Blue Coat® Systems ProxySG® Appliance Volume 1
Contents
1. end inline inline keyring show default end inline nese BEGIN RSA PRIVATE KEY Proc Type 4 ENCRYPTED DEK Info DES EDES3 CBC 2F6148C8A99AAAA 21JjGKxpkcWBXj424FhyQJPKRdgHUIxl2C6HKigth6hUgPqsSJj958FbzEx6ntsC 11 jXj34Ni6U94 9ugYGEqWLCqed77M1 WA4s6U5TCI9fScVuGaoZ0EVhx48113G LGOplOJXmrOL5vNj el LSeCOHg 7ASyY PaFr9Dk8nRqAhoWMM PQElkvAxuXzW 8hccfZaallHl1MiPWfNzxflRXIEzA2NCUirDHO63 XU3eOCis8hXZvwfuC DWwOAm tGVpxhZVN2KnfzSvaBAVYMh lGsxdEJjjdNhzSu3uRVmSizltPyAbz5tEG4Gzbae SJY Fs8Tdmn zRPE5nYQ OtwRGWXzwXOeWtkhafNE3iQlu6jxbST6fCVn2bxw tq bB dEFUMxreYjAO8 Tu86R9ypa3atuzrXULixglLnBcnoSvOU co5HA6JuRohc5v 86ZPk1l09V4xvApY 30 2mF9skJPsOVOLItYWtrylg9Puw17TES6 KOEAOWU6FWA dTpGJRguh71FVm1012187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxdlnT X11U2YgwwwHOgzJHBOPIfPhE9wJTedmldhW268kPFonclUY3dZTq0tiOLwtDfsyx ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa rMkjtr 1lpS 8Tz GZ4PimFJMObgcMsZq6DkOS5MmMLSRCIlL9A3C1LPSHJc fp HAVU0OOPIPLIY8YYPvcV9h 0Io zDb7MPjIT5gYPku86f7 INIimnVj2RO0a0iPYlbKX7ggZEfWDPw END RSA PRIVATE KEY end inline inline certificate default end inline E BEGIN CERTIFICATE MIICUzCCAbygAwIBAgIEFjnHtzANBgkqhkiG9wOBAQOFADBuMOswCOYDVOOGDAJB VTETMBEGAlUECAwKU29tZS1TdGFOZTEfMBOGAIUECgwWOmx1ZSBDb2FOIFNHMjAw IFNlemllczETMBEGAlIUECwwKMjEwNzA2MzIIODEUMBIGA1UEAwwLMTAuOS41084x NTwwHhcNMDcxMDIIMTkxNzEx2. X11U2YgwwwHOgzJHBOPIfPhE9wJTedmldhW268kPFonclUY3dZTq0tiOLwtDfsyx ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa rMkjtr 1lpS 8Tz GZ4PimFJMObgcMsZq6DkOs5SMmLSRCI1gd3c1PSHjcfpt tH4Vu00PIPL9I8YYPvcV9h 0Io z Db7MPjIT5gYPku86f7 INIimnVj2R0a0iPYlbKX7ggZEfWDPw END RSA PRIVATE KEY 7 Ifacertificate is associated with a keyring enter the following command sgos config ssl view certificate keyring name For example sgos config ssl view certificate configuration passwords key S BEGIN CERTIFICATE MIICUzCCAbygAwIBAgIEFm6QWzANBgkqhkiG9w0BAQUFADBuMOswCOYDVOQGDAIg IDETMBEGA1UECAWKU2 9tZS1TdGFOZTEF IFNlemllczETMBEGAlUECwwKNDYwNTA2 MTAwHhcNMDcxMjA0Mj AxMTA3WhcNMDkx IDETMBEGA1UECAwKU29tZSl1TdGFOZTI E IFNlecmllczETMBEGAl1UECwwKNDYwNTA2 MTAwgZ8wDOYJKoZIhvcNAQEBBOADgYOAI BOGA1UECqwWQmx1ZSBDb2FO0IFNHMjAw DAwMTEUMBIGA1UEAwwLMTAuOS41084y jAzMjAxMTA3WjBuMQswCQYDVQQGDAIg BOGA1U DAwMTEUMBIGA1UEAwwLMTAuOS410S4y IGJAOGBAJ F Sn3CzYvbFPWDD03g9Y ECgwWOmx1ZSBDb2FOIFNHMjAw O3jwCrcXLU8cki6SZUVl9blgZBTgBY3KyDl2baqZNl2QGwkspEtDI45G3 K2GRIF REs3mKGxY7fbwgRpoL nRT8w9qWHO393pGrlJKFldXbYOzn3p31EXUuGRfXkIqeA 919uvOD5gOXOBEzrvDRnAgMBAAEwDQYJKoZIhvcNAQEFBOADgYEASgIR9r2MuRBC 121 Volume I Getting Started Section D Planning for Archive Creation and Rest
3. esses enne nnne nennen nensis nennen 58 About Interception CPUS see ee 59 Abour kink Seti sc eM ee een 60 About Virtual LAN Configursli nse ae cite danicete nec oncaeid Pd eR EE eig 61 About VLAN Deploy Ments nn een nee 61 The Blue Coat Solution cuesseesssesssesensensnsnnensnnnnssnnnnenennnnnnnennnsnnnnsnnnnennnnnenennenensennssenennnnn 63 Changing the Default Adapter and Interface Settings icr rrr ttes 65 Viewing Interface STARS T X XX 71 Detecting Network Adapter Paul nennen 73 Chapter 6 Software and Hardware Bridges About Bid Eine ee een een TE 75 About Traffic ELind Wig see RR ADM cert eres any Sines oa s un PN OR Hum E cba EIN 76 About Bridging Melhods sonen tmp tp ATRE EEEE EE n Hip P ct app Ei 77 Abput tbe Pass Thraush Adapter nun teris tenti quls en 77 Reflecting bor dizi quo Ms iin 77 Co tigurine a Software Bridg ae ipit RM ten Ott me een 78 Configuring Programmable Pass Through NIC Adapters sese 80 Customizing the Interface Se EIS neun 83 Setting Bandwidth Management for Bridging uode iet itae belio cete rb edere air Uic ipud 83 Contiguring Fallover M an 84 Setting Up Failover anne een 84 Bridging Loop D tection sn ae aan 85 Adding Static Forwarding Table Eis see 87 Bypass List behavior nee aes E UR E Quin ERR 89 Chapter 7 Distributing Traffic Through Gateways About Gateway f E EET 91 lg Ec
4. 6 For signed archives ensure that a keyring has been selected in the Sign archive with keyring option 7 In the Remote Upload section configure the upload settings a From the Protocol drop down list select an upload protocol Note For maximum security Blue Coat recommends using HTTPS b Optional Add filename prefixes to identify the archive The prefixes add unique time based variables to the filename For example HSA In the preceding example the 2H a prefix adds the hour in 24 hour format and the full weekday name Various combinations can be used See Adding Identifier Information to Archive Filenames on page 130 for a list of allowed substitution values c Optional for HTTPS Select an SSL device profile to use for the SSL connection See Selecting an Upload Transport Method on page 124 for more information about device profiles d Enter the remote server host name or IP address and port number e Enter the remote server upload path not required for TFTP f Enter the user name associated with the remote host not required for TFTP g Optional Change the HTTP HTTPS or FTP password 129 Volume I Getting Started Section E Creating Configuration Archives 8 Click Upload Adding Identifier Information to Archive Filenames Use the following prefix substitutions to add unique ID information to archive filenames Specify these prefixes when using the Remote Upload option
5. CA Certificate List CCL A CCL contains a subset of the CA Certificates available on the ProxySG and allows the administrator to control the set of CA certificates trusted for a particular set of SSL connections A CCL is required to validate signed archives 111 Volume I Getting Started Section A Archiving Tasks Quick Reference You must ensure that the CCL used to verify the authenticity of signed archives includes the CA that signed the signing certificate or includes the signing certificate itself if the certificate is self signed 112 Chapter 9 Backing Up the Configuration Section B Overview of the Archiving and Restoration Process Section B Overview of the Archiving and Restoration Process Unless you restore the SSL con iguration passwords key keyring from the source device archives can only be restored onto the same device that was the source of the archive This is because the encrypted passwords in the configuration login enable FTP etc cannot be decrypted by a device other than that on which it was encrypted For more information see Saving Encrypted Passwords on page 118 The following procedure describes the high level steps required to create and restore a configuration archive 1 Record the con iguration passwords key data on the source ProxySG as described in Option 1 Recording SSL Keyring and Key Pair Information on page 118 If you need to restore the archive onto a different appliance
6. o o lt 2 Figure 5 6 ProxySG deployed between two switches The ProxySG strips outgoing native VLAN tags Any packets not matching the native VLAN are dropped unless trunking is enabled on the ProxySG interfaces Interface 0 0 Interface 0 1 Trunking enabled Trunking enabled Figure 5 7 Trunking enabled on two ProxySG physical interfaces Based on this deployment o The ProxySG accepts all packets regardless of their VLAN tag and if configuration and policy allows passes them from one interface to the other with the original VLAN tag preserved Chapter 5 Configuring Adapters and Virtual LANs o Ifa packet arrives on one interface tagged for VLAN 2 it remains on VLAN 2 when it is forwarded out another interface If a packet arrives untagged and the destination interface has a different native VLAN configured the ProxySG adds a tag to ensure the VLAN ID is preserved Similarly if a tagged packet arrives and the VLAN ID matches the native VLAN of the destination interface the ProxySG removes the tag before transmitting the packet Changing the Default Adapter and Interface Settings The following procedure describes how to change the default adapter and interface settings because of site specific network requirements These include inbound connection restrictions link settings browser PAC file settings and VLAN settings Repeat the process if the system has additional adapters By default a The ProxySG allows t
7. 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERW
8. 7 Interface gt 4b Enable Spanning Tree Static Forwarding table MAC Address VLAN ID he A 4 Configure the bridge interface options a From the Interface drop down menu select an interface Optional To enable bridging loop avoidance select Enable Spanning Tree See Bridging Loop Detection on page 85 for more information about the Spanning Tree Protocol c Ifyouare using firewall configurations that require the use of static forwarding table entries add a static forwarding table entry that defines the next hop gateway that is on the correct side of the bridge For more information on static forwarding table entries see Adding Static Forwarding Table Entries on page 87 d Click OK e RepeatStep 4 for each interface you want to attach to the bridge 5 Click OK to close the Create Bridge Interface and Create Bridge dialogs 6 Click Apply Related CLI Syntax to Configure a Software Bridge SGOS config bridge SGOS config bridge edit bridge name Configuring Programmable Pass Through NIC Adapters Some ProxySGs ship with a network adapter card that can be used as a pass through adapter or as a Network Interface Card NIC depending on the configured mode If the network adapter mode is set to disabled the adapter interfaces can be used as NICs or as part of a software bridge 80 Chapter 6 Software and Hardware Bridges If your appliance includes a programmable adap
9. Table 9 4 Filename Specifiers Specifier Description 5 Percent sign a Abbreviated weekday name SA Full weekday name b Abbreviated month name B Full month name SC The ProxySG name sd Day of month as decimal number 01 31 H Hour in 24 hour format 00 23 si First IP address of the ProxySG displayed in x_x_x_x format with leading zeros removed SI Hour in 12 hour format 01 12 j Day of year as decimal number 001 366 1 The fourth part of the ProxySG IP address using three digits 001 002 003 004 m Month as decimal number 01 12 M Minute as decimal number 00 59 Sp Current locale s A M P M indicator for 12 hour clock SS Second as decimal number 00 59 SU Week of year as decimal number with Sunday as first day of week 00 53 Sw Weekday as decimal number 0 6 Sunday is 0 SW Week of year as decimal number with Monday as first day of week 00 53 sy Year without century as decimal number 00 99 SY Year with century as decimal number Sz Z Time zone name or abbreviation no characters if time zone is unknown 130 Chapter 9 Backing Up the Configuration Section F Restoring a Configuration Archive Section F Restoring a Configuration Archive To restore a configuration archive you must n Perform pre restoration tasks for example restoring the SSL configuration n
10. Volume I Getting Started xvi Table 1 1 Release Derived From Year Owner GPL compatible 1 2 0 1 2 0 1 6 1 2001 PSF yes 2 1 1 2 1 2 0 1 2001 PSF yes 22 24 1 2001 PSF yes 2 1 2 211 2002 PSF yes 2 1 3 212 2002 PSF yes 221 22 2002 PSF yes 2 2 2 2 2 1 2002 PSF yes 223 222 2003 PSF yes 23 222 2002 2003 PSF yes 234 23 2002 2003 PSF yes 2 3 2 231 2002 2003 PSF yes 2 3 3 2 3 2 2002 2003 PSF yes 2 3 4 23 3 2004 PSF yes 235 2 3 4 2005 PSF yes 2 4 23 2004 PSF yes 241 24 2005 PSF yes 242 2 4 1 2005 PSF yes 2 4 3 2 4 2 2006 PSF yes 2 5 24 2006 PSF yes Footnotes 1 GPL compatible doesn t mean that we re distributing Python under the GPL All Python licenses unlike the GPL let you distributea modified version without making your changes open source The GPL compatible licenses make it possible to combine Python with other software that is released under the GPL the others don t 2 According to Richard Stallman 1 6 1 is not GPL compatible because its license has a choice of law clause According to CNRI however Stallman s lawyer has told CNRI s lawyer that 1 6 1 is not incompatible with the GPL Thanks to the many outside volunteers who have worked under Guido s direction to make these releases possible B TERMS AND CONDITIONS FOR ACCESSING OR OTHERWISE USING PYTHON 1 This LICENSE AGREEMENT is between the Python Software Foundation PSF and the Individual or Organization Licensee accessing and otherwise using this softwa
11. Hardware serial number License creation date Concurrent users with ADN enabled unlimited Concurrent users without ADN enabled unlimited Trial Components are enabled C Disable Each licensable component is listed along with its validity and its expiration date To view the most current information click Refresh Data e Highlight a license component and click View Details A dialog displays with more detailed information about that component 37 Volume 1 Getting Started e Ifthe trial period is enabled and you click Maintenance gt Licensing gt View the Management Console displays a check box to disable the trial components If the trial period is disabled the Management Console displays a check box to enable the trial components Retrieving the License If the ProxySG is a new system and the hardware has been registered you can retrieve the associated license by completing the following steps To retrieve the software license 1 Navigate to Maintenance gt Licensing gt Install 2 Click Retrieve The Request License Key dialog displays a Enter your WebPower account login information b Click Send Request The Confirm License Install dialog displays c Click OK to close the dialog Click OK when the License Install Succeeded message displays 4 Click Close to close the Request License Key dialog Manual License Installation Perform manual license installation if a The ProxySG serial numb
12. Output Errors Bytes Sent Bytes Received Input Errors Output Errors 4 9 MB 12 963 MB 46B OB 7 421 KB OB 2 From the Duration drop down list select a time frame 3 Select a data type Data Type Description Bytes Sent The number of outgoing bytes sent from this interface or VLAN Bytes The number of inbound bytes received on this interface or VLAN Received Packets The number of outgoing packets sent from this interface or VLAN Sent Packets The number of inbound packets received on this interface or VLAN Received Input The number of input and output errors that occurred on the interface Errors not applicable on VLANs This information provides details that Blue Coat Technical Support uses to troubleshoot issues Output Errors 4 Select an interface to view If an interface has attached VLANS the tree expands to display the VLAN s which are also selectable In the graph area roll your mouse over data lines to view exact metrics See Also Health Monitoring Volume 9 Chapter 2 72 Chapter 5 Configuring Adapters and Virtual LANs Detecting Network Adapter Faults The ProxySG can detect whether the network adapters in an appliance are functioning properly If the appliance detects a faulty adapter it stops using it When the fault is remedied the ProxySG detects the functioning adapter and uses it normally To determine whether an adapter is functioning properl
13. OR ANY DERIVATIVE THEREOF EVEN IF ADVISED OF THE POSSIBILITY THEREOF 6 This License Agreement will automatically terminate upon a material breach of its terms and conditions 7 Nothing in this License Agreement shall be deemed to create any relationship of agency partnership or joint venture between PSF and Licensee This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee or any third party 8 By copying installing or otherwise using Python Licensee agrees to be bound by the terms and conditions of this License Agreement BEOPEN COM LICENSE AGREEMENT FOR PYTHON 2 0 BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1 1 This LICENSE AGREEMENT is between BeOpen com BeOpen having an office at 160 Saratoga Avenue Santa Clara CA 95051 and the Individual or Organization Licensee accessing and otherwise using this software in source or binary form and its associated documentation the Software 2 Subject to the terms and conditions of this BeOpen Python License Agreement BeOpen hereby grants Licensee a non exclusive royalty free world wide license to reproduce analyze test perform and or display publicly prepare derivative works distribute and otherwise use the Software alone or in any derivative version provided however that the BeOpen Python License is retained in the Software alone or in any derivative vers
14. d Click OK to close the dialog 4 Repeat steps 2 to 4 until IP addresses groups and weights have been defined for all of your gateways 5 Click Apply Related CLI Syntax to Configure Multiple Gateway Load Balancing SGOS config ip default gateway ip address preference group weight By default routing occurs transparently if the ProxySG can verify trust the destination IP addresses provided by the client If the destination IP addresses cannot be trusted the ProxySG uses static routes Note If your environment uses explicit proxy or Layer 4 redirection or if the destination IP addresses cannot be verified by the ProxySG static routes must be configured Hardware or software bridges can be transparently routed if the destination IP address hostname can be verified If the client provided destination IP address is not in the list of resolved IP addresses for the particular host then the ProxySG uses static routes instead For hostname less protocols such as CIFS and FTP the IP address can always be trusted For other protocols such as HTTP RTSP and MMS which have a hostname that must be resolved verification can be an issue URL rewrites that modify the hostname also can cause verification to fail 93 Volume I Getting Started 94 Transparent ADN connections that are handed off to an application proxy HTTP or MAPI for example can utilize L2 L3 transparency Also transparent ADN connections that are
15. is discussed in this volume The statistics chapter discusses viewing various kinds of statistics including system usage efficiency resources and logs of all kinds Volume 10 Content Policy Language Guide Volume 10 discusses configuring policy without VPM by using Content Policy Language CPL 29 Volume I Getting Started 30 Chapter 2 Licensing This chapter describes the ProxySG licensing behavior Topics in this Chapter This chapter includes information about the following topics About Licensing on page 31 Licensable Components on page 31 About the Trial Period on page 33 a 0 u g Disabling the Components Running in Trial Period on page 34 About License Expiration on page 35 About the System Serial Number on page 35 Obtaining a WebPower Account on page 35 Registering and Licensing Blue Coat Hardware and Software on page 36 a O O 0 QO Retrieving the License on page 38 4 Manual License Installation on page 38 a Manually Updating a License on page 40 a Automatically Updating a License on page 41 About Licensing SGOS 5 3 features a global licensing system for the SGOS software License key files are issued on a per appliance basis One license key file includes all of the component licenses for whichever SGOS features you have elected to use Note When your ProxySG order was completed you received an e mail that contained serial numbers for
16. pngbar jpg 88x31 and pngnow png 98x31 Libpng is OSI Certified Open Source Software OSI Certified Open Source is a certification mark of the Open Source Initiative Glenn Randers Pehrson glennrp at users sourceforge net February 18 2008 Mach Star vi mach star is licensed under Creative Commons Attribution License 2 0 Read the license for details but the gist is you can use mach star however you d like so long as you give me credit That mostly means putting Portions Copyright c 2003 2005 Jonathan Wolfi Rentzsch In your About Box Keychain framework Created by Wade Tregaskis on Fri Jan 24 2003 Copyright c 2008 Wade Tregaskis All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution Neither the name of Wade Tregaskis nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING
17. the DNS server resolves the name to an IP address If the host name cannot be resolved Blue Coat adds the first entry in the name inputing list to the end of the host name and resubmits it to the DNS server native FTP Native FTP involves the client connecting either explicitly or transparently using the FTP protocol the ProxySG then connects upstream through FTP if necessary NCSA common log format Blue Coat products are compatible with this log type which contains only basic HTTP access information network address translation NAT The process of translating private network such as intranet IP addresses to Internet IP addresses and vice versa This methodology makes it possible to match private IP addresses to Internet IP addresses even when the number of private addresses outnumbers the pool of available Internet addresses non cacheable objects A number of objects are not cached by the ProxySG because they are considered non cacheable You can add or delete the kinds of objects that the appliance considers non cacheable Some of the non cacheable request types are e Pragma no cache requests that specify non cached objects such as when you click refresh in the Web browser e Password provided requests that include a client password e Data in request that include additional client data Nota GET request nsc file Created from the multicast station definition and saved through the browser as a text file encod
18. 12 seconds j Close Console If you do not click Keep Working or the X in the upper right hand corner within the thirty second period you are logged out You must log back on to access the Management Console To log back on click the hyperlink Note If you are on the Management Console home page when the session times out you are logged out without seeing the logout warning dialog You might not be aware that you are logged out until you try to access a Management Console page You must enter the logon information again Accessing the CLI If you use the CLI you can use SSHv2 to access the ProxySG but you cannot use SSHv1 or Telnet without additional configuration Note Enabling the Telnet Console introduces a security risk so it is not recommended To use SSHv1 you must first create an SSHv1 host key For more information on creating SSH host keys refer to Volume 2 Proxies and Proxy Services 47 Volume I Getting Started To log on to the CLI you must have a the account name that has been established on the ProxySG o the IP address of the ProxySG 7 the port number 22 is the default port number You must log on from your SSH client Changing the Logon Parameters 48 You can change the console username and password the console realm name which displays when you log on to the ProxySG and the auto logout timeout in seconds the default is 900 seconds The Management Console requ
19. Cancel 7 If applicable bind multiple IP addresses to an interface a Select the Physical Interface b Click Edit The Configure Interface IPs dialog displays c Click Add IP The Add list item dialog displays d Specify the IP address and subnet mask click OK to close the dialog e Click OK f Click Apply 68 Chapter 5 Configuring Adapters and Virtual LANs VLANs gt Native VLAN For interface 0 1 1 VLAN ID IP Address Prefix Length Subnet Mask Physical Interface New VLAN as 8 If applicable configure Virtual LAN VLAN options see About Link Settings on page 60 a By default the native VLAN ID for any ProxySG interface is 1 as most switches by default are configured to have their native VLAN IDs as 1 Only change this value if the native VLAN ID of the switch or router connected to this interface is a value other than 1 match that value here To add VLANs other than the native VLAN to the interface click New VLAN The Configure Interface IPs dialog displays 69 Volume I Getting Started 70 Configure Interface IPs IP Addresses Add list item YLAN ID Add IP Address IP Address IP Address 192 168 10 10 Prefix Length or Subnet Mask 24 lt When receiving packets on this VLAN Use physical interface setting Allow transparent interception Bypass transparent interception Firewall incoming traffi
20. HTTP transactions You can also configure the maximum time that the HTTP proxy waits before reusing a client side or server side persistent connection You must use the CLI to configure these settings To configure the HTTP receive timeout setting At the config command prompt enter the following command SGOS config http receive timeout client refresh server seconds where client seconds Sets the receive timeout for client to _ seconds The default is 120 seconds refresh seconds Sets receive timeout for refresh to seconds The default is 90 seconds server seconds Sets receive timeout for server to _ seconds The default is 180 seconds To configure the HTTP persistent timeout setting At the config command prompt enter the following command SGOSf config http persistent timeout client server seconds where client seconds The maximum amount of time the HTTP proxy waits before closing the persistent client connection if another request is not made The default is 360 seconds server seconds The maximum amount of time the HTTP proxy waits before closing the persistent server connection if that connection is not re used for any subsequent request from the proxy The default is 900 seconds 55 Volume I Getting Started 56 Chapter 5 Configuring Adapters and Virtual LANs This chapter describes ProxySG network adapters the adapter interfaces a
21. Internet information populate the Alternate group The following rules apply to DNS server groups a You can add servers to the Primary and Alternate groups but you cannot change the domain or add additional domains these groups are defined at initial configuration n The Primary and Alternate DNS groups cannot be deleted a A custom DNS group must have at least one server in order to add domains About DNS Health Checks Each time you add a DNS server to a group the ProxySG automatically creates a DNS health check for that server IP address and uses a default configuration for the health check For example if you add a DNS server to a primary or alternate DNS group the created health check has a default hostname of bluecoat com If you add a DNS server to a custom group the longest domain name is used as the default hostname for the health check After you add DNS servers to a group we recommend that you check the DNS server health check configurations and edit them as required For complete details about configuring DNS server health checks see Volume 5 Advanced Networking Chapter 14 Section E DNS Server Health Checks 99 Volume I Getting Started Adding DNS Servers to the Primary Group When you installed the ProxySG you configured a Primary DNS server You can add DNS servers to the Primary server group or delete DNS servers from the Primary group but you cannot delete the group To add DNS servers to the
22. Local Disk on page 126 Upload an archive to a remote server Creating and Uploading an Archive to a Remote Server on page 127 Understand file name identifiers Adding Identifier Information to Archive Filenames on page 130 Restore an archive Restoring an Archive on page 131 Share Configurations Sharing Configurations on page 137 Troubleshoot archive configuration Troubleshooting on page 139 Terminology Familiarize yourself with the following terms 110 Source Device The ProxySG used to generate the configuration archive Target Device The ProxySG you are installing the configuration archive onto Chapter 9 Backing Up the Configuration Section A Archiving Tasks Quick Reference Signed Archive A configuration backup that is cryptographically signed with a key known only to the signing entity the digital signature guarantees the integrity of the content and the identity of the originating device You can then use a trusted CA Certificate List CCL to verify the authenticity of the archive Unsigned Archive A configuration backup that is created without a digital signature There is no way to programmatically verify the integrity of an unsigned archive configuration passwords key An SSL keyring that contains a keypair but not a certificate This keyring is used to encrypt passwords in the show configuration command You must record the configuration passwo
23. Microsoft Windows Media Streaming Copyright c 2003 Microsoft Corporation All rights reserved Novell Novell and eDirectory are either registered trademarks or trademarks of Novell Inc in the United States and other countries LDAPSDK DLL Copyright c 2006 Novell Inc All rights reserved LDAPSSL DLL Copyright c 2006 Novell Inc All rights reserved LDAPX DLL Copyright c 2006 Novell Inc All rights reserved The following are copyrights and licenses included as part of Novell s LDAP Libraries for C HSpencer Copyright 1992 1993 1994 Henry Spencer All rights reserved This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California Permission is granted to anyone to use this software for any purpose on any computer system and to alter it and redistribute it subject to the following restrictions 1 The author is not responsible for the consequences of use of this software no matter how awful even if they arise from flaws in it 2 The origin of this software must not be misrepresented either by explicit claim or by omission Since few users ever read sources credits must appear in the documentation 3 Altered versions must be plainly marked as such and must not be misrepresented as being the original software Since few users ever read sources credits must appear in the documentation 4 This notice may not be removed or altered Copyright c 1
24. NO EVENT SHALL THE OPEN LDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S OF THE SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT Volume I Getting Started INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale use or other dealing in this Software without specific written prior permission Title to copyright in this Software shall at all times remain with copyright holders OpenLDAP is a registered trademark of the OpenLDAP Foundation Copyright 1999 2003 The OpenLDAP Foundation Redwood City California USA All Rights Reserved Permission to copy and distribute verbatim copies of this document is granted OpenSSH Copyright c 1995 Tatu Ylonen lt ylo cs hut fi gt Espoo Finland All rights reserved This file is part of the OpenSSH software The licences which components of this software fall under are as follows First we will summarize and say that all components are under a BSD licence or a licence more free than that OpenSSH contains no GPL co
25. ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE COPYRIGHTS 1 Berkeley 3 16 94 OpenLDAP vii Volume I Getting Started viii Copyright 1998 1999 The OpenLDAP Foundation Redwood City California USA All rights reserved Redistribution and use in source and binary forms are permitted only as authorized by the OpenLDAP Public License A copy of this license is available at http www OpenLDAPorg license html or in file LICENSE in the top level directory of the distribution Individual files and or contributed packages may be copyright by other parties and use subject to additional restrictions This work is derived from the University of Michigan LDAP v3 3 distribution Information concerning is available at http www umich edu dirsvcs ldap ldap html This work also contains materials derived from public sources Additional Information about OpenLDAP can be obtained at http www openldap org or by sending e mail to info OpenLDAP org Portions Copyright c 1992 1996 Regents of the University of Michigan All rights reserved Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor The name of the University may not be used to endorse o
26. Paul Schmidt Tim Wegner The PNG Reference Library is supplied AS IS The Contributing Authorsand Group 42 Inc disclaim all warranties expressed or implied including without limitation the warranties of merchantability and offitness for any purpose The Contributing Authors and Group 42 Inc assume no liability for direct indirect incidental special exemplary or consequential damages which may result from the use of the PNG Reference Library even if advised of the possibility of such damage Permission is hereby granted to use copy modify and distribute this source code or portions hereof for any purpose without fee subject to the following restrictions 1 The origin of this source code must not be misrepresented 2 Altered versions must be plainly marked as such and must not be misrepresented as being the original source 3 This Copyright notice may not be removed or altered from any source or altered source distribution The Contributing Authors and Group 42 Inc specifically permit without fee and encourage the use of this source code as a component to supporting the PNG file format in commercial products If you use this source code in a product acknowledgment is not required but would be appreciated A png get copyright function is available for convenient use in about boxes and the like printf s png_get_copyright NULL Also the PNG logo in PNG format of course is supplied in the files pngbar png and
27. Primary group 1 Select Configuration gt Network gt DNS gt Groups Groups Imputing DNS Groups Group Name Servers Domains primary 12 2 pr alternate 21 w DNS Engineering 10 3 3 210 engineering com code com cplus Enable DNS Recursion 2 Click Edit The Edit DNS Forwarding Group dialog displays Edit DNS Forwarding Group DNS Forwarding Group Settings Group Name primary Servers Domains 3 Enter the IP address of each additional Primary DNS server and click OK 4 Click Apply 100 Chapter 8 Configuring DNS Related CLI Syntax to Add a Primary DNS Server To add a primary DNS server SGOS config dns forwarding config dns forwarding edit primary config dns forwarding primary add server server ip See Also n About DNS a Adding DNS Servers to the Alternate Group a Creating a Custom DNS Group o About Configuring DNS Server Groups a Promoting DNS Servers in a List Adding DNS Servers to the Alternate Group To add DNS servers to the Alternate group 1 Select Configuration gt Network gt DNS gt Groups The list of DNS groups displays 2 Select the Alternate group and click Edit The Edit DNS Forwarding Group dialog displays 3 Enter the IP address of each additional Alternate DNS server and click OK Note You can add IP addresses to the Alternate DNS group but you cannot change the domain or add additional d
28. ProxySG appliances router hops The number of jumps a packet takes when traversing the Internet RTS See Return to Sender secure shell SSH Also known as Secure Socket Shell SSH is an interface and protocol that provides strong authentication and enables you to securely access a remote computer Three utilities login ssh and scp comprise SSH Security via SSH is accomplished using a digital certificate and password encryption Remember that the Blue Coat ProxySG requires SSH1 A ProxySG supports a combined maximum of 16 Telnet and SSH sessions serial console A third party device that can be connected to one or more Blue Coat appliances Once connected you can access and configure the appliance through the serial console even when you cannot access the appliance directly server certificate categories The hostname in a server certificate can be categorized by BCWF or another content filtering vendor to fit into categories such as banking finance sports server portals Doorways that provide controlled access to a Web server or a collection of Web servers You can configure Blue Coat appliances to be server portals by mapping a set of external URLs onto a set of internal URLs server side transparency The ability for the server to see client IP addresses which enables accurate client access records to be kept When server side transparency is enabled the appliance retains client IP addresses for all port 80 traffic
29. THE FREETYPE PROJECT 2 Redistribution This license grants a worldwide royalty free perpetual and irrevocable right and license to use execute perform compile display copy create derivative works of distribute and sublicense the FreeType Project in both source and object code forms and derivative works thereof for any purpose and to authorize others to exercise some or all of the rights granted herein subject to the following conditions o Redistribution of source code must retain this license file FTL TXT unaltered any additions deletions or changes to the original files must be clearly indicated in accompanying documentation The copyright notices of the unaltered original files must be preserved in all copies of source files o Redistribution in binary form must provide a disclaimer that states that the software is based in part of the work of the FreeType Team in the distribution documentation We also encourage you to put an URL to the FreeType web page in your documentation though this isn t mandatory These conditions apply to any software derived from or based on the FreeType Project not just the unmodified files If you use our work you must acknowledge us However no fee need be paid to us 3 Advertising Neither the FreeType authors and contributors nor you shall use the name of the other for commercial advertising or promotional purposes without specific prior written permission We suggest but do not re
30. added to the list of Contributing Authors Simon Pierre Cadieux Eric S Raymond Gilles Vollant and with the following additions to the disclaimer There is no warranty against interference with your enjoyment of the library or against infringement There is no warranty that our efforts or the library will fulfill any of your particular purposes or needs This library is provided with all faults and the entire risk of satisfactory quality performance accuracy and effort is with the user libpng versions 0 97 January 1998 through 1 0 6 March 20 2000 areCopyright c 1998 1999 Glenn Randers Pehrson and aredistributed according to the same disclaimer and license as libpng 0 96 with the following individuals added to the list of Contributing Authors Tom Lane Glenn Randers Pehrson Willem van Schaik libpng versions 0 89 June 1996 through 0 96 May 1997 are Copyright c 1996 1997 Andreas Dilger Distributed according to the same disclaimer and license as libpng 0 88 with the following individuals added to the list of Contributing Authors John Bowler Kevin Bracey Volume I Getting Started Sam Bushell Magnus Holmgren Greg Roelofs Tom Tanner libpng versions 0 5 May 1995 through 0 88 January 1996 areCopyright c 1995 1996 Guy Eric Schalnat Group 42 Inc For the purposes of this copyright and license Contributing Authors is defined as the following set of individuals Andreas Dilger Dave Martindale Guy Eric Schalnat
31. and serial Hardware and software bridges allow different failover modes a Software bridges allow serial or parallel failover However note that if the ProxySG fails serial failover also fails a Hardware bridges allow serial failover only Parallel Failover In parallel failover mode two systems are deployed side by side on redundant paths In parallel failover the slave does not actively bridge any packets unless the master fails If the master fails the slave takes over the master IP address and begins bridging A parallel failover configuration is shown in the following figure Because of the redundant paths you must enable Spanning Tree to avoid bridge loops See Bridging Loop Detection on page 85 for more information about STP Serial Failover In serial failover mode the slave is inline and continuously bridges packets but does not perform any other operations to the bridged traffic unless the master fails If the master fails the slave takes over the master IP address and applies policy etc A serial configuration is shown in the following figure Master Slave Setting Up Failover Failover is accomplished by doing the following a Creating virtual IP addresses on each proxy 84 Chapter 6 Software and Hardware Bridges n Creating a failover group n Attaching the bridge configuration n Selecting a failover mode parallel or serial Both proxies can have the same priority for example the d
32. any purpose including commercial applications and to alter it and redistribute it freely subject to the following restrictions 1 The origin of this software must not be misrepresented you must not claim that you wrote the original software If you use this software in a product an acknowledgment in the product documentation would be appreciated but is not required 2 Altered source versions must be plainly marked as such and must not be misrepresented as being the original software 3 This notice may not be removed or altered from any source distribution Jean loup Gailly Mark Adler jloup gzip org madler alumni caltech edu The data format used by the zlib library is described by RFCs Request for Comments 1950 to 1952 in the files http www ietf org rfc rfc1950 txt zlib format rfc1951 txt deflate format and rfc1952 txt gzip format BSD Tar All of the C source code and documentation in this package is subject to the following Copyright c 2003 2006 Tim Kientzle All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer in this position and unchanged 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the do
33. archive of the system configuration but it contains system specific settings that might not be appropriate if pushed to a new system It also does not include SSL private key data If you are trying to create the most comprehensive archive Blue Coat recommends that you use the configuration expanded archive Chapter 9 Backing Up the Configuration Section D Planning for Archive Creation and Restoration Using Signed and Unsigned Archives The ProxySG provides two methods for creating archives signed and unsigned A signed archive is one that is cryptographically signed with a key known only to the signing entity the digital signature guarantees the integrity of the content and the identity of the originating device You can then use a trusted CA Certificate List CCL to verify the authenticity of the archive Use signed archives only when security is high priority Otherwise use unsigned archives Note Refer to the CCL information in Volume 4 Securing the Blue Coat ProxySG Appliance for more information about CCLs and SSL Identifying Signed Archives A signed archive is a tar file that contains the following files O show configuration output a pxcs 7 detached signature Signed archives can be identified by the bcsc extension Signing guarantees that the archive has not been modified If you modify a signed archive you must subsequently restore it as an unsigned archive Note If you created a signed archive
34. atn viU 117 Identiying Signed Archve na 117 Saving Encrypted Pass Words iseinean er E E E EA 118 Option 1 Recording SSL Keyring and Key Pair Information sss 118 Option 2 Changing Encrypted Passwords to Clear Text sess 124 Selecting an Upload Transport Method an 124 Section E Creating Configuration Archives Creating and Saving an Unsigned Configuration Archive esses 125 Creating and Saving a Signed Configuration Archive to Local Disk 126 Creating and Uploading an Archive to a Remote Server sss eee 127 Adding Identifier Information to Archive Filenames sss 130 Section F Restoring a Configuration Archive Restar ng an Archye ae ee rnc Dep cip pup Din DH EEN EEEE m Ed 131 Using the CLI to Archive and Restore a System Configuration sss 133 Importing an Existing Key Pair and Certificate 134 Section G Sharing Configurations Configuration Sharing Reguiremeig ann tto tli EI DOR tQ UM RR M MA rU RI ED 137 Section H Troubleshooting Glossary xxiii Volume I Getting Started Index xxiv Chapter 1 Introduction Volume 1 Getting Started describes how to access the ProxySG using the CLI or Management Console and provides basic configuration information that is required in every environment About This Book This book includes the following topics a Chapter 2 Licen
35. config dns forwarding group promote server ip This promotes the specified server IP address in the DNS server list the number of places indicated You must use a positive number If the number is greater than the number of servers in the list the server is promoted to the first entry in the list See Also o Adding DNS Servers to the Primary Group n Adding DNS Servers to the Alternate Group a Creating a Custom DNS Group n Deleting DNS Groups and Servers Chapter 8 Configuring DNS Resolving Hostnames Using Name Imputing Suffixes The ProxySG queries the original hostname before checking imputing suffixes unless there is no period in the hostname If there is no period in the hostname imputing is applied first The ProxySG uses name imputing to resolve hostnames based on a partial name specification DNS name imputing suffix When the ProxySG submits a hostname to the DNS server the DNS server resolves the hostname to an IP address The ProxySG then tries each entry in the name imputing suffixes list until the name is resolved or it reaches the end of the list If by the end of the list the name is not resolved the ProxySG returns a DNS failure For example if the name imputing list contains the entries example com and con and a user submits the URL http www eedept the ProxySG resolves the host names in the following order www eedept www eedept example com www eedept com Adding and Editing DNS Name Imput
36. different classes You create a hierarchy by creating at least one parent class and assigning other classes as its children bandwidth gain Bandwidth gain is a calculation of the savings that occur when bandwidth is not consumed as a result of some form of optimization For example bandwidth gain for active sessions is calculated by subtracting the number of client bytes from the number of server bytes and dividing the result by the number of server bytes Client Bytes Server Bytes Server Bytes bandwidth management Classify control and if needed limit the amount of bandwidth used by network traffic flowing in or out of a ProxySG basic authentication The standard authentication for communicating with the target as identified in the URL BCAAA Blue Coat Authentication and Authorization Agent Allows SGOS 5 x to manage authentication and authorization for IWA CA eTrust SiteMinder realms Oracle COREid Novell and Windows realms The agent is installed and configured separately from SGOS 5 x and is available from the Blue Coat Web site BCLP Blue Coat Licensing Portal byte range support The ability of the ProxySG to respond to byte range requests requests with a Range HTTP header cache An object store either hardware or software that stores information objects for later retrieval The first time the object is requested it is stored making subsequent requests for the same information much faster A cac
37. edition you chose are active and available to use When a license or demo license is installed during the trial period components previously available in the trial period but not part of that license remain available and active for the remainder of the trial period However if the license edition is different than the trial edition you selected only functionality available in the edition specified in the license remains available for trial If you require more time to explore the SGOS features a demo license is available refer to your reseller or contact Blue Coat Sales Viewing License Status There are two methods to access the license status page 33 Volume 1 Getting Started a Each time you navigate to the Management Console Statistics Configuration Maintenance pages the license status displays as a link in the upper right hand corner Hovering over the license link displays information such as the expiration date of the trial period Click the link to switch to the View license tab or a Select Maintenance gt Licensing gt View displays the license components with expiration dates View Install Licensed Components Component Expiration Date 56055 2008 07 28 windows Media Streaming 2008 07 28 Real Media Streaming 2008 07 28 JR uickTime Streaming 2008 07 28 components 2008 07 28 For More gt View Details Refresh Data details select a component and click Hardware serial numb
38. freetype org All rights reserved Legal Terms 0 Definitions Throughout this license the terms package FreeType Project and FreeType archive refer to the set of files originally distributed by the authors David Turner Robert Wilhelm and Werner Lemberg as the FreeType Project be they named as alpha beta or final release You refers to the licensee or person using the project where using is a generic term including compiling the project s source code as well as linking it to form a program or executable This program is referred to as a program using the FreeType engine This license applies to all files distributed in the original FreeType Project including all source code binaries and documentation unless otherwise stated in the file in its original unmodified form as distributed in the original archive If you are unsure whether or not a particular file is covered by this license you must contact us to verify this The FreeType Project is copyright C 1996 2000 by David Turner Robert Wilhelm and Werner Lemberg All rights reserved except as specified below 1 No Warranty THE FREETYPE PROJECT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO USE OF
39. in the list If a response is received from one of the servers in the Primary group no attempts are made to contact any other Primary DNS servers a Ifnone of the servers in the Primary group resolve the host name the ProxySG sends requests to the servers in the Alternate DNS server group If no Alternate servers have been defined an error is returned to the client e Ifa response is received from a server in the Alternate group list there are no further queries to the Alternate group e Ifa server in the Alternate DNS server group is unable to resolve the host name an error is returned to the client and no attempt is made to contact any other DNS servers Note The Alternate DNS server is not used as a failover DNS server It is only used when DNS resolution of the Primary DNS server returns a name error If the query to each server in the Primary list times out no alternate DNS server is contacted e If the ProxySG receives a referral authoritative server information DNS recursion takes over if it is enabled See the next section ProxySG Using Recursive DNS and Enabling Recursive DNS on page 99 Note If the ProxySG receives a negative DNS response a response with an error code set to name error it caches that negative response See Caching Negative Responses on page 106 ProxySG Using Recursive DNS If you have enabled recursive DNS the ProxySG uses the following logic to determine how to resolve a DNS hos
40. interface 0 0 Link State Up Speed 100 Mbps Duplex Full Bridge Group passthru 0 Interface Settings 2 Select the adapter and interface to configure a In the Adapter Interface area select an adapter from the Adapter drop down menu b If you have a multiple interface adapter select an interface from the drop down list Note If this ProxySG supports it the interfaces are labeled for WAN and LAN connections which correspond to the interface labels on the ProxySG backplate c Notice that for each interface selected status information displays The current link status is displayed on the right hand side of the pane Status Interface status Up or Down Note When the link status of an interface changes a message is added to the event log e Duplex Speed The maximum transfer speed available through the interface depending on the type of Ethernet technology The values are 10 100 and 1000 Mbps Note An N A status might indicate a network connectivity issue Full The interface can simultaneously send and receive at the defined maximum speed previous bullet For example a 100 Mbps full duplex link can send up to 100 Megabits per second Mbps of data and simultaneously receive up to 100 Mbps of data 66 Chapter 5 Configuring Adapters and Virtual LANs Half The interface can only send data in one direction at a time For example a 100 Mbps half duplex link can only se
41. key file load balancing A way to share traffic requests among multiple upstream systems or multiple IP addresses on a single host local bypass list A list you create and maintain on your network You can use a local bypass list alone or in conjunction with a central bypass list local policy file Written by enterprises as opposed to the central policy file written by Blue Coat used to create company and department specific advanced policies written in the Blue Coat Policy Language CPL 147 Volume I Getting Started 148 log facility A separate log that contains a single logical file and supports a single log format It also contains the file s configuration and upload schedule information as well as other configurable information such as how often to rotate switch to a new log the logs at the destination any passwords needed and the point at which the facility can be uploaded log format The type of log that is used NCSA Common SQUID ELFF SurfControl or Websense The proprietary log types each have a corresponding pre defined log format that has been set up to produce exactly that type of log these logs cannot be edited In addition a number of other ELFF type log formats are also pre defined im main p2p ssl streaming These can be edited but they start out with a useful set of log fields for logging particular protocols understood by the ProxySG It is also possible to create new log formats of typ
42. licensable components Those numbers are required for the procedures in this chapter Licensable Components There are three types of licensable components n Required The SGOS 5 these features are required on the ProxySG Included Additional SGOS 5 x features which are provided by Blue Coat and that are included in the SGOS 5 base license a Optional Any additional purchased features When the license key file is created it contains components of all three types The following table lists the ProxySG licensable components categorized by type 31 Volume 1 Getting Started 32 Table 2 1 Licensable Components Type Component Description Required SGOS Base The ProxySG operating system plus base features HTTP FTP TCP Tunnel SOCKS and DNS proxy Included 8rd Party Onbox Allows use with third party vendor databases Intersafe Content Filtering Optenet Proventia SmartFilter SurfControl Websense and Webwasher Included ProxyClient Enables you to support acceleration with ProxyClients in Acceleration your enterprise Included ProxyClient Web Enables you to support content filtering with Filtering ProxyClients in your enterprise The Web filtering license requires BCWF license and a fresh not older than 60 days BCWF database to be present on the Client Manager Included Websense Offbox For Websense off box support only Content Filtering Included ICAP Ser
43. log 45 Volume I Getting Started 46 Blue amp Coat HOME SUPPORT DOCUMENTATION LOG OUT ETT CUGA EG 10 9 59 243 Blue Coat SG200 Series Statistics Configuration Maintenance i i Health gt Traffic Mix a Traffic Mix Traffic History ADN History P Duration Last How Include bypassed bytes Bandwidth Mgmt ProxyClient History CIFS 0 Network nja Protocol details BEES Citrix ICA 0 ee ee ES Default 0 10 20am 10 35am 10 50am 11 05aml 1 20am Endpoint Mapper 0 BW Usage BW Gain Client Bytes Server Bytes Health Monitoring Dbytes Total Server Bytes 0 bytes Total Bypassed Bytes 0 bytes Total Gi Health Checks Access Logging Authentication 3 The Blue Coat Management Console Statistics gt Traffic Mix page displays in the browser Note You can change the username and password for the console See Changing the Logon Parameters on page 48 The Statistics screen provides a visual representation of the overall traffic and health of the ProxySG The health states are based on the health monitoring metrics which are described in the Monitoring chapter of Volume 9 Managing the Blue Coat ProxySG Appliance The health icon is located in the upper right corner of the Management Console Statistics Configuration i i Health Warning The following health states are possible a Ok Green a Warning Yellow a Critical Red These states a
44. on it or firewall it drop all traffic not related to established proxy connections About Link Settings By default the ProxySG auto negotiates the interface speed and duplex settings with the switch or router to which it is connected a The ProxySG supports multiple Ethernet modes The speed setting is the maximum transfer speed in Megabits or Gigabits per second Mbps Gbps the interface supports a The duplex setting designates two way traffic capabilities In Full duplex mode both devices may transmit to and from each other simultaneously allowing each direction to use the maximum transfer speed without affecting the other direction In Half duplex mode only one device may transmit at any one time effectively sharing the maximum transfer speed of the interface The ProxySG appliance s health monitoring capability provides alerts if interface use reaches warning and critical capacity levels In Full duplex mode the ProxySG reports the larger percentage value of the sending and receiving values For example if the ProxySG is receiving 20 Mbps and sending 40 Mbps on a 100 Mbps capable interface the reported value is 40 If the same interface was set to half duplex the reported value is 60 or the aggregated values Blue Coat strongly recommends using the default auto negotiation feature The key issue is the ProxySG settings must match the settings on the switch therefore if you manually change the settings on the ProxyS
45. selecting 116 signed archives about 117 identifying 117 requirements 117 troubleshooting 139 types brief 116 expanded 116 post setup 116 upload transports 124 what is not archived 115 B backing up see archives bridging about 75 bandwidth management 83 configuring failover 84 software bridge 78 loop detection 85 pass through card 77 prerequisites 80 programmable adapters 80 static forwarding table 87 C certificates importing 136 importing existing 134 CLI accessing 47 configuration sharing between systems 137 configuration mode understanding 43 console account tab in Management Console 48 console password see password D DNS about 97 alternate group adding servers 101 configuring server groups 99 custom group creating 102 domains deleting 103 groups deleting 103 health checks about 99 name imputing suffixes adding 105 editing 105 negative caching 106 disabling 107 enabling 107 non recursive 97 primary group adding servers 100 recursive 98 servers addresses specifying 97 changing name imputing order 106 deleting 103 promoting in a list 104 document conventions 25 157 Volume 1 Getting Started E enable mode understanding 43 G gateways load balancing 92 93 switching to secondary 92 understanding 91 using multiple default IP gateways 91 global configurations 51 H hostnames resolving 105 HTTP persistent timeout setting 55 receive timeout setting 55 timeout configu
46. the Archiving and Restoration Process Record the SSL key data Signed Archive Does the appliance have an appliance certificate Obtain an appliance certificate Do you have a verifcation CCL Specify or create a CCL Create the archive Figure 9 1 Flow Chart of Archive Creation Process See Also a Archiving Tasks Quick Reference on page 110 a Planning for Archive Creation and Restoration on page 116 a Troubleshooting on page 139 114 Chapter 9 Backing Up the Configuration Section C About What is Not Archived Section C About What is Not Archived Archiving saves the ProxySG appliance configuration only Archives do not save the following n Cache objects D Access logs a Event logs ao License data you might need to reapply the licenses n Software image versions n SSL key data See Saving Encrypted Passwords on page 118 for more information Content filtering databases 115 Volume I Getting Started Section D Planning for Archive Creation and Restoration Section D Planning for Archive Creation and Restoration The following table lists planning tasks to consider before creating a configuration archive and it describes where to find more information Table 9 2 Configuration Archive Planning Considerations Task Go to 1 Select the appropriate archive type Selecting a Configuration Archive Type on page 116 2 Choose to use a signed or unsigned archiv
47. the Primary or Alternate DNS group you can only delete a custom DNS group a You cannot delete the last server in any DNS group while there are still domains that reference that group doing so returns an error message To delete a DNS server 1 Select Configuration Network DNS Groups 2 Select the DNS group from which to delete a server and click Edit The Edit DNS Forwarding Group dialog displays 3 Delete the server then click OK 4 Click Apply 103 Volume I Getting Started To delete a custom DNS group 1 Select Configuration gt Network gt DNS gt Groups 2 Select the custom DNS group to delete and click Delete A dialog box displays asking you to confirm your choice 3 Click OK to delete the group Related CLI Syntax to Delete a DNS Server To delete a DNS server SGOS config dns forwarding config dns forwarding edit group alias config dns forwarding group alias remove server server ip Related CLI Syntax to Delete A Custom DNS Group To delete a custom DNS group SGOS config dns forwarding config dns forwarding delete group alias See Also n Deleting Domains a Promoting DNS Servers in a List Promoting DNS Servers in a List 104 Using the CLI you can promote DNS servers in the list for any DNS forwarding group To promote DNS servers in a list config dns forwarding edit group alias This changes the prompt to f config dns forwarding group
48. the license key you must have a Blue Coat WebPower user account If you do not have a WebPower account or have forgotten your account information perform the following procedure 35 Volume 1 Getting Started To obtain a WebPower account 1 2 Select Maintenance gt Licensing gt Install In the License Administration field click Register Manage The License Configuration and Management Web page appears ignore the dialog at this time Perform one of the following To obtain a new account click the link for Need a WebPower User ID Enter the information as prompted To obtain your current information for an existing account click the Forgot your password link Registering and Licensing Blue Coat Hardware and Software This section describes how to automatically register the hardware and software with Blue Coat 36 a If you have not manually registered the hardware you can automatically register the hardware and install the software license in one step Continue with the procedure in this section If you have new hardware SG210 SG510 SG810 SG 8100 that previously has been registered the license is already associated with the hardware Navigate to Maintenance gt Licensing gt Install and click Retrieve to obtain the license For more information see To retrieve the software license on page 38 If you have older hardware that previously has been registered or if the ProxySG does not have Inter
49. they are using Notifications do occur for the following n HTTP Web browsers An HTML page is displayed stating the license has expired a SSL An exception page appears when an HTTPS connection is attempted o Instant Messaging clients Users do not receive a message that the license has expired Any IM activity is denied and to the user it appears that the logon connection has failed n FTP clients If the FTP client supports it a message is displayed stating the license has expired a Streaming media clients If the Windows Media Player RealPlayer or QuickTime player version supports it a message is displayed stating the license has expired o ProxyClient After the trial license has expired clients cannot connect to the ADN network You can still perform SGOS configuration tasks through the CLI SSH console serial console or Telnet connection Although the component is disabled feature configurations are not altered Also policy restrictions remain independent of component availability About the System Serial Number Each ProxySG serial number is the appliance identifier used to assign a license key file The ProxySG contains an EEPROM with the serial number encoded The appliance recognizes the serial number upon system boot up The serial number is visible by navigating to Configuration gt General gt Identification Obtaining a WebPower Account Before you can register your ProxySG and retrieve
50. thus reducing frame collisions Unlike a hub a bridge uses a frame s destination MAC address to make delivery decisions Because these decisions are based on MAC addressing bridges are known as Layer 2 devices To make efficient delivery decisions the bridge must discover the identity of systems on each collision domain and then store this information in its bridging table After learning the identity of the systems on each collision domain the bridge uses the source MAC address of frames to determine from which interface a given system can be reached A branch office that would take advantage of a bridging configuration is likely to be small for example it might have only one router and one firewall in the network as shown below 75 Volume I Getting Started Figure 6 1 A Bridged Configuration To ensure redundancy the ProxySG supports both serial and parallel failover modes See Configuring Failover on page 84 for more information about serial and parallel failover configurations About Traffic Handling Because the bridge intercepts all traffic you can take advantage of the powerful proxy services and policies built into the ProxySG to control how that traffic is handled If the ProxySG recognizes the intercepted traffic you can apply policy to it Unrecognized traffic is forwarded out The following diagram illustrates this traffic handling flow Traffic Port Matches intercepted Service Apply Policy Figur
51. to and from the ProxySG In this scheme the client IP address is always revealed to the server service attributes Define the parameters such as explicit or transparent cipher suite and certificate verification that the ProxySG uses for a particular service sibling class bandwidth gain A bandwidth class with the same parent class as another class signed system image Cryptographically signed with a key known only to Blue Coat and the signature is verified when the image is downloaded to the system simple network management protocol SNMP The standard operations and maintenance protocol for the Internet It consists of a set of standards for network management including an application layer protocol a database schema and a set of data objects In SNMP the available information is defined by management information bases MIBs which describe the structure of the management data simulated live Used in streaming Defines playback of one or more video on demand files as a scheduled live event which begins at a specified time The content can be looped multiple times or scheduled to start at multiple start times throughout the day SmartReporter log type A proprietary ELFF log type that is compatible with the SmartFilter SmartReporter tool SOCKS A proxy protocol for TCP IP based networking applications that allows users transparent access across the firewall If you are using a SOCKS server for the primary or
52. to derivative works based on Python 1 6 1 that incorporate non separable material that was previously distributed under the GNU General Public License GPL the law of the Commonwealth of Virginia shall govern this License Agreement only as to issues arising under or with respect to Paragraphs 4 5 and 7 of this License Agreement Nothing in this License Agreement shall be deemed to create any relationship of agency partnership or joint venture between CNRI and Licensee This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee or any third party 8 By clicking on the ACCEPT button where indicated or by copying installing or otherwise using Python 1 6 1 Licensee agrees to be bound by the terms and conditions of this License Agreement ACCEPT CWI LICENSE AGREEMENT FOR PYTHON 0 9 0 THROUGH 1 2 Copyright c 1991 1995 Stichting Mathematisch Centrum Amsterdam The Netherlands All rights reserved Permission to use copy modify and distribute this software and its documentation for any purpose and without fee is hereby granted provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation and that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without specif
53. will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE 2 Regular expression support is provided by the PCRE library package which is open source software written by Philip Hazel and copyright by the University of Cambridge England ftp ftp csx cam ac uk pub software programming pcre PHAOS SSLava and SSLavaThin Copyright c 1996 2003 Phaos Technology Corporation All Rights Reserved The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos the design and development of which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time The software and any portions or copies thereof shall at all times remain the property of Phaos PHAOS MAKES NO WARRANTIES EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE REGARDING THE SOFTWARE OR ITS USE AND OPERATION ALONE OR IN COMBINATION WITH ANY OTHER SOFTWARE PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR SOFTWARE FOR ANY DAMAGES WHATSOEVER IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES EVEN IF ADVISED OF THE POSSIBLITY OF SUCH DAMAGES Python 2 5 license This is the official license for the Python 2 5 releas
54. you must have this data Do not lose the password used to encrypt the private key If you do you will not be able to recover your private keys 2 Record any other SSL keyring data you want to save If you are creating an unsigned archive go to Step 5 Otherwise go to Step 4 Verify that the source ProxySG has an appliance certificate as described in Determining if the ProxySG Has an Appliance Certificate on page 117 If it does not have an appliance certificate a Create a keyring on the appliance A keyring contains a public private key pair It can also contain a certificate signing request or a signed certificate b Create a Certificate Signing Requests CSR and send it to a Certificate Signing Authority CA c Have the CA sign the CSR To get more information about appliance certificates refer to the X 509 certificate information in Volume 4 Securing the Blue Coat ProxySG Appliance 5 Archive the configuration as described in Creating Configuration Archives on page 125 Store the archive in a secure location 7 When you are ready to restore the archive import the configuration passwords key onto the target device as described in Importing an Existing Key Pair and Certificate on page 134 8 Restore the archive as described in Restoring a Configuration Archive on page 131 Figure 9 1 on page 114 describes the archive creation process 113 Volume I Getting Started Section B Overview of
55. 994 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by the University of California Berkeley and its contributors 4 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND
56. BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Method Swizzle Copyright c 2006 Tildesoft All rights reserved Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL TH
57. Blue Coat Systems ProxySG Appliance Volume 1 Getting Started SGOS Version 5 3 Blue amp Coat Volume I Getting Started Contact Information Blue Coat Systems Inc 420 North Mary Ave Sunnyvale CA 94085 4121 http www bluecoat com support contactsupport http www bluecoat com For concerns or feedback about the documentation documentation bluecoat com Copyright 1999 2008 Blue Coat Systems Inc All rights reserved worldwide No part of this document may be reproduced by any means nor modified decompiled disassembled published or distributed in whole or in part or translated to any electronic medium or other means without the written consent of Blue Coat Systems Inc All right title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems Inc and its licensors Proxy AV CacheOS SGOS SG Spyware Interceptor Scope ProxyRA Connector ProxyRA Manager Remote Access and MACH5 are trademarks of Blue Coat Systems Inc and CacheFlow Blue Coat Accelerating The Internet ProxySG WinProxyG AccessNow Ositis Powering Internet Management The Ultimate Internet Sharing Solution Cerberian Permeo Permeo Technologies Inc and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems Inc All other trademarks contained in this document and in the Software are the property of their respect
58. D TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 4 Sun Microsystems Inc copyright notice BSD Copyright O 2003 Sun Microsystems Inc 4150 Network Circle Santa Clara California 95054 U S A All rights reserved Use is subject to license terms below This distribution may include materials developed by third parties Sun Sun Microsystems the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems Inc in the U S and other countries Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution Neither the name of the Sun Microsystems Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED B
59. E AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE Implementation of Method Swizzling inspired by http www cocoadev com index pl MethodSwizzling Growl Uses the BSD license http growl info documentation developer bsd license txt Base64 encoding in Cocoa Original code http www dribin org dave blog archives 2006 03 12 base64 cocoa Uses the Create Commons license http creativecommons org licenses by nc nd 3 0 us MD5 RSA Data Security Inc MD5 Message Digest Algorithm Copyright c 1991 2 RSA Data Security Inc Created 1991 All rights reserved License to copy and use this software is granted provided that it is identified as the RSA Data Security Inc MD5 Message Digest Algorithm in all material mentioning or referencing this software or this function License is also granted to make and use derivative works provided that such works are identified as derived from the RSA Data Security Inc MD5 Message Digest Algorithm in all material mentioning or referencing the derived work RSA Data Security Inc makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose It is provided as is without express or implied warranty of any kind
60. ED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Open SSL LICENSE ISSUES The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit See below for the actual license texts Actually both licenses are BSD tyle Open Source licenses In case of any license issues related to OpenSSL please contact openssl core openssl org OpenSSL License Copyright c 1998 2008 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution
61. ER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Part 2 Networks Associates Technology Inc copyright notice BSD Copyright c 2001 2003 Networks Associates Technology Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution Neither the name of the Networks Associates Technology Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFIT
62. For signed archives Select a CCL to use to verify the archive a Restore the archive The following sections describe these tasks Restoring an Archive To install the archived configuration 1 Download a content filter database if you previously had one and it was lost If you restore the archive and it includes content filtering policy the database must exist so that categories referenced within policy can be matched with the currently installed database Connect to the appliance Management Console of the target appliance that is the ProxySG that you are installing the configuration onto https ProxySG_IP 8082 Go to the Management Console Home page and view the Software version information to verify that the appliance is running the same software version that was used to create the archive For example Software version SGOS 5 3 0 2 Proxy Edition You can also verify the version from the appliance CLI SGOS enable SGOS show version Restore the configuration passwords key data and any other SSL key data Import the con iguration passwords key keyring as described in Importing an Existing Key Pair and Certificate on page 134 Select Configuration gt General gt Archive 131 Volume I Getting Started Section F Restoring a Configuration Archive 132 Archive Configuration Archive Storage View Current Configuration View File Configuration post setup Install Configuration Ins
63. FtIvB5h3g KwQusgaLVTiesn9K7BOK4wjXJKlDclIrog ETlfkxtj20A5 7HN10Ar00gBxsZLj OLS5fwVfHNkuyNLUXZSAiLLoIqFIvtRiRfiWe3e eJvazIaErEk40NvIlaaXP1j9p ENzK2dw9WS7xtcU5kAcdoiX1lFONauKDVUk S2FApgjAsYciEJxDUfPLzYVl1vpOpx6DW3t0 Hwhvqz3KnMtlp81fkdUpiD1xaVfMg DOALEKkPVNmd9Rz1nXjk2CPTdPErC pKN EIKs2kqpRE 6hHu37zzN06ipPNu2cCSHI ozc0X4 Sas END RSA PRIVATE KEY 6 Copy the con iguration passwords key and paste it into the template under the inline keyring show configuration passwords key end inline in the template For example inline keyring show configuration passwords key end inline D BEGIN RSA PRIVATE KEY Proc Type 4 ENCRYPTED EK Info DES EDES3 CBC 2F6148C8A9902D7F 11JjGKxpkcWBXj 424FhyOJPKRdgHUIx12C6HKigth6hUgPqsSJj958FbzEx6ntsB 11 jXj34Ni6U94 9ugYG LGOplOJXmrOL5vNj el LSeCOHg 7ASyY EqWLCqed77M1 WA4s6U5TCI9fScVuGaoZOEVhx48113N PaFr9Dk8nRqAnoWMM POEL kvAxuXzE 8hccfZaallH1MiPWfNzxflRXIEzA2NCUirDHO63 XU3eOCis8hXZvwfuC DWwOAm tGVpxhZVN2KnfzSvaBAVYMh 1Gsxd sJY Fs8Tdmn zRP bB dEFUMxreYjAO8 Tu86R9ypa3atuzrXU 86ZPkK1O9V4xvApY 30 2mF9sSkJPsOVO1I dTpGJRguh71FVm1012187NI EJjjdNhzSu3uRVmSizltPyAbz5tEG4Gzbae E5nYO OtwRGWXzwXOeW tkhafNE3iQlu6jxbST6fCVn2bxw tqg LixglLnBenoSvOU co5HA6JuRohc5v cYWtrylg9Puw17TE56 kOEAOwUGFWd EoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxdlnT
64. Full Duplex Half Speed 100 megabit sec v 10 megabit sec MAC address OODOS inyet reine Ms completely configuration For more detailed information see About Interception Options on page 59 Link settings Automatically sense link settings default recommended The ProxySG auto negotiates the link settings for this interface Manually configure link settings Select the options that meet your network requirements This method requires a consistent configuration on the router or switch connected to this ProxySG Click OK to close the dialog Click Apply to save changes to the adapter interface settings Next step e Ifyou need to bind multiple IP addresses to an interface proceed to Step 7 e If you require additional VLAN configuration proceed to Step 8 67 Volume I Getting Started e Otherwise click Apply the adapter configuration is complete Proceed to Viewing Interface Statistics on page 71 for verification VLANs Native VLAN for interface 0 0 4 VLAN ID IP Address Prefix Length Subnet M 7a c Physical Interface i 92022 24 255 255 255 0 6 24 255 255 255 0 EE Configure Interface IPs IP Addresses Physical Interface IP Address Prefix Length Subnet Mask 192 0 2 2 24 255 255 255 0 Add list item Add IP Address IP Address Prefix Length or Subnet Mask OK
65. G you must also match the settings on the router or switch Note When the 100 Mbps Ethernet interfaces on the ProxySG 200 210 400 800 and 8000 models are connected to Gigabit Ethernet capable devices they might incorrectly auto negotiate when fail open pass through is used If both the interfaces on these ProxySG appliances are connected to Gigabit capable switches or hubs Blue Coat recommends that you configure the link settings manually to 100 Mbps To configure the link settings see Step 3 in To configure a network adapter on page 65 Chapter 5 Configuring Adapters and Virtual LANs The following table lists the results of various ProxySG and router link settings for 100 Mbps speeds The values are listed in the format speed duplex Table 5 2 Results for 100 Mbps link speed settings on the ProxySG and the switch Router Switch Router Switch ProxySG ProxySG Auto Auto negotiation Interface Settings Interface Setting negotiation Result speed Result duplex 100 Full Duplex Auto Auto 100 Full Duplex N A 100 Full Duplex Auto 100 Half Duplex N A 100 Full Duplex 100 Full Duplex N A 100 Half Duplex Auto 100 Full Duplex N A The following table lists the results of various ProxySG and router link settings for 1 Gbps speeds The values are listed in the format speed duplex Table 5 3 Results for 1Gbps link speed settings on the ProxySG and switch Router Swi
66. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publically available version or derivative of this code cannot be changed i e this code cannot simply be copied and put under another distribution licence including the GNU Public Licence Netscape NSPR Xii Version MPL 1 1 GPL 2 0 LGPL 2 1 The contents of this file are subject to the Mozilla Public License Version 1 1 the License you may not use this file except in compliance with the License You may obtain a copy of the License at http www mozilla org MPL Software distributed under the License is distributed on an AS IS basis WITHOUT WARRANTY OF ANY KIND either express or implied See the License for the specific language governing rights and limitations under the License The Original Code is the Netscape Portable Runtime NSPR The Initial Developer of the Original Code is Netscape Communications Corporation Portions created by the Initial Developer are Copyright C 1998 2000 t
67. IS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publically available version or derivative of this code cannot be changed i e this code cannot simply be copied and put under another distribution licence including the GNU Public Licence end of copyrights and licenses for Novell s LDAP Libraries for C The OpenLDAP Public License Version 2 8 17 August 2003 Redistribution and use of this software and associated documentation Software with or without modification are permitted provided that the following conditions are met 1 Redistributions in source form must retain copyright statements and notices 2 Redistributions in binary form must reproduce applicable copyright statements and notices this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution and 3 Redistributions must contain a verbatim copy of this document The OpenLDAP Foundation may revise this license from time to time Each revision is distinguished by a version number You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN
68. ISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com Original SSLeay License Copyright C 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are aheared to The following conditions apply to all code found in this distribution be it the RC4 RSA Ihash DES etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the copyr
69. LAIMED IN NO EVENT SHALL THE UNIVERSITY OF CHICAGO OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE II This software includes contributions that are Copyright c 2005 2006 Arizona Board of Regents University of Arizona All Rights Reserved Permission is hereby granted without written agreement and without license or royalty fees to use copy modify and distribute this software and its documentation for any purpose provided that 1 The above copyright notice and the following two paragraphs appear in all copies of the source code and 2 redistributions including binaries reproduces these notices in the supporting documentation Substantial modifications to this software may be copyrighted by their authors and need not follow the licensing terms described here provided that the new terms are clearly indicated in all files where they apply THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY OF ARIZONA AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY A
70. LAN 2 and tags it accordingly when appropriate Conversely it strips the VLAN 2 tag on the response The trunk link carries VLAN 1 the native and 2 traffic to a router that forwards traffic for those VLANs Deployment complications arise when a device other than a router is required between switches Any network device without VLAN tagging support might drop or misinterpret the traffic As a best practice do not deploy a device that is not configured to recognize VLAN tagged traffic in path of a trunk link Note In Blue Coat documentation the convention for VLAN is adapter interface VLAN_ID Example 1 0 10 refers the VLAN ID 10 on adapter 1 interface 0 The Blue Coat Solution The ProxySG supports VLAN tagging therefore a ProxySG can be deployed in path with switches that are exchanging VLAN tagged traffic This allows for uninterrupted VLAN service plus enables benefits gained with the proxy features 63 Volume I Getting Started 64 The Management Console enables you to configure VLAN interfaces the same way you configure physical interfaces After a VLAN is added it appears in the list of network interfaces Settings such as allow intercept and reject inbound are applicable to VLAN interfaces The most common deployment is a ProxySG residing between two switches or a switch and a router in these cases preserving tagged packets is essential to proper network operation 5 o a
71. LAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjhGcryptsoft com Original SSLeay License Copyright C 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are aheared to The following conditions apply to all code found in this distribution be it the RC4 RSA Ihash DES etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package
72. ND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE UNIVERSITY OF ARIZONA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE TCPIP Some of the files in this project were derived from the 4 X BSD Berkeley Software Distribution source Their copyright header follows Copyright c 1982 1986 1988 1990 1993 1994 1995 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by the U
73. OS config ssl inline certificate keyring id eof Paste certificate here eof Chapter 9 Backing Up the Configuration Section G Sharing Configurations Section G Sharing Configurations You can share configurations between two ProxySGs You can take a post setup configuration file one that does not include those configuration elements that are established in the setup console from an already configured ProxySG and push it to a newly manufactured or restored system Note Blue Coat Director allows you to push a configuration from one ProxySG to multiple appliances at the same time For more information on using Director see Volume 9 Managing the Blue Coat ProxySG Appliance and the Blue Coat Director Configuration and Management Guide If you push a configuration archive to an appliance that is already configured the archive is applied to the existing configuration changing any existing values This means for instance that if the new configuration creates a realm called RealmA and the existing configuration has a realm called RealmB the combined configuration includes two realms RealmA and RealmB Configuration Sharing Requirements To share configurations you must download a content filter database if the configuration includes content filtering You can use either the Management Console or the CLI to create a post setup configuration file on one ProxySG and push it to another Note You cannot push configuration
74. S OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 3 Cambridge Broadband Ltd copyright notice BSD Portions of this code are copyright c 2001 2003 Cambridge Broadband Ltd All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution The name of Cambridge Broadband Ltd may not be used to endorse or promote products derived from this software without specific prior written permission xiii Volume I Getting Started xiv THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITE
75. S HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE THE AUTHOR THE UNIVERSITY OF CALIFORNIA AND THE UNIVERSITY OF UTAH SPECIFICALLY DISCLAIM ANY WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE SOFTWARE PROVIDED HEREUNDER IS ON AN AS IS BASIS AND THE AUTHORS AND DISTRIBUTORS HAVE NO OBLIGATION TO PROVIDE MAINTENANCE SUPPORT UPDATES ENHANCEMENTS OR MODIFICATIONS II This software includes contributions that are Copyright c 1998 2005 University of Chicago All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution Neither the name of the University of Chicago nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY OF CHICAGO AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISC
76. S PROVIDED BY THE AUTHOR S AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR S BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Contents Chapter 1 Introduction About This BOOK ette chrome uen bb visere Ate ere ete d sa cries cite rete D irr Ee Pedo 3 25 Document Conventions rte ee ce Pec ee oa eter edet ave e ase ees 25 Dates and Wanna M 26 About Procedures eicere e crine diete dtes em EU AS 26 IlltisttatiOhs ditor eiie tr cgo sete ree pe Fere pU EE ee Sep rg menses tesauesd coseesena espe eve ehe 26 Related Documentation cccccccsccessssssssccessecssscesssccesseeessecessscesssessesessneeesaeessaececseceeaeecsseecseeesseeenas 28 Chapter 2 Licensing A ut Licensing ae 31 Licensable C m ponents sisisi m 31 About the Trial Period cccccccccccssscesssceesceesseeceseecssseccsececsececsaeceaeecessecsssecesaecesueceeasceesecessesense
77. Time zone DO Tine zones Africa America H Antarctica B E W E Ee Fiji Guam Honolulu Hawaii Kwajalein Kwajalein Pago_Pago zma R 3 Select the time zone that represents your local time After you select the local time zone event logs record the local time instead of GMT To add additional time zones to the list update the appliance s time zone database as described in the following procedure 4 Click OK to close the dialog 5 Click Apply To update the database 1 Select Configuration gt General gt Clock gt Clock 2 Enter the URL from which the database will be downloaded or click Set to default 3 Click Install Related CLI Syntax for Adding New Time Zones to the Database SGOS config timezone database path url default SGOS config load timezone database To acquire the UTC 1 Ensure that Enable NTP is selected 2 Click Acquire UTC Time Related CLI Syntax for Acquiring and Setting UTC Time SGOS acquire utc SGOS config clock subcommands 53 Volume I Getting Started Network Time Protocol 54 The Network Time Protocol NTP is used to synchronize the time of a computer client or server to another server or reference time source such as a radio or satellite receiver or modem There are more than 230 primary time servers synchronized by radio satellite and modem The ProxySG ships with a list of NTP servers available on the Internet and attem
78. USE OR INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES 2 The 32 bit CRC compensation attack detector in deattack c was contributed by CORE SDI S A under a BSD style license Cryptographic attack detector for ssh source code Copyright c 1998 CORE SDI S A Buenos Aires Argentina All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that this copyright notice is retained THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED IN NO EVENT SHALL CORE SDI S A BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE Ariel Futoransky lt futo core sdi com gt http www core sdi com 3 ssh keygen was contributed by David Mazieres under a BSD style license Copyright 1995 1996 by David Mazieres lt dm lcs mit edu gt Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact 4 The Rijndael implementation by Vincent Rijmen Antoon Bosselaers and Paulo Barreto is in the public domain a
79. WhcNMTCxMDIIMTkxNzExW jBuMOswCOYDVQOGDAJB VTETMBEGAlUECAwKU29tZS1TdGFOZTEfMBOGAIUECgwWOmx1ZSBDb2FOIFNHMjAw IFNlemllczETMBEGAl1UEdwwKMjEwNzA2MzIIODEUMBIGA1UEAwwLMTAuOS41084x NTEwgZ8wDOYJKoZIhvcNAQEBBOQADgYOAMIGJAOGBANF9BL25FOJuBIFVyvjo3ygu xUMOGMjFl1q2TRrSi55Ftt5d KNbxzhhz3i DLxlwhOIFWsjv9 bKphrY8HOIk9N Q81ru5HlXDvUJ2AW6J82CewtQt I74xHkBvFJa leN3uZt D fiZTXO15m9 4NmZMb ZzzGGbCWJRzuqp9zlDVNbqgMBAAEwDOQYJKOoZIhvcNAQEEBOADgYEAwMUYIal1KFfIO J l1S oZ 9g9IVih AEtk5nVVLoDASXulaYPG5Zxo5ddW6wT5qvny5muPslB7ugYA ti 123 Volume I Getting Started Section D Planning for Archive Creation and Restoration wEP3E1i mwF49LV4NSJFEKBuF7Sg11 R20j 36Yj pdkxu6TPX1BKmnEcpox901Xbp XerHBHpMPwzHdj14ELqSgxFy9aei7y8 END CERTIFICATE end inline repeat this process for each keyring Be sure to import the private key first then the keyrings certificate exit returns to config mode l Option 2 Changing Encrypted Passwords to Clear Text Important Blue Coat strongly recommends recording your SSL keyring and key pair data because changing encrypted passwords to clear text is highly insecure Use the following procedure at your own risk You can edit the configuration to change encrypted passwords to clear text if you choose to keep the existing configuration passwords key keyring int
80. Y THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 5 Sparta Inc copyright notice BSD Copyright c 2003 2006 Sparta Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution Neither the name of Sparta Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior writt
81. accessed what and how authenticate 401 attribute All transparent and explicit requests received on the port always use transparent authentication cookie or IP depending on the configuration This is especially useful to force transparent proxy authentication in some proxy chaining scenarios authenticated content Cached content that requires authentication at the origin content server OCS Supported authentication types for cached data include basic authentication and IWA or NTLM authentication Allows you to verify the identity of a user In its simplest form this is done through usernames and passwords Much more stringent authentication can be employed using digital certificates that have been issued and verified by a Certificate Authority See also basic authentication proxy authentication and SSL authentication authentication realm Authenticates and authorizes users to access SG services using either explicit proxy or transparent proxy mode These realms integrate third party vendors such as LDAP Windows and Novell with the Blue Coat operating system authorization The permissions given to an authenticated user bandwidth The amount of data you can send through a network or modem connection usually measured in bits per second bps bandwidth class A defined unit of bandwidth allocation bandwidth class hierarchy A gouping of bandwidth classes into a tree structure that specifies the relationship among
82. act on the new appliance You do not need to change hashed passwords to clear text when you restore the archive new hashed passwords are automatically generated using the target ProxySG appliance s configuration passwords key keyring Important This procedure is not valid for signed archives Signing guarantees that the archive has not been modified To change encrypted passwords to clear text Manually search for every instance of encrypted password remove the encrypted prefix and change the encrypted password to clear text For example security encrypted password 1SrWzRSBT5c6F RHLPK7uU9LK27d In the previous example if the actual password is bluecoat then you must edit the entry as follows security password bluecoat Selecting an Upload Transport Method 124 Archives can be uploaded using HTTPS HTTP FTP or TFTP If you are concerned about security use HTTPS For example you should use HTTPS if you consider the configuration to be confidential If you use HTTPS you must specify an SSL device profile to use for the SSL connection An SSL device profile which can be edited contains the information required for device authentication including the name of the keyring with the private key and certificate this device uses to authenticate itself The default keyring is appliance key For information on private keys public keys and SSL device profiles refer to Volume 4 Securing the Blue Coat ProxySG Applian
83. al Time UTC which is the international time standard and is based on a 24 hour clock However time stamps can also record in local time To do this local time must also be set based on time zones 51 Volume I Getting Started 52 By default the ProxySG attempts to connect to an NTP server in the order the servers appear in the NTP server list on the NTP tab to acquire the UTC time The appliance ships with a list of NTP servers available on the Internet If the appliance cannot access any of the listed NTP servers you must manually set the UTC time Additionally the ProxySG ships with a limited list of time zones If a particular time zone is missing from the included list the list can be updated at your discretion Also the time zone database might need to be updated if the Daylight Savings rules change in your area The list can be updated by downloading the full time zone database from http download bluecoat com release timezones tar To set local time 1 Select Configuration gt General gt Clock gt Clock Clock Current time UTC Local Timezone Set Time zone Update time zone database Installation URL http Install Set to default Method for acquiring UTC Enable NTP Acquire UTC time Query interval minutes 60 2 Click Set Time zone The Time Zone Selection dialog displays Chapter 4 Configuring Basic Settings Time zone selection Select
84. allows viewing a single chronological event log of all of the devices assigned to the Syslog daemon The Syslog format is Date Time Hostname Event system cache The software cache on the appliance When you clear the cache all objects in the cache are set to expired The objects are not immediately removed from memory or disk but a subsequent request for any object requested is retrieved from the origin content server before it is served TCP window size The number of bytes that can be buffered before the sending host must wait for an acknowledgement from the receiving host time to live TTL value Used in any situation where an expiration time is needed For example you do not want authentication to last beyond the current session and also want a failed command to time out instead of hanging the box forever traffic flow bandwidth gain Also referred to as flow A set of packets belonging to the same TCP UDP connection that terminate at originate at or flow through the ProxySG A single request from a client involves two separate connections One of them is from the client to the ProxySG and the other is from the ProxySG to the OCS Within each of these connections traffic flows in two directions in one direction packets flow out of the ProxySG outbound traffic and in the other direction packets flow into the ProxySG inbound traffic Connections can come from the client or the server Thus traffic can be classified
85. alternate forwarding gateway you must specify the appliance s ID for the identification protocol used by the SOCKS gateway The machine ID should be configured to be the same as the appliance s name SOCKS proxy A generic way to proxy TCP and UDP protocols The ProxySG supports both SOCKSv4 4a and SOCKSv5 however because of increased username and password authentication capabilities and compression support Blue Coat recommends that you use SOCKS v5 splash page The custom message page that displays the first time you start the client browser split proxy Employs co operative processing at the branch and the core to implement functionality that is not possible in a standalone proxy Examples of split proxies include e Mapi Proxy e SSL Proxy SQUID compatible format A log type that was designed for cache statistics and is compatible with Blue Coat products squid native log format The Squid compatible format contains one line for each request SSL authentication Ensures that communication is with trusted sites only Requires a certificate issued by a trusted third party Certificate Authority 153 Volume I Getting Started 154 SSL client See SSL device profile SSL device profile Used to determine various SSL parameters for outgoing HTTPS connections Specifically its role is to e Identify the SSL protocol version that the ProxySG uses in negotiations with origin servers e Identify the cip
86. alue from 1 to 100 The weight value determines how much bandwidth a gateway is given relative to the other gateways in the same group For example in a group with two gateways assigning both gateways the same weight value whether 1 or 100 results in the same traffic distribution pattern Ina group with two gateways assigning one gateway a value of 10 and the other gateway a value of 20 results in the ProxySG sending approximately twice the traffic to the gateway with a weight value of 20 Switching to a Secondary Gateway When a gateway goes down the networking code detects the unreachable gateway in 20 seconds and the switch over takes place immediately if a secondary gateway is configured All configured gateways are affected not just default gateways as was the case in earlier releases To configure multiple gateway load balancing 1 Select Configuration gt Network gt Routing gt Gateways Gateways Routing RIP IP gateways Group Weight Gateway 2 Click New The Add List Item dialog displays Chapter 7 Distributing Traffic Through Gateways Routing Add list item Add IP gateway Gateway 192 168 100 101 Group Weight 1 100 100 3 Configure the gateway options In the Gateway field enter the gateway IP address From the Group drop down list select the preference group for this gateway c Inthe Weight field enter the relative weight within the preference group
87. and want to verify its authenticity before modifying it use OpenSSL or another tool to verify the signature before making modifications The use of Open SSL is beyond the scope of this document Because a signed archive contains the output of the show configuration command you can extract the show configuration command output modify it as required and treat the archive as unsigned thereafter If you have enforced signed archive installation by selecting the Enforce installation of signed archives option non signed archives cannot be uploaded to the ProxySG Determining if the ProxySG Has an Appliance Certificate To create signed archives your appliance must have an SSL certificate guaranteed by a CA If your appliance has a built in appliance certificate you can use it and the corresponding appliance ccl CCL to sign the archive Devices manufactured before July 2006 do not support appliance certificates To determine if your device has an appliance certificate 1 Use an SSH client to establish a CLI session with the ProxySG 2 Enter enable mode SGOS enable 3 Enter the following command SGOS 4 show ssl certificate appliance key 117 Volume I Getting Started Section D Planning for Archive Creation and Restoration The appliance certificate displays if the appliance has one Otherwise the following error is displayed Certificate appliance key not found If your appliance does not have a built in appliance certif
88. anning tree adapter interface enable disable Adding Static Forwarding Table Entries Certain firewall configurations require the use of static forwarding table entries Failover configurations use virtual IP VIP addresses and virtual MAC VMAC addresses When a client sends an ARP request to the firewall VIP the firewall replies with a VMAC which can be an Ethernet multicast address however when the firewall sends a packet it uses a physical MAC address not the VMAC The solution is to create a static forwarding table entry that defines the next hop gateway that is on the correct side of the bridge To create a static forwarding table 1 Select Configuration gt Network gt Adapters gt Bridges 2 Select the bridge to edit and click Edit The Edit Bridge Interface dialog displays 87 Volume I Getting Started Edit Bridge Interface Bridge Name Interface Failover Group C Enable Spanning Tree Bridge Static forwarding table Interfaces MAC Address Interface Add MAC MAC 3 Add the static forwarding table entry a In the Edit Bridge dialog select the interface on which to create the static forwarding table entry b Click Edit c Inthe Edit Bridge Interfaces dialog click Add d In the Add MAC dialog add the MAC address of the next hop gateway and click OK 4 Click OK to close the Edit Bridge Interface and Edit Bridge dialogs Click A
89. anually set the UTC time URL filtering See content filtering URL rewrite rules Rewrite the URLs of client requests to acquire the streaming content using the new URL For example when a client tries to access content on www mycompany com the ProxySG is actually receiving the content from the server on 10 253 123 123 The client is unaware that mycompany com is not serving the content however the ProxySG access logs indicate the actual server that provides the content WCCP Web Cache Communication Protocol Allows you to establish redirection of the traffic that flows through routers 155 Volume I Getting Started 156 Web FTP Web FTP is used when a client connects in explicit mode using HTTP and accesses an ftp URL The ProxySG translates the HTTP request into an FTP request for the OCS if the content is not already cached and then translates the FTP response with the file contents into an HTTP response for the client Websense log type A Blue Coat proprietary log type that is compatible with the Websense reporter tool XML responder HTTP XML service that runs on an external server XML requestor XML realm Index Symbols bcsc extension 117 A administrator read only and read write access 43 archives configuration passwords key 113 118 creating 125 file identifiers for 130 importing SSL data 134 overview 113 planning for 116 recording SSL data 118 restoring 131 saving encrypted passwords 118
90. asample router table 10 25 36 0 255 255 255 0 10 25 36 1 10 25 37 0 255 255 255 0 10 25 37 1 10 25 38 0 255 255 255 0 10 25 38 1 When a routing table is installed all requested URLs are compared to the list and routed based on the best match You can install the routing table several ways o Using the Text Editor which allows you to enter settings or copy and paste the contents of an already created file directly onto the appliance a Creating a local file on your local system the ProxySG can browse to the file and install it Using a remote URL where you place an already created file on an FTP or HTTP server to be downloaded to the ProxySG Chapter 7 Distributing Traffic Through Gateways o Using the CLI inline static route table command which allows you to paste a static route table into the ProxySG o Using the CLI static routes command which requires that you place an already created file on an FTP or HTTP server and enter the URL into the ProxySG Note If you upgrade to SGOS 5 x from SGOS 4 x entries from the central and local bypass lists are converted to static route entries in the static route table The converted static route entries are appended after the existing static route entries Duplicate static route entries are silently ignored All traffic leaving the ProxySG is affected by the static route entries created from the SGOS 4 x bypass lists Installing a Routing Table To install a rout
91. ass must share its bandwidth with its child classes in proportion to the minimum maximum bandwidth values or priority levels passive mode data connections PASV Data connections initiated by an FTP client to an FTP server pipelining See object pipelining policies Groups of rules that let you manage Web access specific to the needs of an enterprise Policies enhance ProxySG feature areas such as authentication and virus scanning and let you control end user Web access in your existing infrastructure policy based bypass list Used in policy Allows a bypass based on the properties of the client unlike static and dynamic bypass lists which allow traffic to bypass the appliance based on destination IP address See also dynamic bypass policy layer A collection of rules created using Blue Coat CPL or with the VPM pragma no cache PNC A metatag in the header of a request that requires the appliance to forward a request to the origin server This allows clients to always obtain a fresh copy proxy Caches content filters traffic monitors Internet and intranet resource usage blocks specific Internet and intranet resources for individuals or groups and enhances the quality of Internet or intranet user experiences A proxy can also serve as an intermediary between a Web client and a Web server and can require authentication to allow identity based policy and logging for the client The rules used to authenticate a cli
92. ave created and configured a bandwidth management class for bridging you can manage the bandwidth used by all bridges Refer to Volume 5 Advanced Networking for more information on bandwidth management To configure bandwidth management for bridging 1 Select Configuration Network Adapters Bridges Adapters Bridges Bridging Bandwidth Class none Bridges Bridge Name 2 In the Bridging Bandwidth Class drop down menu select a bandwidth management class to manage the bandwidth for bridging or select none to disable bandwidth management for bridging Note This setting only controls the bandwidth class used by bypassed traffic on this bridge To manage intercepted traffic you must define a Manage Bandwidth policy using VPM or CPL 3 Click Apply Related CLI Syntax to Set a Bridging Bandwidth Class SGOS config bridge bandwidth class bridge name SGOS config bandwidth management 83 Volume I Getting Started SGOS config bandwidth management subcommands Configuring Failover In failover mode two appliances are deployed a master and a slave The master sends keepalive messages advertisements to the slaves If the slaves do not receive advertisements at the specified interval the slave takes over for the master When the master comes back online the master takes over from the slave again The SGOS bridging feature allows two different types of failover modes parallel
93. bridge name failover mode serial SGOS_B config bridge bridge name failover mode serial Bridging Loop Detection Bridging now supports the Spanning Tree Protocol STP STP is a link management protocol that prevents bridge loops in a network that has redundant paths that can cause packets to be bridged infinitely without ever being removed from the network 85 Volume I Getting Started 86 STP ensures that a bridge when faced with multiple paths uses a path that is loop free If that path fails the algorithm recalculates the network and finds another loop free path The administrator can enable or disable spanning tree participation for the interface Enable spanning tree participation 1 Select Configuration gt Network gt Adapters gt Bridges 2 Select the desired bridge 3 Click Edit Edit Bridge Bridge Name Failover Group IERE v Bridge Statistics Interfaces Interface 4 Inthe Edit Bridge window highlight the interface to configure and click Edit The Edit Bridge Interface dialog displays Chapter 6 Software and Hardware Bridges Edit Bridge Interface Interface Static forwarding table MAC Address Edit Delete Cancel 5 Click Enable Spanning Tree 6 Click OK to close the Edit Bridge Interface and Edit Bridge dialogs 7 Click Apply Related CLI Syntax to Enable Spanning Tree Participation SGOS config bridge bridge name sp
94. c Browse configuration Provide instructions For using a proxy using the proxy s default PAC file using the proxy s accelerated PAC file using the PAC file at this URL 9 Configure the VLAN options a Specify the VLAN ID VID number of the VLAN accepted on this interface b Click Add IP to display the Add List Item dialog c Specify the VLAN IP address and subnet mask click OK to close the dialog d The receiving packet and browser behavior is the same as for physical interfaces see Table 5 1 How each interception option affects connections on page 59 with the exception of Use physical interface setting which applies the same configuration to the VLAN as was set on the physical interface e Click OK in both dialogs 10 Click Apply Chapter 5 Configuring Adapters and Virtual LANs Related CLI Syntax to Configure an Adapter Native VLAN a To enter configuration mode SGOS config interface fast ethernet adapter interface SGOS config interface adapter interface a The following VLAN subcommands are available SGOS config interface adapter interface native vlan SGOS config interface adapter interface vlan_id vlan trunk enable disable Related CLI Syntax to Enable Disable Transparent Interception a For standard interfaces SGOS config interface adapter interface allow intercept enable disable a For VLAN interfaces SGOS config interface adapt
95. cation are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer xi Volume I Getting Started 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission For written permission please contact openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE MPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICU
96. ce Chapter 9 Backing Up the Configuration Section E Creating Configuration Archives Section E Creating Configuration Archives Archive configuration requires you to complete pre configuration planning tasks The following table provides a high level description of the tasks required to create and restore a configuration archive Review this table then read the referenced sections for detailed information about each task Table 9 3 Archive Creation and Restoration Tasks Task Go to 1 Select the archive type Selecting a Configuration Archive Type on page 116 unsigned archives concern 2 Determine whether to use signed or Use signed archives if security is a Using Signed and Unsigned Archives on page 117 e gt encrypted passwords data for later restoration Select a method for dealing with The recommended method is to record the SSL keyring and key pair Saving Encrypted Passwords on page 118 4 Create and save the archive Creating and Saving an Unsigned Configuration Archive on page 125 or Creating and Saving a Signed Configuration Archive to Local Disk on page 126 or Creating and Uploading an Archive to a Remote Server on page 127 5 Restore the archive Restoring an Archive on page 131 Creating and Saving an Unsigned Configuration Archive This section describes how to use the Management Console to create an unsigned archi
97. console account username can be changed to anything that is not null and contains no more than 64 characters 3 Click Apply After clicking Apply an Unable to Update configuration error is displayed The username change was successfully applied but the configuration could not be fetched from the ProxySG as the username offered in the fetch request is still the old username 4 Refresh the screen You are then challenged for the new username To change the password The console password and privileged mode password were defined during initial configuration of the system The console password can be changed at any time The privileged mode or enabled mode password can only be changed through the CLI or the serial console 1 Select Configuration gt Authentication gt Console Access gt Console Account 2 Click Change Password 3 Enter and re enter the console password that is used to view and edit configuration information The password must be from 1 to 64 characters long As you enter the new password it is obscured with asterisks Click OK Note This does not change the enabled mode password You can only change the enabled mode password through the CLI 4 Refresh the screen which forces the SGOS software to re evaluate current settings When challenged enter the new password 5 Optional Restrict access by creating an access control list or by creating a policy file containing lt Admin gt layer rules For m
98. cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore scientific library and patent office worldwide More information can be found e g at http www cs hut fi crypto The legal status of this program is some combination of all these permissions and restrictions Use only at your own responsibility You will be responsible for any legal consequences yourself I am not making any claims whether possessing or using this is legal or not in your country and Iam not taking any responsibility on your behalf NO WARRANTY BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE PROGRAM TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
99. cumentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED BY THE AUTHOR S AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR S BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE libarchive 2 3 1 XX All of the C source code and documentation in this package is subject to the following Copyright c 2003 2006 Tim Kientzle All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer in this position and unchanged 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution THIS SOFTWARE I
100. de 1 As far as Tam concerned the code I have written for this software can be used freely for any purpose Any derived versions of this software must be clearly marked as such and if the derived work is incompatible with the protocol description in the RFC file it must be called by a name other than ssh or Secure Shell Tatu continues However I am not implying to give any licenses to any patents or copyrights held by third parties and the software includes parts that are not under my direct control As far as I know all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose the GNU license being the most restrictive see below for details However none of that term is relevant at this point in time All of these restrictively licenced software components which he talks about have been removed from OpenSSH i e RSA is no longer included found in the OpenSSL library IDEA is no longer included its use is deprecated DES is now external in the OpenSSL library GMP is no longer used and instead we call BN code from OpenSSL Zlib is now external in a library The make ssh known hosts script is no longer included TSS has been removed MD5 is now external in the OpenSSL library RC4 support has been replaced with ARC4 support from OpenSSL Blowfish is now external in the OpenSSL library The licence continues Note that any information and
101. described in Option 1 Recording SSL Keyring and Key Pair Information on page 118 onto the system you are restoring the archive to Note You can also import a certificate chain containing multiple certificates Use the inline certificate command to import multiple certificates through the CLI If you are importing a keyring and one or more certificates onto a ProxySG first import the keyring followed by its related certificate The certificate contains the public key from the keyring and the keyring and certificate are related To Import a keyring 1 Copy the already created keypair onto the clipboard 2 Select Configuration gt SSL gt Keyrings gt SSL Keyrings 3 Ifthe keyring already exists select the keyring and click Delete and Apply 4 Click Create The Create Keyring dialog displays Chapter 9 Backing Up the Configuration Section F Restoring a Configuration Archive Create Keyring Keyring Settings gt Keyring Name KeyringTest Show key pair Gb it Show key pair to director Create a new 1024 bit keyring Import keyring sokokokojooke 5 Configure the keyring options a In the Keyring Name field enter a meaningful name for the keyring b Selecta show option Show keypair allows the keys to be exported Do not show keypair prevents the keypair from being exported Show keypair to director is a keyring viewable only if Director is issuing the command using a SSH RSA connect
102. ding SSL Keyring and Key Pair Information For security reasons Blue Coat recommends that you do not change encrypted passwords to clear text Instead preserve the con iguration passwords key keyring on the source device the appliance that you created the archive from and import that keyring to the target device before you restore the archive You can also use the following procedure to save any other keyrings required to reload SSL related configuration that references those keyrings To record the configuration passwords key keyring on the source ProxySG 1 Copy the following template to a text file and use it to record the certificate information so that you can import and restore it later Note The following example is shown in smaller text to preserve the structure of the commands Chapter 9 Backing Up the Configuration Section D Planning for Archive Creation and Restoration I ssl switches from config mode to config ssl inline keyring show configuration passwords key end inline end inline inline keyring show default end inline end inline inline certificate default end inline end inline repeat this process for each keyring Be sure to import the private key first then the keyrings certificate exit returns to config mode Do not specify your passwords the system will prompt you for them when you restore the keys SGOS 5 3 and later You can modify the template to incl
103. e Using Signed and Unsigned Archives on page 117 3 Determine how to treat encrypted passwords Saving Encrypted Passwords on page 118 4 Select an upload transport Selecting an Upload Transport Method on page 124 Selecting a Configuration Archive Type Three different archive types are available Each archive type contains a different 116 set of configuration data o Configuration post setup This archive contains the configuration on the current system minus any configurations created through the setup console such as the IP address It also includes the installable lists but does not include SSL private key Use this archive type to share an appliance s configuration with another See Sharing Configurations on page 137 for more information o Configuration brief This archive contains the configuration on the current system and includes the setup console configuration data but does not include the installable lists or SSL private key and static route information Note An installable list is a list of configuration parameters that can be created through a text editor or through the CLI inline commands and downloaded to the ProxySG from an HTTP server or locally from your PC Configurations that can created and installed this way include the SG Client archiving forwarding hosts SOCKS gateways ICD policy files and exceptions o Configuration expanded This is the most complete
104. e A HISTORY OF THE SOFTWARE Python was created in the early 1990s by Guido van Rossum at Stichting Mathematisch Centrum CWI see http www cwi nl in the Netherlands as a successor of a language called ABC Guido remains Python s principal author although it includes many contributions from others In 1995 Guido continued his work on Python at the Corporation for National Research Initiatives CNRI see http www cnri reston va us in Reston Virginia where he released several versions of the software In May 2000 Guido and the Python core development team moved to BeOpen com to form the BeOpen PythonLabs team In October of the same year the PythonLabs team moved to Digital Creations now Zope Corporation see http www zope com In 2001 the Python Software Foundation PSF see http www python org psf was formed a non profit organization created specifically to own Python related Intellectual Property Zope Corporation is a sponsoring member of the PSF All Python releases are Open Source see http www opensource org for the Open Source Definition Historically most but not all Python releases have also been GPL compatible the table below summarizes the various releases Table 1 1 Release Derived From Year Owner GPL compatible 1 0 9 0 thru 1 2 1991 1995 CWI yes 13 thru 1 5 2 1 2 1995 1999 CNRI yes 1 6 1 5 2 2000 CNRI no 2 0 16 2000 BeOpen com no 1 6 1 1 6 2001 CNRI yes 2 21 2 0 1 6 1 2001 PSF no XV
105. e 2001 An additional copyright section has been added as Part 4 below also under a BSD license for the work contributed by Sun Microsystems Inc to the project since 2003 Code has been contributed to this project by many people over the years it has been in development and a full list of contributors can be found in the README file under the THANKS section Part 1 CMU UCD copyright notice BSD like Copyright 1989 1991 1992 by Carnegie Mellon University Derivative Work 1996 1998 2000 Copyright 1996 1998 2000 The Regents of the University of California All Rights Reserved Permission to use copy modify and distribute this software and its documentation for any purpose and without fee is hereby granted provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE DATA OR PROFITS WHETH
106. e 6 2 Traffic Flow Decision Tree Because policy can be applied only to recognized protocols it is important to specify port ranges that will capture all traffic even that operating on lesser known ports 76 Chapter 6 Software and Hardware Bridges About Bridging Methods The ProxySG provides bridging functionality by two methods a Software A software or dynamic bridge is constructed using a set of installed interfaces Within each logical bridge interfaces can be assigned or removed See Configuring Programmable Pass Through NIC Adapters on page 80 for more information a Hardware A hardware or pass through bridge uses a 10 100 dual interface Ethernet adapter This type of bridge provides pass through support See About the Pass Through Adapter on page 77 for more information Note If you want to use an L4 switch or an explicit proxy instead of bridging you must disable the bridging pass through card About the Pass Through Adapter A pass through adapter is a 10 100 dual interface Ethernet adapter designed by Blue Coat to provide an efficient fault tolerant bridging solution If this adapter is installed on a ProxySG SGOS detects the adapter on system bootup and automatically creates a bridge the two Ethernet interfaces serve as the bridge ports If the ProxySG is powered down or loses power for any reason the bridge fails open that is Web traffic passes from one Ethernet interface to the other Ther
107. e ELFF or Custom which can contain any desired combination of log fields log tail The access log tail shows the log entries as they get logged With high traffic on the ProxySG not all access log entries are necessarily displayed However you can view all access log information after uploading the log MACH5 SGOS 5 MACH Edition Management Console A graphical Web interface that lets you to manage configure monitor and upgrade the ProxySG from any location The Management Console consists of a set of Web pages and Java applets stored on the ProxySG The appliance acts as a Web server on the management port to serve these pages and applets management information base MIB Defines the statistics that management systems can collect A managed device gateway has one or more MIBs as well as one or more SNMP agents which implements the information and management functionality defined by a specific MIB maximum object size The maximum object size stored in the ProxySG All objects retrieved that are greater than the maximum size are delivered to the client but are not stored in the ProxySG Media Access Control MAC address A unique value associated with a network adapter also known as hardware address or physical address For the ProxySG it is a hardware address that is stored in each network card such as an SSL accelerator card or a Quad GigE Fiber LX card on the ProxySG The MAC address uniquely identifies an adapter
108. e Have the CA sign the CSR To determine if your appliance has a built in certificate see Determining if the ProxySG Has an Appliance Certificate on page 117 See Also For more information about appliance certificates refer to the X 509 certificate information in Volume 4 Securing the Blue Coat ProxySG Appliance 139 Volume I Getting Started 140 Glossary access control list Allows or denies specific IP addresses access to a server access log A list of all the requests sent to a ProxySG You can read an access log using any of the popular log reporting programs When a client uses HTTP streaming the streaming entry goes to the same access log account A named entity that has purchased the ProxySG or the Entitlements from Blue Coat activation code A string of approximately 10 characters that is generated and mailed to customers when they purchase the ProxySG active content stripping Provides a way to identify potentially dangerous mobile or active content and scripts and strip them out of a response active content types Used in the Visual Policy Manager Referring to Web Access policies you can create and name lists of active content types to be stripped from Web pages You have the additional option of specifying a customized message to be displayed to the user administration access policy A policy layer that determines who can access the ProxySG to perform administrative tasks administration a
109. e timeout value the change takes effect on the next refresh of any Management Console page Click Apply Related CLI Syntax to Change the Timeout SGOS config security management auto logout timeout seconds Chapter 4 Configuring Basic Settings The ProxySG global configurations include defining the ProxySG name and serial number setting the time and configuring NTP for your environment Topics in this Chapter This chapter includes information about the following topics o Configuring the ProxySG Name on page 51 n Viewing the Appliance Serial Number on page 51 n Configuring the System Time on page 51 n Network Time Protocol on page 54 n Configuring HTTP Timeout on page 55 Configuring the ProxySG Name You can assign any name to a ProxySG A descriptive name helps identify the system To set the ProxySG name 1 Select Configuration gt General gt Identification 2 In the Appliance name field enter a unique name for the ProxySG 3 Click Apply Related CLI Syntax for Setting the ProxySG Name SGOS config hostname name Viewing the Appliance Serial Number The ProxySG serial number assists Blue Coat Systems Customer Support when analyzing configuration information including heartbeat reports This number is found on the ProxySG The serial number is visible on the Management Console home page Configuring the System Time To manage objects the ProxySG must know the current Coordinated Univers
110. ed in a Microsoft proprietary format Without an nsc file the multicast station definition does not work 149 Volume I Getting Started 150 NTP To manage objects in an appliance a ProxySG must know the current Universal Time Coordinates UTC time By default the ProxySG attempts to connect to a Network Time Protocol NTP server to acquire the UTC time The ProxySG includes a list of NTP servers available on the Internet and attempts to connect to them in the order they appear in the NTP server list on the NTP tab object used in caching An object is the item that is stored in an appliance These objects can be frequently accessed content content that has been placed there by content publishers or Web pages among other things object used in Visual Policy Manager An object sometimes referred to as a condition is any collection or combination of entry types you can create individually user group IP address subnet and attribute To be included in an object an item must already be created as an individual entry object pipelining This patented algorithm opens as many simultaneous TCP connections as the origin server will allow and retrieves objects in parallel The objects are then delivered from the appliance straight to the user s desktop as fast as the browser can request them Online Certificate Status Protocol OCSP An Internet protocol used for obtaining the revocation status of an X 509 digital certi
111. eenas 33 Viewing License SIR ana 33 Disabling the Components Running in Trial Period aa tarot ee e Erbe DieEENE 34 about Deense Expira OM een 35 About the System Serial Number une ee 35 Obt ining a WebPOWeRACCDUDE anni 35 Registering and Licensing Blue Coat Hardware and Software sss 36 Ixerievang the License once tutum dis ra NNI HM aie ir NEG MK uM NR b MENU 38 Manual License Installation nennen en aan 38 Manually Updating a Lesen 40 Automatically Updating License aan 41 Chapter 3 Accessing the ProxySG Before You Begin About NMC aute hd titt ee 43 Accessing the FIRE ae 44 Accessing the Management COnsole susce htc neuen een 44 Accessine the Ele ne ee 47 Changing the Logon Parametern an ae an 48 Changing the Username and Password wenn ent 48 Changing the ProxySG Realm Names 50 Changing the ProxySG DIBIGDUE sen 50 Chapter 4 Configuring Basic Settings Configuring the ProxySG Name anne nee 51 Viewing the Appliance Serial Number u nina en ee ee 51 Configuring the Systeny Tine Sociis dE eR AF n P FEE Um en 51 Network Time Protocol ccccccssscessscesssecessecsseeessscessssessecsessecessecesesesseeeesaecesaecesaeceesecesseecseeeessneesas 54 Configuring HTIP oiii MP neuen 55 Xxi Volume I Getting Started Chapter 5 Configuring Adapters and Virtual LANs lg eol lange 57 How ProxySG Adapters Interact on the INEEWOPE ie nores o Etat atn aa 58 About WAN and LAN Interfaces
112. efault priority In that case priority is determined by the local IP address the ProxySG with the highest local IP will assume the role of master Example The following example creates a bridging configuration with one bridge on standby Note This deployment requires a hub on both sides of the bridge or a switch capable of interface mirroring a ProxySG A software bridge IP address 10 0 0 2 Create a virtual IP address and a failover group and designate this group the master SGOS Ai SGOS Ak SGOS Ak SGOS Ai SGOS Ak SGOS Ai config virtual ip address 10 0 0 4 config failover config failover create 10 0 0 4 config failover edit 10 0 0 4 config failover 10 0 0 4 master config failover 10 0 0 4 enable The preceding commands create a failover group called 10 0 0 4 The priority is automatically set to 254 and the failover interval is set to 40 oa ProxySG B software bridge IP address 10 0 0 3 Create a virtual IP address and a failover group SGOS B config virtual ip address 10 0 0 4 SGOS_B config failover SGOS_B config failover create 10 0 0 4 SGOS_B config failover edit 10 0 0 4 SGOS_B config failover 10 0 0 4 enable In the bridge configuration on each SG attach the bridge configuration to the failover group SGOS_A config bridge bridge name failover group 10 0 0 4 SGOS_B config bridge bridge name failover group 10 0 0 4 n Specify the failover mode SGOS_A config bridge
113. efore Web traffic is uninterrupted but does not route through the appliance Important This scenario creates a security vulnerability After power is restored to the ProxySG the bridge comes back online and Web traffic is routed to the appliance and thus is subject to that appliance s configured features policies content scanning and redirection instructions Note that bridging supports only failover it does not support load balancing Note The adapter state is displayed on Configuration gt Network gt Adapters Reflecting Link Errors When the ProxySG is deployed transparently with bridging enabled link errors that occur on one interface can be reflected to the other bridge interface This allows a router connected to the ProxySG on the healthy link to detect this failure and recompute a path around this failed segment When the interface with the original link error is brought back up the other interface is automatically restarted as part of the health check process Reflecting link errors requires that two interfaces be available and connected in a bridging configuration it also requires that the propagation failure option is enabled By default propagation failure 1S disabled 77 Volume I Getting Started Note This feature is only applicable to a two interface hardware or software bridge The propagation failure option sets itself to disabled in any other scenario If the link goes down while propa
114. eir minimum maximum bandwidth values and priority levels A child class with siblings classes with the same parent class shares bandwidth with those siblings in the same manner cipher suite Specifies the algorithms used to secure an SSL connection When a client makes an SSL connection to a server it sends a list of the cipher suites that it supports client consent certificates A certificate that indicates acceptance or denial of consent to decrypt an end user s HTTPS request client side transparency A way of replacing the ProxySG IP address with the Web server IP address for all port 80 traffic destined to go to the client This effectively conceals the ProxySG address from the client and conceals the identity of the client from the Web server concentrator A ProxySG usually located in a data center that provides access to data center resources such as file servers content filtering A way of controlling which content is delivered to certain users ProxySG appliances can filter content based on content categories such as gambling games and so on type such as http ftp streaming and mime type identity user group network or network conditions You can filter content using vendor based filtering or by allowing or denying access to URLs 143 Volume I Getting Started D 144 default boot system The system that was successfully started last time If a system fails to boot the next most recent system
115. en permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 6 Cisco BUPTNIC copyright notice BSD Copyright c 2004 Cisco Inc and Information Network Center of Beijing University of Posts and Telecommunications All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution Neither the name of Cisco Inc Beijing U
116. ent are based on the policies you create on the ProxySG which can reference an existing security infrastructure LDAP RADIUS IWA and the like Proxy Edition SGOS 5 Proxy Edition proxy service The proxy service defines the ports as well as other attributes that are used by the proxies associated with the service proxy service default The default proxy service is a service that intercepts all traffic not otherwise intercepted by other listeners It only has one listener whose action can be set to bypass or intercept No new listeners can be added to the default proxy service and the default listener and service cannot be deleted Service attributes can be changed ProxySG A Blue Coat security and cache box that can help manage security and content on a network public key certificate An electronic document that encapsulates the public key of the certificate sender identifies this sender and aids the certificate receiver to verify the identity of the certificate sender A certificate is often considered valid if it has been digitally signed by a well known entity which is called a Certificate Authority such as VeriSign public virtual IP VIP Maps multiple servers to one IP address and then propagates that information to the public DNS servers Typically there is a public VIP known to the public Internet that routes the packets internally to the private VIP This enables you to hide your servers from the Interne
117. ently linked to this product To modify this configuration select the appropriate tab below and follow the instructions Software S H Description Expires Ho Installed Software Add a Hew Software Option to this appliance To link a software option that is not listed above record the software serial number s below and click Apply 6 The next action depends on whether you have Internet access a If the ProxySG has Internet access Click Add to add a software license to the appliance 39 Volume 1 Getting Started Using the serial numbers you received when the ProxySG shipment was delivered add the serial numbers Click Apply when finished The software license is now associated with the hardware From Management Console gt Maintenance gt Licensing gt Install click Retrieve and provide the WebPower login information again For more information on the Retrieve procedure see To retrieve the software license on page 38 If the ProxySG does not have Internet access In the Cust Info gt Links panel click Get License You are prompted to save a bin file with the license information Save the bin file From Management Console gt Maintenance gt Licensing gt Install select one of the following from the License Key Manual Installation drop down list and click Install Note A message is written to the event log when you install a license through the ProxySG Remote URL If t
118. er License creation date Concurrent users with ADN enabled unlimited Concurrent users without ADN enabled unlimited General License Information Trial Components are enabled C Disable Disabling the Components Running in Trial Period You have the option to not let users access features that are currently running in trial period however you cannot selectively disable trial period features You must either enable all of them or disable all of them To disable trial period components 1 Select Maintenance gt Licensing gt View 2 Select the Trial Components are enabled option 3 Click Apply 4 Click Refresh Data All licenses that are in trial period switch from Yes to No Users cannot use these features and no dialogs warning of license expiration are sent Also notice that this option text changes to Trial Components are disabled Enabled Repeat this process to re enable trial licenses 34 Chapter 2 Licensing About License Expiration At the end of the trial or demo period or subsequently when any normally licensed component expires components that have not been licensed do not process requests all requests bypass the ProxySG if the default policy is set to ALLOW A license expiration notification message is logged in the Event Log refer to the Event log information in Volume 7 Managing Content for details If a license expires users might not receive notification depending upon the application
119. er interface vlan_id allow intercept enable disable inherit Related CLI Syntax to Manually Configure Link Settings a To enter configuration mode for standard interfaces SGOS config interface adapter interface full duplex half duplex SGOS config interface adapter interface speed 10 100 lgb Related CLI Syntax for Rejecting Inbound Connections a To enter configuration mode for standard interfaces SGOS config interface adapter interface reject inbound enable disable a To enter configuration mode for VLAN interfaces SGOS config interface adapter interface vlan_ id reject inbound enable disable inherit Viewing Interface Statistics As traffic flows to and from the ProxySG you can review statistics for each interface including VLAN traffic This allows you to verify your deployment is optimized For example if you notice that traffic flowing through the LAN interface is consistently near capacity you might consider routing traffic differently or spreading the load to another ProxySG To view interface specific statistics 1 In the Management Console select Statistics gt Network gt Interface History 71 Volume I Getting Started Interface History 2 Duration Last Day megabytes 8 Bytes Sent 4 891 423 Bytes 0 Mon 8am Mon 2pm Mon 8pm Tue 2am Tue 8am Bytes Sent Bytes Received Packets Sent Packets Received Input Errors
120. er is not associated with a software license you have registered the hardware separately 7 The ProxySG does not have Internet access To manually obtain and install the license 1 Select Maintenance gt Licensing gt Install 2 Click Register Manage A new browser window opens and prompts you for your WebPower login information 3 Enter your WebPower username and password and click Login The Support License Management page displays Support License Management Currently Registered Hardware The following appliances are currently registered to your organization Serial Humber Part Number Description Luwuuwa aces ae 33 400 0 2x10 100Base T To configure the software license for an appliance listed above select that appliance s serial number 4 Click the serial number of the unit The Support License Management Manage Serial Numbers Obtain IM License page displays 38 Chapter 2 Licensing Support License Management Manage Software Serial Numbers Obtain IM License Return to Main Screen 5 Click Manage Software Serial Numbers The License Self Service Change Hardware Record displays LICENSE SELF SERVICE CHAHGE HARDWARE RECORD You are currently reviewing the software options associated with Hardware Model Blue Coat SG200 B Valued Customer Hardware Serial Number 4605060001 Organization Blue Coat Systems Tech 4605060001 Blue Coat G200 B The following software options are curr
121. error propagation select the Propagate Failure check box c Optional Click Clear Bridge Statistics to reset the traffic history of the bridge which includes packet and byte counts to 0 d Click OK to save your changes and close the Edit Bridge dialog 5 Click Apply Related CLI Syntax to Configure a Programmable Adapter Card SGOS config bridge SGOS config bridge edit bridge name SGOS config bridge bridge name mode fail open SGOS config bridge bridge name mode fail closed SGOS config bridge bridge name mode disable Note If the bridge adapters are not programmable the mode commands are not visible 82 Chapter 6 Software and Hardware Bridges Customizing the Interface Settings To further customize the bridge edit the interface settings Editing the interface settings allows you to a Allow transparent interception It is bypassed by default You must configure the WAN interface to allow transparent interception Note If you have a MACH5 license a programmable bridge card and labeled WAN LAN interfaces the WAN interface allows transparent interception by default a Firewall incoming traffic Firewalls must be specifically configured See Chapter 5 Configuring Adapters and Virtual LANs on page 57 for more information The Bridge Settings options allow you to clear bridge forwarding table and clear bridge statistics Setting Bandwidth Management for Bridging After you h
122. ficate OCSP was created as an alternative to certificate revocation lists CRL specifically addressing certain problems associated with using CRLs in a public key infrastructure PKT OCSP servers are called OCSP responders due to the request response nature of these messages origin content server OCS A so called origin server This is the original source of the content that is being requested An appliance needs the OCS to acquire data the first time to check that the content being served is still fresh and to authenticate users outbound traffic bandwidth gain Network packets flowing out of the ProxySG Outbound traffic mainly consists of the following Client outbound Packets sent to the client in response to a Web request e Server outbound Packets sent to an OCS or upstream proxy to request a service PAC Proxy AutoConfiguration scripts Originally created by Netscape PACs are a way to avoid requiring proxy hosts and port numbers to be entered for every protocol You need only enter the URL A PAC can be created with the needed information and the local browser can be directed to the PAC for information about proxy hosts and port numbers packet capture PCAP Allows filtering on various attributes of the Ethernet frame to limit the amount of data collected You can capture packets of Ethernet frames going into or leaving a ProxySG parent class bandwidth gain A class with at least one child The parent cl
123. gat ion failure is disabled the previous link state is immediately reflected to the other interface if propagation failure is enabled during this time Configuring a Software Bridge 78 This section describes how to use the Management Console or the CLI to link adapters and interfaces to create a network bridge Before configuring a software bridge ensure that your adapters are of the same type Although the software does not restrict you from configuring bridges with adapters of different speeds 10 100 or GIGE for example the resulting behavior is unpredictable To create and configure a software bridge 1 Select Configuration gt Network gt Adapters gt Bridges 2 Click New The Create Bridge dialog displays Chapter 6 Software and Hardware Bridges Create Bridge E 3a Bridge Name Test 3b __ gt Failover Group zNone Interfaces Interface 3 Configure bridge options a In the Bridge Name field enter a name for the bridge up to 16 characters The bridge name is case insensitive that is you cannot name one bridge ABC and another bridge abc b Optional If you want to assign the bridge to a failover group select it from the Failover Group drop down list c See Configuring Failover on page 84 for more information about configuring failover d Click Add The Add Bridge Interface dialog displays 79 Volume I Getting Started Add Bridge Interface 4a
124. he Initial Developer All Rights Reserved Contributor s Alternatively the contents of this file may be used under the terms of either the GNU General Public License Version 2 or later the GPL or the GNU Lesser General Public License Version 2 1 or later the LGPL in which case the provisions of the GPL or the LGPL are applicable insteadof those above If you wish to allow use of your version of this file only under the terms of either the GPL or the LGPL and not to allow others to use your version of this file under the terms of the MPL indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the GPL or the LGPL If you do not delete the provisions above a recipient may use your version of this file under the terms of any one of the MPL the GPL or the LGPL Net SNMP Various copyrights apply to this package listed in various separate parts below Please make sure that you read all the parts Up until 2001 the project was based at UC Davis and the first part covers all code written during this time From 2001 onwards the project has been based at SourceForge and Networks Associates Technology Inc hold the copyright on behalf of the wider Net SNMP community covering all derivative work done since then An additional copyright section has been added as Part 3 below also under a BSD license for the work contributed by Cambridge Broadband Ltd to the project sinc
125. he file resides on a Web server The Install License Key dialog displays Enter the URL path and click Install The Installation Status field displays relevant information When installation is complete click Results examine the results close the window and click OK Click Apply Local File If the file resides in a local directory The Upload and Install File window opens Enter a path to the license file or click Browse and navigate to the file Click Install A results window opens Examine the license installation results close the window Click Close Click Apply The license is now installed All features that you subscribed to are fully operational Manually Updating a License After the initial license installation you might decide to use another feature that requires a license The license must be updated to support the new feature 40 Chapter 2 Licensing To update a license 1 2 3 4 Select Maintenance gt Licensing gt Install Click Register Manage Follow the instructions on the Blue Coat License Self Service Web page If using the automatic license installation feature click Update otherwise manually install the license as described in Manual License Installation on page 38 Automatically Updating a License The license automatic update feature allows the ProxySG to contact the Blue Coat licensing Web page 31 days before the license is to expire If a new license has been purchased and au
126. he helps reduce the response time and network bandwidth consumption on future equivalent requests The ProxySG serves as a cache by storing content from many users to minimize response time and prevent extraneous network traffic cache control Allows you to configure which content the ProxySG stores cache efficiency A tab found on the Statistics pages of the Management Console that shows the percent of objects served from cache the percent loaded from the network and the percent that were non cacheable cache hit Occurs when the ProxySG receives a request for an object and can serve the request from the cache without a trip to the origin server cache miss Occurs when the ProxySG receives a request for an object that is not in the cache The ProxySG must then fetch the requested object from the origin server cache object Cache contents includes all objects currently stored by the ProxySG Cache objects are not cleared when the ProxySG is powered off Certificate Authority CA A trusted third party organization or company that issues digital certificates used to create digital signatures and public key private key pairs The role of the CA is to guarantee that the individuals or company representatives who are granted a unique certificate are who they claim to be child class bandwidth gain The child of a parent class is dependent on that parent class for available bandwidth they share the bandwidth in proportion to th
127. he transparent interception of inbound connections a By default the ProxySG auto negotiates link settings with the connected switch or router Blue Coat recommends using auto negotiation except under special circumstances Note Rejecting inbound connections improperly or manually configuring link settings improperly might cause the ProxySG to malfunction Ensure that you know the correct settings before attempting either of these If the ProxySG fails to operate properly after changing these settings contact Blue Coat Technical Support About Multiple IP Addresses The ProxySG allows you to bind multiple IP addresses to an interface and typically the assigned IP addresses are on the same subnet Multiple IP addresses on an interface allows for managing one service under a specific IP and another service under a different IP For example you can assign one IP address for management services console access and another IP address for managing proxy traffic In addition you could assign unique IP addresses to manage different services that is have HTTP traffic on one and native FIP on another To configure a network adapter 1 Select Configuration Network Adapters Adapters tab Note Different ProxySG models have different adapter configurations and the appearance of the Adapters tab varies accordingly 65 Volume I Getting Started 2a Select an adapter Adapters Bridges Adapter Interface Status for
128. her suites used e Determine which certificate can be presented to origin servers by associating a keyring with the profile SSL interception Decrypting SSL connections SSL proxy A proxy that can be used for any SSL traffic HTTPS or not in either forward or reverse proxy mode static route A manually configured route that specifies the transmission path a packet must follow based on the packet s destination address A static route specifies a transmission path to another network statistics Every Blue Coat appliance keeps statistics of the appliance hardware and the objects it stores You can review the general summary the volume resources allocated cache efficiency cached contents and custom URLs generated by the appliance for various kinds of logs You can also check the event viewer for every event that occurred since the appliance booted stream A flow of a single type of data measured in kilobits per second Kbps A stream could be the sound track to a music video for example SurfControl log type A proprietary log type that is compatible with the SurfControl reporter tool The SurfControl log format includes fully qualified usernames when an NTLM realm provides authentication The simple name is used for all other realm types syslog An event monitoring scheme that is especially popular in Unix environments Most clients using Syslog have multiple devices sending messages to a single Syslog daemon This
129. ic written prior permission STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Proview xvii Volume I Getting Started Written by Bengaly R 2003 2005 As a part of the Proview a k a PVDasm Permission is granted to make and distribute verbatim copies of this Program provided the copyright notice and this permission notice are Preserved on all copies RealSystem The RealNetworks RealProxy Server is included under license from RealNetworks Inc Copyright 1996 1999 RealNetworks Inc All rights reserved SmartFilter Copyright c 2003 Secure Computing Corporation All rights reserved STLport Copyright c 1999 2000 Boris Fomitchev This material is provided as is with absolutely no warranty expressed or implied Any use is at your own risk Permission to use or copy this software for any purpose is hereby granted without fee provided the above notices are retained on all copies Permission to modify the code and to distribute modified code is granted provided the above notices are retained a
130. icate you can obtain one or specify a CA Certificate List CCL to use to verify the authenticity of your signed archive For more information refer to the ProxySG authentication information in Volume 5 Advanced Networking Saving Encrypted Passwords 118 Encrypted passwords login enable FTP etc cannot be decrypted by a device other than that on which it was encrypted unless you restore the configuration passwords key keyring from the device on which the archive was created This keyring is used to encrypt and decrypt the passwords and the passwords cannot be restored without it Therefore to install a configuration archive onto another device you must do one of the following a Restore the original configuration passwords key keyring a Change the encrypted passwords to clear text so that they can be regenerated The following sections describe these options Note Hashed passwords do not have to be changed to clear text When you restore the archive they are restored as specified on the source device The difference between hashing and encryption is that encryption enables information to be decrypted and read while hashing is a mathematical function used to verify the validity of data For example a system might not need to know a user s password to verify that password The system can run a hash function on the password and confirm that the mathematical result matches that specified for the user Option 1 Recor
131. ided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 6 Remaining components of the software are provided under a standard 2 term BSD licence with the following names as copyright holders Markus Friedl Theo de Raadt Niels Prov
132. ight notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes cryptographic software written by Eric Young eay cryptsoft com The word cryptographic can be left out if the rouines from the library being used are not cryptographic related 4 If you include any Windows specific code or a derivative thereof from the apps directory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF TH
133. ilable through the Management Console You cannot configure it using the CLI To change the order of DNS name imputing suffixes 1 Select Configuration gt Network gt DNS gt Imputing 2 Select the imputing suffix to promote or demote 3 Click Promote entry or Demote entry as appropriate 4 Click Apply Caching Negative Responses By default the ProxySG caches negative DNS responses sent by a DNS server You can configure the ProxySG to set the time to live TTL value for a negative DNS response to be cached You can also disable negative DNS response caching Note The ProxySG generates more DNS requests when negative caching is disabled 106 Chapter 8 Configuring DNS The ProxySG supports caching of both type A and type PTR DNS negative responses This functionality is only available through the CLI You cannot configure DNS negative caching through the Management Console To configure negative caching TTL values From the config prompt SGOS config dns negative cache ttl override seconds where seconds is any integer between 0 and 600 Setting the TTL value to 0 seconds disables negative DNS caching setting the TTL setting to a non zero value overrides the TTL value from the DNS response To restore negative caching defaults From the config prompt SGOS config dns no negative cache ttl override 107 Volume I Getting Started 108 Chapter 9 Backing Up the Configuration This chapter de
134. in content server OCS that has been added to the health check list The host added through the integrate new hosts property ages out of the integrated host table after being idle for the specified time The default is 60 minutes intervals Time period from the completion of one health check to the start of the next health check IP reflection Determines how the client IP address is presented to the origin server for explicitly proxied requests All proxy services contain a reflect ip attribute which enables or disables sending of client s IP address instead of the IP address of the ProxySG issuer keyring The keyring used by the ProxySG to sign emulated certificates The keyring is configured on the appliance and managed through policy licensable component LC Software A subcomponent of a license it is an option that enables or disables a specific feature LCAMS License Configuration and Management System license Provides both the right and the ability to use certain software functions within a Proxy AV or ProxySG appliance The license key defines and controls the license which is owned by an account listener The service that is listening on a specific port A listener can be identified by any destination IP subnet and port range Multiple listeners can be added to each service live content Also called live broadcast Used in streaming it indicates that the content is being delivered fresh LKF License
135. ing 95 transparent 93 routing static routes 94 S signed archives identifying 117 static routes loading 106 table 101 table installing 101 static routes using 94 I time configuring in the ProxySG 51 Index timeout HTTP configuring 55 timeout realm changing 50 U Universal Time Coordinates see UTC username changing 48 default for 48 UTC time 51 V Virtual LAN about 61 adapter configuration 65 deployment 63 native 62 trunk 62 W Web interface definition of 44 159 160
136. ing Suffixes Using name imputing suffixes is particularly useful for a company s internal domains For example it can enable you to simply enter webServer rather than the more elaborate webServer inOurInternalDomain ForOurCompany com Also this resolves any problem with external root servers being unable to resolve names that are internal only To add names to the imputing list 1 Select Configuration gt Network gt DNS gt Imputing The Imputing tab displays 2 Click New The Add List Item dialog displays Add list item Add DNS name imputing suffix company com 3 Enter the DNS name imputing suffix and click OK The name displays in the DNS name imputing suffixes list 4 Click Apply 105 Volume I Getting Started Related CLI Syntax to Add Names to the Imputing List To add names to the imputing list SGOS config dns imputing name To edit DNS name imputing suffixes 1 Select Configuration gt Network gt DNS gt Imputing 2 Select a name in the list and click Edit The Edit List Item dialog displays Edit list item Edit DNS name imputing suffix webServer 3 Edit the name imputing suffix as required and click OK 4 Click Apply Changing the Order of DNS Name Imputing Suffixes The ProxySG uses imputing suffixes according to the list order You can organize the list of suffixes so the preferred suffix displays at the top of the list Note This functionality is only ava
137. ing table 1 Select Configuration gt Network gt Routing gt Routing 2 From the drop down list select the method used to install the routing table click Install e Remote URL Enter the fully qualified URL including the filename where the routing table is located To view the file before installing it click View Click Install To view the installation results click Results close the window when you are finished Click OK e Local File Click Browse to bring up the Local File Browse window Browse for the file on the local system Open it and click Install When the installation is complete a results window opens View the results and close the window e Text Editor The current configuration is displayed in installable list format You can customize it or delete it and create your own Click Install When the installation is complete a results window opens View the results close this window and click Close 3 Click Apply Related CLI Syntax to Install a Routing Table To install a routing table you can use the inline command to install the table directly or enter a path to a remote URL that has an already created text file ready to download a To paste a static route table directly into the CLI 95 Volume I Getting Started 96 Notes SGOS config inline static route table end of file marker paste static routing table eof ok To enter the static route table manually SGOS config inli
138. into one of four types Server inbound Server outbound Client inbound e Client outbound These four traffic flows represent each of the four combinations described above Each flow represents a single direction from a single connection transmission control protocol TCP TCP when used in conjunction with IP Internet Protocol enables users to send data in the form of message units called packets between computers over the Internet TCP is responsible for tracking and handling and reassembly of the packets IP is responsible for packet delivery transparent proxy A configuration in which traffic is redirected to the ProxySG without the knowledge of the client browser No configuration is required on the browser but network configuration such as an L4 switch or a WCCP compliant router is required trial period Starting with the first boot the trial period provides 60 days of free operation All features are enabled during this time unicast alias Defines an name on the appliance for a streaming URL When a client requests the alias content on the appliance the appliance uses the URL specified in the unicast alias command to request the content from the origin streaming server universal time coordinates UTC A ProxySG must know the current UTC time By default the appliance attempts to connect to a Network Time Protocol NTP server to acquire the UTC time If the ProxySG cannot access any NTP servers you must m
139. ion Note The choice among show do not show and show keypair to director has implications for whether keyrings are included in profiles and backups created by Director For more information refer to the Blue Coat Director Configuration and Management Guide c Select Import keyring The grayed out Keyring field becomes enabled allowing you to paste in the already existing keypair The certificate associated with this keypair must be imported separately If the keypair that is being imported has been encrypted with a password select Keyring Password and enter the password into the field 6 Click OK 135 Volume I Getting Started Section F Restoring a Configuration Archive 136 To import a certificate and associate it with a keyring 1 2 3 4 5 6 Copy the certificate onto the clipboard Select Configuration SSL Keyrings and click Edit View From the drop down list select the keyring that you just imported Click Import in the Certificate field Paste the certificate into the Import Certificate dialog that appears Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE statements Click OK Related CLI Syntax to Import a Keyring SGOS config ssl inline keyring show show director no show keyring id eof Paste keypair here eof Related CLI Syntax to Import a Certificate and Associate it with a Keyring SGOS config ssl SG
140. ion prepared by Licensee 3 BeOpen is making the Software available to Licensee on an AS IS basis BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED BY WAY OF EXAMPLE BUT NOT LIMITATION BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY RIGHTS 4 BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL SPECIAL OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING MODIFYING OR DISTRIBUTING THE SOFTWARE OR ANY DERIVATIVE THEREOF EVEN IF ADVISED OF THE POSSIBILITY THEREOF 5 This License Agreement will automatically terminate upon a material breach of its terms and conditions 6 This License Agreement shall be governed by and interpreted in all respects by the law of the State of California excluding conflict of law provisions Nothing in this License Agreement shall be deemed to create any relationship of agency partnership or joint venture between BeOpen and Licensee This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee or any third party As an exception the BeOpen Python logos available at http www pythonlabs com logos html may be used according to the permissions granted on that web page 7 By copying installing or otherwise using
141. ires a valid administrator username and password to have full read write access you do not need to enter a privileged mode password as you do when using the CLI A privileged mode password however must already be set Note To prevent unauthorized access to the ProxySG only give the console username and password to those who administer the system Changing the Username and Password You can change either the username or the password without changing both The console account username was assigned during initial setup of the system You can change the username at any time Note Changing the Console Account username or password causes the Management Console to refresh and log back on using the new information Each parameter must be changed and individually refreshed You cannot change both parameters at the same time To change the username 1 Select Configuration Authentication Console Access Console Account Chapter 3 Accessing the ProxySG Console Account Console Access SSH Host Console account User name admin Change Password Change the console password Console realm name Auto logout seconds a00 2 Enter the username of the administrator or administrator group who is authorized to view and revise console properties Only one console account exists on the ProxySG If you change the console account username that username overwrites the existing console account username The
142. is connections n Bypass Bridge forward all traffic without interception n Allow Bridge forward traffic and intercept appropriate traffic as defined by Proxy Services n Firewall Drop silently block any traffic not related to established ProxySG The following table describes what effect each allow intercept option setting has on different traffic types Table 5 1 How each interception option affects connections Option ProxySG Settings ProxySG Explicit Transparent Other Management and Proxy Proxy Traffic reject allow Console Service Service inbound intercept Connections Traffic Traffic Allow Disabled Enabled Intercepted Intercepted Intercepted Forwarded Bypass Disabled Disabled Intercepted Intercepted Forwarded Forwarded Firewall Enabled Enabled Silently dropped Silently Silently Silently Disabled dropped dropped dropped 59 Volume I Getting Started 60 The default intercept option depends on the type of license on this ProxySG a Proxy Edition The default is Bypass transparent interception a Mach 5 Edition The default is Allow transparent interception The ProxySG performs normal proxy interception as configured in Configuration gt Services for traffic on the interface If you require this ProxySG to perform interception of traffic on specific interface s set the other interfaces to either bypass bridge forward but do not intercept traffic
143. is list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution The name of Fabasoft R amp D Software GmbH amp Co KG or any of its subsidiaries brand or product names may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE PCRE Copyright c 1997 2001 University of Cambridge University of Cambridge Computing Service Cambridge England Phone 44 1223 334714 Written by Philip Hazel lt ph10 cam ac uk gt Permission is granted to anyone to use this software for any purpose on any computer system and to redistribute it freely subject to the following restrictions 1 This software is distributed in the hope that it
144. is the default if no setting is specified filtering See content filtering forward proxy A proxy server deployed close to the clients and used to access many servers A forward proxy can be explicit or transparent FTP See Native FTP and Web FTP gateway A device that serves as entrance and exit into a communications network hardware serial number A string that uniquely identifies the ProxySG it is assigned to each unit in manufacturing health check tests The method of determining network connectivity target responsiveness and basic functionality The following tests are supported 145 Volume I Getting Started 146 e ICMP e TCP e SSL e HTTP e HTTPS Group Composite and reference to a composite result e ICAP e Websense e DRTR rating service health check type The kind of device or service the specific health check tests The following types are supported e Forwarding host and forwarding group e SOCKS gateway and SOCKS gateway group e CAP service and ICAP service group e Websense off box service and Websense off box service group e DRIR rating service e User defined host and a user defined composite heartbeat Messages sent once every 24 hours that contain the statistical and configuration data for the ProxySG indicating its health Heartbeats are commonly sent to system administrators and to Blue Coat Heartbeats contain no private information only aggregate statistics useful for p
145. is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes cryptographic software written by Eric Young eay cryptsoft com The word cryptographic can be left out if the rouines from the library being used are not cryptographic related 4 If you include any Windows specific code or a derivative thereof from the apps directory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED
146. ive owners BLUE COAT SYSTEMS INC DISCLAIMS ALL WARRANTIES CONDITIONS OR OTHER TERMS EXPRESS OR IMPLIED STATUTORY OR OTHERWISE ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL BLUE COAT SYSTEMS INC ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES WHETHER ARISING IN TORT CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS INC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Document Number 231 03010 Document Revision SGOS 5 3 1 08 2008 Third Party Copyright Notices Copyright 1999 2008 Blue Coat Systems Inc All rights reserved worldwide No part of this document may be reproduced by any means nor modified decompiled disassembled published or distributed in whole or in part or translated to any electronic medium or other means without the written consent of Blue Coat Systems Inc All right title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems Inc and its licensors ProxyAV CacheOS SGOS SG Spyware Interceptor Scope RA Connector RA Manager Remote Access and MACH5 are trademarks of Blue Coat Systems Inc and CacheFlow Blue Coat Accelerating The Internet ProxySG WinProxy AccessNow Ositis Powering Internet Management The Ultimate Inte
147. l Me ERE E E EER ans 91 Switching to a Secondary Gateway 92 ROUNE oss sca EN 93 Usimg Statie ROUTES ci face eaten Ide ose aee aE ee ieee EENE E E EE ad n add 94 NOES eea O R E E a a 96 Chapter 8 Configuring DNS ADbOUt ONS e E ette t EE E 97 ProxyoG Using Non Becursive DNS ii linnien io qua tae 97 ProxyoG Usmp Recursive DNS a un 98 About Configuring DNS Server Grip ee 99 xxii Contents About DNS Health CheckS 5 smcera eo rettet dedgeceduayiyeds eases u anne 99 Adding DNS Servers to the Primary EOD e eret ttr asc tbaeiteaa es cn dede ta t cnc 100 Adding DNS Servers to the Alternate GIEOUDO a scene tpt tete nern 101 Creating a Custom DNS OE OBL aa 102 Deletmis Domaine ardent tud pa aedi ai eu 103 Deleting DNS Groups and Servers usine cipis t is t ee 103 Promoting DNS Servers an a Ist 2a a 104 Resolving Hostnames Using Name Imputing Suffixes sse 105 Adding and Editing DNS Name Imputing Suffixes u a 105 Changing the Order of DNS Name Imputing Suffixes u 106 Caching Negative Response ee 106 Chapter 9 Backing Up the Configuration Section A Archiving Tasks Quick Reference WORM ONO SY T 110 Section B Overview of the Archiving and Restoration Process Section C About What is Not Archived Section D Planning for Archive Creation and Restoration Selecting a Configuration Archive Type sus kenne p pE bri cd 116 Using Signed and Unsigned Archves ae E BRERQUR EE CURRERE ON DDR UE
148. leshoot interface connectivity Detecting Network Adapter Faults on page 73 How ProxySG Adapters Interact on the Network Each ProxySG ships with one or more network adapters installed on the system each with one or more interfaces the number of available interfaces varies by ProxySG model Note In Blue Coat documentation the convention for the interface is adapter interface For example 0 0 About WAN and LAN Interfaces Recent ProxySG models have labels next to the physical interfaces on the appliance backplate that identify the WAN and LAN links These interface labels are also hard coded in SGOS 5 3 x and are displayed in the respective interface graphics in the Management Console Based on your deployment type the ProxySG directly in path between users and a router or the ProxySG connected to a router that resides in path virtually in path and explicit verify the following connections a The ProxySG is deployed in path with bridging In path with bridging Figure 5 1 Connecting WAN and LAN interfaces in path with bridging a Clients and WAN links connect to the ProxySG transparently through a router with WCCP 58 Chapter 5 Configuring Adapters and Virtual LANs Virtually in path with WCCP Figure 5 2 Connecting the LAN interface to a router with WCCP About Interception Options The ProxySG allows you to execute one of three actions upon intercepting traffic on a per interface bas
149. lume 5 Advanced Networking Volume 5 discusses networking tasks that do not need to be done in all environments such as WAN optimization setting failover and configuring TCP IP attack detection and WCCP Health checks forwarding and managing bandwidth are also discussed in this volume Volume 6 The Visual Policy Manager and Advanced Policy Volume 6 discusses configuring policy through the graphical uer interface called the Visual Policy Manager VPM Also discussed in this volure are the four policy files that are used to manage policy and pop up ad blocking managing active content and creating exceptions This volume also contains a reference guide and several tutorials for using VPM Volume 7 Managing Content Volume 7 discusses content filtering for the Internet including how to configure and use third party vendors with the ProxySG External Services ICAP and Websense off box are also found in this volume Chapter 1 Introduction Document Description Volume 8 Access Logging Volume 8 discusses log formats upload clients upload schedules and protocols The Access Log Formats appendix discusses ELFF SQUID NCSA Common and custom logs Volume 9 Managing the Blue Coat ProxySG Appliance Volume 9 discusses upgrading the system and configuring event logs SMNP STMP heartbeats and core images as well as diagnostics Health monitoring new in this release
150. m must reproduce the above copyright notice definition disclaimer and this list of conditions in documentation andor other materials provided with the distribution 3 Altered versions including but not limited to ports to new operating systems existing ports with new graphical interfaces and dynamic shared or static library versions must be plainly marked as such and must not be misrepresented as being the original source Such altered versions also must not be misrepresented as being Info ZIP releases including but not limited to labeling of the altered versions with the names Info ZIP or any variation thereof including but not limited to different capitalizations Pocket UnZip WiZ or MacZip without the explicit permission of Info ZIP Such altered versions are further prohibited from misrepresentative use of the Zip Bugs or Info ZIP e mail addresses or of the Info ZIP URL s 4 Info ZIP retains the right to use the names Info ZIP Zip UnZip WiZ Pocket UnZip Pocket Zip and MacZip for its own source and binary releases zlib h interface of the zlib general purpose compression library version 1 2 3 July 18th 2005 Copyright C 1995 2005 Jean loup Gailly and Mark Adler This software is provided as is without any express or implied warranty In no event will the authors be held liable for any damages arising from the use of this software Permission is granted to anyone to use this software for
151. ming the following procedure consider the planning options described in Planning for Archive Creation and Restoration on page 116 To create and upload an archive to a remote server Note This procedure creates only configuration expanded archives You cannot choose another type 1 Obtain write permission to a directory on a secure remote host This is where the archive will be stored 2 Record the configuration passwords key keyring of the ProxySG you want to back up as described in Option 1 Recording SSL Keyring and Key Pair Information on page 118 Important If you do not record the SSL data encrypted passwords will not be able to be decrypted when you restore the archive to another device for example a replacement appliance and none of the SSL related configuration that references those keyrings can be used 3 Access the Management Console of the ProxySG you want to back up https ProxySG IP 8082 4 Select Configuration General Archive Select the Archive Storage tab Chapter 9 Backing Up the Configuration Section E Creating Configuration Archives Archive Configuration Archive Storage Signing 6 5 Sign archives with keyring default v Local Save Save archive Configuration post setup Remote Upload Protocol HTTP wv Filename prefix A sH Host 280 8 8 8 Port 443 Path IWebjDocs Username admin Change Password
152. mmediate but not permanent changes to the ProxySG such as restarting the system This is the level you enter when you first access the Management Console a Configuration is a mode within the Enabled mode From this level you can perform permanent changes to the ProxySG configuration If you use the Management Console you are in configuration mode when you log into Enabled mode and type conf t If you use the CLI you must enter each level separately Username admin Password SGOS enable Enable Password SGOS configure terminal Enter configuration commands one per line End with CTRL Z SGOS config For detailed information about the CLI and the CLI commands refer to Volume 11 Command Line Interface Reference Note Although most administrator tasks can be performed using either the Management Console or the CLI there is the occasional task that can only be done using one of the two these are specified in the manual Accessing the ProxySG 44 You can access the ProxySG through either the CLI or the Management Console By default SSHv2 CLI and HTTPS Management Console are used to connect to the appliance The SSH and HTTPS ports are configured and enabled For SSH you can use either version 1 or version 2 with password or RSA client key authentication Accessing the Management Console The Management Console is a graphical Web interface that allows you to manage configure monitor and u
153. nce free method for improving performance of the ProxySG by automatically compiling a list of requested URLs that return various kinds of errors dynamic real time rating DRTR Used in conjunction with the Blue Coat Web Filter BCWF DRTR also known as dynamic categorization provides real time analysis and content categorization of requested Web pages to solve the problem of new and previously unknown uncategorized URLs those not in the database When a user requests a URL that has not already been categorized by the BCWF database for example a brand new Web site the ProxySG dynamic categorization service analyzes elements of the requested content and assigns a category or categories The dynamic service is consulted only when the installed BCWF database does not contain category information for an object early intercept attribute Controls whether the proxy responds to client TCP connection requests before connecting to the upstream server When early intercept is disabled the proxy delays responding to the client until after it has attempted to contact the server ELFF compatible format A log type defined by the W3C that is general enough to be used with any protocol emulated certificates Certificates that are presented to the user by the ProxySG when intercepting HTTPS requests Blue Coat emulates the certificate from the server and signs it copying the subjectName and expiration The original certificate is used between
154. nd how to configure the ProxySG to function within a Virtual LAN VLAN environment Although you most likely have performed initial configuration tasks to get the ProxySG live on the network this chapter provides additional conceptual information to ensure the configuration matches the deployment How Do l requirement Topics in this Chapter The following topics are covered in this chapter n How Dol on page 57 Begin here if you are not sure of the answer you seek n How ProxySG Adapters Interact on the Network on page 58 D About Virtual LAN Configurations on page 61 o Changing the Default Adapter and Interface Settings on page 65 n Viewing Interface Statistics on page 71 o Detecting Network Adapter Faults on page 73 To navigate this chapter identify the task to perform and click the link How do l based on the basic deployment type such as bridging and in path See About WAN and LAN Interfaces on page 58 Verify the ProxySG is connected properly Learn basic information about virtual LAN VLAN deployments About Virtual LAN Configurations on page 61 Change the settings for default link speeds for interfaces About Link Settings on page 60 57 Volume I Getting Started How do l See Verify that traffic is flowing through the Viewing Interface Statistics on page 71 interfaces and see what type of traffic it is Troub
155. nd a notice that the code was modified is included with the above copyright notice The code has been modified Copyright c 1994 Hewlett Packard Company Copyright c 1996 1999 Silicon Graphics Computer Systems Inc Copyright c 1997 Moscow Center for SPARC Technology Permission to use copy modify distribute and sell this software and its documentation for any purpose is hereby granted without fee provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation Hewlett Packard Company makes no representations about the suitability of this software for any purpose It is provided as is without express or implied warranty Permission to use copy modify distribute and sell this software and its documentation for any purpose is hereby granted without fee provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation Silicon Graphics makes no representations about the suitability of this software for any purpose It is provided as is without express or implied warranty Permission to use copy modify distribute and sell this software and its documentation for any purpose is hereby granted without fee provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documen
156. nd and receive a combined maximum of 100 Mbps of data For more information about network bridging see Chapter 6 Software and Hardware Bridges on page 75 3 Click Settings The Settings dialog displays which contains three configuration option areas Dialog Area Option When receiving packets on this interface O Allow transparent interception Bypass transparent interception Firewall incoming traffic The default is Allow transparent interception The ProxySG performs normal proxy interception as configured in Configuration gt Services for the traffic arriving on the interface If you require this ProxySG to perform interception on traffic from a specific interface or set of interfaces set the other interfaces to either bypass the traffic pass it through but not intercept it or firewall it block it Inbound connection options Allow transparent interception default The ProxySG intercepts the appropriate traffic based on settings configured in Configuration gt Services all other traffic is bridged or forwarded Bypass transparent interception The ProxySG bridges or forwards all inbound traffic on this interface regardless of the services configuration Firewall incoming traffic The ProxySG drops all inbound connections on this interface regardless of the services Link Settings Automatically sense link settings Manually configure link settings Q
157. nd distributed with the following license version 3 0 December 2000 Optimised ANSI C code for the Rijndael cipher now AES author Vincent Rijmen lt vincent rijmen esat kuleuven ac be gt author Antoon Bosselaers lt antoon bosselaers esat kuleuven ac be gt author Paulo Barreto lt paulo barreto terra com br gt This code is hereby placed in the public domain THIS SOFTWARE IS PROVIDED BY THE AUTHORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 5 One component of the ssh source code is under a 3 clause BSD license held by the University of California since we pulled these parts from original Berkeley code Copyright c 1983 1990 1992 1993 1995 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted prov
158. nd the ProxySG using SSH HTTPS is encrypted During initial configuration you assigned the ProxySG a username and password and a privileged mode enabled configuration password These passwords are always stored and displayed hashed Topics in this Chapter This chapter includes information about the following topics a Before You Begin About Modes on page 43 o Accessing the ProxySG on page 44 n Changing the Logon Parameters on page 48 Important This chapter assumes that you have completed the first time setup of the ProxySG using either the front panel or serial console and that the appliance is running on the network These steps must be completed before accessing the appliance You can manage the ProxySG by logging on to and using one of the following o An SSH session to access the CLI a The Management Console graphical interface You can also use a serial console to access the CLI Note To use a Telnet session you must use a serial console connection until you configure Telnet for use For security reasons Blue Coat does not recommend using Telnet Before You Begin About Modes SGOS 5 x supports different levels of command security a Standard or unprivileged mode is read only You can see but not change system settings and configurations This is the level you enter when you first access the CLI 43 Volume I Getting Started a Enabled or privileged mode is read write You can make i
159. ne static route table end of file marker 10 25 36 0 255 255 255 0 10 25 46 57 10 25 37 0 255 255 255 0 10 25 46 58 10 25 38 0 255 255 255 0 10 25 46 59 eof ok To enter a path to a remote URL SGOS config static routes path url SGOS config load static route table Any deployment that causes traffic to traverse the link from the ProxySG to the home router twice is not supported Some WCCP configurations might not work as expected If you use URL host rewrite functionality in your policies mismatches can occur between the client provided IP address and the resolved rewritten hostname In these cases static routing is used Chapter 8 Configuring DNS About DNS This chapter describes various configuration tasks associated with Domain Name Services DNS During first time installation of the ProxySG you configured the IP address of a single primary DNS server You can add one or more alternate DNS servers as well as define custom DNS server groups Topics in this Chapter This chapter includes information about the following topics o About DNS on page 97 o About Configuring DNS Server Groups on page 99 o Adding DNS Servers to the Primary Group on page 100 o Adding DNS Servers to the Alternate Group on page 101 a Creating a Custom DNS Group on page 102 n Deleting Domains on page 103 n Deleting DNS Groups and Servers on page 103 a Resolving Hostnames Using Name Imputing Suffixes on page 105
160. net access you can install the software license under Maintenance gt Licensing gt Install For more information see Manual License Installation on page 38 To register the hardware and software 1 2 Open a browser and verify pop up blocking is disabled Enter the SGOS Management Console URL https IP address 8082 Enter the access credentials specified during initial setup Click Management Console The license warning registration page displays Chapter 2 Licensing License Warning This device is operating in the trial period Trial expiration date is 2007 11 10 Hardware Registration i ii tt i i i ii i i i i i i i i i Register hardware with Blue Coat automatically WebPower User ID JENNIFER CUSTOMER Password ex Hardware has been manually registered Registration Status Hardware auto registration and license retrieval in progress The license retrieval may take up to a minute 5 Enter your WebPower credentials and click Register Now It might take up for a minute for the Registration Status field to display the results Click Continue 7 Select Maintenance Licensing View View Install Licensed Components Component Expiration Date 5G05 5 yes 2008 07 28 Windows Media Streaming yes 2008 07 28 Real Media Streaming 2008 07 28 QuickTime Streaming yes 2008 07 28 SSL yes 2008 07 28 View Details Refresh Data General License Information
161. niversity of California Berkeley and its contributors 4 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Trend Micro Copyright c 1989 2003 Trend Micro Inc All rights reserved zip cpp THIS FILE is almost entirely based upon code by info zip It has been modified by Lucian Wischik The modifications were a complete rewrite of the bit of code that generates the layout of the zipfile and support for zipping to from memory or handles or pipes or pagefile or diskfiles encryption unicode The original code may be found at http www info zip org The original copyright text follows This is
162. niversity of Posts and Telecommunications nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 7 Fabasoft R amp D Software GmbH amp Co KG copyright notice BSD Copyright c Fabasoft R amp D Software GmbH amp Co KG 2003 oss fabasoft com Author Bernhard Penz Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice th
163. o Caching Negative Responses on page 106 A hierarchical set of DNS servers comprises a Domain Name System For each domain or subdomain one or more authoritative DNS servers publish information about that domain and the name servers of any domains that are under it Note The DNS servers are configured in groups For more information see About Configuring DNS Server Groups on page 99 There are two types of queries which are Non recursive which means that a DNS server can provide a partial answer or return an error to the client a Recursive which means that the DNS server either fully answers the query or returns an error to the client ProxySG Using Non Recursive DNS If you have defined more than one DNS server the ProxySG uses the following logic to determine which servers are used to resolve a DNS host name and when to return an error to the client 97 Volume I Getting Started 98 Note Servers are always contacted in the order in which they appear in a group list a The ProxySG first checks all the DNS groups for a domain match using domain suffix matching to match a request to a group e If there is a match the servers in the matched group are queried until a response is received no other DNS groups are queried e If there is no match the ProxySG selects the Primary DNS group a The ProxySG sends requests to DNS servers in the Primary DNS server group in the order in which they appear
164. omains This group is defined at initial configuration 4 Click Apply Related CLI Syntax to Adding an Alternate DNS Server To add an alternate DNS server SGOS config dns forwarding config dns forwarding edit alternate config dns forwarding alternate add server server ip See Also About DNS 4 About Configuring DNS Server Groups Adding DNS Servers to the Primary Group a 0 0 Creating a Custom DNS Group a Promoting DNS Servers in a List 101 Volume I Getting Started Creating a Custom DNS Group 102 Custom groups enable you to specify servers and domains for specific company needs such as resolving internal or external hostnames depending on how you have set up your primary and alternate DNS groups Valid DNS entry formats are example com www example com Notes a You can create a maximum of 10 custom groups and each custom group can contain a maximum of four DNS servers and eight domains a Groups do not accept wild cards such as example com a Groups do not partially match domain names such as example com example com Further more exam com does not match queries for www example com a DNS record requirements have been relaxed as discussed in RFC 2181 Review sections 10 and 11 for more information To create a custom group 1 Select Configuration gt Network gt DNS gt Groups The list of DNS groups displays 2 Click New The Create DNS Forwarding G
165. on a LAN and is a 12 digit hexadecimal number 48 bits in length MIME FILE type filtering Allows organizations to implement Internet policies for both uploaded and downloaded content by MIME or FILE type multi bit rate The capability of a single stream to deliver multiple bit rates to clients requesting content from ProxySG appliances from within varying levels of network conditions such as different connecting bandwidths and traffic multicast Used in streaming the ability for hundreds or thousands of users to play a single stream multicast aliases Used in streaming a streaming command that specifies an alias for a multicast URL to receive an nsc file The nsc files allows the multicast session to obtain the information in the control channel multicast station Used in streaming a defined location on the proxy where the Windows Media player can retrieve streams A multicast station enables multicast transmission of Windows Media content from the cache The source of the multicast delivered content can be a unicast live source a multicast live source and simulated live video on demand content converted to scheduled live content multimedia content services Used in streaming multimedia support includes Real Networks Microsoft Windows Media Apple QuickTime MP3 and Flash name inputing Allows a ProxySG to resolve host names based on a partial name specification When a host name is submitted to the DNS server
166. onditions The above copyright notice and this permission notice shall be includedin all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS ORIMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHERLIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE libpng This copy of the libpng notices is provided for your convenience In case ofany discrepancy between this copy and the notices in the file png h that isincluded in the libpng distribution the latter shall prevail COPYRIGHT NOTICE DISCLAIMER and LICENSE If you modify libpng you may insert additional notices immediately following this sentence libpng versions 1 2 6 August 15 2004 through 1 2 25 February 18 2008 are Copyright c 2004 2006 2008 Glenn Randers Pehrson and aredistributed according to the same disclaimer and license as libpng 1 2 5 with the following individual added to the list of Contributing Authors Cosmin Truta libpng versions 1 0 7 July 1 2000 through 1 2 5 October 3 2002 areCopyright c 2000 2002 Glenn Randers Pehrson and aredistributed according to the same disclaimer and license as libpng 1 0 6with the following individuals
167. ools and contributions which rely on or relate to the FreeType Project This license applies to all files found in such packages and which do not fall under their own explicit license The license affects thus the FreeType font engine the test programs documentation and makefiles at the very least This license was inspired by the BSD Artistic and IJG Independent JPEG Group licenses which all encourage inclusion and use of free software in commercial and freeware products alike As a consequence its main points are that o We don t promise that this software works However we will be interested in any kind of bug reports as is distribution o You can use this software for whatever you want in parts or full form without having to pay us royalty free usage o You may not pretend that you wrote this software If you use it or only parts of it in a program you must acknowledge somewhere in your documentation that you have used the FreeType code credits We specifically permit and encourage the inclusion of this software with or without modifications in commercial products We disclaim all warranties covering The FreeType Project and assume no liability related to The FreeType Project Finally many people asked us for a preferred form for a credit disclaimer to use in compliance with this license We thus encourage you to use the following text Portions of this software are copyright c 2007The FreeType Project www
168. oration 122 ltHg Lb5rIXnl13wFZENd viO54YOiWlZixlpCBbDIkef3DdJZLxVy3x7Gbw32OfE 3a7kfIMvVKWmNO syAn4B2yasy OnxbSyOciJq1C42yPJ BjlMuYDmgIvMP6ne5UA gYYhe koamOZNcIuaXrAS2v2tYevrBc END CERTIFICATE 8 Copy the certificate and paste it into the template under the appropriate inline certificate cert name end inline line in the template 9 Optional For each named keyring that you want to restore repeat steps 4 to 8 Note SGOS 5 x has an appliance key keyring This keyring s private key is not viewable and cannot be transferred to another ProxySG The default and passive attack protection only key keys typically do not need to be restored either 10 Save the password information that you used to encrypt the keys in a secure place for example a restricted access cabinet or safe After saving this data create a configuration archive as described in Creating Configuration Archives on page 125 When you are ready to restore the archive you must first restore the SSL data on the target appliance as described in Importing an Existing Key Pair and Certificate on page 134 Example Completed SSL Data Template The following example shows a completed template When you restore the data to the appliance you will be prompted for the encryption password that you used to encrypt the keys Note The commands in the following example are bounded by the document text area and wrap to the ne
169. ore information see Volume 4 Securing the Blue Coat ProxySG Appliance Chapter 3 Controlling Access to the Internet and Intranet 49 Volume I Getting Started 50 Changing the ProxySG Realm Name The realm name displays when you log on to the Management Console The default realm name is the connection used to access the ProxySG usually the IP address of the system To change the realm name 1 2 3 Select Configuration Authentication Console Access Console Account Enter a new realm name The new realm name displays the next time you log on to the Management Console Click Apply Related CLI Syntax to Change the Realm Name SGOS config security management display realm name The new realm name displays the next time you log on to the Management Console Changing the ProxySG Timeout The timeout is the length of time a session persists before you are logged out The default timeout is 900 seconds 15 minutes To change the timeout 1 2 3 Select Configuration Authentication Console Access Console Account Either deselect Enforce auto logout which eliminates auto logout entirely or change the auto logout timeout from its default of 900 seconds 15 minutes to another value in seconds This is the allowable length of time on the ProxySG before the current session times out Acceptable values are between 300 and 86400 seconds 5 minutes to 24 hours If you change th
170. orth it you can buy me a beer in return Poul Henning Kamp BPF Ccopyright c 1988 1989 1990 1991 1992 1993 1994 1995 1996 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that 1 source code distributions retain the above copyright notice and this paragraph in its entirety 2 distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution and 3 all advertising materials mentioning features or use of this software display the following acknowledgement This product includes software developed by the University of California Lawrence Berkeley Laboratory and its contributors Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Browser Detect http creativecommons org licenses by 1 0 DES Software DES functions written 12 Dec 1986 by Phil Karn KA9Q large sections adapted from the 1977 public domain program by Jim Gillogly EXPAT Copyright c 1998 1999 2000 Thai Open Source Soft
171. os Dug Song Aaron Campbell Damien Miller Kevin Steves Daniel Kouril Wesley Griffin Per Allansson Nils Nordman Simon Wilkinson Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE OpenSSL License Copyright c 1998 2007 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modifi
172. owever not all clients are able to detect send or receive VLAN tagged packets About VLAN Trunking Trunk ports are ports that carry traffic for more than one VLAN They tag each packet with the VLAN ID in the packet header Trunk ports are commonly used between switches and routers that must switch or route traffic from or to multiple VLANs In the following diagram multiple VLANs are connected by trunk link between two switches Switch 1 Switch 2 Trunk Link VLAN 1 2 3 and 4 Figure 5 4 Two switches connected by a trunk About Native VLANs Each switch port has a designated native VLAN Traffic on the port associated with the native VLAN is not tagged Traffic destined for VLANs other than the native VLAN is tagged Chapter 5 Configuring Adapters and Virtual LANs The trunk link carries both the native VLAN and all other VLAN tagged packets as illustrated in the following diagram VLAN 1 Trunk link Clients 1 2 and 3 carrying Switch ports 1 2 and 3 Native VLAN 1 Subnet 192 168 1 x VLAN 2 Switch 1 Listening on 192 168 1 1 on VLAN 1 192 168 2 1 on VLAN 2 VLAN 2 Clients 4 and 5 Switch ports 7 and 8 Subnet 192 168 2 x Figure 5 5 A switch broadcasting native and regular VLAN traffic over a trunk In this example the client attached to port 7 belongs to VLAN 2 Even though port 7 is part of VLAN 2 it does not set tags or receive VLAN tagged packets The switch associates the traffic with V
173. pgrade the ProxySG from any location The Management Console consists of a set of Web pages stored on the ProxySG The appliance acts as a Web server on the management port to serve these pages From the ProxySG home page on the appliance you can access the configuration maintenance and statistics pages and the documentation The Management Console is supported with a complete online help facility to assist you in defining the various configuration options Note If when you access the Management Console home page you see a host mismatch Or an invalid certificate message you must recreate the security certificate used by the HTTPS Console For information on changing the security certificate refer to the console services information in Volume 2 Proxies and Proxy Services Chapter 3 Accessing the ProxySG Logging On Each time you access the Management Console you must log on To log on to the Management Console 1 In the Web browser enter HTTPS the ProxySG IP address and port 8082 the default management port Note For example if the IP address configured during first time installation is 10 25 36 47 enter the URL nttps 10 25 36 47 8082 in the Web browser Connect to 192 168 0 6 192 168 0 6 User name admin Password ERE Remember my password 2 Enter the user name and password that you have already created Note All successful and failed logon attempts are logged to the event
174. pply Related CLI Syntax to Create a Static Forwarding Table Entry SGOS config bridge bridge name static fwtable entry adapter interface mac address 88 Chapter 6 Software and Hardware Bridges Bypass List Behavior The dynamic bypass list is handled differently depending on the OS version In SGOS 4 x packets matching the dynamic bypass list are forwarded in the IP layer In SGOS 5 x the packets are forwarded in the bridge layer which is more appropriate and efficient For more information on using bypass lists in SGOS 5 x refer to Volume 2 Proxies and Proxy Services The behavior of the static bypass list stays the same The packets are forwarded in IP layer 89 Volume I Getting Started 90 Chapter 7 Distributing Traffic Through Gateways This chapter describes how to distribute traffic originating at the ProxySG through multiple gateways You can also fine tune how the traffic is distributed to different gateways This feature works with any routing protocol such as static routes or RIP Note Load balancing through multiple gateways is independent from the per interface load balancing the ProxySG automatically does when more than one network interface is installed Topics in this Chapter This chapter includes information about the following topics o About Gateways on page 91 D ProxySG Specifics on page 91 n Switching to a Secondary Gateway on page 92 a Routing on page 93 About Ga
175. pts to connect to them in the order they appear in the NTP server list on the NTP tab You can add others delete NTP servers and reorder the NTP server list to give a specific NTP server priority over others The ProxySG uses NTP and the Coordinated Universal Time UTC to keep the system time accurate You can add and reorder the list of NTP servers the ProxySG uses for acquiring the time The reorder feature is not available through the CLI To add an NTP server 1 Select Configuration gt General gt Clock gt NTP Clock NTP servers Names ntp bluecoat com ntp2 bluecoat com List order indicates preference Promote entry Demote entry 2 Click New The Add List Item dialog displays 3 Enter either the domain name or IP address of the NTP server and click OK to close the dialog 4 Click Apply Related CLI Syntax for Acquiring and Setting UTC Time SGOS config ntp subcommands Chapter 4 Configuring Basic Settings To change the access order NTP servers are accessed in the order displayed You can organize the list of servers so the preferred server appears at the top of the list This feature is not available through the CLI 1 Select Configuration gt General gt Clock gt NTP 2 Select an NTP server to promote or demote 3 Click Promote entry or Demote entry as appropriate 4 Click Apply Configuring HTTP Timeout You can configure various network receive timeout settings for
176. quire that you use one or more of the following phrases to refer to this software in your documentation or advertising materials FreeType Project FreeType Engine FreeType library or FreeType Distribution As you have not signed this license you are not required to accept it However as the FreeType Project is copyrighted material only this license or another one contracted with the authors grants you the right to use distribute and modify it Therefore by using distributing or modifying the FreeType Project you indicate that you understand and accept all the terms of this license 4 Contacts There are two mailing lists related to FreeType o freetype nongnu org Discusses general use and applications of FreeType as well as future and wanted additions to the library and distribution If you are looking for support start in this list if you haven t found anything to help you in the documentation o freetype devel nongnu org Discusses bugs as well as engine internals design issues specific licenses porting etc Our home page can be found at http www freetype org ISODE ISODE 8 0 NOTICE Acquisition use and distribution of this module and related materials are subject to the restrictions of a license agreement Consult the Preface in the User s Manual for the full terms of this agreement 4BSD ISODE SMP NOTICE Acquisition use and distribution of this module and related materials are subject to the rest
177. r promote products derived from this software without specific prior written permission This software is provided as is without express or implied warranty The OpenLDAP Public License Version 2 0 1 21 December 1999 Copyright 1999 The OpenLDAP Foundation Redwood City California USA All Rights Reserved Redistribution and use of this software and associated documentation Software with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain copyright statements and notices Redistributions must also contain a copy of this document 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The name OpenLDAP must not be used to endorse or promote products derived from this Software without prior written permission of the OpenLDAP Foundation For written permission please contact foundation openldap org 4 Products derived from this Software may not be called OpenLDAP nor may OpenLDAP appear in their names without prior written permission of the OpenLDAP Foundation OpenLDAP is a trademark of the OpenLDAP Foundation 5 Due credit should be given to the OpenLDAP Project http www openldap org THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLI
178. rds key data to restore a configuration archive onto a device other than the source device Key Pair In SSL the combination of private and public keys that are used to encrypt and decrypt data Public keys are provided to other hosts so that data can be encrypted private keys are used to decrypt data The public key is trusted when it is guaranteed to belong to an entity by a trusted certificate authority CA Keyring A repository for encryption key pairs and optionally certificates and certificate signing requests CSRs Appliance Certificate An X 509 certificate that contains the hardware serial number of a specific ProxySG device as the CommonName CN in the subject field This certificate then can be used to authenticate the ProxySG whose hardware serial number is listed in the certificate Information from the presented certificate is extracted and used as the device ID The appliance certificate can be used to sign archives the signature guarantees the authenticity of the archive Certificate Authority CA A CA is a trusted third party organization or company that issues digital certificates used to create digital signatures and public key private key pairs The role of the CA is to guarantee that the individuals or company representatives who are granted a unique certificate are who they claim to be When using signed archives you must have a CA guarantee the archive signature or you can use a self signed certificate
179. re Python in source or binary form and its associated documentation 2 Subject to the terms and conditions of this License Agreement PSF hereby grants Licensee a nonexclusive royalty free world wide license to reproduce analyze test perform and or display publicly prepare derivative works distribute and otherwise use Python alone or in any derivative version provided however that PSF s License Agreement and PSF s notice of copyright i e Copyright c 2001 2002 2003 2004 2005 2006 Python Software Foundation All Rights Reserved are retained in Python alone or in any derivative version prepared by Licensee 3 In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof and wants to make the derivative work available to others as provided herein then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python 4 PSF is making Python available to Licensee on an AS IS basis PSF MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED BY WAY OF EXAMPLE BUT NOT LIMITATION PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS 5 PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL SPECIAL OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING DISTRIBUTING OR OTHERWISE USING PYTHON
180. re emptively diagnosing support issues The ProxySG sends emergency heartbeats whenever it is rebooted Emergency heartbeats contain core dump and restart flags in addition to daily heartbeat information host affinity The attempt to direct multiple connections by a single user to the same group member Host affinity is closely tied to load balancing behavior both should be configured if load balancing is important host affinity timeout The host affinity timeout determines how long a user remains idle before the connection is closed The timeout value checks the user s IP address SSL ID or cookie in the host affinity table inbound traffic bandwidth gain Network packets flowing into the ProxySG Inbound traffic mainly consists of the following e Server inbound Packets originating at the origin content server OCS and sent to the ProxySG to load a Web object Client inbound Packets originating at the client and sent to the ProxySG for Web requests installable list A list of configuration parameters that can be created using a text editor either Blue Coat or another text editor or through the CLI inline commands The list can then be downloaded to the ProxySG from an HTTP server or locally from your PC Configurations that can be created and installed this way include the SG Client archiving forwarding hosts SOCKS gateways ICP policy files and exceptions integrated host timeout An integrated host is an orig
181. re represented by a text string and a color that corresponds to the health of the system green yellow or red The system health changes when one or more of the health metrics reaches a specified threshold or returns to normal The Management Console polls the ProxySG every 10 seconds and updates the health state indicator accordingly To obtain more information about the health state click the health icon Clicking the health icon displays the Statistics gt Health page which lists the current condition of the system s health monitoring metrics Chapter 3 Accessing the ProxySG Refer to Volume 9 Managing the Blue Coat ProxySG Appliance for more information about the health monitoring metrics Logging Out Once you have logged on you do not have to log on again unless you exit the current session or the session times out The session timeout period with a default of 900 seconds 15 minutes is configurable Thirty seconds before the session times out a warning dialog displays Click the Keep Working button or the X in the upper right corner of the dialog box to keep the session alive Note The Keep Working button saves your changes However you must log back on to work in other pages Inactivity Logout Warning 1 lol x Auto Logout You are now logged out of the Management Console Do you wish to close the console now or finish working with any changes left in the current session Warning Console will close in
182. rictions given in the file SMP READ ME UNIX is a registered trademark in the US and other countries licensed exclusively through X Open Company Ltd irrxml Copyright 2002 2007 Nikolaus Gebhardt This software is provided as is without any express or implied warranty In no event will the authors be held liable for any damages arising from the use of this software Permission is granted to anyone to use this software for any purpose including commercial applications and to alter it and redistribute it freely subject to the following restrictions 1 The origin of this software must not be misrepresented you must not claim that you wrote the original software If you use this software in a product an acknowledgment in the product documentation would be appreciated but is not required 2 Altered source versions must be plainly marked as such and must not be misrepresented as being the original software 3 This notice may not be removed or altered from any source distribution json c Copyright c 2004 2005 Metaparadigm Pte Ltd Permission is hereby granted free of charge to any person obtaining acopy of this software and associated documentation files the Software to deal in the Software without restriction including without limitationthe rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom theSoftware is furnished to do so subject to the following c
183. ring 55 I imputing adding names 105 changing suffix order 106 definition of 105 see also DNS 97 using 105 K keyring associating with certificate 136 importing 134 L licensing about 31 components 31 expiration about 35 trial period about 33 updating automatic 41 updating manual 40 load balancing gateways 92 using multiple default IP gateways 91 login parameters 45 Management Console 158 accessing 44 changing username and passwords in 48 console account 48 logging in 45 logging out 47 modes understanding 43 N name imputing suffixes changing order 106 name imputing see imputing name imputing using 105 name configuring 51 negative caching 106 disabling for DNS responses 107 enabling for DNS responses 107 network adapter link faults 73 programmable 80 Network Time Protocol server see NTP NTP adding server 54 server order changing 55 time server definition of 51 understanding 54 P password changing 48 default for 48 see also privileged mode password privilege enabled mode understanding 43 privileged mode password changing 48 default for 48 ProxySG archiving backing up see archives DNS server 97 read only and read write access 43 realm name changing 50 realm name changing through CLI 50 time configuring 51 timeout changing 50 R read only access in ProxySG 43 read write access in ProxySG 43 realm name changing 50 timeout changing 50 routes static 94 static install
184. ring applications Included HTTP Allows reduction to file sizes without losing any data Compression Optional SSL SSL Proxy and HTTPS Reverse Proxy SSL termination Optional AOL Instant AIM proxy with policy support for AOL Instant Messaging Messenger Optional MSN Instant MSN proxy with policy support for MSN Instant Messaging Messenger Optional Yahoo Instant Yahoo proxy with policy support for Yahoo Instant Messaging Messenger About the Trial Period Blue Coat provides a trial period enabled by default During initial configuration of new hardware you can specify an edition of SGOS to run during the trial period The ProxySG can run either the MACH5 or Proxy Edition of SGOS during the trial period Note If you select Proxy Edition for the trial period but you purchase a MACH5 Edition license the ProxySG configuration is reset when you install the license The following defaults differ between the two editions default proxy policy trust destination IP address transparent WAN interception on disabled bridge cards and tolerating HTTP requests In the trial period the Base SGOS user limit is unlimited When a full license is installed any user limits imposed by that license are enforced even if the trial period is still valid The initial system boot up triggers the 60 day trial during this time you can evaluate the SGOS functionality For the first 60 days all licensable components for the trial
185. rnet Sharing Solution Cerberian Permeo Permeo Technologies Inc and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems Inc All other trademarks contained in this document and in the Software are the property of their respective owners BLUE COAT SYSTEMS INC DISCLAIMS ALL WARRANTIES CONDITIONS OR OTHER TERMS EXPRESS OR IMPLIED STATUTORY OR OTHERWISE ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL BLUE COAT SYSTEMS INC ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES WHETHER ARISING IN TORT CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS INC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Blue Coat Systems Inc utilizes third party software from various sources Portions of this software are copyrighted by their respective owners as indicated in the copyright notices below The following lists the copyright notices for Advanced Software Engineering This software is based in part on the work of the Independent JPEG Group This software is based in part of the work of the FreeType Team THE BEER WARE LICENSE Revision 42 lt phk FreeBSD org lt mailto phk FreeBSD org gt gt wrote this file As long as you retain this notice you can do whatever you want with this stuff If we meet some day and you think this stuff is w
186. roup dialog displays 3 Enter a name for the DNS group 4 Enter the servers and the domains for the group and click OK The custom group displays in the DNS Groups list 5 Click Save Related CLI Syntax to Create a Custom DNS Group To create a custom DNS group SGOS config dns forwarding config dns forwarding create group alias server ip See Also Dn About DNS o About Configuring DNS Server Groups o Adding DNS Servers to the Primary Group n Adding DNS Servers to the Alternate Group Chapter 8 Configuring DNS a Promoting DNS Servers in a List Deleting Domains If a domain becomes defunct you can easily delete it from a DNS group In addition you need to delete all domains associated with the last server in any DNS group before you can delete the server To delete domains 1 Select Configuration gt Network gt DNS gt Groups The list of DNS groups displays 2 Select the DNS group in the list and click Edit The Edit DNS Forwarding Group dialog displays Delete domains and click OK 4 Click Apply Related CLI Syntax to Delete a Domain To delete a domain SGOS config dns forwarding config dns forwarding edit group alias config dns forwarding group alias remove domain domain See Also Deleting DNS Groups and Servers Deleting DNS Groups and Servers The following list describes the specific rules that apply when deleting DNS groups and servers a You cannot delete
187. rovided for your information and to caution you against actions that can result in data loss or personal injury Note Information to which you should pay attention Important Critical information that is not related to equipment damage or personal injury for example data loss WARNING Used only to inform you of danger of personal injury or physical damage to equipment An example is a warning against electrostatic discharge ESD when installing equipment About Procedures Illustrations 26 Many of the procedures in this volume begin 7 Select Configuration gt TabName if you are working in the Management Console or O From the config prompt if you are working in the command line interface CLI Blue Coat assumes that you are logged into the first page of the Management Console or entered into configuration mode in the CLI To save space screen shots illustrating a procedure often have the bottom portion removed along with the blank space Chapter 1 Introduction General Unique name for this ProxySG Appliance Name 172 16 90 44 Blue Coat SG200 Series Serial number of the ProxySG Appliance Serial number Preview Apply Revert Help Figure 1 1 Configuration gt General Tab with Bottom Buttons o Preview Use this button to view the configuration changes before applying the configuration to the ProxySG To modify your changes click Close and return to the tab whose se
188. s can be used Access the Management Console of the ProxySG you want to back up https ProxySG IP 8082 Select the Configuration gt General gt Archive gt Archive Storage tab Archive Configuration Archive Storage Signing Sign archives with keyring appliance key Local Save Save archive Configuration expanded From the Sign archives with keyring drop down list select a signing keyring to use or accept the default appliance key Click Apply Note If you do not click Apply a pop up displays when you click Save that indicates that all unsaved changes will be saved before storing the archive configuration The unsaved changes are the Sign archives with keyring option changes you made in Step 4 From the Save archive drop down list select the archive type Blue Coat recommends Configuration expanded Click Save A new browser window displays prompting you to open or save the configuration to the local disk of the device you are using to access the ProxySG Creating and Uploading an Archive to a Remote Server Use the following procedure to create a signed or unsigned archive and upload it to a secure remote host 127 Volume I Getting Started Section E Creating Configuration Archives 128 You can use HTTP HTTPS FTP or TFTP to upload the archive When using signed archives Blue Coat recommends uploading the system configuration using HTTPS Before perfor
189. scribes how to back up your configuration and save it on a remote system so that you can restore it in the unlikely event of system failure or replacement ProxySG configuration backups are called archives The archive taken from the running configuration contains all system settings differing from system defaults along with any installable lists configured on the ProxySG You should regularly archive the ProxySG configuration so that you can restore it to its previous state in case of error Also certain conditions require a complete restoration of the system configuration for example if you are upgrading all the disk drives in a system You should also archive the system configuration before performing any software or hardware upgrade or downgrade Existing configuration archives modified to include only general parameters not system specific settings can also be used to propagate configuration settings to newly manufactured ProxySG appliances This process is called configuration sharing Before Reading Further Before reading this chapter you should be familiar with the concepts in the following user guides a The device authentication information in Volume 5 Advanced Networking a The X 509 and SSL information in Volume 4 Securing the Blue Coat ProxySG Appliance Topics in this Chapter The following topics are covered in this chapter D Section A Archiving Tasks Quick Reference on page 110 D Section B Overvie
190. settings to a newly manufactured system until you have completed initial setup of the system To create a configuration archive of the source device s settings using the CLI 1 Use an SSH client to establish a CLI session with the already configured ProxySG 2 From the enable prompt enter the following command show configuration post setup This displays the configuration on the current system minus any configurations created through the setup console such as the hostname and IP address It also includes the installable lists 3 Save the configuration You can save the file two ways e Copy the contents of the configuration to the clipboard e Save it as a text file on an FTP server accessible to the ProxySG This is advised if you want to re use the file 4 On the newly manufactured ProxySG retrieve the configuration file by doing one of the following 137 Volume I Getting Started Section G Sharing Configurations e If you saved the configuration to the clipboard go to the config prompt and paste the configuration into the terminal e Ifyou saved the configuration on a remote server At the enable command prompt enter the following command SGOS configure network url See Restoring a Configuration Archive on page 131 for more information about formatting the URL for FTP 138 Chapter 9 Backing Up the Configuration Section H Troubleshooting Section H Troubleshooting When pushing a
191. shared configuration or restoring an archived configuration keep in mind the following issues n If the content filtering database has not yet been downloaded any policy that references categories is not recognized a Unless you restore the SSL configuration passwords key keyring from the source device archives can only be restored onto the same device that was the source of the archive This is because the encrypted passwords in the configuration login enable FTP etc cannot be decrypted by a device other than that on which it was encrypted a Donot take an expanded archive from an operational ProxySG and install it onto another ProxySG Expanded archives contain system specific settings for example hostnames IP addresses and connection forwarding settings that will cause conflicts a To use signed archives your appliance must have an SSL certificate guaranteed by a CA If your appliance has a built in appliance certificate you can use it and the corresponding appliance ccl CCL to sign the archive Devices manufactured before July 2006 do not support appliance certificates If your appliance does not have a built in appliance certificate you must do the following Create a keyring on the appliance A keyring contains a public private key pair It can also contain a certificate signing request or a signed certificate e Create a Certificate Signing Requests CSR and send it to a Certificate Signing Authority CA
192. sing on page 31 D Chapter 3 Accessing the ProxySG on page 43 o Chapter 4 Configuring Basic Settings on page 51 a Chapter5 Configuring Adapters and Virtual LANs on page 57 D Chapter 6 Software and Hardware Bridges on page 75 a Chapter7 Distributing Traffic Through Gateways on page 91 o Chapter8 Configuring DNS on page 97 o Chapter9 Backing Up the Configuration on page 109 n Glossary on page 141 Document Conventions Table 1 1 lists the typographical and Command Line Interface CLI syntax conventions used in this manual Table 1 1 Document Conventions Conventions Definition Italics The first use of a new or Blue Coat proprietary term Courier font Screen output For example command line text file names and Blue Coat Content Policy Language CPL Courier Italics A command line variable that is to be substituted with a literal name or value pertaining to the appropriate facet of your network system Courier Boldface A Blue Coat literal to be entered as shown Arial Boldface Screen elements in the Management Console One of the parameters enclosed within the braces must be supplied d An optional parameter or parameters 25 Volume I Getting Started Table 1 1 Document Conventions Continued Either the parameter before or after the pipe character can or must be selected but not both Notes and Warnings The following is p
193. sswords key Note The aes128 and aes256 encryption options are also supported When prompted enter an encryption key password Encryption key Confirm encryption key This password is used to encrypt the private key before displaying it After confirming the password the ProxySG displays the encrypted private key associated with that keyring Important Do not lose the password used to encrypt the private key If you do you will not be able to recover your private keys For example sgos config ssl view keypair des3 configuration passwords key Encryption password Confirm encryption password M BEGIN RSA PRIVATE KEY Proc Type 4 ENCRYPTED DEK Info DES EDES3 CBC D542F10E3FFF899F aFqxQNOD 3211XdQjCGmT adeQqMiQDAyCOvWd aJ OmDj ITpd7bwijcxWAS89RB8 y65NSia0UmTClY9MMA4j6T fXhBspEu7Wyc nM 005pJldxTmZgPig6TiliOlXtMI ymCLolxjArtvFSx73ji16jUT13JxZHfksNd9DSO6DHLr6hJNERDi 9dGog561z1wBo8 zvs0x4PqB mq05qewmReMs 9tnuLkGgBXguH 2Nw9hIOWKEa9KPFWrznD zEZbEo nMrVOwn3nWuqcfRLFoSUP2QBZ581pU3XAUydabBnOuBOMRA4a3C F W v0p713jJ90 JL6A0 S846A4UgPkuswGMYXolkG3K2J Ev4nMBua6HSZgM87DxvMSiCZlXxlKlBqv F9P 1103mdR3g2LzK1DLTvlcA9pEPbW65gmnpGj WLqghEyNPmtDkplxMtMESxNqM Chapter 9 Backing Up the Configuration Section D Planning for Archive Creation and Restoration 4attb8f XAEcRI 1iUWpj xnycqlmtdcFqq6 bLixYSQ4HGXFLx5qTott
194. t 151 Volume I Getting Started R 152 real time streaming protocol RTSP A standard method of transferring audio and video and other time based media over Internet technology based networks The protocol is used to stream clips to any RTP based client reflect client IP attribute Enables the sending of the client s IP address instead of the SG s IP address to the upstream server If you are using an application delivery network ADN this setting is enforced on the concentrator proxy through the Configuration App Delivery Network Tunneling tab registration An event that binds the appliance to an account that is it creates the Serial Account association remote authentication dial in user service RADIUS A uthenticates user identity via passwords for network access Return to Sender RTS A way of allowing outgoing TCP packets to use the same network interface on which the corresponding incoming TCP packets arrived The destination Media Acess Control MAC address for the outgoing packets is the same as the source MAC address of the incoming packets See also Media Access Control MAC address reverse proxy A proxy that acts as a front end to a small number of predefined servers typically to improve performance Many clients can use it to access the small number of predefined servers routing information protocol RIP Designed to select the fastest route to a destination RIP support is built into
195. t name and when to return an error to the client a Ifthe DNS server response does not contain an A record with an IP address but instead contains authoritative server information a referral the ProxySG follows all referrals until it receives an answer If the ProxySG follows more than eight referrals it assumes there is a recursion loop aborts the request and sends an error to the client Chapter 8 Configuring DNS Enabling Recursive DNS If you have a DNS server that cannot resolve all host names it might return a list of authoritative DNS servers instead of a DNS A record that contains an IP address To avoid this situation configure the ProxySG to recursively query authoritative DNS servers To enable recursive DNS 1 Select Configuration gt Network gt DNS gt Groups 2 Select Enable DNS Recursion 3 Click Apply Related CLI Syntax to Enable Recursive DNS SGOS config dns recursion enable Related CLI Syntax to Disable Recursive DNS SGOS config dns recursion disable About Configuring DNS Server Groups Customers with split DNS server configuration for example environments that maintain private internal DNS servers and external DNS servers might choose to add servers to an Alternate DNS server group as well as to the Primary DNS server group In addition you can create custom DNS server groups In the ProxySG internal DNS servers are placed in the Primary group while external DNS servers with the
196. tall Configuration From Remote URL Verify signed archives with CCL anpliance ccl Optional for signed archives In the Install Configuration panel check the setting of the Enforce installation of signed archives option If this option is selected only signed archives can be restored Optional for signed archives Select a CCL to use to verify the archive from the Verify signed archive with CCL drop down list If you used the appliance key keyring select appliance ccl Note Depending on the CA that was used to sign the certificate used for the archive signature you might have to import a CA certificate and create an appropriate CCL Refer to Volume 4 Securing the Blue Coat ProxySG Appliance for information about completing these tasks Install the configuration using one of the following methods Local File If you saved the file to your system select Local File and click Install Browse to the location of the archive and click Open The configuration is installed and the results screen displays e Text File If you copied the contents of the file select Text Editor and click Install Copy the contents of the text file into the Edit and Install the Configuration dialog and click Install The configuration is installed and the results screen displays e Remote Download If you uploaded the archive to a remote URL select Remote URL and click Install Enter the full path to the archive into the Install Config
197. tation Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose It is provided as is without express or implied warranty SurfControl Copyright c 2003 SurfControl Inc All rights reserved Symantec AntiVirus Scan Engine Copyright c 2003 Symantec Corporation All rights reserved SWIG xviii SWIG is distributed under the following terms I Copyright c 1995 1998 The University of Utah and the Regents of the University of California All Rights Reserved Permission is hereby granted without written agreement and without license or royalty fees to use copy modify and distribute this software and its documentation for any purpose provided that 1 The above copyright notice and the following two paragraphs appear in all copies of the source code and 2 redistributions including binaries reproduces these notices in the supporting documentation Substantial modifications to this software may be copyrighted by their authors and need not follow the licensing terms described here provided that the new terms are clearly indicated in all files where they apply IN NO EVENT SHALL THE AUTHOR THE UNIVERSITY OF CALIFORNIA THE UNIVERSITY OF UTAH OR DISTRIBUTORS OF THIS SOFTWARE BE LIABLE TO ANY PARTY FOR DIRECT INDIRECT SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION EVEN IF THE AUTHORS OR ANY OF THE ABOVE PARTIE
198. tch Router Switch ProxySG ProxySG Auto Auto negotiation Interface Setting Interface Setting Negotiation Result Result No Link Auto Gig Full Duplex No link Gig Full Duplex Auto Auto Gig Full Duplex No Link Gig Full Duplex Auto No link See Also Health Monitoring Volume 9 Chapter 2 About Virtual LAN Configurations This section discusses VLAN deployments and how the ProxySG manages VLAN tagged traffic About VLAN Deployments VLANs are logical network segments that allow hosts to communicate regardless of physical network location The benefit to this is that clients can be separated logically based on organizational unit for example rather than based on physical connectivity to interfaces The ProxySG treats VLAN interfaces identically to traditional physical LAN interfaces VLAN segments are defined on the switch The network administrator specifies which ports belong to which VLANs The following diagram illustrates a port based VLAN configuration Clients on network segments attached to switch ports 1 and 2 belong to VLAN 1 which has the network address 10 0 1 x network segments attached to switch ports 14 and 15 belong to VLAN 2 which has the network address 10 0 2 x 61 Volume I Getting Started 62 Linux VLAN 1 i VLAN 2 IP 10 0 1 x Win XP IP 10 0 2 x Figure 5 3 Multiple VLANs connected to ports on one switch As also illustrated in the diagram clients of different OS types can reside within a VLAN H
199. ter card the Edit Bridge dialog displays a Mode option that allows you to specify the card behavior The following programmable adapter modes are available 2 Disabled Disables the bridge and allows the adapter interfaces to be reused as NICs or as part of another bridge a Fail Open If the ProxySG fails all traffic passes through the bridge so clients can still receive data 7 Fail Closed If the ProxySG fails all traffic is blocked and service is interrupted This mode provides the same functionality as a user configured software bridge Note If you create a software bridge the programmable bridge card mode is implicitly Fail Closed if the appliance fails the software bridge is non functional The following procedure describes programmable adapter configuration To configure the function of the programmable adapter 1 Select Configuration Network Adapters Bridges 2 In the Bridges section select the bridge you want to configure 3 Click Edit The Edit Bridge dialog displays 81 Volume I Getting Started Edit Bridge Bridge Name Failover Group none 4a Mode Disabled SN ung Disabled 4b 1 gt Propagate Failure Fal op n Fail Closed 4c gt Clear Bridge Statistics Interfaces Interface 2 0 4 Configure the bridge options a Select the desired mode from the Mode drop down list If you have a two interface bridge and want to enable link
200. teways During the initial setup of the ProxySG you optionally defined a gateway a device that serves as entrance and exit into a communications network for the ProxySG By using multiple gateways an administrator can assign a number of available gateways into a preference group and configure the load distribution to the gateways within the group Multiple preference groups are supported The gateway specified applies to all network adapters in the system ProxySG Specifics Which gateway the ProxySG uses at a given time is determined by how the administrator configures the assignment of preference groups to default gateways You can define multiple gateways within the same preference group A ProxySG can have from 1 to 10 preference groups If you have only one gateway it automatically has a weight of 100 Initially all gateways in the lowest preference group are considered to be the active gateways If a gateway becomes unreachable it is dropped from the active gateway list but the remaining gateways within the group continue to be used until they all become unreachable or until an unreachable gateway in a lower preference group becomes reachable again If all gateways in the lowest preference group become unreachable the gateways in the next lowest preference group become the active gateways 91 Volume I Getting Started 92 In addition to a preference group each gateway within a group can be assigned a relative weight v
201. that booted successfully becomes the default boot system default proxy listener See proxy service default denial of service DoS A method that hackers use to prevent or deny legitimate users access to a computer such as a Web server DoS attacks typically send many request packets to a targeted Internet server flooding the server s resources and making the system unusable Any system connected to the Internet and equipped with TCP based network services is vulnerable to a DoS attack The ProxySG resists DoS attacks launched by many common DoS tools With a hardened TCP IP stack the ProxySG resists common network attacks including traffic flooding destination objects Used in Visual Policy Manager These are the objects that define the target location of an entry type detect protocol attribute Detects the protocol being used Protocols that can be detected include HTTP P2P eDonkey BitTorrent FastTrack Gnutella SSL and Endpoint Mapper diagnostic reporting Found in the Statistics pane the Diagnostics tab allows you to control whether Daily Heartbeats and or Blue Coat Monitoring are enabled or disabled directives Commands used in installable lists to configure forwarding and SOCKS gateway DNS access A policy layer that determines how the ProxySG processes DNS requests domain name system DNS An Internet service that translates domain names into IP addresses dynamic bypass Provides a maintena
202. the ProxySG and the server encrypted log A log is encrypted using an external certificate associated with a private key Encrypted logs can only be decrypted by someone with access to the private key The private key is not accessible to the ProxySG EULA End user license agreement event logging Allows you to specify the types of system events logged the size of the event log and to configure Syslog monitoring The ProxySG can also notify you by email if an event is logged See also access logging explicit proxy A configuration in which the browser is explicitly configured to communicate with the proxy server for access to content This is the default for the ProxySG and requires configuration for both the browser and the interface card extended log file format ELFF A variant of the common log file format which has two additional fields at the end of the line the referer and the user agent fields fail open closed Failing open or closed applies to forwarding hosts and groups and SOCKS gateways Fail open or closed applies when health checks are showing sick for each forwarding or SOCKS gateway target in the applicable fail over sequence If no systems are healthy the ProxySG fails open or closed depending on the configuration If closed the connection attempt simply fails If open an attempt is made to connect without using any forwarding target or SOCKS gateway Fail open is usually a security risk fail closed
203. the configuration Note You can also view the file by selecting Text Editor in the Install Configuration panel and clicking Install 5 Save the configuration You can save the file two ways e Use the browser Save As function to save the configuration as a text file on your local system This is advised if you want to re use the file e Copy the contents of the configuration You will paste the file into the Text Editor on the newly manufactured system Creating and Saving a Signed Configuration Archive to Local Disk This section describes how to use the Management Console to save a signed archive of the system configuration to the local disk of the device you are using to access the ProxySG Before performing the following procedure consider the planning options described in Planning for Archive Creation and Restoration on page 116 126 Chapter 9 Backing Up the Configuration Section E Creating Configuration Archives To create and save a signed configuration archive to local disk 1 Record the con iguration passwords key keyring of the ProxySG you want to back up as described in Option 1 Recording SSL Keyring and Key Pair Information on page 118 Important If you do not record the SSL data encrypted passwords will not be able to be decrypted when you restore the archive to another device for example a replacement appliance and none of the SSL related configuration that references those keyring
204. the following URL http hdl handle net 1895 22 1013 3 In the event Licensee prepares a derivative work that is based on or incorporates Python 1 6 1 or any part thereof and wants to make the derivative work available to others as provided herein then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python 1 6 1 4 CNRI is making Python 1 6 1 available to Licensee on an AS IS basis CNRI MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED BY WAY OF EXAMPLE BUT NOT LIMITATION CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1 6 1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS 5 CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 1 6 1 FOR ANY INCIDENTAL SPECIAL OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING DISTRIBUTING OR OTHERWISE USING PYTHON 1 6 1 OR ANY DERIVATIVE THEREOF EVEN IF ADVISED OF THE POSSIBILITY THEREOF 6 This License Agreement will automatically terminate upon a material breach of its terms and conditions 7 This License Agreement shall be governed by the federal intellectual property law of the United States including without limitation the federal copyright law and to the extent such U S federal law does not apply by the law of the Commonwealth of Virginia excluding Virginia s conflict of law provisions Notwithstanding the foregoing with regard
205. the software Licensee agrees to be bound by the terms and conditions of this License Agreement CNRI LICENSE AGREEMENT FOR PYTHON 1 6 1 1 This LICENSE AGREEMENT is between the Corporation for National Research Initiatives having an office at 1895 Preston White Drive Reston VA 20191 CNRI and the Individual or Organization Licensee accessing and otherwise using Python 1 6 1 software in source or binary form and its associated documentation 2 Subject to the terms and conditions of this License Agreement CNRI hereby grants Licensee a nonexclusive royalty free world wide license to reproduce analyze test perform and or display publicly prepare derivative works distribute and otherwise use Python 1 6 1 alone or in any derivative version provided however that CNRI s License Agreement and CNRI s notice of copyright i e Copyright c 1995 2001 Corporation for National Research Initiatives All Rights Reserved are retained in Python 1 6 1 alone or in any derivative version prepared by Licensee Alternately in lieu of CNRI s License Agreement Licensee may substitute the following text omitting the quotes Python 1 6 1 is made available subject to the terms and conditions in CNRI s License Agreement This Agreement together with Python 1 6 1 may be located on the Internet using the following unique persistent identifier Known as a handle 1895 22 1013 This Agreement may also be obtained from a proxy server on the Internet using
206. thorized the license is automatically downloaded If anew license is not available on the Web site the ProxySG continues to contact the Web site daily for a new license until the current license expires Outside the above license expiration window the ProxySG performs this connection once every 30 days to check for new license authorizations This feature is enabled by default To configure the license auto update 1 2 3 5 Select Maintenance gt Licensing gt Install Select Use Auto Update Select Apply Note If the automatic license update fails and you receive a Load from Blue Coat error You must log on to your License Management account https services bluecoat com eservice enu licensing mgr cgi Click Update License Key Related CLI Syntax to Manage Licensing SGOS licensing disable trial enable trial SGOS licensing request key force user ID password SGOS licensing update key force SGOS licensing register hardware force user ID password SGOS licensing mark registered 41 Volume 1 Getting Started 42 Chapter 3 Accessing the ProxySG This chapter discusses the various methods to access the ProxySG appliance The SGOS software uses the Secure Shell SSH and HTTPS protocols to securely access the SGOS CLI and Management Console Both SSHv1 and SSHv2 are enabled by default and host keys have already been created on the ProxySG All data transmitted between the client a
207. ttings you want to modify Oo Apply Use this button to apply unsaved configuration changes to the ProxySG ao Revert Use this button to revert any unapplied changes to the ProxySG configuration Changes that previously have been applied to the ProxySG are not affected o Help Use this button to view conceptual and procedural documentation about the tab s topic General Unique name For this ProxySG Appliance Name 172 16 90 44 Blue Coat SG200 Series Serial number Serial number of the ProxySG Appliance Figure 1 2 Configuration gt General Tab with Bottom Buttons Removed 27 Volume I Getting Started Related Documentation The following table describes the volumes in the Blue Coat ProxySG Configuration and 28 Management Guide Suite Document Description Volume 1 Getting Started Volume 1 the introduction to the Blue Coat ProxySG Configuration and Management Guide Suite describes basic set up and configuration Volume 2 Proxies and Proxy Servicess Volume 2 describes the various proxies that are available as well basic and advanced configuration information Volume 3 Web Communication Proxies Volume 3 discusses IM and streaming proxies including real time streaming protocol RTSP and Windows Media over HTTP Volume 4 Securing the Blue Coat ProxySG Appliance Volume 4 discusses security of the SGOS system enterprise nternet Vo
208. tunneled but not handed off can utilize the functionality Note IM is not supported with trust client addressing In order to login and chat the default router must have Internet access Other IM features require direct connections so static routes are required This feature is not user configurable Using Static Routes If you use an explicit proxy or layer 4 redirection deployment or a Blue Coat feature such as forwarding where the destination IP cannot be verified by the ProxySG you can use static routes A static route is a manually configured route that specifies the transmission path a packet must follow based on the packet s destination address A static route specifies a transmission path to another network and a default static route already exists Situations in which static routes are used include a DNS load balancing Sites that use DNS load balancing and return a single IP address cause a mismatch between the IP address provided by the client and the IP address resolved by the ProxySG a Anywhere that appropriate client side routing information is unavailable such as for forwarding hosts dynamic categorization and ADN peers Note For bridged deployments transparent routing in most cases overrides any static route lookups The routing table is a text file containing a list of IP addresses subnet masks and gateways You are limited to 10 000 entries in the static routes table The following is
209. ude other keyrings and certificates 2 From the CLI access the con ig prompt using the serial console or SSH sgos config terminal 3 Enter the following commands sgos config ssl sgos config ssl view keyring A listing of existing keyrings and certificates is displayed For example your keyrings might be different sgos config ssl view keyring Keyring ID appliance key Private key showability no show Signing request present Certificate absent Keyring ID configuration passwords key Private key showability show Signing request absent Certificate absent Keyring ID default Private key showability show Signing request absent 119 Volume I Getting Started Section D Planning for Archive Creation and Restoration 4 5 120 Certificate present Certificate issuer Blue Coat SG200 Series Certificate valid from Dec 04 20 11 04 2007 GMT Certificate valid to Dec 03 20 11 04 2009 GMT Certificate thumbprint 9D B2 36 E5 3D B7 88 21 CB 0A 08 39 2C A1 4B CB Keyring ID passive attack protection only key Private key showability show Signing request absent Certificate present Certificate issuer Blue Coat SG200 Series Certificate valid from Dec 04 20 11 07 2007 GMT Certificate valid to Dec 03 20 11 07 2009 GMT Certificate thumbprint 0B AD 07 A7 CF D9 58 03 89 5B 67 35 43 B9 F2 C9 Enter the following command sgos config ssl view keypair des3 configuration pa
210. uration dialog and click Install The configuration is installed and the results screen displays The username and password used to connect to the server can be embedded into the URL For FTP the format of the URL is Chapter 9 Backing Up the Configuration Section F Restoring a Configuration Archive ftp username password ftp server where ftp server is either the IP address or the DNS resolvable hostname of the FTP server If you do not specify a username and password the ProxySG assumes that an anonymous FTP is desired and thus sends the following as the credentials to connect to the FTP server username anonymous password proxy Note A message is written to the event log when you install a configuration on the ProxySG Using the CLI to Archive and Restore a System Configuration Use the following procedure to archive and restore a system configuration using the CLI Related CLI Syntax for Archiving To configure the archiving signing options At the config prompt enter the following command config archive configuration archive signing enforce signed enable disable signing keyring keyring name verify ccl ccl name To set the SSL device profile At the config prompt enter the following command config archive configuration ssl device profile ssl device profile name To set upload options At the config prompt enter the following commands config archive configuration encrypted pass
211. uthentication policy A policy layer that determines how administrators accessing the ProxySG must authenticate AJAX Acronym for Asynchronous JavaScript and XML the technology used for live updating of Web objects without having to reload the entire page Application Delivery Network ADN A WAN that has been optimized for acceleration and compression by Blue Coat This network can also be secured through the use of appliance certificates An ADN network is composed of an ADN manager and backup ADN manager ADN nodes and a network configuration that matches the environment ADN backup manager Takes over for the ADN manager in the event it becomes unavailable See ADN manager ADN manager Responsible for publishing the routing table to SG Clients and to other ProxySG appliances ADN optimize attribute Controls whether to optimize bandwidth usage when connecting upstream using an ADN tunnel A record The central records of DNS which link a domain or subdomain to an IP address An A record can correspond to a single IP address or many IP addresses asx rewrite Allows you to rewrite URLs and then direct a client s subsequent request to the new URL One of the main applications of ASX file rewrites is to provide explicit proxy like support for Windows Media Player 6 4 which cannot set explicit proxy mode for protocols other than HTTP 141 Volume I Getting Started 142 audit A log that provides a record of who
212. ve of the system configuration Before performing the following procedure consider the planning options described in Planning for Archive Creation and Restoration on page 116 To create an unsigned configuration archive 1 Record the configuration passwords key keyring of the ProxySG you want to back up as described in Option 1 Recording SSL Keyring and Key Pair Information on page 118 125 Volume I Getting Started Section E Creating Configuration Archives Important If you do not record the SSL data encrypted passwords will not be able to be decrypted when you restore the archive to another device for example a replacement appliance and none of the SSL related configuration that references those keyrings can be used 2 Access the Management Console of the ProxySG you want to back up https ProxySG IP 8082 3 Select Configuration General Archive The Archive Configuration tab displays Archive Configuration Archive Storage View Current Configuration em expanded v 4a Install Configuration Install Configuration From Remote URL W Install Verify signed archives with CCL zNonez v C Enforce installation of signed archives 4 Select a configuration type a In the View Current Configuration section select Configuration expanded from the View File drop down list b View the configuration you selected by clicking View A browser window opens and displays
213. version 1999 Oct 05 of the Info ZIP copyright and license The definitive version of this document should be available at ftp ftp cdrom compubinfoziplicense html indefinitely Copyright c 1990 1999 Info ZIP All rights reserved For the purposes of this copyright and license Info ZIP is defined as the following set of individuals Mark Adler John Bush Karl Davis Harald Denker Jean Michel Dubois Jean loup Gailly Hunter Goatley Ian Gorman Chris Herborth Dirk Haase Greg Hartwig Robert Heath Jonathan Hudson Paul Kienitz David Kirschbaum Johnny Lee Onno van der Linden Igor Mandrichenko Steve P Miller Sergio Monesi Keith Owens George Petrov Greg Roelofs Kai Uwe Rommel Steve Salisbury Dave Smith Christian Spieler Antoine Verheijen Paul von Behren Rich Wales Mike White This software is provided as is without warranty of any kind express or implied In no event shall Info ZIP or its contributors be held liable for any direct indirect incidental special or consequential damages arising out of the use of or inability to use this software Permission is granted to anyone to use this software for any purpose including commercial applications and to alter it and redistribute it freely subject to the following restrictions 1 Redistributions of source code must retain the above copyright notice definition disclaimer and this list of conditions xix Volume I Getting Started 2 Redistributions in binary for
214. vices External virus and content scanning with ICAP servers Included Bandwidth Allows you to classify control and if required limit the Management amount of bandwidth used by different classes of network traffic flowing into or out of the ProxySG Included Windows Media MMS and RTSP proxy for Windows Media content Streaming content caching and splitting Full policy control over MMS and RTSP traffic for Windows Media content When the maximum number of concurrent streams is reached all subsequent streams are denied and the client receives a message Included Real Media RTSP proxy for Real Media content content caching and Streaming splitting Full policy control over RTSP traffic for Real Media content When the maximum number of concurrent streams is reached all subsequent streams are denied and the client receives a message Included QuickTime RTSP proxy for QuickTime content no caching or Streaming splitting content pass through Full policy control over RTSP traffic for QuickTime content Included Netegrity Allows realm initialization and user authentication to SiteMinder SiteMinder servers Included Oracle COREid Allows realm initialization and user authentication to COREid servers Chapter 2 Licensing Table 2 1 Licensable Components Continued Type Component Description Included Peer to Peer Allows you to recognize and manage peer to peer P2P activity relating to P2P file sha
215. w of the Archiving and Restoration Process on page 113 D Section C About What is Not Archived on page 115 D Section D Planning for Archive Creation and Restoration on page 116 a Section E Creating Configuration Archives on page 125 D Section F Restoring a Configuration Archive on page 131 a Section G Sharing Configurations on page 137 a Section H Troubleshooting on page 139 109 Volume I Getting Started Section A Archiving Tasks Quick Reference Section A Archiving Tasks Quick Reference The following table lists common host agent management tasks and the location of the Operations Manager user interface page that enables you to complete them Table 9 1 Archiving Task Table If You Want to Go To Understand archiving terminology Terminology on page 110 Understand the archive and restoration process Overview of the Archiving and Restoration Process on page 113 Find out what is not archived About What is Not Archived on page 115 Learn about the archive types Selecting a Configuration Archive Type on page 116 Understand signed archives Using Signed and Unsigned Archives on page 117 Learn how to save encrypted passwords Saving Encrypted Passwords on page 118 Create an unsigned archive Creating and Saving an Unsigned Configuration Archive on page 125 Create a signed archive Creating and Saving a Signed Configuration Archive to
216. ware Center Ltd Permission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE Finjan Software Copyright c 2008 Finjan Software Inc All rights reserved Flowerfire Copyright c 1996 2002 Greg Ferrar Volume I Getting Started The FreeType Project LICENSE 2006 Jan 27 Copyright 1996 2002 2006 by David Turner Robert Wilhelm and Werner Lemberg Introduction The FreeType Project is distributed in several archive packages some of them may contain in addition to the FreeType font engine various t
217. word encrypted password config archive configuration password password config archive configuration username username archive configuration filename prefix filename config archive configuration host hostname config archive configuration path path Note To clear the host password or path type the above commands using empty double quotes instead of the variable For example to clear the path enter archive configuration path config archive configuration port port f config archive configuration protocol ftp tftp http https 133 Volume I Getting Started Section F Restoring a Configuration Archive 134 To archive a system configuration At the enable command prompt enter the following command SGOS upload configuration To restore a system configuration At the enable command prompt enter the following command SGOS configure network url where ur1 must be in quotes and is fully qualified including the protocol server name or IP address path and filename of the configuration file The configuration file is downloaded from the server and the ProxySG settings are updated Note If you rename the archived configuration file so that it does not contain any spaces the quotes surrounding the URL are unnecessary Importing an Existing Key Pair and Certificate Use the following procedure to import the key pair and certificate data if you saved it as
218. xt line They are not shown here as they would appear in the CLI See Step 1 in Option 1 Recording SSL Keyring and Key Pair Information on page 118 to view an example of how the commands should appear ssl switches from config mode to config ssl inline keyring show configuration passwords key end inline git a BEGIN RSA PRIVATE KEY Proc Type 4 ENCRYPTED DEK Info DES EDES3 CBC 2F6148C8A9902D7F 11JjGKxpkcWBXj 424FhyOJPKRdgHUIx12C6HKigth6hUgPqsSJj958FbzEx6ntsB 11 jXj34Ni6U94 9ugYGEqWLCqed77M1 WA4s6U5TCIO9fScVuGaoZOEVhx481I3N LGOplOJXmrOL5vNj el LSeCOHg 7ASyY PaFr9Dk8nRqAhoWMM PQElkvAxuXzE 8hccfZaallH1MiPWfNzxflRXIEzA2NCUirDHO63 XU3eOCis8hXZvwfuCtDWwOAm tGVpxhZVN2KnfzSvaBAVYMh lGsxdEJjjdNhzSu3uRVmSizltPyAbz5tEG4Gzbae Chapter 9 Backing Up the Configuration Section D Planning for Archive Creation and Restoration sJY Fs8Tdmn zRPE5nYQ O0twRGWXzwXOeWt khafNE3i01u6jxbST6 CVn2bxwtq bB dEFUMxreYjA08 Tu8 6R9ypa3atuzrxULixgl LnBcnoSvOU co5HA6JuRohc5v 86ZPk109V4xvApY 30 2mF9skJPsOVOLItYWtrylg9Puw17TES6 kKOEAOWU6FWA dTpGJRguh71FVm1012187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxdlnT X11U2YgwwwHOgzJHBOPIfPhE9wJTedmldhW268kPFonclUY3dZTq0tiOLwtDfsyx ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa rMkjtr 1lpS 8Tz GZ4PimFJMObgcMsZq6 DkOs5SMmLSRCI1gd3c1PSHjcfp H4Vu00PIPL9O8YYPvcV9h 0Io zDb7MPjIT5gYPku86f7 INIimnVj2RO0a0iPYlbKX7ggZEfWDPw END RSA PRIVATE KEY
219. y 1 Check whether the link is active that is a cable is connected and both sides are up Check the ratio of error packets to good packets both sent and received Check if packets have been sent without any packets received Check the event log If an adapter fault is detected the ProxySG logs a severe event In addition the ProxySG logs an entry even when a faulty adapter is restored 73 Volume I Getting Started 74 Chapter 6 Software and Hardware Bridges This chapter describes the SGOS hardware and software bridging capabilities Network bridging through the ProxySG provides transparent proxy pass through and failover support Topics in this Chapter The following topics are covered in this chapter o About Bridging on page 75 a About the Pass Through Adapter on page 77 o Configuring a Software Bridge on page 78 o Configuring Programmable Pass Through NIC Adapters on page 80 a Customizing the Interface Settings on page 83 n Setting Bandwidth Management for Bridging on page 83 a Configuring Failover on page 84 About Bridging Bridging functionality allows each ProxySG to be easily deployed as a transparent redirection device without requiring the additional expense and maintenance of L4 switches or WCCP capable routers Bridging is especially useful in smaller deployments in which explicit proxies or L4 switches are not feasible options Bridges are used to segment Ethernet collision domains
Download Pdf Manuals
Related Search