Blue Coat Certified ProxySG Administrator (BCCPA) Course v3.5.1
Course Textbook: Accelerate and Secure Your Business Applications
BlueTouch Training Services, Blue Coat Systems, Inc.
July 2011

©1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. Specifications are subject to change without notice. No part of this document may be reproduced or translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.

Contact: Blue Coat Systems, Inc., 410 North Mary Avenue, Sunnyvale, California 94085 (USA); www.bluecoat.com.
Table of Contents

Course Introduction
Chapter 1: Blue Coat Product Family
Chapters 2 through 16 and Appendices A through C (titles and page numbers were not recoverable from the extraction; the entries cover topics including ProxySG initial setup, the Management Console, Hypertext Transfer Protocol fundamentals, using WebPulse, authentication services and LDAP, conditional policy, WAN optimization, logging, notifications, licensing, IPv6 support, and deployment planning)
Course Introduction

The text of this section was not recoverable from the extraction. Recoverable points: this course is intended for students who wish to become a Blue Coat Certified ProxySG Administrator and pass the BCCPA exam, and it covers the basic concepts, features, and administration of the ProxySG through its graphical Management Console and command-line interface. Students should already be familiar with basic networking concepts such as IP addressing, local-area networks (LANs), wide-area networks (WANs), and common authentication methods.

Typographic Conventions
Menu items, buttons, and screen labels appear in bold text; commands, prompts, and user input appear in a monospace font; italic text marks placeholders that you replace with actual values. For example, the Management Console URL is written as https://proxyIPaddr:8082, where proxyIPaddr represents the IP address of your ProxySG.

Applicable Software Versions
This version of the course is based on SGOS 6.2; screens and commands in earlier versions might differ from those described here.
Chapter 1: Blue Coat Product Family

The chapter introduction was not recoverable from the extraction. Recoverable objectives: after completing this chapter, you will understand the business trends driving today's IT infrastructure (such as globalization, data center consolidation, mobilization, collaboration, and the growth of voice, video, and recreational traffic), the Application Delivery Network (ADN) concept that Blue Coat's product family implements, and the members of the Blue Coat product family and how they work together to accelerate and secure applications.
Slide 1-1: Application Delivery Network

Implementing the Application Delivery Network answers the demand for greater application mobility and security in a changing global business environment. By combining three core capabilities — application performance monitoring (visibility), WAN optimization (acceleration), and Secure Web Gateway technologies (security) — the ADN helps you:
• See applications and users and how they behave on the network.
• Troubleshoot performance issues.
• Accelerate mission-critical applications, streaming video, SSL, and other enterprise applications.
• Secure against malware, data leaks, and performance degradation.
• Enable a highly efficient and productive end-to-end user experience anytime, anywhere.

Visibility
Blue Coat’s ADN solutions provide the ability to identify and classify applications and users across the network. You can discover all application traffic, monitor the user experience, troubleshoot performance issues, and resolve problems before they impact the user experience. You can:
• Automatically discover more than 600 applications.
• Identify peer-to-peer (P2P), recreational, and streaming applications over any port.
• Subclassify complex applications such as SAP, Oracle, Citrix, Web, CIFS, MAPI, and DCOM.
• Discover URLs and external sites within HTTP.
• Identify problem hosts, servers, and applications.
Slide 1-2: Blue Coat Product Family

The slide text and product descriptions on this page were not recoverable from the extraction. Recoverable points: the Blue Coat product family is built on the ADN to accelerate and secure applications wherever users are located, whether at headquarters, in branch offices, or mobile. Acceleration capabilities include object caching, byte caching, compression, protocol optimization (for example CIFS/NFS, MAPI, HTTP, FTP, TCP, and SSL), and advanced bandwidth management with quality-of-service control. Security capabilities include granular policy control, URL filtering, anti-virus and malware scanning, data loss prevention, and logging, SNMP statistics, and reporting. Products introduced on this page:
• ProxySG: the hardware-based, object-based proxy appliance built on SGOS that delivers WAN optimization and Secure Web Gateway services.
• ProxyAV: the anti-virus and malware scanning appliance that works with the ProxySG.
• CacheFlow: the caching appliance for service providers, reducing bandwidth consumption and backhaul traffic.
• PacketShaper: the appliance for application traffic visibility, classification, and quality-of-service control.
The product descriptions on these pages were not recoverable from the extraction. Products named, with the points that survive:
• WebFilter: the on-proxy URL filtering database, with Web content classified into categories and support for more than 50 languages.
• WebPulse: Blue Coat’s collaborative cloud defense, a community of more than 75 million users whose requests are rated in real time by multiple threat engines, machine analysis, Web hunters, and human raters.
• Blue Coat Cloud Service (Web Security Module): Internet-delivered Web security with no appliances to deploy or maintain.
• Data Loss Prevention (DLP): the appliance that detects and blocks sensitive data leaving the network.
• ProxyClient: software-based client that extends acceleration and Web filtering to remote and mobile desktops.
• Director: centralized configuration, policy, and software distribution for multiple ProxySG appliances.
• Reporter: Web-based reporting on ProxySG access logs, with detailed and summary views.
• IntelligenceCenter and PolicyCenter: network-wide application performance visibility and centralized policy and configuration management for multi-unit deployments.
• K9 Web Protection: free Web filtering software for home computers that uses the same WebFilter categorization technology; available at http://www.getk9.com.
Slide 1-3: ProxySG

The text of this page was not recoverable from the extraction. Recoverable points: the ProxySG is Blue Coat’s proxy appliance for the Secure Web Gateway and WAN optimization, typically deployed at the Internet gateway, in data centers, and at branch and remote offices. It proxies and applies policy to a wide range of protocols, including HTTP, HTTPS, FTP, DNS, SOCKS, Telnet, streaming media (Real Media, Windows Media, QuickTime), and instant messaging (AIM, Yahoo!, Windows Live Messenger), and can inspect SSL-encrypted traffic. Administrators create policy through the Visual Policy Manager graphical interface, the command line, or policy files, and the ProxySG policy processing engine evaluates it at checkpoints in each transaction. The benefits shown on the slide fall under Security (guard against malware, spyware, phishing, and inappropriate Web use, reducing legal liability), Performance (accelerate business-critical applications over the WAN and minimize backhauling by sending Internet traffic directly to the gateway), and Control (granular, identity-based policy and visibility of all Web traffic).
ProxySG Form Factors and FIPS Mode

The text of this page was not recoverable from the extraction. Recoverable points: the ProxySG is available in two forms:
• Physical appliance: rack-mountable hardware running SGOS, available in a wide range of sizes for branch offices, Internet gateways, and data centers.
• Virtual appliance (ProxySG VA): an SGOS image installed on a supported virtualization system, sized for branch offices and WAN optimization.
The ProxySG also supports operating in FIPS mode, in accordance with Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, on appliances that have been properly installed. FIPS mode affects numerous subsystems; its details are beyond the scope of this course.
Slide 1-4: WebFilter and WebPulse
WebFilter is a powerful, on-proxy Web filtering solution that helps organizations protect their networks from inappropriate Web content and such threats as spyware and phishing attacks.

There are two main approaches to content filtering. One tries to categorize websites by looking for key words in the HTML pages that users request. This approach has two severe limitations: lack of scalability and lack of accuracy. The other approach relies on teams of researchers who categorize content and regularly update databases of sites organized by category. The major limitations of this approach are the lack of flexibility and the inability to adapt to specific content.

WebFilter uses a hybrid approach: it provides a static list with its on-box database, and administrators can write policy to allow or deny access to resources based on the information in that database. In addition, WebFilter offers optional remote dynamic categorization, which sends a request to a server if the resource is not in the local WebFilter database.

Quality of filtering results is a key advantage of WebFilter. It supports more than 50 languages — including Chinese, Japanese, and Arabic — and provides more than 60 categories to allow a high degree of control in writing policy. The application is consistent in its categorization of resources and gives top priority to categorizing the resources that are requested most frequently.

WebFilter is part of WebPulse, the Blue Coat cloud computing service. WebPulse analyzes more than a billion requests per week, completely driven by user-requested websites. The WebPulse cloud service unites Blue Coat Web gateways and remote users into a computing grid to detect malware, rate new Web content, and analyze site reputations. As a cloud service, it uses multiple threat engines, machine analysis, Web hunters, and human raters to ensure quality ratings. These defenses together would not be practical or affordable for a single enterprise; however, when provided as a cloud service, they are cost-effective for an organization of any size. All WebPulse ratings feed into the WebFilter database.
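The hybrid flow described above, as an added model written for this edit (it is not Blue Coat code and does not reproduce WebFilter's real database format or policy language): the local on-box database is consulted first, a miss goes to a stubbed dynamic-categorization service whose rating is fed back into the local database, and allow/deny policy is then evaluated by category. The longest-suffix hostname match, sites carrying several categories, and deny-wins ordering are assumptions of the example.

```python
"""Added example: a small model of hybrid content filtering
(local database first, remote dynamic categorization on a miss,
ratings fed back locally, then category-based allow/deny policy).
Not Blue Coat code; database and rating service are constructed stubs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of the local, on-box database: hostname -> categories.
LOCAL_DB: Dict[str, FrozenSet[str]] = {
    "example-bank.test": frozenset({"Financial Services"}),
    "video.example.test": frozenset({"Streaming Media"}),
    "example.test": frozenset({"Business"}),
    "bad-downloads.test": frozenset({"Malware Sources", "Software Downloads"}),
}

UNCATEGORIZED = frozenset({"None"})


def lookup_local(db: Dict[str, FrozenSet[str]], host: str) -> Optional[FrozenSet[str]]:
    """Longest-suffix match on hostname labels (assumed behaviour):
    'www.example.test' matches 'example.test' if no more specific entry exists."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in db:
            return db[candidate]
    return None


def dynamic_rate_stub(host: str) -> FrozenSet[str]:
    """Stand-in for the remote dynamic categorization service (constructed).
    A real cloud rating would come from threat engines, machine analysis and
    human raters; here a tiny constructed table plays that role."""
    ratings = {
        "phish-login.test": frozenset({"Phishing", "Suspicious"}),
        "new-blog.test": frozenset({"Blogs/Personal Pages"}),
    }
    return ratings.get(host.lower(), UNCATEGORIZED)


@dataclass
class Policy:
    deny: FrozenSet[str]                      # any match here denies (deny wins)
    allow: FrozenSet[str] = frozenset()       # categories explicitly allowed
    default_allow: bool = True                # what happens for everything else


@dataclass
class HybridFilter:
    db: Dict[str, FrozenSet[str]]
    policy: Policy
    dynamic: Callable[[str], FrozenSet[str]] = dynamic_rate_stub
    dynamic_calls: int = 0                    # how often the remote path ran

    def categorize(self, url: str) -> Tuple[FrozenSet[str], str]:
        """Return (categories, source) where source is 'local' or 'dynamic'."""
        host = urlsplit(url).hostname or ""
        cats = lookup_local(self.db, host)
        if cats is not None:
            return cats, "local"
        self.dynamic_calls += 1
        cats = self.dynamic(host)
        self.db[host] = cats                  # rating feeds back into the local DB
        return cats, "dynamic"

    def decide(self, url: str) -> Tuple[str, FrozenSet[str], str]:
        """Apply policy: deny on any denied category, else allow per policy."""
        cats, source = self.categorize(url)
        if cats & self.policy.deny:
            return "DENY", cats, source
        if cats & self.policy.allow or self.policy.default_allow:
            return "ALLOW", cats, source
        return "DENY", cats, source


if __name__ == "__main__":
    f = HybridFilter(dict(LOCAL_DB),
                     Policy(deny=frozenset({"Phishing", "Malware Sources", "Streaming Media"})))
    for u in ("https://www.example-bank.test/login", "https://video.example.test/clip",
              "http://phish-login.test/", "http://phish-login.test/", "http://unknown.test/"):
        verdict, cats, source = f.decide(u)
        print(f"{verdict:5} {source:7} {sorted(cats)}  {u}")
```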
Slide 1-5: Blue Coat Cloud Service (Web Security Module)
The Web Security Module of the Blue Coat Cloud Service provides market-leading Web protection to organizations of all sizes without updating appliances, servers, or user desktops. The Web Security Module is an Internet-delivered service that leverages Blue Coat’s proven technology and collaborative, cloud-based community of more than 75 million users to ensure real-time protection against known and unknown Web-borne threats. With extensive Web application controls and detailed reporting features, the Web Security Module enables administrators to create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roaming users.

The Cloud Service is built to ensure flexibility and instant interoperability with existing network infrastructures. A simple configuration change to a firewall, router, or proxy solution allows administrators to instantly protect and enforce Internet use policies for all users connected behind the device. An optional lightweight desktop agent ensures that roaming users are protected regardless of their location.

Features include:
• Market-leading Web threat protection and control:
— Sophisticated Web intelligence and inline malware scanning.
— Identify and categorize new Web content in real time with greater than 99% accuracy.
— Manage Web 2.0 applications with granular controls.
• Reduced cost and complexity:
— No up-front costs — pay as you go.
— Integrates seamlessly with existing network infrastructure.
— Less downtime, higher user productivity.
— Service architecture provides infinite scalability.
• Easy to configure and manage:
— Quickly enforce policies for network access and use.
— Instantly report on Web threats and user activity.
— Support cloud-only or hybrid deployment models.
— Transparent integration with Microsoft Active Directory.
• Built on the robust, scalable WebPulse infrastructure:
— Deployed globally on a purpose-built, multitenant architecture.
— More than 75 million users regularly access the service.
— In production for more than six years.
— Backed by a guaranteed 99.999% uptime service level agreement.
Slide 1-6: PacketShaper
• Classification
— Application-intelligent traffic classification
• Monitoring
— Discovers applications on the network
• Shaping
— Ensures QoS for mission-critical applications
PacketShaper maximizes application throughput across your existing network infrastructure. Get more done in less time with fewer performance-related complaints and a higher quality of service (QoS) for all networked users. Consolidating servers from remote sites to centralized data centers makes sense, yet the additional traffic loads require accurate classification, monitoring, and shaping before any benefits can be realized. PacketShaper identifies and controls common traffic, including CIFS, VoIP, CRM, Web, and P2P.

IP telephony (IPT) and voice/video over IP implementation varies between an enterprise and its employees, impacting each network differently. Successful deployment hinges on guaranteed bandwidth and QoS, as well as fitting more calls into a limited WAN resource. PacketShaper effectively manages critical IPT protocols, delivering WAN capacity and true QoS functionality to ensure the highest quality end-to-end communication for each call.

Multi-Protocol Label Switching (MPLS) and IP VPNs are useful for connecting distributed locations, but their benefits cannot be realized if applications are oversubscribed, traffic stalls in bottlenecks, and critical applications are improperly assigned to best-effort classes. PacketShaper makes good on the MPLS promise, assessing performance and identifying and marking application traffic with special handling needs so traffic can move smoothly to the enterprise edge.

Internal threats from worm infections, unsanctioned recreational traffic, and rogue servers can severely impact network capacity and bring down critical applications. PacketShaper helps identify infected PCs and unsanctioned traffic as well as protect performance of key applications and the network during an attack — all while delivering hard return on investment from bandwidth savings, increased WAN capacity, and accelerated application performance.
Slide 1-7: PacketShaper
(Diagram: a branch office router without shaping, where recreational and bandwidth-hungry applications compete with business applications for the link, compared with the same link with a PacketShaper applying shaping.)
PacketShaper is a complete performance solution, incorporating monitoring features plus control features to correct and prevent problems. PacketShaper protects critical applications, limits the impact of recreational and unsanctioned traffic, paces bursty business applications, and provisions bandwidth on a per-application, per-user, or per-session basis to maximize throughput and control application performance. It also provides TCP rate control, suppresses denial-of-service attacks, and can mark packets for uniform treatment throughout a heterogeneous network.

The most common topological locations for PacketShaper are:
• Core site’s WAN link: Connects a core site to branches across a corporate WAN.
• Core site’s Internet link: Connects a core site to branches across a VPN and/or is simply a link to the Internet.
• Distributed branch sites’ WAN/Internet links: Connect branches to elsewhere.

PacketShaper goes beyond providing visibility into application and network behavior. Acceleration enhances application performance by creating greater throughput, faster performance, and increased network capacity. PacketShaper’s acceleration employs compression to transfer data more quickly and enable more traffic to flow through constrained WAN links. When bandwidth is freed, it becomes available to enhance the performance of applications that are most critical to business. With PacketShaper’s compression capabilities, you can:
• Experience compression gains of up to 10 times without loss of quality or data.
• Increase capacity and direct bandwidth gains to critical applications.
• Ease congestion on a saturated WAN link.
• Postpone or avoid bandwidth upgrades.
• Eliminate the burden of having to define and maintain compression tunnels.
• Customize compression techniques for individual applications.
• Streamline repeated data, shrink transfer size, and/or reduce the number of packets.
Slide 1-8: CacheFlow
(Diagram: subscriber requests served through the CacheFlow appliance.)
Through a scalable architecture of CacheFlow appliances, service providers can accelerate the delivery of rich Web 2.0 content, large files, and video. This significantly reduces infrastructure costs by controlling bandwidth consumption while improving customer satisfaction.

By caching content in-region and closer to the user, CacheFlow drastically reduces bandwidth consumption. This translates into a rapid return on investment and significant long-term cost savings for service providers on international bandwidth, as well as reducing backhaul traffic on domestic links.

CacheFlow leverages CachePulse for automatic, network-based updates as the Web changes to ensure the appliance effectively caches content and consistently delivers high bandwidth savings. Customers can also provide direct feedback into the CachePulse community and share new or emerging sites in their region that could benefit from caching. Also, CacheFlow supports Blue Coat WebFilter and the WebPulse collaborative cloud defense to filter and secure Web traffic.
Slide 1-9: ProxyAV
• Powerful defense against
— Viruses and worms
— Spyware and Trojans
• Supports secure ICAP
• Protects often-overlooked “back doors”
— Personal Web email accounts
— Trojans or spyware
— Browser-based file downloads
The use of Web-based email and other Web-enabled applications can bring viruses and other malware into the enterprise network, damaging systems and harming productivity. However, traditional Web anti-virus gateways frequently lack the scalability and performance needed for HTTP and FTP scanning, leaving an organization’s desktops vulnerable.

The ProxyAV works with the ProxySG to provide the gateway anti-virus protection required by Web-dependent enterprises. It enables organizations to scan for viruses, worms, spyware, and Trojans entering through Web-based back doors, including:
• Personal Web email accounts, where most viruses and worms propagate.
• Web spam or email spam, which can activate Trojan downloads or hidden spyware.
• Browser-based file downloads that bypass existing virus-scanning defenses.

The ProxyAV supports a range of virus scanning applications, including Kaspersky, Sophos, McAfee, Panda, and Trend Micro. Blue Coat offers several ProxyAV models, each designed to work in a different environment, from branch offices to high-volume Web gateways, service providers, and enterprise needs.
Slide 1-10: ProxyAV deployment
(Diagram: content requests reach the ProxySG, which forwards objects to the ProxyAV over ICAP; a clean file is returned to the client, and the object is blocked if infected.)
The ProxyAV and the ProxySG work together to provide scalability for virus scanning along with visibility and control of enterprise Web communications. The ProxySG and the ProxyAV communicate using an enhanced and optimized version of the Internet Content Adaptation Protocol (ICAP). This enables superior performance, reliability, and error/exception handling compared with software-based ICAP servers. The ProxySG provides flexible and granular control of Web traffic and access; you can use Content Policy Language or the ProxySG Management Console to create virus-scanning policy.

The ProxyAV provides high-performance anti-virus scanning of both cached and non-cached content at wire speed. The ProxyAV scans only Web objects forwarded from the ProxySG. The ProxyAV eliminates redundant scanning of frequently downloaded objects with intelligent cache integration: if an object has already been scanned and cached, it is delivered without being scanned again; if the object is not in the cache, it is scanned, then cached and delivered. Virus updates to the ProxyAV are automated with definable schedules, and cached content is automatically cleared with each update.
18 Chapter 1: Blue Coat Product Family
Blue Coat DLP
[Slide diagram: Web, Email, Database, CMS and Network DLP channels]
Slide 1—11: Blue Coat DLP
The Blue Coat Data Loss Prevention (DLP) appliance leverages powerful discovery capabilities to identify sensitive and unsecured information on your network before it gets into the wrong hands. You can quickly and easily deploy and maintain enterprise-class data loss prevention as a separate product or as part of an ADN. Features of the Blue Coat DLP include:
• Network, Web, and email DLP: Effectively secure sensitive data that might inappropriately travel across the network through email, webmail, social networking, and other Web 2.0 communication channels. Blue Coat DLP allows you to easily create policies that analyze the data source, content, destination, and more.
• Inspection: To help reduce data manipulation resulting from intentional or accidental tampering, Blue Coat DLP is file-format and language independent, double-byte capable, and can inspect more than 600 document types, as well as archived and compressed files.
• Discovery: Blue Coat DLP allows you to identify, catalog, and secure data on servers and in databases across the network — all without installing or testing a local software agent. Comprehensive discovery features let you “fingerprint” data, such as patient records, that resides in your databases. By fingerprinting your critical data, you can easily trace content that might be distributed in an unauthorized format, such as an email attachment or pasted into a slide presentation.
• SSL compliance: When deployed in conjunction with the ProxySG, Blue Coat DLP allows organizations to monitor and control SSL traffic through the gateway to mitigate the potential loss of sensitive information through secure Web transfers such as webmail, a common tool of employee information theft.
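The fingerprinting idea in the Discovery bullet, as an added example that is not Blue Coat code: each registered record is reduced to hashed word k-grams, and a message is flagged when it reproduces enough of a record's k-grams, which survives the reformatting a paste into an email causes. The patient record and the e-mails are constructed, and extraction of text from document formats is assumed to happen upstream.

```python
"""Added example (not Blue Coat code): text fingerprinting for DLP. Each
registered record is reduced to hashed word k-grams (shingles); a message is
flagged when it reproduces enough of a record's shingles, even after
reformatting. The record and e-mails below are constructed."""
import hashlib
import re
from typing import Dict, Set


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so layout changes do not matter."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def shingles(text: str, k: int = 5) -> Set[str]:
    """Hash every run of k consecutive words. Only hashes are stored, so the
    fingerprint store does not itself hold the sensitive plaintext."""
    words = normalize(text).split(" ")
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


class FingerprintStore:
    def __init__(self, k: int = 5) -> None:
        self.k = k
        self.index: Dict[str, Set[str]] = {}   # shingle hash -> record ids
        self.sizes: Dict[str, int] = {}        # record id -> shingle count

    def register(self, record_id: str, text: str) -> None:
        sh = shingles(text, self.k)
        self.sizes[record_id] = len(sh)
        for h in sh:
            self.index.setdefault(h, set()).add(record_id)

    def match(self, text: str, threshold: float = 0.5) -> Dict[str, float]:
        """Return {record_id: fraction of its shingles present in text} for
        every record whose fraction reaches the threshold."""
        hits: Dict[str, int] = {}
        for h in shingles(text, self.k):
            for rid in self.index.get(h, ()):
                hits[rid] = hits.get(rid, 0) + 1
        scores = {rid: n / self.sizes[rid] for rid, n in hits.items()}
        return {rid: s for rid, s in scores.items() if s >= threshold}


# Constructed sample data
PATIENT_RECORD = ("Patient: Jane Example, MRN 000-12345, DOB 1970-01-01. "
                  "Diagnosis: hypertension. Prescribed lisinopril 10 mg daily. "
                  "Follow-up in 6 weeks.")
LEAKED_EMAIL = ("Hi Bob,\n\nForwarding this for the referral:\n\n"
                "PATIENT: Jane Example, MRN 000-12345,\nDOB 1970-01-01. "
                "Diagnosis: hypertension.\nPrescribed lisinopril 10 mg daily.\n"
                "Follow-up in 6 weeks.\n\nThanks")
PARTIAL_PASTE = "Jane Example, MRN 000-12345, DOB 1970-01-01. Diagnosis: hypertension."
UNRELATED_EMAIL = "Lunch at noon tomorrow? The quarterly numbers look fine to me."


def build_store() -> FingerprintStore:
    store = FingerprintStore(k=5)
    store.register("rec-1", PATIENT_RECORD)
    return store
```

A lower threshold catches a partial paste (`PARTIAL_PASTE` reproduces 4 of the record's 14 shingles) at the cost of more false positives, which is the tuning a DLP policy has to make.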
Director
Slide 1—12: Director
Although the ProxySG graphical interface makes the appliance easy to manage, installing configurations or updating policies on multiple appliances can be time-consuming, especially in a distributed environment. Director centralizes those procedures, saving time and enabling organizations to standardize configuration and policy. Management tasks — including backups and updates of configurations, policies, and software licenses — can be performed immediately or scheduled for one occasion or on a recurring basis. Director — consisting of a ProxySG 510 chassis and a proprietary operating system — can configure, manage, and monitor all of the ProxySG appliances in an organization. It can manage up to 500 ProxySG appliances from any Windows computer with a Web browser. Director makes it simple to configure and manage the multiple ProxySG appliances that ADN acceleration requires. Using Director, administrators can perform a wide range of specific tasks for multiple ProxySG appliances:
• Configuration and policy management: Create and install standard configurations and policies, customize appliance settings, back up and restore settings, distribute software licenses, and schedule configuration and policy changes.
• Resource and content management: Manage bandwidth to conserve resources; distribute content, including frequently used files, to ProxySG caches; limit access to Internet and intranet resources.
• Monitoring and planning: Monitor key hardware and software metrics of ProxySG appliances remotely, create settings to issue alerts when certain changes occur, and use statistics to evaluate and update network policies.
Reporter
[Slide diagram: ProxySG appliances feeding access logs to Reporter, which a user queries]
Slide 1—13: Reporter
The ProxySG records data about every transaction that passes through it, creating comprehensive access logs. An organization can use the data in access logs to analyze network activity; however, extracting information from enormous log files can be a tedious and time-consuming task. Reporter provides a solution. The application makes it easy to analyze log files from one or more ProxySG appliances, enabling organizations to manage network resources more effectively. Administrators use Reporter to create reports through a Web interface or a command line. They can use one of more than 150 pre-defined reports or create their own custom reports to identify violators of Web access policies, track user activity that could bring viruses and other hazardous content into the network, and preserve network resources by identifying abuse patterns. Reports can be executed immediately or scheduled to run, either once or on a recurring basis. Reports can also be exported in HTML format in email or as Excel-compatible files.
IntelligenceCenter
[Slide diagram and accompanying text on IntelligenceCenter (PacketShaper flow data, NetFlow, Flow Detail Records, PolicyCenter integration) not recoverable from scan]
Slide 1—14: IntelligenceCenter
PolicyCenter
[Slide diagram: PolicyCenter at headquarters distributing policies to a remote office]
Slide 1—15: PolicyCenter
PolicyCenter is a software management system that maintains multiple PacketShaper configurations on a single Windows 2000 or Windows 2003 server. Because the configurations of all the units on the network are stored in a single place, they can be managed very efficiently. Multiple PacketShapers can be assigned to a single PolicyCenter configuration, allowing those units to operate with nearly identical configurations. When you change a configuration, either through PolicyCenter or through the browser or command line interface of an individual unit, the change immediately affects all units assigned to that configuration. It is this capability of PolicyCenter that truly provides the economy of scale: One single change to a PolicyCenter configuration can result in an instant configuration update on up to 1,500 different PacketShapers. PolicyCenter also allows you to:
• Deploy policies and partitions across multiple PacketShapers.
• Distribute PacketWise software upgrades, plug-ins, customer portal files, and adaptive response action files.
• View a status summary of all managed PacketShapers.
• Monitor and manage the status of your unit and network with the adaptive response feature.
ProxyClient
[Slide diagram: branch ProxyClients and roaming ProxyClients]
Slide 1—16: ProxyClient
As part of an Application Delivery Network, Blue Coat ProxyClient accelerates secure network applications to remote users and branch offices. ProxyClient combines the acceleration features of Blue Coat’s acceleration technology with the network security provided by WebPulse. As a result, ProxyClient can accelerate remote applications by up to 35 times and protect users wherever they are, even on public networks. Features and benefits of ProxyClient include:
• Protecting remote users from malware and threats: ProxyClient leverages WebPulse, adding a second layer of protection in addition to anti-virus software on the laptop.
• Ensuring productivity on the road: ProxyClient minimizes lost user productivity from slow networks, malware, and frivolous Web surfing with remote Web control and application acceleration.
• Accelerating remote performance: ProxyClient accelerates access and reduces bandwidth of critical files, email, and business applications for all remote users. This enables users to work from anywhere with an Internet connection, allowing them to be close to customers, partners, or home.
• Load balancing and failover: A disaster or appliance outage does not leave users unproductive or unsafe. If ProxyClient can reach the enterprise network, it will fail over and load balance automatically. If ProxyClient can reach the Internet, it can reach WebPulse for control and security.
• Location awareness: Administrators can enable or disable ProxyClient acceleration and Web filtering based on the locations from which the client connects, improving efficiency and making intelligent use of the ProxySG appliances in the network.
• VPN transparency: ProxyClient can be deployed to VPN users without any changes to VPN configuration.
[Remaining text on ProxyClient (page 25, covering deployment on the corporate desktop and ProxySG appliances for branch offices and mobile workers) not recoverable from scan]
K9 Web Protection
• Uses WebPulse technology
• Free download at www.getk9.com
[Screenshot: K9 Web Protection Administration console]
Slide 1—17: K9 Web Protection
K9 Web Protection is a content filtering solution for your home computer. Its job is to provide you with a family-safe Internet experience, where you control the Internet content that enters your home. K9 Web Protection implements the same enterprise-class Web filtering technology used by Blue Coat’s Fortune 500 customers around the world, wrapped in simple, friendly, and reliable software for Windows, Mac OS, iPhone, iPad, and iPod. If a user tries to go to a website that the Web filtering database has not seen before, it scans the content of the site for inappropriate material, and then either permits or prohibits the site using dynamic categorization. This provides real-time analysis and content categorization of requested Web pages to solve the problem of new and previously unknown uncategorized URLs — those not in the database. When a user requests a URL that has not already been categorized by the database (for example, a new website), the dynamic categorization service analyzes elements of the requested content and assigns a category or categories. The dynamic service is consulted only when the installed database does not contain category information for an object. If the category returned by this service is blocked by policy, the offending material never enters the network in any form. Dynamic analysis of content is performed on a remote network service. You can download this free application from http://www.getk9.com. K9 Web Protection is different from other solutions for the home in several important respects:
• Service-based filtering: Blue Coat’s filtering database operates as a service. It receives and rates more than 80 million requests every day, making it the most accurate content filtering database available. This accuracy is important in protecting your family, given the Internet’s rapid changes and growth. Plus, there is no database to download. K9 Web Protection will not clog your Internet connection, get stale or out of date, or slow down your computer like other products do.
[Remaining K9 Web Protection bullets (Efficient caching, Automatic updating, WebPulse) not recoverable from scan]
Chapter 2: ProxySG Fundamentals
[Chapter introduction (what a proxy is, RFC 1945 and HTTP, firewalls versus proxies, ProxySG features) not recoverable from scan]
Slide 2—1: Overview
[Slide and accompanying text on the ProxySG overview (secure Web proxy, content filtering, WAN optimization, reporting) not recoverable from scan]
Slide 2—2: Firewall limitations
[Slide diagram and accompanying text on firewall limitations (Layer 7 content such as malicious JavaScript arriving in a valid HTTP response) not recoverable from scan]
Firewalls and Proxies
Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport
Layer 3 - Network
Layer 2 - Data Link
Layer 1 - Physical
[Slide diagram: the firewall is shown against the lower layers (data link through transport); the ProxySG spans the full stack up to the application layer]
Slide 2—3: Proxy layers of operation
All firewalls allow you to control the data link layer through the transport layer. All proxies allow you to control the application layer for HTTP, FTP, and a few other protocols. Some firewalls might also offer protocol inspection features, operating at the application layer. Controlling Layer 7 is computationally very expensive for a firewall (the technology was not designed around protocol inspection); furthermore, even the firewalls that offer this feature do not have the granularity of control offered by a proxy. The ProxySG, unlike other proxies, controls the entire protocol stack and can operate all the way from the data link layer to the application layer. In particular, the ProxySG can act as:
• A Layer 2 switch, either by bridging multiple interfaces via software or using an optional pass-through bridge card.
• A router, by participating in the Routing Information Protocol or by acting as an IP forwarder to the default gateway on the network.
• An application accelerator, by optimizing TCP communication and protocol efficiency (HTTP, FTP, CIFS, MAPI, and so on).
• An advanced caching engine for protocols such as HTTP, FTP, CIFS, and MMS.
You can create policy based on IP addresses, TCP parameters, and advanced protocol features; for instance, you can easily control which HTTP methods are allowed and which are not.
Slide 2—4: [title not recoverable]
[Slide diagram (client, proxy and origin content server with their IP and MAC addresses) and accompanying text on the definition of a proxy (Merriam-Webster’s Online Dictionary; RFC 1945) not recoverable from scan]
Slide 2—5: [title not recoverable]
[Slide diagram (optimized versus un-optimized WAN link) and accompanying text on ProxySG WAN acceleration not recoverable from scan]
34 Chapter 2: ProxySG Fundamentals
Proxy Features
[Slide diagram: client, ProxySG and server, with authentication and four numbered control points]
Slide 2—6: Proxy features
The ProxySG provides the capability to filter application-level traffic embedded in Web communications, monitor Internet and intranet resource usage, and block specific Internet and intranet resources for individuals or groups. The ProxySG supports all popular Web protocols, including instant messaging, HTTP, HTTPS, FTP, SOCKS, Real Media, and Microsoft streaming. Additionally, the proxy supports TCP tunneling, a solution to forward any application protocol running over TCP that does not provide native proxy support. It provides deep inspection of all Web requests and responses by gathering complete details on the transaction between users and servers. These details can then be used to implement policies and produce reports on Web usage and communications. For example, as shown in the above diagram, the ProxySG has the ability to:
1. Stop malicious traffic sent from a client.
2. Stop malicious traffic sent from an OCS.
3. Modify content sent between a client and the ProxySG.
4. Modify content sent between the ProxySG and an OCS.
The ProxySG Policy Processing Engine provides a comprehensive policy architecture across all users, content types and applications, and security services. This framework allows a security administrator to control Web protocols and Web communications across the entire enterprise. Networking environments have become increasingly complex, with a variety of security and access management issues. Enterprises also face challenges in configuring products to ensure that the result supports written corporate policies. Authentication and authorization using policy definitions on the ProxySG allow an administrator to manage Web access according to the enterprise’s needs. Blue Coat policies provide the administrator:
• Fine-grained controls to manage behavior of the ProxySG.
• Multiple policy decisions allowed for each request.
• Multiple actions triggered by a particular condition.
• Configurable bandwidth limits.
• An authentication-aware proxy device, including user and group configurations.
• Flexible user-defined conditions and actions.
• Convenience of predefined common actions and header transformations.
• Support for multiple authentication realms.
The ProxySG also can function as an intermediary between a Web client and a Web server, authenticating users from an enterprise’s existing security framework, such as LDAP, RADIUS, certificates, NTLM, local lists, and other supported authentication services. The ProxySG either challenges users when they attempt to access Web resources or transparently checks existing authentication credentials.
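As an added illustration, not Blue Coat code and not Content Policy Language, the following Python models the policy properties listed above together with the Layer 7 control from the earlier slide (which HTTP methods are allowed): identity-aware conditions, several rules firing on one transaction with any deny winning, and header transformations on both the request (ability 3) and the response (abilities 2 and 4). The users, groups, host names and the stand-in origin server are constructed.

```python
"""Added example (not Blue Coat code and not CPL): a small policy engine with
the properties the text lists: conditions over the authenticated user, the
request and the response; several rules may fire on one transaction; any DENY
wins; header transformations are applied in order. Users, groups, hosts and
headers are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Transaction:
    """One proxied request and, once the OCS has answered, its response."""
    method: str
    url: str
    user: Optional[str] = None                        # None: not authenticated
    groups: Set[str] = field(default_factory=set)
    req_headers: Dict[str, str] = field(default_factory=dict)
    res_headers: Dict[str, str] = field(default_factory=dict)
    decisions: List[str] = field(default_factory=list)   # rules that fired


Condition = Callable[[Transaction], bool]
Action = Callable[[Transaction], Optional[str]]        # returns "DENY" or None


@dataclass
class Rule:
    name: str
    when: Condition
    actions: List[Action]                              # several actions per condition


def deny(tx: Transaction) -> Optional[str]:
    return "DENY"


def strip_header(side: str, name: str) -> Action:
    """Header transformation: drop a header from req_headers or res_headers."""
    def act(tx: Transaction) -> Optional[str]:
        getattr(tx, side).pop(name, None)
        return None
    return act


def tag_user(tx: Transaction) -> Optional[str]:
    """Header transformation: pass the authenticated identity to the OCS."""
    tx.req_headers["X-Authenticated-User"] = tx.user or ""
    return None


def evaluate(rules: List[Rule], tx: Transaction) -> str:
    """Every matching rule fires (multiple decisions per request); one DENY
    from any action makes the final verdict DENY."""
    verdict = "ALLOW"
    for rule in rules:
        if rule.when(tx):
            tx.decisions.append(rule.name)
            for act in rule.actions:
                if act(tx) == "DENY":
                    verdict = "DENY"
    return verdict


# Constructed policy following the four abilities on the slide
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable"}

REQUEST_RULES: List[Rule] = [
    # 1. stop unwanted traffic from the client: methods outside the allow list
    Rule("allowed-methods", lambda tx: tx.method not in ALLOWED_METHODS, [deny]),
    # identity-aware control: only the webmasters group may PUT or DELETE
    Rule("writes-need-webmasters",
         lambda tx: tx.method in {"PUT", "DELETE"} and "webmasters" not in tx.groups,
         [deny]),
    # 3. modify the client's request before it goes to the OCS
    Rule("outbound-header-transform", lambda tx: tx.user is not None,
         [strip_header("req_headers", "Referer"), tag_user]),
]

RESPONSE_RULES: List[Rule] = [
    # 2. stop unwanted traffic from the OCS: executables for the guests group
    Rule("no-executables-for-guests",
         lambda tx: "guests" in tx.groups
         and tx.res_headers.get("Content-Type", "").split(";")[0].strip() in EXECUTABLE_TYPES,
         [deny]),
    # 4. modify the OCS response before the client sees it
    Rule("strip-server-banner", lambda tx: "Server" in tx.res_headers,
         [strip_header("res_headers", "Server")]),
]


def proxy_transaction(tx: Transaction,
                      origin: Callable[[Transaction], Dict[str, str]]) -> str:
    """Request-side policy first; the OCS is contacted only when that allows,
    and response-side policy then runs over what the OCS returned."""
    if evaluate(REQUEST_RULES, tx) == "DENY":
        return "DENY"
    tx.res_headers = origin(tx)
    return evaluate(RESPONSE_RULES, tx)


def constructed_origin(tx: Transaction) -> Dict[str, str]:
    """Stand-in for an origin content server (response headers only)."""
    if tx.url.endswith(".exe"):
        return {"Content-Type": "application/x-msdownload", "Server": "example/1.0"}
    return {"Content-Type": "text/html; charset=utf-8", "Server": "example/1.0"}
```

The `decisions` list is the audit trail a Reporter-style tool would want: it records every rule that fired, not just the final verdict.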
Chapter 3: ProxySG Deployment
[Chapter introduction (explicit versus transparent proxy, WCCP, Layer 4 switch, PAC files, deployment best practices) not recoverable from scan]
Deployment Options
[Slide diagram and accompanying text on deployment options (forward and reverse proxy; explicit and transparent deployment) not recoverable from scan]
Slide 3—1: Deployment options
In The - r
I
1.
—
[.
to
the
an
the
of
the any
than
from
using
similar
is
address URL:
way
URL
require
IF
request,
client
a
entire
the not
this
formatting
is
different
the
a
requested
does
has
in
whether the
During
request
BlueQCoat
includes
request
show
request generally
client server.
GET
receiving
can
and
the
GET
request
Web
of Packet
the
Upon .1
end
GET TCP
capture
standard
solution
all.
the
the
address P
format
at
the
server.
IP HTTP/1
packet
from
set,
ProxySG.
proxy,
it
Web
complex
proxy
proxy a
the Destination
v3.5.1
no
simple
end
proxy use
of P
least
A
a
or
to
the
destination Packet
explicit
the
corn
corn
of
requesting
Course . . Source
is
an
the TCP
have
proxy
address
by
deployment
not
IP P
coat
hardware.
using
proxy
BCCPA
address
configured
Proxy
the JiR,th(t or
request,
does
is —
IF
proxy
is
blue bluecoat . .
proceeds
the transparent
Clients Destination
explicit
proxy
a HTTP/l.1 www www P Client
an
not
software
Explicit
Services
browser proxy
browser
address / http://www.bluecoat.com/
proxy. tT4t(;-S).R.iiI.i
using IP
Explicit
and
the
the the Source
3—2:
explicit GET GET HOST: HOST:
following:
an
Training
Slide
Deploying additional explicit clients the When
client, When In source proxy,
Explicit Proxy

[Diagram: two TCP three-way handshakes, client to proxy (SYN, SYN/ACK, ACK, then the client request) and proxy to server.]

Slide 3-3: Explicit proxy
HTTP is an application protocol that relies on TCP as its transport protocol. A TCP three-way handshake must take place to establish a connection before HTTP messages can be exchanged. A TCP three-way handshake is typically performed in the following manner:
1. The client sends a SYN packet to a server to initiate the connection.
2. In response, the server replies with a SYN/ACK packet.
3. Finally, the client sends an ACK back to the server, and the connection is established.
The diagram above, however, shows two separate three-way handshakes taking place. This shows that there are two separate connections on a single URL request: the first one from the client to the proxy, and the second from the ProxySG to the external Web server. The timeline shows that the ProxySG replies with the SYN/ACK to the client before receiving one from the external Web server. This feature is known as early intercept in the ProxySG.
BlueTouch Training Services — BCCPA Course v3.5.1
Transparent Proxy
[Diagram: the client sends TCP data to the server's IP address; the ProxySG intercepts it and connects to the server using its own IP address by default, or the client's IP address if "Reflect Client IP" is configured.]

Slide 3-4: Transparent proxy
You can think of transparent proxying as the opposite of explicit proxying. The goal of transparent proxying is to redirect all traffic to the ProxySG without requiring client knowledge of the proxy. When you set up an explicit proxy, the client’s user agent always knows that it is sending connection requests to a proxy server. In a transparent proxy deployment, the client’s user agent is unaware that traffic is being redirected to a proxy and believes that it is talking to the remote server directly, without intermediaries. Unlike the explicit proxy scenario, you cannot tell whether a client request is going to be transparently proxied by looking at a packet capture of that request on the client machine. In a transparent proxy request, the destination IP address of the client request is the IP address of the remote server, not the IP address of the proxy. When the ProxySG initiates a subsequent request to the external Web server, the source IP address is the IP address of the ProxySG by default, unless it is configured to reflect client IP addresses.
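The difference described above and on the explicit proxy slides, between an explicit request (destination address of the proxy, full URL in the request line) and a transparently proxied one (destination address of the origin server, path only, server name in the Host header), as an added JavaScript example that is not part of the course. It parses constructed sample captures and classifies them; it goes slightly beyond the text by also flagging the two inconsistent combinations and a Host header that disagrees with the request-line URL. The ProxySG address 10.0.0.5 and the server address 203.0.113.10 are assumed values.

```javascript
// Added example, not course material: classify a captured HTTP request by
// the two things the chapter says differ on the wire between explicit and
// transparent proxying: the packet's destination IP address and the form of
// the request line. All captures and addresses below are constructed.

const PROXY_IP = "10.0.0.5"; // assumed ProxySG address

// Matches an absolute URL in the request line and captures its host part.
const ABSOLUTE_URI = /^[a-z][a-z0-9+.-]*:\/\/([^/:\s]+)(?::\d+)?/i;

// Split a raw HTTP request into request line and headers (names lowercased).
function parseRequest(raw) {
  const lines = raw.split(/\r?\n/);
  const [method, target, version] = lines[0].trim().split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break; // blank line ends the header section
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// capture = { dstIp, request }: dstIp is the destination of the packet as seen
// in the client-side capture; request is the HTTP request it carries.
function classifyRequest(capture, proxyIp = PROXY_IP) {
  const req = parseRequest(capture.request);
  const m = ABSOLUTE_URI.exec(req.target);
  const absoluteForm = m !== null;
  const hostFromUrl = absoluteForm ? m[1].toLowerCase() : null;
  const hostHeader = req.headers.host ? req.headers.host.split(":")[0].toLowerCase() : null;
  const sentToProxy = capture.dstIp === proxyIp;

  let mode;
  if (sentToProxy && absoluteForm) {
    mode = "explicit";
  } else if (!sentToProxy && !absoluteForm) {
    // Destination is the origin server and only the path is sent: from the
    // client's capture alone you cannot tell whether a transparent proxy
    // will intercept this, exactly as the text says.
    mode = "transparent-or-direct";
  } else {
    // Absolute URL sent to the origin server, or path-only request sent to
    // the proxy address: usually a misconfigured client; worth a look.
    mode = "inconsistent";
  }
  return {
    mode,
    absoluteForm,
    originHost: hostFromUrl || hostHeader,
    // HTTP/1.1 gives the request-line URL precedence over the Host header,
    // so a disagreement between them in an explicit request is a red flag.
    hostMismatch: absoluteForm && hostHeader !== null && hostFromUrl !== hostHeader,
  };
}

// Constructed sample captures. 203.0.113.10 (a documentation address)
// stands in for the real address of www.bluecoat.com.
const EXPLICIT_CAPTURE = {
  dstIp: "10.0.0.5",
  request: "GET http://www.bluecoat.com/ HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n",
};
const TRANSPARENT_CAPTURE = {
  dstIp: "203.0.113.10",
  request: "GET / HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n",
};
const MISMATCH_CAPTURE = {
  dstIp: "10.0.0.5",
  request: "GET http://www.bluecoat.com/ HTTP/1.1\r\nHost: other.example\r\n\r\n",
};
```

Run with a capture taken on the client; the "transparent-or-direct" result is deliberate, since nothing in such a capture reveals whether a transparent ProxySG sits in the path.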
Forward Proxy
• The proxy is on the same network as the clients

[Diagram: forward proxy between the internal network and the external server.]

Slide 3-5: Forward proxy
A forward proxy is the most common form of a proxy server and is generally used to pass requests from an internal network to the Internet through a firewall. By using a forward proxy, requests from users in the internal network can be selectively allowed or denied by implementing authentication. If the request from the internal network was fulfilled earlier and the response is in the cache and is considered fresh, a forward proxy serves the requested content directly from its cache. If the data is in the cache but is outdated, the cache can validate the object via a Get-If-Modified-Since (GIMS) message to the external server. If the requested content is not in the cache, then the forward proxy acts on behalf of the client to request the content from the external server. When the external server replies, the forward proxy can cache the content to expedite serving the same content in subsequent requests. A forward proxy also can perform advanced proxy features such as enforcing enterprise security policy and anti-virus scanning.
Reverse Proxy
• The proxy is on the same network as the servers

[Diagram: reverse proxy between the internal network and the external client.]

Slide 3-6: Reverse proxy
Unlike a forward proxy, which caches arbitrary content for clients, a reverse proxy serves specific content on behalf of back-end servers. Reverse proxies are network servers or appliances that typically reside in the DMZ between Web applications and the Internet. The reverse proxy is effectively a trusted processor for Web servers, acting as a middleman between users and the Web applications they access. A reverse proxy protects Web servers from direct Internet access and off-loads computationally intensive processes from them to enhance performance. To the outside world, the reverse proxy is the Web server. For example, in the above diagram, all requests going to the Web server are directed to the proxy, even though the actual content resides on the back-end server. When content is requested, the proxy either serves the content from its cache or gets the content from a back-end Web server. If the reverse proxy is accelerating several different Web servers, the proxy (or Layer 4 switch) maintains a Web-server mapping so that content can be obtained from the correct server, thus achieving load balancing. In most instances, SSL encryption is not done by the Web server itself, but by a reverse proxy that is equipped with an SSL acceleration card.
Out-of-path Deployment
Slide 3-7: Out-of-path deployment
In an out-of-path deployment, it is very difficult to achieve transparent interception and redirection. Therefore, explicit proxy is a common choice in this deployment. In an explicit proxy deployment, every client is configured to forward all traffic to the ProxySG. For example, you can easily set your browser to send all HTTP requests to a proxy server. This figure shows the proxy configuration screen for a Firefox client:
[Screenshot: Firefox "Connection Settings" dialog, "Configure Proxies to Access the Internet", with the choices "No proxy", "Auto-detect proxy settings for this network" and "Manual proxy configuration"; the manual option is selected, with the HTTP proxy set to myproxysg, port 8080, and "Use this proxy server for all protocols" checked.]
When the client has been configured, the client sends all HTTP requests over port 8080 to the proxy with the hostname myproxysg. This method is straightforward; however, it is impractical for most organizations (except the very smallest) because you have to manually configure the browser on each client machine. Alternatively, an explicit proxy can be deployed by making use of other advanced methods such as a PAC file or Web Proxy Auto Discovery protocol. Manual configuration still can be useful for testing and debugging purposes.
Note: Malicious users can easily circumvent explicit proxy solutions.
ProxySG as a Bridge
Slide 3-8: ProxySG as a bridge
All models of the ProxySG can be configured to support bridging between interfaces. In addition, most models have a pass-through card that allows hardware failover in case of a power outage, other failures, and during startup. In recent ProxySG models, the behavior in a failure can be configured in software. In a redundant network design, the ProxySG can be configured to propagate a link failure to another switch port so that other network devices can be aware of the failure. Used as a bridge, the ProxySG is usually deployed between the core switch and the edge router. Because all outgoing Web requests are forwarded from the switch to the router, the ProxySG can be installed in the path. Bridging in such a strategic location in the network gives the ProxySG full visibility of all Web requests. As a result, advanced proxy features and granular security policies can be enforced. It is not uncommon for the connection between the switch and router to be in trunking mode. Trunking mode is usually used to forward all VLAN-tagged packets between network appliances, for example, switch to switch or switch to router. Therefore, the ProxySG has a default setting that supports trunking for switches that encapsulate using the 802.1Q trunking protocol.
Note: The ProxySG does not support trunk connections using ISL protocol encapsulation because ISL is a Cisco proprietary protocol. However, most Cisco equipment supports the 802.1Q encapsulation protocol.
Using WCCP
Slide 3-9: Using WCCP
Web Cache Communication Protocol (WCCP) is a content-routing technology that enables routers to communicate with, and transparently redirect requests to, one or more Web caches. The purpose of the interaction is to establish and maintain the transparent redirection of selected traffic types flowing through a group of routers. WCCP version 2, the most widely used version, defines mechanisms that allow one or more routers (enabled for transparent redirection) to discover, verify, and advertise connectivity to one or more Web caches. WCCP version 2 supports the redirection of traffic other than HTTP traffic through a traffic-segregation method called service groups. WCCP is a good choice if your network is primarily made up of Cisco routers and switches. However, to use WCCP version 2, your Cisco equipment must be running at least IOS version 12.03(T) or above.
Note: IOS support for WCCP is tied to specific IOS images, not release numbers. If you plan to use WCCP, verify that your specific IOS image supports WCCP.
Layer 4 Switch

Slide 3-10: Layer 4 switch

[Slide text and explanation did not survive extraction. Recoverable from its fragments: a Layer 4 switch can be configured to redirect all outbound traffic to the ProxySG based on parameters such as source address, destination address, port and protocol (or a combination of these), so that the ProxySG can inspect the traffic; most advanced Layer 4 switches can also provide load balancing, redundancy and fault tolerance when several ProxySG appliances are deployed; and the major obstacle to this deployment is cost, since such switches often cost more than $10,000 each in the United States.]
ProxySG as Default Gateway
Slide 3-11: ProxySG as default gateway
The ProxySG can act as a default gateway for clients. In this scenario, the ProxySG is capable of routing any kind of traffic: UDP, TCP, NetBIOS, unicast, multicast, and so on. In such situations, the ProxySG can either terminate and process the traffic or forward the traffic to the next hop. If the destination TCP port matches a service that is set to intercept, then the packets are processed. Otherwise, the packets are forwarded based on the destination MAC address and the IP address in the packet. For the ProxySG to act as a default gateway:
• Clients must have their TCP/IP default gateway set to the IP address of the ProxySG.
• IP forwarding must be enabled on the ProxySG. If IP forwarding is not enabled, then the ProxySG rejects the packets.
• Client IP address reflection must not be enabled on the ProxySG.
Proxy Auto-Configuration File
Slide 3-12: Proxy auto-configuration file
In an explicit deployment with a large number of clients, manually configuring the address of the proxy server on every client can be complicated or impractical. A proxy auto-configuration file (PAC file) simplifies this task by informing all the Web browsers of the addresses of the proxy servers present in their environment. A PAC file is reloaded every time a user launches a Web browser. Also, the administrator can centrally manage the PAC file, and PAC files offer many useful features such as exceptions and load balancing. The PAC file defines how Web browsers can automatically choose the appropriate proxy server for fetching a given URL. As shown in the above diagram:
1. Upon launching the Web browser on the client computer, the Web browser attempts to retrieve the PAC file from a pre-configured URL in the client. The URL can be entered either manually or automatically by implementing Microsoft Group Policy.
2. When the user requests a URL, the Web browser reads the PAC file to decide which proxy to request it from. Upon identifying the proxy from the PAC file, the request is sent to the respective proxy server.
3. The proxy server receiving the request subsequently relays the request to the external Web server on the Internet.
PAC files can be hosted on the ProxySG or on a dedicated internal Web server. Two PAC files are shipped with the ProxySG: a default PAC file that cannot be edited, and an accelerated PAC file that you can edit to reflect your network’s requirements. For more information on PAC files and the ProxySG, refer to the knowledge base article “You want help writing or editing a PAC file” at BlueTouch Online.
Proxy Auto-Discovery
Slide 3-13: Proxy auto-discovery
Web Proxy Auto Discovery (WPAD) protocol is used by clients to automatically discover the presence and the address of the proxy server in their network. WPAD offers greater ease of deployment to administrators because no pre-configured URL is required for the client to retrieve the configuration file. The configuration file (wpad.dat) is discovered by performing a DNS query for a fully qualified domain name formed from the label wpad followed by the DNS suffix of the client computer.
1. Upon launching the Web browser on the client machine, the browser automatically issues a GET request for the wpad.dat file from wpad.mycompany.com, where mycompany.com is the DNS suffix of the requesting client.
2. When the user requests a URL, the Web browser reads the wpad.dat file to decide which proxy to request it from. Upon identifying the proxy from the wpad.dat file, the request is sent to the respective proxy server.
3. The proxy server receiving the request subsequently relays the request to the external Web server on the Internet.
Note: wpad.dat is written in the same way as the PAC file, but saved in a different file name. Both use the JavaScript FindProxyForURL function to decide which proxy server to use on different URL requests.
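A PAC file of the kind described in the proxy auto-configuration section above and in this note, as an added example that is not from the course and is not one of the PAC files shipped with the ProxySG. It implements the two features the text names, exceptions and load balancing, in FindProxyForURL, and can be served either under a pre-configured URL or as wpad.dat. The proxy names proxy1.example.com and proxy2.example.com, port 8080, and the internal domain corp.example.com are assumptions. The helper functions a browser normally supplies to a PAC file (isPlainHostName, dnsDomainIs, isInNet, shExpMatch) are re-implemented here in simplified form so the file can also be exercised in Node.js.

```javascript
// Added example, not course material and not one of the PAC files shipped
// with the ProxySG. It shows FindProxyForURL with the two features the text
// names: exceptions (what goes DIRECT) and load balancing across two proxies.
// Proxy names, port and internal domain are assumptions.

// Browsers supply isPlainHostName, dnsDomainIs, isInNet and shExpMatch to a
// PAC file. Simplified stand-ins are defined here so the file also runs in
// Node.js; a browser uses its own implementations.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}

// Literal IPv4 addresses only; the browser version resolves hostnames first.
function isInNet(ipaddr, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipaddr)) return false;
  const toInt = s => s.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
  return ((toInt(ipaddr) & toInt(mask)) >>> 0) === ((toInt(pattern) & toInt(mask)) >>> 0);
}

// Shell-style glob match: * matches any run of characters, ? a single one.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Deterministic hash so that each destination host always lands on the same
// proxy; that keeps the cache hit rate up compared with random selection.
function hashHost(host) {
  let h = 0;
  for (let i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) >>> 0;
  return h;
}

const PROXIES = ["proxy1.example.com:8080", "proxy2.example.com:8080"]; // assumed

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Exceptions: intranet names, the internal domain and private/loopback
  // address space are reached directly and never sent to the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example.com") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Exception by URL pattern rather than by host.
  if (shExpMatch(url, "http://intranet.example.com/*")) {
    return "DIRECT";
  }

  // Load balancing with failover: the hash chooses the primary proxy and the
  // other proxy is listed second, so the browser fails over if the primary is
  // unreachable. No trailing DIRECT: if both proxies are down, browsing fails
  // rather than silently bypassing the proxy and the policy it enforces.
  const i = hashHost(host) % PROXIES.length;
  return "PROXY " + PROXIES[i] + "; PROXY " + PROXIES[1 - i];
}
```

The return string format ("PROXY host:port; PROXY host:port" or "DIRECT") is what browsers expect from FindProxyForURL; hashing on the destination host rather than picking a proxy at random means every client asks the same proxy for the same site, which is what makes the second proxy useful as a cache rather than a duplicate.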
Mixed Deployment

Slide 3-14: Mixed deployment

[Slide text and explanation did not survive extraction. Recoverable from its fragments: there is no one-size-fits-all solution, and organizations can combine different deployment modes in the same environment. The diagram shows an organization with five locations, a main office and four satellite offices, using different deployments: transparent proxy with a Layer 4 switch (or WCCP), explicit proxy, transparent proxy in bridging mode, ProxySG as default gateway, and reverse proxy. Carefully review how the ProxySG fits in your organization, considering policy, budget and personnel constraints, to determine which deployment solution is best for each location.]
Chapter 4: ProxySG Licensing
A license is a document granting a party permission to take a certain action. In the computing world, a license is most often an agreement between the manufacturer and the user, granting permission to install and use software or hardware on a given number of devices. Blue Coat uses a licensing system to ensure that customers are able to install and operate Blue Coat products in the way that best meets their needs. This includes using a license as a way to unlock key features of the Blue Coat ProxySG and to ensure that databases for content filtering are up-to-date and effective. For the ProxySG and its related software, licenses are issued on a per-appliance basis, and each license key file includes the license for all SGOS operating system components purchased by a customer. One license key file is tied to one appliance; each software license can only be used on the appliance for which it was intended and no others. This ensures that the correct software components are paired with the correct appliance. Because Blue Coat offers a variety of software configurations for each appliance, the license is important in ensuring that customers receive access to the features they have purchased. For example, the software that operates the ProxySG is available in two editions: MACH5 Edition and Proxy Edition. (In some Blue Coat material, the MACH5 Edition also is called the Acceleration Edition.) By having two editions of the software, each deployment can be best tailored to the customer’s network environment. In addition to the two editions, other licensable features are available for the ProxySG, such as IM filtering and Blue Coat WebFilter. Each of these features requires its own license. Other Blue Coat products, such as the Blue Coat ProxyAV and Blue Coat Reporter, are licensed in a different manner from the ProxySG.
Some licenses are an annual subscription based on user count; others are made up of only one perpetual license, giving the customer access to all of a product’s features. Details of licensing for these other products are covered in the training courses for those products. This chapter provides an overview of the licensing process required for the ProxySG. It describes which products require a license, the licensable components available from Blue Coat, and what to expect when the trial period ends. Some of the concepts in this chapter — including the ProxySG Management Console graphical user interface and policy management on the ProxySG — are covered in greater detail later in this course, and it is not important to understand everything about them at this point. After studying this chapter, you will understand:
• The types of licenses and licensable components that are available for the ProxySG.
• Differences between the two editions of the SGOS operating system.
• How to register and license a ProxySG.
• ProxySG license limits and how they are enforced.
License Types
• Trial period
— First 60 days; all features enabled
— Available only on physical ProxySG appliances
• Demo license
— Provided by Blue Coat or reseller
• Limited license
— Maximum users or length of time
• Unlimited license
— No restrictions on users or time

Slide 4-1: License types
Four types of licenses can be used with ProxySG appliances. Each license allows for different functions and user limits.
• Trial period: The trial period is a 60-day period that begins once initial configuration is completed, during which a user is able to evaluate all features of the SGOS software. All features of SGOS can be used by the customer, assuming the customer chooses to run Proxy Edition during the trial. At initial configuration, the customer must choose to run MACH5 Edition or Proxy Edition during the trial period; either can be chosen, regardless of which edition they purchased. For example, if a customer purchases MACH5 Edition but chooses to run Proxy Edition during the trial period, all of the Proxy Edition features and components are available for 60 days. However, once the 60-day period ends, only the MACH5 features are available. On the ProxySG VA, a trial period is not available.
• Demo license: Like the trial period, a demo license allows the customer to use all available features. However, during the demo, the appliance is fully licensed. A demo license is provided by Blue Coat or a Blue Coat reseller, who determines the length of the demo. Because a demo license must be provided by Blue Coat, it is not automatically available to a customer.
• Limited license: This type of license places a limit on the maximum number of users or the length of time the license is valid. A license with a user limit immediately begins enforcing that limit once installed. When a license’s user limit is reached, depending on the product, a certain action is taken by the appliance. If a license has a time limit, the feature continues operating at its full functionality until the time period ends. This applies to products that are subscription-based, such as WebFilter; when the time period ends, WebFilter database updates are no longer received, but the ProxySG continues to categorize user requests based on the last downloaded version of the database.
• License with no limit: As the name implies, these licenses have no limitations based on user count or time.
Once the license has been applied to the product, all components related to the license are available for use.
Licensable Components
[Table: Licensable components, listing each component with its cost and whether it is included or optional. Recoverable rows: Blue Coat WebFilter, Websense off-box content filtering and third-party on-box content filtering (by user count, included); ICAP services, bandwidth management, Netegrity SiteMinder, Oracle COREid, ProxyClient acceleration, ProxyClient Web filtering, peer-to-peer and compression (included); AOL, MSN and Yahoo instant messaging (free, optional); SSL (varies by model, optional).]

Slide 4-2: Licensable components
In addition to the four license types, there are three types of licensable components:
• Required: The only required licensable component is the SGOS base license. This license and its features are required on any ProxySG. It contains the SGOS operating system plus base features such as HTTP, FTP, TCP tunnel, SOCKS, and DNS proxies.
• Included: These components contain additional SGOS features and are included with the SGOS base license. However, some of these components only provide the capability to use certain features. For example, on-box content filtering is an included component, but a subscription must also be purchased for the content filtering service of the customer’s choice. Some included components are ICAP services, peer-to-peer, and compression.
Note: The actual content-filtering database for WebFilter or any third-party vendor is not included in the license. The license included in SGOS gives the right to install the database.
• Optional: These features are not included with an SGOS license and need to be purchased or added separately. IM filtering licenses are free. SSL is free for all models currently available for sale that support SSL interception, but is an additional-cost item for legacy models of the ProxySG. (More information is available at BlueTouch Online.) The need for these components depends on individual deployment requirements.
ProxySG Editions
[Table: ProxySG editions, comparing Proxy Edition and MACH5 Edition feature by feature. Recoverable rows: tolerating HTTP errors, transparent WAN interception, access logging, forwarding, policy controls, proxy services, user authentication, content filtering, ProxySG VA support, external services (ICAP, Websense), and instant messaging and peer-to-peer; the individual cell values did not survive extraction.]

Slide 4-3: ProxySG editions
A physical ProxySG can run either the MACH5 Edition or Proxy Edition of SGOS. While the appliance is the same and the underlying operating system is SGOS for both editions, the feature set is different. The main difference between the two editions is that the MACH5 Edition is used only for WAN optimization, while the Proxy Edition can do both acceleration and security.
• Proxy Edition contains all the features and functionality of SGOS.
• MACH5 Edition has a reduced feature set. Some components not relevant for WAN optimization are not available, as shown in the above table.
• Some default behaviors — default proxy policy, trusting client-provided destination IP addresses, tolerating HTTP errors, and transparent WAN interception on disabled bridge cards — differ between the two editions.
If you select Proxy Edition for the trial period but purchase a MACH5 Edition license, the ProxySG configuration is reset when you install the license. The ProxySG VA supports only the MACH5 Edition of SGOS.
Mixed Deployment
[Diagram: mixed deployment with Proxy Edition appliances at the Internet gateways and MACH5 Edition appliances on the WAN links, including a branch office running MACH5 Edition.]

Slide 4-4: Mixed deployment
Both the MACH5 Edition and the Proxy Edition can be used individually or together to optimize and secure any deployment. In the deployment shown above, the enterprise is taking advantage of both the MACH5 Edition and the Proxy Edition. Proxy Edition appliances have been placed at Internet gateways for security and acceleration, while the two WAN links that are not directly connected to the Internet are accelerated using the MACH5 Edition. The branch office that uses a direct-to-net connection to the Internet is using the Proxy Edition at its Internet gateway. However, because the other branch office has its Internet connection backhauled through headquarters, it uses a MACH5 Edition appliance to accelerate its WAN link only.
Register and License a ProxySG
[Diagram: the administrator registers the appliance with BlueTouch Online, which issues the SGOS license from the license database; the license is then installed on the ProxySG.]

Slide 4-5: Register and license a ProxySG
After initial configuration, the ProxySG Management Console displays the license status as a link in the upper right. Hovering over the license link displays information such as the expiration date of a trial period. Click the link to go to the Maintenance > Licensing > View page. Activating the licenses on a ProxySG is performed through BlueTouch Online and is a two-step process:
1. Register the ProxySG with Blue Coat.
2. Retrieve and install the associated SGOS license. If this ProxySG has Internet access, go to Maintenance > Licensing > Install in the Management Console and click Retrieve. If this ProxySG does not have Internet access, access BlueTouch Online at http://support.bluecoat.com from an Internet-connected workstation. You will be prompted to download a binary file; this file must be manually applied to license the ProxySG.
This license includes the SGOS base license and any optional supplemental components — such as SSL and RTMP support — that you purchased. Step-by-step instructions for registering and licensing a ProxySG are available on the appliance. In the Management Console, go to Maintenance > Licensing > Install and click Help. To get BlueTouch Online access, go to Maintenance > Licensing > Install, click Register/Manage, and click the link next to Need a BlueTouch Online User ID.
License Expiration and Limits
[Table: License expiration and limits, listing each license type, whether it is included or optional, and the action taken on expiration, rendered as far as the fragments allow: Base license (included) depends on the default ProxySG policy, with the options of bypassing new connections, queuing new connections, or ignoring the license limit (hardware appliances only); IM filtering (optional, user-added) affects IM activity; SSL (varies by model) causes intercepted HTTPS connections to be blocked on expiration; Flash streaming (N/A) causes intercepted RTMP connections to be denied.]

Slide 4-6: License expiration and limits
When the ProxySG is initially configured, all available features are activated during the trial period, allowing use of all of the features of the ProxySG. However, if the MACH5 Edition was purchased, the security features available during the trial period expire at the end of the trial and become unavailable. If a ProxySG base license expires, the appliance behaves in accordance with the default policy that has been configured by the administrator. If the default policy is Allow (the factory default for MACH5 Edition licenses), then all user requests bypass the ProxySG; if the default policy is Deny (the factory default for Proxy Edition licenses), then all user requests are blocked and users are notified (if possible) that the appliance’s license has expired each time they issue a request. In the Proxy Edition, the IM filtering and SSL licenses (if required for your model of ProxySG) become unavailable at the end of the trial period unless a full license is added. When the trial period ends, any operations requiring any expired components cease to function or function in a limited capacity. For example, a license is required to use the SSL functionality of the ProxySG 810 and ProxySG 9000 models. This license is activated during the trial period, and all features of the full SSL license can be used. But when the trial period ends, depending on the policy created, different behaviors occur:
• If there is an SSL policy (and default policy is Allow — to allow all connections that are not otherwise processed by the policy), HTTPS proxy service is set to intercept, and there is no SSL license or the SSL license has expired, then SSL traffic fails, and users get the following error: Access Denied (license_expired).
• If there is no SSL policy (and default policy is Allow), HTTPS proxy service is set to intercept, and there is no SSL license or the SSL license has expired, then SSL traffic fails, and users get the following error: Access Denied (license_expired).
• If there is an SSL policy (and default policy is Allow or Deny), HTTPS proxy service is set to bypass, and there is no SSL license or the SSL license has expired, then SSL traffic bypasses the ProxySG, and requests are successful.
59 BlueTouch Training Services — BCCPA Course v3.5.1
The SSL license is designed to take full advantage of the SSL card that is factory-installed in the ProxySG. This license should be purchased for deployments handling large amounts of HTTPS traffic on ProxySG models for which a separate SSL license is required.

For Flash streaming, if a license is expired or not installed, the RTMP proxy does not accept HTTP handoffs from the HTTP proxy; RTMP traffic tunneled through the HTTP proxy using RTMPT is handled entirely by the HTTP proxy. Also, if an RTMP proxy listener is set to intercept, those connections are denied.

In addition to a license’s expiration, each model of the ProxySG has a different user limit built into it. This allows Blue Coat to align hardware capabilities for sizing purposes. The limit of the ProxySG is dependent on the specific hardware; this cannot be changed based on the type of license purchased. On the ProxySG, the user limit is counted using the number of unique client IP addresses with open inbound TCP connections to the ProxySG, not the number of unique TCP connections. For example, if a ProxySG is handling 20 users from different IP addresses, each making 20 connections (for a total of 400 connections), it counts as 20, not 400. When the number of users reaches the limit, a warning message is logged. The ProxySG takes action based on the setting of the User Overflow Action parameter at Configuration > Proxy Settings > General in the Management Console:
• Do not enforce licensed user limit: The ProxySG performs as if the user limit had not been exceeded. This option is available only on hardware ProxySG appliances; on the ProxySG VA, user limits are enforced, and all connections exceeding the maximum are passed through the ProxySG without processing.
• Bypass connections from users over licensed limit: All connections exceeding the maximum are passed through the ProxySG without processing.
• Queue connections from users over licensed limit: All connections exceeding the maximum are queued, waiting for another connection to drop off.

Listed below are all of the models of ProxySG currently available for purchase, along with the user limits for deployments with and without an Application Delivery Network enabled.
Table 4-1: User limits for the ProxySG

Model              User limit (without ADN enabled)    User limit (with ADN enabled)
300-5              30                                  10
300-10             150                                 50
300-25             unlimited                           unlimited
600-10             500                                 100
600-20             1,000                               200
600-35             unlimited                           unlimited
810-5              2,500                               500
810-10             3,500                               700
810-20             5,000                               1,000
810-25             unlimited                           unlimited
9000 (all models)  unlimited                           unlimited
VA-5               not applicable                      10
VA-10              not applicable                      50
VA-15              not applicable                      125
VA-20              not applicable                      300
60 Chapter 4: ProxySG Licensing
Important: For any device that is listed as unlimited, the maximum number of users that can create connections is based only on the limitations of the hardware.
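As an added illustration of the user-limit accounting described above (a "user" is a unique client IP address with at least one open inbound TCP connection) and of the three User Overflow Action settings, here is example code written for this page, not Blue Coat software; the class and function names, the 20-client scenario, the warning text and the ProxySG VA fallback are constructed from the text:

```python
from collections import defaultdict
from enum import Enum


class OverflowAction(Enum):
    """The three settings of User Overflow Action (Configuration > Proxy Settings > General)."""
    DO_NOT_ENFORCE = "do-not-enforce-licensed-user-limit"
    BYPASS = "bypass-connections-from-users-over-licensed-limit"
    QUEUE = "queue-connections-from-users-over-licensed-limit"


class UserLimitTracker:
    """Models the licensed-user accounting from the text: one user per unique
    client IP with at least one open inbound TCP connection, so 20 clients
    with 20 connections each count as 20 users, not 400. (Constructed model.)"""

    def __init__(self, user_limit, action, is_virtual_appliance=False):
        self.limit = user_limit
        # On the ProxySG VA the limit is always enforced: "do not enforce"
        # falls back to passing over-limit connections through unprocessed.
        if is_virtual_appliance and action is OverflowAction.DO_NOT_ENFORCE:
            action = OverflowAction.BYPASS
        self.action = action
        self.open_conns = defaultdict(set)   # client IP -> ids of its open connections
        self.queued = []                     # (client IP, conn id) waiting for a user slot
        self.warnings = []                   # constructed event-log lines

    @property
    def user_count(self):
        return len(self.open_conns)

    @property
    def connection_count(self):
        return sum(len(c) for c in self.open_conns.values())

    def _admit(self, client_ip, conn_id):
        was_new_user = client_ip not in self.open_conns
        self.open_conns[client_ip].add(conn_id)
        if was_new_user and self.user_count == self.limit:
            self.warnings.append(f"licensed user limit of {self.limit} reached")

    def open_connection(self, client_ip, conn_id):
        """Returns 'processed', 'bypassed' or 'queued' for a new inbound connection."""
        # An IP that already counts as a user never consumes another slot.
        if client_ip in self.open_conns or self.user_count < self.limit:
            self._admit(client_ip, conn_id)
            return "processed"
        # A new client IP arrives while the limit is already reached.
        if self.action is OverflowAction.DO_NOT_ENFORCE:
            self._admit(client_ip, conn_id)       # counted, but processed as usual
            return "processed"
        if self.action is OverflowAction.BYPASS:
            return "bypassed"                     # passed through without proxy processing
        self.queued.append((client_ip, conn_id))  # waits for another user to drop off
        return "queued"

    def close_connection(self, client_ip, conn_id):
        """Closes a connection and returns the queued connections it let in."""
        conns = self.open_conns.get(client_ip)
        if conns is None:
            return []
        conns.discard(conn_id)
        if conns:
            return []                             # the user still has open connections
        del self.open_conns[client_ip]            # a user slot was freed
        admitted, still_waiting = [], []
        for ip, cid in self.queued:
            if ip in self.open_conns or self.user_count < self.limit:
                self._admit(ip, cid)
                admitted.append((ip, cid))
            else:
                still_waiting.append((ip, cid))
        self.queued = still_waiting
        return admitted


def run_scenario(action, is_virtual_appliance=False):
    """The text's example, constructed: limit 20, 20 client IPs x 20 connections, then a 21st client."""
    tracker = UserLimitTracker(20, action, is_virtual_appliance)
    for host in range(1, 21):
        ip = f"10.0.0.{host}"
        for n in range(20):
            tracker.open_connection(ip, f"{ip}-{n}")
    verdict = tracker.open_connection("10.0.1.99", "10.0.1.99-0")
    return tracker, verdict


if __name__ == "__main__":
    for action in OverflowAction:
        tracker, verdict = run_scenario(action)
        print(f"{action.name:15} users={tracker.user_count} "
              f"connections={tracker.connection_count} 21st client -> {verdict}")
```

Running the scenario with each setting shows the 400 connections counting as 20 users, the warning logged when the 20th user arrives, and the 21st client being processed, bypassed or queued; in queue mode, closing the last connection of one of the original clients frees the slot and admits the queued connection.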
Chapter 5: ProxySG Initial Setup

Slide 5—1: Initial setup methods
[The chapter introduction and the text for Slide 5—1 (initial setup methods: serial console, CLI and Management Console) are not recoverable from the scan; the remaining access methods continue below.]
64 Chapter 5: ProxySG Initial Setup
Other Access Methods
• Front panel: This option, available for most models of the ProxySG, only allows you to configure an IP address and perform other limited configuration tasks. After assigning the IP address using the front panel, you must enter the CLI or launch the graphical user interface in order to continue ProxySG configuration.
• Director: After a ProxySG has been assigned an IP address, the appliance can be registered with Director, where multiple appliances can be configured and managed from a central location. You cannot use Director to assign an IP address to a ProxySG.
Slide 5—2: Configuration workflow
[The text for this page (configuration workflow choices for the setup wizard, Blue Coat Sky, Director, and MACH5 Edition in-path acceleration deployments) is not recoverable from the scan.]
Access Control
• Serial console password
• Access control list
• Other: LDAP
Slide 5—3: Access control
You can control access to the ProxySG in several ways: by limiting physical access to the system, by using passwords, by restricting the use of the console account, through per-user RSA public key authentication, and with Blue Coat Content Policy Language. How secure the system needs to be depends upon your environment. You can limit access to the ProxySG by:
• Restricting physical access to the system and by requiring a PIN to access the front panel.
• Restricting the IP addresses that are permitted to access the appliance from the management user interface.
• Requiring a password to secure the serial console.
• Disabling the built-in administrative account and enforcing the use of Active Directory or LDAP accounts.
These methods are in addition to the restrictions placed on the console account (a console account user password) and the enable password. By using every possible method (physically limiting access, limiting workstation IP addresses, and using passwords), the ProxySG is very secure.

Requiring a PIN for the Front Panel
On ProxySG appliances that have a front panel display, you can create a four-digit PIN to protect the system from unauthorized use. The PIN is hashed and stored. You can create a PIN only from the command line interface. To create a front panel PIN after initial configuration:
#(config) security front-panel-pin PIN
where PIN is a four-digit number. To clear the front-panel PIN:
#(config) security front-panel-pin 0000
This also means that you cannot use 0000 as your PIN.
Limiting Workstation Access
During initial configuration, you have the option of preventing workstations with unauthorized IP addresses from accessing the CLI and Web-based management interfaces. If this option is not enabled, all workstations are allowed to access the CLI and Web-based management interfaces. You also can add allowed workstations later to the access control list.

Securing the Serial Port
If you choose to secure the serial port, you must provide a Setup Console password that is required to access the Setup Console in the future. Once the secure serial port is enabled, the Setup Console password is required to access the Setup Console, and an authentication challenge (username and password) is issued to access the CLI through the serial port. To recover from a lost Setup Console password, you can:
• Use the front panel display to either disable the secure serial port or enter a new Setup Console password.
• Use the CLI command restore-defaults factory-defaults to delete all system settings.
• Use the reset button (for models of the ProxySG with a reset button) to delete all system settings.
Note: You should not secure the serial console password unless you have a real need to do so. The serial console is your last resort when all other access methods are not available or passwords are lost.
Using LDAP Accounts
You have the ability to disable the built-in administrative account and enforce the use of directory-based accounts. This is an important option for accounting and auditing purposes. You do not want to share the same administrative account among different users, and you do not want to create and maintain additional accounts outside your directory. The ProxySG allows you to use any realm that supports basic authentication credentials — such as Microsoft Active Directory, Novell eDirectory or another Lightweight Directory Access Protocol realm — to validate users before they can access the graphical user interface or the CLI.
Note: The password for the CLI enable mode is the same as the user’s password when you are using a realm. You still need to know the enable password you configured at setup if you are accessing the CLI via the serial console.
Command Levels
• Basic CLI
• Blue Coat Sky
• Management Console
• Visual Policy Manager → Enabled access
• Privileged CLI
• Configuration mode
Slide 5—4: Command levels
CLI commands on the ProxySG are divided into those that can be issued while in standard mode and those that require enabled (privileged) mode. Most configuration settings are available in configuration mode, which is a submenu of enable mode.

Enable Mode
Enable mode provides a set of commands to view, manage, and change ProxySG settings for features such as log files, authentication, caching, DNS, HTTPS, packet capture filters, and security. You can configure functionality such as the SSL proxy and HTTP compression. The prompt changes from a greater-than sign (>) to a pound sign (#) to indicate that you are in enable mode. To enter enable mode from standard mode, use the enable command:
> enable
Enable Password:
When you type the enable password, it does not display. For in-path acceleration deployments, the enable password is the same as the administrative password that you specified during initial configuration. In all other deployments, separate administrative and enable passwords are specified during initial configuration.

Configuration Mode
The configure command, available only in enable mode, allows you to configure ProxySG settings from your current terminal session (configure terminal) or by loading a text file of configuration settings from the network (configure network). The prompt changes from a pound sign (#) to #(config) to indicate that you are in configuration mode. No additional password is needed to enter configuration mode.
Chapter 6: ProxySG Management Console
The Management Console is part of an easy-to-use software suite in the Blue Coat ProxySG. It is the nerve center of the ProxySG. You can write policies to control users within a network, authenticate users, report network activity, and create a productive and safe work environment. You can also manage, configure, and upgrade the ProxySG from any location using the Management Console. The Management Console is a graphical user interface. The software suite also includes a command line interface and Blue Coat Sky, an alternate graphical interface tailored for WAN optimization configurations. Although you can use the CLI to perform tasks, the Management Console is more user-friendly and time-saving. It has tabs, links, buttons, windows, and other easy-to-use features to perform most configuration, management, and monitoring tasks. Blue Coat Sky is discussed as part of separate training courses in WAN optimization deployments.

After studying this chapter, you will understand:
• How the Management Console controls the ProxySG.
• How to access, and control access to, the Management Console.
• What information and functions are available from the Management Console.
Overview
• User interface to CLI
— Generates the necessary commands to implement the task
• Divided into three functional tabs
— Statistics
— Configuration
— Maintenance
Slide 6—1: Overview
The Management Console helps you perform commands to configure, maintain, and monitor the ProxySG. You can also gather a variety of monitoring statistics. The user interface generates the necessary CLI commands to implement the selected task. The Management Console is organized into three functional areas represented by the following tabs:
• Statistics: Monitors the status and the health of the ProxySG. You can gather statistics on system usage, traffic history, IM, bandwidth management, resources, efficiency, and more.
• Configuration: Sets up the ProxySG, creates objects and parameters used to manage policies, and archives and restores configurations. This is the starting point for most of the tasks that you perform on the ProxySG.
• Maintenance: Keeps the ProxySG up to date. You can perform a number of maintenance tasks including licensing components, monitoring appliance health, and upgrading or downgrading the SGOS operating system on the ProxySG.
The Statistics, Configuration, and Maintenance tabs have individual menus that display on the left side of the Management Console.
Web Browser Requirements
• Supports JRE version 1.5.0_15 or later
• Java enabled
• Minimum resolution 1024x768
• When in FIPS mode:
— TLSv1 secured connection
— Enabled by default in JRE 1.6
— Must be enabled in Internet Explorer v6 and earlier
Slide 6—2: Web browser requirements
The Management Console consists of a set of Web pages and Java applets stored on the ProxySG. The ProxySG acts as a Web server on the management port to serve these pages and applets. You can access the Management Console securely over HTTPS on any client with a Web browser that supports Java Runtime Environment version 1.5.0_15 or later. In the Web browser, enter the address https://proxyIPaddr:port, where proxyIPaddr is the IP address you assigned to the ProxySG during configuration and port is the port number of the HTTPS-Console service, which defaults to 8082 but can be changed. A port number is required. A minimum display resolution of 1024x768 is recommended.
Management Console in FIPS Mode
When the ProxySG is operating in Federal Information Processing Standards (FIPS) mode, the Management Console loads only over a Transport Layer Security (TLS) version 1 secured connection. If your Web browser uses JRE version 1.5 or earlier, you must explicitly enable TLSv1. JRE version 1.6 enables TLSv1 by default. Microsoft Internet Explorer versions 6 and earlier do not have TLSv1 support enabled by default. To enable it, select Enable TLS 1.0 in IE’s advanced security options. Beginning in IE version 7, TLSv1 support is enabled by default. FIPS mode is enabled and disabled only from the command line interface, not the Management Console. When you enable or disable FIPS mode, the ProxySG reinitializes, reboots, and will be out of service for up to several minutes. Use these commands:
# fips-mode enable
# fips-mode disable
When operating in FIPS mode, many functions of the ProxySG appear and behave differently. The details of FIPS-mode operation are beyond the scope of this course. For more information on FIPS mode, refer to the “FIPS Upgrade Information” chapter of the SGOS Upgrade/Downgrade Feature Change Reference.
Slide 6—3: Accessing the Management Console
[The text for this page (the Management Console access control list, the HTTP and HTTPS console services on ports 8081 and 8082, authentication realms, and the event log) is not recoverable from the scan.]
Authentication Details
[Slide diagram: the client connects, the ProxySG returns a 401 response, and the client sends a username and password.]
Slide 6—4: Authentication details
Authentication is the act of determining the credibility of a user. The ProxySG checks the authenticity of a user in multiple ways before providing access. You need to have a username and password; also, if the access control list is not empty, the browser’s IP address should be present in the ACL. The above diagram explains the authentication process:
1. The client tries to connect directly to the ProxySG through port 8082. This is the default port; you can configure the Management Console to be accessible on any port.
2. The ProxySG sends a 401 response asking for user authentication (username and password).
3. The user enters the username and password.
4. The ProxySG checks for the IP address of the user in the ACL. At this point, it does not matter whether the credentials are valid. It checks just the IP address.
5. If the ACL is enabled and there is a match for the user’s IP address, the ProxySG goes on to check the credentials. If the ACL is empty, then all users can access the ProxySG with their credentials.
6. If the ProxySG fails to find a match for the user’s IP address, then it returns a 401 response demanding credentials.
7. If the credential check of the user is successful, the ProxySG grants access to the user.
8. If the credential check fails, the user receives another 401 response for authentication. The user might not be aware of the exact reason for receiving the 401 response. It could be either for the absence of the user’s IP address in the ACL or for the invalid user credentials.
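The eight-step sequence above, as an added example written for this page (not Blue Coat’s implementation): the ACL is consulted before the credentials, an empty ACL admits every address, and an ACL miss and a bad password both come back as the same 401 challenge, so only the administrator’s event log tells the two apart. The class name, the 10.10.0.0/24 ACL, the admin account and the log line formats are constructed for the demonstration.

```python
import hmac
import ipaddress


class ManagementConsoleAccess:
    """Constructed model of the Management Console access decision from
    Slide 6-4: ACL check first, then credentials; every refusal is a 401."""

    def __init__(self, acl=(), accounts=None):
        # acl: iterable of CIDR strings; an empty ACL means no workstation restriction
        self.acl = [ipaddress.ip_network(net, strict=False) for net in acl]
        # accounts: username -> password (plaintext only to keep the demo short)
        self.accounts = dict(accounts or {})
        self.event_log = []   # what the administrator would see in the event log

    def _ip_allowed(self, client_ip):
        if not self.acl:
            return True                           # step 5: empty ACL admits everyone
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.acl)

    def _credentials_valid(self, username, password):
        expected = self.accounts.get(username)
        if expected is None:
            return False
        # constant-time comparison so a wrong password is not distinguishable by timing
        return hmac.compare_digest(expected.encode(), password.encode())

    def request(self, client_ip, username=None, password=None):
        """Returns (HTTP status, reason) for one Management Console request."""
        challenge = (401, "credentials required")
        if username is None:
            return challenge                      # step 2: first request carries no credentials
        if not self._ip_allowed(client_ip):       # step 4: the ACL is checked before the password
            self.event_log.append(f"acl-reject client={client_ip} user={username}")
            return challenge                      # step 6: same 401 as a bad password
        if not self._credentials_valid(username, password or ""):
            self.event_log.append(f"auth-failure client={client_ip} user={username}")
            return challenge                      # step 8
        self.event_log.append(f"auth-success client={client_ip} user={username}")
        return 200, "access granted"              # step 7


def demo_statuses():
    """Constructed scenario: the console is limited to 10.10.0.0/24 with one admin account."""
    mc = ManagementConsoleAccess(acl=["10.10.0.0/24"], accounts={"admin": "example-pass"})
    statuses = [
        mc.request("10.10.0.5")[0],                           # no credentials yet -> 401
        mc.request("10.10.0.5", "admin", "example-pass")[0],  # allowed IP, valid creds -> 200
        mc.request("192.0.2.7", "admin", "example-pass")[0],  # valid creds, IP not in ACL -> 401
        mc.request("10.10.0.5", "admin", "wrong")[0],         # allowed IP, bad password -> 401
    ]
    return statuses, mc.event_log


def demo_empty_acl():
    """With an empty ACL, any address may authenticate (step 5)."""
    mc = ManagementConsoleAccess(acl=[], accounts={"admin": "example-pass"})
    return mc.request("192.0.2.7", "admin", "example-pass")[0]


if __name__ == "__main__":
    statuses, log = demo_statuses()
    print("responses seen by the client:", statuses)
    print("event log seen by the administrator:", *log, sep="\n  ")
    print("empty ACL, valid credentials:", demo_empty_acl())
```

The client-side list contains three identical 401s for three different situations (no credentials yet, ACL miss, wrong password), which is why troubleshooting a locked-out administrator starts from the event log rather than from the browser’s response.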
User Interface to CLI
[Slide diagram: the client opens the Management Console and modifies the configuration; the Management Console writes the CLI commands necessary to perform the action to the Registry.]
Slide 6—5: User interface to CLI
The Management Console generates the CLI commands necessary to perform the actions you request. As shown in the above diagram:
1. When you open the Management Console, the Java applet loads.
2. Every time you click on a new tab, the Management Console retrieves the information from the registry. The registry is a storage of all ProxySG configuration data. The registry can be viewed by entering the following address in your Web browser:
https://proxyIPaddr:8082/registry/show
3. You now can perform your changes in the configuration. Through the Management Console, you can configure a wide range of settings. You can launch the Visual Policy Manager from the Management Console, which helps you implement your organization’s rules by creating policies, performing maintenance tasks, and gathering information about system operations.
4. When you click Apply, the Management Console generates the CLI commands necessary to complete the configuration. The updated configuration is stored in the ProxySG registry.
Managing Concurrent Access
[Slide diagram: Admin #1 accesses the Registry first; Admin #2 accesses it while Admin #1 is still using the Management Console.]
Slide 6—6: Managing concurrent access
The Management Console allows multiple users to access it concurrently. As a result, you can access the Management Console at the same time another user is using the Management Console. Even as administrator #1 is modifying the configuration through the Management Console, administrator #2 can access the Management Console and also perform tasks. The Management Console can accept modifications without any difficulties from multiple users if the modifications happen in different parts of the registry. However, there is no protection if multiple users try to change the same aspect of configuration concurrently. When two users try to make the same changes in the configuration at the same time, the changes made by the user who is the last to commit them stay in the registry. You can prevent this by restricting the number of users who are authorized to change the basic settings in the configuration.
Management Console Header
Slide 6—7: Management Console header
After you have logged in to the ProxySG, the Management Console header displays. It contains several pieces of information about the ProxySG on which it is running:
1. The appliance name that can be configured by the administrator is displayed in the header line, in the Web browser title bar, and in the computer’s taskbar.
2. The model of this ProxySG.
3. The serial number of this ProxySG.
4. The version of the SGOS operating system currently running on this ProxySG.
5. Whether this version of SGOS is the Proxy Edition or the MACH5 Edition.
6. The license status of this ProxySG.
7. The current health status of this ProxySG.
Statistics Tab
[Slide screenshot of the Statistics tab; left navigation: Summary, Traffic Mix, Traffic History, ADN History, Bandwidth Management, ProxyClient History, Network, ICAP, Protocol Details, System, Sessions, Health Monitoring, Health Check, Access Logging, Authentication, Advanced.]
Slide 6—8: Statistics tab
When you launch the Management Console, the Statistics tab displays a summary of network traffic and applications, showing how the ProxySG is using its acceleration, optimization, policy control, and caching techniques to improve the performance of traffic on your network. The page refreshes about once every 60 seconds. This tab gathers and displays information about system operations. Click an option in the left navigation bar, and the browser displays the appropriate interface, which you can use to configure a wide range of settings.
The Statistics > Summary > Efficiency tab (shown above), which is the default display, shows the bandwidth gain achieved by up to the top five services during the past hour within your network in the Savings panel, and the performance of each interface in the Interface Utilization panel. This tab also displays the duplex settings for each interface and indicates whether the interface uses full duplex or half duplex. If a duplex mismatch occurs when the interface is auto-negotiated and the connection is set to half duplex, the display icon changes to a yellow warning triangle. If you see a duplex mismatch, you can adjust the interface settings by going to Configuration > Network > Adapters. The Statistics > Summary > Device tab displays a snapshot of key system resources, identification specifics, and the status of external devices that are connected to the ProxySG.

Other displays available from the Statistics tab include:
• Traffic Mix: Displays traffic distribution and bandwidth statistics for traffic running through the ProxySG. You can display statistics for proxy types or for services, and for various time periods. The display refreshes whenever you switch views or change the duration of the sample. If there is no activity, the data refreshes every 60 seconds.
• Traffic History: Monitors the traffic statistics for all traffic running through the ProxySG. The graphical data in the page also gives you details on the bandwidth usage, bandwidth gain, client bytes and server bytes. Chart data updates automatically every 60 seconds.
• ADN History: Displays WAN optimization performance, dictionary sizing, and adaptive compression statistics.
• Bandwidth Management: Displays the current class and total class statistics.
• ProxyClient History: Displays bandwidth usage, the number of active clients, configurations served, software served, and client version count for ProxyClient installations served from this ProxySG.
• Network: The Interface History page displays the traffic to and from each interface, including virtual local area network (VLAN) traffic. This display can be useful in verifying that traffic is being seen by the ProxySG.
• ICAP: Graphically displays information on Internet Content Adaptation Protocol traffic over time, including active requests, number of connections, completed requests, and number of bytes. The display can be filtered to show any or all of plain, secure, deferred, and queued requests. The display can show statistics by service or by service group.
• Protocol Details: Provides statistics for the protocols serviced by the ProxySG. These statistics complement the statistics in the Traffic History and Traffic Mix pages.
• System: Displays resource statistics, content statistics, event logging statistics, and failover statistics.
• Sessions: Displays information on active and errored sessions.
• Health Monitoring: Displays the current state of the health monitoring metrics. Health monitoring uses key hardware and software metrics to provide administrators with a remote view of the health of the system.
• Health Check: Displays the state of various health checks: whether the health check is enabled or disabled, if it is reporting the device or service to be healthy or sick, or if errors are being reported.
• Access Logging: Displays the log tail, log size, and upload status of the access log.
• Authentication: Displays information on user login by username or IP address.
• Advanced: Enables you to view a variety of system statistics located in one place and accessible with URLs that can be accessed independently of the Management Console.
The details of these displays are discussed in the relevant chapters of this and subsequent courses.
Configuration Tab
[Slide screenshot of the Configuration tab; left navigation: General, Network, ADN, Services, ProxyClient, SSL, Proxy Settings, Bandwidth Management, Authentication, Content Filtering, Threat Protection, External Services, Forwarding, Health Checks, Access Logging, Policy.]
Slide 6—9: Configuration tab
The Configuration tab is the starting point for most of the operational tasks that you perform on the ProxySG. You access this tab to change the configuration of the ProxySG and to create objects and parameters that you use in creating policies. Settings include:
• General: Configure the name and serial number of the ProxySG, configure system time, and archive configurations.
• Network: Configure adapters and interface settings, software and hardware bridges, gateways, routing tables, DNS servers, and IPv6 settings. Interface settings include the ability to assign your own names to each interface.
• ADN: Configure ProxySG appliances to improve application traffic over the WAN.
• Services: Configure the proxy services available on the ProxySG, including CIFS, FTP, HTTP, HTTPS, instant messaging, MAPI, SSL, SOCKS, streaming, and TCP tunnel.
• ProxyClient: Configure the settings used to act as a ProxyClient server for mobile users.
• SSL: Create keyrings, import and create certificates, check the validity of certificates, and create an SSL client.
• Proxy Settings: Provide various services that can enhance different proxy settings, such as CIFS, FTP, HTTP, IM, and MAPI.
• Bandwidth Management: Control the amount of bandwidth used by different classes of network traffic; set priority for bandwidth among different classes.
• Authentication: Define authentication realms, including IWA, LDAP, RADIUS, and other realms; set up forms-based authentication.
• Content Filtering: Configure the ProxySG to use Blue Coat WebFilter or a third-party filter to block access to websites based on their content.
• Threat Protection: Manage the interaction between the ProxySG and the WebPulse cloud computing service; configure a ProxyAV for off-board malware scanning.
81 BlueTouch Training Services — BCCPA Course v3.5.1
• External Services: Install an ICAP server or create a Websense off-box service.
• Forwarding: Set up forwarding, allowing you to define the hosts and groups of hosts to which client requests can be redirected.
• Health Checks: Configure health checks on (and the availability of) a forwarding host or external server that is providing a service.
• Access Logging: Enable the logging of traffic through the ProxySG, configure access log settings, select an access log upload client, and set an upload schedule.
• Policy: Set the default proxy policy to deny or allow traffic, view and install policy files, and access the VPM to create new policy.
The details of these displays are discussed in the relevant chapters of this and subsequent courses.
Maintenance Tab
Slide 6-10: Maintenance tab
The Maintenance tab is where you perform administrative tasks on the ProxySG and manage its relationship with Blue Coat. Its sections include:
• Registration: Register the ProxySG with Blue Coat.
• Service Information: View system information and send service information to Blue Coat, for example after a crash.
• Event Logging: Specify which types of system events are logged, the event log size, and whether event notifications are sent by email.
• Health Monitoring: Configure health-monitoring notifications.
• SNMP: Enable Simple Network Management Protocol (SNMP) monitoring of the ProxySG.
• Licensing: View the current license status and license expiration, and install new licenses.
• Upgrade: Upgrade the ProxySG software, either automatically or on demand.
• Director: Register the ProxySG with Blue Coat Director.
• Disks: View the status of the system disks.
• Core Images: Specify how much detail is logged in a core image.
• Restart: Restart the ProxySG; you also can clear the caches.
Apply, Preview, and Revert
Slide 6-11: Apply, Preview, and Revert
Changes that you make in the Management Console are not committed to the ProxySG until you click Apply. Pending changes are indicated by an asterisk (*) next to the corresponding item in the Management Console menu. Before you apply, you can click Preview to see the CLI commands that the Management Console will send: the pending actions are listed in the Preview window, and double-clicking an action displays the commands recorded for it. To cancel the pending changes and return to the previous setting, click Revert. In the above example, the Trust Destination IP setting was changed, and Preview shows the corresponding commands.
Important: Once you click Apply, the changes cannot be undone with Revert; you must revert them by hand.
Sample CLI Generation
Slide 6-12: Sample CLI generation
In general, the Management Console issues only the CLI commands necessary to perform the task you want. However, the Management Console acts differently when you enter a list in which the order is relevant. For instance, the ProxySG uses DNS (Domain Name Service, an Internet service that translates domain names into IP addresses) servers in the order displayed. Servers are always contacted in the order in which they appear in the list. The ProxySG contacts the primary server first. If it does not receive a response from that server, then it contacts the secondary server. For example, if you want to add a secondary DNS server where the order is important, the Management Console automatically issues the necessary CLI commands to correctly order the items in the list. In the above example, 172.16.90.110 is the IP address of the existing DNS server in the primary forwarding group, and an additional server at 4.2.2.2 is to be added.
1. Go to Configuration > Network > DNS > Groups.
2. Click on the primary line to select that group, and click Edit.
3. In the Edit DNS Forwarding Group window, click before the existing entry, and then enter the new address, 4.2.2.2. Then, press the Enter key, and click OK.
4. To see the CLI commands that have been generated, click Preview, and then double-click on Begin DNS Settings in the Preview section.
5. The CLI add server command adds the new server to the end of the server list. In order to move it to the top of the list as shown in the Management Console, the CLI automatically generates a promote command to move 4.2.2.2 to position 1 in the list.
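The following is an added example, not Blue Coat code and not part of the course text: a small model of how an ordered-list edit such as the one above expands into the CLI commands that preserve the order. It generalizes the single case on the slide to any reordering (removals, additions, and moves), and it replays the generated commands independently so that the result can be checked. The page names only the add server and promote commands; the exact syntax used here (remove server X, promote X N) is an assumption for illustration.

```python
# Added example (not Blue Coat code): a model of how an ordered-list edit in
# the Management Console expands into CLI commands that preserve the order.
# The CLI 'add server' command appends to the end of the list, so placing a
# server ahead of an existing one needs a further 'promote' command. The
# exact command syntax ('remove server X', 'promote X N') is assumed for
# illustration; the page names only 'add server' and 'promote'.
from typing import List


def generate_dns_commands(current: List[str], desired: List[str]) -> List[str]:
    """Return the CLI commands that turn `current` into `desired`, in order.

    Servers that disappear are removed, new servers are added (landing at the
    end of the list), and each server is then promoted to its final position
    from left to right. Because positions 1..p-1 are already correct when
    position p is handled, later promotes never disturb earlier ones.
    """
    commands: List[str] = []
    working = list(current)

    for server in current:
        if server not in desired:
            commands.append(f"remove server {server}")
            working.remove(server)

    for server in desired:
        if server not in working:
            commands.append(f"add server {server}")
            working.append(server)          # 'add server' appends to the end

    for position, server in enumerate(desired, start=1):
        if working.index(server) != position - 1:
            working.remove(server)
            working.insert(position - 1, server)
            commands.append(f"promote {server} {position}")

    assert working == desired, "order reconciliation failed"
    return commands


def apply_commands(initial: List[str], commands: List[str]) -> List[str]:
    """Replay generated commands against a list, to verify the result
    independently of the generator (the same list semantics are assumed)."""
    servers = list(initial)
    for command in commands:
        words = command.split()
        if words[:2] == ["add", "server"]:
            servers.append(words[2])
        elif words[:2] == ["remove", "server"]:
            servers.remove(words[2])
        elif words[0] == "promote":
            server, position = words[1], int(words[2])
            servers.remove(server)
            servers.insert(position - 1, server)
        else:
            raise ValueError(f"unexpected command: {command}")
    return servers


if __name__ == "__main__":
    # The page's example: 172.16.90.110 exists; 4.2.2.2 is inserted in front.
    before = ["172.16.90.110"]
    after = ["4.2.2.2", "172.16.90.110"]
    for line in generate_dns_commands(before, after):
        print(line)
    print(apply_commands(before, generate_dns_commands(before, after)))
```

For the slide's case the generator emits exactly the two commands the text describes, add server 4.2.2.2 followed by promote 4.2.2.2 1; because DNS servers are contacted in list order, replaying the commands with apply_commands before applying a change is the check an administrator would want when the order affects which resolver answers first.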
IPv6 Support
Slide 6-13: IPv6 support (diagram: an IPv4 client, the ProxySG, a DNS server, and an IPv6 server for bluecoat.com at 2001:1:2:3:4:5:6)
Internet Protocol version 6 (IPv6) is a protocol designed to replace version 4 (IPv4), the currently dominant protocol, to vastly expand the Internet’s address space to accommodate the growth in network-connected devices. The Secure Web Gateway functions of the ProxySG are supported both in IPv4 and IPv6 networks. Support for IPv6 is enabled by default and requires minimal IPv6-specific configuration. In the Management Console and command line interface, IP addresses can be entered in either IPv4 or IPv6 format and, where applicable, include a field for entering the prefix length (for IPv6 addresses) or subnet mask (for IPv4 addresses). The following proxies have underlying protocols that support IPv6 and can communicate using either IPv4 or IPv6: DNS, FTP, HTTP, HTTPS, SSL, TCP tunnel, and Telnet shell. These proxies are discussed in the relevant chapters of this and other courses. The ProxySG also offers functionality as an IPv4-to-IPv6 transition device. When an IPv6-enabled ProxySG is deployed between IPv4 and IPv6 networks as shown in the above diagram, IPv4 clients can access resources and services that are available only in the IPv6 domain:
1. On the ProxySG, the HTTP proxy terminates the inbound HTTP request.
2. The ProxySG queries a DNS server.
3. The DNS server responds with the address of the IPv6 server.
4. The ProxySG makes an outbound IPv6 connection to the server, honoring the request from the IPv4 client. The requested content is spliced from the IPv6 connection to the IPv4 connection toward the client without the need to perform any type of translation.
Likewise, IPv6 clients can access IPv4 resources when an IPv6-enabled ProxySG is part of the deployment. The ProxySG understands both IPv4 and IPv6 addresses, handles the DNS resolution of IPv4 and IPv6, and provides multiple proxy services that work in an IPv6 environment. In the Management Console, two global IPv6 configuration settings are available at Configuration > Network > Advanced > IPV6:
• To bypass all IPv6 traffic, select Enable IPv6 force-bypass. When this is selected, all IPv6 traffic is bridged or routed.
• To have the ProxySG route bypassed traffic, select Enable IPv6 forwarding. When this option is disabled, the ProxySG discards bypassed traffic that is processed at Layer 3.
Both of these options are disabled by default. IPv6 support on the ProxySG has these limitations:
• The following proxies do not currently have IPv6 support: streaming via MMS, SOCKS, instant messaging (AOL-IM, MSN-IM, Yahoo-IM), CIFS, and MAPI.
• The ProxySG does not intercept link-local addresses in transparent mode because such a deployment is not practical; transparent link-local addresses are bypassed.
• IPv6 is not supported in a WCCP deployment.
A brief introduction to IPv6 concepts is included as an appendix to this book.
Chapter 7: Services
The Blue Coat ProxySG lets you configure which traffic is to be intercepted. Services define the ports on which the ProxySG listens for incoming requests. Each service can be applied to all IP addresses or limited to a specific set of addresses and port combinations. A variety of settings can be defined for each service. The ProxySG ships with a number of pre-defined services, you can create additional services as needed, and services can be arranged into logical service groups.
Unless there is a service set to intercept that matches the destination TCP port and the IP address range for an incoming transaction, the connection is not terminated by the proxy. Depending on the specific deployment mode, traffic that is not terminated is dropped or forwarded to the next available hop, but it is not processed against existing policies.
After studying this chapter, you will understand:
• The two types of services on the ProxySG.
• The pre-defined proxy service groups and the types of services that are part of each group.
• How traffic is intercepted and bypassed.
• The settings that are used to control the behavior of services.
• How management services facilitate administration of the ProxySG.
Service Types
Slide 7-1: Two types of services (diagram: proxy services between client and server; management services for administrators)
The Management Console makes it easy to configure two types of services: proxy services and management services. The ProxySG ships with a number of pre-defined services; additional services can be added as needed.
• Proxy services: These allow the ProxySG to communicate with other systems, such as clients, servers, and other proxies. Proxy services define the ports and addresses where the ProxySG listens for incoming requests. Each proxy service is associated with a proxy type. For example, the pre-defined HTTPS proxy service is associated with the SSL proxy. A variety of settings for each proxy service can be defined, depending on the proxy type.
• Management services: These are used to administer the ProxySG. The ProxySG comes with five consoles designed to manage communication with the system. Consoles are pre-defined for HTTP, HTTPS, SNMP, and SSH. A Telnet console is available, but the service is not defined by default.
Proxy Service Groups
Group                  Services
Standard               HTTP, CIFS, FTP, HTTPS, Streaming, DNS, Endpoint Mapper, Instant messaging, SOCKS
Bypass Recommended     Cisco VPN, Oracle over SSL, Blue Coat ADN/WANop, Blue Coat management, Other encrypted services
Tunnel Recommended     Citrix, Lotus Notes, IMAP, Other business applications, LDAP
Default Action         Any traffic not matching listeners on other services
Custom Service Groups  Services created by the administrator
Slide 7-2: Proxy service groups
Services on the ProxySG are organized into service groups based on the type of traffic that each service carries. You can edit the pre-defined service groups, and you can create custom groups. The pre-defined service groups are:
• Standard: These are the most commonly intercepted services.
• Bypass Recommended: These services contain encrypted data and, therefore, probably cannot benefit significantly from ADN optimization. This service group also includes other interactive services.
• Tunnel Recommended: These services use the TCP-Tunnel proxy to provide basic application-independent acceleration.
• Default Action: This detects any traffic that does not match other listeners on any other services. It is essentially a global default "bypass" or "intercept" setting.
To list all of the services in a particular group in the Management Console, go to Configuration > Services > Proxy Services. In the scrollable list of service groups, click on the name of a group to expand it and list its services. The list of available services varies depending on whether your ProxySG is running the MACH5 Edition or the Proxy Edition of the SGOS operating system. You also can create custom service groups, which are listed alphabetically under the Custom Service Groups section.
Proxy Services
Slide 7-3: Proxy services
The slide table lists the proxy services that are pre-defined when SGOS is installed; the set of pre-defined services differs between the MACH5 Edition and the Proxy Edition. Each pre-defined service has a corresponding proxy type and listens on a common port or port combination (for example, Explicit HTTP on ports 80 and 8080, and Telnet on port 23). Service names in the table include External HTTP, Explicit HTTP, Internal HTTP, HTTPS, FTP, DNS, SOCKS, Telnet, Endpoint Mapper, MMS, RTMP, AOL-IM, MSN-IM, Yahoo-IM, CIFS, IMAP, POP3, SMTP, LDAP, Kerberos, NFS, NCP, LPD, TSP, SSH, XWindows, Citrix, Lotus Notes, Novell GroupWise, MS Terminal Server, MS SQL Server, MySQL, Oracle, and Sybase SQL. Several of these services are pre-defined but bypassed by default, and an administrator can define additional services as needed.
HTTP Services
Slide 7-4: HTTP services
The HTTP proxy is extremely robust when handling Internet traffic. But with applications on internal networks, issues can arise because:
• Applications deployed within the enterprise are not well designed or tested and can break when a proxy introduces even slight changes.
• Some applications use port 80 but are not really HTTP.
• Some applications pretend to be HTTP but do not follow the HTTP specification closely.
To best handle applications running on an intranet, the ProxySG provides three HTTP services:
• External HTTP: This service handles all transparent-proxy HTTP port 80 requests. This service uses the HTTP proxy.
• Explicit HTTP: This service handles all explicit-proxy HTTP requests on ports 8080 and 80. This service also uses the HTTP proxy.
• Internal HTTP: This service transparently intercepts HTTP traffic from clients to internal network hosts. This service uses a TCP tunnel because some applications deployed within enterprise networks are not fully compatible with HTTP specifications or are poorly designed, causing connection disruptions when using an HTTP proxy. By default, the Internal HTTP service uses the following addresses: 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, and 192.0.2.0/24.
Listeners
Slide 7-5: Listeners
Every proxy service must have at least one listener, and a service can have more than one. A listener defines where the service listens for incoming connections and is uniquely identified by three parameters:
• Source IP address: The address from which the request originates. This is All by default, or it can be limited to a specific IP address or subnet.
• Destination IP address: All, Transparent, Explicit, or a specific destination IP address or subnet (see the next slide).
• Destination TCP port: Usually the industry-standard port for the protocol (for example, ports 80 and 8080 for the Explicit HTTP service).
All pre-defined proxy services and management services have listeners. Policies are applied only to traffic that matches a listener on a service set to intercept.
Important: Listener definitions must be unique; the same listener cannot be configured for more than one service.
Destination Addresses
Mode                      Behavior
All                       Intercepts all packets regardless of destination address
Transparent               Intercepts packets with a destination IP address not matching that of the ProxySG
Explicit                  Intercepts packets with a destination IP address matching that of the ProxySG
Destination host/subnet   Intercepts packets matching a specific destination IP address or subnet
Slide 7-6: Destination addresses
The destination address component of each listener can be configured to one of four modes:
• All: This mode intercepts all IP addresses. This means that all the packets that pass through the ProxySG are intercepted, regardless of the destination address.
• Transparent: In this mode, packets with a destination IP address that does not belong to the ProxySG are intercepted transparently and processed without changing the IP header of the source and destination packets. This setting requires a bridge (such as the one available in the ProxySG), a Layer 4 switch, or a WCCP-compliant router. Requests can also be transparently redirected through a ProxySG by setting the workstation's gateway to the IP address of the ProxySG.
• Explicit: This mode handles requests sent explicitly to the ProxySG instead of to an origin content server.
• Destination host or subnet: This mode intercepts traffic only for a specific IP address or subnet.
Proxy Service Actions
Slide 7-7: Proxy service actions
Actions define whether the ProxySG terminates and proxies traffic that a listener has detected. An action can be performed only if the traffic matches the proxy listener. There are two possible actions: intercept and bypass.
• Intercept: Tells the proxy service to intercept and proxy any traffic that matches the proxy listener. If policies exist for the proxy service, they are enforced.
• Bypass: Tells the proxy service not to intercept any traffic that matches the proxy listener. Policies are not enforced on the traffic.
Changing the state of a service to bypass or intercept is a necessary step in configuring a proxy, but it alone is not sufficient. For any service that you intercept, you also must configure the proxy settings and define policy, both of which determine how the ProxySG processes the intercepted traffic. These topics are discussed later in this and other courses.
Unintercepted Traffic
Slide 7-8: Unintercepted traffic
In the previous flowchart, the meaning of the action "unintercepted traffic" differs based on how the client connects to the ProxySG. The result experienced by the user can be either the requested data or an error message about a connection being refused. To bypass traffic does not necessarily mean to permit or to deny the traffic.
If the client connects explicitly to the ProxySG but there is no service matching that connection that is set to intercept, the connection is refused and the client displays an error. No other settings can influence or change this behavior.
When the client is transparently proxied, there is a difference between bridging mode and all other transparent proxy deployments. In bridging mode, the traffic is allowed to reach the requested origin content server; the ProxySG passes the incoming traffic from one interface to another. For all other transparent proxy deployments, verify that the setting Enable IP forwarding in the Management Console, under Configuration > Network > Routing > Gateways, is selected. IP forwarding must be enabled in order for the ProxySG to route incoming traffic that is transparently proxied and does not match a service set to intercept or a management service.
Traffic Flow
Slide 7-9: Traffic flow (diagram: client, ProxySG, and server with exit points A, B, and C; the access-denied notification seen by the client varies from browser to browser and between explicit and transparent connections)
The above diagram shows how the services framework of the ProxySG determines whether a client request is transmitted to the server.
1. All traffic is processed at the network layer. If traffic matches the bypass list, then A is the exit point.
2. The remaining traffic is processed at the service level. If it matches a service set to intercept, the processing moves to Step 3. Otherwise, B is the exit point.
3. Only traffic intercepted by a service goes through policy processing. In this case, if the traffic is allowed, then C is the exit point.
Traffic that reaches exit point A or B continues to the server if bridging or IP forwarding is enabled on the ProxySG. When traffic reaches exit point C, the decision whether to allow the connection is made based on policy that has been configured on the ProxySG. Policy processing is discussed in detail later in this course.
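The following is an added example, not Blue Coat code and not part of the course text: a small model of the three-step decision in the flowchart, combined with the unintercepted-traffic rules from the previous slide. It reports which exit point (A, B, or C) a connection takes and whether the traffic reaches the server: an explicit client with no intercepting service is refused, transparent traffic at exit A or B continues only when bridging or IP forwarding is enabled, and only intercepted traffic is subject to policy. The service table, bypass list, deployment flags, and policy function are constructed for illustration and keyed by destination port only; a real listener match also considers addresses.

```python
# Added example (not Blue Coat code): a model of the services-framework
# decision shown in the traffic-flow diagram. Services, bypass list and the
# policy function are constructed for illustration and keyed by port only.
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass
class Connection:
    dst_port: int
    explicit: bool      # True when the client addressed the ProxySG itself
    url: str = ""


def _allow_all(conn: Connection) -> bool:
    """Default policy: allow everything (constructed placeholder)."""
    return True


@dataclass
class ProxyConfig:
    services: Dict[int, str]                         # dst port -> "intercept" | "bypass"
    bypass_list: Set[int] = field(default_factory=set)   # network-layer bypass, by port
    bridging: bool = False                           # transparent bridging deployment
    ip_forwarding: bool = False                      # Enable IP forwarding setting
    policy: Callable[[Connection], bool] = _allow_all  # True = allow, False = deny


def _unintercepted_outcome(conn: Connection, cfg: ProxyConfig) -> str:
    """What happens to traffic that no proxy service terminates."""
    if conn.explicit:
        # Explicit connection with nothing set to intercept: refused, and no
        # other setting changes this.
        return "refused"
    if cfg.bridging:
        return "server"            # passed from one interface to the other
    return "server" if cfg.ip_forwarding else "dropped"


def route(conn: Connection, cfg: ProxyConfig) -> Tuple[str, str]:
    """Return (exit_point, outcome) for a connection.

    exit_point is 'A', 'B' or 'C'; outcome is 'server', 'dropped',
    'refused' or 'denied'.
    """
    # Step 1: network layer. A bypass-list match leaves at exit A.
    if conn.dst_port in cfg.bypass_list:
        return "A", _unintercepted_outcome(conn, cfg)

    # Step 2: service level. Only a service set to intercept continues.
    if cfg.services.get(conn.dst_port) != "intercept":
        return "B", _unintercepted_outcome(conn, cfg)

    # Step 3: policy processing applies only to intercepted traffic.
    return ("C", "server") if cfg.policy(conn) else ("C", "denied")


if __name__ == "__main__":
    # Constructed configuration: intercept HTTP, bypass HTTPS, bypass SSH at
    # the network layer, transparent deployment with IP forwarding enabled.
    cfg = ProxyConfig(services={80: "intercept", 443: "bypass"},
                      bypass_list={22}, ip_forwarding=True,
                      policy=lambda c: "blocked" not in c.url)
    for conn in (Connection(80, True, "http://example.test/"),
                 Connection(80, True, "http://blocked.test/"),
                 Connection(443, True), Connection(443, False),
                 Connection(22, False), Connection(25, False)):
        print(conn, "->", route(conn, cfg))
```

Running the block shows the asymmetry the text describes: the same bypassed port 443 yields a refused connection for an explicit client and a pass-through for a transparent one, and switching ip_forwarding off turns the transparent pass-through into a drop while leaving intercepted, policy-allowed traffic unaffected.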
Proxy Service Settings
Slide 7-10: Proxy service settings
Service settings define the default parameters for a proxy service. It is important to understand service settings because they affect how the proxy service processes traffic. There are three types of service settings, as shown in the above examples. The settings that are available for a service vary based on the proxy type that the service is using. For example, the Detect Protocol setting is available in the External HTTP and LDAP services, but not in the AOL IM service. If a setting cannot be changed, it is grayed out, such as the TCP/IP Early Intercept setting for the AOL IM and External HTTP services in this example. Details of how to use these settings are covered in the chapters about individual services and protocols.
Proxy Settings
• Authenticate-401: All transparent and explicit requests received on the port always use transparent authentication (cookie or IP, depending on the configuration). This is especially useful to force transparent proxy authentication in some proxy-chaining scenarios.
• Detect Protocol: Detects the protocol being used. Protocols that can be detected include HTTP, peer-to-peer (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper.
• Keyring, CCL: These settings allow you to specify a certificate list used for verifying client certificates.
• Forward Client Cert: When used with the Verify Client setting, this setting puts the extracted client certificate information into a header that is included in the request when it is forwarded to the OCS. The name of the header is Client-Cert. The header contains the certificate serial number, subject, validity dates, and issuer (all as name=value pairs). The actual certificate itself is not forwarded.
• Enable SSL Version 2, Enable SSL Version 3, Enable TLS: Allow you to select which versions of SSL you want to support. The default is to support all three versions. This attribute is available only for HTTPS Reverse proxy. SSL 2.0 and SSL 3.0 have since been deprecated (RFC 6176 and RFC 7568), so on a current deployment only TLS should be left enabled.
• Verify Client: Requests and validates the SSL client certificate. This attribute is available only for HTTPS Reverse proxy.
TCP/IP Settings
• Early Intercept: Controls whether the proxy responds to client TCP connection requests before connecting to the upstream server. When early intercept is disabled, the proxy delays responding to the client until after it has attempted to contact the server. If Detect Protocol is enabled for the service, Early Intercept is selected automatically.
Application Delivery Network Settings
• Enable ADN: Controls whether ADN is enabled for a specific service. Enabling ADN does not guarantee that the connections are routed through an ADN tunnel. Instead, when ADN is enabled, whether a connection actually uses ADN is determined automatically by ADN routing (for a transparent deployment) or by the ADN setup (for an explicit deployment).
• Optimize Bandwidth: Controls whether bandwidth usage is optimized when the connection is routed through an ADN tunnel.
Global Service Settings
Setting                   Behavior
Tunnel on protocol error  Tunnels non-HTTP traffic on any HTTP service
Reflect Client IP         The ProxySG connects to the OCS using the client's IP address as the source IP address
Trust Destination IP      Does not do a DNS lookup on the specified address
User overflow action      Specifies handling of traffic belonging to users in excess of license limits
Slide 7-11: Global service attributes
The ProxySG supports four global option settings for proxy services. These are set in the Management Console at Configuration > Proxy Settings > General and apply to all proxy services, but not to management services.
• Tunnel on protocol error: Some HTTP parsing errors might cause the ProxySG to issue an exception, which could break applications. This could be caused by non-HTTP client requests, HTTP requests that contain non-HTTP components, or formatting errors. When this setting is enabled, the ProxySG tunnels non-HTTP traffic on any HTTP service.
• Reflect Client IP: This option determines how the client IP address is presented to the origin content server for all requests. This setting should be used with caution. Enabling this attribute causes the ProxySG to connect to the origin content server using, as its source IP address, the IP address of the client that made the request. You must ensure that the response from the OCS (note that the OCS now replies to the IP address of the client) goes through the ProxySG; if there is a direct path between the client and the OCS, you end up with asymmetric connections. The client displays an error because the connection setup does not terminate properly.
• Trust Destination IP: If a client sometimes provides a destination IP address that the ProxySG cannot determine, you can configure the ProxySG to allow that IP address and not do a DNS lookup. This can improve performance, but it also potentially can cause a security issue, because the ProxySG then connects to whatever address the client supplied rather than to the address that DNS resolves for the requested host.
Important: The Reflect Client IP and Trust Destination IP settings can be used only in transparent ProxySG deployments.
• User Overflow Action: If you have more users going through the ProxySG than are allowed by your license, you can configure overflow behavior. This setting is described in detail in the Blue Coat Product Licensing chapter of this course.
Multiple Listeners
Slide 7-12: Multiple listeners
Because listeners are defined by address and port combinations, more than one listener can match an incoming connection. In the above example, the ProxySG has the address 192.168.0.50; services on TCP port 80 are defined for the destination ranges 10.0.0.0/8, 10.0.0.0/16, and 10.0.0.0/24, External HTTP listens on port 80 for Transparent destinations, Explicit HTTP listens on ports 80 and 8080 for Explicit destinations, and the HTTP-Console management service listens on port 8081. The question is which service terminates a connection whose destination is, for example, 192.168.0.50 on port 80, or an address in the 10.0.0.0/24 range on port 80. The ProxySG answers it deterministically: the listener with the most specific destination IP address (the longest prefix, up to a 32-bit netmask) that also matches the destination port handles the connection. Where possible, define non-overlapping listeners so that the service handling each connection is the one you want.
When a new connection is established, the ProxySG first finds the most specific listener destination IP address. If a match is found and the destination port also matches, the connection is then handled by that listener. If the destination port of the listener with the most specific destination IP address does not match, the next most specific destination IP address is found; this process continues until either a complete match is found or no more matching addresses are found.
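The following is an added example, not Blue Coat code and not part of the course text: the listener-selection rule just described, implemented for both IPv4 and IPv6 addresses with Python's standard ipaddress module. Candidate listeners are ordered from the most specific destination address (longest prefix) to the least specific, and the first one whose destination port also matches wins. The listener table is constructed for illustration from services named in this chapter (the Internal HTTP default subnets, External HTTP, Explicit HTTP on ports 80 and 8080, HTTP-Console on 8081) plus a hypothetical Branch HTTP service on 10.0.0.0/24; the appliance addresses are constructed, and the relative ranking of the All, Transparent, and Explicit modes below any subnet listener is an assumption of this model. The example also applies the IPv6 limitation from Chapter 6 that transparent link-local traffic is bypassed.

```python
# Added example (not Blue Coat code): most-specific-listener selection over
# IPv4 and IPv6. The listener table, appliance addresses and the ranking of
# the All/Transparent/Explicit modes are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Listener:
    service: str
    destination: str            # "all", "transparent", "explicit" or a CIDR prefix
    ports: FrozenSet[int]
    action: str                 # "intercept" or "bypass"


# Internal HTTP default subnets as named on the page; "Branch HTTP" is a
# hypothetical custom service added to show the most-specific rule at work.
INTERNAL_HTTP_SUBNETS = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
                         "169.254.0.0/16", "192.0.2.0/24"]
SAMPLE_LISTENERS: List[Listener] = [
    Listener("Internal HTTP", net, frozenset({80}), "intercept")
    for net in INTERNAL_HTTP_SUBNETS
] + [
    Listener("External HTTP", "transparent", frozenset({80}), "intercept"),
    Listener("Explicit HTTP", "explicit", frozenset({80, 8080}), "intercept"),
    Listener("HTTP-Console", "explicit", frozenset({8081}), "intercept"),
    Listener("Branch HTTP", "10.0.0.0/24", frozenset({80}), "bypass"),
]
PROXY_IPS = ["192.168.0.50", "2001:db8::50"]   # constructed appliance addresses


def _specificity(listener: Listener, proxy: Set[Address], addr: Address) -> Optional[int]:
    """Rank how specifically the listener's destination covers addr.

    CIDR entries rank by prefix length (a host entry is /32 or /128).
    Transparent and Explicit depend on whether addr is one of the appliance's
    own addresses and rank below any prefix; All ranks lowest. Returns None
    when the listener does not cover addr at all.
    """
    dst = listener.destination
    if dst == "all":
        return -2
    if dst == "explicit":
        return -1 if addr in proxy else None
    if dst == "transparent":
        return -1 if addr not in proxy else None
    net = ipaddress.ip_network(dst, strict=False)
    if net.version != addr.version or addr not in net:
        return None
    return net.prefixlen


def select_listener(listeners: Iterable[Listener], proxy_ips: Iterable[str],
                    dst_ip: str, dst_port: int) -> Optional[Listener]:
    """Return the listener that handles a connection to dst_ip:dst_port.

    Candidates are walked from the most specific destination address to the
    least specific; the first whose port set also matches wins. Ties keep
    table order, because sorted() is stable.
    """
    addr = ipaddress.ip_address(dst_ip)
    proxy = {ipaddress.ip_address(p) for p in proxy_ips}
    # Transparent IPv6 link-local traffic is not intercepted (page statement).
    if addr.version == 6 and addr.is_link_local and addr not in proxy:
        return None
    ranked = []
    for listener in listeners:
        rank = _specificity(listener, proxy, addr)
        if rank is not None:
            ranked.append((rank, listener))
    for _, listener in sorted(ranked, key=lambda pair: pair[0], reverse=True):
        if dst_port in listener.ports:
            return listener
    return None


if __name__ == "__main__":
    for ip, port in (("10.0.0.7", 80), ("10.1.2.3", 80), ("192.168.0.50", 8081),
                     ("203.0.113.9", 80), ("203.0.113.9", 443),
                     ("2001:db8::50", 8080), ("fe80::1", 80)):
        chosen = select_listener(SAMPLE_LISTENERS, PROXY_IPS, ip, port)
        print(f"{ip}:{port} -> {chosen.service if chosen else 'no listener'}")
```

Running the block shows the rule from the text: 10.0.0.7:80 lands on the /24 Branch HTTP listener rather than the /8 Internal HTTP one, 192.168.0.50:8081 falls through the /16 listener (wrong port) to the HTTP-Console, and a connection to the appliance's own IPv6 address on 8080 reaches Explicit HTTP; the same function with a new listener table is a quick way to check what an overlapping listener change would capture before applying it.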
Management Services
Slide 7-13: Management services (SSH: port 22; HTTPS: port 8082; SNMP: port 161; Telnet: port 23, not recommended)
Management services are used to communicate with the ProxySG. There are five types of consoles:
• HTTPS console: This console provides access to the Management Console. It is created and enabled by default. You can create and use more than one HTTPS console as long as the IP address and the port do not match the existing console settings.
• HTTP console: This console also provides access to the Management Console. It is created by default but not enabled, because it is less secure than HTTPS. You can create and use more than one HTTP console as long as the IP address and the port do not match the existing console settings.
• SSH console: This console provides access to the command line interface using an SSH client. It is created and enabled by default. No action is required unless you want to change the existing SSH host key, disable a version of SSH, or import RSA host keys.
• SNMP console: One disabled Simple Network Management Protocol listener is defined by default on the ProxySG, which you can enable or delete as needed. You also can add additional SNMP services and listeners. Discussion of SNMP support in the ProxySG is beyond the scope of this course.
• Telnet console: The Telnet console allows you to connect to and manage the ProxySG using the Telnet protocol. This console service is not created by default because the passwords are sent unencrypted from the client to the ProxySG. Also, a Telnet shell proxy service exists on port 23, the default Telnet port. Because only one service can use a specific port, you must delete the shell service if you want to create a Telnet console. If you want a Telnet shell proxy service in addition to the Telnet console, you can re-create it later on a different port.
Important: Telnet is an insecure protocol. It should be used only if SSH cannot be used. Blue Coat does not recommend use of the Telnet console.
Chapter 8: Hypertext Transfer Protocol

The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. It was first introduced by Tim Berners-Lee at CERN in Geneva, Switzerland; his idea of linked hypertext documents was the impetus for the Web. HTTP version 1.0 is described in RFC 1945 and version 1.1 in RFC 2616, and the ProxySG supports both. HTTP is independent of the underlying transport: it is carried over a transport-layer connection (TCP) and does not need to know the details of the physical network. Message content is described using the format originally introduced for Internet mail, the Multipurpose Internet Mail Extensions (MIME).

Before going into detail about how the ProxySG handles HTTP requests and responses, it is important that you understand the key concepts used in the rest of this chapter. The following definitions are taken from RFC 1945 and RFC 2616 (portions copyright 1996 and 1999 The Internet Society; all rights reserved):
• Connection: A transport-layer virtual circuit established between two application programs for the purpose of communication.
• Message: The basic unit of HTTP communication, consisting of a structured sequence of octets transmitted via the connection.
• Request: An HTTP request message.
• Response: An HTTP response message.
• Resource: A network data object or service that can be identified by a Uniform Resource Identifier (URI), most often a Uniform Resource Locator (URL).
• Client: An application program that establishes connections for the purpose of sending requests. The client that initiates a request (a browser, for example) is also called the user agent; it should not be confused with the "helper" applications that a user agent may call on to handle other protocols.
• Server: An application program (daemon) that accepts connections in order to service requests by sending back responses.
• Proxy: An intermediary program which acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them, with possible translation, on to other servers. A proxy must interpret and, if necessary, rewrite a request message before forwarding it. Proxies are often used as client-side portals through network firewalls and as helper applications for handling requests via protocols not implemented by the user agent.
• Gateway: A server which acts as an intermediary for some other server. Unlike a proxy, a gateway receives requests as if it were the origin server for the requested resource; the requesting client may not be aware that it is communicating with a gateway. Gateways are often used as server-side portals through network firewalls and as protocol translators for access to resources stored on non-HTTP systems.
• Tunnel: A tunnel is an intermediary program which acts as a blind relay between two connections. Once active, a tunnel is not considered a party to the HTTP communication, though the tunnel may have been initiated by an HTTP request. The tunnel ceases to exist when both ends of the relayed connection are closed. Tunnels are used when a portal is necessary and the intermediary cannot, or should not, interpret the relayed communication.
• Cache: A cache is a program's local store of response messages and the subsystem that controls message storage, retrieval, and deletion. A cache stores cacheable responses to reduce response time and network bandwidth consumption for future requests for the same content. Any client or server may include a cache (though a cache cannot be used by a server while it is acting as a tunnel).
Any given program may be capable of being both a client and a server; our use of these terms refers only to the role performed by the program for a particular connection, rather than to the program's capabilities in general. Likewise, any server may act as an origin server, proxy, gateway, or tunnel, changing behavior to address the needs of each request.
HTTP
• Definition
— "Application-level protocol with the lightness and speed necessary for distributed, collaborative, hypermedia information systems"
• Different versions available
— HTTP/0.9
— HTTP/1.0, described in RFC 1945 (May 1996)
— HTTP/1.1, described in RFC 2616 (June 1999)
Slide 8—1: History of HTTP
HTTP is one of the most commonly used protocols. It was first formally described in 1996 (RFC 1945), and its latest update, RFC 2616, was published in 1999. The protocol's longevity is a reflection of its scalability and reliability. Although HTTP was designed to deliver Web content and link-based text, it is now used to carry many different types of content.
• HTTP version 0.9 is obsolete and is almost never encountered. GET is the only supported method.
• HTTP version 1.0: This is the first version that was widely used, and it continues in wide use, especially on servers.
• HTTP version 1.1: This is the current version of the protocol. A main difference between versions 1.0 and 1.1 is that version 1.1 enables persistent connections by default. Other differences include caching, bandwidth optimization, error notifications, and security features.
Several client-server applications use HTTP as a communication protocol. HTTP borrows the media-type labeling of MIME (the Content-Type header) so that a message body can carry any kind of content, binary files included, without converting them to ASCII. You can upload and download files of any kind. Today, most Web downloads are not done with FTP, but with HTTP directly from a Web browser.
HTTP
Step 1: Request (client to server)
Step 2: Response (server to client)
• The client always initiates the connection
• The server cannot initiate a connection
Slide 8—2: HTTP request/response flow
An HTTP transaction is always initiated by the client. The client sends a request to the server. The server processes the request and returns a response. HTTP does not allow responses to be sent without a previous request. When the server needs to send more information than requested by the client, it must send instructions about that information to the client. It is up to the client to decide whether those requests should be initiated. For example, when a client downloads a Web page, the server returns the requested page (object), which includes instructions for downloading objects (such as HTML links). After processing the response, the client may or may not issue new requests for the objects listed in the links.
HTTP URL
"http:" "//" host_name [ ":" port ] [ abs_path [ "?" query ] ]
• Host name is case-insensitive, even for UNIX-based Web servers
• Default port is 80
Slide 8—3: HTTP URL
Most TCP-based protocols have well-known ports assigned to them. In theory, you should specify the TCP port every time you are making a connection to a remote host, unless the protocol used has a pre-defined, well-known port assigned to it. The default TCP port for HTTP is 80. For example, the two requests listed below are identical:
http://www.bluecoat.com:80
http://www.bluecoat.com
After specifying the hostname, you can specify the resource you want from the server (page, image, files, and so on). You must specify the full path (as seen by the Web server) for that resource. For example, the following URLs request two different resources on a website:
http://www.bluecoat.com/resources/training/index.html
http://www.bluecoat.com/images/BCS_leftnav_resources.jpg
In the request, you can also pass parameters that a script (running on the Web server) can process and use to return a specific page based on your previous selections:
http://www.bluecoat.com/test.cgi?parameter=value (1)
Resources are separated from the hostname and from each other by the slash (/) character; parameters are separated from the script name by the question-mark (?) character and from each other by the ampersand (&) character. Special characters in the URL are represented by their hexadecimal ASCII code, preceded by the percent-sign (%) character. For example:
http://www.bluecoat.com/this is a sample.html is an invalid URL.
http://www.bluecoat.com/this%20is%20a%20sample.html is a valid URL.
Because the same resource can be spelled in several ways (upper- or lower-case host name, an explicit :80, %7e instead of ~), any device that compares URLs against a list, the ProxySG included, has to normalize them first.
1. Not an actual URL on the Blue Coat website.
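The validity and normalization rules just described, as an added example that is not code from the course or from Blue Coat. It uses only the Python standard library; the character classes follow RFC 3986, and the decision to decode only unreserved characters (leaving an encoded slash encoded) is a design choice of this example, not something the course specifies.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Default ports that may be omitted from a URL: http://host:80 and http://host
# are the same request.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Characters that may appear literally in a URL (RFC 3986 unreserved and
# reserved characters plus '%', which introduces a two-hex-digit escape).
_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def is_valid_url(url: str) -> bool:
    """True if every character is allowed and every '%' starts a valid escape.
    A raw space, as in 'this is a sample.html', makes the URL invalid."""
    if not _ALLOWED.match(url):
        return False
    return url.count("%") == len(_ESCAPE.findall(url))


def _normalize_escapes(component: str) -> str:
    """Decode escapes of unreserved characters (%7E -> ~) and upper-case the
    hex digits of the rest (%2f -> %2F) so that different spellings of the
    same resource compare equal. Reserved characters such as '/' stay
    encoded, because decoding them would change the path structure."""
    def repl(match):
        ch = chr(int(match.group(0)[1:], 16))
        return ch if ch in _UNRESERVED else match.group(0).upper()
    return _ESCAPE.sub(repl, component)


def normalize(url: str) -> str:
    """Canonical form for comparing URLs: lower-case scheme and host (host
    names are case-insensitive), default port removed, empty path written as
    '/', escapes normalized, fragment dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = _normalize_escapes(parts.path) or "/"
    query = _normalize_escapes(parts.query)
    return urlunsplit((scheme, netloc, path, query, ""))


def query_params(url: str):
    """Parameters after '?', split on '&' and '=', with escapes decoded."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)
```

Comparing normalized forms is what stops a user from slipping past a URL rule by writing the host in capitals or adding :80; comparing the raw string would treat every such spelling as a different destination.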
109
— S 1 — S — — is 1.0 any the section. contains contains delivery version but and headers, part part before data header HTTP the offered, initial second requests server. in response be using of The The and and can parameters, specifications clients IIUIILIIIUIILII BlueQCoat client server. sections. sequence for request “discussed” a the protocol encodings two is are over and differ and between into communication details client control might character transaction of the divided Ill parameter These relevant server. parameters a of liii all HTTP range granular use. response on A and to an between logically series have a 1.1. Fl v3.5.1 server are how to II client on agreed which ri a the Fl you 1 on message communication Course pages connection version have 1 agree response the messages the the agree between allows the of example, to of must HTTP BCCPA server previous — must For
and Message message and sever on using parts types controlling ProxySG relevant responses sent. Headers Data Response Request server and HTTP data. seen client Services — — — — request be those thus Two The Two •
• HTTP and the 8—4: the for can client have actual Training Note: Once data than the client The begins. information subsequent Both You Slide 110 BlueTouch Chapter 8: Hypertext Transfer Protocol
Request Methods
• GET: Retrieves whatever information (in the form of an entity) is identified by the URL
— Changes to a conditional GET if the request message includes an If-Modified-Since or similar header
• HEAD
— Identical to GET except that the server MUST NOT return a message body in the response
Slide 8—5: The GET and HEAD request methods
The GET request method instructs the server to retrieve the information identified by the request URL. GET is used to ask for a specific resource — when you click on a link, GET is used, regardless of whether the linked resource is a file, a script, or other content. For example: GET /sampletext.html HTTP/1.1 GET /samplescript.php HTTP/1.1 If the URL refers to a script, such as PHP or Active Server Pages (ASP), the processed data is returned in the response. The GET method can be conditional, if the request message includes an If-Modified-Since, If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. What this means is that the requesting agent has indicated that the content should be returned only if it meets the specified condition. The conditional GET method is intended to optimize the delivery of cached data by reducing the number of unnecessary connections to the Web server. Responses to a GET request are cacheable only if the request meets the requirements for HTTP caching as defined by the protocol.
The HEAD request method is identical to the GET method, except that HEAD returns only the message headers and not the message body. HEAD can be used to obtain metainformation about the entity; for example, the validity and accessibility of hypertext links.
Request Methods
• POST
— Designed to allow a uniform method to cover functions such as:
• Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles
• Providing a block of data, such as the result of submitting a form, to a data-handling process
• Extending a database through an append operation
• CONNECT
— Reserved for use with a proxy that can dynamically switch to being a tunnel (such as SSL tunneling)
Slide 8—6: The POST and CONNECT request methods
The POST request method is used to send data to the server to be processed in some way. For example, POST is used to return the results of Web shopping cart forms. Unlike a GET request, the message body of a POST request contains a block of data. The most common use of POST is to submit data to scripts such as those written in PHP and ASP. The script receives the message body and decodes it. You can use a POST request to send whatever data you want. The only stipulation is that the receiving program must understand the format.
The CONNECT request method is used to direct Web proxies that provide SSL tunneling. CONNECT signals the proxy to open a tunnel to the requested host and port, normally TCP port 443, to support secure HTTPS connections; from then on the proxy relays bytes blindly in both directions and cannot inspect what passes through. Because a tunnel can carry any protocol, a proxy normally restricts the destination ports that CONNECT may use (the ProxySG default policy, discussed in Chapter 9, allows CONNECT only when it is tunneling SSL or, with protocol detection disabled, only to port 443).
Response Codes
• Sample success code: 200 OK
• Sample client-side issue: 404 Not Found
• Sample server-side issue: 500 Internal Server Error
Slide 8—7: HTTP response codes
HTTP uses a set of response codes to communicate messages from the server to the client. There are five groups of response codes:
• 1xx: Used for informational notifications.
• 2xx: Used to indicate some sort of successful request.
• 3xx: Used to redirect the client from the requested URL to a new one.
• 4xx: Used to notify the client that its request could not be fulfilled because of a client-side issue.
• 5xx: Used to notify the client of an error on the server side.
4xx response codes often are called "error" codes, but you should interpret the term "error" cautiously. For example, authentication requests are handled using the 4xx messages. When a client requests a password-protected resource, the server replies with a 401 message (or a proxy with a 407). While that is not an actual error, the client request is not fulfilled until authentication information is provided.
Requests and Responses
Step 1: Request (client to server)
GET / HTTP/1.1
Host: www.google.com
User-Agent: Firefox/1.0
Accept: text/xml
Step 2: Response (server to client)
HTTP/1.x 200 OK
Content-Type: text/html
Server: GWS/2.1
Content-Length: 1121
Date: Wed, 05 Jan 2005 22:09 GMT
Slide 8—8: Requests and responses
This diagram shows some of the headers that are exchanged between a client and a server during the first round of requests and responses. The client issues a request specifying a method, a resource, and the protocol version. The method is GET, which is the most commonly used one; it enables the client to retrieve the requested resource from the server. The resource is /, which indicates the root of the Web server. Web servers associate a default filename with the root of a directory (index.htm, default.htm, welcome.html, and so on):
GET / HTTP/1.1
GET /index.htm HTTP/1.1
These two requests return the same data.
Note: This is only an example. Different servers use different default names.
The Host field (mandatory for HTTP version 1.1) is what lets the server tell virtual hosts apart when several of them share the same IP address. The client also specifies, with the Accept header, that it is prepared to receive text or XML data. The server replies with a 200 OK message, indicating that the request is valid and has been accepted. The Content-Length header tells the client that the response body is 1,121 bytes long.
Cascaded HTTP Requests
Step 1: Request (client to intermediate device); Step 2: Request (intermediate device to server)
Step 3: Response (server to intermediate device); Step 4: Response (intermediate device to client)
• The intermediate device is both a client and a server
• There can be any number of intermediate devices
Slide 8—9: Cascaded HTTP requests
HTTP allows a request (and, consequently, a response) to traverse any number of HTTP-aware devices. The most common example is a proxy server. This device is a server for the client (on the left side of the slide) and is a client for the server (on the right side of the slide). In general, the client making the initial request is aware that it is talking to the server through a proxy server. However, the server is not capable, at least in general terms, of distinguishing the actual client from a proxy server. There is no predefined limit to the number of proxy servers or similar devices that a request can traverse. The client is usually aware, at the most, of the very first proxy in the chain. The proxy can then forward the request directly to the origin content server or to another proxy. The same concept applies to the other proxies in the chain.
GET Requests
Step 1: Request (client to proxy)
GET http://www.bluecoat.com/ HTTP/1.1
Host: www.bluecoat.com
Step 2: Request (proxy to server)
GET / HTTP/1.1
Host: www.bluecoat.com
Slide 8—10: GET requests
The GET request that a proxy-aware client uses is very characteristic. You can easily recognize what is sometimes called a "via-proxy GET request" because the entire URL, not just the path, appears on the request line. The destination IP address of the client's TCP connection is the IP address of the proxy, so the proxy has to learn from the request itself where the origin content server is that the client needs the data from. In a direct Web request, by contrast, the destination IP address of the client connection is that of the Web server, not of any intermediary. In HTTP version 1.0, the Host header is optional. In HTTP version 1.1, in which the Host header is mandatory, the GET request with the full URL may seem redundant. However, all proxy-aware clients conform to this convention regardless of which HTTP version is used, and a proxy should trust the URL on the request line rather than the Host header when the two disagree.
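The two request forms, the Host header rules from Slide 8—8 and the response-code groups from Slide 8—7, as one added example that is not code from the course or from Blue Coat. The sample messages are constructed for this illustration (they were not captured from the course's diagrams), and the set of hop-by-hop headers stripped in to_origin_form is this example's choice, based on RFC 2616 section 13.5.1 plus the de facto Proxy-Connection header.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

CRLF = "\r\n"

# Constructed sample messages (not captured from the course's diagrams).
VIA_PROXY_REQUEST = (
    b"GET http://www.bluecoat.com/resources/training/index.html HTTP/1.1\r\n"
    b"Host: www.bluecoat.com\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Accept: text/xml\r\n\r\n"
)
DIRECT_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Firefox/1.0\r\n\r\n"
)


@dataclass
class Request:
    method: str
    target: str            # Request-URI: "/path" (direct) or a full URL (via proxy)
    version: str
    headers: dict = field(default_factory=dict)   # names lower-cased
    body: bytes = b""

    @property
    def via_proxy(self) -> bool:
        """A full URL as the target is the 'via-proxy' form of the request."""
        return "://" in self.target

    def origin(self):
        """(host, port, path) of the resource the request is really for.
        The full URL wins when present; otherwise the Host header, which is
        mandatory in HTTP/1.1 and optional in HTTP/1.0."""
        if self.via_proxy:
            u = urlsplit(self.target)
            return u.hostname.lower(), u.port or 80, u.path or "/"
        host = self.headers.get("host")
        if host is None:
            if self.version == "HTTP/1.1":
                raise ValueError("HTTP/1.1 request without a Host header")
            return None, 80, self.target
        name, _, port = host.partition(":")
        return name.lower(), int(port) if port else 80, self.target


def parse_request(raw: bytes) -> Request:
    """Split a raw request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split(CRLF)
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    length = int(headers.get("content-length", 0))      # a body is present only when announced
    return Request(method, target, version, headers, body[:length])


# Hop-by-hop headers apply only to the client-proxy connection and must not be
# forwarded to the origin server (RFC 2616 13.5.1; Proxy-Connection is de facto).
HOP_BY_HOP = ("connection", "keep-alive", "proxy-connection", "proxy-authorization")


def to_origin_form(req: Request) -> bytes:
    """What the proxy sends on to the origin server (Slide 8-10, step 2): the
    full URL reduced to its path, Host set from it, hop-by-hop headers removed."""
    host, port, path = req.origin()
    headers = {k: v for k, v in req.headers.items() if k not in HOP_BY_HOP}
    headers["host"] = host if port == 80 else f"{host}:{port}"
    lines = [f"{req.method} {path} {req.version}"]
    lines += [f"{name.title()}: {value}" for name, value in headers.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode("iso-8859-1") + req.body


def status_class(status_line: str) -> str:
    """Map the first digit of the status code to its group."""
    code = int(status_line.split(" ", 2)[1])
    return {1: "informational", 2: "success", 3: "redirection",
            4: "client-side issue", 5: "server-side issue"}[code // 100]
```

The Proxy-Authorization header is stripped on purpose: it carries the user's credentials for the proxy, and forwarding it would hand them to every origin server the user visits.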
Chapter 9: Policy Management
While there are many problems associated with using the Internet as a business tool, there are several that generally cause the most concern: • Intellectual property loss leading to decreased competitive advantage. • Malicious viruses. • Productivity loss caused by illegitimate or unauthorized Internet use. • Threats from hacking. • Legal problems caused by accessing unsavory or copyrighted material. Although many organizations create Internet usage policies, they face challenges in configuring systems to enforce written corporate policies. Only a secure proxy with an object-handling operating system can offer the framework needed to identify and enforce policies across an entire enterprise with line-speed performance. The Blue Coat ProxySG policy processing engine provides a comprehensive policy architecture that spans all users, content types, applications, and security services. This framework allows a security administrator to control Web protocols and Web communications across the entire enterprise. Blue Coat policies provide to the administrator: • Fine-grained controls to manage behavior of the ProxySG. • Multiple policy decisions allowed for each request. • Multiple actions triggered by a particular condition. • Configurable bandwidth limits. • An authentication-aware proxy device, including user and group configurations. • Flexible user-defined conditions and actions. • Convenience of predefined common actions and header transformations. • Support for multiple authentication realms. • Configurable policy event logging.
Policy Overview
• Understand the Blue Coat policy architecture
• Understand your company's Acceptable Usage Policy (AUP)
• Translate the AUP into ProxySG policy
• Set the default policy (Allow or Deny)
• Create and manage policy layers
• Two ways to create policy: Visual Policy Manager (VPM) and Content Policy Language (CPL)
Slide 9—1: Policy overview
Before you can successfully implement policy on the ProxySG, a few key concepts must be understood. Policy establishes how the ProxySG controls users, content types, applications, security services and other network resources: it is the policy processing engine that enforces what is and is not permissible when using the Web and the Internet. To create policy properly, you first need to know what your company's Acceptable Usage Policy (AUP) permits; the written AUP is then translated into ProxySG policy. Two ways are available for creating and managing policy: the Visual Policy Manager (VPM), an easy-to-use graphical tool, and the Content Policy Language (CPL). Whichever you use, the first step is to set the global default policy, Allow or Deny, on which all other policy is built. Policy is then written in layers. Layers can be enabled or disabled, which is useful for policy that is needed only at certain times or temporarily, and a layer that is no longer needed can be deleted.
Default Policy
• Deny: All network traffic received by the proxy is blocked
• Allow: Network traffic is allowed through the proxy
— Other policies can deny selected traffic
Slide 9—2: Default policy
Before any custom policy is evaluated, the ProxySG applies the default policy:
• Deny: Prohibits proxy-type access through the ProxySG. If this setting is chosen, you must create policies to grant access on a case-by-case basis.
• Allow: Permits most proxy transactions. However, if protocol detection is enabled (the default), HTTP CONNECT transactions are allowed only if they are tunneling SSL. If protocol detection is disabled, HTTP CONNECT is allowed only on port 443. If your policy is set to Allow, you must create policies to explicitly deny access on a case-by-case basis.
Additionally, the default setting for your ProxySG depends on which edition of the SGOS operating system you are using:
• MACH5 Edition: The default setting is Allow.
• Proxy Edition: The default depends on how you configured your ProxySG. If SGOS was installed using the front panel or through the serial console, the default setting is Deny. If you upgraded SGOS from a previous version, the default policy remains the same as it was for the previous version.
Deny is the safer starting point: anything a rule does not explicitly allow is blocked, so a forgotten or mistyped rule fails closed rather than open.
Visual Policy Manager
• Java applet launched from the Management Console (Configuration > Policy > Visual Policy Manager > Launch)
• Policy is saved in XML format and compiled into CPL (vpm.cpl)
• Changes take effect only when Install Policy is clicked
Slide 9—3: Visual Policy Manager
The Visual Policy Manager (VPM) is a Java applet that is launched from the Management Console: go to Configuration > Policy > Visual Policy Manager and click Launch. This diagram describes how the VPM and the ProxySG share policy state:
1. When the VPM is launched, it loads the current VPM policy from the ProxySG. The VPM window opens with all of the layers and rules that were previously created and installed; the VPM inherits the state of the ProxySG at the time it was launched, not changes made afterwards through the Management Console or the CLI.
2. The administrator creates new layers and rules, or changes existing ones, in the VPM. These changes exist only in the VPM window; they are not yet in effect on the ProxySG.
3. When the administrator clicks Install Policy, the VPM saves the policy in XML format (the VPM-XML file) and compiles it into CPL, which is saved in the VPM-CPL file (vpm.cpl). The newly generated files overwrite the previously saved ones.
4. The ProxySG installs the resulting CPL, combining the VPM-generated policy with the policy in the other policy files (those created through the Management Console or the CLI) into a single policy, which then takes effect.
Note: Policy in the VPM and on the ProxySG is synchronized only when Install Policy is clicked; the VPM does not send changes to the ProxySG as they are made. Changes that have not yet been installed are not saved on the ProxySG, and if the VPM is closed they are reverted. Unlike other configuration changes in the Management Console, which take effect when you click Apply, VPM changes are applied only by the Install Policy button.
VPM Policy Objects
• Trigger objects
— Used to determine if a rule matches or misses
— Organized by source, destination, service, and time
• Action objects
— Used to determine proxy handling of a transaction
— Organized by action and track
Slide 9—4: VPM policy objects
The VPM evaluates rules based upon trigger and action objects. Trigger objects represent the who, where, how, and when of a rule; action objects represent the what. Trigger objects also can be considered conditional objects: they allow you to create policy for certain types of situations. When a request is sent through a ProxySG, the request is matched against the created policy. If the request does not match, or misses, the policy, no action is triggered. When the conditions outlined in the policy are met, the request must be acted upon, and this is where action objects come into play: the action objects of the matching rule determine what the ProxySG does with the request. In the VPM, when creating a Web Access Layer, for example, there are six settings that can be modified. Four of these are trigger objects, and the other two are action objects.
Trigger Objects
• Source: Specifies the source attribute, such as IP address, user, or group.
• Destination: Specifies the destination attribute, such as URL, IP address, or file extension.
• Service: Specifies the service attribute, such as protocols, protocol methods, and IM file transfer limitations.
• Time: Specifies day and time restrictions.
Action Objects
• Action: Specifies what to do when the rule matches.
• Track: Specifies track attributes, such as event log and email triggers.
Additionally, there is one optional object called Comment. This allows you to provide a comment regarding the created rule.
Policy Translation — Rule #1
• "Block all users from Hacking websites"
— Source: ANY
— Destination: Hacking
— Service: ANY
— Time: ANY
— Action: DENY
— Track: none
Slide 9—5: Rule #1: Hacking
In this example, an administrator has created a rule to block users from accessing websites that have to do with hacking. This rule is relatively simple and straightforward. The idea is to block any users in any group from accessing hacking websites at any time.
Trigger Objects
• Source: The administrator selected the ANY option. This means that any request from any source to a hacking website is denied, no matter what that source may be.
• Destination: This option is used to select the category of website being blocked, in this case hacking websites. Categories are selected through the Blue Coat WebFilter and are added to the policy rule through the VPM.
• Service: By selecting ANY, the administrator has established that hacking websites cannot be accessed through any protocol.
• Time: The administrator has selected ANY under this category to deny access to hacking websites at any time, even outside normal business hours.
Action Objects
• Action: The DENY option denies access to hacking websites when the conditions listed above are met. In this case, the triggers are all-encompassing, so the condition always is met.
• Track: The administrator has elected not to receive any notification when a user attempts to access a hacking website.
Policy Translation — Rule #2
• "Employees can visit travel websites only outside regular working hours"
— Source: ANY
— Destination: Travel
— Service: ANY
— Time: Mon-Fri; 08:00..17:00
— Action: DENY
— Track: none
Slide 9—6: Rule #2: Travel
Similar to the previous example, the administrator of this network wants to block traffic to a certain type of website. This administrator does not want the employees planning their vacations while they should be working. However, some lenience was given to the employees by allowing them to access travel websites outside normal business hours. This shows that administrators have a great amount of control over policy when using the ProxySG.
Trigger Objects
• Source: The administrator has chosen to deny all access to travel websites, no matter the client IP address, user, or group.
• Destination: Using the categories available through the Blue Coat WebFilter, the administrator created a policy object that is designed to block user access to travel websites.
• Service: By selecting ANY, the administrator has created a policy object that blocks access to travel websites regardless of the protocol the user may be using to access the material.
• Time: Under this policy object, the administrator has decided to deny access to material pertaining to travel only during a certain time window. Between the hours of 8 a.m. and 5 p.m. on weekdays, access is denied, but outside that time frame, access to travel websites is allowed.
Action Objects
• Action: The action object in this rule has been set to DENY. This means that access to travel websites is denied to everyone, but only between the hours of 8 a.m. and 5 p.m. If a request is sent to a travel website at 6 p.m., there is a miss in the trigger objects. Because one of the conditions was not met, the DENY action is not triggered, and access is allowed by the default policy.
• Track: The administrator has chosen not to receive any notifications if the policy is enforced by the ProxySG.
Policy Translation — Rule #3
• "Allow only users in the IT group to use FTP. Outside working hours, allow anybody."
— Source: NOT(Group IT)
— Destination: ANY
— Service: FTP
— Time: Mon-Fri; 08:00..17:00
— Action: DENY
— Track: none
Slide 9—7: Rule #3: Using FTP
In this example, a network administrator has created a policy designed to stop the use of FTP by anyone except those who are in the IT group. However, outside normal business hours, any user is allowed to use this protocol. Unlike the previous rules discussed, this one allows access to any destination. However, the way in which the destination server can be contacted is restricted.
Trigger Objects
• Source: For this trigger object, the administrator has blocked the use of FTP by all users except the IT group. The NOT(Group IT) trigger matches only users who are not in the IT group, so even if all other conditions are met, a member of the IT group still can make requests using FTP.
• Destination: In this case, ANY does not mean that any destination is blocked outright. Rather, it means that the destination plays no part in the decision: a request over FTP is denied whatever destination it is sent to.
• Service: In this object field, the administrator has set FTP as the trigger, meaning that only connections attempted over FTP can be denied by this rule.
• Time: The time limitations on the policy rule have been set so that this rule applies only during normal business hours, from 8 a.m. until 5 p.m. on weekdays.
Action Objects
• Action: The prescribed action, if the above triggers are all met, is to deny the request. Note that the allowances in the written policy are not separate actions of this rule: if the source is found to be a member of the IT group, or the request is made outside normal business hours, the rule simply misses and takes no action, and the request falls through to the default policy (Allow).
• Track: No tracking action objects were added to this rule.
Complete Web Access Policy
(VPM screenshot of a Web Access Layer with three rules)
No. | Source | Destination | Service | Time | Action | Track
1 | Any | Hacking | Any | Any | Deny | None
2 | Any | Travel | Any | Working-Hours | Deny | None
3 | NOT Group IT | Any | FTP | Working-Hours | Deny | None
Slide 9—8: Complete Web access policy
This example shows a set of policy rules created in the VPM. Note the following:
1. Rules in a policy layer are applied from top to bottom. This is important to know because once a rule matches a request, all subsequent rules in the layer are ignored. Where rules cannot match the same request, putting the most likely rule first saves processing time, because the ProxySG does not have to apply every rule for every request. Where two rules can match the same request, however, their order decides which action applies, so reorder such rules only when you intend to change the outcome.
2. This is an example of a source trigger. In the first two rules, the source trigger is set to Any, making the source of the request irrelevant in those two rules. However, the third rule has a directory group (NOT Group IT) as its source trigger.
3. This column is the destination trigger. If a request is sent from a client to a travel website, the first rule is applied to the request, but no action is taken, because that rule only blocks hacking websites. However, when the request reaches the second rule, it triggers the Deny action, and the website is blocked.
4. The Service column allows the administrator to select whether certain service attributes should trigger an action. In the case above, the bottom rule includes an object for FTP. That means for this rule to trigger, the request must be using FTP.
5. The rule object in this column allows you to specify a certain time or time period in which the rule triggers an action. The rule object above is called Working-Hours. If a request is sent during the time period set in the Working-Hours object, and the other triggers of the rule are met, the action is triggered, either Deny or Allow.
6. This is the Action column. In the above example, all the actions are set to Deny. Therefore, if any of the rules in this layer is triggered by a request, that request is denied. The VPM also supports a separate action called Deny (Content Filter); this action also denies a request, but presents a more specific exception page to the user that includes the content filter category of the request.
The difference between Deny and Deny (Content Filter) can be important when using external products such as Blue Coat Reporter to analyze ProxySG activity.
BlueTouch Training Services — BCCPA Course v3.5.1
7. The Move Up and Move Down buttons let you select and move one or more rules up and down within a layer. The rules to be moved in a single operation must be in consecutive order.
8. When you click Install Policy, any additions, deletions, and changes that you have made are installed on the ProxySG. The old VPM-CPL and VPM-XML files are deleted and are replaced with the new CPL and XML information that reflects the policy modifications.
Slide 9—9: VPM policy layer
The diagram on this slide walks through how the ProxySG processes the three Web Access rules from the previous example. As discussed previously in this chapter, the rules in a layer are checked in order from top to bottom, and once a rule has matched, no further rules in that layer are checked. Imagine that a member of the IT group at headquarters attempts to establish an FTP connection to a remote server during normal business hours:
1. Rule 1 blocks hacking websites. The request is not for a hacking website, so no action is taken and the ProxySG checks the next rule.
2. Rule 2 blocks travel websites during business hours. The request is not for a travel website, so again no action is taken.
3. Rule 3 denies FTP connections during business hours for everyone except members of the IT group. Because the user is a member of the IT group, the rule does not match, no action is taken, and the connection is established.
If the same user were not a member of the IT group, Rule 3 would match and the connection would be denied. If the request were made again outside business hours, Rule 3 would not match, because its time trigger is not met.
VPM Policy Layers (slide): Admin Authentication, Admin Access, DNS Access, SOCKS Authentication, SSL Intercept, SSL Access, Web Authentication, Web Access, Web Content, Forwarding, CPL
Slide 9—10: VPM policy layers
Many types of VPM policy layers are available. This variety allows finer customization to meet whatever needs your network has. Each type of layer gives you a way to control how the ProxySG can be accessed for administrative purposes and how the ProxySG handles traffic. These are the layer types and what they are used for:
• Admin Authentication: This layer sets how administrators attempting to access the ProxySG must authenticate. Through this layer, you limit access to the ProxySG to make sure that any other policy you set cannot be modified by individuals who are not allowed to do so. This layer is often used in conjunction with the different Access layers, which determine where a user can go and what a user can do after being authenticated.
• Admin Access: The previous layer sets how an administrator must authenticate; this layer sets who is allowed to access the ProxySG.
• DNS Access: Use this layer to set how the ProxySG handles DNS requests.
• SOCKS Authentication: This layer sets the method of authentication for accessing the ProxySG through SOCKS.
• SSL Intercept: With this layer, you set whether the ProxySG tunnels or intercepts HTTPS traffic. The action taken for HTTPS traffic can be based on either the source or the destination of the request.
• SSL Access: Unlike the previous layer, this layer allows you to deny or allow HTTPS traffic through the ProxySG.
• Web Authentication: Use this layer to set whether certain users or groups must authenticate before they can access the ProxySG or the Internet. This is useful if you want to give only certain users access to certain resources.
• Web Access: This is the layer that the previous rule examples were based on. Through this layer you limit, allow, or deny access to Internet content.
• Web Content: This layer determines caching behavior on the ProxySG, such as verification and ICAP redirection. For example, you can set the ProxySG to cache the websites that your company accesses regularly, but not other content.
• Forwarding: With this layer, you set the forwarding hosts and methods the ProxySG uses.
• CPL: You can write code directly in Blue Coat's Content Policy Language in this layer. The details of CPL are beyond the scope of this chapter.
This list does not imply a specific evaluation order for layers, for reasons discussed on the next page.
VPM — Layers Priority (slide diagram): left-to-right processing order for layers of the same type; a separate processing order for the different layer types.
Slide 9—11: VPM layers priority
In general, policy layers are processed from left to right. However, this applies only to layers of the same type. The order in which layer types are processed is logical and based on the order in which things happen when a user tries to access content on a server. In the above example, the layer types are processed in this order:
1. Admin Authentication Layer: This layer determines how a user is authenticated when trying to access the Management Console of a ProxySG. The Management Console is accessed through a Web browser over an SSL connection. If you had a Web Access Layer in place that blocks SSL traffic, no user could reach the Management Console. To avoid this, the ProxySG processes the Admin Authentication Layer first. That way, a user can still access the Management Console while SSL traffic is still controlled.
2. Web Authentication Layer: In the above example, this happens before the Web Access Layer because it makes no sense to determine what a user can do on the Internet before determining whether that user should have access to the Internet at all. Therefore, the ProxySG first applies the Web Authentication Layer to determine whether the user can access the Internet, and then determines what the user is allowed to access once authenticated.
3. The first Web Access Layer: Because it is the leftmost layer of its type, it is processed before any other layers of the same type.
4. Another Web Access Layer: Because it appears to the right of the previous layer, it is processed next.
5. Based on its position and order of processing, this can be one of three layer types: an additional Web Access Layer (as shown), a Web Content Layer, or a Forwarding Layer.
VPM Layer Guards (slide screenshot): a Web Access layer named Guest User Web Access, with a layer guard rule above it that matches guest users, an Allow rule for the Guest Categories destination, and a final rule that returns an exception page (for example, one named Guest-Access-Denied) for everything else.
Slide 9—12: VPM layer guards
The same set of conditions or properties often appears in every rule in a layer. You can factor the common elements out into a layer guard expression. This helps the ProxySG run more efficiently, particularly when you have defined a large number of rules. A layer guard is a single rule table that appears above the selected layer in the VPM. The layer guard rule contains all of the columns available in the layer except the Action and Track columns. These columns are not needed, because the guard rule invokes no action other than allowing or not allowing policy evaluation for the entire layer. You cannot add a layer guard rule until you have created other rules for that layer. In the above example, the administrator has created a layer called Guest User Web Access. When this layer is evaluated:
1. The layer guard is checked first. If the user is not a guest user, the rest of the layer is not evaluated.
2. If the user is a guest user and is attempting to access a resource that the administrator has identified in Guest Categories, the layer allows the transaction.
3. Otherwise, the layer instructs the ProxySG to return an exception page to the user.
By default, a layer guard rule is enabled, but you can disable a layer guard (which keeps the rule but does not process it) or delete the rule completely from the VPM.
Best Practices (slide)
• Policy construction
— Express separate decisions in separate layers
— Be consistent with your model
• Policy integrity
— Use ALLOW with caution
• Policy optimization
— Use regular expressions only when necessary
— Place rules most likely to match at layer beginning
— Use subnets when possible
— Use definitions and layer guards
Slide 9—13: Best practices
The ProxySG policy processing engine is a powerful and flexible tool. With that power and complexity comes the need to create policy that is easy to understand and maintain. When writing policy, consider the following points:
• Express separate decisions in separate layers. As your policy grows, maintenance is easier if the logic for each aspect of the policy is separate and distinct.
• Be consistent with your model. Set the default policy (allow or deny) to whichever more closely reflects your enterprise's security policy, and then use blacklists or whitelists as appropriate. For secure gateway deployments, the recommended default policy is Deny; for WAN optimization deployments, the recommended default policy is Allow.
• Understand the implications of the Allow action. Depending on where it is used, it can unintentionally reverse a denial made in an earlier layer.
• Use regular expressions only when absolutely necessary. Regular expression matching is the most CPU-intensive type of policy evaluation; in most cases an alternative without regular expressions is possible, and it also prevents unintended matches.
• Place the rules most likely to match at the beginning of a layer. Because a layer is evaluated only until a rule matches, doing so provides a performance benefit.
• When implementing any policy that involves IP addresses, use subnets instead of a list of specific addresses when possible.
• Use definitions and layer guards. These constructs often evaluate faster than multiple rules that accomplish the same thing.
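To make the evaluation model concrete, here is an added Python model of the rules from slides 9-8 and 9-9, the layer-priority and layer-guard behaviour from slides 9-11 and 9-12, and the Allow pitfall above. It was written for this edit and is not Blue Coat code (the ProxySG itself compiles VPM layers into CPL); the group names, categories, guest category list and the 09:00 to 17:00 Working-Hours window are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Request = dict                      # e.g. {"groups": {"IT"}, "category": "Travel", "scheme": "ftp", "hour": 10}
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]     # one per VPM column (source, destination, service, time); all must match
    action: Optional[str]           # "ALLOW", "DENY", or None when the rule sets no action

    def matches(self, req: Request) -> bool:
        return all(cond(req) for cond in self.conditions)


@dataclass
class Layer:
    name: str
    rules: List[Rule]
    guard: Optional[Condition] = None   # layer guard: when it is false, the whole layer is skipped


def evaluate(layers: List[Layer], req: Request, default: str) -> Tuple[str, List[str]]:
    """Layers are evaluated in order. Inside a layer the first matching rule wins and the
    remaining rules are ignored; a later layer's action overrides an earlier layer's action.
    'default' is the ProxySG default policy (Allow or Deny) used when no rule sets an action."""
    verdict, trace = default, []
    for layer in layers:
        if layer.guard is not None and not layer.guard(req):
            trace.append(f"{layer.name}: guard not met, layer skipped")
            continue
        for rule in layer.rules:
            if rule.matches(req):
                trace.append(f"{layer.name}: matched '{rule.name}' -> {rule.action}")
                if rule.action is not None:
                    verdict = rule.action
                break                   # first match stops evaluation of this layer
        else:
            trace.append(f"{layer.name}: no rule matched")
    return verdict, trace


# Condition builders standing in for VPM trigger objects (assumed names and values).
def category_is(cat: str) -> Condition:
    return lambda r: r.get("category") == cat

def scheme_is(scheme: str) -> Condition:
    return lambda r: r.get("scheme") == scheme

def in_group(group: str) -> Condition:
    return lambda r: group in r.get("groups", set())

def not_in_group(group: str) -> Condition:
    return lambda r: group not in r.get("groups", set())

def working_hours(r: Request) -> bool:          # the Working-Hours time object, assumed 09:00-17:00
    return 9 <= r.get("hour", 0) < 17


# Web Access layer from slides 9-8/9-9: three Deny rules, most likely match first.
WEB_ACCESS = Layer("Web Access", [
    Rule("deny hacking sites", [category_is("Hacking")], "DENY"),
    Rule("deny travel sites during working hours", [category_is("Travel"), working_hours], "DENY"),
    Rule("deny FTP during working hours except for IT", [not_in_group("IT"), scheme_is("ftp"), working_hours], "DENY"),
])

# Guest User Web Access layer from slide 9-12: the guard skips the layer for everyone who is not a guest.
GUEST_CATEGORIES = {"News/Media", "Search Engines"}      # assumed contents of the Guest Categories object
GUEST_ACCESS = Layer("Guest User Web Access", [
    Rule("allow guest categories", [lambda r: r.get("category") in GUEST_CATEGORIES], "ALLOW"),
    Rule("return exception page to guests", [], "DENY"),   # no conditions: matches anything the guard let through
], guard=in_group("Guest"))

# The Allow pitfall from the best-practices slide: a broad ALLOW in a later layer reverses every earlier Deny.
CONTRACTOR_ALLOW = Layer("Contractor Allow", [
    Rule("allow all contractor traffic", [in_group("Contractors")], "ALLOW"),
])

POLICY = [WEB_ACCESS, GUEST_ACCESS, CONTRACTOR_ALLOW]


def decide(req: Request, layers: List[Layer] = POLICY, default: str = "ALLOW") -> str:
    """Final verdict only. Default ALLOW reproduces the slide 9-9 walkthrough, in which an IT
    user's FTP connection is established because no Deny rule matches it."""
    return evaluate(layers, req, default)[0]
```

Run `decide` with a request for a Hacking site from a member of Contractors and it returns ALLOW even though the Web Access layer denied it, which is exactly the reversal the best-practices slide warns about; pass `default="DENY"` (the recommended default for a secure gateway) and only the Web Access layer, and the IT user's FTP request is denied because nothing in policy allows it.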
Chapter 10: WebPulse
Blue Coat's WebPulse is a cloud service that extends the ProxySG's content filtering and malware defenses. Instead of every ProxySG analyzing Web content on its own, rating and threat-detection work is offloaded to a shared computing grid, and the result of a rating or malware detection made for one user is made available to the whole community of participants: the ProxySG, ProxyClient and the K9 home and parenting product. This "protection by numbers" approach, with millions of users contributing requests, makes a best-in-class Web defense affordable for any enterprise.
After studying this chapter, you should understand:
• How cloud computing and the community-watch model behind WebPulse work
• How WebPulse, WebFilter and the ProxySG work together to rate content and detect malware
• How content filtering policy uses the categories returned for a request
• How to customize content filtering and reporting for your enterprise
Overview (slide diagram): ProxySG, ProxyClient and Web Protection clients (more than 75 million users) send requests to WebPulse, which combines the content filter, dynamic categorization, reputation analysis and malware detection and returns content ratings.
Slide 10—1:Overview
WebPulse provides real-time rating of websites, analyzing more than 2 billion requests per week from more than 75 million users. This is a constant process; the results are continuously used by new requests, making the content filtering service stronger.
• Content filters perform Web content analysis and rating, supporting simultaneous URL databases for the latest ratings.
• Unrated or new content goes to the dynamic categorization service to be rated.
• Reputation analysis scores URLs and IP addresses to determine intent, which helps identify websites that might be malicious.
• All requests are analyzed in the background for malware using a computing grid of clients with multiple threat-detection engines, machine content analysis, and human raters. When malware or a Web threat is detected by any member of the cloud, WebPulse receives a notification that is made available to all other members.
There are two deployment options for content filtering: an on-box content filter database, such as Blue Coat WebFilter, or an off-box database (available with Websense only). For performance reasons, on-box is often preferred; processing requests locally on the ProxySG is faster than opening a network connection to an external server for every lookup. Both configurations are fully supported, and customers use both.
The content filter database is a list of sites, pages, and IP addresses organized by category. Depending on the vendor, a URL can belong to one or more categories. The database gives the ProxySG (and the administrator) additional information about the request a user is making. The content filter database does not block any site or category by default. It is up to the administrator, through CPL or the Visual Policy Manager, to build rules that allow or deny access to specific resources based on the information obtained from the content filter.
Before you can use a vendor's content filter database, you need to obtain a license for one of the vendors, download the database, and then install it. You can get a demonstration license from most of the supported vendors.
Content Filtering (slide)
• Enable proxy to make smarter decisions
— Base policy control on type of content
— Offer more than just protocol and URL match
• Attempt to categorize the Internet
— Categorize the 20% of sites that generate 80% of the traffic
— Use artificial intelligence to cover the remaining 80%
• User-defined category set
— Local database
Slide 10—2:Content filtering
Content filtering allows you to block access to websites based on their perceived content. Whether a website is blocked or allowed for client access depends on the rules and policies implemented by the administrator in accordance with company standards. The challenge is that, because of the dynamic nature of the Internet, there is a constant flow of new URLs (and URLs on lesser-known sites) that are not in the content filtering database. Because URLs that are not in the database are not classified, you must create policy to process them. The infinite number of URLs can be reduced to a small number of categories. After websites and content are categorized, access to that content can be controlled through policy by URL-based triggers. Categories and their meanings are defined by the specific category providers.
Two main reasons to use a local database instead of a policy file for defining categories are:
• A local database is more efficient than policy if you have a large number of URLs.
• A local database separates administration of categories from policy. This separation is useful for three reasons:
— It allows different individuals or groups to be responsible for administering the local database and the policy.
— It keeps the policy file from getting cluttered.
— It allows the local database to share categories across multiple appliances that have different policies.
Content Filtering Flow (slide diagram): the user's URL request goes to the ProxySG, which performs URL categorization; the user then receives either "access permitted" or "access denied".
Slide 10—3: Content filtering flow
When content filtering is enabled, a ProxySG transaction follows this high-level flow:
1. The user makes a request.
2. The ProxySG extracts the URL from the request and sends it to WebPulse for categorization. The components of WebPulse, including an on-box or off-box content filter, work together to perform the categorization.
3. The content filter returns one or more categories (depending on the vendor) for that URL.
4. The policy engine considers the user's information, the time of day, the URL, and its categorization. Based on the policies in place, it then decides whether to allow or deny the request.
5. The user receives the requested content (5a) or an exception page (5b), depending on the decision made by the policy engine.
Categorization Techniques (slide)
Database pros: Accuracy (close to 100%); Response time
Database cons: Small number of sites; Update time
Dynamic categorization pros: Immediate coverage; Scalability
Dynamic categorization cons: Response time; Accuracy (90%)
Slide 10—4:Categorization techniques
There are two main approaches to content filtering. One approach attempts to categorize websites by looking for key words in the HTML pages that users request. However, this approach has two severe limitations: lack of scalability and lack of accuracy. The other approach consists of assembling a team of content researchers and publishing a new database of sites organized by category. New databases can be published weekly, daily, or every few hours. The major limitation of this approach is the lack of flexibility and the inability to adapt to specific content; nobody could ever classify the entire Web. WebFilter uses a hybrid approach consisting of a static list and remote dynamic categorization using advanced Bayesian statistical analysis.
Slide 10—5: Blue Coat WebFilter
Blue Coat WebFilter is the content-filtering database and service that is a key component of the WebPulse solution. Its key characteristics, as listed on the slide:
— Hybrid: a static on-box list of the most frequently requested URLs, combined with remote dynamic categorization for URLs that are not in the database
— Relevant: the list focuses on the sites that users actually request, rather than attempting to categorize the entire Internet
— Immediate coverage of new and previously unrated URLs through dynamic categorization
— Frequent updates: incremental database updates are downloaded automatically (the ProxySG checks every five minutes)
— On-box database, with optional remote (WebPulse) lookups that administrators can disable
— Granular: more than 80 categories, covering sites in more than 50 languages
— Consistency: the same URL receives the same rating on every ProxySG, because every appliance uses the same database and service
— Application filtering: WebFilter recognizes Web applications (such as Facebook, Gmail and YouTube) and operations within them (such as uploading videos or sending attachments), so policy can allow an application while denying specific operations
— Data feedback: dynamic categorization results flow back to Blue Coat, where a research team devotes particular attention to malware and other serious threats, so the database improves continuously
Application Filtering (slide diagram): a Facebook video-upload URL (the URL itself is unreadable in the slide capture) is sent to WebPulse, which returns the categories Social Networking and Audio/Video Clips, the application Facebook, and the operation Upload Videos. The slide also lists other recognized applications and operations, such as sending email and attachments on Web-based email services.
Slide 10—6: Application filtering
Application filtering gives you more granular control of content access than URL category identification and blocking. This feature is available when you use Blue Coat WebFilter in conjunction with WebPulse. Here are some examples of how you can use this feature to help avoid data loss accidents, prevent security threats, and increase employee productivity:
• Allow users to post comments and chat in Facebook, but block sending pictures and videos.
• Prevent the uploading of videos to YouTube, but allow viewing of videos that others have posted.
• Allow users to access their personal email accounts on popular Web-based services such as Gmail and Hotmail, but prevent them from sending email attachments.
When you use WebFilter with WebPulse, a request to categorize a URL can return three components: one or more categories, an application, and an operation within that application. In the above example:
1. The ProxySG sends a request for the URL used by Facebook to upload videos.
2. WebFilter returns two categories for this URL and also detects that the application is Facebook and the request is to upload a video.
Using the advanced Content Policy Language (CPL) on the ProxySG, you can write policy that blocks access to certain Web applications and to operations performed within those applications. For more information on application filtering with WebFilter, including a current list of supported applications and operations and examples of CPL code that implements application filtering, refer to the Blue Coat SGOS 6.2.x Release Notes, available at BlueTouch Online.
Note: If an operation occurs in the background via AJAX or another Web 2.0 capability and the operation is blocked with an application-filtering policy, the ProxySG cannot deliver an exception to the user. The operation still is blocked, but it might appear to the user that the website has an issue because no error message displays.
Dynamic Categorization (slide)
• Extend WebFilter capabilities
— Scan and categorize the contents of a Web page
— Immediate categorization
• Provide a network service to accomplish dynamic classification
— Analysis is accomplished on the external service
— No performance impact on the ProxySG
• WebFilter service points located worldwide
Slide 10—7:Dynamic categorization
Dynamic categorization provides real-time analysis and content categorization of requested Web pages to solve the problem of new and previously unknown, uncategorized URLs. When a user requests a URL that has not already been categorized by the WebFilter database (for example, a new website), the ProxySG dynamic categorization service analyzes elements of the requested content and assigns a category or categories. The dynamic service is consulted only when the installed WebFilter database does not contain category information for an object.
HTTPS requests are not subject to dynamic categorization. This prevents secure information from being sent to WebPulse over an insecure connection. If the category returned by the service is blocked by policy, the offending material never enters the network in any form.
Dynamic analysis of content is performed on a remote network service, not locally on the ProxySG. Therefore, dynamic categorization incurs the following costs:
• Bandwidth: the round-trip request/response from the ProxySG to the service. Because the dynamic categorization protocol is compact, this cost is minimal.
• Latency: the time spent waiting for the dynamic categorization service to provide a result.
While these costs are typically small, certain conditions might require you to run dynamic categorization in the background or disable it.
The ProxySG uses a distributed network of servers to let customers download WebFilter database updates reliably and efficiently and to expedite dynamic categorization transactions. Blue Coat has WebFilter service points located around the world. Each location features high-bandwidth Internet access and a fully fault-tolerant, load-balanced security and download architecture. By contacting sp.cwfservice.net, the ProxySG discovers the closest and most available download site for you.
WebPulse Workflow (slide diagram): the client sends a request to the ProxySG, which receives periodic database updates from WebPulse. WebPulse performs dynamic rating (100 msec median) and, when needed, background rating with deep content and threat analysis (minutes to one day or more), retrieving the page from the origin content server (OCS).
Slide 10—8:WebPulse workflow
The Internet changes constantly; therefore, no rating service can ever categorize every Web page, and a static list is only a partial solution to the need for categorizing content. When a user requests a new URL that has not been rated in the WebFilter ratings database, WebFilter retrieves the page from its host server and analyzes its content. The dynamic rating (categorization) service looks at a number of elements, including the words on the page, the context of each word, and the formatting used on the page, and responds in one of two ways. If the service can determine a rating for the new website in real time, it rates and categorizes it, and the site is added to the WebFilter ratings database. If the dynamic rating service cannot determine a rating in real time, it categorizes the site as "none" and moves it to a third-stage rating process, called dynamic background rating, for additional review. Once the background rating service has reviewed the site, it either assigns it to one of WebFilter's content categories or queues it in a list for human reviewers to rate.
The process for categorizing websites operates as follows:
1. A client makes a request.
2. The request is matched against the WebFilter database installed on the local ProxySG. There is a 95% success rate: 95 of every 100 URLs requested are found in the local database (provided that it is kept up to date). This lookup takes less than 5 milliseconds.
3. If the URL is not in the current database, WebFilter queries the external database. This database contains the most up-to-date list of websites; it is updated every 15 minutes and holds what will become the new available list on the next scheduled download. This search usually takes 7 to 9 milliseconds and returns ratings for additional sites.
4. When the external database has no categorization for the URL, the request is sent to the dynamic rating server.
There are multiple locations around the world that handle this process; all of them feature high-availability servers and high bandwidth.
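As an added example (written for this edit, not Blue Coat code), the following Python model walks a request through the lookup chain in steps 2 to 4 above and through the three dynamic categorization modes described later on slide 10-9 (off, background, real time), including the background-mode case in which an object is served with category Pending before its rating arrives. The hostnames, categories and rating results are constructed sample data, not WebFilter content.

```python
from typing import Dict, List, Tuple

BLOCKED_CATEGORIES = {"Gambling", "Pornography", "Hacking"}   # assumed policy: categories to deny


class Categorizer:
    """Models the lookup chain: local database -> external database -> dynamic rating server."""

    def __init__(self, mode: str = "realtime"):
        if mode not in ("off", "background", "realtime"):
            raise ValueError(mode)
        self.mode = mode
        # Constructed sample databases; these are not real WebFilter ratings.
        self.local_db: Dict[str, List[str]] = {"news.example.test": ["News/Media"],
                                               "travel.example.test": ["Travel"]}
        self.external_db = {"newsite.example.test": ["Sports/Recreation/Hobbies"]}
        # What the dynamic rating server can decide in real time ...
        self.realtime_ratings = {"brandnew.example.test": ["Gambling"]}
        # ... and what only the slower background rating / human review can decide.
        self.background_ratings = {"obscure.example.test": ["Adult/Mature Content"]}
        self.background_queue: List[str] = []

    def categorize(self, host: str) -> Tuple[List[str], str]:
        """Return (categories, source) for the requested host."""
        if host in self.local_db:                          # step 2: local database, < 5 ms
            return self.local_db[host], "local"
        if host in self.external_db:                       # step 3: external database, 7-9 ms
            return self.external_db[host], "external"
        if self.mode == "off":                             # dynamic categorization not used
            return ["none"], "not-rated"
        if self.mode == "background":                      # serve now, rate later
            self.background_queue.append(host)
            return ["Pending"], "background"
        # realtime: the proxy request blocks until the rating service answers (step 4)
        cats = self.realtime_ratings.get(host)
        if cats is not None:
            self.local_db[host] = cats                     # newly rated sites join the ratings database
            return cats, "dynamic"
        # The service could not rate the page in real time: category "none", queued for background rating
        self.background_queue.append(host)
        return ["none"], "background"

    def complete_background_rating(self) -> Dict[str, List[str]]:
        """Simulate background rating (and human review) finishing and the results
        reaching this ProxySG with the next database update."""
        rated = {}
        for host in self.background_queue:
            cats = self.realtime_ratings.get(host) or self.background_ratings.get(host)
            if cats is not None:
                self.local_db[host] = cats
                rated[host] = cats
        self.background_queue = []
        return rated


def policy_decision(categories: List[str], treat_pending_as_denied: bool = False) -> str:
    """Deny if any returned category is blocked. 'Pending' and 'none' carry no category
    information, so what happens to them is a policy choice, not a rating result."""
    if "Pending" in categories and treat_pending_as_denied:
        return "DENY"
    return "DENY" if BLOCKED_CATEGORIES.intersection(categories) else "ALLOW"
```

The background-mode sequence is the one to note: the first request for brandnew.example.test is served as Pending and allowed by a policy that only blocks known categories; the Gambling rating arrives afterwards, and only the next request is denied. Real-time mode closes that window at the cost of latency, which is the trade-off described on slide 10-7.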
5. The dynamic rating server retrieves and analyzes the page on demand and returns a rating. The median response time is about 100 milliseconds, so the user's request is delayed only briefly.
6. URLs that the dynamic rating service cannot categorize with enough confidence are forwarded to background rating. Background rating performs a more intensive content and threat analysis and can take from a few minutes to a day or more; it is also used to review sites in sensitive categories such as Adult, Pornography and Gambling, where an incorrect rating would be a problem. A multilingual team of human researchers reviews the URLs that the automated processes cannot rate.
7. Ratings produced by dynamic and background rating are uploaded to the master WebFilter database, so that the next ProxySG to see the same URL gets an answer from the database instead of repeating the rating process.
8. Each ProxySG downloads updates from the master database at the interval scheduled by its administrator, after which the local database answers requests for those URLs.
Because WebPulse continuously processes traffic from a large community of organizations, this process scales: a popular website that turns malicious, for example after an injection attack, needs to be detected only once for every WebPulse user to be protected. Administrators do not manage the rating process themselves; they decide, through policy, which categories to allow or restrict.
Dynamic Categorization Results (slide screenshot; values as shown on the slide, the English threshold is unreadable in the capture)
Languages: english, probability 1.0, P/R .../0.99; slovenian, probability 0.00000, threshold 0.50000, P/R 1.00/0.38; italian, probability 0.00000, threshold 0.50000, P/R 1.00/1.00; chinese, probability 0.00000, threshold 0.50000, P/R 1.00/0.97
Top Categories (Category, Probability, Threshold, P/R):
Sports/Recreation/Hobbies, 1.0000, 0.57908, 0.80/0.60
News/Media, 0.0000, 1.00000, 0.83/0.73
Education, 0.0000, 0.98417, 0.80/0.78
Miscellaneous, 0.0000, NEVER, 1.00/0.23
Slide 10—9:Dynamic categorization results
Dynamic categorization can operate in two different modes: in real time or in the background. The difference is how long the ProxySG waits for the service to reply. Three options are available:
1. Do not categorize dynamically: Only the loaded database is consulted for category information. URLs not in the database show up as category "none." This mode is distinct from disabling the service: when this option is set as the default, dynamic categorization (in either real-time or background mode) can still be explicitly invoked by policy. When the service is disabled, no dynamic categorization is done regardless of policy, and the ProxySG does not contact the dynamic categorization service at all.
2. Categorize dynamically in the background: Objects not categorized by the database are dynamically categorized as time permits. Proxy requests are not blocked while the dynamic categorization service is consulted. Objects not found in the database appear as category Pending, indicating that categorization was requested but the object was served before the response was received.
3. Categorize dynamically in real time: This is the default. Objects not categorized by the database are dynamically categorized. If this entails consulting the dynamic categorization service, the proxy request is blocked until the service responds. The advantage of real-time mode is that policy has access to the results of dynamic categorization, so policy decisions are made with all available information.
The above example shows how a ProxySG has categorized content that it was asked to analyze. The following fields are highlighted:
• Probability: A normalized value between 0 and 1.00 that represents how confident the dynamic categorization service is that the page belongs in a given category, or is written in a given language. In the example above the service is certain (1.00) that the page belongs in Sports/Recreation/Hobbies. Language probabilities work the same way: a site such as http://www.jal.co.jp returns a probability for each language the service considers, and a page in Japanese with some English text would give Japanese a higher value than English.
• Threshold: The minimum probability the service requires before it designates a page as belonging to a category. If no category reaches its threshold, the page is returned without a category (it is Unrated); the service does not force it into the closest category.
• Precision (Accuracy): Of the pages the service designates as category X, how many actually belong to X. For instance, if the service identifies 100 pages as Pornography and 85 of them really are pornography, precision is 0.85.
• Recall (Coverage): Of all the pages that actually belong to category X, how many the service catches. If there are 100 Travel sites and the service correctly categorizes 90 of them as Travel, recall is 0.90.
Precision and recall pull in opposite directions: a threshold high enough to produce very few false positives lets more pages through unrated, and a threshold low enough to catch every page in a category marks pages that do not belong to it. The goal of Blue Coat WebFilter is the sweet spot that gives high precision, that is, the fewest false positives, without compromising recall. Precision and recall are also the values to compare when content filtering vendors publish claims about accuracy. The mathematical theory behind these values is discussed in the appendix of this book.
Chapter 10: WebPulse
Local Database
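The threshold decision and the precision/recall computations described above, worked through in code. This is an added example, not Blue Coat code or output; the categorization result, the labelled page sample and the scored pages are constructed for the example, and the thresholds are treated as a single minimum probability per category (the slide's second threshold value is not modelled).

```python
# Added example (not Blue Coat code): how a threshold turns dynamic
# categorization probabilities into a category decision, and how precision
# and recall are computed for a category. All sample data is constructed.
from typing import Dict, List, Optional, Tuple

# Constructed result modelled on the slide: category -> (probability, threshold).
# None stands for the slide's "NEVER": that category is never assigned.
SAMPLE_RESULT: Dict[str, Tuple[float, Optional[float]]] = {
    "Sports/Recreation/Hobbies": (1.0000, 0.80),
    "News/Media": (0.0000, 0.83),
    "Education": (0.0000, 0.80),
    "Miscellaneous": (0.0000, None),
}


def assign_categories(result: Dict[str, Tuple[float, Optional[float]]]) -> List[str]:
    """Return every category whose probability reaches its threshold.

    If none does, the page gets no category at all (the page calls this
    "none" or Unrated); it is never forced into the closest category.
    """
    chosen = [cat for cat, (prob, thr) in result.items()
              if thr is not None and prob >= thr]
    return chosen or ["none"]


def precision_recall(pairs: List[Tuple[str, str]], category: str) -> Tuple[float, float]:
    """pairs is a list of (category the service assigned, true category).

    precision = of the pages designated as `category`, the fraction that really are
    recall    = of the pages that really are `category`, the fraction designated so
    """
    tp = sum(1 for got, truth in pairs if got == category and truth == category)
    fp = sum(1 for got, truth in pairs if got == category and truth != category)
    fn = sum(1 for got, truth in pairs if got != category and truth == category)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def sweep_threshold(scored: List[Tuple[float, str]], category: str,
                    thresholds: List[float]) -> Dict[float, Tuple[float, float]]:
    """Show the precision/recall trade-off; scored is (probability, true category).

    Raising the threshold cuts false positives (precision up) but lets more
    genuine pages through uncategorized (recall down); lowering it does the reverse.
    """
    out = {}
    for thr in thresholds:
        pairs = [(category if prob >= thr else "none", truth) for prob, truth in scored]
        out[thr] = precision_recall(pairs, category)
    return out


# Constructed sample: 100 pages designated Pornography (85 correctly),
# plus 10 real pornography pages the service missed and 10 other pages.
PORN_SAMPLE = ([("Pornography", "Pornography")] * 85
               + [("Pornography", "Other")] * 15
               + [("Other", "Pornography")] * 10
               + [("Other", "Other")] * 10)

# Constructed scored pages for the threshold sweep: (probability, true category)
SCORED = [(0.95, "P"), (0.90, "P"), (0.85, "P"), (0.80, "O"),
          (0.75, "P"), (0.70, "O"), (0.60, "P"), (0.40, "O")]

if __name__ == "__main__":
    print(assign_categories(SAMPLE_RESULT))
    print(precision_recall(PORN_SAMPLE, "Pornography"))
    print(sweep_threshold(SCORED, "P", [0.80, 0.60]))
```

Running the sweep on the constructed scores shows the trade-off directly: at threshold 0.80 the category is assigned to four pages, three of them correct (precision 0.75, recall 0.60); at 0.60 every genuine page is caught (recall 1.0) at the cost of two false positives (precision about 0.71).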
• Custom categories
— Custom allowed list
— Custom denied list
— Internal URLs
• Performance and security
— Hash list
— Does not require Management Console access
Slide 10—10: Local database
You can create your own local database file and download it to the ProxySG. This file is created in the same way that policy files are created, except that only Define Category statements are allowed in the local database. You might find it convenient to put your local database on the same server as any policy files you are using. However, some restrictions apply to a local database that do not apply to policy definitions:
• No more than 200 separate categories are allowed.
• Category names must be 32 characters or less.
• A given URL pattern can appear in no more than four category definitions.
You can use any combination of the local database, policy files, or the VPM to manage your category definitions. You can also use both a local database and a third-party vendor for your content filtering needs. If you have extensive category definitions, Blue Coat recommends that you put them into a local database rather than into a policy file. The local database stores custom categories in a more scalable and efficient manner, and separates the administration of categories from policy. Like the WebPulse database, the local database is checked for updates every five minutes, and such checks can be restricted to a specific range of hours each day. Here is an example of a local database file:

    define category mycompany_allowed
      bluecoat.com
      symantec.com
      kaspersky.com
      sophos.com
      microsoft.com
    end

    define category mycompany_denied
      sex.
      hacking.
      .playboy.
    end

    define category mycompany_internal
      intranet.mycompany.com
      www.mycompany.com/401k
      webmail.mycompany.com
    end
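A checker for local database files of the kind shown above, as an added example (not Blue Coat code): it parses the define category blocks, rejects anything else, reports violations of the three restrictions listed above, and looks up which custom categories a URL falls into. The sample file is constructed. The URL matching rule it applies (domain suffix on a label boundary, optional path prefix) is an assumption made for this example; the appliance's own pattern matching rules are not described on this page.

```python
# Added example (not Blue Coat code): parse a local database file, check it
# against the restrictions the page lists, and look up a URL's custom
# categories. Matching rule (domain suffix + optional path prefix) is an
# assumption for the example, not the appliance's documented behaviour.
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

MAX_CATEGORIES = 200             # no more than 200 separate categories
MAX_NAME_LEN = 32                # category names of 32 characters or less
MAX_CATEGORIES_PER_PATTERN = 4   # a URL pattern in no more than four categories

# Constructed sample file in the same format as the page's example.
SAMPLE_DB = """\
; custom categories for mycompany (';' starts a CPL comment)
define category mycompany_allowed
  bluecoat.com
  symantec.com
end
define category mycompany_denied
  playboy.com
end
define category mycompany_internal
  intranet.mycompany.com
  www.mycompany.com/401k
end
"""


def parse_local_db(text: str) -> Dict[str, List[str]]:
    """Return {category: [url patterns]}; reject anything but define category blocks."""
    categories: Dict[str, List[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.fullmatch(r"define\s+category\s+(\S+)", line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: define inside category {current}")
            current = m.group(1)
            categories.setdefault(current, [])
        elif line == "end":
            if current is None:
                raise ValueError(f"line {lineno}: 'end' outside a category")
            current = None
        elif current is not None:
            categories[current].append(line.lower())
        else:
            raise ValueError(f"line {lineno}: only define category blocks are allowed")
    if current is not None:
        raise ValueError(f"category {current} has no 'end'")
    return categories


def check_limits(categories: Dict[str, List[str]]) -> List[str]:
    """List violations of the local-database restrictions."""
    problems = []
    if len(categories) > MAX_CATEGORIES:
        problems.append(f"{len(categories)} categories (max {MAX_CATEGORIES})")
    for name in categories:
        if len(name) > MAX_NAME_LEN:
            problems.append(f"category name too long: {name}")
    users: Dict[str, List[str]] = defaultdict(list)
    for name, patterns in categories.items():
        for pat in patterns:
            users[pat].append(name)
    for pat, names in users.items():
        if len(names) > MAX_CATEGORIES_PER_PATTERN:
            problems.append(f"pattern {pat} in {len(names)} categories: {names}")
    return problems


def _matches(pattern: str, host: str, path: str) -> bool:
    # Assumed rule: host equals the pattern host or is a subdomain of it;
    # a path in the pattern must be a prefix of the request path.
    pat_host, _, pat_path = pattern.partition("/")
    host_ok = host == pat_host or host.endswith("." + pat_host)
    path_ok = path.startswith("/" + pat_path) if pat_path else True
    return host_ok and path_ok


def url_categories(url: str, categories: Dict[str, List[str]]) -> List[str]:
    """Return the custom categories whose patterns match the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return [name for name, patterns in categories.items()
            if any(_matches(p, host, path) for p in patterns)]


if __name__ == "__main__":
    db = parse_local_db(SAMPLE_DB)
    print(check_limits(db))
    print(url_categories("http://www.mycompany.com/401k/plan", db))
```

Run the checker against the file before publishing it on the web server that the ProxySG polls: a file the appliance rejects leaves the previous local database in force, and the parser refuses policy statements that do not belong in a local database.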
Local Database
Slide 10-11 figure: a user creates or edits the local database file on an internal web server; the ProxySG pulls the local database from that server alongside the WebFilter, third-party and IWF database updates.
Slide 10-11: Local database
The ProxySG allows you to use up to four URL content filters at the same time. You can use any of the following:
• WebFilter.
• Any single third-party content filter. Websense, SmartFilter, Proventia, and Optenet are supported in the Management Console; the legacy filters SurfControl, iFilter, Intersafe and WebWasher must be administered through the ProxySG command line interface. If you are using a legacy content filter, check with the database supplier to determine whether the filter's database is still being updated.
• A local database.
• The database from the Internet Watch Foundation (IWF), a charity based in the United Kingdom that operates an online service through which anyone in the world can report potentially illegal content. Acting on reports from the public, the IWF produces a blacklist of Internet sites and content deemed to contravene UK law.
You cannot use two third-party content filtering databases together. The most common configuration is WebFilter plus the local database.
You can configure the ProxySG to download updates for each enabled content filtering list. It is good practice to schedule the downloads so that they do not all happen at the same time. In general, updates are incremental: if you are on version 100 of a database and the vendor is on version 103, you get the updates from 100 to 101, from 101 to 102, and from 102 to 103. If you are more than two weeks behind, WebFilter downloads the entire database instead, which is faster and more efficient than applying 14 or more incremental updates.
An advantage of the local database is that it can be configured and maintained without access to the ProxySG. An administrator with no permissions on the appliance can edit the local database file on the web server; the ProxySG checks for updates to the file and installs them automatically.
147 BlueTouch Training Services — BCCPA Course v3.5.1
Private Networks
Slide 10-12 figure: flowchart of the private-network check. The host of a request is compared against the private subnet list and the private domain list; a host that matches either list, or that resolves to a private address, gets no remote (WebPulse) lookup.
Slide 10—12: Private networks
Although the information WebPulse collects is limited to generally benign items such as URLs, HTTP Referer headers, and HTTP User-Agent headers, a URL or a header alone can sometimes contain private information that should not be sent across the Internet or stored in a third-party database. You can define a list of private networks on the ProxySG; data about hosts on these nonroutable addresses is not sent to WebPulse. The flowchart above shows how private networks factor into the ProxySG's decision whether to send data to WebPulse. The following information is not sent:
• Any host identified by a nonroutable IP address.
• Any host whose DNS lookup resolves to a nonroutable IP address.
• Any host that is explicitly configured as private. Such a host may or may not be strictly private; this capability lets you exclude a host even if it has a routable IP address.
• Any HTTP Referer header that matches the above conditions.
The Management Console maintains two lists for this purpose: private subnets and private domains. To view and edit them, go to Configuration > Network > Private Network. By default, the list of private subnets contains the nonroutable address ranges 0.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.168.0.0/16, 224.0.0.0/3, and 10.0.0.0/8, and the list of private domains is empty.
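The decision described above, as a function, is an added example rather than Blue Coat code. It uses the page's default subnet list; the DNS table is a constructed stand-in for the live lookup the appliance performs, and the example domain names are constructed.

```python
# Added example (not Blue Coat code): the private-network decision from the
# flowchart. DEFAULT_PRIVATE_SUBNETS is the page's default list; FAKE_DNS is
# a constructed stand-in for the live DNS lookup the appliance performs.
import ipaddress
from typing import Iterable, Optional
from urllib.parse import urlsplit

DEFAULT_PRIVATE_SUBNETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16",
    "192.168.0.0/16", "224.0.0.0/3", "10.0.0.0/8")]

# Constructed resolver: name -> address; names not listed do not resolve.
FAKE_DNS = {
    "intranet.example.com": "10.1.2.3",      # internal name on a private address
    "www.example.com": "203.0.113.10",       # public address (documentation range)
    "hr.example.com": "192.0.2.7",           # routable as far as the subnet list knows
}


def _in_private_subnet(addr: str, subnets) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in subnets)


def is_private_host(host: str, private_subnets=DEFAULT_PRIVATE_SUBNETS,
                    private_domains: Iterable[str] = (), resolve=FAKE_DNS.get) -> bool:
    """True when data about this host must not be sent to WebPulse."""
    host = host.lower().rstrip(".")
    # 1. the host is an IP literal: check the subnet list directly
    try:
        ipaddress.ip_address(host)
        return _in_private_subnet(host, private_subnets)
    except ValueError:
        pass
    # 2. the host is explicitly configured as private (exact name or subdomain),
    #    which excludes it even if its address is routable
    for dom in private_domains:
        dom = dom.lower().strip(".")
        if host == dom or host.endswith("." + dom):
            return True
    # 3. the host resolves to a nonroutable address
    addr: Optional[str] = resolve(host)
    return addr is not None and _in_private_subnet(addr, private_subnets)


def send_to_webpulse(url: str, referer: Optional[str] = None, **kw) -> bool:
    """Decide whether the URL (and its Referer header) may be sent to WebPulse.

    Both the requested host and the Referer host are checked, because a
    Referer can name a private site even when the request itself is public.
    """
    host = urlsplit(url).hostname
    if host is None or is_private_host(host, **kw):
        return False
    if referer:
        ref_host = urlsplit(referer).hostname
        if ref_host is not None and is_private_host(ref_host, **kw):
            return False
    return True


if __name__ == "__main__":
    for url in ("http://10.0.0.5/", "http://www.example.com/", "http://intranet.example.com/"):
        print(url, send_to_webpulse(url))
```

Note the third rule depends on what the appliance's resolver returns: an internal name that is also published with a public address (split-horizon DNS seen from the wrong side) is not caught by the subnet check and needs an entry in the private domain list.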
Chapter 11: Authentication

Authentication refers to the process of challenging users to submit credentials (a username and password, for instance) before a request is allowed through the ProxySG. Once a user is authenticated, the ProxySG can also authorize the user, that is, decide what the user may access, based on policy. There are three main reasons why companies use authentication on the proxy:
• Security: To keep unauthorized users from accessing the Internet, or a resource on the network, through the ProxySG. Only users who can authenticate are allowed to use the proxy.
• Auditing: To keep an accurate log of who accessed what. Without authentication the access log can record only the client IP address, not the user.
• Policy: To grant selective access to specific users or groups; for instance, you can allow one group of users to reach a site and deny it to everyone else.

The ProxySG can authenticate users whether it is deployed in explicit or transparent mode; the details of how the challenge is delivered depend on the mode. Authentication is handled by realms: a realm is an authentication service (such as Microsoft Active Directory or an LDAP directory) together with the configuration the ProxySG needs to reach it. Multiple realms can be configured on a single ProxySG and, using a sequence realm, several realms can be tried in order for a single request. This chapter focuses on IWA realms (Windows NT domains and Active Directory) and on sequencing; LDAP realms are covered in the next chapter.

Even if you do not authenticate users for Internet access, it is good practice to require authentication before granting read or write access to the ProxySG Management Console or CLI, so that only authorized administrators can modify the configuration.

Slide 11-1: Explicit proxy authentication

The authentication process for an explicit proxy is straightforward:
1. The user agent (UA), for instance a browser, sends a request for a URL (GET http://www.bluecoat.com HTTP/1.1) to the proxy.
2. The proxy has no credentials for the user, so it returns an HTTP 407 (Proxy Authentication Required) response. The Proxy-Authenticate header in the response tells the UA which authentication scheme to use.
3. The UA prompts the user for a username and password (or, with NTLM, obtains the credentials from the operating system) and resends the request with the credentials in a Proxy-Authorization header. For Basic authentication the credentials are sent Base64-encoded, which is an encoding, not encryption: anyone who can see the request can recover the plaintext password.
4. If the credentials are valid, the proxy passes the request to the origin content server on the user's behalf and returns the requested content. If they are not valid, the proxy replies with another 407 and the UA prompts the user again.

Important: Most browsers cache the credentials for as long as they are running and send them with every subsequent request to the proxy, so the user is not prompted again unless the credentials stop being valid. In general, whether the proxy keeps a connection open or closes it does not affect Basic authentication, because the credentials accompany each request; NTLM is the notable exception, as described later in this chapter, because it authenticates the connection rather than each request.
BlueTouch Training Services, BCCPA Course v3.5.1, Chapter 11: Authentication
Authentication Options
Slide 11-2 figure: two flows from a client through the ProxySG to the Internet. With Authenticate, a request for a prohibited resource is simply denied. With Force Authenticate, the client is challenged to authenticate first and then denied, so the denial is logged with the username.
Slide 11-2: Authentication options
The ProxySG allows you to control how users are authenticated. When you create a rule in the Web Authentication Layer, you can decide whether authentication takes place even when the request is going to be denied. You can also control whether users can enter credentials in double-byte character sets. The action objects include:
• Force Authenticate: Forces the user to authenticate even though the request is going to be denied for reasons that do not depend on authentication. This action is useful for identifying the user before the denial, so that the username is logged along with the denial.
• Authenticate: Creates an authentication object that verifies users against a realm. The authentication realm must already exist on the ProxySG.
• Authentication Charset: Allows non-ASCII text in objects such as user and group names and the text of the Notify User object, and sets the character set to use in conjunction with localized policy. From the drop-down list, select a character set and click OK.
Authentication Realms
• IWA
— Windows NT domains and Active Directory
— Basic, NTLM, and Kerberos credentials
• Other realms: LDAP, RADIUS, and several others
• Sequence
— List of authentication realms to be processed
Slide 11-3: Commonly used authentication realms
A realm configuration includes:
• Realm name.
• Authentication service: IWA, LDAP, RADIUS, local, certificate, sequence, eTrust SiteMinder, Oracle COREid, or policy substitution.
• External server configuration: Back-end server information, such as host, port, and other details that depend on the selected service.
• Authentication scheme: The definition used to authenticate users.
• Authorization scheme: The definition used to authorize users for membership in defined groups and to check for attributes that trigger evaluation against any defined policy rules.
When you have configured your realms, you can view them and manage the credentials cache for a specific realm. The ProxySG can cache authentication credentials. You can specify the length of time, in seconds, that user and administrator credentials are cached, up to 3,932,100 seconds (more than 45 days). The default is 900 seconds (15 minutes). If you specify 0 as the cache time, traffic to the authentication server increases, because every request generates an authentication and authorization request to the server.
The ProxySG supports many authentication realms. This chapter focuses on the IWA and Sequence realms. While you might use a different realm in your organization, the fundamental concepts of implementing authentication are virtually identical regardless of the realm used; the only real difference is the information needed to create the realm, which you should be able to collect. If your realm is not among the ones discussed here, ask your instructor to cover the details of the realm that you use in your network.
Note: One-time passwords are supported for RADIUS realms only.
IWA Realm
• Basic credentials
— Username and password are sent Base64-encoded
— Least secure option
• NTLM credentials
— Uses the Microsoft proprietary authentication protocol
— Medium security option
• Kerberos credentials
— Uses the Microsoft implementation of MIT Kerberos v5
— Highly secure option
Slide 11-4: IWA realm
An Integrated Windows Authentication (IWA) realm authenticates users against an Active Directory tree or an NT domain. It supports three types of credentials, each detailed below. The client receives the list of supported credentials from the proxy and should choose the most secure set that both sides support.
• Basic authentication: This method is described in the HTTP RFC. Every user agent (UA) and every OCS on the Internet must support at least Basic credentials. The username and password are encoded using Base64. Because Base64 is an encoding, not encryption, the username and password are available to anybody who can run a packet trace of the communication between the UA and the proxy. The credentials appear as username:password in the Proxy-Authorization header. Every browser supports Basic credentials.
• NTLM authentication: NT LAN Manager is a Microsoft-proprietary protocol that authenticates users and computers with a challenge and response. The key idea behind NTLM is to authenticate users without the password ever being exchanged between the client and the authentication server (the domain controller, or DC). NTLM is discussed in greater detail on the following pages.
• Kerberos authentication: This is the most secure and modern of the three methods. It uses an exchange of encrypted tickets that allows the client and the server to authenticate each other mutually.
Slide 11-5: NTLM authentication
NTLM deserves a closer look, because it is by far the most commonly used authentication method on Windows networks:
• Prevalence: NTLM is nearly ubiquitous. It is implemented in the Windows operating system and supported by the most widely used browsers, including Internet Explorer and Firefox, and by many other user agents.
• Single sign-on: Because a Windows desktop authenticates the user at logon, a compatible browser can send the user's NTLM credentials to the proxy automatically, in the background, when it is challenged. The user is not prompted to re-enter a username and password. This degree of integration with the desktop is the main benefit NTLM offers over the other methods.
• Medium security: The user's actual password is never transmitted over the network. NTLM is not as secure as Kerberos or certificate-based authentication, but it is far more secure than Basic credentials.
• Requires compatible browsers: a user agent that cannot use NTLM receives an authentication error when it is challenged for NTLM credentials.
Note: Certificate realms, Policy Substitution realms and Forms authentication are other authentication modes that this chapter does not cover.
NTLM Authentication
• Type 1 message (client to server): domain and workstation name
• Type 2 message (server to client): contains a challenge for the client
• Type 3 message (client to server): the client's response to the challenge
Slide 11-6: NTLM authentication
NTLM is a challenge/response authentication mechanism. This approach, while requiring more transactions between the client and the authentication server, allows the client to be authenticated without ever sending the password over the wire, either encrypted or in clear text.
When a client wants to authenticate, it sends a Type 1 message to the domain controller. This message contains information such as the client host name, the domain in which it wants to authenticate, the NTLM version supported, and other negotiation flags. The server replies with a Type 2 message, which in essence contains a random challenge string. The client encrypts the challenge with Data Encryption Standard (DES) using keys derived from the hash of the user's password (the password itself is never used directly, and never sent) and returns the result to the server. This reply is known as a Type 3 message. The server performs the same DES computation using the password hash it has stored for that username. (Details of DES encryption are beyond the scope of this course.) If the Type 3 message matches the server's own calculation, the server knows, because of the properties of DES, that the client holds the correct password hash; if there is a mismatch, authentication fails. The security of the exchange rests on the challenge being unpredictable: a challenge that is reused lets a captured Type 3 message be replayed.
BCAAA
Slide 11-7 figure: the ProxySG forwards authentication requests to BCAAA, which in turn talks to the NTLM authentication server (the domain controller).
Slide 11-7: Blue Coat Authentication and Authorization Agent
The SGOS operating system is designed to handle secure proxy server tasks. It uses external software, the Blue Coat Authentication and Authorization Agent (BCAAA), to support open-system or proprietary authentication systems. The ProxySG can interface directly with open-standard databases such as LDAP because the details of the implementation are known. Proprietary systems, such as NTLM, conceal fine protocol detail but provide an Application Programming Interface (API) to help third parties develop software that can interface with the systems. The ProxySG uses BCAAA (pronounced BECK-ah) as an elegant and efficient approach to supporting different authentication systems. BCAAA enables the ProxySG to support a growing number of databases, which currently include NTLM, Kerberos, SiteMinder, and Oracle COREid. In order for the ProxySG to use BCAAA, it must be run on a system supported by the supplier of the API for a given authentication database. For example, if you want to use NTLM authentication, BCAAA must run on a Windows system. BCAAA is available for three operating systems: • Windows 2000 and later (supporting all three realm types). • Windows NT (for BCAAA versions earlier than 4.2). • Solaris (supporting SiteMinder realms).
NTLM Authentication over HTTP
Client to ProxySG:      GET / HTTP/1.1
ProxySG to client:      HTTP/1.1 407 Proxy Authentication Required
                        Proxy-Authenticate: NTLM
                        Connection: Close
Client to ProxySG:      GET / HTTP/1.1
                        Proxy-Authorization: NTLM + Base64-encoded Type 1 message
ProxySG to BCAAA to NTLM authentication server: Type 1 message
ProxySG to client:      HTTP/1.1 407 Proxy Authentication Required
                        Proxy-Authenticate: NTLM + Base64-encoded Type 2 message
Client to ProxySG:      GET / HTTP/1.1
                        Proxy-Authorization: NTLM + Base64-encoded Type 3 message
ProxySG to BCAAA to NTLM authentication server: Type 3 message
ProxySG to client:      HTTP/1.1 200 OK
Slide 11-8: NTLM over HTTP
To authenticate users with NTLM, you need BCAAA running on a Windows machine, either a desktop or a server, that is a member of the domain in which you want to authenticate users. BCAAA authenticates users in all domains trusted by the computer on which it runs. A single BCAAA installation can support multiple ProxySG appliances. Here are the steps in the authentication process when you use an NTLM realm:
1. The client makes a request to the ProxySG. The ProxySG replies with an HTTP 407 response code (explicit authentication mode), which prompts the user agent (UA) to resend the request with authentication credentials, and closes the connection. Note that the ProxySG explicitly names NTLM as the required scheme in the Proxy-Authenticate header.
2. The client resends the original request, this time including the Type 1 message, Base64-encoded, in the Proxy-Authorization header. Base64 is the standard technique HTTP uses to pass binary data in headers. The ProxySG sends the Type 1 message to BCAAA over TCP port 16101 (you can customize the port on which the ProxySG and BCAAA communicate). BCAAA decodes the message from Base64 to its original format and, using the Windows API, passes it to the domain controller.
3. The domain controller responds to BCAAA with the Type 2 message, which BCAAA passes to the ProxySG. The ProxySG returns it to the client in a second 407 response and keeps this connection open: the challenge in the Type 2 message is tied to the connection, and the Type 3 message must arrive on the same connection (the diagram shows Connection: Close only on the first 407).
4. The UA receives the Type 2 message, extracts the challenge, and calculates the Type 3 message for that challenge using the user's password hash.
5. The client sends the Type 3 message to the ProxySG as a Base64-encoded string. The ProxySG passes it to BCAAA, which passes it to the domain controller for the final validation. If the Type 3 message contains the correct response to the challenge, the domain controller authenticates the user and notifies BCAAA, which passes the result to the ProxySG.
6. After a successful authentication, the ProxySG returns an HTTP 200 response code to the client. At this point the connection between the ProxySG and the UA is authenticated, and the user starts receiving the requested data.
While NTLM is more secure than Basic authentication (the password is not passed over the wire), a bit more information is exchanged between the UA and the ProxySG, and the extra round trips are repeated on every new connection.
There are two common issues with BCAAA that are easy to address. The messages appear in the Windows Event Log:
• If you try to start the BCAAA service when it is already running, the following message is displayed: The requested service has already been started.
• If another application is using the same port number as the BCAAA service, the following messages are displayed: The BCAAA service could not be started. A system error has occurred. System error 10048 has occurred. Only one usage of each socket address (protocol/network address/port) is normally permitted.
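The 407 exchanges described on the preceding pages, for Basic credentials and for NTLM, as an added example that is not Blue Coat or Microsoft code. Proxy, client and "domain controller" are all in-process; the DES computation of the real Type 3 message is replaced by HMAC-SHA256 over a password-derived secret, which keeps the property the page describes (the password itself is never sent, and the response is bound to a fresh challenge on one connection) without implementing NTLM's cryptography. The account database, header values and connection identifiers are constructed.

```python
# Added example (not Blue Coat or Microsoft code): a model of the explicit-proxy
# 407 exchange for Basic and NTLM-style authentication. HMAC-SHA256 over a
# password-derived secret stands in for NTLM's keyed DES; the message framing
# ("T1:", "T2:", "T3:") is a stand-in for the real NTLMSSP encoding.
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

USERS = {"alice": "correct horse"}            # constructed account database


def basic_header(user: str, password: str) -> str:
    """Proxy-Authorization value a browser builds for Basic credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_on_the_wire(proxy_authorization: str) -> Optional[Tuple[str, str]]:
    """What a packet trace reveals: Basic decodes to the password, NTLM does not."""
    if proxy_authorization.startswith("Basic "):
        try:
            decoded = base64.b64decode(proxy_authorization[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


def password_secret(user: str, password: str) -> bytes:
    """Stand-in for the password hash the domain controller stores."""
    return hashlib.sha256(f"NT:{user}:{password}".encode()).digest()


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the Type 3 computation (keyed DES in real NTLM)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Proxy:
    """Proxy side of the exchange: handle(connection id, request headers)
    returns (status, response headers)."""

    def __init__(self, scheme: str, users: Dict[str, str] = USERS) -> None:
        self.scheme = scheme
        self.users = users
        self.pending: Dict[str, bytes] = {}      # outstanding NTLM challenge per connection

    def handle(self, conn: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        auth = headers.get("Proxy-Authorization", "")
        return self._basic(auth) if self.scheme == "Basic" else self._ntlm(conn, auth)

    def _basic(self, auth: str) -> Tuple[int, Dict[str, str]]:
        creds = credentials_on_the_wire(auth)
        if creds and self.users.get(creds[0]) == creds[1]:
            return 200, {}
        return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}

    def _ntlm(self, conn: str, auth: str) -> Tuple[int, Dict[str, str]]:
        deny = (407, {"Proxy-Authenticate": "NTLM", "Connection": "close"})
        if not auth.startswith("NTLM "):
            return deny                                   # step 1: demand NTLM
        try:
            msg = base64.b64decode(auth[5:])
        except ValueError:
            return deny
        if msg.startswith(b"T1:"):                        # Type 1: issue a fresh challenge
            self.pending[conn] = os.urandom(8)
            t2 = base64.b64encode(b"T2:" + self.pending[conn]).decode()
            return 407, {"Proxy-Authenticate": "NTLM " + t2}   # connection stays open
        parts = msg.split(b":", 2)
        if len(parts) == 3 and parts[0] == b"T3":          # Type 3: verify on the same connection
            user = parts[1].decode(errors="replace")
            challenge = self.pending.pop(conn, None)
            password = self.users.get(user)
            if challenge is not None and password is not None:
                expected = challenge_response(password_secret(user, password), challenge)
                if hmac.compare_digest(parts[2], expected):
                    return 200, {}
        return deny


def ntlm_client(proxy: Proxy, user: str, password: str, conn: str = "c1",
                t3_conn: Optional[str] = None) -> list:
    """Drive the three legs; returns the status codes seen. t3_conn lets a test
    send the Type 3 message on a different connection than the challenge."""
    codes = []
    status, _ = proxy.handle(conn, {})                                          # leg 1
    codes.append(status)
    t1 = base64.b64encode(b"T1:WORKSTATION:DOMAIN").decode()
    status, hdrs = proxy.handle(conn, {"Proxy-Authorization": "NTLM " + t1})   # leg 2
    codes.append(status)
    challenge = base64.b64decode(hdrs["Proxy-Authenticate"][5:])[3:]
    response = challenge_response(password_secret(user, password), challenge)
    t3 = base64.b64encode(b"T3:" + user.encode() + b":" + response).decode()
    status, _ = proxy.handle(t3_conn or conn, {"Proxy-Authorization": "NTLM " + t3})  # leg 3
    codes.append(status)
    return codes
```

The model makes the two security points of this section concrete: credentials_on_the_wire recovers the Basic password from the header exactly as a packet trace would, while the NTLM header carries only a response that is useless without the secret and without the challenge that was issued on that specific connection.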
Important: The above diagram contains an intentional error. Can you find the error? The answer is on the next page.
Sequence Realm
• Credentials checked in order against multiple realms
• Different realm types in sequence
• Ideal for mixed environments
Slide 11 —9:Sequencing overview
On the previous diagram, the error is on the first arrow. The request GET / HTTP/1.1 does not make sense here: it is a server-style request. The ProxySG cannot reply with a 407 Proxy Authentication Required to a server-style request, because a client that sends one is not expecting a proxy in the path and would reject the message.
Organizations can use multiple authentication methods throughout a network. The ProxySG makes it simple to search for a user's credentials in multiple authentication realms through a method called sequencing. The basics are simple:
• You enable sequencing by establishing a sequence realm and adding different authentication realms to it.
• A sequence realm checks a user's credentials against multiple realms, one after the other.
• You can place different types of realms in a sequence realm. However, you can have only one IWA realm in a sequence.
• Sequence authentication is ideal for mixed environments. It is common for organizations that centralize operations or acquire other companies to have multiple authentication methods, for example NTLM and LDAP. When you have multiple realms, it can be difficult to determine where you should authenticate users. By establishing a sequence realm on the ProxySG, you can authenticate users against all of the realms in the sequence. It does not matter whether the ProxySG is deployed in transparent mode or explicit mode.
Sequencing begins when a client makes a request that requires authentication. The ProxySG challenges the client for authentication; the client submits credentials, which the ProxySG then checks against the realms in the sequence, in order.
Note: Hard errors that are not user-correctable, such as a server down, do not fall through to the next realm in a sequence. Instead, an exception is returned to the user. Only authentication errors that an end user can correct, such as a bad password, result in the next realm in a sequence being attempted.
Slide 11-10: Sequence realm authentication process

The flowchart above depicts the authentication process when a user's credentials are checked against a sequence realm. The process is generally simple, but there are a number of important rules:
1. The ProxySG attempts to authenticate the user's credentials against Realm 1, the first realm in the sequence. If the credentials match, the user is authenticated and the process ends. If a hard error occurs (such as the authentication server being down), the process ends with an error: the ProxySG does not continue to the other realms, and the user is not authenticated.
2. If there is no match and no hard error, the ProxySG tries Realm 2, the next realm in the sequence, and continues through each realm in the list until it finds a match or the realms are exhausted.
3. If the credentials fail against every realm in the sequence, authentication fails and the browser prompts the user for credentials again. The next attempt starts the cycle again from the first realm; the sequence is never resumed from the realm where the previous attempt failed.
4. Browsers generally allow only a limited number of authentication attempts (a count that absorbs mistakes such as typing errors) before they stop prompting and the user is denied.

Note: You can rename or delete individual realms, but a realm that is part of a sequence must first be removed from the sequence before you rename or delete it.

When setting up a sequence realm, keep the following in mind:
• Make sure that each realm that you plan to add to the sequence is customized to your needs and that its current values are correct. (For IWA, make sure that the Allow Basic credentials check box is set correctly.)
• Put no more than one IWA realm in a sequence.
• If you have an IWA realm in a sequence, it must be either the first or the last on the list. Make it the first realm on the list if you want to enable single sign-on.
• If you have an IWA realm and it does not support Basic credentials, make IWA the first realm in the list and enable the Try IWA authentication only once check box.
• You may put as many Basic and Windows SSO realms as you want in a sequence.
• You cannot place connection-based realms, such as Certificate, in a sequence.
• You cannot place a realm in a particular sequence more than once.
• You cannot nest sequence realms; that is, you cannot place a sequence realm inside another sequence realm.
• If a realm is down, an exception page is returned. Authentication is not tried against subsequent realms in the sequence.
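A model of sequence-realm evaluation with the fall-through rules described above (bad credentials move on to the next realm; a hard error stops the sequence with an exception), together with a checker for the rules on building a sequence. This is an added example, not Blue Coat code; the realm back ends are constructed in-memory tables, and the realm and user names are invented.

```python
# Added example (not Blue Coat code): sequence-realm evaluation with the
# page's fall-through rules, plus a checker for the sequence-building rules.
# Realm back ends are constructed in-memory tables.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OK, BAD_CREDENTIALS, HARD_ERROR = "ok", "bad-credentials", "hard-error"


@dataclass
class Realm:
    name: str
    kind: str                                   # "IWA", "LDAP", "RADIUS", "Certificate", ...
    users: Dict[str, str] = field(default_factory=dict)   # constructed back end
    down: bool = False                          # simulates an unreachable server
    allow_basic: bool = True                    # IWA "Allow Basic credentials" setting

    def authenticate(self, user: str, password: str) -> str:
        if self.down:
            return HARD_ERROR                   # not correctable by the user
        return OK if self.users.get(user) == password else BAD_CREDENTIALS


def authenticate_sequence(realms: List[Realm], user: str, password: str):
    """Try each realm in order. Returns (outcome, realm name, trail) where
    outcome is 'authenticated', 'exception' (hard error) or 'denied'."""
    trail: List[Tuple[str, str]] = []
    for realm in realms:
        result = realm.authenticate(user, password)
        trail.append((realm.name, result))
        if result == OK:
            return "authenticated", realm.name, trail
        if result == HARD_ERROR:                # no fall-through: return an exception page
            return "exception", realm.name, trail
    return "denied", None, trail                # every realm rejected the credentials


def validate_sequence(realms: List[Realm]) -> List[str]:
    """Return the rules from the list above that this sequence violates."""
    errors = []
    names = [r.name for r in realms]
    if len(set(names)) != len(names):
        errors.append("a realm cannot appear in the sequence more than once")
    iwa_positions = [i for i, r in enumerate(realms) if r.kind == "IWA"]
    if len(iwa_positions) > 1:
        errors.append("no more than one IWA realm in a sequence")
    elif iwa_positions:
        pos = iwa_positions[0]
        if pos not in (0, len(realms) - 1):
            errors.append("the IWA realm must be first or last")
        if not realms[pos].allow_basic and pos != 0:
            errors.append("an IWA realm without Basic credentials must be first")
    for r in realms:
        if r.kind == "Certificate":
            errors.append(f"{r.name}: connection-based realms cannot be sequenced")
        if r.kind == "Sequence":
            errors.append(f"{r.name}: sequence realms cannot be nested")
    return errors


# Constructed mixed environment: the Windows domain plus a legacy LDAP directory
CORP_IWA = Realm("corp-iwa", "IWA", {"alice": "pw1"})
LEGACY_LDAP = Realm("legacy-ldap", "LDAP", {"bob": "pw2"})
SEQUENCE = [CORP_IWA, LEGACY_LDAP]

if __name__ == "__main__":
    print(validate_sequence(SEQUENCE))
    print(authenticate_sequence(SEQUENCE, "bob", "pw2"))
```

The trail returned by authenticate_sequence is the detail worth logging when a sequence misbehaves: it shows whether a user was denied because every realm rejected the credentials or because the first realm was unreachable and the rest were never consulted.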
Chapter 12: LDAP Authentication

After studying this chapter, you will understand:
• The basic concepts and structure of a Lightweight Directory Access Protocol (LDAP) directory.
• How the ProxySG authenticates and authorizes users using an LDAP realm.
• How LDAP realms can be used with a ProxySG deployed in either explicit or transparent proxy mode.

This chapter assumes that you are familiar with LDAP concepts and with the topology of your network. LDAP is used by many directory-enabled applications, devices and services. Among the benefits of using an external LDAP database for authentication is simpler administration: changes such as user additions are made once in the directory and are immediately available to all ProxySG appliances, without the ProxySG administrator needing to know where individual users are located. The ProxySG can authenticate users against an LDAP server and authorize them on a per-group or per-attribute basis, and multiple LDAP realms, each pointing to a different server, can be created on a single ProxySG.

LDAP Overview
• Lightweight Directory Access Protocol
• Client-server protocol that runs over TCP (port 389 by default)
• Uses a tree structure
• Compatible with applications from many different vendors
• Two versions in use: version 2 and version 3

Slide 12-1: LDAP overview
LDAP is a client/server protocol, running over TCP on port 389 by default, that allows applications to access and manage the information held in a directory. In essence, an LDAP directory is a tree of entries; an LDAP client (such as the ProxySG) sends a query to the LDAP server, which returns the information requested or, if the information is held on another server, a referral to that server. Because LDAP provides a simple, uniform interface, it is commercially available from many different vendors and offers a great degree of interoperability between applications: a network designer can centrally manage users, their passwords and their permissions and expose them to every directory-enabled application, so that a user needs only a single set of credentials across multiple systems. Two versions of LDAP are in use, version 2 and version 3; the ProxySG supports both, but Blue Coat recommends version 3 where possible, because it supports referrals and secure connections. By default the ProxySG connects to the LDAP server over TCP port 389; because the connection carries users' credentials (username and password), you should protect it with SSL/TLS (Transport Layer Security) when the network between the ProxySG and the server is not trusted.
LDAP Directory Structure

Slide 12-2: Attributes

An LDAP directory is represented as a tree or, in a multi-domain environment, as a forest of trees. The root of the tree usually represents the organization, the branches divide the organization into units (by location, department or group), and the leaves are the individual objects: users, devices, groups and so on. Each object is identified by a series of attributes. The most commonly used, well-known attributes are:
• Domain Component (DC): Most often used to represent the root of the tree. The root is commonly built from the organization's domain name, one component per DC; a DC value can contain only letters, digits and hyphens.
• Country (C): A two-letter country code, sometimes used at the root of the tree instead of, or in addition to, the domain components.
• Organization (O): The name of the organization; some trees use O rather than DC at the root.
• Organizational Unit (OU): A branch of the tree, often used to group objects by geographic location, department or function. A tree can have multiple OUs, and OUs can be nested.
• Common Name (CN): The name of a leaf object, such as a user's full name, or of a pre-defined container (for example, the Users container).
• Distinguished Name (DN): The full path from the root of the tree to an object, expressed as the sequence of attributes along that path. Each object has a unique DN, and you must use the whole DN to identify the object; a CN or OU on its own is not necessarily unique in the tree.

Note: The login name is not necessarily part of the DN; which attribute stores it depends on the directory vendor. Other attributes, such as a phone number, can be associated with an object without being part of its DN.
Active Directory Structure

Slide 12-3: Active Directory structure

Different LDAP vendors use different attributes to store the login name (username). In Microsoft Active Directory (AD), user accounts are stored under the cn=users branch, and the CN attribute of a user object holds the user's full name, not the login name. For instance, the DN of the user Joe Kelly in the tree shown above is cn=Joe Kelly, cn=users, dc=training, dc=bluecoat, dc=com; his login name, joe.kelly, is stored in a separate attribute, sAMAccountName, which is not part of the DN and cannot be used to construct it. Other directories store the login name in the UID attribute. The path to a user object therefore cannot be derived from the login name alone: the ProxySG has to look the DN up in the directory before it can bind as that user. Machine accounts in AD are stored under a different branch, cn=computers.
LDAP Realm

Slide 12-4: LDAP realm

The slide shows the ProxySG querying a generic LDAP directory on behalf of its users.
The ProxySG supports the use of external LDAP database servers to authenticate and authorize users on a per-group or per-attribute basis. LDAP group-based authentication for the ProxySG can be configured to support any LDAP-compliant directory, including:
• Microsoft Active Directory server.
• Novell NDS/eDirectory server.
• Netscape/Sun iPlanet Directory server.
• Generic LDAP.

The ProxySG also provides the ability to search for a single user in a single root of an LDAP directory information tree (DIT), and to search in multiple base Distinguished Names (DNs). An LDAP realm supports Basic authentication and Basic authentication over SSL.
Important: You can configure an LDAP realm to use SSL when communicating to the LDAP server.
LDAP - Base DN
Slide 12-5: Base DN
In configuring an LDAP realm, you need to define two key parameters: Base DN and Search user DN. The ProxySG uses these DNs to bind to the LDAP tree and retrieve information. Some LDAP implementations allow anonymous searches, but in general you need to provide both parameters.

The base DN defines where the ProxySG should look for the requested information. You can have a more generic or a more specific DN. You should select the most inclusive, and yet most specific, base DN you can. For instance, in an AD deployment like the one shown in the above diagram, you can choose as a base DN the entire tree or a specific branch. If you define the base DN as dc=training, dc=bluecoat, dc=com, then the ProxySG can locate entries under both cn=users and cn=computers. This scenario is represented on the left side of the diagram. If you are using only user accounts and groups to manage authentication with your LDAP realm, you can make the base DN more specific and limit it to the branch cn=Users. The ProxySG can then only locate entries that exist under the cn=users, dc=training, dc=bluecoat, dc=com branch. This scenario is represented on the right side of the diagram.

The search user DN contains the information that the ProxySG needs in order to bind to an LDAP tree that does not allow anonymous browsing. Remember that you need to use the user's entire DN. Also, specifically in the AD case, you cannot use the login name (stored under the attribute sAMAccountName); you need to use the full name (stored under the attribute CN). The easiest solution is to create a special user whose full name and login name are the same, so that there is no confusion. The account used to bind to the LDAP tree does not need to have any specific power; it does not need to be an administrator or any other superuser. Any account should work properly.
LDAP Authentication Details

Slide 12-6: LDAP authentication details

The diagram shows the exchange between the ProxySG and Active Directory: an LDAP BIND request using the search user's DN and its BIND response; an LDAP search for the entry whose sAMAccountName equals the user ID, returning the user's DN (built from the full name in CN); and a second LDAP BIND using that user DN, with its BIND response.
Active Directory stores the username under the attribute sAMAccountName. This attribute cannot be used to construct a DN; you need to run a query on the AD tree using the username as a filter. The above diagram shows the steps that the ProxySG performs to authenticate a user in AD via the LDAP interface. The transactions between the client and the ProxySG are omitted from the list below.
1. The ProxySG binds to the LDAP tree using the credential that the administrator defined in the realm configuration under the Search user DN section.
2. The LDAP server responds to the bind request with a code of either success or failure.
3. If the bind request was successful, then the ProxySG generates an LDAP search using the user's login name as a filter.
4. The LDAP server returns the DN associated with that particular login name.
5. The ProxySG binds to the LDAP tree using the DN received as the result of the search in Step 3.
6. If the bind request succeeds, then the user is authenticated.

The steps described here take place only for the first user, the first time the user authenticates. The ProxySG maintains an active connection with the LDAP server; additionally, it caches the users' credentials for an amount of time configurable by the administrator. Credentials can be cached for up to 3,932,100 seconds (more than 45 days). The default value is 900 seconds (15 minutes). If you set the time to 0, this increases traffic to the LDAP server because each authentication request generates an authentication and authorization request to the server.
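The following is an added example, not code from the course or from SGOS: it models the six-step sequence above (search user bind, lookup of the DN by sAMAccountName, bind with the user DN), the effect of the base DN on what a search can find, and the credential cache with the limits quoted in the text. The directory contents, the proxysearch account and all passwords are constructed; the RFC 4515 filter escaping is standard LDAP client practice and an assumption of this model, not a description of how SGOS builds its filter.

```python
"""Model of an LDAP realm authenticating a user against an in-memory
stand-in for an Active Directory tree (constructed example)."""
import hashlib
import re

# Constructed directory, keyed by lower-cased DN. Passwords are present only
# so that the toy bind() can check them; a real directory stores hashes.
DIRECTORY = {
    "cn=joe kelly,cn=users,dc=training,dc=bluecoat,dc=com": {
        "cn": "Joe Kelly", "sAMAccountName": "joe.kelly", "password": "pass-joe"},
    # Search user whose full name equals its login name, as the text advises.
    "cn=proxysearch,cn=users,dc=training,dc=bluecoat,dc=com": {
        "cn": "proxysearch", "sAMAccountName": "proxysearch", "password": "pass-search"},
    "cn=ws01,cn=computers,dc=training,dc=bluecoat,dc=com": {
        "cn": "WS01", "sAMAccountName": "WS01$", "password": "pass-ws01"},
}

def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["password"] == password

def build_filter(attribute, value):
    """Equality filter with the value escaped as RFC 4515 requires, so a
    login name can never change the shape of the filter."""
    escaped = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)
    return "(%s=%s)" % (attribute, escaped)

def parse_filter(flt):
    """Minimal filter reader: equality only, plus the (attr=*) presence form."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attribute, raw = m.groups()
    if raw == "*":
        return attribute, None   # presence: every entry that has the attribute
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return attribute, literal

def search(base_dn, flt):
    """Subtree search: DNs at or under base_dn that satisfy the filter."""
    attribute, literal = parse_filter(flt)
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base))
            and attribute in entry
            and (literal is None or entry[attribute] == literal)]

class LdapRealm:
    """Realm parameters the administrator sets: base DN(s), search user DN
    and password, and the credential cache TTL in seconds."""
    MAX_CACHE_SECONDS = 3932100   # upper limit quoted in the text

    def __init__(self, base_dns, search_user_dn, search_password, cache_seconds=900):
        if not 0 <= cache_seconds <= self.MAX_CACHE_SECONDS:
            raise ValueError("credential cache TTL out of range")
        self.base_dns = list(base_dns)
        self.search_user_dn = search_user_dn
        self.search_password = search_password
        self.cache_seconds = cache_seconds
        self._cache = {}            # username -> (password digest, expiry)
        self.server_round_trips = 0 # how often the LDAP server was contacted

    def authenticate(self, username, password, now):
        """Return (ok, detail) for one authentication request at time now."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        cached = self._cache.get(username)
        if cached and cached[0] == digest and cached[1] > now:
            return True, "cache hit"
        self.server_round_trips += 1                        # steps 1-2
        if not bind(self.search_user_dn, self.search_password):
            return False, "search user bind failed"
        self.server_round_trips += 1                        # steps 3-4
        flt = build_filter("sAMAccountName", username)
        matches = [dn for base in self.base_dns for dn in search(base, flt)]
        if len(matches) != 1:
            return False, "no unique DN for login name"
        self.server_round_trips += 1                        # steps 5-6
        if not bind(matches[0], password):
            return False, "user bind failed"
        if self.cache_seconds:
            self._cache[username] = (digest, now + self.cache_seconds)
        return True, matches[0]
```

With the default 900-second TTL, a second request from the same user within the window costs no round trips to the server; with cache_seconds set to 0 every request repeats all three exchanges, which is the traffic increase the text warns about. A base DN of cn=users cannot resolve the machine account under cn=computers, so the realm rejects it even with a correct password.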
Chapter 13: Creating Notifications and Exceptions
The Blue Coat ProxySG can do more than let you control users’ Internet activities. It also allows you to explain your organization’s Internet usage policies clearly and at the most effective time — when users try to access questionable or forbidden pages. Notifying users about policy when they use the Internet is a good practice, particularly when you block access to certain types of content. Even if you install content-filtering software and write a strict Internet usage policy, you may not see a gain in productivity unless you also tell users why they cannot view some Web pages. Users who cannot access a site might think a network problem has occurred and make unnecessary calls to your organization’s help desk. However, you can prevent that problem by creating custom notification pages. These pages appear in users’ browsers and tell them why access to certain sites is forbidden or why access to other sites is officially discouraged even if it is allowed. The ProxySG allows administrators to create notification pages through the Visual Policy Manager (VPM) instead of requiring them to write advanced Content Policy Language (CPL). This chapter introduces the different kinds of notification pages and briefly explains how they are created. A companion laboratory exercise teaches you how to create different kinds of notification pages.
Exceptions and Notify User

Slide 13-1: Overview

The ProxySG offers two types of notification pages:
• Exceptions: HTML pages (or messages) that the ProxySG returns to the client browser in place of the requested content; for example, when a request is denied by policy, when authentication fails, or when the ProxySG cannot handle the request properly. The exception is sent in the response to the client's request, before any content from the requested site. There are two types of exceptions, built-in and user-defined; both can be customized through the Management Console or the CLI and used as action objects in the VPM. An exception page can include substitution variables, such as the user's name, the client address, the requested host or the content category that caused the denial, so that the page explains that particular denial to the user.
• Notify User: pages designed to inform users of policy, such as an Acceptable Use Policy (AUP) page or a coaching page, and then let them continue: the user must read the page and click Accept before the requested content is allowed. Notify User objects are available only through the VPM.
Exceptions

Slide 13-2: Exceptions

The slide shows the two families of exceptions, built-in and user-defined (exception_name), and that only user-defined ones can be created or deleted by the administrator.
Exception pages are customized Web pages (or messages) sent to users under specific conditions defined by a company and its security policies. The ProxySG offers multiple built-in exception pages that can be modified for a company's particular needs. Built-in exception pages are always available and can also have their contents customized; however, built-in exceptions cannot be deleted, and you cannot create new built-in exceptions. Built-in exception pages include authentication_failed, policy_denied, and so on. Additionally, user-defined exception pages can be created by the administrator. In a user-defined exception page, you can write a more specific, detailed message than the ones contained in the built-in exception pages. You also can use HTML or JavaScript code in writing the page or add links to external resources, such as images. Built-in and user-defined exceptions can be used as an action object when creating policy in the VPM or through CPL.
Components of an Exception

Slide 13-3: Components of an exception

Each exception, whether built-in or user-defined, is defined by the same set of components, and the slide shows the default policy_denied page with each component labelled. Although you can customize the whole HTML page that the ProxySG returns, in most environments the only customization needed is the site-specific contact information. The components are:
• Identifier: The name of the exception (for example, policy_denied). It identifies which exception was issued and is available in the page as $(exception.id).
• Format: The HTML (or other) code used to render the page. The format defines the appearance of the page and pulls in the other components through substitution variables; a default format is shared by all exceptions unless a specific one is defined for a single exception.
• Summary: A short, top-level description of the exception (for example, Access Denied), available as $(exception.summary).
• Details: A description of the cause of the exception (for example, "Your system policy has denied access to the requested URL"), available as $(exception.details). For policy_denied, the details can also state the content category that caused the denial, through $(exception.category).
• Help: Text telling the user what to do next (for example, to contact the network support team for assistance), available as $(exception.help).
• Contact: Site-specific information on whom to contact for help, available as $(exception.contact). This is the component most commonly customized.
• HTTP-Code: The HTTP response code returned with the exception (for example, 403 Forbidden for policy_denied). Some user agents render the page only when the response code is one they expect.

The page can also show the requested URL, through $(url), so that the user sees which request was denied.
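The components listed above are the keys of the parenthesised installable-list form that the next section, Managing Exceptions via CLI, shows. The following is an added example, not SGOS code or material from the course: it parses a small list in that form, fills in the defaults that a child exception inherits from exception.all or exception.user-defined.all, and renders the page by expanding the $(...) substitution variables. The sample list, the help desk address and the user-defined exception travel_sites are constructed; escaping request-derived values before they are placed in the HTML is this example's choice, not a description of how SGOS renders its pages.

```python
"""Parse an exception installable list, resolve inherited defaults and
render the page with $(...) substitutions (constructed example)."""
import html
import re

SAMPLE_LIST = r'''
(exception.all
    (format "<html><body><h1>$(exception.summary)</h1><p>$(exception.details)</p><p>$(exception.help)</p><p>$(exception.contact)</p><p>Requested: $(url)</p></body></html>")
    (help "For assistance, contact your network support team.")  ; default help
    (contact "")
    (http (code "200"))
)
(exception.policy_denied
    (summary "Access Denied")
    (details "Your system policy has denied access to the requested URL.")
    (http (code "403"))
)
(exception.user-defined.all
    (contact "Help desk: helpdesk@example.test")
)
(exception.user-defined.travel_sites
    (summary "Discouraged Site")
    (details "Travel sites are discouraged during working hours.")
    (http (code "403"))
)
'''

TOKEN = re.compile(r'\s+|;[^\n]*|"([^"]*)"|[()]|[^\s()";]+')

def tokenize(text):
    """Yield ('str', value) for quoted strings and ('sym', text) otherwise."""
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok.isspace() or tok.startswith(";"):   # whitespace and ; comments
            continue
        yield ("str", m.group(1)) if m.group(1) is not None else ("sym", tok)

def parse(tokens):
    """Turn the token stream into nested lists, one list per ( ... )."""
    tokens = iter(tokens)

    def node():
        items = []
        for kind, val in tokens:
            if (kind, val) == ("sym", "("):
                items.append(node())
            elif (kind, val) == ("sym", ")"):
                return items
            else:
                items.append(val)
        raise ValueError("unbalanced parentheses")

    top = []
    for kind, val in tokens:
        if (kind, val) != ("sym", "("):
            raise ValueError("expected '(' at top level, got %r" % val)
        top.append(node())
    return top

def load_exceptions(text):
    """Return {name: {field: value}}; nested (http (code ..)) becomes 'http.code'."""
    table = {}
    for node in parse(tokenize(text)):
        name = node[0]
        if not name.startswith("exception."):
            raise ValueError("not an exception definition: " + name)
        fields = {}

        def walk(items, prefix):
            for item in items:
                if isinstance(item, list) and len(item) == 2 and isinstance(item[1], str):
                    fields[prefix + item[0]] = item[1]
                elif isinstance(item, list):
                    walk(item[1:], prefix + item[0] + ".")
        walk(node[1:], "")
        table[name[len("exception."):]] = fields
    return table

FIELDS = ("summary", "details", "help", "contact", "format", "http.code")

def resolve(table, name):
    """Take each field from the exception itself, then user-defined.all for a
    user-defined exception, then all; missing fields become empty."""
    chain = [name] + (["user-defined.all"] if name.startswith("user-defined.") else []) + ["all"]
    resolved = {"id": name}
    for field in FIELDS:
        resolved[field] = next((table[s][field] for s in chain if field in table.get(s, {})), "")
    return resolved

SUBST = re.compile(r"\$\(([\w.-]+)\)")

def render(resolved, transaction):
    """Expand $(exception.*) from the definition and other variables, such as
    $(url), from the transaction. Request-derived values are HTML-escaped so
    a crafted URL cannot inject markup into the page (this toy's choice)."""
    def value(m):
        key = m.group(1)
        if key.startswith("exception."):
            return resolved.get(key[len("exception."):], "")
        return html.escape(str(transaction.get(key, "")))
    return int(resolved["http.code"]), SUBST.sub(value, resolved["format"])
```

The resolution order matters when reading a real list: a field left out of policy_denied is not empty but whatever exception.all says, which is why the slide's default definitions leave contact, format and help blank.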
Managing Exceptions via CLI

#(config exceptions)
    create exception_name
    delete exception_name
    edit exception_name
        http-code
        summary
        details
        format
        help
        contact

Slide 13-4: Exceptions, creating and editing

You can create or edit an exception with installable lists on the Management Console. The exception installable list uses the Structured Data Language format. This format provides an effective method to express a hierarchy of key/value pairs. The Management Console allows you to create and install exceptions through a text editor, a local file, or a remote URL. Additionally, you can create or edit an exception through the CLI.

Exception pages are defined within a hierarchy, and parent exceptions can provide default values for child exceptions. There are two parent exceptions from which other exceptions are derived: exception.all and exception.user-defined.all. The general form of an exception is:

(exception.exception_name
    (summary "")      ; defines a summary of the message
    (http
        (code "")     ; HTTP return code (typically 200 OK or 403 Forbidden)
    )
    (contact "")      ; displays the contact information for further assistance
    (details "")      ; displays the reason why the exception was sent
    (format "")       ; defines the page format, specifically HTML content
    (help "")         ; defines the help message
)

When defining the above fields, you can reference substitution variables such as the authenticated username, client IP address, time, date, and so on, allowing you to make user-specific messages.

Default Policy

Slide 13-5: Default policy

The slide shows the default exception definitions: a generic entry whose details read "Your system policy has denied the requested action", and the built-in policy_denied exception with a summary of "Access Denied", an HTTP code of 403 and details reading "Your system policy has denied access to the requested URL"; in both, the contact, format and help fields are left empty so that they inherit the defaults.

The default proxy transaction policy is to either deny proxy transactions or to allow proxy transactions.
A default proxy transaction policy of Deny prohibits proxy-type access to the ProxySG: You must then create policies to explicitly grant access on a case-by-case basis. Your browser displays an access-denied page under such a situation. The default proxy policy depends on how you installed SGOS and whether it was a new installation or an upgrade:
• MACH5 Edition: The default setting is Allow.
• Proxy Edition: The default depends on how you configured your ProxySG: If SGOS was installed using the front panel or through the serial console, the default setting is Deny. If you upgraded SGOS from a previous version, the default policy remains the same as it was for the previous version.

Note: The default proxy policy does not apply to admin transactions. By default, admin transactions are denied unless you log in using console account credentials or if explicit policy is written to grant read-only or read-write privilege.

Notify User Objects

Slide 13-6: Notify user objects

• Used for special pages: splash and coaching pages.
• Based on cookies: HttpOnly; require the user agent to support cookies.
• Creates large CPL code, which is difficult to troubleshoot.

The notify user feature is designed to provide the following functionality:
• Web-use compliance: A compliance page is a customized notification page displayed when a user attempts to access the Internet. This page ensures employees read and understand the company's Acceptable Usage Policy before Internet use is granted.
• Coach users: A coaching page displays when a user visits a website that is blocked by content filtering policy. This page explains why the site is blocked, the consequences of unauthorized access, and a link to the site if business purposes warrant access.
Splash Pages

Slide 13-7: Splash pages

A splash page is a notification page that the ProxySG presents to users once in a period defined by the administrator (for instance, once per day) before they can access the Internet. It is the usual way to present the organization's Acceptable Use Policy (AUP), and it can also inform users of other events, such as a planned network outage. The ProxySG delivers the splash page on the first request of the period, whatever URL was requested and however the user reached it: by typing the URL, by selecting a bookmark or by opening a new browser. While the time limit has not expired, the ProxySG does not present the splash page again; once it has expired, the page appears again at the next request. A splash page requires a cookie-enabled user agent in order to work properly.

In the above diagram, the administrator has defined a splash page that users must accept once per day:
1. The user requests the first site of the day (for instance, http://www.firstsiteoftheday.com). The ProxySG returns the splash page instead; the user clicks Accept, and the ProxySG delivers the requested page.
2. The same user then requests another site (for instance, http://www.anothersitetoday.com). Because the time limit has not expired, the requested page is delivered as usual, without a splash page.
3. When the time limit expires, the next request is again answered with the splash page.

Coaching Page

Slide 13-8: Coaching page

The diagram shows a user requesting two prohibited sites in turn (for instance, http://www.notsogoodsite.com and http://www.anotherbadone.com); for each request the ProxySG returns a coaching page, and the requested page is delivered only after the user clicks Accept.

Coaching pages have a dual purpose: They notify users that a website or other resource is contrary to the organization's AUP, and they also allow users to access it.
Coaching pages are sometimes called burn-through pages. When users see a coaching page, they are informed that their organization's AUP prohibits them from viewing certain content. However, the coaching page also offers a link to the resource along with a warning that users' activity will be monitored and reported. You might find it useful to use both exception and coaching pages. For instance, you might want to block users from adult sites and return exception pages when they try to access them. You might want to discourage traffic to travel or Web email sites and return coaching pages when users attempt to view them.

In the above diagram, the administrator has defined a coaching page to be presented whenever a user requests a page that is prohibited by their organization's AUP.
1. The user requests a prohibited page, so the ProxySG presents a coaching page. The user clicks Accept on the coaching page, and the requested page is delivered.
2. The same user then requests another prohibited page. Even though a coaching page was presented for the request in Step 1, the ProxySG presents the coaching page again, this time for the second prohibited page.

A ProxySG coaching page requires a cookie-enabled user agent in order to work properly.

Configuring Notify User

Slide 13-9: Configuring Notify User

Notify User is available only as an action object in the VPM, in the Web Access Layer; the feature cannot be configured through the CLI. Once you have created a Notify User object, you can customize the notification (the HTML text the user sees), select how often the user is renotified, and choose the scope of the notification: a single URL, a virtual URL used for cross-domain cookie storage, or other options shown on the slide. A Notify User object can be combined with other action objects in the same rule.
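The splash and coaching behaviour described above can be modelled with a few lines. The following is an added example, not SGOS code or material from the course: a splash object is shown once per period regardless of the site requested, a coaching object is shown once per prohibited site, and the decision is carried in an HttpOnly cookie, as the slide notes. The cookie names, the cookie layout and the host names are constructed.

```python
"""Cookie-based Notify User decisions for splash and coaching pages
(constructed model)."""
from urllib.parse import urlsplit

class NotifyUserObject:
    """kind is 'splash' (with a period in seconds) or 'coaching' (with the
    set of prohibited hosts the rule applies to)."""
    def __init__(self, name, kind, period=None, hosts=()):
        self.name, self.kind = name, kind
        self.period, self.hosts = period, frozenset(hosts)
        self.cookie = "BC_Notify_" + name   # constructed cookie name

def needs_page(obj, url, cookies, now):
    """True if this object's page must be shown before the request proceeds."""
    host = urlsplit(url).hostname
    value = cookies.get(obj.cookie)
    if obj.kind == "splash":
        # the cookie holds the time of the last Accept; renotify after the period
        return value is None or now - float(value) >= obj.period
    if host not in obj.hosts:
        return False                     # coaching applies only to listed sites
    accepted = set(value.split(",")) if value else set()
    return host not in accepted          # every prohibited site gets its own page

def evaluate(url, cookies, objects, now):
    """Return ('splash'|'coaching', object name) or ('allow', None)."""
    for obj in objects:
        if needs_page(obj, url, cookies, now):
            return obj.kind, obj.name
    return "allow", None

def accept(obj, url, cookies, now):
    """After the user clicks Accept: the Set-Cookie header the browser gets
    and the updated cookie jar; the browser is then sent back to url."""
    if obj.kind == "splash":
        value = str(int(now))
    else:
        accepted = [h for h in (cookies.get(obj.cookie) or "").split(",") if h]
        host = urlsplit(url).hostname
        if host not in accepted:
            accepted.append(host)
        value = ",".join(accepted)
    # HttpOnly keeps page scripts from reading the cookie; a user agent that
    # rejects cookies never stores it and keeps receiving the page.
    header = "%s=%s; Path=/; HttpOnly" % (obj.cookie, value)
    return header, {**cookies, obj.cookie: value}
```

The cookie only records that the user has seen a page; it is not a credential, so a user who clears it simply sees the splash page once more. Keeping the accept state in a cookie is also why the slide lists cookie support in the user agent as a requirement.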
Chapter 14: Access Logging

Access logging allows you to track Web usage for the entire network or for specific information on a per-user or per-department basis. The ProxySG saves a record of each request in an access log, in one of several formats, and can upload the logs to a remote location, using HTTP, FTP or Blue Coat Reporter, on a schedule or continuously, for later analysis with Blue Coat Reporter or a vendor-specific tool. Separate log facilities can be created for different protocols, and policy written in the Visual Policy Manager can direct specific requests to a specific log or modify what is logged. Access logs can serve many purposes beyond traffic analysis, such as audit, security monitoring, policy management and archival. Blue Coat Reporter is a full-featured reporting tool covered in a separate training course; this chapter gives you the components of access logging on the ProxySG.

After studying this chapter, you will understand:
• How access logs are generated and stored on the ProxySG.
• How to create a log facility and associate it with a protocol.
• How to choose a log format and configure the upload schedule.
• How access logs are uploaded to a remote server.
Access Logging Overview

Slide 14-1: Access logging

Access logging creates a record of each transaction flowing through the ProxySG, from the client's request to the server's response. The access log helps you track usage patterns for the entire network, for a logical department or for a single user, and detect potential problems, such as poor performance or failures, so that you can remedy them proactively, before users report them. For example, you can monitor access to the network and analyze usage per protocol, per user or per department. The information recorded for each transaction is selected in a customizable log format, and the logging of each transaction is controlled through policy, written in the Visual Policy Manager or in Content Policy Language. Access logs can be uploaded to a remote server and analyzed using Blue Coat Reporter or another reporting tool.

Log Facilities

Slide 14-2: Log facilities

The slide shows the Management Console page for a log facility (the main log), with its log type, log format, upload schedule and rotation settings.

A log facility is not just a log file; it also is all of the many characteristics and behaviors associated with a log file. The facility also controls the upload schedule, how often to rotate the logs at the destination, any passwords needed, the point at which the facility can be uploaded, and so on.
Three key parameters define a log facility:
• Log name: An arbitrary alphanumeric name for the log file (main in the above example).
• Log type: Defines the type of entries in an access log. The ProxySG supports several standard log types, including NCSA Common, SQUID-compatible, and the World Wide Web Consortium (W3C) Extended Log File Format (ELFF).
• Log format: Defines the specific information about a transaction that is stored in the access log. Each log format is of exactly one log type. You can use a predefined log format, or you can create a custom one and select the transaction parameters you want to monitor.

The upload sched-ule allows you to configure the frequency of the access-logging upload to a remote server, the time between connection attempts, the time between keep-alive packets, the time at which the access log is uploaded, and the protocol that is used.

Log rotation helps prevent logs from growing too large. Especially with a busy site, logs can grow quickly and become too big for easy analysis. With log rotation, the ProxySG periodically creates a new log file and archives the older one without disturbing the current log file.

You can define specific behaviors in the log facility, most importantly how to control the maximum size allocated to a log facility and how to handle critical scenarios:
• Configure the maximum size occupied by all of the log files.
• Specify the behavior of the log when the maximum size is reached. You can have the log stop logging (and do an immediate upload) or have it delete the oldest log entries. If you decide to start an early upload, then you can specify the size of the log that triggers this event.
• Configure how to upload the logs from the ProxySG to an FTP, HTTP, or Reporter server. You can stream the data continuously from the ProxySG to the target server, or you can batch bulk data from the ProxySG to the target server at selected intervals.
Log Creation

Slide 14-3: Log creation

Access logs contain data about user requests and the corresponding responses from Web servers. An access log record is created only after a transaction is complete. These records are stored on the disk of the ProxySG and can be made available for analysis later. The above diagram shows the steps in the creation of an access log:
1. The client sends a request for a resource.
2. The ProxySG then sends this request to the origin content server.
3. The OCS replies with a response to the ProxySG.
4. The ProxySG records this transaction and saves it to its cache.
5. The ProxySG sends the response to the client.
6. An access log entry for this entire transaction is created after the client receives the response from the ProxySG.

Note: If the connection is denied or the content is served from the cache, Steps 2 and 3 are completed by the ProxySG.

Log Upload

Slide 14-4: Log upload

Access logs are uploaded from the ProxySG disk to a remote server using one of the supported upload clients: HTTP, FTP, a custom client (for instance, for Websense or SurfControl) or Blue Coat Reporter. The upload can be periodic or continuous. With periodic upload, the log entries are batched on disk and the ProxySG uploads the log files at the scheduled time or at specified intervals; with continuous upload, entries are transmitted in real time as they are written. Only one type of upload can be configured for a particular log facility at a time, and both types can be used with the same upload client. Attempting to analyze a log file while it is still being uploaded is not advised, because the file is not yet complete.

The ProxySG can digitally sign an access log with a certificate so that you can verify that the log was written by the ProxySG and has not been modified since. The signature is saved in a separate file with the .sig extension (filename.log.sig, or filename.log.gzip.sig for a compressed log). The ProxySG can also encrypt access logs before uploading them. Signing and encryption are done on the ProxySG before the upload, and the signature must be verified and the file decrypted on the remote server, using a command-line tool such as OpenSSL, before the log can be analyzed; an encrypted log cannot be read directly by Reporter or any other analysis tool. By default, periodic uploads use gzip format and the logs are neither signed nor encrypted.
Continuous Upload

Slide 14-5: Continuous upload

Under continuous uploading, the ProxySG continuously streams new access log entries to the remote server from its memory. Continuous uploading can send log information from a ProxySG farm to a single log analysis tool. This allows you to treat multiple ProxySG appliances as a single entity and to review combined information from a single log file or series of related log files.
When you configure the ProxySG for continuous uploading, it continues to stream log files until you stop it. In this context, streaming refers to the real-time transmission of access log files using a specified upload client. If the remote server is unavailable to receive continuous upload log entries, the ProxySG saves the log information on the ProxySG disk. When the remote server is available again, the ProxySG resumes continuous uploading. To temporarily stop continuous uploading, switch to periodic uploading. This is sometimes required for gzip or encrypted files, which must stop uploading before you can view them.

Continuous uploading allows you to:
• View the latest log information almost immediately.
• Send log information to a log analysis tool for real-time processing and reporting.
• Maintain ProxySG performance by sending log information to a remote server.
• Save ProxySG disk space by saving log information on a remote server.

Log File Compression

Slide 14-6: Log file compression

The slide contrasts the two upload modes: continuous upload carries plaintext logs, while periodic upload can carry either plaintext or gzip-compressed logs.

The ProxySG allows you to upload either plaintext or compressed access logs to the remote server. The ProxySG uses gzip format to upload compressed access logs. Gzip-compressed files allow more log entries to be stored on the ProxySG. Compressed log files have the extension .log.gz. Compressed access logs can be best uploaded during a periodic or scheduled upload. Some advantages of file compression are:
• Reduced time and resources are used to produce a log file; fewer disk writes are required.
• Less bandwidth is used when the ProxySG sends access logs to an upload server.
• Less disk space is required.

Plaintext access logs have the extension .log. Text log files are best suited for continuous upload to a remote server.
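The following is an added example, not SGOS code or material from the course: a small simulation of the two upload modes described above. In continuous mode each entry is streamed as plaintext and, while the remote server is unavailable, entries are kept on local disk and sent in order once the server is back; in periodic mode entries are batched on disk and uploaded as one gzip file. The server, the remote file names and the log entries are constructed.

```python
"""Continuous versus periodic access log upload (constructed simulation)."""
import gzip

class RemoteServer:
    """Stand-in for the upload target; flip available to simulate an outage."""
    def __init__(self):
        self.available = True
        self.received = []          # list of (remote file name, bytes)

    def receive(self, name, data):
        if not self.available:
            raise ConnectionError("remote server unavailable")
        self.received.append((name, data))

class LogFacility:
    def __init__(self, name, server, mode):
        if mode not in ("continuous", "periodic"):
            raise ValueError("mode must be continuous or periodic")
        self.name, self.server, self.mode = name, server, mode
        self.spool = []             # entries on local disk awaiting continuous upload
        self.batch = []             # entries on local disk awaiting periodic upload

    def log(self, entry):
        """Record one access log entry; in continuous mode try to stream it now."""
        if self.mode == "continuous":
            self.spool.append(entry)
            self._stream()
        else:
            self.batch.append(entry)

    def _stream(self):
        """Send spooled entries oldest first and stop at the first failure,
        so that order is preserved and nothing is dropped."""
        while self.spool:
            try:
                self.server.receive(self.name + ".log", (self.spool[0] + "\n").encode())
            except ConnectionError:
                return False
            self.spool.pop(0)
        return True

    def upload_periodic(self, suffix):
        """Compress the batch and send it as one .log.gz file; return its name."""
        if not self.batch:
            return None
        data = gzip.compress(("\n".join(self.batch) + "\n").encode())
        name = "%s__%s.log.gz" % (self.name, suffix)   # constructed naming
        self.server.receive(name, data)
        self.batch.clear()
        return name

    def pending(self):
        """Entries still on the ProxySG disk, not yet at the remote server."""
        return len(self.spool) + len(self.batch)

def streamed_text(server):
    """Reassemble what a continuous upload delivered, in arrival order."""
    return b"".join(d for n, d in server.received if n.endswith(".log")).decode()

def last_batch_text(server):
    """Decompress the most recent periodic upload, as an analysis tool would."""
    name, data = [(n, d) for n, d in server.received if n.endswith(".log.gz")][-1]
    return gzip.decompress(data).decode()
```

The spool is what lets the continuous stream survive an outage without losing entries; a periodic gzip file, by contrast, cannot be read until the whole upload has finished, which is why the text recommends plaintext for real-time analysis.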
Although gzip-compressed logs can be sent via continuous upload, Blue Coat recommends using text format if you need to analyze log data in real time.

Log Facilities

Slide 14—7: Log facilities [slide text garbled in extraction; legible points: a log facility associates a log format, an upload client and an upload schedule under a single name; the predefined facilities are main, im, ssl, streaming, p2p, mapi and cifs, each the default facility for a set of protocols (HTTP content, for example, uses main); the default association can be changed globally or overridden per transaction by policy, and logging for a protocol can be disabled; custom access logs from older SGOS versions are converted on upgrade; the slide lists five configuration steps that begin Create, Choose, Configure, Assign and Configure, the rest of which is not legible]
Log Formats and Log Types

Slide 14—8: Log formats and log types [table partially recovered from extraction; format (associated facility where legible) and log type:
  bcreportermain_v1 (main): ELFF
  streaming: ELFF
  ssl: ELFF
  cifs: ELFF
  mapi (mapi): ELFF
  squid: SQUID-compatible
  ncsa: NCSA Common
  websense: Websense
  surfcontrol: SurfControl
  smartreporter: ELFF]

Several log formats are predefined on the ProxySG. The above table shows these formats, the log facilities they are associated with, and the log type of each format. Each log format has an associated predefined log type. These log types are:
• ELFF: Uses entries in a format defined by the W3C and described later in this chapter. ELFF requires a space between fields.
• SQUID-compatible: Contains one line for each request; this log type is designed for cache statistics.
• NCSA Common: Contains one line for each request with only basic HTTP access information.
• Websense: Compatible with the Websense Reporter tool.
• SurfControl: Compatible with the SurfControl Reporter tool.
A majority of content is HTTP content and uses the main log facility, which uses the ELFF-compatible log format bcreportermain_v1, designed for use with Blue Coat Reporter. Similarly, CIFS content, which mostly comprises intranet access, uses the bcreportercifs_v1 format. Secure content such as SSL and HTTPS uses the bcreporterssl_v1 format, which only contains fields that do not reveal private or sensitive information. The bcreportermain_v1 format also supports the Page View Combiner (PVC). This feature combines multiple HTTP requests that are associated with a single Web page into a single log line. When a user goes to a Web page, that page often sends out requests for more content, either from the same server or from different servers.
Rather than regarding each of these requests as separate requests, the PVC combines all of these related page requests into one. This reduces the number of database entries in the log file and improves report generation performance. You can create additional log formats that use ELFF-compatible or custom format strings. You cannot edit predefined log formats, but you can copy them to a new name and edit the copy.

ELFF Strings

Slide 14—9: ELFF strings [diagram residue: client, ProxySG and server with the prefixes c, s, r, cs, sc, rs and sr drawn between them; the main log format fields shown, as far as legible: date time time-taken sc-status s-action sc-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip]

An ELFF definition consists of one or more strings. Each string is one of the following:
• An identifier unrelated to any specific computer, such as date or time.
• A prefix and an identifier separated by a dash:
  Prefix: Identifies the computers to which the data applies. Valid prefixes are:
  • c: client
  • s: server (the ProxySG)
  • r: remote (the origin content server)
  • sr: server to remote
  • cs: client to server
  • sc: server to client
  • rs: remote to server
  Identifier: Describes information related to a computer or a transfer, such as ip (IP address) or bytes (number of bytes sent).
• A prefix from the above list and the name of an HTTP header enclosed in parentheses.
The above diagram shows the definition of the main log format. In this definition, for example:
1. c-ip is the IP address of the client.
2. sc-bytes is the number of bytes sent from the server (the ProxySG) to the remote (the OCS).
3. rs(Content-Type) is the value of the Content-Type header from the OCS to the ProxySG.
Sample Log

Slide 14—10: Sample log [reconstructed from the slide image; OCR-damaged characters repaired]

  #Software: SGOS 5.4.1.2
  #Version: 1.0
  #Start-Date: 2009-03-30 17:08:11
  #Date: 2009-03-30 16:36:39
  #Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
  #Remark: 4607062031 "172.16.90.21 - Blue Coat SG210 Series" "172.16.90.21" "main"
  2009-03-30 17:13:39 32 10.3.7.103 - - - PROXIED "unavailable;Search Engines/Portals" http://www.google.com/ 304 TCP_HIT GET image/gif http www.google.com 80 /intl/en_ALL/images/logo.gif - gif "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7" 172.16.90.21 275 712 -

1. Log file header: valid log files must have a header.
2. Log entry.

This diagram shows a sample log as seen in an access log file. Every log file must have a header. The header lists information regarding the version of the ProxySG, the date and time of the log, and the fields that are present in the access log. The header is followed by log entries that contain detailed information about the date, time, and content that was accessed by a client. These log entries make up the final log file that can then be digitally signed, encrypted, and uploaded via the Management Console. You can manually re-create the header if you have log files that would otherwise be valid. Files without a header can appear when you change log formats without interrupting access logging first.

Important: Log files must have valid headers. Blue Coat Reporter does not process log files that do not contain valid headers.

Transaction Information [diagram residue: client, ProxySG cache and server, with the actions TCP_MISS, TCP_NC_MISS, TCP_PARTIAL_MISS, ALLOWED, DENIED and TCP_DENIED labelled]
Slide 14—11: Transaction information

This diagram describes the transaction that occurs between a client and a server and how access logs keep a record of whether information was served from the cache or entirely from RAM, or was obtained from the origin server. When the client first requests information (an object), the ProxySG checks with the cache to determine whether the requested object can be served from there. If the object is present in the cache, then TCP_HIT is recorded in the access log and the object is sent to the client. If the object was entirely present in RAM, it is served from RAM and TCP_MEM_HIT is recorded in the server action field in the access log. If the object was present in the cache but the virus-scanner-tag-id did not match the current scanner tag, the object is rescanned by sending it to the ProxyAV. The server action field in the access log then records the action as TCP_RESCAN_HIT. The object is sent to the client after the virus scanning. If the requested object is not found in the cache or in RAM, the request is sent to the origin content server to retrieve the object. If the requested object was not present in the cache at all, the action is recorded as TCP_MISS. Usually when objects are obtained from the OCS, the ProxySG saves a copy in its cache. If the object returned from the origin server is not cacheable, the action is saved as TCP_NC_MISS. To speed delivery of requested objects, the ProxySG can serve cached objects while requesting fresher content from the origin server. In this case, the action is recorded in the access log as TCP_PARTIAL_MISS. Actions are also logged in the access log when objects are delivered to the client. When the object is successfully delivered to the client, the action is logged as ALLOWED. When policies in the ProxySG deny the object from being delivered to the client, the action is logged as DENIED.
When access to the requested object is denied by a filter, the action is logged as TCP_DENIED.

Access Logging Policies

Slide 14—12: Access logging policies [VPM screenshot residue; the example policy shown: 1) disable all logging for the user CEO; 2) log the user TRAINING\student in a special log facility]

You can enable access logging from either the Management Console or the command line interface. The ProxySG comes preconfigured with log facilities already assigned to the main proxy services. For most users, the default settings are sufficient; however, you can introduce a very detailed level of customization. More importantly, you can use the VPM to define additional details of the information that is stored in the access log. For instance, you can disable monitoring of certain users (such as the executive management and Human Resources). Similarly, you can disable logging of traffic to certain URLs (there might be little information to gain in logging access to the enterprise Internet and intranet sites). Also, you can create a custom log facility, where you record very specific parameters, and create a policy to log the traffic from a certain source, or to a certain destination, or both, in that log facility. If you are investigating a user (or access to a specific resource), sometimes it is faster to gather the information about the target user (or location) in a separate access log. This allows you to run reports much more efficiently because you do not have to sort through your entire enterprise's data.

Access Log Statistics

Slide 14—13: Access log statistics [slide text garbled in extraction; legible points: the Management Console (Statistics > Advanced, and the Access Log tab) and the CLI show statistics for each access log, including the list of log objects, their size, a tail of the most recent entries, disk usage, last-modified time, whether the log is currently being written or uploaded, and the status of the upload client's connection to the remote server]
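As an added example (not Blue Coat code and not part of the course), the following Python reader parses an ELFF access log of the kind shown in the sample above: it requires the #Fields header that Reporter also insists on, keeps quoted values such as cs(User-Agent) intact, decodes each field name into its ELFF prefix and identifier, and tallies the s-action values (TCP_HIT, TCP_NC_MISS, TCP_DENIED) described under transaction information. SAMPLE_LOG is constructed data, not output from a real appliance.

```python
"""ELFF access-log reader (added example, not Blue Coat code).

Requires the #Fields header, keeps double-quoted fields whole, decodes
field names into ELFF prefix/identifier, and tallies server actions.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Valid ELFF prefixes and the computers or directions they denote.
PREFIXES = {
    "c": "client",
    "s": "server (the ProxySG)",
    "r": "remote (the origin content server)",
    "sr": "server to remote",
    "cs": "client to server",
    "sc": "server to client",
    "rs": "remote to server",
}

# Constructed sample log: header directives followed by three entries.
SAMPLE_LOG = """#Software: SGOS (constructed sample)
#Version: 1.0
#Start-Date: 2009-03-30 17:08:11
#Date: 2009-03-30 16:36:39
#Fields: date time time-taken c-ip cs-username s-action sc-status cs-method cs-host cs-uri-path cs(User-Agent) s-ip sc-bytes cs-bytes
2009-03-30 17:13:39 32 10.3.7.103 - TCP_HIT 304 GET www.example.com /images/logo.gif "Mozilla/5.0 (Windows NT 5.1)" 172.16.90.21 275 712
2009-03-30 17:13:41 210 10.3.7.104 alice TCP_NC_MISS 200 GET www.example.com /search "Mozilla/5.0 (X11; Linux)" 172.16.90.21 8431 640
2009-03-30 17:13:42 3 10.3.7.103 - TCP_DENIED 403 GET blocked.example.net / "Mozilla/5.0 (Windows NT 5.1)" 172.16.90.21 1024 512
"""


def tokenize(line: str) -> List[str]:
    """Split a log entry on spaces, keeping a double-quoted field as one value."""
    fields, current = [], []
    quoted = seen_quote = False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            seen_quote = True
        elif ch == " " and not quoted:
            if current or seen_quote:
                fields.append("".join(current))
            current, seen_quote = [], False
        else:
            current.append(ch)
    if current or seen_quote:
        fields.append("".join(current))
    return fields


def describe_field(name: str) -> Tuple[str, str, str]:
    """Decode a field name into (prefix, identifier, kind), where kind is
    "header" for prefix(Header), "identifier" for prefix-id, else "plain"."""
    if "(" in name and name.endswith(")"):
        prefix, header = name[:-1].split("(", 1)
        if prefix not in PREFIXES:
            raise ValueError(f"unknown prefix in field {name!r}")
        return prefix, header, "header"
    head, dash, rest = name.partition("-")
    if dash and head in PREFIXES:
        return head, rest, "identifier"
    return "", name, "plain"


def parse_elff(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (header directives, entries). Raises ValueError when #Fields is
    missing or an entry's field count disagrees with it, which is how a log
    written after a format change without restarting logging shows up."""
    header: Dict[str, str] = {}
    entries: List[Dict[str, str]] = []
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            if key.strip() == "Fields":
                names = value.split()
            continue
        if not names:
            raise ValueError("log entry before any #Fields header: invalid header")
        values = tokenize(line)
        if len(values) != len(names):
            raise ValueError(f"expected {len(names)} fields, got {len(values)}: {line!r}")
        entries.append(dict(zip(names, values)))
    if not names:
        raise ValueError("no #Fields header: Reporter would not process this file")
    return header, entries


def tally_actions(entries: List[Dict[str, str]]) -> Counter:
    """Count server actions (TCP_HIT, TCP_NC_MISS, TCP_DENIED, ...)."""
    return Counter(entry.get("s-action", "-") for entry in entries)


if __name__ == "__main__":
    hdr, rows = parse_elff(SAMPLE_LOG)
    for field in hdr["Fields"].split():
        print(f"{field:18} -> {describe_field(field)}")
    print("actions:", dict(tally_actions(rows)))
```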
Chapter 15: WAN Optimization Features

Today's organizations face a challenge: how to do more with less while increasing performance. That challenge has resulted in three main trends: the use of the Web for enterprise applications; server/data center consolidation; and increasing use of the public computing infrastructure. The benefits of webification are clear: faster and more agile deployment of business applications, and lower deployment and operations costs. But the benefits come at a cost. Because applications are now browser-accessible, the vulnerabilities associated with browser use now apply equally to business-critical applications. Additionally, employees have access to a bewildering variety of browser content, making it possible for them to engage in unproductive, inappropriate, or even criminal behavior. And as Web applications become more powerful, their bandwidth needs increase exponentially. Application consolidation also poses problems. Though organizations have been consolidating application resources for several years, many of those applications are optimized for LAN efficiency; the chatty protocols result in unacceptable response time when accessed from across the WAN. Server consolidation, increased application traffic, inefficient application protocols, highly distributed users, and narrow bandwidth links have led to one thing: poor application performance. But the problem is not just a performance issue. IT managers cannot afford to increase performance at the expense of control and security. At a minimum, an application acceleration solution must:
• Optimize use of existing WAN bandwidth.
• Reduce latency associated with applications.
• Improve the efficiency of application protocols.
• Prioritize the applications that matter most.
• Reuse and compress data where possible.
• Accelerate file sharing, email, and browser-based enterprise applications.
WAN optimization is a key part of Application Delivery Network technology on the Blue Coat ProxySG and offers a consolidated and complete approach to solving the several pain points that relate to bandwidth and user response time.

Application Acceleration Techniques

Slide 15—1: Application acceleration techniques [slide text garbled in extraction; legible points: the five techniques are bandwidth management, protocol optimization, object caching, byte caching and compression; because the ProxySG terminates and proxies traffic within a multi-layer architecture, these techniques are applied per user, application and content together with visibility and control (policy, content filtering, content scanning and authentication), which is far easier than with other acceleration architectures]
Bandwidth Management

Slide 15—2: Bandwidth management

In the battle for bandwidth on congested WAN and Internet access links, demanding applications such as large downloads or email attachments can flood capacity and undermine the performance of critical applications. Abundant data, protocols that swell to consume all available bandwidth, network bottlenecks, and new, popular, and bandwidth-hungry applications all seem to conspire against critical application performance. Most WAN optimization techniques focus on increasing the efficiency of the WAN. Even if the WAN is made extremely efficient, however, there are times when large volumes of traffic result in WAN congestion and, hence, WAN latency. The goal of bandwidth management, therefore, is to prioritize traffic that is latency-sensitive and business-critical. Bandwidth management adds a throttle or modulate option to the possible actions, enabling enterprises to limit or guarantee bandwidth for individual (or groups of) applications. Using bandwidth management, you can extract the greatest performance value from the available bandwidth. By managing the bandwidth of specified classes of network traffic, administrators can:
• Guarantee that certain traffic classes receive a specified minimum amount of available bandwidth.
• Limit certain traffic classes to a specified maximum amount of bandwidth.
• Prioritize certain traffic classes to determine which classes have priority over available bandwidth.
Administrators can create bandwidth rules using more than 500 different attributes, including application, website, URL category, user/group, and time/priority.

Protocol Optimization

Slide 15—3: Protocol optimization

Many of today's most common protocols were not designed to operate efficiently across wide-area links.
Instead, they were optimized for the LAN, where round-trip time is not an issue. These "chatty" protocols — such as CIFS and MAPI — sometimes can result in hundreds or thousands of round trips on the WAN for a single transaction, resulting in an unacceptable user experience. Protocol optimization makes these protocols more efficient — typically by converting a time-consuming serial communication process into a more efficient parallel process where many communication tasks are handled simultaneously. There are a variety of other optimization techniques, depending on the protocol (such as TCP session reuse). While protocol optimization does not reduce the amount of bandwidth that an application consumes, it can greatly accelerate delivery of applications and reduce latency in the process. The ProxySG uses several types of protocol optimization, including object pipelining (parallel advanced retrieval of all Web objects linked to the requested page), local authentication, and DNS caching. In the above example:
1. The client communicates with the edge ProxySG in the original protocol of the client request (such as CIFS).
2. The edge ProxySG and core ProxySG communicate via a proprietary optimized protocol.
3. The core ProxySG communicates with the origin content server using the original protocol from Step 1.

Object Caching

Slide 15—4: Object caching

Object caching:
• Delivers content extremely rapidly when content is unchanged.
• Is built on high-level applications and protocols.
• Can cache HTTP/Web, streaming, CIFS, and other objects.
When the cache contains a requested object, the user is immediately served the object from a local store, virtually eliminating latency and WAN bandwidth consumption.
If the cache does not contain the object or contains an outdated version of the object, then a new object is reloaded into the cache, and the performance gains are realized the next time the object is requested. The above diagram shows an example:
1. Client 1 requests an object. This request is handled by the ProxySG appliances on both sides of the WAN.
2. The origin content server processes the request and sends the requested object.
3. The client-side ProxySG forwards the object to the client and at the same time stores the object in its cache.
4. Client 2 sends a separate request for the same object.
5. The client-side ProxySG serves the object from its local cache, eliminating latency and bandwidth consumption.
Application object caching is application-specific and variable. The degree of Web object caching can be between 30% and 70% of the content, depending on the application. Object caching delivers content extremely rapidly if the content is unchanged. Even when the content has changed, rapid delivery can be achieved if byte caching is coupled with object caching because only a few updates are required.

Adaptive Refresh [slide text garbled in extraction; legible points: the appliance can refresh cached objects proactively rather than only on user demand, using a predictive model of which objects users request frequently; organizations can also pre-position content at the remote appliance ahead of demand by manual push or a publish/subscribe model, which decouples content delivery from user activity and reduces the volume of requests sent across the network]
Byte Caching

Slide 15—5: Byte caching

ADNs use byte caching to reduce the amount of TCP traffic across a WAN by replacing large chunks of repeated data with small tokens representing that data. Working with patterns detected in the WAN traffic, the ProxySG pair handling the traffic builds a byte cache dictionary of small tokens that replace up to 64 KB of data each. Byte caching slices objects into atomic bits and then sends only the updated, or different, bits over the WAN. Byte caching is very low-level and is not application-specific. It works to increase effective bandwidth for all traffic. Byte caching works well where the same (or similar) content might be stored in multiple places, and when the content is dynamic. Furthermore, the Blue Coat byte caching implementation, while transparent to users and applications, is user- and application-aware and is incorporated into the policy framework of the ProxySG. ADN optimization requires two-sided deployments, with a ProxySG (a peer) at each end of the WAN link to create the dictionary for the common tokens. In such an environment, with only minimal configuration changes, between 30% and 90% of WAN usage can be eliminated, and WAN performance can be increased by 30% to 90%. Applications that can benefit from ADN optimization include Windows file servers, Web share applications such as WebDAV, customer resource management programs such as Siebel, and email.
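As an added example, not Blue Coat's implementation, this Python model shows the byte-caching mechanism described above: two peers keep matching dictionaries of token-to-chunk mappings, a chunk crosses the link as a literal the first time and as a short token afterwards, and a second transfer of a slightly changed document travels as mostly tokens. Fixed-size 64-byte chunks and SHA-256-derived tokens are simplifications chosen here, and the document content is constructed.

```python
"""Toy model of two-sided byte caching (added example; not Blue Coat code).

Each peer holds a dictionary mapping a short token to a chunk of data that has
already crossed the link.  The sender replaces every chunk it has seen before
with its token; the receiver expands tokens and learns new chunks from literals.
Real byte caching detects repeated patterns of variable size (up to 64 KB per
token); this model uses fixed-size chunks to stay short.
"""
import hashlib
from typing import Dict, List, Tuple

CHUNK_SIZE = 64   # bytes per chunk in this model (a real token can stand for up to 64 KB)
TOKEN_LEN = 8     # bytes of the hash kept as the token sent over the WAN

# Wire stream: ("L", literal chunk) or ("T", token for a chunk the receiver has).
Stream = List[Tuple[str, bytes]]


def split_chunks(data: bytes) -> List[bytes]:
    """Cut data into fixed-size chunks (the last one may be shorter)."""
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def token_for(chunk: bytes) -> bytes:
    """Derive the token that stands in for a chunk."""
    return hashlib.sha256(chunk).digest()[:TOKEN_LEN]


class BytePeer:
    """One end of the WAN link (a branch or core ProxySG in the course's terms)."""

    def __init__(self) -> None:
        self.dictionary: Dict[bytes, bytes] = {}

    def encode(self, data: bytes) -> Stream:
        """Build the wire stream, learning every chunk that is sent as a literal."""
        stream: Stream = []
        for chunk in split_chunks(data):
            tok = token_for(chunk)
            if tok in self.dictionary:
                stream.append(("T", tok))
            else:
                self.dictionary[tok] = chunk
                stream.append(("L", chunk))
        return stream

    def decode(self, stream: Stream) -> bytes:
        """Rebuild the data; an unknown token means the two dictionaries diverged."""
        pieces = []
        for kind, payload in stream:
            if kind == "T":
                if payload not in self.dictionary:
                    raise ValueError("unknown token: peer dictionaries are out of sync")
                pieces.append(self.dictionary[payload])
            else:
                self.dictionary[token_for(payload)] = payload
                pieces.append(payload)
        return b"".join(pieces)


def wire_bytes(stream: Stream) -> int:
    """Bytes that cross the WAN: one kind byte plus the token or the literal."""
    return sum(1 + len(payload) for _, payload in stream)


def transfer(sender: BytePeer, receiver: BytePeer, data: bytes) -> Tuple[int, bool]:
    """Send data across the link; return (bytes on the wire, arrived intact)."""
    stream = sender.encode(data)
    return wire_bytes(stream), receiver.decode(stream) == data


# Constructed document: 40 similar 39-byte lines, then a copy with one line edited.
DOCUMENT = b"".join(b"record %03d: lorem ipsum dolor sit amet\n" % i for i in range(40))
EDITED_DOCUMENT = DOCUMENT.replace(b"record 010", b"record XYZ")


def demo() -> Tuple[int, int]:
    """First transfer sends everything as literals; the second sends mostly tokens."""
    core, branch = BytePeer(), BytePeer()
    first, ok_first = transfer(core, branch, DOCUMENT)
    second, ok_second = transfer(core, branch, EDITED_DOCUMENT)
    if not (ok_first and ok_second):
        raise RuntimeError("receiver did not reconstruct the data")
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print(f"first transfer: {first} wire bytes for {len(DOCUMENT)} data bytes")
    print(f"edited copy:    {second} wire bytes for {len(EDITED_DOCUMENT)} data bytes")
```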
Compression

Slide 15—6: Compression [slide text garbled in extraction; legible points: the ProxySG supports two compression methodologies; HTTP compression uses the gzip and deflate algorithms from the HTTP 1.1 specification, can compress and decompress content on the fly, serves compressed or uncompressed objects to clients as they require, caches both forms, removes extraneous white space, and is supported between browsers, the ProxySG and origin servers; point-to-point compression is applied to arbitrary traffic inside ADN tunnels between two ProxySG appliances using industry-standard algorithms, with the content reconstituted at the far end before being forwarded; both give predictable CPU utilization and reduce the amount of data transmitted]

Layered Approach

Slide 15—7: Layered approach

WAN optimization techniques complement one another, providing a multi-layered approach to application acceleration.
As you can see in the slide above, the techniques work together to optimize application delivery to remote locations. For example, if the object cache contains an outdated copy of a document, the byte caching capability has patterns and tokens that require only the tokens, plus the changes, to be sent. What little is sent is then compressed and protocol-optimized (reducing bandwidth consumed and latency/round trips). All of this is prioritized according to the enterprise's preferences, using bandwidth management, so that the important applications get through first and with the bandwidth they need.

SSL Acceleration

Slide 15—8: SSL acceleration [slide text garbled in extraction; legible points: organizations increasingly use SSL-encrypted Web applications, both internal and externally hosted (such as CRM and supply chain services from partners and third parties), and until recently this traffic left the network on port 443 unfettered; the ProxySG, acting as a forward SSL proxy with SSL termination/offload, accelerates SSL-encrypted applications, applies the same policies and granular control to SSL traffic as to unencrypted traffic, preserves user privacy where policy requires it, and stops rogue or unauthorized SSL traffic; the diagram shows mobile clients, the corporate ProxySG and external application servers]
Application Acceleration

Slide 15—9: Application acceleration [chart residue: typical speedup per application class on an axis from 0 to 25x, with "200x or more" noted at the upper end; classes listed: file services (CIFS, NFS), collaboration (MAPI email/Exchange, Lotus Notes), Web (Internet HTTP/HTTPS, HTTPS ERP/Web 2.0), backup and replication, streaming video (Real, Microsoft), software distribution (SMS), database (SQL), ERP fat client, Citrix]

With ADN technology, the ProxySG delivers substantial acceleration, without sacrificing control or security. Application acceleration can increase as much as 1,000 times (for streaming audio and video). Using ADNs, you can anticipate and address the application problems of tomorrow. Both applications and networks are evolving at a rapid pace. Whether that evolution brings new applications or direct connections to the Internet at remote sites, ADN technology accelerates enterprise applications and limits or eliminates undesirable applications, regardless of changes in applications and networks. In a nutshell, the Application Delivery Network is not a point solution; rather, it is a consolidated approach to a comprehensive solution to the bandwidth optimization and user response time needs in your enterprise.
Chapter 16: Service and Support

Selecting the right product to ensure safe and productive user communications over the Web is only the first step. Companies also are looking for ways to maximize their operational efficiencies, maintain their support costs, and protect their investment. BlueTouch Services is a comprehensive set of Blue Coat services and support that help security administrators safeguard their network and maximize their investment while managing costs. With technical support centers worldwide, Blue Coat's experienced staff is equipped to rapidly respond to your request. BlueTouch service options and warranty services protect your business in the event of a hardware failure. Blue Coat's training and professional services organizations are available to bring administrators quickly up to speed or to provide customized consulting services. All BlueTouch service options are designed to protect your business and maintain the flexibility required to meet your organization's specific logistical and budget needs. Teamed together, Blue Coat's appliances and service offerings provide the protection and flexibility required to keep your network up and running. After studying this chapter, you will understand:
• What options are available in BlueTouch Services.
• How to use BlueTouch Online to submit and check service requests, and how service requests are classified.
• How to use the Blue Coat Licensing Portal to license ProxySG components.
• Other support tools that are available from BlueTouch Online.

Important: The service descriptions in this chapter are summaries only and are subject to change. For a complete description of Blue Coat service offerings, including important terms and conditions, contact Blue Coat Systems.
[Slide 16-1: BlueTouch Services: Support Services (BlueTouch Standard, Standard Plus, Advanced, Premium and Premium Plus), Professional Services and Training Services.]

BlueTouch Services are delivered in three families:

• Support Services: A Blue Coat support agreement gives you a single point of contact for technical support through the Global Support Centers, 24 hours a day, seven days a week, including advanced troubleshooting and diagnosis of problems with your appliances and software. The support packages (Standard through Premium Plus) differ mainly in their hardware replacement and on-site options.

• Professional Services: Installation, configuration and custom services delivered by Blue Coat or an authorized partner, on an as-needed or annual basis, to help you deploy and manage mission-critical network environments and get the most value from your ADN investment.

• Training Services: Instructor-led courses (including the BCCPA course and the Advanced ADN Administration course), topic-specific online modules, and self-paced computer-based training, delivered worldwide. Courses are taught in English and, in some regions, in the local language, and can be purchased through training credits.

Global Support Centers

[Slide 16-2: Global support center locations]

Global support centers are strategically positioned worldwide to provide support for the Blue Coat appliances deployed worldwide. Blue Coat global support centers are located in:
• Sunnyvale, California, United States
• Waterloo, Ontario, Canada
• London, United Kingdom
• Dubai, United Arab Emirates
• Kuala Lumpur, Malaysia
• Tokyo, Japan

Your call is automatically routed based on the time of your call and the region of the world you are calling from. Also, distribution centers and stocking locations are located around the world so that Blue Coat can provide fast and reliable hardware delivery in case of hardware failure.

BlueTouch Training Services — BCCPA Course v3.5.1

BlueTouch Support Services

[Slide 16-3: BlueTouch support services. All packages include online Web access, 24x7 phone support and software support; they differ in the RMA option: Standard, 10-day return to factory; Standard Plus, same-day shipment; Advanced, next-business-day arrival; Premium, 4-hour arrival; Premium Plus, 4-hour arrival with an optional on-site technician (24x7). A note on the slide states that, beyond what the warranty provides, a BlueTouch support contract is required.]

To complement warranty services, Blue Coat offers a comprehensive set of BlueTouch service options. All service options include:
• Unlimited 24x7 telephone support.
• Access to BlueTouch Online.
• Unlimited access to major, minor, and maintenance releases of Blue Coat operating system software.
• Hardware replacement options including return to factory, same-day shipment, guaranteed next-business-day arrival, and four-hour replacement.
• Optional on-site technician to install replacement hardware at your location (available in selected packages).

Eligible Products

BlueTouch service options are available for Blue Coat products placed on the market since July 2006. Legacy products are covered under existing service contracts that are beyond the scope of this course.

BlueTouch Online

[Slide 16-4: BlueTouch Online home page]

BlueTouch Online is available to Blue Coat partners and customers with products actively covered under the one-year warranty or a service contract. Customers with BlueTouch Online have immediate, personal, and secure online access to Blue Coat information and resources 24 hours a day, seven days a week. Benefits include:
• Access to resources such as an interactive knowledge base, installation notes, technical briefs, security advisories, and field alerts.
• The ability to create, modify, and update service requests, called SRs.

To get a BlueTouch Online login, go to https://support.bluecoat.com, click Need a login?, and then follow the instructions given. You will receive a confirmation email that allows you to begin using BlueTouch Online immediately. Logins are created only for individuals and not groups. An individual login, however, allows a user to see all of their company's cases.
Creating logins for individuals rather than groups allows Blue Coat to identify who is creating or modifying records for a company, and to control who in the customer's company has access to BlueTouch Online records. Blue Coat deactivates individual logins when notified that users no longer work for a company or should no longer have access.

BlueTouch Online has three other main functions:
• Downloads: Current and previous releases of Blue Coat software are available.
• Licensing: Provides access to license-related functions for Blue Coat products.
• Documentation: Includes software and hardware documentation for Blue Coat products.

Service Request Severity Levels

[Slide 16-5: Service request severity levels]

• Severity 1 (Critical): The network or application is down, or a critical business operation is impaired, and no workaround is in place.
• Severity 2 (High): Continuous or frequent instabilities, or the inability to use a feature or application capability, affect business operations; the network or application is functional but impaired.
• Severity 3 (Medium): Performance or a function is impaired, but network operations continue successfully, typically with a workaround in place.
• Severity 4 (Low): Low impact to operations and capabilities, such as general "how-to" questions, documentation, process issues, and feature requests.

When a service request is opened, whether through BlueTouch Online or by calling a Global Support Center, the customer assigns a severity level based on the business impact of the issue. Blue Coat reviews the severity once the problem has been characterized and verified, and may adjust it so that it accurately reflects the impact. The severity level sets the response targets: Severity 1 requests are responded to on a 24/7 basis and receive continuous focus, with a duty manager available for escalation, until the network is operational or an acceptable workaround is in place; lower severities are handled according to the response targets defined for that level. Actual response and resolution times vary by region and by the service level purchased. The customer can update the severity of an existing request (for example, lowering it once a workaround is in place) through BlueTouch Online.

Send Service Information

[Slide 16-6: Sending service information from the Management Console (Maintenance > Service Information > Send Information)]

Blue Coat recommends that you create a new service request in BlueTouch Online, record the assigned service request number, and then upload diagnostic information. In an urgent situation, you can follow through by calling a global support center for immediate assistance. When submitting a service request, it is important to include any information that might be helpful in diagnosing the problem.
The ProxySG Management Console can be used to send diagnostic information directly to Blue Coat, where it is associated with an open service request and made available to the support engineers working on it. Support engineers have checklists that indicate which items are most likely to be helpful in a particular situation, and they will ask the customer to send the relevant information, such as packet captures, event logs, Sysinfo files, and snapshots.

In the Management Console, select Maintenance > Service Information > Send Information and click Send Service Information. Next, type the number of the service request (this number was assigned when the service request was created), and select the files to be sent. Items that are grayed out are not available on this ProxySG at the time the request is issued, most likely because they have not been created. In this example, the customer has chosen to send a packet capture, event log, Sysinfo file, and snapshot, all to be associated with service request 2-0000000. After selecting the information to be sent, click Send to begin uploading the information to Blue Coat. To view the progress of the upload, click View Progress.

Blue Coat Licensing Portal

[Slide 16-7: Blue Coat Licensing Portal: the licensing functions available for each product (ProxySG, ProxyAV, ProxyOne, ProxyRA, Reporter, PacketShaper, IntelligenceCenter / PolicyCenter, NetCache, and appliance certificate verification)]

The Blue Coat Licensing Portal provides access to license-related functions for Blue Coat products. To access the licensing portal from the BlueTouch Online homepage, select Licensing.
Then, select License a Proxy to perform licensing functions for a ProxySG, or select License Others to perform other licensing functions. When your organization purchases hardware or software licenses, an email containing activation codes is sent to the email address your organization specified at purchase time. To activate licenses, you need the codes from that email, as shown in this example:

Order line | Product code | Description | Activation code
1 | UPG-KIT-SG810-10-TO-20 | Upgrade Kit, Hardware and License, SG810-10 to SG810-20 | (activation code)
2 | UPG-KIT-SG8100-10-TO-20-PR | Upgrade Kit, Hardware and License, SG8100-10 to SG8100-20, Proxy | (activation code)

Other license-related functions at the Blue Coat Licensing Portal include:
• Content filtering: This feature of the ProxySG requires a separate license. To enable it, select this option and type the activation code.
• ProxySG: Four functions are available: SSL license activation, ProxySG upgrade, ProxySG licensing, and the ability to revert to a previous upgrade.
• ProxyAV: Five functions are available: license activation for systems at version 3.1 or later, license activation for systems older than version 3.1, downloading an anti-virus license for systems at version 3.1 or later, upgrading a cold-standby appliance, and swapping a version 3.1 or later license from one appliance to another.
• ProxyOne: You can enter an upgrade activation code for your appliance.
• ProxyRA: Three functions are available: activate, download, and swap licenses.
• Blue Coat Reporter: To enable this application, select this option and type the activation code.
• PacketShaper: Three functions are available: download a license, upgrade, and revert upgrade.
• IntelligenceCenter / PolicyCenter: Three functions are available: get a license, upgrade, and revert upgrade.
• NetCache: To activate licenses for legacy NetCache equipment, select this option and type the activation code.
• Appliance certificate verification: Enter your hardware serial number to determine whether that ProxySG supports Blue Coat appliance certificates.

Other Support Tools

[Slide 16-8: Other support tools (BlueTouch Online home page with service management, knowledge base search, field alerts and security advisories)]

BlueTouch Online is a comprehensive offering. In addition to licensing and managing service issues, these functions are available:
• Knowledge base: You can type questions about Blue Coat products in natural language and get immediate answers from a large, frequently updated database of support information.
• Discussion forums: The Blue Coat discussion forums at http://forums.bluecoat.com are a useful, unfiltered way for customers to exchange tips and tricks. It is not uncommon to have your forum question answered by a Blue Coat support engineer or developer. The main drawbacks to the forums are that there is no guaranteed response time for questions, and responses are voluntary.
• Security advisories: Document potential security issues and their impact on Blue Coat products, including public reporting of security vulnerability information.
• Technical briefs: Illustrate the features and capabilities of Blue Coat products, providing baseline configurations for common deployment scenarios.
• Field alerts: Provide information on critical product and software issues.

Blue Coat recommends that you subscribe to security advisories and field alerts to receive important advisories.
Also, always read the release notes for each version of the Blue Coat product that you are installing. The release notes contain useful information and known issues and might answer your questions more quickly than contacting technical support.

Appendix A: Deployment Planning

Planning and designing the most efficient deployment is the most important decision you have to make, second only to the one of actually buying the Blue Coat ProxySG. The ProxySG is engineered to offer the maximum flexibility of deployment; you can scale from small to extremely large environments, and you can build fault tolerance and redundancy.

The Deployment Question

You may be new to the use of proxy servers; however, even if you are not, it is important that you review the many ways in which the ProxySG can be deployed. Your network is already designed to send all outbound traffic along a specific path. Now you need to direct to the ProxySG all the traffic that you want it to manage.

[Figure A-1: The deployment dilemma]

You may have a very complex network, but it can always be logically reduced to the simple diagram shown in Figure A-1. All of the solutions to route selected traffic from your clients to the ProxySG can be grouped into two main categories: transparent and explicit.

Firewall Best Practice

Regardless of how you decide to direct client traffic to the proxy, you should modify the firewall configuration in order to enforce the use of the proxy. Typically, a firewall allows outbound traffic from the clients to the Internet. More restrictive policies may allow only HTTP and HTTPS traffic from the clients to the Internet. In either case, you now want to block, for the clients, the traffic that you want to go through the proxy. For instance, if you want to proxy HTTP and HTTPS, you should block the clients from directly accessing outside resources over these protocols. Only the ProxySG should be allowed through the firewall.
This configuration allows you to enforce the use of the proxy by all clients, regardless of the deployment strategy that you will implement; this solution also deters the most advanced users from bypassing the proxy.

Explicit Proxy

Creating an explicit proxy is conceptually the easiest solution and in general does not require any additional software or hardware. A simple packet capture can show you whether a client is using an explicit proxy: a client configured for an explicit proxy formats its GET requests for the proxy, with the full URL (scheme and host included) in the request line rather than only the path. You can refer to the HTTP chapter of this book for more details.

Manual Configuration

Every client is configured to forward all traffic to the ProxySG. For instance, you can easily set your browser to send all HTTP requests to a proxy server. In Figure A-2 below, you can see how the configuration screen looks for a Firefox client.

[Figure A-2: Firefox proxy configuration ("Configure Proxies to Access the Internet" dialog with Manual proxy configuration selected, HTTP Proxy 172.16.90.22, Port 8080, the option "Use the same proxy for all protocols", and empty SSL, FTP, Gopher and SOCKS proxy fields)]

The client now sends all HTTP requests to the proxy with IP address 172.16.90.22 over port 8080. You can see how this method is fairly straightforward; however, it is impractical for any organization but the smallest. This method requires a lot of administrator time and, unless it is paired with good firewall rules, can be easily bypassed. Manual configuration can still be useful for testing and debugging purposes.

Proxy Auto-Configuration (PAC) File

The Proxy Auto-Configuration (PAC) file distributes the proxy configuration to the browser from a remote JavaScript file rather than from static information entered directly into each client. It is even possible to specify which proxies each user can access.
You can use a PAC file to create a very basic fault-tolerant and load-balanced environment. In this example, you configure four ProxySG appliances (sg01 to sg04) as follows: one handles all .com requests, one handles all .net requests, one handles all other domains, and the last one is a hot standby for the other three. If any of the three main proxies goes down, the fourth takes over. The table below shows the role of each proxy.

Table A-1: Proxy purpose
Proxy name | Domain
sg01 | .com domain
sg02 | .net domain
sg03 | all other domains
sg04 | hot standby

Figure A-3 shows the PAC file that implements this scheme. Requests for plain hostnames (intranet servers addressed without a domain suffix) and for hosts in the local domain go direct; every other request names the proxy responsible for the domain first and the hot standby second, so the browser fails over to sg04 only when the primary proxy does not answer.

function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".mydomain.com"))
        return "DIRECT";
    else if (shExpMatch(host, "*.com"))
        return "PROXY sg01:8080; PROXY sg04:8080";
    else if (shExpMatch(host, "*.net"))
        return "PROXY sg02:8080; PROXY sg04:8080";
    else
        return "PROXY sg03:8080; PROXY sg04:8080";
}

Figure A-3: PAC file for the proxies of Table A-1

The PAC file is served from a Web server with the MIME type application/x-ns-proxy-autoconfig and is conventionally given the .pac extension (for example, proxy.pac). Because every client downloads the same file, you can change the proxy configuration in one place without reconfiguring each client; the browser picks up the change the next time it loads the file. In Firefox, the file is referenced through the Automatic proxy configuration URL setting in the dialog of Figure A-2, and Reload fetches it again after a change.

Web Proxy Auto-Discovery (WPAD)

Instead of configuring the PAC file location on each client, you can let the browser find it. With Web Proxy Auto-Discovery (WPAD), supported by Internet Explorer and by Firefox, the browser looks for a host named wpad in the client's own DNS domain and progressively removes the leftmost label of the domain until it finds one: a client in clients.bluecoat.com first queries wpad.clients.bluecoat.com and then wpad.bluecoat.com. The PAC file found on that server is used without any intervention by the user or the administrator.

Note: WPAD assumes a trusted network. Because the client uses whatever PAC file it finds under the wpad name, anyone able to register a wpad host, answer that DNS query, or otherwise attach a server under that name can direct the client's traffic through a proxy of their choosing. Make sure that the wpad name in every domain your clients use resolves to a server you control.

[Figure A-4: Internet Explorer automatic proxy settings (Local Area Network (LAN) Settings dialog with "Automatically detect settings" and "Use automatic configuration script"; the dialog notes that automatic configuration may override manual settings)]

Figure A-4 above shows how the configuration for Internet Explorer looks when there is a WPAD server.

Active Directory Policy

If you are running any of the operating systems listed below, you can configure the clients' proxy settings automatically via Active Directory Group Policy.
• Windows 2000 Professional and Server
• Windows XP Professional
• Windows 2003 Server

Note: Windows 9x/Me and Windows XP Home Edition are not supported. Furthermore, each client must be part of the Active Directory forest.

This configuration can be used in conjunction with PAC files. You can use Active Directory to distribute not only a specific server configuration but also a more generic PAC file.
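As an added example (not part of the original course material), here is the PAC file of Figure A-3 together with minimal stand-ins for the helper functions that the browser normally provides, plus a function that mimics how a browser walks the returned proxy list, so the failover to sg04 can be checked outside a browser. The proxy names sg01 to sg04, port 8080 and the local domain .mydomain.com are the figure's own assumptions; the helper stand-ins are simplified versions written for this example.

```javascript
// Added example: the PAC file of Figure A-3 (Table A-1 scheme) with
// stand-ins for the browser-provided PAC helpers so it can run under Node.
// sg01..sg04, port 8080 and ".mydomain.com" are assumptions of the figure.

// Stand-ins for the PAC runtime helpers (same semantics as the originals
// for the cases used here).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function shExpMatch(str, shexp) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// The PAC entry point. Each return value names the primary proxy for the
// domain first and the hot standby sg04 second; the browser tries them in
// order and moves to the next entry when a connection fails.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".mydomain.com"))
    return "DIRECT";
  else if (shExpMatch(host, "*.com"))
    return "PROXY sg01:8080; PROXY sg04:8080";
  else if (shExpMatch(host, "*.net"))
    return "PROXY sg02:8080; PROXY sg04:8080";
  else
    return "PROXY sg03:8080; PROXY sg04:8080";
}

// Simulate the browser's handling of the returned list: walk the candidates
// in order and use the first one that is reachable. `down` is a Set of
// "host:port" strings assumed unreachable (constructed for the demo).
function resolveProxy(url, host, down) {
  const candidates = FindProxyForURL(url, host).split(";").map(s => s.trim());
  for (const c of candidates) {
    if (c === "DIRECT") return c;
    const target = c.replace(/^PROXY\s+/, "");
    if (!down.has(target)) return target;
  }
  return null; // every listed proxy is down
}
```

The browser only consults the standby when the primary fails to connect, so sg04 sees no traffic while sg01 to sg03 are healthy; if both the primary and sg04 are down, resolveProxy returns null, which corresponds to the browser's "proxy server refusing connections" error.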
[Figure A-5: Active Directory policy proxy configuration (Group Policy editor tree for the Default Domain Policy, showing the Connection Settings, Proxy Settings and User Agent String entries under User Configuration > Windows Settings > Internet Explorer Maintenance > Connection)]

This solution will become more feasible as more companies roll out Active Directory for the entire organization and stop using operating systems that are not supported.

Issues with Explicit Proxy

Based on the information provided above, you can see how relying on explicit proxy raises several potential issues. The main advantage is reduced cost, which may not be significant. Unless you implement more restrictive firewall policies, any advanced user can bypass the proxy setting that you are trying to enforce. Even group policy can be bypassed by using a browser other than Internet Explorer. A user can take advantage of WPAD to open security gaps; however, the possibility is remote because it requires advanced skills.

Transparent Proxy

You can think of transparent proxy as exactly the opposite of explicit proxy. The goal of setting up transparent proxy is to redirect all of the desired traffic to the ProxySG without the client's knowledge or consent. Regardless of the solution that you choose for explicit proxy, the client's user agent knows that it is sending the connection requests to a proxy server. However, in a transparent proxy scenario, the client's user agent believes that it is talking to the remote server directly, without intermediaries.

In essence, transparent proxy is more complex, as a technology, than explicit proxy, but it is also more efficient, scalable, and robust. Unfortunately, it is also, in general, more expensive and can be more complex to set up.

Layer 4 Switches

Switching technology has evolved from the Data Link Layer to cover up to the Application Layer. In general, most Layer 4 switches are capable of handling up to Layer 7 and down to Layer 2.
[Figure A-6: ProxySG with Layer 4 switch]

If you compare Figure A-6 with Figure A-1, you can see where the Layer 4 switch needs to be installed. It needs to be in a position to inspect all outbound traffic. The traffic that you want to proxy is redirected by the switch to the ProxySG; all other traffic is passed to the firewall (or other destinations).

Most Layer 4 switches offer a very useful set of added functions, such as:
• Advanced load balancing:
  • Round-robin
  • Least CPU utilization
  • URL hashing
• Advanced fault tolerance and redundancy

The only major obstacle to the deployment and implementation of Layer 4 switches is cost; in the United States, such devices can cost up to tens of thousands of dollars.

Traffic routing decisions can be based on several parameters, such as destination address, protocol, port, source address, or a combination of these.

A Layer 4 switch can also change the way a particular request looks; for instance, it can change a direct HTTP GET request to a proxy-style HTTP GET request, as shown in Figure A-7 below.

[Figure A-7: HTTP request transformation]

You can see that the client user agent is not aware that the connection will go via a proxy server. The ability of a Layer 4 switch (also known as a content switch) to change HTTP requests allows it to be compatible with any proxy and not just the more advanced ones like the ProxySG.

Web Cache Communication Protocol

You can configure a ProxySG in a Web Cache Communication Protocol (WCCP) deployment, in which a WCCP-capable router collaborates with a set of WCCP-configured ProxySG appliances to service requests. WCCP is a Cisco-developed protocol that allows you to establish redirection of the traffic that flows through routers.

The main benefits of using WCCP are:
• Scalability: With no reconfiguration overhead, redirected traffic can be automatically distributed to up to 32 ProxySG appliances.
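As an added example (not from the course), the request rewrite of Figure A-7 in code: a parser for the request head and a function that turns a direct-style request line into the proxy-style form. The proxy-style form is also what a packet capture shows for an explicit-proxy client, so the same check serves the Explicit Proxy section above. The sample request and the fallback to the packet's destination IP for requests that carry no Host header are constructed for this example; the functions are not part of any Blue Coat product.

```javascript
// Added example: direct-style to proxy-style HTTP request rewrite, as a
// Layer 4 switch does on the client's behalf (Figure A-7). Sample data and
// the destination-IP fallback are constructed for this example.

// Parse the request head (request line plus headers) of one HTTP request.
function parseRequestHead(raw) {
  const lines = raw.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break;                       // blank line ends the headers
    const i = line.indexOf(":");
    if (i === -1) throw new Error("malformed header line: " + line);
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers };
}

// True when the request line already carries an absolute URL, the form a
// proxy expects. In a capture, this is the quick sign of an explicit-proxy
// client; a direct client sends only the path.
function isProxyStyle(raw) {
  return /^[A-Z]+ [a-z][a-z0-9+.-]*:\/\//.test(raw);
}

// Rewrite "GET /path HTTP/1.1" + "Host: h" as "GET http://h/path HTTP/1.1",
// leaving the headers untouched. A direct request without a Host header
// (legal in HTTP/1.0) carries no origin, so the rewrite falls back to the
// packet's destination address, which is what a switch would have to use.
function toProxyStyle(raw, scheme = "http", destIp = null) {
  const req = parseRequestHead(raw);
  if (isProxyStyle(raw) || req.method === "CONNECT") return raw;  // nothing to do
  const origin = req.headers["host"] || destIp;
  if (!origin) throw new Error("no Host header and no destination address");
  const newLine = `${req.method} ${scheme}://${origin}${req.target} ${req.version}`;
  return newLine + raw.slice(raw.indexOf("\r\n"));
}

// Constructed sample: a direct request as a browser sends it without a proxy.
const SAMPLE_DIRECT =
  "GET /index.html HTTP/1.1\r\n" +
  "Host: www.example.com\r\n" +
  "User-Agent: demo\r\n" +
  "\r\n";
```

A CONNECT request is passed through unchanged because its target is already the host:port the proxy must tunnel to; for HTTPS the switch would otherwise have to terminate TLS to see anything at all, which is the ProxySG's job, not the switch's.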
• Redirection safeguards: If no ProxySG appliances are available, redirection stops and the router forwards traffic to the original destination address.

WCCP version 2 is supported by the ProxySG. The active WCCP protocol version set up in the ProxySG configuration must match the version running on the WCCP router. For Cisco routers using WCCP version 2, the minimum IOS releases are 12.0(3)T and 12.0(4).

WCCP and Transparent Redirection

A WCCP-capable router operates in conjunction with the ProxySG appliances to transparently redirect traffic to a set of caches that participate in the specified WCCP protocol. IP packets are redirected based on fields within each packet. Load balancing is achieved through a redirection hash table that determines which ProxySG will receive the redirected packet.

WCCP version 2 multicasting allows caches and routers to discover each other through a common multicast service group and matching passwords. In addition, up to 32 WCCP-capable routers can transparently redirect traffic to a set of up to 32 ProxySG appliances. Version 2 WCCP-capable routers are capable of redirecting IP traffic to a set of ProxySG appliances based on various fields within those packets.

WCCP version 2 allows routers and caches to participate in multiple, simultaneous service groups. Routers can transparently redirect IP packets based on their formats. For example, one service group could redirect HTTP traffic and another could redirect FTP traffic.

Note: Blue Coat recommends that WCCP-compliant caches from different vendors be kept separate and that only one vendor's routers be used in a service group.

One of the caches participating in the WCCP service group is automatically elected to configure the home router's redirection tables. This way, caches can be transparently added to and removed from the WCCP service group without requiring operator intervention.
ProxySG in Bridging Mode The ProxySG can be configured to bridge two sides of an IP network. This solution allows you to create a transparent proxy environment. This solution is not recommend for medium or large networks (more than 50 hosts). Figure A-8: ProxySG in bridging mode In the configuration shown in Figure A-8 above, the ProxySG receives all outbound traffic and can inspect it. H the traffic matches any of the criteria set forth by the administrators, the ProxySG further inspects the traffic and can apply any desired rule or action (allow, block, redirect, cache, and so on). 225 L r E F or is overload ProxySG to the policies. given because susceptible is is it match That and that those network. network, just that the to not for failure packets, attached of v3.5.1 the nodes all point Course many single a too BCCPA forwarding are — and becomes there if Services processing ProxySG Training The congestion now BlueTouch 226 227 of and the has SGOS string, which (NAT), on pace the 128-bit a space of the conversion. addresses. interface especially person deployed 5.5 has the internetwork. addresses, deployments, and addresses. translation address: hexadecimal address billion each a although which 1038) widely per version 4.3 during as IPv4 x prefix IPv4 less.) address: brackets: address allows Gateway first 3.4 once with the (IPv6), about organizations, limited, of the 6 IPv6 of Web subnet iT IPv6 releases. function be available packet-switched a square Internet. about 2010s. expressed an to a to was for of network in is of somewhat devices, limit (or as Secure version future Beginning is early theory, 1981, in maximum current across 2128 In for which a the such continue limit IPv6. containing the and eboa continues of enclosed in : IPv6 challenges exhaustion is Protocol as about theoretical components must a 1980 IPv4, of each actual planned omitted feO4 poses in addresses. 
support of large is be the techniques main of supports limit address as Internet Internet-connected exhausted allows IPv6 fields, that so of IPv6 deployment communicating now omitted: is can of 83ff: impending eboa the of be : : to to its be IPv6 for use to to specified applications the that supply 16-bit which an fields ProxySG can to but capabilities the IPv4 02d0 feO4 shows systems used theoretical and reserved, number similar a eight is zero due (IPv4), reserved: is Coat space, IPv6 1996, with zeros from are to the endless 4 expected of network 83ff: figure development in are browser, that : is in an devices :2d0:83ff:feO4:eboa]/index.html Blue Even the operating own leads 2d0 Web address the to leading version structure space a consists IPv4 Scopes addresses additional consecutive growth This accelerating their conversion protocol in led provide specified Introduction following addresses of of is field, 32-bit to :2d0:83ff:feO4:eb0a the the a system, computer :0000:0000:0000: these The first B: have rapid address address Protocol address space. existing insufficient. of this: of each to series entered Addressing special Address the uses as was situation a feBO fe8O:0:0:0: fe8O: IPv6 Loopbackaddress:o:o:o:o:o:o:o:lor::i Unspecifiedaddress:o:o:o:o:o:o:o:oor:: http://[fe8O: IPv4 major IPv6 expected (Many version IPv4 Internet With the address is This IPv6 planet deployment become operating • IPv6 All Managing • introduction such because An IPv6 Within And Some When The identifier. Appendix BlueTouchTraining Services — BCCPA Course v3.5.1 I nbits 128—n bits Subnet prefix Interface identifier I I 11111111 FFOO::/8 Multicast 1111111010 FE8O::/10 Link-local unicast ( J 1111111011 FECO::I10 Site-local unicast (deprecated) [ ] Allother values Global scope unicast However, IPv6 addresses are much more structured than those in IPv4. The top bits of an IPv6 address determine its scope: • Multicast: A device sends a single packet to multiple destinations. 
• Link-local unicast: This is similar to automatic configuration in IPv4. A device is connected to the Internet, and it generates an address and starts communicating with all nodes on the same physical network segment.
• Site-local unicast: This address is allowed to communicate with all nodes in an organization, but it cannot be used to communicate outside the organization boundary. This address type has been deprecated and should not be in wide use; link-local addresses can be used to achieve the same functionality.
• Global scope unicast: This address can communicate with anyone.

In IPv6, addresses must have the same scope in order to communicate with each other. (For example, a link-local address cannot communicate with a global scope address.) When an IPv6 device connects to the network, it has to join all of these groups in order for IPv6 to function properly.

For routing, a global scope unicast address can have a global prefix:

Global routing prefix (m bits) | Subnet ID (n-m bits) | Interface identifier (64 bits)
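The addressing rules above (eight 16-bit hexadecimal fields, omitted leading zeros, one "::" for a run of zero fields, square brackets in a URL) and the scope table, written out as an added Python example; this is not code from the course or from Blue Coat, and it cross-checks its own compression against the standard-library ipaddress module.

```python
import ipaddress  # standard library, used only to cross-check the hand-written rules

def expand(addr):
    """Expand a textual IPv6 address to its eight 4-hex-digit fields."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    fields = left + ["0"] * (8 - len(left) - len(right) if sep else 0) + right
    if len(fields) != 8 or any(not 1 <= len(f) <= 4 for f in fields):
        raise ValueError("not a valid IPv6 address: " + addr)
    return ["%04x" % int(f, 16) for f in fields]

def compress(addr):
    """Drop leading zeros in every field, then replace the first longest run of
    two or more all-zero fields with '::' (a single zero field is kept)."""
    fields = ["%x" % int(f, 16) for f in expand(addr)]
    best_start, best_len, run_start = -1, 0, None
    for i, f in enumerate(fields + ["end"]):  # sentinel closes the last run
        if f == "0" and run_start is None:
            run_start = i
        elif f != "0" and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(fields)
    return ":".join(fields[:best_start]) + "::" + ":".join(fields[best_start + best_len:])

def scope(addr):
    """Classify an address by its top bits, as in the scope table above."""
    top10 = int("".join(expand(addr)), 16) >> 118  # highest 10 of the 128 bits
    if top10 >> 2 == 0xFF:                         # 11111111   -> FF00::/8
        return "Multicast"
    if top10 == 0b1111111010:                      # FE80::/10
        return "Link-local unicast"
    if top10 == 0b1111111011:                      # FEC0::/10
        return "Site-local unicast (deprecated)"
    return "Global scope unicast"

def browser_url(addr, path="/index.html"):
    """A literal IPv6 address in a URL must be enclosed in square brackets."""
    return "http://[" + compress(addr) + "]" + path

if __name__ == "__main__":
    full = "fe80:0000:0000:0000:02d0:83ff:fe04:eb0a"  # the address used in the text
    assert compress(full) == str(ipaddress.IPv6Address(full))
    print(compress(full), scope(full), browser_url(full))
```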
IPv6 Packet Header

The following diagram shows the format of the IPv4 and IPv6 packet headers:

IPv4 header fields: Version, IHL, Type of Service, Total length, Identification, Flags, Fragment offset, Time to live, Protocol, Header checksum, Source address, Destination address, Options, Padding
IPv6 header fields: Version, Traffic class, Flow label, Payload length, Next header, Hop limit, Source address, Destination address

The IPv6 header is considerably simpler than the IPv4 header: it has a fixed length of 40 bytes (octets) and only eight fields. The identification, fragment offset, header checksum, options, and padding fields of IPv4 are not included; IPv6 carries optional information in extension headers that follow the fixed header (hop-by-hop options, routing, fragment, authentication, encapsulating security payload, and destination options). Many of the IPv4 options were never widely used, due to a lack of standardization. The IPv6 header fields are, in order:

• Version: Specifies the protocol version (in this case, 6).
• Traffic class: Similar to the type of service field in IPv4; used to specify the quality of service (priority) of the packet.
• Flow label: Used to label a sequence of packets that must receive the same treatment.
• Payload length: Specifies the length of the payload that follows the header, in octets.
• Next header: Specifies the type of the next header, which can be an extension header or the encapsulated transport-layer protocol (similar to the protocol field in IPv4).
• Hop limit: Similar to the time-to-live field in IPv4; decremented by every interface that forwards the packet.
• Source address: The 128-bit address of the originating interface.
• Destination address: The 128-bit address of the intended destination.

ProxySG IPv6 Support

The ProxySG supports IPv6 for the following:

• Proxies: HTTP, HTTPS, SSL, FTP, DNS, Telnet, and TCP-Tunnel
• Management: Management Console, Visual Policy Manager, the command line interface, and Content Policy Language

Currently, the ProxySG does not support IPv6 for WCCP-related features (Web Cache Communication Protocol).

Appendix C: Conditional Probability

Modern content-filtering technology, as well as spam e-mail detection, relies on some fundamental theorems of statistical analysis. This section discusses, at a very high level, Bayes' Theorem. This section assumes that you are familiar with some basic principles of statistics. You can determine the probability of a future event based on knowledge that a different event already occurred. We can apply this theory to content filtering. Suppose that you want your system to recognize new and uncategorized text documents (past events), based on the probability of certain events (prior probabilities). For example, you want the device to recognize when a page contains Adult/Mature content. The device cannot determine that a text page contains a certain type of content without having some point of reference.
No computer ever can “know” that a page contains Adult/Mature content; however, it is possible for the computer to determine the probability that a page contains Adult/Mature content, by comparing that probability to the probability that it contains some other type of content, for example, News/Media content.

Bayes' Theorem

Let us consider a set of mutually exclusive events {A1, A2, A3 ... AN} and define, using P(Ai), the probability of the event Ai happening. We can perform an experiment, referred to as event B, to determine how the probability changes. We want to calculate the probability of the event Ai, conditional to the event B, which we will call P(Ai|B). In essence, we want to determine the probability that event Ai is going to happen, knowing that event B has happened. For example, if you have a bag with six balls, three red and three blue, you want to determine the probability of extracting a blue ball (P(A)), knowing that you just picked up from the bag a red one (P(B)).

We can determine, through a controlled experiment, both the probability of event B, which we will call P(B), and the probability of event B happening conditional to the generic event Ai, for each value of i. Recall the theorem of the total probability, as shown in formula (a) below:

(a)  P(B) = \sum_{i=1}^{N} P(A_i)\,P(B \mid A_i)

Formula (a) states that the probability of an event is the sum of the probabilities of the combined events. To better understand formula (a), we can use a real-life example. In the state of California, the registered voters are divided according to the table below:

Table B-1: Registered voters in California (a)
Democrats      43 percent    P(D)=0.43
Republicans    34 percent    P(R)=0.34
Other          23 percent    P(O)=0.23
a.
Data from State of California Registrar of Voters (April 2006)

If you know that 60 percent of the registered Democrats, 20 percent of the registered Republicans, and 90 percent of the others favor a new bill, what is the probability that the new bill will pass? The probability that the new bill will pass is P(B), the probability that a person belongs to a certain party is P(Ai), and the probability that a person will vote a certain way is P(B|Ai). Using the numbers above, we determine that the probability that the bill will pass is:

(b)  P(B) = (0.43 \times 0.60) + (0.34 \times 0.20) + (0.23 \times 0.90) = 0.53

Formula (b) tells us that the bill can pass, but only by a narrow margin. The next step is to try to determine the probability of the event P(Ai|B). This probability can be expressed using formula (c) below:

(c)  P(A_i \mid B) = \frac{P(A_i)\,P(B \mid A_i)}{P(B)}

If you use the value of P(B) from formula (a) and substitute it in formula (c), you obtain Bayes' Theorem, shown below in formula (d):

(d)  P(A_i \mid B) = \frac{P(A_i)\,P(B \mid A_i)}{\sum_{i=1}^{N} P(A_i)\,P(B \mid A_i)}

Using the example of the voters in California, formula (d) allows us to calculate, knowing that the bill was approved, the probability that a person of a given party voted for the bill. Applying the numbers listed above and the result of formula (b) to formula (d), we obtain:

(e)  P(D \mid B) = (0.43 \times 0.6) / 0.53 = 0.48

So, knowing that the bill passed, the probability that a voter was a Democrat is 48 percent. Bayes' Theorem allowed us to reverse the probability. We started knowing that a certain percentage of registered voters would vote a certain way. Knowing that the bill was approved, we determined the probability that a voter belonged to a certain party.

Application to Content Filtering

The concept discussed in the previous section can be applied to content categorization. To teach a system how to differentiate between the different categories, you need to provide it with a solid foundation.
You need to have good documents that the system can use to learn how to recognize different categories. You define the categories as the mutually exclusive events {A1, A2, A3 ... AN}. For example, you can say that A1 is Adult/Mature, A2 is Pornography, and so on. You can define the appearance of a word as event B; for instance, P(B) could be the probability of finding the word “sex.” So you can say:

• P(A2) = Probability of a site being Pornography
• P(B|A2) = Probability of the word “sex” appearing in a Pornography page
• P(B) = Probability of finding the word “sex”
• P(A2|B) = Probability of a site being Pornography when the word “sex” is found in it

Using the preceding definitions, you obtain the following formula:

P(\text{Pornography} \mid \text{Sex}) = \frac{P(\text{Pornography})\,P(\text{Sex} \mid \text{Pornography})}{P(\text{Sex})}

Obviously, you cannot create these formulas manually. You need to create a tool that can automatically calculate all of the different probabilities; ultimately, this will provide you with an accurate P(B|A2). To achieve this result, you must submit a series of documents belonging to known categories to the automatic tool. For example, submit 1,000 Pornography pages, 1,000 News/Media pages, and so on. The system processes the content of the pages and, by calculating the multiple probabilities for the different events, learns how to recognize new pages that it has not seen before.

It is important to consider other parameters any time you do any statistical analysis. You need to evaluate the accuracy of your estimators and the coverage. The accuracy is determined as a percentage of correct results. For instance, if we process 100 sites that we estimated to be categorized as Pornography, how many were really porn sites? The coverage determines the miss rate of the tool: in a pool of X sites known to belong in the Pornography category, how many did the tool catch?
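Formulas (a) and (d) applied both to the California voters example and to the content-filtering definitions above, as an added Python example that is not part of the course: the training corpus, the function names, and the accuracy/coverage bookkeeping are constructed for illustration, using category names from the text.

```python
from collections import Counter

def total_probability(prior, likelihood):
    """Formula (a): P(B) = sum over i of P(A_i) * P(B|A_i)."""
    return sum(prior[a] * likelihood[a] for a in prior)

def posterior(prior, likelihood):
    """Formula (d): P(A_i|B) for every event A_i; undefined when P(B) = 0."""
    p_b = total_probability(prior, likelihood)
    if p_b == 0:
        raise ValueError("P(B) = 0: the evidence never occurs in the training data")
    return {a: prior[a] * likelihood[a] / p_b for a in prior}

# Table B-1 priors and the 60/20/90 percent support figures quoted in the text
VOTERS_PRIOR = {"Democrats": 0.43, "Republicans": 0.34, "Other": 0.23}
VOTERS_FAVOR = {"Democrats": 0.60, "Republicans": 0.20, "Other": 0.90}

# Constructed training corpus of (known category, page text); a real tool is fed thousands of pages per category
TRAINING = [
    ("Travel", "hotel reservation city time table"),
    ("Travel", "hotel city flight reservation"),
    ("Travel", "airport hotel reservation"),
    ("News/Media", "election city report headline"),
    ("News/Media", "headline report weather"),
    ("Political/Activist Groups", "election petition reservation rally"),
]

def train(corpus):
    """P(A_i) = share of pages in category i; P(B|A_i) = share of the
    category-i pages that contain word B. Returns (prior, likelihood_of)."""
    pages = Counter(cat for cat, _ in corpus)
    prior = {c: n / len(corpus) for c, n in pages.items()}
    word_pages = {c: Counter() for c in prior}
    for cat, text in corpus:
        word_pages[cat].update(set(text.split()))  # a page counts once per word
    def likelihood_of(word):
        return {c: word_pages[c][word] / pages[c] for c in prior}
    return prior, likelihood_of

def categorize(word, prior, likelihood_of):
    """Most probable category given that the word was found, plus all P(A_i|B)."""
    post = posterior(prior, likelihood_of(word))
    return max(post, key=post.get), post

def accuracy_and_coverage(predicted, actual, category):
    """Accuracy: correct share of the pages the tool put in the category.
    Coverage: share of the pages really in the category that the tool caught."""
    flagged = {i for i, p in enumerate(predicted) if p == category}
    truly = {i for i, a in enumerate(actual) if a == category}
    hits = len(flagged & truly)
    return (hits / len(flagged) if flagged else 0.0,
            hits / len(truly) if truly else 0.0)
```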
Unfortunately, you cannot achieve 100 percent success in both accuracy and coverage; you can achieve 100 percent in one or the other. However, if 100 percent accuracy is achieved, coverage will suffer tremendously, and vice versa. The goal is to find a sweet spot where accuracy is sufficient and the coverage is still good. Blue Coat WebFilter aims at 85-90 percent accuracy.

Blue Coat's dynamic categorization technology uses a two-step approach. The first step is to recognize the language of the website. This is important because the same word may exist in more than one language but have different meanings in the different languages. For instance, the word burro has the same spelling both in Italian and Spanish; however, it means butter in Italian and donkey in Spanish! The system needs to correctly determine the language before it can apply any statistical analysis on the words. You can see an example in Figure B-1 from the site http://www.jal.co.jp:

Figure B-1: Words “reservation” and “month”

The word meaning “reservation” represents sites in Japanese with a probability of 0.00052, while the word meaning “month” represents Japanese sites with a probability of 0.00236. The products of the probability of each language token by the number of its occurrences are grouped and summed by language. The language that has the highest weight becomes the assumed language for that website.

The second step is the categorization itself, using the same weighting. Figure B-2 shows the tokens from the same site that are relevant to the Travel and Political/Activist Groups categories, with the weight of each token (its probability for that category, multiplied by the number of occurrences):

Figure B-2: Terms associated with the Travel and Political/Activist Groups categories (tokens shown: “hotel,” “time table,” “city,” and “reservation”)

There are many tokens associated with Travel and only a few associated with Political/Activist Groups; note that the same token can be relevant to more than one category, as “reservation” is here. The total weight for Travel is 0.00253, while the total weight for Political/Activist Groups is only 0.000809. Therefore, the site http://www.jal.co.jp is categorized as Travel (the category with the highest probability!), NOT Political/Activist Groups. The approach shown in this appendix is only one of the techniques that Blue Coat's dynamic categorization actually adopts.
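The two-step dynamic categorization described above (language first, then category, each decided by summing token probability times occurrences) as an added Python example that is not Blue Coat's code: the token tables, the Japanese glyphs assumed for “reservation” and “month,” the per-language category tables, and the sample page are constructed, except for the two Japanese language probabilities quoted in the text.

```python
from collections import Counter

# Step 1 table: per-token probability for each language. The two Japanese tokens
# carry the probabilities quoted in the text; their glyphs and all other entries
# are assumed for this example.
LANGUAGE_TOKENS = {
    "予約": {"Japanese": 0.00052},                       # "reservation"
    "月": {"Japanese": 0.00236},                         # "month"
    "hotel": {"English": 0.00031, "Spanish": 0.00018},
    "burro": {"Italian": 0.00027, "Spanish": 0.00029},  # butter vs. donkey
}
# Step 2 tables: one per language (assumed layout), per-token probability for
# each category. A token may count for more than one category, as
# "reservation" does in Figure B-2. All values constructed.
CATEGORY_TOKENS = {
    "Japanese": {
        "予約": {"Travel": 0.00040, "Political/Activist Groups": 0.00040},
        "ホテル": {"Travel": 0.00086},                   # "hotel", assumed glyphs
    },
}

def weights(tokens, table):
    """Sum (token probability x occurrences), grouped by language or category."""
    totals = Counter()
    for token, count in Counter(tokens).items():
        for group, p in table.get(token, {}).items():
            totals[group] += p * count
    return dict(totals)

def categorize_site(tokens):
    """Step 1 picks the language with the highest weight; step 2 rates the page
    only with that language's category table. Returns (language, category,
    category weights); None where no token gives a signal."""
    by_lang = weights(tokens, LANGUAGE_TOKENS)
    if not by_lang:
        return None, None, {}
    language = max(by_lang, key=by_lang.get)
    by_cat = weights(tokens, CATEGORY_TOKENS.get(language, {}))
    category = max(by_cat, key=by_cat.get) if by_cat else None
    return language, category, by_cat

# Constructed token stream standing in for the jal.co.jp page of Figures B-1 and B-2
SAMPLE_PAGE = ["予約", "予約", "ホテル", "月", "月"]
```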