Director
Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contact.html
bcs.info@bluecoat.com
http://www.bluecoat.com
Copyright 1999-2007 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, CacheOS, SGOS, SG, Spyware
Interceptor, Scope, RA Connector, RA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and
CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, AccessNow, Ositis, Powering Internet Management,
The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are
registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of
their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Contents
Document Objectives
Audience
Organization
Document Conventions
Related Documentation
Blue Coat Director Configuration and Management Guide
Index
Preface
This preface describes who should read the Blue Coat Director Configuration and
Management Guide, how it is organized, and its document conventions.
This preface contains the following sections:
Document Objectives on page 9
Organization on page 9
Audience on page 9
Document Conventions on page 10
Related Documentation on page 11
Document Objectives
This configuration and management guide describes how to use the Blue Coat
Director software for setting up, monitoring, and managing all aspects of
networks that use Blue Coat SG appliances.
Audience
This guide is intended for network administrators and managers.
Organization
This document contains the following chapters.
Table 1-1 Document Organization
Document Conventions
The documentation uses the following conventions:
Convention Description
Related Documentation
The following table shows other Director documentation available from Blue
Coat:
Table 1-2 Documentation available from Blue Coat
Quick Start Guide: Shipped with your Blue Coat Director; describes how to install the Director hardware and configure access information.
Blue Coat Systems Director Installation Guide: Provides installation information with more details than the Quick Start Guide.
Blue Coat Systems Director Command Line Interface Reference: Describes all of the available Director CLI commands.
Online documentation: Provided with the Blue Coat RA Manager to give you context-sensitive help as well as access to this book.
Chapter 1: Director Overview
About Director
Blue Coat Director centrally manages and monitors all aspects of networks
that use Blue Coat SG appliances. Administrators can use Director to set user
and content policy, manage SG appliance configurations, distribute and control
all types of Web content, upgrade and validate SGOS software, and back up SG
appliances.
Director automates configuration and policy management to one or more SG
appliances from a single point of administration. It manages everything from
SG appliance configuration to policy and license distribution.
Key configuration management features include:
Configure groups of SG appliances based on locations, applications, or
more.
Rapidly deploy standardized configurations using profiles.
Manage the scheduling of policy and configuration changes.
Easily schedule incremental changes to one or more SG appliances.
Create and distribute policy across a system of SG appliances.
Automatically back up configuration snapshots.
Back up SG appliance backup files.
Compare backup files from different SG appliances and restore
configuration backups to multiple SG appliances.
Quickly monitor SG appliance status, statistics, and configurations.
Upgrade all SG appliances at once.
Director Terminology
The following special Director terminology is used in this manual:
SGME (Security Gateway Management Edition): The name given to Director's
software.
Device: A synonym for the SG appliance.
Director (or Blue Coat Director): The product as a whole, encompassing the
hardware and software and all the features.
Director CLI: The command line interface for the SGME operating system.
SG CLI: The command line interface for the SGOS operating system.
Director image file: The file containing the Director SGME software.
Director Management Console: The Director user interface.
Director management node: The Director hardware.
Profile: A configuration operation on Director that creates a snapshot of all
configuration and policy from a source device.
Overlay: A configuration operation on Director that is used to replace selected
configurations or policy on one or more SG appliances.
Job: A Director action that is scheduled.
SG appliance: A purpose-built appliance to provide visibility and control of
Web communications and to enable granular policy enforcement to the
individual user. This is a device that can be managed by Director.
SNMP No Yes
Workgroups No Yes
Authentication No Yes
Table 1-1 Availability of Features in the Director CLI and Management Console (Continued)
Note: If you have not previously enabled Telnet through the serial console during
hardware installation of the Director management node, Telnet is not available.
Note: For information about using the Director CLI to set up Director
management nodes, see Appendix A: "Administering Director" on page 199. For
full command arguments and syntax, refer to the Blue Coat Director
Command Line Interface Reference.
Note: The Content Sync Module does not ship with Director. It is available
separately.
Chapter 2: Getting Started
The purpose of this chapter is to help you understand the steps to
install, configure, and start Director. This chapter contains a summary of initial
tasks and a general overview of common tasks. Detailed instructions and
conceptual information are discussed in other chapters.
This chapter discusses the following topics:
"Before You Begin - Summary of Initial Tasks" on page 19.
"Section A: Performing Management Node Initial Setup" on page 20.
"Section B: Connecting to the Director for the First Time" on page 21.
"Section C: Adding and Managing Devices" on page 29.
Section B: Connecting to the Director for the First Time
Before you begin, you must have the Director software installed on both the
Director management node and on the system where you are going to manage
Director. Refer to the Blue Coat Director Installation Guide for information on
downloading and installing the software.
Also, review the settings on the management node (see Section A: "Performing
Management Node Initial Setup" on page 20) to ensure that the Director version is
compatible with the version of SGOS you are using.
Note: If you had SGME 4.x installed on your system, you have two instances of
the Director user interface installed. You can use SGME 4.x to connect to 4.x
Directors and SGME 5.x to connect to 5.x Directors.
Note: By default Director connects through SSH Simple. Before you can
use SSH-RSA, you must be connected to Director with SSH Simple. To use
Telnet to connect, you must first configure it using the CLI.
Notes
To manage this Director's settings at a later time or to add other Directors to
this Management Console, select File > Manage Directors.
Each time you connect to Director after first-time configuration, the Login:
Director Management Console dialog displays. You must enter the required
password information to connect to Director.
Figure 2-3 The Director login dialog.
About the Configure Tab
The Configure tab allows you to create and manage groups and devices. After you
have added devices to Director, you can edit the devices (by right-clicking the
device and selecting Edit) or place them in groups. After devices are added, you
can then create profiles and overlays to manage the configuration on your
devices.
The Backup Manager can be launched for each specific device, allowing you to
create and manage the backups done for each device.
For more information about the tasks available on the Configure tab, see Section
C: "Adding and Managing Devices" on page 29.
2. Specify the browser file: In the Path To Browser field, enter the path to the
browser executable file; if you do not know the path, click Browse and
navigate to the location of the file.
3. Specify browser output settings. The combinations of selecting/clearing
Enable verbose output and entering a kilobyte limit provide the following
functionality:
If Enable verbose mode is selected and the output limit is set to a small
value, such as 10Kb, then:
Profile and overlay output is shown in its entirety.
Archive configuration output is truncated at the value in the Limit output
to: field.
If Enable verbose mode is not selected (the default), and the output limit is
set to a small value, such as 10Kb, then:
Profile and overlay output displays errors only.
Archive configuration output is truncated at the value in the Limit output
to: field.
If Enable verbose mode is not selected and the output limit is set to a large
value, all output is limited to errors only.
4. Click OK.
Notes
The default output limit is 5120 KBytes; the maximum is 1 GB. The limit is
reset to its default if you click Use Defaults.
Backup-restore output is always errors only, no matter the setting of the
verbose mode.
Note: Because the device identification file is in CSV format, you must enter data
for all fields, and in the correct order. Otherwise, the add device operation will
fail.
To add a device, you must input the following data into the New Device Wizard:
Device name
Device ID
IP Address
Web Port
Authentication Port
Username
Password
Enable Mode Password
To import device data using a device identification file, see the following
procedure. To add devices manually, see "To manually add devices:" on page
31.
5. Click Finish to return to the Configure pane. The added devices are under the
All or Unassigned to Group categories in the Group pane. After you have
configured groups and reassigned the devices, the devices will no longer be in
the Unassigned to Group category.
2. Read the information that displays on the New Device Wizard and click Next.
The New Devices window displays.
3. Enter attributes:
a. Device Name: Place the cursor in the Device Name field and give the
device a name that's meaningful to you.
b. Device ID: This unique alphanumeric string is used by the CLI for
indexing purposes.
Note: A red frame around a cell in the New Devices table indicates that
the data is invalid.
4. Continue to enter attributes:
a. Enable Mode Password: This is the password you created on the SG
appliance to enter enable mode through the CLI.
b. Serial Console Password: This is the password you use to access the SG
appliance through a connected PC.
c. Front Panel Pin: This is the number you use to access the SG appliance
LCD front panel display, which contains basic network configuration
options.
d. Serial No: The hardware serial number of the SG appliance.
e. Registration State: Select the current SG appliance state.
Configured: The SG appliance is registered and is configured to meet
enterprise goals.
Registered: The SG appliance is registered, but has not been configured to
meet enterprise goals (only the defaults apply).
Not Registered: The SG appliance cannot be administratively controlled by
Director.
5. (Optional) Click Add Row to enter information for another device.
6. Click Next. The imported appliance data is displayed in the Summary window.
7. Click Finish to return to the Configure pane. The added devices are under the
All or Unassigned to Group categories in the Group pane. After you have
configured groups and reassigned the devices, the devices no longer appear in
the Unassigned to Group category.
To fully authenticate the SG appliance:
1. Highlight the device you want to authenticate. You must be connected to the
device whose authentication you want to change.
2. Select Edit Appliances, using the right mouse button. The Edit Device dialog
displays.
5. You can have Director create a new SSH RSA keypair, or you can use a keypair
from another device that is currently connected to Director.
Perform one of the following:
a. To generate a new keypair, verify that the Generate a new keypair radio
button is selected.
b. To re-use a keypair, select the Use a keypair from another device radio
button and enter the unique alphanumeric string that is the device's
appliance ID.
6. Click OK.
7. Click Push key to device. This step is required for the device you are editing to
receive the new or re-used key.
8. Click OK.
9. Verify the change by seeing if SSH RSA is listed for the device under Device
Properties in the Properties pane.
Chapter 3: Configuring and Managing Devices
This chapter discusses how to set up and configure device groups, devices,
profiles and overlays. It also discusses how to automatically add SG appliances to
Director and manage backups. Topics include:
Section A: "Setting Up and Managing Device Groups" on page 38
Section B: "Configuring and Managing Devices" on page 40
Section C: "Managing Profiles" on page 43
Section D: "Managing Director Overlays" on page 50
Section E: "Managing Substitution Variables" on page 54
Section F: "Authenticating Director using Appliance Certificates" on page 62
Section G: "Automatically Registering SG Appliances with Director" on page
68
Section H: "Managing Backups" on page 79
Note: Only 500 devices can be viewed in the Director Management Console at
one time, even if the devices are associated with different Director management
nodes.
Adding a Group
This section describes how to add a group to Director.
To add a group:
1. Verify that the Configure tab is selected.
2. In the Group area, select Custom Groups.
3. Click Add Group at the bottom of the area.
Removing a Group
To remove a group, right-click the group name and select Delete. If you remove a
group, all devices are moved to the Unassigned group; they are not deleted.
You can move a nested group to a different top-level group by dragging and
dropping, and you can change a nested group to a top-level group by dragging it
to the Custom Groups area.
Note: You can also add devices to Director by importing a text file that
contains comma-separated device data into the Wizard.
3. Place the cursor in the Device Name field to begin adding the device
connection information. Fill in each field with the information that already
exists on the SG appliance.
4. Click Add Row to add another device.
For detailed instructions on using the New Device Wizard, see Section C:
"Adding and Managing Devices" on page 29.
After you have added the device to Director and placed it in the Unassigned
system group, you can move it (by dragging and dropping) into any already
existing Custom group.
Creating a Profile
Before you begin, highlight the source device that you want to use to create a
profile. The source device must:
Be the same platform as the device or devices to which you plan to apply
the profile.
Include all the settings that you want to apply to other devices.
Not include customized settings that are specific to an individual device,
including:
Bridging settings
Failover
Virtual IP addresses
SSH
Note: If the source device contains default settings for the above options, the
profile can be applied to other devices. If the source device contains
customized settings, the profile might result in the target device losing
connection to Director.
Note: All services, including those with assigned IP addresses, are included in a
newly-created profile. If you push a profile that includes those services to
multiple SG appliances, access to those services fails because the services contain
the IP address of the device the profile was pulled from.
When you create a profile, any command beginning with the following string is
not included in the pulled profile:
ip-default-gateway
policy local-path
rip path
socks-gateways path
static-routes path
WCCP path
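An added example (not Blue Coat code) for reviewing a source device's configuration before pulling a profile: it separates the commands that the list above excludes from the profile, and flags kept commands that carry the source device's own IP address, which the preceding note says fail when pushed to other devices. The sample configuration is constructed, example-service is a placeholder rather than SGOS syntax, and case-insensitive prefix matching is an assumption.

```python
import re

# Prefixes the page lists as never included in a pulled profile. Matching is
# case-insensitive here, which is an assumption of this example.
EXCLUDED_PREFIXES = (
    "ip-default-gateway",
    "policy local-path",
    "rip path",
    "socks-gateways path",
    "static-routes path",
    "wccp path",
)

# Dotted-quad matcher that will not match inside a longer number or address.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample. "example-service" is a placeholder command name, not
# SGOS syntax; the URLs use the reserved .invalid domain.
SAMPLE_CONFIG = """\
ip-default-gateway 10.0.0.254
static-routes path http://config.example.invalid/routes.txt
policy local-path http://config.example.invalid/local.txt
example-service add 10.0.0.1 8080
example-service add all 8081
dns server 10.2.2.100
"""


def review_profile_source(config_text, source_ips):
    """Classify each command of a source device's configuration.

    Returns a dict with three lists:
      excluded - commands that will not be part of the pulled profile
      kept     - commands that stay in the profile
      pinned   - kept commands that contain one of the source device's own
                 IP addresses and so will not work on other devices
    """
    result = {"excluded": [], "kept": [], "pinned": []}
    own = set(source_ips)
    for raw in config_text.splitlines():
        cmd = " ".join(raw.split())  # collapse runs of whitespace
        if not cmd:
            continue
        if cmd.lower().startswith(EXCLUDED_PREFIXES):
            result["excluded"].append(cmd)
            continue
        result["kept"].append(cmd)
        if own.intersection(IPV4.findall(cmd)):
            result["pinned"].append(cmd)
    return result


if __name__ == "__main__":
    report = review_profile_source(SAMPLE_CONFIG, ["10.0.0.1"])
    for kind in ("excluded", "pinned"):
        print(kind)
        for cmd in report[kind]:
            print("   ", cmd)
```

Commands reported as pinned are candidates for removal from the source device or for an overlay applied per device after the profile.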
To Create a Profile
1. Select the Configure tab.
2. Highlight the source device to use to apply settings to other devices.
3. In the Configuration Library area, select the Profile tab.
4. In the lower right corner, click New.
Applying a Profile
You can distribute a profile either immediately or later, as part of a job.
Before the profile is distributed, effectively wiping out an SG appliance
configuration, a backup of the existing configuration on that SG appliance is
taken. (If the profile causes problems, you can recover the backup of the previous
configuration. For more information on backups, see Section H: "Managing
Backups" on page 79.) The profile, minus certain network settings, such as IP
address and hostname, is applied to the specified SG appliance or group.
When a profile is executed, the following procedure occurs:
The restore-defaults command is sent over the configured protocol.
If there are free backup slots, a backup is taken.
After reconnecting, the profile is applied to the SG appliance.
To apply a profile:
1. Highlight the profile you want to apply.
2. Highlight the device you want to receive the profile.
3. In the lower right corner, click Apply.
unified uses plus and minus signs to indicate differences: each line that
occurs only in the left file is preceded by a minus sign, each line that occurs
only in the right file is preceded by a plus sign, and common lines are
preceded by a space.
profile_id indicates the name of the profile. You can display the list of profile
IDs available for comparison by entering the following command:
Director (config) # remote-config diff unified profiles ?
first_profile_id second_profile_id
2003Nov05160651PST
2003Nov05160921PST
2003Nov05161008PST
2003Nov06113244PST
write-to allows you to save the differences to a file. Give the file a meaningful
name in case you want to delete the file in the future.
Note that if you choose this option, the comparison is not output to the screen.
To view the contents of the file, use the show remote-config diff file_name
command.
The comparison is output.
Tips
When making configuration changes in overlays by using a Management
Console Viewer to view options, configuration changes are not applied to the
SG appliance used to launch the viewer. Perform an immediate action or
schedule a job for the action to apply the overlay changes to a device.
Blue Coat recommends that Overlays do not contain more than 500
commands.
Director does not check overlays for syntax, validity, or version number, so
ensure that overlay commands are from the same version as the targeted SG
appliance. Test overlays before applying them, and be sure they work
correctly with the profile you choose.
Creating Overlays
To create an overlay:
1. In Director, click the Configure tab.
2. In the Configuration Library section, select the Overlays tab.
3. In the lower right corner, click New. The Create New Overlay dialog
displays.
5. In the Add to Overlay section, specify the overlay settings, using the following
methods:
a. To use the Management Console of a device, select Using Device
Management Console and click the browse (...) button. A list of
available devices is highlighted; select the device to be the source.
Click Launch to open the target device (the device's Management
Console displays). Verify or alter settings for the overlay. Click Add to
Overlay to add the device settings to the overlay.
b. To use the CLI, select Using CLI and enter configuration CLI
commands in the pop-up text editor. The commands are not checked
for validity or syntax.
c. If you selected a target device to be used as a refreshable source in Step
5c, select Refreshables to enable these options. Select the source device
or URL settings. To add the information to the overlay, click Add. The
options display in the Overlay Settings section.
6. Click OK.
Use Case
Because of a network update, you must change the DNS setting on SG
appliance Gateway3 from 10.2.2.100 to 10.2.2.200.
The first step is to replace the DNS CLI configuration string with:
@(DNS)
The next step is to create a device-specific setting:
10.2.2.200
Next, create an overlay called GatewayDNS with the contents:
dns clear server
dns server @(DNS)
When the overlay is applied to the target SG appliance, the @(DNS) token is
replaced with the CLI commands to clear the server settings and apply the
new setting.
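The GatewayDNS use case above as an added, runnable illustration (not code from Blue Coat and not part of Director): the script expands @(NAME) tokens with each device's own value, refuses to render when a device has no value for a token, and warns above the 500-command size recommended in the Tips. The token-name character set, the Gateway4 device and the control-character check are assumptions of this example.

```python
import re

# Token syntax as shown on the page: @(NAME). The set of characters allowed
# in NAME is an assumption made for this example.
TOKEN = re.compile(r"@\(([A-Za-z0-9_]+)\)")
MAX_COMMANDS = 500  # overlay size Blue Coat recommends not exceeding

# The GatewayDNS overlay from the use case above.
GATEWAY_DNS = """\
dns clear server
dns server @(DNS)
"""

# Constructed inventory: Gateway3 is the page's device; Gateway4 is a
# hypothetical device that has no value defined for DNS yet.
DEVICE_VALUES = {
    "Gateway3": {"DNS": "10.2.2.200"},
    "Gateway4": {},
}


def render_overlay(overlay_text, values):
    """Expand @(NAME) tokens for one device.

    Returns (commands, problems). commands is None when the overlay must not
    be pushed; problems may also carry warnings for a renderable overlay.
    """
    lines = [ln.strip() for ln in overlay_text.splitlines() if ln.strip()]
    problems = []

    if len(lines) > MAX_COMMANDS:
        problems.append(
            f"warning: {len(lines)} commands exceeds the recommended {MAX_COMMANDS}"
        )

    used = {name for ln in lines for name in TOKEN.findall(ln)}
    blocking = []
    for name in sorted(used):
        if name not in values:
            blocking.append(f"error: no device-specific value for @({name})")
        elif not values[name] or any(ord(c) < 32 for c in values[name]):
            # An empty value, or one carrying a newline, would change which
            # commands are sent, and Director does not validate overlays.
            blocking.append(
                f"error: value for @({name}) is empty or has control characters"
            )
    if blocking:
        return None, problems + blocking

    rendered = [TOKEN.sub(lambda m: values[m.group(1)], ln) for ln in lines]
    return rendered, problems


def preflight(overlay_text, device_values):
    """Render the overlay for every device: name -> (commands, problems)."""
    return {
        dev: render_overlay(overlay_text, vals)
        for dev, vals in device_values.items()
    }


if __name__ == "__main__":
    for dev, (commands, problems) in preflight(GATEWAY_DNS, DEVICE_VALUES).items():
        print(dev, "OK" if commands is not None else "BLOCKED")
        for line in commands or []:
            print("   ", line)
        for problem in problems:
            print("   ", problem)
```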
6. There are two methods to configure settings that are added to the overlay:
If you know the SG appliance CLI syntax for the feature, go to "Use a
Management Console Viewer".
If you do not know the CLI syntax and require a Management Console for
reference, go to "Use a Management Console Viewer" on page 56.
Management Console View method: use the user interface to configure the settings
for this overlay, which in this example is changing the DNS setting.
a. Continuing with the example of setting a new device, select Network >
DNS.
b. Highlight the current DNS value and click Edit. The Edit List Item
dialog displays.
c. Change the value. This example changes the DNS value to 10.2.2.200.
d. Click OK to close the dialog.
i. Replace the value with the new variable. In this example, it is @(DNS).
j. Click OK to close the Edit CLI dialog; click OK to close the Create New
Overlay dialog.
k. Proceed to "Defining the Configuration Value and Changing a Device
Configuration" on page 59.
CLI method: enter Blue Coat CLI commands to configure the settings for this overlay,
which in this example change the DNS setting.
b. Enter the CLI syntax. This example uses the dns clear server and dns
server @(DNS) command lines.
1. Select one or more devices.
2. Right-click and select Edit.
3. Click Advanced Settings, located at the bottom of the dialog. The Advanced
Settings dialog displays.
Overview
An Appliance certificate allows Director to be authenticated without sending
passwords over the network. Device or appliance authentication is a process
that allows devices to verify each other's identity. Devices that are
authenticated can be configured to trust only other authenticated devices.
Device authentication is important in the following situations:
Securing the network. Devices that are authenticated have exchanged
certification information, verified each other's identity, and know which
devices are trusted.
Securing protocols. Many protocols require authentication at each end of
the connection before they are considered secure.
Director appliance authentication is used in association with other Director
features. For example, Director requires an appliance certificate in order to use
the auto-registration feature. The auto-registration feature, where an SG
appliance registers itself with Director, requires that both the SG appliance and
the Director appliance first authenticate each other.
This command creates a new private key, creates the certificate signing request
signature (CSR) for the private key, and sends the CSR to abrca.bluecoat.com
to fetch the corresponding appliance certificate.
This command creates a CSR (if it does not already exist) and displays it. It
also creates the digital signature for the CSR, using the appliance private key.
3. Copy the CSR and the signature to your clipboard. Include the Begin
Certificate and End Certificate statements, as well as the Begin CSR
Signature and End CSR Signature statements.
Note: This feature is only supported on the Linux platform 510 Director.
Overview
The Director auto-registration feature allows you to automatically register an
SG appliance with Director, thus enabling Director to establish a secure
administrative session with the appliance. After the secure session has been
established, Director takes administrative control over the SG appliance. This is
useful if you want to control access to the appliance or if you want to ensure
that only Director controls changing the configurations.
Workflow Methods
There are two types of workflow methods for setting up auto-registration:
"Registering SG Appliances without Pre-Staged Device Records" on page 69
Use this method to add SG appliances to Director on demand.
"Registering SG Appliances with Pre-Staged Device Records" on page 75
Use this method to pre-stage (pre-create) basic configuration, which
includes setting access control passwords, for all your SG appliances on
Director. This method can help you with your workflow when planning a
large deployment.
1. Configure Director to accept the SG appliance request.
   Role: Director Administrator
   Configure Director so that both the Director and SG appliance can authenticate each other. See Section F: "Authenticating Director using Appliance Certificates" on page 62.
   Authentication procedure depends on whether the SG appliance has an appliance certificate. See "How Director Authenticates the SG Appliance" on page 70.
2. Register SG appliance with Director.
   Role: SG Technician
   Verify the SG appliance has been installed and connected to the network.
   Role: SG Administrator
   Enter SG appliance initial configuration settings including the Director IP address and the registration password (if required).
   Register the SG appliance with Director, then verify the Director serial number.
   Director and the SG appliance automatically authenticate each other as part of the registration process.
3. Set passwords for newly registered Director device.
   Role: Director Administrator
   View the newly registered device on Director.
   Change randomly set passwords (Enable and Serial Console passwords) exchanged during the authentication process, to something meaningful.
   Device record is now complete and fully connected to Director through a secure SSH-RSA connection.
4. Configure the new device and place it into a group.
   Role: Director Administrator
   Configure the device by pushing profiles and overlays to it. See Section C: "Managing Profiles" on page 43 and Section D: "Managing Director Overlays" on page 50.
   Mark the device as configured and then place it into a group.
If the front panel is being used, the registration password character set is a-z0-
9A-Z-,. (The final dash is a true dash). Minimum length is 1; maximum length
is 16.
On the SG appliance side, the administrator must enter the same shared-secret
password (registration password) through the SG appliance serial console or
management console. For more information see "Configuring the SG Appliance
from the Serial Port" on page 71.
Note: The serial console password can be set only via the SG serial console or the
registration protocol and not through an SG CLI command. This protects the
serial console password from a user who may have access to the SG CLI.
Note: For information about obtaining an appliance certificate for Director, see
"About Director Appliance Certificates" on page 62.
Note: The SG appliance can be configured using its front panel buttons, Web
wizard, or serial console. Refer to the SG appliance installation guide for your
platform for more information. The SG appliance can also register with Director
from the SG appliance Management Console. For detailed instructions, refer to
Chapter 2 in Volume 7: Managing Content of the Blue Coat Systems SGOS
Configuration and Management Suite.
SG IP address
SG appliance IP subnet mask
Director IP address
SG appliance IP gateway
Registration password (only if the SG appliance does not have an appliance
certificate. The SG appliance administrator needs to know this password and
it must be the same one configured on Director.)
Appliance name (optional)
Verify the Director serial number
The following example is a sample SG appliance setup console code output.
IP address: 10.0.0.1
IP subnet mask: 255.255.255.0
Director IP: 10.0.0.146
10.
IP gateway: 10.9.44.1
Note: The SG appliance does not prompt for a registration password if it detects
that it has an appliance certificate.
The SG administrator needs to verify that the Director serial number is correct for
registration to succeed. After the serial number is verified, authentication
automatically occurs as part of the registration process.
To reset randomly set passwords and set the Frontpanel pin password:
1. Verify that you are in the Configure tab on the Director Management Console.
2. Right-click on the new device whose passwords you want to set. A pop-up
menu displays.
3. Select Set Passwords. The Enter Passwords dialog displays.
Note: To save your changes, you must enter a valid password in all
three fields.
d. Click OK.
3. After the device is completely configured, click the Configure tab and
right-click on the device name. A pop-up menu displays.
4. Select Mark As Configured. The device's state changes from Registered to
Configured and the device is automatically placed in the Unassigned group
under System Groups.
5. Place the device into a group of your choice. Follow instructions in "Using the
New Device Wizard" on page 40.
You can also create groups beforehand and then place the device, after it has been
registered and configured, in the group of your choice.
Table 32 provides a high-level view of workflow tasks for automatically
registering SG appliances with a Director that has pre-staged device records. It
also provides a task description and the role most suitable for performing the
task.
Review this table, then read the sections that follow for detailed information
about each task.
Table 32 Workflow tasks: Registering SG Appliances with pre-staged device records

1. Configure Director to accept the SG appliance request. (Role: Director Administrator)
Configure Director so that both the Director and SG appliance can authenticate each other. See Section F: "Authenticating Director using Appliance Certificates" on page 62.
Authentication procedure depends on whether the SG appliance has an appliance certificate. See "How Director Authenticates the SG Appliance" on page 70.

2. Create a partial device record on Director. (Role: Director Administrator)
Create a partial device record which contains configuration information that matches with the configuration information of the SG appliance that will be deployed. See "Creating a Partial Device Record on Director" on page 77.
Configure the passwords in the device record.
Optionally, configure profiles and overlays for the device. See Section C: "Managing Profiles" on page 43 and Section D: "Managing Director Overlays" on page 50.

3. Register SG appliance with Director.
Verify the SG appliance has been installed and connected to the network. (Role: SG Technician)
Enter SG appliance initial configuration settings, including the Director IP address and the registration password (if required). (Role: SG Administrator)
Register the SG appliance with Director and verify the Director serial number.
Director and the SG appliance automatically authenticate each other as part of the registration process. The registration request matches the pre-staged device record and populates it with SG appliance connection information.

4. Configure the new device and place it into a group. (Role: Director Administrator)
Configure the device by pushing profiles and overlays to it if it is not already configured during the Step 2 task.
Mark the device as configured, and then place it into a group.
3. Enter the device ID in the Device ID field. Optionally, you can also enter the
IP address and serial number in the IP Address and Serial No. fields,
respectively.
4. Click Add Row to add another device.
5. Click Add Device(s) to save changes.
Note: You cannot set the maximum number of backups per SG appliance to a
lower number than the number of backups that already exist on Director. To set
three backups as the default, for example, you must not have more than three
backups on Director. You can manually delete the extra backups. You set the
maximum number of backups through the Director CLI.
The absolute maximum number of backups is 2000, but Director Management
Console performance is significantly degraded and backup functions, such as
sorting, cannot be done.
You can also back up both the Director management node configuration and
SG appliance backup files.
Any show configuration command that begins with the following string is not
included in the backup:
ip-default-gateway
Note: You can also archive and restore the Director configuration, including the
SG backup files (see "Archiving and Restoring the Entire Director Configuration"
on page 225).
Creating a Backup
Backups are created in two ways: automatically, immediately before a profile is
applied, or manually, whenever you need a backup. The manual backup procedure is
discussed below. To schedule a backup job, see "Scheduling a Job" on page 91.
The Backup Manager dialog contains a summary table and buttons to create,
view, edit, pin, unpin, delete, restore, and refresh the list of backups.
Director automatically creates a backup when you apply a profile to a specified
device. If you want to create a backup without sending a new configuration to an
SG appliance, click Create below the summary table and follow the procedure on
the next page.
1. Click Create below the Backup Manager table. The Create Backup dialog
displays.
2. Click Yes in the dialog. Director creates the backup.
Pinning a Backup
You can make a backup of an SG configuration and keep it permanently by
pinning it. By default, backups are unpinned, and are rotated out of storage after
the maximum number of backups is reached.
The maximum number of backups per device is unlimited (the default is 10),
unless you change it through the command
remote-config backups option max-backups number.
The maximum number of pinned backups is one less than the maximum number of
backups allowed.
To pin a backup:
1. Start the Backup Manager.
2. Highlight an item in the Backup Manager table. You can choose more than one
at a time.
3. Click Pin.
4. Click Yes to continue.
5. Click OK. The backup now displays a check in the Pinned column in the
Backup Manager table.
Unpinning a Backup
Unpinning a backup allows it to be rotated out of the storage directory. Follow the
same steps as for pinning a backup (previous section), except click Unpin in Step 2.
You can select and unpin several backups at once.
Restoring a Backup
If you encounter problems on an SG appliance with a current configuration, you
can restore a known good configuration with a saved backup. There are several
ways to restore configurations to SG appliances:
With a manual, stored time-specific backup
Through a known profile/overlay configuration
Note: You can also back up and restore the Director configuration, including
the SG backups stored on the Director management node. For more
information on backing up Director, see "Archiving and Restoring the Entire
Director Configuration" on page 225.
To restore a backup:
1. Start the Backup Manager.
2. Highlight the backup you want to use in the Backup Manager table.
3. Click Restore. A confirmation box displays, prompting you to continue.
4. Click Yes to continue. A progress dialog displays during the operation.
5. Click Close to return to the Configure tab.
Deleting a Backup
Director deletes backups automatically as the number of backups reaches the
maximum number you select. You can also manually delete backups.
Note: If you select write-to, the comparison is not output to the screen.
To view the contents of the file, use the show remote-config diff
file_name command. The comparison is output.
Chapter 4: Configuring Jobs
This chapter describes how to set up one-time and recurring jobs. Jobs enable
you to automate common or recurring tasks, for example, applying profiles and
overlays and rebooting appliances. Jobs consist of a list of actions. Each action
can target a single device, an arbitrary collection of devices, or a group of
devices.
Use jobs to automate the following tasks:
Applying or Refreshing Overlays
Applying or Refreshing Profiles
Distributing Content
Performing Backups
Rebooting devices
Clearing various caches (object, DNS, byte-caching)
Upgrading SG appliance system software
Validating SG appliance software versions
Note: See "Creating a Profile" on page 43 for information about profiles and
overlays. See "Remotely Upgrading SG Appliance Software" on page 98 for
information about upgrading and validating SG appliance software.
3. In the Properties tab, identify the job by entering a name in the Job Name field.
a. Name the job. Notice that the Job ID field mirrors the Job Name. You
can manually change this ID information; however, because the
Director CLI uses Job IDs to identify jobs, Blue Coat recommends
using the same string for the job name and job ID. You can change the
Job Name field at any time before you click OK; after you click OK, the
Job ID cannot be changed.
b. Enter a description for the job.
c. Enable is selected by default. Clear the Enable check box if you want
the scheduler to ignore this job for now.
4. Select the Actions tab to define the actions you want the job to execute.
Note: You can select the other tabs to add actions and a schedule without
clicking OK in the Profile tab first.
5. Click New.
Abort on errors: Abort the job if any of the subsequent job actions fail.
Continue on errors: Continue job execution even when a job action fails.
Take Backup: Take a backup of the target device's configuration.
Reboot Device: Reboot the target device.
Clear Devices Byte Cache: Clear the byte cache on the target appliance.
Clear Devices DNS Cache: Clear the DNS cache on the target appliance.
Clear Devices Object Cache: Clear the object cache on the target appliance.
System Download: Download a software version to the target appliance.
System Validate: Validate the software version on the target appliance.
Repeat to add more actions.
If you selected an Overlay or Profile action, proceed to Step 7. If you did not
select an Overlay or Profile action, proceed to Step 8.
7. If you selected an Overlay or Profile action in Step 6, new fields display.
a. From the Overlay or Profile drop-down list, select the profile or overlay
to be pushed to a target device or refreshed from another device or
location.
b. (Refresh action only) Select the refresh method:
Use Stored Source Information
From Device: Click the browse (...) button, which displays the Choose
Target dialog. Select the device that contains the source overlay or
profile.
From Remote URL: Enter the URL path to the server that contains the
source overlay or profile.
8. Select the target or source device for the action.
9. Click Apply. The action displays in the left section.
Note: You can select the Schedule tab without clicking OK in this tab first.
Scheduling a Job
To schedule a job:
1. Select the Schedule tab.
To schedule a one-time job or multiple jobs at irregular times, proceed to
Step 2.
To schedule a regularly occurring job, proceed to Step 3.
2. This step: schedule a job to execute one time or at multiple, irregular times.
For recurring scheduled times, proceed to Step 3.
a. Select This is a job to be executed on:.
b. From the drop-down lists, select the month, day, year, hour, minute,
and am or pm.
c. Click the plus (+) button to add the time.
d. (Optional) Repeat steps a through c to add more times. The times
display in the List of Dates/List of Times area on the right side of
the screen.
e. Click OK. Proceed to "About Job Actions" on page 93.
After adding an action, you can change its place in the execution order by using
the Move Up and Move Down buttons.
Action Restrictions
The following restrictions apply to action creation:
You can have multiple overlay actions per job, but these must be added to the
job one action at a time.
You can assign only one profile action per job. If you add another profile
action to a job, the newer profile overwrites the existing profile for that job.
You can execute any job immediately. Executing the job does not affect the next
scheduled running of the job. When you execute a backup job, for example, the
backup is taken regardless of schedule or job state (enabled or disabled).
2. In the Job Queue list, highlight the job. The page refreshes, displaying a job
execution summary.
3. Click View Job Report for a listing of the CLI commands that were executed.
The Job Report dialog displays.
This job report shows an example of verbose output. For information about
setting the output level, see "Configuring the Browser and Output Settings" on
page 27.
4. Click Close to close the job report dialog.
Note: You can also open the Job Summary report from the Properties tab of
the Edit Job dialog.
Editing Jobs
Use the following procedure to edit a job's properties.
To edit a job:
1. Click the Jobs tab.
2. In the Job Library area, select the Configure or Content tab to display
3. Select a job.
4. Click Edit. (Or right-click the job and select Edit.)
The Edit Job dialog displays, enabling you to make changes to the job
properties, actions, and scheduling, as shown in the following figure.
5. Edit settings.
See "Creating and Scheduling Jobs" on page 88 for information about the
Properties, Actions, and Schedule tabs.
6. Click OK to save your changes.
Note: You can also highlight the job and select Edit>Edit Job from the Edit
menu.
Deleting Jobs
To delete a job:
1. Click the Jobs tab.
2. In the Job Library area, select the Configure or Content tab to display
3. Select a job.
4. Right-click the job and select Delete.
Note: You can also highlight the job and select Edit > Delete from the Edit
menu.
following table.
Do not precede the software version number with SGOS. Doing so results
in an error.
d. Select the Target Device(s). The Choose Target dialog displays.
e. In the Choose Target dialog, select the groups or devices to be
validated.
f. Click Apply to add the action to the job.
9. Click the Schedule tab to create a schedule for the job.
For instructions on creating a schedule, see "Scheduling a Job" on page 91.
10. Click OK to save the job and return to the main job pane.
11. Verify that the job has been added to the Job Queue.
The job will run per the configured schedule.
Chapter 5: Distributing Content
This chapter describes the options on the Content tab, which allow you to
distribute, or pre-populate, URL lists to target devices.
Legend
1: The IT admin creates a list of URLs to content objects stored on an internal Web server:
a video message from the CEO and the annual report PDF file.
2: The IT admin uses Director to create a new content job that calls the list stored on the IT
admin's PC. The IT admin also creates a job schedule that executes the push at 12:01 am.
3: At 12:01 am, the SG appliances at headquarters and the branch office receive the
content URLs and request the content from the Web server.
4: The Web server sends the content to the SG appliances, which cache the objects.
5: The next morning, the company's users access the content locally from their respective
SG appliances.
To pre-populate content:
1. Verify the content to be pushed is accessible; note the path to the content.
2. Create a content object URL list in a file, with only one entry per line. For
example:
https://example.com/IT/content/CEOvideo0707.qt
https://example.com/IT/content/07annualreport.pdf
The file can be a text file or an HTML file. Save the file on your PC. For
example:
C:\adminpc\contentfiles\CEOpush07.txt
8. The final step is to distribute the URL list to either a single SG appliance or
a group (you cannot distribute the lists to one or more standalone devices in
a single operation). There are two methods to accomplish this: manual and
scheduled.
a. In the Groups area, select a group (or select a single appliance from
the Devices area).
b. Click Apply. The Perform URL List Action dialog displays.
e. From the Priority drop-down list, select a priority. Zero (0) assigns
the job the highest priority; seven is the lowest. In this example, the
CEO broadcast is assigned the highest priority to ensure availability.
f. Select one or more target devices. Click the browse (...) button to
display a list of devices.
g. Click Apply.
5. Click the Schedule tab and specify when the verification occurs. See
"Creating and Scheduling Jobs" on page 88 for more information about the
scheduler.
6. Click OK to close the dialog.
Querying URLs
Querying URLs allows you to verify the status of content (whether it is cached
or not) and to see URLs currently in progress.
In this example, the results show no cached content. The push content job
has not yet occurred.
5. For each category for which Director registers results, the View/Export
button displays. In this example, the two URLs in the content job were not
detected in the SG appliance cache. Click to display more detailed results.
The options at the bottom of the dialog allow you to perform different
actions using this result set.
Chapter 6: Monitoring Devices
This chapter describes the options on the Monitoring tab and how to use them
to view device status.
This chapter discusses the following topics:
"About the Monitoring Tab" on page 115
"Viewing Group and Device Status" on page 116
"Viewing Alerts" on page 118
"Viewing Statistics" on page 121
The Monitoring tab enables you to quickly determine the status of groups or of
individual devices. The Monitoring tab provides a quick, global view of the health
of your devices by listing the total number of alerts for all devices and providing a
summary of device health for those systems. It also enables you to access alert and
statistics information.
Viewing Alerts
Alerts apprise you of specific device events, such as fan failures or CPU utilization
warnings. Director fetches the device status as reported in the system resource
metrics XML; when a change is detected, Director records the change as an alert.
Director records a maximum of 5000 alerts. If the 5000 alert limit is reached, the
oldest alerts are overwritten by new alerts.
For monitoring purposes, an alert can be active or inactive. An active alert is an in-
progress event that requires immediate attention. Inactive alerts are alerts that
have occurred but that have since returned to a normal condition and no longer
require attention.
The Monitoring tab displays an overall picture of the total number of alerts for all
devices, grouped devices, and individual devices. To view the list of alerts for:
All devices: The status box at the top of the Monitoring page provides a
summary of the total events for all devices.
A group of devices: Select the group name.
An individual device: Select the device name.
Managing Alerts
The Alerts window enables you to view all of the alerts for the selected device or
group and allows you to comment on and acknowledge those alerts.
To manage alerts
1. From the Monitoring tab, select a device or group of devices.
3. (Optional) Customize the alert view. The default view lists only the active
alerts.
a. Deselect Show only active alerts to see all active and inactive alerts.
b. Select a historical view from the dropdown menu. The following views
are available:
Viewing Statistics
The Manage Device page enables you to view the alerts and statistics for
individual devices. When you click the Statistics button, an instance of that
device's SG appliance Management Console Statistics tab is displayed for your
review. The Alerts tab enables you to switch back and forth between alert and
statistics information to obtain additional details.
Note: Unlike alerts, statistics can be viewed only for individual devices.
2. Click Statistics. The Manage Device window displays, with the Management
Console of the selected device in view.
Note: You can make configuration changes only to devices from the
Configure tab.
Chapter 7: Monitoring Administrator Activity
This chapter describes the Director administrator activity logging feature. The
Director administrator activity logging feature enables you to pinpoint the
actions of all administrators performing tasks on Director. This can be useful if
you need to document Director administrator behavior for change
management auditing or troubleshooting. The auditing feature includes:
Authentication using TACACS+
Logging of all actions performed by a user
Export of the generated log entries in real time to a syslog server
Configuring Syslog
If you want user actions to be logged to a remote syslog server and to the Director
message log, you must configure the system log daemon (syslogd).
Profile/Overlay/Backup Logging
Profile, overlay, and backup commands are logged in the order they are executed
on various devices. The event log message includes the following:
Username of the person executing the command
The IP address of the user's computer
The name of the Overlay/Profile/Backup
All the event log messages for command execution are bracketed by a start and an
end event log message that includes the name of the overlay, profile, or backup
and the device ID on which the command is executed.
The following example shows the logged results of an Overlay execution.
Jun 23 22:37:57 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: remote-config overlay new_overlay-1151102100: execute device 10.9.44.38
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90: new_overlay-1151102100: Applying overlay <new_overlay> to cache 10.9.44.38
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90: new_overlay-1151102100: command 1: show version
Jun 23 22:37:57 <configd.notice_minor> hostname configd: admin@10.2.11.90:new_overlay-1151102100: command 2: show clock
Jun 23 22:37:57 <configd.notice> director configd: admin@10.2.11.90: new_overlay-1151102100: Overlay push complete for device "10.9.44.38"
The overlay in the preceding example has the following properties.
Username admin
Job Logging
Job creation and edit commands are logged with the user name and IP address.
All Job executions, on the other hand, are logged with the username director.
However, if a job is executed immediately, the executed command is logged with
the username and IP address.
The event log messages for all job commands are printed as they are executed.
These event log messages include the following:
Job ID
Instance ID
The instance ID is used to distinguish one execution of a recurring job from
another.
Username of the person executing the command
The IP address of the user's computer
The following example shows the logged results of an immediate job execution:
Jun 23 22:35:00 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: job ab execute (Note: This message will only be there for an immediate Job)
Jun 23 22:35:00 <schedulerd.notice_minor> hostname schedulerd: sched@director Executing Job "ab" execution 1151102100
Jun 23 22:35:00 <runner.notice_minor> hostname runner[1288]: sched@director:ab-1151102100: Processing command: remote-config profile ab execute device 10.9.44.38
Jun 23 22:35:00 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying profile <pab> to cache 10.9.44.38
Jun 23 22:35:00 <runner.warn> hostname runner[1288]: sched@director: ab-1151102100: command 1: "remote-config profile ab execute device 10.9.44.38". Output 1/1:\#% No commands to execute.\# (Note: Only the error messages will be shown)
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: Applying overlay <new_overlay> to group g
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.9.44.38"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.9.44.38"
Jun 23 23:15:07 <runner.notice> hostname runner[1517]: sched@director: ab-1151102100: Job "ab" execution 1151104506 finished running.
The job execution in the preceding example has the following properties:
Job ID ab
Username admin
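The attribution rules described above, applied to log lines, as an added example (not Blue Coat code): it parses entries in the format shown in this chapter, links a job execution back to the administrator who ran it immediately, and flags overlay pushes that have a start message but no matching complete message. The sample lines are constructed from that format; the job name nightly and all function names are assumptions.

```python
import re

# Constructed sample, modeled on the log format shown above (wrapped lines joined).
SAMPLE = """\
Jun 23 22:35:00 <cli.notice_minor> hostname cli[1287]: admin@10.2.11.90: Processing command: job ab execute
Jun 23 22:35:00 <schedulerd.notice_minor> hostname schedulerd: sched@director Executing Job "ab" execution 1151102100
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push complete for device "10.2.11.211"
Jun 23 23:15:07 <configd.notice> hostname configd: sched@director: ab-1151102100: Overlay push start for device "10.9.44.38"
Jun 23 23:15:07 <configd.notice_minor> hostname configd: sched@director: ab-1151102100: command 1: show version
Jun 24 01:00:00 <schedulerd.notice_minor> hostname schedulerd: sched@director Executing Job "nightly" execution 1151110800
Jun 24 01:00:01 <configd.notice> hostname configd: sched@director: nightly-1151110800: Overlay push start for device "10.9.44.38"
Jun 24 01:00:02 <configd.notice> hostname configd: sched@director: nightly-1151110800: Overlay push complete for device "10.9.44.38"
""".splitlines()

# timestamp <facility.level> host process[pid]: user@source[:] message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) <(?P<fac>[\w.]+)> (?P<host>\S+) '
    r'(?P<proc>\w+)(?:\[\d+\])?: (?P<user>[\w.-]+)@(?P<src>[\w.-]+):? ?(?P<rest>.*)$')
# Optional "<name>-<instance id>:" prefix that ties a message to one execution.
TAG_RE = re.compile(r'^(?P<name>[\w.-]+)-(?P<inst>\d+): ?(?P<msg>.*)$')
JOB_EXEC_RE = re.compile(r'^Processing command: job (?P<job>\S+) execute\b')
SCHED_RE = re.compile(r'^Executing Job "(?P<job>[^"]+)" execution (?P<inst>\d+)')
PUSH_RE = re.compile(r'^Overlay push (?P<edge>start|complete) for device "(?P<dev>[^"]+)"')


def parse(line):
    """Split one log line into fields; return None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tag = TAG_RE.match(rec["rest"])
    rec["tag"] = "{}-{}".format(tag["name"], tag["inst"]) if tag else None
    rec["msg"] = tag["msg"] if tag else rec["rest"]
    rec["actor"] = "{}@{}".format(rec["user"], rec["src"])
    return rec


def new_run(initiator):
    return {"initiator": initiator, "open": [], "done": []}


def audit(lines):
    """Return (runs, unparsed).

    runs maps "<name>-<instance>" to the initiator and to the devices whose
    overlay push is still open (start seen, no complete) or done.
    """
    pending = {}   # job id -> administrator who typed "job <id> execute"
    runs = {}
    unparsed = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)
            continue
        m = JOB_EXEC_RE.match(rec["msg"])
        if m and rec["proc"] == "cli":
            pending[m["job"]] = rec["actor"]
            continue
        m = SCHED_RE.match(rec["msg"])
        if m:
            # Immediate jobs carry a preceding cli line; scheduled runs do not.
            who = pending.pop(m["job"], "scheduled")
            runs["{}-{}".format(m["job"], m["inst"])] = new_run(who)
            continue
        if rec["tag"]:
            # Tagged lines with no scheduler entry (direct overlay or profile
            # execution) are attributed to the actor on the line itself.
            run = runs.setdefault(rec["tag"], new_run(rec["actor"]))
            p = PUSH_RE.match(rec["msg"])
            if p and p["edge"] == "start":
                run["open"].append(p["dev"])
            elif p:
                if p["dev"] in run["open"]:
                    run["open"].remove(p["dev"])
                run["done"].append(p["dev"])
    return runs, unparsed


if __name__ == "__main__":
    runs, unparsed = audit(SAMPLE)
    for tag, run in runs.items():
        print(tag, "initiated by", run["initiator"],
              "| incomplete pushes:", run["open"] or "none")
```

Lines that do not fit the format are returned in the second value rather than dropped, so a format change on the syslog server shows up as unparsed input instead of a silent gap in the audit trail.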
Chapter 8: Monitoring the Health of Devices
This chapter describes the Director health monitoring feature. The health
monitoring feature enables you to use Director to remotely monitor your SG
appliances. By monitoring key hardware and software metrics, Director
provides administrators with a remote view of the health of the SG appliance.
This chapter also describes how to configure Director to send traps to a remote
management station when it fails or comes online.
This chapter discusses the following topics:
"About Health Monitoring" on page 130
"SG Appliance Health Monitoring Requirements" on page 130
"About the Health Monitoring Metrics" on page 131
"About Device Polling" on page 131
"Health Monitoring Example" on page 132
"About the Health Monitoring Device States" on page 133
"About Health Monitoring Notification" on page 136
"About the Health Monitoring Device States" on page 133
"Changing Threshold and Notification Properties" on page 138
"Getting A Quick View of the SG Appliance Health" on page 140
"Viewing Health Monitoring Statistics" on page 141
"Configuring Director to Notify Remote Management Stations of SG
Appliance State Changes" on page 143
"Troubleshooting" on page 145
Note: SGME 5.1.4.x and later ignores SNMP traps sent to it by SG appliances.
If you want to configure e-mail notification for individual alert types, the
notification settings for the alert must be set on each SG appliance. To set
notification properties for specific alerts on multiple devices, create a profile or
overlay that contains the settings you want and then apply the settings to your
devices. See "Configuring and Managing Devices" on page 37 for more
information.
Note: You can initiate an immediate device poll by clicking Refresh in the Health
Statistics field of the Monitoring tab Description pane. For more information, see
"About the Health Monitoring Device States" on page 133.
Polling can be slower for SG appliances running SGOS releases prior to SGOS
5.1.4 or SGOS 4.2.4 because the entire system-resource-metrics XML is fetched
every minute, not just when a change has occurred. To ensure rapid polling, Blue
Coat recommends that you upgrade to SGOS 5.1.4.x or later or SGOS 4.2.4 or later
(when available).
Note: If you enable Director Dashboard, you must either reconnect to all devices
or reboot Director so that it will discover the system resource metrics of devices
running SGOS 4.2.3.7 or later. See "About the Director Dashboard" on page 17 for
more information.
[Figure: health monitoring example. Vertical axis: Value, with OK, WARNING, and CRITICAL levels; horizontal axis: Time, 0 to 60.]
Note: You can configure Director to send end device status updates to a
third-party management station. See "Configuring Director to Notify Remote
Management Stations of SG Appliance State Changes" on page 143 for more
information.
Warning: The SG appliance has one or more events that are causing it to be
in a Warning state. Note that if additional warning-level event(s) occur, they
do not cause additional traps (however, a new critical-level event would
generate a Critical trap).
Critical: The SG appliance has one or more events that are causing it to be
in a Critical state. Note that if additional event(s) occur, they do not cause
additional traps (unless such events cause the appliance to move from state
Warning to state Critical).
CPU Utilization (Percentage)
  Critical: 95%/120 seconds
  Warning: 80%/120 seconds
  Measures the value of CPU 0 on multi-processor systems, not the average of all CPU activity.

Interface Utilization (Percentage)
  Critical: 90%/120 seconds
  Warning: 60%/120 seconds
  Measures the traffic (in and out) on the interface to determine if it is approaching the bandwidth maximum.

License Utilization (Percentage)
  Critical: 100%/0
  Warning: 90%/0
  For licenses that have user limits, monitors the number of users.

Temperature (Bus temperature, CPU temperature)
  Critical: High-critical
  Warning: High-warning

Fan (The fan metric differs by hardware model, for example, CPU fan, chassis fan)
  Critical: Low-critical
  Warning: Low-warning

Voltage (Bus Voltage, CPU voltage, Power Supply voltage)
  Critical: Critical, High-critical, Low-critical
  Warning: High-warning, Low-warning
Log
Inserts an entry into the Event log on the SG.
Note: To avoid losing one hour's worth of alerts when the SG clock is set back
during daylight savings time, manually refresh the health statistics after the SG
clock is reset.
2. Right-click the device to configure and click Configure. The Manage Device
window displays. This window replicates the SG Management Console of the
device.
4: Select a tab.
Note: You cannot change the threshold values for metrics from the
Status tab.
7: Modify threshold values.
8: Modify notification settings.
Instead, Director can be used to send such notifications, since it polls the state of
each managed SG appliance every minute. When you enable this feature, Director
sends a notification to all configured hosts whenever an SG appliance state
change is detected. Only one notification is sent when a device enters a new state.
The notifications correspond to the following health monitoring states:
Ok
Warning
Critical
Connected
Disconnected
These health monitoring states are described in Table 8-1 on page 134.
Additionally, a single notification is sent if either of the following events
occurs (these events are always initiated by an administrator):
[SG] Added
An administrator has added the SG appliance to Director's list of known
devices.
[SG] Deleted
An administrator has deleted the SG appliance from Director's list of known
devices.
Note: The snmp-server enable traps command does not need to be executed to
enable the SG appliance state notification feature. However, you must enable the
notifications as described in the following procedure.
3. Enter the following command to enable all device state SNMP notifications:
director (config) # snmp-server traps device-state all enable
Troubleshooting
If you continue to receive alerts, contact Blue Coat Customer Support. For
licensing questions, contact Blue Coat Support Services. It is helpful to obtain a
packet capture for CPU, memory pressure, and network interface issues, before
calling Technical Support.
Chapter 9: Configuring Director Redundancy
This chapter describes the Blue Coat Director standby feature and how you can
use it to achieve redundancy and disaster preparedness.
The Director standby feature is designed to minimize Director service disruptions
caused by network outage, disaster, or Director failure. When standby is
deployed, the Director configuration is mirrored to a second Director whose only
function is to take over for the first Director if a failure occurs. The takeover is not
automatic; an administrator must manually instruct the standby Director (called
the Secondary) to take over the functions of the Primary Director.
All configuration of the Director standby feature is done through the CLI.
Important: The Director standby feature is supported only for the Director 510
platform.
Requirements
To implement Director standby, you must have the following:
Two Director 510 appliances
A unique IP address for each Director appliance
Approximate synchronization (ten seconds or less) of the two Directors'
clocks.
One method of ensuring clock synchronization is to run NTP on both
Directors. Clock synchronization is important because if an administrator
makes the Secondary Active (see "Active" on page 150), jobs that were not
started on the Primary Director need to start at the right time on the
Secondary Director. Since it is difficult to achieve exact clock synchronization,
having the Secondary Director lag behind slightly is preferred.
One or more administrators with read/write privileges
A remote SNMP management station, for example, HP Openview
The management station is required to monitor the state of the Directors.
Without a management station, you will not be able to determine if one of the
Directors has failed. The SNMP Management station:
Receives SNMP notifications from the standby pair.
Periodically polls the Directors to ensure they are online.
See "Configuring Director to Notify Remote Management Stations of SG
Appliance State Changes" on page 143 for more information.
Terminology
Before reading further, you should familiarize yourself with the following terms.
Standby Pair
Two Director 510 appliances, one configured as a Primary Director and one
configured as a Secondary Director. The pair works together to achieve
redundancy.
Partner
A given Director's "partner" is the opposite Director in the Pair. The Primary
Director's partner is the Secondary Director and the Secondary Director's partner
is the Primary Director.
Primary Director
A Director identity. The Primary Director is the device in the standby pair that
normally performs all day-to-day Director operations. All changes on the Primary
Director are propagated to the Secondary Director by means of the rsync utility
running over SSH. The Primary Director continually executes SSH commands on
the Secondary Director to verify connectivity. The default state of the Primary
Director is Active, which means that it is able to perform monitoring and
configuration operations.
The Primary Director is the only device that:
Initiates syncs. The Secondary Director is only a passive Rsync client.
Connects to the Secondary Director to obtain connectivity status. The
Secondary Director does not initiate such checks but notices if it has not been
queried by the Primary Director.
Secondary Director
A Director identity. The Secondary Director is the device in the takeover pair
whose only purpose is to take over for the Primary Director when a failure occurs.
The normal state of the Secondary Director is Reserve, which means that it cannot
perform any monitoring or configuration operations and will not accept user-
interface connections. If a user configures the Secondary Director to be Active, it
will perform all functions previously performed by the Primary Director.
When you execute the make-secondary command, the Director reboots. To access
the Secondary Director, you must then use the standbyuser username.
Sync
The process of copying all changes from one Director to its partner. This includes
changes made by administrators as well as changes to the event database and job
status. The possible status for sync is: "in-sync", "syncing", or "retrying sync"
(reported if the first attempted sync failed).
Standalone Director
A Director state. A Standalone Director is one that is not participating in a
standby pair and that technically has no standby identity. This is the factory
default state of Director. A standalone Director cannot participate in a standby
pair until an administrator changes its identity to Primary or Secondary.
Executing the make-standalone command on a Primary or Secondary Director
takes the appliance out of the standby pair. Note that in this document, a Primary
or Secondary Director that has been made standalone is still referred to by its
previous identity, i.e., Primary or Secondary.
When you execute the make-standalone command, the Director reboots.
Active
A Director state that either the Primary or the Secondary can achieve. In the
Active state, the Director allows configuration and monitoring operations to be
executed on it. You use the Active Director for all Director tasks, including remote
administration via overlay, profile, and job creation and execution, health
monitoring, and backup and restore. The normal state of the Primary Director is
Active.
Reserve
A Director state that only the Secondary can achieve. In the Reserve state, the
Director stands by and awaits any failure of the Active Director (the Primary).
In the Reserve state, the Director is essentially an rsync client. If the Primary
Director fails, the administrator must change the Secondary Director's state to
Active so that it can resume service. Absent any failures, the normal state of the
Secondary Director is Reserve.
Inactive
A Director state that only the Primary Director can achieve. If, while the Primary
Director was powered off, the Secondary was made Active, the Primary Director
notices this and immediately enters the Inactive state. Transitioning to Inactive
prevents different changes to both Directors' configuration. If the Primary and
Secondary Directors have different configurations, those changes cannot be
merged and you will have to discard the changes from one of those
configurations.
Failover Assumptions
These assumptions will help you understand the operation of the standby pair:
Only administrators can alter the state of the standby pair.
If an administrator manually intervenes, it requires another manual
intervention to get the standby pair back to the initial state. Consider the
following examples:
If an administrator executes the make-standalone command on a Director
(breaking the standby pair), then the administrator must perform a make-
primary or make-secondary to get that Director back into the pair.
Figure 9-1: Data Mirroring between the Primary Director and Secondary Director
Monitoring Connectivity
To verify that its partner is reachable and functioning normally, the Primary
Director continually executes (every five seconds) a specific CLI command (SSH)
on the Secondary Director. If the CLI command fails 12 times in a row (one
minute), the Primary Director sends an SNMP notification to any configured
management stations (if you have configured this feature; see "Requirements" on
page 148). If the Secondary Director is functioning normally and has not received
the expected CLI command within one minute, it sends an SNMP notification to
the management station.
Note: You must configure the Primary Director to send the standby SNMP
notifications. For more information, see "Configuring the Standby Pair" on page
156.
process prevents the Directors from switching states prematurely. For example, if
the network link failed and the Primary Director could not query the Secondary
Director, an automated transition might make the Secondary Director Active. This
would result in two Active Directors performing operations, each with a
different configuration.
To make the Secondary Director Active, an administrator must execute the make-
active CLI command on it. Only an administrator with read/write privileges can
issue this command. After the Secondary Director has been made Active, it
assumes all configuration operations previously performed by the Primary
Director.
When the Primary Director comes back online, it asserts itself as Active again, but
will immediately transition to Inactive if it discovers that the Secondary Director
has been made Active in the interim. The only way that the Primary Director can
regain Active status is by manual intervention; an administrator must make it
Active again by executing the make-active command on it (the Secondary
Director then transitions to Reserve).
Figure 9-3: Making the Secondary Director Active after Failure of the Primary
Failure of the network link between the Primary Director and Secondary Director
does not trigger any automatic state transitions. During a network outage, any
changes on the Primary Director are not immediately synchronized with the
Secondary Director. After connectivity is restored, the Primary Director then
automatically synchronizes all changes (since the last successful sync) with the
Secondary Director.
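The connectivity check and manual failover described above, modelled as a small simulation. This is an added example, not Blue Coat code: the class, method and counter names are hypothetical, the notification names are the suffixes of the blueCoatDirectorStandbyChg* notifications listed in this chapter, and requiring a working link for the Secondary's return to Reserve is an assumption.

```python
from dataclasses import dataclass

HEARTBEAT_SECONDS = 5         # the Primary checks its partner every five seconds
FAILURES_BEFORE_NOTIFY = 12   # twelve failed checks in a row = one minute
SILENCE_BEFORE_NOTIFY = 60    # the Secondary notifies after a minute unqueried

@dataclass
class Director:
    identity: str               # "Primary" or "Secondary"
    state: str                  # "Active", "Reserve" or "Inactive"
    powered: bool = True
    partner_lost: bool = False  # a reachability-lost notification is outstanding

class StandbyPair:
    """Constructed model of the standby pair; nothing here talks to a device."""

    def __init__(self):
        self.primary = Director("Primary", "Active")
        self.secondary = Director("Secondary", "Reserve")
        self.link_up = True
        self.failed_checks = 0          # Primary: consecutive failed checks
        self.unqueried_seconds = 0      # Secondary: time since the last check
        self.double_active_seconds = 0  # time both Directors accepted changes
        self.notifications = []         # (reporting identity, name suffix)

    def _notify(self, director, suffix):
        self.notifications.append((director.identity, suffix))

    def _reachable(self):
        return self.link_up and self.primary.powered and self.secondary.powered

    def _regained(self, director):
        if director.partner_lost:
            director.partner_lost = False
            self._notify(director, "PartnerReachabilityRegained")

    def _lost(self, director):
        if not director.partner_lost:   # only one notification per condition
            director.partner_lost = True
            self._notify(director, "PartnerReachabilityLost")

    def tick(self):
        """Advance the model by one five-second check interval."""
        p, s = self.primary, self.secondary
        ok = self._reachable()
        if p.powered:
            if ok:
                self.failed_checks = 0
                self._regained(p)
                # A successful check shows the Primary its partner's state.
                if p.state == "Active" and s.state == "Active":
                    p.state = "Inactive"
                    self._notify(p, "PrimaryBackingOffToInactive")
            else:
                self.failed_checks += 1
                if self.failed_checks >= FAILURES_BEFORE_NOTIFY:
                    self._lost(p)
        if s.powered:
            if ok:
                self.unqueried_seconds = 0
                self._regained(s)
            else:
                self.unqueried_seconds += HEARTBEAT_SECONDS
                if self.unqueried_seconds >= SILENCE_BEFORE_NOTIFY:
                    self._lost(s)
        if p.powered and s.powered and p.state == s.state == "Active":
            self.double_active_seconds += HEARTBEAT_SECONDS

    def make_active(self, identity):
        """An administrator runs make-active; the pair never does this itself."""
        target = self.primary if identity == "Primary" else self.secondary
        target.state = "Active"
        self._notify(target, "ForcedToActiveState")
        # The guide says the Secondary returns to Reserve when the Primary is
        # made Active again; needing a working link for that is an assumption.
        if target is self.primary and self._reachable():
            self.secondary.state = "Reserve"

    def power_on_primary(self):
        """On boot the Primary asserts itself as Active until its next check."""
        self.primary.powered = True
        self.primary.state = "Active"
        self.failed_checks = 0

def outage_scenario(ticks_after_promotion=6):
    # Link fails, both sides notify after a minute, an administrator promotes
    # the Secondary, the outage continues, then the link comes back.
    pair = StandbyPair()
    pair.link_up = False
    for _ in range(FAILURES_BEFORE_NOTIFY):
        pair.tick()
    pair.make_active("Secondary")
    for _ in range(ticks_after_promotion):
        pair.tick()
    pair.link_up = True
    pair.tick()
    return pair
```

In `outage_scenario(6)` both Directors accept changes for 30 seconds, the whole of the outage that follows the promotion; the Primary backs off only on the first successful check after the link returns.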
Note that you do not have to enable SNMP notifications on the Secondary
Director. Any (or all) notifications enabled on the Primary Director are
automatically enabled on the Secondary Director. However, the two Directors are
not fully configured as a standby pair (and thus, do not send notifications) until
they have been configured as such, have rebooted, and are in-sync.
You can enable the notifications individually if you desire. To get a listing of
the available standby states, enter the following command:
director (config) # snmp traps standby-state ?
The Secondary Director reboots and comes up in the Reserve state. When
accessing the Director after the reboot, you must use the standbyuser
username.
6. Reboot the Primary Director again.
Secondary OK
Table 9-3: Possible Standby Pair Identities, States, and Synchronization Status (Continued)
Sunnyvale 10.1.1.2 SV
Sunnyvale Director:
director-sv (config) # snmp-server traps standby-state all enable
4. Configure the Los Angeles branch office Director 510 as Secondary and
specify the IP address of the Primary Director and the password of the SSH
connection:
director-la (config) # standby make-secondary 10.1.1.2 thunder
Configuration Notes
Only two commands are allowed on the Secondary, make-active and
make-standalone. This ensures that the two Director configurations are never
unsynchronized.
Reserve and Inactive Directors allow connections only from the standbyuser
user, regardless of any previously configured usernames. If you subsequently
break the standby pair, the username reverts to its previous setting.
After the standby pair is configured, the identity of the Secondary Director
cannot be changed unless the standby pair is broken by making it standalone.
If by accident, both Directors were configured as Primary, each Primary
Director would report the opposite as misconfigured because its partner is not
Secondary
Note: The username of the Secondary reverts from standbyuser to its original
setting when the Director is made Active.
When the Primary Director notices that the Secondary Director has been made
Active, it will transition to Inactive.
4. Properly shut down the Primary Director. See "Shutting Down Director" on
page 214 for more information.
5. Perform the move.
6. Power up the Primary Director.
7. Make the Primary Director Active:
a. Using the standbyuser account, access the Primary Director's CLI:
login as: standbyuser
Note: The username of the Primary reverts from standbyuser to its original
setting when the Director is made Active.
These conditions are not a cause for concern as long as the standby pair is in its
normal state (Primary Active and Secondary Reserve). This is because all changes
will eventually be synchronized with the Secondary Director as soon as the link is
restored.
Assume that the network link then starts going up and down. Due to the nature of
the network outage, the Secondary Director is able to reach more of Examples SG
appliances than the Primary Director. In this case, the administrator should
consider the following options:
Break the standby pair
The administrators can break the standby pair and run two standalone
Directors. However, if the long-term plan is to eventually remake the standby
pair, every change made to the Secondary Director must be manually recorded.
Any time that both Directors have pertinent, but different, configuration data,
the data must be manually synchronized. Otherwise, the Primary (Active)
Director will overwrite the Secondary's configuration during the automated
synchronization process, which is part of the make-primary process.
Keep the standby pair
A better alternative is to keep the standby pair. If the Secondary Director can
reach more devices, the administrator can shut down the Primary Director
and make the Secondary Active. Powering down the Primary Director ensures
that a double Active condition will not occur that could cause different
changes to be made to the two configurations.
Before shutting down the Primary, the administrator should wait until no jobs
are scheduled or in progress. To confirm that there are no incomplete jobs, the
administrators should verify that there are no empty job reports on the
Secondary Director. If a job had been started on the Active Director but the
results had not been synchronized with the Secondary Director, there will be
empty job reports.
When the stability of the link is restored, the administrator can bring the Primary
Director online. The administrator should then check the Management Console to
see if changes have been made to:
The Secondary Director's configuration but not the Primary's.
If this occurs, no further action is required. This is the only case in which the
changes on the Secondary Director are synchronized with the Primary
Director.
The Primary Director's configuration but not the Secondary's.
If this occurs, no further action is required. In this case, the Primary Director's
changes are automatically synchronized to the Secondary Director when the
link is restored.
Both the Primary Director's configuration and the Secondary's.
If this occurs, the administrator will have to identify which changes to keep
because changes cannot be merged.
Note: The following procedure assumes that the Secondary Director is acting in
Reserve.
Note: After you make the Primary or Secondary Director standalone, you
must connect to it using the username that was configured before you created
the standby pair.
Important: To ensure that the Directors do not get out of sync during the
upgrade process, do not make any configuration changes to and verify that
no jobs are scheduled on the Secondary Director for the duration of the
upgrade process.
Sync-reestablished
blueCoatDirectorStandbyChgSyncReestablished
After a _SyncFailed condition was reported, a successive synchronization
operation succeeded. (This notification is NOT reported after every successful
synchronization).
Primary-backing-off-to-Inactive
blueCoatDirectorStandbyChgPrimaryBackingOffToInactive
While running in the Active state, the Primary Director discovered the
Secondary Director in the Active state. In this case, the Primary Director
automatically 'backs-off' to the Inactive state.
Remediation: There are two common ways of getting into this condition:
1. With the Primary Director in the Active state and the Secondary Director in
the Reserve state, there was a network failure. An administrator promotes
the Secondary to the Active state. On the first 'heartbeat' after the network
comes back up, the double-Active condition is detected.
2. With the Primary Director in the Active state and the Secondary Director in
the Reserve state, the Primary Director powers-off. An administrator
promotes the Secondary to Active. When the Primary Director powers-up,
the double-Active condition is detected.
In both cases, an administrator has to determine which Director(s) have
changes (if any), and decide upon the set of changes to keep when they make
the Primary Director Active again.
Partner-config-invalid
blueCoatDirectorStandbyChgPartnerConfigInvalid
The reason for this notification depends on whether the Director intended to be
this Director's partner is configured as part of a standby pair, or not.
If the partner Director is configured as part of a pair: This Director (the Primary)
logged into the Secondary (as part of the 'heartbeat' process) and asked the
Secondary Director who it thought its Primary Director was. The Secondary
'pointed-to' a THIRD Director, when it should have been configured to point to
the Primary Director. The IP address of the THIRD Director is reported by the
'standbyPartnersPrimary' varbind in this notification.
If the partner Director is standalone: The Primary Director has found no Primary
configured on the other Director, and will report '0.0.0.0' for the varbind
'standbyPartnersprimary' in this notification.
Remediation: An administrator must check and resolve the configuration on
either or both Directors in the pair.
Partner-config-validated
blueCoatDirectorStandbyChgPartnerConfigValidated
After reporting a _PartnerConfigInvalid condition, this Director once again
found that its Secondary Director correctly 'pointed' to this Director as partner.
If this notification is reported by the Secondary Director, that Secondary has not
'heard' the Primary Director log in for over a minute. Either way, the network link
between the two Directors is not working properly. Any changes made on the
Primary Director will not be synced to the Secondary (assuming the Primary is
the Active Director).
Remediation: Fix the network link between the two Directors. In the meantime, be
careful that no administrator makes the Secondary Director Active or you might
reach a condition in which there are two Active Directors with changes on each.
Partner-reachability-regained
blueCoatDirectorStandbyChgPartnerReachabilityRegained
After a _PartnerReachabilityLost condition was reported, the partner Director
reestablished communication with this Director.
Forced-to-Secondary
blueCoatDirectorStandbyChgForcedToSecondary
The reporting Director has been forced, by administrator command, to be the
Secondary Director in a standby pair.
Forced-to-StandAlone
blueCoatDirectorStandbyChgForcedToStandalone
The reporting Director has been forced, by administrator command, to run
standalone (outside a standby pair).
Forced-to-Active-State
blueCoatDirectorStandbyChgForcedToActiveState
The reporting Director has been forced, by administrator command, to the Active
state.
Chapter 10: Director Logging
Blue Coat Director logs help you to determine the nature and location of a
problem when you troubleshoot Director. They inform you if the URL that you
entered is invalid or unreachable, or if your syntax is incorrect. Log files contain
information about connection and configuration issues encountered by
Director. They also inform you about the operating conditions of the system.
To monitor your system, you can:
Use the daily syslog to view results of commands generated by the Director
CLI.
Click the All Jobs for Director icon or select Content > Query Content in the
Director Management Console.
Use the show commands from the Director CLI.
Terms and Definitions
Addr-device: A command option for IP address or hostname of an SG appliance.
Keyword: An SG appliance, group or addr-device.
PIN: Personal Identification Number for the front panel LCD made up of four
numeric values.
Process ID (PID): A unique identifier assigned to all processes, when they are
started. Each system has a maximum value for the PID number. When this is
reached the PID numbering is started again.
Components of Director
Syslog messages are generated by the components of Director. They are explained
below:
Table 10-2
LCD Panel Manager: Communicates with the front panel LCD and Configuration
Manager to handle the input and output via LCD. When it is not engaged in
configuring the system, LCD Panel Manager displays information, such as the
hostname and CPU utilization.
Important: The Director Management Console does not work if the logging
console level is set to notice_minor.
notice: These messages provide information about the normal but significant
conditions in the system. This level is the default logging level for the local
sink.
warning: Warning messages indicate abnormal operating conditions that
require immediate attention.
error: These messages inform you about the errors that Director encounters
when it interacts with external systems (that are not developed by Blue Coat)
through user input.
Syslog Messages
Syslog messages are generated by the components of Director. For more
information, see "Log Message Terminology" on page 173. Some of the frequently
used terms in the syslog are explained in this section.
Syslog messages are created and logged as plain-text ASCII strings.
Given below are the messages sent to the syslog by the components of Director:
Table 10-3: Content Management Messages
Command ID: <cmd ID> Device ID: <device ID> Command: <command string> Response: <error>
  Level: Warning
  The message displays the CLI command issued to the specified SG appliance and
  the associated error response. If the response is not an error, the message is
  logged at the notice_minor level.

Command ID: <cmd ID> No candidate devices found for this command.
  Level: Warning
  No SG appliances available for the execution of the command. Make sure the
  group has SG appliances in it.
'admin' login and 'enable' passwords reset
  Level: Warning
  This message appears when you reset Admin and Enable passwords.
The username <username> is reserved for internal use.
  A few usernames are reserved for Blue Coat internal use. Each username on the
  system must be unique. Choose another username.

Wrong password.
  If you forget your admin or enable password, you can clear the old passwords
  by using the password reset script.

Your user account does not have the required privilege to enter <Standard | Enable | Configuration> mode.
  Standard privileges are level 1. Enable privileges are level 7. Configuration
  privileges are level 15. You are limited to the privilege level the
  administrator assigned you.

Your privilege level has been lowered to <privilege level>.
  You are limited to the privilege level the administrator assigned you.

User <username> does not exist.
  This message is displayed when you try to log on to a machine using a username
  that does not exist. Either you mistyped the username or the name has been
  deleted from the system.

User <username> already exists.
  This occurs when you try to create a user with a username that is already in
  the system. Each username must be unique.

Bad privilege value <privilege level> for user <username>. Must be <1,7,15>.
  The privilege value should either be 1 (for standard mode), 7 (enable mode),
  or 15 (for config mode) for this user.

No password given for enable.
  You have not set a password to enter Enable mode.

Username can be at most 8 characters.
  The username cannot be more than eight characters long.
Clock

Not a valid timezone: <timezone>
  The time zone is not a valid entry. Select another value. For more information
  on the format, refer to the Blue Coat Director Command Line Interface
  Reference.

Not a valid date string
  Enter the date in yyyy/mm/dd format.

Not a valid time string
  Enter the time in hh:mm[:ss] military format.

NTP

Cannot have an ntp peer or server with a local IP address
  Local refers to the local Director management node. You must synchronize the
  local time with an external NTP peer or server.

NTP version must be between 1 and 4
  This refers to the version supplied with an ntp peer or ntp server command.

ntpd already running, cannot do ntpdate
  You issued the ntpdate hostname command when the NTP server is already
  running. Stop the NTP server by typing no ntp enable. Run ntpdate hostname.
  Type ntp enable.
Extraneous parameter <parameters> would be ignored.
  The words that the command is rejecting are not recognized. Type the command
  to that point again and enter ?.

Operation timed out.
  When a network connection does not respond within a reasonable time frame, due
  to network problems, this message is displayed. It also happens when Director
  is waiting for response to a command and none is forthcoming.

Type device? for help
Unrecognized command abcdef
Type ? for help
  This help message (or a variation) appears when you enter invalid commands.

Extraneous parameter <parameter> would be ignored.
  You have typed the command correctly, but you also entered an invalid command
  along with it. You can redo the command, correcting the extraneous parameters.

Ambiguous command 's'. Type 'show s?' for a list of possibilities.
  When you enter a valid command with invalid arguments, you are asked to type
  the ? after the valid part of it for a set of valid options.
Invalid date <date>. Please enter it in yyyy/mm/dd format.
  Director only recognizes dates and times entered in the correct format. The
  valid format for date is shown in the message.

Lost contact with configuration subsystem, attempting reconnect...
  This message is displayed when Director is busy.
Host Names

No valid hostname supplied.
  The command you entered requires a hostname to execute.

Hostname: Could not set hostname to <hostname>
  The hostname is not valid. A possible reason is that the hostname had illegal
  characters in it. Alphanumeric characters, dash ('-') and dot ('.') are
  allowed in a hostname.

device <Device ID> does not exist.
  You entered an invalid device ID. An SG appliance must be registered with
  Director before it can be used.

<ID3> has not been defined as a device
  You must add the SG appliance record information to the Director management
  node before attempting to connect to it.

Device ID contains invalid characters ({,}) or $
  An SG appliance ID cannot contain the invalid characters contained in the
  error message.

Device IDs can only be 250 characters long.
  The maximum length of any SG appliance ID is 250 characters.

For the device address please enter a hostname (e.g. www.bluecoat.com)
  Only a valid hostname, such as www.bluecoat.com, is accepted. Alphanumeric
  characters, dash ('-') and dot ('.') are allowed in a hostname.

There is no registered device with address <IP address>.
  You entered an invalid SG appliance IP address or you have not registered the
  device. Note that an SG appliance must be registered with Director before it
  can be used.

Group <group ID> does not exist.
  You entered an invalid group ID when attempting to do content management
  commands. You must create the group/record on the Director management node
  before you can use it.

<group ID> has not been defined as a group.
  You are attempting to manage content on a group you have not defined as a
  group to Director.
There are no groups configured. The Director management node cannot list
any groups assigned to it because you have
not created any.
Group IDs can only be 250 When creating a new group, the maximum
characters long. length of any group ID is 250 characters.
Group <group name1> cannot be a Groups cannot be parents of each other.
parent of group <group name2>
because <group name2> is
already an ancestor of <group
name1>.
A group cannot be a parent of You must add the child or nested group to the
itself. parent group. You cannot add a parent to a
child.
Table 10-20 System Logging Error Messages
Invalid priority <log level> | You entered an invalid logging priority level. Director only accepts the terms err, warning, notice, and notice_minor as valid logging levels. It does not accept level numbers.
Table 10-21 Director Image File Error Messages
Not a valid image file: <local spec> | You entered an invalid software Director image filename. Use the correct syntax for the image file. local_spec is the specified file. Filenames of image files are case-insensitive.
File does not exist: <local spec> | You entered a non-existent software Director image filename. Be sure to use the correct syntax for the image file.
Failed to install image | The image fetch command was unable to install the image file you downloaded to your Director management node.
Image does not contain a valid image. | The image fetch command was unable to verify that the image file you downloaded to your Director management node was a valid image file and that its internal checksum matched the file's contents.
Could not find attribute <manifest attribute> in manifest file | The Director image file is corrupted or does not contain all the expected information. This image file cannot be installed.
Unable to set next boot image | The image boot command failed.
Invalid remote file spec: <remote spec> Must be http://server[port]/[dir/]file or ftp://user:password@server/[dir/]file | The filename or the syntax is incorrect. The error message provides examples of correct usage.
Failed to download file <remote spec> | The file was not downloaded. Possible reasons: the server was down, you mistyped the URL you wanted to download.
Failed to extract manifest from downloaded file <file spec> | The image is corrupted or does not contain all the expected information.
Failed to move/delete file | You can get this message for a variety of reasons: the disk is full, permissions are not correct, the file was attempting to overwrite a file that is read only.
Table 10-22 Job Management Error Messages
Usage | Description
Invalid day <day>. Valid days are Sun, Mon, Tue, Wed, Thu, Fri, or Sat. | You must enter the days of the week in a format Director understands: For example, mon, not Monday.
For the date and time, please enter a date in yyyy/mm/dd format between 1970/1/1 and 2038/1/18 followed by a time (hh:mm[:ss]). | yyyy/mm/dd and hh:mm[:ss] are the valid formats for job types.
Schedule IDs can only be 250 characters long. | The maximum length of any job ID is 250 characters.
Report generation was cancelled since the job was deleted | You made a request for a job report and while the request was being processed, the job was deleted.
Usage | Description
Minimum key size is 512 | You tried to generate an SSH host key with a key size less than 512, the minimum key size. The default is 1024.
Maximum key size is 32768 | You attempted to generate an SSH host key with key size greater than 2048, the maximum key size. The default is 1024.
The SSH server cannot be started until a host key is generated. Please use the 'ssh server hostkey rsakey generate' command. | You have not set up SSH on your Director management node.
No RSA key found for device ID <device ID> | You have not set up SSH/RSA for the SG appliance. Generate an RSA key for the device before connecting through SSH/RSA.
Invalid public key | Make sure that you copied the entire public key when you used the ssh client user username authorized-key rsakey command.
authtype values can only be (rsa, simple) | When authenticating a password, you have two valid options: RSA, which includes a public and private key; and simple password authentication, which is less secure than RSA.
Table 10-24 RADIUS Server Error Messages
Usage | Description
Table 10-25 Miscellaneous
Usage | Description
Appendix A: Administering Director
This appendix describes how to administer Director using the CLI. The
following table describes common administration tasks and where to go to get
more information.
To... | Go to...
Set SNMP traps and levels | "Using the SNMP Server" on page 213
Setting Up Users
The username commands allow you to create local user accounts on the Director
management node. After the usernames are created, you can change the
workgroup to further control the users on the system.
Note: If you create a password on the Director management node for local user
accounts, that password is kept in a local password file. However, if you have
users logging in remotely or through unsecured terminals, you can require an
additional level of authentication. For more information, see "Authenticating
Users" on page 204.
For more information on creating usernames, refer to the Blue Coat Director
Command Line Interface Reference.
where 1 means that the user cannot enter the Enable mode, 7 indicates that the
user cannot enter Configuration mode, and 15 indicates that the user has full
administrative privileges.
3. View the users on the system.
Director (config) # show usernames
Username admin
maximum permitted privilege level 15
in Workgroup "default"
Username monitor
maximum permitted privilege level 7
in Workgroup "default"
Username test1
maximum permitted privilege level 15
in Workgroup "default"
Director ships with a workgroup called default, and all Director users are members
of the group until they are re-assigned to a new workgroup. If the new workgroup
is deleted, members of that group are re-assigned to the default group.
You can modify the settings of the default workgroup but you cannot delete the
default workgroup itself. By default, all users can schedule any content
commands at any time to any SG appliance, and can set the priority level of
content to any setting between 0 and 4. (Zero is of greater importance than 4.)
Any jobs that are scheduled for a stated time are enforced using the permissions
of the default workgroup, no matter which workgroup the user belongs to.
The workgroup commands are only effective if Director users have differing
privilege levels. They are meant for users who are managing content on Director,
not managing Director itself. Only the Director administrators should have level 15
privileges with no restrictions.
You can only create and manage workgroups through the Director CLI. Note,
however, that all users, including those who work exclusively with the Director
Management Console, are assigned to the default workgroup unless they are
moved to another workgroup, and are subject to the rules of the workgroup
where they are assigned.
Note: You can move users from the default workgroup to other workgroups. You
cannot add new user accounts to Director through the workgroup commands.
Follow these steps to create a workgroup and add rules and users:
1. At the (config) command prompt, create a workgroup and give it a
meaningful name.
Director (config) # workgroup workgroup_id create
4. Set a minimum priority level for content managed by the users in the
workgroup.
Users are unable to make content more important (have a higher priority)
than the minimum level you have set. The range is between 0 and 4, with 0
meaning that users have no restrictions on setting the importance of content in
the SG appliances. Negating this command returns priorities to the default, 0,
which is the highest priority.
5. Set up time limit rules for the workgroup to enable or disable the time-limits
range.
a. Time-limits type: The default is disallow, meaning that if no time
limits are set, all users can manage content at any time. Before you set
a time range, change the time limit type to allow to restrict users to
predefined times.
Director (config workgroup sales) # time-limits type allow | disallow
b. Time limits. The default is that no time limits are set, allowing all users
to manage content at any time. If the time-limits type is allow, setting a
time limit prevents users from sending content management
commands outside of the time limits established. If time limits are
established and the time-limits type is disallow, users cannot manage
content during the specified time, but can manage content at other
times.
Director (config workgroup sales) # time-limits range hh:mm:ss-hh:mm:ss
b. Limit SG appliances that workgroup users can access. If the list exists,
only SG appliances and groups on the list can be accessed by members
of the workgroup.
If the group ID or device ID record does not exist, it is not created. An
error message is generated instead.
Director (config workgroup sales) # device-limits keyword device spec
This removes users from the default workgroup, since users can belong to
only one workgroup at a time. If the workgroup is later deleted, users are re-
assigned to the default workgroup. (If you delete a workgroup, assign the
workgroup members to other groups beforehand, unless you want the
workgroup members re-assigned to the default group.)
You cannot use this command in workgroup submode.
Director (config workgroup sales) # exit
Director (config) # username username workgroup member workgroup ID
10. Use the write memory command to permanently save your changes.
Director (config) # write mem
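The following Python model is an added example, not Director code: it evaluates a content command against the workgroup rules described in the steps above (minimum priority, time-limits type and range, device limits) and applies the default workgroup to scheduled jobs. The names Workgroup, check and effective_workgroup, the sample device IDs, and the handling of a range that crosses midnight or of a time-limits type with no range set are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Set, Tuple

Range = Tuple[time, time]


def parse_time(text: str) -> time:
    """Parse one 'hh:mm:ss' value."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return time(hours, minutes, seconds)


def parse_range(spec: str) -> Range:
    """Parse the 'hh:mm:ss-hh:mm:ss' argument of 'time-limits range'."""
    start_text, end_text = spec.split("-")
    return parse_time(start_text), parse_time(end_text)


@dataclass
class Workgroup:
    name: str
    min_priority: int = 0               # 0 = no restriction (0 is the highest priority)
    time_limits_type: str = "disallow"  # default stated on the page
    time_ranges: List[Range] = field(default_factory=list)
    device_limits: Optional[Set[str]] = None  # None = no device-limits list exists


def in_any_range(now: time, ranges: List[Range]) -> bool:
    for start, end in ranges:
        if start <= end:
            if start <= now <= end:
                return True
        elif now >= start or now <= end:
            # Assumption: a range whose end is earlier than its start wraps midnight.
            return True
    return False


def check(wg: Workgroup, priority: int, target: str, now: time) -> Tuple[bool, str]:
    """Return (permitted, reason) for a content command issued by a workgroup member."""
    if not 0 <= priority <= 4:
        return False, "priority must be between 0 and 4"
    # Lower numbers are more important; users cannot go below the workgroup minimum.
    if priority < wg.min_priority:
        return False, "priority is more important than the workgroup minimum"
    # If a device-limits list exists, only listed appliances and groups are reachable.
    if wg.device_limits is not None and target not in wg.device_limits:
        return False, "target is not on the device-limits list"
    # Assumption: with no range configured there is no time restriction for either type.
    if wg.time_ranges:
        inside = in_any_range(now, wg.time_ranges)
        if wg.time_limits_type == "allow" and not inside:
            return False, "outside the allowed time range"
        if wg.time_limits_type == "disallow" and inside:
            return False, "inside the disallowed time range"
    return True, "permitted"


def effective_workgroup(user_wg: Workgroup, default_wg: Workgroup, scheduled: bool) -> Workgroup:
    """Jobs scheduled for a stated time are enforced with the default workgroup's rules."""
    return default_wg if scheduled else user_wg


# Constructed sample workgroups (device IDs are made up for the example).
DEFAULT = Workgroup("default")
SALES = Workgroup(
    "sales",
    min_priority=2,
    time_limits_type="allow",
    time_ranges=[parse_range("08:00:00-18:00:00")],
    device_limits={"sg-branch-1", "branch-group"},
)

if __name__ == "__main__":
    for prio, target, clock, scheduled in [
        (3, "sg-branch-1", "09:30:00", False),
        (1, "sg-branch-1", "09:30:00", False),
        (3, "sg-hq-9", "09:30:00", False),
        (3, "sg-branch-1", "20:00:00", False),
        (0, "sg-hq-9", "20:00:00", True),   # scheduled job: default workgroup applies
    ]:
        wg = effective_workgroup(SALES, DEFAULT, scheduled)
        print(wg.name, prio, target, clock, check(wg, prio, target, parse_time(clock)))
```

The last sample row shows why the default workgroup should be reviewed whenever restrictive workgroups are created: a scheduled job is judged by the default workgroup's rules, not by the user's own workgroup.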
Authenticating Users
Possible authentication methods are Remote Authentication Dial-In User Service
(RADIUS), Terminal Access Controller Access Control System Plus (TACACS+),
and local. Local authentication is required. RADIUS and TACACS+ are optional.
To configure RADIUS authentication, continue with the next section; to configure
TACACS+ servers, skip to "Configuring TACACS+" on page 208.
Configuring RADIUS
If the authentication request specifies the service-type as framed, RADIUS sends
back the attributes for the user in the authentication response. These attributes
can be used for authorization.
Director assigns a privilege level to match the service-type value on RADIUS.
Only the service types that are configured here are supported; access to Director is
denied if the service types do not match the mapped service types in the
configuration.
Director has three privilege levels:
Login (level 1)
Enable (level 7)
Config (level 15)
Each service type you want supported must be mapped to one of the above
privilege levels. Only three service types can be supported, one for each Director
privilege level. All other service types are ignored. If the service type found in the
mapping does not match one of the configured service types, the privilege of the
user cannot be decided and the login is rejected.
By default or on a new system, the following service types are mapped:
RADIUS Service Type | Director Mapping
Login | Login
NAS-Prompt | Enable
Administrative | Configuration
You do not need to configure service types on Director unless you want to change
the default mappings.
Note: If the service type is set to Framed, Outbound, or Authenticate-Only, or not set
at all, you will get a Login incorrect error message even if the supplied username
and password are valid.
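The following Python sketch is an added example, not Director code: it parses the attributes of a RADIUS response, extracts Service-Type, and applies the default mapping above to decide the privilege level or reject the login. The function names and the sample packets are constructed for the illustration, the Service-Type numbers are those of RFC 2865, and the Response Authenticator check that a real client performs is left out.

```python
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2          # RADIUS packet code
ATTR_SERVICE_TYPE = 6      # RADIUS attribute type

# Service-Type values from RFC 2865 that the page mentions.
SERVICE_TYPES = {
    1: "Login",
    2: "Framed",
    5: "Outbound",
    6: "Administrative",
    7: "NAS-Prompt",
    8: "Authenticate-Only",
}

# Default mapping from the page: Login -> Login (1), NAS-Prompt -> Enable (7),
# Administrative -> Configuration (15).
DEFAULT_MAPPING: Dict[str, int] = {"Login": 1, "NAS-Prompt": 7, "Administrative": 15}


def build_packet(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build a constructed sample packet (authenticator zeroed, for the example only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the received data")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def director_privilege(packet: bytes,
                       mapping: Dict[str, int] = DEFAULT_MAPPING) -> Optional[int]:
    """Return the privilege level (1, 7 or 15), or None when the login is rejected.

    None corresponds to the 'Login incorrect' outcome the page describes for
    Framed, Outbound, Authenticate-Only, or a missing Service-Type.
    A real client must also verify the Response Authenticator with the shared
    secret before trusting any attribute; that step is omitted here.
    """
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    values = [v for t, v in attrs if t == ATTR_SERVICE_TYPE]
    if len(values) != 1 or len(values[0]) != 4:
        return None
    name = SERVICE_TYPES.get(struct.unpack("!I", values[0])[0])
    return mapping.get(name)


def service_type_attr(value: int) -> Tuple[int, bytes]:
    return ATTR_SERVICE_TYPE, value.to_bytes(4, "big")


if __name__ == "__main__":
    for label, value in [("Administrative", 6), ("NAS-Prompt", 7), ("Login", 1), ("Framed", 2)]:
        pkt = build_packet(ACCESS_ACCEPT, 1, [service_type_attr(value)])
        print(label, "->", director_privilege(pkt))
    print("no Service-Type ->", director_privilege(build_packet(ACCESS_ACCEPT, 1, [])))
```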
While local must be specified, you can specify one, neither, or both of the
other two authentication methods. The search is done in the order specified in
the aaa authentication command. Note that if you are using RADIUS only,
you do not need to configure TACACS+.
2. Enter the following commands to configure global settings for RADIUS
servers:
privilege-response mapping:
Privilege 1 :
Privilege 7 :
Privilege 15 :
Director (config) #
Configuring TACACS+
1. At the (config) command prompt, specify the types of authentication you
will use.
Director (config)# aaa authentication login default local [radius tacacs]
While local must be specified, you can specify one, neither, or both of the
other two authentication methods. The search is done in the order specified in
the aaa authentication command. Note that if you are using TACACS+ only,
you do not need to configure RADIUS.
2. Enter the following commands to configure global TACACS+ server settings:
Director (config)# tacacs-server key password
Director (config)# tacacs-server timeout integer
where
password sets the authentication and encryption key for TACACS+ servers. Note that this
is not a key, such as an SSHv2 key, but a password.
timeout integer sets the timeout value. It should be of the format nnh nnm nns,
where nn is the number, h is the hour, m is the minute, and s is the second, such as
radius-tacacs timeout 05h 30m 10s.
where
timeout integer | Sets the timeout value. It should be of the format nnh nnm nns, where nn is the number, h is the hour, m is the minute, and s is the second, such as radius-server timeout 05h 30m 10s.
SSH
For Director, Blue Coat allows you to connect through:
SSHv2 and simple password authentication (the default)
SSHv2 and RSA authentication
Blue Coat strongly recommends you use SSH/RSA for communication both between
the Director Management Console and the management node and between Director
and an SG appliance. SSH/RSA provides the most secure connection protocol.
Note: The maximum key size is 1024 bits, and trailing newline characters must be
removed from the key before it is imported.
where
knownhost | knownhost is a host known to Director. By adding a knownhost key to Director, Director only connects to hosts it knows about. Then, if the key on the knownhost changes, Director refuses to connect to that device until the new knownhost key is added to Director.
hostname or IP_address | The ID of the device.
rsakey | Add or change a known host public key for the specified user.
length | The length of the key, generally 1024.
exponent | The exponent of the key, generally 35.
Note: This also puts you into the access-list submode, which allows you
to use access-list commands without having to type access-list
access-list_id before each command. To edit a different access-list, just
enter the new access-list name.
where snetaddr, smask, and saddr refer to the subject machines, and dnetaddr,
dmask, and daddr refer to the destination machines.
If you do not specify a type, all ICMP message types match the rules.
d. Eliminate browsing privileges for a specific group:
2. View the access-list to be sure the rules are there. Each rule is numbered.
Director (config)# show access-list new_id
Access-list jf, type filter:
0: permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ip
1: deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 tcp
2: permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 icmp redirect
3: deny 10.1.2.0 0.0.0.255 0.0.0.0 255.255.255.255 tcp eq www
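The following Python audit is an added example, not a Director feature: it parses the show access-list output above and reports rules that an earlier rule already covers. It assumes rules are evaluated in numbered order with the first match winning, and that each mask is a wildcard mask (set bits mean "don't care"), which is how the 0.0.0.0 255.255.255.255 and 10.1.2.0 0.0.0.255 pairs in the listing read; the page states neither, and the function names are made up for the illustration.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Rules copied from the 'show access-list' output on the page.
PAGE_LISTING = """\
0: permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ip
1: deny 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 tcp
2: permit 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 icmp redirect
3: deny 10.1.2.0 0.0.0.255 0.0.0.0 255.255.255.255 tcp eq www
"""

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


class Rule(NamedTuple):
    number: int
    action: str
    src: AddrSpec
    dst: AddrSpec
    proto: str
    qualifier: Tuple[str, ...]   # e.g. ('eq', 'www') or ('redirect',)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_listing(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        number, rest = line.split(":", 1)
        f = rest.split()
        if len(f) < 6 or f[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognized rule line: {line!r}")
        rules.append(Rule(int(number), f[0], (_ip(f[1]), _ip(f[2])),
                          (_ip(f[3]), _ip(f[4])), f[5], tuple(f[6:])))
    return rules


def addr_covers(a: AddrSpec, b: AddrSpec) -> bool:
    """True if every address matched by b is also matched by a."""
    (a_addr, a_wild), (b_addr, b_wild) = a, b
    care = ~a_wild & 0xFFFFFFFF          # bits that a actually compares
    # b must not vary in a bit that a compares, and both must agree on those bits.
    return (b_wild & care) == 0 and ((a_addr ^ b_addr) & care) == 0


def proto_covers(a: Rule, b: Rule) -> bool:
    """True if a's protocol match includes everything b's protocol match does."""
    if a.proto == "ip" and not a.qualifier:
        return True                       # 'ip' covers tcp, udp, icmp, ...
    if a.proto != b.proto:
        return False
    return not a.qualifier or a.qualifier == b.qualifier


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, bool]]:
    """Return (rule, covering_rule, conflict) for each rule that can never match.

    conflict is True when the two rules have different actions, meaning the
    later rule's intent (for example a deny) is silently not enforced.
    """
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if (addr_covers(earlier.src, later.src)
                    and addr_covers(earlier.dst, later.dst)
                    and proto_covers(earlier, later)):
                findings.append((later.number, earlier.number,
                                 earlier.action != later.action))
                break
    return findings


if __name__ == "__main__":
    for rule_no, by_no, conflict in find_shadowed(parse_listing(PAGE_LISTING)):
        kind = "conflicting action" if conflict else "redundant"
        print(f"rule {rule_no} is covered by rule {by_no} ({kind})")
```

Under those assumptions, rule 0 in the listing permits all IP traffic, so the deny rules 1 and 3 would never take effect; placing specific rules before general ones avoids this.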
Note: Telnet disconnects after three invalid attempts to connect. There also might
be a time lag before Telnet reports on device status.
Note: If you do not save the configuration by entering the write memory
command, the changes you made are not permanent and are lost at the next
reboot.
Rebooting Director
Enter the following command to reboot the system:
Director (config) # reload
Note: During the reboot process, the configd and CLI can shut down in any order.
If the configd shuts down first, the CLI identifies the connection loss and logs the
message.
Note: You can also connect to the CLI through SSH but you will not get a
system message indicating that it is safe to power down the Director.
or
Director # reload halt force
Use the reload halt force command if you do not want to save any
configuration changes.
3. Unplug Director when the serial console indicates that it is safe to do so:
Director 510: The hardware LCD panel goes blank and powers down. The
serial console displays Power down.
Director 800: The hardware LCD panel goes blank. The serial console displays:
The operating system has halted
Please press any key to reboot
Upgrading Director
You can upgrade Director hardware to the latest image of Director. Upgrading the
image is a three-step process: creating an archive of the current configuration,
downloading the image file to the Director management node, and installing the
image on the management node. The software upgrade process for the Director
800 is different than for the Director 510. See "Director 800 and 510 Upgrade
Differences" on page 215 for more information.
Note: This procedure must be done through the command line. You cannot use
the Management Console to upgrade Director.
Upgrade Recommendations
Before upgrading Director, do the following:
Archive the current Director configuration. Follow the procedure described in
"Archiving and Restoring the Entire Director Configuration" on page 225.
Use the write memory command to permanently save any changes you made
to the configuration. As part of the upgrade procedure, Director is rebooted,
meaning that any changes not made to permanent memory before the reboot
are lost.
Note: The image command is not present on the Director 510; it has been replaced by
the upgrade-package command. See "Upgrading Software on the Director 510" on page
217 for more information.
When a user installs an upgrade package, Director takes a snapshot of the currently-running
operating system and preserves it for downgrading purposes. This re-packaged operating
system is the only release that users can downgrade to. The installation/snapshot process
overwrites any existing operating system that was previously re-packaged.
The differences between the 510 and 800 Director upgrade/downgrade process are
described in the following table.
Example
An administrator wants to upgrade a system that is running 5.1.3.1. The
administrator installs a 5.1.4.2 upgrade package; during the installation, the
5.1.3.1 release is re-packaged. If the administrator later decides to install a 5.1.4.7
patch release, the administrator must remember that the saved 5.1.3.1 repackage
will be overwritten when 5.1.4.1 is repackaged and saved.
Note: The 5.1.4.7 release described in this example is hypothetical and is meant only
to illustrate the upgrade process. See "Upgrading a Director 800" on page 219 for the
current Director 800 upgrade path.
5.1.3.1 None
Example (continued)
Because 5.1.3.1 was a stable release, the administrator would like to be able to
downgrade to it after installing 5.1.4.7. To do this, the administrator must
downgrade from 5.1.4.1 to 5.1.3.1 before installing the 5.1.4.7 patch release. Then,
when the administrator installs 5.1.4.7, the 5.1.3.1 release is re-packaged (and the
5.1.4.1 snapshot is overwritten).
5.1.3.1 None
Retrieves the upgrade-package from the specified location, places it on the local disk
with the identical filename, and verifies that it is a valid system upgrade-package.
Enter the upgrade package URL in one of the following formats:
http://<hostname[:port]>/<path>
https://<hostname[:port]>/<path>
ftp://<hostname>/<path>
scp://<hostname>/<path>
Note: When /sys is full, the image fetch command might fail with an
incorrect error message: % Failed to download file: Failed writing
body.
You can delete extra image files with the image delete filename command.
2. Run the show image command to see the correct name of the new Director
image file.
Director (config) # show image
Install packages on the system:
(none)
File dir-x-4.0.0.0-021930.img:
OS type: dir
Release: 4.0.0.0
Number: 021930
Size: 23734224 bytes
Platform: x
File dir-x-3.2.1.0-020834.img:
OS type: dir
Release: 3.2.1.0
Number: 020834
Size: 23971792 bytes
Platform: x
Free space remaining: 1.7 gigabytes
Note: The message: Install packages on the system: (none) is benign and
does not indicate that the Director image file was not successfully
downloaded.
3. Change the boot image to the new Director image file you just downloaded.
Director (config) # image boot copy_and_paste_new_image_name
4. Save the changes. If you don't save the changes, the system will reboot to the
previous Director image file.
Director (config) # write memory
6. Verify Director booted from the correct image file by re-connecting to Director
and using the show version command. The result should contain the same
version information as the show boot command.
ssh -l username IP_address_of_management_node
Director > show version
System version: 3.2.1.0
Build date: 2004/03/16 14:04:27
Build number: 20834
Build version: #020834 2004.03.16-140427
Director >
Upgrade Changes
During upgrade, a single configuration file is split into multiple files
containing individual overlays and profiles. All of these files are encrypted
and cannot be directly manipulated.
A new command, config destroy-old-files, is provided to allow you to
delete the insecure files (stored in plaintext). This command should not be
used if you ever plan to downgrade to an earlier version, because it destroys
all old configuration and backup files, leaving you with no easy way to access
the downgraded system.
2. Do not save these changes. That is, do not use the write memory command.
3. Reboot Director.
Director (config) # reload
Connection to Director closed.
File dir-x-2.1.06-PR-5-019709.img:
OS type: dir
Release: 2.1.06
Number: PR
Size: 15475584 bytes
Platform: x
File dir-x-2.1.9.0-020406.img:
OS type: dir
Release: 2.1.9.0
Number: 020406
Size: 15873408 bytes
Platform: x
File dir-x-3.2.1.0-021078.img:
OS type: dir
Release: 3.2.1.0
Number: 021078
Size: 24524752 bytes
Platform: x
2. Determine the version you want to downgrade to, and make that version the
bootable image by copying and pasting the filename.
Director (config) # image boot dir-x-2.1.9.0-020406.img
Director (config) # write memory
If you do not save the version to boot to permanent memory before you
reboot, the image Director uses is the last image booted, not the one you just
made the bootable image.
3. Reboot the Director management node.
Director (config) # reload
Connection closed by foreign host.
2. Reboot Director.
Director (config) # reload force
Connection to Director closed.
Notes
When a downgrade is detected:
The configuration file is renamed based on its version.
New Director CLI commands are added to effectively do a show config on any
saved configuration database file. This can then be used to extract whatever
information the user needs into the new, blank configuration.
On a downgrade, the higher version's configuration file is saved, and a new
one is created with only the IP address settings.
If you attempt to later switch to the saved file (by default called something similar
to initial-1.0-79) you will receive critical messages and errors. To restore parts
of the configuration, use the command show config files initial and then
manually copy and paste the configuration.
Note: These procedures must be done through the command line. You cannot use
the Management Console to back up Director.
To save a configuration:
From the (config) prompt, enter the following commands:
Director (config) # configuration write
-or-
Director (config) # configuration write to filename
where:
write permanently saves the active configuration. (You can revert changes made
to the active configuration before they are saved to disk. After the changes have
been written to disk, you cannot revert them. To revert changes, use the
configuration revert command.)
write to saves the active configuration to a file and makes the file the active
configuration.
filename is the name of the configuration file.
Note: You can also save an empty configuration file that contains the
shipping defaults and, optionally, the IP addresses, through the
configuration new filename [keep-console] command.
Note: If you do not know the name of the configuration file you want to
delete, enter config delete ? to see the list of files that can be deleted.
Note: The config archive commands are memory and disk intensive. A
temporary copy of the configuration is created before archival. Blue Coat
recommends that you purge unwanted backup and configuration files from the
Director before creating an archive.
Important: This operation must be done through the command line. Director
backups cannot be created through the Director Management Console.
Procedure Overview
Archiving and restoring a Director configuration is performed in three primary
stages:
Creating a public encryption key.
Creating an archive file.
Uploading the archive file.
Retrieving and restoring the configuration from an archive file.
Important: Enter the private key only. Director accepts only the first key entered. If
you enter both, Director will not receive the private key and you will be unable to
restore your configuration. The private key contains both the private and public key.
8. Press Ctrl+D when you have entered the key. You are prompted for the pass
phrase you created earlier.
The hostname is the destination where the archive file will be stored. Director
accepts the following four types of upload formats:
http://hostname[:port]/path/
https://hostname[:port]/path/
ftp://hostname/path/
scp://hostname/path/
If the path ends with a directory name, it must end with / (a forward slash).
If your Web server is password protected, include the following command after
entering the hostname:
username username password password
Appendix B: Third Party Copyright Notices
Blue Coat Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their
respective owners as indicated in the copyright notices below.
The following lists the copyright notices for:
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source
code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code
include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with
the distribution, and (3) all advertising materials mentioning features or use of this software display the following
acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its
contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain
program by Jim Gillogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation
files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify,
merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
ISODE
ISODE 8.0 NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement.
Consult the Preface in the User's Manual for the full terms of this agreement.
4BSD/ISODE SMP NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file
SMP-READ-ME.
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-
Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA
Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of
this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
"THE BEER-WARE LICENSE" (Revision 42):
<phk@FreeBSD.org> wrote this file. As long as you retain this notice you can do whatever you
want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return.
Poul-Henning Kamp
Microsoft Windows Media Streaming
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as
copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos
Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
http://www.openssl.org/about/
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young <eay@cryptsoft.com> and Tim J. Hudson
<tjh@cryptsoft.com>.
The OpenSSL toolkit is licensed under an Apache-style license which basically means that you are free to get and use it for
commercial and non-commercial purposes.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to
conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following
conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL
documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson
(tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in
a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a
textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This
product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if
the routines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include
an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code
cannot simply be copied and put under another distribution license [including the GNU Public License.]
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this
software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior
written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software
developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software
written by Tim Hudson (tjh@cryptsoft.com).
PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel <ph10@cam.ac.uk>
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely,
subject to the following restrictions:
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel,
and copyright by the University of Cambridge, England.
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PHAOS SSLava and SSLavaThin
Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved.
The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the
design and development of which have involved expenditure of substantial amounts of money and the use of skilled
development experts over substantial periods of time. The software and any portions or copies thereof shall at all times remain
the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS
USE AND OPERATION ALONE OR IN COMBINATION WITH ANY OTHER SOFTWARE.
PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE
USE OF ANY PRODUCT OR SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE
FOR SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
RealSystem
The RealNetworks RealProxy Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks,
Inc. All rights reserved.
SNMP
Copyright (C) 1992-2001 by SNMP Research, Incorporated.
This software is furnished under a license and may be used and copied only in accordance with the terms of such license and
with the inclusion of the above copyright notice. This software or any other copies thereof may not be provided or otherwise
made available to any other person. No title to and ownership of the software is hereby transferred. The information in this
software is subject to change without notice and should not be construed as a commitment by SNMP Research, Incorporated.
Restricted Rights Legend:
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial
Computer Software-Restricted Rights Clause, FAR 52.227-19; and in similar clauses in the NASA FAR Supplement and other
corresponding governmental regulations.
PROPRIETARY NOTICE
This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law.
Unauthorized copying, redistribution or other use of this work is prohibited. The above notice of copyright on this source code
product does not indicate any actual or intended publication of such source code.
STLport
Copyright (c) 1999, 2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained
on all copies. Permission to modify the code and to distribute modified code is granted, provided the above notices are retained,
and a notice that the code was modified is included with the above copyright notice.
The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted
without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission
notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this
software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted
without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission
notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for
any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted
without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission
notice appear in supporting documentation. Moscow Center for SPARC Technology makes no representations about the
suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Trend Micro
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved.
zlib
Copyright (c) 2003 by the Open Source Initiative
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any
damages arising from the use of this software.
ICU License - ICU 1.8.1 and later
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1995-2003 International Business Machines Corporation and others
All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice
appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting
documentation.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS
INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL
DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH
THE USE OR PERFORMANCE OF THIS SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall
not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written
authorization of the copyright holder.
The PHP License, version 3.01
Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written
permission. For written permission, please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written
permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP"
instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a
distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the
terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license
published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code
created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP software, freely available from
<http://www.php.net/software/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.
The PHP Group can be contacted via Email at group@php.net.
For more information on the PHP Group and the PHP project, please see <http://www.php.net>.
The Zend Engine License, version 2.00
Copyright (c) 1999-2002 Zend Technologies Ltd. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
3. The names "Zend" and "Zend Engine" must not be used to endorse or promote products derived from this software without
prior permission from Zend Technologies Ltd. For written permission, please contact license@zend.com.
4. Zend Technologies Ltd. may publish revised and/or new versions of the license from time to time. Each version will be given
a distinguishing version number. Once covered code has been published under a particular version of the license, you may
always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any
subsequent version of the license published by Zend Technologies Ltd. No one other than Zend Technologies Ltd. has the right to
modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes the Zend Engine, freely available at
http://www.zend.com"
6. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"The Zend Engine is freely available at http://www.zend.com"
THIS SOFTWARE IS PROVIDED BY ZEND TECHNOLOGIES LTD. ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ZEND TECHNOLOGIES LTD. BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
TSRM (Thread Safe Resource Manager) license
Copyright (c) 1999, 2000, Andi Gutmans, Sascha Schumann, Zeev Suraski. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither name of the copyright holders nor the names of their contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Regex
Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University
of California.
Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it,
subject to the following restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in
it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read
sources, credits must appear in the documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few
users ever read sources, credits must appear in the documentation.
4. This notice may not be removed or altered.
libgd
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 by Cold Spring Harbor Laboratory. Funded under Grant P41-
RR02188 by the National Institutes of Health.
Portions copyright 1996, 1997, 1998, 1999, 2000, 2001 by Boutell.Com, Inc.
Portions relating to GD2 format copyright 1999, 2000 Philip Warner.
Portions relating to PNG copyright 1999, 2000 Greg Roelofs.
Portions relating to libttf copyright 1999, 2000 John Ellson (ellson@lucent.com).
Portions relating to JPEG and to color quantization copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane.
This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more
information.
Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application,
provided that this notice is present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not
to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the
library. Credit must be given in user-accessible documentation.
This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not
limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying
documentation.
Although their code does not appear in gd 2.0.1, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue
Software Corporation for their prior contributions.