
Slide 1

1 Copyright 2013 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential For Internal and Official Channel Partner Use Only
SECURE WEB GATEWAY REFERENCE ARCHITECTURE




Slide 2
SECURE WEB GATEWAY: FUNCTIONS
(Diagram: function blocks grouped by layer)
- Connectivity: Proxy Forwarding; Transparent (Inline, WCCP, Loadbalanced); Explicit Proxy / PAC / WPAD
- Platform: Cloud; Virtual Appliance; Appliance; Hybrid
- Policy / Enablement: SSL Inspection; Authentication; Authorization; Logging; ICAP & E-Tap Integration
- Services: Categorization; Anti-malware; App & Operation Controls; DLP; IDS; White & Blacklisting; Sandboxing; GEO Location (Roadmap); Global Intelligence Network; Object Caching; Security Analytics Platform
- Management: Local; Central; Reporting: On-Premise, Cloud or Unified; Unified Policy; Appliance Monitoring

Last Updated: 20.12.2013

Platform: We provide a choice of deployment options for customers. They can deploy SWG
- on-premise as an appliance,
- as a virtual appliance,
- using our cloud service, or
- hybrid (a combination of the above).

Connectivity: there are many ways to deploy SWG. Customers can deploy ProxySG transparently
or explicitly.
- Transparent: this can be achieved by deploying ProxySG physically inline using bridge
interface configurations, by using WCCP to redirect traffic from Cisco switches / routers, or by using
traffic redirection from L4-L7 load balancers.
- Explicit: this can be achieved by configuring proxy settings in browsers, by using PAC files, or by
WPAD (in MS environments).
- Proxy forwarding: proxy systems can be chained, and traffic can be forwarded from one proxy to
another.
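The explicit option above is usually rolled out as a PAC file, fetched by the browser directly or discovered through WPAD. The following is an added example, not part of the slide deck and not Blue Coat's code: a PAC file that keeps internal destinations direct and sends everything else through two gateway proxies in failover order. The domain corp.example, the proxy host names and ports and the address ranges are assumed placeholders; the three helpers at the end re-implement PAC built-ins so the file can also be run under Node for testing, while a browser supplies its own.

```javascript
// Added example, not part of the slide deck and not Blue Coat's code.
// The browser calls FindProxyForURL(url, host) for every request and acts on the
// returned string. All host names and address ranges here are assumed placeholders.
function FindProxyForURL(url, host) {
  // Plain (unqualified) names and the internal domain never leave the network.
  // The leading dot in ".corp.example" matters: "notcorp.example" must not match.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Private address literals stay internal as well (shell-style patterns).
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) {
    return "DIRECT";
  }
  // Everything else goes through the gateway. The browser tries each entry in
  // order; with no trailing "DIRECT" the client fails closed if both are down.
  return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
}

// The helpers below are normally provided by the browser's PAC engine. These are
// minimal re-implementations (assumed, not browser code) so the file runs in Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Turn a shell expression ("*" any run, "?" one char) into an anchored regex.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Demo run: a few constructed destinations.
console.log(FindProxyForURL("http://intranet/", "intranet"));
console.log(FindProxyForURL("https://www.example.com/", "www.example.com"));
```

A PAC file is only a hint executed on the client; enforcement of the explicit model comes from the firewall shown in the topology slide permitting outbound web traffic from the proxies alone, so a client that ignores or rewrites the PAC file gains nothing.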

Policy: Policy is the enabler for all services / functionalities on ProxySG. It triggers
authentication, authorization, logging, SSL interception and also ICAP and encrypted TAP
integration. Policy (Content Policy Language, CPL) is still a great differentiator and provides
unmatched flexibility.

Services: SWG provides services like URL categorization, anti-malware scanning (via ICAP),
application and operation controls, DLP (via ICAP), IDS (via encrypted TAP), Security Analytics
Platform integration (via encrypted TAP), white and blacklisting (of URLs, IP addresses,
applications, etc.), sandboxing (via ICAP CAS&MAA or encrypted TAP - FEYE), object caching
and integration into our Global Intelligence Network (WebPulse). GEO Location of the requested
servers is on the roadmap.

Management: SWG can be managed locally or using a central management system. In a hybrid
deployment, policy can be synchronized from the Cloud to ProxySG (Unified Policy). The Cloud or
Central Manager can be used for detailed appliance monitoring. Customers have a choice of
using Reporter on-premise for ProxySG, Cloud Reporting for the Cloud, or a unified deployment
(Reporter for both or Cloud for both).



Slide 3
SECURE WEB GATEWAY: DATA & WORKFLOW
(Diagram: data & workflow) Components: User request; ProxySG (SWG core, SSL); Auth DB; Reporter; Global Intelligence Network; Content Analysis System; Malware Analysis; Security Analytics Platform; DLP; Internet. Integration links: ICAP (Content Analysis System, DLP); E-Tap (Security Analytics Platform).

1: User requests a URL
2: ProxySG authenticates and authorizes the user
3: ProxySG categorizes the URL via BCWF database lookup and, if necessary, via the Global
Intelligence Network (WebPulse) in real time
4: If traffic is SSL encrypted, ProxySG can decrypt it and also send a clear-text copy of the
request to the Security Analytics Platform via encrypted TAP
5: Outbound data can be sent to a DLP system using ICAP
6: ProxySG receives traffic from the OCS / Internet
7: Traffic can be sent to the Content Analysis System for malware scanning
7.1: Certain files (not known good and not known bad) can be sent to MAA for deeper analysis
via sandboxing. Note that this crosses the real-time border: analysis results will take at least 60
seconds
8: If traffic is SSL encrypted, ProxySG can decrypt it and also send a clear-text copy of the
response to the Security Analytics Platform via encrypted TAP
9: Content gets served to the client
10: Access log data can be uploaded to Blue Coat Reporter
11: MAA provides feedback to CAS and, if the file was malicious, subsequent requests will be
blocked. Scanning results can also be sent to the Global Intelligence Network
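Step 7 (and step 5, which uses the same mechanism for outbound data) hands traffic to an external system over ICAP. The following is an added example, not part of the slide deck and not Blue Coat's or ProxySG's code: a model of the ICAP (RFC 3507) RESPMOD exchange between a proxy and a response scanner, building the proxy's request with correct Encapsulated offsets and turning the scanner's 204 or 200 reply into a serving decision. The host cas.example.internal, port 1344, service path /avscan, the sample HTTP messages and the X-Infection-Found header are assumptions, not taken from the slides.

```javascript
// Added example, not part of the slide deck and not Blue Coat's code: a model of the
// ICAP RESPMOD exchange behind workflow step 7, where the proxy hands a fetched HTTP
// response to an external scanner before serving it. Host names, service path and all
// sample messages are constructed placeholders. Strings are ASCII, so .length equals
// the byte count ICAP offsets require; real code must count bytes (Buffer.byteLength).
const CRLF = "\r\n";

// HTTP or ICAP header block: header lines plus the empty line that terminates it.
function headerBlock(lines) {
  return lines.join(CRLF) + CRLF + CRLF;
}

// Encode a body as one HTTP chunk followed by the zero-length terminator chunk.
function chunked(body) {
  return body.length.toString(16) + CRLF + body + CRLF + "0" + CRLF + CRLF;
}

// Decode a chunked body by concatenating every chunk until the zero chunk.
function dechunk(data) {
  let out = "";
  let pos = 0;
  for (;;) {
    const eol = data.indexOf(CRLF, pos);
    const size = parseInt(data.slice(pos, eol), 16);
    if (size === 0) return out;
    out += data.slice(eol + 2, eol + 2 + size);
    pos = eol + 2 + size + 2; // skip chunk data and its trailing CRLF
  }
}

// Split an ICAP message into first line, lower-cased header map, Encapsulated
// offsets and the encapsulated payload that follows the ICAP headers.
function parseIcap(message) {
  const sep = message.indexOf(CRLF + CRLF);
  const [firstLine, ...headerLines] = message.slice(0, sep).split(CRLF);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const offsets = {};
  for (const part of (headers.encapsulated || "").split(",")) {
    const [name, value] = part.trim().split("=");
    if (name) offsets[name] = parseInt(value, 10);
  }
  return { firstLine, headers, offsets, payload: message.slice(sep + 4) };
}

// Proxy side: wrap the client's request headers and the origin server's response into
// a RESPMOD request. Offsets are relative to the start of the encapsulated section.
// "Allow: 204" lets the scanner answer "unmodified" without echoing the body back.
function buildRespmod(service, reqHdrLines, resHdrLines, body) {
  const reqHdr = headerBlock(reqHdrLines);
  const resHdr = headerBlock(resHdrLines);
  const icapHdr = headerBlock([
    `RESPMOD icap://${service.host}:${service.port}${service.path} ICAP/1.0`,
    `Host: ${service.host}`,
    "Allow: 204",
    `Encapsulated: req-hdr=0, res-hdr=${reqHdr.length}, res-body=${reqHdr.length + resHdr.length}`,
  ]);
  return icapHdr + reqHdr + resHdr + chunked(body);
}

// Proxy side: turn the scanner's reply into a serving decision. 204 = serve the
// original; 200 = serve the scanner's replacement (typically a block page); anything
// else is a scanner failure, which policy must resolve. This model fails closed.
function decideFromReply(reply, originalResHdrLines, originalBody) {
  const icap = parseIcap(reply);
  const status = parseInt(icap.firstLine.split(" ")[1], 10);
  if (status === 204) {
    return { verdict: "clean", resHdr: headerBlock(originalResHdrLines), body: originalBody };
  }
  if (status === 200) {
    const { payload, offsets, headers } = icap;
    const resHdr = payload.slice(offsets["res-hdr"], offsets["res-body"]);
    const body = dechunk(payload.slice(offsets["res-body"]));
    // X-Infection-Found is a common ICAP extension header (assumed, not from the slides).
    const verdict = headers["x-infection-found"] ? "blocked" : "modified";
    return { verdict, resHdr, body };
  }
  return { verdict: "fail-closed", status };
}

// Constructed scanner replies for the demo: one clean verdict, one block page.
const CLEAN_REPLY = headerBlock(["ICAP/1.0 204 No Content", 'ISTag: "demo-sig-1"', "Encapsulated: null-body=0"]);

function blockReply(threatName, html) {
  const resHdr = headerBlock(["HTTP/1.1 403 Forbidden", "Content-Type: text/html"]);
  return headerBlock([
    "ICAP/1.0 200 OK",
    'ISTag: "demo-sig-1"',
    `X-Infection-Found: Type=0; Resolution=2; Threat=${threatName};`,
    `Encapsulated: res-hdr=0, res-body=${resHdr.length}`,
  ]) + resHdr + chunked(html);
}

// Demo run: wrap a fetched file for scanning, then act on both kinds of reply.
const CAS = { host: "cas.example.internal", port: 1344, path: "/avscan" };
const request = buildRespmod(CAS,
  ["GET /report.pdf HTTP/1.1", "Host: downloads.example.com"],
  ["HTTP/1.1 200 OK", "Content-Type: application/pdf"],
  "%PDF-1.4 ... constructed sample body ...");
console.log(request);
console.log(decideFromReply(CLEAN_REPLY, ["HTTP/1.1 200 OK"], "body").verdict);
console.log(decideFromReply(blockReply("Demo.Threat", "<h1>Blocked</h1>"), [], "").verdict);
```

Two points the workflow leaves implicit: the proxy must decide what to do when the scanner returns neither 204 nor 200, or does not answer at all, and the model above fails closed; and because the decision is taken before step 9, a 200 reply replaces the content the user receives, which is how a block page reaches the client.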




Slide 4
SECURE WEB GATEWAY: TOPOLOGY
(Diagram: example topology) Users; User Directory; Switch; Admin; Central Management; ProxySG (Forward Proxy); Content Analysis; Malware Analysis; Firewall; Internet; Global Intelligence Network; Cloud Security Service; Remote User; Remote Office (direct to the Net) with ProxySG; MPLS; ProxySG (Reverse Proxy).

This diagram shows an example deployment.

SWG:
- ProxySG is deployed at a central location; CAS is integrated via ICAP and MAA via CAS for
local malware scanning.
- Note: CAS and MAA are located on the same subnet, connected to the same switch;
however, there is no direct communication between ProxySG and MAA. MAA can only
be integrated via CAS.
- ProxySG is deployed at a branch office and configured to forward internet traffic to the cloud service.
- At the same time the branch office is connected to the HQ via an MPLS network.
- Remote users are protected by the cloud service.
- Another ProxySG is deployed in the DMZ as a reverse proxy in front of web servers.
- The lower part of the diagram shows users, an admin workstation, the central manager and a user
directory (for example MS Active Directory).
Slide 5
