Blue Coat Systems 4.x User's Manual

Contents

1. block_category category in conjunction with exception content filter override request filter service label action max bitrate 0 max bitrate no 24 Table 3 9 Abandoned Policy Properties Continued Chapter 3 Feature Specific Upgrade Behavior prefetch pipeline proxy authentication authenticate reflect vip reflect ip service allow or deny trace destination trace destination trace level trace level trace request trace request trace rules trace rules Table 3 10 Abandoned Policy Actions Abandoned Syntax Replacement Syntax replace rewrite virus check response icap service a property Table 3 11 Abandoned Substitution Tokens Abandoned CPL Current CPL appliance name appliance name appliance primary address appliance primary address client address client address client protocol client protocol proxy address proxy address proxy card proxy card proxy name proxy name proxy port proxy port proxy primary address proxy primary address proxy via http version proxy via http version release id release id request header Accept request header Accept request header Accept Ch
2. netbios computer domain The NetBIOS name of the computer This is an empty string if the query fails or the name is not reported The name of the domain to which the computer belongs This is an empty string if the query fails or the name is not reported x cs netbios netbios messenger messenger usernam username The name of the logged in user This is an empty string if the query fails or the name is not reported It is also empty if there is more than one logged in user x cs netbios netbios messenger messenger usernames usernames A comma separated list of the all the messenger usernames reported by the target computer This is an empty string if the query fails or no names are reported x cs socks compression Compresses data on the client connection x sr socks compression Compresses data on the server connection x virus details icap virus details Details of a virus if one was detected x icap error cod ICAP error code x icap error details icap error code icap error details ICAP error details cs Content Encoding request header Content Encoding Client Response header Content Encoding This substitution allows you to monitor the effect of the new HTTP compression features rs Accept Encoding response header Accept Encoding Server Request header Accept
3. as a condition definition type url caseless None All response side URL rewrites are now case insensitive by default subst embedded in a url rewrite transform definition subst prefix in a url rewrite transform definition Table 3 6 Abandoned Section Syntax rewrite url substring rewrite url prefix Abandoned Syntax Domain section heading Replacement Syntax url domain Domain Suffix section heading url domain section heading Regex section heading url regex Prefix Regular expression section heading url url regex Table 3 7 Abandoned Substitution Syntax Abandoned Syntax Replacement Syntax 1 1 11 1 1 1 Table 3 8 Abandoned Policy Conditions Abandoned Syntax Replacement Syntax acl client address category unavailable client address category unavailable client address client protocol client protocol method in admin layers method admin access READ WRITE See Method Tests 23 Blue Coat SGOS 4 x Upgrade Guide Table 3 8 Abandoned Policy Conditions Continued Continued protocol url scheme proxy address proxy address proxy card proxy card proxy port proxy port release id release id release version release version request h
4. Changes Between SGOS 3.x and SGOS 4.x: Unlike SGOS 3.x, SGOS 4.x does not permit upgrades from SGOS 2.x or CacheOS 4.x. All systems must be upgraded to SGOS 3.2.4 before being upgraded to SGOS 4.x. For information on the correct upgrade path, see Table 2-1, "Upgrade Paths," on page 7. If you attempt to download the next major release and you receive an error message saying that the download failed due to policy deprecations, your policy uses constructs that are no longer supported in SGOS 4.x. You must correct any policy syntax problems before upgrading. For information on checking on policy deprecation, see "Policy Deprecation" on page 22. If the upgrade path is followed, most of the current settings on the ProxySG are maintained after the upgrade. New or transformed settings in SGOS 4.x are taken from the original settings wherever possible. About the Document Organization: This document is organized for easy reference and is divided into the following sections and chapters. Table 1-1, Document Organization (Chapter; Title; Description): Chapter 1; Introducing the Upgrade/Downgrade Guide; Upgrade differences between SGOS 3.2.x and SGOS 4.x. Blue Coat documentation and documentation conventions are also discussed. Chapter 2; Upgrade Behavior, General; This chapter discusses general upgrade issues, including the required upgrade path and licensing. Chapter 3; Upgrade Behavior, Specifics; This chapter identifies new fea
5. SGOS base is a required component of the license key file. The following table lists the ProxySG licensable components, categorized by type. Table 2-2 Licensable Components:

   | Type | Component | Description |
   |---|---|---|
   | Required | SGOS 4 Base | The ProxySG operating system plus base features: HTTP, FTP, TCP Tunnel, SOCKS, and DNS proxy. The following additional features are also included in the base license. |
   | Included | 3rd Party Onbox Content Filtering | Allows use with third-party vendor databases: Intersafe, Optenet, Proventia, SmartFilter, SurfControl, Websense, and Webwasher. |
   | Included | Websense Offbox Content Filtering | For Websense off-box support only. |
   | Included | ICAP Services | External virus and content scanning with ICAP servers. |
   | Included | Bandwidth Management | Allows you to classify, control, and, if required, limit the amount of bandwidth used by different classes of network traffic flowing into or out of the ProxySG. |
   | Included | Windows Media Standard | MMS proxy; no caching or splitting; content pass-through. Full policy control over MMS. |
   | Included | Real Media Standard | RTSP proxy; no caching or splitting; content pass-through. Full policy control over RTSP. |
   | Included | Apple QuickTime Basic | RTSP proxy; no caching or splitting; content pass-through. Full policy control over R |
6. http icap patience details; SGOSt config external services view http icap patience header; SsGOSt config external services view http icap patience help; SGOSt config external services view http icap patience summary. Documentation References: Chapter 11, "External Services," in the Blue Coat ProxySG Configuration and Management Guide. Policy: In SGOS 4.x, the following properties and objects have been added. Actions and Properties (Action objects): category dynamic mode (used with dynamic categorization in VPM); detect protocol (not available in VPM); force protocol (not available in VPM); http allow compression (used with client compression in VPM); http allow decompression (used with client compression in VPM); http client allow encoding (not available in VPM); http server accept encoding (used with server compression in VPM); http server accept encoding allow unknown (used with server compression in VPM); limit bandwidth (used with bandwidth management in VPM); Notify User object (not available in CPL); SOCKS allow compression (used with SOCKS compression in VPM); SOCKS gateway request compression (used with SOCKS compression in VPM). Conditions (Source objects): http connect (not available in VPM); p2p client (used with P2P client object in VPM). Properties (Service objects): icap_error_code (used with ICAP in VPM); virus_detected (used with ICA
7. objects that cannot be named by the user are automatically updated to have the underscore character prefix the object name. Documentation Reference: Chapter 14, "VPM," in the Blue Coat ProxySG Configuration and Management Guide. Securing the Serial Port: When the secure serial port is enabled (recommended), the Setup Console password is required to access the Setup Console, and an authentication challenge (username and password) is issued to access the CLI through the serial port. Upgrade/Downgrade Behavior: If you are upgrading, the secure serial port functionality is unchanged by default. If you never secured the serial port, the secure serial port functionality is disabled. If you subsequently use the Setup Console, you are asked if you want to secure the serial port at that time. On new installations, you are asked if you want to enable the secure serial port. Downgrades ignore the secure serial port setting. If older systems are present on the machine, it might be possible for an attacker to force the downgrade and then access the serial port. For maximum security, older systems should be deleted. SmartFilter Version 4: SGOS 4.1 uses a new database download system for SmartFilter version 4. A license key, which was sent to you by Secure Computing by e-mail when you ordered the database, is required to download the new version. In the e-mail, this key is listed as the Serial Numb
8. Chapter 3, Feature Specific Upgrade Behavior: Access Logging 13; Authentication 17; Bandwidth Management 17; Compression 18; Content Filtering 19; CPU Monitoring 19; Endpoint Mapper and SOCKS Compression 20; ICAP Patience Pages 20; Policy 21; Securing the Serial Port 30; SmartFilter Version 4 30; SSL Key Management 30; Index. Chapter 1, Upgrading Overview: Blue Coat strongly recommends that you read this document before attempting to upgrade to SGOS 4.x from previous ProxySG operating systems. Existing features and policies might not perform as with previous versions, and upgrading to this version might require some additional configuration tuning. This SGOS version provides high security for the network, so when downgrading to previous versions, not all configurations and policies are retained
9. Blue Coat Systems Proxy SG SGOS 4 x Upgrade Guide Blue Coat Blue Coat SGOS 4 x Upgrade Guide Contact Information Blue Coat Systems Inc 650 Almanor Avenue Sunnyvale California 94085 North America USA Toll Free 1 866 362 2628 866 36 BCOAT North America Direct USA 1 408 220 2270 Asia Pacific Rim Japan 81 3 5425 8492 Europe Middle East and Africa United Kingdom 44 0 1276 854 101 bcs info bluecoat com support bluecoat com www bluecoat com Copyright 1999 2005 Blue Coat Systems Inc All rights reserved worldwide No part of this document may be reproduced by any means nor modified decompiled disassembled published or distributed in whole or in part or translated to any electronic medium or other means without the written consent of Blue Coat Systems Inc The Software may not be modified reproduced except to the extent specifically allowed by local law removed from the product on which it was installed reverse engineered decompiled disassembled or have its source code extracted In addition to the above restrictions the Software or any part thereof may not be i published distributed rented leased sold sublicensed assigned or otherwise transferred ii used for competitive analysis or used to create derivative works thereof iii used for application development or translated iv used to publish or distribute the results of any benchmark tests run on the Software without the express writt
10. Encoding This substitution allows you to monitor the effect of the new HTTP compression features. A new substitution modifier, label N, has been added. It is used in conjunction with the client host substitution variable in defining Policy Substitution Realms. For example, client host label 2 could be used in the definition of a Policy Substitution Realm to set the user name from the results of a reverse DNS lookup. For more information on the label modifier, refer to Appendix D, "Substitutions," in the Blue Coat Content Policy Language Guide. Authentication: Two new realms, policy substitution and Oblix COREid, have been added in SGOS 4.x. COREid Realm: The ProxySG can be configured to consult an Oblix COREid (formerly known as Oblix NetPoint) Access Server for authentication and session management decisions. This requires that a COREid realm be configured on the ProxySG and policy written to use that realm for authentication. Policy Substitution Realm: A Policy Substitution realm provides a mechanism for identifying and authorizing users based on information in the request. The realm uses information in the request and about the client to identify the user. The realm is configured to construct user identity information by using policy substitutions. See Table 3-2 on page 15 for useful substitutions added in support of this feature. In addition, RADIUS realms now support one
11. LE FOR ANY DAMAGES WHETHER ARISING IN TORT CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS INC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES The Software and all related technical information documents and materials are subject to export controls under the U S Export Administration Regulations and the export regulations of other countries Document Number 231 02781 Document Revision SGOS 4 1 6 17 05 Contents Contact Information Chapter 1 Upgrading Overview Changes Between SGOS 3 x and SGOS 4 x sse nennen nenne nennen 5 About the Document Organizatioti ctt eee ciae ie e Pe cob An KRA durs 5 Related Blue Coat Documentation eese neret da d a n ee sark dalela ka k ue ak awk Saa a d a kra tense 5 Document Conventions uiae e rd On EV KARE e EO u tesa WE bu N AER A V n Kh H N H WR VA G W RASRA 6 Chapter 2 Upgrade Behavior General MPI TN 7 Restoring to Previous Versions 4 2 x 8sn dlklr d rek k le ekk kas etane x a H zee dak anak kade L e lt e xas lak tn tenete tnt tn tenens 8 Changing Between SGOS 4 x Versions 454 44 4k1 x45ko455 4 cia d9ke cs kn ke ka cis ku e R K H kes ck e RUHE nter 10 lE dnctssdes 10 Hardware Supported m M EEan 12 Documentation Referentes s 44524x 5y 14xa55 lt x
12. P in VPM. In addition, the following conditions can now be used in the <Forward> layer: attribute <name>; authenticated ha group; realm; user; user domain; user x509 issuer; user x509 serialNumber; userx500 subject. The authenticated condition can be used to test whether or not the user information is available. Forward layer rules containing the other new authentication conditions will fail to match if there is no associated user, regardless of the value specified in the test. Two new named definitions have been added: define policy and define strong. A named definition is one that is explicitly referenced by policy. Since a copy of the files of the original operating system version has been saved, later version changes, such as new named definitions, are not available in the downgrade. Policy Deprecation: Syntax that was deprecated in SGOS 3.2.4 has been abandoned in SGOS 4.x, and this syntax must be corrected before an upgrade can be successfully completed. For information on replacement syntax, see "CPL," below. To check for policy deprecation warnings: In the Management Console: Configuration > Policy > Policy Files. From the View File dropdown list, select Results of Policy Load and press View. Or: Statistics > Advanced > Policy > Results of policy load. From a browser: https ProxySG_IP port policy import listing htm
13. TSP

   | Type | Component | Description |
   |---|---|---|
   | Included | Netegrity SiteMinder | Allows realm initialization and user authentication to SiteMinder servers. |
   | Included | Oblix COREid | Allows realm initialization and user authentication to COREid servers. |
   | Included | Peer to Peer | Allows you to recognize and manage peer-to-peer (P2P) activity relating to P2P file sharing applications. |
   | Included | Compression | Allows reduction to file sizes without losing any data. |
   | Optional | SSL | SSL Termination; includes an SSL termination card to be installed on the appliance. |
   | Optional | IM | AOL Instant Messaging: AIM proxy with policy support for AOL Instant Messenger. MSN Instant Messaging: MSN proxy with policy support for MSN Instant Messenger. Yahoo Instant Messaging: Yahoo proxy with policy support for Yahoo Instant Messenger. |
   | Optional | Windows Media Premium | MMS proxy; content caching and splitting. Full policy control over MMS. When the maximum concurrent streams is reached, all further streams are denied and the client receives a message. |
   | Optional | Real Media Premium | RTSP proxy; content caching and splitting. Full policy control over RTSP. When the maximum concurrent streams is reached, all further streams are denied and the client receives a message. |

   Hardware Supported: With SGOS v4.x, support for the ProxySG Series 600 and 700 systems has been dropped. Users with these systems must either upgrade their hardware or stay with SGOS v3.x. Blue Coat suppor
14. access log enabl SGOS config access log disable. Document References: Chapter 20, "Access Logging," in the Blue Coat ProxySG Configuration and Management Guide. Peer to Peer: The ProxySG recognizes peer-to-peer (P2P) activity relating to P2P file sharing applications. By constructing policy, you can control, block, and log P2P activity and limit the bandwidth consumed by P2P traffic. Upgrade Behavior: A new default format and a log called p2p is created. The default p2p format is associated with the p2p log. If a format called p2p already exists, the format is renamed to p2p_user. Any log referencing the old p2p format will, after the upgrade, start referencing p2p_user. If both p2p and p2p_user exist prior to the upgrade, then format p2p is renamed to p2p_user1 so the new default format p2p can be created. If a log called p2p already exists, a new log is not created. CLI Compatibility Issues: None. Documentation References: Chapter 15, "Advanced Policy," in the Blue Coat ProxySG Configuration and Management Guide; Chapter 14, "VPM," in the Blue Coat ProxySG Configuration and Management Guide; the Blue Coat Content Policy Language Guide. New Access Logging Substitutions: The following substitutions can be used in access logging and policy. Note: The access log ignores any ELFF or custom format fields it doesn't understand. In a downgrade, the format still cont
15. ains all the fields used in the upgraded version but only the valid fields for the downgraded version display any information Table 3 2 New Substitutions ELFF CPL Description x exception category exception category Used for categorization review for certain review url review url Content Filtering vendors The substitution contains only the categorization review URL which is composed of the originally requested URL and the standard prefix The values are empty if the selected content filter provider does not support review messages or if the provider was not consulted for categorization or if the categorization process failed due to an error Blue Coat SGOS 4 x Upgrade Guide 16 Table 3 2 New Substitutions Continued ELFF CPL Description x exception category review messag exception category review message An HTML formatted message suitable for inclusion in an exception page The values are empty if the selected content filter provider does not support review messages or if the provider was not consulted for categorization or if the categorization process failed due to an error x p2p client typ p2p client The name of the P2P network the client application is connected to In case of non P2P traffic this substitution variable does not have a value x cs netbios computer name x cs netbios computer domain netbios computer name
16. arset request header Accept Charset request header Accept Encoding request header Accept Encoding request header Accept Language request header Accept Language request header Accept Ranges request header Acocept Ranges request header Ag request header Ag request_header Allow request header Allow request header Authentication Info request header Authentication Info request header Authorization request header Authorization request header Cache Control request header Cache Control request header Client IP request header Client IP request header Connection request header Connection request header Content Encoding request header Content Encoding 25 Blue Coat SGOS 4 x Upgrade Guide 26 Table 3 11 Abandoned Substitution Tokens Continued Abandoned CPL Current CPL request header Content Language reques Dneaaer Content Language request header Content Length reques Content Length request header Content Location Content Location reques request header Content MD5 Content MD5 reques neaaer request header Content Rang reques Content Rang request header Content Type request header Content Typ request header Cookie request header Cookie request header Cookie2 request header Cookie2 request header Dat request header Date re
17. ault policy of ALLOW or DENY for all traffic. Following the recommended upgrade process ensures that policy integrity, and therefore network security, are maintained. Summary of Changes to the Upgrade Process: The upgrade path must include a system that shows all possible deprecation warnings so that these can be corrected in advance of the upgrade to avoid policy compilation failures after upgrading. Migrating through SGOS 3.2.4 or greater satisfies this requirement. If the currently installed policy issued deprecation warnings when compiled, downloads of systems in which that syntax has been abandoned will fail with the error. Which error message you see depends on whether you were using the Management Console or the CLI. From the Management Console: "Policy deprecation warnings exist. Please resolve them prior to upgrading to the next major release of System software." From the CLI: "WARNING: The installed policy contains deprecation warnings. Please fix these warnings prior to upgrading to the next major release or use load upgrade ignore warnings at your own risk. Upgrading to the next major release with deprecation warnings will cause the policy compilation to fail on boot." This means that you cannot download major version upgrades while policy contains deprecated syntax. Generally, the deprecation warnings indicate the appropriate corrective action. See "Policy Deprecation" on page 22 for instruc
18. ce Page: Discusses new and changed commands for Patience Page settings. Policy: Lists new VPM objects and CPL syntax, abandoned substitutions, new exception pages, and new object naming and UTF-8 encoding in VPM. Securing the Serial Port: Describes the upgrade/downgrade behavior if you secure the serial port. SmartFilter Version 4: The SmartFilter license key is now required if you use SmartFilter version 4. SSL Key Management: Discusses new non-interactive commands to enhance SSL key management, available through Director. Note: If a topic is not discussed, it means no upgrade or downgrade issues exist for that feature; for example, event logging has no changed functionality from previous versions and will not be discussed in this document. Access Logging: Access Logging has added new features in SGOS 4.x: a global enable/disable switch (see below); a P2P format and log (see "Peer to Peer" on page 15); new substitutions (see "New Access Logging Substitutions" on page 15). For a list of deprecated substitutions, see Table 3-11, "Abandoned Substitution Tokens," on page 25. Global Enable/Disable Switch: In SGOS 4.x, you can enable or disable access logging on a global basis, both through the Management Console (Access Logging > General > Global Settings) and the CLI. When logging is disabled, that setting overrides both policy and logging configuration. When access lo
19. d when configuring features going forward. If you downgrade to the previous SGOS version, the saved configuration is used and the ProxySG is restored to that state. Following the upgrade path provided maintains most of the current settings, the exceptions being those features that were substantially enhanced in SGOS 4.x. The only supported direct upgrade is from SGOS 3.2.4 and later. CacheOS 4.x and SGOS 2.x systems must first be upgraded to the SGOS 3.2.4 release. The following table provides the upgrade paths for these earlier versions. Table 2-1 Upgrade Paths:

   | Current OS | Direct Upgrade to SGOS 3.2.4 | Next OS version required | Comments |
   |---|---|---|---|
   | CA 1.0.00 to CA 3.1.15 | No | CA 3.1.16 | |
   | CA 3.1.16 | No | CA 4.1.10 | |
   | CA 3.5.00 to CA 3.5.07 | No | CA 3.5.08 | |
   | CA 3.5.08 | No | CA 4.1.10 | |
   | CA 4.0.00 to CA 4.1.09 | No | CA 4.1.10 | |
   | CA 4.1.10 or greater | No | SG 2.1.07 | |
   | CA 4.2.00 | No | CA 4.2.01 | |
   | CA 4.2.01 or greater | Yes | None | Can directly upgrade to SGOS 3.2.4 |
   | SA 1.0.00 to SA 2.0.x | No | SA 2.0.x | |
   | SA 2.0.x | No | SA 4.1.10 | |
   | SA 4.0.00 to SA 4.1.09 | No | SA 4.1.10 | |
   | SA 4.1.10 or greater | Yes | None | Can directly upgrade to SGOS 3.2.4 |
   | SG 2.0.00 to SG 2.1.06 | No | SG 2.1.07 | |
   | SG 2.1.07 or greater | Yes | None | Can directly upgrade to SGOS 3.2.4 |

   In SGOS 3.2.4 or greater, deprecation warnings are issued for CPL syntax that is abandoned in SGOS 4.x. Use of abandoned syntax causes CPL compiler errors: the policy will fail to install, and the ProxySG will use the def
20. der Meter response header Meter response header P3P response header P3P response header Pragma response header Pragma 27 Blue Coat SGOS 4 x Upgrade Guide Table 3 11 Abandoned Substitution Tokens Continued Abandoned CPL Current CPL response header Proxy Authenticate response header Proxy Authenticate response header Proxy Authorization response header Proxy Authorization response header Proxy Connection response header Proxy Connection response header Range response header Rang response header Referer response header Referer response header Refresh response header Refresh response header Retry After response header Retry After response header Server response header Server response header Set Cooki response header Set Cooki response header Set Cookie2 response header Set Cookie2 response header TE response header TE response header Trailer response header Trailer response header Transfer Encoding response header Transfer Encoding response header Upgrade response header Upgrade response header User Agent response header User Agent response header Vary response header Vary response header Via response header Via response header WWW Authenticate response header WWW Authenticat response header Warning response header Warning response header X Blu
21. ds allow you to enable and manage CPU monitoring. Table 3-3, New CLI Commands for CPU Monitor (Command: Description): SGOSt config diagnostics cpu monitor enable disable: Enables or disables the CPU monitor. SGOS config diagnostics cpu monitor interval seconds: Sets the interval between CPU monitoring. SGOS config diagnostics view cpu monitor: View CPU monitor statistics. Documentation References: Appendix E, "Diagnostics," in the Blue Coat ProxySG Configuration and Management Guide. Endpoint Mapper and SOCKS Compression: The Endpoint Mapper proxy accelerates Microsoft RPC traffic between branch and main offices, automatically creating TCP tunnels to ports where RPC services are running. The Endpoint Mapper proxy can be used in both explicit and transparent mode. Using SOCKS compression for TCP/IP tunnels reduces bandwidth consumption and improves latency. No configuration is required on the main office ProxySG to support SOCKS compression. However, configuration is required on the branch ProxySG to forward data through the SOCKS gateway. You can use policy or the socks gateway CLI options to enable SOCKS compression globally. Using policy, you can enable or disable compression on a per-connection basis on either the client side or the server side. You must also configure the branch ProxySG for the Endpoint Mapper proxy. Upgrade/Downgrade Behavior: On new or upg
22. e usable. On a downgrade, cached HTTP objects fetched after the upgrade are re-fetched. Documentation References: Chapter 6, "Configuring Proxies," in the Blue Coat ProxySG Configuration and Management Guide; the Blue Coat Content Policy Language Guide. Content Filtering: Cerberian content filtering has changed its name to Blue Coat Web Filter (BCWF). No upgrade issues exist. On a downgrade, the vendor none is selected instead of any unsupported choice. Note: During the 60-day SGOS trial period, no username or password is required to use Blue Coat Web Filter. For more information, refer to "Configuring Blue Coat Web Filter" in Chapter 18 of the Blue Coat ProxySG Configuration and Management Guide. Three new content filtering third-party vendors, InterSafe, Optenet, and Webwasher, have been added in SGOS 4.x. These new vendors cause no upgrade issues. On a downgrade, the vendor none is selected instead of any unsupported choice. The Websense log protocol changed from version 1 to version 3 in SGOS 3.2.x. Documentation References: Chapter 18, "Content Filtering," in the Blue Coat ProxySG Configuration and Management Guide. CPU Monitoring: You can enable CPU monitoring whenever you want to see the percentage of CPU being used by specific functional groups. CPU monitoring is disabled by default. You can also view CPU monitoring statistics through Statistics > Advanced > Diagnostics. CLI Commands: The following comman
23. eCoat Error response header X BlueCoat Error response header X BlueCoat MC Client Ip response header X BlueCoat MC Client Ip response header X BlueCoat Via response header X BlueCoat Via response header X Forwarded For response header X Forwarded For transaction id transaction id url address url address url extension url extension url host url host url host name url hostname url path url pathquery url port url port url query url query url scheme url scheme Documentation References Appendix D Substitutions in the Blue Coat Content Policy Language Guide Exception Pages A number of built in exception pages have been added to SGOS 4 x to send information back to the user under operational contexts that are known to occur New exception pages include 28 Chapter 3 Feature Specific Upgrade Behavior e HTML Notification a notify r notify missing cookie Compression t transformation error o unsupported encoding r invalid response e ICAP O icap_error should be used in place of the existing icap_communications_error exception page On a downgrade to SGOS 3 2 4 the ProxySG reverts to using the SGOS 3 x policy that was in use the last time that SGOS 3 x was running Documentation References e Chapter 15 Advanced Policy in the Blue Coat ProxySG Configuration and Management Guide The Blue Coat Content Policy Language Guide VPM In SGOS 4 x VPM now us
24. eader name request header name request header address name request header name address request x header name request x header name request x header address name request x header name address response header name response header lt name gt response x header name response x header name url address url address url domain url domain url extension url extension url host url host url host is numeric url host is numeric url host no name url host no name url host regex url host regex url host suffix url host suffix url path url path url path regex url path regex url port url port url prefix url url_query_regex url query regex url_regex url regex url_scheme url scheme user_domain user domain virus_pattern_update_url None All supported ICAP versions provide automatic notification of pattern file updates Table 3 9 Abandoned Policy Properties Abandoned Syntax Replacement Syntax property value syntax property value authenticate in cache layer Move to proxy layer authenticate display_realm the optional display_realm property value is abandoned in favor of specification in the realm configuration
25. en permission of Blue Coat Systems Inc or v removed or obscured of any Blue Coat Systems Inc or licensor copyrights trademarks or other proprietary notices or legends from any portion of the Software or any associated documentation All right title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems Inc and its licensors Blue Coat Systems Inc specifications and documentation are subject to change without notice Information contained in this document is believed to be accurate and reliable however Blue Coat Systems Inc assumes no responsibility for its use ProxySG ProxyAV CacheOSTM SGOS Spyware Interceptor Scope are trademarks of Blue Coat Systems Inc and CacheFlow Blue Coat Accelerating The Internet WinProxy AccessNow Ositis Powering Internet Management and The Ultimate Internet Sharing Solution are registered trademarks of Blue Coat Systems Inc All other trademarks contained in this document and in the Software are the property of their respective owners BLUE COAT SYSTEMS INC DISCLAIMS ALL WARRANTIES CONDITIONS OR OTHER TERMS EXPRESS OR IMPLIED STATUTORY OR OTHERWISE ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL BLUE COAT SYSTEMS INC ITS SUPPLIERS OR ITS LICENSORS BE LIAB
26. er and is in the alpha numeric format of SFxxoooocxxxx xxxx Note If you use SmartFilter version 3 the user name password assigned to you is still valid for version 3 only Documentation Reference Chapter 18 Content Filtering in the Blue Coat ProxySG Configuration and Management Guide SSL Key Management 30 SSL key management in SGOS 4 x has been modified to allow Director to better manage ProxySG appliances Abandoned Syntax The following syntax is abandoned as of SGOS 4 x replaced by the equivalent inline commands SGOS config SGOS config SGOS config SGOS config SGOS config Documentation References ssl import ssl import ssl import ssl import ssl import Chapter 3 Feature Specific Upgrade Behavior keyring show no show keyring_id certificate keyring_id signing request keyring_id ca certificate keyring_id external certificate keyring id Chapter 7 Using Secure Services in the Blue Coat ProxySG Configuration and Management Guide Chapter 21 Maintenance in the Blue Coat ProxySG Configuration and Management Guide Appendix F Using Director to Manage Appliances in the Blue Coat ProxySG Configuration and Management Guide 31 Blue Coat SGOS 4 x Upgrade Guide 32 Index A access logging default logs protocols 14 global enable disable switch CLI commands 14 global enable disable switch overview 14 new features in 13 P2P log format 15 P2P upgrade behavi
27. es UTF 8 encoding format for fetching and installing policy UTF 8 Encoding As of SGOS 4 x VPM policy XML stored in the ProxySG is read using the UTF 8 encoding format Any international characters present in this policy must be encoded using UTF 8 Policy XML created through VPM prior to SGOS 4 x does not contain international characters and so it should continue to load correctly after the upgrade If you created or edited the policy XML file outside VPM and loaded it into the ProxySG prior to upgrading it might contain international characters If these characters are not encoded in UTF 8 format VPM is unable to load the policy In this case it begins with an empty policy after displaying an error message Object Naming on Objects that can be named by the user no longer start with underscore character The underscore character is now used internally to prevent name collisions between objects that can be named by the user and internally generated names If obsoleted objects are upgraded such as File MIME Types in SGOS 2 x that get translated into combined condition objects these objects are prefixed with __Upgraded_ Policy compiles correctly even if the underscore character is not removed However if you want to edit these objects you must remove any underscore characters from the beginning of the object name before the object setting can be saved successfully 29 Blue Coat SGOS 4 x Upgrade Guide On an upgrade
28. gging is enabled policy settings override the access logging configuration Note Access log uploads are not affected by the global enable disable switch disabling access logging does not disable the ability to upload existing log files On new systems by default access logging is disabled but certain protocols are configured to use specific logs When access logging is enabled logging begins immediately for all configured protocols If you are upgrading your system your existing protocol configurations are preserved and access logging is enabled by default so that logging will continue as previously configured Protocols new in SGOS 4 x are set to have a default log of none in this case Note If you do not have a license for bandwidth management access log uploads will not be bandwidth limited even if they were bandwidth limited in SGOS 3 x Certain protocols now have logs assigned to them by default The defaults can be changed Note Protocols are not associated with a log by default upon an upgrade They are only associated with a default on new SGOS 4 x systems Table 3 1 Default Logs and Protocols Protocol Log Endpoint Mapper main FTP main HTTP HTTPS main TCP none Instant Messaging im Peer to Peer p2p Real Media QuickTime streaming SOCKS none TCP Tunneling main Telnet none Windows Media streaming New CLI Commands SGOS config
29. guration you must first launch the SGOS 3 x image then select the SGOS 2 x or CacheOS 4 x version to launch After you make the desired changes you must follow the upgrade path back to SGOS 3 2 4 using the restore sgos2 config or restore cacheos4 config commands See Table 2 1 on page 7 for information on upgrade paths The restore sgos2 config or restore cacheos4 config command first checks if there are saved SGOS 2 x or CacheOS 4 x settings on the ProxySG If not the CLI command warns the administrator and exits Important Check for deprecation warnings after upgrading to 3 2 4 and before proceeding to SGOS 4 x If saved settings exist the command warns the administrator that all the current next version settings will be lost and that a restart will be initiated waiting for positive confirmation before clearing all the current next version settings and then initiates a restart The restart similar to a restart regular triggers the upgrade process which copies over the settings and transform them to the next version settings Blue Coat SGOS 4 x Upgrade Guide Changing Between SGOS 4 x Versions When moving from one SGOS 4 x release to another SGOS 4 x release the system maintains all settings Changes made after an upgrade continue to be available after a subsequent downgrade as long as the setting is relevant to the downgraded release Note When upgrading or downgrading between versions of SGOS 4 x copies of ver
30. ified maximum amount of bandwidth Prioritizes certain traffic classes to determine which classes have priority over available bandwidth Blue Coat SGOS 4 x Upgrade Guide Upgrade Behavior As BWM is a new feature upgrade issues are restricted to previously existing bandwidth configuration that will now be subsumed into the BWM configuration BWM does not replace the older bandwidth limiting features currently available in Streaming max streaming max Real and max MMS It complements it BWM replaces the bandwidth limiting configuration in Access Logging Related BWM classes are automatically created based on the older Access Log bandwidth configuration and placed under the class access log logname where logname is the name of the log Downgrade Behavior If downgraded the access log behaves as previously configured Documentation References Chapter 10 Bandwidth Management in the Blue Coat ProxySG Configuration and Management Guide Compression 18 In SGOS 4 x Blue Coat offers both HTTP compression and SOCKS compress e HTTP Compression is an algorithm that reduces a file size but does not lose any data When you use compression depends upon three resources server side bandwidth client side bandwidth and ProxySG CPU If server side bandwidth is more expensive in your environment than CPU then you should always request compressed content from the origin content server OCS However if CPU is comparatively expen
31. l e At the CLI command prompt SGOS > show policy listing To check for deprecation warnings in exception pages In the Management Console Configuration > Policy > Exceptions From the View File dropdown list select Results of Exceptions Load and press View Or Statistics Advanced Exceptions View last installation status e From a browser https ProxySG IP port exceptions listing html Note You cannot check for warnings in exception pages through the CLI Documentation References e Chapter 14 VPM in the Blue Coat ProxySG Configuration and Management Guide The Blue Coat Content Policy Language Guide CPL Chapter 3 Feature Specific Upgrade Behavior Syntax that was deprecated in SGOS 3 x has been abandoned in SGOS 4 x Policy that includes abandoned syntax should be corrected before you attempt to upgrade the system The standard upgrade path and process are designed to ensure the integrity of policy and the security of your network Blue Coat strongly recommends that you follow the approved upgrade path and correct any policy deprecation warnings prior to upgrading to SGOS 4 x Policy that has been abandoned is listed in the tables below Table 3 5 Abandoned Definition Syntax Abandoned Syntax Replacement Syntax define acl define subnet define actions domain as a condition definition type None Actions can be defined anywhere in the policy url domain prefix
32. or 15 substitutions new 15 authentication BCAAA installing 17 COREid realm added 17 Policy Substitution realm added 17 upgrade behavior 17 bandwidth management overview 17 upgrade downgrade behavior 18 BCAAA new realms using with 17 C CacheOS 4 x downgrading to 9 compression overview 18 upgrade behavior 18 conditions abandoned 23 COREid realm added 17 BCAAA required 17 upgrade behavior 17 CPL actions abandoned 25 conditions abandoned 23 definition syntax abandoned 23 policy warnings 23 properties abandoned 24 section syntax abandoned 23 substitutions abandoned 25 CPU monitoring CLI commands 19 overview 19 D definition syntax abandoned 23 document conventions 6 downgrading CacheOS 4 x 9 SGOS 2 x 9 to SGOS 3 2 3 9 E exception pages new 28 F forward layer conditions added 21 l ICAP Patience Page CLI commands changed added 20 L licensing overview 10 N Netegrity realm upgrade downgrade behavior 17 P P2P access logging log format 15 upgrade behavior 15 Patience Page CLI commands changed added 20 policy conditions added to forward layer 21 new properties conditions VPM objects 21 Policy Substitution realm added 17 Policy Substitution realm upgrade behavior 17 S section syntax abandoned 23 SGOS 2 x downgrading to 9 SGOS 32 3 upgrade changes 5 SGOS 3 2 3 upgrading from 9 SmartFilter license key required 30 33 Blue Coat SGOS 4 x Upgrade Guide s
33. patible configurations are converted This only happens the first time you upgrade if you later downgrade to a pre SGOS 4 x version by selecting an earlier image on your system make configuration changes and re install SGOS 4 x the new SGOS 3 2 4 changes are not propagated to SGOS 4 x To force the new system s configuration to be regenerated after changes are made to the older system s configuration you will need to force the upgrade conversion to occur again Use the restore sgos3 config command which converts the current SGOS 3 x configuration to the SGOS 4 x configuration Note Previous force commands restore sgos2 config and restore cacheos4 config are not available in SGOS 4 x they can only be run from earlier versions The restore sgos3 config command first checks if there are saved SGOS 3 2 4 settings on the ProxySG If not the CLI command warns the administrator and exits If saved SGOS 3 settings exist the restore sgos3 config command warns the administrator that all the current SGOS 4 x settings will be lost and that a restart will be initiated waiting for positive confirmation before clearing all the current SGOS 4 x settings and then initiating a restart The restart similar to a restart regular triggers the upgrade process which copies over the SGOS 3 settings and transforms them to the SGOS 4 x settings Redoing an Upgrade from SGOS 2 x or CacheOS 4 x To downgrade to capture changes to the older version s confi
34. pt Encoding response header Accept Language response header Accept Language response header Accept Ranges response header Accept Ranges response header Ag response header Ag response header Allow response header Allow response header Authentication Info response header Authentication Info response header Authorization response header Authorization response header Cache Control response header Cache Control response header Client IP response header Client IP response header Connection response header Connection response header Content Encoding response header Content Encoding response header Content Language response header Content Language response header Content Length response header Content Length response header Content Location response header Content Location response header Content MD5 response header Content MD5 response header Content Rang response header Content Range response header Content Typ response header Content Typ response header Cookie response header Cookie response header Cookie2 response header Cookie2 response header If Modified Sinc response header If Modified Since response header If None Match response header If None Match response header If Rang response header If Rang response header If Unmodified Since response header If Unmodified Since response header Last Modified response header Last Modified response header Location response header Location response header Max Forwards response header Max Forwards response hea
35. quest header Etag request header Etag request header Expect request header Expect request header Expires request header Expires request header From request header From request header Front End HTTPS request header Front End HTTPS request header Host redquest header Host request header If Match request header If Match request header If Modified Sinc request header If Modified Sinc request header If None Match request header If None Match request header If Rang request header If Rang request header If Unmodified Since request header If Unmodified Since request header Last Modified reques Last Modified request header Location request neaaer Location request header Max Forwards request header Max Forwards request header Meter request header Meter request header P3P request header P3P request header Pragma request header Pragma request header Proxy Authenticate request header Proxy Authenticate request header Proxy Authorization reques neaaer Proxy Authorization request header Proxy Connection request header Proxy Connection request header Range request header Rang request header Referer request header ferer request header Refresh reques fresh neaaer request header Retry After reques Dneadaer R R Retry After S S S request header Server request header Server req
36. raded systems compression on the SOCKS proxy is enabled by default SOCKS compression is disabled by default on the SOCKS forwarding host e On new or upgraded systems the Endpoint Mapper proxy service is created but not enabled on port 135 e If you downgrade the main office ProxySG but not the branch ProxySG the branch office might still attempt compression but compression will fail e On an upgraded system the SOCKS proxy settings and policy is unchanged from the downgraded version Documentation References e Chapter 5 Managing Port Services in the Blue Coat ProxySG Configuration and Management Guide e Chapter 6 Configuring Proxies in the Blue Coat ProxySG Configuration and Management Guide ICAP Patience Page 20 Patience pages display regardless of any pop up blocking policy that is in effect CLI Changes and Additions The following CLI commands have been modified Table 3 4 Changed CLI Syntax Abandoned Syntax Current Syntax inline http icap patience details eof inline http icap patience details eof inline http icap patience header eof inline http icap patience header eof inline http icap patience help eof inline http icap patience help eof inline http icap patience summary eof inline http icap patience summary eof New commands created to view Patience Page settings are Chapter 3 Feature Specific Upgrade Behavior e SGOSt config external services view
37. sion specific configurations are not retained Instead all configurations created in an upgrade are retained if the configuration is relevant to the downgrade version Care should be taken when using policy features introduced in a minor release These cause compilation errors if you fall back to a previous version of the same major release in which those features were unsupported To prevent accidental fallbacks you should remove unused system images using the install d systems delete number from the config installed systems prompt Licensing In SGOS 4 x a base license is issued for SGOS 4 x functionality regardless of whether those features existed before SGOS 4 x or are new in SGOS 4 x If you upgrade from SGOS 3 x with a valid SGOS 4 x component license the ProxySG lists the licensed components with their expiry dates those components that are not licensed enter a 60 day trial period If you upgrade from SGOS 3 x without a valid SGOS 4 x component license all licensable components enter a trial period the ProxySG attempts to download a license from the Blue Coat license download site once a day for the duration of the SGOS 4 x trial period There are three types of licensable components e Required The SGOS base e Included Additional features provided by Blue Coat e Optional If applicable any additional purchased features When the license key file is created it consists of all three components The
38. sive the ProxySG should instead be configured to ask the OCS for the same HTTP compressions that the client asked for and to forward whatever the server returns The default configuration assumes that CPU is costlier than bandwidth If this is not the case you can change the ProxySG behavior e SOCKS compression is supported for TCP IP tunnels which can compress the data transferred between the branch downstream proxy and main office upstream proxy reducing bandwidth consumption and improving latency When SOCKS compression is used in conjunction with the new Blue Coat Endpoint Mapper EPMapper proxy the Endpoint Mapper proxy accelerates Microsoft RPC traffic applications that use dynamic port numbers between branch and main offices automatically creating TCP tunnels to ports where RPC services are running Upgrade Behavior Prior to SGOS 4 x the HTTP proxy did not cache objects if the server sent compressed content With HTTP compression and variant object support objects are now cached regardless of its encoding if all other conditions allows caching With variant object support multiple copies of the same object variants might exist in the cache and that might affect object carrying capacity of the disk On box compression and decompression can significantly affect CPU and RAM usage This will directly affect the capacity of the box Chapter 3 Feature Specific Upgrade Behavior On an upgrade cached HTTP objects ar
39. time passwords and Netegrity realms now allow you to enable or disable client IP validation Upgrade Behavior COREid and Policy Substitution realms These new realms have no upgrade issues On a downgrade the realms will not be recognized and could cause policy compilation to fail if they are referenced by policy Netegrity On an upgrade the new realm option for client IP validation is added to existing realms with the default value of enabled so that the behavior remains as it was On a downgrade the value is ignored and all SiteMinder realms do client IP validation Administrator Actions You must upgrade to the latest version of the Blue Coat Authorization and Authentication Agent BCAAA before you can use the new COREid realm Documentation References e Chapter 9 Using Authentication Services in the Blue Coat ProxySG Configuration and Management Guide Bandwidth Management Bandwidth management allows you to classify control and if required limit the amount of bandwidth used by different classes of network traffic flowing into or out of the ProxySG Network resource sharing or link sharing is done using a bandwidth management hierarchy where multiple traffic classes share available bandwidth in a controlled manner Bandwidth management provides the following features Guarantees that certain traffic classes receive a specified minimum amount of available bandwidth e Limits certain traffic classes to a spec
40. tions on how to view the deprecation warnings that indicate the syntax to be corrected Note The Visual Policy Manager VPM automatically generates up to date CPL syntax If the deprecations warnings are issued from the VPM policy file you should start VPM and reload the policy to get the latest version of the generated CPL You can force an upgrade while deprecation warnings are present using the CLI command load upgrade ignore warnings however policy compilation will fail after the upgrade and the ProxySG reverts to the default policy of ALLOW or DENY Corrective action is required to restore normal operation Any CPL local policy that performs operations such as ALLOW DENY Authenticate or Redirect or that modifies Cookie Set Cookie headers might interfere with the Notify User policy Before using the VPM Notify User policy remove all coaching splash notify policy from the CPL local policy file Restoring to Previous Versions When upgrading from the SGOS 3 2 4 or higher release a copy of the settings is saved prior to any transformations by SGOS 4 x so that the original settings are available if the ProxySG is downgraded to SGOS 3 24 Keep in mind that changes made after upgrade are not preserved on a downgrade After an upgrade and a downgrade the state is exactly what it was before the upgrade Chapter 2 Upgrade Behavior General Redoing an Upgrade from SGOS 3 2 4 When the initial SGOS 4 x upgrade occurs any com
41. ts the following hardware ProxySG Series 200 ProxySG Series 400 ProxySG Series 800 ProxySG Series 6000 ProxySG Series 7000 ProxySG Series 8000 Documentation References 12 Chapter 2 Licensing in the Blue Coat ProxySG Configuration and Management Guide To do an upgrade for the ProxySG through the Management Console refer to Chapter 21 Maintenance Blue Coat ProxySG Configuration and Management Guide Blue Coat ProxySG Command Line Reference Chapter 3 Feature Specific Upgrade Behavior This chapter provides critical information concerning how specific features are affected by upgrading to SGOS 4x and if relevant downgrading from and provides actions administrators must or are recommended to take as a result of upgrading This chapter contains the following sections Access Logging Discusses the new global enable disable switch the Peer to Peer P2P format and log and the new substitutions Authentication Discusses Policy Substitution Oblix COREid and RADIUS realms Bandwidth Management Discusses bandwidth management features Compression Discusses ProxySG behavior when using HTTP compression Content Filtering Discusses downgrade behavior for new third party vendors CPU Monitoring Allows you to see the percentage of CPU being used by specific functional groups Endpoint Mapper and SOCKS Compression Discusses Endpoint Mapper proxy and SOCKS compression ICAP Patien
42. tures in SGOS 4 x and discusses any upgrade downgrade issues Related Blue Coat Documentation e Blue Coat 6000 and 7000 Installation Guide e Blue Coat 400 Series Installation Guide e Blue Coat 800 Series Installation Guide e Blue Coat 8000 Series Installation Guide Blue Coat SGOS 4 x Upgrade Guide Blue Coat ProxySG Configuration and Management Guide e Blue Coat ProxySG Content Policy Language Guide Blue Coat ProxySG Command Line Interface Reference Document Conventions The following section lists the typographical and Command Line Interface CLI syntax conventions used in this manual Table 1 2 Typographic Conventions Conventions Definition Italics The first use of a new or Blue Coat proprietary term Courier font Command line text that appears on your administrator workstation Courier Italics A command line variable that is to be substituted with a literal name or value pertaining to the appropriate facet of your network system Courier Boldface A ProxySG literal to be entered as shown One of the parameters enclosed within the braces must be supplied Eo An optional parameter or parameters Either the parameter before or after the pipe character can or must be selected but not both Chapter 2 Upgrade Behavior General Upgrading When upgrading to SGOS 4 x from SGOS 3 2 4 or higher the ProxySG saves a copy of the original configurations These configurations remain unaffecte
43. ubstitutions U abandoned 25 upgrading additional 15 changes between SGOS 3 2 3 and SGOS 4 x 5 substitution syntax abandoned 23 paths required 7 restore cacheos4 config command upgrading 9 restore sgos2 config command using 9 restore sgos3 config command using 9 V VPM object naming 29 UTF 8 encoding 29 34
44. uest header Set Cooki request header t Cooki request header Set Cookie2 request header t Cookie2 request header TE request header TE request header Trailer request header Trailer request header Transfer Encoding request header Transfer Encoding request header Upgrade request header Upgrade Table 3 11 Abandoned Substitution Tokens Continued Chapter 3 Feature Specific Upgrade Behavior Abandoned CPL Current CPL request header User Agent request header User Agent request header Vary request header Vary request header Via request header Via request header WWW Authenticat request header WWW Authenticat request header Warning request header Warning request header X BlueCoat Error request header X BlueCoat Error request header X BlueCoat MC Client Ip request header X BlueCoat MC Client Ip request header X BlueCoat Via request header X BlueCoat Via request header X Forwarded For request header X Forwarded For response header Accept response header Accept response header Accept Charset response header Accept Charset response header Accept Encoding response header Acce
