SSL Client”
on page 287.

Do these steps in order.
Note:

These steps must be done with a serial console or SSH connection.

Before you begin, you should be familiar with the following terms:
CA Certificates

This is a certificate that has been given out by a CA identifying the authority and what
public key to use to verify certificates signed by them. CA certificates are used to verify
certificates presented by clients during HTTPS Reverse Proxy or to verify certificates
presented by servers during HTTPS origination.
You only need this certificate if the ProxySG is obtaining data through an encrypted
source.

266

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy
CA-Certificate
Lists

CA-Certificate lists allow you to associate a specific CA certificate (or a list of CA
certificates) with the HTTPS service you create.

Certificates

Regular certificates are presented by the ProxySG as server certificates when doing
HTTPS Reverse Proxy or as client certificates when doing HTTPS origination.
A certificate can be created (self-signed) or imported from another machine. Certificates
and CA Certificates are imported differently on the ProxySG and have different purposes.

Certificate Signing
Authority (CA)

CAs receive Certificate Signing Requests and create certificates from the information and
the keypair provided. The certificate is then returned to the originator, who can import it
into the ProxySG.

Certificate Signing
Request (CSR)

CSRs are used to send a keypair and critical information to a Certificate Signing
Authority. You can use Blue Coat to create a CSR or you can create a CA Certificate
off-line.
The CSR is then sent to a Certificate Signing Authority, which provides a signed
certificate after verifying the requester's identity.

Certificate
Revocation List
(CRL)

CRLs are lists that show which certificates are no longer valid; the CRLs are created and
maintained by Certificate Signing Authorities.

SSL Client

Only one SSL client can be used on the ProxySG, and only one keyring can be associated
with it. If a keyring is associated with the SSL client and you change the association, the
old association is overwritten by the new.

HTTPS Service

A service on which the ProxySG listens for Web requests sent through the HTTPS
protocol.

Keyring

A keyring holds a public and private keypair, and can be used when configuring secure
connections on the ProxySG. When a keyring is created, it only contains a keypair. You
can associate a certificate with this keyring. If you have multiple certificates, you can
configure multiple keyrings and associate the certificates and the keyrings.

Only CRLs that are issued by a trusted issuer can be verified by the ProxySG successfully.
The CRL can be imported only when the CRL issuer certificate exists as CA certificate on
the ProxySG.

Creating a Keyring
The ProxySG ships with two keyrings already created:


default



configuration-passwords-key

The default keyring contains a certificate and an automatically-generated keypair. The default key is
intended for securely accessing the ProxySG management console. Create an additional keyring for
each HTTPS service defined.
Note:

267

A keyring is not re-usable. If you use multiple certificates, you must create multiple
keyrings.

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy
You must associate a keyring with the SSL client if the ProxySG is obtaining content through HTTPS
from an origin content server (OCS) that requires a client certificate to be presented. If the OCS
requires a client certificate and no keyring is associated with the SSL client, the connections fails. For
information on associating a keyring with the SSL client, “Managing the SSL Client” on page 287.
The configuration-passwords-key keyring contains a keypair but does not contain a certificate. It is
a keyring created for encrypting passwords in the show config command and should not be used for
other purposes.
To Create a Keyring through the Management Console
1.

Select Configuration>SSL>Keyrings>SSL Keyrings; the SSL Keyrings tab displays.

Figure 7-1: SSL Keyring Tab

2.

Click Create; the Create Keyring dialog appears.

Figure 7-2: Create Keyring Dialog

268

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy
3.

Fill in the dialog window as follows:


Keyring Name: Give the keyring a meaningful name to you.

Note:



Spaces in keyring names are not supported. Including a space can cause unexpected
errors while using such keyrings.

Select the show option you need:


Show keypair allows the keys, and everything in the keys, to be exported.



Do not show keypair prevents the keypair from being exported.



Show keypair to director is a keyring viewable only if Director is issuing the command using

a SSH-RSA connection.
Note:



The choice of show/show-director/no-show has implications for whether keyrings
are included in profiles and backups created by Director. For more information, refer
to the Blue Coat Director User Guide.

Select the key length in the Create a new ______ -bit keyring field. A length of 1024 bits is the
maximum (and default). Longer keyrings provide better security, but with a slight
performance expense on the ProxySG. Be aware that the maximum key length allowed for
international export might be different than the default. For deployments reaching outside the
U.S., determine the maximum key length allowed for export.
Click OK. The keyring is created with the name you chose. It does not have a certificate
associated with it yet. To associate a certificate, see “Associating a Keyring and Protocol with
the SSL Client” on page 288
-or-



Select the Import keyring radio button.
The grayed-out Keyring field becomes enabled, allowing you to paste in an already existing
private key. The certificate associated with this private key must be imported separately. For
information on importing a certificate, see “Deleting an Existing Keyring and Certificate” on
page 271.
If the private key that is being imported has been encrypted with a password, select Keyring
Password and enter the password into the field.
Note:

4.

269

Click OK.

The only way to retrieve a keyring's private key from the ProxySG is by using
Director or the command line —it cannot be exported through the management
console.

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy
To View or Edit a Keyring through the Management Console
1.

Select Configuration>SSL>Keyrings>SSL Keyrings; the SSL Keyrings tab displays.

2.

Click View/Edit; the Create Keyring dialog appears.

To Create an SSL Keyring through the CLI
At the (config) command prompt, enter the following commands to create an SSL keyring:
SGOS#(config) ssl
SGOS#(config ssl) create keyring {show | show-director | no-show} keyring_id
[key_length]

where:
show |
show-director
| no-show

• show: Allows the keys, and everything in the keys, to be exported.
• show-director: Prevents the keypair from being exported.
• no-show: A keyring viewable only if Director is issuing the command using a
SSH-RSA connection.
Note: The choice of show/show-director/no-show has implications for
whether keyrings are included in profiles and backups created by Director. For
more information, refer to the Blue Coat Director User Guide.

keyring_id

The name, meaningful to you, of the keyring.

key_length

Longer keypairs provide better security, but with a slight performance expense
on the ProxySG appliance. The default key length used in SGOS and most
US-based servers is 1024, which is the maximum key length. Be aware that the
maximum key length allowed for international export might be different than the
default. For deployments reaching outside of the US, determine the maximum
key length allowed for export.

To View the Results of a New Keyring through the CLI
Note:

This example shows the default keyring.

SGOS#(config ssl) view keyring
KeyringID: default
Is private key showable? yes
Have CSR? no
Have certificate? yes
Is certificate valid? yes
CA: Blue Coat SG110
Expiration Date: Dec 16 22:37:30 2013 GMT
Fingerprint: AA:E2:34:DB:5D:06:A7:FF:D8:69:BE:0D:12:FC:34:D5
KeyringID: configuration-passwords-key
Is private key showable? yes
Have CSR? no
Have certificate? no

270

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy
To View a Keypair
Note:

This example shows the default keypair, unencrypted.

SGOS#(config ssl) view keypair [des | des3 | unencrypted] [keyring_id]
[password]
-----BEGIN RSA PRIVATE KEY----MIICWwIBAAKBgQC6t/IhFTYuyczvEN/wT4dcJl3Ar/aEKs/CjL9DPG+ND79sscFe
tfzmLrjBvxJmZYnim6VEMtKb0qH37YQjXwtQFqYAdWe+yKS6kqJ+Rky/mgHX8awL
RvijFlBkLYMG2SOa1YphOTg/v/dPm28TyJ5ZcavM5Atdpa+RRGPPDR1YQwIDAQAB
AoGAE4TVL/Yqsttvq/Ikptd5e/2awWDjsU9UZq8V825m7uUdirxOTZtSs7FgqQhT
YRbuQh0pOqbhc16ihetza8sswGXJe7YYF7d2zQAfwDsvSTcsVu1mXQmdhddItGuv
+nZWVMqP/tQIk/NtRhp6IJ2qg4Mu3yEVfDEeHP1Um2nGPbECQQDltYIaoiLW27sa
+O7Rzl2geVoVvdROjKg0g0gyT65tRCgqyGv6AXI1+gWl1TcP5rhOlB9XX3i0wiUp
HejKsompAkEA0BbQNCRXUXZTPyK6R6JaHE0Ji8SSXtLCUN9RZrChdjGc263D6/IV
/jqpqkLLR2qSibmKDX1ADmYAP9U18ta+CwJAecPBd8TCmwpXIHEch3LRBqPNMQEz
bX/6GfwNZT3/xEQA1szvD9N8a0hhfgqL6Y3v3Rd/lZ0yKv9PG4CTSf9iIQJAL7Jq
+uixkxyaLEibhjvyh7Yoz/64xj9tBviJQg6Ok/b/S2NjGzwcSm/L4Bj7W11URXlf
6YOiISrEN915RjZuzQJAYUlytdCj7pM2nziyO7jrWnY8MmIod3+kHlQajoV/OI6Q
Z5gaJ2nLOwicSlSY4MFewHavvRS18yI9JP2q1+6Y/g==
-----END RSA PRIVATE KEY-----

Notes


If you want to view the keypair in an encrypted format, you can optionally specify des or des3
before the keyring_id, along with an optional password. If the optional password is provided on
the command line, the CLI does not prompt for a password. You can also use ““ to specify an
empty password to make the command non-interactive.



If the optional password is not provided on the command line, the CLI asks for the password
(interactive). If you specify either des or des3, you are prompted.



To view the keypair in unencrypted format, select either the optional keyring_id or use the
unencrypted command option.



You cannot view a keypair over a Telnet connection because of the risk that it could be
intercepted.

Deleting an Existing Keyring and Certificate
To Delete a Keyring and the Associated Certificate through the Management Console
1.

Select Configuration>SSL>Keyrings>SSL Keyrings.

2.

Highlight the name of the keyring that you want to delete.

3.

Click Delete.
The Confirm delete dialog appears.

4.

271

Click OK in the Confirm delete dialog.

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy
To Delete a Keyring and the Associated Certificate through the CLI
From the (config) prompt, enter the following commands:
SGOS#(config) ssl
SGOS#(config ssl) delete keyring keyring_id

Managing Certificate Signing Requests
While you must create certificate signing requests (CSR) to get a certificate signed by a Certificate
Authority, CSRs are also used for the configuration of certificates that are sent out to clients or servers
for external validation.

Creating a CSR
To Create a CSR through the Management Console
1.

Select Configuration>SSL>SSL Keyrings; click Edit/View.

2.

From the drop-down list, select the keyring for which you need a signed certificate.

3.

From the Certificate Signing Request tab, click the Create button.
The Create Certificate-signing-request dialog displays.

Figure 7-3: Create Certificate-Signing-Request Dialog

4.

272

Fill in the fields as appropriate:


State/Province—Enter the state or province where the machine is located.



Country Code—Enter the two-character ISO code of the country.



City/Locality—Enter the city.



Organization—Enter the name of the company.



Unit—Enter the name of the group that is managing the machine.



Common Name—Enter the URL of the company.

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy


Challenge—Enter a 4-16 character alphanumeric challenge.



E-mail Address—The e-mail address you enter must be 40 characters or less. A longer e-mail

address will generate an error.


Company—Enter the name of the company.

5.

The Create tab displays the message: Creating....

6.

Click OK.

To Create a CSR through the CLI
You have a choice of using the interactive or non-interactive create command.
Note:

Director uses non-interactive commands in profiles and overlays to create certificate
signing requests.
For more information on Director, refer to the Blue Coat Director Configuration and
Management Guide.)

To create a CSR using the:


interactive create signing-request command: continue with the next section.



non-interactive create signing-request command: skip to “To Create a Signing Request
Non-interactively Using Create Commands” on page 274.

To Create a CSR Interactively using Create Commands
1.

At the (config) command prompt, enter the following commands to create an SSL CSR:
SGOS#(config) ssl
SGOS#(config ssl) create signing-request keyring_id
Country code []: US
State or province []: CA
Locality or city []: SV
Organization name []: Blue Coat
Organization unit []: Docs
Common name []: www.bluecoat.com
Email address []: test@bluecoat.com
Challenge []: test
Company name []: Blue Coat
ok

where:

273

Country code

At the country code prompt, enter the two-character ISO code of the
country.

State or province

Name of the state or province where the machine is located.

Locality or city

Name of the town where the machine is located.

Organization name

Name of the company.

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy

2.

Organization unit

Name of the group within the company.

Common name

Verify the Common name is the same as the domain name of the Web
site being terminated. If the Common name and site domain name do
not match, a client browser generates a warning whenever the
ProxySG terminates an HTTPS request for that site. The use of
wildcards is supported in the Common name.

Email address

The e-mail address you enter must be 40 characters or less. A longer
e-mail address generates an error

Challenge

At the challenge prompt, enter a 4-16 character alphanumeric secret.

Company name

Name of the company.

View the results.
SGOS#(config ssl) view signing-request keyring_id
-----BEGIN CERTIFICATE REQUEST----MIIBVDCCAQ4CAQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTELMAkGA1UEBxMCU1YxEjAQ
BgNVBAoTCUJsdWUgQ29hdDENMAsGA1UECxMERG9jczEZMBcGA1UEAxMQd3d3LmJsdWVjb2F0LmN
vbTEgMB4GCSqGSIb3DQEJARYRdGVzdEBibHVlY29hdC5jb20wTDANBgkqhkiG9w0BAQEFAAM7AD
A4AjEAobHjK0AsnKV0TcsntWCdfTaNyCgwNDXffxT5FwM0xkzQi0pCSku27CJXn7TahrKRAgMBA
AGgMTAUBgkqhkiG9w0BCQcxBxMFdGVzdAAwGQYJKoZIhvcNAQkCMQwWCkJsdWUgQ29hdAAwDQYJ
KoZIhvcNAQEEBQADMQBooZfEnzZT2WMMiu3oT9EP3CdtddOTtdBImWUXPdHJGfm1vEJ7HI0cE0W
71JP6pUY=
-----END CERTIFICATE REQUEST-----

To Create a Signing Request Non-interactively Using Create Commands
At the (config) command prompt, enter the following commands to create a signing request:
SGOS#(config) ssl
SGOS#(config ssl) create signing-request keyring_id [attribute_value]
[attribute_value]

where the following attribute and value pairs are accepted:
Mandatory:
• cn common_name
• challenge at_least_four_characters
Optional:
• c 2_character_country_code
• o organization_name
• ou organizational_unit
• email e-mail_id
• state state or province
• city locality or city
• company company_name

Notes:

274

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy


If you do not specify any attributes, the interactive mode is assumed, meaning that the CSR
cannot be created by Director in profiles or overlays.



The name of the attribute is predefined and the value of the attribute is a string. The value can be
quoted if it contains white space or other special characters.



You must specify the name and value together; the order of appearance of multiple name value
pairs does not matter. If you omit an attribute, an empty string is assumed for the value of the
attribute.

Example:
#(config ssl) create signing-request keyring_id cn bluecoat challenge test
c US state CA company bluecoat

Viewing a Certificate Signing Request
The main reason to view a certificate signing request is so that it can be copied for submission to the
Certificate Signing Authority. You can view the certificate signing request either through the
Management Console or the CLI.
To View a Certificate Signing Request through the Management Console
1.

Select Configuration>SSL>SSL Keyrings.

2.

Click Edit/View; the SSL Certificates pane displays.

3.

From the drop-down list, select the keyring for which you have created a certificate signing
request.
The certificate signing request displays in the Certificate Signing Request window and can be
copied for submission to a Certificate Signing Authority.

To View a Certificate Signing Request through the CLI
At the (config) command prompt, enter the following commands to create a signing request:
SGOS#(config) ssl
SGOS#(config ssl) view signing-request keyring_id

The certificate signing request displays and can be copied for submission to a Certificate
Signing Authority

Managing Server (SSL) Certificates
Server (SSL) certificates can be obtained two ways:


Created on the ProxySG as a self-signed certificate



Imported after receiving the certificate from the signing authority

If you plan to use server (SSL) certificates (issued by well-known Certificate Authorities), you can
obtain the keypair and Certificate Signing Requests (CSRs) off box and send them to the Certificate
Authority for signing. You can also create self-signed SSL certificates for internal use.

275

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy
Once the signed request is returned to you from the CA, you can import the certificate into the
ProxySG. To create a Blue Coat CSR, see “Creating a CSR” on page 272.
Note:

If you have a CA certificate that is not on the ProxySG default CA certificate list, you
might receive the following message when attempting to connect to a Web site:
Network Error (ssl_failed)
A secure SSL session could not be established with the Web Site:.

You must import the CA Certificate before the ProxySG can trust the site.
To create a SSL self-signed certificate on the ProxySG using a Certificate Signing Request, continue
with the next section.
Note:

You can also create a self-signed certificate just by pressing the Create button on the
Configuration>SSL>Keyrings>Edit/View pane.

To import an SSL Certificate, skip “Importing a Server Certificate” on page 280.

Creating Self-Signed SSL Certificates
The ProxySG ships with a self-signed certificate, associated with the default keyring. Only one
certificate can be associated with a keyring. If you have multiple services, you require one keyring for
each certificate.

Adding a Self-Signed SSL Certificate
Self-signed certificates are generally meant for intranet use, not Internet.
To Create a Self-Signed Certificate through the Management Console
1.

Select Configuration>SSL>Keyrings>SSL Keyrings; the SSL Keyrings tab displays.

2.

Highlight the keyring for which you want to add a certificate.

3.

Click Edit/View in the Keyring tab.
The SSL Certificate dialog displays.

276

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy

Figure 7-4: Create Certificate Dialog

4.

Click Create to Create a Certificate; the Create Certificate dialog displays.

Figure 7-5: Creating a Certificate

5.

277

Fill in the fields as appropriate:

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy


State/Province—Enter the state or province where the machine is located.



Country Code—Enter the two-character ISO code of the country.



City/Locality—Enter the city.



Organization—Enter the name of the company.



Unit—Enter the name of the group that is managing the machine.



Common Name—A common name should be the one that contains the URL with client access

to that particular origin server.


Challenge—Enter a 4-16 character alphanumeric challenge.



E-mail Address—The e-mail address you enter must be 40 characters or less. A longer e-mail

address will generate an error.

6.

Company—Enter the name of the company.

The Create tab displays the message: Creating.....

To Create a Self-Signed SSL Certificate through the CLI
You can create a self-signed certificate two ways: interactively or non-interactively.
Note:

Director uses non-interactive commands in profiles and overlays to create self-signed
certificates.

To create a certificate using the:


interactive version of the create certificate command: continue with the next section.



non-interactive version of the create certificate command: skip to “To Create a Self-Signed
SSL Certificate Non-interactively Using Create Commands” on page 279.

Note:

If you want the certificate to be part of a profile or overlay, the keyring must be configured
as showable.

To Create a Self-Signed SSL Certificate Interactively Using Create Commands
1.

At the (config) command prompt, enter the following commands to interactively create a
self-signed certificate.
SGOS#(config ssl) create certificate keyring_id
Country code []: US
State or province []: CA
Locality or city []: SV
Organization name []: Blue Coat
Organization unit []: Docs

278

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy
Common name []: www.bluecoat.com
Email address []: test@bluecoat.com
Challenge []: test
Company name []: Blue Coat
ok

where:

2.

Country code

At the Country code prompt, enter the two-character ISO code of the
country.

State or province

Name of the state or province where the machine is located.

Locality or city

Name of the town where the machine is located.

Organization name

Name of the company.

Organization unit

Name of the group within the company.

Common name

Verify the Common name is the same as the domain name of the Web site
being terminated. If the Common name and site domain name do not
match, a client browser generates a warning whenever the ProxySG
terminates an HTTPS request for that site. The use of wildcards is
supported in the Common name.

Email address

The e-mail address you enter must be 40 characters or less. A longer
e-mail address will generate an error

Challenge

At the Challenge prompt, enter a 4-16 character alphanumeric secret.

Company name

Name of the company.

View the certificate.
SGOS#(config ssl) view certificate keyring_id
-----BEGIN CERTIFICATE----MIIB3zCCAZmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhzELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMQswCQYDVQQHEwJTVjESMBAGA1UEChMJQmx1ZSBDb2F0MQ0wCwYDVQQLEwREb2NzMRkwFwY
DVQQDExB3d3cuYmx1ZWNvYXQuY29tMSAwHgYJKoZIhvcNAQkBFhF0ZXN0QGJsdWVjb2F0LmNvbT
AeFw0wMzAzMDQyMTA2NThaFw0wMzA0MDMyMTA2NThaMIGHMQswCQYDVQQGEwJVUzELMAkGA1UEC
BMCQ0ExCzAJBgNVBAcTAlNWMRIwEAYDVQQKEwlCbHVlIENvYXQxDTALBgNVBAsTBERvY3MxGTAX
BgNVBAMTEHd3dy5ibHVlY29hdC5jb20xIDAeBgkqhkiG9w0BCQEWEXRlc3RAYmx1ZWNvYXQuY29
tMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAK+AGYRMbnjyGr7U0oZUYdslO6y8uQnxq2PV6qCr4Q
BpN1Vqyr1Fi7ZEaw0lyMs5FwIDAQABMA0GCSqGSIb3DQEBBAUAAzEAe8zoYW0igTcGRGG7sBpca
U95J907ZVm8qSU/PQfx1IrDzKdRSQPO9Gs1I8MqXi0D
-----END CERTIFICATE-----

To Create a Self-Signed SSL Certificate Non-interactively Using Create Commands
Note:

If you want the keyring to part of an overlay or profile, the keyring must be configured as
showable.

At the (config) command prompt, use the following syntax to create a self-signed certificate

279

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy
SGOS#(config ssl) create certificate keyring-id [attribute_value]
[attribute_value]

where any or all of the following attribute and value pairs are accepted:
Mandatory:
• cn common_name
• challenge at_least_four_characters
Optional:
• c 2_character_country_code
• o organization_name
• ou organizational_unit
• email e-mail_id
• state state or province
• city locality or city
• company company_name

Notes:


If you do not specify any attributes, the interactive mode is assumed, meaning that the self-signed
certificate cannot be created by Director in profiles or overlays.



The name of the attribute is predefined and the value of the attribute is a string. The value can be
quoted if it contains white space or other special characters.



You must specify the name and value together; the order of appearance of multiple name value
pairs does not matter. If you omit an attribute, an empty string is assumed for the value of the
attribute.

Example:
SGOS#(config ssl) create certificate keyring-id cn bluecoat challenge test
c US state CA company bluecoat

Importing a Server Certificate
A server certificate is sent to you by a Certificate Signing Authority after receiving the Certificate
Signing Request. The certificate request is created either off box or with the signing request you
created through the SSL >Keyrings tab. To create an SSL signing request, follow the instructions in
“Creating a CSR” on page 272. After the server certificate is signed by a Certificate Signing Authority
and returned, it can be imported by completing the steps below.
To Import a Server Certificate

280

1.

Copy the certificate to your clipboard. Be sure to include the “Begin Certificate” and “End
Certificate” statements.

2.

Select Configuration>SSL>Keyrings; the SSL Keyrings tab displays.

3.

Highlight the keyring for which you want to import a certificate.

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy
4.

Click Edit/View in the Keyrings tab.
The SSL Certificates pane displays.

Figure 7-6: SSL Certificates Pane

5.

In the certificate panel, click Import.
The Import Certificate dialog displays.

Figure 7-7: SSL Import Certificate Dialog

6.

281

Paste the certificate you copied into the dialog box. Click OK.

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy
The certificate should display in the SSL Certificates Pane, associated with the keyring you
selected earlier.

Using Certificate Revocation Lists
A revocation check on the server certificate is done through Certificate Revocations Lists (CRLs).
CRLs are lists that show which certificates are no longer valid; the CRLs are created and maintained
by Certificate Signing Authorities.
Only CRLs that are issued by a trusted issuer can be verified by the ProxySG successfully. The CRL
can be imported only when the CRL issuer certificate exists as CA certificate on the ProxySG.
The ProxySG allows:


one local CRL list per certificate issuing authority.



an import of a CRL that is expired; a warning is displayed in the log.



an import of a CRL that is effective in the future; a warning is displayed in the log.

CRLs can be used for the following purposes:


Checking revocation status of client and/or server certificates with HTTPS Reverse Proxy.



Checking revocation status of server certificates with SSL proxy. (For more information on using
CRLS with the SSL proxy, see “Configuring an SSL Proxy” on page 231.)



ProxySG-originated HTTPS downloads (secure image download, content filter database
download, and the like).

PEM-encoded CRLs are supported for inline cut-and-paste imports via the CLI or Management
Console. DER-format (binary) CRLs are supported if downloaded from a URL.
To Import a CRL
You can choose from among four methods to install a CRL on the ProxySG through the Management
Console:


Use the ProxySG Text Editor, which allows you to enter the installable list (or copy and paste the
contents of an already-created file) directly onto the ProxySG.



Create a local file on your local system; the ProxySG can browse to the file and install it.



Enter a remote URL, where you placed an already-created file on an FTP or HTTP server to be
downloaded to the ProxySG.



Use the CLI inline command.

To Create a CRL through the Management Console
1.

282

Select Configuration>SSL>CRLs. The CRL tab displays.

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy

Figure 7-8: Creating a new CRL

2.

Click New or highlight an existing CRL and click Edit. The Add/Edit CRL dialog box displays.

Figure 7-9: Adding a CRL

3.

Give the CRL a name.

4.

From the drop-down list, select the method to use to install the CRL; click Install.


Remote URL:
Enter the fully-qualified URL, including the filename, where the CRL is located. To view the
file before installing it, click View. Click Install.
The Install CRL dialog displays. Examine the installation status that displays; click OK.

283

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy

Figure 7-10: Specifying the Remote Location of a CRL



Local File:
Click Browse to display the Local File Browse window. Browse for the CRL file on the local
system. Open it and click Install. When the installation is complete, a results window opens.
View the results, close the window, click Close.

Figure 7-11: Specifying the Local Location of a CRL



Text Editor:

Copy a new CRL file into the window, and click Install.
When the installation is complete, a results window opens. View the results, close the window,
click Close.

284

Chapter 7: Using Secure Services

Section B: Configuring HTTPS Reverse Proxy

Note:

The Management Console text editor is a way to enter a CRL file. It is not a way to
enter CLI commands.

Figure 7-12: Using the ProxySG Text Editor

5.

Click Apply.

To Create a CRL through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) ssl
SGOS#(config ssl) create crl list_name
SGOS#(config ssl) edit crl list_name
SGOS#(config ssl crl list_name) path url

where url is a fully-qualified URL, including the filename, where the installable list is
located.
SGOS#(config ssl crl list_name) load list_name

285

Blue Coat ProxySG Configuration and Management Guide

Section B: Configuring HTTPS Reverse Proxy
To Create an Installable List through the CLI Inline Commands
1.

Copy the CRL to the clipboard.

2.

At the (config) command prompt, enter the following commands:
SGOS#(config) ssl
SGOS#(config ssl) inline crl CRL_list_name eof
Paste CRL here
eof

Troubleshooting Certificate Problems


If the client does not trust the Certificate Signing Authority that has signed the ProxySG
Appliance’s certificate, an error message similar to the following appears in the event log:
2004-02-13 07:29:28-05:00EST "CFSSL:SSL_accept error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown" 0 310000:1
../cf_ssl.cpp:1398

This commonly occurs when you use the HTTPS-Console service on port 8082, which uses a
self-signed certificate by default. When you access the Management Console over HTTPS, the
browser displays a pop-up that says that the security certificate is not trusted and asks if you want
to proceed. If you select No instead of proceeding, the browser sends an unknown CA alert to the
ProxySG.
You can eliminate the error message one of two ways:



286



If this was caused by the Blue Coat self-signed certificate (the certificate associated with the
default keyring), import the certificate as from a trusted Certificate Signing Authority in
Internet Explorer.



Import a certificate on the ProxySG that is signed by a well-known Certificate Signing
Authority and use that for HTTPS Console access and HTTPS Reverse Proxy.

If the ProxySG’s certificate is not accepted because of a host name mismatch or it is an invalid
certificate, you can correct the problem by creating a new certificate and editing the
HTTPS-Console service to use it. For information on editing the HTTPS-Console service, see
“Managing the HTTPS Console (Secure Console)” on page 148.

Chapter 7: Using Secure Services

Section C: Managing the SSL Client

Section C: Managing the SSL Client
The SSL client:


Determines which certificates can be presented to origin servers if the secure server requires the
ProxySG to present a certificate.



Identifies the protocol the ProxySG uses in negotiations with origin servers.



Identifies the cipher suites to be used with the certificate.

You can change the protocol and the cipher suites used.
You must associate a keyring with the SSL client if the ProxySG is obtaining content through HTTPS
from an origin content server (OCS) that requires a client certificate to be presented. If the OCS
requires a client certificate and no keyring is associated with the SSL client, the connections fails. For
information on creating a keyring, see “Creating a Keyring” on page 267.

Creating an SSL Client
The ProxySG is configured with a default SSL client.
Note:

Only one SSL client can be created on a ProxySG.

Creation of the SSL client means that for every HTTPS connection to the destination server, the
ProxySG picks the parameters needed for negotiating the SSL connection from the SSL-client
configuration. Thus, multiple SSL connections to different HTTPS destination servers can be
supported with a single SSL-client configuration. This is similar to a browser where one configuration
is used to negotiate multiple connections with different hosts.
When the ProxySG is acting as an SSL client (SSL origination), SSL sessions are re-used until the server
forces a fresh handshake or until the same session ID has been used 255 times.
If you just need to change the protocol, the cipher suites, or the keyring associated with the SSL client,
you do not need to recreate the client. Continue with “Associating a Keyring and Protocol with the
SSL Client” on page 288 or “Changing the Cipher Suites of the SSL Client” on page 289.
To Create the SSL Client through the CLI
SGOS#(config ssl) create ssl-client default
defaulting protocol to SSLv2v3TLSv1
defaulting associated keyring-id to default
ok

To Delete the SSL Client through the CLI
SGOS#(config ssl) delete ssl-client default
ok

287

Blue Coat ProxySG Configuration and Management Guide

Section C: Managing the SSL Client

Associating a Keyring and Protocol with the SSL Client
The SSL client, called default, already exists on the ProxySG. Keyrings that are not used to
authenticate encrypted connections do not need to be associated with the SSL client.
Important: Only one keyring can be associated with the SSL client at a time.
To Associate a Keyring with the SSL Client and Change the Protocol Version through the Management
Console
1.

Select Configuration>SSL>SSL Client.

Figure 7-13: SSL Client

2.

To use the SSL client, verify Use SSL Client is selected.

3.

Only keyrings with certificates can be associated with the SSL client, displayed in the Keyring
drop-down list. Select the keyring used to negotiate with origin content servers through an
encrypted connection.

4.

You can change the SSL Versions default from SSLv2v3TLSv1 to any other protocol listed in the
drop-down list.

5.

Click Apply.

To Associate a Keyring and Protocol with the SSL Client through the CLI
1.

To associate a keyring with the SSL client, enter the following commands at the (config)
command prompt:
SGOS#(config) ssl
SGOS#(config ssl) edit ssl-client default
SGOS#(config ssl ssl-client default) keyring-id keyring_id
SGOS#(config ssl ssl-client default) protocol {sslv2 | sslv3 | tlsv1 |
sslv2v3 | sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1}

Note:

To configure the ProxySG to accept only SSL version 3 traffic, for example, use the
sslv3 parameter. To configure the ProxySG to accept SSL version 2 and version 3
traffic, use the sslv2v3 parameter.

2.

288

View the results. The results also show the current value of the cipher suites, which is discussed in
“Changing the Cipher Suites of the SSL Client” on page 289.

Chapter 7: Using Secure Services

Section C: Managing the SSL Client
SGOS#(config ssl ssl-client default) view
SSL-Client Name

Keyring Name

Protocol

default

default

SSLv2v3TLSv1

Changing the Cipher Suites of the SSL Client
The cipher suite sets the encryption method used by the ProxySG. As the encryption key strength is
determined by the signed certificate, configuring a higher cipher suite than defined by the certificate
has no affect. Conversely, the cipher suite configuration must be high enough to accommodate
certification encryption values.
This can only be done through the CLI.
To Change the Cipher Suite of the SSL Client through the CLI
The default is to use all ciphers.
You have a choice of using the interactive or non-interactive create command.
Note:

Director uses non-interactive commands in profiles and overlays to create cipher suites.
For more information on Director, refer to the Blue Coat Director Configuration and
Management Guide.)

To change the cipher suites used through the:


interactive command: continue with the next procedure.



non-interactive command: skip to “To Change the Cipher Suites Non-interactively” on page 290.

To Change the Cipher Suites using the Interactive Cipher-Suites Command:
Note that the Use column in the set cipher-suite output below indicates that the default is to use
all ciphers.
1.

Choose the cipher suites you want to use at the prompt.
SGOS#(config) ssl
SGOS#(config ssl) edit ssl-client default
SGOS#(config ssl ssl-client default) cipher-suite
SSL-Client Name
-------------default
Cipher#
------1
2
3
4

289

Use
--yes
no
no
no

Keyring Name
-----------default
Description
-------------------RC4-MD5
RC4-SHA
DES-CBC3-SHA
DES-CBC3-MD5

Protocol
-----------SSLv2v3TLSv1
Strength
-------Medium
Medium
High
High

Blue Coat ProxySG Configuration and Management Guide

Section C: Managing the SSL Client
5
6
7
8
9
10
11
12
13
14
15
16
17

no
no
no
no
no
no
no
no
no
no
no
no
no

RC2-CBC-MD5
RC4-64-MD5
DES-CBC-SHA
DES-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-DES-CBC-SHA
EXP-RC4-MD5
EXP-RC2-CBC-MD5
EXP-DES-CBC-SHA
AES128-SHA
AES256-SHA

Medium
Low
Low
Low
Export
Export
Export
Export
Export
Export
Export
Medium
High

Select cipher numbers to use, separated by commas: 1,3,4
ok

2.

(Optional) View the results. Notice the change in the Use column.
SGOS#(config ssl ssl-client default) view
SSL-Client Name
--------------default
Cipher#
------1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

Use
--yes
no
yes
yes
no
no
no
no
no
no
no
no
no
no
no
no
no

Keyring Name
-----------default
Description
-------------------RC4-MD5
RC4-SHA
DES-CBC3-SHA
DES-CBC3-MD5
RC2-CBC-MD5
RC4-64-MD5
DES-CBC-SHA
DES-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-DES-CBC-SHA
EXP-RC4-MD5
EXP-RC2-CBC-MD5
EXP-DES-CBC-SHA
AES128-SHA
AES256-SHA

Protocol
-----------SSLv2v3TLSv1
Strength
-------Medium
Medium
High
High
Medium
Low
Low
Low
Export
Export
Export
Export
Export
Export
Export
Medium
High

To Change the Cipher Suites Non-interactively
Enter the following commands:
SGOS#(config) ssl
SGOS#(config ssl) edit ssl-client default
SGOS#(config ssl ssl-client default) cipher-suite cipher-suite cipher-suite

where [cipher-suite] can be any combination of the following:

290

Chapter 7: Using Secure Services

Section C: Managing the SSL Client
1. rc4-md5
2. rc4-sha
3. des-cbc3-sha
4. des-cbc3-md5
5. rc2-cbc-md5
6. rc4-64-md5
7. des-cbc-sha
8. des-cbc-md5
9. exp1024-rc4-md5
10.exp1024-rc4-sha
11.exp1024-rc2-cbc-md5
12.exp1024-des-cbc-sha
13.exp-rc4-md5
14.exp-rc2-cbc-md5
15.exp-des-cbc-sha
16.aes128-sha
17.aes256-sha

Notes:


If you do not specify any attributes, the interactive mode is assumed, meaning that the cipher
suites cannot be used by Director in profiles or overlays.



Multiple cipher suites can be specified on the command line.

Example
SGOS#(config ssl ssl-client default) cipher-suite rc4-md5 des-cbc3-md5
exp1024-rc4-md5 exp-des-cbc-sha
ok
SGOS#(config ssl ssl-client default) view
SSL-Client Name
Keyring Name
Protocol
-----------------------------------default
default
SSLv2v3TLSv1
Cipher#
------1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

291

Use
--no
no
no
no
no
no
no
no
no
no
no
no
no
no
yes
no
no

Description
-------------------RC4-MD5
RC4-SHA
DES-CBC3-SHA
DES-CBC3-MD5
RC2-CBC-MD5
RC4-64-MD5
DES-CBC-SHA
DES-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-DES-CBC-SHA
EXP-RC4-MD5
EXP-RC2-CBC-MD5
EXP-DES-CBC-SHA
AES128-SHA
AES256-SHA

Strength
-------Medium
Medium
High
High
Medium
Low
Low
Low
Export
Export
Export
Export
Export
Export
Export
Medium
High

Blue Coat ProxySG Configuration and Management Guide

Section C: Managing the SSL Client

Troubleshooting Server Certificate Verification
Server certificate verification can be disabled for all upstream hosts or specific upstream hosts. The
ProxySG, by default, verifies the SSL certificate presented by the upstream HTTPS server. However, it
fails to negotiate the SSL connection if SSL certificate verification fails.
The two most common causes of server certificate verification failure are:


The absence of a suitable CA certificate on the ProxySG. Ensure that the ProxySG is configured
with the relevant CA certificates to avoid unwanted verification failures. The default behavior can
be changed by using the http ssl-verify-server option.
If a forwarding host of type HTTPS server is being used, you can override the default behavior by
changing the ssl-verify-server option on a per-host basis.



The server is using a self-signed certificate. In this case, you need to change the keyring to one that
has a CA certificate.

Setting the SSL Negotiation Timeout
The SSL negotiation timeout value dictates the time a ProxySG waits for a new SSL handshake to
complete. This value applies to both HTTPS Reverse Proxy and SSL origination.
You can change the default SSL negotiation timeout value if the default, 300 seconds, is not sufficient
for your environment. This value can only be changed through the CLI; it cannot be set from the
Management Console.
To change the HTTPS Reverse Proxy timeout period, enter the follow commands from the command
prompt:
SGOS#(config) ssl
SGOS#(config ssl) view ssl-nego-timeout
300
SGOS#(config ssl) ssl-nego-timeout seconds

292

Chapter 7: Using Secure Services

Section D: Configuring HTTP or HTTPS Origination to the Origin Content Server
where:
host_alias

ip_address

Specifies the IP address of the OCS.

host_name

url

Specifies the URL of the OCS, such as www.bluecoat.com.

http

[=port_number]

Specifies the port number on the OCS in which HTTP is
listening.

server

server specifies to use the relative path for URLs in the
HTTP header because the next hop is a Web server, not a
proxy server. Proxy is the default.

Creating Policy for HTTP and HTTPS Origination
Forwarding hosts must be already created on the ProxySG before forwarding policy can be created.
To Create a Policy using CPL

url.host=host_name forward(host_alias)

To Create a Policy using VPM

295

1.

In the VPM module, create a Forwarding layer.

2.

Set the Destination to be the URL of the OCS.

3.

Set the Action to forward to the forwarding host and configure parameters to control forwarding
behavior.

Blue Coat ProxySG Configuration and Management Guide

Section E: Advanced Configuration

Section E: Advanced Configuration
This section includes the following topics:


"Importing an Existing Keypair and Certificate"



"About Certificate Chains"



"Importing a CA Certificate"



"Creating CA Certificate Lists"

Importing an Existing Keypair and Certificate
If you have a keypair and certificate from another system, you can import it for use on a different
system. You can also import a certificate chain containing multiple certificates in a single operation.
Use the inline certificate command to import multiple certificates through the CLI.
If you are importing a keyring and one or more certificates onto a ProxySG, first import the keyring,
followed by the related certificates. The certificates contain the public key from the keyring, and the
keyring and certificates are related.
To Import a Keyring through the Management Console
1.

Copy the already-created keypair onto the clipboard.

2.

Select Configuration>SSL>Keyrings>SSL Keyrings.

3.

Click Create.
The Create Keyring dialog appears.

Figure 7-14: Import a Keyring

296

Chapter 7: Using Secure Services

Section E: Advanced Configuration
4.

Fill in the dialog window as follows:


Keyring Name: Give the keyring a meaningful name to you.



Select the show option:


show: Keyrings created with this attribute can be included as part of a profile or overlay
pushed by Director.



show-director: Keyrings created with this attribute can be included as part of a profile

or overlay pushed by Director.




no-show: Keyrings created with this attribute cannot be part of a profile. The no-show
option is provided as additional security for environments where the keys will never be
used outside of the particular ProxySG.

Select the keyring length in the Create a new ______ -bit keyring field. A length of 1024 bits is the
maximum (and default). Longer keypairs provide better security, but with a slight
performance expense on the ProxySG. Be aware that the maximum key length allowed for
international export might be different than the default. For deployments reaching outside of
the US, determine the maximum key length allowed for export.
Click OK. The keyring, containing a keypair, is created with the name you chose. It does not
yet have an associated certificate associated. To associate a certificate, see “Deleting an
Existing Keyring and Certificate” on page 271.
-or-



Select the Import keyring radio button.
The grayed-out Keyring field becomes enabled, allowing you to paste in the already existing
keypair. The certificate associated with this keypair must be imported separately.
If the keypair that is being imported has been encrypted with a password, select Keyring
Password and enter the password into the field.

5.

Click OK.

To Import a Certificate and Associate it with a Keyring through the Management Console
1.

Copy the certificate onto the clipboard.

2.

Select Configuration>SSL>Keyrings and click Edit/view.

3.

From the drop-down list, select the keyring that you just imported.

4.

Click Import in the Certificate field.

5.

Paste the certificate into the Import Certificate dialog that appears. Be sure to include the
----BEGIN CERTIFICATE---- and -----END CERTIFICATE---- statements.

6.

Click OK.

To Import a Keyring through the CLI Using Inline Commands

297

1.

Copy the keyring to the clipboard.

2.

At the (config) command prompt, enter the following commands:

Blue Coat ProxySG Configuration and Management Guide

Section E: Advanced Configuration
SGOS#(config) ssl
SGOS#(config ssl) inline {keyring show | show-director | no-show} keyring_id
eof
Paste keypair here
eof

where:


Show allows the keys, and everything in the keys, to be exported.



no-show prevents the keypair from being exported.



show-director is a keyring viewable only if Director is issuing the command using a

SSH-RSA connection.
Note:



The choice of show/show-director/no-show has implications for whether keyrings
are included in profiles and backups created by Director. For more information, refer
to the Blue Coat Director User Guide.

eof: End-of-file marker. This can be anything, as long as it does not also appear in the
inline text. (If it appears in the inline text, the inline command completes at that point.)

To Import a Certificate and Associate it with a Keyring through the CLI
Note:

The keyring you want to associate with the certificate must already be on this ProxySG.
The key and certificate must be imported onto the ProxySG in PEM (base64 encoded text)
format.

1.

Copy the certificate or certificate chain to the clipboard. Be sure to include the ----BEGIN
CERTIFICATE---- and -----END CERTIFICATE---- statements.

2.

At the (config) command prompt, enter the following commands:
SGOS#(config) ssl
SGOS#(config ssl) inline certificate keyring_id eof
Paste certificate here
eof

About Certificate Chains
A certificate chain is one that requires that the certificates form a chain where the next certificate in the
chain validates the previous certificate, going up the chain to the root, which is signed by a
well-known root certificate provider. However, expiration is done at the single certificate level and is
checked independently of the chain verification. Each certificate in the chain must not have expired
for the entire chain to be valid. You can import a certificate chain containing multiple certificates in a
single operation.
The valid certificate chain can be presented to a browser. To get the ProxySG to present a valid
certificate chain, the keyring for the HTTPS service must be updated.

298

Chapter 7: Using Secure Services

Section E: Advanced Configuration
The ProxySG Appliance's CA-certificate list must also be updated if the ProxySG uses HTTPS to
communicate with the origin server and if the ProxySG is configured, through the
ssl-verify-server option, to verify the certificate (chain) presented by HTTPS server. If the
ProxySG uses HTTP to communicate with the origin server, updating the CA-certificate list has no
effect.

Importing a CA Certificate
A CA Certificate is a certificate that verifies the identity of a Certificate Authority. The certificate is
used by the ProxySG to verify server certificates and client certificates.
To Import an Approved CA Certificate through the Management Console
1.

Copy the certificate to the clipboard.

2.

Select Configuration>SSL>CA Certificates>CA Certificates.
The CA Certificates tab displays, with its list of existing CA certificates.

Figure 7-15: CA Certificates

3.

Click Import.
The Import CA Certificate dialog displays.

299

Blue Coat ProxySG Configuration and Management Guide

Section E: Advanced Configuration

Figure 7-16: Import CA Certificate Dialog

4.

Give the certificate a name.
Note:

Spaces in CA Certificate names are not supported. Including a space can cause
unexpected errors while using such certificates.

5.

Paste the signed CA Certificate into the Import CA Certificate field.

6.

Click OK.

7.

When the certificate displays in the Certificate tab, click Apply.

To View a CA Certificate through the Management Console
1.

Select Configuration>SSL>CA Certificates>CA Certificates.

2.

Select the certificate you want to view.

3.

Click View.
The certificate displays.

Figure 7-17: View CA Certificate

300

Chapter 7: Using Secure Services

Section E: Advanced Configuration
4.

Examine the contents and click Close.

To Delete a CA Certificate through the Management Console
1.

Select Configuration>SSL>CA Certificates>CA Certificates.

2.

Select the certificate to delete.

3.

Click Delete.

4.

Click OK.

5.

Click Apply.

To Import a CA Certificate through the CLI Using Inline Commands
1.

Copy the certificate to the clipboard.

2.

At the (config) command prompt, enter the following commands:
SGOS#(config) ssl
SGOS#(config ssl) inline ca-certificate ca_certificate_name eof
Paste certificate here
eof

3.

(Optional) You can view the certificate you just imported, a summary of the just-imported
certificate, or a summary of all CA Certificates.
a.

To view the certificate you just imported:
SGOS#(config ssl) view ca-certificate ca_certificate_name
-----BEGIN CERTIFICATE----MIIEJzCCA5CgAwIBAgIEN35hxjANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMC
VVMxLTArBgNVBAoTJEZpcnN0IERhdGEgRGlnaXRhbCBDZXJ0aWZpY2F0ZXMgSW5j
LjFFMEMGA1UEAxM8Rmlyc3QgRGF0YSBEaWdpdGFsIENlcnRpZmljYXRlcyBJbmMu
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk5MDcwMzE4NDczNFoXDTE5MDcw
MzE5MTczNFowgYMxCzAJBgNVBAYTAlVTMS0wKwYDVQQKEyRGaXJzdCBEYXRhIERp
Z2l0YWwgQ2VydGlmaWNhdGVzIEluYy4xRTBDBgNVBAMTPEZpcnN0IERhdGEgRGln
aXRhbCBDZXJ0aWZpY2F0ZXMgSW5jLiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCB
nTANBgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEA3xwUHgm5v6RAciCZebaEIvTXhZLF
BCToBy4C5BeVBTeVdj38seUPhw5iuSwwlybhCxVnAKYV3uiNy5XsAlhSwEdlM0xW
nwofBMA3UIFXut/68mtn68vQgA/ZV5UQZXsGRVjrrrRe45MVK5m8tikv+0KfRysu
TOs0KDKZDu//b6ECAQOjggGmMIIBojARBglghkgBhvhCAQEEBAMCAAcwgawGA1Ud
HwSBpDCBoTCBnqCBm6CBmKSBlTCBkjELMAkGA1UEBhMCVVMxLTArBgNVBAoTJEZp
cnN0IERhdGEgRGlnaXRhbCBDZXJ0aWZpY2F0ZXMgSW5jLjFFMEMGA1UEAxM8Rmly
c3QgRGF0YSBEaWdpdGFsIENlcnRpZmljYXRlcyBJbmMuIENlcnRpZmljYXRpb24g
QXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCsGA1UdEAQkMCKADzE5OTkwNzAzMTg0
NzM0WoEPMjAxOTA3MDMxODQ3MzRaMAsGA1UdDwQEAwIBBjAfBgNVHSMEGDAWgBSm
uCDJFkuPT1wMw8PumA0+fu5WVTAdBgNVHQ4EFgQUprggyRZLj09cDMPD7pgNPn7u
VlUwDAYDVR0TBAUwAwEB/zA7BgNVHSUENDAyBggrBgEFBQcDAQYIKwYBBQUHAwIG
CCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgwGQYJKoZIhvZ9B0EABAwwChsE
VjQuMAMCBJAwDQYJKoZIhvcNAQEEBQADgYEAEObEaCOpbLeXSbFzNp3+v3KiDhLC
KlEGH2mTlDARNYVOqHkG43FVPBxWYx5Ee2qBwjB1bN7z8gzDTsp/ycbAX1/vxAZi
qk/6EN4yzOAu/2rixcdFKXU5+YxZC8ZrmQSYWsy6v7F4ApGqtoeAO1cUWzz8zAPK
hqGZqDpta2V+Ubg=
-----END CERTIFICATE-----

301

Blue Coat ProxySG Configuration and Management Guide

Section E: Advanced Configuration
b.

To view a summary of the certificate you just imported.
SGOS#(config ssl) view summary ca-certificate ca_certificate_name
CA Certificate ID: ca_certificate_name
Is certificate valid? yes
CA: First Data Digital Certificates Inc.
Expiration Date: Jul 03 19:17:34 2019 GMT
Fingerprint: 70:B5:7C:48:81:95:3E:80:DC:28:9B:BA:EF:1E:E4:85

c.

To view summaries of all CA Certificates on the ProxySG:
SGOS#(config ssl) view summary ca-certificate

A long list of certificates are displayed, each with the summary information displayed
above.

Creating CA Certificate Lists
A CA certificate list can refer to any subset of the available CA Certificates on the ProxySG. When
configuring an HTTPS service to do HTTPS Reverse Proxy, this list can be specified to restrict the set
of certificate authorities that are trusted to validate client certificates presented to that service.
The default is that no list is configured; all certificates are used in authentication.
To Create a CA-Certificate List through the Management Console
1.

Select Configuration>SSL>CA Certificates>CA Certificate Lists.

Figure 7-18: SSL CA-Certificates Lists Dialog

The current CA-Certificate lists display in the pane.
2.

Click New to create a new list.
The Create CA Certificate List dialog displays.

302

Chapter 7: Using Secure Services

Section E: Advanced Configuration

Figure 7-19: Create CA Certificate List Dialog

3.

Enter a name meaningful to you for the list in the CA-Certificate List Name field.

4.

To add CA Certificates to the list, highlight the certificate and click Add. You cannot add a
certificate to a certificate list if it is not already present.

5.

To remove CA Certificates from the list, highlight the certificate in the Add list and click Remove.

6.

Click OK; click Apply.

To Create CA-Certificate Lists through the CLI
1.

At the (config) command prompt, view the CA certificates already existing on the system. You
cannot add a certificate to a certificate list if it is not already present.
SGOS#(config) ssl
SGOS#(config ssl) view summary ca-certificate

All the CA Certificates on the system display.
2.

Enter the followings commands to create a list and add existing certificates to the list you just
generated.
SGOS#(config ssl) create ccl list_name
SGOS#(config ssl) edit ccl list_name

The prompt changes, putting you in ccl submode.
SGOS#(config ssl ccl list_name) add ca_cert_name

3.

Repeat the above command until you have entered all the needed certificates. You can have more
than one CA-Certificate list. Each list can have an unlimited number of certificates.

4.

(Optional) View the list.
SGOS#(config ssl ccl list_name) view
CA Certificate ID: VRSN_Secure_Server_CA
Is certificate valid? yes
CA: RSA Data Security, Inc.
Expiration Date: Jan 07 23:59:59 2010 GMT
Fingerprint: 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

303

Blue Coat ProxySG Configuration and Management Guide

Section E: Advanced Configuration
CA Certificate ID: DeutscheTelekom
Is certificate valid? yes
CA: Deutsche Telekom AG
Expiration Date: Jul 09 23:59:00 2019 GMT
Fingerprint: 9B:34:0D:1A:31:5B:97:46:26:98:BC:A6:13:6A:71:96
CA Certificate ID: CWHKT_SecureNetA
Is certificate valid? yes
CA: C&W HKT SecureNet CA Class A
Expiration Date: Oct 15 23:59:00 2009
Fingerprint: E2:D5:20:23:EC:EE:B8:72:E1:2B:5D:29:6F:FA:43:DA

To Delete a CA Certificate through the CLI
At the (config) command prompt, enter the following commands:
SGOS#(config) ssl
SGOS#(config ssl) delete ca-certificate ca_certificate_name

304

Chapter 8: Security and Authentication

Enterprise-wide security begins with security on the ProxySG itself, and continues with controlling
user access to the Intranet and Internet.
Table 8.1 defines some common security and authentication terms.
Table 8.1: Security and Authentication Terms
Term

Definition

proxy

Caches content, filters traffic, monitors Internet and intranet resource usage,
blocks specific Internet and intranet resources for individuals or groups, and
enhances the quality of Internet or intranet user experiences.
A proxy can also serve as an intermediary between a Web client and a Web server
and can require authentication to allow identity based policy and logging for the
client.
The rules used to authenticate a client are based on the policies you create on the
ProxySG, which can reference an existing security infrastructure—LDAP,
RADIUS, IWA, and the like, discussed in more detail in Chapter 9: “Using
Authentication Services” on page 335.

explicit proxy

A configuration in which the browser is explicitly configured to communicate
with the proxy server for access to content.
This is the default for the ProxySG, and requires configuration for both browser
and the interface card.

transparent proxy

A configuration in which traffic is redirected to the ProxySG without the
knowledge of the client browser. No configuration is required on the browser, but
network configuration, such as an L4 switch or a WCCP-compliant router, is
required.

forward proxy

A proxy server deployed close to the clients and used to access many servers. A
forward proxy can be explicit or transparent.

reverse proxy

A proxy that acts as a front-end to a small number of pre-defined servers,
typically to improve performance. Many clients can use it to access the small
number of predefined servers.

SSL

A standard protocol for secure communication over the network. Blue Coat
recommends using this protocol to protect sensitive information.

authentication

The process of identifying a specific user.

authorization

The permissions given to a specific user.

305

Blue Coat ProxySG Configuration and Management Guide

Table 8.1: Security and Authentication Terms (Continued)
Term

Definition

realms

A realm is a named collection of information about users and groups. The name is
referenced in policy to control authentication and authorization of users for access
to Blue Coat Systems ProxySG services. Multiple authentication realms can be
used on a single ProxySG. Realm services include IWA, LDAP, Local, and
RADIUS. For detailed information on realms, see Chapter 9: “Using
Authentication Services” on page 335.

serial console

A device that allows you to connect to the ProxySG when it is otherwise
unreachable, without using the network. It can be used to administer the ProxySG
through the CLI. You must use the CLI to use a serial console.
Anyone with access to the serial console can change the administrative access
controls, so physical security of the serial console is critical.

SSH and HTTPS are the recommended (and default) methods for managing access to the ProxySG.
SSL is the recommended protocol for communication between the ProxySG and a realm's off-box
authentication server.
This chapter contains the following sections:

306



"Controlling Access to the ProxySG"



"Controlling Access to the Internet and Intranet"

Chapter 8: Security and Authentication

Section A: Controlling Access to the ProxySG

Section A: Controlling Access to the ProxySG
You can control access to the ProxySG several ways: by limiting physical access to the system, by
using passwords, restricting the use of console account, through per-user RSA public key
authentication, and through Blue Coat Content Policy Language (CPL). How secure the system needs
to be depends upon the environment.
This section contains:


"Limiting Access to the ProxySG Appliance"



"About Password Security"



"Limiting User Access to the ProxySG—Overview"



"Moderate Security: Restricting Management Console Access Through the Console Access
Control List (ACL)"



"Maximum Security: Administrative Authentication and Authorization Policy"

Limiting Access to the ProxySG Appliance
You can limit access to the ProxySG appliance by:


Restricting physical access to the system and by requiring a PIN to access the front panel.



Restricting the IP addresses that are permitted to connect to the ProxySG CLI.



Requiring a password to secure the Setup Console.

These methods are in addition to the restrictions placed on the console account (a console account user
password) and the Enable password. For information on using the console account, see "Changing the
Username and Password through the Management Console" on page 59.
By using every possible method (physically limiting access, limiting workstation IP addresses, and
using passwords), the ProxySG is very secure.
This section discusses:


"Requiring a PIN for the Front Panel"



"Limiting Workstation Access"



"Securing the Serial Port"

Requiring a PIN for the Front Panel
On systems that have a front panel display, you can create a four-digit PIN to protect the system from
unauthorized use. The PIN is hashed and stored. You can only create a PIN from the command line.
To create a front panel PIN, after initial configuration is complete:
From the (config) prompt:
SGOS#(config) security front-panel-pin PIN

where PIN is a four-digit number.

307

Blue Coat ProxySG Configuration and Management Guide

Section A: Controlling Access to the ProxySG
To clear the front-panel PIN, enter
SGOS#(config) security front-panel-pin 0000

Limiting Workstation Access
During initial configuration, you have the option of preventing workstations with unauthorized IP
addresses from accessing the CLI. If this option is not enabled, all workstations are allowed to access
the CLI. You can also add allowed workstations later to the access control list (ACL). (For more
information on limiting workstation access, see "Moderate Security: Restricting Management Console
Access Through the Console Access Control List (ACL)" on page 311.)

Securing the Serial Port
If you choose to secure the serial sort, you must provide a Setup Console password that is required to
access the Setup Console in the future.
Once the secure serial port is enabled:


The Setup Console password is required to access the Setup Console.



An authentication challenge (username and password) is issued to access the CLI through the
serial port.

To recover from a lost Setup Console password, you can:


Use the Front Panel display to either disable the secure serial port or enter a new Setup Console
password.



Use the CLI restore-defaults factory-defaults command to delete all system settings. For
information on using the restore-defaults factory-defaults command, see
"Factory-Defaults" on page 927.



Use the reset button (if the appliance has a reset button) to delete all system settings.

To enable the secure serial port, refer to the Installation Guide for your platform.

About Password Security
In the ProxySG, the console administrator password, the Setup Console password, and Enable
(privileged-mode) password are hashed and stored. It is not possible to reverse the hash to recover the
plaintext passwords.
In addition, the show config and show security CLI commands display these passwords in their
hashed form. The length of the hashed password depends on the hash algorithm used so it is not a
fixed length across the board.
Passwords that the ProxySG uses to authenticate itself to outside services are encrypted using
triple-DES on the appliance, and using RSA public key encryption for output with the show config
CLI command. You can use a third-party encryption application to create encrypted passwords and
copy them into the ProxySG using an encrypted-password command (which is available in several
modes and described in those modes). If you use a third-party encryption application, verify it
supports RSA encryption, OAEP padding, and Base64 encoded with no new lines.

308

Chapter 8: Security and Authentication

Section A: Controlling Access to the ProxySG
These passwords, set up during configuration of the external service, include:


Access log FTP client passwords (primary, alternate)—For configuration information, see "Editing
the FTP Client" on page 903



Archive configuration FTP password—For configuration information, see "Archive
Configuration" on page 76



RADIUS primary and alternate secret—For configuration information, see "Defining RADIUS
Realm Properties" on page 387



LDAP search password—For configuration information, see "LDAP Search & Groups Tab
(Authorization and Group Information)" on page 365



Content filter download passwords—For configuration information, see Chapter 18: “Content
Filtering” on page 773

Limiting User Access to the ProxySG—Overview
When deciding how to give other users read-only or read-write access to the ProxySG, sharing the
basic console account settings is only one option. The following summarizes all available options:
Note:

If Telnet Console access is configured, Telnet can be used to manage the ProxySG with
behavior similar to SSH with password authentication.
SSL configuration is not allowed through Telnet, but is permissible through SSH.
Behavior in the following sections that applies to SSH with password authentication also
applies to Telnet. Use of Telnet is not recommended because it is not a secure protocol.



Console account—minimum security
The console account username and password are evaluated when the ProxySG is accessed from
the Management Console through a browser and from the CLI through SSH with password
authentication. The Enable (privileged-mode) password is evaluated when the console account is
used through SSH with password authentication and when the CLI is accessed through the serial
console and through SSH with RSA authentication. The simplest way to give access to others is
sharing this basic console account information, but it is the least secure and is not recommended.
To give read-only access to the CLI, do not give out the Enable (privileged-mode) password.



Console access control list—moderate security
Using the access control list (ACL) allows you to further restrict use of the console account and
SSH with RSA authentication to workstations identified by their IP address and subnet mask.
When the ACL is enforced, the console account can only be used by workstations defined in the
console ACL. Also, SSH with RSA authentication connections are only valid from workstations
specified in the console ACL (provided it is enabled).

309

Blue Coat ProxySG Configuration and Management Guide

Section A: Controlling Access to the ProxySG
After setting the console account username, password, and Enable (privileged-mode) password,
use the CLI or the Management Console to create a console ACL. See "Moderate Security:
Restricting Management Console Access Through the Console Access Control List (ACL)" on
page 311.


Per-user RSA public key authentication—moderate security
Each administrator’s public keys are stored on the appliance. When connecting through SSH, the
administrator logs in with no password exchange. Authentication occurs by verifying knowledge
of the corresponding private key. This is secure because the passwords never go over the network.
This is a less flexible option than CPL because you cannot control level of access with policy, but it
is a better choice than sharing the console credentials.



Blue Coat Content Policy Language (CPL)—maximum security
CPL allows you to control administrative access to the ProxySG through policy. If the credentials
supplied are not the console account username and password, policy is evaluated when the
ProxySG is accessed through SSH with password authentication or the Management Console.
Policy is never evaluated on direct serial console connections or SSH connections using RSA
authentication.


Using the CLI or the Management Console GUI, create an authentication realm to be used for
authorizing administrative access. For administrative access, the realm must support BASIC
credentials—for example, LDAP, RADIUS, Local, or IWA with BASIC credentials enabled. For
more information on realms, see Chapter 9: “Using Authentication Services” on page 335.



Using the Visual Policy Manager, or by adding CPL rules to the Local or Central policy file,
specify policy rules that: (1) require administrators to log in using credentials from the
previously-created administrative realm, and (2) specify the conditions under which
administrators are either denied all access, given read-only access, or given read-write access.
Authorization can be based on IP address, group membership, time of day, and many other
conditions. For more information, see "Defining Policies Using the Visual Policy Manager" on
page 314.



To prevent anyone from using the console credentials to manage the ProxySG, set the console
ACL to deny all access (unless you plan to use SSH with RSA authentication). For more
information, see "Moderate Security: Restricting Management Console Access Through the
Console Access Control List (ACL)" on page 311. You can also restrict access to a single IP
address that can be used as the emergency recovery workstation.

The following chart details the various ways administrators can access the ProxySG console and the
authentication and authorization methods that apply to each.
Table 8.2: ProxySG Console Access Methods/Available Security Measures
Security Measures Available

Username and password evaluated
(console-level credentials)

310

Serial Console

SSH with
Password
Authentication

3

SSH with RSA
Authentication

Management
Console

3

Chapter 8: Security and Authentication

Section A: Controlling Access to the ProxySG
Table 8.2: ProxySG Console Access Methods/Available Security Measures (Continued)

3

Console Access List evaluated

CPL Layer evaluated

3

3(if console

(if console
credentials are
offered)

credentials are
offered)

3(see Note 1
below)

3(see Note 2
below)

Enable password required to enter
privileged mode (see Note 2 below)

3

3

3

CLI line-vty timeout command
applies.

3

3

3

Management Console Login/Logout

3

Note 1: When using SSH (with a password) and credentials other than the console account, the enable
password is actually the same as the login password. The privileged mode password set during
configuration is used only in the serial console, SSH with RSA authentication, or when logging in with
the console account.
Note 2: In this case, user credentials are evaluated against the policy before executing each CLI
command. If you log in using the console account, user credentials are not evaluated against the
policy.

Moderate Security: Restricting Management Console Access Through
the Console Access Control List (ACL)
The ProxySG allows you to limit access to the Management Console and CLI through the console
ACL. An ACL, once set up, is enforced only when console credentials are used to access either the CLI
or the Management Console, or when an SSH with RSA authentication connection is attempted. The
following procedure specifies an ACL that lists the IP addresses permitted access.
To Create an ACL through the Management Console
1.

311

Select Configuration>Authentication>Console Access>Console Access.

Blue Coat ProxySG Configuration and Management Guide

Section A: Controlling Access to the ProxySG

Figure 8-1: Console Access Tab

2.

(Optional) To add a new address to the ACL, click New.
The Add List Item dialog is displayed.

Figure 8-2: Add List Item Dialog

a.

In the IP/Subnet fields, enter a static IP address.

b.

In the Mask fields, enter the subnet mask. To restrict access to an individual workstation,
enter 255.255.255.255.

c.

Click OK to add the workstation to the ACL and return to the Console Access page.

d. Repeat step 2 to add other IP addresses.

312

3.

(Optional) To remove a source address from the ACL, select the address to remove from the
Console Access page and click Delete.

4.

(Optional) To change a source IP address, select the IP address to revise and click Edit. See step 2,
above, for details.

5.

To impose the ACL defined in the list box, select Enforce ACL for built-in administration. To allow
access to the CLI or Management Console using console account credentials from any
workstation, deselect the checkbox. The ACL is ignored.

Chapter 8: Security and Authentication

Section A: Controlling Access to the ProxySG

Important:

6.

Before you enforce the ACL, verify the IP address for the workstation you are using
is included in the list. If you forget, or you find that you mistyped the IP address,
you must correct the problem using the serial console.

Click Apply.

To Create an ACL through the CLI
1.

At the (config) command prompt, enter the following command to add workstation IP
addresses to the ACL:
SGOS#(config) security allowed-access add ip_address [subnet_mask]

Note:

If you omit the subnet mask, the default subnet mask of 255.255.255.255 is
assumed.

2.

Repeat step 1 for each workstation that you need to add to the console access list.

3.

At the (config) command prompt, enter the following command to enforce the ACL created in
step 1
SGOS#(config) security enforce-acl enable

Only those workstation IP addresses added to the ACL are able to use the Management
console account to administer the ProxySG. Verify that the IP address for the workstation you
are using is included in the list.
4.

To disable the ACL and open through the access to the console account user, enter the following
command:
security enforce-acl disable

5.

To remove an IP address and subnet mask from the ACL, enter the following command:
SGOS#(config) security allowed-access remove ip_address [subnet_mask]

Note:

If you omit the subnet mask, the default subnet mask of 255.255.255.255 is
assumed.

Maximum Security: Administrative Authentication and Authorization
Policy
The ProxySG permits you to define a rule-based administrative access policy. This policy is enforced
when accessing:

313



the Management Console through http or https



the CLI through SSH when using password authentication



the CLI through telnet

Blue Coat ProxySG Configuration and Management Guide

Section A: Controlling Access to the ProxySG


the CLI through the serial port if the secure serial port is enabled

These policy rules can be specified either by using the VPM or by editing the Local policy file. Using
policy rules, you can deny access, allow access without providing credentials, or require
administrators to identify themselves by entering a username and password. If access is allowed, you
can specify whether read-only or read-write access is given. You can make this policy contingent on IP
address, time of day, group membership (if credentials were required), and many other conditions.
Serial-console access is not controlled by policy rules. For maximum security to the serial console,
physical access must be limited.
SSH with RSA authentication also is not controlled by policy rules. You can configure several settings
that control access: the enable password, the console ACL, and per-user keys configured through the
Configuration>Services>SSH>SSH Client page. (If you use the CLI, SSH commands are under
config>services>ssh-console.)

Defining Administrator Authentication and Authorization Policies
The ProxySG uses CPL to define policies, including administrator, authentication, and authorization
policies. CPL also allows you to give administrator privileges to users in any external authentication
service.
The following summarizes the steps required to define Administrator Authentication and
Authorization policies on the ProxySG:


(Optional) If you need to give administrative access to existing users or groups, create and
configure the authentication realm. See Chapter 9: “Using Authentication Services” on page 335
for details on configuring authentication realms.



Define the policies in the appropriate policy file where you keep the Layer layers and
rules.



Load the policy file on the ProxySG.

When you define such policies, make sure you define them in the appropriate policy file(s). For more
information on policy files and how they are used, see Chapter 14: “The Visual Policy Manager” on
page 555.

Defining Policies Using the Visual Policy Manager
To define policies through the Management Console, use the Visual Policy Manager. When you use
the VPM, policies are configured in CPL and saved in the VPM policy file. For examples of
Administrator authentication or authorization policy CPL, continue with the next section. The VPM is
described in detail in Chapter 14: “The Visual Policy Manager” on page 555.

Defining Policies Directly in Policy Files
To define policies manually, type CPL rules directly in one of the two policy files, Central or Local.

314

Chapter 8: Security and Authentication

Section A: Controlling Access to the ProxySG

Important: Do not manually enter CPL rules directly into the VPM file. The file becomes
corrupted.
For specific information on creating policies within the policy files, refer to the Blue Coat ProxySG
Content Policy Language Guide.
Following are the CPL elements that can be used to define administrator policies for the ProxySG.
To Define Administrator Policies by Editing a Policy File:
1.

Open the policy file in a text editor.

2.

Define the policies, using the correct CPL syntax.

3.

Save the file.

4.

Load the policy file (see "Creating and Editing Policy Files" on page 544).

Admin Transactions and Layers
Admin transactions execute layers. Only a restricted set of conditions, properties, and actions
are permitted in layers. Table 8.3 lists the conditions permitted in the layer:
Table 8.3: Layer Conditions
Network Connection Conditions
client_address=ip_address
[.subnetmask]

Tests for a match between ip_address and the IP address of the
client transaction source.

proxy.port=number

Tests for a match between number and the port number for which
the request is destined.

proxy.address=ip_address

Tests for a match between ip_address and the IP address of the
network interface card for which the request is destined.

proxy.card=number

Tests for a match between number and the ordinal number
associated with the network interface card for which the request is
destined.

General Conditions
condition=condition.label

Tests if the specified defined condition is true.

release.id=

Tests the ProxySG release id.

Date/Time Conditions
date[.utc]=[date | date…date]

315

Tests for a match between date and the date timestamp associated
with the source of the transaction. date specifies a single date of the
form YYYY-MM-DD or an inclusive range, as in
YYYY-MM-DD…YYYY-MM-DD. By default, date is calculated based on
local time. To calculate year based on the Coordinated Universal
Time, include the .utc qualifier

Blue Coat ProxySG Configuration and Management Guide

Section A: Controlling Access to the ProxySG
Table 8.3: Layer Conditions (Continued)

316

year[.utc]=[year | year…year]

Tests for a match between year and the year timestamp associated
with the source of the transaction. year specifies a single Gregorian
calendar year of the form YYYY or an inclusive range of years, as in
YYYY…YYYY. By default, year is calculated based on local time. To
calculate year based on the Coordinated Universal Time, include
the .utc qualifier.

month[.utc]=[month |
month…month]

Tests for a match between month and the month timestamp
associated with the source of the transaction. month specifies a
single Gregorian calendar month of the form MM or an inclusive
range of months, as in MM…MM. By default, month is calculated based
on local time. To calculate month based on the Coordinated
Universal Time, include the .utc qualifier.

weekday[.utc]=[number |
number…number]

Tests for a match between weekday and the weekday timestamp
associated with the source of the transaction. weekday specifies a
single day of the week (where Monday=1, Tuesday=2, and
Sunday=7) or an inclusive range of weekdays, as in
number…number. By default, weekday is calculated based on local
time. To calculate weekday based on the Coordinated Universal
Time, include the .utc qualifier.

day[.utc]=[day | day…day]

Tests for a match between day and the day timestamp associated
with the source of the transaction. day specifies a single Gregorian
calendar day of the month of the form DD or an inclusive range of
days, as in DD…DD. By default, day is calculated based on local time.
To calculate day based on the Coordinated Universal Time, include
the .utc qualifier.

hour[.utc]=[hour | hour…hour]

Tests for a match between hour and the hour timestamp associated
with the source of the transaction. hour specifies a single Gregorian
hour of the form HH (00, 01, and so forth, through 23) or an inclusive
range of hours, as in HH…HH. By default, hour is calculated based
on local time. To calculate hour based on the Coordinated Universal
Time, include the .utc qualifier.

minute[.utc]=[minute |
minute…minute]

Tests for a match between minute and the minute timestamp
associated with the source of the transaction. minute specifies a
single Gregorian minute of the form MM (00, 01, and so forth,
through 59) or an inclusive range of minutes, as in MM…MM. By
default, minute is calculated based on local time. To calculate minute
based on the Coordinated Universal Time, include the .utc qualifier.

time[.utc]=[time | time…time]

Tests for a match between time and the time timestamp associated
with the source of the transaction. time specifies military time of the
form TTTT (0000 through 2359) or an inclusive range of times, as in
TTTT…TTTT. By default, time is calculated based on local time. To
calculate time based on the Coordinated Universal Time, include
the .utc qualifier.

Chapter 8: Security and Authentication

Section A: Controlling Access to the ProxySG
Table 8.3: Layer Conditions (Continued)
Authorization Conditions
attribute.name =value

Tests if the current transaction is authorized in a RADIUS or LDAP
realm, and if the authenticated user has the specified attribute with
the specified value. This trigger is unavailable if the current
transaction is not authenticated

authenticated={yes | no}

Tests if authentication was requested and the credentials could be
verified.

group=group_name

If authenticate=yes, the group condition tests the source of the
transaction for membership in the specified groupname.

has_attribute.name=boolean

Tests if the current transaction is authorized in an LDAP realm and if
the authenticated user has the specified LDAP attribute.

realm=realm_name

If authenticate=yes, the realm condition tests the source of the
transaction for membership in the specified realm name.

user=username

If authenticate=yes, the user condition tests the source of the
transaction for the expected username.

user.domain=
windows_domain_name

(This condition is IWA-realm specific.) If authenticate=yes, the
user_domain condition tests whether the realm type is IWA and
whether the domain component of the username is the expected
domain name.

Read-only or Read-write Conditions
admin_access=read | write

read tests whether the source of the transaction has read-only
permission for the ProxySG console. write tests whether the source
has read-write permission.
When an Administrator logs into the CLI, the ProxySG executes an
transaction that includes the condition
admin_access=read. If the transaction is ultimately allowed (all
conditions have been met), the user will have read-only access to
configuration information through the CLI. Further, when that user
executes the CLI enable command, or logs into the Management
Console, the ProxySG executes an transaction with
admin_access=write. If the transaction is allowed, the user will
have read-write access within the CLI or the Management Console.

Table 8.4 lists the properties permitted in the layer:
Table 8.4: Layer Properties
Properties

317

deny

Refuse service to the source of the transaction.

authenticate(realm_name)

Requests authentication of the transaction source for the
specified realm.

Blue Coat ProxySG Configuration and Management Guide

Section A: Controlling Access to the ProxySG
Table 8.4: Layer Properties (Continued)
authenticate.force( )

If yes is specified then forces authentication even if the
transaction is denied. This results in the user information
being available for logging. If no, then early denial without
authentication is possible.

allow

Permit further service to the source of the transaction.

log.suppress.field-id ( )

Controls suppression of the specified field-id in all
facilities

log.suppress.field-id[log_list]( )

Controls suppression of the specified field-id in the
specified facilities.

log.rewrite.field-id( )

Controls rewrites of a specific log field in all facilities.

log.rewrite.field-id[log_list]
( )

Controls rewrites of a specific log field in a specified list of
log facilities.

Table 8.5 lists the actions permitted in the layer:
Table 8.5: Layer Actions
Actions
notify_email( )

Sends an e-mail notification to the list of recipients specified in the
Event Log mail configuration when the transaction terminates.

notify_snmp( )

The SNMP trap is sent when the transaction terminates.

Example Policy Using CPL Syntax
To authenticate users against an LDAP realm, use the following syntax in the Local Policy file:

authenticate(LDAP_Realm)

group="cn=Administrators,cn=Groups,dc=bluecoat,dc=com" allow

This authenticates users against the specified LDAP realm. If the users are successfully authenticated
and belong to group Administrators, they are allowed to administer the ProxySG.

318

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet

Section B: Controlling Access to the Internet and Intranet
Once the ProxySG is secure, you can limit access to the Internet and intranet. It is possible to control
access to the network without using authentication. You only need to use authentication if you want
to use identity-based access controls.
This section contains:


"Using Authentication and Proxies"



"Using SSL with Authentication and Authorization Services"



"Creating a Proxy Layer to Manage Proxy Operations"

Using Authentication and Proxies
Authentication means that the ProxySG requires proof of user identity in order to make decisions
based on that identity. This proof is obtained by sending the client (a browser, for example) a
challenge—a request to provide credentials. Browsers can respond to different kinds of credential
challenges:


Proxy-style challenges—Sent from proxy servers to clients that are explicitly proxied. In HTTP, the
response code is 407.
An authenticating explicit proxy server sends a proxy-style challenge (407/Proxy-Authenticate)
to the browser. The browser knows it is talking to a proxy and that the proxy wants proxy
credentials. The browser responds to a proxy challenge with proxy credentials
(Proxy-Authorization: header). The browser must be configured for explicit proxy in order for it
to respond to a proxy challenge.



Origin-style challenges—Sent from origin content servers (OCS), or from proxy servers
impersonating a OCS. In HTTP, the response code is 401 Unauthorized.
In transparent proxy mode, the ProxySG uses the OCS authentication challenge (HTTP 401 and
WWW-Authenticate)—acting as though it is the location from which the user initially requested a
page. A transparent proxy, including a reverse proxy, must not use a proxy challenge, because the
client might not be expecting it.

Once the browser supplies the credentials, the ProxySG authenticates them.

Understanding Authentication Modes
You can control the way the ProxySG interacts with the client for authentication by controlling the
authentication mode. The mode specifies the challenge type and the accepted surrogate credential.
Note:

Challenge type is the kind of challenge (for example, proxy or origin-ip-redirect) issued.
Surrogate credentials are credentials accepted in place of the user’s real credentials.

319

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet


Auto: The default; the mode is automatically selected, based on the request. Auto can choose any
of proxy, origin, origin-ip, or origin-cookie-redirect, depending on the kind of connection (explicit or

transparent) and the transparent authentication cookie configuration.
Note:



When auto mode chooses origin-ip, as is the case with Windows SSO or Novell SSO
authentication, any requests coming from the authenticated IP address are considered
authenticated for the length of the cache duration. If multiple users often log in from the
same IP address, a shorter realm cache duration than the default of 900 seconds or a
different authentication mode are recommended.

Proxy: The ProxySG uses an explicit proxy challenge. No surrogate credentials are used. This is the

typical mode for an authenticating explicit proxy. In some situations proxy challenges do not
work; origin challenges are then issued.
If you have many requests consulting the back-end authentication authority (such as LDAP,
RADIUS, or the BCAAA service), you can configure the ProxySG (and possibly the client) to use
persistent connections. This dramatically reduces load on the back-end authentication authority
and improves the all-around performance of the network.
Important:

Windows supports Kerberos authentication only to origin servers; proxy servers
cannot participate. Therefore, explicit authentication modes are not compatible with
Kerberos. However, because Internet Explorer automatically selects NTLM for an
explicit challenge (where the browser is configured with the proxy as a proxy
server), no special processing is required for explicit authentication. An origin
redirect authentication mode, such as authenticate.mode
(origin-cookie-redirect), can be used to obtain Kerberos authentication
when using an explicit proxy if the browser is configured to bypass the proxy for
the virtual URL.



Proxy-IP: The ProxySG uses an explicit proxy challenge and the client's IP address as a surrogate
credential. Proxy-IP specifies an insecure forward proxy, possibly suitable for LANs of single-user
workstations. In some situations proxy challenges do not work; origin challenges are then issued.



Origin: The ProxySG acts like an OCS and issues OCS challenges. The authenticated connection
serves as the surrogate credential.



Origin-IP: The ProxySG acts like an OCS and issues OCS challenges. The client IP address is used as
a surrogate credential. Origin-IP is used to support IWA authentication to the upstream device

when the client cannot handle cookie credentials. This mode is primarily used for automatic
downgrading, but it can be selected for specific situations.


320

Origin-cookie: The ProxySG acts like an origin server and issues origin server challenges. A cookie
is used as the surrogate credential. Origin-cookie is used in forward proxies to support
pass-through authentication more securely than origin-ip if the client understands cookies. Only
the HTTP and HTTPS protocols support cookies; other protocols are automatically downgraded
to origin-ip.

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet
This mode could also be used in reverse proxy situations if impersonation is not possible and the
origin server requires authentication.


Origin-cookie-redirect: The client is redirected to a virtual URL to be authenticated, and cookies are

used as the surrogate credential. The ProxySG does not support origin-redirects with the
CONNECT method. For forward proxies, only origin-*-redirect modes are supported for
Kerberos/IWA authentication. (Any other mode uses NTLM authentication.)
Note:

During cookie-based authentication, the redirect to strip the authentication cookie from
the URL is logged as a 307 (or 302) TCP_DENIED.



Origin-IP-redirect: The client is redirected to a virtual URL to be authenticated, and the client IP
address is used as a surrogate credential. The ProxySG does not support origin-redirects with the
CONNECT method. For forward proxies, only origin-*-redirect modes are supported for
Kerberos/IWA authentication. (Any other mode uses NTLM authentication.)



SG2: The mode is selected automatically, based on the request, and uses the SGOS 2.x-defined

rules.


Form-IP: A form is presented to collect the user's credentials. The form is presented whenever the
user’s credential cache entry expires.



Form-Cookie: A form is presented to collect the user's credentials. The cookies are set on the OCS
domain only, and the user is presented with the form for each new domain. This mode is most
useful in reverse proxy scenarios where there are a limited number of domains.



Form-Cookie-Redirect: A form is presented to collect the user's credentials. The user is redirected to
the authentication virtual URL before the form is presented. The authentication cookie is set on
both the virtual URL and the OCS domain. The user is only challenged when the credential cache
entry expires.



Form-IP-redirect: This is similar to form-ip except that the user is redirected to the authentication

virtual URL before the form is presented.
Important: Modes that use an IP surrogate credential are insecure: After a user has
authenticated from an IP address, all further requests from that IP address are
treated as from that user. If the client is behind a NAT, or on a multi-user system, this
can present a serious security problem.
The default value is auto.
For more information on using authentication modes, see the Blue Coat ProxySG Content Policy
Language Guide.

Setting the Default Authenticate Mode Property
Setting the authentication.mode property selects a challenge type and surrogate credential
combination. In auto mode, explicit IWA uses connection surrogate credentials. In sg2 mode, explicit
IWA uses IP surrogate credentials.

321

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet
To Configure the IWA Default Authenticate Mode Settings
At the (config) command prompt, enter the following commands:
SGOS#(config) security default-authenticate-mode {auto | sg2}

Understanding Origin-Style Redirection
Some authentication modes redirect the browser to a virtual authentication site before issuing the
origin-style challenge. This gives the user feedback as to which credentials are required, and makes it
possible to (but does not require) send the credentials over a secure connection.
Since browser requests are transparently redirected to the ProxySG, the appliance intercepts the
request for the virtual authentication site and issues the appropriate credential challenge. Thus, the
challenge appears to come from the virtual site, which is usually named to make it clear to the user
that ProxySG credentials are requested.
If authentication is successful, the ProxySG establishes a surrogate credential and redirects the
browser back to the original request, possibly with an encoded surrogate credential attached. This
allows the ProxySG to see that the request has been authenticated, and so the request proceeds. The
response to that request can also carry a surrogate credential.
To provide maximum flexibility, the virtual site is defined by a URL. Requests to that URL (only) are
intercepted and cause authentication challenges; other URLs on the same host are treated normally.
Thus, the challenge appears to come from a host that in all other respects behaves normally.
Note:

Sharing the virtual URL with other content on a real host requires additional
configuration if the credential exchange is over SSL.

You can configure the virtual site to something that is meaningful for your company. The default,
which requires no configuration, is www.cfauth.com. See "Configuring Transparent Proxy
Authentication" on page 323 to set up a virtual URL for transparent proxy.

Tip: Using CONNECT and Origin-Style Redirection
You cannot use the CONNECT method with origin-style redirection or form redirect modes. An error
message similar to the following is displayed:
Cannot use origin-redirect for CONNECT method (explicit proxy of https URL)

Instead, you can add policy to either bypass authentication on the CONNECT method, or use proxy
authentication. For example:

allow http.method=CONNECT authenticate.mode(proxy) authenticate(ldap)
allow authenticate(cert) authenticate.mode(origin-cookie-redirect)

Selecting an Appropriate Surrogate Credential
IP surrogate credentials are less secure than cookie surrogate credentials and should be avoided if
possible. If multiple clients share an IP address (such as when they are behind a NAT firewall or on a
multi-user system), the IP surrogate mechanism cannot distinguish between those users

322

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet

Configuring Transparent Proxy Authentication
The following sections provide general instructions on configuring for transparent proxy
authentication.
In addition to configuring transparent proxy authentication, you must also enable a transparent proxy
port before the transparent proxy is functional. To enable a transparent proxy port, see “Section B:
Creating and Editing Services” on page 156.
To Set Transparent Proxy Options through the Management Console
1.

Select Configuration>Authentication>Transparent Proxy.

Figure 8-3: Transparent Proxy Tab

2.

Select the transparent proxy method—Cookie-based or IP address-based. The default is Cookie.
If you select Cookie, the Cookie Type radio buttons are available. Click either: Session, for cookies
that are deleted at the end of a session, or Persistent, for cookies that remain on a client machine
until the cookie TTL (Time To Live) is reached or the credentials cache is flushed. The default is
Session.
If you select Persistent Cookies, enter the Cookie TTL. If you choose IP address-based, enter the IP
address TTL. The default for each is 15 minutes.
Note:

A value of 0 (zero) for the IP address TTL re-prompts the user for credentials once the
specified cache duration for the particular realm has expired.
For authentication modes that make use of IP surrogate credentials, once the IP address
TTL expires the proxy re-challenges all client requests that do not contain credentials for
which an IP surrogate credential cache entry previously existed.
If at this point the client supplied a different set of credentials than previously used to
authenticate—for which an entry in the user credential cache still exists—the proxy fails
authentication. This is to prevent any another client to potentially gain network access by
impersonating another user by supplying his or her credentials. However, once the user
credential cache entry's TTL has expired, you can supply a different set of credentials than
previously used for authentication.

323

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet

Note:

For authentication modes that make use of IP surrogate credentials, once the IP
address TTL expires the proxy re-challenges all client requests that do not contain
credentials for which an IP surrogate credential cache entry previously existed.
If at this point the client supplied a different set of credentials than previously used to
authenticate—for which an entry in the user credential cache still exists—the proxy
fails authentication. This is to prevent any another client from potentially gaining
network access by impersonating another user by supplying his or her credentials.
However, once the user credential cache entry's TTL expires, you can supply a
different set of credentials than previously used for authentication.

3.

Select the Virtual URL. The default is www.cfauth.com. Blue Coat recommends you change the
virtual hostname to something meaningful to you, preferably the IP address of the ProxySG,
unless you are doing secure credentials over SSL. Using the IP address of the ProxySG enables
you to be sure that the correct ProxySG is addressed in a cluster configuration.

4.

Click Apply.

To Set Transparent Proxy Options through the CLI
1.

At the (config) command prompt, enter the following command:
SGOS#(config) security transparent-proxy-auth method {cookie | ip}

a.

If you select cookie-based transparent proxy authentication, enter the following
command to specify persistent cookies or cookies that persist for the current session only:
SGOS#(config) security transparent-proxy-auth cookie {persistent |
session}

b.

If you select persistent cookies, enter the following command to specify the minutes that
the cookie persists:
SGOS#(config) security transparent-proxy-auth time-to-live
persistent-cookie minutes

c.

If you select IP-based transparent proxy authentication, enter the following command to
specify that the user be re-prompted for credentials after the number of TTL minutes
specified:
SGOS#(config) security transparent-proxy-auth time-to-live ip minute

A value of 0 (zero) for the IP address TTL re-prompts the user for credentials once the
specified cache duration for the particular realm has expired.
2.

(Optional step for single ProxySG scenarios, only needed if specifying a different virtual URL than
supplied by Blue Coat—www.cfauth.com) To specify the virtual URL for cookie-based
authentication, enter the following command:
SGOS#(config) security transparent-proxy-auth cookie virtual-url url

3.

324

(Optional, if you choose cookie-based) Add the virtual host domain to the DNS service for your
organization so that browsers, when redirected to the virtual URL, can resolve the hostname in
the URL. (If you use the virtual hostname provided by Blue Coat—www.cfauth.com—you do not
need to add the hostname to the DNS service.)

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet

Using SSL with Authentication and Authorization Services
Blue Coat recommends that you use SSL during authentication to secure your user credentials. Blue
Coat now supports SSL between the client and the ProxySG and between the ProxySG to LDAP and
IWA authentication servers.

Using SSL Between the Client and the ProxySG
To configure SSL for to use origin-cookie-redirect or origin-ip-redirect challenges, you must:


Specify a virtual URL with the HTTPS protocol (for example, https://virtual_address.



Create a keyring and certificate on the ProxySG.



Create an HTTPS service to run on the port specified in the virtual URL and to use the keyring
you just created.

Note:

You can use SSL between the client and the ProxySG for origin-style challenges on
transparent and explicit connections (SSL for explicit proxy authentication is not
supported).
In addition, if you use a forward proxy, the challenge type must use redirection; it cannot be
an origin or origin-ip challenge type.

When redirected to the virtual URL, the user is prompted to accept the certificate offered by the
ProxySG (unless the certificate is signed by a trusted certificate authority). If accepted, the
authentication conversation between the ProxySG and the user is encrypted using the certificate.
Note:

If the hostname does not resolve to the IP address of the ProxySG, then the network
configuration must redirect traffic for that port to the appliance. Also, if you use the IP
address as the virtual hostname, you might have trouble getting a certificate signed by a
CA-Certificate authority (which might not be important).

For information on creating a keyring and a certificate, see “Section B: Configuring HTTPS Reverse
Proxy” on page 266.
You can use SSL between the ProxySG and IWA and LDAP authentication servers. For more
information, see Chapter 9: “Using Authentication Services” on page 335.

Creating a Proxy Layer to Manage Proxy Operations
Once hardware configuration is complete and the system configured to use transparent or explicit
proxies, use CPL or VPM to provide on-going management of proxy operations.

325

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet

Using CPL
Below is a table of all commands available for use in proxy layers of a policy. If a condition, property,
or action does not specify otherwise, it can be used only in layers. For information on
creating effective CPL, refer to the Blue Coat ProxySG Content Policy Language Guide.
Table 8.6: Layer Conditions

326

Layer Conditions

Meaning

admin.access=

Tests the administrative access requested by the current transaction. Can
also be used in layers.

attribute.name=

Tests if the current transaction is authenticated in a RADIUS or LDAP
realm, and if the authenticated user has the specified attribute with the
specified value. Can also be used in layers.

authenticated=

Tests if authentication was requested and the credentials could be verified;
otherwise, false. Can also be used in layers.

bitrate=

Tests if a streaming transaction requests bandwidth within the specified
range or an exact match. Can also be used in layers.

category=

Tests if the content categories of the requested URL match the specified
category, or if the URL has not been categorized. Can also be used in
layers.

client_address=

Tests the IP address of the client. Can also be used in layers.

client.connection.
negotiated_cipher=

Test the cipher suite negotiated with a securely connected client. Can also
be used in layers.

client.connection.
negotiated_cipher.
strength=

Test the cipher strength negotiated with a securely connected client. Can
also be used in layers.

client.host=

Test the hostname of the client (obtained through RDNS). Can also be used
in , , and layers.

client.host.has_name=

Test the status of the RDNS performed to determine 'client.host'. Can also
be used in , , and layers.

client_protocol=

Tests true if the client transport protocol matches the specification. Can also
be used in layers.

condition=

Tests if the specified defined condition is true. Can be used in all layers.

console_access=

(This trigger was formerly admin=yes|no.) Tests if the current request is
destined for the admin layer. Can also be used in and
layers.

content_management=

(This trigger was formerly content_admin=yes|no.) Tests if the current
request is a content-management transaction. Can also be used in
and layers.

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet
Table 8.6: Layer Conditions (Continued)
date[.utc]=

Tests true if the current time is within the startdate..enddate range,
inclusive. Can be used in all layers.

day=

Tests if the day of the month is in the specified range or an exact match.
Can be used in all layers.

exception.id=

Indicates that the requested object was not served, providing this specific
exception page.
Can also be used in layers.

327

ftp.method=

Tests ftp request methods against any of a well-known set of FTP methods.
Can also be used in and layers.

group=

Tests if the authenticated condition is set to yes, the client is authenticated,
and the client belongs to the specified group. Can also be used in
layers.

has_attribute.name=

Tests if the current transaction is authenticated in an LDAP realm and if the
authenticated user has the specified LDAP attribute. Can also be used in
layers.

hour=

Tests if the time of day is in the specified range or an exact match. Can be
used in all layers.

http.method=

Tests HTTP request methods against any of a well known set of HTTP
methods. Can also be used in and layers.

http.method.regex=

Test the HTTP method using a regular expression. Can also be used in
layers.

http.request_line.regex=

Test the HTTP protocol request line. Can also be used in
layers.

http.request.version=

Tests the version of HTTP used by the client in making the request to the
ProxySG. Can also be used in and layers.

http.response_code=

Tests true if the current transaction is an HTTP transaction and the
response code received from the origin server is as specified. Can also be
used in and layers.

http.response.version=

Tests the version of HTTP used by the origin server to deliver the response
to the ProxySG. Can also be used in and layers.

http.transparent_
authentication=

This trigger evaluates to true if HTTP uses transparent proxy
authentication for this request. Can also be used in and
layers.

im.buddy_id=

Tests the buddy_id associated with the IM transaction. Can also be used
in layers.

im.chat_room.conference=

Tests whether the chat room associated with the transaction has the
conference attribute set. Can also be used in layers.

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet
Table 8.6: Layer Conditions (Continued)

328

im.chat_room.id=

Tests the chat room ID associated with the transaction. Can also be used in
layers.

im.chat_room.invite_
only=

Tests whether the chat room associated with the transaction has the
invite_only attribute set. Can also be used in layers.

im.chat_room.type=

Tests whether the chat room associated with the transaction is public or
private. Can also be used in layers.

im.chat_room.member=

Tests whether the chat room associated with the transaction has a member
matching the specified criterion. Can also be used in layers.

im.chat_room.voice_
enabled=

Tests whether the chat room associated with the transaction is voice
enabled. Can also be used in layers.

im.client=

Test the type of IM client in use. Can also be used in ,
, and layers.

im.file.extension=

Tests the file extension. Can also be used in layers.

im.file.name=

Tests the file name (the last component of the path), including the
extension. Can also be used in layers.

im.file.path=

Tests the file path against the specified criterion. Can also be used in
layers.

im.file.size=

Performs a signed 64-bit range test. Can also be used in
layers.

im.message.reflected

Test whether IM reflection occurred. Can also be used in
and layers.

im.message.route=

Tests how the IM message reaches its recipients. Can also be used in
layers.

im.message.size=

Performs a signed 64-bit range test. Can also be used in
layers.

im.message.text.
substring=

Performs a signed 64-bit range test. Can also be used in
layers.

im.message.opcode=

Tests the value of an opcode associated with an im.method of
send_unknown or receive_unknown.

im.message.type=

Tests the message type. Can also be used in layers.

im.method=

Tests the method associated with the IM transaction. Can also be used in
and layers.

im.user_id=

Tests the user_id associated with the IM transaction. Can also be used in
layers.

live=

Tests if the streaming content is a live stream. Can also be used in
layers.

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet
Table 8.6: Layer Conditions (Continued)

329

minute=

Tests if the minute of the hour is in the specified range or an exact match.
Can be used in all layers.

month=

Tests if the month is in the specified range or an exact match. Can be used
in all layers.

proxy.address=

Tests the IP address of the network interface card (NIC) on which the
request arrives. Can also be used in layers.

proxy.card=

Tests the ordinal number of the network interface card (NIC) used by a
request. Can also be used in layers.

proxy.port=

Tests if the IP port used by a request is within the specified range or an
exact match. Can also be used in layers.

raw_url

Test the value of the raw request URL. Can also be used in
layers.

raw_url.host

Test the value of the 'host' component of the raw request URL. Can also be
used in layers.

raw_url.path

Test the value of the 'path' component of the raw request URL. Can also be
used in layers.

raw_url.pathquery

Test the value of the 'path and query' component of the raw request URL.
Can also be used in layers.

raw_url.port

Test the value of the 'port' component of the raw request URL. Can also be
used in layers.

raw_url.query

Test the value of the 'query' component of the raw request URL. Can also
be used in layers.

realm=

Tests if the authenticated condition is set to yes, the client is authenticated,
and the client has logged into the specified realm. an also be used in
layers.

release.id=

Tests the ProxySG release ID. Can be used in all layers.

request.header_address.
header_name=

Tests if the specified request header can be parsed as an IP address. Can
also be used in layers.

request.header.header_
name=

Tests the specified request header (header_name) against a regular
expression. Can also be used in layers.

request.header.header_
name.count

Test the number of header values in the request for the given header_name.
Can also be used in layers.

request.header.header_
name.length

Test the total length of the header values for the given header_name. Can
also be used in layers.

request.header.Referer.
url.host.has_name=

Test whether the Referer URL has a resolved DNS hostname. Can also be
used in layers.

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet
Table 8.6: Layer Conditions (Continued)
request.header.Referer.
url.is_absolute

Test whether the Referer URL is expressed in absolute form. Can also be
used in layers.

request.raw_headers.
count

Test the total number of HTTP request headers. Can also be used in
layers.

request.raw_headers.
length

Test the total length of all HTTP request headers. Can also be used in
layers.

request.raw_headers.
regex

Test the value of all HTTP request headers with a regular expression. Can
also be used in layers.

request.x_header.header_
name.count

Test the number of header values in the request for the given
header_name. Can also be used in layers.

request.x_header.header_
name.length

Test the total length of the header values for the given header_name. Can
also be used in layers.

response.header.header_
name=

Tests the specified response header (header_name) against a regular
expression. Can also be used in layers.

response.x_header.
header_name=

Tests the specified response header (header_name) against a regular
expression. Can also be used in layers.

server_url[.case_
sensitive|.no_lookup]=

Tests if a portion of the requested URL exactly matches the specified
pattern. Can also be used in layers.

socks.accelerated=

Controls the SOCKS proxy handoff to other protocol agents.

socks.method=

Tests the protocol method name associated with the transaction. Can also
be used in and layers.

socks.version=

Switches between SOCKS 4/4a and 5. Can also be used in
and layers.

streaming.content=

(This trigger has been renamed from streaming.) Can also be used in
, , and layers.

time=

Tests if the time of day is in the specified range or an exact match. Can be
used in all layers.

tunneled=

330

url.domain=

Tests if the requested URL, including the domain-suffix portion, matches
the specified pattern. Can also be used in layers.

url.extension=

Tests if the filename extension at the end of the path matches the specified
string. Can also be used in layers.

url.host=

Tests if the host component of the requested URL matches the IP address or
domain name. Can also be used in layers.

url.host.has_name

Test whether the request URL has a resolved DNS hostname. Can also be used in
layers

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet
Table 8.6: Layer Conditions (Continued)
url.is_absolute

Test whether the request URL is expressed in absolute form. Can also be
used in layers

url.host.is_numeric=

This is true if the URL host was specified as an IP address. Can also be used
in layers.

url.host.no_name=

This is true if no domain name can be found for the URL host. Can also be
used in layers.

url.host.regex=

Tests if the specified regular expression matches a substring of the domain
name component of the request URL. Can also be used in
layers.

url.host.suffix=

Can also be used in layers.

url.path=

Tests if a prefix of the complete path component of the requested URL, as
well as any query component, matches the specified string. Can also be
used in layers.

url.path.regex=

Tests if the regex matches a substring of the path component of the request
URL. Can also be used in layers.

url.port=

Tests if the port number of the requested URL is within the specified range
or an exact match. Can also be used in layers.

url.query.regex=

Tests if the regex matches a substring of the query string component of the
request URL. Can also be used in layers.

url.regex=

Tests if the requested URL matches the specified pattern. Can also be used
in layers.

url.scheme=

Tests if the scheme of the requested URL matches the specified string. Can
also be used in layers.

user=

Tests the authenticated user name of the transaction. Can also be used in
layers.

user.domain=

Tests if the authenticated condition is set to yes, the client is authenticated,
the logged-into realm is an IWA realm, and the domain component of the
user name is the specified domain. Can also be used in layers.

weekday=

Tests if the day of the week is in the specified range or an exact match. Can
be used in all layers.

year=

Tests if the year is in the specified range or an exact match. Can be used in
all layers.

Table 8.7: Layer Properties

331

Layer Properties

Meaning

action.action_label( )

Selectively enables or disables a specified define action block. Can also be
used in layers.

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet
Table 8.7: Layer Properties (Continued)
allow

Allows the transaction to be served. Can be used in all layers except
and layers.

always_verify( )

Determines whether each request for the objects at a particular URL must
be verified with the origin server.

authenticate( )

Identifies a realm that must be authenticated against. Can also be used in
layers.

authenticate.force( )

Either disables proxy authentication for the current transaction (using the
value no) or requests proxy authentication using the specified
authentication realm. Can also be used in layers.

authenticate.form( )

When forms-based authentication is in use, authenticate.form ( ) selects the
form used to challenge the user.

authenticate.mode(auto)
authenticate.mode(sg2)

Setting the authentication.mode property selects a challenge type and
surrogate credential combination. In auto mode, explicit IWA uses
connection surrogate credentials. In sg2.mode, explicit IWA uses IP
surrogate credentials.

authenticate.redirect_
stored_requests

Sets whether requests stored during forms-based authentication can be
redirected if the upstream host issues a redirecting response.

bypass_cache( )

Determines whether the cache is bypassed for a request.

check_authorization( )

In connection with CAD (Caching Authenticated Data) and CPAD
(Caching Proxy Authenticated Data) support,
check_authorization( ) is used when you know that the upstream
device will sometimes (not always or never) require the user to
authenticate and be authorized for this object. Can also be used in
layers.

delete_on_abandonment( )

If set to yes, then if all clients requesting an object close their connections
prior to the object being delivered, the object fetch from the origin server is
abandoned. Can also be used in layers.

deny

Denies service. Can be used in all layers except and
layers.

dynamic_bypass( )

Used to indicate that a particular transparent request should not be
handled by the proxy, but instead be subjected to our dynamic bypass
methodology.

exception( )

Indicates not to serve the requested object, but instead serve this specific
exception page.
Can be used in all layers except layers.

332

ftp.server_connection( )

Determines when the control connection to the server is established.

ftp.welcome_banner( )

Sets the welcome banner for a proxied FTP transaction.

http.client.recv.timeout

Sets the socket timeout for receiving bytes from the client.

Chapter 8: Security and Authentication

Section B: Controlling Access to the Internet and Intranet
Table 8.7: Layer Properties (Continued)

333

http.request.version( )

The http.request.version( ) property sets the version of the HTTP
protocol to be used in the request to the origin content server or upstream
proxy. Can also be used in layers.

http.response.parse_meta_
tag.
Cache-Control( )

Controls whether the 'Cache-Control' META Tag is parsed in an HTML
response body. Can also be used in layers.

http.response.parse_meta_
tag. Expires

Controls whether the 'Expires' META Tag is parsed in an HTML response
body. Can also be used in layers.

http.response.parse_meta_
tag. Pragma.no-cache

Controls whether the 'Pragma: no-cache' META Tag is parsed in an HTML
response body. Can also be used in layers.

http.response.version( )

The http.response.version( ) property sets the version of the
HTTP protocol to be used in the response to the client's user agent.

http.server.recv.
timeout( )

Sets the socket timeout for receiving bytes from the upstream host. Can
also be used in layers.

im.block_encryption

Prevents the encryption of AOL IM messages by modifying messages
during IM login time.

im.reflect

Sets whether IM reflection should be attempted.

im.strip_attachments( )

Determines whether attachments are stripped from IM messages.

im.transport

Sets the type of upstream connection to make for IM traffic.

log.suppress.field-id( )

The log.suppress.field-id( ) controls suppression of the specified
field-id in all facilities (individual logs that contain all properties for that
specific log in one format). Can be used in all layers.

log.suppress.field-id
[log_list]( )

The log.suppress.field-id [log_list]( ) property controls
suppression of the specified field-id in the specified facilities. Can be used
in all layers.

log.rewrite.field-id( )

The log.rewrite.field-id( ) property controls rewrites of a specific
log field in all facilities. Can be used in all layers.

log.rewrite.field-id
[log_list]( )

The log.rewrite.field-id [log_list]( ) property controls
rewrites of a specific log field in a specified list of log facilities. Can be used
in all layers.

reflect_ip( )

Determines how the client IP address is presented to the origin server for
explicitly proxied requests. Can also be used in layers.

request.filter_service( )

Websense is the built in service name for the off-box content filtering
service. Can also be used in layers.

request.icap_service( )

Determines whether a request from a client should be processed by an
external ICAP service before going out.

shell.prompt

Sets the prompt for a proxied Shell transaction.

Blue Coat ProxySG Configuration and Management Guide

Section B: Controlling Access to the Internet and Intranet
Table 8.7: Layer Properties (Continued)
shell.realm_banner

Sets the realm banner for a proxied Shell transaction.

shell.welcome_banner

Sets the welcome banner for a proxied Shell transaction.

socks.accelerate( )

The socks.accelerate property controls the SOCKS proxy handoff to
other protocol agents.

socks.authenticate( )

The same realms can be used for SOCKS proxy authentication as can be
used for regular proxy authentication.

socks.authenticate.
force( )

The socks.authenticate.force( ) property forces the realm to be
authenticated through SOCKS.

Table 8.8: Layer Actions

334

Layer Actions

Meaning

log_message( )

Writes the specified string to the ProxySG event log. Can be used in all
layers except .

notify_email( )

Sends an e-mail notification to the list of recipients specified in the Event
Log mail configuration. Can be used in all layers.

notify_snmp( )

The SNMP trap is sent when the transaction terminates. Can be used in all
layers.

redirect( )

Ends the current HTTP transaction and returns an HTTP redirect response
to the client.

transform

Invokes the active content or URL rewrite transformer.

Chapter 9: Using Authentication Services

Determining and configuring the type of security (such as LDAP, local list, and IWA) to implement on
your network (authorization) is a critical part of managing enterprise security.

Understanding Realms
The ProxySG provides a flexible authentication architecture that supports multiple services with
multiple backend servers (for example, LDAP directory servers together with NT domains with no
trust relationship) within each authentication scheme with the introduction of the realm.
A realm authenticates and authorizes users for access to ProxySG services using either explicit proxy or
transparent proxy mode, discussed in "Configuring Proxies" on page 177.
Multiple authentication realms can be used on a single ProxySG. Multiple realms are essential if the
enterprise is a managed provider or the company has merged with or acquired another company.
Even for companies using only one protocol, multiple realms might be necessary, such as the case of a
company using an LDAP server with multiple authentication boundaries. You can use realm
sequencing to search the multiple realms all at once.
A realm configuration includes:


Realm name.



Authentication service—(IWA, LDAP, RADIUS, Local, Certificate, Sequences, Netegrity
SiteMinder®, Oracle® COREid™, Policy Substitution, Novell® SSO, Windows® SSO).



External server configuration—Backend server configuration information, such as host, port, and
other relevant information based on the selected service.



Authentication schema—The definition used to authenticate users.



Authorization schema—The definition used to authorize users for membership in defined groups
and check for attributes that trigger evaluation against any defined policy rules.



One-time passwords are supported for RADIUS realms only.

SSL Between the ProxySG and the Authentication Server
SSL communication between the ProxySG and LDAP and IWA authentication servers is supported. In
addition, you can also use SSL between the client and the ProxySG. For more information on using
SSL between the client and the ProxySG, see "Using SSL Between the Client and the ProxySG" on
page 325.
Configuring a realm to use SSL between the ProxySG and the authentication server is performed on a
per-realm basis. Part of the SSL configuration is specifying whether to verify the server's certificate. If
the server certificate is to be verified, then the server's certificate must be signed by a Certificate
Authority that the ProxySG trusts, and the common name in the server certificate must match the
server host as specified in the realm configuration.

335

Blue Coat ProxySG Configuration and Management Guide

The realms use the default SSL client defined on the ProxySG for SSL communications to the
authentication servers.
Note:

If the browser is configured for on-line checking of certificate revocation, the status check
must be configured to bypass authentication.

The chapter contains the following sections:

336



“Section A: IWA Realm Authentication and Authorization”



“Section B: Windows Single Sign-on Authentication”



“Section C: LDAP Realm Authentication and Authorization”



“Section D: Novell Single Sign-on Authentication and Authorization”



“Section E: RADIUS Realm Authentication and Authorization”



“Section F: Local Realm Authentication and Authorization”



“Section G: Certificate Realm Authentication”



“Section H: Netegrity SiteMinder”



“Section I: Oracle COREid”



“Section J: Policy Substitution Realm”



“Section K: Sequence Realm Authentication”



“Section L: Forms-Based Authentication”



“Section M: Managing the Credential Cache”

Chapter 9: Using Authentication Services

Section A: IWA Realm Authentication and Authorization

Section A: IWA Realm Authentication and Authorization
Integrated Windows Authentication (IWA) is an authentication mechanism available on Windows
networks. (The name of the realm has been changed from NTLM to IWA.)
IWA is a Microsoft-proprietary authentication suite that allows Windows clients (running on
Windows 2000 and higher) to automatically choose between using Kerberos and NTLM
authentication challenge/response, as appropriate. When an IWA realm is used and a resource is
requested by the client from the ProxySG, the appliance contacts the client's domain account to verify
the client's identity and request an access token. The access token is generated by the domain
controller (in case of NTLM authentication) or a Kerberos server (in the case of Kerberos
authentication) and passed to (and if valid, accepted by) the ProxySG.
Refer to the Microsoft Web site for detailed information about the IWA protocol.
This section discusses the following topics:


"How Blue Coat Works with IWA"



"Creating an IWA Realm"



"IWA Servers"



"Defining IWA Realm General Properties"



"Creating the CPL"

How Blue Coat Works with IWA
The server side of the Kerberos or NTLM authentication exchange is handled by the Blue Coat
Authentication and Authorization Agent (BCAAA).
A single BCAAA service can support multiple ProxySG Appliances; however, the service starts a
processor agent for each realm that only handles authentication requests coming from that particular
realm.
BCAAA must be installed on a domain controller or member server. If the server where the BCAAA
service is installed and its domain have a trust relationship with other domains, the user is
authenticated automatically by the other domains.
For a server to participate in an IWA Kerberos authentication exchange, it must share a secret with the
Kerberos server (called a KDC) and have registered an appropriate Service Principal Name.
For instructions on installing the BCAAA service and configuring a Service Principal Name, see
Appendix A: “Using the Authentication/Authorization Agent” on page 1007.

Creating an IWA Realm
To create an IWA realm, you must provide at least the primary host of the IWA server for that realm.
To Create an IWA Realm through the Management Console
1.

337

Select Configuration>Authentication>IWA>IWA Realms.

Blue Coat ProxySG Configuration and Management Guide

Section A: IWA Realm Authentication and Authorization

Figure 9-1: IWA Realms Tab

2.

Click New; the Add IWA Realm dialog displays.

Figure 9-2: Add IWA Realm

3.

In the Realm name field, enter a realm name. The name can be 32 characters long and composed of
alphanumeric characters and underscores. The name must start with a letter.

4.

Identify the primary server host for the machine running BCAAA. You must enter a valid host or
an error message is generated.

5.

(Optional) The default port is 16101. You can change the port number if the primary server is
listening on a different port.

6.

Click OK; click Apply.

IWA Servers
Once you create an IWA realm, you can use the IWA Servers page to change the current default
settings.
1.

338

Select Configuration>Authentication>IWA>IWA Servers.

Chapter 9: Using Authentication Services

Section A: IWA Realm Authentication and Authorization

Figure 9-3: IWA Servers Tab

2.

From the Realm Name drop-down list, select the IWA realm for which you want to change server
properties.

3.

You must have defined at least one IWA realm (using the IWA Realms page) before attempting to
set IWA server properties. If the message Realms must be added in the IWA Realms tab
before editing this tab is displayed in red at the bottom of this page, you do not currently
have any IWA realms defined

4.

Specify the host and port for the primary IWA server. The default port is 16101.

5.

(Optional) Specify the host and port for the alternate IWA server. The default port is 16101.

6.

(Optional) Under SSL Options, click the SSL enable checkbox to enable SSL.

7.

(Optional) By default, if SSL is enabled, the BCAAA certificate is verified. If you do not want to
verify the BCAAA certificate, deselect this checkbox.

8.

In the Timeout Request field, type the number of seconds the ProxySG allows for each request
attempt before timing out. (The default request timeout is 60 seconds.)

9.

Click Apply. Repeat the above steps for additional IWA realms, up to a total of 40.

To Create and Define an IWA Realm through the CLI
1.

At the (config) prompt, enter the following command to create an IWA realm:
SGOS#(config) security IWA create-realm realm_name primary_host [primary_port]

where:

339

realm_name

The name of the IWA realm.

primary_host

The host for the primary IWA server.

primary_port

The port for the primary IWA server. The default port is 16101.

Blue Coat ProxySG Configuration and Management Guide

Section A: IWA Realm Authentication and Authorization
2.

To redefine the IWA realm configuration for the realm you just created, enter the following
commands:
SGOS#(config) security IWA edit-realm realm_name
SGOS#(config IWA realm_name) primary-server primary_host [primary_port]

and optionally,
SGOS#(config IWA realm_name) alternate-server alternate_host [alternate_port]

where:

3.

primary_host

The host for the primary IWA server.

primary_port

The port for the primary IWA server. The default port is 16101.

alternate_host

The host for the alternate IWA server.

alternate_port

The port for the alternate IWA server. The default port is 16101.

To enable SSL for this realm and to have the BCAAA certificate verified, enter:
SGOS#(config IWA realm_name) ssl enable
SGOS#(config IWA realm_name) ssl-verify-server enable

Note:

The ssl-verify-server command in authentication is not overridden by the CPL
property server.certificate.validate or the forwarding hosts ssl-verify-server
command.

Defining IWA Realm General Properties
The IWA General tab allows you to specify the display name, whether to support Basic and IWA
credentials, the credential cache duration and a virtual URL.

340

Chapter 9: Using Authentication Services

Section A: IWA Realm Authentication and Authorization
To Configure General Settings through the Management Console
1.

Select Configuration>Authentication>IWA>IWA General.

Figure 9-4: IWA General Tab

2.

From the Realm Name drop-down list, select the IWA realm for which you want to change
properties.
Note:

You must have defined at least one IWA realm (using the IWA Realms tab) before
attempting to set IWA general properties. If the message Realms must be added in the
IWA Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any IWA realms defined.

3.

If needed, change the IWA realm display name. The default value for the display name is the
realm name. The display name cannot be longer than 128 characters and it cannot be null.

4.

You can enable or disable support for Basic credentials in the realm by selecting or deselecting the
Allow Basic credentials checkbox
At least one Basic or NTLM/Kerberos credential must be enabled. Note that Basic credentials
cannot be disabled in the IWA realm if the IWA realm is part of a sequence realm but is not the
first realm in the sequence with try IWA authentication only once enabled.
You can disable both NTLM and Kerberos credentials, leaving a realm that collects plaintext
credentials but validates them against a Windows domain.
Important:

5.

341

The configuration of the realm can have significant security implications. If an IWA
realm accepts Basic credentials, the client can automatically downgrade to sending
the password in the clear. Similarly, the client can use NTLM instead of Kerberos.

(Optional) You can enable or disable support for NTLM credentials in the realm by selecting or
deselecting the Allow NTLM credentials checkbox. You can only enable support for Kerberos
credentials in the realm if support for NTLM credentials has been enabled.

Blue Coat ProxySG Configuration and Management Guide

Section A: IWA Realm Authentication and Authorization
6.

(Optional) You can enable or disable support for Kerberos credentials in the realm by selecting or
deselecting the Allow Kerberos credentials.You can only enable support for Kerberos credentials
in the realm if support for NTLM credentials has been enabled.

7.

Specify the length of time, in seconds, that user and administrator credentials received from the
IWA server are cached. Credentials can be cached for up to 3932100 seconds. The default cache
duration is 900 seconds (15 minutes).
Note:

8.

If you specify 0, traffic is increased to the IWA server because each authentication request
generates an authentication and authorization request to the server.

In the Virtual URL field, enter the URL to redirect to when the user needs to be challenged for
credentials if using a redirecting authenticate.mode.
Note:

The virtual URL is not involved if the challenge does not redirect.

You can specify a virtual URL based on the individual realm. For more information on the virtual
URL, see "Understanding Origin-Style Redirection" on page 322.
When NTLM is in use, requests to the virtual URL must be sent to the proxy. This can be done
either by transparent redirection or by making the virtual URL hostname resolve to an IP address
of the proxy.
When Kerberos is in use:


The virtual URL hostname must be part of the Kerberos realm (this is using the term realm in
the Kerberos sense, not the ProxySG sense).



For a forward proxy, this hostname should be added to the DNS server for the same domain
as the Kerberos protected resources so that requests for this address go directly to the
ProxySG.

In both NTLM and Kerberos, if single-signon is desired, then the virtual URL hostname must
have no dots and must not be proxied by the browser. The client must be able to resolve this
hostname to an IP address of the proxy.
9.

Click Apply.

To Configure General Settings through the CLI
At the (config) command prompt, enter the following commands to configure general settings:
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

342

IWA
IWA
IWA
IWA
IWA
IWA

realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)

cache-duration seconds
credentials-basic enable | disable
credentials-NTLM enable | disable
credentials-kerberos enable | disable
display-name name
virtual-url URL

Chapter 9: Using Authentication Services

Section A: IWA Realm Authentication and Authorization
where:
cache-duration

seconds

Specifies the length of time in seconds that user and
administrator credentials received from the IWA server are
cached. Credentials can be cached for up to 3932100 seconds.
The default value is 900 seconds (15 minutes).

credentialsbasic

enable |
disable

Enables or disables Basic credential support.

credentialskerberos

enable |
disable

Enables or disables Kerberos credential support.

credentialsntlm

enable |
disable

Enables or disables NTLM credential support.

display-name

name

The default value for the display name is the realm name. The
display name cannot be longer than 128 characters and it
cannot be null.

virtual-url

URL

The URL to redirect to when the user needs to be challenged for
credentials.
When NTLM is in use, requests to the virtual URL must be sent
to the proxy. This can be done either by transparent redirection
or by making the virtual URL hostname resolve to an IP
address of the proxy.
When Kerberos is in use:
• The virtual URL hostname must be part of the Kerberos
realm (this is using the term realm in the Kerberos sense, not
the ProxySG sense).
• For a forward proxy, this hostname should be added to the
DNS server for the same domain as the Kerberos protected
resources so that requests for this address go directly to the
ProxySG.
In both NTLM and Kerberos, if single-signon is desired, then
the virtual URL hostname must have no dots and must not be
proxied by the browser. The client must be able to resolve this
hostname to an IP address of the proxy.
See Chapter 8: “Security and Authentication” on page 305 for
more details on virtual URLs.

Creating the CPL
You can create CPL policies now that you have completed IWA realm configuration. Be aware that the
examples below are just part of a comprehensive authentication policy. By themselves, they are not
adequate for your purposes.
The examples below assume the default policy condition is allow. On new SGOS 4.x systems, the
default policy condition is deny.

343

Blue Coat ProxySG Configuration and Management Guide

Section A: IWA Realm Authentication and Authorization

Note:



Refer to the Blue Coat ProxySG Content Policy Language Guide for details about CPL and
how transactions trigger the evaluation of policy file layers.

Every IWA-authenticated user is allowed access the ProxySG.

authenticate(IWARealm)



Group membership is the determining factor in granting access to the ProxySG.

authenticate(IWARealm)

group=”Domain\internetusers” ALLOW
deny

Notes


Forms authentication modes cannot be used with an IWA realm that allows only NTLM/Kerberos
credentials. If a form mode is in use and the authentication realm is an IWA realm, you receive a
configuration error.



For Windows Internet Explorer IWA users who want true single-sign-on (allowing Internet
Explorer to provide your credentials automatically when challenged), you must set the virtual
URL to a hostname that is resolvable to the IP address of the ProxySG by the client machines. Dots
(for example, 10.1.1.1) are not allowed.
Note:

Firefox (1.02 and higher) allows NTLM credentials for single sign-on but not Kerberos.

To define the information in Internet Explorer, navigate to Internet Options>Security>Local
intranet>Sites>Advanced...>Web sites. (For XP, navigate to Internet Options>Security>Internet>Custom
Level, then select Automatic logon with current username and password.)
For Windows Internet Explorer 6.x, add the virtual host address to Internet Options>Privacy>Web
Sites>Managed Web Sites>Always Allow

344

Chapter 9: Using Authentication Services

Section B: Windows Single Sign-on Authentication

Section B: Windows Single Sign-on Authentication
The Windows Single Sign-on (SSO) realm is an authentication mechanism available on Windows
networks.
This section discusses the following topics:


"How Windows SSO Realms Work"



"Creating a Windows SSO Realm"



"Windows SSO Agents"



"Configuring Authorization"



"Defining Windows SSO Realm General Properties"



"Creating the CPL"

How Windows SSO Realms Work
In a Windows SSO realm, the client is never challenged for authentication. Instead, the BCAAA agent
collects information about the current logged on user from the domain controller and/or by querying
the client machine. Then the IP address of an incoming client request is mapped to a user identity in
the domain. If authorization information is also needed, then another realm (LDAP or local) must be
created. For more information, see "How Windows SSO Authorization Works".
Note:

The Windows SSO realm works reliably only in environments where one IP address maps
to one user. If an IP address cannot be mapped to a single user, authentication fails. Those
with NAT systems, which uses one set of IP addresses for intranet traffic and a different
set for Internet traffic, should use a different realm for authentication.

To authenticate a user, the Windows SSO realm uses two methods, either separately or together:


Domain Controller Querying: The domain controller is queried to identify which users are
connecting to, or authenticating with, the domain controller. This can be used to infer the identity
of the user at a particular workstation.



Client Querying: The client workstation is queried to determine who the client workstation thinks
is logged in.



When Domain Controller Querying and Client Querying are both used, the Domain Controller
Query result is used if it exists and is still within the valid time-to-live as configured in the
sso.ini file. If the Domain Controller Query result is older than the configured time-to-live, the
client workstation is queried.
Note:

345

Before Domain Controller Querying or Client Querying can be used, the sso.ini file,
located in the same directory as the BCAAA service, must be modified. For information
on modifying this file, see "Modifying the sso.ini File for Windows SSO Realms".

Blue Coat ProxySG Configuration and Management Guide

Section B: Windows Single Sign-on Authentication
For the most complete solution, an IWA realm could be configured at the same time as the Windows
SSO realm and both realms added to a realm sequence. Then, if the Windows SSO realm failed to
authenticate the user, the IWA realm could be used. For information on using a sequence realm, see
"Sequence Realm Authentication".

How Windows SSO Works with BCAAA
The server side of the authentication exchange is handled by the Blue Coat Authentication and
Authorization Agent (BCAAA). Windows SSO uses a single BCAAA process for all realms and
proxies that use SSO.
BCAAA must be installed on a domain controller or member server. By default, the BCAAA service
authenticates users in all domains trusted by the computer on which it is running. When using
Domain Controller Querying, the BCAAA service can be configured to only query certain domain
controllers in those trusted domains.
By default the BCAAA service is installed to run as LocalSystem. For a Windows SSO realm to have
correct permissions to query domain controllers and clients, the user who BCAAA runs under must
be an authenticated user of the domain.
When the Windows SSO realm is configured to do Client Querying, the user that BCAAA runs under
must be an authenticated user of the domain. For failover purposes, a second BCAAA can be installed
and configured to act as an alternate BCAAA in the Windows SSO realm. The alternate BCAAA
service is used in the event of a failure with the primary BCAAA service configured in the realm.

BCAAA Synchronization
Optionally, when using Domain Controller Querying, you can configure a BCAAA service to use
another BCAAA service as a synchronization server. Whenever a BCAAA service restarts it will
contact its synchronization server and update its logon state. Two given BCAAA services can use each
other as their synchronization server. Thus, each BCAAA service can act as a synchronization server
to provide logon state to other BCAAA services, as well as acting as a synchronization client to update
its logon state from another BCAAA service.
Each BCAAA service has a synchronization priority that determines synchronization behavior. If the
client BCAAA has the same or higher priority than the server BCAAA, synchronization is done once
at restart to update the client state. Once synchronization is complete the client BCAAA drops the
synchronization connection and begins querying the domain controllers.
However, if the server BCAAA has higher priority, then the client BCAAA keeps the synchronization
link open and continuously updates its logon state from the higher priority BCAAA. The client
BCAAA does not query the domain controllers itself unless the synchronization link fails.
This makes it possible to manage the query load on the domain controllers. If there is no issue with
load, then the default configuration (without synchronization), with all BCAAA agents querying the
domain controllers is acceptable. However, if load on the domain controllers is an issue,
synchronization can be used to minimize this load while still providing fail-over capabilities.
By default, all BCAAA agents have the same synchronization priority, meaning that they synchronize
on startup and then do their own domain controller querying. To change the synchronization settings,
see "To Configure the sso.ini file for Synchronization:" on page 353.

346

Chapter 9: Using Authentication Services

Section B: Windows Single Sign-on Authentication

Note:

For information on configuring the BCAAA service as an authenticated user of the
domain, see Appendix A: “Using the Authentication/Authorization Agent”.

How Windows SSO Authorization Works
The Windows SSO realm, in addition to allowing you to create and manipulate realm properties, such
as the query type and the number of seconds that credential cache entries from this realm are valid,
also contains the authorization username and the name of the realm that will do authorization for the
Windows SSO realm. The authorization username is a string containing policy substitutions that
describes how to construct the username for authorization lookups. This can either be an LDAP
FQDN when the authorization realm is an LDAP realm, or a simple name when local realms are being
used for authorization.
Note:

Windows SSO realms never challenge for credentials. If the authorization username
cannot be determined from the configured substitutions, authorization in the Windows
SSO realm fails.

Keep in mind that Windows SSO realms do not require an authorization realm. If no authorization
realm is configured, the user is not considered a member of any group. The effect this has on the user
depends on the authorization policy. If the policy does not make any decisions based on groups, you
do not need to specify an authorization realm. Also, if your policy is such that it works as desired
when all Windows SSO realm users are not in any group, you do not have to specify an authorization
realm.

Creating a Windows SSO Realm
The Configuration>Authentication>Windows SSO>Windows SSO Realms tab allows you to create a new
Windows SSO realm.
To Create a Windows SSO Realm through the Management Console
1.

Select Configuration>Authentication>Windows SSO>Windows SSO Realms.

2.

Click New.

Figure 9-5: Add Windows SSO Dialog

347

Blue Coat ProxySG Configuration and Management Guide

Section B: Windows Single Sign-on Authentication
3.

In the Realm name field, enter a realm name. The name can be 32 characters long and composed of
alphanumeric characters and underscores. The name must start with a letter.

4.

Click OK; click Apply.

Windows SSO Agents
You must configure the Windows realm so that it can find the Blue Coat Authentication and
Authorization Agent (BCAAA).
1.

Select Configuration>Authentication>Windows SSO>Agents.

Figure 9-6: Windows SSO Agents Tab

2.

Select the realm name to edit from the drop-down list.
Note:

You must have defined at least one Windows SSO realm (using the Windows SSO Realms
tab) before attempting to configure the BCAAA agent. If the message Realms must be
added in the Windows SSO Realms tab before editing this tab is displayed in red at the bottom
of this page, you do not currently have any Windows SSO realms defined.

3.

In the Primary agent section, enter the hostname or IP address where the BCAAA agent resides.

4.

Change the port from the default of 16101 if necessary.

5.

(Optional) Enter an alternate agent host and agent name in the Alternate agent section.
The primary and alternate BCAAA server must work together to support fail-over. If the primary
BCAAA server fails, the alternate server should be able to provide the same mappings for the IP
addresses.

348

6.

(Optional) Click Enable SSL to enable SSL between the ProxySG and the BCAAA.

7.

(Optional) By default, if SSL is enabled, the Windows SSO BCAAA certificate is verified. To not
verify the agent certificate, disable this setting.

8.

In the Timeout Request field, type the number of seconds the ProxySG allows for each request
attempt before timing out. (The default request timeout is 60 seconds.)

Chapter 9: Using Authentication Services

Section B: Windows Single Sign-on Authentication
To Create and Define a Windows SSO Realm through the CLI
1.

At the (config) prompt, enter the following command to create a Windows SSO realm:
SGOS#(config) security windows-sso create-realm realm_name

where realm_name is the name of the Windows SSO realm.
2.

To redefine the Windows SSO realm configuration for the realm you just created, enter the
following commands:
SGOS#(config) security windows-sso edit-realm realm_name
SGOS#(config windows-sso realm_name) primary-agent {host hostname | port
port_number}

and optionally,
SGOS#(config windows-sso realm_name) alternate-agent {host hostname | port
port_number}

where:

3.

hostname

The host where the primary or alternate BCAAA agent resides

port_number

The port on the system where the primary or alternate BCAAA
agent resides. The default port number is 16101.

To enable SSL for this realm and to have the BCAAA certificate verified, enter:
SGOS#(config windows-sso realm_name) ssl enable
SGOS#(config windows-sso realm_name) ssl-verify-agent enable

Configuring Authorization
After the Windows SSO realm is created, you can use the Windows SSO Authorization tab to
configure authorization for the realm.
Note:

1.

Windows SSO realms do not require an authorization realm. If the policy does not make
any decisions based on groups, you do not need to specify an authorization realm.

Select Configuration>Authentication>Windows SSO>Authorization.

Figure 9-7: Windows SSO Authorization Tab

2.

349

From the Realm name drop-down list, select the Windows SSO realm for which you want to
change realm properties.

Blue Coat ProxySG Configuration and Management Guide

Section B: Windows Single Sign-on Authentication

Note:

You must have defined at least one Windows SSO realm (using the Windows SSO Realms
tab) before attempting to set Windows SSO realm properties. If the message Realms must
be added in the Windows SSO Realms tab before editing this tab is displayed in red at the
bottom of this page, you do not currently have any Windows SSO realms defined.

3.

(Optional) From the Authorization realm name drop-down list, select the realm you want to use to
authorize users.

4.

To construct usernames, keep in mind that the authorization username attributes is a string. that
contains policy substitutions. When authorization is required for the transaction, the character
string is processed by the policy substitution mechanism, using the current transaction as input.
The resulting string becomes the user's authorization name for the current transaction.
Table 9.9: Common Substitutions Used in the Authorization username Field

5.

ELFF Substitution

CPL Equivalent

Description

x-cs-auth-domain

$(user.domain)

The Windows domain of the authenticated user.

cs-username

$(user.name)

The relative username of the authenticated user.

Click Apply.

To Configure Authorization Settings through the CLI
1.

At the (config) command prompt, enter the following commands to configure authorization
settings:
SGOS#(config windows-sso realm_name) authorization realm-name
authorization-realm-name
SGOS#(config windows-sso realm-name) authorization username

authorization-username
where:
authorization
realm-name

authorizationrealm-name

Specifies the realm to use to authorize the Windows SSO
authenticated user.

authorization
username

authorizationusername

Specifies the character string containing policy
substitutions that is to be used to construct the Windows
SSO authenticated user's authorization username.

Defining Windows SSO Realm General Properties
The Windows SSO General tab allows you to specify the display name, the credential cache duration,
and the type of authentication querying you want to do. After you select the type of authentication
querying, you must modify the sso.ini file to enable the authentication querying. For information
on modifying the sso.ini file, see "Modifying the sso.ini File for Windows SSO Realms" on
page 352.

350

Chapter 9: Using Authentication Services

Section B: Windows Single Sign-on Authentication

Note:

Windows SSO realms default to the origin-ip authentication mode when either no
authentication mode or the auto authentication mode is specified in policy. After a user
has first successfully authenticated to the ProxySG, all subsequent requests from that
same IP address for the length of the cache duration are authenticated as that user. If the
first user is allowed or denied access, subsequent users during that same time coming
from the same IP address are allowed or denied as that first user. This is true even if
policy would have treated them differently if they were authenticated as themselves.
If multiple users often log in from the same IP address, a shorter cache duration timeout
than the default or else an authentication mode that uses cookie surrogates are
recommended.

To Configure General Settings through the Management Console
1.

Select Configuration>Authentication>Windows SSO>Windows SSO General.

Figure 9-8: Windows SSO General Tab

2.

From the Realm Name drop-down list, select the Windows SSO realm for which you want to
change properties.
Note:

3.

Specify the length of time, in seconds, that user and administrator credentials received from the
Windows SSO BCAAA service are cached. Credentials can be cached for up to 3932100 seconds.
The default cache duration is 900 seconds (15 minutes).
Note:

4.

You must have defined at least one Windows SSO realm (using the Windows SSO Realms
tab) before attempting to set Windows SSO general properties. If the message Realms must
be added in the Windows SSO Realms tab before editing this tab is displayed in red at the
bottom of this page, you do not currently have any Windows SSO realms defined.

If you specify 0, traffic is increased to the Windows SSO BCAAA service and the
authorization server (if configured) because each authentication request generates an
authentication request to the BCAAA service and an authorization request to the
authorization server.

In the Query Type field, select the method you want to use from the drop-down menu.
By default the Windows SSO realm is configured for Domain Controller Querying only.

351

Blue Coat ProxySG Configuration and Management Guide

Section B: Windows Single Sign-on Authentication
If all of the client computers can be queried directly, then the most accurate results can be
provided by the Query Clients option.
Note:

Client Querying is blocked by the Windows XP SP2 firewall. This can be overridden
through domain policy. If the firewall setting "Allow remote administration exception" or
"Allow file and printer sharing exception" or "Define port exceptions" (with port 445) is
enabled, then the query will work.

If an authentication mode without surrogates is being used (Proxy or Origin authenticate mode),
then the Query Domain Controller and Client and Query Client options can cause too much traffic when
querying the clients, as each authentication request results in a request to the BCAAA service,
which can result in a client workstation query depending on the client query time-to-live. If the
client workstation querying traffic is a concern, the Query Domain Controllers option should be used
instead.
5.

Click Apply.

To Configure General Settings through the CLI
At the (config) command prompt, enter the following commands to configure general settings:
SGOS#(config windows-sso realm_name) cache-duration seconds
SGOS#(config windows-sso realm_name) sso-type {query-client | query-dc |
query-dc-client}

where:
cache-duration

seconds

Specifies the length of time in seconds that user and
administrator credentials received from the Windows
SSO BCAAA agent are cached. Credentials can be
cached for up to 3932100 seconds. The default value is
900 seconds (15 minutes).

sso-type

query-client |
query-dc |
query-dc-client

Specifies whether you want to query the client, the
domain controller, or both for authentication
information.

Modifying the sso.ini File for Windows SSO Realms
To enable the method of authentication querying you choose, you must modify the sso.ini file by
adding domain controllers you want to query and user accounts you want to ignore.
The sso.ini file is located in the BCAAA installation directory.
If you are only using one method of querying, you only need configure the specific settings for that
method. If you plan to use both methods to query, you must configure all the settings.
Note:

352

The changes to the sso.ini file have no effect until the BCAAA service is restarted.

Chapter 9: Using Authentication Services

Section B: Windows Single Sign-on Authentication
To configure the sso.ini file for Domain Controller Querying
1.

Open the file in a text editor.

2.

In the section DCQSetup, uncomment the line: DCQEnabled=1.

3.

In the section DCQDomainControllers, list the domain controllers you want to query or the IP
address ranges of interest.
By default all domain controllers that are in the forest or are trusted are queried. In large
organizations, domain controllers that are not of interest for the ProxySG installation might be
queried. The sso.ini file can be used to list the domain controllers of interest or IP address
ranges of interest.

4.

In the section SSOServiceUsers, list the domain names of users who can access the domain
controller on behalf of the service and mask the identity of the logged-on user.
Listing these users here forces the BCAAA service to ignore them for authentication purposes.

5.

Save the sso.ini file.

To Configure the sso.ini file for Client Querying
Note:

Before you use the Windows SSO realm, you must change the BCAAA service to run as a
domain user, and, if using XP clients, update the domain policy to allow the client query
to pass through the firewall.
For information on installing and configuring the BCAAA service, see Appendix A:
“Using the Authentication/Authorization Agent”.

1.

Open the file in a text editor.

2.

Review the TTL times in the section ClientQuerySetup to be sure they are appropriate for your
network environment.

3.

Update the section SSOServiceUsers to ignore domain users used for services.

4.

Save the sso.ini file.

To Configure the sso.ini file for Synchronization:

353

1.

Open the file in a text editor.

2.

Update the section SSOSyncSetup (the defaults are listed below). Note that explanations of each
setting are provided in the sso.ini file.


ServerPriority=100



EnableSyncServer=1



SyncPortNumber=16102



UseSSL=0



VerifyCertificate=0

Blue Coat ProxySG Configuration and Management Guide

Section B: Windows Single Sign-on Authentication


QueryDelta=10



RetrySyncTime=60

3.

Update the section SSOSyncServer with the IP address or hostname of the BCAAA service to use
a synchronization server.

4.

In the section SSOSyncClients, list the IP addresses or hostnames of the BCAAA services that will
use this BCAAA service as their synchronization service.

5.

Save the sso.ini file.

Creating the CPL
You can create CPL policies now that you have completed Windows SSO realm configuration. Be
aware that the examples below are just part of a comprehensive authentication policy. By themselves,
they are not adequate for your purposes.
The examples below assume the default policy condition is allow. On new systems, the default policy
condition is deny.
Note:



Refer to the Blue Coat ProxySG Content Policy Language Guide for details about CPL and
how transactions trigger the evaluation of policy file layers.

Every Windows SSO-authenticated user is allowed access the ProxySG.

authenticate(WSSORealm)



Group membership is the determining factor in granting access to the ProxySG.

authenticate(WSSORealm)

group=”cn=proxyusers, ou=groups, o=myco” ALLOW
deny

Notes


The Windows SSO realm works reliably only in environments where one IP address maps to one
user.



This realm never uses a password.



When doing domain controller querying, the Windows SSO realm can lose the logon if the
NetBIOS computer name cannot by determined through a DNS query or a NetBIOS query. The
DNS query can fail if the NetBIOS name is different than the DNS host name or if the computer is
in a different DNS domain than the BCAAA computer and the BCAAA computer is not set up to
impute different DNS domains.
The NetBIOS query can fail because the NetBIOS broadcast does not reach the target computer.
This can happen if the computer is behind a firewall that is not forwarding NetBIOS requests or if
the computer is on a subnet that is not considered to be local to the BCAAA server.

354

Chapter 9: Using Authentication Services

Section B: Windows Single Sign-on Authentication
To prevent this issue, the BCAAA machine must be configured to be able to query the NetBIOS
name of any computer of interest and get the correct IP address.
One workaround is to use a WINS server. This works like a DNS server but handles NetBIOS
lookups.

355

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization

Section C: LDAP Realm Authentication and Authorization
Many companies and organizations use the Lightweight Directory Access Protocol (LDAP) as the
directory protocol of choice, enabling software to find an individual user without knowing where that
user is located in the network topography.
This section discusses the following topics:


"Overview"



"Creating an LDAP Realm"



"LDAP Servers"



"Defining LDAP Base Distinguished Names"



"LDAP Search & Groups Tab (Authorization and Group Information)"



"Customizing LDAP Objectclass Attribute Values"



"Defining Sequence Realm General Properties"



"Creating the CPL"

Overview
Blue Coat supports both LDAP v2 and LDAP v3, but recommends LDAP v3 because it uses Transport
Layer Security (TLS) and SSL to provide a secure connection between the ProxySG and the LDAP
server.
An LDAP directory, either version 2 or version 3, consists of a simple tree hierarchy. An LDAP
directory might span multiple LDAP servers. In LDAP v3, servers can return referrals to others
servers back to the client, allowing the client to follow those referrals if desired.
Directory services simplify administration; any additions or changes made once to the information in
the directory are immediately available to all users and directory-enabled applications, devices, and
ProxySG Appliances.
The ProxySG supports the use of external LDAP database servers to authenticate and authorize users
on a per-group or per-attribute basis.
LDAP group-based authentication for the ProxySG can be configured to support any
LDAP-compliant directory including:


Microsoft Active Directory Server



Novell NDS/eDirectory Server



Netscape/Sun iPlanet Directory Server



Other

The ProxySG also provides the ability to search for a single user in a single root of an LDAP directory
information tree (DIT), and to search in multiple Base Distinguished Names (DNs).
You can configure a LDAP realm to use SSL when communicating to the LDAP server.

356

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization
Configuring LDAP involves the following steps:


Creating a realm (up to 40) and configuring basic settings.



Configuring an LDAP server



Defining LDAP Base Distinguished Names



Defining Authorization and Group information



Configuring general LDAP realm settings



Creating policy

Creating an LDAP Realm
To Create an LDAP Realm through the Management Console
1.

Select Configuration>Authentication>LDAP>LDAP Realms.

Figure 9-9: LDAP Realms Tab

2.

Click New; the Add LDAP Realm dialog displays.

Figure 9-10: Add LDAP Realm

3.

357

In the Real name field, enter a realm name. The name can be 32 characters long and composed of
alphanumeric characters and underscores. The name must start with a letter.

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization
4.

From the Type of LDAP server drop-down list, select the specific LDAP server.

5.

Specify the host and port for the primary LDAP server. The host must be entered. The default port
number is 389.

6.

In the User attribute type field, specify the default user attribute type for the type of LDAP server.

7.

Microsoft Active Directory Server

sAMAccountName=

Novell NDS/eDirectory Server/Other

cn=

Netscape/iPlanet Directory Server

uid=

Click OK; click Apply.

To Create an LDAP Realm through the CLI
At the (config) command prompt, enter the following command to create an LDAP realm:
SGOS#(config) security ldap create-realm {ad | iplanet | nds | other} realm_name
[base_dn] primary_host [primary_port]

where:
ad | iplanet | nds
| other

The type of LDAP realm to create. ad specifies a Microsoft Active
Directory realm; iplanet specifies a Netscape/Sun iPlanet realm; nds
specifies a Novell NDS/eDirectory realm; other specifies a realm of any
other type.

realm_name

The name of the new LDAP realm.

base_dn

The distinguished name (DN) used as the unique key for the LDAP group
database; the distinguished name of the key entry and all entries below it
in the directory tree. You can specify additional Base DNs after the realm
has been created. For example: ou=insidesales, o=toolsdivision.
A Base DN can be up to 128 characters long. (In Netscape/iPlanet
Directory Server, Base DN is also known as the Root DN.) See Table 9.1 for
sample DN entries.
At least one base DN is required for authentication to succeed, although
you can create a realm without a base DN.

primary_host

The host for the primary LDAP server.

primary_port

The port for the primary LDAP server. The default port is 389.

LDAP Servers
Once you have created an LDAP realm, you can use the LDAP Servers page to change the current
default settings.
To Edit LDAP Server Properties through the Management Console
Note that the default values exist. You do not need to change these values if the default settings are
acceptable.

358

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization
1.

Select Configuration>Authentication>>LDAP>LDAP Servers.

Figure 9-11: LDAP Servers Tab

2.

From the Realm Name drop-down list, select the LDAP realm for which you want to change server
properties.
Note:

You must have defined at least one LDAP realm (using the LDAP Realms tab) before
attempting to set LDAP server properties. If the message Realms must be added in
the LDAP Realms tab before editing this tab is displayed in red at the bottom
of this page, you do not currently have any LDAP realms defined.

3.

From the Type of LDAP server drop-down list, select the specific LDAP server.

4.

From the LDAP Protocol Version drop-down list, select v2 for LDAP v2 support. LDAP v3 is the
default.
If you use LDAP v3, you can select Follow referrals to allow the client to follow referrals to other
servers. (This feature is not available with LDAP v2.) The default is Disabled.

5.

Specify the host and port for the primary LDAP server. The host must be entered. The default port
number is 389.

6.

(Optional) Specify the host and port for the alternate LDAP server. The default port is 389.

7.

(Optional) Under SSL Options, select Enable SSL to enable SSL. You can only select this option if
you are using LDAP v3.

8.

(Optional) By default, if SSL is enabled, the LDAP server certificate is verified. If you do not want
to verify the server certificate, disable this setting.

9.

(Optional) Change the timeout request for the server from its default of 60 seconds.

10. Click Apply. Repeat the above steps for additional LDAP realms, up to a total of 40.
To Edit LDAP Server Properties through the CLI
1.

359

From the (config) prompt, enter the following commands to modify LDAP realm authentication
properties:

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization
SGOS#(config) security ldap edit-realm realm_name
SGOS#(config ldap realm_name) primary-server host [port]

and, optionally:
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

ldap
ldap
ldap
ldap
ldap
ldap
ldap
ldap
ldap
ldap
ldap
ldap
ldap

realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)

alternate-server host [port]
distinguished-name base-dn clear
distinguished-name base-dn add base_DN
protocol-version {2 | 3}
referrals-follow {enable | disable}
spoof-authentication {none | origin | proxy}
ssl {disable | enable}
ssl-verify-server {disable | enable}
validate-authorized-user {disable | enable}
default-group-name group_name
no default-group-name
exit
timeout seconds

where
alternate-server

host [port]

The host for the secondary LDAP server.
The port can also be added, if you need it
to be other than the default (389).

distinguished name
base-dn

clear | add base_DN

Clears the existing base DN or adds the
specified base_DN. The distinguished
name (DN) used as the unique key for the
LDAP group database; the distinguished
name of the key entry and all entries
below it in the directory tree. You can
specify additional base DNs after the
realm has been created. For example:
ou=insidesales,
o=toolsdivision. A base DN can be
up to 128 characters long. (In
Netscape/iPlanet Directory Server, Base
DN is also known as the Root DN.) See
Table 9.1 for sample DN entries.
At least one base DN is required for
authentication to succeed, although you
can create a realm without a base DN.

360

protocol-version

2 | 3

The LDAP version you want to use.
LDAP v3 is the default, allowing you to
use the referrals-follow argument
and to use SSL.

referrals-follow

enable | disable

Allows the client to follow referrals to
other servers. This argument is not
available if you use LDAP v2.

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization
spoof-authentication

none | origin |
proxy

Enables/disables the forwarding of
authenticated credentials to the origin
content server or for proxy
authentication. You can only choose one.
• If set to origin, the spoofed header is an
Authorization: header.
• If set to proxy, the spoofed header is a
Proxy-Authorization: header.
• If set to none, no spoofing occurs.
Flush the entries for a realm if the
spoof-authentication value is changed to
ensure that the spoof-authentication
value is immediately applied.

ssl

enable | disable

Enables or disables SSL. This argument is
not available if you use LDAP v2.

ssl-verify-server

enable | disable

By default, if SSL is enabled, the LDAP
server certificate is verified. To not verify
the server certificate, disable this setting.
This command is not overridden by the
CPL property
server.certificate.validate or
the forwarding hosts
ssl-verify-server command.

validate-authorizeduser

enable | disable

When validate-authorized-user is
enabled, an authorization (not
authentication) request will verify that
the user exists in the LDAP server. If the
user does not exist, the authorization
request fails (authentication requests
always require the user to exist).
When validate-authorized-user is
disabled, no user existence check is made
for an authorization request. If the user
does not exist, the authorization request
succeeds.

default-group-name

group_name

no default-group-name
timeout

2.

361

If the validate-authorized-user
command is disabled and a
default-group-name is configured, the
default-group-name is used as the group
name for non-existent users.
Clears the default group name.

seconds

Changes the timeout request for the
server from its default of 60 seconds.

(Optional) View the configuration (results shown are truncated):

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization
SGOS#(config ldap realm_name)
Realm name:
Display name:
Server type:
Protocol version:
Follow referrals:
Case sensitivity:
User attribute type:
Base DNs:
Primary server host:
Primary server port:
...

view
ldap_1
testee
Other
3
disabled
disabled
cn
ou=insidesales
10.9.16.85
389

Defining LDAP Base Distinguished Names
The ProxySG allows you to specify multiple Base Distinguished Names (DNs) to search per realm,
along with the ability to specify a specific branch of a Base DN.
A Base DN identifies the entry that is starting point of the search. You must specify at least one
non-null base-DN for LDAP authentication to succeed.
You must enter complete DNs. Table 9.1 lists some examples of distinguished name attributes.
Table 9.1: Distinguished Name Attributes

362

DN Attribute Syntax

Parameter Description

c=country

Country in which the user or group resides. Examples: c=US, c=GB.

cn=common name

Full name of person or object defined by the entry. Examples:
cn=David Smith, cn=Administrators, cn=4th floor
printer

mail=e-mail address

User or group e-mail address.

givenName=given name

User's first name.

l=locality

Locality in which the user or group resides. This can be the name of a
city, country, township, or other geographic regions. Examples:
l=Seattle, l=Pacific Northwest, l=King County.

o=organization

Organization to which the user or group is a member. Examples:
o=Blue Coat Inc, o=UW.

ou=organizational unit

Unit within an organization. Examples: ou=Sales, ou=IT,
ou=Compliance.

st=state or province

State or province in which the user or group resides. Examples:
st=Washington, st=Florida.

userPassword=password

Password created by a user.

streetAddress=street address

Street number and address of user or group defined by the entry.
Example: streetAddress= 650 Almanor Avenue Sunnyvale,
California 94085-3515.

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization
Table 9.1: Distinguished Name Attributes (Continued)
DN Attribute Syntax

Parameter Description

sn=surname

User's last name.

telephoneNumber=telephone

User or group telephone number.

title=title

User's job title.

uid=user ID

Name that uniquely identifies the person or object defined by the
entry. Examples: uid=ssmith, uid=kjones.

To Define Searchable LDAP Base DNs through the Management Console
1.

Select Configuration>Authentication>LDAP>LDAP DN.

Figure 9-12: LDAP DN Tab

2.

From the Realm Name drop-down list, select the LDAP realm for which you want to change DN
properties.
Note:

3.

You must have defined at least one LDAP realm (using the LDAP Realms tab) before
attempting to set LDAP server properties. If the message Realms must be added in the
LDAP Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any LDAP realms defined.

In the User attribute type field, the ProxySG has entered the default user attribute type for the type
of LDAP server you specified when creating the realm.
Microsoft Active Directory Server

sAMAccountName=

Novell NDS/eDirectory Server/Other

cn=

Netscape/iPlanet Directory Server

uid=

If you entered information correctly when creating the realm, you do not need to change the User
attribute type in this step. If you do need to change or edit the entry, do so directly in the field.

363

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization
4.

Enter as many Base DNs as you need for the realm. Assume, for example, that Sample_Company
has offices in New York and Lisbon, each with its own Base DN.

Figure 9-13: Simplified Directory Information Trees

To specify entries for the Base DNs field, click New, enter the Base DN, and click OK. Repeat for
multiple Base DNs. To search all of Sample_Company, enter o values:

Figure 9-14: Searching Sample_Company

To search the manufacturing organizations, rather than starting at the top, enter ou and o values:

Figure 9-15: Searching Part of Sample_Company

You can add, edit, and delete Base DNs for a ProxySG to search. You can also select an individual
DN and move it up or down in the list with the Promote and Demote buttons. The ProxySG
searches multiple DNs in the order listed, starting at the top and working down.
5.

Click Apply to save the changes.

To Define One or More Searchable LDAP Base DNs through the CLI
1.

To define a Base DN, enter the following command:
SGOS#(config ldap realm_name) distinguished-name base-dn add base-dn

where base-dn is a string up to 128 characters long in the format appropriate to the type
of LDAP server represented by the realm name. The base-dn should be the
Fully-Qualified Domain Name (FQDN) of the base of the search.
Repeat this step for each additional Base DN you want added to the list. Entries in the list
start with the first Base DN created; subsequent additions are appended to the list. The
list is searched from the top down.
2.

(Optional) To remove a Base DN:
SGOS#(config ldap realm_name) distinguished-name base-dn remove base_dn

3.

364

(Optional) To remove all Base DNs and clear the list:

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization
SGOS#(config ldap realm_name) distinguished-name base-dn clear

4.

(Optional) To move a Base DN up or down in the list of Base DNs:
SGOS#(config ldap realm_name) distinguished-name base-dn {promote | demote}
base_dn

where promote moves the specified Base DN up one level in the list and demote moves it
down one level. You must issue the command for each level you want to move the Base
DN.

LDAP Search & Groups Tab (Authorization and Group Information)
After creating an LDAP realm, providing at least the required fields of the LDAP server for that realm,
and defining base DNs for the realm, you must define authorization properties for each LDAP realm
you created.
Note:

Authorization decisions are completely handled by policy. The groups that the ProxySG
looks up and queries are derived from the groups specified in policy in group=
conditions, attribute= conditions, and has Attribute conditions. If you do not have any
of those conditions, then Blue Coat does not look up any groups or attributes to make
policy decisions based on authorization.

To Define LDAP Realm Authorization Properties through the Management Console
1.

Select Configuration>Authentication>LDAP>LDAP Search & Groups.

Figure 9-16: LDAP Search & Groups Tab

2.

From the Realm Name drop-down list, select the LDAP realm for which you want to specify
authorization information.
Note:

365

You must have defined at least one LDAP realm (using the LDAP Realms tab) before
attempting to set LDAP Search & Group properties. If the message Realms must be
added in the LDAP Realms tab before editing this tab is displayed in red at the
bottom of this page, you do not currently have any LDAP realms defined.

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization
3.

Specify whether to allow anonymous search or to enforce user authentication before allowing a
search.
Some directories require a valid user to be able to perform an LDAP search; they do not allow
anonymous bind. (Active Directory is one such example.) For these directories, you must specify a
valid fully-qualified distinguished username and the password that permits directory access
privileges. (For example, cn=user1,cn=users,dc=bluecoat,dc=com is a possible fully-qualified
distinguished name.)
To permit users to anonymously bind to the LDAP service, select Anonymous Search Allowed. For
example, with Netscape/iPlanet Directory Server, when anonymous access is allowed, no
username or password is required by the LDAP client to retrieve information.
The LDAP directory attributes available for an anonymous client are typically a subset of those
available when a valid user distinguished name and password have been used as search
credentials.
To enforce user authentication before binding to the LDAP service, deselect Anonymous Search
Allowed, and set the Search User DN and Search User Password. Enter a user distinguished name in
the Search User DN field. This username can identify a single user or a user object that acts as a
proxy for multiple users (a pool of administrators, for example). A search user distinguished
name can be up to 512 characters long.
You can set or change the user password by clicking Change Password. This password can be up to
64 alphanumeric characters long.
You can create a separate user (such as Blue Coat, for example) instead of using an Administrator
distinguished name and password.
The Dereference level field has four values—always, finding, never, searching—that allow you to
specify when to search for a specific object rather than search for the object’s alias. The default is
Always.

4.

Group Information
Membership type and Membership attribute: The ProxySG enters the appropriate default:


Microsoft Active Directory:
Membership type: user
Membership attribute type: memberOf



Netscape/Sun iPlanet:
Membership type:group
Membership attribute type:uniqueMember



Novell NDS eDirectory
Membership type:group
Membership attribute type:member



Other
Membership type:user
Membership attribute type:member

Username type to lookup: Select either FQDN or Relative. Only one can be selected at a time.

366

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization

5.



Relative can only be selected in the membership type is Group.



FQDN indicates that the lookup is done only on the user object. FQDN can be selected when the
membership type is either Group or User.

Click Apply.

To Define LDAP Realm Authorization Properties through the CLI
1.

Define the search criteria for the LDAP realm:
SGOS#(config ldap realm_name) search {anonymous {disable | enable} | dereference
{always | finding | never | searching} | password password | encrypted-password
encrypted_password | user-dn user_dn}

where:
anonymous

disable |
enable

If disabled, users are not permitted to anonymously bind to the
LDAP service.
If enabled, users are permitted to anonymously bind to the
LDAP service. When anonymous access is allowed, no
password is required by the LDAP client to retrieve information,
however, one can be specified, if extra security is desirable.
The LDAP directory attributes available for an anonymous
client are typically a subset of those available to clients that have
been authenticated through a user distinguished name and
password.

dereference

always |
finding |
never |
searching

Sets dereference options.
always dereference aliases is the default.
finding dereferences aliases only during name resolution.
searching dereferences aliases only after name resolution.
never means that aliases are never dereferenced.

password |
encryptedpassword

password |
encrypted_
password

Specifies the user password (or encrypted password) associated
with the user distinguished name. The non-encrypted (or
plain-text) password can be up to 64 alphanumeric characters
long.
The primary use of the encrypted-password command is to
allow the ProxySG to reload a password that it encrypted. You
can choose to use a third-party encryption application. The
encrypted password is encrypted using RSA with OAEP
padding, and is Base64 encoded with no newlines.

user-dn

2.

user_dn

Specifies a user distinguished name. This username can identify
a single user or a user object that acts as a proxy for multiple
users (a pool of administrators, for example). Search user
distinguished name can be up to 512 characters long.

To define LDAP realm membership properties:
SGOS#(config ldap realm_name) membership-attribute membership_attribute

367

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization
where membership_attribute is the name of the attribute that has the group information.
(For Active Directory, the attribute name is memberOf. For iPlanet, the attribute name is
uniquemember. For Novell Directory service, the attribute name is member.)
SGOS#(config ldap realm_name) membership-type {group | user}

where group specifies that this realm is composed of individual members belonging to a
group defined elsewhere, and user specifies that this realm is composed of individual
disparate members whose only link to each other is membership in this group.
SGOS#(config ldap realm_name) membership-username (full | relative)

where full specifies that the user's FQDN is used during membership lookups, and
relative specifies that the user's relative username is used during membership lookups.
Only one can be selected at a time.

Customizing LDAP Objectclass Attribute Values
The objectclass attributes on an LDAP object define the type of object an entry is. For example, a user
entry might have an objectclass attribute value of person while a group entry might have an
objectclass attribute value of group.
The objectclass attribute values defined on a particular entry can differ among LDAP servers. The
objectclass attribute values are attribute values only, they are not DNs of any kind.
Currently, the objectclass attribute values are used by Blue Coat during a VPM browse of an LDAP
server. If an administrator wants to browse the groups in a particular realm, the ProxySG searches the
LDAP server for objects that have objectclass attribute values matching those in the group list and
in the container list. The list of objectclass attribute values in the container list is needed so that
containers that contain groups can be fetched and expanded correctly.
To Customize LDAP Objectclass Attribute Values through the Management Console
1.

Select Configuration>Authentication>LDAP>LDAP Objectclasses.

Figure 9-17: LDAP Objectclasses Tab

368

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization
2.

From the Realm name drop-down list, select the LDAP realm whose objectclasses you want to
modify.

3.

From the Object type drop-down list, select the type of object: container, group, or user.

4.

To create or edit an object for the specified objectclass, click New or Edit. (The only difference is
whether you are adding or editing an objectclass value.)
The Add/Edit Objectclass Value dialog displays.

Figure 9-18: Add Objectclass Value

5.

Enter or edit the objectclass, and click OK; click Apply. For example, objectclass=organization.

To Customize LDAP Objectclass Attribute Values through the CLI
At the (config) prompt, enter the following command to configure general settings:
SGOS#(config ldap realm_name) objectclass container {add container_objectclass |
clear | remove container_objectclass}
SGOS#(config ldap realm_name) objectclass group {add group_objectclass | clear |
remove group_objectclass}
SGOS#(config ldap realm_name) objectclass user {add user_objectclass | clear |
remove user_objectclass}

where:

369

container

{add | remove}
container_objectclass |
clear

Adds/removes container objectclass values from
the list (these values are used during VPM
searches of the LDAP realm), or clears all values
from the container objectclass list.

group

{add | remove}
group_objectclass |
clear

Adds/removes group objectclass values from
the list (these values are used during VPM
searches of the LDAP realm), or clears all values
from the group objectclass list.

user

{add | remove}
Adds/removes user objectclass values from the
user_objectclass | clear list (these values are used during VPM searches
of the LDAP realm), or clears all values from the
user objectclass list.

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization

Defining LDAP General Realm Properties
The LDAP General page allows you to indicate whether an LDAP server is configured to expect
case-sensitive usernames and passwords, the length of time that credentials are cached, the display
name, and if you want to use a special virtual host for this realm.
To Configure General LDAP Settings through the Management Console
1.

Select Configuration>Authentication>LDAP>LDAP General.

Figure 9-19: LDAP General Tab

2.

From the Realm Name drop-down list, select the LDAP realm for which you want to change
properties.
Note:

3.

If needed, give the LDAP realm a display name. The default value for the display name is the
realm name. The display name cannot be longer than 128 characters and it cannot be null.

4.

If the LDAP server is configured to expect case-sensitive usernames and passwords, select Case
sensitive.

5.

Specify the length of time in seconds that user and administrator credentials received from the
LDAP server are cached. Credentials can be cached for up to 3932100 seconds. The default value is
900 seconds (15 minutes).
Note:

6.

370

You must have defined at least one LDAP realm (using the LDAP Realms tab) before
attempting to set LDAP general properties. If the message Realms must be added in
the LDAP Realms tab before editing this tab is displayed in red at the bottom of
this page, you do not currently have any LDAP realms defined.

If you specify 0, this increases traffic to the LDAP server because each authentication
request generates an authentication and authorization request to the server.

You can specify a virtual URL based on the individual realm. For information on the virtual URL,
see "Understanding Origin-Style Redirection" on page 322.

Chapter 9: Using Authentication Services

Section C: LDAP Realm Authentication and Authorization
To Configure General LDAP Settings through the CLI
At the (config) prompt, enter the following command to configure general settings:
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

ldap
ldap
ldap
ldap
ldap

realm_name)
realm_name)
realm_name)
realm_name)
realm_name)

cache-duration seconds
case-sensitive {enable | disable}
virtual-url URL
display-name display_name
rename new_realm_name

where:
cache-duration

seconds

Specifies the length of time in seconds that user and
administrator credentials received from the LDAP server are
cached. Credentials can be cached for up to 3932100 seconds.
The default value is 900 seconds (15 minutes).
If you specify 0, cached user and administrator credentials are
not re-used.

case-sensitive

enable |
disable

Enable this setting if the LDAP server is configured to expect
case-sensitive usernames and passwords.

virtual-url

URL

The URL to redirect to when the user needs to be challenged
for credentials. See Chapter 8: “Security and Authentication”
on page 305.

display-name

display_
name

The default value for the display name is the realm name. The
display name cannot be longer than 128 characters and cannot
be null.

rename

new_realm_
name

Allows you to change the realm name of an existing realm.

Creating the CPL
Be aware that the examples below are just part of a comprehensive authentication policy. By
themselves, they are not adequate for your purposes.
Note:

Refer to the Blue Coat ProxySG Content Policy Language Guide for details about CPL and
how transactions trigger the evaluation of policy file layers.

Be aware that the default policy condition for these examples is allow. The default policy condition on
new SGOS 4.x systems is deny.


Every LDAP-authenticated user is allowed access the ProxySG.

authenticate(LDAPRealm)



371

Group membership is the determining factor in granting access to the ProxySG.

Blue Coat ProxySG Configuration and Management Guide

Section C: LDAP Realm Authentication and Authorization

authenticate(LDAPRealm)

group=”cn=proxyusers, ou=groups, o=myco”
deny


A subnet definition determines the members of a group, in this case, members of the Human
Resources department.

authenticate(LDAPRealm)

Define subnet HRSubnet
192.168.0.0/16
10.0.0.0/24
End subnet HRSubnet
[Rule] client_address=HRSubnet
url.domain=monster.com
url.domain=hotjobs.com
deny
.
.
.
[Rule]
deny

372

Chapter 9: Using Authentication Services

Section D: Novell Single Sign-on Authentication and Authorization

Section D: Novell Single Sign-on Authentication and Authorization
The Novell® Single Sign-on (SSO) realm is an authentication mechanism that provides single sign-on
authentication for users that authenticate against a Novell eDirectory server. The mechanism uses the
Novell eDirectory Network Address attribute to map the user's IP address to an LDAP FQDN. Since
the mechanism is based on the user's IP address, it only works in environments where an IP address
can be mapped to a unique user.
A Novell SSO realm consists of


BCAAA service information



Novell eDirectory information



authorization realm information



general realm information.

The Novell eDirectory information consists of a ProxySG LDAP realm that points to the master Novell
eDirectory server that it is to be searched and monitored for user logins (see "“Section C: LDAP Realm
Authentication and Authorization” on page 356 for information on configuring LDAP realms) and a
list of eDirectory server and port combinations that specify additional servers to monitor for logins.
Additional monitor servers must be specified if they contain user information that is not replicated to
the master Novell eDirectory server being searched.
After a Novell SSO realm has been configured, you can write policy that authenticates and authorizes
users against the Novell SSO realm.
To ensure that users who do not successfully authenticate against the Novell SSO realm are not
challenged, administrators can use a realm sequence that contains the Novell SSO realm and then a
policy substitution realm to use when Novell SSO authentication fails.
Note:

The Novell SSO realm works reliably only in environments where one IP address maps to
one user. If an IP address cannot be mapped to a single user, authentication fails. Those
with NAT systems, which uses one set of IP addresses for intranet traffic and a different
set for Internet traffic, may need to use a different realm for authentication.

This section discusses the following topics:

373



"How Novell SSO Realms Work" on page 374



"Creating a Novell SSO Realm" on page 375



"Novell SSO Agents" on page 375



"Adding LDAP Servers to Search and Monitor" on page 377



"Querying the LDAP Search Realm" on page 379



"Configuring Authorization" on page 380



"Defining Novell SSO Realm General Properties" on page 382



"Modifying the sso.ini File for Novell SSO Realms" on page 383

Blue Coat ProxySG Configuration and Management Guide

Section D: Novell Single Sign-on Authentication and Authorization


"Creating the CPL" on page 384



"Notes" on page 384

How Novell SSO Realms Work
When a user logs into the Novell network, the user entry in Novell eDirectory is updated with the
login time and the IP address that the user logged in from and the login time. The ProxySG uses
BCAAA to do LDAP searches and monitoring of the configured Novell eDirectory servers to obtain
the user login information and maintain a user IP address to user FQDN map.
To create the initial IP/FQDN map, the BCAAA service searches the configured master eDirectory
server for all user objects within the configured base DNs that have a Network Address attribute. For
each user entry returned, BCAAA parses the Network Address attribute and adds the IP/FQDN
entry to the map. If an existing entry exists for that IP address, it is overwritten.
A user entry can have more than one Network Address entry in which case an entry for each IP
address is added to the map. Since service accounts can login using the same IP address and
subsequently overwrite entries for actual users, the BCAAA service has a configurable list of the
Service names to ignore. Users can be added or removed from the list in the sso.ini file. (see
"Modifying the sso.ini File for Novell SSO Realms" on page 383.)
Once the initial map has been created it is kept current by monitoring all of the eDirectory servers that
contain unique partition data for the eDirectory tree. By default, the search server defined by the
LDAP realm is monitored. If other servers contain data that is not replicated to the search server, they
must be individually monitored. When a server is being monitored, each time a user logs in or logs
out, an event message is sent to BCAAA to update its mapping of FQDNs to IP addresses.
Multiple ProxySG devices can talk to the same BCAAA service and can reference the same eDirectory
servers. To avoid multiple queries to the same server, the LDAP hostname and port combination
uniquely identifies an eDirectory configuration and should be shared across devices.
To ensure that BCAAA has complete map of FQDNs to IP addresses, the realm can be configured to
do a full search of the configured master eDirectory server up to once per day.
The BCAAA service must be version 120 or higher and must be installed on a Windows 2000+
machine that can access the eDirectory server. The BCAAA machine does not need to have a Windows
trust relationship with the eDirectory server.
Note:

For information on configuring the BCAAA service, see Appendix A: “Using the
Authentication/Authorization Agent”.

How Novell SSO Authorization Works
A Novell SSO realm can be configured to do no authorization, authorize against itself (the default), or
authorize against another valid authorization realm.
When a Novell SSO realm is configured to authorize against itself, authorization is done through the
LDAP search realm specified by the Novell SSO realm. The behavior is similar to the Novell SSO
realm explicitly selecting the LDAP realm as the authorization realm.

374

Chapter 9: Using Authentication Services

Section D: Novell Single Sign-on Authentication and Authorization

Creating a Novell SSO Realm
The Configuration>Authentication>Novell SSO>Novell SSO Realms tab allows you to create a new Novell
SSO realm. Up to 40 Novell SSO realms can be created.
To Create a Novell SSO Realm through the Management Console
1.

Select Configuration>Authentication>Novell SSO>Novell SSO Realms.

2.

Click New.

Figure 9-20: Add Novell SSO Dialog

3.

In the Realm name field, enter a realm name. The name can be 32 characters long and composed of
alphanumeric characters and underscores. The name must start with a letter.

4.

Click OK; click Apply.

Novell SSO Agents
You must configure the Novell realm so that it can find the Blue Coat Authentication and
Authorization Agent (BCAAA).
1.

Select Configuration>Authentication>Novell SSO>Agents.

Figure 9-21: Novell SSO Agents Tab

2.

375

Select the realm name to edit from the drop-down list.

Blue Coat ProxySG Configuration and Management Guide

Section D: Novell Single Sign-on Authentication and Authorization

Note:

You must have defined at least one Novell SSO realm (using the Novell SSO Realms tab)
before attempting to configure the BCAAA agent. If the message Realms must be added in
the Novell SSO Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any Novell SSO realms defined.

3.

In the Primary agent section, enter the hostname or IP address where the BCAAA agent resides.

4.

Change the port from the default of 16101 if necessary.

5.

(Optional) You can change the encrypted passwords for the private key and public certificate on
the BCAAA machine that are to be used for SSL communication between the BCAAA service and
the Novell eDirectory server by clicking Change Private Key Password or Change Public Certificate
Password. The location of the private key and public certificate are specified in the sso.ini file
on the BCAAA machine. (For information on changing the location of the private key and public
certificate, see "Modifying the sso.ini File for Novell SSO Realms" on page 383.)

6.

(Optional) Enter an alternate agent host and agent name in the Alternate agent section. Note that
you can also change the passwords for the private key and public certificate for the alternate
agent, as well.
The primary and alternate BCAAA server must work together to support fail-over. If the primary
BCAAA server fails, the alternate server should be able to search and monitor the same set of
eDirectory servers.

7.

(Optional) Click Enable SSL to enable SSL between the ProxySG and the BCAAA.

8.

(Optional) By default, if SSL is enabled, the BCAAA service’s certificate is verified. To not verify
the agent certificate, disable this setting.
Note:

9.

The Enable SSL setting only enables SSL between the ProxySG and BCAAA. To enable SSL
between BCAAA and the eDirectory server, the Enable SSL setting must be set in the
LDAP search realm.

In the Timeout Request field, type the number of seconds the ProxySG allows for each request
attempt before timing out. (The default request timeout is 60 seconds.)

10. Click Apply to save the changes.
To Create and Define a Novell SSO Realm through the CLI
1.

At the (config) prompt:
SGOS#(config) security novell-sso create-realm realm_name

where realm_name is the name of the Novell SSO realm.
2.

376

To define the Novell SSO realm configuration for the realm you just created, enter the following
commands:

Chapter 9: Using Authentication Services

Section D: Novell Single Sign-on Authentication and Authorization
SGOS#(config) security novell-sso edit-realm realm_name
SGOS#(config novell-sso realm_name) primary-agent {host host | port port |
encrypted-private-key-password encrypted-private-key-password |
encrypted-public-certificate-password encrypted-public-certificate-password |
private-key-password private-key-password | public-certificate-password
public-certificate-password}

and optionally,
SGOS#(config novell-sso realm_name) alternate-agent {host host | port port |
encrypted-private-key-password encrypted-private-key-password |
encrypted-public-certificate-password encrypted-public-certificate-password |
private-key-password private-key-password | public-certificate-password
public-certificate-password}

3.

host

host

The host where the primary or alternate BCAAA
service resides.

port

port

The port on the system where the primary or
alternate BCAAA service resides. The default port
number is 16101.

privatekey-password

private-keypassword

or

or

encrypted-privatekey-password

encrypted-privatekey-password

The password or encrypted password for the
private key on the BCAAA machine that is to be
used for SSL communication between the
BCAAA service and the Novell eDirectory server.
The location of the private key is specified in the
sso.ini file on the BCAAA machine.

public-certificatepassword

public-certificate
-password

or encrypted-publiccertificate-password

or
encrypted-publiccertificatepassword

The password or encrypted password for the
public certificate on the BCAAA machine that is
to be used for SSL communication between the
BCAAA service and the Novell eDirectory server.
The location of the public certificate is specified in
the sso.ini file on the BCAAA machine.

To enable SSL for this realm and to have the BCAAA certificate verified, enter:
SGOS#(config novell-sso realm_name) ssl enable
SGOS#(config novell-sso realm_name) ssl-verify-agent enable

Adding LDAP Servers to Search and Monitor
The BCAAA service searches and monitors specified eDirectory servers to determine which users are
logged in and their Network Address attribute value. Those attribute values are converted into IP
addresses, and BCAAA maintains a map of IP addresses to LDAP FQDNs.
If the eDirectory tree is partitioned across multiple servers, the realm must monitor every eDirectory
server that has unique user information.
To Specific the eDirectory Servers:
1.

377

Select Configuration>Authentication>Novell SSO>LDAP Servers.

Blue Coat ProxySG Configuration and Management Guide

Section D: Novell Single Sign-on Authentication and Authorization

Figure 9-22: Novell SSO LDAP Servers Tab

2.

Select the realm name to edit from the drop-down list.
Note:

378

You must have defined at least one Novell SSO realm (using the Novell SSO Realms tab)
before attempting to specify LDAP server configuration. If the message Realms must be
added in the Novell SSO Realms tab before editing this tab is displayed in red at the bottom of
this page, you do not currently have any Novell SSO realms defined.

3.

Select an LDAP realm from the drop-down list. The servers configured in this LDAP realm are
used to do the full searches of the eDirectory tree.

4.

If you have a deployment with multiple servers holding partitions that are not fully replicated to
the master server, you can monitor each LDAP server individually. To add an LDAP server to
monitor, click New.

5.

Add the IP address and port of the LDAP server and click OK.

6.

Repeat for additional LDAP servers you need to monitor.

7.

Click Apply to save the changes.

Chapter 9: Using Authentication Services

Section D: Novell Single Sign-on Authentication and Authorization
To specify the LDAP search realm and LDAP servers to monitor through the CLI:
Enter the following commands:
SGOS#(config) security novell-sso edit-realm realm_name
SGOS#(config novell-sso realm_name) ldap search-realm ldap_realm
SGOS#(config novell-sso realm_name) ldap monitor-servers {add host [port] |
clear | remove host [port]}

where

ldap search-realm

ldap_realm

Specifies the LDAP search realm.

ldap monitor-servers

{add host [port] |
clear | remove host
[port]}

Allows you to add an LDAP server to
monitor, to clear all LDAP servers on the
monitor list, or to remove the specified
LDAP server.

Querying the LDAP Search Realm
You can specify the time and days that a full search of the eDirectory tree is repeated in order to ensure
that the mappings maintained by BCAAA are up to date.
To specify search criteria through the Management Console:
1.

Select Configuration>Authentication>Novell SSO>LDAP Queries.

Figure 9-23: The LDAP Queries Tab

2.

Select the realm name to edit from the drop-down list.
Note:

379

You must have defined at least one Novell SSO realm (using the Novell SSO Realms tab)
before attempting to configure LDAP queries. If the message Realms must be added in the
Novell SSO Realms tab before editing this tab is displayed in red at the bottom of this page,
you do not currently have any Novell SSO realms defined.

Blue Coat ProxySG Configuration and Management Guide

Section D: Novell Single Sign-on Authentication and Authorization
3.

In the full search pane, specify the time of day you want the search to take place from the
drop-down list.

4.

Select or de-select checkboxes to specify days to search.

5.

If you have changed the Novell eDirectory Network Address or Login Time LDAP attribute
name, you can enter those changed names in the Network Address LDAP name and the Login Time
LDAP name fields. The names must match the LDAP names configured on the eDirectory server
for authentication to succeed.

6.

Click Apply.

To specify search criteria through the CLI:
Enter the following commands:
SGOS#(config) security novell-sso edit-realm realm_name
SGOS#(config novell-sso realm_name) full-search day-of-week {all | friday |
monday | no | none | saturday | sunday | thursday | tuesday | wednesday}
SGOS#(config novell-sso realm_name) full-search time-of-day 0-23
SGOS#(config novell-sso realm_name) ldap-name {login-time ldap_name |
network-address ldap_name}

where
day-of-week

{all | friday | monday | no | none
| saturday | sunday | thursday |
tuesday | wednesday}

Specifies the days of the week to do
full searches. No allows you to
specify a day of the week to delete.
None clears all days of the week.
All specifies all days of the week.

time-of-day

0-23

Specifies the UTC time of day, using
a 24-hour clock, that you want the
search to take place.

ldap

{login-time ldap_name |
network-address ldap_name}

The Login Time and Network
Address attributes can be changed to
match the settings in your
environment.

Configuring Authorization
Novell SSO realm can be configured to do no authorization, authorize against itself (the default), or
authorize against another valid authorization realm (either LDAP or Local).
To specify an authorization realm:
1.

380

Select Configuration>Authentication>Novell SSO>Authorization.

Chapter 9: Using Authentication Services

Section D: Novell Single Sign-on Authentication and Authorization

Figure 9-24: The Novell SSO Authorization Tab

2.

Select the realm name to edit from the drop-down list.
Note:

You must have defined at least one Novell SSO realm (using the Novell SSO Realms tab)
before attempting to configure authorization. If the message Realms must be added in the
Novell SSO Realms tab before editing this tab is displayed in red at the bottom of this page,
you do not currently have any Novell SSO realms defined.

3.

The Novell SSO realm is selected to authorize against itself by default. To choose another realm,
de-select the Self checkbox and choose an authorization realm from the drop-down list.

4.

The LDAP FQDN is selected as the Authorization user name, by default. You might want to change
this if the user's authorization information resides in a different root DN. To choose a different
authorization name, de-select the Use FQDN checkbox and enter a different name, for example:
cn=$(user.name),ou=partition,o=company

5.

Click Apply.

To Configure Authorization Settings through the CLI
1.

At the (config) command prompt, enter the following commands to configure authorization
settings:
SGOS#(config novell-sso realm_name) authorization realm-name
authorization-realm-name
SGOS#(config novell-sso realm-name) authorization username
authorization-username
SGOS#(config-novell-sso realm-name) authorization self {enable | disable}

where:

381

authorization
realm-name

authorizationrealm-name

Specifies the realm to use to authorize the Novell SSO
authenticated user.

authorization
username

authorizationusername

Specifies the character string containing policy
substitutions that is to be used to construct the Novell
SSO authenticated user's authorization username.

authorization
self

enable | disable

Enables or disables the specified Novell SSO realm as the
authorization realm.

Blue Coat ProxySG Configuration and Management Guide

Section D: Novell Single Sign-on Authentication and Authorization
authorization
no

realm-name |
username

Clears the authorization realm or username.

Defining Novell SSO Realm General Properties
The Novell SSO General tab allows you to specify the credential cache duration.
Note:

Novell SSO realms default to the origin-ip authentication mode when either no
authentication mode or the auto authentication mode is specified in policy. After a user
has first successfully authenticated to the ProxySG, all subsequent requests from that
same IP address for the length of the cache duration are authenticated as that user. If the
first user is allowed or denied access, subsequent users during that same time coming
from the same IP address are allowed or denied as that first user. This is true even if
policy would have treated them differently if they were authenticated as themselves.
If multiple users often log in from the same IP address, a shorter cache duration timeout
than the default or else an authentication mode that does not use IP surrogates is
recommended.

To Configure General Settings through the Management Console
1.

Select Configuration>Authentication>Novell SSO>Novell SSO General.

Figure 9-25: Novell SSO General Tab

2.

From the Realm Name drop-down list, select the Novell SSO realm for which you want to change
properties.
Note:

382

You must have defined at least one Novell SSO realm (using the Novell SSO Realms tab)
before attempting to set Novell SSO general properties. If the message Realms must be
added in the Novell SSO Realms tab before editing this tab is displayed in red at the bottom of
this page, you do not currently have any Novell SSO realms defined.

3.

Specify the length of time, in seconds, that user and administrator credentials received from the
Novell SSO BCAAA service are cached. Credentials can be cached for up to 3932100 seconds. The
default cache duration is 900 seconds (15 minutes).

4.

Click Apply.

Chapter 9: Using Authentication Services

Section D: Novell Single Sign-on Authentication and Authorization
To Configure General Settings through the CLI
At the (config) command prompt:
SGOS#(config novell-sso realm_name) cache-duration seconds

where cache-duration specifies the length of time in seconds that user and administrator
credentials received from the Novell SSO BCAAA agent are cached. Credentials can be cached for
up to 3932100 seconds. The default value is 900 seconds (15 minutes).

Modifying the sso.ini File for Novell SSO Realms
The Novell SSO realm uses the sso.ini file for configuration parameters required by the BCAAA
service to manage communication with the Novell eDirectory server. Three sections in the sso.ini file
are related to the Novell SSO realm: NovellSetup, NovellTrustedRoot Certificates, and
SSOServiceUsers. You only need to modify settings in the NovellTrustedRoot Certificates section if the
LDAP realm used by the Novell SSO realm requires that the identity of the server be verified.
The sso.ini file is located in the BCAAA installation directory.
Note:

The changes to the sso.ini file have no effect until the BCAAA service is restarted.

To modify Novell SSO realms parameters:
1.

Open the file in a text editor.

2.

In the Novell Setup section, modify the parameters as needed (the default values are displayed
below):


MonitorRetryTime=30



SearchRetryTime=30



TrustedRootCertificateEncoding=der



PublicCertificateEncoding=der



PrivateKeyFile=



PrivateKeyEncoding=der

3.

If the LDAP realm used by the Novell SSO realm requires that the identity of the server be
verified, add the paths to the Trusted root certificate files in the NovellTrustedRootCertificates
section.

4.

In the section SSOServiceUsers, list the names of users who can log in with eDirectory credentials
on behalf of the service and mask the identity of the logged-on user.
Listing these users here forces the BCAAA service to ignore them for authentication purposes.

5.

383

Save the sso.ini file.

Blue Coat ProxySG Configuration and Management Guide

Section D: Novell Single Sign-on Authentication and Authorization

Creating the CPL
You can create CPL policies now that you have completed Novell SSO realm configuration. Be aware
that the examples below are just part of a comprehensive authentication policy. By themselves, they
are not adequate for your purposes.
Note:

The examples below assume the default policy condition is allow.

Refer to the Blue Coat ProxySG Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.


Every Novell SSO-authenticated user is allowed access the ProxySG.

authenticate(NSSORealm)



Group membership is the determining factor in granting access to the ProxySG.

authenticate(NSSORealm)

group=”cn=proxyusers, ou=groups, o=myco” ALLOW
deny

Notes

384



The Novell SSO realm works reliably only in environments where one IP address maps to one
user. NAT environments are not supported.



Novell SSO realms are not supported in IPX environments.



Event monitoring of eDirectory is only compatible with eDirectory 8.7+.



Upgrade to Novell client 4.91 SP1 or later if you experience issues with the Network Address
attribute not being updated during login.



Novell SSO realms do not use user credentials so they cannot spoof authentication information to
an upstream server.



If an upstream proxy is doing Novell SSO authentication, all downstream proxies must send the
client IP address.



There can be response time issues between the BCAAA service and the eDirectory servers during
searches; configure the timeout for LDAP searches to allow the eDirectory server adequate time to
reply.

Chapter 9: Using Authentication Services

Section E: RADIUS Realm Authentication and Authorization

Section E: RADIUS Realm Authentication and Authorization
RADIUS is often the protocol of choice for ISPs or enterprises with very large numbers of users.
RADIUS is designed to handle these large numbers through centralized user administration that eases
the repetitive tasks of adding and deleting users and their authentication information. RADIUS also
inherently provides some protection against sniffing.
Some RADIUS servers support one-time passwords. One-time passwords are passwords that become
invalid as soon as they are used. The passwords are often generated by a token or program, although
pre-printed lists are also used. Using one-time passwords ensures that the password cannot be used in
a replay attack.
The ProxySG’s one-time password support works with products such as Secure Computing SafeWord
synchronous and asynchronous tokens and RSA SecurID tokens.
The ProxySG supports RADIUS servers that use challenge/response as part of the authentication
process. SafeWord asynchronous tokens use challenge/response to provide authentication. SecurID
tokens use challenge/response to initialize or change PINs.
Note:

For this release, HTTP is the only supported protocol.

The challenge is displayed as the realm information in the authentication dialog; Blue Coat
recommends that you use form authentication if you create a challenge/response realm, particularly if
you use SecurID tokens.
If you set an authentication mode that uses forms, the system detects what type of question is being
asked. If it is a yes/no question, it displays the query form with a yes and no button. If it is a new PIN
question, the system displays a form with entry fields for the new PIN.
For information on using form authentication, see "Forms-Based Authentication" on page 460.
Using policy, you can fine-tune RADIUS realms based on RADIUS attributes. If you use the Blue Coat
attribute, groups are supported within a RADIUS realm.
This section discusses the following topics:


"Creating a RADIUS Realm"



"Defining RADIUS Realm Properties"



"Defining RADIUS Realm General Properties"



"Creating the Policy"



"Troubleshooting"

Creating a RADIUS Realm
To Create a RADIUS Realm through the Management Console
You can create up to 40 RADIUS realms.

385

Blue Coat ProxySG Configuration and Management Guide

Section E: RADIUS Realm Authentication and Authorization
1.

Select Configuration>Authentication>RADIUS>RADIUS Realms.

Figure 9-26: RADIUS Realms Tab

2.

Click New; the Add RADIUS Realm dialog displays.

Figure 9-27: Add RADIUS Realm

386

3.

In the Realm name field, enter a realm name. The name can be 32 characters long and composed of
alphanumeric characters and underscores. The name must start with a letter.

4.

Specify the host and port for the primary RADIUS server. The default port is 1812.

5.

Specify the RADIUS secret. RADIUS secrets can be up to 64 characters long and are always case
sensitive.

6.

Confirm the secret.

7.

Click OK; click Apply.

Chapter 9: Using Authentication Services

Section E: RADIUS Realm Authentication and Authorization

Defining RADIUS Realm Properties
Once you have created the RADIUS realm, you can change the primary host, port, and secret of the
RADIUS server for that realm.
To Re-Define RADIUS Server Properties through the Management Console
1.

Select Configuration>Authentication>RADIUS>RADIUS Servers.

Figure 9-28: RADIUS Servers Tab

Note:

387

You must have defined a RADIUS realm (using the RADIUS Realms tab) before
attempting to set RADIUS server properties. If the message Realms must be added in
the RADIUS Realms tab before editing this tab is displayed in red at the bottom of
this page, you do not currently have a RADIUS realm defined.

2.

Specify the host and port for the primary RADIUS server. The default port is 1812. (To create or
change the RADIUS secret, click Change Secret. RADIUS secrets can be up to 64 characters long
and are always case sensitive.)

3.

(Optional) Specify the host and port for the alternate RADIUS server. The default port is 1812. (To
create or change the RADIUS secret, click Change Secret. RADIUS secrets can be up to 64
characters long and are always case sensitive.)

4.

In the Timeout Request field, enter the number of seconds the ProxySG allows for each request
attempt before giving up on a server and trying another server. Within a timeout multiple packets
can be sent to the server, in case the network is busy and packets are lost. The default request
timeout is 10 seconds.

5.

In the Retry field, enter the number of attempts permitted before marking a server offline. The
client maintains an average response time from the server; the retry interval is initially twice the
average. If that retry packet fails, then the next packet waits twice as long again. This increases
until it reaches the timeout value. The default number of retries is 10.

Blue Coat ProxySG Configuration and Management Guide

Section E: RADIUS Realm Authentication and Authorization
6.

If you are using one-time passwords, select the One-time passwords checkbox. (For more
information on using one-time passwords, see the RADIUS introduction on page 385.) You must
enable one-time passwords if you created a challenge/response realm.

7.

Click Apply.

Defining RADIUS Realm General Properties
The RADIUS General tab allows you to specify the display name and a virtual URL.
To Configure General Settings through the Management Console
1.

Select Configuration>Authentication>RADIUS>RADIUS General.

Figure 9-29: RADIUS General Tab

Note:

388

You must have defined a RADIUS realm (using the RADIUS Realms tab) before
attempting to set RADIUS server properties. If the message Realms must be added in
the RADIUS Realms tab before editing this tab is displayed in red at the bottom of
this page, you do not currently have a RADIUS realm defined.

2.

If needed, change the RADIUS realm display name. The default value for the display name is the
realm name. The display name cannot be longer than 128 characters and it cannot be empty.

3.

If the RADIUS server is configured to expect case-sensitive usernames and passwords, make sure
the Case sensitive checkbox is selected.

Chapter 9: Using Authentication Services

Section E: RADIUS Realm Authentication and Authorization
4.

Specify the length of time, in seconds, that user credentials received from the RADIUS server are
cached. Credentials can be cached for up to 3932100 seconds. The default is 900 seconds (15
minutes).
Note:

If you specify 0, traffic is increased to the RADIUS server because each authentication
request generates an authentication and authorization request. That is, if a Web page has
15 images and is loaded, you must authenticate 16 times—once for the Web page and
once for each image.

5.

(Optional) You can specify a virtual URL based on the individual realm. For more information on
the virtual URL, see "Understanding Origin-Style Redirection" on page 322.

6.

Click Apply.

To Create and Define a RADIUS Realm through the CLI
1.

At the (config) prompt, enter the following command to create a RADIUS realm:
SGOS#(config) security radius create-realm realm_name secret primary-server_host
[primary-server_port]
-orSGOS#(config) security radius create-realm-encrypted realm_name encrypted_secret
primary_host [primary_port]

where:
realm_name

The name of the RADIUS realm.

secret |
encrypted_secret

The shared secret (or encrypted secret) associated with the primary RADIUS
server. (RADIUS secrets can be up to 64 characters long and are always case
sensitive.)
The primary use of the encrypted-password command is to allow the
ProxySG to reload a password that it encrypted. If you choose to use a
third-party encryption application, be sure it supports RSA encryption,
OAEP padding andBase64 encoded with no new lines.

2.

primary_host

The host for the primary RADIUS server.

primary_port

The port for the primary RADIUS server. The default port is 1812.

To set the newly-created RADIUS realm primary and alternate hosts and passwords, enter the
following commands:
SGOS#(config) security radius edit-realm realm_name
SGOS#(config radius realm_name) primary-server primary_host [primary_port]
SGOS#(config radius realm_name) primary-server secret secret
-orSGOS#(config radius realm_name) primary-server encrypted-secret encrypted_secret

and optionally:

389

Blue Coat ProxySG Configuration and Management Guide

Section E: RADIUS Realm Authentication and Authorization
SGOS#(config radius realm_name) alternate-server alternate_host [alternate_port]
SGOS#(config radius realm_name) alternate-server secret secret
-orSGOS#(config radius realm_name) alternate-server encrypted-secret
encrypted_secret
where:
secret |
encrypted_secret

The shared secret (or encrypted secret) associated with the primary or
alternate RADIUS server. (RADIUS secrets can be up to 64 characters long and
are always case sensitive.)
Note that you must create the encrypted secret before executing the host
[port] command.
The primary use of the encrypted-password command is to allow the ProxySG
to reload a password that it encrypted. You can choose to use a third-party
encryption application. The encrypted password is encrypted using RSA with
OAEP padding, and is Base64 encoded with no newlines.

3.

primary_server

The host for the primary RADIUS server.

primary_port

The port for the primary RADIUS server. The default port is 1812.

alternate_host

The host for the alternate RADIUS server.

alternate_port

The port for the alternate RADIUS server. The default port is 1812.

To complete configuration of the RADIUS realm, enter the following commands:
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config

radius
radius
radius
radius
radius
radius
radius

realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)
realm_name)

timeout seconds
server-retry count
cache-duration seconds
case-sensitive {enable | disable}
display-name name
spoof-authentication {none | origin | proxy}
one-time-passwords {enable | disable}

where:
timeout

390

seconds

The number of seconds the ProxySG allows for
each request attempt before giving up on a
server and trying another server. Within a
timeout multiple packets can be sent to the
server, in case the network is busy and packets
are lost. The default request timeout is 10
seconds

Chapter 9: Using Authentication Services

Section E: RADIUS Realm Authentication and Authorization
server-retry

count

The number of attempts permitted before

marking a server offline. The client maintains
an average response time from the server; the
retry interval is initially twice the average. If
that retry packet fails, then the next packet
waits twice as long again. This increases until
it reaches the timeout value. The default
number of retries is 10.
cache-duration

seconds

The length of time that credentials should be
cached for this RADIUS realm. The default is 900
seconds (15 minutes)

display-name

name

The default value for the display name is the realm
name. The display name cannot be longer than 128
characters and it cannot be empty.

spoof-authentication

none |
origin |
proxy

Enables/disables the forwarding of authenticated
credentials to the origin content server or for proxy
authentication. You can only choose one.
• If set to origin, the spoofed header is an
Authorization: header.
• If set to proxy, the spoofed header is a
Proxy-Authorization: header.
• If set to none, no spoofing occurs.
Flush the entries for a realm if the
spoof-authentication value is changed to
ensure that the spoof-authentication value is
immediately applied.

one-time-passwords

enable |
disable

Allows you to use one-time passwords for
authentication. The default is disabled. For more
information on one-time passwords, seethe
RADIUS introduction on page 385.

Creating the Policy
Fine-tune RADIUS realms through attributes configured by policy—CPL or VPM. You can also create
RADIUS groups. To fine-tune RADIUS realms, continue with the next section. To create RADIUS
groups, see "Creating RADIUS Groups" on page 393.
Note:

391

RADIUS groups can only be configured through policy. This feature is not available
through either the Management Console or the CLI.

Blue Coat ProxySG Configuration and Management Guide

Section E: RADIUS Realm Authentication and Authorization

Fine-Tuning RADIUS Realms
Fine-tune RADIUS Realms by using the following attributes in the attribute. and
has_attribute. CPL conditions and source objects in VPM.
Table 9.2: RADIUS Attributes for the attribute. and has_attribute. Conditions

392

RADIUS Attribute Name

CPL Gesture Name

Type (Possible Value)

Callback-ID

attribute.Callback-ID

String

Callback-Number

attribute.Callback-Number

String

Filter-ID

attribute.Filter-ID

String

Framed-IP-Address

attribute.Framed-IP-Address

IP Address

Framed-IP-Netmask

attribute.Framed-IP-Netmask

IP Address

Framed-MTU

attribute.Framed-MTU

Integer

Framed-Pool

attribute.Framed-Pool

Strong

Framed-Protocol

attribute.Framed-Protocol

Integer (1-6)

Framed-Route

attribute.Framed-Route

String

Idle-Timeout

attribute.Idle-Timeout

Integer

Login-LAT-Group

attribute.Login-LAT-Group

String

Login-LAT-Node

attribute.Login-LAT-Node

String

Login-LAT-Port

attribute.Login-LAT-Port

Integer

Login-LAT-Service

attribute.Login-LAT-Service

String

Login-IP-Host

attribute.Login-IP-Host

IP Address

Login-Service

attribute.Login-Service

Integer (0-7)

Login-TCP-Port

attribute.Login-TCP-Port

Integer (0-65535)

Port-Limit

attribute.Port-Limit

Integer

Service-Type

attribute.Service-Type

Integer (1-11)

Session-Timeout

attribute.Session-Timeout

Integer

Tunnel-Assignment-ID

attribute.Tunnel-Assignment-ID

String

Tunnel-Medium-Type

attribute.Tunnel-Medium-Type

Integer (1-15)

Tunnel-Private-Group-ID

attribute.Tunnel-Private-Group-ID

String

Tunnel-Type

attribute.Tunnel-Type

Integer (1-12)

Blue-Coat-Group

attribute.Blue-Coat-Group

String

Chapter 9: Using Authentication Services

Section E: RADIUS Realm Authentication and Authorization

Creating RADIUS Groups
You can create a RADIUS realm group by using the custom Blue Coat attribute, which can appear
multiple times within a RADIUS response. It can be used to assign a user to one or more groups.
Values that are found in this attribute can be used for comparison with the group condition in CPL
and the group object in VPM. The group name is a string with a length from 1-247 characters. The Blue
Coat Vendor ID is 14501, and the Blue-Coat-Group attribute has a Vendor Type of 1.
If you are already using the Filter-ID attribute for classifying users, you can use that attribute instead
of the custom Blue-Coat-Group attribute. While the Filter-ID attribute does not work with the CPL
group condition or the group object in VPM, the attribute.Filter-ID condition can be used to
manage users in a similar manner.

CPL Example
Be aware that the examples below are just part of a comprehensive authentication policy. By
themselves, they are not adequate.
Note:



Refer to the Blue Coat ProxySG Content Policy Language Guide for details about CPL and
how transactions trigger the evaluation of policy file layers.

Every RADIUS-authenticated user is allowed access the ProxySG if the RADIUS attribute
service-type is set.

authenticate(RADIUSRealm)

allow has_attribute.Service-Type=yes
deny



A group called RegisteredUsersGroup is allowed to access the ProxySG if the allow group gesture
is defined.

authenticate(RADIUSRealm)

allow group=RegisteredUsersGroup
deny

Troubleshooting
One of five conditions can cause the following error message:
Your request could not be processed because of a configuration error: "The request timed out while trying to
authenticate. The authentication server may be busy or offline."

393



The secret is wrong.



The network is so busy that all packets were lost to the RADIUS server.



The RADIUS server was slow enough that the ProxySG gave up before the server responded.

Blue Coat ProxySG Configuration and Management Guide

Section E: RADIUS Realm Authentication and Authorization

394



The RADIUS servers are up, but the RADIUS server is not running. In this case, you might also
receive ICMP messages that there is no listener.



RADIUS servers machines are not running/unreachable. Depending on the network
configuration, you might also receive ICMP messages.

Chapter 9: Using Authentication Services

Section F: Local Realm Authentication and Authorization

Section F: Local Realm Authentication and Authorization
Using a Local realm is appropriate when the network topography does not include external
authentication or when you want to add users and administrators to be used by the ProxySG only.
The Local realm (you can create up to 40) uses a Local User List, a collection of users and groups stored
locally on the ProxySG. You can create up to 50 different Local User Lists. Multiple Local realms can
reference the same list at the same time, although each realm can only reference one list at a time. The
default list used by the realm can be changed at any time.
This section discusses the following topics:


"Creating a Local Realm"



"Changing Local Realm Properties"



"Defining the Local User List"



"Creating the CPL"

Creating a Local Realm
To Create a Local Realm through the Management Console
1.

Select Configuration>Authentication>Local>Local Realms.

Figure 9-30: Local Realms Tab

2.

Click New; the Add Local Realm dialog displays.

Figure 9-31: Add Local Realm

395

Blue Coat ProxySG Configuration and Management Guide

Section F: Local Realm Authentication and Authorization
3.

In the Realm name field, enter a realm name. The name can be 32 characters long and composed of
alphanumeric characters and underscores. The name must start with a letter.

4.

Click OK; click Apply.

To Create a Local Realm through the CLI
Up to 40 Local realms can be configured per ProxySG.
At the (config) command prompt, enter the following command to create a Local realm:
SGOS#(config) security local create-realm realm_name

where realm_name is the name of the new Local realm.

Changing Local Realm Properties
Once you have created a Local realm, you can modify the properties through the Management
Console or the CLI.
To Define or Change Local Realm Properties through the Management Console
1.

Select Configuration>Authentication>Local>Local Main.

Figure 9-32: Local Main Tab

Note:

2.

You must define a Local realm (using the Local Realms tab) before attempting to set realm
properties. If the message Realms must be added in the Local Realms tab before
editing this tab is displayed in red at the bottom of this page, you do not have a Local
realm defined.

Display name: The default value for the display name is the realm name. The display name cannot

be longer than 128 characters and it cannot be null.

396

3.

Local User List: Specify the local user list from the drop-down list.

4.

Specify the length of time, in seconds, that user and administrator credentials received from the
Local password file are cached. Credentials can be cached for up to 3932100 seconds. The default
is 900 seconds (15 minutes).

Chapter 9: Using Authentication Services

Section F: Local Realm Authentication and Authorization
5.

You can specify a virtual URL based on the individual realm. For information on using virtual
URLs, see "Understanding Origin-Style Redirection" on page 322.

6.

Click Apply.

To Define or Change Local Realm Properties through the CLI
1.

From the (config) prompt, enter the following commands to modify realm properties:
SGOS#(config) security local edit-realm realm_name
SGOS#(config local realm_name) cache-duration 600
SGOS#(config local realm_name) display-name display_name
SGOS#(config local realm_name) local-user-list list_name
SGOS#(config local realm_name) rename new_realm_name
SGOS#(config local realm_name) spoof-authentication {disable | enable}
SGOS#(config local realm_name) virtual-url url
SGOS#(config local realm_name) validate-authorized-user {disable | enable}
SGOS#(config local realm_name) default-group-name default_group_name
SGOS#(config local realm_name) no default-group-name

where:
cache-duration

seconds

The number of seconds that user and administrator
credentials received from the Local password file should
be cached. The default is 900 seconds (15 minutes).

display-name

display_name

The display name for a realm, presented to the user as part
of the authentication challenge, is equivalent to the
display-name option in the CPL authenticate action.
The default value for the display name is the realm name.
The display name cannot be longer than 128 characters
and it cannot be null.

local-user-list

list_name

The list you want to associate with this realm. The list
must exist before it is added. The local user list is set to the
default list when the realm is created. For more
information on creating a local list, see "Defining the Local
User List" on page 398.

rename

new_realm_
name

Allows you to change the realm name of an existing realm.

spoofauthentication

none |
origin |
proxy

Enables/disables the forwarding of authenticated
credentials to the origin content server or for proxy
authentication. You can only choose one.
• If set to origin, the spoofed header is an
Authorization: header.
• If set to proxy, the spoofed header is a
Proxy-Authorization: header.
• If set to none, no spoofing occurs.
Flush the entries for a realm if the
spoof-authentication value is changed to ensure that
the spoof-authentication value is immediately
applied.

397

Blue Coat ProxySG Configuration and Management Guide

Section F: Local Realm Authentication and Authorization
virtual-url

URL

The URL to redirect to when the user needs to be
challenged for credentials. See Chapter 8: “Security and
Authentication” on page 305 for more details.

validateauthorized-user

enable |
disable

When validate-authorized-user is enabled, an
authorization (not authentication) request will verify that
the user exists in the local user list. If the user does not
exist, the authorization request fails (authentication
requests always require the user to exist).
When validate-authorized-user is disabled, no
user existence check is made for an authorization request.
If the user does not exist, the authorization request
succeeds.

default-groupname

group_name

no
default-groupname

2.

If the validate-authorized-user command is
disabled and a default-group-name is configured, the
default-group-name is used as the group name for
non-existent users.
Clears the default group name.

(Optional) View the configuration:
SGOS#(config local realm_name) view
Realm name:
local_1
Display name:
local_1
Local user list:
local_user_database
Cache duration:
900
Virtual URL:
Spoof authentication:
none
Validate authorized user: yes
Default group name:

Defining the Local User List
Defining the local user list involves the following steps:

398



Create a list or customize the default list for your needs.



Upload a user list or add users and groups through the CLI.



Associate the list with the realm.

Chapter 9: Using Authentication Services

Section F: Local Realm Authentication and Authorization

Creating a Local User List
The user list local_user_database is created on a new system or after an upgrade. It is empty on a new
system. If a password file existed on the ProxySG before an upgrade, then the list contains all users
and groups from the password file; the initial default user list is local_user_database. If a new user
list is created, the default can be changed to point to it instead by invoking the security
local-user-list default list list name command. You can create up to 50 new lists with 10,000
users each.
Lists can be uploaded or you can directly edit lists through the CLI. If you want to upload a list, it
must be created as a text file using the .htpasswd format of the ProxySG.
Each user entry in the list consists of:


username



List of groups



Hashed password



Enabled/disabled boolean searches

A list that has been populated looks like this:
SGOS#(config) security local-user-list edit listname
SGOS#(config local-user-list listname) view
list20
Lockout parameters:
Max failed attempts: 60
Lockout duration:
3600
Reset interval:
7200
Users:
admin1
Hashed Password: $1$TvEzpZE$Z2A/OuJU3w5LnEONDHkmg.
Enabled: true
Groups:
group1
admin2
Hashed Password: $1$sKJvNB3r$xsInBU./2hhBz6xDAHpND.
Enabled: true
Groups:
group1
group2
admin3
Hashed Password: $1$duuCUt30$keSdIkZVS4RyFz47G78X20
Enabled: true
Groups:
group2
Groups:
group1
group2

To create a new empty local user list:
SGOS#(config) security local-user-list create listname

399

Blue Coat ProxySG Configuration and Management Guide

Section F: Local Realm Authentication and Authorization

Username
The username must be case-sensitively unique, and can be no more than 64 characters long. All
characters are valid, except for a colon (:).
A new local user is enabled by default and has an empty password.

List of Groups
You cannot add a user to a group unless the group has previously been created in the list. The group
name must be case-sensitively unique, and can be no more than 64 characters long. All characters are
valid, except for colon (:).
The groups can be created in the list; however, their user permissions are defined through policies
only.

Hashed Password
The hashed password must be a valid UNIX DES or MD5 password whose plain-text equivalent
cannot be more than 64 characters long.
To populate the local user list using an off-box .htpasswd file, continue with the next section. To
populate the local user list using the ProxySG CLI, go to "Defining the Local User List" on page 398.

Populating a List using the .htpasswd File
To add users to a text file in .htpasswd format, enter the following UNIX htpasswd command:
prompt> htpasswd [-c] .htpasswd username

The –c option creates a new .htpasswd file and should only be used for the very first .htpasswd
command. You can overwrite any existing .htpasswd file by using the -c option.
After entering this command, you are prompted to enter a password for the user identified by
username. The entered password is hashed and added to the user entry in the text file. If the -m option

is specified, the password is hashed using MD5; otherwise, UNIX DES is used
Important: Because the -c option overwrites the existing file, do not use the option if you are
adding users to an existing .htpasswd file.
Once you have added the users to the .htpasswd file, you can manually edit the file to add user
groups. When the .htpasswd file is complete, it should have the following format:
user:encrypted_password:group1,group2,…
user:encrypted_password:group1,group2,…

Note:

400

You can also modify the users and groups once they are loaded on the ProxySG. To
modify the list once it is on the ProxySG, see "Populating a Local User List through the
ProxySG" on page 401.

Chapter 9: Using Authentication Services

Section F: Local Realm Authentication and Authorization

Uploading the .htpasswd File
When the .htpasswd file is uploaded, the entries from it either replace all entries in the default local
user list or append to the entries in the default local user list. One default local user list is specified on
the ProxySG.
To set the default local user list use the command security local-user-list default list
listname. The list specified must exist.
To specify that the uploaded .htpasswd file replace all existing user entries in the default list, enter
security local-user-list default append-to-default disable before uploading
the .htpasswd file.
To specify that the .htpasswd file entries should be appended to the default list instead, enter
security local-user-list default append-to-default enable.

Uploading the .htpasswd File
The .htpasswd file is loaded onto the ProxySG with a Perl script found at:
http://download.bluecoat.com/release/tools/set_auth.zip

Unzip the file, which contains the set_auth.pl script.
Note:

To use the set_auth.pl script, you must have Perl binaries on the system where the
script is running.

To Load the .htpasswd File
prompt> set_auth.pl username password path_to_.htpasswd_file_on_local_machine
ip_address_of_the_ProxySG

where username and password are valid administrator credentials for the ProxySG.

Populating a Local User List through the ProxySG
You can populate a local user list from scratch or modify a local user list that was populated by
loading an .htpasswd file.
To Create a New, Empty Local User List
SGOS#(config) security local-user-list create listname

To Modify an Existing Local User List (Can be Empty or Contain Users)
1.

From the (config) prompt, enter:
SGOS#(config) security local-user-list edit listname
SGOS#(config local-user-list listname)

401

Blue Coat ProxySG Configuration and Management Guide

Section F: Local Realm Authentication and Authorization
2.

To add users and groups to the list, enter the following commands, beginning with groups, since
they must exist before you can add them to a user account.
SGOS#(config
ok
SGOS#(config
ok
SGOS#(config
ok
SGOS#(config

3.

local-user-list listname) group create group2
local-user-list listname) group create group3
local-user-list listname) user create username

Add the user information to the user account.
SGOS#(config
SGOS#(config
SGOS#(config
SGOS#(config
-orSGOS#(config

Note:

4.

local-user-list listname) group create group1

local-user-list
local-user-list
local-user-list
local-user-list

listname) user edit username
listname username) group add groupname1
listname username) group add groupname2
listname username) password password

local-user-list listname username) hashed-password hashed-password

If you enter a plain-text password, the ProxySG hashes the password. If you enter a
hashed password, the ProxySG does not hash it again.

(Optional) The user account is enabled by default. To disable a user account:
SGOS#(config local-user-list listname username) disable
ok

5.

Repeat the above steps for each user you want added to the list.

To View the Results of an Individual User Account
Remain in the user account submode and enter the following command:
SGOS#(config local-user-list listname username) view
admin1
Hashed Password: $1$TvEzpZE$Z2A/OuJU3w5LnEONDHkmg.
Enabled: true
Failed Logins: 6
Groups:
group1

Note:

If a user has no failed logins, the statistic does not display.

To View the Users in the Entire List
Exit the user account submode and enter:
SGOS#(config local-user-list listname username) exit
SGOS#(config local-user-list listname) view
list20
Lockout parameters:
Max failed attempts: 60
Lockout duration:
3600

402

Chapter 9: Using Authentication Services

Section F: Local Realm Authentication and Authorization
Reset interval:
7200
Users:
admin1
Hashed Password: $1$TvEzpZE$Z2A/OuJU3w5LnEONDHkmg.
Enabled: true
Groups:
group1
admin2
Hashed Password: $1$sKJvNB3r$xsInBU./2hhBz6xDAHpND.
Enabled: true
Groups:
group1
group2
admin3
Hashed Password: $1$duuCUt30$keSdIkZVS4RyFz47G78X20
Enabled: true
Groups:
group2
Groups:
group1
group2

To View all the Lists on the ProxySG
SGOS#(config) show security local-user-list
Default List: local_user_database
Append users loaded from file to default list: false
local_user_database
Lockout parameters:
Max failed attempts: 60
Lockout duration:
3600
Reset interval:
7200
Users:
Groups:
test1
Users:
Groups:

To Delete Groups Associated with a User
SGOS#(config local-user-list listname username) group remove group_name

To Delete Users from a List
SGOS#(config local-user-list listname) user delete username
This will permanently delete the object. Proceed with deletion?
(y or n) y
ok

To Delete all Users from a List
SGOS#(config local-user-list listname) user clear
ok

The groups remain but have no users.

403

Blue Coat ProxySG Configuration and Management Guide

Section F: Local Realm Authentication and Authorization
To Delete all Groups from a List:
SGOS#(config local-user-list listname) group clear
ok

The users remain but do not belong to any groups.

Enhancing Security Settings for the Local User List
You can configure a local user database so that each user account is automatically disabled if too many
failed login attempts occur for the account in too short a period, indicating a brute-force password
attack on the ProxySG. The security settings are available through the CLI only.
Available security settings are:


Maximum failed attempts: The maximum number of failed password attempts allowed for an
account. When this threshold is reached, the account is disabled (locked). If this is zero, there is no
limit. The default is 60 attempts.



Lockout duration: The time after which a locked account is re-enabled. If this is zero, the account
does not automatically re-enable, but instead remains locked until manually enabled. The default
is 3600 seconds (one hour).



Reset interval: The time after which a failed password count resets after the last failed password
attempt. If this is zero, the failed password count resets only when the account is enabled or when
its password is changed. The default is 7200 seconds (two hours).

These values are enabled by default on the system for all user account lists. You can change the
defaults for each list that exists on the system.
To Change the Security Settings for a Specific User Account List
1.

Enter the following commands from the (config) prompt:
SGOS#(config) security local-user-list
SGOS#(config local-user-list listname)
SGOS#(config local-user-list listname)
SGOS#(config local-user-list listname)

2.

edit listname
lockout-duration seconds
max-failed-attempts attempts
reset-interval seconds

(Optional) View the settings:
SGOS#(config local-user-list listname) view
listname
Lockout parameters:
Max failed attempts: 45
Lockout duration:
3600
Reset interval:
0

3.

(Optional) To disable any of these settings:
SGOS#(config local-user-list listname) no [lockout-duration |
max-failed-attempts | reset-interval]

404

Chapter 9: Using Authentication Services

Section F: Local Realm Authentication and Authorization

Creating the CPL
Be aware that the examples below are just part of a comprehensive authentication policy. By
themselves, they are not adequate for your purposes. (The default policy in these examples is deny.)
Note:



Refer to the Blue Coat ProxySG Content Policy Language Guide for details about CPL and
how transactions trigger the evaluation of policy file layers.

Every Local-authenticated user is allowed access the ProxySG.

authenticate(LocalRealm)



Group membership is the determining factor in granting access to the ProxySG.

authenticate(LocalRealm)

group=”group1” allow



A subnet definition determines the members of a group, in this case, members of the Human
Resources department.

authenticate(LocalRealm)

Define subnet HRSubnet
192.168.0.0/16
10.0.0.0/24
End subnet HRSubnet
[Rule] client_address=HRSubnet
url.domain=monster.com
url.domain=hotjobs.com
deny
.
.
.
[Rule]
deny

405

Blue Coat ProxySG Configuration and Management Guide

Section G: Certificate Realm Authentication

Section G: Certificate Realm Authentication
Certificate realms are used to authenticate users. If the users are members of an LDAP or Local group,
the Certificate Realm can also forward the user credentials to the specified authorization realm, which
determines the user’s authorization (permissions).
This section discusses the following topics:


"How Certificate Realm Works"



"Creating a Certificate Realm"



"Defining a Certificate Realm"



"Defining Certificate Realm General Properties"



"Revoking User Certificates"

How Certificate Realm Works
Once an SSL session has been established, the user is asked to select the certificate to send to the
ProxySG. If the certificate was signed by a Certificate Signing Authority that the ProxySG trusts,
including itself, then the user is considered authenticated. The username for the user is the one
extracted from the certificate during authentication.
At this point the user is authenticated. If an authorization realm has been specified, such as LDAP or
Local, the certificate realm then passes the username to the specified authorization realm, which
figures out which groups the user belongs to.
Note:

If you authenticate with a certificate realm, you cannot also challenge for a password.

Certificate realms do not require an authorization realm. If no authorization realm is configured, the
user cannot be a member of any group.
You do not need to specify an authorization realm if:


The policy does not make any decisions based on groups



The policy works as desired when all certificate realm-authenticated users are not in any group

To use a Certificate Realm, you must:

406



Configure SSL between the client and ProxySG (for more information, see "Using SSL Between the
Client and the ProxySG" on page 325)



Enable verify-client on the HTTPS service to be used (for more information, see "Managing the
HTTPS Reverse Proxy" on page 165).



Verify that the certificate authority that signed the client's certificates is in the ProxySG trusted list.

Chapter 9: Using Authentication Services

Section G: Certificate Realm Authentication

Creating a Certificate Realm
To Create a Certificate Realm through the Management Console
1.

Select Configuration>Authentication>Certificate>Certificate Realms.

Figure 9-33: Certificate Realms Tab

2.

Click New; the Add Certificate Realm dialog displays.

Figure 9-34: Add Certificate Realm

3.

In the Realm name field, enter a realm name. The name can be 32 characters long and composed of
alphanumeric characters and underscores. The name must start with a letter.

4.

Click OK; click Apply.

To Create a Certificate Realm through the CLI
Up to 40 Certificate realms can be configured per ProxySG.
At the (config) command prompt, enter the following command to create a Certificate realm:
SGOS#(config) security certificate create-realm realm_name

where realm_name is the name of the new Certificate realm.

407

Blue Coat ProxySG Configuration and Management Guide

Section G: Certificate Realm Authentication

Defining a Certificate Realm
To Define Certificate Authentication Properties through the Management Console
Note:

1.

You can also define certificate authentication properties through the CLI. For information,
see "To Create and Define a Certificate Realm through the CLI" on page 409.

Select Configuration>Authentication>Certificate>Certificate Main.

Figure 9-35: Certificate Main Tab

2.

From the Realm Name drop-down list, select the Certificate realm for which you want to change
realm properties.
Note:

You must have defined at least one Certificate realm (using the Certificate Realms tab)
before attempting to set Certificate realm properties. If the message Realms must be
added in the Certificate Realms tab before editing this tab is displayed in
red at the bottom of this page, you do not currently have any Certificate realms defined.

3.

(Optional) From the Authorization Realm Name drop-down list, select the LDAP or Local realm you
want to use to authorize users.

4.

From the username attribute field, enter the attribute that specifies the common name in the subject
of the certificate. CN is the default.

5.

(Optional, if you are configuring a Certificate realm with LDAP authorization) Enter the list of
attributes (the container attribute field) that should be used to construct the user's distinguished
name.
For example, $(OU) $(O) substitutes the OU and O fields from the certificate.

6.

(Optional, if you are configuring a Certificate realm with LDAP authorization) Select or deselect
Append Base DN.

7.

408

(Optional, if you are configuring a Certificate realm with LDAP authorization) Enter the Base DN
where the search starts. If no BASE DN is specified and Append Base DN is enabled, the first Base
DN defined in the LDAP realm used for authorization is appended.

Chapter 9: Using Authentication Services

Section G: Certificate Realm Authentication
8.

Cache credentials: Specify the length of time, in seconds, that user and administrator credentials
received from the Local password file are cached. Credentials can be cached for up to 3932100
seconds. The default is 900 seconds (15 minutes).

Defining Certificate Realm General Properties
The Certificate General tab allows you to specify the display name and a virtual URL.
To Configure Certificate Realm General Settings through the Management Console
1.

Select Configuration>Authentication>Certificate>Certificate General.

Figure 9-36: Certificate General Tab

2.

From the Realm name drop-down list, select the Certificate realm for which to change properties.
Note:

You must have defined at least one Certificate realm (using the Certificate Realms tab)
before attempting to set Certificate general properties. If the message Realms must be
added in the Certificate Realms tab before editing this tab is displayed in
red at the bottom of this page, you do not currently have any Certificate realms defined.

3.

If needed, change the Certificate realm display name. The default value for the display name is
the realm name. The display name cannot be longer than 128 characters and it cannot be null.

4.

You can specify a virtual URL based on the individual realm. For more information on the virtual
URL, see "Understanding Origin-Style Redirection" on page 322.

5.

Click Apply.

To Create and Define a Certificate Realm through the CLI
1.

At the (config) prompt:
SGOS#(config) security certificate create-realm realm_name

2.

To define an authorization realm for the Certificate realm configuration for the realm you just
created, enter the following commands:
SGOS#(config) security certificate edit-realm realm_name
SGOS#(config certificate realm_name) authorization {append-base-dn {enable |
disable | dn dn_to_append} | container-attr-list list | realm-name realm |
username-attribute attribute}

409

Blue Coat ProxySG Configuration and Management Guide

Section G: Certificate Realm Authentication
where:

3.

append-base-dn

enable |
disable | dn
dn_to_append

Used only if an LDAP authorization realm is present.

container-attrlist

list

Used only if an LDAP authorization realm is present. If the
CLI contains spaces, quotes must be used, as in
“ou=Research and Development, ou=Sales, o=Blue
Coat”.

realm-name

realm_name

The name of the LDAP or Local realm used for
authorization. The realm name must already exist.

usernameattribute

attribute

The attribute that specifies the common name in the subject
of the certificate. CN is the default.

Enter the following commands to modify Certificate realm properties:
SGOS#(config certificate realm_name) cache-duration 600
SGOS#(config certificate new_realm_name) virtual-url cfauth.com
SGOS#(config certificate new_realm_name) display-name display_name

where:

4.

cache-duration

seconds

The number of seconds that user and administrator
credentials received from the Credential realm are cached.
The default is 900 seconds (15 minutes).

virtual-url

URL

The URL to redirect to when the user needs to be
challenged for credentials. See Chapter 8: “Security and
Authentication” on page 305 for more details.

display-name

display_name

The default value for the display name is the realm name.
The display name cannot be longer than 128 characters and
it cannot be null.

(Optional) View the results:
SGOS#(config certificate certificate-name) view
Realm name:
certificate-name
Display name:
certificate-name
Cache duration:
900
Virtual URL:
cfauth.com
Authorization realm:
ldap-realm
Username attribute:
cn
Container attr. list: ou=Sales,ou=Manufacturing
Append DN:
enabled
Base DN:

410

Chapter 9: Using Authentication Services

Section G: Certificate Realm Authentication

Revoking User Certificates
Using policy, you can revoke certain certificates by writing policy that denies access to users who have
authenticated with a certificate you want to revoke. You must maintain this list on the ProxySG; it is
not updated automatically.
Note:

This method of revoking user certificates is meant for those with a small number of
certificates to manage.
For information on using automatically updated lists, see "Using Certificate Revocation
Lists" on page 282.

A certificate is identified by its issuer (the Certificate Signing Authority that signed it) and its serial
number, which is unique to that CA.
Using that information, you can use the following strings to create a policy to revoke user certificates:


user.x509.serialNumber—This is a string representation of the certificate’s serial number in
HEX. The string is always an even number of characters long, so if the number needs an odd
number of characters to represent in hex, there is a leading zero. Comparisons are case insensitive.



user.x509.issuer—This is an RFC2253 LDAP DN. Comparisons are case sensitive.



(optional) user.x509.subject: This is an RFC2253 LDAP DN. Comparisons are case sensitive.

Example
If you have only one Certificate Signing Authority signing user certificates, you do not need to test the
issuer. In the layer of the Local Policy file:

deny user.x509.serialnumber=11
deny user.x509.serialNumber=0F

If you have multiple Certificate Signing Authorities, test both the issuer and the serial number. In the
layer of the Local Policy file:

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh