BCC Proxy Admin

Table of Contents
Chapter 1 : Blue Coat SG and Firewalls 1
Chapter 2: Blue Coat SG Deployment 7
Chapter 3: Blue Coat SG Initial Setup 23
Chapter 4: Blue Coat SG Graphical User Interface 29
Chapter 5: Services 41
Chapter 6: Hypertext Transfer Protocol 49
Chapter 7: HTTP Compression 61
Chapter 8: Authentication Introduction 69
Chapter 9: Authentication Realms 79
Chapter 10: Policy Management 93
Chapter 11 : Content Filtering 101
Chapter 12: Managing Downloads 117
Chapter 13: Managing Instant Messaging 123
Chapter 14: Managing Peer-to-Peer Traffic 133
Chapter 15: Notify User Policy 141
Chapter 16: Access Logging 147
Chapter 17: Introduction to Reporter 159
Chapter 18: Blue Coat AV 173
Chapter 19: Service and Support 187
¡X
Blue Coat Educational Services — BCCPA Course v 1.7.1
Appendix A: Deployment Planning 195
Appendix B: Conditional Probability — Bayes Theorem 203
X
Chapter 1: Blue Coat SG and Firewalls
The Web has become a vital m e t h o d of c o m m u n i c a t i o n for n e t w o r k e d businesses a n d

organizations w o r l d w i d e . A l t h o u g h the Web is an extremely valuable c o m m u n i c a t i o n s tool, it also
provides a w a y for viruses to enter corporate n e t w o r k s , m u c h the s a m e w a y that traditional e-mail
p r o v i d e d a n e w entry in the 1990s a n d floppy disks before that.
While enterprises c o n t i n u e to tighten security against k n o w n viruses entering a n e t w o r k —

t h r o u g h floppy disks, CD-ROMs, or e-mail a t t a c h m e n t s — hackers exploit the Web as an easy w a y
into corporations that rely on firewall technology alone to protect them.
Most organizations use firewalls to protect their n e t w o r k s . Firewalls — w h i c h typically are placed
between a private n e t w o r k a n d outside public n e t w o r k — monitor traffic to d e t e r m i n e w h e t h e r it
s h o u l d be allowed in or out.
A l t h o u g h firewalls protect against external attacks, they do not enable organizations to control
users within their n e t w o r k . This is the role of proxies. Proxies enable organizations to authenticate
users, report on n e t w o r k activity, a n d enforce policy: key elements in creating a p r o d u c t i v e a n d
safe Web e n v i r o n m e n t .
This chapter discusses the basics of firewalls a n d proxies and h o w they w o r k together. It explains
h o w organizations can use proxies to control their n e t w o r k s a n d introduces the key basic
d e p l o y m e n t s : forward proxy a n d reverse proxy.
1
Firewalls
• Most networks are protected by firewalls
• Firewalls are required to protect your network
• Firewalls are very effective at keeping

the "bad" guys out of your network
Slide 1 - 1 : Why firewalls are used
In this age of viruses, Trojans, a n d s p y w a r e , firewalls h a v e become c o m m o n — even for h o m e

c o m p u t i n g . A firewall protects y o u r n e t w o r k from u n w a n t e d Internet traffic. Firewalls m o n i t o r
Internet traffic to d e t e r m i n e w h e t h e r the traffic s h o u l d be allowed into (or o u t of) the network.
Essentially, they keep the "bad" g u y s out of y o u r n e t w o r k .
Firewalls enable an o r g a n i z a t i o n ' s users to request Web pages, d o w n l o a d files, a n d chat while
m a k i n g sure that outsiders cannot use the Internet to access n e t w o r k services like file or print
s h a r i n g . Some firewalls are pieces of software that r u n on y o u r computer. Other firewalls are built
into h a r d w a r e a n d protect the entire n e t w o r k from attacks.
2
Firewalls
Designed to keep the bad guy out of the network
Slide 1 - 2 : Typical firewall d e p l o y m e n t
As y o u can see from Slide 1-2, firewalls typically reside in w h a t is k n o w n as the DMZ, the
so-called neutral z o n e between a c o m p a n y ' s private n e t w o r k a n d the outside public n e t w o r k .
Internal clients a n d services are shielded from the "lawless" Internet by the firewall, w h i c h blocks
u n w a n t e d traffic a n d malicious intrusion a t t e m p t s .
Firewalls n o r m a l l y allow clients on the internal n e t w o r k to use instant messaging, listen to music,
etc., unless ports u s e d by those services are explicitly blocked by a firewall administrator.
3
Proxy
• Complements the firewall for a complete security

architecture
• Designed to keep the "good" guys "good"
• Two types of proxy

- Forward proxy
- Reverse proxy
Slide 1-3: Why p r o x i e s are d e p l o y e d
As y o u h a v e learned, firewalls are an i m p o r t a n t p a r t of securing y o u r private network. But they

are not the only piece of the security p u z z l e . At the perimeter of the corporate network, firewalls
a n d intrusion-detection s y s t e m s provide excellent protection against external attacks. However,
they do not enable organizations to obtain visibility a n d control of users from within — t h r o u g h
authentication, authorization, reporting, or policy enforcement — to create a productive, safe Web
e n v i r o n m e n t . In other w o r d s , proxies serve to "keep the g o o d g u y s good."
Proxy servers are v e r y powerful devices that can be d e p l o y e d in t w o very different w a y s —

forward proxy a n d reverse proxy.
A forward proxy acts as an i n t e r m e d i a r y b e t w e e n a client a n d a content server to protect the client

from being seen from the Internet. A forward proxy a s s u m e s responsibility for retrieving a n d
r e t u r n i n g d a t a from a content server to the client. It also caches retrieved data so it can serve the
d a t a to other clients on the network. Caching decreases n e t w o r k traffic costs significantly, because
once the first request is m a d e for a certain d o c u m e n t , s u b s e q u e n t requests are delivered from the
local cache.
A reverse proxy (also k n o w n as a Web server accelerator) acts as an i n t e r m e d i a r y between a Web

server a n d the Internet. A reverse proxy protects the Web server from direct Internet access a n d
also eases the s e r v e r ' s load by caching content a n d serving it directly to clients. External clients
request content directly from the reverse proxy, w h i c h they a s s u m e is the origin content server
(OCS).
4
What is a Proxy?
Forward Proxy
Internal External
Proxy: [...] deputy who acts as a substitute for another *

* Definition from the Merriam-Webster Online Dictionary
Slide 1 - 4 : D e f i n i t i o n of a p r o x y
In simple terms, a p r o x y is a n e t w o r k device that acts on behalf of clients to retrieve requested

content from an OCS.
A client o p e n s n e t w o r k connections w i t h the proxy only — the proxy then o p e n s a n e w a n d

separate connection w i t h the remote OCS. This is an i m p o r t a n t concept because the OCS is never
a w a r e of the connection details of client requests; the OCS completes all transaction solely w i t h the
proxy, w h i c h it v i e w s as the client.
After the proxy h a s retrieved the content from the OCS, it delivers it to the client using the s a m e
connection that the client initially established w i t h the proxy. Therefore, a proxy is in a u n i q u e
position to:
• D e t e r m i n e w h i c h client requests to p e r m i t a n d w h i c h to d e n y
D e t e r m i n e w h i c h content to pass from the OCS to clients
• Modify client requests to the OCS
• Modify any content it receives from the OCS before s e n d i n g it to the client
5
Slide 1-5: Proxy capabilities
The firewall is u s e d at the p e r i m e t e r to block o u t s i d e attacks. H o w e v e r , s o m e protocols m u s t be

p e r m i t t e d to p a s s t h r o u g h the firewall or all corporate business w o u l d cease. As s h o w n by the
d i a g r a m , the Blue Coat SG is u s e d to control Web-based c o m m u n i c a t i o n s that have been allowed
t h r o u g h the firewall. As y o u can see in Slide 1-5, proxies are capable of p r o v i d i n g a variety of
useful services, including:
Filtering Web content
• Blocking u n w a n t e d or malicious d o w n l o a d s
• Blocking Web mail a n d IM virus p r o p a g a t i o n
• Blocking p o p - u p s a n d s p y w a r e intrusion
• Protecting c o p y r i g h t e d m e d i a a n d intellectual p r o p e r t y
• Logging u s e r activity a n d content
6
Chapter 2: Blue Coat SG Deployment
This chapter discusses the three types of proxy d e p l o y m e n t :
• Explicit proxy
• Transparent proxy
• Reverse proxy
You will learn w h a t a proxy is, w h a t it does, a n d h o w it can be deployed, particularly the Blue
Coat SG. You will discover w h y setting up an explicit proxy is the easiest, but not necessarily the
most scalable, proxy d e p l o y m e n t . You will look at the complexities of Layer 4 transparent
redirection a n d w e i g h its benefits against the simplicity of the explicit proxy. Next, y o u will look at
t r a n s p a r e n t redirection t h r o u g h the Web Cache C o m m u n i c a t i o n Protocol (WCCP) to explore its
load-balancing a n d traffic-segregation benefits.
Blue Coat solution at each remote location enables y o u to maintain control of the n e t w o r k by:
• Enforcing content-filtering policies
• Controlling the content of selected SSL transactions
• Using b a n d w i d t h - m a n a g e m e n t options to prioritize the use of the Internet connections for

business-relevant applications
Enabling edge-to-core compression between Blue Coat SG devices to optimize traffic across the
W A N T h e d e p l o y m e n t strategy that y o u i m p l e m e n t can d e t e r m i n e the availability of Blue Coat SG
features a n d functionalities. More importantly, this decision determines h o w users are affected by
the proxy d e p l o y m e n t .
For example, a t r a n s p a r e n t proxy d e p l o y m e n t that uses a Layer 4 switch (see Slide 2-5) might
a p p e a r to be an elegant, scalable, a n d easy-to-maintain solution. However, initial setup cost can be
prohibitive a n d consistent user authentication can prove challenging to i m p l e m e n t . On the other
h a n d , d e p l o y i n g an explicit proxy using PAC files might a p p e a r more laborious to implement, b u t
this m e t h o d does not require a n y additional e q u i p m e n t a n d user authentication is easier to
implement, m a k i n g it a consistently p o p u l a r option.
7
Deployment Options
• Explicit Proxy
- Clients "knoW there is a proxy in the path
• Transparent Proxy
- Clients do not "know"there is a proxy in the path
• Reverse Proxy
- Protects a web server from clients on the internet
Slide 2 - 1 : Choices for client Internet access
W h e n choosing h o w y o u r clients access the Internet, y o u basically have three choices:
• Explicit proxy
Explicit p r o x y i n g is the quickest a n d simplest proxy solution. Setting up an explicit proxy is

relatively simple; clients' b r o w s e r s m u s t be m a n u a l l y configured to recognize the proxy.
H o w e v e r , this s a m e simplicity can be impractical if y o u r n e t w o r k has m a n y clients.
• Transparent proxy
A l t h o u g h the n a m e s o u n d s s o m e w h a t intimidating, t r a n s p a r e n t proxying s i m p l y m e a n s that

the client is u n a w a r e that its requests are being intercepted by a proxy. Normally, the
redirection is accomplished t h r o u g h the use of a Layer 4 switch. O n e of the main reasons for
d e p l o y i n g a t r a n s p a r e n t proxy is that y o u do not h a v e to m a n u a l l y configure client browsers
to recognize the p r o x y
• Reverse proxy
Reverse proxy is a proxy server that delivers content for one or more Web servers. All traffic
directed to the back-end servers goes to the proxy server instead. Some reasons to install a
reverse proxy are to defend a n d secure the servers b e h i n d it, distribute load across several
Web servers, cache static content, integrate full SSL termination capabilities into y o u r Blue
Coat SG, a n d to c o m p r e s s content.
8
Explicit Proxy
Clients "knoW there is a proxy in the path
Slide 2 - 2 : Explicit proxy deployment
D e p l o y i n g an explicit proxy is the least complex solution a n d generally d o e s not require any
additional software or h a r d w a r e . A s i m p l e packet capture can s h o w y o u if a client is using an
explicit proxy. Clients using an explicit proxy format the GET request in a different w a y than
clients u s i n g a t r a n s p a r e n t proxy or no proxy at all.
W h e n the b r o w s e r does not have a proxy set, the s t a n d a r d GET request has formatting similar to
the following:
GET / HTTP/1.1
HOST: www.bluecoat.com
W h e n the b r o w s e r is configured to use a proxy, the GET request includes the entire URL:
GET http://www.bluecoat.com/ HTTP/1.1

HOST: www.bluecoat.com
Note: In an explicit proxy request, the destination IP address of the client request is the IP
a d d r e s s of the proxy, a n d not the IP a d d r e s s of the 0 C S .
9
Transparent Proxy
Clients do not "knoW there is a proxy in the path
Slide 2 - 3 : T r a n s p a r e n t p r o x y d e p l o y m e n t
You can t h i n k of t r a n s p a r e n t proxying as the opposite of explicit proxying. The goal of t r a n s p a r e n t

p r o x y i n g is to redirect all traffic to the Blue Coat SG w i t h o u t requiring client k n o w l e d g e of the
proxy. W h e n y o u set up an explicit proxy, the client's user agent a l w a y s k n o w s that it is s e n d i n g
connection requests to a proxy server. In a t r a n s p a r e n t proxy d e p l o y m e n t , the client's user agent is
u n a w a r e that traffic is being redirected to a proxy a n d believes that it is talking to the remote
server directly, w i t h o u t intermediaries.
In essence, t r a n s p a r e n t proxying is a m o r e complex technology than explicit proxying. But it is

also m o r e efficient, scalable, a n d robust. Unfortunately, t r a n s p a r e n t proxying is also generally
m o r e e x p e n s i v e a n d m o r e complex to set u p .
Unlike the explicit proxy scenario, y o u c a n n o t tell if a client request is g o i n g to be transparently

proxied by looking at a packet c a p t u r e of that request on the client machine.
Note: In a t r a n s p a r e n t proxy request, the destination IP a d d r e s s of the client request is the IP

a d d r e s s of the remote server, a n d not the IP a d d r e s s of the proxy.
10
Explicit: Manually Configured
Slide 2 - 4 : Explicit p r o x y c o n f i g u r a t i o n
In an explicit proxy d e p l o y m e n t , every client is configured to forward all traffic to the Blue Coat
SG. For example, y o u can easily set y o u r b r o w s e r to s e n d all HTTP requests to a proxy server.
Figure 2-1 below s h o w s the proxy configuration screen for a Firefox® client.
0 : | Manual proxy configuration]
O Use the same proxy for all protocols
HTTP Proxy: [myproxysg j Port: ¡0080 | j
SSL Proxy: [myproxysg j Port: ¡8080^ ]
Figure 2 - 1 : Proxy configuration for Firefox
Once the Firefox client has been configured as s h o w n above, the client s e n d s all HTTP requests
over port 8080 to the proxy with the h o s t n a m e myproxysg. You can see h o w straightforward this
m e t h o d is; however, it is impractical for m o s t organizations (except the very smallest) because y o u
h a v e to m a n u a l l y configure the b r o w s e r on each client machine. M a n u a l l y configuring an explicit
proxy requires a lot of administrator time a n d — unless the proxy is paired w i t h good firewall
rules — can be easily bypassed a n d defeated.
M a n u a l configuration can still be useful for testing a n d d e b u g g i n g p u r p o s e s .
Important: Malicious users can easily circumvent explicit proxy solutions.
11
Transparent: Layer 4 Switch
"/ Simple * initiai Cost
Slide 2 - 5 : N e t w o r k w i t h c o n t e n t switch
In a t r a n s p a r e n t proxy d e p l o y m e n t , the Layer 4 switch m u s t be able to inspect all o u t b o u n d traffic.

You can configure the switch to direct specific traffic to the Blue Coat SG a n d to pass all other
traffic to the firewall (or other destinations). Traffic-routing decisions can be based on several
p a r a m e t e r s — destination a d d r e s s , protocol, port, source address, or a combination of these.
Most Layer 4 switches also offer a v e r y useful set of additional features. For example:
• A d v a n c e d load balancing
• URL h a s h i n g
s
A d v a n c e d fault tolerance a n d r e d u n d a n c y
The major obstacle to d e p l o y i n g a n d i m p l e m e n t i n g Layer 4 switches is often cost; s u c h devices can

cost tens of t h o u s a n d s of U.S. dollars.
12
Transparent: Cisco WCCP
s Simple * Router Load
Slide 2 - 6 : E q u i p m e n t w i t h WCCP
The Web Cache C o m m u n i c a t i o n Protocol (WCCP) v2.0 is a content-routing technology that

enables routers to c o m m u n i c a t e with, a n d transparently redirect requests to, one or more Web
caches. The p u r p o s e of the interaction is to establish a n d maintain the transparent redirection of
selected traffic types flowing t h r o u g h a g r o u p of routers. W C C P v2.0 defines m e c h a n i s m s that
allow one or more routers (enabled for t r a n s p a r e n t redirection) to discover, verify, a n d advertise
connectivity to one or more Web caches.
W C C P v2.0 s u p p o r t s the redirection of traffic other than HTTP traffic t h r o u g h a traffic segregation
m e t h o d called Service Groups.
You can read m o r e about W C C P on the Cisco Web site.
13
Transparent: Blue Coat SG Bridging
S Simple * Single Point of Failure
Slide 2 - 7 : Blue Coat SG in b r i d g i n g m o d e
The Blue Coat SG can be configured to b r i d g e t w o sides of an IP n e t w o r k . This solution enables

y o u to create a t r a n s p a r e n t proxy e n v i r o n m e n t . This solution is not r e c o m m e n d e d for m e d i u m or
large n e t w o r k s (more t h a n 250 hosts).
In the configuration s h o w n in Slide 2-7, the Blue Coat SG receives all o u t b o u n d traffic a n d inspects
it. If the traffic matches a n y filtering criteria set by the administrators, Blue Coat SG further
inspects the traffic to d e t e r m i n e if a n y rule or action (allow, block, redirect, cache, etc.) needs to be
applied.
If there are too m a n y nodes a t t a c h e d to the network, Blue Coat SG becomes a single point of
failure a n d is susceptible to o v e r l o a d i n g a n d congestion: The Blue Coat SG is n o w processing a n d
f o r w a r d i n g all packets — not j u s t t h o s e that match given policies.
14
Transparent: Default Router
s Simple * Single Point of Failure
Slide 2 - 8 : T r a n s p a r e n t : d e f a u l t r o u t e r
The Blue Coat SG can act as a default g a t e w a y for clients. In this scenario, the Blue Coat SG is
capable of routing a n y kind of traffic: UDP, TCP, NetBIOS, unicast, multicast, etc. U n d e r such
situations, the Blue Coat SG can either terminate a n d process the traffic or forward the traffic to
the next h o p .
If the destination TCP port m a t c h e s the service that is set to intercept, the packets are processed.
Otherwise, the packets are f o r w a r d e d based on the destination M A C a d d r e s s a n d the IP a d d r e s s in
the packet.
In o r d e r for the Blue Coat SG to act as a default router:

• Clients m u s t h a v e their T C P / I P default g a t e w a y set to the Blue Coat SG's IP address.
• IP forwarding m u s t be enabled on the Blue Coat SG. If IP forwarding is not enabled, the
packets will be rejected by the Blue Coat SG.
15
Deployment Best Practice
Firewall Rules
Source Destination Action
• 172.16.0.100 ANY ALLOW
•172.16.1.10 25 ALLOW
•ANY ANY DENY
Slide 2 - 9 : Firewall best practices
No m a t t e r h o w y o u decide to direct client traffic to the proxy, y o u s h o u l d modify the firewall

configuration to enforce the use of the proxy.
Typically, a firewall allows o u t b o u n d traffic from clients to the Internet. More restrictive policies
m a y allow only HTTP a n d HTTPS o u t to the Internet. In either case, y o u m a y w a n t to block all
traffic t h a t y o u w a n t to go t h r o u g h the proxy. For example, if y o u w a n t to proxy HTTP a n d
HTTPS, y o u s h o u l d block clients from directly accessing o u t s i d e resources over these protocols.
O n l y the Blue Coat SG s h o u l d be a l l o w e d t h r o u g h the firewall.
Such a firewall configuration enables y o u to force client traffic to go t h r o u g h the proxy, regardless
of the d e p l o y m e n t strategy that y o u i m p l e m e n t ; this solution also deters even the m o s t a d v a n c e d
users from b y p a s s i n g the proxy.
16
Edge Deployment
Core Deployment Edge Deployment
Slide 2 - 1 0 : Moving f r o m the core t o the edge
Slide 2-10 represents graphically w h a t is discussed in the introduction of this chapter. On the left
side, y o u can see a representation of a traditional n e t w o r k layout for a large enterprise w i t h several
satellite offices. On the right side y o u can see the configuration that s o m e companies are m i g r a t i n g
to. Each office has separate a n d i n d e p e n d e n t n e t w o r k access. The dotted lines represent the V P N
t u n n e l s that the satellite office uses to access d a t a centers at the m a i n corporate offices.
Blue C o a t ' s p r o d u c t s are d e s i g n e d to fit into this model. You can use the same h a r d w a r e for
s t a n d - a l o n e small offices as well. H o w e v e r , features available in the SGOS are designed to fit into
both d e p l o y m e n t scenarios.
In m o v i n g Internet access from the core (headquarters) to the e d g e (remote office), c o m p a n i e s m a y
h a v e lost the ability to g r a n u l a r l y control who does vWjarand when. The availability of h a r d w a r e
that is cost-effective, easy to deploy, a n d easy to control allows companies to deploy the Blue Coat
solution at each remote location a n d still maintain control of the n e t w o r k by:
• Enforcing content-filtering policies
Controlling the content of selected SSL transactions
17
Reverse Proxy
The proxy is the Web server to clients
Slide 2 - 1 1 : Reverse p r o x y
Unlike a forward proxy, w h i c h caches arbitrary content for clients, a reverse proxy serves specific
content on behalf of b a c k - e n d servers. Reverse proxies are n e t w o r k servers or appliances that
typically reside in the D M Z b e t w e e n Web applications a n d the Internet.
The reverse proxy is effectively a "trusted processor" for Web servers, acting as a m i d d l e m a n
b e t w e e n users a n d the Web applications they access. A reverse proxy protects Web servers from
direct Internet access a n d off-loads from t h e m c o m p u t a t i o n a l l y intensive processes to e n h a n c e
performance.
To the o u t s i d e w o r l d , the reverse proxy is the Web server. For example, in Slide 2-11, all requests
g o i n g to h t t p : / / w w w . s i t e . c o m (or the c o r r e s p o n d i n g IP address) are directed to the proxy, even
t h o u g h the actual content resides on the back-end server. W h e n content is requested, the proxy
either serves the content from its cache or obtains the content from a back-end Web server. If the
reverse proxy is accelerating several different Web servers, the proxy (or Layer 4 switch) m a i n t a i n s
Web-server m a p p i n g so that content can be obtained from the correct server.
18
Accelerating Web Content
Web Server
Slide 2 - 1 2: Accelerating Web c o n t e n t
As s h o w n in Slide 2-12, the reverse proxy sits outside the firewall a n d intercepts all traffic
i n t e n d e d for the Web server. It then serves the requested content from its cache or gets the content
from the back-end Web server a n d delivers it to the client (while caching it for s u b s e q u e n t
requests).
The Blue Coat SG appliances are built on p r o v e n proxy architecture with an optimized TCP stack
to serve large a m o u n t s of H T T P a n d HTTPS traffic v e r y quickly. This enables the Blue Coat SG to
accelerate all static a n d d y n a m i c content, efficiently off-loading TCP connections from Web
servers. Each appliance can service T C P connections an o r d e r of m a g n i t u d e faster than a Web
server r u n n i n g UNIX® or W i n d o w s ® NT. This is critical because some d y n a m i c content, s u c h as
CGI scripts a n d Active Server Pages, cannot be cached. To further accelerate Web content, the Blue
Coat SG incorporates two p a t e n t - p e n d i n g algorithms: Object Pipelining a n d A d a p t i v e Refresh.
Object Pipelining eliminates a large portion of the delay c a u s e d by the serial retrieval of objects.
Object Pipelining enables the Blue Coat SG to o p e n as m a n y s i m u l t a n e o u s TCP connections as the
Web application permits a n d retrieves objects in parallel. T h e objects are then delivered from the
appliance straight to the user's d e s k t o p as fast as the b r o w s e r can request them. As a result, Blue
Coat typically accelerates first-time Web p a g e retrievals by 50 percent.
The A d a p t i v e Refresh algorithm significantly speeds s u b s e q u e n t requests by removing the latency

involved in refreshing objects. Using A d a p t i v e Refresh, the Blue Coat SG automatically performs
"freshness checks" w i t h the Web application to selectively u p d a t e Web objects based u p o n their
need to be r e n e w e d . This refreshing activity occurs i n d e p e n d e n t l y of user requests a n d does not
i m p a c t response times.
19
Securing Corporate Content
Slide 2 - 1 3: Securing c o r p o r a t e c o n t e n t
T h e illustration a b o v e s h o w s h o w the Blue Coat SG securely isolates servers from direct Internet
access, this t i m e acting as an i n t e r m e d i a r y b e t w e e n c o r p o r a t e Web mail applications a n d the
external clients that a t t e m p t to access them. By front-ending the Outlook® server, y o u can:
• Force users to authenticate before they gain access to the O u t l o o k server.
• Scan u p l o a d e d content for viruses (when used w i t h Blue Coat AV).
A n d by configuring t h e proxy to allow requests to specific p a t h s on the Outlook server, y o u can

successfully defeat all attacks that a t t e m p t to gain access to other directories on the server.
T h e Blue Coat SG p r o v i d e s robust authentication a n d policy s u p p o r t a n d can either challenge
u s e r s for identification or t r a n s p a r e n t l y check authentication credentials using an organization's
existing security framework. For high-performance, low-latency virus scanning of all u p l o a d e d
content to Web mail servers, the Blue Coat SG integrates w i t h the Blue Coat AV a n d offers a choice
of leading antivirus engines. To protect privacy, the Blue Coat SG can encrypt Web mail sessions
u s i n g Secure Sockets Layer (SSL).
20
Mixed Deployment
In this slide y o u see h o w the s a m e organization can d e p l o y the Blue Coat SG differently in
separate locations as well as in the s a m e location. Organizations can combine a variety of
d e p l o y m e n t s in their different offices. Slide 2-14 s h o w s fives different d e p l o y m e n t s in a single
organization: four in satellite offices a n d one in the m a i n office.
1. Transparent proxy u s i n g a Layer 4 switch in a satellite office
2. Explicit proxy in a satellite office
3. Transparent proxy u s i n g W C C P in the main office

4. Bridging m o d e in a satellite office
5. Reverse proxy in a satellite office
There is no fit-all solution w h e n it comes to d e p l o y m e n t . You need to carefully consider each

solution a n d d e t e r m i n e w h i c h one fits y o u r environment, policy, a n d b u d g e t / p e r s o n n e l
constraints the best.
21
22
Chapter 3: Blue Coat SG Initial Setup
This section w a l k s y o u t h r o u g h the steps y o u need to complete w h e n setting up the Blue Coat SG
for the first time. Some of the concepts also a p p l y to reconfiguring an existing Blue Coat SG or one
that has been restored to factory-default settings.
After y o u complete this chapter, y o u will do a lab exercise that w a l k s y o u t h r o u g h the installation
a n d registration process for y o u r Blue Coat SG. The current chapter is a high-level o v e r v i e w of the
entire s e t u p process.
Blue Coat SG appliances s h i p w i t h a pre-defined static IP a d d r e s s that can be u s e d to access the

Initial Configuration page. U s i n g this page, y o u can fill o u t the initial configuration form a n d
s u b m i t it. The static IP a d d r e s s e s is: h t t p s : / / p r o x y s g . b l u e c o a t . c o m : 8 0 8 3 /
There are three types of licensable c o m p o n e n t s :

• Required: The SGOS base
• Included: A d d i t i o n a l features p r o v i d e d by Blue Coat
• Optional: If applicable, a n y additional purchased features
W h e n the license key file is created, it consists of all three c o m p o n e n t s . The SGOS base is a
required c o m p o n e n t of the license key file.
23
Initial Setup Access
• Serial Console
- Easy and reliable
• LCD/Keypad
- A built-in interface for proxy configuration (most models)
• TCP/IP
- Access reserved site https://proxysq.bluecoat.com:8083
- Blue Coat SG200-X in bridging mode only
Slide 3 - 1 : Access m e t h o d s
Before beginning the installation, configuration, a n d licensing process, m a k e s u r e that y o u have:
• Created a W e b P o w e r login a n d p a s s w o r d . You n e e d to contact Blue Coat Systems to obtain

these.
Assigned a static IP a d d r e s s for the Blue Coat SG.
• Gathered the netmask, default router, a n d default D N S information for the location w h e r e y o u
w a n t to install Blue Coat SG.
Optionally y o u m i g h t n e e d o n e of the following:

• A c o m p u t e r w i t h a 9-pin serial p o r t
• A terminal server w i t h a port assigned to the n e w Blue Coat SG
The Blue Coat SG, d e p e n d i n g on the actual m o d e l a n d OS version, allows y o u to use different
m e t h o d s for initial configuration.
The easiest w a y to connect to a b r a n d - n e w Blue Coat SG (or to a Blue Coat SG w i t h an u n k n o w n

configuration) is to u s e a serial console. From the serial console, y o u can configure the n e t w o r k
p a r a m e t e r s a n d the a d m i n i s t r a t o r a n d enable p a s s w o r d s .
If y o u do not h a v e a serial connection, Blue Coat SG 400 a n d higher m o d e l s allow y o u to configure

the f u n d a m e n t a l n e t w o r k p a r a m e t e r s (including the admin password) via an LCD display. For
simplicity, y o u can set the IP address, connect the Blue Coat SG to the network, a n d then use an
SSH client to connect to the C o m m a n d Line Interface (CLI) to complete the configuration.
For the Blue Coat SG200-X, y o u can u s e y o u r b r o w s e r for the initial configuration, even before the
appliance has an IP a d d r e s s associated w i t h it.
24
Serial Access Setup
• Initial Setup Console Wizard

- Network Interface Setup (Required)
- Admin Account Setup (Required)
- Restrict Access Setup (Optional)
- Forwarding Setup (Advanced Only / Optional)
• Press the Esc key to exit the Wizard without

saving any changes
Slide 3 - 2 : Using serial connection
W h e n y o u connect to a Blue Coat SG for the first time, the system forces y o u to enter the
a p p r o p r i a t e n e t w o r k p a r a m e t e r s . If the s y s t e m is already configured, y o u can o p t to re-run the
initial setup. You will do this in the lab exercise that follows this chapter.
D u r i n g configuration, y o u h a v e the option to set a p a s s w o r d to protect serial access. While this

m a y s e e m like a useful security feature, it can backfire. If the serial console p a s s w o r d is lost, it
cannot be retrieved — a n d y o u will h a v e to send the Blue Coat SG back to Blue Coat to be restored
to the original factory settings. To avoid this, y o u s h o u l d control the serial access by physically
securing access to the Blue Coat SG.
Telnet, SSH, a n d M a n a g e m e n t Console access can be restricted to a selected list (or range) of IP
addresses. There are no risks associated w i t h this p r o c e d u r e because y o u can always u s e the serial
access to reconfigure those settings via the CLI.
Note: You s h o u l d not set a p a s s w o r d to protect the serial access. Losing the p a s s w o r d m a y
force y o u to R M A y o u r Blue Coat SG.
25
Password Levels
Create Administrator Account

- Username and password are both case-sensitive
- Both can be set to any alphanumeric value
Two login levels

- Basic Access
- Enable Access
Slide 3 - 3 : Levels of access to the CLI
T h e Blue Coat CLI offers two sets of c o m m a n d s , a limited set for basic access a n d a more extensive
set for a d v a n c e d configuration. T h e basic access c o m m a n d s are available as soon as y o u log in
w i t h the a p p r o p r i a t e u s e r n a m e a n d p a s s w o r d . The extensive set of c o m m a n d s is available in the
e n a b l e m o d e . You need a separate p a s s w o r d to enter enable m o d e .
T h e r e c o m m e n d e d best practice is to:
H a v e y o u r a d m i n account set to s o m e t h i n g other than admin
Use a s t r o n g p a s s w o r d for the a d m i n account
• Use a different a n d stronger p a s s w o r d for the enable m o d e
Note: A user w i t h enable m o d e access can completely alter the Blue Coat SG configuration
a n d can c h a n g e virtually a n y policy that has been i m p l e m e n t e d .
26
Features Requiring Licensing
SGOS License Optional Add-on Licenses

• Required • SSL
• Includes: • Content Filtering
- SGOS - Blue Coat WebFilter
- HTTP, FTP, SOCKS - SmartFilter
- ICAP - Others
- Compression • Instant Messaging
- Optional but free
- Premium Streaming
Slide 3 - 4 : License m o d u l e s
The Blue Coat SG, w h e n o p e r a t i n g in trial m o d e , allows y o u to use any of the available features.
However, once y o u license the separate c o m p o n e n t s , those that are not licensed cease to function
— even if y o u are still in y o u r initial, 60-day trial period.
For example, s u p p o s e that y o u are in the trial p e r i o d a n d are using a content-filtering license to
block certain types of Web content. If after a w e e k in trial m o d e , y o u decide to license y o u r Blue
Coat SG but do not license the content-filtering c o m p o n e n t , the content-filtering feature will not
w o r k — even if y o u , in theory, still have seven w e e k s to go in the trial period.
27
Licensing Installation Overview
• Log in to WebPower
* Register Blue Coat SG Serial Number

- Add licenses to your Blue Coat SG
® Retrieve the license key
Slide 3 - 5 : Licensing Blue Coat SG
To license Blue Coat SG a n d a n y separate c o m p o n e n t s , y o u n e e d to do the following:
1. Open the M a n a g e m e n t Console a n d select Maintenance > Licensing.
2. Select the Install tab.

3. Click the Register/Manage button. A b r o w s e r w i n d o w o p e n s to the Blue Coat License
Configuration a n d M a n a g e m e n t System. N o t e that y o u m u s t h a v e a valid W e b P o w e r account
to proceed.
4. Log in u s i n g y o u r W e b P o w e r User ID a n d P a s s w o r d .
5. Register y o u r h a r d w a r e a n d a d d the licenses for the c o m p o n e n t s y o u h a v e p u r c h a s e d .
6. On the M a n a g e m e n t Console Install tab, click Retrieve.
28
Chapter 4: Blue Coat SG Graphical User Interface
You u s e the c o m m a n d line interface (CLI) to perform the initial configuration of y o u r Blue Coat
SG. You also can u s e CLI to perform a n y task on y o u r appliance; however, most users take
a d v a n t a g e of t h e Blue Coat SG's graphical user interface (GUI) to perform m o s t configuration,
m a n a g e m e n t , a n d m o n i t o r i n g tasks.
The key c o m p o n e n t of the Blue Coat SG GUI is the M a n a g e m e n t Console, w h i c h y o u access

securely (over HTTPS) on a n y client w i t h a Web browser. It includes tabs, links, buttons, w i n d o w s ,
a n d other graphical, easy-to-use features.
To access t h e M a n a g e m e n t Console, t y p e t h e following into a Web b r o w s e r ' s a d d r e s s w i n d o w :

HTTPS, the Blue Coat SG IP address, a n d p o r t 8082 (the default m a n a g e m e n t port). For example, if
the IP a d d r e s s configured d u r i n g first-time installation is 172.16.90.41, enter the following URL in
the Web browser: https://172.16.90.41:8082
After y o u enter the a d d r e s s , the b r o w s e r asks y o u for a u s e r n a m e a n d p a s s w o r d . Enter the ones

y o u established d u r i n g initial configuration, a n d the b r o w s e r displays the Blue Coat SG h o m e
page. For security, y o u a l w a y s m u s t log on to the Blue Coat SG w i t h y o u r u s e r n a m e a n d
1
p a s s w o r d . F r o m the h o m e page, y o u can access the M a n a g e m e n t Console.
The M a n a g e m e n t C o n s o l e is organized into three functional areas represented by tabs:
• Configuration tab: U s e d to set up the Blue Coat SG a n d to create objects a n d p a r a m e t e r s u s e d to

create policies.
• Maintenance tab: U s e d to keep the Blue Coat SG up to date. You can license c o m p o n e n t s ,
archive t h e configuration, a n d u p g r a d e or d o w n g r a d e SGOS.
• Statistics tab: U s e d to m o n i t o r the status a n d the health of Blue Coat SG.
This chapter i n t r o d u c e s the elements of the M a n a g e m e n t Console, including the Visual Policy
M a n a g e r (VPM), w h i c h p r o v i d e s an easy w a y to create sophisticated policies w i t h o u t having to
use C o n t e n t Policy L a n g u a g e (CPL). The rest of the course is b a s e d on the u s e of graphical tools.
Note: If, w h e n y o u access the M a n a g e m e n t Console h o m e page, you get a "host mismatch"
or an "invalid certificate" message, y o u need to recreate the security certificate u s e d
by t h e HTTPS-Console.
1 .From t h e Blue Coat SG h o m e page, you also can view i n f o r m a t i o n f o r c o n f i g u r i n g y o u r

browser, see an HTML v e r s i o n of the Configuration and Management Guide, and access the Blue
Coat S u p p o r t Web site. T h e h o m e page also displays the m o d e l , serial n u m b e r , and IP address of
your appliance and the v e r s i o n of the SGOS it is r u n n i n g .
29
Management Console - Configuration
• Starting point for most tasks with Blue Coat SG
• Select options in left navigation bar
• Use options to change configurations
• Use options to create objects and parameters

used to create policy
Slide 4 - 1 : M a n a g e m e n t Console — C o n f i g u r a t i o n tab
T h e M a n a g e m e n t Console's Configuration tab is the starting point for most of the tasks that y o u
p e r f o r m on the Blue Coat SG. You access this tab to c h a n g e the appliance's configuration a n d
create objects a n d p a r a m e t e r s that y o u u s e in creating policies.
Click an o p t i o n in the left navigation bar, a n d the b r o w s e r displays the a p p r o p r i a t e interface,

w h i c h y o u use to configure a w i d e range of settings:
• General: Configuring the n a m e a n d serial n u m b e r of the Blue Coat SG, configuring s y s t e m

time, a n d archiving configurations.
Network: Configuring a d a p t e r s a n d interface settings, software a n d h a r d w a r e bridges,

g a t e w a y s , routing tables, D o m a i n N a m e Services (DNS) servers.
• Services: Configuring the m a n y proxy services available on the Blue Coat SG, including
C o m m o n Internet File System (CIFS), FTP, HTTP, HTTPS, instant m e s s a g i n g (IM), MAPI, SSL,
SOCKS, streaming, a n d TCP-Tunnel.
Application Delivery Network: Configuring Blue Coat SG appliances a n d byte caching to i m p r o v e

application traffic over the W A N .
External Services: Installing an ICAP server or creating a WebSense® off-box service.
Health Checks: Configuring health checks on (and thus the availability of) a forwarding host or
external server that is p r o v i d i n g a service.
• Authentication: Defining authentication realms, including Integrated W i n d o w s Authentication

(IWA), LDAP, or RADIUS realms; setting up forms-based authentication.
• Bandwidth Management: Controlling the a m o u n t of b a n d w i d t h u s e d by different classes of

n e t w o r k traffic; setting priority for b a n d w i d t h a m o n g different classes.
• Policy: Setting the default proxy policy to d e n y or allow traffic, v i e w i n g a n d installing policy
files, accessing the V P M to create n e w policy.
Content Filtering: Configuring the Blue Coat SG to use Blue Coat WebFilter (BCWF) or a
t h i r d - p a r t y application to block access to certain Web sites based on their content.
• Forwarding: Setting up forwarding, a l l o w i n g y o u to define the hosts a n d g r o u p s of hosts to

w h i c h client requests can be redirected.
30
• SSL: Creating keyrings, i m p o r t i n g a n d creating certificates, checking the validity of

certificates, creating an SSL client.
Access Logging: Enabling the logging of traffic t h r o u g h the Blue Coat SG, configuring access
log settings, selecting an access log u p l o a d client, setting an u p l o a d schedule.
31
Management Console - Maintenance
• Starting point for variety of maintenance tasks
• Restart appliance, restore defaults, clear caches
• Upgrade SGOS, license new features
• Configure health monitoring, use diagnostic tools
Slide 4 - 2 : M a n a g e m e n t Console — Maintenance t a b
T h e M a n a g e m e n t Console's M a i n t e n a n c e tab allows y o u to perform m a n y different m a i n t e n a n c e

tasks, including:
• Restarting the Blue Coat SG, restoring the s y s t e m to its default settings, clearing the DNS,
object, a n d byte caches.
• U p g r a d i n g or d o w n g r a d i n g the SGOS: You can d o w n l o a d an u p g r a d e t h r o u g h the Internet

a n d install it. You also can d o w n l o a d it to y o u r PC a n d install it from there.
• Viewing the status of y o u r software licenses a n d licensing n e w features y o u have p u r c h a s e d .

Setting up event logging: specifying the types of s y s t e m events logged, the size of the event
log, a n d w h e t h e r the appliance s e n d s an e-mail notification if a certain event is logged.
Enabling Simple N e t w o r k M a n a g e m e n t Protocol (SNMP), w h i c h allows y o u to m o n i t o r the

Blue Coat SG.
Configuring the Blue Coat SG's h e a l t h - m o n i t o r i n g features, s u c h as setting w a r n i n g s for

system p e r f o r m a n c e a n d license expiration.
• Using diagnostic tools to enable Blue Coat S u p p o r t to assist y o u in troubleshooting y o u r

system.
32
Management Console - Statistics
• Allows you to view statistics graphically
• Statistics include
- System usage
- HTTP/FTP, CIFS, MAPI, and byte-caching history
- Resources
- Efficiency
9
Take disks offline, put them online
Slide 4 - 3 : Management Console — Statistics tab
The Statistics tab enables y o u to g a t h e r information about system operations a n d view t h e m

graphically. The t y p e s of statistics y o u can v i e w include:
System u s a g e
• H T T P / F T P , CIFS, MAPI, a n d byte-caching history

• IM a n d s t r e a m i n g m e d i a history
• Resources
Efficiency
• Bandwidth management
In addition, the General option on the Statistics tab provides information about system
configuration a n d the status of h a r d w a r e sensors a n d allows y o u to take disks offline a n d offline.
33
Visual Policy Manager - Policy Layers
Slide 4 - 4 : VPM — layers
Policies enable y o u a p p l y y o u r organization's rules t h r o u g h the Blue Coat SG. For example, y o u
can d e n y u s e r s access to . m p e g files d u r i n g business h o u r s or p r e v e n t t h e m from ever accessing
g a m i n g o r p o r n o g r a p h y sites.
The Visual Policy M a n a g e r (VPM) is a graphical policy editor included w i t h the Blue Coat SG. It
translates y o u r c o m m a n d s into CPL so y o u do not need in-depth k n o w l e d g e of the language to
create policies. You do not n e e d to edit policy files manually. You l a u n c h the V P M from the
M a n a g e m e n t Console.
In the VPM, policies are g r o u p e d into layers that use triggers a n d actions to apply rules. A n y
c o m b i n a t i o n of triggers a n d actions can be c o m b i n e d to control e m p l o y e e s ' use of n e t w o r k
resources.
Before discussing the V P M in m o r e detail, it is necessary to discuss s o m e basic terminology:
• Policy. A policy is the aggregation of all variables that define a practical business rule. For
example, an organization's administrative access policy defines w h o is allowed to access the
V P M a n d h o w those users will be authenticated.
• Layer. A layer is a g r o u p of rules p e r t a i n i n g to the s a m e family of policy. For example, the

A d m i n Access Layer m a y contain a list of users allowed to access the VPM while the Web
Access Layer defines w h a t sites clients can access. Each layer has its o w n tab in the GUI.
Rule: A rule is a set of variables that define a m e t h o d or action. This concept can also be
defined as a list of triggers a n d p r o p e r t y settings. Rules define " w h o , what, w h e n , where, a n d
how."
Policies often d e p e n d on a combination of these different layers. The combined layers w o r k

together to p e r f o r m a certain task. For example, Authentication a n d Access layers usually
a c c o m p a n y each other; an A u t h e n t i c a t i o n layer d e t e r m i n e s if a u s e r or client m u s t authenticate,
a n d an Access layer s u b s e q u e n t l y d e t e r m i n e s w h e r e that user or client can go (what Blue Coat SG
or Web sites t h e y can access) once they are authenticated.
34
The order of policy layers is of critical importance. T h e Blue Coat SG evaluates policy layers in the
o r d e r in w h i c h t h e y are listed in the V P M (from left to right). W h e n the Blue Coat SG goes t h r o u g h
policy layers, it d o e s not execute a given rule w i t h i n the layer immediately. Instead, it compiles a
list of all the rules that meet the condition; w h e n it has gone t h r o u g h all the policy layers, it
evaluates the list, resolves any a p p a r e n t conflicts, a n d then executes the required actions. If there is
a conflict b e t w e e n rules in different policy layers, the m a t c h i n g rule in the policy layer evaluated
iasr takes precedence.
35
VPM Policy Layers
• Admin Authentication • SSL Access
* Admin Access • Web Authentication

e
DNS Access • Web Access
* SOCKS Authentication • Web Content
• SSL Intercept • Forwarding
Slide 4 - 5 : Types of VPM layers
The following list describes the V P M layers:

Administration Authentication: D e t e r m i n e s h o w administrators accessing the Blue Coat SG m u s t
authenticate.
• Administration Access: D e t e r m i n e s w h o can access the Blue Coat SG to perform administrative

tasks.
• DNS Access: D e t e r m i n e s h o w the Blue Coat SG processes D N S requests.
SOCKS Authentication: D e t e r m i n e s the m e t h o d of authentication for accessing the proxy

t h r o u g h SOCKS.
SSL Intercept: D e t e r m i n e s w h e t h e r to t u n n e l or intercept HTTPS traffic.
• SSL Access: D e t e r m i n e s the a l l o w / d e n y actions for HTTPS traffic.
• Web Authentication: D e t e r m i n e s w h e t h e r u s e r clients that access the proxy or the Web m u s t

authenticate.
• Web Access: Determines w h a t resources user clients accessing the proxy or the Web can access
a n d a n y restrictions that apply.
Web Content: Determines caching behavior, such as verification a n d ICAP redirection.
• Forwarding: D e t e r m i n e s forwarding hosts a n d m e t h o d s .
36
Visual Policy Manager - Rules
Slide 4 - 6 : Properties of rules in the VPM
A rule is an action within a policy layer. A policy layer can contain multiple rules. Each rule is
n u m b e r e d a n d listed in a separate row. The Blue Coat SG evaluates the rules in the order in w h i c h
they are listed in a policy layer (from top to bottom). If multiple rules exist within a policy layer,
the Blue Coat SG finds the first one that matches a given situation, ignores the remaining rules, a n d
goes on to the next policy layer. This is particularly true for the Web Access Layer. Therefore, rule
order is i m p o r t a n t .
Consider the following s i m p l e example. A s s u m e that a c o m p a n y has a policy that prohibits

e v e r y o n e from accessing the Web. This is a policy that is easy to create w i t h a Web Access Layer
rule.
However, there are likely to be exceptions to such a broad policy. For example, y o u require the
m a n a g e r of the p u r c h a s i n g d e p a r t m e n t to be able to access the Web sites of suppliers. M e m b e r s of
the sales d e p a r t m e n t need to access their customer Web sites. Creating Web Access rules for both
these situations is also simple. But if y o u p u t all these rules in a single policy layer, then the rule
prohibiting access to e v e r y o n e m u s t be ordered last, or the other t w o rules are not applied.
Remember, w h e n the Blue Coat SG finds a m a t c h i n g rule, it m o v e s to the next layer w i t h o u t
evaluating the r e m a i n i n g rules.
As the Blue Coat SG scans the layers, it records the first m a t c h i n g rule in each layer. If a conflict
arises, the Blue Coat SG applies the rule evaluated last. Therefore, the most effective rule is the
first m a t c h i n g rule in the last layer, because policies are evaluated from left to right a n d rules are
processed from top to bottom.
37
Visual Policy Manager
Layer Processing Order
Slide 4 - 7 : VPM processing o r d e r
As y o u can see in the illustration above, layers are processed from left to right a n d rules are
processed from top to bottom. W h e n e v a l u a t i n g rules, Blue Coat SG finds the first matching rule
a n d m o v e s on to the next layer. Rules in the last layer always take precedence because they are
e v a l u a t e d last.
C o n s i d e r a s i m p l e example. XYZ C o m p a n y w a n t s to block the publications g r o u p from accessing

the playboy.com Web site. To accomplish this, the administrator creates a n e w Web Authentication
L a y e r a n d a d d s a n e w Force A u t h e n t i c a t i o n Object for the pubs (NTLM) realm (previously created
in the M a n a g e m e n t Console), as s h o w n in the illustration below.
Figure 4 - 1 : Forcing the publications group to authenticate using the existing NTLM realm
38
The figure below s h o w s the finished Web Authentication Layer.
Figure 4-2: Web Authentication Layer rule
Next, the a d m i n i s t r a t o r creates a n e w Web Access Layer a n d a d d s a n e w Destination H o s t / P o r t

rule for the destination playboy.com as s h o w n in the illustration below.
Figure 4-3: Adding the Destination Host/Port object.
The finished Web Access Layer is s h o w n in the illustration below.
Figure 4-4: Finished Web Access Layer
The result of the a d m i n i s t r a t o r ' s actions is as follows:
• M e m b e r s of the publications g r o u p m u s t authenticate using their N T L M realm credentials.

• M e m b e r s of the publications g r o u p are blocked from accessing playboy.com.
The g e n e r a t e d CPL for these actions is:
define condition HostPortl
url.host.exact="www.playboy.com" url.port=8 0
end condition HostPortl
;; Tab: [Web Authentication Layer (1)]
<Proxy>
authenticate (pubs) authenticate . force (yes) authenticate .mode (auto) ,- Rule

1
;; Tab: [Web Access Layer (1)]

<Proxy>
condition= HostPortl Deny; Rule 1
39
H o w e v e r , consider w h a t h a p p e n s w h e n the a d m i n i s t r a t o r a d d s a n e w Web Access rule as s h o w n

in t h e illustration below:
Figure 4-5: Adding a new Web Access rule
S u p p o s e that a m e m b e r of the p u b s realm again a t t e m p t s to access www.playboy.com. As

d i s c u s s e d earlier, layers are e v a l u a t e d from left to right a n d rules are evaluated from top to
b o t t o m . In this example, the Web A u t h e n t i c a t i o n Layer is e v a l u a t e d first, forcing the user to
a u t h e n t i c a t e . After the user has a u t h e n t i c a t e d , the Web Access Layer is evaluated. The first rule
states that a u t h e n t i c a t e d users can access a n y content served over port 80. Since this rule m a t c h e s
the u s e r request (authenticated u s e r a t t e m p t i n g to access w w w . p l a y b o y . c o m over port 80), the user
is a l l o w e d to access the site, e v e n if the original intention w a s to use the second rule to block
access. The concept that y o u m u s t r e m e m b e r is:
Layers are evaluated From left to right and rules are evaluated from top to bottom. When multiple rules exist
within a policy layer, the Blue Coat SG finds the first one that matches a given situation, ignores the
remaining rules, and goes on to the next policy layer.
So r e m e m b e r to order y o u r layers a n d rules accordingly.
40
Chapter 5: Services
Chapter 5: Services
The Blue Coat SG's M a n a g e m e n t Console includes a Services feature that enables y o u to easily
configure w h i c h traffic needs to be processed or ignored. Services define the ports for w h i c h the
Blue Coat SG listens for requests. Each service can be applied to all IP addresses of the Blue Coat
SG or limited to individual IP a d d r e s s e s . A variety of attributes can be defined for each service.
The Blue Coat SG ships w i t h a n u m b e r of predefined services. You can create additional services
as n e e d e d . Unless there is a service, set to yes, w h i c h matches the destination TCP port a n d the IP
a d d r e s s r a n g e for an incoming transaction, the connection will not be terminated by the proxy.
D e p e n d i n g on the specific d e p l o y m e n t m o d e , traffic that is not terminated may be d r o p p e d or
f o r w a r d e d to the next available h o p b u t not processed against the existing policies.
The Blue Coat SG ships w i t h a n u m b e r of console services d e s i g n e d to m a n a g e the system a n d

c o m m u n i c a t i o n w i t h the system:
• HTTPS Console: The HTTPS Console provides secure access to the M a n a g e m e n t Console
t h r o u g h the HTTPS protocol. You can create multiple m a n a g e m e n t HTTPS consoles, allowing
y o u to s i m u l t a n e o u s l y access the M a n a g e m e n t Console u s i n g a n y IP address belonging to the
box as well as any of the Blue Coat SG's virtual IP (VIP) addresses. The default is HTTPS over
p o r t 8082. The Blue Coat SG s h i p s w i t h an HTTPS Console already created a n d enabled. You
do not n e e d to create other HTTPS Consoles unless y o u n e e d t h e m for other purposes.
• H T T P Console : The H T T P Console is m e a n t to allow y o u to access the Blue Coat SG if y o u

require a less secure e n v i r o n m e n t . The default HTTP Console is already configured; y o u m u s t
enable it before it can be used. You can create a n d use m o r e than one HTTP Console as long
the IP a d d r e s s and the port do not m a t c h the existing HTTP Console settings.
• SSH Console: The SSH Console is created a n d enabled by default. Only one SSH Console can
exist on the Blue Coat SG. If y o u inadvertently deleted the S S H v l a n d SSHv2 host keys from
the s y s t e m at the s a m e time, y o u automatically disabled the SSH Console a n d must enable the
SSH Console after y o u create a host key. This console allows y o u access to the Blue Coat SG
t h r o u g h the CLI with y o u r SSH service.
• Telnet Console: The Telnet Console allows y o u to connect to a n d m a n a g e the Blue Coat SG
u s i n g the Telnet protocol. R e m e m b e r that Telnet is an insecure protocol that s h o u l d not be
u s e d in insecure conditions. By default, only SSH is created a n d enabled. Blue Coat Systems
r e c o m m e n d s against using Telnet because of the security hole it creates.
41
Service Ports
Slide 5 - 1 : Service Ports
T h e M a n a g e m e n t Console m a k e s it easy for y o u to configure services on y o u r Blue Coat SG. T h e

Blue Coat SG ships w i t h a n u m b e r of predefined consoles d e s i g n e d to m a n a g e the s y s t e m a n d
c o m m u n i c a t i o n w i t h the system. A d d i t i o n a l service can be a d d e d as w h e n needed.
T h e Service Ports feature allows the Blue Coat SG to c o m m u n i c a t e w i t h other systems (clients,
servers, other proxies etc). Service p o r t defines the ports a n d a d d r e s s e s w h e r e the Blue Coat SG
listens for i n c o m i n g requests. Each service is associated w i t h a proxy t y p e . A variety of attributes
can be defined , d e p e n d i n g on the proxy type.
T h e s e services run on the Blue Coat SG, a n d include M a n a g e m e n t Consoles a n d Application

Proxies.
M a n a g e m e n t Consoles
These consoles are d e s i g n e d to allow y o u access to the Blue Coat SG. Some of the consoles are
created a n d enabled by default on the Blue Coat SG. The HTTPS a n d SSH consoles are created
a n d enabled by default, w h e r e a s the HTTP a n d Telnet consoles are created but disabled by
default because of security concerns.
Application Proxies
The v a r i o u s Application proxies available on the Blue Coat SG are Instant m e s s e n g e r (IM),
SOCKS, FTP, MMS, RTSP, H T T P a n d HTTPS. These services are disabled by default a n d are
configurable on the Blue Coat SG.
42
Chapter 5: Services
Service Port Action
Slide 5 - 2 : Service p o r t actions
If a listener detects traffic , the service port actions define w h e t h e r that traffic is intercepted or
ignored. An action can be performed only if the traffic matches the proxy listener. There are t w o
possible actions: yes a n d no.
• Yes: Tells the proxy service to intercept a n d proxy a n y traffic that matches the proxy listener. If
policies exist for the proxy service they will be enforced.
• No: Tells the proxy service to ignore any traffic that matches the proxy listener. Policies w o u l d
not be enforced on the traffic.
The Blue Coat SG ships w i t h a n u m b e r of predefined proxy services. By default, the action for each
service is set to no. The table on the next p a g e lists the proxy services a n d listeners which ship w i t h
Blue Coat SG.
Important: Blue Coat SG matches the services from the most specific to the least specific.
The Default service is m a t c h e d only if a more specific service is not available.
43
Table 5.1 : Proxy Port Services
Service Name Default Port Status

AOL-IM 5190(transparent a n d explicit) No
DNS 53(both t r a n s p a r e n t a n d explicit) No
EPMapper 135(both t r a n s p a r e n t a n d explicit) No
FTP 21 (transparent a n d explicit) No
HTTP 80(transparent a n d explicit)and 8080(explicit only) Yes
HTTP-Console 8081 No
HTTPS No
HTTPS-Console 8082 Yes
MMS 1755(transparent a n d explicit) No
1863(transparent a n d explicit) a n d 6891 (transparent
MSN-IM a n d explicit) No
RTSP 554(transparent a n d explicit) No
SOCKS 1080 No
SSH-Console 22 Yes
Telnet Shell proxy 23 No
44
Chapter 5: Services
Service Port Action
Slide 5 - 3 : Service port actions-ignored traffic
Slide 18-3 discusses the client connection status w h e n the Blue Coat SG service is set to No a n d the
traffic is ignored.
1. U n d e r an explicit proxy set-up , the connection is refused. T h e service then determines if the
Blue Coat SG is set-up in a b r i d g i n g m o d e .
2. W h e n the Blue Coat SG is in b r i d g i n g m o d e a n d the service is set to yes, the traffic is

f o r w a r d e d a n d the Blue Coat SG doesnot terminate the client connection. If the service is set to
no, verify if the Blue Coat SG is in router m o d e set-up.
3. U n d e r a router m o d e set-up, the client default g a t e w a y is set to the IP address of the

proxy.Verify if IP f o r w a d i n g is enabled u n d e r the Blue Coat SG. If it is enabled, the Blue Coat
SG will not t e r m i n a t e the client connection a n d will forward the traffic. If the IP f o r w a r d i n g is
disabled, the client connection is refused.
4. If the Blue Coat SG is not in default router m o d e , then the client connection is refused .
45
Proxy Service Attributes
• Attributes define the default parameters for the

proxy service
- Only apply when action is set to Yes
• Attributes vary for different proxy types

- Dependent on protocol
Slide 5 - 1 : Service A t t r i b u t e s
T h e service attributes define the default p a r a m e t e r s for a p r o x y service. It is i m p o r t a n t to

u n d e r s t a n d service attributes because they affect h o w the proxy service will process traffic.
A t t r i b u t e s vary based on the p r o x y t y p e the service is using. For example, SSL version attributes
are available only for HTTPS Reverse Proxy.
Described below are the v a r i o u s attributes on the Blue Coat SG, d e p e n d i n g on the protocol, not all
attributes are available:
• Explicit
Enables or disables explicit attribute for the port. Explicit allows connections to a Blue Coat SG
IP address.if DNS redirection is u s e d to direct traffic to the Blue Coat SG, the explicit flag on its
services m u s t be enabled, as these connections are r o u t e d t h r o u g h DNS to the Blue Coat SGs
IP address.
• Transparent
Enables or disables t r a n s p a r e n t proxy attribute for port. This allows connections to a n y IP
a d d r e s s other than those b e l o n g i n g to the Blue Coat SG.
Authenticate- 401
All transparent a n d explicit requests received on the p o r t a l w a y s use transparent

authentication (cookie or IP, d e p e n d i n g on the configuration). This is especially useful to force
t r a n s p a r e n t proxy authentication in s o m e proxy-chaining scenarios.
46
Chapter 5: Services
• S e n d Client IP
Enables or disables s e n d i n g of client's IP a d d r e s s instead of the Blue Coat SG's IP address.
47
48
Chapter 6: Hypertext Transfer Protocol
T h e idea of hypertext w a s first i n t r o d u c e d by Tim Berners-Lee at CERN in Geneva, Switzerland.

The i m p e t u s b e h i n d his idea w a s the need for a better w a y of organizing long a n d complex
d o c u m e n t s . The HTTP protocol is the application-layer protocol used to deliver Web-based
content. The current version of H T T P (HTTP 1.1) is described in RFC 2616. The original version
(HTTP 1.0) is described in RFC 1945.
Generally, RFCs do a great j o b of explaining the i n t e n d e d p u r p o s e of the technology. RFC 1945 is

no exception: "The H y p e r t e x t Transfer Protocol (HTTP) is an application-level protocol w i t h the
lightness a n d speed necessary for distributed, collaborative, h y p e r m e d i a information systems."
The m o s t i m p o r t a n t part of the preceding p a r a g r a p h is that HTTP is a Layer 7 protocol, indicating

that it is completely i n d e p e n d e n t from the u n d e r l y i n g n e t w o r k architecture.
Before going into more detail a b o u t the HTTP protocol, it is important that y o u become familiar
w i t h key concepts of H T T P a n d its architecture.
Uniform Resource Identifier (URI) a n d Uniform Resource Locator (URL): These indicate the resource
on w h i c h a m e t h o d is to be a p p l i e d . Messages are p a s s e d in a format similar to that used by
Internet Mail a n d the M u l t i p u r p o s e Internet Mail Extensions (MIME).
Connection: A transport-layer virtual circuit established between t w o application p r o g r a m s for the

p u r p o s e of c o m m u n i c a t i o n .
Message: The basic unit of H T T P communication, consisting of a structured sequence of octets

m a t c h i n g the syntax later on a n d transmitted via the connection.
Request. A message containing an H T T P request.
Response: A message containing the response to an H T T P request.
Resource: A n e t w o r k d a t a object or service w h i c h can be identified by a URI. This s h o u l d not be

confused w i t h the concept of a physical machine or w i t h server (daemon) software.
Client: A software application that s e n d s requests to a server (see below) over an established
connection.
Server. A software application that accepts connections from a client, process the requests it
receives, a n d s e n d s back responses.
Proxy. A software application (even so-called appliances run a software application of s o m e sort),
w h i c h acts as both a server a n d a client. The application poses as a server for the initial client a n d
acts as a client for the remote server. In fact, a proxy m a k e s requests on behalf of other clients; this
is w h y it is considered b o t h a client a n d a server. Client requests are serviced internally or are
p a s s e d to another server. A proxy can also translation-modify the request it receives from the
client a n d send it to the server or to other servers. Proxies can also be used as "helper applications
for h a n d l i n g requests via protocols not i m p l e m e n t e d by the user agent."
Gateway. A g a t e w a y is a server t h a t acts as an i n t e r m e d i a r y for another server. Unlike a proxy, a

g a t e w a y receives requests as if it w e r e the origin server for the requested resource; the requesting
client m a y not be a w a r e that it is c o m m u n i c a t i n g w i t h a gateway. Gateways are often used as
server-side portals t h r o u g h n e t w o r k firewalls a n d as protocol translators for access to resources
stored on non-HTTP systems.
Tunnel: A tunnel is an i n t e r m e d i a r y p r o g r a m which acts as a blind relay between t w o connections.

Once active, a t u n n e l is not considered a party to the H T T P communication, t h o u g h the tunnel
m a y h a v e been initiated by an H T T P request. The t u n n e l ceases to exist w h e n both e n d s of the
relayed connection are closed. Tunnels are used w h e n a portal is necessary a n d the intermediary
cannot, or s h o u l d not, interpret the relayed c o m m u n i c a t i o n .
49
Cache: A cache is a p r o g r a m ' s local store of response messages a n d the s u b s y s t e m that controls
m e s s a g e storage, retrieval, a n d deletion. A cache stores cacheable responses to r e d u c e response
time a n d n e t w o r k b a n d w i d t h c o n s u m p t i o n for future requests for the s a m e content. A n y client or
server m a y include a cache (though a cache cannot be u s e d by a server while it is acting as a
tunnel). A n y given p r o g r a m m a y be capable of being b o t h a client a n d a server; o u r use of these
t e r m s refers only to the role p e r f o r m e d by the p r o g r a m for a particular connection, rather than to
the p r o g r a m ' s capabilities in general. Likewise, any server m a y act as an origin server, proxy,
gateway, or t u n n e l — c h a n g i n g behavior to a d d r e s s the n e e d s of each request.
Note: Portions of the following content are from RFC 1945 C o p y r i g h t (C) The Internet
Society (1996) a n d RFC 2616 C o p y r i g h t (C) The Internet Society (1999). All Rights
Reserved.
50
HTTP Protocol
• Definition
- "Application-level protocol with the lightness and
speed necessary for distributed, collaborative,
hypermedia information systems"
• Different versions available

- HTTP/0.9
- HTTP/1.0 described in RFC 1945 (May 1996)
- HTTP/1.1 described in RFC 2616 (June 1999)
Slide 6 - 1 : History of HTTP
H T T P is probably one of the most c o m m o n l y u s e d protocols. It w a s first described in 1996, a n d its

latest u p d a t e w a s in 1999. You s h o u l d consider the protocol's longevity as a reflection of its
scalability and reliability. A l t h o u g h HTTP w a s d e s i g n e d to deliver Web content a n d
hyperlink-based text, it is n o w used to carry m a n y different types of content.
1
Several client-server applications use HTTP as a c o m m u n i c a t i o n protocol. M I M E encoding
enables H T T P to transfer binary files. You can u p l o a d a n d d o w n l o a d files of any kind. Today, most
Web d o w n l o a d s are not d o n e w i t h FTP, but w i t h H T T P directly from a Web browser.
This chapter is d e s i g n e d to be a brief introduction to the HTTP protocol.
1 .MIME is used to " t r a n s f o r m " binary files into ASCII files
51
HTTP Protocol
• The client always initiates the connection

• The server cannot initiate a connection
Slide 6 - 2 : The HTTP r e q u e s t / r e s p o n s e flow
An H T T P transaction is a l w a y s initiated by the client. The client s e n d s a request to the server. The
server processes the request a n d returns a response. Responses w i t h o u t a previous request are
ignored; in essence the client rejects all unsolicited traffic.
W h e n the server n e e d s to s e n d m o r e information t h a n requested by the client, it m u s t send

instructions a b o u t that information to the client. It is up to the client to decide if those requests
s h o u l d be initiated or not. For example, w h e n a client d o w n l o a d s a Web page, the server returns
the requested p a g e (object), w h i c h includes instructions for d o w n l o a d i n g objects (links). After
processing the response, the client m a y or m a y not issue n e w requests for the objects listed in the
links.
52
HTTP URL
["http:""//" host_name [ port ] [ abs_path ["?" query ]]
• Host name is case-insensitive

- Even for UNIX-based Web servers
• Default port is 80
Slide 6 - 3 : HTTP URL
Most TCP-based protocols h a v e w e l l - k n o w n ports assigned to them. In theory, y o u s h o u l d specify

the TCP port every time y o u are m a k i n g a connection to a remote host — unless the protocol used
has a pre-defined, w e l l - k n o w n port assigned to it. The default TCP port for HTTP is 80. For
example, the t w o requests listed below are identical:
http://www.bluecoat.com:80
http://www.bluecoat.com
After specifying the h o s t n a m e , y o u can specify the resource y o u w a n t from the server (page,
image, files, etc.). You m u s t specify the full p a t h (as seen by the Web server) for that resource. For
example, the following URLs request t w o different resources on a Web site:
http://www.bluecoat.com/resources/training/index.html
http://www.bluecoat.com/images/BCS_leftnav_resources.jpg
In the request, y o u can also pass p a r a m e t e r s that a script (running on the Web server) can process
a n d use to return a specific p a g e based on y o u r previous selections:
2
http://www.bluecoat.com/test.cgi?parameter=value
Resources are s e p a r a t e d from the h o s t n a m e a n d from each other by the / character; parameters are
s e p a r a t e d from the script n a m e by the ? character a n d from each other by the & character.
Special characters in the URL are represented by their hexadecimal ASCII code, preceded by the
s y m b o l %. For example:
h t t p : / / w w w . b l u e c o a t . c o m / t h i s is a s a m p l e . h t m l is an invalid URL
h t t p : / / w w w . b l u e c o a t . c o m / t h i s % 2 0 i s % 2 0 a % 2 0 s a m p l e . h t m l is a valid URL
2 . N o t an actual URL on the Blue Coat Web site.
53
HTTP Message
• Two types of messages

- Request
- Response
Two parts of the message

- Headers
- Data
Slide 6 - 4 : HTTP message
You h a v e seen on p r e v i o u s pages h o w an H T T P transaction is a sequence of requests a n d

s u b s e q u e n t responses b e t w e e n a client a n d a server.
Both the request a n d the response are logically d i v i d e d in t w o sections. The initial part contains
information relevant to the connection b e t w e e n the client a n d the server. The s e c o n d part contains
the actual data.
T h e client a n d sever m u s t agree on a series of p a r a m e t e r a n d protocol specifications before a n y

d a t a can be sent. For example, the server r e s p o n s e m i g h t differ for clients using H T T P / 1 . 0 than for
those u s i n g H T T P / 1 . 1 . A range of character e n c o d i n g s can be offered, b u t the client a n d server
m u s t agree on w h i c h to use. These details are "discussed" in the h e a d e r section.
Once the client a n d server h a v e agreed on all relevant c o m m u n i c a t i o n p a r a m e t e r s , d a t a delivery

begins.
Note: The Blue Coat SG allows y o u to h a v e g r a n u l a r control over request a n d response

headers, t h u s controlling the c o m m u n i c a t i o n p a r a m e t e r s b e t w e e n client a n d server.
54
Request Methods
• GET
- Retrieves whatever information (in the form of an
entity) is identified by the URL
- Changes to a conditional GET if the request message
includes an If-Modified-Since or similar header
• HEAD
- Identical to GET except that the server MUST NOT
return a message-body in the response
Slide 6 - 5 : The GET and HEAD request m e t h o d s
The GET request m e t h o d instructs the server to retrieve the information identified by the request
URL. GET is u s e d to ask for a specific d o c u m e n t — w h e n y o u click on a hyperlink, GET is used.
For example:
GET /sampletext.html HTTP/1.1
If the URL refers to a process, such as c o m m o n g a t e w a y interface (CGI), the processed data is
r e t u r n e d in the r e s p o n s e a n d not the source text of the process.
The GET m e t h o d can be conditional, if the request message includes an If-Modified-Since,

If-Unmodified-Since, If-Match, If-None-Match, or If-Range h e a d e r field. W h a t this m e a n s is that
the requesting agent has indicated that the content s h o u l d be returned only if it meets the specified
condition. The conditional GET m e t h o d is i n t e n d e d to optimize the delivery of cached data by
r e d u c i n g the n u m b e r of unnecessary connections to the Web server.
Responses to a GET request are cacheable, if a n d only if the request meets the requirements for
H T T P caching described in Section 13 of the RFC.
The H E A D request m e t h o d is identical to the GET m e t h o d except that H E A D returns only the
m e s s a g e h e a d e r s a n d not the message body. H E A D can be used to obtain metainformation about
the entity, for e x a m p l e the validity a n d accessibility of hypertext links.
The response to a H E A D request can be u s e d to u p d a t e previously cached data from that resource.
For example, if the h e a d e r s indicate that the cached d a t a has been modified, then the proxy m u s t
treat its cached d a t a as stale.
55
Request Methods
• POST
- Designed to allow a uniform method to cover the
following functions:
• Posting a message to a bulletin board, newsgroup,
mailing list or similar group of articles
• Providing a block of data, such as the result of submitting
a form, to a data-handling process
• Extending a database through an append operation
• CONNECT
- Reserved for use with a proxy that can dynamically
switch to being a tunnel (e.g. SSL tunneling)
Slide 6 - 6 : The POST and CONNECT request m e t h o d s
The POST r e q u e s t m e t h o d is u s e d to send d a t a to the server to be processed in s o m e way. For

example, POST is u s e d to return the results of Web s h o p p i n g cart forms. POST requests are
different from GET requests in the following w a y s :
• A block of d a t a is i n c l u d e d in the message b o d y of the request.
The request URI refers to the p r o g r a m that will process the data instead of a resource to be
retrieved.
The r e s p o n s e is the p r o g r a m o u t p u t a n d not fixed content.
The most c o m m o n use of POST is to s u b m i t H T M L form data to CGI scripts. The CGI script
receives the m e s s a g e b o d y t h r o u g h STDIN, a n d decodes it.
You can u s e a POST request to s e n d w h a t e v e r d a t a y o u want, not j u s t form submissions. The only
stipulation is that the receiving p r o g r a m m u s t agree on the format.
The C O N N E C T request m e t h o d is u s e d to direct Web proxies that p r o v i d e SSL tunneling.

C O N N E C T signals the proxy to switch to a secure t u n n e l connection on TCP virtual port 443 to
s u p p o r t H T T P S connections t h r o u g h the proxy.
56
Response Codes
• Sample Success Code

- 200 OK
• Sample Client Error

- 404 Page Not Found
• Sample Server Error

- 500 Internal Server Error
Slide 6 - 7 : HTTP response codes
H T T P uses a set of r e s p o n s e codes to c o m m u n i c a t e messages from the server to the client. There
are five g r o u p s of response code:
lxx — U s e d for notifications

• 2xx — Used to indicate s o m e sort of successful request
• 3xx — Used to redirect the client from the requested URL to a n e w one
• 4xx — U s e d to notify the client an error on its part

5xx — U s e d to notify the client an error on the server p a r t
You s h o u l d interpret the term "error" cautiously. For example, authentication requests are
h a n d l e d u s i n g the 4xx messages. W h e n a client requests a password-protected resource, the server
replies w i t h a 401 error. While that is not an error per se, HTTP h a n d l e s it as such.
57
HTTP Protocol
Request Response
HTTP/1 .x 200 OK
GET/HTTP/1.1 Content-Type: text/html
Host: www.google.com Server: GWS/2.1
User-Agent: Firefox/1.0 Content-Length: 1121
Accept: text/xml
Date: Wed, 05 Jan 2005 22:09 GMT
Slide 6 - 8 : C l i e n t request and server response
In this slide y o u can see s o m e of the h e a d e r s that are being e x c h a n g e d b e t w e e n a client a n d a

server d u r i n g the first r o u n d of requests a n d responses.
The client issues a request specifying a m e t h o d , a resource, a n d the protocol version. The m e t h o d
is GET, w h i c h is the most c o m m o n l y u s e d one; it enables the client to retrieve the requested
resource from the server. The resource is /, w h i c h indicates the root of the Web server. Web servers
associate a default file n a m e w i t h the root of a directory (index.htm, default.htm, welcome.html,
etc.):
GET / HTTP/1 . i and
G E T /index.htm H T T P / 1 . 1
The p r e c e d i n g URLs return the s a m e data.
Note: This is only an example. Different servers use different default n a m e s .
The Host field ( m a n d a t o r y for HTTP/1.1) is u s e d w h e n there is one or m o r e virtual servers

associated w i t h the s a m e IP a d d r e s s .
The client also specifies that it is w a i t i n g for text or XML data.
The server replies w i t h a 200 OK message, indicating that the request is valid a n d has been
accepted. The response will be 1,121 bytes.
58
Cascaded HTTP Requests
• The intermediate device is both a client and

a server
• There can be any number of intermediate devices
Slide 6 - 9 : Cascaded HTTP requests
HTTP allows a request (and consequently, a response) to traverse any n u m b e r of HTTP-aware

devices. The most c o m m o n example is a proxy server. This device is a server for the client (on the
left h a n d side of the slide) a n d is a client for the server (on the right end side of the slide). In
general, the client m a k i n g the initial request is a w a r e that it is talking to the server t h r o u g h a proxy
server. However, the server is not capable, at least in general terms, of distinguishing the actual
client from a proxy server.
There is no predefined limit to the n u m b e r of proxy servers or similar devices that a request can
traverse. The client is usually aware, at the most, of the very first proxy in the chain. The proxy can
then forward the request directly to the origin content server (OCS) or to another proxy. The s a m e
concept applies to t h e other proxies in the chain.
59
GET Requests
GET http://www.bluecoat.com HTTP/1.1 GET /HTTP/1.1

HOST: www.bluecoat.com HOST: www.bluecoat.com
Slide 6 - 1 0 : GET requests
The GET request that a p r o x y - a w a r e client uses is v e r y characteristic. You can easily recognize
w h a t is s o m e t i m e s called a "via-proxy GET request" because the entire URL a p p e a r s in the GET
request.
The via-proxy GET request contains the entire URL, w h i c h is logical (especially if H T T P / 1 . 0 is
used) because there is no H o s t header. The destination IP a d d r e s s of the client request is the IP
a d d r e s s of the proxy. The proxy has to k n o w the location of the origin content server that the client
n e e d s the d a t a from. In general, in a direct Web request, the destination Web server is the
destination IP a d d r e s s for the client request, a n d not that of a n y intermediary.
In H T T P / 1 . 1 , in w h i c h the Host field s h o u l d be (according to the RFC) mandatory, the GET

request w i t h the full URL m a y s e e m r e d u n d a n t . However, all clients conform to this convention,
regardless of H T T P version used.
60
Chapter 7: HTTP Compression
HTTP compression is an a l g o r i t h m that reduces the size of a file w i t h o u t causing loss of data,
i m p r o v i n g n e t w o r k efficiency a n d performance.
You m a y or m a y not w a n t to use H T T P compression in y o u r n e t w o r k . M a k i n g the right choice

d e p e n d s on three factors:
Server-side b a n d w i d t h (between the Blue Coat SG a n d the origin content server [OCS])
Client-side b a n d w i d t h (between the Blue Coat SG a n d the internal clients)

• Blue Coat SG C P U
If server-side b a n d w i d t h is m o r e expensive in y o u r e n v i r o n m e n t t h a n CPU, y o u m a y w a n t to

request c o m p r e s s e d content from the OCS. However, if CPU is m o r e valuable, y o u m a y prefer to
configure the Blue Coat SG to ask the OCS for the s a m e compression that the client s u p p o r t s a n d
to forward w h a t e v e r the server returns.
The Blue Coat SG can m a n a g e multiple v a r i a n t s of the s a m e objects in cache. A file can be stored in
gzip, deflate, or text format. The Blue Coat SG also can modify the c o m p r e s s e d content; for
instance, JavaScript® contained in a gzip file can be stripped out.
HTTP c o m p r e s s i o n is controlled by policy only. By default, H T T P compression is t u r n e d off. You

need to selectively t u r n on server-side or client-side compression (or both) t h r o u g h the Visual
Policy M a n a g e r (VPM).
Be a w a r e that the Blue Coat SG does not compress s o m e types of M u l t i p u r p o s e Internet Mail
Extensions (MIME) types, w h i c h usually refer to already compressed formats:
• audio/*
• video/*
• image/jpeg/gif/png/pjpeg
application/x-zip-compressed/x-compressed/x-gzip
• application/zip/gzip
• application/pdf
• N e t s c a p e ® 4.x b r o w s e r
By default, Internet Explorer does not request compressed content w h e n the Blue Coat SG is set in
explicit proxy m o d e .
Important: The Blue Coat SG compresses content only if the response is 200 OK.
61
HTTP Compression
• Allows compatible UA and OCS to exchange

compressed data
- Supported in HTTP/1.1
- Typically GZIP or deflate compression
• Blue Coat SG Support

- Compressed data can flow through the proxy
compressed
- Proxy can uncompress/compress data to execute
policies
Slide 7 - 1 : HTTP c o m p r e s s i o n basics
O n e of the features of H T T P / 1 . 1 is s u p p o r t for c o m p r e s s e d content. The m o s t c o m m o n l y u s e d

protocols are gzip a n d deflate. C o m p r e s s i o n is usually a p p l i e d only to file types, w h i c h do not
h a v e any built-in size o p t i m i z a t i o n . For instance, both j p g a n d .gif are already c o m p r e s s e d
formats; m o s t likely the OCS will not a t t e m p t to recompress these formats. H T M L a n d text in
general, are highly compressible file formats. Today's Web p a g e s are several kilobytes in size;
c o m p r e s s i o n can m a k e a difference.
T h e user agent (UA) lists the s u p p o r t e d c o m p r e s s i o n formats in the Accept-Encoding header; the
formats are listed in o r d e r of preference. Plain text is a l w a y s an implicitly a s s u m e d format. The
OCS s h o u l d choose the first format listed. If there are no c o m m o n compression protocols
s u p p o r t e d , the UA will r e t u r n plain text. The OCS declares the compression format that it chose in
the Content-Encoding header.
A p r o x y d o e s not need to u n d e r s t a n d t h e specific compression protocol that the UA a n d t h e OCS

negotiated. The proxy can s i m p l y pass the b o d y of the m e s s a g e as is. However, if the proxy is not
able to d e c o m p r e s s the HTTP m e s s a g e s that it receives, it c a n n o t a p p l y a n y modification to the
content.
62
HTTP Compression - Client Side
GET http://www.bluecoat.com/I HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflatejh
Proxy-Connection: Keep-Alive
Compression supported
GET http://www.bluecoat.com/
HTTP/1.0 J
Accept: */*
Accept-Language: en-us
Host: www.google.com
Proxy-Connection: Keep-Alive
Compression not supported
Slide 7 - 2 : C l i e n t - s i d e s u p p o r t
A UA accepts compresses content only if the following t w o events occur:

• T h e UA s u p p o r t s HTTP / 1 . 1 .
• T h e GET request contains a valid Accept-Encoding header.
Obviously, the Accept-Encoding h e a d e r is not even provisioned in H T T P / 1 . 0 ; an H T T P / 1 . 1 UA

does not h a v e to request c o m p r e s s e d content. You m a y see requests in w h i c h either the UA or the
proxy issues an H T T P / 1 . 1 GET request w i t h o u t the Accept-Encoding header.
At the t o p of the slide y o u see the packet c a p t u r e from a UA that s u p p o r t s compression; more
specifically, it s u p p o r t s gzip a n d deflate compressed content.
At the b o t t o m of the slide y o u see the packet capture from UA that does s u p p o r t H T T P / 1 . 1 ;
therefore, it does not s u p p o r t compression. N o t e the lack of the Accept-Encoding header.
63
HTTP Compression - Server Side
HTTP/1.1^200 OK
Date: THu, 27 Jul 2006 22:58:49 GMT
Server: Apache/2.2.3 (Unix)
Content-Type: text/html
Content-length: 14230
Compression not supported
Slide 7 - 3 : Server-side s u p p o r t
T h e OCS specifies the c o m p r e s s i o n protocol a p p l i e d to the b o d y of the response using the

Content-Encoding header. If this h e a d e r is not present, the content is a s s u m e d to be plain text.
You s h o u l d not confuse Content-Encoding a n d Content-Type; the latter refers to the type of d a t a
that a p p e a r s in the body. The Content-Type h e a d e r describes the MIME type of the data. A
s t a n d a r d Web p a g e has the MIME t y p e t e x t / h t m l . A n OCS c a n n o t r e t u r n compressed content
u n l e s s the client has sent a request that includes the Accept-Encoding header.
N o t e h o w b o t h responses from the server are H T T P / 1 . 1 responses. T h a t alone does not

automatically m e a n that the content will be served c o m p r e s s e d .
N o t all OCS s u p p o r t compression. Several Web sites deliver only u n c o m p r e s s e d data. W h e n

c o m p r e s s i o n is s u p p o r t e d , the m o s t c o m m o n protocol is gzip.
64
HTTP Compression - Blue Coat SG
Client-Side Compression
- Client does support compression
- Server does not support compression
Slide 7 - 4 : Client-side compression
This slide s h o w s a scenario in w h i c h the client s u p p o r t s compression; however, the OCS does not
serve c o m p r e s s e d content. You can configure the Blue Coat SG to:
1. Retrieve the u n c o m p r e s s e d content from the OCS.

2. C o m p r e s s the content u s i n g either gzip or deflate.
3. Serve the c o m p r e s s e d content to the UA.
This process is called client-side compression. In this scenario, y o u do not have any W A N
b a n d w i d t h benefit, but y o u h a v e L A N b a n d w i d t h benefits. Client side compression feature
d e t e r m i n e s is c o m p r e s s e d content can be served based on the UA HTTP request (presence or lack
of the Accept-Encoding header). If the UA requests protocols other than gzip a n d deflate, the SG
passes the request as-is to the OCS a n d does not perform any modification on the content
returned.
While this feature does not seem particularly interesting, y o u need a client-side compression
action in y o u r policy in order to enable server-side compression (discussed next in this chapter).
65
HTTP Compression - Blue Coat SG
Server-Side Compression
- Client does not support compression
- Server does support compression
Slide 7 - 5 : Server-side c o m p r e s s i o n
This slide s h o w s a scenario in w h i c h t h e client does not s u p p o r t compression; however, the OCS
d o e s h a v e the ability to deliver c o m p r e s s e d content. You can configure the Blue Coat SG to:
1. Retrieve the c o m p r e s s e d content from the OCS.
2. U n c o m p r e s s the content.
3. Serve the u n c o m p r e s s e d content to the UA.
This process is called server-side compression. In this scenario, y o u do not have any L A N
b a n d w i d t h benefit, but y o u h a v e W A N b a n d w i d t h benefits. This is a likely scenario in y o u r
organization. Several UAs, for o n e reason or another, m a y not s u p p o r t H T T P / 1 . 1 , or, if they do,
they do not s u p p o r t c o m p r e s s i o n algorithms. By enabling a server-side compression policy, y o u
can save precious W A N b a n d w i d t h . In order to i m p l e m e n t server-side compression, y o u also need
a client-side compression policy.
66
Object Variants
Blue Coat SG object store

(cache)
Slide 7 - 6 : Object variants
In p r e v i o u s versions of the SGOS, the H T T P proxy did not cache objects if the server sent
c o m p r e s s e d content. However, w i t h H T T P compression a n d v a r i a n t object s u p p o r t in n e w e r
versions of the SGOS (starting w i t h 4.1.1.1), objects are cached regardless of their encoding,
p r o v i d e d that all other conditions allow caching.
Variants are objects that are stored in the cache in various forms. The Blue Coat SG creates three
v a r i a n t types:
• uncompressed
g z i p compressed
• deflate c o m p r e s s e d
H o w e v e r , transformation-based variants are not cached.
H T T P compression i m p l e m e n t s variant object s u p p o r t in the cache engine using an object

v e r s i o n i n g scheme. A 64-bit n u m b e r is used to tag the base object a n d its variants.
Be a w a r e that the presence of multiple variant objects in the cache m a y affect the object-carrying
capacity of the disk.
67
Compression and Policies
Slide 7 - 7 : C o m p r e s s i o n a n d policies
You m a y w a n t to apply several policies to the content that a UA in y o u r organization receives. For
instance, y o u m a y w a n t r e m o v e active content (JavaScript, ActiveX®, Visual Basic® script, etc.)
from all sites except for s o m e on a special w h i t e list. If the p r o x y does not u n d e r s t a n d the
c o m p r e s s i o n protocol that is being applied to an HTTP response, it cannot d e t e r m i n e if active
c o n t e n t (or a n y other t y p e of content) is present in that response. You m a y have the best policies in
place b u t they will not a p p l y to the content.
T h e Blue Coat SG, starting w i t h SGOS 4.x, can automatically u n c o m p r e s s a response if there are
relevant policies that need to be a p p l i e d . If y o u do not h a v e a n y content-specific policy, then the
content is not u n c o m p r e s s e d ; it is s e r v e d as is, unless y o u h a v e other client-side compression
policies. If y o u h a v e content-specific policies, a n d the content is compressed, then the Blue Coat
SG can automatically — w i t h o u t the need for a n y special policy — do the following:
1. D e c o m p r e s s the OCS response.
2. A p p l y the content policy. (That is, r e m o v e JavaScript.)
3. C o m p r e s s the content a n d serve it.
Note: If a p a g e w a s received c o m p r e s s e d a n d a content policy applied, the p a g e will not be

cached in the c o m p r e s s e d format b u t in the u n c o m p r e s s e d format. This is a positive
feature because caching c o m p r e s s e d content, w h i c h is likely to be u n c o m p r e s s e d a n d
modified again, is a w a s t e of resources.
68
Chapter 8: Authentication Introduction
This section details w h a t k i n d of authentication challenges can be h a n d l e d by the Blue Coat SG

a n d for w h i c h use. In general, there are three m a i n reasons that users m a y be challenged for
authentication:
• They a t t e m p t to access the M a n a g e m e n t Console (or CLI).
• They a t t e m p t to access the Internet. (You can limit access t h r o u g h the Blue Coat SG to
a u t h o r i z e d users.)
They request a specific resource on the Internet (password protected p a g e or file).
The first t w o instances are controlled by the Blue Coat SG directly; you, as the administrator,
decide the authentication a n d security policies. The third authentication t y p e is i n d e p e n d e n t from
the Blue Coat SG; however, the p r o x y can h a n d l e the request a n d pass it to the user a n d back to the
origin content server (OCS) transparently.
There are a few steps that y o u can take in order to make access to the policy a n d configuration
m o r e secure. For instance, it is a g o o d idea to give selective read a n d write permission to modify
the policies on the Blue Coat SG, based on Active Directory® or LDAP g r o u p s .
It is also r e c o m m e n d e d that y o u authenticate users before y o u can grant t h e m access to the

Internet. This is a g o o d practice for both security a n d a u d i t i n g : You do not w a n t u n a u t h o r i z e d
devices on y o u r n e t w o r k to connect to the Internet, a n d y o u w a n t to keep an accurate log of w h o is
accessing which resource.
69
Authentication and Security Types
• Blue Coat SG Security

- Console Access
- Physical Access (front panel, serial port)
• Blue Coat SG Authentication

- Validate users before allowing access to protocols
• Remote resources authentication requests
Slide 8 - 1 : A u t h e n t i c a t i o n and security types
The Blue Coat SG h a n d l e s three t y p e s of security challenges. Two are controlled by the Blue Coat
SG itself, a n d one is d e t e r m i n e d by the security on the OCS.
• Blue Coat SG security refers to the ability to control or limit (read only, read a n d write) access
to the m a n a g e m e n t , configuration, a n d rules a d m i n i s t r a t i o n of the Blue Coat SG.
Blue Coat SG authentication refers to the option of challenging users to s u b m i t p r o p e r

credentials (username) before their requests are allowed to go t h r o u g h the proxy.
Remote resource authentication refers to the authentication challenges that a r e m o t e OCS can
issue to a u s e r agent (UA) before s e n d i n g the requested content. The Blue Coat SG does not
h a v e a n y control over this challenge; however, it can pass the challenge from the OCS to the
UA a n d the credentials from the UA to the OCS.
70
Blue Coat SG Security
• Limit access to the Blue Coat SG appliance

- Restrict access by IP address or IP ranges
- Password to secure Setup Console
- Require PIN to operate front panel
- Password protect serial access
• Role-based security
- Use realm-based authentication
- Granular permission selection
Slide 8 - 2 : Blue Coat SG security
You can control access to the Blue Coat SG in several w a y s . Of course, the most i m p o r t a n t security
aspect of any mission-critical server, like the Blue Coat SG, is physical security. You s h o u l d ensure
that only authorized p e r s o n n e l can physically reach the unit.
Once y o u have ensured that the Blue Coat SG is "safe" in the server room, y o u can i m p l e m e n t
m e a s u r e s to limit a d m i n i s t r a t i v e access only to a u t h o r i z e d users. You m a y w a n t to secure the front
panel w i t h a personal identification n u m b e r (PIN) to a v o i d accidental misconfiguration, w h i c h
can h a p p e n if s o m e o n e b u m p s against the unit. You can safely enable the following security
m e a s u r e s by taking these steps:
* Limit access to the M a n a g e m e n t Console and CLI only to a selected pool of IP addresses.
Create a secure enable-level p a s s w o r d .

To m a n a g e the Blue Coat SG, y o u can use the built-in a d m i n i s t r a t o r account or any of the Active
Directory or LDAP g r o u p s (or y o u can select individual users). If you choose to rely on an external
authentication realm, y o u can g r a n u l a r l y define read-only or read-and-write permissions on the
unit.
Important: If y o u decide to enable a p a s s w o r d for the serial console (not advisable), there is
no recovery option. If y o u lose the p a s s w o r d y o u need to RMA the unit!
71
Available Security Measures
SSH W i t h
Security Measures Serial Password SSH W i t h RSA Management
Available Console Authentication Authentication Console
Username and password

evaluated (console-level
credentials) /
Console Access List
evaluated
/ / S
CPL<Admin> Layer
evaluated /
Enable password required
to enter privileged mode / / S
CLI l i n e - v t y ti_neou t
command applies / / y
Management Console
Login/Logout
Slide 8 - 3 : Security m e a s u r e s
W h e n d e c i d i n g h o w to give other users read-only or read-write access to the Blue Coat SG,
s h a r i n g the basic console account settings is only o n e option. This page a n d the next s u m m a r i z e all
available options.
Console account — minimum security

T h e console account u s e r n a m e a n d p a s s w o r d are e v a l u a t e d w h e n the Blue Coat SG is accessed
from the M a n a g e m e n t Console t h r o u g h a b r o w s e r a n d from the CLI t h r o u g h SSH w i t h p a s s w o r d
authentication. The enable (privileged-mode) p a s s w o r d is evaluated w h e n the console account is
u s e d t h r o u g h SSH w i t h p a s s w o r d authentication a n d w h e n the CLI is accessed t h r o u g h the serial
console a n d t h r o u g h SSH w i t h RSA authentication. The simplest w a y to give access to others is to
s h a r e this basic console account information, but it is the least secure m e t h o d a n d is not
recommended.
To give read-only access to the CLI, do not give out the enable (privileged-mode) p a s s w o r d .
Console access control list — moderate security

U s i n g the access control list (ACL) allows y o u to further restrict use of the console account a n d
SSH w i t h RSA authentication to w o r k s t a t i o n s identified by their IP address a n d s u b n e t mask.
W h e n the A C L is enforced, the console account can only be u s e d by workstations defined in the
console ACL. Also, SSH w i t h RSA authentication connections are valid only from w o r k s t a t i o n s
specified in the console ACL (provided it is enabled).
After setting the console account u s e r n a m e , p a s s w o r d , a n d enable (privileged-mode) p a s s w o r d ,

u s e the CLI or the M a n a g e m e n t Console to create a console ACL.
72
Per-user RSA public key authentication — moderate security

Each a d m i n i s t r a t o r ' s public keys are stored on the appliance. W h e n connecting t h r o u g h SSH, the
a d m i n i s t r a t o r logs in w i t h no p a s s w o r d exchange. A u t h e n t i c a t i o n occurs by verifying k n o w l e d g e
of the c o r r e s p o n d i n g p r i v a t e key. This is secure because the p a s s w o r d s never go over the network.
This is a less flexible o p t i o n t h a n Blue Coat Content Policy L a n g u a g e (CPL) because y o u cannot
control the level of access w i t h policy, but it is a better choice than sharing the console credentials.
Blue Coat Content Policy Language — maximum security

CPL allows y o u to control administrative access to the Blue Coat SG t h r o u g h policy. If the
credentials s u p p l i e d are not the console account u s e r n a m e a n d password, policy is e v a l u a t e d
w h e n the Blue Coat SG is accessed t h r o u g h SSH w i t h p a s s w o r d authentication or the
M a n a g e m e n t Console. Policy is never evaluated on direct serial-console connections or SSH
connections u s i n g RSA authentication.
Using the CLI or the M a n a g e m e n t Console GUI, create an authentication realm to be used for
a u t h o r i z i n g a d m i n i s t r a t i v e access. For administrative access, the realm m u s t s u p p o r t BASIC
credentials — for e x a m p l e , LDAP, RADIUS, Local, or N T L M w i t h BASIC credentials enabled.
Using the Visual Policy M a n a g e r (VPM), or by a d d i n g CPL rules to the Local or Central policy
file, specify policy rules that: (1) require a d m i n i s t r a t o r s to log in using credentials from the
previously created a d m i n i s t r a t i v e realm, a n d (2) specify the conditions u n d e r w h i c h
administrators are either d e n i e d all access, given read-only access, or given read-write access.
A u t h o r i z a t i o n can be based on IP address, g r o u p m e m b e r s h i p , time of day, a n d m a n y other
conditions.
• To prevent a n y o n e from u s i n g the console credentials to m a n a g e the Blue Coat SG, set the
console ACL to d e n y all access (unless y o u plan to use SSH with RSA authentication). You can
also restrict access to a single IP a d d r e s s that can be u s e d as the emergency recovery
workstation.
The chart s h o w n in Slide 8-3 details the various w a y s administrators can access the Blue Coat SG
console a n d the authentication a n d authorization m e t h o d s that a p p l y to each.
73
Authentication
• Policies based on users and groups
• Granular Reporting
• Manage Exceptions
Slide 8-4: Reasons for authentication
Slide 8-4 details the main reasons w h y Blue Coat c u s t o m e r s enable authentication. M a n y
c o m p a n i e s base policy to allow or d e n y access to specific resources on the realm g r o u p s that they
h a v e set up (Active Directory, Novell, RADIUS, etc.)
Authentication is v e r y i m p o r t a n t in conjunction w i t h r e p o r t i n g as it allows y o u to generate reports

w h e r e y o u can see the user information (login name) rather t h a n just an IP a d d r e s s or host n a m e .
Explicit Proxy Authentication
• Proxy requires client to authenticate

- HTTP 407 Response "Proxy Authentication Required"
• Browser resends the request with user's

credentials
- Credentials are sent with every request
• Most browsers cache credentials as long as

the process is running
Slide 8 - 5 : Explicit proxy authentication
T h e authentication m e c h a n i s m i m p l e m e n t e d in the HTTP RFC for proxy-based connections is

pretty simple a n d straightforward.
W h e n the UA m a k e s its first request to the p r o x y the proxy returns an HTTP 407 response
message, asking the user to authenticate (407 Proxy Authentication Required). The browser
resends the s a m e request b u t this time it a d d s the authentication credentials. The information
(username a n d p a s s w o r d ) are, in general, passed in clear text u s i n g Base64 encoding. N T L M is the
m o s t notable exception (the message is still Base64-encoded); N T L M does not transmit the
p a s s w o r d over the n e t w o r k .
Once the UA is a w a r e that it is c o m m u n i c a t i n g w i t h a proxy that requires authentication, the UA

s e n d s the authentication information for each request, regardless of the URI requested.
Most b r o w s e r s cache the authentication information as long as the browser main process is
running; unless y o u t e r m i n a t e the application y o u s h o u l d not be p r o m p t e d again for u s e r n a m e
and password.
75
Explicit Proxy Authentication
Slide 8 - 6 : Explicit p r o x y a u t h e n t i c a t i o n
The 407 HTTP response code is u n i q u e l y defined to h a n d l e proxy authentication requests.

According to the RFC 2616, this message "indicates that the client m u s t first authenticate itself
w i t h the proxy. The proxy MUST return a Proxy-Authenticate h e a d e r field containing a
challenge applicable to the proxy for the r e q u e s t e d resource. The client MAY repeat the request
1
w i t h a suitable Proxy-Authorization h e a d e r field."
Once the authentication is successful, the UA keeps s e n d i n g the p r o p e r authentication credentials

w h e n requesting a URI to the proxy w i t h o u t p r o m p t i n g the user again.
Important: If the UA is not using explicit proxy it ignores a n y 407 requests.
1. From RFC 2 6 1 6 .
76
Authentication Options
Slide 8 - 7 : A u t h e n t i c a t i o n o p t i o n s
The Blue Coat SG allows y o u to control h o w users are authenticated. W h e n y o u create a rule in the
Web Authentication Layer, y o u can decide if the authentication s u p e r s e d e d a DENY statement or
not. You can also control w h e t h e r the user can enter double-byte language credentials.
Force Authenticate
Forces the u s e r to authenticate even t h o u g h the request is going to be d e n i e d for reasons that
do not d e p e n d on authentication. This action is useful to identify a user before the denial so
that the u s e r n a m e is logged along w i t h the denial.
• Authenticate
Creates an authentication object to verify users. An authentication realm m u s t exist on the
Blue Coat SG to be selected t h r o u g h VPM.
Authentication Charset
The V P M allows y o u enter non-ASCII text in m a n y objects, s u c h user a n d g r o u p n a m e s a n d

text for the Notify User object. This object allows y o u set the character set to use in conjunction
w i t h localized policy. From the d r o p - d o w n list, select a character set a n d click OK.
77
Remote Resources Authentication
Slide 8 - 8 : Remote resource a u t h e n t i c a t i o n
T h e response c o d e 401 notifies t h e UA that the "request requires u s e r authentication. The response
M U S T i n c l u d e a www-Authenticate h e a d e r field [...] containing a challenge applicable to the
r e q u e s t e d resource. T h e client MAY r e p e a t the request w i t h a suitable Authorization h e a d e r field
[...]. If the request a l r e a d y i n c l u d e d A u t h o r i z a t i o n credentials, then t h e 401 response indicates that
a u t h o r i z a t i o n has been refused for those credentials. If the 401 response contains the s a m e
challenge as t h e prior response, a n d the UA has already a t t e m p t e d authentication at least once,
t h e n the user S H O U L D be p r e s e n t e d the entity t h a t w a s given in the response, since that entity
2
m i g h t include relevant diagnostic i n f o r m a t i o n . "
You need to be a w a r e of the key difference b e t w e e n the w a y s the UA. behaves w h e n it receives a
407 message a n d w h e n it receives a 401 m e s s a g e .
Let's a s s u m e that y o u are accessing t w o Web sites, h t t p : / / w w w . c n n . c o m a n d

http://www.ferrari.it.
If y o u r UA receives a 407 after the initial request to the C N N Web site, it will automatically s e n d
the u s e r ' s credentials to the p r o x y w h e n r e q u e s t i n g the Ferrari Web site, w i t h o u t p r o m p t i n g the
u s e r again. If the UA receives a 401 after the initial request to the C N N Web site, it p r o m p t s the
u s e r for a u t h e n t i c a t i o n information ( u s e r n a m e a n d p a s s w o r d ) ; if the UA receives a 401 again
w h e n connecting to the Ferrari Web site, it will nor u s e the credential s u b m i t t e d by the user for the
C N N Web site. The UA p r o m p t s the user again, as it cannot a s s u m e that the 401 credential
requests are " p o r t a b l e " across different URIs.
2. From RFC 2 6 1 6 .
Chapter 9: Authentication Realms
A realm authenticates a n d authorizes users for access to Blue Coat® SG™ services u s i n g either
explicit proxy or t r a n s p a r e n t proxy m o d e . Multiple authentication realms can be u s e d on a single
Blue Coat SG. Multiple realms are essential if the enterprise is a m a n a g e d service p r o v i d e r or if the
c o m p a n y has m e r g e d w i t h or acquired a n o t h e r company. Even for companies u s i n g only one
protocol, multiple realms m i g h t be necessary. This w o u l d be the case for a c o m p a n y using an
L D A P server w i t h m u l t i p l e authentication b o u n d a r i e s . You can use realm s e q u e n c i n g to search
multiple realms at once.
A realm configuration includes:
• Realm n a m e
A u t h e n t i c a t i o n service: (IWA, LDAP, RADIUS, Local, Certificate, Sequences, eTrust®

SiteMinder®, Oracle® COREid, Policy Substitution)
• External server configuration: Backend server configuration information, s u c h as host, port,

a n d other relevant information based on the selected service
Authentication schema: The definition u s e d to authenticate users
• A u t h o r i z a t i o n schema: The definition u s e d to authorize users for m e m b e r s h i p in defined

g r o u p s a n d check for attributes that trigger evaluation against any defined policy rules
Note: One-time p a s s w o r d s are s u p p o r t e d for RADIUS realms only.
W h e n y o u h a v e configured all y o u r realms, y o u can view y o u r realms a n d m a n a g e the credentials

cache for a specific realm. Blue Coat SG can cache authentication credentials. You can specify the
length of time, in seconds, that user a n d a d m i n i s t r a t o r credentials are cached. Credentials can be
cached for up to 3,932,100 (3 million +) seconds. The default is 900 seconds (15 minutes). If you
specify 0 as the cache time, traffic is increased to the authentication server because each
authentication request generates an authentication a n d authorization request to the server.
To m a n a g e the credential cache t h r o u g h the M a n a g e m e n t Console:

1. Select Configuration > Authentication > Realms. The Realms page displays, w i t h all realms that
y o u h a v e created.
2. To p u r g e the credentials cache w h e n y o u m a k e policy changes, select Flush When Policy File
Changes. (This option is selected by default.)
• To flush the entire credentials cache immediately, click Flush a n d confirm.
o To flush only the entries for a particular realm in the credentials cache, select the realm
from the d r o p - d o w n list, click Flush realm a n d confirm.
All of these actions force users to be re-authenticated.
79
Authentication Realms
• IWA
- Windows NT Domains and Active Directory
• LDAP
- Active Directory and other LDAP Databases
• Sequence
- List of authentication realms to be processed
Slide 9 - 1 : Most c o m m o n l y used a u t h e n t i c a t i o n realms
Blue Coat SG s u p p o r t s a w i d e , a n d constantly g r o w i n g , n u m b e r of authentication realms. This

training focuses on s o m e of the m o s t c o m m o n l y u s e d realms: IWA, LDAP, a n d Sequence. While
y o u m a y use a different realm in y o u r organization, the f u n d a m e n t a l concepts of i m p l e m e n t i n g
authentication are virtually identical, regardless of the actual realm used. The only real difference
is the type of information n e e d e d to create t h e realm; y o u s h o u l d be able to collect the necessary
information.
You s h o u l d ask y o u r instructor to cover the details of the realm that y o u use in y o u r network, if
y o u r realm is not a m o n g the ones discussed here.
IWA Realm
• Basic Credentials
- Username and password are sent base64 encoded
- Least secure option
® NTLM Credentials
- Uses the Microsoft proprietary authentication
- Medium security option
• Kerberos Credentials
- Uses Microsoft implementation of M.l.T Kerberos v5
- Highly secure option
Slide 9 - 2 : IWA Realm
Integrated W i n d o w s Authentication (IWA) allows y o u to authenticate users against an Active

Directory® tree or an NT Domain. It s u p p o r t s three types of credentials, each detailed below. The
client receives the list of s u p p o r t e d credentials from the proxy. The client s h o u l d choose the most
secure c o m m o n set of credentials.
BASIC authentication
This m e t h o d is clearly described in the H T T P RFC, since the earliest version. Every User
A g e n t (UA) a n d every OCS on the Internet m u s t s u p p o r t at least basic credentials. The
u s e r n a m e a n d p a s s w o r d are e n c o d e d u s i n g Base64. Because Base64 is not encryption, the
u s e r n a m e a n d p a s s w o r d are available to a n y b o d y w h o can r u n a packet trace of the
c o m m u n i c a t i o n between the UA a n d the proxy. The credentials a p p e a r as
username: password in a Proxy-Authorization header. Every browser s h o u l d s u p p o r t basic
credentials.
• N T L M Authentication
N T L M is a Microsoft-proprietary protocol that authenticates users a n d c o m p u t e r s based on an

authentication challenge a n d response. The key idea b e h i n d N T L M is to authenticate users
w i t h o u t the p a s s w o r d ever being e x c h a n g e d between clients a n d the authentication server
(the d o m a i n controller or DC). N T L M is discussed in greater detail on the following pages.
Kerberos Authentication
This is the most secure a n d m o d e r n authentication m e t h o d . It uses a very secure exchange of

encrypted tickets, w h i c h allows client a n d server to m u t u a l l y authenticate each other.
Microsoft Internet Explorer is the only b r o w s e r currently s u p p o r t i n g this type of credentials.
81
NTLM Authentication
• Provides secure authentication

- Password is not transmitted over the network
• Supports single sign-on

- Requires compatible user agents
• Widely used
- Prevalence of Windows OS on desktops
Slide 9 - 3 : NTLM a u t h e n t i c a t i o n
N T L M , an a c r o n y m for NT L A N Manager, offers a m e d i u m d e g r e e of security because the actual

p a s s w o r d is never t r a n s m i t t e d over the n e t w o r k .
A n o t h e r benefit, s t e m m i n g from the close integration between Internet Explorer™ a n d the

W i n d o w s ® OS, is the ability of users to enjoy single sign-on. In essence, users w h o access the
Internet t h r o u g h a proxy server (that is compatible w i t h N T L M a n d requires authentication) do
not need to re-enter their u s e r n a m e a n d p a s s w o r d w h e n they o p e n the browser for the first time.
Internet Explorer s e n d s , automatically a n d in the b a c k g r o u n d , the u s e r ' s information w h e n it is
c h a l l e n g e d for authentication by a proxy server.
Recently, other b r o w s e r s — including Mozilla Firefox® — h a v e i m p l e m e n t e d s u p p o r t for single
sign-on a n d N T L M authentication. N o t e t h a t this is a b r o w s e r feature.
Because W i n d o w s is nearly u b i q u i t o u s on d e s k t o p c o m p u t e r s , N T L M is bar far the most

c o m m o n l y u s e d authentication m e t h o d .
Note: F o r m s authentication m o d e s cannot be used w i t h an N T L M realm that allows only

N T L M credentials, a Policy Substitution realm, or a Certificate realm. If a form m o d e
is in u s e a n d the authentication realm is any of them, y o u will receive a configuration
error.
82
NTLM Authentication
Slide 9 - 4 : NTLM a u t h e n t i c a t i o n
N T L M is a c h a l l e n g e / r e s p o n s e authentication mechanism. This approach, while requiring m o r e

transactions b e t w e e n the client a n d the authentication server, allows the client to be authenticated
w i t h o u t ever s e n d i n g the p a s s w o r d over the wire, either encrypted or in clear text.
W h e n a client w a n t s to authenticate, it s e n d s a Type 1 message to the d o m a i n controller. This

message contains s o m e information s u c h as the client host n a m e , the d o m a i n w h e r e it w a n t s to
authenticate, the N T L M version s u p p o r t e d , a n d other information.
The server replies w i t h a Type 2 message. This message, in essence, contains a string that the client
has to e n c r y p t u s i n g DES (Data Encryption Standard) encryption a n d the p a s s w o r d as the key.
After s e n d i n g the Type 2 message, the server calculates the DES encrypted version of the challenge
1
using the p a s s w o r d associated to the u s e r n a m e as the k e y .
The client c o m p u t e s the DES encryption of the challenge using the p a s s w o r d as the key a n d t h e n
s e n d s it to the server. This reply is k n o w n a n d Type 3 message. If the Type 3 message matches the
calculation d o n e by the server, because of the properties of DES encryption, the server k n o w s that
the client has k n o w l e d g e of the correctly p a s s w o r d . If there is a mismatch, the authentication fails.
1 .Details are i g n o r e d here as not relevant. NTLM p e r f o r m s DES e n c r y p t i o n a p p l y i n g three d i f -

ferent keys on the c h a l l e n g e , b u t a g a i n , the details are b e y o n d the scope of this class.
83
BCAAA
Slide 9 - 5 : Blue Coat Authentication and Authorization Agent
T h e Blue Coat SG r u n s a p r o p r i e t a r y o p e r a t i n g system called SGOS, w h i c h is designed to h a n d l e

secure p r o x y server tasks. It uses external software, the Blue Coat Authentication a n d
A u t h o r i z a t i o n A g e n t (BCAAA), to s u p p o r t a n y n u m b e r of authentication systems, o p e n - s y s t e m or
proprietary.
T h e Blue Coat SG can interface directly w i t h o p e n - s t a n d a r d databases s u c h as LDAP because the

details of the i m p l e m e n t a t i o n are k n o w n . Proprietary systems, s u c h as NTLM, conceal fine
2
protocol detail but provide an Application P r o g r a m m i n g Interface (API) to help third parties
d e v e l o p software that can interface w i t h the systems.
T h e Blue Coat SG uses BCAAA ( p r o n o u n c e d BECK-ah) as an elegant a n d efficient a p p r o a c h to

s u p p o r t i n g different authentication systems. BCAAA enables the Blue Coat SG to s u p p o r t a
g r o w i n g n u m b e r of databases, w h i c h currently include NTLM, Kerberos, SiteMinder, a n d
COREid.
In o r d e r for the Blue Coat SG to use BCAAA, it m u s t be run on a s y s t e m s u p p o r t e d by the s u p p l i e r

of the API for a given authentication d a t a b a s e . For example, if y o u w a n t to use N T L M
authentication, BCAAA m u s t r u n on a W i n d o w s system.
B C A A A is available for three different o p e r a t i n g systems:
• W i n d o w s 2000 a n d later ( s u p p o r t i n g all three realm types)
• W i n d o w s NT (for BCAAA versions earlier than 4.2)
Solaris ( s u p p o r t i n g SiteMinder realms)
2.API: A software package p r o v i d i n g a level of abstraction between the application and the k e r -
nel; it is d e s i g n e d to enable t h i r d - p a r t y software vendors to access a selected set of f u n c t i o n s .
84
NTLM Authentication over HTTP
Slide 9 - 6 : NTLM over HTTP
In o r d e r to authenticate users w i t h N T L M , y o u need to have BCAAA r u n n i n g on a W i n d o w s

m a c h i n e — either a d e s k t o p or server — that is a m e m b e r of the d o m a i n w h e r e y o u w a n t to
authenticate users. The BCAAA service authenticates users in all d o m a i n s trusted by the
c o m p u t e r on w h i c h it is r u n n i n g . A single installation of the BCAAA service can s u p p o r t multiple
Blue Coat SG appliances.
Let's follow the steps in the authentication process w h e n y o u use an N T L M realm:
1. The client m a k e s a request to the Blue Coat SG. The Blue Coat SG replies w i t h a 407 HTTP
response c o d e (explicit authentication mode), w h i c h p r o m p t s the user agent (UA) to resend
the request, this time including the authentication credentials. Blue Coat SG closes the
connection. N o t e that the Blue Coat SG explicitly defines the authentication required as
NTLM.
2. The client r e s e n d s the original request. This time, the UA includes the Type 1 message,
e n c o d e d u s i n g Base64. This is a s t a n d a r d technique used in H T T P to pass binary data b e t w e e n
entities. T h e Type 1 message is sent from the Blue Coat SG to the BCAAA over port 16101 (you
can customize the port over w h i c h Blue Coat SG a n d BCAAA communicate.) The BCAAA
decodes the message from the Base64 to its original format and, using W i n d o w s API, passes
the Type 1 m e s s a g e to the d o m a i n controller for authentication.
3. The d o m a i n controller r e s p o n d s to the BCAAA w i t h the Type 2 message. This message is

p a s s e d to the Blue Coat SG a n d to the client. After r e t u r n i n g the Type 2 message to the client,
the Blue Coat SG closes the connection.
4. The UA receives the Type 2 message, w h i c h contains the challenge, a n d calculates, using the
u s e r ' s p a s s w o r d , the Type 3 m e s s a g e for that challenge.
5. The client s e n d s the Type 3 m e s s a g e to the Blue Coat SG as a Base64-encoded string. The Blue
Coat SG passes the information to the BCAAA, w h i c h passes it to the d o m a i n controller for
the final validation. If the Type 3 m e s s a g e contains the correct encryption to the challenge, the
d o m a i n controller authenticates the u s e r a n d notifies the BCAAA, w h i c h passes the
information to the Blue Coat SG.
85
6. After a successful authentication, the Blue Coat SG returns a 200 HTTP response code to the
client. At this point, the connection b e t w e e n the Blue Coat SG a n d the UA is a u t h e n t i c a t e d a n d
the u s e r starts receiving the r e q u e s t e d data.
As y o u can see, w h i l e N T L M is m o r e secure t h a n other authentication m e t h o d s , (the p a s s w o r d is

n o t p a s s e d over the wire), there is a bit m o r e information being e x c h a n g e d between the u s e r agent
a n d the Blue Coat SG.
T h e following t w o bullet points describe the most c o m m o n , a n d easy to address, issues w i t h

BCAAA. The messages a p p e a r in the W i n d o w s Event Log.
If an a t t e m p t to start the B C A A A service is issued w h e n B C A A A is already started, the

following error message displays:
The requested service has already been started.
• If a n o t h e r application is u s i n g t h e s a m e port n u m b e r as the B C A A A service, the following

m e s s a g e s are displayed:
The BCAAA service could not be started.
A system error has occurred.
System error 10048 has occurred.
Only one usage of each socket address (protocol/network address/port) is
normally permitted.
Important: Slide 9-6 contains an intentional error. M a k e sure that y o u r instructor discusses
it. If he or she does not, ask w h e r e the error is on the slide. Can y o u find it?
86
LDAP Realm
• Lightweight Directory Access Protocol
• LDAP can contain a wide range of information

- Users, applications, devices, etc.
• LDAP realm supports Basic and Basic over SSL
Slide 9 - 8 : LDAP a u t h e n t i c a t i o n
The L i g h t w e i g h t Directory Access Protocol (LDAP) is a p o p u l a r protocol that enables y o u to find

users a n d resources on a n e t w o r k w i t h o u t k n o w i n g w h e r e they are located in the n e t w o r k
topography.
Blue Coat s u p p o r t s both LDAP v2 a n d L D A P v3, b u t r e c o m m e n d s LDAP v3 because it uses

Transport Layer Blue Coat SG (TLS) a n d SSL to p r o v i d e a secure connection between the Blue Coat
SG a n d the L D A P server. An L D A P directory, either version 2 or version 3, consists of a simple tree
hierarchy. An L D A P directory m i g h t s p a n multiple L D A P servers. In L D A P v3, servers can return
referrals to others servers back to the client, allowing the client to follow those referrals if desired.
The Blue Coat SG s u p p o r t s the use of external LDAP database servers to authenticate a n d
a u t h o r i z e users on a p e r - g r o u p or per-attribute basis. L D A P g r o u p - b a s e d authentication for the
Blue Coat SG can be configured to s u p p o r t a n y LDAP-compliant directory including:
• Microsoft Active Directory Server

• Novell N D S ® / e D i r e c t o r y ™ Server
• N e t s c a p e / S u n iPlanet™ Directory Server
T h e Blue Coat SG also provides the ability to search for a single user in a single root of an LDAP
directory information tree (DIT), a n d to search in multiple Base Distinguished N a m e s (DNs).
An L D A P realm s u p p o r t s BASIC authentication a n d BASIC authentication over SSL.
Important: You can configure an LDAP realm to use SSL w h e n c o m m u n i c a t i n g to the LDAP
server.
87
LDAP - Directory Information Tree
Slide 9 - 9 : LDAP - Tree s t r u c t u r e
L D A P is a l a n g u a g e or interface u s e d to q u e r y a compatible realm. You can search the information

in t h e realm. L D A P allows the realm d e s i g n e r to use a very flexible structure a n d i m p l e m e n t the
p a r a m e t e r s that are d e e m e d necessary for that realm. Basically there are very few set rules. Some
objects in the tree h a v e w e l l - k n o w n n a m e s , but y o u can a d d a n y attribute y o u w a n t a n d chose a n y
a l l o w e d n a m e . Some of the k n o w n object classes are:
• D o m a i n Context (DC): This indicates the root of y o u tree.
• C o u n t r y (C): You can create branches in y o u r L D A P tree to reflect the different countries
w h e r e y o u r c o m p a n y has representation.
• Organization Unit (OU): This is almost the equivalent of g r o u p s in an NT d o m a i n .
• Canonical N a m e (CN): This is h o w an object is identified in the tree.
• D i s t i n g u i s h e d N a m e (DN): This is the u n i q u e n a m e of the object in the tree.
88
LDAP - Distinguished Name
DN: UID=kelly.lee, OU=people, C=IT,

DC=BlueCoat
Additional objects for a DN

- CN: Kelly Lee
- GIVENNAME: Kelly
- TEL: +39-347-555-2200
Slide 9 - 1 0 : Distinguished name
L D A P allows m o r e t h a n one object class to have the s a m e value. This can h a p p e n u n d e r one or
t w o conditions:
• The objects are on different levels in the tree.

• The objects are on the s a m e level but are on different branches.
The full n a m e of an object, in this case a user, is identified by the full path from the object (leaf) to
the D o m a i n Context (root).
Important: Each DN m u s t be u n i a u e w i t h i n a tree.
89
Sequence Realm
• Credentials checked against multiple realms
• LDAP, Local, or IWA realm in sequence
• Ideal for mixed environments
Slide 9 - 1 1 : Sequencing overview
O r g a n i z a t i o n s m a y use m u l t i p l e authentication m e t h o d s t h r o u g h o u t their network. The Blue Coat

SG m a k e s it simple to search for a u s e r ' s credentials in m u l t i p l e authentication reams t h r o u g h a
m e t h o d called sequencing. The basics are simple:
You enable s e q u e n c i n g by establishing a sequence realm a n d a d d i n g different authentication

realms to it.
• A s e q u e n c e realm checks a u s e r ' s credentials against multiple realms, one after the other.
• You can place LDAP, Local, or IWA realms in a s e q u e n c e realm. However, y o u can h a v e only
one IWA realm in a s e q u e n c e .
• Sequence authentication is ideal for mixed e n v i r o n m e n t s . It is c o m m o n for organizations that

centralize operations or acquire other companies to h a v e multiple authentication m e t h o d s —
N T L M a n d LDAP, for e x a m p l e .
W h e n y o u h a v e multiple realms, it can be difficult to d e t e r m i n e w h e r e y o u s h o u l d authenticate

u s e r s . By establishing a s e q u e n c e realm on the Blue Coat SG, y o u can authenticate users against all
the different realms y o u h a v e p u t in the sequence. It does not m a t t e r if the Blue Coat SG is
d e p l o y e d in t r a n s p a r e n t m o d e or explicit m o d e .
Sequencing begins w h e n a client m a k e s an authentication request to the Blue Coat SG. The Blue
Coat SG then challenges the client for authentication. T h e client s u b m i t s credentials, w h i c h the
Blue Coat SG t h e n checks against the different realms in the sequence.
Sequence Authentication
Slide 9 - 1 2 : Sequence a u t h e n t i c a t i o n f l o w c h a r t
The basic principles of s e q u e n c e authentication are simple: The Blue Coat SG begins seeking
authentication from the first realm on its list a n d e n d s the process as soon as the credentials are
a u t h e n t i c a t e d . The flowchart in the slide above depicts the entire process.
1. The Blue Coat SG seeks to authenticate the u s e r ' s credentials w i t h Realm 1. If it finds a match,
the user is authenticated a n d the process e n d s .
2. If there is no match w i t h Realm 1, the Blue Coat SG seeks to authenticate the u s e r ' s credentials
w i t h Realm 2. If it finds a match, the user is authenticated a n d the process ends.
3. If there is no match w i t h Realm 2 or a n y of the other realms, authentication fails — or the

process begins again, if the u s e r ' s b r o w s e r allows m o r e t h a n one attempt. Browsers, to allow
for t y p i n g mistakes, generally allow users several a t t e m p t s to authenticate.
Note: Browsers count a cycle t h r o u g h all the realms in the sequence as a single attempt.
They do not c o u n t each q u e r y of individual realms as a single attempt.
4. If multiple attempts are allowed, the Blue Coat SG tries to authenticate the credentials again.
The process continues until the credentials are authenticated or the n u m b e r of attempts has
been exhausted a n d authentication is denied.
Setting up a sequence realm is simple, but y o u m u s t follow several i m p o r t a n t rules.
• M a k e certain that the realm exists before y o u a d d it to a sequence. You also cannot r e n a m e or
delete a realm as long as it is part of a sequence. If y o u m u s t r e n a m e or delete a realm, y o u
m u s t r e m o v e it from the s e q u e n c e first. You can then r e n a m e or delete it.
• M a k e sure that each realm that y o u plan to a d d to the s e q u e n c e is customized to y o u r needs.

M a k e sure that their current values are correct. (For IWA, m a k e sure that the Allow Basic
Credentials check box is set correctly.)
• P u t no more than one IWA realm in a sequence.
• If y o u h a v e an IWA realm in a sequence, it m u s t be either the first or last on the list. Make it the
first r e a m on the list if y o u w a n t to enable single sign-on.
91
• If y o u h a v e an IWA realm a n d it d o e s n o t s u p p o r t basic credentials, m a k e IWA the first on the

list a n d enable "Try IWA authentication once."
• You m a y p u t as m a n y BASIC realms as y o u w a n t in a sequence.
• You cannot place connection-based realms, such as Certificate, in a sequence.
• You cannot place a realm in a p a r t i c u l a r sequence m o r e t h a n once.
• You cannot nest sequence realms; that is, y o u cannot place a s e q u e n c e realm inside a n o t h e r
sequence realm.
Chapter 10: Policy Management
W h i l e there are m a n y p r o b l e m s associated w i t h using the Internet as a business tool, there are
several that generally cause the m o s t concern:
• Intellectual p r o p e r t y loss leading to decreased competitive a d v a n t a g e
• Malicious viruses
• Productivity loss c a u s e d by "illegitimate" Internet use
• Threats from hacking
• Legal problems c a u s e d by accessing u n s a v o r y or copyright material
A l t h o u g h m a n y organizations create Internet usage policies, they face challenges in configuring

s y s t e m s to enforce written corporate policies. Only a secure proxy with an object-handling
o p e r a t i n g system can offer the f r a m e w o r k needed to identify a n d enforce policies across an entire
enterprise w i t h line-speed performance.
The Blue Coat® SG™ Policy Processing Engine provides a comprehensive policy architecture that
s p a n s all users, content types, applications, a n d security services. This framework allows a
security a d m i n i s t r a t o r to control Web protocols a n d Web c o m m u n i c a t i o n s across the entire
enterprise.
Blue Coat policies p r o v i d e to the administrator.
• Fine-grained controls to m a n a g e behavior of the appliance

Multiple policy decisions a l l o w e d for each request
• Multiple actions triggered by a particular condition
• Configurable b a n d w i d t h limits
A u t h e n t i c a t i o n - a w a r e proxy device, including user a n d g r o u p configurations
Flexible user-defined conditions a n d actions
• C o n v e n i e n c e of predefined c o m m o n actions a n d h e a d e r transformations
• S u p p o r t for multiple authentication realms
• Configurable policy event logging
93
Company Policy Enforcement
• Create Acceptable Usage Policy (AUP)
• Create Web Authentication Layer(s)

- Monitor user by login name
• Create Web Access Layer(s)

- Implement AUP
Slide 1 0 - 1 : Setting up AUP e n f o r c e m e n t
The first step to controlling a n d m a n a g i n g Web a n d e-mail u s a g e is h a v i n g an Acceptable Usage

Policy. An A U P establishes w h a t is permissible w h e n u s i n g c o m p a n y resources to access the
Internet.
To enforce y o u r written AUP, y o u need a c o m p r e h e n s i v e a n d easy-to-use policy architecture. The
Blue Coat SG Policy Processing Engine allows y o u to control users, content types, applications,
1
a n d security services. U s i n g the Blue Coat SG C o n t e n t Policy L a n g u a g e (CPL) or Visual Policy
M a n a g e r (VPM), y o u can create targeted rules to meet y o u r organization's requirements.
The V P M enables y o u to establish policy rules that identify w h o is allowed to access content a n d
h o w they will authenticate. A collection of rules that a p p l y to the s a m e m e c h a n i s m is identified as
a layer. For example, the set of rules that define a d m i n i s t r a t o r access is contained in the A d m i n
Access Layer.
To create an overall Web access policy, y o u s h o u l d create rules in the following V P M layers:
Web Authentication Layer. This layer identifies w h i c h source a n d destination requests will be
e v a l u a t e d a n d d e t e r m i n e s w h i c h authentication realm will be u s e d for credential validation. For
example, y o u can create a rule that states that the Engineering g r o u p m u s t authenticate, a n d
specify the authentication m e t h o d to be used. However, to create such a rule, y o u m u s t first define
the a p p r o p r i a t e authentication realms in the Blue Coat SG M a n a g e m e n t Console — V P M realm
objects are retrieved from the Blue Coat SG.
Web Access Layer. This layer specifies w h i c h source, destination, service a n d time requests will be
e v a l u a t e d a n d d e t e r m i n e s the a u t h o r i z e d action for the request. For example, y o u can define the
allowable content for all E n g i n e e r i n g g r o u p m e m b e r s , or create specific rules for i n d i v i d u a l users.
1. N o t discussed in this class.
94
Policy Translation
'XYZ Inc. employees may not visit the BBC

Web site at any time."
Simple Language
Who Where How When What
XYZ Employees BBC On web At any time May not visit
Blue Coat Language

Source Destination Service Time Action
ANY bbcworld.com ANY ANY DENY
Slide 1 0 - 2 : Example of natural language translated i n t o policy rules
A l t h o u g h the concept of rules a n d layers m i g h t s o u n d confusing, Slide 10-2 s h o w s that policy

rules are s i m p l y a V P M translation of practical business rules. This translation enables the V P M to
e v a l u a t e a request to see if an action s h o u l d be triggered.
In this example, all e m p l o y e e s of XYZ C o m p a n y are prohibited from visiting the BBC World Web
site ( h t t p : / / w w w . b b c w o r l d . c o m ) at any time. W h e n the Blue Coat SG receives a request for the
BBC UK Web site, it evaluates the source first. Because the source is "any," it proceeds to evaluate
the destination. Because the destination does not m a t c h ( h t t p : / / w w w . b b c . c o . u k ) , the request is
allowed.
95
Policy Translation
"XYZ Inc. employees may not visit any

travel related Web site at any time."
Simple Language
X Y Z Employees Travel On web At any time May not visit
Blue Coat Language

ANY Travel ANY ANY DENY
In this example, all e m p l o y e e s of XYZ C o m p a n y are prohibited from visiting travel sites at any
t i m e . To block an entire category of Web sites (like travel sites), y o u m u s t d e p l o y s o m e t y p e of
content-filtering software, s u c h as Blue Coat WebFilter, Websense®, SmartFilter,® or
SurfControl®. Content filtering c o m p a n i e s m a i n t a i n d a t a b a s e s of Web site categories a n d
continually u p d a t e t h e m w i t h n e w sites.
96
Policy Translation
"The Engineering department may not visit any

gaming site during regular business hours."
Simple Language
Engineering Gaming On web M-F, 08-17 May not visit
Blue Coat Language

ENG Gaming ANY Mon-Fri, 8-17 DENY
In this example, all m e m b e r s of the Engineering d e p a r t m e n t are prohibited from visiting a n y

g a m i n g sites d u r i n g regular business h o u r s (08:00 to 17:00). To enforce this rule, y o u m u s t h a v e
Web Authentication rules that force authentication for the authorization realm that includes the
E N G g r o u p . The c o r r e s p o n d i n g Web Access rule is s h o w n in Slide 10-4.
97
XYZ Inc. Web Access Policy
Similar rules become a layer in the Web

Access Policy

1 ANY | "V\ BBC 1 1 ANY 1 1 ANY 1 1 DENY |
| ANY |
1 GTravel 1 1
1 ANY 1|.. , 1|Mon-Fri,
ANY 1 ;i : | DENY |
1 ENG 1 1 aming 1 ANY
Layer
8-171
1 DENY |
W e b Access Policy
Slide 1 0 - 5 : How rules f o r m policies
As Slide 10-5 illustrates, policy rules that a p p l y to the s a m e business rule can be g r o u p e d into a
layer. R e m e m b e r that rules are e v a l u a t e d from t o p to bottom; once a m a t c h i n g rule is found, all
s u b s e q u e n t rules are i g n o r e d .
Important: The m o s t effective rule is a l w a y s the first rule in the last layer.
In this example, the Web access policy goes from general to specific. All employees are prohibited
from accessing the BBC Web site a n d all travel-related Web sites. However, the Engineering g r o u p
has the a d d e d restriction of not being allowed to b r o w s e g a m i n g sites d u r i n g business h o u r s .
Users in other g r o u p s do not h a v e this restriction. N o t e that Blue Coat SG provides the flexibility
to create even m o r e specific rules, specifying actions for individual e m p l o y e e s or IP addresses.
98
VPM Objects
• Trigger Objects
- Source
- Destination
- Service
- Time
Action Objects
- Action
- Track
Slide 1 0 - 6 : VPM objects as they relate to policy t r a n s l a t i o n
The V P M evaluates rules based u p o n trigger a n d action objects. Trigger objects represent the
" w h o , w h e r e , how, a n d w h e n " of a rule, while Action objects represent the "what." For example, if
the Source field in a rule is set to ENG, a request from a n y user in that g r o u p triggers evaluation of
the Destination, Service, a n d Time fields.
If all triggers match, the V P M determines the action to a p p l y by evaluating the Action a n d Track
fields. The Action field n o r m a l l y allows or denies access or imposes a special condition (like
requiring authentication). The Track field logs the result of the rule (for example, logging the fact
that a user requested "illegal" content).
99
Default Policy
Deny
- Default option for Blue Coat SG
- All network traffic received by the proxy is blocked
Allow
- Network traffic is allowed through the proxy
- Other policies can deny selected traffic
Slide 1 0 - 7 : Default policies and t h e i r use
The default policy sets the p r o x y b e h a v i o r w h e n no other action is specified. The Blue Coat SG
default policy is Deny. A default policy of D e n y prohibits access to the Blue Coat SG: To allow
access, y o u m u s t create policies that explicitly grant access. A default policy of Allow permits any
a n d all access to the Blue Coat SG: To d e n y access, y o u m u s t create explicit d e n y policies.
Note: The default proxy policy does not a p p l y to a d m i n transactions. By default, a d m i n

transactions are a l w a y s d e n i e d unless y o u log in using console account credentials, or
if explicit read-only or read-write privileges policies exist.
100
Chapter 11: Content Filtering
Content filtering is a major functionality of the Blue Coat SG. There are t w o possible d e p l o y m e n t
options for content filtering:
• O n b o x content filter database
• Offbox database (available w i t h Websense® only)

For performance reasons, onbox is often the preferred choice; it m a k e s sense that processing
requests locally to the Blue Coat® SG™ is faster than o p e n i n g a n e t w o r k connection to an external
server. However, both configurations are fully s u p p o r t e d a n d customers use either one.
The content filter d a t a b a s e is merely a list of sites, pages, a n d IP addresses organized by category.
D e p e n d i n g on the vendor, a URL can belong only to one category or can belong to several
categories. W h a t e v e r the case, the role of the d a t a b a s e is to offer additional information to the Blue
Coat SG (and to the administrator) about the request that is being m a d e by a user.
The content filter d a t a b a s e does not block a n y site or a n y category by default. It is up to the
administrator, t h r o u g h CPL or the Visual Policy M a n a g e r (VPM), to build a set of rules to allow or
d e n y access to specific resources based on information obtained by the content filer.
N o n e of the m a n y s u p p o r t e d v e n d o r databases is available w h e n y o u first configure the Blue Coat
SG. You need to obtain a valid key for one of the v e n d o r s , d o w n l o a d the database, a n d then install
it. You m a y obtain a d e m o license for almost a n y of the v e n d o r s s u p p o r t e d .
In SGOS v4.1.1.1 or higher, y o u can test the Blue Coat WebFilter a n d a n o t h e r v e n d o r at the s a m e
time.
101
Content Filtering - Logical Flow
Slide 1 1 - 1 : Logical f l o w o f c o n t e n t f i l t e r i n g
The logical flow of a transaction via proxy, w h e n content filtering is enabled, is fairly simple:
1. The u s e r m a k e s a request.
2. The proxy extracts the URL from the request a n d s e n d s it to the content filter for
categorization.
3. The content filter r e t u r n s one or m o r e categories ( d e p e n d i n g on the vendor) for that URL.
4. The policy e n g i n e considers the u s e r ' s information, the t i m e of the day, the URL, a n d its
categorization, a n d based on the policies in place makes a decision to allow or d e n y the
request.
5. The u s e r receives the requested content or an exception page, d e p e n d i n g on the decision m a d e

by the policy engine.
Chapter 1 1 : Content Filtering
Categorization Techniques
Database Pros Dynamic Cat Pros

• Accuracy (100%) • Immediate coverage
• Response time • Any site
• Coverage (80/20 rule) • Scalability
Database Cons Dynamic Cat Cons

• Small number of site • Response time
• Update time • Accuracy (90%)
Slide 1 1 - 2 : C a t e g o r i z a t i o n techniques
There are t w o leading approaches to content filtering. One, u s e d by some earlier v e n d o r s ,

a t t e m p t s to p r o v i d e categorization of Web sites by looking for key w o r d s in the H T M L pages that
users request. This a p p r o a c h has t w o severe limitations: lack of scalability a n d lack of accuracy.
The other a p p r o a c h consists of assembling a t e a m of content researchers a n d posting a n e w
database of sites o r g a n i z e d by category. The n e w databases m a y be posted weekly, daily, or every
few h o u r s . The major limitation to this a p p r o a c h is the lack of flexibility a n d ability to a d a p t to
specific content. N o b o d y could ever classify the entire Web.
Blue Coat WebFilter (BCWF) uses a hybrid a p p r o a c h :

• Static list
• Remote D y n a m i c Categorization u s i n g a d v a n c e d Bayesian statistical analysis
103
Blue Coat WebFilter
• Hybrid Solution
- Onbox database for Blue Coat SG
- Optional Service Component to categorize unrated
URLs
• Data Quality
- 58 Categories
- Consistency
- Relevant URLs (feedback)
- Immediate coverage for new sites (DRTR)
Slide 11 - 3 : Blue Coat WebFilter characteristics
Blue Coat WebFilter (BCWF) takes a h y b r i d a p p r o a c h in p r o v i d i n g its content-filtering solution.
BCWF p r o v i d e s a static list w i t h its o n b o x database. A d m i n i s t r a t o r s can w r i t e policy to allow or

d e n y access to resources based on the information in the database. But BCWF also offers optional
Remote D y n a m i c Categorization, w h i c h s e n d s requests to a D y n a m i c Real-Time Rating (DRTR)
server if t h e resource is not in the BCWF d a t a b a s e l o a d e d locally.
BCWF also focuses on quality of results. It provides nearly 60 categories to allow a high degree of
control in w r i t i n g policy. It also is highly consistent in h o w it categorizes resources a n d gives top
priority to categorizing resources that are requested most frequently. T h e optional DRTR service
also p r o v i d e s i m m e d i a t e coverage for sites that h a v e not been previously categorized.
104
Chapter 11 : Content Filtering
Blue Coat WebFilter Details
Features Quantity Comments

Languages 50 + Excellent quality
Categorized URL list is
Ratings 15 Million + growing daily
Includes spyware and

Categories 58+ malware
4,000 to 6,000 additional Highly accurate

Categorization unique URLs rated per day categorization of URLs
40+ Recognized languages Categorizes over 95% of
Dynamic Rating 10+ Categorized languages objectionable content
1
Slide 11 - 4 : Blue Coat WebFilter d a t a s h e e t
Blue Coat WebFilter s u p p o r t s an impressive n u m b e r of languages, including Chinese, Japanese,

Arabic, English, Finnish, Italian, G e r m a n , a n d m a n y others.
The size of the database, the n u m b e r of categories, a n d the n u m b e r of URLs rated daily is in line
w i t h the major v e n d o r s in this market.
You s h o u l d also n o t e that the n u m b e r of URLs present in a list s h o u l d only be part of the
decision-making process to select a vendor. The URLs need to be relevant a n d most of all accurate.
The Blue Coat content research team devotes serious attention to m a k i n g sure that the list is not
only as large as possible, b u t relevant a n d reliable.
1 . I n f o r m a t i o n as of A u g u s t 3 0 t h , 2 0 0 6 . Subject to change w i t h o u t notice.
105
Dynamic Categorization - Overview
Slide 11 - 5 : Fundamental concepts f o r d y n a m i c c a t e g o r i z a t i o n
The d y n a m i c categorization process is e n a b l e d by default w h e n y o u u s e BCWF. You do not have

to use d y n a m i c categorization; however, it is an i m p o r t a n t c o m p l e m e n t to the BCWF.
W h e n a u s e r requests a resource on the Internet, the Blue Coat SG first checks if that resource is
categorized in the BCWF d a t a b a s e l o a d e d locally. If the resource is not categorized in the m a i n list,
the Blue Coat SG s e n d s a request to the nearest DRTR server.
Note: The request d o e s not contain a n y user-related or a n y c o m p a n y - r e l a t e d information. It

contains only the destination URL.
The DRTR server processes the request a n d returns a categorization, w h e n available.

Blue Coat WebFilter For Blue Coat SG
Slide 1 1 - 6 : Dynamic R e a l - T i m e Rating f o r Blue Coat WebFilter
The Internet changes constantly; therefore, no rating service can ever categorize every Web page.
A static list is only a partial solution to the need for categorizing content.
W h e n u s e r s request a n e w URL that has not been rated in the BCWF ratings database, the BCWF
service uses its DRTR technology to retrieve the p a g e from its host server to be analyzed for its
content.
The DRTR service looks at a n u m b e r of elements, including the w o r d s on the page, the context of
each w o r d , a n d the formatting u s e d on the p a g e a n d r e s p o n d s in one of t w o w a y s . If DRTR can
d e t e r m i n e a rating for a n e w Web site in real time, it then rates a n d categorizes it. These sites are
then a d d e d to the BCWF ratings database.
If the DRTR service cannot d e t e r m i n e a rating for a n e w Web site in real time, it then categorizes
the site as "other" a n d m o v e s it to a third-stage rating process called D y n a m i c Background Rating
(DBR) for additional review. Once DBR has reviewed the site, it either assigns it to one of BCWF's
58 content categories or q u e u e s in a list for the h u m a n reviewers to rate it.
The entire process for categorizing Web sites operates as follows:
1. T h e u s e r ' s request is m a t c h e d against the BCWF installed on the local machine. There is a 95
percent success rate; 95 of every 100 URLs requested are found the local database (provided
that it is kept up to date). This l o o k u p requires less than 5 m s .
2. If the URL is not available in the current database, BCWF queries the external database. This
d a t a b a s e contains the most up-to-date list of Web sites; it is u p d a t e d every 15 m i n u t e s a n d
contains w h a t will become the n e w available list on the following day. This search can take up
to 0.3 s e c o n d s a n d returns s o m e a d d i t i o n a l sites.
3. W h e n the external database does not h a v e a categorization for the URL, it s e n d s a request to
the DRTR server. There are multiple locations a r o u n d the w o r l d that h a n d l e this process; all of
t h e m feature high-availability servers a n d high b a n d w i d t h . The DRTR server returns only a
response to the Blue Coat SG if the URL is categorized as Adult, Pornography, Gambling, or
o n e of a few other generally unacceptable categories. The DRTR can correctly categorize up to
95 percent of the requests it receives for these kinds of sites.
107
The other sites are not categorized. This behavior reduces the overall n u m b e r of positive
matches for DRTR requests to 12 percent. So, for every 100 a d u l t URLs scanned by the DRTR,
as m a n y as 95 are correctly categorized; however, for every 100 generic requests received by
the DRTR only 12 return a positive m a t c h . This process can take up to five seconds.
Note: You can t u r n on or off the DRTR l o o k u p .
4. The URLs that do not return a positive m a t c h after the DRTR l o o k u p are forwarded to the
D y n a m i c Background Rating (DBR) for additional review. This process is more intensive t h a n
the DRTR a n d can take up to 1 hour. T h e URLs that are categorized by the DBR are u p l o a d e d
to the Master Rating Database (MRD). F r o m the MRD they are sent in to the external d a t a b a s e
(the o n e queried at Step 2 of this process) a n d into the BUFF database, w h i c h is the d a t a b a s e
u s e d to create the d o w n l o a d list available daily to all of the BCWF subscribers.
5. The URLs that do not h a v e a m a t c h after being processed by the DBR are q u e u e d for h u m a n
review by a multilingual t e a m of content researchers. The r e v i e w e d URLs are then u p l o a d e d
into the external database (the o n e u s e d in Step 2) a n d in the BUFF. The h u m a n rating process
can take a d a y or more.
While this process m a y s e e m laborious on the surface, it represents the state-of-the-art a t t e m p t to
offer the most accurate, reliable, fast, a n d scalable a n s w e r to o r g a n i z a t i o n s ' need to protect
themselves from i n a p p r o p r i a t e Web surfing.
Dynamic Categorization - Options
Slide 1 1 - 7 : Dynamic c a t e g o r i z a t i o n m o d e s
There are three options available for DRTR:
1. Do not categorize dynamically. The l o a d e d database is consulted for category information. URLs
not in the database s h o w up as category none. This m o d e is distinct from disabling the service.
W h e n Do not categorize dynamically is set as the default, d y n a m i c categorization (in either real
time or b a c k g r o u n d mode) can be explicitly invoked by policy. W h e n the service is disabled,
no d y n a m i c categorization is d o n e , regardless of policy, a n d the Blue Coat SG does not m a k e
a n y contact w i t h the d y n a m i c categorization service.
2. Categorize dynamically in the background: Objects not categorized by the database are
d y n a m i c a l l y categorized as time permits. Proxy requests are not blocked while DRTR is
consulted. Objects not found in the database a p p e a r as category pending, indicating that
DRTR w a s requested, but the object w a s served before the DRTR response w a s available.
3. Categorize dynamically in real-time: T h e default. Objects not categorized by the database are
d y n a m i c a l l y categorized on first access. If this entails consulting the DRTR service, the proxy
request is blocked until DRTR r e s p o n d s . The a d v a n t a g e of real-time m o d e d y n a m i c
categorization is that Blue Coat policy has access to the results of d y n a m i c categorization,
w h i c h m e a n s that policy decisions are m a d e immediately u p o n receiving all available
information.
The g r a p h s in the slide above s h o w the sequence of events w h e n the Blue Coat SG processes a
transaction a n d DRTR is enabled.
• At t i m e t the transaction reaches the Blue Coat SG a n d policy evaluation begins.

0
• At time ty the Blue Coat SG d e t e r m i n e s that the site is not categorized a n d s e n d s a

categorization request to the DRTR.
• In t h e g r a p h on top, the Blue Coat SG is ready to m a k e a decision at time t , w h e n the policy

p
e v a l u a t i o n is completed. The DRTR server returns the result at time t^ ; note that t >td p
o If y o u configure DRTR to categorize in real time, the Blue Coat SG holds the transaction
for a time t = ( t -t ) a n d will use the result from the DRTR in the final policy evaluation.
w d p
109
o If y o u configure DRTR to r u n in the b a c k g r o u n d , the Blue Coat SG does not w a i t for the
r e s p o n s e from the DRTR server after t h e policy e n g i n e is r e a d y to m a k e a decision. T h e
DRTR response will be u s e d for s u b s e q u e n t connection requests to that resource.
• In the b o t t o m graph, the Blue Coat SG receives the DRTR r e s p o n s e before it is r e a d y to m a k e a

policy decision. In this case, w h e n t > t^ , the option Categorize dynamically in the background
p
a n d Categorize dynamically in real-time act in the s a m e way.
You m a y experience a delay of up to 5 s e c o n d s if decide to u s e the DRTR in real time. This is the
m a x i m u m a m o u n t of time t h a t t h e Blue Coat SG waits for a response from the DRTR). In the rare
case w h e r e u s e r s experience DRTR-related response delays, y o u m a y w a n t to try configuring
DRTR to o p e r a t e in the b a c k g r o u n d before disabling it completely.
D y n a m i c categorization has t w o t y p e s of cost:
• B a n d w i d t h : Represents the r o u n d trip r e q u e s t / r e s p o n s e from the Blue Coat SG to the service.

Because the d y n a m i c categorization protocol is compact, this cost is minimal.
• Latency: Represents the t i m e s p e n t w a i t i n g for the d y n a m i c categorization service to p r o v i d e a

result.
W h e n y o u configure DRTR to Categorize dynamically in real-time, y o u r Blue Coat SG incurs b o t h
b a n d w i d t h a n d latency costs. If y o u configure DRTR to Categorize dynamically in the background, the
Blue Coat SG incurs only the b a n d w i d t h cost; transactions are not held back waiting for the DRTR
response, if t h e DRTR response arrives after Blue Coat SG is r e a d y to m a k e a policy decision.
Note: The b a n d w i d t h utilization by DRTR is a factor, but it is mostly negligible.
110
Blue Coat WebFilter Service Points
Slide 11 - 8 : Service points f o r Blue Coat WebFilter
Blue Coat has a w o r l d w i d e c u s t o m e r base. The Blue Coat SG can use a distributed n e t w o r k of
servers to enable customers to d o w n l o a d the BCWF database u p d a t e s reliably a n d efficiently a n d
to expedite DRTR transactions.
Currently, Blue Coat has DRTR a n d d o w n l o a d sites in the U.S., Europe, a n d Japan. Each location
features h i g h - b a n d w i d t h Internet access a n d a fully fault-tolerant a n d load-balanced security a n d
d o w n l o a d architecture.
The Blue Coat SG can discover, by contacting sp.cwfservice.net, the closest a n d most available
d o w n l o a d site for y o u .
111
DRTR Categorization Results
:
, Top iLWgBagM^*^" " « » » « » ^ : ^
Category v^Prob ability Thresholdj
P
Il5
english LÔ0ÏÏBÏÏ
Slovenian 0.00000 0.50000^1.00 / 0.98
Italian 0.00000 0.50000 1.00 / 1.00
clmese i 0.00000 0.50000 1 . 0 0 / 0 . 9 7
1
• •'" 'Top ' Categories
r
Categor> Probability : Threshold P/R
Sp orts/Reereation/Hobbies 1.00001 0.57908 0.80 / 0.60
News/Media o.ooooc 1.00000 0.83 / 0.73
Education 0.0000(1 0.98417 0.80 / 0.78
Miscellaneous 0.0000c|: NEVER 1 . 0 0 / 0 . 2 3
Slide 1 1 - 9 : DRTR results
Probability
T h e n o r m a l i z e d probability calculated from each token (e.g., w o r d on the page) represents the
probability that the entire p a g e is in l a n g u a g e Y a n d it belongs to category X. In the e x a m p l e
s h o w n above, the p a g e is v e r y likely to be in English. T h e n o r m a l i z e d probability is 1.00, i.e., the
DRTR is convinced that it i n d e e d is English. Also, this is p a g e is very likely to belong to the
category S p o r t s / R e c r e a t i o n / H o b b i e s .
Threshold
T h r e s h o l d is the n o r m a l i z e d m i n i m u m probability v a l u e for a given category to reach the
d e s i g n a t e d precision a n d recall values.
Precision (Accuracy)
T h e precision d e t e r m i n e s h o w accurate DRTR is. For instance, out of 100 sites that DRTR m a r k e d
as Pornography, h o w m a n y are correctly categorized? If DRTR claims 100 pages to be category X
a n d 85 of t h e m actually are category X, then the precision is 0.85.
Recall (Coverage)
T h e recall defines the ability of DRTR to catch all of the sites in a certain category. If the DRTR has
processed 100 sites that are in the p o r n o g r a p h y category, h o w m a n y w e r e categorized correctly? A
recall v a l u e of 0.85 m e a n s t h a t o u t of 100 pages that actually are category X, DRTR categorizes 85
of t h e m correctly. The goal for a tool like DRTR is to find a s w e e t spot w h e r e the precision is h i g h
e n o u g h w i t h o u t c o m p r o m i s i n g the recall value. The recall a n d precision value m o v e in o p p o s i t e
directions; w h e n one gets better, the other one gets w o r s e . Blue Coat WebFilter aims at 85-90
p e r c e n t precision. Blue Coat has by far the fewest false positives in any published testing b e t w e e n
content filtering v e n d o r s .
112
Additional Notes
DRTR does not return a categorization to the requesting Blue Coat SG unless the recall a n d
precision value are w i t h i n specific p a r a m e t e r s that Blue Coat defines. For instance if y o u process
the site h t t p : / / w w w . j a l . c o . j p t h r o u g h the DRTR, y o u will get the result of Unrated. In actuality,
the DRTR engine has correctly identified that the l a n g u a g e is Japanese a n d the category is Travel;
however, the recall value is too l o w for the DRTR to be confident e n o u g h to return the
categorization of Travel.
C u r r e n t l y the categories w i t h the best recall to precision correlation are Pornography,

A d u l t / M a t u r e Content, Gambling, etc.
113
Local Database
• Custom Categories
- Custom allowed list
- Customer denied list
- Internal URLs
• Performance and Security

- Hash list
- Does not require VPM/Management Console Access
Slide 1 1 - 1 0 : Local d a t a b a s e
You can create y o u r o w n local d a t a b a s e file a n d d o w n l o a d it to the Blue Coat SG. This file is
created in the s a m e w a y t h a t policy files are created, except that only define category s t a t e m e n t s
are allowed in the local d a t a b a s e . You m i g h t find it convenient to p u t y o u r local d a t a b a s e on the
s a m e server as a n y policy files y o u are using.
T w o m a i n reasons to use a local d a t a b a s e instead of a policy file for defining categories are:
A local d a t a b a s e is m o r e efficient t h a n policy if y o u h a v e a large n u m b e r of URLs.
• A local database s e p a r a t e s administration of categories from policy.
Being able to m a n a g e the local d a t a b a s e as a stand-alone file, separate from the M a n a g e m e n t

C o n s o l e a n d the VPM, is useful for three reasons:
• It allows different i n d i v i d u a l s or g r o u p s to be responsible for administrating the local

database a n d policy.
• It keeps the policy file from g e t t i n g cluttered.
• It allows the local d a t a b a s e to s h a r e categories across multiple boxes that h a v e different policy.
H o w e v e r , s o m e restrictions a p p l y to a local database that do not a p p l y to policy definitions:
• No m o r e t h a n 200 s e p a r a t e categories are allowed.
• Category n a m e s m u s t be 32 characters or less.
• A given URL p a t t e r n can a p p e a r in no more than four category definitions.
You can use a n y c o m b i n a t i o n of the local database, policy files, or the V P M to m a n a g e y o u r

category definitions. You can also use b o t h a local d a t a b a s e a n d a third-party v e n d o r for y o u r
content filtering needs.
If y o u have extensive category definitions, Blue Coat r e c o m m e n d s that y o u put t h e m into a local
d a t a b a s e rather than into a policy file. The local d a t a b a s e stores c u s t o m categories in a m o r e
scalable a n d efficient m a n n e r , a n d separates the a d m i n i s t r a t i o n of categories from policy.
You can configure the Local D a t a b a s e to be u p d a t e d as frequently as once a day. Ordinarily, the
Blue Coat SG checks if the d a t a b a s e has changed before initiating a d o w n l o a d . If the database is up
to date, then no d o w n l o a d is necessary a n d n o n e is p e r f o r m e d . You can override this check a n d
force a d o w n l o a d by selecting Force Full Update; this o p t i o n is not n e e d e d u n d e r n o r m a l
circumstances.
The following is an e x a m p l e of a local database file.
define category mycompany_allowed
bluecoat.com
Symantec.com
kaspersky.com
sophos.com
microsoft.com
end
define category mycompany_denied

www.playboy.com
www.hacking.com
www.sex.com
end
define category mycompany_internal

intranet.mycompany.com
webmail.mycompany.com
4 01k.mycompany.com
end
115
116
Chapter 12: Managing Downloads
Sometimes the greatest business a n d security risks c o m e from w i t h i n an organization. Left

unchecked, the Internet can h u r t productivity a n d expose c o m p a n i e s to potential lawsuits,
especially w h e n objectionable Web content is being accessed. A n d while most organizations h a v e
taken steps to a d d r e s s the security threat p o s e d by e-mail viruses, the problems arising from
e m p l o y e e Web b r o w s i n g a n d d o w n l o a d i n g have not received as m u c h attention.
As users d o w n l o a d seemingly safe content such as music files, they can also u n k n o w i n g l y
d o w n l o a d h i d d e n viruses, Trojans, or m a l w a r e . W h e n y o u a d d the time a n d resources lost while
employees b r o w s e a n d d o w n l o a d content, y o u can see that corporations s i m p l y cannot afford to
overlook the problems p o s e d by u s e r d o w n l o a d s .
In this chapter, y o u will learn h o w HTTP is u s e d to s e n d d a t a over the Web. T h o u g h HTTP is

d e s i g n e d to use M u l t i p u r p o s e Internet Mail Extension (MIME) types, it does not necessarily
transform binary d a t a to text. Base64 encoding is a l l o w e d in HTTP but not required. You can
transfer binary d a t a in the d a t a portion on an HTTP response, p r o v i d e d that correct information is
included in the response h e a d e r a n d the client s u p p o r t s it.
MIME types are not peculiar to HTTP. They w e r e originally d e v e l o p e d to deliver non-text e-mail
attachments but are n o w u s e d in m a n y other applications as well. The details of MIME types are
defined in RFC 2045 a n d RFC 2049. MIME types are very i m p o r t a n t because they can be used to
identify the content type, a n d block the d o w n l o a d , if necessary.
The process of transferring d a t a over HTTP is relatively simple:
1. The u s e r agent (UA) requests the specific file u s i n g o n e of the allowed m e t h o d s (most likely
GET).
2. The origin content server r e s p o n d s (if everything is correct in the request) a n d specifies:
D The t y p e of file being delivered (text, image, application)
• The sub-type (for images, jpeg, gif, etc.)
a The encoding of the d a t a (none, gzip, deflate, etc.)
The Blue Coat SG k n o w s the file that y o u are requesting, based on the URL presented, a n d reads
the information in the r e s p o n s e h e a d e r as well as in the response d a t a portion. As result, the Blue
Coat SG can d e t e r m i n e w h i c h t y p e of file y o u are a t t e m p t i n g to d o w n l o a d u s i n g a n y of the
following p a r a m e t e r s : file extension, declared MIME type, or file header.
117
HTTP Threats
• Malicious software
- Spyware Malware
• Bandwidth
- Large downloads can clog the network
• Productivity
- Most downloads are not business relavant
Slide 1 2 - 1 : HTTP download threats
The majority of viruses travel the Internet t h r o u g h e-mail; however, s p y w a r e , m a l w a r e , a n d other

threats are often delivered via HTTP. I m p r o v e m e n t s in the protocol, a n d particularly
e n h a n c e m e n t s in user agents, m a k e it possible to w r i t e harmful code that users can d o w n l o a d ,
completely u n a w a r e that they are d o i n g so.
In addition, freeware a n d s h a r e w a r e software often contain more-or-less h i d d e n code, w h i c h

tracks a n y sort of information a b o u t a user a n d can result in r e d u c e d m a c h i n e a n d n e t w o r k
performances. D o w n l o a d of large files can cause incremental n e t w o r k d e g r a d a t i o n .
A c o m p l e t e security policy s h o u l d include tight control of the file types that uses can d o w n l o a d
a n d the sources from w h i c h they can d o w n l o a d . The best a p p r o a c h is to block the following file
types: exécutables, ActiveX®, JavaScript®, a n d other scripts. You also s h o u l d create a white list of
a p p r o v e d sites; this list u s u a l l y includes d o w n l o a d sites for y o u r antivirus v e n d o r s , operating
s y s t e m v e n d o r s , a n d other suppliers of critical software u p d a t e s .
The rest o f the chapter helps y o u u n d e r s t a n d h o w d o w n l o a d s over HTTP o p e r a t e a n d h o w y o u

can use the Blue Coat SG to control them.
118
HTTP Downloads
Slide 1 2 - 2 : HTTP d a t a transfer
The slide a b o v e s h o w s h o w different files can be transferred over HTTP a n d h o w different

encoding formats can apply.
The top d i a g r a m s h o w s a UA asking for a file that most likely is an image file. You cannot be sure
w h a t the file really is; at times, malicious sites host harmful files n a m i n g t h e m u s i n g extension
reserved for other file types. The OCS replies a n d specifies that the attached binary d a t a s h o u l d
represent an image in JPEG format. Again, it is i m p o r t a n t to use the w o r d should, because an OCS
often declares the MIME type of an attached file solely based on that file's extension. The UA, in
the original request, asked for gzip-compressed content, if available. In general, an OCS, even if it
s u p p o r t s compression, will not a t t e m p t to c o m p r e s s file formats, like JPEG, w h i c h already are
inherently c o m p r e s s e d . JPEG is a compression-with-loss format; a p p l y i n g gzip to it m a y have a
null or even negative effect on the resulting file size.
The bottom d i a g r a m s h o w s a UA asking for a file that most like is an image file. The OCS
r e s p o n d s a n d declares the attached file as an H T M L p a g e in text format. However, in this scenario,
the OCS has a p p l i e d gzip compression to the file a n d has declared it in the response header. The
presence of the content-encoding h e a d e r signals to the UA that the file received needs to be
d e c o m p r e s s e d u s i n g gzip. The OCS can a p p l y a different type of encoding, as long as the client has
declared, explicitly or implicitly, that it will accept that encoding.
119
HTTP Downloads
HTTP uses many of the constructs defined for

Mail Multipurpose Internet Extensions (MIME)
- The Content-Type header field uses the
standard MIME types
Several other encoding types exist for the

HTTP response
- Content-Encoding
- Transfer-Encoding
Slide 1 2 - 3 : HTTP and MIME types
Because u s i n g MIME types, H T T P can transform binary content s u c h as images, s o u n d s , movies,

a n d c o m p u t e r p r o g r a m s into plain text for delivery to y o u r browser. T h e list b e l o w discusses
i m p o r t a n t MIME h e a d e r s :
MIME-Version
The presence of this h e a d e r indicates that the message is MIME-formatted. The value is
typically "1.0", so this h e a d e r a p p e a r s as " M I M E - v e r s i o n : i . o . "
Content-Type
This h e a d e r indicates the t y p e a n d s u b t y p e of the message content, for e x a m p l e

"content-type: text/plain." As RFC 2045 states, The Content-Type h e a d e r is "used to
specify the m e d i a type a n d s u b t y p e of d a t a in the b o d y of a m e s s a g e a n d to fully specify the
native representation (canonical form) of s u c h data. Other e x a m p l e s of content t y p e a n d
s u b t y p e i n c l u d e video/mpeg, image/gif, a n d application/msword.
• Transfer-Encoding
The transfer-encoding, as the RFC 2616 states, "indicates w h a t (if any) t y p e of

transformation has been applied to the m e s s a g e b o d y in o r d e r to safely transfer it between the
s e n d e r a n d the recipient. This differs from the content coding in that the transfer-coding is a
p r o p e r t y of the message, not of the entity. If multiple encodings h a v e been a p p l i e d to an entity,
the transfer-codings m u s t be listed in the o r d e r in w h i c h they w e r e applied."
120
File Type Detection
• File extensions
- avi, bmp, jpeg, etc.
• MIME types
- text/html, image/gif, etc.
e
Apparent Data Type
- Initial bytes in a file
Slide 1 2 - 4 : File t y p e d e t e c t i o n m e t h o d s
N o w that y o u k n o w the process b e h i n d Web d o w n l o a d s , let's talk about h o w to block them. The
Blue Coat SG p r o v i d e s a high-performance a n d flexible w a y to create a n d enforce user d o w n l o a d
policies. You can block by
• File extension types: For example, y o u can configure the Blue Coat SG to block users from
d o w n l o a d i n g . m p 3 files.
MIME types: For example, y o u can configure the Blue Coat SG to block all (or only some)
a u d i o or i m a g e files.
• Apparent Data Type: The A p p a r e n t Data Type refers to special data located at the beginning of a
file that is u s e d to indicate its type. The Blue Coat SG will scan these data files to d e t e r m i n e if
the special d a t a is present.
You can even create policies that specify w h e n a n d w h e r e d o w n l o a d s are blocked. For example,
y o u can block users from d o w n l o a d i n g video files from a n y n e w s sites d u r i n g w o r k hours.
121
File Type Detection Ambiguity
1 J :
- '•l'-- .'" ' •"• •" 'I . . . .
E H T T P / 1 . 1 200 O K \ r \ n
D a t e : T h u , 2 1 Sep 2006 0 5 : 5 2 : 1 2 G M T \ r \ n
server: Apache/1.3.31 (unix^Wi
L a s t - M o d i f i e d : T h u , 2 1 S e p 2006 0 5 : 4 9 : 3 5 GMT\r\n
ETag: "c3eOl-4299-451227ef"\r\n
Accept-Ranges: b y t e s \ r \ n
content-Length: 17049\r\n
Keep-Alive: timeout=15, max=100\r\n
conrigct i on: Keep-Al i y e \ r \ n
fc"ont~eTfE"-Type: text/pTai n \ r \ n 1
\r\n
id Line-based t e x t data: t e x t / p l a i n
[GIF819aAO0 3 \ 2 3 5 \ Q Q C p \ 0 0 0 \ 0 0 b ' i \ 0 0 0 \ 0 0 0 \ 0 0 0 \ 0 0 0 3 \ O C
\ 0 3 53\264\2 50\321\243H\223*']\312\264\2 51\323\247F
D\265W\2 6 7 p \ 2 0 6 \ 3 5 4 \ t \ 3 3 2 \ 1 7 7 \ 3 5 0 \ 2 3 5 ' ~ \ 2 0 1 \ 3 1 0 \ C
\224\037<\237
T H t \ 0 0 2 \ 3 01\2 61\034w\a\021\2 03\001\000\3 56\2 21g\3
\ 2 7 4 \ 3 2 1 \ 3 6 7 O \ 2 0 1 \ 2 1 3 \ 2 5 5\34 5 \ 2 4 1 \ 1 7 7 \ 3 2 1 \ 2 Q 5 e \ 3 3
Slide 1 2 - 5 : File type d e t e c t i o n a m b i g u i t y
It is possible, h o w e v e r not very likely, that files are hosted on a server w i t h the incorrect extension.
For example, it is possible that malicious Web sites host executable files b u t w i t h an extension that
m a k e s t h e m look like a n o t h e r file t y p e . Because, m o r e often than not, the OCS declares the MIME
t y p e of a file solely based on the file's extension, y o u can get a total m i s m a t c h between the actual
file a n d its M I M E type.
The slide s h o w s a GIF i m a g e that w a s r e n a m e d , from test. gif to test. txt, a n d hosted on an
A p a c h e Web server. W h e n the UA issues a G E T request for the t e s t . txt file, the OCS generates a
response in w h i c h the h e a d e r declares the MIME t y p e as t e x t / p l a i n (as it s h o u l d be for a .txt file).
If y o u take a close look to the packet capture, y o u can see h o w the d a t a part clearly contains a GIF
file. (GIF files u s u a l l y contain the v a l u e GIF89 as file header.) You can do the s a m e with an
executable file. If y o u r policies d e n y access to GIF files b a s e d solely on file extension or MIME
type, this particular file w o u l d be accepted because it does not m a t c h s u c h policies.
The a p p a r e n t d a t a type, discussed in detail later, allows y o u to control file d o w n l o a d s using the
information in the file rather t h a n the extension or the MIME type.
Each blocking s c h e m e has its o w n a d v a n t a g e s , a n d y o u m a y need to e x p e r i m e n t to see w h a t

w o r k s the best for y o u in y o u r e n v i r o n m e n t . While the A p p a r e n t D a t a Type feature is 100 percent
1
accurate, it currently blocks only the following file t y p e s : W i n d o w s ® DLL a n d executable files,
ActiveX controls (.OCX), a n d W i n d o w s cabinet files (.CAB).
1 .You can b l o c k v i r t u a l l y any file t y p e , b u t this requires y o u to w r i t e policies in CPL
122
Chapter 13: Managing Instant Messaging
Instant m e s s a g i n g (IM) has become c o m m o n in the enterprise. The benefits of u s i n g IM as a

business tool are w e l l - k n o w n . It helps co-workers c o m m u n i c a t e quickly a n d easily; however, IM
also raises concerns a b o u t security. Sensitive information can leave the c o m p a n y t h r o u g h
messages to outsiders, a n d viruses a n d other m a l w a r e can enter the n e t w o r k from files shared
t h r o u g h IM clients.
IM differs from e-mail in that messages are e x c h a n g e d in real time. To accomplish this, an IM
client p r o g r a m connects to an IM server. Most IM services offer a feature that indicates w h e t h e r
p e o p l e on a u s e r ' s list of contacts are currently online and available to chat.
M o d e r n I M p r o g r a m s have a n i n p u t w i n d o w a n d another w i n d o w t o display the r u n n i n g

conversation; s o m e indicate w h e t h e r the other p a r t y is t y p i n g a reply. It is even possible to save
the complete record of the conversation as a simple text file.
IM systems h a v e b e c o m e p o p u l a r targets for s p a m m e r s (SPIM). M a n y IM s y s t e m s offer a directory

of users, i n c l u d i n g s u c h d e m o g r a p h i c information as age a n d sex. Advertisers can gather this
information, sign on to the system, a n d s e n d unsolicited messages.
Blue Coat SG allows n e t w o r k administrators to control the use of selectable IM features for A O L ,
MSN, a n d Yahoo! clients. Flexible policies can be defined to block file transfers, search for
k e y w o r d s , a n d limit chat r o o m access on a global or per-user basis. A d m i n i s t r a t o r s can allow
e m p l o y e e s to use IM or, prevent t h e m from u s i n g it. Or, administrators can p e r m i t employees to
use only certain features of IM while k e e p i n g their n e t w o r k more secure. Additionally, all IM
conversations can be monitored a n d logged.
The Blue Coat SG serves as an IM proxy. You can select allowed protocols, establish authentication
rules for u s i n g IM, allow or d e n y a t t a c h m e n t s by file type, allow or d e n y chat activity, block IM
access by u s e r or other criteria, a n d filter k e y w o r d s .
Several IM clients are capable of requesting that their c o m m u n i c a t i o n s be encrypted. This can lead
to a serious security p r o b l e m because the Blue Coat SG cannot d e t e r m i n e w h a t is being sent or
received to enforce its policy rules. T h e Blue Coat SG allows the administrator to block all
e n c r y p t e d traffic.
The Blue Coat SG s u p p o r t s instant m e s s a g i n g t h r o u g h the HTTP proxy. IM clients are configured
to connect to IM services t h r o u g h HTTP, w h i c h allows IM activity from b e h i n d restrictive
firewalls.
The application of policies a n d IM activity logging is accomplished by the H T T P proxy h a n d i n g
off IM c o m m u n i c a t i o n s to the IM proxy.
A O L a n d Yahoo clients lose certain features w h e n connected t h r o u g h H T T P proxy rather than
t h r o u g h SOCKS or t r a n s p a r e n t connections:
• AOL: Direct connections, file transfers, a n d files sharing are not available.
• Yahoo!: Client cannot create a chat room.
The Blue Coat SG s u p p o r t s explicit proxy authentication if explicit SOCKS V5 proxy is specified in
the IM client configuration.
Consider the following proxy authentication notes, which a p p l y to IM clients using HTTP proxy:
AOL IM: Proxy authentication is s u p p o r t e d .
• M S N IM (5.0 a n d above): A l t h o u g h the M S N IM client s u p p o r t s user credentials, it cannot

r e s p o n d to H T T P proxy authentication requests from the Blue Coat SG, a n d the MSN passport
service login fails. You can, however, a d d policy to p a s s - t h r o u g h the traffic to the MSN
passport.com site w i t h o u t requiring authentication.
• Yahoo! IM: Yahoo! IM clients do not h a v e proxy authentication configuration abilities.
123
Note: Instant m e s s a g i n g is nor related to the Microsoft W i n d o w s Messaging, w h i c h is u s e d

to allow servers to s e n d alerts to a d m i n i s t r a t o r w o r k s t a t i o n s . In the event W i n d o w s
M e s s a g i n g is a b u s e d at y o u r site, it can be disabled in a variety of w a y s . N o t e also that
W i n d o w s Messaging can h a v e s p a m , w h i c h a p p e a r s as a n o r m a l dialog box
containing the s p a m m e r ' s m e s s a g e as text.
124
Instant Messaging Overview
• Powerful and productive communication tool

• Prone to a wide variety of threats
Slide 1 3 - 1 : Instant messaging overview
IM protocols allow c o m m u n i c a t i o n across the Web u n d e r almost any possible configuration. T h e y

are therefore difficult to control u s i n g existing n e t w o r k products. A n y of the instant m e s s a g i n g
services present v a r i o u s challenges w h e n u s e d in an enterprise network:
• Leakage of confidential information
• S p r e a d of viruses a n d other malicious code
Verbal h a r a s s m e n t
A n n o y a n c e (SPIM, w h i c h is s p a m over IM)

IM has several security w e a k n e s s e s that enable users to exploit third-party software to perform
possibly malicious acts. A l t h o u g h s o m e are merely annoying, others perform potentially
d a n g e r o u s actions, such as harvesting IP a d d r e s s e s a n d s e n d i n g viruses u p o n a direct connection.
In particular, AIM®, AOL's instant m e s s a g i n g service, also can pose problems t h r o u g h the
Viewpoint M e d i a Player plug-in for d i s p l a y i n g graphical content — a n d w h i c h also collects u s a g e
information a n d s e n d s it on to its Viewpoint server.
125
Blue Coat SG and IM
Slide 1 3 - 2 : IM and Blue Coat SC
The Blue Coat SG provides a d m i n i s t r a t o r s w i t h the features to m a n a g e a n d control IM traffic

e n t e r i n g a n d leaving the corporate n e t w o r k . AOL, MSN, a n d Yahoo! instant messaging
c o m m u n i c a t i o n s can be controlled a n d l o g g e d to meet compliance requirements in place at m a n y
corporations. Usage policies can be w r i t t e n to d e t e r m i n e w h i c h protocol m e t h o d s are allowed.
For example, the file transfer feature can be disabled so that users cannot send files from the
c o r p o r a t e n e t w o r k using IM. An a d m i n i s t r a t o r also can prevent the transmission of instant
m e s s a g e s that contain unacceptable k e y w o r d s pre-defined by a c o m p a n y ' s security policy.
You also can a p p l y specific traffic-shaping policies; y o u can decide the m a x i m u m b a n d w i d t h

allocated for IM-type traffic a n d g r a n u l a r l y control w h a t files, if any, can be transferred.
Additionally, the Blue Coat SG has the ability to d e t e r m i n e if the traffic is coming from a client that
is directly connected to it or from an external source. This allows y o u to create a d v a n c e policy a n d
restrict c o m m u n i c a t i o n s only to u s e r s w i t h i n y o u r n e t w o r k .
The Blue Coat SG can m o n i t o r a n d record every transaction that occurs over IM. You can keep the
logs, r u n reports, a n d even replay a n y conversation b e t w e e n i n d i v i d u a l users or within chat
r o o m s . This feature is extremely i m p o r t a n t for regulatory compliance.
Within certain limitations, y o u can associate IM traffic w i t h the actual u s e r logged onto the
m a c h i n e that sent a message. The t y p e of authentication that can be u s e d (SOCKS version 5, H T T P
407, etc.) d e p e n d s on the client v e n d o r a n d the client version.
126
Protocol Handoff
Slide 1 3 - 3 : Protocol handoff
The Blue Coat SG can receive traffic on any TCP port. As long as there is a service r u n n i n g a n d
listening for connections on that TCP port, the traffic is intercepted a n d processed u s i n g the
policies that y o u created. Each port, or port range, is associated w i t h a protocol; the Blue Coat SG
expects to receive that type of traffic on that port or port range. For instance, y o u can associate
HTTP w i t h T C P port 80.
W h e n y o u associate a port w i t h a specific protocol (with the exception on TCP-Tunnel) the Blue
Coat SG expects the traffic on those ports to contain the actual protocol specified. For example, if
y o u assign p o r t 80 to HTTP, the Blue Coat SG expects to receive HTTP traffic on that port. If y o u
send a n y t h i n g that is not HTTP, the connection will time out after few seconds. However, if y o u
encapsulate IM over H T T P a n d connect to the Blue Coat SG, the IM protocol is recognized a n d
policy applied.
Applications, for both legitimate a n d not-so-legitimate reasons, c o m m o n l y try to encapsulate d a t a

over a port u s u a l l y reserved for a different t y p e of traffic. Several non-HTTP applications
c o m m u n i c a t e over port 80 a n d e n c a p s u l a t e their protocol over HTTP. In particular, IM clients can
be configured to use any TCP port; they also can be configured to use HTTP and SOCKS proxies.
If y o u enable H T T P handoff of IM, IM traffic that is encapsulated in HTTP or proxied over H T T P

will be processed by the Blue Coat SG IM engine; IM-specific policies will be applied. Unless a
specific policy applies, the handoff process does not modify the IM packet in any way. The IM
server a n d the i n t e n d e d recipient receive the packet, as long as there are no policies that d e n y that
particular transmission.
If traffic is e n c a p s u l a t e d over a n o t h e r protocol, IM-specific policies a n d policies affecting the

protocol over w h i c h IM is t u n n e l e d apply. For example, if y o u t u n n e l IM over HTTP, a n d y o u h a v e
handoff enabled, both IM policy a n d HTTP policy apply. If y o u h a v e handoff disabled, then only
HTTP policy applies. In reality, y o u need to note that allow or d e n y policies a n d policies related to
authentication apply, but other, m o r e complex policies, such as modifying HTTP headers, URL
rewrite, etc., do not a p p l y if Blue Coat SG detects that the traffic is IM.
The Blue Coat SG can detect IM traffic e n c a p s u l a t e d over HTTP, proxied over SOCKS ports, a n d
native-protocoled over TCP-Tunnel ports a n d IM-specific ports.
127
If y o u w a n t to allow a specific IM client to connect t h r o u g h H T T P t h r o u g h the Blue Coat SG, a n d

1
t h a t IM protocol has not been licensed , then disable H T T P handoff to allow the traffic to be
t r e a t e d as plain H T T P traffic a n d to a v o i d an error in the licensing check d o n e by the IM m o d u l e .
This m i g h t be also be necessary to t e m p o r a r i l y pass t h r o u g h traffic from n e w versions of IM
clients that are not yet s u p p o r t e d by the Blue Coat SG.
1 .IM license is optional but free.

Instant Messaging Reflection
• Normally, an IM from one user to another

is sent to and from an IM service
• IM Reflection allows containing IM traffic within

the enterprise network
- All IM traffic on the same network never travels
beyond the Blue Coat SG
- This includes IM users who log into different Blue
Coat SGs configured in a hierarchy (proxy chaining)
Slide 1 3 - 4 : IM reflection
IM reflection allows y o u to contain IM traffic w i t h i n the enterprise network. Reflection further

reduces the risks of exposing company-confidential information t h r o u g h public IM networks a n d
of allowing a client to become infected w i t h a virus or malicious code. Normally, an IM sent from
one u s e r to a n o t h e r is sent to a n d from an IM service. With IM reflection, IM traffic between users,
i n c l u d i n g chat messaging, on the s a m e n e t w o r k never has to travel b e y o n d the Blue Coat SG. This
includes IM users w h o log on to t w o different Blue Coat SG appliances configured in a hierarchy
(proxy chaining).
IM reflection involving clients in different buildings a n d even on different sites is still possible by
u s i n g SOCKS a n d H T T P forwarding, policy, a n d a Blue Coat SG hierarchy.
129
IM Reflection with Fail Open
Slide 1 3 - 5 : IM reflection - fail open
The d i a g r a m in the slide above d e m o n s t r a t e s IM reflection d e p l o y m e n t with fail o p e n on a Blue

Coat SG that is configured to a t t e m p t to reflect all IM activity. The circle s h o w s the area of
reflection. If the Blue Coat SG detects that a packet is c o m i n g from this area, it will not send the
information to the IM server. Instead, it will emulate the r e m o t e IM server. As far as the clients are
concerned, they are s e n d i n g a n d receiving messages from the actual IM server; they are totally
u n a w a r e that the Blue Coat SG is reflecting the messages.
• IM clients on the left side of the slide are logged into the s a m e Blue Coat SG, while the one on
the right is o u t s i d e the n e t w o r k .
• IM activity b e t w e e n the clients on the left is reflected by the Blue Coat SG.
IM activity between clients on t h e internal n e t w o r k a n d those o u t s i d e is forwarded to the IM

service p r o v i d e r for n o r m a l delivery.
This slide a n d the next illustrate the choice of actions w h e n reflection is not possible. The Blue
Coat SG a d m i n i s t r a t o r m u s t d e c i d e to allow or d e n y IM traffic.
Fail-open reflection is useful in controlling the a m o u n t of W A N b a n d w i d t h utilized a n d to e n s u r e

that internal exchanges of c o m m u n i c a t i o n s remain internal.
130
IM Reflection with Fail Closed
Slide 1 3 - 6 : IM reflection - fail closed
An a d m i n i s t r a t o r can a d d a policy rule to deny IM service to clients nor logged into the Blue Coat
SG. The clients w i t h i n the area of reflection are allowed to c o m m u n i c a t e to the IM server for the
initial connection; the authentication a n d authorization is still m a n a g e d by the actual IM server.
After the initial logon, the clients within the reflection area can s e n d a n d receive messages only to
a n d from other clients in the s a m e zone.
If a client in the reflection area a t t e m p t s to connect to an outside user:
• It receives a m e s s a g e from the Blue Coat SG notifying it that the message w a s blocked.
• The external client is completely u n a w a r e that a message w a s sent to it.
If an external client is s e n d i n g a m e s s a g e to a client inside the area of reflection:

• It a s s u m e s that the m e s s a g e w a s delivered.
• The internal client receives a message from the Blue Coat SG notifying it that the message w a s
blocked.
IM reflection w i t h fail closed keeps users in a n e t w o r k from s p e n d i n g w o r k time chatting w i t h
friends a n d family m e m b e r s a n d prevents t h e m from c o m m u n i c a t i n g sensitive or proprietary
c o m p a n y information to outsiders. Fail-closed reflection completely isolates the internal users
from the outside w o r l d . While this m a y s e e m harsh, it allows y o u to secure y o u r n e t w o r k against
loss of confidential information a n d w a s t e d productivity.
You m a y w a n t to use a combination of fail close a n d fail o p e n a p p r o a c h e s in controlling IM:
• Fail close for file transfer.
• Fail o p e n for certain allowed users a n d contact n a m e s for a n y t h i n g except for file transfer.
Important: Clients in the reflection area a p p e a r online a n d active to the external clients;
h o w e v e r m they cannot send or receive messages to a n d from the outside world.
131
132
Chapter 14: Managing Peer-to-Peer Traffic
In a peer-to-peer n e t w o r k , by definition, all nodes h a v e the s a m e role a n d the s a m e i m p o r t a n c e .

C o n t r a r y to the m o r e established client-server model, in w h i c h each machine has one specific role,
each participant in a peer-to-peer n e t w o r k is both a client a n d a server. Each n o d e is a client while
also acting as a server to t h e other nodes.
W h e n more clients are a d d e d to a client-server n e t w o r k (and the n u m b e r of servers does not

change), the performance of the n e t w o r k d e g r a d e s a n d server availability is reduced. In a
peer-to-peer n e t w o r k the a d d i t i o n of n e w n o d e s m a k e s m o r e content available to the community.
It also potentially reduces the load on existing nodes while increasing the n e t w o r k ' s overall
performance a n d fault-tolerance.
How Peer-to-Peer Networks Work

Discovery of other n o d e s in a peer-to-peer n e t w o r k r u n n i n g on the Internet infrastructure presents
s o m e challenges. N o d e s often are b e h i n d firewalls, a n d broadcast requests are not admissible.
Each n o d e needs a starting point to discover other n o d e s , just as the DNS m o d e l needs root
servers, w h i c h are well k n o w n , to locate hosts.
Peers participating in the Gnutella n e t w o r k (the third largest peer-to-peer network) connect to
a b o u t five other n o d e s . T h e initial n o d e s can be h a r d - c o d e d in the d o w n l o a d e d client software or
can be found u s i n g G w e b c a c h e (the Gnutella version of DNS) a n d even IRC. Once a list of nodes is
available to a peer, the host can search for material. Queries are sent to k n o w n hosts; if one of the
hosts has the requested content, it s e n d s it; otherwise, it forwards the request to its o w n list of
k n o w n hosts. Content can be retrieved from m o r e than o n e host at the time; this feature reduces
total d o w n l o a d time a n d b a n d w i d t h c o n s u m p t i o n for the hosts that offer content.
Note: Peer-to-peer n e t w o r k s are designed to bypass traditional firewalls to t u n n e l traffic

over HTTP ports.
Very few, if any, p u r e peer-to-peer n e t w o r k s are used for file sharing today. Gnutella started using
a total peer-to-peer m o d e l ; however, for scalability reasons, it n o w uses a m i x e d - m o d e system.
133
M i x e d - m o d e n e t w o r k s are similar in concept a n d design to the p u r e peer-to-peer n e t w o r k s ; in

a d d i t i o n to the regular p e e r hosts, there are s o m e n o d e s that function as special peers. A special
p e e r is a host that has m o r e information about the s t a t u s of the n e t w o r k a n d can o p e r a t e as an
i n d e x i n g server. Several peers w o r k in conjunction w i t h one special peer; the result is similar to
h a v i n g a series of star n e t w o r k s .
Figure 14-1: Pure peer-to-peer vs. a mixed-mode network with special peers
History of P2P Networks

T h e first peer-to-peer application to become w e l l - k n o w n w a s Napster. This n e t w o r k uses a
centralized indexing server, m a k i n g it not a p u r e peer-to-peer. The content is stored on the
different hosts that participate in the network; this w a s the real revolutionary concept. Software
a n d n e t w o r k s based on centralized indexing are called first generation peer-to-peer n e t w o r k s .
N a p s t e r w a s s u e d over c o p y r i g h t infringement. First-generation n e t w o r k s are easy to s h u t d o w n
b e c a u s e the indexing servers, w h i c h are vital for the n e t w o r k to exist a n d function, are well k n o w n
a n d easily identifiable.
G n u t e l l a w a s d e v e l o p e d as an alternative to the e m b a t t l e d Napster. It uses a p u r e peer-to-peer

n e t w o r k , w h i c h is nearly impossible to s h u t d o w n . If at least t w o hosts are active, the n e t w o r k is
active a n d m o r e hosts can join. Scalability issues h a v e p u s h e d developers to a d d the concept of
special peers. This a p p r o a c h eliminates the scalability concerns while still m a k i n g the n e t w o r k
h a r d to control. As long as at least one special peer a n d o n e peer are active, the n e t w o r k is active
a n d m o r e hosts can join. This a p p r o a c h , originally i n t r o d u c e d by the FastTrack network, is n o w
u s e d by most of the other n e t w o r k s . These n e t w o r k s are k n o w n as second generation peer-to-peer
networks.
T h e third generation of peer-to-peer n e t w o r k s (I2P, Entropy, etc.) leverages the idea of a n o n y m i t y of
t h e participant a n d interaction w i t h t r u s t e d or w e l l - k n o w n peers. These n e t w o r k s are not yet very
p o p u l a r but can further contribute to the uncontrolled a n d u n a u t h o r i z e d distribution of
c o p y r i g h t e d material.
Legal issues
F r o m a legal s t a n d p o i n t , peer-to-peer n e t w o r k s are not illegal per se, unless advertised a n d used
solely (or primarily) to violate c o p y r i g h t laws (or any other law for that matter). In the United
States, the S u p r e m e C o u r t has issued t w o rulings that are relevant to the peer-to-peer n e t w o r k s :
• M G M Studios Inc. vs. Grokster, Ltd. — June 2005
• Sony Corporation of A m e r i c a vs. Universal City Studios Inc. — 1984
In the m o s t recent ruling, the court stated that "We hold that one w h o distributes a device w i t h the
object of p r o m o t i n g its u s e to infringe copyright, as s h o w n by the clear expression or other
affirmative steps taken to foster infringement, is liable for the resulting acts of infringement by
t h i r d parties."
134
A c o m p a n y that allows e m p l o y e e s to access peer-to-peer n e t w o r k s m a y be held liable if its

e m p l o y e e s use the c o m p a n y ' s n e t w o r k resources to d o w n l o a d a n d redistribute c o p y r i g h t e d
content.
Important: The content d o w n l o a d e d by one n o d e is then available to the other u s e r s on the

n e t w o r k w h o m a y d o w n l o a d the s a m e file from that node.
135
Peer-to-Peer Detection - Overview
• Recognizes common P2P traffic through various

proxy service ports
— BitTorrent - FastTrack (Kazaa)
- eDonkey - Gnutella
• Provides policy control of P2P traffic
• Reduces bandwidth consumption and liability risk

of illegal file sharing
Slide 1 4 - 1 : Supported P2P n e t w o r k s
T h e r e is f u n d a m e n t a l difference b e t w e e n P2P n e t w o r k s , P2P protocols, a n d P2P clients.
• P2P n e t w o r k : t h e c o m m u n i t y of clients u s i n g a specific v a r i a n t of a P2P protocol
• P2P protocol: t h e u n d e r l y i n g t e c h n o l o g y t h a t p o w e r s a n e t w o r k
P2P client: t h e u s e r interface t h a t p a r t i c i p a n t s in a c o m m u n i t y u s e
T h e table b e l o w gives y o u a n i d e a o f h o w m a n y different clients s h a r e t h e s a m e technology.
Table 14.1: Networks and clients
BitTorrent ABC, A z u r e u s , BitAnarch, BitComet, BitSpirit, BitTornado, BitTorrent, G3 Torrent,

mlMac, MLDonkey, QTorrent, SimpleBT, Shareaza, TomatoTorrent, TorrentStorm, etc.
Edonkey aMule, eDonkey2000, eMule, LMule, M i n d G e m , MLDonkey, mlMac, Shareaza,
xMule, i M e s h Light, etc.
FastTrack giFT, Grokster, iMesh, Kazaa, KCeasy, M a m m o t h , MLDonkey, mlMac, Poisoned, etc.
Gnutella Acquisitionx, BearShare, BetBug, Cabos, G n u c l e u s Grokster, iMesh, gtk-gnutella,
LimeWire, M L D o n k e y , mlMac, M o r p h e u s , P h e x Poisoned, Swapper, Shareaza, XoloX,
etc.
136
Peer-to-Peer Detection
P2P traffic is detected on

- HTTP
- SOCKS
- TCP-Tunnel port
Slide 1 4 - 2 : P e e r - t o - p e e r detection
The Blue Coat® SG™ s u p p o r t s all the m a i n second-generation networks. It uses a d v a n c e d

protocol-recognition technology to identify the specific P2P protocol, regardless of the destination
port a n d IP a d d r e s s e s .
Some other p r o d u c t s associate P2P traffic w i t h specific ports a n d do not s u p p o r t t u n n e l e d
protocols. The Blue Coat SG examines all the packets it receives for ports on which a service is
r u n n i n g a n d can g r a n u l a r l y analyze the structure of the packet to determine if it is P2P.
Most a d v a n c e d users, a n d s o m e t i m e s even the client software, try to tunnel traffic over
w e l l - k n o w n o p e n ports on firewalls a n d s h a p e traffic to look like HTTP. Some users m a y even try
to t u n n e l the traffic over SOCKS. The Blue Coat SG can detect P2P traffic t u n n e l e d over H T T P or
SOCKS by enabling the Detect Protocol setting for each c o r r e s p o n d i n g service.
P2P applications often use a r a n d o m TCP port to c o m m u n i c a t e . The default proxy service (which
listens on all p o r t s not assigned to other services) can be enabled to detect P2P traffic on any TCP
port. The benefit of the default proxy service is that there is no need to create a service a n d
explicitly define a TCP port, a l t h o u g h this also is an option.
137
Deployment - General Concepts
• P2P traffic on ports without proxy services

will not be detected and cannot be blocked
• Configure the firewall to deny traffic on other ports
Slide 1 4 - 3 : D e p l o y m e n t o p t i o n s f o r P2P d e t e c t i o n
The Blue Coat SG is a device that terminates T C P connections on one side a n d o p e n s n e w

connections on the other side. Connection termination is b a s e d on services r u n n i n g . O n e or more
ports are associated w i t h a r u n n i n g service. T h e d e p l o y m e n t option is irrelevant. If there is no
service listening on a specific p o r t a n d the default proxy service is not enabled, then no action can
be t a k e n on traffic reaching the Blue Coat SG over the r e q u e s t e d port.
For instance, a s s u m e that a P2P application uses port 6134. You h a v e a Blue Coat SG d e p l o y e d in
b r i d g i n g m o d e . The firewall allows all o u t b o u n d traffic. If y o u h a v e not created a service to listen
on port 6134 a n d the default p r o x y service is not listening, then the Blue Coat SG cannot identify
the P2P activity.
On the other h a n d , if the firewall allows all o u t b o u n d traffic a n d the Blue Coat SG default proxy
service is listening, the P2P activity will be detected.
Note: You can e x t e n d the concepts discussed here for the b r i d g i n g m o d e d e p l o y m e n t to all
of the other d e p l o y m e n t s : explicit proxy, Layer 4 switch, WCCP, etc.
138
Sample Deployment
F i r e w a l l a l l o w s all o u t b o u n d t r a f f i c
Firewall allows o u t b o u n d traffic only for the ports controlled by Blue Coat SG
Slide 1 4 - 4 : D e p l o y m e n t o p t i o n s f o r P2P d e t e c t i o n
A successful Blue Coat SG d e p l o y m e n t goes h a n d in h a n d w i t h appropriate firewall policies. No

m a t t e r h o w y o u h a v e d e p l o y e d Blue Coat SG, one f u n d a m e n t a l concept hold true: If the proxy
does not h a v e a service for the traffic that y o u are trying to m a n a g e , no action can be performed.
If y o u d e p l o y the Blue Coat SG in bridging m o d e a n d the firewall allows all o u t b o u n d traffic, y o u

need to enable the default proxy service to ensure that P2P traffic is detected.
If y o u d e p l o y the Blue Coat SG in bridging m o d e a n d the firewall allows only port 80 a n d 443
traffic o u t b o u n d , y o u do not need the default proxy service. P2P traffic will be detected on p o r t 80.
Both configurations g u a r a n t e e that all o u t b o u n d traffic is inspected by the Blue Coat SG. They also
g u a r a n t e e that p r o p e r policies are applied to the traffic; in particular, P2P traffic can be monitored
a n d blocked.
139
Legal Implications of P2P Use
• MGM Studios Inc. vs. Grokster, Ltd. - June 2005

- Operators of P2P networks are liable for copyright
infringement by the users
- The intent of the network needs to be the promotion of
the distribution of copyrighted material
• Sony Corporation vs. Universal Studios - 1984

- A technology, which is not specifically designed to
violate copyright laws, is legal even such use is possible
Slide 1 4 - 5 : Legal i m p l i c a t i o n s of P2P use
P2P n e t w o r k s h a v e been so w i d e l y u s e d to illegally deliver c o p y r i g h t e d material that big

c o m p a n i e s like M G M a n d Sony ( n o w o n e c o m p a n y ) h a v e taken legal action against n e t w o r k
o p e r a t o r s a n d , at times, against the actual e n d users.
The 1984 U.S. S u p r e m e C o u r t ruling ( k n o w n as the Betamax case) established that a technology,
w h i c h can be u s e d to infringe on copyright, is legal, as long as the p r i m a r y scope a n d use of such a
technology are not illegal. For instance, while a VCR can be u s e d to illegally duplicate movies, the
p r i m a r y objective of its m a n u f a c t u r e — a n d that of most users — is to w a t c h movies a n d record
TV p r o g r a m s , both of w h i c h are legal.
Based on the 1984 ruling, M G M h a d to prove, as it successfully did, that the o w n e r a n d operators
of the P2P n e t w o r k targeted, designed, a n d advertised the n e t w o r k w i t h the p r i m a r y intention of
illegally distributing c o p y r i g h t e d material.
The court ruling a n d other relevant legislation in the U.S. m a y be e x t e n d e d to the users of a P2P
n e t w o r k . The mere possession of illegally o b t a i n e d copyrighted material is a crime in the U.S.
Violators can be fined up to $250,000 a n d be s e n t e n c e d to five years in prison.
140
Chapter 15: Notify User Policy
The Blue Coat® SG™ can do m o r e than let y o u control users' Internet activities. It also allows y o u
to explain y o u r o r g a n i z a t i o n ' s Internet usage policies clearly a n d at the most effective time —
w h e n users try to access questionable or forbidden pages.
Notifying users a b o u t policy w h e n they u s e the Internet is a g o o d practice, particularly w h e n y o u

block access to certain types of content. Even if y o u install content-filtering software a n d write
strict Internet u s a g e policy, y o u m a y not see a gain in productivity unless y o u also tell users w h y
they can't v i e w s o m e Web pages. That's because users w h o can't access a site m a y think a n e t w o r k
problem has occurred a n d m a k e u n n e c e s s a r y calls to y o u r organization's help desk.
However, y o u can p r e v e n t that p r o b l e m by creating c u s t o m notification pages. These pages

a p p e a r in users' b r o w s e r s a n d tell t h e m w h y access to certain sites is forbidden or w h y access to
other sites is officially d i s c o u r a g e d even if it is allowed.
The Blue Coat SG o p e r a t i n g s y s t e m allows administrators to create notification pages t h r o u g h the

Visual Policy M a n a g e r (VPM) instead of requiring t h e m to write a d v a n c e d Content Policy
L a n g u a g e (CPL).
The rest of this c h a p t e r introduces the different kinds of notification pages a n d briefly explains
h o w they are created.
141
Notification Types
• Exception page
- Dead end
* Splash page
- Show once
8
Coaching page
- Option to continue
Slide 1 5 - 1 : The t h r e e types of user n o t i f i c a t i o n pages
A d m i n i s t r a t o r s can u s e t h r e e different k i n d s of notification p a g e s to inform u s e r s of their

o r g a n i z a t i o n ' s policies. Each h a s a different p u r p o s e .
T h e table b e l o w p r e s e n t s t h e basic i n f o r m a t i o n a b o u t each k i n d of p a g e .
Table 15.1: Notification Page Types
Exception Every time users try to Blocked To inform users t h a t access

access site is d e n i e d
Splash Once, often each t i m e u s e r s A l l o w e d To r e m i n d users of Internet
launch b r o w s e r usage policy
Coaching Every t i m e users try to A l l o w e d after w a r n i n g To inform users t h a t access
access site is officially p r o h i b i t e d
although
not blocked
T h e following t h r e e p a g e s discuss exception, s p l a s h , a n d c u s t o m p a g e s i n greater detail.
142
Exception Page
• Built-in
- Notify user that access has been denied
- Notify user of network or appliance errors
- Can be customized (better create user-defined ones)
• User-defined
- User-defined to send more specific message
- Can include any HTML or JavaScript code
- Can link external resources (images)
Slide 1 5 - 2 : Exception page details
The Blue Coat SG allows y o u to return t w o different kinds of exception pages: built-in a n d
user-defined pages. Both can tell users that access to a certain site or category of sites — s u c h as
adult, g a m b l i n g , or music d o w n l o a d i n g — is blocked.
Built-in exceptions s e n d information back to users w h e n certain conditions occur, such as w h e n a

request is contrary to policy. Built-in exception pages can be customized; however, built-in
exceptions cannot be deleted, a n d y o u c a n n o t create n e w built-in exceptions.
However, y o u can create y o u r o w n exception pages. In a user-defined exception page, y o u can
write a m o r e specific, detailed message t h a n the ones contained in the built-in exception pages.
You also can use H T M L or JavaScript® code in writing the page or a d d links to external resources,
such as i m a g e s .
Be a w a r e that if a user-defined exception is referenced by policy, it cannot be deleted.
143
Splash Page
• Used to notify users

- Company AUP
- Network outages
- Any global or user-specific message
• After page is displayed, user can access the

requested sites
Slide 1 5 - 3 : Splash page details
Splash p a g e s can be u s e d to deliver a n y m e s s a g e to users. T h e y often notify users of an

o r g a n i z a t i o n ' s Acceptable U s a g e Policy (AUP) for the Internet or inform t h e m of an event, s u c h as
a p l a n n e d n e t w o r k outage.
Splash p a g e s generally a p p e a r at a specific time. For instance, a splash p a g e reminds users that an
A U P could a p p e a r each time they l a u n c h their browsers.
W h e n s p l a s h pages appear, users are not p r e v e n t e d from accessing a n y Web sites or other
resources. If the p a g e a p p e a r s w h e n u s e r s t y p e in a URL, they can access the site they r e q u e s t e d by
clicking the reload b u t t o n on their b r o w s e r s . If the splash p a g e a p p e a r s w h e n the b r o w s e r o p e n s ,
u s e r s can access the site they w a n t by t y p i n g in the URL or selecting a b o o k m a r k as usual.
144
Coaching Page
• Used for sites that should be blocked
• User needs to click on a link to access the

requested resource
• Known also as burn-through feature
Slide 1 5 - 4 : Coaching page details
Coaching pages h a v e a d u a l p u r p o s e : T h e y notify users that a Web site or other resource is

forbidden and they also allow users to access it. Coaching pages are sometimes called
b u r n - t h r o u g h pages or features.
W h e n users see a coaching page, they are informed that their organization's policy prohibits t h e m
from v i e w i n g certain content. However, the coaching p a g e also offers a link to the resource a l o n g
w i t h a w a r n i n g that users' activity will be m o n i t o r e d a n d reported.
Access to the resource is allowed only temporarily; the default is 10 minutes.
You m a y find it useful to use both exception a n d coaching pages. For instance, y o u m a y w a n t to
block users from a d u l t sites a n d return exception pages w h e n they try to access them. You m a y
w a n t to d i s c o u r a g e traffic to travel or Web e-mail sites a n d return coaching pages w h e n users
a t t e m p t to v i e w them.
145
146
Chapter 16: Access Logging
Access logging allows y o u to track traffic for the entire n e t w o r k or specific information on u s e r or
d e p a r t m e n t u s a g e patterns. Each time a u s e r requests a resource, the proxy saves information
a b o u t that request to a file for later analysis.The information t h u s stored is called a log. In a d d i t i o n
to Web policy m a n a g e m e n t , content filtering, a n d Web content virus scanning, companies can
i m p l e m e n t m o n i t o r i n g schemes t h r o u g h the access logging feature. Access logging gives
c o m p a n i e s the ability to audit all traffic for both external a n d internal content requests.
Blue Coat SG can create access logs for the traffic that flows t h r o u g h the system. Each protocol on
the Blue Coat SG can create an access log at the e n d of the transaction for that protocol.For
example, the Blue Coat SG can create access logs for each H T T P request from the client.
The access logs can be directed to one or more log facilities, w h i c h associates the logs with their
configured log formats a n d u p l o a d schedules. Most Web servers s u p p o r t the C o m m o n Logfile
Format (CLF) a n d the Extended Log File Format (ELFF). ELFF is the default log file format on Blue
Coat SG.
Data stored in log facilities can be automatically u p l o a d e d to a r e m o t e location for analysis a n d
archival p u r p o s e s . T h e u p l o a d s can take place using HTTP, FTP or one of several vendor specific
protocols.Once u p l o a d e d , reporting tools such as Blue Coat Reporter can be used to analyze log
files.These logs a n d reports g e n e r a t e d from t h e m can be m a d e available in real-time or on a
s c h e d u l e d basis.
147
Access Logging
• Track Web usage for

- entire network
- specific information on user
- department usage patterns.
• Blue Coat SG creates access logs for each type

of protocol.
Slide 1 6 - 1 : Access l o g g i n g
Access logging helps y o u to track Web u s a g e for the entire n e t w o r k or specific information on u s e r
or for d e p a r t m e n t u s a g e p a t t e r n s . Blue Coat SG s u p p o r t s access logging to help y o u m o n i t o r Web
u s a g e . M o n i t o r i n g allows y o u to detect a n d r e m e d y failures a n d w h e n d o n e pro actively, to
anticipate a n d resolve potential p r o b l e m s before they result in p o o r performance or failure.
Blue Coat SG creates access logs for all traffic flowing t h r o u g h the system. Each n e t w o r k protocol
can create an access log record at t h e e n d of each transaction. T h e access logs, each containing a
single logical file a n d s u p p o r t i n g log format, are m a n a g e d by policies, created t h r o u g h the V P M or
CPL.
Access logs t h u s g e n e r a t e d can be u p l o a d e d to a remote server a n d then be analyzed u s i n g Blue
Coat Reporter for generating reports.
148
Access Logging
Slide 1 6 - 2 : Log creation
Access logs contain data a b o u t u s e r requests a n d the c o r r e s p o n d i n g response from the w e b

servers. An access log record is created only after the transaction is complete.These records are
stored in the Blue Coat SG's disk a n d can be m a d e available for analysis later. Various steps that go
b e h i n d the creation of an access log are:
1. The client s e n d s in a request for a resource.
2. The Blue Coat SG t h e n s e n d s in this request to the Origin Content Server.

3. The Origin Content Server replies w i t h a response to the Blue Coat SG.
4. The Blue Coat SG records this transaction a n d saves it to its disk.
5. The Blue Coat SG s e n d s the response back to the client.
6. An access log for this entire transaction is created after the client receives the response from
the Blue Coat SG.
Note: If the connection is d e n i e d , or the content is served from the cache, Steps 2 a n d 3 are
completed by the proxy.
149
Protocols supporting access logging
v' Endpoint Mapper Proxy s Peer-to-Peer( P2P)
S FTP s Real Media/Quick time
• HTTP S SOCKS
s HTTPS Forward Proxy v'SSL
HTTPS Reverse Proxy ^ TCP Tunnel
• ICP ^ Telnet
^ Instant Messaging (IM) s Windows Media
Slide 1 6 - 3 : Protocols supporting access logging
Blue Coat SG creates access logs for all traffic flowing t h r o u g h the system. In fact, each protocol
can create an access log at the e n d of each transaction for that protocol. For example, an access log
can be created for each H T T P r e q u e s t t h r o u g h the system.
150
Protocols and Default Logs

Protocol Default Log
•y Endpoint Mapper S main
•/ FTP
• HTTP
•/ TCP Tunnel
J Telnet
J HTTPS Reverse proxy
• ICP.SOCKS s no logging
s Instant Messaging </ im
s Peer-to-Peer y
p2p
s Multimedia Streaming s streaming
v SSL, HTTPS •s ssl
Slide 1 6 - 4 : .Protocols and d e f a u l t logs in Blue Coat SG
You can associate a log w i t h a protocol at a n y point of time. But, if you have a policy that defines
protocol a n d log association, that policy will override a n y settings that y o u m a k e . Multiple access
log facilities are s u p p o r t e d in Blue Coat SG, a l t h o u g h each access log s u p p o r t s a single log format.
You can log a single transaction to multiple log facilities t h r o u g h a global configuration setting for
the protocol that can be modified on a per-transaction basis t h r o u g h policy.
If y o u h a v e u p g r a d e d from a previous version of SGOS, s o m e protocols might already be

associated w i t h a specific log format. Old logs are converted to the main log format. You can
globally enable or disable access logging. If access logging is disabled, logging is t u r n e d off for all
log objects. Once globally enabled, connection information is sent to the default log facility for the
service.
The above slide s h o w s the default log association for different protocols in the Blue Coat SG.
Certain protocols like ICP a n d SOCKS do not h a v e a n y logging.
151
Log Facility
Slide 1 6 - 5 : Understanding a log facility
A log facility is a s e p a r a t e log that contains a single logical file that s u p p o r t s a single log
format.The facility contains the file's configuration a n d u p l o a d schedule information.a s well as
o t h e r configurable information, s u c h as h o w often to rotate the logs at the destination, a n d the
p o i n t at w h i c h the facility can be u p l o a d e d etc.
To create a log facility, y o u essentially need to take the following steps:
1. Create a log format (only if y o u use a c u s t o m format)
2. Create a log n a m e a n d assign a format

3. Assign a log to a protocol
4. Configure the u p l o a d client

5. Configure the u p l o a d schedule, rotation s c h e d u l e a n d general settings.
T h e U p l o a d Schedule allows y o u to configure the frequency of the access logging u p l o a d to a

remote server, the t i m e b e t w e e n connection a t t e m p t s , the time between keep-alive packets, the
t i m e at w h i c h the access log is u p l o a d e d , a n d the protocol that is used.
Log rotation helps prevent logs from g r o w i n g excessively large. Especially w i t h a b u s y site, logs
can g r o w quickly a n d b e c o m e too big for easy analysis. With log rotation, the Blue Coat SG
periodically creates a n e w log file, a n d archives the older one w i t h o u t d i s t u r b i n g the current
logfile.
152
Supported Log Formats
• Available log formats

- NCSA Common
- SQUID Compatible
- ELFF
- Smart Reporter
- SurfControl
- Websense
- BC ReporterMain
- BC ReporterSSL
• Custom log formats

- Create your own log format using format strings.
Slide 1 6 - 6 : .Supported log formats in Blue Coat SG
Every access log created, uses a specific log format for logging the transaction.The log format is
specified u s i n g a set of format strings. The log format is highly configurable.
Available log formats are:

• N C S A C o m m o n log format, containing only basic H T T P access information
• SQUID compatible format, designed specifically for cache statistics
Extended Log File Format(ELFF), defined by W3C, a n d general e n o u g h to be used for any
protocol
• SmartReporter
• SurfControl, a proprietary log format compatible w i t h the SurfControl Reporter tool
• WebSense, a p r o p r i e t a r y log format compatible w i t h the WebSense Reporter tool

• BC ReporterMain, a proprietary log format compatible w i t h Blue Coat Reporter tool
Blue Coat SG can create access logs w i t h a n y one of the above available log formats. You can create
additional log formats using ELFF or custom format strings. The ELFF format strings are extended
version of the C o m m o n log format a n d allow y o u to h a v e more control over the data recorded.
153
Upload Logs
Slide 1 6 - 7 : Access Log Upload
Blue Coat SG has the capabilities to u p l o a d the access logs to a remote server u s i n g different types
of u p l o a d clients. D u r i n g the u p l o a d i n g process, the access logs can be digitally signed a n d
e n c r y p t e d for security. You can digitally sign access logs to certify that a particular Blue Coat SG
w r o t e a n d u p l o a d e d this log file. Signing is s u p p o r t e d for b o t h content t y p e s — text a n d g z i p — a n d
for both u p l o a d t y p e s — c o n t i n u o u s a n d periodic. Each log file has a s i g n a t u r e file associated w i t h
it that contains the certificate a n d the digital signature for verifying the log file. The signature file
has the s a m e n a m e as the access log file but w i t h a .sig extension; that is, filename, log. s i g , if the
access log is a text file, or filename, log. g z i p . s i g , if the access log is a gzip file. If y o u use Blue
Coat Reporter for a n a l y z i n g the access logs, y o u need to decrypt the access logs before loading
t h e m into the database.
You can digitally sign y o u r access log files w i t h or w i t h o u t encryption. If the log is both signed
a n d encrypted, the signing operation is d o n e first, m e a n i n g that the signature is calculated on the
u n e n c r y p t e d version of the file. You m u s t d e c r y p t the log file before verifying the file. A t t e m p t i n g
to verify an e n c r y p t e d file fails.
Blue Coat SG s u p p o r t s the following u p l o a d clients:
FTP client, the default u p l o a d client
• HTTP client
• C u s t o m client
• Websense client
The C u s t o m client can be u s e d for special circumstances, s u c h as while w o r k i n g w i t h SurfControl

Reporter. O n l y o n e u p l o a d client can be u s e d by the Blue Coat SG at a n y one time. All four of the
a b o v e m e n t i o n e d u p l o a d clients can be configured, b u t only the selected client is used.
154
Continuous Upload
Slide 1 6 - 8 : C o n t i n u o u s Upload
U n d e r c o n t i n u o u s u p l o a d i n g , the Blue Coat SG continuously streams n e w access log entries to the

remote server from its memory. C o n t i n u o u s u p l o a d i n g can send log information from a Blue Coat
SG farm to a single log analysis tool. This allows y o u to treat multiple Blue Coat SG appliances as
a single entity a n d to review combined information from a single log file or series of related log
files.
W h e n y o u configure y o u r Blue Coat SG for continuous u p l o a d i n g , it continues to stream log files

until y o u stop it. In this context, streaming refers to the real-time transmission of access logs files
using a specified u p l o a d client.
If the remote server is unavailable to receive c o n t i n u o u s upload log entries, the Blue Coat SG saves
the log information on the Blue Coat SG disk. W h e n the remote server is available again, the
appliance r e s u m e s c o n t i n u o u s u p l o a d i n g . W h e n y o u configure a log for continuous uploading, it
continues to u p l o a d until y o u stop it. To s t o p c o n t i n u o u s u p l o a d i n g , switch to periodic u p l o a d i n g
temporarily. This is s o m e t i m e s required for g z i p or encrypted files, w h i c h m u s t stop u p l o a d i n g
before y o u can v i e w t h e m .
C o n t i n u o s u p l o a d i n g allows y o u to:
View the latest log information almost immediately
• Send log information to a log analysis tool for real-time processing a n d reporting
• Maintain Blue Coat SG performance by s e n d i n g log information to the remote server
• Save Blue Coat SG disk space by s a v i n g log information on remote server.
155
Periodic Upload
Slide 1 6 - 9 : Periodic Upload
Blue Coat SG allows y o u to u p l o a d access log files periodically to a r e m o t e server. The u p l o a d

s c h e d u l e feature of the Blue Coat SG allows to configure the frequency of the access logging
u p l o a d , time b e t w e e n connection a t t e m p t s , time at w h i c h the log is u p l o a d e d .
With periodic u p l o a d i n g , the Blue Coat SG transmits log entries on a s c h e d u l e d basis, say once a
d a y or at specific time intervals. The log entries are all are batched, s a v e d to disk a n d t h e n
u p l o a d e d to a remote server at a particular time.
Periodic u p l o a d i n g is a d v i s e d w h e n y o u do not need to analyze the log entries in real time.
156
Log File Encoding
Slide 1 6 - 1 0 : Log file e n c o d i n g
Blue Coat SG allows y o u to u p l o a d either compressed access logs or plain text access logs to the
remote server. Blue Coat SG uses GZIP format to u p l o a d compressed access logs. GZIP
c o m p r e s s e d files allow more log entries to be stored in the Blue Coat SG. C o m p r e s s e d log files
h a v e the extension . log. g z . C o m p r e s s e d access logs can be best u p l o a d e d d u r i n g a periodic or
schedule u p l o a d .
Some of the a d v a n t a g e s of file compression are:

• Reduces the time a n d resources u s e d to p r o d u c e a log file because fewer disk writes are
required for each megabyte of log-entry text
• Uses less b a n d w i d t h w h e n the Blue Coat SG s e n d s access logs to an u p l o a d server
• Requires less disk space.
Plain text access logs h a v e the extension .log. Text log files are best suited for continuous u p l o a d
to a remote server. If y o u w o u l d like to analyze the log data in real time, c o n t i n u o u s u p l o a d u s i n g
text format is advised.
157
158
Chapter 17: Introduction to Reporter
Blue Coat SG access logs help y o u m o n i t o r activity on a network. However, extracting information
from e n o r m o u s log files can be a t e d i o u s a n d time-consuming task. Blue Coat's Reporter p r o v i d e s
a solution: The a d v a n c e d application m a k e s it easy to analyze log files from one or more Blue Coat
SG appliances, enabling organizations to m a n a g e n e t w o r k resources more effectively.
To preserve n e t w o r k a n d u s e r productivity, a n d to maintain a compliant Web environment,

c o m p a n i e s need:
• K n o w l e d g e of w h a t sites users access a n d w h a t content the sites contain
• A w a r e n e s s of s p y w a r e a n d m a l w a r e m a s k e d by Web content
• Identification of i n d i v i d u a l users a n d their activities on the n e t w o r k
• M e t h o d s for customizing, scheduling, a n d distributing reports for different d e p a r t m e n t s
Reporter p r o v i d e s these benefits by w o r k i n g seamlessly w i t h the Blue Coat SG. The Blue Coat SG
records d a t a a b o u t every transaction that passes t h r o u g h it, creating c o m p r e h e n s i v e logs. Reporter
then allows organizations to create pre-defined or custom reports t h r o u g h an easy-to-use Web
interface or t h r o u g h a c o m m a n d line.
An organization can use these reports to:
• Identify violators of Web access policies
• Track user activity that could bring viruses, s p y w a r e , a n d other h a z a r d o u s content into the
network
• C o n s e r v e n e t w o r k resources by identifying abuse patterns
• Set n e w policy or plan n e t w o r k i m p r o v e m e n t s by s t u d y i n g Web use patterns a n d trends
This chapter introduces Reporter, h o w it w o r k s , a n d the benefits it offers. It also discusses the
different versions available.
159
Reporter Deployment
Slide 1 7 - 1 : From access logs to r e p o r t s
R e p o r t e r is a self-contained application that analyzes Blue Coat SG access logs from one or
m u l t i p l e appliances. It includes a p r o p r i e t a r y Web server, a q u e r y engine, an internal database, a
log reader a n d a log parser.
In a typical d e p l o y m e n t , y o u configure y o u r Blue Coat SG appliances to u p l o a d their access log

files to the Reporter server. You can choose o n e of several m e t h o d s — FTP, HTTP, or a direct link to
the Blue Coat SG. The m e t h o d y o u choose d e p e n d s on the t y p e of d a t a a n d report y o u w a n t to
generate.
Note: Be a w a r e that Reporter natively s u p p o r t s only a direct link to the Blue Coat SG. You
m u s t install HTTP or FTP server software in order to take a d v a n t a g e of these u p l o a d
options.
I n s t e a d of u p l o a d i n g the access log files, y o u can copy t h e m o n t o the Reporter server.
You t h e n access Reporter t h r o u g h a Web b r o w s e r a n d use g r a p h i c a l interface to generate, display,

a n d c u s t o m i z e reports.
160
Reporter Functions
• Generating reports on a wide range of data
- 150+ pre-defined reports available

- Reports can be customized
8
Scheduling reports
- At a specific time, periodically, or in real time
8
Exporting reports
- In HTML by scheduled e-mails
- In Excel-compatible format
Slide 1 7 - 2 : Reports can be scheduled and exported
Reporter can create reports on a w i d e range of data, including:
• N e t w o r k traffic • S p y w a r e a n d viruses
• C a t e g o r y of content (including P2P a n d IM) • Time a n d d u r a t i o n of activity
• Protocols • Cost of a resource in bytes or time taken
• User a n d / o r g r o u p activity • Details of u s e r s ' Web sessions
Reporter is d e s i g n e d to meet the r e q u i r e m e n t s of m a n a g e r s t h r o u g h o u t an organization — h u m a n

resources a n d business m a n a g e r s as w e l l as n e t w o r k a d m i n i s t r a t o r s a n d IT professionals. The
application allows y o u to generate m o r e t h a n 150 pre-defined reports.
For example, y o u can generate pre-defined reports giving a s n a p s h o t of Web traffic at a particular
time, identifying the most active users on a network, displaying user activity by risk g r o u p
category, or s h o w i n g which viruses the n e t w o r k has been exposed to.
You also can create c u s t o m reports t h r o u g h a variety of m e t h o d s that will be discussed later in this
chapter.
Reporter allows y o u to generate a report once, s c h e d u l e it to r u n periodically, a n d schedule other

key tasks. For instance, y o u can:
• R u n a report on blocked s p y w a r e before a t t e n d i n g a meeting.
• Generate a report on a particular g r o u p ' s Web u s a g e every Friday at 6 p.m.
• Expire d a t a from a database once the d a t a reaches a certain age, such as 30 days.
In addition, y o u can generate reports in real time, p r o v i d e d that y o u establish a direct link to the
Blue Coat SG a n d configure the a p p l i a n c e to u p l o a d log data continuously. This feature t u r n s the
application's Web interface into an u p - t o - t h e - m i n u t e w i n d o w on n e t w o r k activity.
Reporter also p r o v i d e s t w o m e t h o d s for exporting reports:
• As c o m m a - s e p a r a t e d v a l u e (xsv) text files, which can be v i e w e d and modified in Microsoft

Excel®
161
• In H T M L format, u s i n g R e p o r t e r ' s s c h e d u l i n g features to e-mail reports at a specific t i m e or

periodically
Reporter, t h r o u g h its s c h e d u l i n g features, also allows y o u g e n e r a t e reports as PDF-friendly files.

T h e s e files can be converted to P D F format by uses w h o h a v e PDF-creation software installed on
their c o m p u t e r s .
162
Profiles
Slide 1 7 - 3 : Profiles allow y o u to create databases and run reports
The profile is the m o s t i m p o r t a n t concept to u n d e r s t a n d before y o u can use Reporter effectively. A

profile is a collection of settings that allow y o u to create a database from access log files a n d to
generate reports from those files. The most i m p o r t a n t settings are the name, location, a n d format
of the log file. The profile, in addition to the settings, includes the database created w i t h the
settings.
Slide 17-3 s h o w s the relationship b e t w e e n a profile, access log, database, and users. The Blue Coat
SG u p l o a d s the log files to the Reporter server. The Reporter administrator creates a profile. W h e n
a u s e r requests a report, Reporter builds a database for that profile a n d creates a report derived
from the d a t a in the database. Reporter displays the report in the form of an H T M L page.
An a d m i n i s t r a t o r can associate users w i t h certain profiles, allowing t h e m to generate reports from

the profiles. Because each profile can be u n i q u e , an a d m i n i s t r a t o r can use different profiles to
p r o v i d e users access only to reports they need.
For instance, the m a n a g e r of a h u m a n resources d e p a r t m e n t m a y be able to view reports on w h i c h

categories of content users are accessing. But the m a n a g e r m a y not be able to view reports on
response codes generated by users' requests, w h i c h can be v i e w e d only by m e m b e r s of the IT
team.
163
Profile Selection
Depends on data and reporting needs

® v8 profiles
- Work with Blue Coat SG main log files
- Support many pre-defined reports, real-time reporting
• v7 profiles
- Work with all Blue Coat SG ELFF and Squid formats
and with Blue Coat SG main log files
- Support fewer pre-defined reports - but allow
greater customization
Slide 1 7 - 4 : Profile selection
R e p o r t e r 8 s u p p o r t s t w o t y p e s of profiles, v8 a n d v7, w h i c h y o u create t h r o u g h a profile w i z a r d .

Your selection d e p e n d s on the t y p e of d a t a y o u w a n t to analyze, the format of t h e log file, the size
of the log file, a n d the degree of customization y o u r reports require.
V8 Profiles
Work w i t h Blue Coat SG m a i n format log files
• S u p p o r t a w i d e variety of pre-defined reports
• S u p p o r t direct links to Blue Coat SGs, allowing the creation of reports in real time
• Do not s u p p o r t log filters or a d v a n c e d report filters
• Works w i t h large d a t a sets
V7 Profiles
• Work w i t h all Blue Coat SG ELFF formats — including peer-to-peer, instant messaging, a n d
s t r e a m i n g — a n d w i t h Squid log formats. Also w o r k w i t h m a i n log files if y o u prefer v7 profile
reports or need to a p p l y log filters or a d v a n c e d report filters.
• S u p p o r t fewer pre-defined reports than v8 profiles
S u p p o r t log filters a n d a d v a n c e d report filters
S u p p o r t profiles created in Reporter 7.x (All Reporter 7.1.3 functions available via v7 profiles)
• Do not s u p p o r t direct links to Blue Coat SGs, so do not allow creation of reports in real time
• Works w i t h smaller d a t a sets
164
Enhanced Performance
• New database and parser for v8 profiles

- Log processing is 300% faster than in Reporter 7
• Page view combiner (PVC)

- Reduces time needed to process large amounts of data
- Saves disk space
Slide 1 7 - 5 : Enhanced performance in Reporter 8
Reporter 8 offers behind-the-interface changes that i m p r o v e the application's log processing a n d

database expiration performance c o m p a r e d w i t h p r e v i o u s versions.
Database and Parser for v8 Profiles

The database a n d parser for v8 profiles can h a n d l e very large access log files. The p a r s e r ' s log
reading rate is 62,000 lines p e r second, c o m p a r e d w i t h 16,000 lines per second in Reporter 7.1.3.
For large data sets, the time required to expire data from a database has been r e d u c e d from h o u r s
to seconds.
Page View Combiner

Usage reports, w h i c h can be selected from within the D a s h b o a r d feature in v8 reports, e m p l o y the
Page View C o m b i n e r (PVC) to aggregate data. The PVC takes a p a g e view a n d a d d s all helper
objects referred to by the p a g e view, s u c h as image files. (The Dashboard is discussed later in this
chapter.)
The resulting d a t a b a s e entry inherits all its fields from the p a g e view entry, a n d the counter fields
are a c c u m u l a t e d across all related entries. Also g e n e r a t e d are hits, the total n u m b e r of original log
entries that are i n c l u d e d in this database record.
The PVC p r o v i d e s the following benefits:
• It reduces the n u m b e r of database entries from the original log file, i m p r o v i n g

report-generation performance.
• Resulting d a t a b a s e records more closely represent user b r o w s i n g activity because each object
is not c o u n t e d as a separate entry.
165
Standard v. Entreprise Modes
Standard Enterprise
Profile Unlimited profile

Creation Limited to five creation
Multiple processor
Scalability Single processor support
Extensive ability
Customizing to create, customize,
Reports Limited ability and edit
Slide 1 7 - 6 : The t w o Reporter m o d e s
Reporter operates in t w o m o d e s , S t a n d a r d a n d Enterprise. The S t a n d a r d version is free b u t is more

limited t h a n the Enterprise version, w h i c h requires a license.
T h e list below outlines the differences b e t w e e n the Enterprise a n d S t a n d a r d versions of Blue Coat
Reporter:
• Profiles: With the Enterprise version of Reporter, y o u can create as m a n y profiles as y o u want;
w i t h the S t a n d a r d version, y o u are limited to five profiles.
Multiple Processors: The Enterprise version s u p p o r t s multiple processors; the S t a n d a r d
version s u p p o r t s only one processor.
• R e p o r t / R e p o r t M e n u Editor: The Enterprise version allows y o u to edit the report elements
a n d the report m e n u ; the S t a n d a r d version does not.
Reporter software can be d o w n l o a d e d from the Blue Coat Web site a n d operates by default in
S t a n d a r d m o d e . If y o u evaluate or b u y Enterprise functionality, y o u receive a license key to
activate the Enterprise m o d e . No other licenses are required, except for the Blue Coat SG.
166
Requirements and Setup
• Install Reporter on dedicated hardware

- Windows XP Pro, 2003 Server for Windows
or Red Hat Enterprise
- Follow Configuration and Sizing Guide
• Access Reporter via a Web browser
• Configure Blue Coat SGs to upload log files

- FTP or copying files to server (v7 and v8)
- HTTP (v7)
- Direct link for continuous uploads (v8)
Slide 1 7 - 7 : Reporter r e q u i r e m e n t s and setup
Because Reporter processes very large access log files, it s h o u l d always be installed on h a r d w a r e
dedicated to its sole use. Reporter can r u n on any c o m p u t e r r u n n i n g W i n d o w s ® XP Pro, 2003
Server for W i n d o w s , or Red Hat® Enterprise Linux (ES or AS) — p r o v i d e d that the c o m p u t e r has
e n o u g h processing power, m e m o r y a n d storage.
If y o u plan to install Reporter, y o u s h o u l d consult the Configuration and Sizing Guide on the Blue
Coat Web site ( h t t p : / / w w w . b l u e c o a t . c o m / p r o d u c t s / r e p o r t e r / R e p o r t e r S i z i n g G u i d e . p d f ) . The
g u i d e r e c o m m e n d s m i n i m u m h a r d w a r e specifications based on the n u m b e r of users being
proxied a n d the v o l u m e of logs to be stored in the Reporter database. Some r e c o m m e n d a t i o n s are
discussed later in this chapter.
Once Reporter is installed on y o u r network, y o u access the application from a client c o m p u t e r

t h r o u g h the Internet Explorer® 6.0 or the Firefox® Web browser. The first time y o u access
Reporter, y o u will be p r o m p t e d to create an a d m i n i s t r a t o r u s e r n a m e a n d p a s s w o r d . Only
administrators can create or edit profiles a n d reports; they also grant non-administrators
read-only access to profiles a n d the ability to run reports t h r o u g h those profiles.
You also m u s t transfer log files to a location from w h e r e Reporter can retrieve them. The m e t h o d
y o u choose d e p e n d s on w h e t h e r y o u plan to w o r k w i t h v7 or v8 profiles.
V7 Profiles
Reporter can fetch log files for v7 profiles from:
• An FTP server
• An HTTP s e r v e r
• A local folder
If y o u w a n t to u s e v7 profiles, configure the Blue Coat SG to u p l o a d access log files via FTP or
HTTP, or copy the files to the Reporter server.
167
V8 Profiles
Reporter can retrieve log files for v8 profiles from:
• An FTP server
• A direct link to the Blue Coat SG
• A local folder.
To u s e v8 profiles, configure the Blue Coat SG to u p l o a d access log files via FTP, establish a direct
link b e t w e e n the Blue Coat SG a n d Reporter, or c o p y log files to the Reporter server.
W h e n e v e r y o u create a v7 or v8 profile, Reporter requires y o u to specify the log file location. You
can specify only an FTP server, H T T P server, or local file w h e n y o u create a v7 profile; y o u can
specify only an FTP server, direct link to a Blue Coat SG, or a local file w h e n y o u create a v8 profile.
Once y o u h a v e installed Reporter a n d transferred y o u r log files, y o u u s e R e p o r t e r ' s Web interface

to create profiles a n d generate, customize, a n d s c h e d u l e reports.
168
Viewing Reports
Slide 1 7 - 8 : The Dashboard for v8 profile reports
Reports are H T M L pages that display w i t h i n y o u r Web browser. Report options differ d e p e n d i n g
on w h i c h profile, v8 or v7, is u s e d to generate reports.
A striking feature of Reporter 8 is the D a s h b o a r d , a browser page that allows y o u to view

s i m u l t a n e o u s l y up to 16 u n i q u e m i n i a t u r e reports created with v8 profiles. The D a s h b o a r d
displays automatically after y o u choose a v8 profile a n d then click the Show Reports link on the
Profiles page.
To use the D a s h b o a r d , y o u choose m i n i a t u r e reports to display from the Choose a Report

d r o p - d o w n m e n u in the top right of the page. The reports a p p e a r in individual w i n d o w s as s h o w n
in Slide 17-8. Each w i n d o w contains a link that y o u can click in o r d e r to display the full report.
You can then click on links within the report to "drill down," or focus on specific information.
Some users call the miniature reports widgets. Others call t h e m top 10 reports because m a n y of t h e m
focus on top users, URLs, categories, or s o m e other element of n e t w o r k use.
Note: The D a s h b o a r d is not available for reports created w i t h v7 profiles.
W h e n y o u generate a report created w i t h v7 profiles, an O v e r v i e w Report instead of the

D a s h b o a r d a p p e a r s by default in the central frame of the browser page.
Pre-Defined Reports
Reporter 8 features m o r e than 150 different pre-defined reports. To access the pre-defined report
m e n u for a v8 profile, click the Show Reports link for that profile a n d then, after the D a s h b o a r d
a p p e a r s , click the Reports tab at the top of the page. The browser displays the list of pre-defined
reports in the left navigation area a n d filter options in the central frame.
To access the pre-defined report m e n u for a v7 profile, click the Show Reports link for that profile.
The b r o w s e r displays the list of available pre-defined reports in the left navigation area a n d an
O v e r v i e w report in the central frame.
169
Clicking on the n a m e of a pre-defined report — for either v8 or v7 profiles — displays the

complete report in the browser. Pre-defined reports offer options for customizing, s c h e d u l i n g
reports, a n d s e n d i n g t h e m by e-mail. E x a m p l e s of pre-defined reports include traffic, security,
activity by risk g r o u p category, a n d detailed u s e r activity by d a t e or time.
W h e n y o u create reports w i t h v8 profiles, bear in m i n d that D a s h b o a r d reports a n d pre-defined

reports h a v e different uses. D a s h b o a r d reports are i n t e n d e d for cases w h e n y o u w a n t to
investigate v e r y specific information, particularly in real time. For instance, y o u w o u l d w a n t to
use a D a s h b o a r d report to learn the details of a single u s e r ' s Web activity or w a n t to find out the
top categories of URLs visited.
However, pre-defined reports u s u a l l y c o m b i n e both high-level a n d detailed information. They are

useful for reports that need to be g e n e r a t e d a n d sent to the s a m e p e r s o n on a regular basis. For
instance, y o u w o u l d w a n t to use a pre-defined report if y o u w a n t to list the categories of URLs
that each u s e r visits in a d a y a n d h a v e that report e-mailed once a w e e k to the h u m a n resources
manager.
Real-time Reporting
Reporter 8 s u p p o r t s c o n t i n u o u s u p l o a d s of access logs for reports created with the v8 profile.
D e p e n d i n g on h o w y o u configure y o u r Blue Coat SGs a n d Reporter a n d w h i c h reports y o u select,
y o u can use the D a s h b o a r d to d i s p l a y multiple real-time reports in a single interface.
170
Customizing Reports
• Options within reports allow you to ...

- Change how data is displayed
- "Drill down," or get details of specific elements
- Set date or date range
- Apply filters
• v7 profile setup allows you to pick numeric fields
• Advanced filtering available through CLI
Slide 1 7 - 9 : C u s t o m i z a t i o n o p t i o n s
O n e of R e p o r t e r ' s benefits is the ability to customize reports easily t h r o u g h the Web interface.
O p t i o n s w i t h i n v8 a n d v7 pre-defined reports allow y o u to specify the d a t a in a report a n d h o w it
is d i s p l a y e d in a table.
Clicking on links within a report enables y o u to view detailed information about a specific
report element, s u c h as URLs, content categories, d o m a i n s , a user, a virus, or a response code.
You also can specify a date or d a t e r a n g e a n d a p p l y filters.
• For v8 profile reports, the D a s h b o a r d allows y o u to display the s a m e report in different w a y s

at the s a m e time. For instance, y o u can display a report on top content categories by n u m b e r
of p a g e v i e w s as a table next to the s a m e report in the form of a pie chart.
• W h e n y o u create a V7 profile, y o u can specify which numerical fields — such as bytes, p a g e

views, a n d visitors — will a p p e a r in the reports generated w i t h that profile.
• You can a p p l y customization w h e n y o u export reports as x s v files a n d o p e n t h e m in Excel;

y o u can then modify t h e m like a n y other Excel spreadsheet.
Reporter a d m i n i s t r a t o r s also can create filters t h r o u g h the c o m m a n d line interface (CLI); however,
that is an a d v a n c e d task.
171
Reporter Sizing Guide
MINIMUM RECOMMENDED HARDWARE SPECIFICATIONS
Available
Disk
Options CPU RAM Storage Drives Space* OS
1 x P4 (2.8 GHz Windows XP

or faster) and 2003
Xeon (2.8 GHz Internal SCSI 15K Servers, Red
1 or faster) 2GB Controller RPM/RAID 0 X25 Hat Linux
Internal Dual- Windows XP

Channel SCSI or and 2003
2 x Xeon (2.8 External Fibre 15K Servers, Red
2 G H z or faster) 4 GB Channel RPM/RAID 0 X25 Hat Linux
Internal Dual- Windows XP

Channel SCSI or and 2003
4 x Xeon (2.8 External Fibre 15K Servers, Red
3 G H z or faster) 8 GB Channel RPM/RAID 0 X25 Hat Linux
* Total amount of compressed logs
Slide 1 7 - 1 0 : Sizing r e c o m m e n d a t i o n s f o r Reporter
Blue Coat strongly r e c o m m e n d s t h a t y o u follow the r e c o m m e n d a t i o n s in the Configuration and

Sizing Guide w h e n y o u install Reporter. Following the r e c o m m e n d a t i o n s will help ensure that y o u
achieve the best possible performance from the application.
The G u i d e ' s first r e c o m m e n d a t i o n is to choose one of three h a r d w a r e options. The options are
b a s e d on the n u m b e r of users being proxied a n d on r e p o r t i n g d a y s , the m a x i m u m n u m b e r of d a y s
of logs in the Reporter database.
The n u m b e r of users being proxied ranges from fewer t h a n 1,000 to m o r e than 5,000; the n u m b e r
of r e p o r t i n g d a y s ranges from o n e m o n t h to three m o n t h s . The table in Slide 17-10 displays s o m e
of the r e c o m m e n d e d specifications for each of the three h a r d w a r e options.
T h e Configuration and Sizing Guide also includes r e c o m m e n d a t i o n s for creating v8 a n d v7 profile

a n d for log filtering.
T h e Guide is available on the Blue Coat Web site:
http://www.bluecoat.com/products/reporter/ReporterSizingGuide.pdf
172
Chapter 18: Blue Coat AV
Web v i r u s s c a n n i n g is the process of p r o v i d i n g content s c a n n i n g for files infected w i t h an

Internet-based threat (virus, w o r m , Trojan or spyware). These viruses can be b r o u g h t into a
c o m p a n y t h r o u g h Web-based e-mail p r o g r a m s or other Web-enabled applications. Until recently,
Web virus s c a n n i n g solutions w e r e too slow to be practical. In traditional e-mail antivirus (AV)
p r o g r a m s , users do not k n o w they h a v e a message until after it is scanned. However, Web AV
m u s t be high-performance because users are a w a r e of a n d w a n t to access content before s c a n n i n g
starts. For instance, users w a n t to click on links in an e-mail m e s s a g e or in a Web p a g e — both of
w h i c h require separate scanning.
T h e Blue Coat SG a n d Blue Coat AV appliances p r o v i d e the performance n e e d e d for t o d a y ' s Web
e n v i r o n m e n t s . The virus-checking capabilities are i m p l e m e n t e d t h r o u g h an offbox solution that
uses the Internet Content A d a p t a t i o n Protocol (ICAP) as the c o m m u n i c a t i o n m e c h a n i s m b e t w e e n
the Blue Coat SG a n d the Blue Coat AV. The policy definition for content scanning is fully
i n t e g r a t e d into the policy f r a m e w o r k a n d is defined using the either the M a n a g e m e n t Console or
C o n t e n t Policy L a n g u a g e (CPL).
A Blue Coat ICAP configuration allows administrators to select the virus-scanning servers that are
to be u s e d by the Blue Coat SG appliance. The Blue Coat SG ICAP implementation is fully
compatible w i t h Blue Coat AV, Finjan SurfinGate™, Symantec® A n t i v i r u s Scan Engine (SAVSE)
Server, Trend Micro InterScan® Web Security Suite (IWSS), a n d Webwasher®.
Before g o i n g into more detail a b o u t Blue Coat AV a n d ICAP, it is i m p o r t a n t that y o u become

familiar w i t h several key ICAP terms.
• ICAP resource: A n e t w o r k d a t a object or service that can be identified by a URL Unlike HTTP,
the URI refers to an ICAP service that performs a d a p t a t i o n s of HTTP messages.
• ICAP server. An application p r o g r a m that accepts connections in order to service ICAP

requests by s e n d i n g back responses. In Blue Coat d e p l o y m e n t s , the ICAP server is the Blue
Coat AV.
• ICAP client. A p r o g r a m that establishes connections to ICAP servers for the p u r p o s e of
s e n d i n g requests. An ICAP client is often, but not always, a surrogate acting on behalf of a
user. In Blue Coat d e p l o y m e n t s , the ICAP client is the Blue Coat SG.
REQMOD: ICAP request modification m o d e .
• RESPMOD: ICAP response modification m o d e .
173
What is Blue Coat AV ?
• Powerful defense against

- Viruses and worms
- Spyware and trojans
• Protects often overlooked "back doors"

- Personal Web e-mail accounts
- Web content or e-mail spam with trojan or spyware
- Browser-based file downloads that bypass existing
virus-scanning defenses
Slide 1 8 - 1 : Blue Coat AV p r o t e c t i o n
Traditional, Web antivirus g a t e w a y s often lack scalability a n d performance for HTTP a n d FTP
scanning, leaving d e s k t o p s to defend themselves. The Blue Coat AV, c o m b i n e d w i t h the Blue Coat
SG, p r o v i d e s scalability for v i r u s scanning, as well as c o m p l e t e visibility a n d control of enterprise
Web c o m m u n i c a t i o n s .
The Blue Coat AV enables o r g a n i z a t i o n s to scan for viruses, w o r m s , s p y w a r e , a n d Trojans entering
t h r o u g h Web-based b a c k d o o r s , including:
Personal Web e-mail accounts, w h e r e a majority of viruses a n d w o r m s p r o p a g a t e
Web s p a m or e-mail s p a m , w h i c h can activate Trojan d o w n l o a d s or h i d d e n s p y w a r e

• Browser-based file d o w n l o a d s that b y p a s s existing virus-scanning defenses
174
Blue Coat AV Virus-Scanning Server
• Blue Coat AV uses ICAP to communicate with

Blue Coat SG
• One Blue Coat AV can support multiple Blue

Coat SGs
• Blue Coat AV supports

- Kaspersky
- Sophos
- McAfee
- Panda
Slide 1 8 - 2 : Blue Coat AV details and capabilities
B l u e Coat S G T h e Blue Coat SG a n d Blue Coat AV appliances c o m m u n i c a t e using an e n h a n c e d

a n d o p t i m i z e d version of ICAP, enabling superior performance, reliability, a n d e r r o r / e x c e p t i o n
h a n d l i n g over software-based ICAP servers. (ICAP is described in more detail in the following
pages.)
A single Blue Coat AV can s u p p o r t multiple Blue Coat SG appliances. While the Blue Coat SG
p r o v i d e s flexible a n d g r a n u l a r control of Web traffic a n d access, the Blue Coat AV provides
high-performance AV s c a n n i n g of both cached a n d non-cached content. The Blue Coat SG a n d the
Blue Coat AV share u n d e r l y i n g Blue Coat processes, w h i c h allows for easy d e p l o y m e n t a n d
integration. Once integrated, this solution allows for the s c a n n i n g a n d p u r g i n g of harmful viruses
a n d other malicious c o d e w i t h o u t compromising the n e t w o r k control, b a n d w i d t h gains, or
security gained t h r o u g h the proxy.
Blue Coat AV s u p p o r t s a r a n g e of virus scanning applications, including:
• Kaspersky®
• Sophos
• McAfee®
• Panda
175
Why Blue Coat AV?
• Performance
- ICAP server = separate processor
- Performance = an order of magnitude better
• Choice
- Blue Coat AV allows different AV vendors
- Automatically download pattern files daily
• Continue Integration
- Integrate the Blue Coat AV and Blue Coat SG
Slide 1 8 - 3 : Blue Coat AV benefits
Blue Coat SGBecause v i r u s protection applications are v e r y resource-intensive, u s i n g a proxy or

firewall for virus s c a n n i n g u s u a l l y results in unacceptable overall performance. Blue Coat solves
this p r o b l e m by d e p l o y i n g a d e d i c a t e d virus scanning offbox solution, the Blue Coat AV. For
i m p r o v e d performance, Blue Coat AV scans only Web objects f o r w a r d e d from the Blue Coat SG —
s c a n n i n g t h e m at w i r e s p e e d . This is possible because Blue Coat AV C P U processing is focused on
virus-scanning heuristics d e s i g n e d to maximize t h r o u g h p u t .
Virus u p d a t e s to the Blue Coat AV are a u t o m a t e d w i t h definable schedules, a n d cached content is

automatically cleared w i t h each u p d a t e .
Integration b e t w e e n the Blue Coat AV a n d the Blue Coat SG is seamless w i t h default
configurations o p t i m i z e d for performance. By utilizing the Blue Coat SG a n d Blue Coat AV y o u
gain performance a n d scalability (up to 250+ M b p s H T T P t h r o u g h p u t ) along w i t h Web-content
control. The c o m b i n e d s o l u t i o n offers an integrated s y s t e m w i t h cache intelligence. Virus-free
content is cached for a "scan once, serve m a n y " benefit w h e n scanning cacheable Web objects.
Heuristic fingerprints are utilized for non-cacheable content to avoid r e d u n d a n t scanning. The
content cache also rescans itself after an AV u p d a t e based u p o n user requests.
176
ICAP FundamentaSs
• Internet Content Adaptation Protocol
• Lightweight protocol for executing a "remote

procedure call" on HTTP messages
• Server executes its transformation service

{adaptation) on messages and sends back
responses to the client, usually with modified
messages
Slide 1 8 - 4 : ICAP fundamentals
As RFC 3507 states, "ICAP, the Internet Content A d a p t a t i o n Protocol, is a protocol a i m e d at

p r o v i d i n g simple object-based content vectoring for H T T P services. ICAP is, in essence, a
lightweight protocol for executing a 'remote p r o c e d u r e call' on HTTP messages."
The protocol enables ICAP clients (like the Blue Coat SG) to pass HTTP messages to ICAP servers
(like the Blue Coat AV) for s o m e sort of transformation or other processing (hence the t e r m
"adaptation"). The ICAP server executes its transformation service on messages a n d s e n d s back
responses to the client, u s u a l l y w i t h modified messages. Typically, the a d a p t e d messages are
either H T T P requests or H T T P responses.
ICAP off-loads specific Internet-based content to d e d i c a t e d servers that are o p t i m i z e d to perform

specialized tasks, s u c h as virus scanning. This frees up resources on the proxy or firewall.
ICAP is a r e q u e s t / r e s p o n s e protocol similar in semantics a n d usage to H T T P / 1 . 1 . Despite the

similarity, ICAP is not HTTP, n o r is it an application protocol that r u n s over HTTP. This means, for
example, that ICAP m e s s a g e s cannot be forwarded by H T T P surrogates.
177
Blue Coat Educational Services BCCPA Course V 1.7.1
ЮАР Fundamentals
Slide 1 8 - 5 : ICAP client/server interaction
Blue C o a t S G B l u e C o a t S G T h e c o m b i n a t i o n o f t h e I C A P server a n d its a p p l i c a t i o n a r e k n o w n a s

an ICAP service. T h e I C A P service is registered w i t h t h e I C A P client, w h i c h in this case is t h e Blue
C o a t SG. T h e I C A P client s e n d s client r e q u e s t s or r e s p o n s e s to the I C A P server (the Blue Coat AV)
for p r o c e s s i n g (virus s c a n n i n g ) . T h e ICAP server (Blue C o a t AV) t h e n r e t u r n s t h e p r o c e s s e d
request or r e s p o n s e to t h e Blue C o a t SG, or r e t u r n s an error.
T h e r e are five s t e p s to d e p l o y i n g I C A P w i t h t h e Blue C o a t SG a n d t h e Blue C o a t AV a p p l i a n c e s :
1. Define a n d configure t h e I C A P o p t i o n on the Blue C o a t SG.
2. Define a n d configure I C A P settings for t h e Blue C o a t AV.
3. Configure a n d c o n s t r u c t a Blue C o a t policy w i t h t h e desired v i r u s s c a n n i n g exactness.
4. C r e a t e an o p t i o n a l p a t i e n c e p a g e .
5. Test t h e configuration a n d n e w policy.
178
ЮАРREQMOD
• ICAP client sends an HTTP request to an

ЮАР server
• The ICAP server may then:

- Send back a modified version of the request
- Send back an HTTP response to the request
- Return an error
Slide 1 8-6: ICAP REQMOD details
The "request modification" (REQMOD) m o d e is u s e d to s e n d client requests to the I C A P server

for processing. The I C A P server m a y t h e n :
S e n d back a modified version of the request. T h e ICAP client m a y t h e n p e r f o r m t h e modified

request by c o n t a c t i n g an origin server. Or, it m a y pipeline the modified request to a n o t h e r
ICAP server for further modification.
• Send back an H T T P r e s p o n s e to t h e request. This is u s e d to p r o v i d e i n f o r m a t i o n useful to the

u s e r in case of an e r r o r (e.g., " y o u s e n t a r e q u e s t to v i e w a p a g e y o u are not a l l o w e d to see").
• R e t u r n an error.
I C A P clients m u s t be able to h a n d l e all t h r e e types of responses. However, I C A P clients do have

flexibility in h a n d l i n g errors. If t h e ICAP server r e t u r n s an error, the ICAP client m a y (for
example) r e t u r n the e r r o r to the user, execute t h e u n a d a p t e d request as it a r r i v e d from the client,
or re-try the a d a p t a t i o n again.
179
ICAP REQMOD
• REQMOD
- Scan HTTP PUT requests
- Scan FTP upload requests
- Scan POST request bodies
• Used for scanning outgoing Web-based e-mail
Slide 1 8 - 7 : How REQMOD is used
T h e R E Q M O D m e t h o d enables s c a n n i n g of H T T P P U T r e q u e s t s a n d H T T P P O S T request bodies.

FTP u p l o a d r e q u e s t s a n d o u t g o i n g Web mail are also s c a n n e d . T h e following e x a m p l e s h o w s t h e
m e s s a g e an I C A P client m i g h t s e n d to an I C A P server. H e r e , t h e R E Q M O D m e t h o d a p p l i e s to a
P O S T request. T h e I C A P client s e n d s :
REQMOD icap://icap-server.net/server?arg=87 ICAP/1.0

Host: icap-server.net
Encapsulated: req-hdr=0, req-body=147
POST /origin-resource/form.pi HTTP/1.1
Host: www.origin-server.com
Accept: text/html, text/plain
Accept-Encoding: compress
Pragma: no-cache
180
Blue Coat SG and Blue Coat AV
Processing Requests (REQMOD)
Slide 1 8 - 8 : How processes requests
Blue Coat SGBlue Coat S G T h e typical p a t h for requests that are to be modified by the R E Q M O D
m e t h o d is as follows.
1. A client m a k e s a request to the Blue Coat SG (known as the ICAP client) for an object on an
origin server.
2. The Blue Coat SG s e n d s the request to the Blue Coat AV (known as the ICAP server).
3. The Blue Coat AV executes the ICAP resource's service (the a d m i n i s t r a t o r determines the
actual services performed by the ICAP server) on the request a n d s e n d s the (possibly
modified) request back to the Blue Coat SG.
4. The Blue Coat SG s e n d s the request to the origin server.
5. The origin server r e s p o n d s to the request a n d delivers it to the Blue Coat SG.
6. The Blue Coat SG s e n d s the reply to the client.
181
Blue Coat Educational Services — ВССРА Course v 1.7.1
ICAP RESPMOD
• ICAP client sends an HTTP response to

an ICAP server
• The ICAP server may then:

- Send back a modified version of the response
- Return an error
Slide 1 8 - 9 : ICAP RESPMOD details
I n t h e " r e s p o n s e modification" (RESPMOD) m o d e , a n I C A P client s e n d s a n H T T P r e s p o n s e t o a n

I C A P server. (The r e s p o n s e s e n t by t h e I C A P client typically h a s b e e n g e n e r a t e d by an origin
server.) T h e I C A P server m a y t h e n :
• Send back a modified version of t h e r e s p o n s e .
• R e t u r n an error.
T h e r e s p o n s e modification m e t h o d is i n t e n d e d for post-processing p e r f o r m e d on an H T T P

r e s p o n s e before it is delivered to a client.
182
ICAP RESPMOD
• RESPMOD
- Virus scanning of HTTP and FTP (RETR)
- Virus scanning of FTP over HTTP
• Used for scanning incoming Web-based

e-mail and file downloads
Slide 1 8 - 1 0 : H o w RESPMOD is used
The RESPMOD m e t h o d enables s c a n n i n g of HTTP responses, FTP RETR responses (remote s y s t e m

file retrieval), a n d FTP over HTTP. I n c o m i n g Web mail a n d file d o w n l o a d s are also scanned. The
following e x a m p l e s h o w s the RESPMOD m e s s a g e applied to an origin server response from a G E T
request. The ICAP client s e n d s a message similar to the following:
RESPMOD icap://icap.example.org/satisf ICAP/1.0
Host: icap.example.org
Encapsulated: req-hdr=0, res-hdr=137, res-body=296
GET /origin-resource HTTP/1.1
Host: www.origin-server.com
Accept: text/html, text/plain, image/gif
Accept-Encoding: gzip, compress
183
Blue Coat SG and Blue Coat AV
Processing Responses (RESPMOD)
Slide 1 8 - 1 1 : How processes r e s p o n s e s
Blue C o a t SGBlue Coat S G T h e typical p a t h for responses that are to be modified by the
R E S P M O D m e t h o d is as follows.
T h e following steps s h o w this process:
1. A client m a k e s a request to t h e Blue Coat SG (known as the ICAP client) for an object on an
origin server.
2. T h e Blue Coat SG s e n d s the request to the origin server.
3. The origin server returns the object to the Blue Coat SG, w h i c h s e n d s the response to the Blue
Coat AV.
4. T h e Blue Coat AV executes the ICAP resource's service on the response a n d s e n d s the
(possibly modified) response back to the Blue Coat SG.
5. The Blue Coat SG s e n d s the r e s p o n s e to the client.

T h e Blue Coat SG caches the safe object. A n y additional requests for the s a m e content are h a n d l e d
by the Blue Coat SG w i t h o u t a rescan of the content — t h u s a v o i d i n g additional load on the Blue
Coat AV.
184
Sample Deployment - XYZ Inc.
Slide 1 8 - 1 2: Sample ICAP d e p l o y m e n t
Blue Coat SGYou m u s t d e p l o y the Blue Coat AV a n d the Blue Coat SG in the s a m e n e t w o r k
s e g m e n t . As Slide 18-12 illustrates, the Blue Coat SG cannot act as an ICAP server for ICAP clients
o u t s i d e the local network.
A typical m a i n office deployment.consists of one Blue Coat SG 800 serviced by several Blue Coat
AV appliances. D e p l o y i n g several Blue Coat AV appliances e n h a n c e s scanning performance
because ICAP requests are load-balanced across them. Branch offices are typically served by o n e
Blue Coat SG 200 a n d one Blue Coat AV.
185
186
Chapter 19: Service and Support
Blue Coat Systems s u p p o r t s its p r o d u c t s with an o u t s t a n d i n g customer s u p p o r t p r o g r a m . All Blue

Coat p r o d u c t s come w i t h a 90-day software a n d one-year h a r d w a r e warranty. All Blue Coat
s u p p o r t services include a W e b P o w e r p a s s w o r d that provides access to the following:
• Online access to o p e n technical s u p p o r t cases, allowing y o u to review o p e n cases a n d a d d

c o m m e n t s to existing cases
• Exclusive s u p p o r t d o c u m e n t a t i o n , installation notes, a n d FAQs
All Blue Coat h a r d w a r e p r o d u c t s include:
• 90-day p h o n e s u p p o r t w a r r a n t y
• 90-day Blue Coat O p e r a t i n g System software w a r r a n t y
• 1-year h a r d w a r e w a r r a n t y
90-day technical s u p p o r t a n d software w a r r a n t y

For the first 90 days, c u s t o m e r s will receive 8 x 5 (8 h o u r s a day, 5 days a week) technical p h o n e
s u p p o r t . S u p p o r t includes assistance w i t h configuration, a n d identification of h a r d w a r e a n d
software problems. S u p p o r t m a y also include logging into customer systems for diagnosis of
p r o b l e m s or providing a w o r k - a r o u n d .
The 90-day w a r r a n t y also includes access to all m i n o r a n d maintenance releases of Blue Coat
Systems operating s y s t e m software.
For the first 90 d a y s of the warranty, if Blue Coat d e t e r m i n e s that a problem is caused by a
h a r d w a r e failure, it will a d v a n c e ship a replacement unit w i t h i n five business days.
For the r e m a i n i n g nine m o n t h s of the warranty, h a r d w a r e will be repaired u n d e r o u r Return for

Repair or Replacement service. All Blue Coat Systems service offerings are designed to protect
y o u r business in the event of a h a r d w a r e failure, yet m a i n t a i n the flexibility required to meet y o u r
organization's specific logistical a n d b u d g e t needs.
Teamed together, Blue Coat Systems products a n d service offerings provide the protection a n d
flexibility required to k e e p y o u r n e t w o r k up a n d r u n n i n g .
W o r l d w i d e Service includes:
• P l a t i n u m Service
• Unlimited 24 x 7 (24 h o u r s a day, 7 days a week) P h o n e Support
187
• 8 x 5 Web S u p p o r t
o A d v a n c e H a r d w a r e Replacement
• Unlimited Access to OS Software Releases
• Gold Service
• Unlimited 8 x 5 P h o n e S u p p o r t
a 8 x 5 Web S u p p o r t
o A d v a n c e H a r d w a r e Replacement
a U n l i m i t e d Access to OS Software Releases
T h e following information is required for all issues sent to Blue Coat Support:
• Contact Information:
• Company name
o Contact n a m e
• Phone number
• E-mail a d d r e s s
• H a r d w a r e Serial N u m b e r :
• Issue:
• Description:
• Time (s)/Frequency:
a Expectation:
• Reproducible (yes | no):

O Other Comments:
• http://x.x.x.x:yyyy/Sysinfo
Information from "Specific R e q u i r e m e n t s " sections covers specific issues
Sending files to Blue Coat: h t t p s : / / u p l o a d . b l u e c o a t . c o m
• Put all files in o n e zip file
• Service Request (SR) n u m b e r

Blue Coat S u p p o r t Policy
• Make all reasonable efforts to protect o u r customer's investments.
Meet c h a n g i n g m a r k e t d e m a n d s for n e w features, p r o d u c t s , a n d services.
Provide information to c u s t o m e r s that will help to p r o v i d e g u i d a n c e in m a k i n g purchase,

u p g r a d e , a n d d e p l o y m e n t decisions.
Contact Blue Coat Systems at:
+1.866.302.2628 Toll Free (USA)

+1.408.220.2199 Direct
+1.408.220.2250 Fax sales@bluecoat.com
188
Support Organization
• Professional Services
- Installations
- Deployment
- Upgrades
• Support Services
- Licensing
- Renewals
- WebPower logins
• Technical Support
- Software troubleshooting
- Hardware troubleshooting
- RMAs
Slide 1 9 - 1 : Support o r g a n i z a t i o n
Professional Services
Blue Coat professional services is dedicated to providing superior on-site service for c u s t o m e r s .
The professional service organization is, in essence, a consulting t e a m w h o s e p r i m a r y
responsibilities are:
• Installation a n d configuration of Blue Coat products
• C u s t o m i z a t i o n of a d v a n c e d features
• Environment-specific k n o w l e d g e transfer
Note: Professional services are available for an additional per diem fee a n d are not i n c l u d e d
in any s u p p o r t contract.
Support Services
Blue Coat Systems s u p p o r t s its p r o d u c t s with o u t s t a n d i n g customer s u p p o r t p r o g r a m s d e s i g n e d

to p r o v i d e seamless operation of Blue Coat products in the operating environment. All Blue Coat
p r o d u c t s come w i t h a 90-day software a n d one-year h a r d w a r e warranty. All Blue Coat s u p p o r t
services include a W e b P o w e r p a s s w o r d that provides access to the following:
• Online access to o p e n technical s u p p o r t cases, allowing y o u to review o p e n cases a n d a d d

c o m m e n t s to existing cases
• Exclusive s u p p o r t d o c u m e n t a t i o n , installation notes, a n d FAQs
189
W i t h three s u p p o r t centers strategically positioned a r o u n d the globe, Blue Coat Systems'

k n o w l e d g e a b l e a n d experienced o n - d u t y staff is e q u i p p e d to deliver w o r l d w i d e t e l e p h o n e
s u p p o r t in English, Chinese, Japanese, a n d other l a n g u a g e s . S u p p o r t is available 24 h o u r s a day, 7
d a y s a w e e k (for c u s t o m e r s w i t h P l a t i n u m s u p p o r t ) .
T h e Blue Coat technical s u p p o r t centers are located in:
Sunnyvale, California, U n i t e d States
• London, United K i n g d o m
• Kuala L u m p u r , Malaysia
• Tokyo, J a p a n
Your call m a y be t r a n s p a r e n t l y r o u t e d to the m o s t available technical assistance center (TAC),

b a s e d on the time of y o u r call a n d the region of the w o r l d y o u are calling from.
190
Support Agreements and Services
• Flexible service level agreements

- Platinum (24x7)
- Gold (8x5)
• Advance hardware replacement

- "Same Day Ship" hardware replacement service
® Online Services
- Case Management (WebPower)
- Documentation
- Licensing & Asset Database
- Instant Support
- Forums
Slide 1 9 - 3 : Support a g r e e m e n t s and services
Platinum Support
Products covered u n d e r P l a t i n u m Service are entitled to Technical Phone S u p p o r t for an u n l i m i t e d
n u m b e r of incidents 24 h o u r s a day, 7 d a y s a w e e k — a n d 8 x 5 Technical Online S u p p o r t d u r i n g
regular business h o u r s (see Limitations).
Blue Coat Systems p r o v i d e s quality technical s u p p o r t in accordance with generally recognized

business practices a n d s t a n d a r d s . Technical s u p p o r t p r o v i d e s assistance in the usage of covered
E q u i p m e n t a n d Software including product configuration, identification of h a r d w a r e or software
problems, a n d d o w n l o a d i n g of Software U p d a t e s . S u p p o r t m a y also include logging into
customer s y s t e m s for diagnosis of problems or p r o v i d i n g a w o r k - a r o u n d w h e n possible.
Products covered u n d e r P l a t i n u m Service are entitled to a d v a n c e replacement of h a r d w a r e

products, prior to Blue Coat Systems receiving the faulty item.
Gold Support
Products covered u n d e r Gold Service are entitled to 8 x 5 technical p h o n e a n d online s u p p o r t for
an unlimited n u m b e r of incidents d u r i n g regular business h o u r s (see Limitations).
Products covered u n d e r Gold Service are entitled to a d v a n c e replacement of h a r d w a r e products,

prior to Blue Coat Systems receiving the faulty item.
Advance Hardware Replacement

H a r d w a r e will be s h i p p e d s a m e day, w h e n R M A Requests are received d u r i n g regular business
h o u r s a n d d e e m e d necessary by Technical S u p p o r t before the R M A cut off time (see Limitations).
Requests received or verified by Blue Coat Systems Technical S u p p o r t after the cut off time will
ship the following business day.
191
All replacement parts will be furnished on an e x c h a n g e basis at no cost to the c u s t o m e r a n d will be

s t a n d a r d or reconditioned c o m p o n e n t s of equal or greater quality, revision level, a n d functionality.
Units verified (by a Blue Coat Systems Technical S u p p o r t Engineer) as an O u t of Box Failure will
be a d v a n c e d replaced w i t h a n e w p r o d u c t of the s a m e m a k e a n d m o d e l n u m b e r of the original. All
commercially-reasonable efforts will be m a d e to get the replacement p r o d u c t delivered.
C u s t o m e r s will be responsible for s h i p p i n g inoperable units or subassemblies back to Blue Coat

Systems, i m m e d i a t e l y after the replacement is received. If the inoperable unit or s u b a s s e m b l y is
n o t r e t u r n e d to Blue Coat Systems within fourteen d a y s of receipt of the replacement, the
C u s t o m e r shall p a y the list price p e r unit as stated in the then-current Blue Coat Systems, Inc.
price list. C u s t o m e r failure to p a y the list price or return E q u i p m e n t p r o m p t l y will result in the
s u s p e n s i o n of Services by Blue Coat Systems.
If, d u r i n g any o n e (1) y e a r period, more than fifteen percent (15%) of the units or subassemblies
r e t u r n e d to Blue Coat Systems for replacement are d i a g n o s e d as "No Trouble Found," C u s t o m e r
m a y be charged a fee of five percent (5%) of the t h e n - c u r r e n t list price of the actual u n i t or
s u b s e q u e n t p r o d u c t (where the actual p r o d u c t is obsolete) for each unit or s u b a s s e m b l y r e t u r n e d
after the fifteen (15%) percent threshold has been r e a c h e d — n o t including the u n i t w h o s e return
results in meeting the fifteen (15%) threshold. Blue Coat Systems will p r o v i d e w r i t t e n notification
to C u s t o m e r in the event it i n t e n d s to a p p l y the fee identified in this p a r a g r a p h .
All Software p r o v i d e d p u r s u a n t to a Service Offering will be g o v e r n e d u n d e r the s a m e t e r m s a n d
conditions as set forth in the license a g r e e m e n t a c c o m p a n y i n g the original software licensed by
Customer. C u s t o m e r has the right to duplicate d o c u m e n t a t i o n for its o w n internal use—in
quantities equal to the n u m b e r of units of e q u i p m e n t a n d software specified on the p u r c h a s e
o r d e r — p r o v i d e d that all copyright, t r a d e m a r k , a n d other proprietary rights notices are also
r e p r o d u c e d in the s a m e form a n d m a n n e r as on the original m e d i a provided.
Limitations
Technical P h o n e S u p p o r t is p r o v i d e d in English 8 h o u r s a day, 5 days a week, excluding holidays.
WebPower
W e b P o w e r is Blue Coat System's online C u s t o m e r S u p p o r t Service. W e b P o w e r users receive
i m m e d i a t e , p e r s o n a l a n d secure Web access to Blue Coat Systems information a n d resources 24
h o u r s a day, 7 d a y s a week, from a n y w h e r e in the w o r l d . Benefits Include:
• Ability to create, modify, or u p d a t e Technical S u p p o r t requests
• Access to exclusive s u p p o r t materials & installation notes

W e b P o w e r is available to Blue Coat Partners a n d C u s t o m e r s w h o o w n p r o d u c t s actively covered
u n d e r the one-year w a r r a n t y or a Service Contract.
192
Escalation Process
Slide 1 9 - 4 : Escalation process
Customers a n d e v a l u a t o r s can s u b m i t service requests (SR) in different w a y s . You can use:

• P h o n e (call the toll-free s u p p o r t line)
• E-mail
WebPower
The SRs are first h a n d l e d by the frontline s u p p o r t team. This team walks customers t h r o u g h
c o m m o n s u p p o r t issues a n d a n s w e r s general questions about the products.
Should an SR require special attention, it is sent up the escalation ladder to the backline s u p p o r t
team. This t e a m performs the function often labeled escalation in other organizations. The backline
s u p p o r t engineers are the most senior t e a m m e m b e r s . They are the interface between frontline
support and development.
Complex issues for w h i c h a p r o p e r solution or w o r k a r o u n d is not available are escalated to

development. Fixes are m a d e available via:
• C u s t o m e r specific releases
• Dot releases
• Minor release
• Major releases
193
Support Tools
• Software Release Notes
• Instant Support
• Blue Coat Forums
* Tech Briefs
Slide 1 9 - 5 : S u p p o r t t o o l s
You s h o u l d a l w a y s read the release notes for each version of the Blue Coat p r o d u c t that y o u are
installing (Blue Coat® SG™ OS, Blue Coat® Director™ OS, Blue Coat® AV™ OS, Blue Coat®
Reporter™). The release notes contain useful information a n d k n o w n issues.
Instant S u p p o r t enables y o u to find an i m m e d i a t e a n d detailed solution to the most c o m m o n

issues. The l a u n c h p a g e also contains a list of topics that Blue Coat u p d a t e s regularly.
T h e forums, w h i c h are not filtered, are a v e r y useful w a y for c u s t o m e r s to exchange tips a n d tricks.
It is not u n c o m m o n to h a v e y o u r forum question a n s w e r e d by a Blue Coat s u p p o r t engineer or
developer. The m a i n d r a w back to the forum is that there is no g u a r a n t e e d response time for
questions, a n d responses are voluntary.
Technical briefs, w h i c h s h o w y o u h o w to c o m p l e t e complex tasks, are very p o p u l a r d o c u m e n t s

a m o n g Blue Coat c u s t o m e r s . M a n y different technical briefs are available; they cover a range of
topics — from s p y w a r e protection to a d v a n c e d d o c u m e n t m a n i p u l a t i o n w i t h e m b e d d e d Java
scripts.
194
Appendix A: Deployment Planning
P l a n n i n g a n d designing the most efficient d e p l o y m e n t is the m o s t i m p o r t a n t decision y o u have to

make, s e c o n d only to the one of actually b u y i n g the Blue Coat® SG™.
The Blue Coat SG is engineered to offer y o u the m a x i m u m flexibility of d e p l o y m e n t ; y o u can scale

from small to extremely large e n v i r o n m e n t s a n d y o u can build fault tolerance a n d redundancy.
The Deployment Question

You m a y be n e w to the use of proxy servers; however, even if y o u are not, it is important that y o u
review the m a n y w a y s in w h i c h the Blue Coat SG can be d e p l o y e d . Your n e t w o r k is already
d e s i g n e d to s e n d all o u t b o u n d traffic along a specific path. N o w y o u need to direct to the Blue
Coat SG all the traffic that y o u w a n t it to m a n a g e .
Figure 18-1: The deployment dilemma
You m a y h a v e a very complex network, b u t it can always be logically reduced to the simple
d i a g r a m s h o w n in Figure A - l . All of the solutions that y o u can think of, to route selected traffic
from y o u r clients to the Blue Coat SG, can be g r o u p e d into t w o m a i n categories: transparent a n d
explicit.
Firewall Best Practice

Regardless of h o w y o u decide to direct client traffic to the proxy, y o u s h o u l d modify the firewall
configuration in order to enforce the u s e of the proxy.
Typically, a firewall allows o u t b o u n d traffic from the clients to the Internet. More restrictive
policies m a y only allow HTTP a n d HTTPS traffic from the clients to the Internet. In either case,
y o u n o w m a y w a n t to block the traffic that y o u w a n t to go t h r o u g h the proxy. For instance, if y o u
w a n t to proxy HTTP a n d HTTPS, y o u s h o u l d block the clients from directly accessing outside
resources over these protocols. Only the Blue Coat SG s h o u l d be allowed t h r o u g h the proxy.
This configuration allows y o u to enforce the use of the proxy by all clients, regardless of the
d e p l o y m e n t strategy that y o u will implement; this solution also deters the most advanced users
from b y p a s s i n g the proxy.
195
Explicit Proxy
Creating an explicit proxy is conceptually the easiest solution a n d in general does not require a n y
a d d i t i o n a l software or h a r d w a r e . A s i m p l e packet capture can s h o w y o u if a client is using explicit
proxy. You can refer to the H T T P c h a p t e r of this book for more details. A client u s i n g explicit
proxy does format the GET request to s u p p o r t proxy.
Manual Configuration
Every client is configured to forward all the traffic to the Blue Coat SG. For instance, y o u can easily
set y o u r b r o w s e r to send all HTTP requests to a proxy server. In Figure A-2 below y o u can see h o w
t h e configuration screen looks for a Firefox® client
Figure 18-2: Firefox proxy configuration
T h e client n o w s e n d s all HTTP requests to the proxy w i t h IP a d d r e s s 172.16.90.22 over port 8080.
You can see h o w this m e t h o d is pretty straightforward; however, it is impractical for any
organization but the smallest. This m e t h o d requires a lot of a d m i n i s t r a t o r time a n d , unless it is
p a i r e d w i t h g o o d firewall rules, can be easily bypassed.
M a n u a l configuration can still be useful for testing a n d d e b u g g i n g p u r p o s e s .
Proxy Auto-Configuration (PAC) File

T h e Proxy Auto-Configuration (PAC) file is u s e d to distribute to the b r o w s e r the proxy
configuration information from a remote JavaScript® file rather t h a n from static information
entered directly. It is even possible to specify w h i c h proxies each u s e r can access.
You can use a PAC file to create a very basic fault-tolerant a n d load-balanced environment. In this
e x a m p l e y o u can configure four Blue Coat SG appliances (SG01 to SG04) as follows: O n e h a n d l e s
all .com requests; one h a n d l e s all .net requests; one handles all o t h e r d o m a i n s ; a n d the last one is a
hot s t a n d b y for the other three. If a n y of the three main proxies go d o w n , the fourth will take over.
T h e table b e l o w s h o w s the role of each proxy.
Table 18.1: Proxy Purpose
SG01 com d o m a i n
SG02 net domain
SG03 all other d o m a i n s
SG04 hot s t a n d - b y
196
In particular, the local sites (inside the network) are accessed by t h e clients directly. The proxy
servers c o m m u n i c a t e w i t h the clients over port 8080. Below y o u can see the JavaScript necessary
to achieve the results described above.
function FindProxyForURL(url, host)
{
if (isPlainHostName(host) || dnsDomainls(host, ".mydomain.com"))
return "DIRECT";
else if (shExpMatch(host, "*.com"))
r e t u r n " P R O X Y s g 0 1 : 8 08 0; " +
"PROXY sg04:8 080";
else if (shExpMatch(host, "*.net"))
r e t u r n " P R O X Y s g 0 2 : 8 0 8 0; " +
"PROXY sg04:8080";
else
r e t u r n " P R O X Y s g 0 3 : 8 08 0; " +
"PROXY sg04:8080";
The PAC file can reside on a s h a r e d resource. O n e of the main a d v a n t a g e of the PAC file is that it
allows y o u to m a k e changes to y o u r proxy configuration w i t h o u t having to reconfigure each
client.
Note: You s h o u l d save the JavaScript function to file with a .pac filename extension; for
example: "proxy.pac". You s h o u l d also configure y o u r server to m a p the .pac filename
extension t o the MIME type: a p p l i c a t i o n / x - n s - p r o x y - a u t o c o n f i g .
Each client needs to k n o w w h e r e the PAC file is located. Figure A-3 below s h o w s h o w a Firefox
client configuration looks like for PAC.
Figure 18-3: PAC configuration for Firefox
Web Proxy Auto-Discovery (WPAD)

Internet Explorer version 5 (and higher) a n d N e t s c a p e s u p p o r t Web Proxy Auto-Discovery
(WPAD). This solution is d e s i g n e d to enable the browser to automatically detect proxy settings
w i t h o u t user or a d m i n i s t r a t o r intervention. WPAD w o r k s by attaching w p a d to the system's
fully-qualified d o m a i n n a m e a n d progressively r e m o v i n g s u b d o m a i n s until it either finds a
WPAD server. For instance, a client in the c l i e n t s . b l u e c o a t . com d o m a i n will query
w p a d . c l i e n t s . b l u e c o a t . com a n d then w p a d . b l u e c o a t . com. This a p p r o a c h can b e o p e n t o
vulnerabilities because the third-level d o m a i n m a y not be a trusted one.
197
This solution requires a D N S c h a n g e a n d possibly a d e d i c a t e d server.
Figure 18-4: Internet Explorer automatic proxy settings
Figure A-4 above s h o w s h o w the configuration for Internet Explorer looks like w h e n there is a
W P A D server.
Active Directory Policy

If y o u are r u n n i n g any of the o p e r a t i n g systems listed below, y o u can configure the clients' proxy
settings automatically via Active Directory® G r o u p Policy.
• W i n d o w s ® 2000 Professional a n d Server
W i n d o w s XP Professional
W i n d o w s 2003 Server
Note: W i n d o w s 9 x / M e a n d W i n d o w s X P H o m e Edition are not s u p p o r t e d .
F u r t h e r m o r e , each client m u s t be p a r t of the Active Directory forest. This configuration can be

u s e d in conjunction with PAC files. You can use Active Directory not o n l y to distribute a specific
s e r v e r configuration but a m o r e generic PAC file
Figure 18-5: Active Directory policy proxy configuration
This solution will become m o r e feasible as m o r e companies roll out Active Directory for the entire
o r g a n i z a t i o n a n d stop using o p e r a t i n g systems that are not s u p p o r t e d .
198
Issues with Explicit Proxy

Based on the information p r o v i d e d above, y o u can easily see h o w relying on explicit proxy raises
several potential issues. The m a i n a d v a n t a g e is reduced cost, w h i c h m a y not be significant.
Unless y o u i m p l e m e n t m o r e restrictive firewall policies, a n y a d v a n c e d user can bypass the proxy
setting that y o u are trying to enforce. Even g r o u p policy can be b y p a s s e d by using a b r o w s e r other
t h a n Internet Explorer.
A u s e r can take a d v a n t a g e of W P A D to o p e n security gaps; however, the possibility is remote

because it requires a d v a n c e d skills.
Transparent Proxy
You can think of transparent proxy as exactly the opposite of explicit proxy. The goal of setting up
t r a n s p a r e n t proxy is to redirect all of the desired traffic to the Blue Coat SG, w i t h o u t the client's
k n o w l e d g e or consent. Regardless of the solution that y o u choose for explicit proxy, the client's
user agent k n o w s that it is s e n d i n g the connection requests to a proxy server. However, in a
t r a n s p a r e n t proxy scenario, the client's user agent believes that it is talking to the remote server
directly, w i t h o u t intermediaries.
In essence, transparent proxy is m o r e complex, as a technology, t h a n explicit proxy — but it is also

m o r e efficient, scalable, a n d robust. Unfortunately it is also, in general, more expensive a n d can be
m o r e complex to set u p .
Layer 4 Switches
Switching technology has evolved from the Data Link Layer to cover up to the Application Layer.
In general, most Layer 4 switches are capable of h a n d l i n g up to Layer 7 a n d d o w n to Layer 2.
Figure 18-6: Blue Coat SG with Layer 4 switch
If y o u c o m p a r e Figure A-6 w i t h Figure A - l , y o u can i m m e d i a t e l y notice w h e r e the Layer 4 switch

needs to be installed. It needs to be in a position to inspect all o u t b o u n d traffic. The traffic that y o u
w a n t to proxy is redirected by the switch to the Blue Coat SG, all other traffic is passed to the
firewall (or other destinations).
Most Layer 4 switches offer a very useful set of a d d e d functions, such as:
• A d v a n c e d load balancing
a Most available
D Round-robin
• Least CPU utilization

D URL hashing
199
• A d v a n c e d Fault Tolerance a n d R e d u n d a n c y
T h e only major obstacle to t h e d e p l o y m e n t a n d i m p l e m e n t a t i o n of Layer 4 switches is cost; s u c h

devices can cost from few t h o u s a n d to tens of t h o u s a n d s of U.S. dollars.
Traffic routing decisions can be b a s e d on several p a r a m e t e r s , s u c h as destination a d d r e s s ,

protocol, port, source address, a n d a combination of these.
A Layer 4 switch can also c h a n g e t h e w a y a particular request looks like; for instance, it can
c h a n g e a direct H T T P G E T request to a proxy-style H T T P G E T request as s h o w n in Figure A-7
below.
Figure 18-7: HTTP request transformation
You can see that the client u s e r a g e n t is not a w a r e that the connection will go via proxy server. The
ability of a Layer 4 switch (also k n o w n as a content switch) to c h a n g e HTTP requests allows it to
be compatible w i t h a n y proxy a n d not j u s t the m o r e a d v a n c e d ones like Blue Coat SG.
Web Cache Communication Protocol (WCCP)

You can configure a Blue Coat SG in a Web Cache C o m m u n i c a t i o n Protocol (WCCP) d e p l o y m e n t
w h e n a WCCP-capable router collaborates w i t h a set of WCCP-configured Blue Coat SG
a p p l i a n c e s to service requests.
W C C P is a Cisco-developed protocol that allows y o u to establish redirection of the traffic that

flows t h r o u g h routers.
T h e m a i n benefits of u s i n g W C C P are:
• Scalability: With no reconfiguration overhead, redirected traffic can be automatically
distributed to up to 32 Blue Coat SG appliances.
• Redirection safeguards: If no Blue Coat SG appliances are available, redirection stops a n d the
router forwards traffic to the original destination a d d r e s s .
W C C P has two versions, version 1 a n d version 2, both of w h i c h are s u p p o r t e d by Blue Coat.

H o w e v e r , only o n e protocol version can be active on the Blue Coat SG at a time. The active W C C P
protocol set up in the Blue Coat SG configuration m u s t match the version r u n n i n g on the W C C P
router.
Using WCCP and Transparent Redirection

A W C C P - c a p a b l e router o p e r a t e s in conjunction with the Blue Coat SG appliances to
t r a n s p a r e n t l y redirect traffic to a set of caches that participate in the specified W C C P protocol. IP
packets are redirected based on fields within each packet. For instance, W C C P version 1 only
redirects destination TCP port 80 (default HTTP traffic) IP packets. W C C P version 2 allows y o u to
redirect traffic from other ports a n d protocols.
200
Load balancing is achieved t h r o u g h a redirection h a s h table to d e t e r m i n e w h i c h Blue Coat SG will

receive the redirected packet.
WCCP Version 1
In W C C P version 1, the WCCP-configured h o m e router transparently redirects TCP port 80
packets to a m a x i m u m of 32 Blue Coat SG appliances. (A Blue Coat SG is seen as a cache in W C C P
protocol.)
O n e of the caches participating in the W C C P service g r o u p is automatically elected to configure

the h o m e r o u t e r ' s redirection tables. This way, caches can be transparently a d d e d a n d r e m o v e d
from the W C C P service g r o u p w i t h o u t requiring operator intervention. W C C P version 1 s u p p o r t s
only a single service g r o u p .
Each applicable client IP packet received by the h o m e router is transparently redirected to a cache.
A Blue Coat SG from the g r o u p is selected to define the h o m e r o u t e r ' s redirection h a s h table for all
caches. All caches periodically c o m m u n i c a t e w i t h the h o m e router to verify W C C P protocol
synchronization a n d Blue Coat SG availability within the service g r o u p . In return, the h o m e router
r e s p o n d s to each cache w i t h information as to which Blue Coat SG appliances are available in the
service g r o u p .
The following are W C C P version 1 caveats:
• The h o m e router IP m u s t be configured on all participating interfaces a n d m u s t m a t c h the

h o m e router a d d r e s s configured on the Blue Coat SG.
• The a d a p t e r connected to the Blue Coat SG m u s t be Ethernet or Fast Ethernet.
For Cisco routers u s i n g W C C P version 1, m i n i m u m IOS releases are 11.1(18)CA a n d 11.2(13)P.

N o t e that releases prior to IOS 12.0(3)T only s u p p o r t W C C P version 1. Ensure that y o u are
u s i n g the correct IOS software for the router a n d that the Blue Coat SG configuration protocol
version n u m b e r a n d router protocol version n u m b e r match.
WCCP Version 2
For Cisco routers using W C C P version 2, m i n i m u m IOS releases are 12.0(3)T a n d 12.0(4). Release
12.0(5) a n d later releases s u p p o r t W C C P versions 1 a n d 2. Ensure that y o u use the correct IOS
software for the router a n d that y o u have a match b e t w e e n the Blue Coat SG configuration W C C P
version n u m b e r and router protocol version number.
W C C P version 2 protocol offers the s a m e capabilities as version 1, along w i t h increased protocol

security a n d multicast protocol broadcasts. Version 2 multicasting allows caches a n d routers to
discover each other t h r o u g h a c o m m o n multicast service g r o u p a n d matching p a s s w o r d s . In
addition, up to 32 W C C P - c a p a b l e routers can transparently redirect traffic to a set of up to 32 Blue
Coat SG appliances. Version 2 WCCP-capable routers are capable of redirecting IP traffic to a set of
Blue Coat SG appliances based on various fields within those packets.
Version 2 allows routers a n d caches to participate in multiple, simultaneous service g r o u p s .

Routers can transparently redirect IP packets based on their formats. For example, o n e service
g r o u p could redirect H T T P traffic a n d another could redirect FTP traffic.
Note: Note: Blue Coat r e c o m m e n d s that W C C P - c o m p l i a n t caches from different v e n d o r s be

kept separate a n d that only one v e n d o r ' s routers be used in a service g r o u p .
O n e of the caches participating in the W C C P service g r o u p is automatically elected to configure

the h o m e r o u t e r ' s redirection tables. This way, caches can be transparently a d d e d a n d r e m o v e d
from the W C C P service g r o u p w i t h o u t requiring operator intervention. W C C P version 2 s u p p o r t s
multiple service g r o u p s .
201
Blue Coat SG in Bridging Mode

T h e Blue Coat SG can be configured to b r i d g e t w o sides an IP network. This solution allows y o u to
create a t r a n s p a r e n t proxy e n v i r o n m e n t . This solution is not r e c o m m e n d for m e d i u m or large
n e t w o r k s (more t h a n 50 hosts).
Figure 18-8: Blue Coat SG in bridging mode
In the configuration s h o w n in Figure A-8 above, the Blue Coat SG receives all o u t b o u n d traffic a n d
can inspect it. If the traffic matches a n y of the criteria set forth by the administrators, the Blue Coat
SG further inspects the traffic a n d can a p p l y a n y desired rule or action (allow, block, redirect,
cache, etc.).
T h e Blue Coat SG becomes a single point of failure for the n e t w o r k a n d it is susceptible to

o v e r l o a d or congestion, if there are too m a n y n o d e s attached to that network. That is because the
Blue Coat SG is n o w processing a n d forwarding all the packets a n d not just those that m a t c h given
policies.
202
Appendix B: Conditional Probability — Bayes Theorem
M o d e r n content-filtering technology, as well as s p a m e-mail detection, relies on s o m e fundamental

t h e o r e m s of statistical analysis. This section discusses, at a very high level, the Bayes Theorem.
This section a s s u m e s that y o u are familiar w i t h s o m e basic principles of statistics.
You can d e t e r m i n e the probability of a future event based on k n o w l e d g e that a different event
already occurred. We can a p p l y this theory to content filtering. Suppose that y o u w a n t y o u r
s y s t e m to recognize n e w a n d uncategorized text d o c u m e n t s (past events), based on the probability
of certain events (prior probabilities). For example, y o u w a n t the device to recognize w h e n a p a g e
contains A d u l t / M a t u r e content.
The device cannot d e t e r m i n e that a text p a g e contains a certain type of content, w i t h o u t having
s o m e point of reference. No device can ever " k n o w " that a p a g e contains A d u l t / M a t u r e content
p e r se; however, it is possible for the device to d e t e r m i n e the probability that a p a g e contains
A d u l t / M a t u r e content, by c o m p a r i n g that probability to the probability that it contains s o m e
other t y p e of content — for example, N e w s / M e d i a content.
Bayes Theorem
Let us consider a set of m u t u a l l y exclusive events {A A , A . . . A } a n d define, u s i n g P(A¡), the
h 2 3 N
probability of the event A¡ h a p p e n i n g . We can perform an experiment, referred to as event B, to

d e t e r m i n e h o w the probability changes. We w a n t to calculate the probability of the event A¡,
conditional to the event B, w h i c h we will call P(A¡ | B). In essence, we w a n t to d e t e r m i n e the
probability that event A¡ is g o i n g to h a p p e n , k n o w i n g that event B has h a p p e n e d . For example, if
y o u h a v e a bag w i t h six balls, three red a n d three blue, y o u w a n t to d e t e r m i n e the probability of
extracting a blue ball (P(Aj)), k n o w i n g that y o u just picked up from the bag a red o n e (P(B)).
We can determine, t h r o u g h a controlled experiment, both the probability of event B, w h i c h we will

call P(B), a n d the probability of event B h a p p e n i n g conditional to the generic event A for each {
value of i.
You s h o u l d recall the t h e o r e m of the total probability as s h o w n in formula (a) below:
r N
P(B) £ P ( A ¡ ) P ( B | A ¡ )
Vi = i
The formula (a) states that an event is the s u m of the probabilities of combined events. To better
u n d e r s t a n d the formula (a), we s h o u l d use a real-life example. In the state of California the
registered voters are d i v i d e d according to the table below
3
Table 18.1: Registered voters in California
Democrats 43 p e r c e n t —P(D)=0.43
Republicans 34 p e r c e n t — P ( R ) = 0 . 3 4
Other 23 p e r c e n t — P ( O ) = 0 . 2 3
a . D a t a t r o m S t a t e o t C a l i f o r n i a R e g i s t r a r o t V o t e r s ( A p r i l ¿006)
If y o u k n o w that 60 percent of the registered Democrats, 20 percent of the registered Republicans,

a n d 90 percent of the others favor a n e w bill, w h a t is the probability that the n e w bill will pass?
The probability that the n e w bill will pass is P(B), the probability that a person belongs to a certain
p a r t y is P(Ai), a n d the probability that a person will vote a certain w a y is P(B | A[). Using the
n u m b e r s above we d e t e r m i n e that the probability that the bill will pass is:
(b) P(B)= 0.43 x 0.60 + 0.34 x 0.20 + 0.23 x .90 = 0.53
203
The formula (b) tells us that the bill can pass b u t by a n a r r o w margin.
T h e next step is to try to d e t e r m i n e the probability of the event P(Ai | B). This probability can be
expressed u s i n g the formula (c) below:
P ( A i l B ) . s * ™
If y o u use the v a l u e of P(B) from the formula (a) a n d substitute in it the formula (c), y o u obtain the
Bayes theorem, s h o w n b e l o w in formula (d):
P A P B A
PCMB)- < l i>
f N ^
£P(Ai)P(B|Ai)
Vi = 1
U s i n g the e x a m p l e of the voters in California, the formula (d) allows us to calculate, k n o w i n g that
the bill w a s a p p r o v e d , the probability that a p e r s o n of a given p a r t y v o t e d for the bill. A p p l y i n g
the n u m b e r s listed a b o v e a n d the result of the formula (b) to formula (d), we obtain:
(e) P ( A ) = (0.43 x 0.6) / 0.53 = 0.48

d
So, k n o w i n g that t h e bill passed, the probability that a voter w a s a Democrat is 48 percent.
T h e Bayes t h e o r e m a l l o w e d us to reverse the probability. We started k n o w i n g that a certain

percentage of registered voters w o u l d vote a certain way. K n o w i n g that the bill w a s a p p r o v e d , we
d e t e r m i n e d that the probability that a voter b e l o n g e d to a certain party.
Application to Content Filtering

T h e concept discussed in the p r e v i o u s section can be a p p l i e d to content categorization. To teach a
s y s t e m h o w to differentiate b e t w e e n the different categories, y o u need to provide it w i t h a solid
foundation. You need to h a v e good d o c u m e n t s that the system can use to learn h o w to recognize
different categories.
You define the categories a s the m u t u a l l y exclusive events { A A , A . . . A ) . For example, y o u can 1t 2 3 n
say that Aj is A d u l t / M a t u r e , A is Pornography, a n d so on.

2
You can define the a p p e a r a n c e of a w o r d as event B; for instance P(B) could be the probability of
finding the w o r d "sex." So y o u can say:
• P ( A ) = Probability of a site being P o r n o g r a p h y

2
• P(B | A ) = Probability of the w o r d "sex" a p p e a r i n g in a P o r n o g r a p h y pages

2
P(B)= Probability of finding the w o r d "sex"
• P ( A | B)= Probability of a site being P o r n o g r a p h y w h e n the w o r d "sex" is found in it

2
U s i n g the p r e c e d i n g definitions, y o u obtain the following formula (f) below:
„,„ , ,„ „ P(Pornography)P(Sex|Pornography)
s V
P(Pornography|Sex) = P(Sex)
204
Appendix B: Conditional Probability — Bayes Theorem
Obviously, y o u c a n n o t create these formulae manually. You need to create a tool that can
automatically calculate all of the different probabilities; ultimately, this will p r o v i d e y o u w i t h an
accurate P(B | A ) . To achieve this result, y o u m u s t s u b m i t a series of d o c u m e n t s belonging to
2
k n o w n categories to the automatic tool. For example, s u b m i t 1,000 P o r n o g r a p h y pages, 1,000

N e w s / M e d i a pages, a n d so on. The s y s t e m processes the content of the pages a n d , by calculating
the multiple probabilities for the different events, learns h o w to recognize n e w pages that is h a s
not seen before.
It is i m p o r t a n t to consider other parameters a n y time y o u do any statistical analysis. You need to

evaluate the accuracy of y o u r estimators a n d the coverage. The accuracy is d e t e r m i n e d as a
percentage of correct results. For instance, if we process 100 sites that we e s t i m a t e d to be
categorized as P o r n o g r a p h y , h o w m a n y w e r e really p o r n sites? The coverage determines the miss
rate of the tool; in a pool of X sites k n o w n to belong in the P o r n o g r a p h y category, h o w m a n y did
the tool catch?
Unfortunately, y o u c a n n o t achieve 100 percent success in both accuracy a n d coverage; y o u can

achieve 100 percent in one or the other. However, if 100 percent accuracy is achieved, coverage
will suffer t r e m e n d o u s l y a n d vice versa. The goal is to find a sweet spot w h e r e accuracy is
sufficient a n d the coverage is still good. Blue Coat WebFilter aims at 85-90 percent accuracy.
D y n a m i c Real-Time Rating (DRTR) technology uses a two-step approach. The first step is to
recognize the l a n g u a g e of the Web site. This is i m p o r t a n t because the same w o r d m a y exist in
m o r e than one l a n g u a g e b u t have different m e a n i n g s in the different languages. For instance the
w o r d burro has the s a m e spelling both in Italian a n d Spanish; h o w e v e r it m e a n s butter in Italian,
while it m e a n s donkey in Spanish! The s y s t e m needs to correctly d e t e r m i n e the l a n g u a g e before it
can a p p l y a n y statistical analysis on the w o r d s .
You can see an e x a m p l e in Figure B-l from the site h t t p : / / w w w . j a l . c o . j p :
Token Occurences Probability
?® 16 0.00052
M 2 0.00236
Figure 18-1: Words "reservation" and "month"
The w o r d (reservation) represents sites in J a p a n e s e with a probability of 0.00052, while the

word (month) represents Japanese sites w i t h a probability of 0.00236. The p r o d u c t s of the
probability of each l a n g u a g e token, by the n u m b e r of occurrences are g r o u p e d a n d s u m m e d by
l a n g u a g e . The l a n g u a g e that has the highest w e i g h t becomes the a s s u m e d l a n g u a g e for that Web
site.
DRTR a d o p t s the s a m e a p p r o a c h for the categorization of a Web site. The result that DRTR
p r o d u c e s for the site h t t p : / / w w w . j a l . c o . j p is s h o w n in Figure B-2:
1 0.00086 0.00086 Travel

mm 2 0.00043 0.00086 Travel
2 0.00040 0.00081 Travel
2 0.000405 0.000809 Political/Activist Groups
Figure 18-1: Terms "hotel," "time table" and "reservation"
You can see h o w there are three tokens that refer to the travel category a n d one that refers to
Political/Activist G r o u p s category:
• # 7 * > (hotel) = Travel
• Hf (time table) = Travel
205
* ^Mi (reservation) = Travel
* t^TfJ (city) = Political/Activist G r o u p s

T h e total w e i g h t associated w i t h the Travel category is 0.00253 (this is N O T a probability!), while
the w e i g h t associated w i t h Political/Activist G r o u p s category is only 0.000809. Therefore the site
1
is a s s u m e d to be a travel site in J a p a n e s e .
1 .There are actually many more t o k e n s used f o r b o t h language and category; this a p p e n d i x
o n l y shows a f e w relevant one as an e x a m p l e .
206
Blue Coat Certified
Proxy Administrator Course
Labs
version 1.7.2
Contact Information
Blue Coat Systems Inc.

420 N o r t h M a r y A v e n u e
Sunnyvale, California 94085
N o r t h A m e r i c a (USA) Toll Free: +1.866.302.2628 (866.30.BCOAT)

N o r t h A m e r i c a Direct (USA): +1.408.220.2200
Asia Pacific Rim ( H o n g Kong): +852.2166.8121
E u r o p e , M i d d l e East, a n d Africa (United K i n g d o m ) : +44 (0) 1276 854 100
training@bluecoat.com
www.bluecoat.com
Copyright© 1999-2006 Blue Coat Systems, Inc. All rights reserved w o r l d w i d e . No part of this d o c u m e n t may be
reproduced by any m e a n s nor modified, decompiled, disassembled, published or distributed, in w h o l e or in part, or
translated to any electronic m e d i u m or other means w i t h o u t the written consent of Blue Coat Systems, Inc. All right, title
and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems,
Inc. and its licensors. Blue Coat SG™, Blue Coat AV™, Blue Coat RA™, Blue Coat WebFilter™. Blue Coat Director™, Blue
Coat Reporter™, ProxySG™, Proxy AV™, CacheOS™, SGOS™. Spyware Interceptor™, Scope™ are trademarks of Blue
Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, A c c e s s N o w ® , Ositis®,
Powering Internet Management®, and The Ultimate Internet Sharing Solution® are registered trademarks of Blue Coat
Systems, Inc. All other trademarks contained in this d o c u m e n t and in the Software are the property of their respective
owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR
IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE A N D DOCUMENTATION FURNISHED HEREUNDER
I N C L U D I N G W I T H O U T LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE A N D NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS
SUPPLIERS OR ITS LICENSORS BE LIABLE FOR A N Y DAMAGES. WHETHER ARISING IN TORT. CONTRACT OR
A N Y OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. H A S BEEN ADVISED OF THE POSSIBILITY OF
SUCH D A M A G E S .
Ü
Third Party Copyright Notices
Blue Coat Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their respective
owners as indicated in the copyright notices below.
The following lists the copyright notices for:
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions
retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice
and this paragraph in its entirety in the documentation or other materials provided with the distribution, and (3) all advertising materials
mentioning features or use of this software display the following acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software
without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES. INCLUDING. WITHOUT LIMITATION. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim
Glllogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the
following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY. FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE. ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
ISODE
ISODE 8.0 NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the
Preface in the User's Manual for the full terms of this agreement.
4BSD/ISODE SMP NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-READ-ME.
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest
Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are Identified as "derived from the RSA Data Security,
Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for
any particular purpose. It is provided "as is" without express or implied warranty of any kind.
THE BEER-WARE LICENSE" (Revision 42):
<phk@FreeBSD.org <mailto:phk@FreeBSD.org» wrote this file. As long as you retain this notice you can do whatever you want with this
stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
Microsoft Windows Media Streaming
Copyright (c) 2003 Microsoft Corporation. All rights reserved.
OpenLDAP
Copyright (c) 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and
distribute verbatim copies of this document is granted.
http://www.openldap.org/software/release/Ucense.html
The OpenLDAP Public License Version 2.7, 7 September 2001
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain copyright statements and notices,
2. Redistributions In binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following
disclaimer In the documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this
Software under terms of this license revision or under the terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR
IMPLIED WARRANTIES. INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR
THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA. OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this
Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP Is a registered trademark of the OpenLDAP Foundation.
OpenSSH
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved
This file Is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a
BSD licence, or a licence more free than that.
OpenSSH contains no GPL code.
1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this
software must be clearly marked as such, and If the derived work is incompatible with the protocol description In the RFC file, it must be
called by a name other than "ssh" or "Secure Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are
not under my direct control. As far as I know, all Included source code is used in accordance with the relevant license agreements and can be
used freely for any purpose (the GNU license being the most restrictive); see below for details.
[However, none of that term Is relevant at this point in time. All of these restrictively licenced software components which he talks about
have been removed from OpenSSH, i.e.,
- RSA is no longer Included, found in the OpenSSL library
- IDEA is no longer Included, its use is deprecated
- DES is now external, In the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external. In a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish Is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used In this software are publicly available on the Internet and at any major
bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will
be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this Is legal or not in your
country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT
PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED.
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO
EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER
PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY
TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or
without modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL. EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
THIS SOFTWARE.
Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com>
3) ssh-keygen was contributed by David Mazleres under a BSD-style license.
Copyright 1995,1996 by David Mazleres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted
provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto Is In the public domain and distributed with the
following license:
aversion 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
iv
©author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>

©author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL.
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts
from original Berkeley code.
Copyright (c) 1983, 1990,1992, 1993,1995
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT. STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
met:
THIS SOFTWARE IS PROVIDED BY THE AUTHOR'' AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING. BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY.
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1995-1998 Eric Young (eava'f ryptsoft.com). All rights reserved.
http://www.openssl.org/about/
http://www.openssl.org/about/
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young <iTmilto:eay(g'cryptsofl.coin> and Tim I. Hudson
<mailto:tih@iTyptsoft.com>.
The OpenSSL toolkit is licensed under a Apache-style license which basically means that you are free to get and use it for commercial and
non-commercial purposes.
This package is an SSL implementation written by Eric Young (cay#cryptsofLromV The implementation was written so as to conform with
Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions
apply to all code found in this distribution, be it the RC4, RSA, lhash. DES, etc., code; not just the SSL code. The SSL documentation included
with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tih'?frypisoft.corri).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product,
Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program
startup or in documentation (online or textual) provided with the package.
V
met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
3. A l l advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes
cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library
being used are not cryptographic related:-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an
acknowledgement: "This product Includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL.
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed, i.e. this code cannot
simply be copied and put under another distribution license [including the GNU Public License.]
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
Redistribution and use In source and binary forms, with or without modification, are permitted provided that the following conditions are
met:
3. A l l advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit, (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software
without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written
permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the
OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES. INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO. PROCUREMENT OF
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product Includes software written by Tim
Hudson (tjh@cryptsoft.com).
PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel <phlO@cam.ac.uk>
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the
following restrictions:
1. This software is distributed In the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and
copyright by the University of Cambridge, England.
ftp://ftp.csx.cam.ac.uk/pub/software/programmlng/pcre/
PHAOS SSLava and SSLavaThin
Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved.
The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos. the design and
development of which have involved expenditure of substantial amounts of money and the use of skilled development experts over
substantial periods of time. The software and any portions or copies thereof shall at all times remain the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION
ALONE OR IN COMBINATION WITH ANY OTHER SOFTWARE.
PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF
ANY PRODUCT OR SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL,
INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBLITY OF SUCH DAMAGES.
RealSystem
The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All
rights reserved.
SNMP
Copyright (C) 1992-2001 by SNMP Research, Incorporated.
This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the
Inclusion of the above copyright notice. This software or any other copies thereof may not be provided or otherwise made available to any
other person. No title to and ownership of the software is hereby transferred. The information in this software is subject to change without
notice and should not be construed as a commitment by SNMP Research, Incorporated.
vi
Restricted Rights Legend:

Use, duplication, or disclosure by the Government Is subject to restrictions as set forth in subparagraph (c)(1) (li) of the Rights in Technical
Data and Computer Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted
Rights Clause, FAR 52.227-19; and in similar clauses in the NASA FAR Supplement and other corresponding governmental regulations.
PROPRIETARY NOTICE
This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law.
Unauthorized copying, redistribution or other use of this work Is prohibited. The above notice of copyright on this source code product does
not Indicate any actual or Intended publication of such source code.
STLport
Copyright (c) 1999, 2000 Boris Fomltchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies.
Permission to modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code
was modified is included with the above copyright notice.
The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee,
provided that die above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and Its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided
"as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any
purpose. It is provided "as is" without express or implied warranty.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec Antivirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986. 1988. 1990. 1993, 1994, 1995
met:
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California. Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES.
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT.
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Trend Micro
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved,
zlib
Copyright (c) 2003 by the Open Source Initiative
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages
arising from the use of this software.
ICU License - ICU 1.8.1 and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1995-2003 International Business Machines
Corporation and others All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
associated documentation files (the "Software"), to deal In the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do
so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above
copyright notlce(s) and this permission notice appear in supporting documentation. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT
SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL
vii
INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright
holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written
authorization of the copyright holder.
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document
itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet
organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the
Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Table of Contents
Blue Coat SG Initial Configuration 1
Upgrading Blue Coat SG OS 13
Configuring Services 19
Explicit Proxy Configuration and Testing 23
HTTP Compression 27
Authentication Configuration — IWA 33
Authentication Configuration — LDAP 39
Creating Basic Policy 45
Configuration Archive 49
Content Filtering — Configuration 51
Content Filtering — Policy 55
Using the Local Database 63
Managing Downloads — File Types and Exceptions 67
Managing Instant Messaging 79
Managing Peer-to-Peer Traffic 91
Using Notification Objects 99
Access Logging 105
Creating Reporter Profiles and Generating Reports 109
BlueCoat AV/Blue Coat SG Integration 119
ix
Using Instant Support 127
Review: Authentication 135
Review: Content Filtering 137
X
Blue Coat SG Initial Configuration
This lab w a l k s y o u t h r o u g h the steps required to configure a Blue Coat® SG™ appliance that has
never been configured or that has been r e t u r n e d to its factory defaults.
Objectives
• Assigning a n e t w o r k a d d r e s s to the Blue Coat SG.
• Assigning a d m i n i s t r a t i v e login credentials.
Scenario
Your first task as a s y s t e m administrator is to m a k e the Blue Coat SG accessible on the network,
regardless of w h e t h e r the appliance is just o u t of the box or restored to factory default settings.
Briefly, y o u p r o v i d e y o u r Blue Coat SG w i t h the correct n e t w o r k settings a n d set up an

administrative account. By following these few s i m p l e steps, y o u m a k e y o u r Blue Coat SG
immediately available on the network.
Note: The screen c a p t u r e s are taken from a Blue Coat SG 400, r u n n i n g SGOS 4.2.3.1
Before You Begin

This lab requires that y o u h a v e a terminal e m u l a t i o n software a n d an SSH client. This lab a s s u m e s
that y o u have:
• Tera Term Pro 2.3 or higher
• PuTTY 0.57 or h i g h e r
• Firefox® 2.0.02 or higher
All three applications are available on the Internet. Alternatively, y o u can use any other software
y o u m a y be familiar w i t h . (For example, y o u can use HyperTerminal® instead of Tera Term Pro.)
Steps
You can access y o u r Blue Coat SG using three different m e t h o d s . The procedure for configuring
y o u r appliance d e p e n d s on y o u r access m e t h o d . Each p r o c e d u r e is outline separately:
1. Using a terminal server. This procedure starts on p a g e 2.
2. Using the serial cable. This procedure starts on p a g e 2.
3. Using a Web browser. This procedure starts on p a g e 6.
Finally, regardless of y o u r access a n d configuration m e t h o d , y o u need to connect to the

M a n a g e m e n t Console to test that y o u r Blue Coat SG has been set up correctly a n d that y o u can
c o m m u n i c a t e w i t h it.
1
Using a Terminal Server

A terminal server is a device that e m u l a t e s a serial line over a L A N . A t e r m i n a l server can h a v e
a n y n u m b e r of a s y n c h r o n o u s serial p o r t s a n d at least one L A N port. Each serial port is associated
w i t h an a s s i g n e d T C P port n u m b e r . You can telnet to t h e IP a d d r e s s of the t e r m i n a l server on the
a s s i g n e d TCP p o r t a n d y o u will h a v e the s a m e interface as if y o u w e r e directly connected t h r o u g h
a serial link to the device attached to the t e r m i n a l server on that port.
1. Launch Putty a n d refer to the Serial Console Access section of the S t u d e n t Reference sheet for
the IP Address a n d port number for y o u r t e r m i n a l server settings. Your configuration s h o u l d
look similar to the screen c a p t u r e below.
2. Click Open.
3. You s h o u l d n o w see a blank screen. This is normal. Press the Enter key three times a n d the
w e l c o m e screen a p p e a r s . If y o u have p r e s s e d t h e Enter key three times a n d do not see t h e
w e l c o m e p r o m p t , contact y o u r instructor.
4. Follow the steps for the "Using t h e Serial Cable" p r o c e d u r e in t h e following section, starting
from Step 4.
2
Using the Serial Cable

All Blue Coat SG m o d e l s s u p p o r t configuration w i t h the serial cable. You need to use a nine-pin
male-male n u l l - m o d e m cable.
1. L a u n c h Tera Term Pro from the Start m e n u . From the initial configuration screen select the
Serial option a n d the a p p r o p r i a t e serial port from the Port: d r o p - d o w n m e n u (typically COM1).
Click OK.
2. Verify t h a t the connection p a r a m e t e r s are correct. They s h o u l d m a t c h exactly the values

s h o w n in the screen c a p t u r e below. From the m a i n w i n d o w select Setup > Serial port; the
configuration w i n d o w a p p e a r s . Insert the a p p r o p r i a t e values a n d then click OK.
3. Press the Enter key three times to activate the Initial Setup Console wizard. A welcome
message a p p e a r s in the serial w i n d o w .
Note: If at a n y time y o u m a k e a mistake a n d w a n t to exit the Initial Setup Console, press the
Esc key. This will let y o u exit the Initial Setup Console w i z a r d w i t h o u t saving any of
the changes y o u m a d e . See the topic Restarting the Initial Setup Console in the
A d d i t i o n a l Reading section that follows this lab.
3
4. I f y o u receive the p r o m p t E n t e r t h e b r i d g e n a m e [ p a s s t h r o u g h - O ] , then simply

press the Enter key. I f y o u are a s k e d t o E n t e r i n t e r f a c e n u m b e r t o c o n f i g u r e , select
the default [0:0]
5. Enter n e t w o r k information as directed by the p r o m p t s . The information requested m a y vary,

d e p e n d i n g on the Blue Coat SG m o d e l that y o u are configuring.
Note: If the desired response is w i t h i n the s q u a r e brackets in the Setup Console, it is the
default response, a n d pressing the Enter key will invoke it. To a n s w e r Y e s / N o
questions, press the Y or N key.
a. Refer to the s t u d e n t h a n d o u t to a n s w e r the remaining questions about the IP address,

s u b n e t mask, IP gateway, a n d D N S server.
b. Once y o u h a v e a n s w e r e d all the questions, the Initial Setup Console w i z a r d asks if
y o u w a n t t o m a k e any changes.
c. If y o u w a n t to m a k e a change, press the Y key to restart t h e s e q u e n c e of questions.
O t h e r w i s e , press the N key.
6. Enter y o u r user n a m e a n d p a s s w o r d s at the a p p r o p r i a t e s y s t e m p r o m p t s to set up y o u r

a d m i n i s t r a t o r account. The account gives y o u privileges to a d m i n i s t e r the Blue Coat SG. Both
the u s e r n a m e a n d p a s s w o r d s are case-sensitive:
Table 1-1: Setup Console Passwords
Console Username Console Password Enable Password

admin pass pass
4
7. N o t e that y o u m u s t enter two p a s s w o r d s . The console p a s s w o r d is u s e d to log into the Blue

Coat SG's Web interface a n d the first layer of its text interface. The enable p a s s w o r d is
required to access the second layer of the text interface. Without the enable p a s s w o r d , y o u
cannot v i e w or change the appliance's configuration. The p a s s w o r d s are not displayed w h i l e
y o u are typing.
WARNING: If y o u secure the serial port, the Blue Coat SG asks y o u for a password every time
y o u access the serial console. This increases security, but be aware that if y o u lose
your password, y o u w i l l be unable to access the serial console. If that occurs, y o u
may n e e d to R M A the Blue Coat SG to Blue Coat.
9. T h e system asks if you want to set up an access control list. For the prompt Would you l i k e
t o r e s t r i c t a c c e s s t o a n a u t h o r i z e d w o r k s t a t i o n ? Y/N [Yes], type N and
press the Enter key.
If you configure the access control list, you limit administrative access to clients whose IP
addresses you select. In practice, this is a good idea because it increases security. However,
you will not configure the access control list during training.
10. The system asks if you want to set up the forwarding host. For the prompt Would you l i k e
to s e t up t h e f o r w a r d i n g h o s t now? Y/N [No], type N and press the Enter key.
11. You have completed the initial setup. The Blue Coat SG will be available to the network in
about 10 seconds. You should see a screen similar to the one shown below. You can press the
Enter key three times to activate the serial console. Or access the URL indicated in the message
to access the M a n a g e m e n t Console.
5
Using a W e b Browser
Important: You can perform t h e initial configuration of a Blue Coat SG t h r o u g h a Web

b r o w s e r only if all of t h e r e q u i r e m e n t s listed b e l o w are met:
1. Your Blue Coat SG h a s a b r i d g i n g card installed a n d is active.
2. You d e p l o y e d Blue C o a t SG in b r i d g i n g m o d e .
3. Your b r o w s e r is nor configured to use a p r o x y server.
1. O p e n y o u r Web browser a n d verify that it is not configured to u s e a p r o x y The screen captures

s h o w Firefox, b u t y o u can u s e a n y compatible browser.
2. Access t h e URL https://proxysg.bluecoat.com:8083. You s h o u l d receive a message alerting y o u

that y o u received a digital certificate issued by an u n k n o w n authority, as s h o w n in the screen
c a p t u r e below. Click OK to start t h e configuration p r o c e d u r e .
Unable to verifv the identity of 172.2.15.201as a trusted site,

! '
-—• Possible reasons for this error:
- Your browsei does not recognize the Certificate Authority that issued the site s certificate.
- The site's certificate is incomplete due to a server misconfiauration.
- You are connected to a site pretending to be 172,2.15.201, possiblv to obtain your
confidential information.
Please notify the sites webmaster about this problem,
Before accepting this certificate, vou should examine this sites cerbhcate careFullv. Hie you
willing to to accept this certificate for the purpose of identifying the Web site 172.2.15.20!?
j Examine Certificate... j
Accept this certificate permanently

* Accept this certificate temporarily for this session
• Do not accept this certificate and do not connect to this Web site
Cancel
L_?JL_J I !
3. The b r o w s e r displays the Proxy SG Initial Configuration screen. You need to confirm the identity
of y o u r Blue Coat SG. Also verify the serial n u m b e r a n d t h e m o d e l of the unit.
6
4. Locate the Network Parameters dialog box in the Web browser and enter the IP Address, Subnet
Mask, Gateway, and DNS Server values. Your instructor should have given you the appropriate
parameters.
7
5. D e f i n e the a d m i n i s t r a t o r u s e r n a m e a n d t h e p a s s w o r d . S c r o l l d o w n i n the Web b r o w s e r t o the

Console Account s e c t i o n o f the c o n f i g u r a t i o n process. Y o u can use a n y a l p h a n u m e r i c sequence
f o r t h e user n a m e . Bear i n m i n d t h a t the user n a m e a n d p a s s w o r d are case-sensitive. F o r t h i s
l a b , use the v a l u e s i n the t a b l e b e l o w a n d scroll d o w n t o t h e Enable Password s e c t i o n .
Table 1 -2: Web Browser Passwords
User name Password Enable Password

admin pass pass
6. E n t e r the Enable password in t h e a p p r o p r i a t e f i e l d s .
8
7. You need to define the Default Policy for Proxied Services. Select Allow, as s h o w n in the screen
capture below.
The system asks if y o u w a n t to secure the serial port. Do not enable the Secure Serial Port
option.
9. Click Configure Device.
10. The system n o w s h o w s a s u m m a r y of the configuration process so far; it s h o u l d be similar to

the one in the screen c a p t u r e below.
11. You have successfully configured y o u r Blue Coat SG. The final screen s h o w s the connection
p a r a m e t e r s that y o u need to connect to Blue Coat SG:
• Via Web browser: h t t p s : / / [ y o u r p r o x y ' s IP a d d r e s s ] : 8082
9
O Serial Number
• Model
O MAC address
O Software
Connecting Through the Management Console

You h a v e configured y o u r Blue Coat SG u s i n g one of the three m e t h o d s listed above. As a final
step, y o u need to connect to t h e Blue Coat SG u s i n g a Web browser. This step allows y o u to verify
that configuration w a s successful.
1. O p e n y o u r b r o w s e r a n d access the URL:

h t t p s : / / { e n t e r y o u r Blue Coat SG IP A d d r e s s here}:8082/ as s h o w n in the screen capture
below.
2. You m a y receive a m e s s a g e w a r n i n g about the digital certificate similar to the o n e s h o w n

below. Select the o p t i o n Accept this certificate permanently a n d then click OK.
3. Enter the A d m i n i s t r a t o r account information:

Username: admin
Password: pass
10
4. You s h o u l d n o w see a w e l c o m e screen similar to the one s h o w n in the screen capture below.
Verify that y o u h a v e the correct version of the SGOS installed.
11
12
Upgrading Blue Coat SG OS
Objective
U p g r a d i n g (or d o w n g r a d i n g ) the OS version on the Blue Coat SG.
Scenario
You h a v e m u l t i p l e Blue Coat SGs in y o u r organization. You h a v e been given the assignment of
u p g r a d i n g to the latest version of the Blue Coat SG o p e r a t i n g system. You w a n t to d o w n l o a d the
OS i m a g e to a Web server local to y o u r organization a n d then u p g r a d e the different Blue Coat SGs.
Note: The u s e of Director is not discussed in this lab; however, if y o u have m o r e t h a n 4 Blue
Coat SG appliances, y o u s h o u l d u s e Director for this procedure.
Steps
1. Before u p g r a d i n g , check the current version r u n n i n g on y o u r Blue Coat SG. Launch Putty a n d
refer to the Serial Console Access section of the Student Reference sheet for the IP Address a n d
port number for y o u r t e r m i n a l server settings. Your configuration s h o u l d look similar to the
screen c a p t u r e below.
2. Click Open.
3. You s h o u l d n o w see a blank screen. This is normal. Press the Enter key three times a n d the
w e l c o m e screen a p p e a r s . If y o u h a v e pressed the Enter key three times a n d do not see the
w e l c o m e p r o m p t , contact y o u r instructor.
13
4. Type 1 at the Enter Option c o m m a n d line to launch the C o m m a n d Line Interface.
5. T h r o u g h the C o m m a n d Line Interface (CLI) t y p
>en
>password:****
>show ver
M a k e note of the current version.
6. Keep the serial connection o p e n as y o u go t h r o u g h the next steps.
Note: It m a y not be necessary to k e e p the serial connection o p e n in a p r o d u c t i o n

e n v i r o n m e n t but is helpful in this training e n v i r o n m e n t .
7. T h r o u g h the M a n a g e m e n t Console, select Maintenance > Upgrade a n d then enter the URL y o u r
Instructor gives y o u for the i m a g e to be d o w n l o a d e d a n d press the Download b u t t o n .
8. Once t h e d o w n l o a d is complete, y o u can restart the m a c h i n e t h r o u g h the M a n a g e m e n t

Console: Select Maintenance > Upgrade a n d then click the Restart b u t t o n . Alternatively, y o u can
restart t h r o u g h the CLI using the c o m m a n d :
>en
Enable Password: *****
#restart upgrade
9. After rebooting, verify y o u are at a later version t h r o u g h the CLI as described in Step 5 above.
14
Upgrading in a Production Environment

1. T h r o u g h the M a n a g e m e n t Console, select Maintenance > Upgrade a n d then click on the Show me
b u t t o n . This action o p e n s a n e w b r o w s e r w i n d o w ; in the w i n d o w y o u can see the u p g r a d e
p a g e w i t h the o p t i o n s available to y o u .
2. Fill out the request information on the p a g e s h o w n in the screen capture above a n d then click
the SUBMIT b u t t o n . M a k e sure that y o u h a v e entered the correct e-mail address.
Note: The s y s t e m asks y o u for the Blue Coat SG serial number. You can copy a n d paste the
serial n u m b e r from the h o m e p a g e of the M a n a g e m e n t Console.
3. T h e s y s t e m validates y o u r information a n d allows (or denies) y o u r request. If y o u r request is

valid, y o u receive a link w h e r e y o u can d o w n l o a d the n e w version of the OS.
Important: You cannot p e r f o r m this step d u r i n g the lab session because the serial n u m b e r s
are tied to specific e-mail addresses.
4. D o w n l o a d the file from the link that y o u received. The link is similar to
http://www.bluecoat.com/[...]/2xx.chk.
5. If y o u store the i m a g e on a W i n d o w s system, y o u s h o u l d r e n a m e the file's extension from x h k

to .bin to avoid potential issues. M a k e the file available on y o u r n e t w o r k via HTTP d o w n l o a d .
15
Additional Tasks
Restoring the Blue Coat SG to its Factory Default Settings

To restore a Blue Coat SG to its factory default settings, y o u m u s t connect to the appliance from a
PC over a serial cable (or terminal server, as they are functionally the same).
1. L a u n c h Tera Term Pro a n d configure it w i t h the following settings:
• 9600 bits per second
• 8 d a t a bits, parity n o n e
• 1 s t o p bit
• no flow control
2. Press the Enter key three times.
3. Choose option 1 , Command L i n e Interface.

4. At t h e p r o m p t , t y p e the letters e n . This p u t s y o u into enable (or privileged) m o d e . Press the
Enter key. The p r o m p t changes from a right angle bracket (>) to a p o u n d sign (#).
5. A t the p r o m p t , t y p e r e s t o r e - d e f a u l t s factory-defaults. Press the Enter key.
6. The s y s t e m asks: C o n t i n u e w i t h s y s t e m r e - i n i t i a l i z a t i o n ? Press the Y key. The

unit n o w reboots. All of the configuration is lost. You need to r e d o the initial configuration
u s i n g one of the m e t h o d s detailed a b o v e . The screen c a p t u r e b e l o w s h o w s the full s e q u e n c e of
commands.
Switching Operating Systems

Up to five SGOS images can reside on a Proxy SG at the s a m e time. If y o u w a n t to switch o p e r a t i n g
s y s t e m s after y o u r appliance is set up on y o u r network, y o u can perform the following steps.
16
1. O p e n PuTTY. T y p e the IP address of the Blue C o a t SG in the Host Name (or IP address) f i e l d a n d
select SSH as the Protocol o p t i o n . C l i c k Open.
2. Login using the admin account.

3. At the prompt type the following commands:
SGOS> en
E n a b l e p a s s w o r d : ****
SGOS#conf t
SGOS#(config)installed-systems
SGOS#(config i n s t a l l e d - s y s t e m s ) v i e w
17
4. The s y s t e m n o w displays a list of SGOS i m a g e s available. The screen capture b e l o w s h o w s t h e

entire s e q u e n c e of c o m m a n d s a n d the s y s t e m r e s p o n s e . You s h o u l d see s o m e t h i n g v e r y
similar.
login as: admin

admin6172.2.15.2D1's password:
This device is operating in the trial period. Trial expiration date is

2006-11-29
Please visit https://service3.blT.iecoat.caw for license administration
for this device.
Your hardware is not registered with Bluecoat. Please register

Blue Coat SG200 Series - mybluecoatsg>£n
Enable Password:
Blue Coat SG200 Series - mybluecoatsg^conf t
Enter configuration commands, one per line. End with CTRL-Z.
Blue Coat SG200 Series - mybluecoatsg# (conf ig) installed-systeitis
Blue Coat SG200 Series - rnybluecoatsg#(config installed-systenss) view
ProxySG Appliance Systems
1. Version: SGOS 5.1.1.7, Release ID: 26247
Thursday June IS 2006 21:38:37 UTC, Lock Status: Unlocked
Boot Status: Last boot succeeded, Last Successful Boot: Monday August 2 8 2
17 :14 : IS UTC
Tlmrsday July 6 2006 20:32:40 UTC, Lock Status: Unlocked
Boot Status: Unknown, Last Successful Boot: Unknown
Thursday July 6 2006 20:32:40 UTC, Lock Status: Locked
Boot Status: Last boot succeeded, Last Successful Boot: Honday October 2 2
19:50:03 UTC
Monday September 25 2006 20:50:30 UTC, Lock Status: Unlocked
Boot Status: La3t boot succeeded. Last Successful Boot: Honday October 2 2
22:47:16 UTC
5. Version: M/A, Release ID: N/A ( EMPTY )
No Timestamp, Lock Status: Unlocked
Boot Status: Unknown, Last Successful Boot: Unknown
Default system to run on next hardware restart: 4
Default replacement being used, (oldest unlocked system)
Current running system: 4
Blue Coat SG200 Series - mybluecoatsgs(config installed-systems) §]
5. A t the p r o m p t , type d e f a u l t a n d then the i m a g e n u m b e r . I f y o u have only one i m a g e y o u

can j u s t type the n u m b e r c o r r e s p o n d i n g to the location of t h e image.
6. Press Ctrl+Z, then press Ctrl+Z again. Type r e s t a r t u p g r a d e . The Blue Coat S G executes
the SGOS i m a g e y o u chose. You n o w can r e t u r n to t h e serial console or close t h e w i n d o w .
18
Configuring Services
Objective
Setting a service to allow H T T P traffic to be intercepted on port 8072.
Scenario
The Services feature in the Blue Coat® SG™ M a n a g e m e n t Console allows y o u to create services to
detect certain protocols. T h e Blue Coat SG can detect s o m e k n o w n protocols a n d — d e p e n d i n g on
y o u r policy — intercept or b y p a s s traffic that uses those protocols.
S o m e c o m p a n i e s use p o r t s other t h a n the default 80 or 8080 w h e n creating a proxy service for

H T T P traffic. In this lab y o u create a service to detect H T T P traffic on port 8072 from users w h o s e
b r o w s e r s are explicitly proxied.
Steps
The lab is p e r f o r m e d in four stages:
1. Setting the default proxy policy to Allow.
2. Creating a proxy service for H T T P on port 8072.
3. Configuring y o u r b r o w s e r to be explicitly proxied t h r o u g h the Blue Coat® SG™.

4. Testing the configuration.
Setting the Default Proxy Policy to Allow

1. T h r o u g h the M a n a g e m e n t Console, select Configuration > Policy > Policy Options.
2. In the Default Proxy Policy section, m a k e sure that the Allow option is selected. Click Apply if y o u
n e e d e d to c h a n g e the policy.
19
Creating a Proxy Service for HTTP on Port 8072

1. T h r o u g h t h e M a n a g e m e n t Console, select Configuration > Services > Service ports. Click the
New b u t t o n . The Add Service dialog box a p p e a r s .
2. In the Add Service dialog box:

a. M a k e s u r e that HTTP is selected from t h e Protocol d r o p - d o w n m e n u .
b. Select the All from the IP d r o p - d o w n m e n u .
c. Type in 8072 in the Port field a n d m a k e s u r e the Enabled option is checked.
d. Check the Explicit o p t i o n in the Attributes field.
3. Click OK.
4. Click the Apply b u t t o n in the M a n a g e m e n t Console.
5. T h r o u g h the M a n a g e m e n t Console, select Configuration > Services > Service Ports a n d

highlight the HTTP Port 8072 r o w a n d verify that the On c o l u m n is set to yes.
20
Configuring Services
6. T h r o u g h the M a n a g e m e n t Console, select Configuration > Services > Service Ports a n d

highlight the HTTP Port 8080 row and click Edit.
7. Uncheck Enable a n d click OK. Click Apply in the M a n a g e m e n t Console.
Configuring Your Browser to be Explicitly Proxied

1. L a u n c h the Firefox® browser a n d from the M e n u bar, select Tools > Options > General >
Advanced. Click on the N e t w o r k tab a n d the Settings b u t t o n in the Connections section. The
Connection Settings dialog box a p p e a r s
2. In the Connections Settings dialog box:

a. Select the Manual proxy configuration o p t i o n .
b. M a k e s u r e that the select the Use this proxy for all protocols check box is selected.
c. Type the IP a d d r e s s of y o u r Blue Coat SG into the HTTP Proxy field.
d. Type 8072 in the Port field.
e. Click OK in the Connection Setting w i n d o w a n d OK in the browser O p t i o n s window..
3. Your b r o w s e r proxy configuration s h o u l d look like the screen capture below.
Testing the Configuration

1. Clear the cache of the Firefox browser.
2. Connect to h t t p : / / w w w . g o o g l e . c o m . w i t h the browser.
3. N o t e the results: You s h o u l d be able to access the site t h r o u g h the Blue Coat SG.
4. N o w set the b r o w s e r to connect to the Internet t h r o u g h y o u r SG appliance on port 8080.
5. N o t e the results: The b r o w s e r s h o u l d refuse the connection.
Reset HTTP Service on Port 8080

1. T h r o u g h the M a n a g e m e n t Console, select Configuration > Services > Service Ports and
highlight the HTTP Port 8080 r o w a n d Click Edit. The Edit Service box appears.
2. Select the check box next to Enabled and Click OK.
3. Verify that the On column is set to Yes on the H T T P Port 8080 row. Click Apply.
21
22
Explicit Proxy Configuration and Testing
Objectives
• Configuring y o u r b r o w s e r to use proxy traffic via the ProxySG
• U s i n g H T T P Live H e a d e r s to observe the different behavior of the b r o w s e r w h e n it is u s i n g a

proxy a n d w h e n it is not. (You can also use Ethereal to analyze the actual traffic at a lower
level.)
Scenario
In this exercise, y o u will configure y o u r Firefox b r o w s e r to access the Web via the ProxySG. You
will c o m p a r e the b r o w s e r request based on w h e t h e r it is using a proxy (in explicit mode) or not.
Before You Begin

• This lab a s s u m e s that the default policy is set to Allow. T h r o u g h the M a n a g e m e n t Console,
select Configuration > Policy > Policy Options, a n d then set the default proxy policy option to
Allow.
• Install Firefox v 2.0.0.2 or higher on y o u r system.
• Install Ethereal, if it isn't installed on y o u r system.You can d o w n l o a d t h e m both from y o u r

local FTP site in the Tools directory.
Steps
1. First configure Firefox to not go t h r o u g h a proxy by selecting Tools > Options > Advanced in
the m e n u bar.
2. Click on the Network tab then the Settings button in the Connections section. The Connection
Settings dialog box a p p e a r s
3. Select the Direct connection to the Internet radio button.Click OK.
23
4. Start Ethereal a n d set it to m o n i t o r only H T T P traffic.

5. Access w w w . g o o g l e . c o m .
6. Stop the c a p t u r e a n d note the Ethereal packet capture such as circled in the screen capture
below:
24
Explicit Proxy Configuration and Testing
7. Configure Firefox to access the Web via the Blue Coat SG on p o r t 8080 a n d a d d y o u r Blue Coat
SG's IP address to the No Proxy For dialog box. Click OK.
8. Restart Ethereal a n d set it to m o n i t o r only port 8080 traffic.
9. Access www.google.com.
10. Stop the c a p t u r e a n d note the Ethereal packet capture this time as it goes t h r o u g h the proxy.
The difference is circled in the screen capture below.
11. Observe the differences in the IP a d d r e s s .
• The direct connection uses w w w . g o o g l e . c o m IP a d d r e s s as destination.
a The proxy request uses the Blue Coat SG IP a d d r e s s as the destination.
Note: The definition of explicit proxy is exactly w h a t is stated in Step 15. The destination IP
a d d r e s s for the browser HTTP request is the IP a d d r e s s of the proxy a n d not the one of
the OCS.
25
12. You m a y also w a n t to see the differences in the Ethereal c a p t u r e m e t h o d s based on different
filter o p t i o n s . The table below s h o w s s o m e of the w i d e l y u s e d filter options in Ethereal packet
capture
Table 4.1 : Filter Options in Ethereal Packet Capture
Filter O p t i o n Effect
http.request.method == "GET" C a p t u r e packets w i t h a "GET" request in
them.
tcp.port == 80 C a p t u r e packets w i t h destination TCP
port 80
ip.addr == a.b.c.d C a p t u r e packets w i t h IP a d d r e s s a.b.c.d
ip.addr == a.b.c.d && Capture packets w i t h IP a d d r e s s a.b.c.d
http.request.method == "GET" a n d a GET request.
26
HTTP Compression
Objective
Configuring the Blue Coat® SG™ to enable HTTP client-side a n d server-side compression
Scenario
Browsers a n d Web servers can negotiate the d a t a format for the content delivery. Pages can be s e n t
from the Web server to the b r o w s e r in plain ASCII text or in c o m p r e s s e d format (typically g z i p or
deflate). The Blue Coat SG can retrieve c o m p r e s s e d or u n c o m p r e s s e d content a n d serve it
c o m p r e s s e d or u n c o m p r e s s e d ; a n y combination is acceptable.
In this lab y o u configure the Blue Coat SG to retrieve content from an OCS a n d deliver it to the
client c o m p r e s s e d , if the client s u p p o r t s compression, even w h e n the OCS does and does not
s u p p o r t compression.
Before You Begin

• M a k e s u r e that the default policy on y o u r Blue Coat SG is set to Allow. T h r o u g h the
M a n a g e m e n t Console, select Configuration > Policy > Policy Options, a n d then set the default
proxy policy option to Allow.
• Install i e H T T P H e a d e r s v l . 6 on y o u r system. You can d o w n l o a d it from y o u r local FTP site.
• D o w n l o a d a n d install Ethereal® vO.10.10 from the local website to analyze packet capture
statistics.
Steps
Configuring y o u r Blue Coat SG to s u p p o r t HTTP compression is d o n e in t w o steps:
• Client side compression
• Server side compression
27
Client-Side Compression
1. T h r o u g h the M a n a g e m e n t Console, select Configuration > Policy > Visual Policy Manager, a n d
then click the Launch button.
2. From the Visual Policy M a n a g e r (VPM) m e n u bar, select Policy > Add Web Content Layer The
A d d N e w Layer dialog box a p p e a r s .
3. In t h e A d d N e w Layer dialog box, t y p e Client Side Compression in the the Layer Name d i a l o g
box a n d then click OK. In the VPM, t h e layer w i t h a n e w e m p t y rule appears.
4. Right-click in the Action field of the n e w rule a n d select Set from the d r o p - d o w n m e n u . T h e
Set Action Object dialog box a p p e a r s .
5. In the Set Action Object dialog box, click the New b u t t o n a n d t h e n select Set Client HTTP
Compression from the d r o p - d o w n m e n u . The A d d Client H T T P Compression Object dialog
box a p p e a r s as s h o w n in the screen c a p t u r e below.
x
TP -> 1
>! In >i" ?" n L H t i ' 'i"in £J R
Name: rciientHTTPCompressionl | ;
IF CLIENT REQUESTS COMPRESSED AND ONLY \

UNCOMPRESSED CONTENT IS AVAILABLE: |
0 Compress content before serving ft !
O Serve uncompressed content
IF CLIENT REQUESTS UNCOMPRESSED CDNLENT AND J

ONLY COMPRESSED CONTENT IS AVAILABLE: J
0 Decompress content before serving it I
0 Retrieve uncompressed content from server
[ OK | | Cencel | | Help |
6. Accept the default values a n d click OK. T h e n click OK on the Set Action Object dialog box. The
V P M s h o u l d look like the screen c a p t u r e below.
JG NINE £ NAT VISIIDL POHLY MARIER (Blue

File Edit Policy Configuration View Hefp
Add Rule Delete Rule j J -f Move Up i] 4- Move Down ~J I ^ Install Policy

11
ClientSide Compression
No. 1
Destination ' Action 1
Track ' Comment
1 JAny ClientHTTPCompressio... None
Settings retrieved from ProxySG Appliance mybluecaatsg
7. Click Install Policy.
Server-Side Compression
1. Configure y o u r Internet Explorer® b r o w s e r to point t o w a r d s y o u r proxy a n d m a k e s u r e that
the H T T P 1.1 option is not enabled in y o u r browser settings.
28
HTTP Compression
2. O p e n IE, enable i e H T T P H e a d e r s , a n d t h e n m o n i t o r the traffic sent a n d received by y o u r

browser.
3. Access the site www.microsoft.com.
4. Notice the response from the OCS, in particular the lack of an Accept Encoding h e a d e r in the
client request.
5. From the Visual Policy M a n a g e r (VPM) m e n u bar, select Policy > Add Web Content Layer The
6. In the A d d N e w Layer dialog box, type Server Side Compression in the the Layer Name dialog
box a n d then click OK. In the VPM, the layer w i t h a n e w e m p t y rule appears.
7. Right-click in the Action field of the default rule a n d then select Set from the d r o p - d o w n m e n u .
The Set Action Object dialog box a p p e a r s .
8. In the Set Action Object dialog box, click the New b u t t o n a n d then select Set Server HTTP
Compression from the d r o p - d o w n m e n u . The A d d Server H T T P Compression Object dialog
box a p p e a r s .
29
9. Select the Always request HTTP Compression option in t h e A d d Server HTTP Compression
Object dialog box. M a k e s u r e that y o u uncheck the Include unsupported client compression types
box.
10. Click OK a n d OK a g a i n on the Set Action Object d i a l o g box. The V P M s h o u l d look like the
screen capture below.
12. O p e n Internet Explorer a n d m a k e sure that y o u r proxy is explicitly configured.

13. Clear the i e H T T P H e a d e r s w i n d o w .
14. Start a packet c a p t u r e u s i n g Ethereal.

15. Access the site www.microsoft.com.
16. Stop the packet c a p t u r e in Ethereal. Notice that the Blue Coat SG gets c o m p r e s s e d d a t a from
www.microsoft.com, d e c o m p r e s s e s the d a t a a n d serves only u n c o m p r e s s e d d a t a to the client.
ffl
Frame 35 (1514 bytes on w i r e , 1514 byres c a p t u r e d )
SI E t h e r n e t I I , S r c : 0 0 : 1 4 : 6 a : 5 0 : f 2 : f f , D s t : 00:d0:83:04:aa:d8
IB i n t e r n e t P r o t o c o l , s r c Addr: 207.68.173.76 (207.68.173.76), Dst Addr : 172 . 2.15. 201 (172. 2.15. 201)
SiTransmission c o n t r o l P r o t o c o l , s r c p o r t : h t t p ( 8 0 ) , Dst P o r t : 1248 (1248), s e q : 1, Ack: 537, L e n : 1448
B Hypertext T r a n s f e r p r o t o c o l
IB H T T P / 1 . 1 200 O K \ r \ n
Date: Mon, 02 Oct 2006 19:15:26 GMT\r\n
server: M i c r o s o f t - n s / 6 . 0 \ r \ n
P3P: CP="BUS CUR CONO FIN IVDO ONL OUR PHY SAMO T E L o " \ r \ n
s : appB32\r\n
x-Powered-By: A S P . N E T \ r \ n
X - A s p N e t - V e r s i o n : 2. 0. 50727\r\n
pragma: n o - c a c h e \ r \ n
cache-control: no-cache\r\n
content-Type: text/html; charset=utf-8\r\n
cache-control: private\r\n
c o n t e n t - l e n g t h : 11873\r\n
connection: K e e p - A l i v e \ r \ n
f content-Encoding: gzipV"\n ^
V
* - W i - - '
content-encoded e n t i t y body ( g z i p )
m Line-based text data: text/html
30
HTTP Compression
17. O p e n the M a n a g e m e n t Console a n d select Statistics tab > HTTP/FTP History > Server Comp.
Gain tab. You can review a report that s h o w s the effect of compression, from the server point
of view.
The green n u m b e r (U) s h o w s the a m o u n t of u n c o m p r e s s e d data received, a n d the blue

n u m b e r (C) s h o w s the a m o u n t of compressed d a t a s e r v e d to the client.
Policy Clean-up
1. To set the policy back to dafault for the next lab, right-click each layer a n d select Delete from
the d r o p d o w n m e n u .
2. Click the Install Policy button to accept the n e w policy.
31
32
Authentication Configuration — IWA
Objective
Configuring an authentication realm for IWA (Integrated W i n d o w s Authentication).
Scenario
In this exercise, y o u will create a n e w IWA authentication realm so that y o u can create policies for
i n d i v i d u a l users a n d g r o u p s . This also allows y o u to generate reports based on user n a m e s a n d
not s i m p l y IP a d d r e s s e s or workstation h o s t n a m e s .
Before You Begin

• D o w n l o a d a n d install the Blue Coat Systems Authentication a n d Authorization Agent
(BCAAA) from the Blue Coat Web site. Install B C A A A on any machine w i t h the following
characteristics:
D Uses W i n d o w s XP Professional, W i n d o w s 2000 Sever or Professional, W i n d o w s 2003

a Is a m e m b e r of the d o m a i n (or forest) w h e r e y o u w a n t to authenticate users' requests
a H a s a static IP a d d r e s s
o Is reachable (at n e t w o r k level) from the Blue Coat SG

Also, there m u s t not be any firewall that blocks connections to the machine (on which BCAAA
is installed) on p o r t 16101 (You can c h a n g e this port.)
Once y o u h a v e identified a suitable machine, y o u can launch the BCAAA installation. You
will navigate t h r o u g h a series of screens:
a. On the Welcome screen, click Next to begin the installation.
b. Select the location w h e r e y o u w a n t to place the files n e e d e d for BCAAA to run. Either
select the default or pick a different p a t h on y o u r system, a n d then click Next.
c. Select a p o r t n u m b e r w h e r e y o u w a n t B C A A A to listen for the incoming connection.
The default v a l u e is 16101; however, y o u can c h a n g e it as long as y o u m a k e sure that this
c h a n g e is reflected in the configuration of the IWA realm in the Blue Coat SG. Click Next.
d. Set the n u m b e r of threads. You can h a v e up to 99 threads listening for a connection on
any m a c h i n e . H o w e v e r , the r e c o m m e n d e d n u m b e r is t w o . Click Next.
Note: You can install multiple BCAA agents on separate machines of y o u foresee m a n y
connections to BCAAA.
e. B C A A A m a y require an SSL connection from the Blue Coat SG. Enter the Certificate
Subject. You can leave the default v a l u e (blank), w h i c h assumes the machine n a m e as
the value. Click Next.
f. You are n o w a s k e d to save the certificate. Accept the default value of no. Click Next.
g. As an option, y o u m a y require SSL connections between BCAAA a n d the Blue Coat
SG. You do not n e e d to enforce it. You also do not need to obtain a valid certificate to
connect. Click Next.
h. The installation p r o g r a m n o w s h o w s y o u a s u m m a r y of the options that y o u have
selected. If y o u are satisfied, complete the installation. Otherwise, go back a n d change
the options y o u need.
33
Steps
1. T h r o u g h the M a n a g e m e n t Console, select Configuration > Authentication > IWA a n d then click the
IWA Realms tab. Click the New button.
2. In the A d d IWA R e a l m dialog box, create a n e w realm u s i n g these p a r a m e t e r s :

O Realm n a m e : Blue_Coat_IWA
O Primary server host: 172.16.90.110 (or the hostname)
• Port: 16101
3. Click OK.
Note: The n a m e y o u choose for a realm will be referenced elsewhere, so m a k e sure it is

a p p r o p r i a t e . For example, for this exercise the directory server is Microsoft's IWA, so
the n a m e chosen for the n e w realm is Blue Coat IWA.
34
6. Select the IWA General tab. Verify that y o u r settings look the s a m e as those in the screen c a p t u r e
below a n d t h e n click Apply.
The configuration is n o w complete. The n e w realm is available to the Blue Coat SG to create
policies.
Note: Creating a realm d o e s not force the users to authenticate n o r initiate the logging and
reporting by u s e r n a m e . You need to create an a p p r o p r i a t e policy to configure the
Blue Coat SG to request users to authenticate.
35
Testing Authentication Configuration

1. T h r o u g h the M a n a g e m e n t Console, select Policy > Visual Policy Manager a n d then click Launch.
2. In t h e Visual Policy Manager, delete a n y existing layers y o u m a y h a v e by right-clicking the

layer tab a n d selecting Delete Layer.
3. Click Insall Policy.
4. In t h e Visual Policy Manager, select Policy > Add Web Access Layer. The Add Layer dialog box
appears.
5. Click OK to accept the default Web Access Layer n a m e .
6. Right-click in the Source field of the n e w l a y e r ' s default rule a n d t h e n click Set from the
d r o p - d o w n m e n u . T h e Set Source Object dialog box a p p e a r s .
7. In the Set Source Object dialog box, click New a n d then select User from the d r o p - d o w n m e n u .
The A d d User Object dialog box a p p e a r s .
36
In the A d d User Object dialog box, select the realm Blue_CoatJWA from the Authentication
Realm d r o p - d o w n m e n u .
9. Click the Browse button.
Note: If a list of users a p p e a r s similar to the screen shot below, y o u r IWA realm
configurations are correct a n d the lab is complete. You can n o w proceed to the ' Policy
C l e a n - u p " section.
37
Note: If the realm w a s not set up correctly, the process times out.
Policy Clean-up
1. To set the policy back to default for the next lab, t h r o u g h the M a n a g e m e n t Console, select
Policy > Visual Policy Manager and click Launch.
2. Right-click each Policy layer tab a n d select Delete from the d r o p d o w n m e n u . Click the Install
Policy b u t t o n to accept the n e w policy.
38
Authentication Configuration — LDAP
Objective
Configuring an authentication realm for LDAP™.
Scenario
A u t h e n t i c a t i o n is one of the m o s t complex but important aspects of policy. In this exercise, y o u
will create a n e w Lightweight Directory Access Protocol (LDAP) authentication realm so policy
can be w r i t t e n to m a k e use of it.
Steps
T h r o u g h the M a n a g e m e n t Console, select Configuration > Authentication > LDAP > LDAP
Realms. Click the New button. An A d d LDAP Realm w i n d o w a p p e a r s .
39
2. I n t h e A d d L D A P R e a l m d i a l o g b o x u s i n g these p a r a m e t e r s :
a. Realm name: Blue_Coat_LDAP
b. Type of LDAP Server: Microsoft Active Directory
c Primary server host: 172.16.90.110
d. Port: 389
e. User attribute type: sAMAccountName
Note: T h e n a m e y o u choose f o r a r e a l m w i l l b e r e f e r e n c e d elsewhere, s o m a k e s u r e i t i s

matches the step a b o v e .
3. C l i c k O K i n the L D A P R e a l m s w i n d o w , t h e n c l i c k the Apply b u t t o n t o save a n d activate the

changes.
4. Select the LDAP Servers tab. Based o n d e f a u l t settings a n d i n f o r m a t i o n y o u s u p p l i e d , the L D A P

s e r v e r s h o u l d b e set u p correctly. H o w e v e r , i t i s a g o o d i d e a t o c o m p a r e the settings y o u
e n t e r e d i n the p r e v i o u s screen w i t h those i n the screen c a p t u r e b e l o w .
40
5. Select the LDAP DN tab. V e r i f y t h a t y o u r settings l o o k the s a m e as those in the screen c a p t u r e

b e l o w a n d t h e n c l i c k t h e New b u t t o n .
6. T h e A d d L D A P Base D N d i a l o g b o x appears.
7. T y p e dc=sunnyvale, dc=training, dc=bluecoat, dc=com in t h e Add Base DN w i n d o w .
8. Click OK.
9. In t h e M a n a g e m e n t Console, click Apply to save t h e c h a n g e s .
41
10. To give the Blue Coat SG the capability to search the directory, y o u n o w m u s t s u p p l y a
u s e r n a m e a n d p a s s w o r d of a u s e r w i t h i n the L D A P server that has the a p p r o p r i a t e
credentials. To do this, select t h e LDAP Search & Groups tab, a n d then type the following
information into the a p p r o p r i a t e fields as s h o w n in the screen c a p t u r e below:
a. Anonymous Search: U n c h e c k e d
b. Search User DN: cn=bcadmin, cn=users, dc=sunnyvale, dc=training, dc=bluecoat,
dc=com
11. Click Apply to s a v e the changes.

12. To enter the p a s s w o r d , click the Change Password b u t t o n a n d type the password y o u r
instructor gives y o u in the New Password a n d Confirm New Password dialog boxes.
13. Click OK. In the M a n a g e m e n t Console click Apply to save changes.

The configuration is n o w complete. The object Blue_Coat-LDAP is available to the Blue Coat
SG to create policies.
Note: Creating a realm d o e s not force the users to authenticate nor initiate the logging a n d
reporting by u s e r n a m e . You need to create an a p p r o p r i a t e policy to configure the
Blue Coat SG to request users to authenticate.
Testing Authentication Configuration

1. T h r o u g h the M a n a g e m e n t Console, select Policy > Visual Policy Manager a n d t h e n click Launch.
2. In the Visual Policy Manager, select Policy > Add Web Access Layer and accept the default
name.
42
3. R i g h t - c l i c k i n t h e Source f i e l d o f t h e n e w l a y e r ' s d e f a u l t r u l e a n d t h e n c l i c k Set f r o m the

d r o p - d o w n m e n u . T h e Set Source Object d i a l o g b o x appears.
4. In the Set Source Object d i a l o g box, c l i c k New a n d t h e n select User f r o m the d r o p - d o w n m e n u .

T h e Add User Object d i a l o g box appears.
5. In the Add User Object d i a l o g box, select the r e a l m AD-LDAP f r o m the Authentication Realm
drop-down menu.
43
6. Click the Browse b u t t o n . If the realm w a s set up correctly, a list of users a p p e a r s . If the realm
w a s not set up correctly, the process times out.
7. W h e n y o u are successful, click Cancel, Cancel a n d Cancel to get y o u back to Visual Policy
Manager. Exit Visual Policy M a n a g e r w i t h o u t installing the policy or accepting a n y changes
m a d e to the policy. If y o u are not successful, the b r o w s e r w i n d o w will h a n g .
44
Creating Basic Policy
Objective
• I m p l e m e n t i n g a basic policy using an authentication realm
• Blocking all u s e r s from w w w . g a m e s . c o m
Scenario
You w a n t to create a very basic policy to test that t h e Blue Coat SG is configured correctly a n d that
the authentication realms are w o r k i n g as expected.
Before You Begin

• This lab a s s u m e s t h a t y o u have a l r e a d y created a n d configured at least one authentication
realm.
• This lab also a s s u m e s that y o u r default policy is already set to Allow. This s h o u l d be the case if
y o u r class is following the exercises in order.
Steps
1. T h r o u g h the M a n a g e m e n t Console, select Configuration > Policy > Visual Policy Manager, a n d then
click the Launch button.
2. From the Visual Policy M a n a g e r (VPM) m e n u bar, select Policy > Add Web Authentication
Layer. The A d d N e w Layer dialog box a p p e a r s .
3. In the A d d N e w Layer dialog box, accept the default n a m e a n d then click OK. In the VPM, the
layer w i t h a n e w e m p t y rule a p p e a r s .
4. Right-click in the Action field of the n e w rule a n d select Set from the d r o p - d o w n m e n u . The
Set Action Object dialog box a p p e a r s .
5. In the Set Action Object dialog box, click the New button a n d then select Force Authenticate
from the d r o p - d o w n m e n u . The A d d Force Authenticate Object dialog box appears.
6. In the A d d Force A u t h e n t i c a t e Object dialog box, type Blue_coat_IWA in the Name field.
45
Select Blue_coat_IWA in the Realm d r o p d o w n m e n u .
Click OK a n d t h e n click OK in the Set Action Object dialog box. The V P M s h o u l d look like the
screen c a p t u r e below:
9. From V P M m e n u bar, select Policy>Add Web Access Layer from the d r o p - d o w n m e n u . The
10. In the A d d N e w Layer dialog box, accept t h e default n a m e a n d then click OK. The layer w i t h a
n e w e m p t y rule a p p e a r s in the VPM.
11. Right-click in the Destination field of the n e w rule a n d then select Set from the d r o p - d o w n
m e n u . The A d d Destination Object dialog box a p p e a r s .
12. In the A d d Destination Object dialog box, click the New button a n d then select Destination
Host/Port from the d r o p - d o w n m e n u . The A d d Destination H o s t / P o r t Object dialog box
appears.
13. In the A d d Destination H o s t / P o r t Object dialog box:

a. Type www.games.com in the Host field.
b. Select Exact Match from the d r o p - d o w n m e n u next to the Host field.
c. Type 80 in the Port field. Alternatively, y o u can leave the field blank.
d. Click the Add button a n d then click the Close button.
14. Click OK in the Set Destination Object d i a l o g box. The V P M s h o u l d look like the screen
c a p t u r e below.
46
Creating Basic Policy
15. Click the Install Policy button.
Testing the Policy

1. M a k e sure t h a t y o u r b r o w s e r is u s i n g y o u r Blue Coat SG as its proxy on port 8080.
2. Try to access w w w . c n n . c o m . N o t e t h a t y o u are asked to authenticate a n d verify that y o u can

see the content from the Web site.
3. Try to access w w w . g a m e s . c o m a n d verify that y o u are being blocked.
Policy Clean-up
1. To set the policy back to dafault for the next lab, right-click each layer a n d select Delete from
the d r o p d o w n m e n u . Click the Install Policy b u t t o n to accept the n e w policy.
47
48
Configuration Archive
Objective
Backing up Blue Coat SG configurations.
Scenario
Before m a k i n g changes to the Blue Coat SG, it is a g o o d idea to back up the current configuration
in case y o u need to revert quickly to the last k n o w n w o r k i n g state. The M a n a g e m e n t Console
offers an easy-to-use feature that allows y o u to view the current Blue Coat SG configuration a n d
load a previously saved configuration.
Before You Begin

• Be a w a r e that the configuration y o u save is viewable within a text viewer. It is beyond the
scope of this class to train a d m i n i s t r a t o r s to dissect the configuration; however, once y o u
u n d e r s t a n d the syntax, y o u can not only back up configurations but also create templates for
m a s s Blue Coat SG d e p l o y m e n t s .
Steps
1. T h r o u g h the M a n a g e m e n t Console, select Configuration > General > Archive. The Archive
Configuration dialog box a p p e a r s in the M a n a g e m e n t Console w i n d o w .
Notice that y o u can view m u l t i p l e levels of configurations. In this exercise, y o u w a n t to s a v e

all the configurations.
Note: This will not allow y o u to install the configurations on a n o t h e r Blue Coat SG because
of s o m e h a s h e d p a s s w o r d values. However, it will allow y o u to completely restore the
configuration for y o u r system.
2. In the View Current Configuration section, select Configuration - expanded from the View File
d r o p - d o w n m e n u , a n d then click the View button.
49
A n e w W e b b r o w s e r w i n d o w a p p e a r s c o n t a i n i n g t h e c o n f i g u r a t i o n text.
3. To save t h e f i l e f r o m w i t h i n t h e b r o w s e r , select File > Save Page As, t h e n n a m e the f i l e a n d save

it as a text f i l e .
50
Content Filtering — Configuration
C o n t e n t filtering is a valuable tool for m a n y organizations. Content filtering databases enable

organizations to keep i n a p p r o p r i a t e Web site content from entering their networks. They do this
by identifying a n d automatically blocking sites w h e n they contain a certain category of content.
W i t h o u t content-filtering databases, organizations w o u l d h a v e to scour the Internet to categorize

Web sites a n d a d d sites to a blocking list. But w i t h content-filtering databases, organizations
s i m p l y select categories a n d w r i t e rules for them. For example, an organization can block all a d u l t
a n d g a m b l i n g sites at all times a n d allow access to n e w s sites d u r i n g lunch a n d after regular w o r k
hours.
Objective
Installing a content-filtering database.
Scenario
Blue Coat SG s u p p o r t s several content-filtering databases. They are Blue Coat Web Filter, S m a r t
Filter, SurfControl, Websense, a n d W e b w a s h e r a n d several others.
The c o m p a n i e s ' software differs in cost, n u m b e r of URLs the database can contain, frequency of
d a t a b a s e u p d a t e s , n u m b e r of categories, accuracy in category assignments, technology u s e d to
categorize the database, a n d w h e t h e r Web sites can be assigned to multiple categories.
Once y o u h a v e chosen a content-filtering vendor, y o u provide y o u r subscription credentials to the
Blue Coat SG, a n d it d o w n l o a d s the database. You also m a y set up the Blue Coat SG to check for
u p d a t e s a n d d o w n l o a d t h e m a s they become available.
Before You Begin

In this exercise, y o u will d o w n l o a d install the Blue Coat Web Filter database, d e p e n d i n g on y o u r
Blue Coat SG o p e r a t i n g system. M a k e sure that y o u h a v e the s t u d e n t h a n d o u t , which has the
information y o u need to d o w n l o a d a n d install the database.
51
Steps
1. P r o v i d e the Blue Coat SG w i t h a p a t h to d o w n l o a d Blue Coat Web Filter software. T h r o u g h the
M a n a g e m e n t Console, select Configuration > Content Filtering > Blue Coat. The Blue Coat Web
Filter w i n d o w displays in the M a n a g e m e n t Console.
2. U s i n g the s t u d e n t h a n d o u t , t y p e in the URL for the content-filtering database. Do not u s e the

URL that a p p e a r s by default in the URL w i n d o w .
3. Click the Download Now b u t t o n . A Download Status dialog box a p p e a r s .
Wait w h i l e the d a t a b a s e is d o w n l o a d e d . Databases m a y be larger t h a n 40 megabytes, so the

d o w n l o a d normally can take c o u p l e of minutes, d e p e n d i n g on server connection s p e e d .
However, because b o t h the Blue Coat SG a n d the server w i t h the database are on the s a m e
LAN, the d o w n l o a d in class s h o u l d take no m o r e than a m i n u t e .
Click Close a n d Apply in the M a n a g e m e n t Console.
Verify the d o w n l o a d w a s a success by clicking the View Download Status. A browser w i n d o w

s h o u l d a p p e a r s h o w i n g the statistics of a successful d o w n l o a d .
52
Content Filtering — Configuration
6. Activate the d a t a b a s e within the Blue Coat SG by selecting Configuration > Content Filtering >
General. In the Providers section, click in the check box next to Blue Coat Web Filter.
7. Click Apply to save the changes.
8. Test the installation by p r o v i d i n g a URL for the d a t a b a s e to categorize. In the the M a n a g e m e n t

Console, select Configuration > Content Filtering > General. In t h e Diagnostics section, enter
www.macys.com in the URL field. Click the Test button.
9. If the database w a s correctly installed a n d is available, a n e w Web browser w i n d o w a p p e a r s

displaying a list of categories for the URL tested. In the screen capture below, the Macy's URL
is part of the d a t a b a s e ' s shopping category
53
54
Content Filtering — Policy
Objectives
• Blocking a URL category w i t h content filtering.
• Creating y o u r o w n c u s t o m category.
Scenario
Once content-filtering software has been installed on the Blue Coat SG, y o u can write policies to
use the d a t a b a s e to prevent clients on y o u r n e t w o r k from accessing certain types of Web site
content. You also can create y o u r o w n c u s t o m d a t a b a s e categories, allowing y o u to write policies
for different servers on y o u r network, p a r t n e r sites, or a p p r o v e d leisure sites.
Before You Begin

• This exercise a s s u m e s that y o u h a v e d o w n l o a d e d a n d installed the Blue Coat Web Filter for
SGOS 4.x.x.
Steps
Database Category: Blocking all Travel Web Sites

1. L a u n c h y o u r b r o w s e r configured to go t h r o u g h y o u r Blue Coat SG on port 8080.
2. Test the present policy state by accessing a test travel site, such as Travel.com
(http://www.travel.com). Once y o u h a v e completed writing the policy, y o u can try to access the
site again to see if the policy has taken effect.
55
T h r o u g h the M a n a g e m e n t Console, select Configuration > Policy > Visual Policy Manager a n d then
click the Launch b u t t o n . (If the V P M is a l r e a d y open, close a n d then relaunch it.)
In Visual Policy Manager, select Policy > Add Web Access Layer. In t h e A d d N e w Layer dialog
box, give the layer a n a m e that m a k e s sense to y o u . (In the screen captures below, the layer is
n a m e d URL Filter.)
5. Right-click the Destination field of the n e w rule, a n d then click Set in the d r o p - d o w n m e n u .
The Set Destination Object dialog box a p p e a r s .
6. Click the New b u t t o n a n d then select Request URL Category from the d r o p - d o w n m e n u . The
A d d Request URL C a t e g o r y Object dialog box a p p e a r s .
56
In the A d d Request URL Catagory Object box, type Travel in the Name field. In the Categories
w i n d o w , click on the plus sign next to Blue Coat to display the list of categories.
Note: A category object d o e s n ' t h a v e to belong to just one category. You can create
categories to create a c u s t o m category g r o u p . Keep this in m i n d w h e n y o u create
category objects a n d choose n a m e s carefully.
Click the check box next to Travel, a n d t h e n click OK. The n e w Travel object appears in the Set
Destination Object dialog box
9. Click OK.
57
10. Your policy s h o u l d look like the screen c a p t u r e below. In t h e VPM, click the Install Policy
button.
11. With y o u r b r o w s e r explicitly p r o x i e d to y o u r Bluecoat SG on p o r t 8080, test the n e w policy by

trying to access t h e Travel.com Web site (http://www.travel.com). You s h o u l d see an Access
Denied message.
C u s t o m Category: Blocking Yahoo, Forbes, and Asterix Web sites

1. Access t h e following Web sites to m a k e sure that no existing policy is blocking them:
a http://www.yahoo.com
• http://www.forbes.com
• http://www.asterix.com
2. In t h e VPM, m a k e sure that the URL Filter tab (the tab of the layer y o u created in Step 3 of the
p r e v i o u s section) is highlighted a n d t h e n click Add Rule.
58
Create a n e w destination trigger in the A d d Request URL Category Object dialog box:
a. Right-click the Destination field of the n e w policy rule.
b. Select Set from the d r o p - d o w n m e n u .
c. In the Set Destination Object dialog box, click the New button, then select Request
URL Category from the d r o p - d o w n m e n u .
d. Type Custom Block in t h e Name field.
e. H i g h l i g h t Categories > Policy.
f. Click the Add b u t t o n
The Object N a m e dialog box a p p e a r s
4. N a m e the object by t y p i n g CustomBlock in the w i n d o w a n d then click OK. This step creates a
c u s t o m category. However, the category is empty. You will n o w associate d o m a i n s w i t h it.
5. In the A d d Category Object dialog box, highlight Categories > Policy > CustomBlock.
However, do not click the check box beside it. Click the Edit URLs button
59
6. T h e Edit Locally defined category Object d i a l o g b o x a p p e a r s .
7. A d d d o m a i n s t o t h e CustomBlock c a t e g o r y b y t y p i n g t h e m i n t o the w i n d o w , one p e r l i n e .

C l i c k OK.
8. In the Add Request URL Category Object d i a l o g box, c l i c k in the check b o x beside the c a t e g o r y
n a m e CustomBlock.
9. C l i c k OK.
60
10. In the Set Destination Object dialog box, highlight CustomBlock from the list of destination
objects.
11. Click OK.
12. In the VPM, click the Install Policy button.
61
13. With y o u r browser explicitly proxied to y o u r Blue Coat SG on port 8080, test the n e w policy
by trying to access the Yahoo, Forbes, a n d Asterix sites. You s h o u l d see an Access Denied
m e s s a g e each time.
Policy Clean-up
1. To set the policy back to default for the next lab, t h r o u g h the M a n a g e m e n t Console, select
62
Using the Local Database
Objectives
• Creating a s h a r e d repository of m a n u a l l y categorized files to share a m o n g multiple Blue Coat
SG appliances
• Scheduling daily a u t o m a t i c d o w n l o a d s of this list
Scenario
Blue Coat SG offers a d m i n i s t r a t o r s the ability to easily define c u s t o m categories a n d then e n s u r e
they are automatically u p d a t e d from a local central server. The Blue Coat SG enables
a d m i n i s t r a t o r s to create their o w n category list, store it on a local server, a n d then periodically
d o w n l o a d the list if u p d a t e s occur. This exercise s h o w s h o w local database content filtering can be
i m p l e m e n t e d u s i n g the Blue Coat SG.
Steps
1. Create a text file w i t h the following syntax a n d t h e category names a n d URLs y o u w a n t to
h a v e in the list:
define category whitelist

microsoft.com
Symantec.com
mcafee.com
end
define category blacklist

playboy.com
hacking.com
sex.com
end
2. Use the FTP location on y o u r s t u d e n t h a n d out to post his file on the training room internal
Web site as s h o w n in the screen capture below:
T h r o u g h the M a n a g e m e n t Console, select Content Filtering > Local Database.
On the Local Database tab in the Download section, type the adminitrator u s e r n a m e given to
y o u by then instructor. Click Change Password a n d use the p a s s w o r d given to y o u by y o u r
instructor.
63
5. I n the URL d i a l o g b o x , t y p e t h e p a t h t o y o u r f i l e o n the w e b s e r v e r . For e x a m p l e :

http://172.16.90.110/student12/CustomLocalDatabase.txt.
6. Start the d o w n l o a d by c l i c k i n g the Download Now b u t t o n . A d o w n l o a d can take a f e w seconds

to a m i n u t e to c o m p l e t e d e p e n d i n g on the database size.
7. C l i c k the View Download Status b u t t o n t o c o n f i r m y o u r local database w a s successfully

imported and compiled.
T h r o u g h the M a n a g e m e n t C o n s o l e , select Content Filtering > Local Database > Automatic

Download. S c h e d u l e h o w o f t e n y o u w a n t t o h a v e the B l u e Coat S G r e t r i e v e t h i s i n f o r m a t i o n . I n
m o s t cases, once a w e e k is a reasonable f r e q u e n c y f o r t h i s t y p e of a p p l i c a t i o n .
64
Using the Local Database
9. N o w y o u need to enable the local d a t a b a s e to be available in the Visual Policy M a n a g e r (VPM)

so y o u can create rules. T h r o u g h the M a n a g e m e n t Console, select Content Filtering > General
a n d then click in the check box for the Use Local Database option as s h o w n in the screen
capture below.
10. Click Apply in the M a n a g e m e n t Console.
11. Launch the V P M a n d create a Web Access Layer with a rule to block the blacklist category of
y o u r local database. (If the V P M is already open, close a n d then re-launch it.)
13. Close the VPM.
14. Test the policy by accessing the denied websites y o u defined in y o u r local database file.
Important: Do not enable the local database if y o u do not h a v e one configured. An e m p t y

(but enabled) local database m a y cause conflict with the other content filters.
Note: You s h o u l d n a m e the categories in the local d a t a b a s e in a w a y that will clearly

distinguish t h e m from other categories y o u m a y use. You should prefix the category
n a m e w i t h an identifier like "ldb_".
Policy Clean-up
1. To set the policy back to dafault for the next lab, t h r o u g h the M a n a g e m e n t Console, select
65
66
Managing Downloads — File Types and Exceptions
Files d o w n l o a d e d from the Internet or sent by e-mail can pose a h a z a r d to the enterprise. Files
m a y contain viruses or other m a l w a r e . In addition, allowing staff u n l i m i t e d ability to surf the
Internet d u r i n g w o r k i n g h o u r s can reduce productivity a n d expose e m p l o y e e s to materials that
they m a y find offensive.
The Blue Coat® SG™ enables y o u to block d o w n l o a d s of selected types of information based u p o n
various criteria s u c h as URL category, file MIME type, file extension a n d a p p a r e n t data type. The
Blue Coat® SG™ also enables y o u to create exceptions the d o w n l o a d limitations y o u h a v e set.
Objectives
Becoming familiar w i t h Web Access Layer policy in the Visual Policy M a n a g e r (VPM)
• Using rules w i t h i n the layer to block v a r i o u s types of data from being d o w n l o a d e d
Scenario
In this lab, y o u create policy t h r o u g h the Blue Coat SG to keep users from d o w n l o a d i n g several
different types of information:
1. All P D F files by MIME type
2. All i m a g e s from all n e w s sites by MIME type

3. Create an exception to d o w n l o a d i n g PDF files.
4. Exécutables u s i n g a p p a r e n t data types
Before You Begin

This lab a s s u m e s that:
• You h a v e c o m p l e t e d the earlier content-filtering labs a n d h a v e installed the Blue Coat®

WebFilter™ database, w h i c h allows blocking by URL category.
• The default p r o x y policy on y o u r Blue Coat SG is set to Allow. T h r o u g h the M a n a g e m e n t

Console, select Configuration > Policy > Policy Options. In the Default Proxy Policy section, verify
that the Allow o p t i o n is selected. If not, select it a n d then click Apply.
Steps
Blocking PDF Files by MIME Type

1. T h r o u g h the M a n a g e m e n t Console, select Configuration > Policy > Visual Policy Manager, a n d then
click the Launch button.
2. From the Visual Policy M a n a g e r (VPM) m e n u bar, select Policy > Add Web Access Layer. T h e
3. In the A d d N e w Layer dialog box, n a m e the layer Block Downloads Layer a n d click OK. The
n e w layer w i t h an e m p t y rule a p p e a r s in the VPM.
67
4. Right-click t h e Action field of the rule a n d select Allow.
5. Click Add Rule a n d then click Move Up as s h o w n in the screen c a p t u r e below.
6. Right-click the Destination field of the n e w rule a n d then select Set from the d r o p - d o w n m e n u .
7. In the Set Destination Object dialog box, click New a n d then select HTTP MIME Types from the
d r o p - d o w n m e n u . The A d d H T T P MIME Type Object dialog box a p p e a r s .
68
8. In the A d d HTTP MIME Types Object dialog box, n a m e the object PDF_Files. Then scroll
d o w n the list of MIME t y p e s to find application/pdf a n d select it. Click OK.
9. Confirm the object n a m e in the Set Destination Object dialog box a n d then click OK.
10. In the VPM, click Install Policy.
11. Test the n e w rule by launching y o u r browser set to use y o u r Blue Coat SG as the proxy on port
8080 a n d accessing a site that offers PDF d o w n l o a d s . For Example:
h t t p : / / w w w . b l u e c o a t . c o m / r e s o u r c e s / d a t a s h e e t s . h t m l . W h e n y o u a t t e m p t to d o w n l o a d a
PDF file, y o u s h o u l d receive a m e s s a g e telling y o u that access is denied.
69
Blocking Images from News Sites by MIME Type

1. In the VPM, position the cursor on Rule N o . 1 a n d click the Add Rule button.
2. Right-click in the Destination field of the n e w rule a n d t h e n select Set from the d r o p - d o w n
m e n u . The Set Destination Object dialog box a p p e a r s .
3. In the Set Destination Object dialog box, click the New b u t t o n a n d the select Combined
Destination Object... from the d r o p - d o w n m e n u . The Set C o m b i n e d Destination Object dialog
box a p p e a r s .
4. In the Set C o m b i n e d Destination Object dialog box, click New a n d then select HTTP MIME
Types from the d r o p - d o w n m e n u . T h e A d d H T T P MIME Types dialog box a p p e a r s .
70
5. In the A d d HTTP MIME Types dialog box, n a m e the object lmages„Files.
6. Scroll d o w n the list of MIME types to find various c o m m o n MIME types. Select i m a g e MIME
types, s u c h as image/jpeg a n d then click OK.
7. In the A d d C o m b i n e d Destination Object dialog box, a d d the object lmages_Files to the

u p p e r - r i g h t object box. H i g h l i g h t the object a n d then click the top Add » button.
71
In the A d d C o m b i n e d Destination Object dialog box, click New a n d then select Request URL
Category... from the d r o p - d o w n m e n u . The A d d Request URL Category dialog box a p p e a r s .
9. In the dialog box Categories w i n d o w , type News/Media in the Name field. Click on the p l u s sign
next to Blue Coat to d i s p l a y the available categories. Scroll d o w n , select the News/Media
category, a n d t h e n click OK.
72
10. In the A d d C o m b i n e d Destination Object dialog box, a d d the object News/Media to the l o w e r
object box. Highlight the object a n d then click the b o t t o m Add » button.
11. Click OK a n d then click OK in the Set Destination Object dialog box.
13. Test the policy by visiting s o m e n e w s sites, s u c h as w w w . c n n . c o m a n d www.foxnews.com.

You s h o u l d see the text on the sites but not the images.
Note: If y o u are not going to go further in this lab, please follow the Policy Clean-up
Procedure at the e n d of the lab.
Creating Exceptions to Download Rules

1. Right-click the Destination field of Rule N o . 1 w h i c h is currently set to PDF_Files a n d select Set
from the d r o p - d o w n m e n u . The Set Destination Object dialog box a p p e a r s .
Destination Object... from the d r o p - d o w n m e n u . T h e Set C o m b i n e d Destination Object dialog
box a p p e a r s .
73
3. In the Set Combined Destination Object d i a l o g box, h i g h l i g h t PDF_Files a n d t h e n c l i c k the u p p e r

Add » b u t t o n as s h o w n in t h e screen c a p t u r e b e l o w .
4. In the same Set Combined Destination Object d i a l o g b o x , c l i c k New a n d t h e n select Request URL
f r o m the d r o p d o w n m e n u . T h e A d d Request U R L Object d i a l o g b o x appears.
5. I n t h e A d d Request U R L Object d i a l o g box:

a. Select the Simple Match o p t i o n .
b. T y p e www.bluecoat.com in the URL field i m m e d i a t e l y b e l o w the Simple Match o p t i o n .
c. C l i c k Add.
6. C l i c k the Close b u t t o n .
7. In the Set Combined Destination Object d i a l o g box, h i g h l i g h t Request URL: www.bluecoat.com

a n d t h e n c l i c k the l o w e r Add » b u t t o n .
8. In the l o w e r At least one of these objects box, select the Negate check box.
74
9. In the Set Combined Destination Object dialog box, type PDF Download Exception in the Name
field.
10. The Add Combined Destination Object dialog box s h o u l d look like the screen c a p t u r e below.
11. Click OK a n d t h e n click OK in the Set Destination Object dialog box.
13. Test the n e w rule by accessing h t t p : / / w w w . b l u e c o a t . c o m / r e s o u r c e s / d a t a s h e e t s . h t m l . W h e n

y o u a t t e m p t to d o w n l o a d a PDF file, y o u s h o u l d be able to d o w n l o a d a n d view the PDF file.
Further test the rule by accessing a n o t h e r site w i t h PDF files. You s h o u l d be d e n i e d access.
Blocking Exécutables Using Apparent Data Types

Starting w i t h SGOS 4.2.x, y o u can control file d o w n l o a d s using the a p p a r e n t data type, in addition
to the file extension or the declared MIME type. T h e a p p a r e n t d a t a type refers to special data,
located at the b e g i n n i n g of a file, that is used to indicate its type. The Blue Coat SG scans data files
to d e t e r m i n e if t h e special data is present.
1. In the VPM, position the cursor on Rule N o . 2 a n d click the Add Rule button.
2. Right-click in the Destination field of the n e w rule a n d then select Set from the d r o p - d o w n
m e n u . The Set Destination Object dialog box a p p e a r s .
Destination Object from the d r o p - d o w n m e n u . The Set C o m b i n e d Destination Object dialog
box a p p e a r s .
75
In the Set D e s t i n a t i o n Object d i a l o g box, c l i c k New a n d the select Apparent Data Type f r o m the
drop-down menu.
5. T h e A d d A p p a r e n t D a t a T y p e Object d i a l o g b o x appears. Select the DOS /Windows Exécutables

o p t i o n a n d t h e n c l i c k OK.
6. C l i c k OK in the Set D e s t i n a t i o n Object b o x .
76
I n the V P M , R u l e N o . 3 s h o w s Apparent Data Typel i n t h e D e s t i n a t i o n f i e l d .
7. C l i c k Install Policy.
8. Test the n e w p o l i c y b y a t t e m p t i n g t o d o w n l o a d a n executable f i l e t h a t has been r e n a m e d w i t h

a text f i l e e x t e n s i o n . Access http://172.16.90.110/Downloads/ADT/Putty.txt. W h e n y o u a t t e m p t to
d o w n l o a d the f i l e , y o u s h o u l d receive a message t e l l i n g y o u t h a t access i s d e n i e d .
Policy Clean-up
I. To set the p o l i c y b a c k to d e f a u l t f o r the n e x t lab, t h r o u g h the M a n a g e m e n t Console, select
Policy > Visual Policy Manager and c l i c k Launch.
R i g h t - c l i c k each P o l i c y l a y e r tab a n d select Delete f r o m the d r o p d o w n m e n u . C l i c k the Install

Policy b u t t o n t o accept the n e w policy.
77
78
Managing Instant Messaging
Instant m e s s a g i n g (IM) can be useful to an organization, helping co-workers communicate quickly

a n d easily. H o w e v e r , it also raises serious concerns about security. Proprietary information can
escape t h r o u g h text messages, a n d viruses a n d other m a l w a r e can be i n t r o d u c e d into the n e t w o r k
from files s h a r e d t h r o u g h IM clients.
The m o s t effective w a y to control IM traffic is t h r o u g h a proxy server. The Blue Coat® SG™
enables y o u to control AOL®, M S N ® a n d Yahoo!® IM c o m m u n i c a t i o n s based on:
• Users
• Groups
• File t y p e s a n d n a m e s
Objective
U s i n g rules w i t h i n the Web Access Layer to control usage of instant messaging (IM)
Scenario
Your task is to p r e v e n t the transmission of selected types of information to clients t h r o u g h Yahoo!
Messenger. You n e e d to block the following from IM transfer:
• All m e s s a g e s that contain the w o r d s "Project Paris," w h i c h is the internal code n a m e for an
u p c o m i n g secret merger
• All m e s s a g e s to a specific IM user
• All executable files

All Excel files
• All files w i t h i n a given size r a n g e
In addition, y o u will create a c u s t o m i z e d notification message to the end u s e r to display w h e n a

policy is violated.
Before you Begin

• A s k y o u r instructor for a Yahoo! IM screen n a m e a n d p a s s w o r d .
• Verify that y o u have G a i m IM client version 1.5.0 installed. (Gaim is an instant messaging
client that w o r k s on multiple platforms a n d s u p p o r t s m a n y IM systems, including Yahoo!,
AOL, a n d M S N .
• Verify that the default policy for the proxy is set to Allow.
Steps
Blocking instant m e s s a g i n g is performed in four stages:
1. Checking for the Instant M e s s e n g e r (IM) licenses
2. Activating IM service on the Blue Coat SG
3. Configuring the Gaim IM client to c o m m u n i c a t e w i t h the Blue Coat SG
79
4. U s i n g the V i s u a l P o l i c y M a n a g e r ( V P M ) t o c o n t r o l I M t r a f f i c
Checking for the IM License

i. T h r o u g h t h e M a n a g e m e n t C o n s o l e , select Maintenance > Licensing. Scroll d o w n t h r o u g h the
l i c e n s e d c o m p o n e n t s u n t i l y o u locate Yahoo Instant Messaging. A v a l i d license f o r I M m u s t b e
p r e s e n t o n t h e B l u e C o a t S G t o enable I M m o n i t o r i n g a n d c o n t r o l .
2. I f y o u r B l u e C o a t S G has a v a l i d license, c o n t i n u e w i t h the rest o f t h i s lab. I f n o t , t e l l y o u r

i n s t r u c t o r , a n d y o u s h o u l d receive the a p p r o p r i a t e license.
Activating Yahoo! IM Service on the Blue Coat SG

1. T h r o u g h t h e M a n a g e m e n t C o n s o l e , select Configuration > Services > Service Ports.
2. H i g h l i g h t the service p o r t f o r Yahoo IM. Select the Edit b u t t o n to c h a n g e the d e f a u l t v a l u e s of no

i n t h e O n c o l u m n . C h e c k the Enabled o p t i o n i n the E d i t Service d i a l o g b o x . C l i c k OK.This step i s
necessary o n l y i f y o u use I M i n n a t i v e m o d e .
80
If y o u are t u n n e l i n g the traffic over HTTP or u s i n g explicit HTTP or SOCKS proxy, this s t e p is
not necessary.
3. Click the Apply b u t t o n to enable the changes y o u m a d e to take effect.
4. M a k e s u r e that the SOCKS proxy is also set to Intercept over port 1080. Highlight the service
p o r t for SOCKS. Select Intercept from the d r o p - d o w n m e n u a n d verify that the port is set to
1080.
Configuring the Gaim Client to Communicate with Blue Coat SG

1. Start the Gaim client.
2. Click the Accounts button.
3. In the Accounts w i n d o w that a p p e a r s , click the Add button.
4. In the Add Account w i n d o w , select Yahoo from the Protocol: d r o p - d o w n m e n u .
5. Enter the screen n a m e a n d the p a s s w o r d that y o u r instructor assigned to you, a n d click Save.
81
6. Y o u r screen n a m e s h o u l d n o w a p p e a r i n the Accounts w i n d o w , a s s h o w n b e l o w .
7. C l i c k Close.
8. I n t h e m a i n G a i m w i n d o w , c l i c k Preferences. T h e Preferences w i n d o w appears.
9. In the Preferences w i n d o w , select Network.
10. Select SOCKS 4 f r o m the Proxy Server d r o p - d o w n m e n u .
11. E n t e r the f o l l o w i n g v a l u e s f o r the f i e l d s l i s t e d b e l o w :
• Host: E n t e r the IP address of y o u p r o x y .
a Port: E n t e r 1080
• User: E n t e r the u s e r n a m e f r o m y o u r S t u d e n t Reference Sheet.
• Password: E n t e r the p a s s w o r d f r o m y o u r S t u d e n t Reference Sheet.
12. C l i c k Close.
13. Test t h e setup b y s e n d i n g a n I M t o y o u r a s s i g n e d b u d d y .
82
Using the Visual Policy Manager to Control IM traffic
Blocking Messages Containing "Project Paris"

1. T h r o u g h the M a n a g e m e n t C o n s o l e , select Configuration > Policy > Visual Policy Manager a n d t h e n
c l i c k Launch.
2. F r o m the V P M M e n u bar, select Policy a n d t h e n select Add Web Access Layer f r o m the
drop-down menu.
3. I n the A d d N e w L a y e r d i a l o g b o x , n a m e the l a y e r I M Access a n d t h e n click OK. T h e l a y e r w i t h

a n e w e m p t y r u l e appears i n t h e V P M .
4. R i g h t - c l i c k i n t h e Service f i e l d o f t h e n e w r u l e a n d t h e n select Set f r o m the d r o p - d o w n m e n u .

T h e Set Service Object d i a l o g b o x appears.
5. In t h e Set Service Object d i a l o g b o x , c l i c k the New b u t t o n a n d the select IM Message Text... f r o m

t h e d r o p - d o w n m e n u . T h e A d d I M Message Text Object d i a l o g b o x appears.
6. I n t h e A d d I M Message Text Object d i a l o g box:

a. T y p e Project_Paris in t h e Name i n p u t f i e l d .
b. Select the Text check b o x .
c. T y p e project paris in the Text f i e l d . T h e text is case-insensitive.
d. M a k e s u r e t h a t Contains i s selected i n the i n the d r o p - d o w n m e n u next t o the Text f i e l d .
e. C l i c k OK.
7. In t h e Set Service Object d i a l o g box, m a k e sure t h a t Project_Paris object appears in the w i n d o w .
8. C l i c k OK.
9. In the V P M , c o n f i r m t h a t the Service field of R u l e 1 c o n t a i n s Project_Paris a n d t h a t the Action

f i e l d is set to Deny.
83
11. Test the n e w r u l e b y a t t e m p t i n g t o s e n d a n I M c o n t a i n i n g the restricted text (Project Paris) t o

y o u r lab partner.
Blocking Messages to a Specific Yahoo! IM User

1. C l i c k the Add Rule.
2. R i g h t - c l i c k i n the Destination f i e l d o f the n e w r u l e a n d t h e n select Set f r o m the d r o p - d o w n

m e n u . T h e Set D e s t i n a t i o n Object d i a l o g b o x appears.
3. In the Set D e s t i n a t i o n Object d i a l o g box, c l i c k New a n d t h e n select IM Buddy... f r o m t h e

d r o p - d o w n m e n u . T h e A d d I M B u d d y Object d i a l o g b o x appears.
I n the A d d I M B u d d y Object d i a l o g box:

a. T y p e a n a m e f o r the object in the Name f i e l d . It is a g o o d practice to n a m e t h e object as
the b u d d y n a m e , s o y o u c a n i m m e d i a t e l y t e l l w h a t t h a t object does w h e n y o u l o o k a t
the p o l i c y .
b. I n the I M Buddy w i n d o w , t y p e the I M screen n a m e f o r the user y o u w a n t t o b l o c k ; y o u
can use the n a m e bcsi_student_12 a n d ask y o u r i n s t r u c t o r t o l o g i n u s i n g t h a t screen
name.
c. A c c e p t the d e f a u l t v a l u e Exact Match in the d r o p - d o w n m e n u .
d. C l i c k OK.
5. In the Set D e s t i n a t i o n Object d i a l o g box, c l i c k OK.
84
6. I n the V P M , v e r i f y t h a t the n a m e o f the I M B u d d y Object appears i n the Destination f i e l d o f

R u l e 2.
8. Test the n e w p o l i c y b y a t t e m p t i n g t o contact the b u d d y w h o s e n a m e y o u u s e d i n t h e p r e v i o u s

steps. Y o u s h o u l d receive a message i n y o u r I M w i n d o w t h a t the c o m m u n i c a t i o n i s d e n i e d .
Blocking all Executable Files

1. In the V P M , select IM Access l a y e r > Add Rule.
2. R i g h t - c l i c k i n the Service f i e l d o f the n e w r u l e a n d t h e n select Set f r o m the d r o p - d o w n m e n u .

3. In the Set Service Object d i a l o g box, c l i c k New a n d t h e n select IM File Transfer... f r o m the
drop-down menu.
T h e A d d I M File Transfer Object d i a l o g b o x appears.
4. I n the I M File Transfer Object d i a l o g box:

a. T y p e IM_Executable_Files i n the N a m e f i e l d .
b. Select the File: check box.
c. T y p e the r e g u l a r e x p r e s s i o n \.exe$ in the w i n d o w n e x t to File:
d. Select RegEx f r o m the d r o p - d o w n m e n u .
e. C l i c k OK.
5. In the Set Service Object d i a l o g box, v e r i f y t h a t t h e I M _ E x e c u t a b l e s object appears in the

w i n d o w and then click OK.
85
T h e V P M s h o u l d l o o k l i k e t h e screen c a p t u r e b e l o w .
Blocking all Excel Files

1. C l i c k Add Rule.
2. R i g h t - c l i c k i n t h e Service f i e l d o f t h e n e w r u l e a n d t h e n select Set f r o m the d r o p - d o w n m e n u .

3. In the Set Service Object d i a l o g b o x , c l i c k New a n d t h e n select IM File Transfer... as y o u d i d in

Step 3 o f t h e p r e v i o u s s e c t i o n o f this lab. T h e A d d I M File Transfer Object d i a l o g b o x appears.
4. In the Add IM File Transfer Object d i a l o g b o x :

a. T y p e IM_Excel_Files in the Name w i n d o w .
b. Select the File: check box.
c. T y p e the r e g u l a r e x p r e s s i o n \.xls$ in the w i n d o w n e x t to File:.
d. Select RegEx f r o m t h e d r o p - d o w n m e n u .
e. C l i c k OK.
5. I n t h e Set Service Object d i a l o g b o x , v e r i f y t h a t t h e I M _ E x c e l object appears i n t h e w i n d o w

and then click OK.
Blocking all Files Within a Given Size Range

1. C l i c k New Rule.
2. R i g h t - c l i c k i n t h e Service f i e l d o f the n e w r u l e a n d t h e n select Set f r o m the d r o p - d o w n m e n u .

3. In the Set Service O b j e c t d i a l o g b o x , c l i c k the N e w b u t t o n a n d select IM File Transfer... as y o u

d i d in Step 3 of t h e t w o p r e v i o u s sections. T h e Add IM File Transfer Object appears.
4. I n the A d d I M File T r a n s f e r Object d i a l o g box:
86
a. T y p e IM_File_Size in the Name w i n d o w .

b. Select the Size: check box.
c. T y p e t h e l o w e r a n d u p p e r l i m i t s o f t h e p r o h i b i t e d f i l e t r a n s f e r size r a n g e . F o r this lab,
t y p e 2048 i n t h e w i n d o w closest t o Size: a n d 8192 i n the w i n d o w n e x t t o the f i r s t
window.
d. Select KBytes f r o m t h e d r o p - d o w n w i n d o w .
e. C l i c k OK.
5. In the Set Service Object d i a l o g box, v e r i f y t h a t t h e IM_File_Size object appears in the w i n d o w ,

a n d t h e n c l i c k OK.
6. V e r i f y t h a t y o u r p o l i c y i n the V P M l o o k s l i k e t h e screen c a p t u r e b e l o w , a n d t h e n c l i c k Install

Policy.
Y o u n o w test the last three rules t h a t b l o c k t y p e s o f files.
7. I n the G a i m I M w i n d o w , a t t e m p t t o v i o l a t e R u l e 3 b y s e n d i n g a n I M c o n t a i n i n g a n executable
file.
8. A t t e m p t t o v i o l a t e R u l e 4 b y s e n d i n g a n I M c o n t a i n i n g a n Excel f i l e t o y o u r b u d d y .
9. A t t e m p t t o c o n f i r m R u l e 5 b y s e n d i n g a n I M c o n t a i n i n g a f i l e o u t s i d e the p r o h i b i t e d size r a n g e
t o y o u r lab p a r t n e r . T h e c o m m u n i c a t i o n s h o u l d succeed.
10. A t t e m p t t o v i o l a t e R u l e 5 b y s e n d i n g a n I M c o n t a i n i n g a f i l e w i t h i n the p r o h i b i t e d size r a n g e

t o y o u r lab p a r t n e r . T h e c o m m u n i c a t i o n s h o u l d f a i l .
Customizing the IM Admin Buddy Names and Alerts

Y o u can c u s t o m i z e the n a m e of the b u d d y t h a t y o u use to send a n o t i f i c a t i o n to the user t h a t a
p o l i c y w a s v i o l a t e d . Y o u can also r e t u r n a c u s t o m i z e d message to the user, d e t a i l i n g the a c t u a l
policy violation.
1. T o m o d i f y the b u d d y n a m e u s e d t o s e n d the alerts, t h r o u g h the M a n a g e m e n t Console, select

Configuration > Services > IM Proxies > IM Alert Settings.
T h e d e f a u l t n a m e is Blue Coat Proxy SG. C h a n g e it to IM Policy Administrator f o r a l l three

s u p p o r t e d I M p r o t o c o l s . T h e n c l i c k Apply.
87
Y o u s h o u l d see s o m e t h i n g s i m i l a r t o t h e screen c a p t u r e b e l o w .
T o m o d i f y t h e message t h a t users receive, y o u n e e d t o create a n I M A l e r t object i n the V P M .

Y o u can replace the s t a n d a r d D e n y a c t i o n w i t h a m o r e d e f i n e d message. I n t h e V P M , select the
I M Access L a y e r , r i g h t - c l i c k the Action f i e l d o f a n y o f the policies t h a t y o u j u s t created, t h e n
select Set > New > Send IM Alert.
I n the A d d S e n d I M A l e r t Object d i a l o g b o x :
a. T y p e IM_Policy_Violation in the Name: field.
b. T y p e " T h e I M message y o u sent v i o l a t e s c o m p a n y p o l i c y . " i n the Alert Text: p a n e .
c. C l i c k OK.
4. For the o t h e r r u l e s in the IM_Access layer, r i g h t - c l i c k on the Action f i e l d , select Set >
IM_Policy_Violation f r o m the l i s t of Existing Action Objects.
88
Y o u m a y need t o s c r o l l d o w n the list t o f i n d it.
5. Repeat Step 4 f o r a l l o t h e r p o l i c i e s in the IM_Access layer.
6. C l i c k Install Policy on the V P M .
7. A t t e m p t s e n d i n g a message t o y o u r I M b u d d y . N o t i c e t h a t y o u are b l o c k e d a n d y o u s h o u l d
receive t h e f o l l o w i n g message.
N o t e t h a t the message appears i n a n e w w i n d o w o r a n e w tab.
89
90
Managing Peer-to-Peer Traffic
Objective
Configuring y o u r Blue Coat® SG™ to transparently allow or block connections to P2P n e t w o r k s
Scenario
The u s e of peer-to-peer (P2P) clients to d o w n l o a d music a n d video files c o n s u m e s valuable
b a n d w i d t h on an organization's n e t w o r k a n d reduces productivity. P2P also opens the door for
m a l w a r e a n d raises a host of legal concerns s t e m m i n g from potential copyright infringement.
In this lab, y o u learn to:
• Configure the Blue Coat SG to intercept the P2P traffic a n d create a policy to allow P2P traffic
• Use the LimeWire P2P client to access the Internet t h r o u g h y o u r Blue Coat SG, connect to the
Gnutella P2P network, search for m o v i e titles, a n d check the statistics for the P2P traffic.
• Rewrite the policy to block P2P traffic and, use LimeWire to again connect to Gnutella a n d
search for different m o v i e titles.
This lab a s s u m e s that the internal s u b n e t is 172.16.90.x/24. The illustration below s h o w s the
n e t w o r k connectivity of the Blue Coat SG a n d the client.
Before You Begin

• This lab uses LimeWire P2P client because it has little or no s p y w a r e c o m p a r e d with other P2P
client applications. However, y o u can select another P2P client if y o u prefer.
• T h e lab a s s u m e s that y o u h a v e the p r o p e r connection to the Internet a n d that there are no

firewall rules blocking the connection to the P2P networks.
Important: It is i m p o r t a n t that y o u do not d o w n l o a d or u p l o a d copyrighted material,

because it constitutes a violation of U.S. federal law.
91
Steps
T h i s lab i s p e r f o r m e d i n f i v e stages:
1. C o n f i g u r i n g the B l u e C o a t SG to i n t e r c e p t P2P t r a f f i c
2. C r e a t i n g a p o l i c y to a l l o w P2P t r a f f i c
3. D o w n l o a d i n g L i m e W i r e and searching on Gnutella
4. C r e a t i n g a p o l i c y to b l o c k P2P t r a f f i c
5. Connecting to Gnutella a n d searching again
Configuring the Blue Coat SG to Intercept P2P Traffic

1. Set y o u r P C d e f a u l t g a t e w a y t o b e the I P address o f y o u r B l u e C o a t SG:
a. Select Start > Control Panel > Network and Internet Connections > Network Connections.
b. R i g h t - c l i c k Local Area Connection a n d t h e n select Properties > General.
c. In t h e L o c a l A r e a C o n n e c t i o n P r o p e r t i e s d i a l o g b o x , h i g h l i g h t Internet Protocol (TCP/IP)
a n d t h e n c l i c k the Properties b u t t o n .
d. I n the I n t e r n e t P r o t o c o l ( T C P / I P ) d i a l o g box, select t h e General tab a n d t h e n a n d t h e n
c l i c k Advanced.
e. C l i c k Add b e l o w the Default Gateway p a n e .
f. I n t h e T C P / I P A d d r e s s d i a l o g b o x , t y p e the I P address o f y o u r Blue Coat S G a n d t h e n
c l i c k Add. C l i c k O K o r Close i n the r e m a i n i n g d i a l o g boxes.
2. Set t h e I n t e r c e p t f u n c t i o n f o r H T T P :
a. T h r o u g h y o u r B l u e C o a t SG M a n a g e m e n t C o n s o l e , select Configuration > Services >
Proxy Services, a n d h i g h l i g h t HTTP.
b. I n t h e Destination I P r o w a n d t h e Action c o l u m n , select Intercept f r o m the d r o p - d o w n

m e n u , a s s h o w n i n the screen c a p t u r e below.
92
3. Set t h e I n t e r c e p t f u n c t i o n f o r D e f a u l t T C P T u n n e l p r o x y services:
a. T h r o u g h the M a n a g e m e n t C o n s o l e , select Configuration > Services > Proxy Services, a n d
t h e n h i g h l i g h t Default. Y o u m a y n e e d t o s c r o l l t o the b o t t o m o f the list.
b. C l i c k the Edit b u t t o n near t h e b o t t o m o f the screen.
T h e E d i t Service d i a l o g b o x appears.
I n t h e d i a l o g box:
a. M a k e sure t h a t the Detect P r o t o c o l check b o x is selected.
b. In t h e Listeners pane, select Intercept f r o m the Action d r o p - d o w n w i n d o w .
c. C l i c k OK.
5. I n the M a n a g e m e n t C o n s o l e , c l i c k Apply.
6. E n a b l e IP f o r w a r d i n g . T h r o u g h the M a n a g e m e n t C o n s o l e , select Configuration > Network >

Routing, a n d m a k e sure t h a t the Enable IP forwarding check b o x is selected.
7. C l i c k Apply.
Creating a Policy to Allow P2P Traffic

1. T h r o u g h the M a n a g e m e n t C o n s o l e , select Configuration > Policy > Visual Policy Manager, a n d t h e n
c l i c k Launch.
93
2. F r o m t h e V i s u a l P o l i c y M a n a g e r ( V P M ) M e n u bar, select Policy > Add Web Access Layer.
3. In t h e Add New Layer d i a l o g b o x , g i v e t h e l a y e r t h e n a m e P2P a n d t h e n click OK.
4. I n t h e P2P layer, r i g h t - c l i c k t h e Source f i e l d o f t h e n e w l a y e r ' s d e f a u l t r u l e a n d t h e n select Set

f r o m the d r o p - d o w n m e n u .
T h e Set Source Object d i a l o g b o x appears.
5. In t h e Set Source Object d i a l o g b o x , c l i c k New a n d t h e n select P2P Client f r o m t h e d r o p - d o w n

menu.
94
The A d d P2P Client Object dialog box a p p e a r s .
6. In the Add P2P Client Object dialog box, n a m e the object All P2P, m a k e sure that the All P2P
Clients option is selected, a n d then click OK.
7. In the Set Source Object dialog box m e n u , select All P2P a n d then click OK.
8. In the VPM, m a k e s u r e that the Action field is set to Allow.
9. Click Install Policy. The Policy Installed dialog box a p p e a r s . Click OK.
Downloading LimeWire and Searching on Gnutella

1. Before y o u d o w n l o a d , it is helpful to observe s o m e statistics. T h r o u g h the M a n a g e m e n t
Console, select Statistics > P2P History > P2P Bytes. H e r e y o u can see the statistics of the
sessions. N o t e the v a l u e of the Previous 24 hour period.
2. D o w n l o a d a n d install the LimeWire P2P client from the local FTP server in the lab or directly
from this site: h t t p : / / w w w . l i m e w i r e . c o m / L i m e W i r e W i n B o t h .
95
3. Launch LimeWire.
4. Use the search w i n d o w o n the left side o f t h e L i m e W i r e interface t o search f o r v i d e o files w i t h

the t i t l e Star Trek. T h e s e a r c h s h o u l d r e t u r n s o m e titles.
5. R e t u r n to the Statistics > P2P History > P2P Bytes tab. C h e c k the usage of the P2P traffic f o r the
Previous 24 hour period. Y o u n e e d to m o v e y o u r m o u s e o v e r the Previous 24 hour period section to
see the values.
Creating a Policy to Block P2P Traffic

1. T h r o u g h the M a n a g e m e n t C o n s o l e , select Configuration > Policy > Visual Policy Manager, a n d t h e n
c l i c k Launch.
2. I n the V P M , select t h e l a y e r y o u n a m e d P2P a n d r i g h t - c l i c k the Action f i e l d . Select Deny f r o m

the d r o p d o w n m e n u .
96
Connecting to Gnutella and Searching Again

1. R u n the Lime Wire search again. However, this time, search for video files w i t h the title CSI.
2. You s h o u l d receive an error message from the Lime Wire client.
Conclusion
This lab d e m o n s t r a t e s the ability of the Blue Coat SG appliance to intercept P2P traffic.
Interception allows y o u to block or allow the traffic. This is useful in situations w h e r e y o u w a n t to
block clients from accessing P2P networks. Viewing statistics allows y o u to k n o w h o w m u c h P2P
traffic goes t h r o u g h the Blue Coat SG.
97
98
Using Notification Objects
Objectives
• Creating a notification p a g e for users w h o are blocked from g a m b l i n g sites
• Creating a s p l a s h p a g e to r e m i n d each user every d a y that access to the Internet will be

m o n i t o r e d a n d infractions of the Acceptable Usage Policy (AUP) will be sanctioned
accordingly
• Creating a coaching page, w a r n i n g users that access to sites categorized as Web-based e-mail
is generally not allowed; however, users can continue a n d access the desired resource on the
Internet.
Scenario
It is i m p o r t a n t that u s e r s be told clearly w h y they are not allowed to access a given resource on the
Internet. A clear explanation reduces the likelihood that users will o p e n service requests with the
IT d e p a r t m e n t . W i t h o u t a p r o p e r explanation, users w h o c a n n o t access a certain site m a y think the
n e t w o r k is malfunctioning.
Blue Coat SG allows a c o m p a n y to r e m i n d each employee, every day, of the current AUP, before
the first Internet request is fulfilled.
Before You Begin

• This Lab a s s u m e s that y o u h a v e Blue Coat Web Filter installed, configured a n d up to date.
Refer to the lab "Content Filtering — Configuration" if y o u need to install it
Steps
This exercise is p e r f o r m e d in four stages:
1. Creating basic policies using the Visual Policy M a n a g e r (VPM).
2. Creating a splash page.
3. Creating a coaching page.
4. Creating a notification page.
Creating Basic Policies Using the V P M

1. T h r o u g h the M a n a g e m e n t Console, select Policy > Visual Policy Manager a n d then click the
Launch button.
2. From the m e n u bar in the Visual Policy M a n a g e r (VPM), select Policy a n d then Add Web Access
Layer from the d r o p - d o w n m e n u . In the A d d N e w Layer dialog box a p p e a r s , accept the default
name.
3. In the VPM, right-click in the Destination field a n d then select Set from the d r o p - d o w n m e n u .
4. In the Set Destination Object dialog box, click the New b u t t o n a n d then select Request URL
Category from the d r o p - d o w n m e n u . The A d d Request URL Category Object dialog box
appears.
5. In the A d d C a t e g o r y Object dialog box, type Gambling in the Name field.
99
6. Click the plus sign next to Blue Coat in o r d e r to display the available categories. Click in the
box next to Gambling a n d then click OK.
7. Click OK in t h e Set Destination Object dialog box. You h a v e just created a policy that blocks
e v e r y b o d y from accessing g a m b l i n g Web sites.
8. In the VPM, click the Add Rule b u t t o n . T h e n right-click in the Destination field a n d select Set
from the d r o p - d o w n m e n u . The Set Destination Object dialog box a p p e a r s .
9. In the Set Destination Object dialog box, click the New b u t t o n a n d t h e n select Request URL
Category from the d r o p - d o w n m e n u . The A d d Category Object dialog box a p p e a r s .
10. In the A d d Category Object dialog box, t y p e Email in the Name field.
11. Click the plus sign next to Blue Coat to display the available categories. Click in the box next to
Email a n d then click OK.
12. Click OK in the Set Destination Object dialog box. You h a v e just created a policy that blocks
e v e r y o n e from accessing e-mail Web sites.
13. In the V P M , position y o u r curser at Rule N o . 2 a n d click the Add Rule button. The n e w l y
created rule blocks e v e r y b o d y from all destinations. The resulting policy looks like the figure
s h o w n below.
100
N o w that y o u have created the policies, y o u n e e d to set up the notification events accordingly. The
first policy is for y o u r splash page.
Creating a Splash Page

1. In t h e VPM, right-click in the Action field of the last rule that y o u created w h i c h blocks
e v e r y b o d y from all destinations, then select Set from the d r o p - d o w n m e n u . The Set Action
Object dialog b o x a p p e a r s .
2. In the Set Action Object dialog box, click the New b u t t o n a n d then select Notify User from the
d r o p - d o w n m e n u . The A d d Notify U s e r Object dialog box a p p e a r s , as s h o w n in the screen
capture below
In t h e A d d Notify User Object dialog box:

a. Type Splash-Page in the Name field.
b. Type Friendly Reminder in t h e Title field.
c. In the Body w i n d o w , replace < ! - - R E P L A C E T H E F O L L O W I N G W I T H Y O U R
M E S S A G E - - > with s o m e meaningful text. For instance, y o u can type:
< h 2 x c e n t e r > X Y Z Inc. - A c c e p t a b l e Usage Policy</center></h2>
 Y o u a r e n o t a l l o w e d t o :
<li> A c c e s s G a m b l i n g W e b S i t e s
<li> E m a i l S i t e s (unless y o u h a v e a n i m m e d i a t e b u s i n e s s n e e d )
 Happy Surf ing! </center>
d. In the Notify users again section, click third radio button. Then select Midnight from the
d r o p - d o w n m e n u a n d type 1 in t h e day(s) field.
e. Click OK.
4. Click OK in the Set Action Object dialog box.
101
Creating a Coaching Page

1. Right-click on the Action field in the D e n y Email rule, then select Set from the d r o p - d o w n
m e n u . T h e Set Action Object dialog box a p p e a r s .
2. In the Set Action Object dialog box, click the New b u t t o n a n d then select Notify User from the
d r o p - d o w n m e n u . The A d d Notify User Object dialog box a p p e a r s . It is the dialog box
d i s p l a y e d in the screen capture above.
3. In t h e A d d Notify User Object dialog box:

a. Type Coaching-Page in the Name field.
b. Type Warning! You are accessing a restricted site in the Title field.
c. In t h e Body w i n d o w , replace the < ! - - R E P L A C E T H E F O L L O W I N G W I T H Y O U R
M E S S A G E - - > w i t h s o m e m e a n i n g f u l text. For instance, y o u can type:
< h 2 x c e n t e r > X Y Z Inc. - Acceptable Usage P o l i c y < / c e n t e r x / h 2 >
 Y o u a r e n o t a l l o w e d t o a c c e s s t h e r e s o u r c e r e q u e s t e d . I f y o u
h a v e a n i m m e d i a t e b u s i n e s s n e e d y o u c a n c l i c k o n t h e
link b e l o w and access the site. Be aware that y o u will be
m o n i t o r e d and your a c t i v i t y reported.
d. In t h e Notify Mode section, click the radio b u t t o n next to Notify on every host.
e. In the Notify users again section, click the radio b u t t o n next to At next browser session.
f. Click OK.
4. Click OK in the Set Action Object dialog box.
Creating a Notification Page

1. Right-click in the Action field of the D e n y G a m b l i n g rule, then select Set from the d r o p - d o w n
m e n u . The Set Action Object dialog box a p p e a r s .
2. In the Set Action Object dialog box, click the N e w button a n d then select Notify User from the
d r o p - d o w n m e n u . The A d d Notify User Object dialog box a p p e a r s .
3. In the A d d Notify User Object dialog box:

a. Type Notify-Page in the N a m e field.
b. Type Warning! You are accessing a restricted site in the T i t l e field.
c. In the Body w i n d o w , replace the < ! - - R E P L A C E T H E F O L L O W I N G W I T H YOUR
M E S S A G E - - > w i t h s o m e meaningful text. For instance y o u can type:
< h 2 x c e n t e r > X Y Z Inc. - Acceptable Usage P o l i c y < / c e n t e r x / h 2 >
 Y o u a r e n o t a l l o w e d t o a c c e s s t h e r e s o u r c e r e q u e s t e d . B e
aware that this request h a s b e e n recorded and m o n i t o r e d and y o u r
activity reported.
d. R e m o v e the lines:
Click on Accept after reading this message.

 A c c e p t < / a >

e. In the Notify Mode section, click t h e radio b u t t o n next to Notify on every host.
f. Click OK.
102
4. Click OK in the Set Action Object dialog box. The final policy in the V P M s h o u l d resemble the
screen capture below.
6. Test y o u r n e w policy. As result, y o u s h o u l d receive a p a g e s h o w i n g the c o m p a n y ' s A U P once

a day, a coaching p a g e w h e n y o u access Web based e-mail sites, a n d a denied p a g e w h e n y o u
access g a m b l i n g sites.
Note: If y o u w a n t the splash p a g e to display again, simply e m p t y y o u r b r o w s e r ' s cookie jar.
Below are screen captures of w h a t the b r o w s e r displays for each of the notification objects that y o u
h a v e j u s t created.
Notification Page
103
Coaching Page
Splash Page
Policy Clean-up
1. T o set the p o l i c y back t o d a f a u l t f o r the next lab, t h r o u g h t h e M a n a g e m e n t C o n s o l e , select
Policy > Visual Policy Manager and c l i c k Launch.
2. R i g h t - c l i c k each P o l i c y l a y e r tab a n d select Delete f r o m t h e d r o p d o w n m e n u . C l i c k t h e Install

Policy b u t t o n t o accept the n e w p o l i c y .
104
Access Logging
Objectives
• Turning on access logging
• Configuring access log u p l o a d preferences
• Confirming access log u p l o a d success
Scenario
Access logs are r a w text files of client requests. They typically contain the time each request w a s
m a d e , client IP, URL requested, t y p e of content, cache results, server results, time taken to serve
the request, a n d object size. The logs also contain the r e q u e s t o r ' s u s e r n a m e a n d content category if
authentication or content filtering is enabled,.
A d m i n i s t r a t o r s use these logs to create reports s h o w i n g t o p Web users, peak traffic load, top URLs
visited, a n d as well as other useful information.
Steps
1. T h r o u g h the M a n a g e m e n t Console, select Configuration > Access Logging > General. Notice
Access Logging is not enabled by default.
2. Click the check box next to Enable Access Logging near the t o p of the Default Logging tab.
3. Verify HTTP is set to main in the Default Logging Policy w i n d o w .
4. Click Apply to save the changes.
5. T h r o u g h the M a n a g e m e n t Console, select Configuration > Access Logging > Logs > Upload
Client.
6. From the d r o p - d o w n m e n u labeled Log, select main,
105
7. In t h e Client type d r o p - d o w n m e n u , select FTP Client a n d t h e n c l i c k the Settings b u t t o n . T h e

FTP Client settings d i a l o g b o x appears.
Use the s t u d e n t h a n d o u t t o i n s e r t the FTP server s e t t i n g s . For e x a m p l e :
a Host: 172.16.90.110
o Port: 21
o Path: /student<x>/ (Where x is your student number)
• Username: bcadmin
106
Access Logging
9. C l i c k the Change Primary Password b u t t o n . T h e Change Primary Password d i a l o g b o x appears.
10. T y p e i n the FTP server p a s s w o r d p r o v i d e d i n the s t u d e n t h a n d o u t a n d t h e n c l i c k OK.
11. C i c k OK in the FTP Client settings d i a l o g box.
12. T h r o u g h the M a n a g e m e n t C o n s o l e , c l i c k the Apply b u t t o n to save a l l the changes.
13. O p e n a Web b r o w s e r a n d connect to t h e class FTP server y o u entered in the FTP C l i e n t

settings to v e r i f y it is e m p t y . For e x a m p l e : h t t p : / / 1 7 2 . 1 6 . 9 0 . 1 1 0 / s t u d e n t x / ( W h e r e x is y o u r
student number.)
Note: It is a g o o d i d e a to press the F5 k e y to refresh the FTP d i r e c t o r y l i s t i n g .
Client..
15. V e r i f y main is selected in the Log d r o p - d o w n m e n u .
16. In t h e Upload Client s e c t i o n , c l i c k the Test Upload b u t t o n . An Upload Test Started w i n d o w w i l l

appear. C l i c k OK.
17. V e r i f y t h a t a n e w f i l e c a l l e d main_upload_result has been created in y o u r FTP f o l d e r as s h o w n

i n the screen c a p t u r e b e l o w . Y o u m a y need t o press F 5 t o refresh y o u r screen.
107
Schedule. In the Upload the log file: section, click t h e Upload Now b u t t o n .
19. Verify that y o u r log files are in y o u r FTP folder. You m a y n e e d to press F5 to refresh y o u r FTP
browser screen.
108
Creating Reporter Profiles and Generating Reports
Blue Coat® Reporter™ uses profiles to m a n a g e different types of log d a t a p r o d u c e d by the Blue
Coat® SG™. W h e n y o u create a profile, Reporter associates it w i t h a specific type of Blue Coat SG
log. Reporter then processes the log data into a d a t a b a s e that is tied to that profile. The format of
the log d a t a d e t e r m i n e s the database structure as well as the default reports that Reporter
generates from the database.
Reporter s u p p o r t s t w o t y p e s of profiles, v8 a n d v7. The v8 profile type w o r k s only w i t h Blue Coat

SG m a i n access logs, w h i c h are the default logs for H T T P traffic. Main access logs can g r o w to
t r e m e n d o u s size because of the nature of H T T P traffic. The v8 profile type uses a database
d e s i g n e d to h a n d l e large a m o u n t s of log data.
The v7 profile type is d e s i g n e d to w o r k w i t h n o n - m a i n access logs, including Instant Messaging,

Streaming, a n d c u s t o m ELFF formats, w h i c h p r o d u c e smaller data sets than m a i n files. V7 profiles
enable a d m i n i s t r a t o r s to easily m a n a g e heavily customized log formats from the Blue Coat SG.
They also allow a d m i n i s t r a t o r s to a p p l y extremely flexible filters to control h o w log d a t a is
processed a n d displayed.
A l t h o u g h y o u cannot use v8 profiles to process n o n - m a i n access logs, y o u can use v7 profiles to

process m a i n log files if y o u need to filter t h e m extensively.
Objectives
• Becoming familiar w i t h creating profiles
• U n d e r s t a n d i n g the differences between creating v7 a n d v8 profile types
Generating reports from Blue Coat SG m a i n a n d IM log files
Scenario
In this lab, y o u create t w o profiles in Reporter:
1. A v8 profile to process m a i n logs that can be a n a l y z e d for Web usage
2. A v7 profile to process Instant Messaging logs
You also generate reports from these profiles.
Before You Begin

• This lab a s s u m e s that y o u h a v e completed the earlier access logging a n d instant m e s s a g i n g
labs.
• Install the Blue Coat Reporter 8.2.1.2 on y o u r local machine.
109
Steps
Creating a v8 Profile
1. L o g o n t o R e p o r t e r b y l a u n c h i n g y o u r W e b b r o w s e r a n d n a v i g a t i n g t o http://127.0.0.1:8987.
2. The f i r s t t i m e y o u l a u n c h Reporter, t h e a p p l i c a t i o n asks y o u t o create a n a d m i n i s t r a t i v e user

account. Create a user n a m e a n d p a s s w o r d t h a t m a t c h y o u r B l u e C o a t S G console account. I f
y o u h a v e a l r e a d y created a n a d m i n i s t r a t i v e a c c o u n t , t h e n l o g i n u s i n g those c r e d e n t i a l s .
R e p o r t e r ' s A d m i n ( a d m i n i s t r a t i v e ) p a g e a p p e a r s i n the browser.
Note: I f a n a d m i n i s t r a t i v e a c c o u n t has a l r e a d y been c o n f i g u r e d o n y o u r s y s t e m , please ask

y o u r i n s t r u c t o r f o r the a c c o u n t i n f o r m a t i o n . I n the event t h a t y o u c a n n o t get the
a c c o u n t i n f o r m a t i o n , y o u can reset the a d m i n i s t r a t i v e user b y d e l e t i n g the f i l e
users.cfg f r o m the d i r e c t o r y C:\Program Files\Blue Coat Reporter\LogAnalysislnfo.
3. C l i c k Create New Profile. T h e N e w P r o f i l e w i z a r d a p p e a r s i n a n e w w i n d o w .
4. Leave t h e d e f a u l t selection f o r a v8 p r o f i l e a n d c l i c k Next to c o n f i g u r e the l o g source.
5. C l i c k the Log Source Type d r o p - d o w n m e n u a n d select FTP.
6. F i l l i n the Hostname, Username, a n d Password f i e l d s w i t h the FTP server c o n f i g u r a t i o n .
110
7. C o n f i g u r e t h e Pathname f i e l d w i t h t h e FTP d i r e c t o r y u s e d i n the p r e c e d i n g Access L o g g i n g

labs f o r y o u r H T T P m a i n logs. A d d t h e s t r i n g SG_main*.log.gz t o the p a t h s o t h a t o n l y
c o m p r e s s e d l o g files are m a t c h e d .
8. C h e c k t h e Pattern is a wildcard expression b o x .
9. C l i c k Show Matching Files to v e r i f y the l o g source c o n f i g u r a t i o n . T h e m a t c h i n g l o g files a p p e a r

in a n e w w i n d o w .
10. C l i c k Next. T h e A u t h e n t i c a t e d Users d i a l o g b o x appears. Select My logs contain authenticated

usernames.
111
11. C l i c k Next, a n d d e f i n e a n a m e f o r the p r o f i l e in the Profile name t e x t b o x . T h e p r o f i l e is n a m e d

as Personal HTTP in the screen c a p t u r e b e l o w . C l i c k Finish to c o m p l e t e the p r o f i l e c r e a t i o n
process.
T h e N e w P r o f i l e w i z a r d saves the p r o f i l e a n d closes. R e p o r t e r ' s A d m i n page reloads,

d i s p l a y i n g the n e w l y created p r o f i l e .
Note: L o g Processing b e g i n s i m m e d i a t e l y f o r v 8 p r o f i l e s . R e p o r t e r m o n i t o r s the l o g source

d i r e c t o r y a n d a u t o m a t i c a l l y a d d s n e w l o g d a t a t o the database. Y o u can v i e w r e p o r t s
f o r a p r o f i l e by c l i c k i n g the Show Reports l i n k . T h e Show Config l i n k opens a page f r o m
w h i c h y o u can e d i t the p r o f i l e ' s c o n f i g u r a t i o n .
Creating a v7 Profile
1. C l i c k Create New Profile. T h e N e w P r o f i l e w i z a r d a p p e a r s i n a n e w w i n d o w .
2. C h a n g e the selection to Create a v7 Profile a n d click Next to c o n f i g u r e the l o g source.
3. Repeat Steps 5 t h r o u g h 9 f r o m the p r e v i o u s section. W h e n s p e c i f y i n g the l o g source

p a t h n a m e , use the d i r e c t o r y w i t h y o u r i n s t a n t m e s s a g i n g l o g files.
4. C l i c k Next, a n d R e p o r t e r tries t o a u t o - d e t e c t the l o g f o r m a t . T h e Log Format d i a l o g b o x appears.
112
5. Select Blue Coat Instant Messenger Log Format a n d t h e n c l i c k Next.
Important: I f l o g f o r m a t a u t o - d e t e c t i o n i s unsuccessful, R e p o r t e r d i s p l a y s a l o n g list o f

possible l o g f o r m a t s . D o n o t force a selection f r o m this list. Y o u need t o c l i c k
Back, a n d t h e n w o r k t o resolve the a u t o - d e t e c t i o n issue. T h i s t y p i c a l l y i s caused
b y a n i n c o r r e c t p a t h n a m e o r b y a c o r r u p t f i l e i n the target directory. M a k e s u r e
t h a t the f i r s t f i l e i n the d i r e c t o r y l i s t i n g i s a n I n s t a n t M e s s a g i n g l o g file.
6. T h e Log format options - numeric fields d i a l o g b o x d i s p l a y s . T h i s controls w h i c h k i n d s of n u m e r i c

d a t a to t r a c k f o r a p r o f i l e . These o p t i o n s change based on the l o g f o r m a t t y p e . Select at least
one o f these o p t i o n s a n d t h e n c l i c k Next.
7. T h e Date/Time tracking d i a l o g b o x appears. A c c e p t the d e f a u l t s a n d c l i c k Next.
113
N a m e t h e p r o f i l e a n d c l i c k Finish. T h e p r o f i l e i s n a m e d Personal I M i n the screen c a p t u r e b e l o w .

T h e P r o f i l e W i z a r d saves the p r o f i l e a n d closes. T h e n e w p r o f i l e i s n o w l i s t e d o n the A d m i n
page.
Note: I n o r d e r t o process the l o g files s p e c i f i e d i n the v 7 p r o f i l e l o g source, y o u m u s t c l i c k

Show Reports to b e g i n l o g p r o c e s s i n g . A l t e r n a t i v e l y , the R e p o r t e r Scheduler can be u s e d
t o r e g u l a r l y s c h e d u l e database u p d a t e s w i t h n e w d a t a f r o m the l o g source d i r e c t o r y .
Generating v8 Profile Dashboard Reports

1. O n the A d m i n page, c l i c k the Show Reports l i n k next t o the v 8 p r o f i l e y o u created. T h e b r o w s e r
d i s p l a y s the D a s h b o a r d . T h e D a s h b o a r d i s e m p t y the f i r s t t i m e y o u access it.
2. U s e t h e Choose a Report d r o p - d o w n m e n u i n the u p p e r r i g h t p a r t o f the page t o select a n

assortment of reports.
114
The reports a p p e a r as small i n d i v i d u a l w i n d o w s on the D a s h b o a r d .
3. C l i c k o n the Edit l i n k s i n the m i n i a t u r e reports. N o t i c e t h a t t h e reports g i v e y o u several o p t i o n s

f o r v i e w i n g the data; y o u can v i e w s o m e m i n i a t u r e r e p o r t s i n the f o r m o f a table o r a p i e c h a r t .
R e p o r t e r saves y o u r selection o f D a s h b o a r d reports f o r each p r o f i l e .
4. C l i c k on the Full Report l i n k at the b o t t o m of a m i n i a t u r e r e p o r t .
115
T h e c o m p l e t e r e p o r t a p p e a r s i n the b r o w s e r w i n d o w .
Generating v8 Profile Pre-Defined Reports

1. C l i c k o n the Reports t a b . T h e b r o w s e r d i s p l a y s the R e p o r t s page. T h e c e n t r a l p a n e p r o v i d e s
filter options.
116
The left navigation p a n e displays a list of pre-defined reports.
2. Select a pre-defined report from the left navigation p a n e . The browser displays processing
status a n d then the c o m p l e t e d report.
3. Click on report elements in blue text. The b r o w s e r p a g e displays details a b o u t that report
element. You can u s e the Zoom Options tab to c h a n g e the default report v i e w y o u see w h e n y o u
click on a table item.
4. Click on the Filter link at the top of the report. Filter o p t i o n s a p p e a r in a p o p - u p w i n d o w . The
options are identical to those in the central frame of the Reports page w h e n y o u first access it.
5. In the p o p - u p w i n d o w , a p p l y a date filter or choose one or m o r e filter fields. Click the Save and
Close button to a p p l y the filter and close the p o p - u p w i n d o w . The report reloads in the
browser.
6. Click the Save link b e l o w the report title to save y o u r modified report.
117
Note: W h e n y o u create a f i l t e r i n a p r o f i l e , i t i s a p p l i e d t o a l l the reports t h a t y o u generate

f r o m t h a t p r o f i l e . Y o u c a n activate o r d e a c t i v a t e t h e f i l t e r f o r i n d i v i d u a l r e p o r t s , b u t
y o u can create o n l y one f i l t e r p e r p r o f i l e .
Generating v7 Profile Pre-Defined Reports

1. C l i c k the Admin l i n k a t t h e t o p o f the page t o r e t u r n t o the A d m i n page.
2. C l i c k o n the Show Reports l i n k next t o the v 7 p r o f i l e y o u created. T h e b r o w s e r d i s p l a y s the

O v e r v i e w R e p o r t f o r t h e p r o f i l e . T h e left n a v i g a t i o n pane d i s p l a y s a list o f p r e - d e f i n e d r e p o r t s .
3. Select a p r e - d e f i n e d r e p o r t f r o m the left n a v i g a t i o n pane. T h e b r o w s e r d i s p l a y s the r e p o r t i n

the c e n t r a l p a n e .
4. Y o u can c l i c k o n l i n k s w i t h i n the r e p o r t t o v i e w m o r e d e t a i l e d i n f o r m a t i o n a b o u t a r e p o r t
e l e m e n t a n d select Zoom Options, j u s t a s y o u d i d w i t h the v 8 p r o f i l e r e p o r t .
5. C l i c k o n the w h i t e Date Range l i n k o r i c o n a t the t o p o f the page. A p o p - u p w i n d o w a l l o w i n g

y o u t o isolate a specific p e r i o d o f l o g f i l e d a t a appears. A p p l y a date range.
6. C l i c k o n the w h i t e Filter l i n k o r i c o n a t the t o p o f the page. A p o p - u p w i n d o w c o n t a i n i n g f i l t e r

f i e l d o p t i o n s appears. Create a f i l t e r a n d a p p l y it.
7. C l i c k the Save l i n k b e l o w t h e r e p o r t t i t l e t o save y o u r m o d i f i e d r e p o r t .
118
BlueCoat AV/Blue Coat SG Integration
Objectives
• Installing the BlueCoat AV
• Configuring t h e BlueCoat AV a n d the Blue Coat SG for virus scanning
Scenario
Web v i r u s s c a n n i n g is the process of examining files to d e t e r m i n e if they are infected with an
Internet-based threat (virus, w o r m , Trojan, or s p y ware). BlueCoat AV appliances enable
organizations to scan for s u c h m a l w a r e entering their n e t w o r k s via:
• Personal Web e-mail accounts, w h e r e m o s t viruses a n d w o r m s p r o p a g a t e
• Web s p a m or e-mail s p a m , w h i c h activates Trojan d o w n l o a d s or h i d d e n s p y w a r e
• Browser-based file d o w n l o a d s that bypass existing virus scanning defenses
Before You Begin

The BlueCoat AV's virus-scanning capabilities are i m p l e m e n t e d t h r o u g h an "off-box" solution
u s i n g Internet Content A d a p t a t i o n Protocol (ICAP) as the communication m e c h a n i s m between
the Blue Coat SG a n d the BlueCoat AV(or other ICAP virus scanning servers).
Be a w a r e that d e p l o y i n g ICAP w i t h the Blue Coat SG a n d the BlueCoat AV appliances is

performed in five stages:
1. Defining a n d configuring ICAP settings for the BlueCoat AV
2. Defining a n d configuring the ICAP o p t i o n on the Blue Coat SG

3. Configuring a n d constructing a Blue Coat virus policy
4. Creating an optional patience page
5. Testing the configuration a n d n e w policyBlue Coat SG
Note: This exercise uses a BlueCoat AV v i r u s - s c a n n i n g appliance a n d a Blue Coat SG

appliance. H o w e v e r , the s a m e ICAP configuration steps a p p l y if y o u are using a Blue
Coat SG a n d a n o t h e r vendor's scanning server. See that v e n d o r ' s d o c u m e n t a t i o n for
specific ICAP configuration information for its products. A table listing the URLs of
s u p p o r t e d ICAP servers a p p e a r s at the e n d of this exercise.
119
Steps
Defining and Configuring ICAP on the Blue Coat SG

You will create t w o n e w ICAP services: one for o u t b o u n d requests (uploads) a n d t h e other for
i n b o u n d requests ( d o w n l o a d s ) .
1. T h r o u g h the Proxy SG M a n a g e m e n t Console, select Configuration> External Services > ICAP.
The M a n a g e m e n t Console displays the ICAP Services page.
2. Click the New b u t t o n . The A d d list item dialog box a p p e a r s .
: Java Applet Window.
3. In the Add ICAP Service w i n d o w , t y p e Inbound for the ICAP service n a m e , then click OK. Click
the Apply b u t t o n in the M a n a g e m e n t Console.
4. T h r o u g h t h e Blue Coat SG M a n a g e m e n t Console, highlight the inbound ICAP service y o u just
defined, a n d t h e n click the Edit button. T h e Edit ICAP Service I n b o u n d dialog box a p p e a r s .
120
5. In the Service URL field of the dialog box, enter the virus scan server's ICAP service p a t h
icap://<ICAPVirusScan Server's IP Address>/avscan. This is the IP a d d r e s s and service n a m e of
the BlueCoat AV appliance, w h i c h a p p e a r s on y o u r class h a n d o u t .
6. C h e c k t h e Enable box next to Patience page delay a n d t y p e 5 in the seconds dialog box.
7. In the ICAP v.1.0 Options section, click the Sense settings button. A dialog box a p p e a r s asking
y o u to confirm that y o u w a n t to retrieve settings from the ICAP server.
121
8. Click OK. A C o m m i t Results dialog b o x a p p e a r s .
9. Click Close.
10. Return to the Edit ICAP Service Inbound dialog box. U n d e r Health Check options, click the
Register b u t t o n . A dialog box a p p e a r s , a s k i n g y o u confirm that y o u w a n t to register the
service for health checks.
11. Click OK. A n e w dialog box a p p e a r s w h e n Blue Coat SG registers the settings.
12. Click OK on the dialog box, then click OK on the Edit ICAP Service I n b o u n d dialog box.
13. Return to t h e Blue Coat SG M a n a g e m e n t Console, a n d click the Apply button.
Configuring and Constructing a Blue Coat Virus Policy

You n o w n e e d to w r i t e a policy for ICAP r e s p o n s e (inbound) service y o u previously defined.
1. T h r o u g h the Proxy SG M a n a g e m e n t Console, select Configuration> Policy > Visual Policy Manager
a n d then click the Launch b u t t o n . The Visual Policy M a n a g e r (VPM) a p p e a r s .
2. From the V P M m e n u bar, select Policy > Add Web Content Layer. T h e A d d N e w Layer dialog
box a p p e a r s . Accept the default n a m e by clicking OK.
3. Right-click the Action field, then select Set from the d r o p - d o w n m e n u . The Set Action Object
dialog box a p p e a r s .
122
4. Click the New button, then select Set ICAP Response Service from the d r o p - d o w n m e n u . The
A d d ICAP Response Service Object dialog box a p p e a r s
5. M a k e s u r e that the radio b u t t o n next to Use ICAP response service is selected. Select inbound
from the d r o p - d o w n m e n u .
6. In the Error handling section, m a k e sure that the radio button next to Deny the client request is
selected.
Note: Error handling options enable y o u to decide w h e t h e r the Blue Coat SG s h o u l d allow the
client to receive the object if the ICAP server is nonresponsive. If y o u choose the Deny
the client request option, the client does not receive a n y content. Blue Coat recommends
this option for optimum security. The second option is Continue without further ICAP
response processing. If this option is selected, the client receives the original,
u n s c a n n e d content.
123
7. Click OK in the A d d ICAP R e s p o n s e Service Object a n d the Set Action Object dialog boxes.
8. In the VPM, click the Install Policy b u t t o n . You h a v e n o w e n a b l e d the BlueCoat AV or other
virus-scanner server to scan i n b o u n d files.
Creating an Optional Patience Page

You can create a c u s t o m patience p a g e to notify users w h e n the BlueCoat AV is scanning large
attachments.
1. T h r o u g h the Blue Coat SG M a n a g e m e n t Console, select Configuration > External Services >
ICAP a n d t h e n click on the ICAP Patience Page tab.
Note: T h e Header, Summary, Details, a n d Help b u t t o n s enable y o u t o c u s t o m i z e y o u patience

page.
124
Testing the Configuration and New Policy

Check the Blue Coat SG's e v e n t log to m a k e sure that the n e w virus-scanning service is w o r k i n g .
1. Type this URL in the b r o w s e r y o u h a v e configured to go t h r o u g h y o u r Blue Coat SG as proxy:

http://www.eicar.org a n d click t h e AntiMalware Testfile link.
2. Click the link for eicar com.zip. Successful configuration of the Blue Coat SG a n d the BlueCoat
AV will p r o d u c e an error result from the BlueCoat AV
3. If y o u are able to d o w n l o a d eicar.com, y o u need to recheck y o u r configurations on both

appliances.
4. To test y o u r patience page go to the URL y o u r instructor has p r o v i d e d for you.
Policy Clean-up
1. To set the policy back to dafault for the next lab, t h r o u g h the M a n a g e m e n t Console, select
125
Supported ICAP Servers
Table 19.1:
Server Type URL

BlueCoat AV icap: / / IPaddressoftheserver
Symantec SAVSE v. 4 icap: / / I P a d d r e s s o f t h e s e r v e r : 1344/avscan
Finjan SurfinGate 6.05 icap: / / I P a d d r e s s o f t h e s e r v e r : 1344
Webwasher icap://IPaddressoftheserver:1344/wwrespmod
126
Using Instant Support
Objective
U s i n g Blue Coat Instant S u p p o r t .
Scenario
Instant S u p p o r t is a self-help online tool that is continually being u p d a t e d by Blue Coat Systems®
s u p p o r t technicians. U n d e r s t a n d i n g h o w to use it can enable y o u to get instant a n s w e r s to y o u r
questions a b o u t Blue C o a t ' s p r o d u c t s .
Steps
1. Go to the Blue Coat Web site (http://www.bluecoat.com) a n d then click Instant Support in the u p p e r
right section of the p a g e .
127
T h e b r o w s e r opens a separate W e l c o m e t o B l u e C o a t I n s t a n t S u p p o r t w i n d o w .
2. In the Name f i e l d , t y p e Guest.
3. I n t h e Product f i e l d , select SGOS 4.x f r o m t h e d r o p - d o w n m e n u a n d t h e n c l i c k Go.
128
T h e b r o w s e r w i n d o w d i s p l a y s a page w i t h a t e x t b o x w h e r e y o u can t y p e i n a q u e s t i o n .
4. T y p e NTLM Authentication i n t o the Guest text w i n d o w a n d t h e n c l i c k Go.
129
T h e b r o w s e r w i n d o w displays a list of options for p r o v i d i n g Instant S u p p o r t w i t h details

a b o u t y o u r question.
5. Click the radio b u t t o n next to the option 08)You want instructions for configuring NTLM/IWA
Authentication on the ProxySG.
The b r o w s e r w i n d o w d i s p l a y s information related to y o u r question. N o t e t h a t y o u can scroll

up the p a g e to see the history of y o u r i n p u t s in the Instant S u p p o r t system a n d the s y s t e m ' s
responses.
A l s o n o t e t h a t y o u can p r i n t t h e page w i t h y o u r answer. A l t e r n a t i v e l y , y o u can s c r o l l t o near

the b o t t o m of the page a n d click a l i n k to have the solution e-mailed to y o u .
6. R e s p o n d to t h e q u e s t i o n at the b o t t o m of t h e page: Did this help to answer your question?
131
If y o u a n s w e r Yes, the b r o w s e r w i n d o w p r o v i d e s a Feedback link t h a t gives y o u the

o p p o r t u n i t y to ask additional questions.
132
If y o u a n s w e r No, the b r o w s e r returns y o u to the previous p a g e containing options for asking

questions. N o t e that y o u also h a v e the o p t i o n to o p e n a case in WebPower, Blue Coat System's
online c u s t o m e r s u p p o r t service.
133
134
Review: Authentication
Objective
Testing y o u r u n d e r s t a n d i n g of authentication a n d time-based policies.
Scenario
In this exercise, y o u will i m p l e m e n t authentication according to the internal m e m o s a n d the
additional instructions below.
Internal Memo 1
Attention: A d m i n i s t r a t o r
From: H u m a n Resources
Priority: H i g h
Action: 1. All Web activity m u s t be tied to individual users.
2. No o n e is allowed to use c o m p a n y resources to v i e w n e w s articles from the followings

sites: cnn.com, news.com.
Internal Memo 2
Priority: L o w
Action: 1. D u e to the u n d e s i r e d lower morale after blocking n e w s resources, allow employees the
ability to access these sites d u r i n g their lunch break. Lunch is defined as M o n d a y
t h r o u g h Friday, 11 a.m. to 1 p.m.
2. Block Sales from accessing online s h o p p i n g sites.
Special Instructions
• A c o m b i n e d t i m e object is needed for this task.
• If the proxy clock is not set, policy p r o b a b l y will not w o r k .
135
136
Review: Content Filtering
Objective
Testing y o u r u n d e r s t a n d i n g of policy a n d content filtering.
Scenario
In this exercise, y o u will i m p l e m e n t policy according to the internal m e m o s a n d the additional
instructions below.
Important: You need to reset y o u Blue Coat® SG™ to factory defaults before starting this
exercise. From the enable m o d e of the CLI, use the c o m m a n d :
SGOS4# r e s t o r e - d e f a u l t s f a c t o r y - d e f a u l t J
Internal Memo 1
Priority: H i g h
Action: Block all sports sites until further notice.
Internal Memo 2
Priority: L o w
Action: Block the following i n d i v i d u a l sites:
• amazon.com
• casino.com
outpost.com
Additional Instructions
• Block all Web mail a t t a c h m e n t s a n d posting, but allow users to read their e-mail.
• D e n y access to all job-search sites. Test by trying to access www.monster.com.
• A d d the m e s s a g e "<Client IP> a t t e m p t e d to reach <URL>" to the even log every time a u s e r s
tries to access a forbidden site.
Question
If rules blocked business sites a n d then search engines, w o u l d Yahoo!® be allowed or denied?
137
138

BCC Proxy Admin

Uploaded by

Copyright:

Available Formats

BCC Proxy Admin

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BCC Proxy Admin

Uploaded by

Copyright:

Available Formats

Table of Contents

Chapter 1 : Blue Coat SG and Firewalls 1

Chapter 2: Blue Coat SG Deployment 7

Chapter 3: Blue Coat SG Initial Setup 23

Chapter 4: Blue Coat SG Graphical User Interface 29

Chapter 6: Hypertext Transfer Protocol 49

Chapter 7: HTTP Compression 61

Chapter 8: Authentication Introduction 69

Chapter 9: Authentication Realms 79

Chapter 10: Policy Management 93

Chapter 11 : Content Filtering 101

Chapter 12: Managing Downloads 117

Chapter 13: Managing Instant Messaging 123

Chapter 14: Managing Peer-to-Peer Traffic 133

Chapter 15: Notify User Policy 141

Chapter 16: Access Logging 147

Chapter 17: Introduction to Reporter 159

Chapter 18: Blue Coat AV 173

Chapter 19: Service and Support 187

Appendix A: Deployment Planning 195

Appendix B: Conditional Probability — Bayes Theorem 203

The Web has become a vital m e t h o d of c o m m u n i c a t i o n for n e t w o r k e d businesses a n d

While enterprises c o n t i n u e to tighten security against k n o w n viruses entering a n e t w o r k —

• Most networks are protected by firewalls

• Firewalls are required to protect your network

• Firewalls are very effective at keeping

Slide 1 - 1 : Why firewalls are used

In this age of viruses, Trojans, a n d s p y w a r e , firewalls h a v e become c o m m o n — even for h o m e

Designed to keep the bad guy out of the network

Slide 1 - 2 : Typical firewall d e p l o y m e n t

• Complements the firewall for a complete security

• Designed to keep the "good" guys "good"

• Two types of proxy

Slide 1-3: Why p r o x i e s are d e p l o y e d

As y o u h a v e learned, firewalls are an i m p o r t a n t p a r t of securing y o u r private network. But they

Proxy servers are v e r y powerful devices that can be d e p l o y e d in t w o very different w a y s —

A forward proxy acts as an i n t e r m e d i a r y b e t w e e n a client a n d a content server to protect the client

A reverse proxy (also k n o w n as a Web server accelerator) acts as an i n t e r m e d i a r y between a Web

Proxy: [...] deputy who acts as a substitute for another *

In simple terms, a p r o x y is a n e t w o r k device that acts on behalf of clients to retrieve requested

A client o p e n s n e t w o r k connections w i t h the proxy only — the proxy then o p e n s a n e w a n d

D e t e r m i n e w h i c h content to pass from the OCS to clients

• Modify client requests to the OCS

Slide 1-5: Proxy capabilities

The firewall is u s e d at the p e r i m e t e r to block o u t s i d e attacks. H o w e v e r , s o m e protocols m u s t be

Filtering Web content

• Blocking Web mail a n d IM virus p r o p a g a t i o n

• Logging u s e r activity a n d content

This chapter discusses the three types of proxy d e p l o y m e n t :

• Controlling the content of selected SSL transactions

• Using b a n d w i d t h - m a n a g e m e n t options to prioritize the use of the Internet connections for

Slide 2 - 1 : Choices for client Internet access

W h e n choosing h o w y o u r clients access the Internet, y o u basically have three choices:

Explicit p r o x y i n g is the quickest a n d simplest proxy solution. Setting up an explicit proxy is

A l t h o u g h the n a m e s o u n d s s o m e w h a t intimidating, t r a n s p a r e n t proxying s i m p l y m e a n s that

Clients "knoW there is a proxy in the path

Slide 2 - 2 : Explicit proxy deployment

GET http://www.bluecoat.com/ HTTP/1.1

Clients do not "knoW there is a proxy in the path

You can t h i n k of t r a n s p a r e n t proxying as the opposite of explicit proxying. The goal of t r a n s p a r e n t