Академический Документы
Профессиональный Документы
Культура Документы
© 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV,
PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING.,
SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are
registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be
complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped
using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective
owners. This document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE
SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO
EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS,
REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY
LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN
COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Contact Information
For concerns or feedback about the documentation:
documentation@bluecoat.com
ii
Contents
Contents
Chapter 1: Introduction
Other Documention.......................................................................................................................... 23
Document Conventions ................................................................................................................... 23
Notes and Warnings......................................................................................................................... 24
About Procedures ............................................................................................................................. 24
Chapter 3: Licensing
License Editions.......................................................................................................................... 45
Licence Types.............................................................................................................................. 48
License Expiration...................................................................................................................... 49
Registering and Licensing the Appliance ..................................................................................... 50
Locating the System Serial Number ........................................................................................ 50
Obtaining a BlueTouch Online Account................................................................................. 51
Registering and Licensing Blue Coat Appliance and Software........................................... 51
Installing a License on a Registered System........................................................................... 52
Manually Installing the License ............................................................................................... 53
Adding a Supplemental SSL or Flash Proxy License .................................................................. 55
Generating the License Activation Code ................................................................................ 55
Adding the Add-on License to the ProxySG.......................................................................... 57
Enabling Automatic License Updates ........................................................................................... 57
Viewing the Current License Status............................................................................................... 58
iii
SGOS 6.x Administration Guide
iv
Contents
v
SGOS 6.x Administration Guide
vi
Contents
vii
SGOS 6.x Administration Guide
viii
Contents
ix
SGOS 6.x Administration Guide
x
Contents
Viewing Bandwidth Usage or Gain or Client Byte and Server Byte Traffic History ..... 758
Viewing System Statistics .............................................................................................................. 761
Resources Statistics .................................................................................................................. 761
Contents Statistics .................................................................................................................... 765
Event Logging Statistics .......................................................................................................... 768
Failover Statistics...................................................................................................................... 769
Active Sessions—Viewing Per-Connection Statistics................................................................ 769
Example Scenarios Using Active Sessions for Troubleshooting ....................................... 770
Analyzing Proxied Sessions.................................................................................................... 770
Analyzing Bypassed Connections Statistics......................................................................... 781
Viewing Errored Sessions and Connections ........................................................................ 783
About Advanced URLs.................................................................................................................. 786
xi
SGOS 6.x Administration Guide
xii
Contents
xiii
SGOS 6.x Administration Guide
xiv
Contents
xv
SGOS 6.x Administration Guide
xvi
Contents
xvii
SGOS 6.x Administration Guide
xviii
Contents
xix
SGOS 6.x Administration Guide
xx
Chapter 1: Introduction
This audience for this document is network administrators who are responsible
for managing Blue Coat® ProxySG® appliances. This document provides
reference information and procedures to configure SGOS™ version 6.2, and
includes topics for Application Delivery Network (ADN), including
Application Acceleration and Secure Web Gateway solutions.
The information in this document supercedes information in the ProxySG
Management Console Online Help System.
Other Documention
Other documentation for the SGOS 6.2 software line is available:
❐ Blue Coat SGOS 6.2 Release Notes
❐ Blue Coat SGOS 6.2 Feature Change Reference
❐ Blue Coat SGOS Upgrade/Downgrade Guide
❐ Blue Coat SGOS 6.2 Command Line Reference
❐ Blue Coat SGOS 6.x Visual Policy Manager Reference (includes some
advanced policy tasks)
❐ Blue Coat SGOS 6.2 Content Policy Language Reference
Blue Coat also provides various other deployment guides targeted for specific
solutions.
Access current SGOS 6.2 documentation:
https://bto.bluecoat.com/documentation/pubs/view/SGOS%206.2.x
Document Conventions
The following table lists the typographical and Command Line Interface (CLI)
syntax conventions used in this manual.
Conventions Definition
23
SGOS 6.2 Administration Guide
About Procedures
Many of the procedures in this guide begin:
❐ Select Configuration > TabName, if you are working in the Management
Console, or
❐ From the (config) prompt, if you are working in the command line interface
(CLI).
Blue Coat assumes that you are logged into the first page of the Management
Console or entered into configuration mode in the CLI.
24
Chapter 2: Accessing the ProxySG
This section provides procedures for accessing the ProxySG so that you can
perform administrative tasks using the Management Console and/or the
command-line interface. It assumes that you have performed the first-time
setup using the Serial Console or the front panel and that you have minimally
specified an IP address, IP subnet mask, IP gateway, and DNS server, and that
you have tested the appliance and know that it is up and running on the
network. If you have not yet done this, refer to the Quick Start Guide or the
Installation Guide for your appliance model.
This section includes the following topics:
❐ "Accessing the ProxySG Using the Management Console" on page 25
❐ "Accessing the ProxySG Using the CLI" on page 33
❐ "Configuring Basic Settings" on page 35
25
SGOS 6.2 Administration Guide
2. Enter the user name and password that you created during first-time set up.
The Management Console Statistics > Summary > Efficiency page displays.
For information on the details displayed on the Statistics > Summary tab, see
"Viewing Efficiency and Performance Metrics" on page 28 and "Monitoring
System Resources and Connectivity Metrics" on page 30.
Note: All successful and failed logon attempts are recorded in the event log.
26
Chapter 2: Accessing the ProxySG
Links
27
SGOS 6.2 Administration Guide
If you have just completed initial setup and have not configured the ProxySG to
intercept any traffic, the Summary page will not display much information. For
example, you cannot view bandwidth efficiency and savings for traffic being
intercepted by the ProxySG.
Note: To view performance statistics, retrieve your SGOS license and create/
enable services on the ProxySG. For information on enabling services, see
Chapter 7: "Managing Proxy Services" on page 119. For licensing details, see
Chapter 3: "Licensing" on page 45.
When the ProxySG is deployed and configured to meet your business needs, the
Summary page monitors and reports information on your network traffic and
applications. The on-screen information is automatically refreshed every 60
seconds.
❐ Service: A service represents the type of traffic that is being intercepted; the top
5 services are ranked in descending order of bytes saved.
❐ Bytes Saved Last Hour: Bytes saved display bandwidth savings in the last 60
minutes. It represents data that did not traverse the WAN because of object
and byte caching, protocol optimization, and compression. It is calculated as:
Client Bytes - Server Bytes,
where Client Bytes is the data rate calculated to and from the client on the
client-side connection, and Server Bytes is the data rate calculated to and
from the server on the server-side connection.
For Inbound ADN, bytes saved represents:
Unoptimized Bytes - Optimized Bytes
28
Chapter 2: Accessing the ProxySG
In the Savings panel shown above, the Percent Savings for FTP is 50% and
bandwidth savings is 2x, which is calculated as Client Bytes/Server Bytes.
Note: The graph in the percent savings column represents savings over the
last hour, while the label reflects the percent savings in the last minute. For
more information on bandwidth savings, click on any row and navigate to the
Statistics > Traffic History page. By default, the traffic history page displays
bandwidth usage and bandwidth gain statistics for the corresponding service
over the last hour.
The Interface Utilization panel displays statistics on interface use, reveals network
performance issues, if any, and helps determine the need to expand your network.
❐ Interface:
The interfaces are labeled with an adapter number followed by an
interface number. For example, on 2-port bridge cards, the interface number is
0 for WAN and 1 for LAN connections; 4-port bridge cards have 0 and 2 for
WAN and 1 and 3 for LAN.
❐ Link state:
Indicates whether the interface is in use and functioning. It also
displays the duplex settings and includes the following information:
• Up or Down: Up indicates that the link is enabled and can receive and
transmit traffic. Down indicates that the link is disabled and cannot pass
traffic.
• Auto or Manual: Indicates whether the link is auto-negotiated or manually
set
• 10Mbps, 100 Mbps or 1Gbps: Displays the capacity of the link.
• FDX or HDX: Indicates whether the interface uses full duplex or half duplex
connection, respectively. In some cases, if a duplex mismatch occurs when
the interface is auto-negotiated and the connection is set to half-duplex,
the display icon changes to a yellow warning triangle. If you view a
duplex mismatch, you can adjust the interface settings on the ProxySG in
the Configuration > Network > Adapters tab.
29
SGOS 6.2 Administration Guide
❐ Transmit Rate and Receive Rate: Displays number of bits processed per second,
on each interface.
The graphs in the transmit rate and receive rate columns represent interface
activity over the last hour, while the value in the label represents interface
activity over the last minute.
❐ Errors: Displays the number of transmission errors, if any, in the last hour.
Interfaces with input or output errors are displayed in red.
For more information on an interface, click on any row; the Statistics > Network >
Interface History page displays.
This information is also displayed on the Management Console banner and under
Configuration > General > Identification. To assign a name to your ProxySG, see
"Configuring the ProxySG Name" on page 36.
30
Chapter 2: Accessing the ProxySG
The Statistics area displays the current percentages of CPU usage and memory
utilization, and the number of concurrent users. Concurrent users represents the
number of unique IP addresses that are being intercepted by the ProxySG. For
more information on these key resources, click the link; the corresponding panel
under Statistics > System > Resources displays.
The Statistics panel also displays whether the ProxySG is enabled to:
❐ participate in an Application Delivery Network (ADN)
❐ serve as a ProxyClient Manager
The status information displayed for ADN and ProxyClient include the following
options:
31
SGOS 6.2 Administration Guide
The Connectivity area displays the status of external devices and services that the
ProxySG relies on, for an effective performance. The status indicates whether the
ProxySG is able to communicate with the external devices and services that are
configured on it.
The external devices or services, that can be configured on the ProxySG, include:
❐ WCCP capable routers/switches
❐ ICAP devices (such as the ProxyAV)
❐ DNS Servers
❐ Authentication realms
❐ Websense off-box content-filtering service
Only those external devices or services that are configured on the ProxySG are
displayed on this panel. If, for example, Websense off-box content filtering is not
enabled on the ProxySG, Websense is not listed in the connectivity panel.
The connectivity status for these external devices is represented with an icon —
Ok, Warning, or Critical. The icon and the text portray the most severe health
status, after considering all the health checks configured, for the device or service.
With the exception of WCCP, click on any row to view the health status details in
the Statistics > Health Checks tab. The Statistics > Health Checks tab provides
information on the general health of the external services configured on the
ProxySG, allows you to perform routine maintenance tasks and to diagnose
potential problems. For more information on health checks, see Chapter 72:
"Verifying the Health of Services Configured on the ProxySG" on page 1391.
To view details on the status of WCCP capable devices in your network, click on
the WCCP service row, the Statistics> Network > WCCP tab displays. The Statistics>
Network > WCCP tab provides information on the configured service groups and
32
Chapter 2: Accessing the ProxySG
their operational status. For more information on how to configure WCCP on the
ProxySG, see Chapter 32: "WCCP Configuration" on page 851. For more detailed
information about WCCP, refer to the WCCP Reference Guide.
If you do not respond within the thirty-second period, you are logged out and
lose all the changes since the last submittal. You must log back on to access the
Management Console.
To log back on, click the hyperlink, You need to log in again to use the console, that is
displayed.
33
SGOS 6.2 Administration Guide
Note: You can also access the CLI using Telnet or SSH v1. However, these
management services are not configured by default. For instructions on
configuring management services, see Chapter 68: "Configuring
Management Services" on page 1309.
Note: Although most administrator tasks can be performed using either the
Management Console or the CLI, there is the occasional task that can only be done
using one of the two: these are specified in the manual.
34
Chapter 2: Accessing the ProxySG
How Do I...?
To navigate this section, identify the task to perform and click the link:
Assign a name to identify the ProxySG? "Configuring the ProxySG Name" on page
36
Locate the Appliance Serial Number? "Viewing the Appliance Serial Number" on
page 39
Configure the local time on the ProxySG? "Configuring the System Time" on page 39
Configure the length of time the HTTP "Configuring HTTP Timeout" on page 42
client or server will wait to receive data?
Configure the time for console log out on "Changing the ProxySG Timeout" on page
the ProxySG? 38
35
SGOS 6.2 Administration Guide
Note: To prevent unauthorized access to the ProxySG, only give the console
username and password to those who administer the system.
36
Chapter 2: Accessing the ProxySG
2. Edit the username of the administrator that is authorized to view and revise
console properties. Only one console account exists on the ProxySG. If you
change the console account username, that username overwrites the existing
console account username. The console account username can be changed to
anything that is not null and contains no more than 64 characters.
3. Click Apply. After clicking Apply, an Unable to Update configuration error is
displayed. The username change was successfully applied, but the
configuration could not be fetched from the ProxySG, as the username offered
in the fetch request is still the old username.
4. Refresh the screen. You are then challenged for the new username.
Note: This does not change the enabled-mode password. You can only
change the enabled-mode password through the CLI.
4. Refresh the screen, which forces the SGOS software to re-evaluate current
settings. When challenged, enter the new password.
5. (Optional) Restrict access by creating an access control list or by creating a
policy file containing <Admin> layer rules. For more information, see
"Limiting Access to the ProxySG" on page 61.
37
SGOS 6.2 Administration Guide
Realm Name
The new realm name displays the next time you log in to the Management
Console.
38
Chapter 2: Accessing the ProxySG
If you change the timeout value, the change takes effect on the next refresh of
any Management Console page.
3. Click Apply.
39
SGOS 6.2 Administration Guide
2. Click Set Time zone. The Time Zone Selection dialog displays.
3. Select the time zone that represents your local time. After you select the local
time zone, event logs record the local time instead of GMT. To add additional
time zones to the list, update the appliance's time zone database, as described
in the following procedure.
40
Chapter 2: Accessing the ProxySG
3. Click Install.
Related CLI Syntax for Adding New Time Zones to the Database:
SGOS# (config) timezone database-path [url | default]
SGOS# (config) load timezone-database
41
SGOS 6.2 Administration Guide
42
Chapter 2: Accessing the ProxySG
43
SGOS 6.2 Administration Guide
44
Chapter 3: Licensing
This section describes the ProxySG licensing behavior and includes the
following topics:
❐ "About Licensing"
❐ "Disabling the Components Running in Trial Period" on page 49
❐ "Registering and Licensing the Appliance" on page 50
❐ "A dialog displays informing you that the request has completed. Close the
dialog and proceed to the next section." on page 57
❐ "Viewing the Current License Status" on page 58
About Licensing
Each ProxySG appliance requires a license to function. The license is associated
with an individual ProxySG serial number and determines what software
features are available and the number of concurrent users that are supported.
When you configure a new hardware appliance, the Blue Coat ProxySG
configuration wizard automatically installs a trial license that allows you to use
all software features with support for an unlimited number of concurrent users
for 60 days. (Trial periods are not applicable to ProxySG virtual appliances.)
The software features that are available depend on what license edition is
installed and what license features you have purchased.
The following sections describe the licensing options:
❐ "License Editions" on page 45
❐ "Licence Types" on page 48
❐ "License Expiration" on page 49
License Editions
The license edition determines what SGOS features are available. The ProxySG
supports two license editions:
❐ Proxy Edition License—Supports all SGOS security and acceleration
features. The Proxy Edition allows you to secure Web communications and
accelerate the delivery of business applications.
❐ MACH5 Edition License—Supports SGOS acceleration features only;
Security-related features are not included in this edition. The MACH5 base
license allows acceleration of HTTP, FTP, CIFS, DNS, MAPI, and streaming
protocols.
45
SGOS 6.2 Administration Guide
Which trial license edition gets installed depends on how you indicate you will be
deploying the appliance during the setup process. If you indicate that you will be
using the appliance as an acceleration node, a MACH5 trial license is installed
automatically. For other deployment types, the wizard prompts you to select a
license edition.
Either license edition can run on any ProxySG platform. The only differences are
the supported software features and the default configuration settings. These
differences are described in the following sections:
❐ "Differences in Default Configuration Settings"
❐ "MACH5 Feature Set" on page 47
❐ "Switching Between the License Editions" on page 48
46
Chapter 3: Licensing
❐ Resource overflow action: This setting indicates whether the proxy should
bypass or drop new connections when resources are scarce.
• MACH5 Edition: Bypass
• Proxy Edition: Drop
ADN Supported
47
SGOS 6.2 Administration Guide
Licence Types
There are several different types of licenses as follows:
❐ Trial—The 60-day license that ships with new ProxySG physical appliances.
(Trial licenses are not available on virtual appliances.) All licensable
components for the trial edition (Proxy Edition or MACH5) are active and
available to use. In addition, the Base SGOS user limit is unlimited. When a
full license is installed, any user limits imposed by that license are enforced,
even if the trial period is still valid.
❐ Demo—A temporary license that can be requested from Blue Coat to extend
the evaluation period.
❐ Permanent—A license for hardware platforms that permanently unlocks the
software features you have purchased. When a permanent license is installed,
any user limits imposed by that license are enforced, even if the trial period is
still valid.
❐ Subscription-based—A license that is valid for a set period of time (such as
one year) for virtual appliances. After you have installed the license, the
ProxySG VA will have full functionality, and you will have access to software
upgrades and product support for the subscription period.
48
Chapter 3: Licensing
License Expiration
At the end of the trial or demo period or, subsequently, when any normally
licensed component expires, components that have not been licensed do not
process requests; all requests bypass the ProxySG if the default policy is set to
Allow. A license expiration notification message is logged in the Event Log (see
"Viewing Event Log Configuration and Content" on page 1355 for details on how
to view the event log).
If a license expires, users might not receive notification, depending upon the
application they are using. Notifications do occur for the following:
❐ HTTP (Web browsers)—An HTML page is displayed stating the license has
expired.
❐ SSL—An exception page appears when an HTTPS connection is attempted.
❐ Instant Messaging clients—Users do not receive a message that the license has
expired. Any IM activity is denied, and to the user it appears that the logon
connection has failed.
❐ FTP clients—If the FTP client supports it, a message is displayed stating the
license has expired.
❐ Streaming media clients—If the Windows Media Player, RealPlayer, or
QuickTime player version supports it, a message is displayed stating the
license has expired.
❐ SG Client—After the trial license has expired, clients cannot connect to the
ADN network.
❐ You can still perform SGOS configuration tasks through the CLI, SSH console,
serial console, or Telnet connection. Although the component is disabled,
feature configurations are not altered. Also, policy restrictions remain
independent of component availability.
Note: Because the ProxySG VA does not offer a trial period, this option is not
available on virtual appliances.
49
SGOS 6.2 Administration Guide
50
Chapter 3: Licensing
51
SGOS 6.2 Administration Guide
4. Make sure the Register hardware with Blue Coat automatically radio button is
selected.
5. Enter your BlueTouch Online credentials and click Register Now. This opens a
new browser page where you complete the registration process. When the
hardware is successfully registered, the Registration Status field on the License
Warning tab will display the Hardware auto-registration successful message.
You can close the new browser tab or window that displays the License Self-service
page.
6. Click Continue.
3a
3b
52
Chapter 3: Licensing
3. Enter information:
a. Enter your BlueTouch Online account login information.
b. Click Request License. The Confirm License Install dialog box displays.
c. Click OK to begin license retrieval (the dialog closes).
4. (Optional) Click Show results to verify a successful retrieval. If any errors occur,
check the ability for the ProxySG to connect to Internet.
5. Click Close to close the Request License Key dialog.
4. Click the serial number of the unit. The Support - License Management Manage
Serial Numbers/Obtain IM License page displays.
53
SGOS 6.2 Administration Guide
5. Click Manage Software Serial Numbers. The License Self Service Change Hardware
Record displays.
54
Chapter 3: Licensing
• Click Apply. The software license is now associated with the appliance.
• From Management Console > Maintenance > Licensing > Install, click Retrieve
and provide the BlueTouch Online login information again. For more
information on the retrieve procedure, see "Installing a License on a
Registered System" on page 52.
b. If the ProxySG does not have Internet access:
• In the Cust Info > Links panel, click Get License. You are prompted to save
a .bin file with the license information.
• Save the .bin file.
• From Management Console > Maintenance > Licensing > Install, select one of
the following from the License Key Manual Installation drop-down list and
click Install:
• Remote URL—If the file resides on a Web server. The Install License Key
dialog displays.
Enter the URL path and click Install. The Installation Status field displays
relevant information. When installation is complete, click Results;
examine the results, close the window, and click OK. Click Apply.
• Local File—If the file resides in a local directory. The Upload and Install
File window displays.
Enter a path to the license file or click Browse and navigate to the file.
Click Install. A results window opens. Examine the license installation
results; close the window. Click Close. Click Apply.
The license is now installed. All features that you subscribed to are fully
operational.
55
SGOS 6.2 Administration Guide
5. In the Enter Activation Code field, enter the add-on product code contained in
the e-mail; click Next. The Licensing Portal displays the ProxySG > SSL/Flash
Activation page.
6. In the respective fields, enter the ProxySG serial number and re-enter the
activation code from the mail; click Submit.
7. The License Portal displays EULA screen; read and accept the agreement.
The License Portal displays a screen with the new license activation code.
56
Chapter 3: Licensing
8. Click the LCAMs link. The License Portal returns to your License Self-Service
main page.
9. At the bottom of the page, the activation code displays on the Add tab; click
Apply.
A dialog displays informing you that the request has completed. Close the
dialog and proceed to the next section.
2. Click Retrieve.
3. To verify a successful license update, select the Licensing > View tab; the new
license displays in the table.
Note: If the automatic license update fails and you receive a Load from Blue
Coat error.
57
SGOS 6.2 Administration Guide
Current high-
level license
data
License
components
For more
details, select
a component
and click.
58
Chapter 3: Licensing
Each licensable component is listed, along with its validity and its expiration
date.
• To view the most current information, click Refresh Data.
• Highlight a license component and click View Details. A dialog displays
with more detailed information about that component.
• If the trial period is enabled and you click Maintenance > Licensing > View, the
Management Console displays an option to disable the trial components.
If the trial period is disabled, the Management Console displays an option
to enable the trial components.
See Also
❐ "About Licensing" on page 45
❐ "Disabling the Components Running in Trial Period" on page 49
❐ "Disabling the Components Running in Trial Period" on page 49
❐ "Disabling the Components Running in Trial Period" on page 49
❐ "Locating the System Serial Number" on page 50
❐ "Obtaining a BlueTouch Online Account" on page 51
❐ "Registering and Licensing Blue Coat Appliance and Software" on page 51
59
SGOS 6.2 Administration Guide
60
Chapter 4: Controlling Access to the ProxySG
This section describes how to control user access to the ProxySG. It includes the
following topics:
❐ "Limiting Access to the ProxySG" on page 61
❐ "About Password Security" on page 62
❐ "Limiting User Access to the ProxySG—Overview" on page 63
❐ "Moderate Security: Restricting Management Console Access Through the
Console Access Control List (ACL)" on page 65
❐ "Maximum Security: Administrative Authentication and Authorization
Policy" on page 67
61
SGOS 6.2 Administration Guide
❐ Use the reset button (if the appliance has a reset button) to delete all system
settings. Otherwise, reset the ProxySG to its factory settings by holding down
the left arrow key on the front-panel for 5 seconds. The appliance will be
reinitialized. To reconfigure the appliance, refer to the Installation Guide for
your platform.
To enable the secure serial port, refer to the Installation Guide for your platform.
62
Chapter 4: Controlling Access to the ProxySG
Passwords that the ProxySG uses to authenticate itself to outside services are
encrypted using triple-DES on the appliance, and using RSA public key
encryption for output with the show config CLI command. You can use a third-
party encryption application to create encrypted passwords and copy them into
the ProxySG using an encrypted-password command (which is available in
several modes and described in those modes). If you use a third-party encryption
application, verify it supports RSA encryption, OAEP padding, and Base64
encoded with no new lines.
These passwords, set up during configuration of the external service, include:
❐ Access log FTP client passwords (primary, alternate)—For configuration
information, see "Editing the FTP Client" on page 669.
❐ Archive configuration FTP password—For configuration information, see
Chapter 5: "Backing Up the Configuration" on page 73.
❐ RADIUS primary and alternate secret—For configuration information, see
Chapter 56: "RADIUS Realm Authentication and Authorization" on page
1143.
❐ LDAP search password—For configuration information, see "Defining LDAP
Search & Group Properties" on page 1104.
❐ Content filter download passwords—For configuration information, see
"Downloading a Content Filter Database" on page 374.
Note: If Telnet Console access is configured, Telnet can be used to manage the
ProxySG with behavior similar to SSH with password authentication.
SSL configuration is not allowed through Telnet, but is permissible through SSH.
Behavior in the following sections that applies to SSH with password
authentication also applies to Telnet. Use of Telnet is not recommended because it
is not a secure protocol.
63
SGOS 6.2 Administration Guide
64
Chapter 4: Controlling Access to the ProxySG
The following chart details the various ways administrators can access the
ProxySG console and the authentication and authorization methods that apply to
each.
Security Measures Available Serial SSH with SSH with RSA Management
Console Password Authentication Console
Authentication
Notes
❐ When using SSH (with a password) and credentials other than the console
account, the enable password is actually the same as the login password. The
privileged mode password set during configuration is used only in the serial
console, SSH with RSA authentication, or when logging in with the console
account.
❐ In this case, user credentials are evaluated against the policy before executing
each CLI command. If you log in using the console account, user credentials
are not evaluated against the policy.
65
SGOS 6.2 Administration Guide
To create an ACL:
1. Select Configuration > Authentication > Console Access > Console Access.
2b
2a
c. Click OK to add the workstation to the ACL and return to the Console
Access tab.
Important: Before you enforce the ACL, verify the IP address for the
workstation you are using is included in the list. If you forget, or you find
that you mistyped the IP address, you must correct the problem using the
serial console.
4. Click Apply.
66
Chapter 4: Controlling Access to the ProxySG
67
SGOS 6.2 Administration Guide
Important: For specific information on creating policies within the policy files,
refer to Content Policy Language Guide.
Following are the CPL elements that can be used to define administrator policies
for the ProxySG.
68
Chapter 4: Controlling Access to the ProxySG
69
SGOS 6.2 Administration Guide
70
Chapter 4: Controlling Access to the ProxySG
The table below lists the properties permitted in the <Admin> layer:
<Admin> Properties
deny Refuse service to the source of the transaction.
authenticate(realm_name) Requests authentication of the transaction source for
the specified realm.
authenticate.force( ) If yes is specified then forces authentication even if
the transaction is denied. This results in the user
information being available for logging. If no, then
early denial without authentication is possible.
allow Permit further service to the source of the
transaction.
log.suppress.field-id ( ) Controls suppression of the specified field-id in
all facilities
log.suppress.field-id[log_list]( ) Controls suppression of the specified field-id in
the specified facilities.
log.rewrite.field-id( ) Controls rewrites of a specific log field in all
facilities.
log.rewrite.field-id[log_list] Controls rewrites of a specific log field in a specified
( ) list of log facilities.
71
SGOS 6.2 Administration Guide
The table below lists the actions permitted in the <Admin> layer:
Table 4–4 Actions permitted in the <Admin> Layer
<Admin> Actions
notify_email( ) Sends an e-mail notification to the list of recipients specified in
the Event Log mail configuration when the transaction
terminates.
notify_snmp( ) The SNMP trap is sent when the transaction terminates.
<admin>
group="cn=Administrators,cn=Groups,dc=bluecoat,dc=com" allow
This authenticates users against the specified LDAP realm. If the users are
successfully authenticated and belong to group Administrators, they are allowed
to administer the ProxySG.
72
Chapter 5: Backing Up the Configuration
Important: An archive can only be restored to the appliance that was the
source of the archive—unless you save and restore the SSL configuration-
passwords-key keyring from the source device. See "About Archive Portability"
on page 75 for more information.
73
SGOS 6.2 Administration Guide
74
Chapter 5: Backing Up the Configuration
75
SGOS 6.2 Administration Guide
Learn about the archive types "About the Archive Types and Saved
Information" on page 74
76
Chapter 5: Backing Up the Configuration
77
SGOS 6.2 Administration Guide
78
Chapter 5: Backing Up the Configuration
2. Select Configuration > General > Archive. The Archive Configuration tab displays.
3b
3a
Note: You can also view the file by selecting Text Editor in the Install
Configuration panel and clicking Install.
79
SGOS 6.2 Administration Guide
3. Browse to the location of the archive and click Open. The configuration is
installed, and the results screen displays.
80
Chapter 5: Backing Up the Configuration
81
SGOS 6.2 Administration Guide
The appliance certificate displays if the appliance has one. Otherwise, the
following error is displayed:
Certificate "appliance-key" not found
4. If the appliance does not have an appliance certificate, create one as follows:
a. Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
b. Create a Certificate Signing Requests (CSR) and send it to a Certificate
Signing Authority (CA).
c. Have the CA sign the CSR (this process results in a digital certificate).
d. Import the keyring and certificate as described in "Restoring an
Archived Key Ring and Certificate" on page 92.
To get more information about appliance certificates, refer to the X.509
certificate information in Chapter 59: "Managing X.509 Certificates".
1. Access the Management Console of the ProxySG you want to back up:
https://ProxySG_IP:8082
2. Select the Configuration > General > Archive > Archive Storage tab.
3. From the Sign archives with keyring drop-down list, select a signing keyring to
use or accept the default (appliance-key).
4. Click Apply.
Note: If you do not click Apply, a pop-up displays when you click Save that
indicates that all unsaved changes will be saved before storing the archive
configuration. The unsaved changes are the Sign archives with keyring option
changes you made in Step 3.
82
Chapter 5: Backing Up the Configuration
5. From the Save archive drop-down list, select the archive type (Blue Coat
recommends Configuration - expanded).
6. Click Save.
A new browser window displays, prompting you to open or save the
configuration to the local disk of the device you are using to access the
ProxySG.
2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version
that was used to create the archive. For example:
Software version: SGOS 5.3.0.2 Proxy Edition
You can also verify the version from the appliance CLI:
SGOS # enable
SGOS # show version
83
SGOS 6.2 Administration Guide
84
Chapter 5: Backing Up the Configuration
• proventia
If you restore an archive to a device with a different configuration-passwords-key,
you will receive a decryption error when accessing the encrypted data. While it is
possible to reset each of the passwords using the Management Console, it is easier
to save the original keyring so that you can import it to the new appliance (before
restoring the configuration). Restoring the keyring allows all previously
configured passwords to remain valid after archive restoration.
To transfer the archive to another appliance, you must do one of the following:
❐ Restore the original configuration-passwords-key keyring
❐ Change the encrypted passwords to clear text so that they can be regenerated.
Note: To save an SSL keyring, you must be able to view it. If the key is marked
no-show, you cannot save it.
2. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version
that was used to create the archive. For example:
Software version: SGOS 5.3.0.2 Proxy Edition
You can also verify the version from the appliance CLI:
SGOS # enable
SGOS # show version
85
SGOS 6.2 Administration Guide
3. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring
an Archived Key Ring and Certificate" on page 92.
4. Select Configuration > General > Archive.
5. Select Local File and click Install.
6. Browse to the location of the archive and click Open. The configuration is
installed, and the results screen displays.
!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
!
end-inline
inline keyring show default "end-inline"
!
end-inline
!
inline certificate default "end-inline"
!
end-inline
!
! repeat this process for each keyring. Be sure to import the private
key first, then the keyrings certificate
!
86
Chapter 5: Backing Up the Configuration
Do not specify your passwords; the system will prompt you for them when
you restore the keys (SGOS 5.3 and later). You can modify the template to
include other keyrings and certificates.
2. From the CLI, access the config prompt (using the serial console or SSH):
sgos # config terminal
Note: The aes128 and aes256 encryption options are also supported.
87
SGOS 6.2 Administration Guide
This password is used to encrypt the private-key before displaying it. After
confirming the password, the ProxySG displays the encrypted private-key
associated with that keyring.
Important: Do not lose the password used to encrypt the private key. If you
do, you will not be able to recover your private keys.
For example:
sgos #(config ssl)view keypair des3 configuration-passwords-key
Encryption password: *****
Confirm encryption password: *****
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D542F10E3FFF899F
aFqxQNOD+321IXdQjCGmT+adeQqMiQDAyCOvWd+aJ+OmDjITpd7bwijcxWA89RB8
y65NSia0UmTClY9MM4j6T/fXhBspEu7Wyc/nM+005pJldxTmZgPig6TiIiOlXtMI
ymCLolxjAr+vFSx7ji6jUT13JxZHfksNd9DS06DHLr6hJNERDi9dGog561zlwBo8
zvs0x4PqB+mq05qewmReMs9tnuLkGgBXguH+2Nw9hI0WKEa9KPFWrznD/+zEZbEo
nM+VOwn3nWuqcfRLFoSUP2QBZ581pU3XAUydabBn0uBOMR4a3C+F/W/v0p71jJ9o
JL6Ao/S46A4UgPkuswGMYXo1kG3K2J/Ev4nMBua6HSZgM87DxvMSiCZ1XxlKlBqv
F9P+l1o3mdR3g2LzK1DLTvlcA9pEPbW65gmnpGj/WLqhEyNPm+DkplxMtMESxNqM
4attb8fXAEcRI+1iUWpjxnycqlm+dcFqq6/bLixYSQ4HGXFLx5qTot+FtIvB5h3g
KwQusgaLVTiesn9K7BQK4wjXJKlDclIrog+ET1fkxtj2oA5/7HN10Ar0ogBxsZLj
0LS5fwVfHNkuyNLUXZSAiLLoIqFIvtRiRfiWe3e/eJvazIaErEk40NvIaaXP1j9p
ENzK2dw9WS7xtcU5kAcdoiX1lFONauKDVUkHwhvqz3KnMt1p81fkdUpiD1xaVfMg
s2FApgjAsYciEJxDUfPLzYV1vpOpx6DW3t0D0AlEKkPVNmd9RzlnXjk2CPTdPErC
pKN+EIKs2kqpRE6hHu37zzN06ipPNu2cCSHI/ozc0X4=
-----END RSA PRIVATE KEY-----
For example:
sgos #(config ssl)view certificate appliance-key
-----BEGIN CERTIFICATE-----
MIICUzCCAbygAwIBAgIEFm6QWzANBgkqhkiG9w0BAQUFADBuMQswCQYDVQQGDAIg
IDETMBEGA1UECAwKU29tZS1TdGF0ZTEfMB0GA1UECgwWQmx1ZSBDb2F0IFNHMjAw
IFNlcmllczETMBEGA1UECwwKNDYwNTA2MDAwMTEUMBIGA1UEAwwLMTAuOS41OS4y
88
Chapter 5: Backing Up the Configuration
MTAwHhcNMDcxMjA0MjAxMTA3WhcNMDkxMjAzMjAxMTA3WjBuMQswCQYDVQQGDAIg
IDETMBEGA1UECAwKU29tZS1TdGF0ZTEfMB0GA1UECgwWQmx1ZSBDb2F0IFNHMjAw
IFNlcmllczETMBEGA1UECwwKNDYwNTA2MDAwMTEUMBIGA1UEAwwLMTAuOS41OS4y
MTAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ/F/Sn3CzYvbFPWDD03g9Y/
O3jwCrcXLU8cki6SZUVl9blgZBTgBY3KyDl2baqZNl2QGwkspEtDI45G3/K2GRIF
REs3mKGxY7fbwgRpoL+nRT8w9qWHO393pGrlJKFldXbYOzn3p31EXUuGRfXkIqeA
919uvOD5gOX0BEzrvDRnAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEASgIR9r2MuRBc
ltHq/Lb5rIXn13wFZENd/viO54YOiW1ZixlpCBbDIkef3DdJZLxVy3x7Gbw32OfE
3a7kfIMvVKWmNO+syAn4B2yasy0nxbSyOciJq1C42yPJ+Bj1MuYDmgIvMP6ne5UA
gYYhe/koamOZNcIuaXrAS2v2tYevrBc=
-----END CERTIFICATE-----
8. Copy the certificate and paste it into the template (copied in step 1) beneath
the inline certificate cert_name "end-inline" line).
9. Optional—For each named keyring that you want to restore, repeat steps 4
to 8.
Note: SGOS 5.x has an appliance-key keyring. This keyring's private key is
not viewable, and cannot be transferred to another ProxySG. The default and
passive-attack-protection-only-key keys typically do not need to be
restored either.
10. Save the template with the configuration-passwords-key and other SSL key
data on a secure server.
11. Save the password information (that you used to encrypt the keys) in a secure
place, for example, a restricted access cabinet or safe.
After saving this data, create a configuration archive as described in "Creating a
Transferable Archive" on page 85. When you are ready to restore the archive, you
must first restore the SSL data on the target appliance as described in "Restoring
an Archived Key Ring and Certificate" on page 92.
Note: The commands in the following example are bounded by the document
text area and wrap to the next line. They are not shown here as they would
appear in the CLI. See Step 1 in "Option 1: Recording SSL Keyring and Key Pair
Information" on page 86 to view an example of how the commands should
appear.
89
SGOS 6.2 Administration Guide
!
ssl ; switches from config mode to config ssl
!
inline keyring show configuration-passwords-key "end-inline"
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2F6148C8A9902D7F
1lJjGKxpkcWBXj424FhyQJPKRdgHUIxl2C6HKigth6hUgPqsSJj958FbzEx6ntsB
lI+jXj34Ni6U94/9ugYGEqWLCqed77M1/WA4s6U5TCI9fScVuGaoZ0EVhx48lI3N
LGQplOJXmr0L5vNj/e1/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQE1kvAxuXzE
8hccfZaa1lH1MiPWfNzxf1RXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am
tGVpxhZVN2KnfzSvaBAVYMh/lGsxdEJjjdNhzSu3uRVmSiz1tPyAbz5tEG4Gzbae
sJY/Fs8Tdmn+zRPE5nYQ/0twRGWXzwXOeW+khafNE3iQ1u6jxbST6fCVn2bxw+q/
bB/dEFUMxreYjAO8/Tu86R9ypa3a+uzrXULixg1LnBcnoSvOU+co5HA6JuRohc5v
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOV01ItYWtrylg9Puw17TE56+k0EAOwU6FWd
dTpGJRguh7lFVmlQl2187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxd1nT
X11U2YgwwwH0gzJHBQPIfPhE9wJTedm1dhW268kPFonc1UY3dZTq0tiOLwtDfsyx
ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkjtr/lpS++8Tz
GZ4PimFJM0bgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4Vu0OPIPL98YYPvcV9h
0Io/zDb7MPjIT5gYPku86f7/INIimnVj2R0a0iPYlbKX7ggZEfWDPw==
-----END RSA PRIVATE KEY-----
end-inline
!
inline keyring show default "end-inline"
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2F6148C8A99AAAA
2lJjGKxpkcWBXj424FhyQJPKRdgHUIxl2C6HKigth6hUgPqsSJj958FbzEx6ntsC
lI+jXj34Ni6U94/9ugYGEqWLCqed77M1/WA4s6U5TCI9fScVuGaoZ0EVhx48lI3G
LGQplOJXmr0L5vNj/e1/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQE1kvAxuXzW
8hccfZaa1lH1MiPWfNzxf1RXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am
tGVpxhZVN2KnfzSvaBAVYMh/lGsxdEJjjdNhzSu3uRVmSiz1tPyAbz5tEG4Gzbae
sJY/Fs8Tdmn+zRPE5nYQ/0twRGWXzwXOeW+khafNE3iQ1u6jxbST6fCVn2bxw+q/
bB/dEFUMxreYjAO8/Tu86R9ypa3a+uzrXULixg1LnBcnoSvOU+co5HA6JuRohc5v
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOV01ItYWtrylg9Puw17TE56+k0EAOwU6FWd
dTpGJRguh7lFVmlQl2187NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxd1nT
X11U2YgwwwH0gzJHBQPIfPhE9wJTedm1dhW268kPFonc1UY3dZTq0tiOLwtDfsyx
ForzG9JHhPmlUgLtujsiG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkjtr/lpS++8Tz
GZ4PimFJM0bgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4Vu0OPIPL98YYPvcV9h
0Io/zDb7MPjIT5gYPku86f7/INIimnVj2R0a0iPYlbKX7ggZEfWDPw==
-----END RSA PRIVATE KEY-----
end-inline
!
90
Chapter 5: Backing Up the Configuration
Important: Blue Coat strongly recommends recording your SSL keyring and
key pair data because changing encrypted passwords to clear text is highly
insecure. Use the following procedure at your own risk.
You can edit the configuration to change encrypted passwords to clear text if you
choose to keep the existing configuration-passwords-key keyring intact on the
new appliance. You do not need to change hashed passwords to clear text—when
you restore the archive, new hashed-passwords are automatically generated using
the target ProxySG appliance’s configuration-passwords-key keyring.
Important: This procedure is not valid for signed archives. Signing guarantees
that the archive has not been modified.
91
SGOS 6.2 Administration Guide
In the previous example, if the actual password is bluecoat, then you must edit
the entry as follows:
security password "bluecoat"
Note: Hashed passwords do not have to be changed to clear text. When you
restore the archive, they are restored as specified on the source device. The
difference between hashing and encryption is that encryption enables
information to be decrypted and read, while hashing is a mathematical
function used to verify the validity of data. For example, a system might not
need to know a user’s password to verify that password. The system can run a
hash function on the password and confirm that the mathematical result
matches that specified for the user.
Note: You can also import a certificate chain containing multiple certificates.
Use the inline certificate command to import multiple certificates through
the CLI. See "Example: Completed SSL Data Template" on page 89 for more
information.
If you are importing a keyring and one or more certificates onto a ProxySG, first
import the keyring, followed by its related certificate. The certificate contains the
public key from the keyring, and the keyring and certificate are related.
92
Chapter 5: Backing Up the Configuration
5a
5b
5c
93
SGOS 6.2 Administration Guide
94
Chapter 5: Backing Up the Configuration
1. If you use HTTPS, you must specify an SSL device profile to use for the SSL
connection.
An SSL device profile, which can be edited, contains the information required
for device authentication, including the name of the keyring with the private
key and certificate this device uses to authenticate itself. The default keyring is
appliance-key. (For information on private keys, public keys, and SSL device
profiles, refer to Chapter 59: "Managing X.509 Certificates".)
2. Obtain write permission to a directory on a secure, remote host. This is where
the archive will be stored.
3. Access the Management Console of the ProxySG you want to back up:
https://ProxySG_IP:8082
95
SGOS 6.2 Administration Guide
8a
8b
7\
8d
8e
8f
6. For signed archives, ensure that a keyring has been selected in the Sign archive
with keyring option.
In the preceding example, the %H%A prefix adds the hour (in 24-hour
format) and the full weekday name. Various combinations can be used.
See "Adding Identifier Information to Archive Filenames" on page 97 for a
list of allowed substitution values.
c. Optional, for HTTPS—Select an SSL device profile to use for the SSL
connection.
See "Uploading Archives to a Remote Server" on page 95 for more
information about device profiles.
d. Enter the remote server host name or IP address and port number.
e. Enter the remote server upload path (not required for TFTP).
96
Chapter 5: Backing Up the Configuration
f. Enter the user name associated with the remote host (not required for
TFTP).
g. Optional—Change the HTTP, HTTPS, or FTP password.
8. Click Upload.
Specifier Description
%% Percent sign.
%a Abbreviated weekday name.
%A Full weekday name.
%b Abbreviated month name.
%B Full month name.
%C The ProxySG name.
%d Day of month as decimal number (01 – 31).
%H Hour in 24-hour format (00 – 23).
%i First IP address of the ProxySG, displayed in x_x_x_x format, with leading
zeros removed.
%I Hour in 12-hour format (01 – 12).
%j Day of year as decimal number (001 – 366).
%l The fourth (last) octet in the ProxySG IP address ( For example, for the IP
address 10.11.12.13, %l would be 13)
%m Month as decimal number (01 – 12).
%M Minute as decimal number (00 – 59).
%p Current locale’s A.M./P.M. indicator for 12-hour clock.
%S Second as decimal number (00 – 59).
%U Week of year as decimal number, with Sunday as first day of week (00 –
53).
97
SGOS 6.2 Administration Guide
98
Chapter 5: Backing Up the Configuration
3. Go to the Management Console Home page and view the Software version:
information to verify that the appliance is running the same software version
that was used to create the archive. For example:
Software version: SGOS 5.3.0.2 Proxy Edition
You can also verify the version from the appliance CLI:
SGOS # enable
SGOS # show version
4. Restore the configuration-passwords-key data and any other SSL key data.
Import the configuration-passwords-key keyring as described in "Restoring
an Archived Key Ring and Certificate" on page 92.
5. Select Configuration > General > Archive.
8
7
6. Optional, for signed archives—In the Install Configuration panel, check the
setting of the Enforce installation of signed archives option. If this option is
selected, only signed archives can be restored.
99
SGOS 6.2 Administration Guide
7. Optional, for signed archives—Select a CCL to use to verify the archive from
the Verify signed archive with CCL drop-down list. If you used the appliance-key
keyring, select appliance-ccl.
Note: Depending on the CA that was used to sign the certificate used for the
archive signature, you might have to import a CA certificate and create an
appropriate CCL. Refer to "Managing Certificate Signing Requests" for
information about completing these tasks.
100
Chapter 5: Backing Up the Configuration
Note: To clear the host, password, or path, type the above commands using
empty double-quotes instead of the variable. For example, to clear the path,
enter archive-configuration path “”.
Note: If you rename the archived configuration file so that it does not
contain any spaces, the quotes surrounding the URL are unnecessary.
101
SGOS 6.2 Administration Guide
Note: Blue Coat Director allows you to push a configuration from one
ProxySG to multiple appliances at the same time. For more information on
using Director, see "Using Director to Manage ProxySG Systems" and the
Blue Coat Director Configuration and Management Guide.
To create a configuration archive of the source device’s settings using the CLI:
1. Use an SSH client to establish a CLI session with the already configured
ProxySG.
2. From the enable prompt (#), enter the following command:
show configuration post-setup
102
Chapter 5: Backing Up the Configuration
103
SGOS 6.2 Administration Guide
Section I: Troubleshooting
When pushing a shared configuration or restoring an archived configuration,
keep in mind the following issues:
❐ If the content-filtering database has not yet been downloaded, any policy that
references categories is not recognized.
❐ Unless you restore the SSL configuration-passwords-key keyring from the
source device, archives can only be restored onto the same device that was the
source of the archive. This is because the encrypted passwords in the
configuration (login, enable, FTP, etc.) cannot be decrypted by a device other
than that on which it was encrypted.
❐ Do not take an expanded archive from an operational ProxySG and install it
onto another ProxySG. Expanded archives contain system-specific settings
(for example, hostnames, IP addresses, and connection forwarding settings)
that will cause conflicts.
❐ To use signed archives, your appliance must have an SSL certificate
guaranteed by a CA. If your appliance has a built-in appliance certificate, you
can use it and the corresponding appliance-ccl CCL to sign the archive.
Devices manufactured before July 2006 do not support appliance certificates.
If your appliance does not have a built-in appliance certificate, you must do
the following:
• Create a keyring on the appliance.
A keyring contains a public/private key pair. It can also contain a
certificate signing request or a signed certificate.
• Create a Certificate Signing Requests (CSR) and send it to a Certificate
Signing Authority (CA).
• Have the CA sign the CSR.
To determine if your appliance has a built-in certificate, see "Using the
Appliance Certificate to Sign the Archive" on page 81.
See Also
For more information about appliance certificates, see Chapter 59:
"Managing X.509 Certificates".
104
Chapter 6: Explicit and Transparent Proxy
105
SGOS 6.2 Administration Guide
There is no need to specify the port number in the above example because
port 80 is assumed unless another port is specified.
Note: NEVER use the ProxySG management port (8081/8082) to request the
PAC file.
106
Chapter 6: Explicit and Transparent Proxy
http://www.proxypacfiles.com/proxypac/
Note: Only the accelerated_pac_base.pac file can be edited. Any text editor can
be used to edit and customize the accelerated PAC file to meet your needs. After
editing the file, you can load a PAC file only through the CLI:
#(config)inline accelerated-pac 123
-paste PAC file here-
123
Then set the browser to use the following URL as the automatic configuration
script: http://ProxySG_IP_Address:8080/accelerated_pac_base.pac
107
SGOS 6.2 Administration Guide
108
Chapter 6: Explicit and Transparent Proxy
Note: You can also use port 8080, but port 80 is preferred because it doesn’t
require that you specify a port for the PAC-URL in the users’ browsers.
109
SGOS 6.2 Administration Guide
110
Chapter 6: Explicit and Transparent Proxy
❐ It’s best to write your PAC files as small and efficiently as possible. Fast and
efficient Javascript will perform better within the browser, especially on
“busy” web pages.
Pre-Requisites
❐ Intercept the Explicit HTTP service for port 80 on the ProxySG (for non in-line
implementations)
OR
❐ Intercept the External HTTP service for Transparent:80 on the ProxySG (for in-
line implementations)
Tasks
Perform the following tasks to serve multiple PAC files to different users.
Task Reference
Create Web access rules to serve the "Create Web Access Rules for PAC Files"
appropriate user-defined exception as an on page 114
action.
Create local policy to serve correct "Create Policy for PAC Files" on page
Content-Type Header for PAC files. 114
111
SGOS 6.2 Administration Guide
112
Chapter 6: Explicit and Transparent Proxy
(format)
(help)
(summary)
(http
(code "200")
(contact)
(details)
(format <<--19124760.9c839--
function FindProxyForURL(url, host) { return "PROXY x.x.x.x:8080"; }
--19124760.9c839--
)
(help)
(summary)
)
)
Replace x.x.x.x with the IP address or fully qualified domain name of the
ProxySG that the PAC file should be sent to. The example above shows only the
minimum PAC content that must be included.
113
SGOS 6.2 Administration Guide
114
Chapter 6: Explicit and Transparent Proxy
The above code applies to the examples used in this section; you will need to
customize it with the names of your user-defined exceptions.
Transparent Proxies
Configure transparent proxy in the following ways:
❐ Through hardware: See "Configuring Transparent Proxy Hardware" on page
115.
❐ Through bridging: "Bridging" on page 115.
❐ Through using the ProxySG as a gateway: See "Configuring IP Forwarding"
on page 116.
In addition to the transparent proxy configuration, you must create a proxy
service for the transparent proxy and enable the service. At this time, you can also
set other attributes for the service, including the destination IP address and port
range. For information on creating or editing a proxy service for transparent
configuration, see "Managing Proxy Services" on page 119.
Bridging
Network bridging through the ProxySG provides transparent proxy pass-through
and failover support. This functionality allows ProxySGs to be deployed in
environments where L4 switches and WCCP-capable routers are not feasible
options.
The ProxySG provides bridging functionality by two methods:
❐ Software—A software, or dynamic, bridge is constructed using a set of
installed interfaces. Within each logical bridge, interfaces can be assigned or
removed. Note that the adapters must of the same type. Although the
software does not restrict you from configuring bridges with adapters of
different types (10/100 or GIGE), the resultant behavior is unpredictable.
For instructions on setting up a software bridge, see "Configuring a Software
Bridge" on page 1296.
❐ Hardware—The Blue Coat Pass-Through card is a 10/100 dual interface
Ethernet device that enables a bridge, using its two adapters, so that packets
can be forwarded across it. However, if the system crashes, the Pass-Through
card becomes a network: the two Ethernet cables are connected so that traffic
can continue to pass through without restriction.
115
SGOS 6.2 Administration Guide
Configuring IP Forwarding
IP Forwarding is a special type of transparent proxy. The ProxySG is configured to
act as a gateway and is configured so that if a packet is addressed to the ProxySG
adapter, but not its IP address, the packet is forwarded toward the final
destination. If IP forwarding is disabled, the packet is rejected as being mis-
addressed.
By default, IP forwarding is disabled to maintain a secure network.
116
Chapter 6: Explicit and Transparent Proxy
Important: When IP forwarding is enabled, be aware that all ProxySG ports are
open and all the traffic coming through them is not subjected to policy, with the
exception of the ports that have explicitly defined through the Configuration >
Services > Proxy Services tab.
To enable IP forwarding:
1. Select the Configuration > Network > Routing > Gateways tab.
2. Select the Enable IP forwarding option at the bottom of the pane.
3. Click OK; click Apply.
117
SGOS 6.2 Administration Guide
118
Chapter 7: Managing Proxy Services
This chapter discusses proxy services and service groups and their roles in
intercepting traffic.
119
SGOS 6.2 Administration Guide
Important: Upon an upgrade to SGOS 6.2, all services existing before the
upgrade are preserved.
120
Chapter 7: Managing Proxy Services
❐ Destination address—
Note: For a complete list of supported proxy services and listeners, see
"Reference: Proxy Services, Proxy Configurations, and Policy" on page 161.
Note: This list applies to new installations of SGOS 6.2 or the result of restoring
the ProxySG to factory defaults after the ProxySG was upgraded to SGOS 6.2
from a previous version. Upon upgrading to SGOS 6.2, the Services tab retains
existing services, service group names, and policies.
121
SGOS 6.2 Administration Guide
Note: The HTTPS Reverse Proxy service is also available but not created by
default. For information about configuring the HTTPS Reverse Proxy, see
"Configuring and Managing an HTTPS Reverse Proxy" on page 325.
122
Chapter 7: Managing Proxy Services
An HTTP connection initiated to server 10.167.10.2 could match any of the three
listeners in the above table. The most specific match algorithm finds that a listener
in the New York CRM service is the most specific and since the destination port of
the connection and the listener match, the connection is handled by this service.
The advantage of the most specific match algorithm becomes evident when at
some later point another server is added in the New York Data Center subnet. If
that server needs to be handled by a different service than the New York Data
Center service, a new service with a listener specific to the new server would be
added. The administrator does not need to be concerned about rule order in order
to intercept traffic to this particular server using the new, most specific service
listener.
123
SGOS 6.2 Administration Guide
As another example, assume the following service and listeners were defined:
Table 7–3 Second Example Configuration for Most Specific Match Algorithm
L1 HTTP Explicit 80
L2 HTTP 10.0.0.0/8 80
About Authenticate-401
Available on the Explicit HTTP and External HTTP services.
When this option is selected, all transparent and explicit requests received on the
port always use transparent authentication (cookie or IP, depending on the policy
configuration).
If you have deployed Authentication in the way recommended by Blue Coat—
where only the ProxySG nearest the user performs the authentication tasks—
configuring Authenticate-401 is not necessary. However, multiple, explicitly-
configured ProxySG appliances in a proxy chain are all attempting to perform
authentication tasks can cause issues with browsers. By forcing one of the proxies
(recommended: the one furthest away from the client) to use 401-style
authentication instead of the standard proxy 407-style authentication, the browser
can better handle the multiple authentication challenges.
124
Chapter 7: Managing Proxy Services
If protocol detection is enabled, the ProxySG inspects the first bytes sent from the
client and determines if a corresponding application proxy is available to hand off
the connection. For example, an HTTP request identified on a TCP tunnel has full
HTTP policy applied to it, rather than just simple TCP tunnel policy. In particular,
this means that:
❐ The request arrives as a client protocol HTTP rather than a TCP Tunnel.
❐ The URL used while evaluating policy is an http:// URL of the tunneled
HTTP request, not a tcp:// URL to which the tunnel was connecting.
❐ Forwarding policy is applied based on the new HTTP request; therefore, the
selected forwarding host selected support HTTP. A forwarding host of type
TCP cannot handle the request, which forces the request to be blocked.
Enabling protocol detection helps accelerate the flow of traffic. However, the TCP
session must be fully established with the client before either the application
proxy or the TCP tunnel proxy contacts the origin server. In some cases, like in the
active-mode FTP data connections, enabling protocol detection might cause a
delay in setting up the connection.
To avoid this connection delay, either use a protocol specific proxy, such as the
FTP proxy, or disable protocol detection.
If protocol detection is disabled, traffic flows over a TCP tunnel without
acceleration provided by a protocol-specific proxy.
125
SGOS 6.2 Administration Guide
126
Chapter 7: Managing Proxy Services
127
SGOS 6.2 Administration Guide
2: Click to
expand a group
3 (optional)
2. Click the + symbol to expand a group. For example, you want to intercept the
CIFS services.
3. Optional: Select the Default Action for traffic that does not match any current
service.
4. From the drop-down for the service or an individual service port, select to
Bypass or Intercept.
128
Chapter 7: Managing Proxy Services
Next Tasks
As previously mentioned, setting a service to Intercept is one step in controlling
specific traffic types. There are other options for the services themselves, plus
proxy configurations and policy definitions. You can also create custom services
and service groups.
129
SGOS 6.2 Administration Guide
Note: If you only need to change the state of the proxy service (Bypass/Intercept),
you can do so from the main Proxy Services tab. You do not need to enter New/
Edit mode to change this setting.
Before you begin, you must understand the goal of your deployment, how the
application proxy operates, and the IP addresses (source and/or destination) and
ports to intercept. Some proxy services, such as DNS, are simple—comprised only
of IP addresses and ports. Others, such as HTTP, have more attributes to consider.
For a high-level description of these options, see "About Proxy Attributes in the
Services" on page 124.
For specific proxy descriptions, see
130
Chapter 7: Managing Proxy Services
2
3
2. At the bottom of the tab, click New Service Group. The New Service Group dialog
displays.
3. In the Service Group field, name the custom service.
4. Click OK. The new service displays under Custom Service Groups.
131
SGOS 6.2 Administration Guide
6a
6b
6c
6d
Note: The Detect Protocol setting is disabled by default. You must select
this check box for filtering to be recognized.
132
Chapter 7: Managing Proxy Services
7. Create a listener, or the IP address(es) and ports that this application protocol
uses. In the Listeners area, click New. The New Listener dialog displays.
133
SGOS 6.2 Administration Guide
8a
8b
8c
8d
134
Chapter 7: Managing Proxy Services
See Also
❐ "Moving a Service"
❐ "Importing a Service from the Service Library"
135
SGOS 6.2 Administration Guide
Moving a Service
The predefined services are not anchored to their default groups. You can move a
service to any other predefined or custom group.
Note: You must move the entire service; that is, you cannot move individual
service listeners.
136
Chapter 7: Managing Proxy Services
2a
2b
2c
To delete a service:
1. From the Management Console, select the Configuration > Services > Proxy
Services tab.
137
SGOS 6.2 Administration Guide
Note: Downgrading to a version that does not support force bypass while
running in bypass mode will result in restoration of proxy services.
2. In the Force Bypass area, select the Temporarily bypass all proxy services option.
The bypass statement to red.
3. Click Apply.
138
Chapter 7: Managing Proxy Services
3a
3b
3c
139
SGOS 6.2 Administration Guide
140
Chapter 7: Managing Proxy Services
SSL Proxy
For the SSL proxy, the Tunnel on Protocol Error option applies when non-SSL
traffic arrives at the SSL port (443 by default). A common scenario that causes this
is having peer-to-peer applications (viz, Skype, BitTorrent, Gnutella, older AOL-
IM and eMule) configured to enable port 443 for peer-to-peer traffic without SSL
set as the transport protocol. A ProxySG transparently intercepting all 443 traffic
cannot process these connections, rendering the application unusable.
With an explicit proxy deployment, SSL errors during the initial handshake
causes the same issue. The following example illustrates this:
❐ ProxySG is configured to have an explicit HTTP service on port 8080.
❐ The HTTP service is configured with detect protocol enabled, which hands off
SSL traffic to the SSL proxy from an HTTP CONNECT request. Detect Protocol is
set to OFF by default.
Note: The same applies to an explicit SOCKS proxy deployment with protocol
detection enabled or an explicit TCP listener.
Forwarding Note
Enabling the TCP Tunnel on Error option might cause issues if the ProxySG has
forwarding rules that direct traffic to upstream proxies or other devices:
❐ Forwarding hosts are not viewed as HTTP proxies (even if they are). The
initial ProxySG HTTP proxy connects with a TCP tunnel to the forwarding
host. If the ProxySG has a policy to forward and tunnels on error, the
forwarding rule might not match if the forwarding rule has a condition based
on information that is not present—any HTTP conditions, such as:
• Request method
• Request URL
• Request headers
❐ In the case of tunnel on error with explicit proxy, HTTP must match a
forwarding host for the connection of a successful TCP tunnel to occur. If no
forwarding host matches, HTTP will not tunnel on error.
141
SGOS 6.2 Administration Guide
2. In the Tunnel on Protocol Error area, select TCP tunnel requests when a protocol error
is detected.
3. Click Apply.
Related Policy
As a companion piece to this feature, the Visual Policy Manager (VPM) provides
the Client Certificate Requested object in the SSL Intercept Layer > Service column (the
equivalent CPL is client.certificate.requested {yes | no}). Use this policy to
minimize traffic disruption when the SSL proxy intercepts secure traffic and
encounters cases where intercepting further is not an option. For example, the SSL
proxy does not have enough information to continue intercepting eMule because
to allow the SSL traffic, the OCS requires client certificate authentication. This
policy works seamlessly when the SSL proxy is configured to tunnel the secure
traffic.
142
Chapter 7: Managing Proxy Services
You can globally enable the Reflect Client IP option for all services that will be
intercepted. To apply Reflect Client IP option to only a few services, first enable
this option globally and then create policy to disable the Reflect Client IP option
for the exceptions. Or, disable the option globally and create policy to enable it.
2. In the Reflect Client IP area, select Reflect client’s source IP when connecting to
servers.
3. Click Apply.
Important: If you enable Reflect Client IP and want the ProxySG to preserve
persistant client connections, you must also add policy.
VPM object: Web Access Layer > Action > Support Persistent Client Requests (static)
CPL:
<proxy>
http.client.persistence(preserve)
143
SGOS 6.2 Administration Guide
Figure 7–1 No DNS lookup occurs; the transactions goes straight to the OCS.
Figure 7–2 The ProxySG initiates a DNS lookup and initiates a new connection to the server.
The ProxySG cannot trust the client-provided destination IP address in the
following situations:
❐ The ProxySG receives the client requests in an explicit proxy deployment.
❐ The ProxySG has a forwarding rule configured for the request.
144
Chapter 7: Managing Proxy Services
❐ The ProxySG has a SOCKS gateway rule configured for the request.
❐ The ProxySG has policy that rewrites the server URL.
A transproxy deployment is one where a client is configured to contact a ProxySG
explicitly, and a new ProxySG is deployed between the client and its explicit
proxy. The new ProxySG, now transparently intercepts the traffic between the
client and its explicit proxy. In a transproxy deployment, the destination IP
address used by the client does not match the host header in the HTTP request,
since the client is configured to use the explicit proxy. The path that the client
request takes in a transproxy deployment depends on whether or not Trust
Destination IP is enabled on the transparently deployed ProxySG.
Note: If a client gives the destination address of a blocked site but the host name
of a non-blocked site, with Trust Destination IP enabled, the ProxySG connects to
the destination address. This might allow clients to bypass the configured
security policy for your environment.
145
SGOS 6.2 Administration Guide
146
Chapter 7: Managing Proxy Services
210-5 30 10
210-10 150 50
300-5 30 10
510-5 200 50
147
SGOS 6.2 Administration Guide
9000-5, 9000-10,
9000-20, 9000-30, Not License Limited Not License Limited
9000-40
VA-5 10
VA-10 50
VA-15 125
VA-20 300
Note: You can access the Statistics > Health Monitoring > Licensing tab to view
licensing status, but you cannot make changes to the threshold values from that
tab.
148
Chapter 7: Managing Proxy Services
149
SGOS 6.2 Administration Guide
4a
4b
4. (Optional) Modify the threshold and interval values to your satisfaction. The
thresholds represent the percentage of license use.
a. Modify the Critical and/or Warning Threshold settings. These values are
the percentages of maximums. For example, if the ProxySG is an
SG810-20 and ADN is enabled, the maximum number of unique users
connections is 1000. With a Warning Threshold value of 80 (percent) and
Critical Threshold value of 90, the notification triggers when user
connectivity reaches 800 and 900, respectively.
b. Modify the Critical and/or Warning Interval settings. These values are the
number of seconds that elapse between user limit checks. By default,
both critical and warning interval checks occur every 120 seconds.
5. Select the notification settings:
• Log adds an entry to the Event Log.
• Trap sends an SNMP trap to all configured management stations.
• Emailsends an e-mail to the addresses listed in the Event Logging
properties (Maintenance > Event Logging > Mail).
6. Click OK to close the dialog.
7. Click Apply.
For information about licensing, refer to "Licensing" on page 45.
150
Chapter 7: Managing Proxy Services
2. In the User Overflow Action area, select an action that occurs when the licensed
user limits are exceeded:
• Do not enforce licensed user limit is the default. Unlimited user connections
are possible. If the limit is exceeded, the ProxySG health changes to
CRITICAL. This option is not available on the ProxySG VA because licensed
user limits are always enforced.
• Bypass connections from users over license limit—Any transaction from a user
whose connection exceeds the licensed limit is not susceptible to policy
checks or any other ProxySG benefit, such as acceleration. This option
provides the best user experience (with the caveat of potentially slower
performance), but presents a Web security risk. This is the default option
for the ProxySG VA.
• Queue connections from users over license limit—Any
transaction from a user
whose connection exceeds the licensed limit must wait (in order) for an
available ProxySG connection. This option provides the lowest user
experience (and users might become frustrated and, perceiving a hang,
might attempt request refreshes), but preserves Web security policies.
3. Click Apply.
151
SGOS 6.2 Administration Guide
See Also
❐ "Global Options for Proxy Services"
❐ "Enabling Reflect Client Source IP"
❐ "About Trusting the Destination IP Address Provided by the Client"
❐ "Managing Licensed User Connection Limits (ProxySG to Server)"
152
Chapter 7: Managing Proxy Services
Note: This prevents the appliance from enforcing any policy on these requests
and disables any caching of the corresponding responses. Because bypass entries
bypass Blue Coat policy, use bypass sparingly and only for specific situations.
153
SGOS 6.2 Administration Guide
2. Click New to create a new list entry (or click Edit to modify a list entry). The
New Bypass List Entry dialog displays.
3. Create a Client Address or Server Address entry. The IP address can be IPv4 or
IPv6. If you enter an IPv4 address, you can specify a subnet mask. For IPv6
addresses, you can specify a prefix length.
4. Click OK to close the dialog.
5. Click Apply.
154
Chapter 7: Managing Proxy Services
Note: Because bypass entries bypass Blue Coat policy, the feature should be used
sparingly and only for specific situations.
Notes
❐ Dynamic bypass entries are lost when the ProxySG is restarted.
❐ No policy enforcement occurs on client requests that match entries in the
dynamic or static bypass list.
❐ If a site that requires forwarding policy to reach its destination is entered into
the bypass list, the site is inaccessible.
155
SGOS 6.2 Administration Guide
Note: This step is optional because the ProxySG uses default configurations if
you do not specify them. Use the default values unless you have specific reasons
for changing them. Contact Blue Coat Technical Support for detailed advice on
customizing these settings.
156
Chapter 7: Managing Proxy Services
157
SGOS 6.2 Administration Guide
Notes
❐ Restricted intercepts lists are only applicable to transparent connections.
❐ An entry can exist in both the Static Bypass List and the Restricted Intercept List.
However, the Static Bypass List overrides the entries in the Restricted Intercept
List.
158
Chapter 7: Managing Proxy Services
3a
2. Select Restrict Interception to the servers and clients listed below-- all other
connections are bypassed.
159
SGOS 6.2 Administration Guide
160
Chapter 7: Managing Proxy Services
161
SGOS 6.2 Administration Guide
162
Chapter 7: Managing Proxy Services
SSL Secure Socket Layer • Allows authentication, virus scanning and URL filtering
of encrypted HTTPS content.
• Accelerates performance of HTTPS content, using HTTP
caching.
• Validates server certificates presented by various secure
websites at the gateway.
TCP-Tunnel A tunnel for any TCP- Compresses and accelerates tunneled traffic.
based protocol for
which a more specific
proxy is not available
Yahoo-IM Yahoo Instant • Controls Yahoo instant messaging actions by allowing or
Messaging denying IM communications and file sharing based on
users, groups, file types and names, and other triggers.
• Logs all IM communications for review.
Standard Services
Table 7–7 Proxy Name and Listeners (alphabetical order)
163
SGOS 6.2 Administration Guide
Bypassed Recommended
164
Chapter 7: Managing Proxy Services
165
SGOS 6.2 Administration Guide
Tunnel Recommended
166
Chapter 7: Managing Proxy Services
Note: The x-service-name field replaces the s-sitename field. The s-sitename
field can still be used for backward compatibility with squid log formats, but it
has no CPL equivalent.
Note: See Chapter 28: "Creating Custom Access Log Formats" on page 685 and
Chapter 29: "Access Log Formats" on page 693 for detailed information about
creating and editing log formats.
167
SGOS 6.2 Administration Guide
168
Chapter 8: Intercepting and Optimizing HTTP Traffic
This chapter describes how to configure the HTTP proxy to manage traffic and
accelerate performance in your environment.
How Do I...?
To navigate this chapter, identify the task to perform and click the link:
Intercept traffic on the HTTP Proxy? "Changing the External HTTP Proxy
Service to Intercept All IP Addresses on
Port 80" on page 174
Configure the HTTP Proxy for object "Allocating Bandwidth to Refresh Objects
freshness? in Cache" on page 195
Step 4 in "To set HTTP default object
caching policy:" on page 184
169
SGOS 6.2 Administration Guide
170
Chapter 8: Intercepting and Optimizing HTTP Traffic
The HTTP proxy is designed to manage Web traffic across the WAN or from the
Internet, providing:
❐ Security
❐ Authentication
❐ Virus Scanning and Patience Pages
❐ Performance, achieved through Object Caching and Object Pipelining
❐ Transition functionality between IPv4-only and IPv6-only networks
The proxy can serve requests without contacting the Origin Content Server (OCS)
by retrieving content saved from a previous request made by the same client or
another client. This is called caching. The HTTP proxy caches copies of frequently
requested resources on its local hard disk. This significantly reduces upstream
bandwidth usage and cost and significantly increases performance.
Proxy services define the ports and addresses where a ProxySG listens for
incoming requests. The ProxySG has three default HTTP proxy services: External
HTTP, Explicit HTTP, and Internal HTTP. Explicit HTTP and External HTTP use the HTTP
proxy, while Internal HTTP uses TCP tunnel.
❐ The Explicit HTTP proxy service listens on ports 80 and 8080 for explicit
connections.
❐ The Internal HTTP proxy service listens on port 80 and transparently intercepts
HTTP traffic from clients to internal network hosts.
❐ The External HTTP proxy service listens on port 80 for all other transparent
connections to the ProxySG. Typically, these requests are for access to Internet
resources.
171
SGOS 6.2 Administration Guide
Although you can intercept SSL traffic on either port, to enable the ProxySG to
detect the presence of SSL traffic you must enable Detect Protocol on the service so
that the SSL traffic is handed off to the SSL Proxy. Default is set to OFF. For more
information on SSL proxy functionality, see Chapter 9: "Managing the SSL
Proxy" on page 221.
Furthermore, you can create a bypass list on the ProxySG to exclude the
interception of requests sent from specific clients to specific servers and disable
caching of the corresponding responses. The static bypass list also turns off all
policy control and acceleration for each matching request. For example, for all
clients visiting www.bluecoat.com you might exclude interception and caching of
all requests, the corresponding responses, acceleration and policy control. To
create a static bypass list, used only in a transparent proxy environment, see
"Adding Static Bypass Entries" on page 153.
When accessing internal IP addresses, Blue Coat recommends using the TCP
tunnel proxy instead of the HTTP proxy. Some applications deployed within
enterprise networks are not always fully compatible with HTTP specs or are
poorly designed. Use of these applications can cause connection disruptions
when using HTTP proxy. As a result internal sites and servers use the Internal HTTP
service, which employs the TCP tunnel proxy.
Important: The TCP tunnel does not support proxy functionality. To use proxy
functionality, you must edit the Internal HTTP service to use the HTTP proxy
instead of the default TCP tunnel.
IPv6 Support
The HTTP proxy is able to communicate using either IPv4 or IPv6, either
explicitly or transparently.
In addition, for any service that uses the HTTP proxy, you can create listeners that
bypass or intercept connections for IPv6 sources or destinations.
172
Chapter 8: Intercepting and Optimizing HTTP Traffic
The FTP protocol uses two parallel TCP connections, on separate ports, to transfer
a file. The first connection is a control connection and the second is a data connection.
The control connection is always initiated by the client, but the data connection
can be initiated by the server or the client based on whether the connection is in
active mode or in passive mode.
❐ Active Mode: The client initiates a connection and the server responds to the
request on the client’s control port. Then, the server initiates the data
connection to the client’s data port.
❐ Passive Mode: The client initiates a connection and the server responds to the
request on the client’s control port. The client, then, initiates the data
connection to a port specified by the server and receives an acknowledgement
to the client’s data port.
Web FTP connection modes supported on the ProxySG are auto, passive and port
(or active). The CPL property ftp.server_data(auto | passive | port) controls
the type of server-side data connection that the ProxySG opens to the server. By
default, the auto mode is enabled. The ProxySG attempts a passive connection
first and then falls back to an active connection if that fails.
If you have an Application Delivery Network (ADN) configured for your
environment, for auto and passive mode Web FTP connections, both the data and
the control connection requests are carried over the ADN tunnel. This allows the
Web FTP request to leverage the benefits of byte-caching and compression
provided by the ADN connection.
For information on using an FTP client to communicate via the FTP protocol, see
Chapter 12: "Managing the File Transport Protocol (FTP) Proxy" on page 293.
173
SGOS 6.2 Administration Guide
Section B: Changing the External HTTP Proxy Service to Intercept All IP Addresses on Port 80
2a
2b
174
Chapter 8: Intercepting and Optimizing HTTP Traffic
Section B: Changing the External HTTP Proxy Service to Intercept All IP Addresses on Port 80
175
SGOS 6.2 Administration Guide
Optimization Topics
The HTTP proxy alleviates the latency in data retrieval and optimizes the delivery
of HTTP traffic through object caching and object pipelining. Caching minimizes
the transmission of data over the Internet and over the distributed enterprise,
thereby improving bandwidth use. Pipelining allows data to be pre-fetched, even
before the client requests it, and caches it to be served immediately upon request.
Hence, it directly improves response time.
For objects in cache, an intelligent caching mechanism in the ProxySG maintains
object freshness. This is achieved by periodically refreshing the contents of the
cache, while maintaining the performance within your network.
The method of storing objects on disk is critical for performance and scalability.
SGOS, the operating system on the ProxySG, uses an object store system which
hashes object lookups based on the entire URL. This hashing allows access to
objects with far fewer lookups, as compared to a directory-based file system
found in traditional operating systems. While file systems run poorly when they
are full, a cache achieves its highest performance when it is full.
176
Chapter 8: Intercepting and Optimizing HTTP Traffic
still fresh. By allowing objects to be shared across requests and users, object
caching greatly reduces the bandwidth required to retrieve contents and the
latency associated with user requests.
For more information on how the ProxySG executes permission checks to ensure
authentication over HTTP, see Section F: "Caching Authenticated Data (CAD) and
Caching Proxy Authenticated Data (CPAD)" on page 202.
In case of a reverse proxy, object caching reduces the load on the OCS and
improves scalability of the OCS.
177
SGOS 6.2 Administration Guide
Although modern day browsers open multiple connections with the OCS to
retrieve objects in parallel, the ProxySG further accelerates the process with its
Object Pipelining algorithm which supports nested pipelines that are up to three
levels deep.
The Object Pipelining algorithm allows the ProxySG to open as many
simultaneous TCP connections as the origin server allows, and retrieves objects in
parallel. The proxy also pre-fetches objects based on pipelined requests. If for
example, a pipelined HTML object has other embedded objects, the HTTP proxy
will pre-fetch those embedded objects from the Web server without a request from
the client. The objects are then ready to be delivered from the cache straight to the
user, as fast as the client can request them.
While object pipelining enhances the user experience by minimizing latency and
improving response times for first-time Web page requests, it could increase
bandwidth utilization. Therefore by default, to avoid an increase in bandwidth
utilization, object pipelining is disabled for the reverse proxy and bandwidth gain
profiles. It is enabled, by default, only on the forward proxy — Normal profile,
where enhancing the response time for clients is vital.
178
Chapter 8: Intercepting and Optimizing HTTP Traffic
Therefore, AAR is now disabled by default on systems running SGOS 6.2.6 (and
later). However, if you upgrade from a pre-SGOS 6.2.6 release, AAR may still be
enabled. For information on how to configure this feature to best serve your
environment, see "Allocating Bandwidth to Refresh Objects in Cache" on page 195.
Planning Considerations
You can use CPL properties in the <Cache> layer to control meta tag processing.
The CPL commands can be used in lieu of the check boxes for parsing meta tags
through the Management Console. For details on the meta-tags, see Step 7 in "To
set HTTP default object caching policy:" on page 184.
The following CPL commands are applicable for HTTP proxy, HTTP refresh, and
HTTP pipeline transactions:
http.response.parse_meta_tag.Cache-Control(yes|no)
http.response.parse_meta_tag.Expires(yes|no)
http.response.parse_meta_tag.Pragma.no-cache(yes|no)
VPM support to control the processing of meta tags is not available.
179
SGOS 6.2 Administration Guide
From the (config) prompt, enter the following command to enable tolerant HTTP
request parsing (the default is disabled):
SGOS#(config) http tolerant-request-parsing
To disable HTTP tolerant request parsing:
SGOS#(config) http no tolerant-request-parsing
180
Chapter 8: Intercepting and Optimizing HTTP Traffic
Setting the maximum Determines the maximum object size to store in the ProxySG. All objects
object cache size retrieved that are greater than the maximum size are delivered to the
client but are not stored in the ProxySG.
Default: 1024 MB
Setting the TTL for Determines the number of minutes the SGOS stores negative responses
negative responses in for requests that could not be served to the client.
cache The OCS might send a client error code (4xx response) or a server error
code (5xx response) as a response to some requests. If you configure the
ProxySG to cache negative responses for a specified number of minutes, it
returns the negative response in subsequent requests for the same page or
image for the specified length of time. The ProxySG will not attempt to
fetch the request from the OCS. Therefore, while server-side bandwidth is
saved, you could receive negative responses to requests that might
otherwise have been served by accessing the OCS.
By default, the ProxySG does not cache negative responses. It always
attempts to retrieve the object from the OCS, if it is not already in cache.
Default: 0 minutes
Forcing freshness Verifies that each object is fresh upon access. Enabling this setting has a
validation before serving significant impact on performance because the HTTP proxy revalidates
an object from cache requested cached objects with the OCS before serving them to the client.
This results in a negative impact on bandwidth gain. Therefore, do not
enable this configuration unless absolutely required.
For enabling, select the Always check with source before serving object
check box.
Default: Disabled
181
SGOS 6.2 Administration Guide
Parsing HTTP meta tag Determines how HTTP meta tag headers are parsed in the HTML
headers documents. The meta tags that can be enabled for parsing are:
• Cache-control meta tag
The sub-headers that are parsed when this check box is selected are:
private, no-store, no-cache, max-age, s-maxage, must-re-
validate, proxy-revalidate
• Expires meta tag
This directive parses for the date and time after which the document
should be considered expired.
• Pragma-no-cache meta tag
This directive indicates that cached information should not be used
and instead requests should be forwarded to the OCS.
Default: Disabled
Allocating bandwidth on Allows you to specify a limit to the amount of bandwidth the ProxySG
the HTTP proxy for uses to achieve the desired freshness. For more information see,
maintaining freshness of "Allocating Bandwidth to Refresh Objects in Cache" on page 195.
the objects in cache Default: Disable refreshing
The above settings serve as defaults on the proxy. If you want a more granular
caching policy, for example— setting the TTL for an object, use Blue Coat Content
Policy Language (CPL). You can also use the VPM or CPL to bypass the cache or
to prohibit caching for a specific domain or server. Refer to Content Policy
Language Guide for more information.
182
Chapter 8: Intercepting and Optimizing HTTP Traffic
Caching/Optimization (Pipelining)
Configuration: Blue Coat ProxySG pipelining options enabled (Configuration >
Proxy Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed; users report slow access times in
their Web browsers.
Bandwidth Gain
Configuration: Blue Coat ProxySG Enable Bandwidth Gain Mode option enabled
(Configuration > Proxy Settings > HTTP Proxy > Acceleration Profile).
Symptom: The OCS becomes overwhelmed.
183
SGOS 6.2 Administration Guide
The ProxySG determines that objects in the cache require refreshing. This
operation itself is not costly, but the additional requests to the OCS adds load to
the WAN link. A global and per-server limit prevents the problem.
For new installations (or following a restoration to factory defaults), clientless
limits are enforced by default; the ProxySG capacity per model determines the
upper default limit. For systems upgraded to SGOS 6.2 from versions previous to
5.x, clientless limits are not enforced and you must manually configure the
ProxySG.
Continue with "Setting the HTTP Default Object Caching Policy" on page 184.
2. From the Management Console, select Configuration > Proxy Settings > HTTP
Proxy > Policies.
184
Chapter 8: Intercepting and Optimizing HTTP Traffic
3. Configure default proxy policies (HTTP Proxy Policy area; see "About the HTTP
Object Caching Policy Global Defaults" on page 180):
a. In the Do not cache objects larger than field, enter the maximum object
size to cache. The default is 1024 MB.
b. In the Cache negative responses for field, enter the number of minutes
that SGOS stores negative responses. The default is 0.
c. Force freshness validation. To always verify that each object is fresh
upon access, select the Always check with source before serving object
option. Enabling this setting has a significant impact on performance,
do not enable this configuration unless absolutely required.
d. Disable meta-tag parsing. The default is to parse HTTP meta tag
headers in HTML documents if the MIME type of the object is text/
html.
To disable meta-tag parsing, clear the option for:
• Parse cache-control meta tag
The following sub-headers are parsed when this check box is selected:
private, no-store, no-cache, max-age, s-maxage, must-
revalidate, proxy-revalidate.
185
SGOS 6.2 Administration Guide
See Also
❐ "Customizing the HTTP Object Caching Policy" on page 176.
❐ "Clearing the Object Cache" on page 1458
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 187.
186
Chapter 8: Intercepting and Optimizing HTTP Traffic
Topic Links
❐ "About the Normal Profile"
❐ "About the Portal Profile"
❐ "About the Bandwidth Gain Profile" on page 188
❐ "About HTTP Proxy Profile Configuration Components"
187
SGOS 6.2 Administration Guide
188
Chapter 8: Intercepting and Optimizing HTTP Traffic
189
SGOS 6.2 Administration Guide
Substitute Get for PNC http [no] Typically, if a client sends an HTTP GET request
substitute pragma- with a Pragma: no-cache or Cache-Control:
no-cache no-cache header (for convenience, both are
hereby referred to as PNC), a cache must
consult the OCS before serving the content. This
means that HTTP proxy always re-fetches the
entire object from the OCS, even if the cached
copy of the object is fresh. Because of this, PNC
requests can degrade proxy performance and
increase server-side bandwidth utilization.
However, if the Substitute Get for PNC setting
is enabled, then the PNC header from the client
request is ignored (HTTP proxy treats the
request as if the PNC header is not present at
all).
Substitute Get for IE reload http [no] Some versions of Internet Explorer issue the
substitute ie- Accept: */* header instead of the Pragma:
reload no-cache header when you click Refresh. When
an Accept header has only the */* value, HTTP
proxy treats it as a PNC header if it is a type-N
object. You can control this behavior of HTTP
proxy with the Substitute GET for IE Reload
setting. When this setting is enabled, the HTTP
proxy ignores the PNC interpretation of the
Accept: */* header.
190
Chapter 8: Intercepting and Optimizing HTTP Traffic
191
SGOS 6.2 Administration Guide
192
Chapter 8: Intercepting and Optimizing HTTP Traffic
Text displays at the bottom of this tab indicating which profile is selected.
Normal is the default profile. If you have a customized profile, this text does
not display.
193
SGOS 6.2 Administration Guide
Important: If you have a customized profile and you click one of the Use
Profilebuttons, no record of your customized settings remains. However,
after the ProxySG is set to a specific profile, the profile is maintained in the
event the ProxySG is upgraded.
Also, if you select any Pipeline option or the Enable Bandwidth Gain Mode
option, Blue Coat strongly recommends limiting clientless requests. See
"About Clientless Requests Limits" on page 182.
3. To select a profile, click one of the three profile buttons (Use Normal Profile, Use
Bandwidth Gain Profile, or Use Portal Profile).
The text at the bottom of the Acceleration Profile tab changes to reflect the new
profile.
Note: You can customize the settings, no matter which profile button you
select.
4. (Optional) To customize the profile settings, select or clear any of the check
boxes (see Table 8–2, "Description of Profile Configuration Components" on
page 188 for information about each setting).
5. Click OK; click Apply.
See Also
❐ "Selecting an HTTP Proxy Acceleration Profile" on page 187.
❐ "About HTTP Proxy Profile Configuration Components" on page 188.
❐ "About HTTP Object Freshness" on page 178.
❐ "Fine-Tuning Bandwidth Gain" on page 195.
194
Chapter 8: Intercepting and Optimizing HTTP Traffic
195
SGOS 6.2 Administration Guide
The Refresh bandwidth field displays the refresh bandwidth options. The
default setting is to Disable refreshing.
Important: Blue Coat strongly recommends that you not change the setting
from the default if you have a system with an increased object store capacity.
196
Chapter 8: Intercepting and Optimizing HTTP Traffic
Note: The HTTP proxy never caches partial objects, even if byte-range
support is enabled.
Since the ProxySG never caches partial objects, bandwidth gain is significantly
affected when byte-range requests are used heavily. If, for example, several clients
request an object where the start byte offset is greater than 14336 bytes, the object
is never cached. The ProxySG fetches the same object from the OCS for each
client, thereby causing negative bandwidth gain.
Further, download managers like NetAnts® typically use byte-range requests
with PNC headers. To improve bandwidth gain by serving such requests from
cache, enable the revalidate pragma-no-cache option along with byte-range support.
See "Enabling Revalidate Pragma-No-Cache" on page 198.
197
SGOS 6.2 Administration Guide
To enable or disable the revalidate PNC setting, enter one of the following
commands at the (config) command prompt:
SGOS#(config) http revalidate-pragma-no-cache
-or-
SGOS#(config) http no revalidate-pragma-no-cache
198
Chapter 8: Intercepting and Optimizing HTTP Traffic
199
SGOS 6.2 Administration Guide
Compression
Compression is disabled by default. If compression is enabled, the HTTP proxy
forwards the supported compression algorithm (either deflate or gzip) from the
client’s request (Accept-Encoding: request header) to the server as is, and
attempts to send compressed content to client whenever possible. This allows
SGOS to send the response as is when the server sends compressed data,
including non-cacheable responses. Any unsolicited encoded response is
forwarded as is to the client.
For more information on compression, see "Understanding HTTP Compression"
on page 205.
200
Chapter 8: Intercepting and Optimizing HTTP Traffic
Note: For detailed information about using these commands, refer to Command
Line Interface Reference.
201
SGOS 6.2 Administration Guide
Section F: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
Figure 8–5 CAD: 200 response from the Origin Content Server.
The OCS then sends back one of the following responses:
❐ HTTP 200 response status, authentication is accepted. The user receives the
requested resource.
202
Chapter 8: Intercepting and Optimizing HTTP Traffic
Section F: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
❐ HTTP 403 response status, user is not allowed to view the requested resource.
The user is authenticated but is not authorized to receive the content, hence
the user receives an error message.
When another user accesses the same URL, the ProxySG authenticates the user
with the OCS and verifies the freshness of the content using the Get If Modified
Since request. If the user is authorized and the content has not been modified, the
OCS returns an HTTP 304 response message to the ProxySG. The ProxySG then
serves the content from cache.
If the content has been modified, the OCS returns the HTTP 200 response along
with the modified content.
Figure 8–6 CAD: 403 and 304 response codes from the OCS
Note: CAD is applicable only for pure HTTP authentication — the ProxySG
caches authenticated data only when the OCS includes the www-Authenticate
response code in the 401 response header. If, for example, the client accesses an
OCS that uses forms-based authentication, the ProxySG does not perform CAD.
203
SGOS 6.2 Administration Guide
Section F: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
204
Chapter 8: Intercepting and Optimizing HTTP Traffic
Section F: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
Note: If compression is not enabled, the ProxySG appliance does not compress
the content if the server sends uncompressed content. However, the appliance
continues to uncompress content if necessary to apply transformations.
Any unsolicited encoded response is forwarded to the client as is.
205
SGOS 6.2 Administration Guide
Section F: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
For cache-hit compression behavior, see Table 8-3 below. For cache-miss
compression behavior, see Table 8-4.
.
206
Chapter 8: Intercepting and Optimizing HTTP Traffic
Section F: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
Compression Exceptions
❐ The ProxySG appliance issues a transformation_error exception (HTTP
response code 403), when the server sends an unknown encoding and the
appliance is configured to do content transformation.
❐ The ProxySG appliance issues an unsupported_encoding exception (HTTP
response code 415 - Unsupported Media Type) when the appliance is unable
to deliver content due to configured policy.
The messages in the exception pages can be customized. For information on using
exception pages, refer to Volume 6: VPM and Advanced Policy..
Configuring Compression
Compression behavior can only be configured through policy—VPM or CPL.
207
SGOS 6.2 Administration Guide
Section F: Caching Authenticated Data (CAD) and Caching Proxy Authenticated Data (CPAD)
b. Select Policy > Add Web Access Layer from the menu of the Blue Coat
VPM window that appears.
c. Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
a. Right click on the item in the Action column; select Set.
b. Click New in the Set Action Object dialog that appears; select Set Client
HTTP Compression.
2c
2d
c. Select the compression options you want to use; click OK.
d. Click OK again; close the VPM window and click Yes in the dialog to
save your changes.
b. Select Policy > Add Web Access Layer from the menu of the Blue Coat
VPM window that appears.
c. Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
a. Right click on the item in the Action column; select Set.
b. Click New in the Set Action Object dialog that appears; select Set Server
HTTP Compression.
208
Chapter 8: Intercepting and Optimizing HTTP Traffic
• Select Policy > Add Web Access Layer from the menu of the Blue Coat VPM
window that appears.
• Type a layer name into the dialog that appears and click OK.
2. Add an Action object:
• Right click on the item in the Action column; select Set.
• Click New in the Set Action Object dialog that appears; select Set HTTP
Compression Level.
209
SGOS 6.2 Administration Guide
Default Behavior
By default, Blue Coat sends the client’s list of the accept encoding algorithms,
except for unknown encodings. If compression is not enabled, the default
overrides any configured CPL policy.
If Accept-Encoding request header modification is used, it is overridden by the
compression related policy settings shown in Table 8-5. The Accept-Encoding
header modification can continue to be used if no compression policies are
applied, or if compression is not enabled. Otherwise, the compression-related
policies override any Accept-Encoding header modification, even if the Accept-
Encoding header modification appears later in the policy file.
210
Chapter 8: Intercepting and Optimizing HTTP Traffic
Notes
❐ Policy-based content transformations are not stored as variant objects. If
content transformation is configured, it is applied on all cache-hits, and
objects might be compressed all the time at the end of such transformation if
they are so configured.
❐ The variant that is available in the cache is served, even if the client requests a
compression choice with a higher qvalue. For example, if a client requests
Accept-encoding: gzip;q=1, deflate;q=0.1, and only a deflate-compressed
object is available in the cache, the deflate compressed object is served.
❐ The HTTP proxy ignores Cache-Control: no-transform directive of the OCS.
To change this, write policy to disallow compression or decompression if
Cache-Control: no-transform response header is present.
❐ The ProxySG appliance treats multiple content encoding (gzip, deflate or gzip,
gzip) as an unknown encoding. (These strings indicate the content has been
compressed twice.)
❐ The gzip and deflate formats are treated as completely separate and are not
converted from one to the other.
❐ Blue Coat recommends using gzip encoding (or allowing both gzip and
deflate) when using the HTTP compression feature.
211
SGOS 6.2 Administration Guide
212
Chapter 8: Intercepting and Optimizing HTTP Traffic
Note: You can view current HTTP statistics through the CLI using the show http-
stats command.
213
SGOS 6.2 Administration Guide
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
214
Chapter 8: Intercepting and Optimizing HTTP Traffic
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
215
SGOS 6.2 Administration Guide
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on
page 215
216
Chapter 8: Intercepting and Optimizing HTTP Traffic
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
See Also
"Viewing HTTP/HTTPS/FTP Client and Server Compression Gain Statistics" on
page 215
217
SGOS 6.2 Administration Guide
Note: To suppress the Proxy-Support header globally, use the http force-ntlm
command to change the option. To suppress the header only in certain situations,
continue with the procedures below.
218
Chapter 8: Intercepting and Optimizing HTTP Traffic
3a
3b
3c
3d
219
SGOS 6.2 Administration Guide
220
Chapter 9: Managing the SSL Proxy
221
SGOS 6.2 Administration Guide
IPv6 Support
The SSL proxy is able to communicate using either IPv4 or IPv6, either explicitly
or transparently.
In addition, for any service that uses the SSL proxy, you can create listeners that
bypass or intercept connections for IPv6 sources or destinations.
Checking CRLs
An additional check on the server certificate is done through Certificate
Revocations Lists (CRLs). CRLs show which certificates are no longer valid; the
CRLs are created and maintained by Certificate Signing Authorities that issued
the original certificates.
Only CRLs that are issued by a trusted issuer can be used by the ProxySG. The
CRL issuer certificate must exist as CA certificate on the ProxySG before the CRL
can be imported.
The ProxySG allows:
❐ One local CRL per certificate issuing authority.
❐ An import of a CRL that is expired; a warning is displayed in the log.
❐ An import of a CRL that is effective in the future; a warning is displayed in the
log.
222
Chapter 9: Managing the SSL Proxy
223
SGOS 6.2 Administration Guide
224
Chapter 9: Managing the SSL Proxy
225
SGOS 6.2 Administration Guide
3
4
8b
8c
8a 8d
3. In the Name field, enter a meaningful name for this SSL proxy service.
226
Chapter 9: Managing the SSL Proxy
4. From the Service Group drop-down list, select to which service this
configuration applies. By default, Other is selected.
5. Select SSL from the Proxy settings drop-down list.
6. TCP/IP Settings option: The Early Intercept option cannot be changed for the SSL
proxy service.
7. Select ADN options:
• Enable ADN. Select this option to configure this service to use ADN.
Enabling ADN does not guarantee the connections are accelerated by
ADN. The actual enable decision is determined by ADN routing (for
explicit deployment) or network setup (for transparent deployment).
• The Optimize Bandwidth option is selected by default if you enabled WAN
optimization during initial configuration. Clear the option if you are not
configuring WAN optimization.
8. Create a new listener:
a. Click New; if you edit an existing listener, click Edit.
b. In the Source address area, the most common selection is All, which
means the service applies to requests from any client (IPv4 or IPv6).
You can, however, restrict this listener to a specific IPv4/IPv6 address
or user subnet/prefix length.
c. Select a Destination address from the options. The correct selection
might depend on network configuration. For overviews of the options,
see "About Proxy Services" on page 120.
d. In the Port Range field, enter a single port number or a port range on
which this application protocol broadcasts. For a port ranges, enter a
dash between the start and end ports. For example: 8080-8085
e. In the Action area, select the default action for the service: Bypass tells
the service to ignore any traffic matching this listener. Intercept
configures the service to intercept and proxy the associated traffic.
f. Click OK to close the dialog. The new listener displays in the Listeners
area.
9. Click OK to close the Edit Service dialog.
10. Click Apply.
Continue with "Specifying an Issuer Keyring and CCL Lists for SSL Interception"
on page 228.
227
SGOS 6.2 Administration Guide
Note: Only keyrings with both a certificate and a keypair can be used as issuer
keyrings.
You can also change the CA Certificate Lists (CCLs) that contain the CAs to be
trusted during client and server certificate validation. The defaults are adequate
for the majority of situations. For more information about CCLs, refer to
"Authenticating a ProxySG" on page 1329.
228
Chapter 9: Managing the SSL Proxy
2. Issuer Keyring: From the drop-down menu, select the keyring to use as the
issuer keyring. Any keyring with both a certificate and a keypair in the drop-
down menu can be used.
3. CCL for Client Certificates: Choose which CAs are trusted when the SSL proxy
validates client certificates. The default is <All CA Certificates>.
4. CCL for Server Certificates: Choose which CAs are trusted when the SSL proxy
validates server certificates. The CCL for server certificates is relevant even
when SSL proxy is tunneling SSL traffic. The default is browser-trusted.
5. Click Apply.
To configure policy, see "Configuring SSL Rules through Policy" on page 233.
229
SGOS 6.2 Administration Guide
Note: You can e-mail the console URL corresponding to the issuer certificate to
end users so that the he or she can install the issuer certificate as a trusted CA.
230
Chapter 9: Managing the SSL Proxy
5. Click Save. When the Save As dialog displays, click Save; the file downloads.
6. Click Open to view the Certificate properties; the Certificate window displays.
7. Click the Install Certificate button to launch the Certificate Import Wizard.
8. Ensure the Automatically select the certificate store based on the type of certificate
radio button is enabled before completing the wizard
9. Click Finish. the wizard announces when the certificate is imported.
10. (Optional) To view the installed certificate, go to Internet Explorer, Select Tools
> Internet Options > Contents > Certificates, and open either the Intermediate
Certification Authorities tab or the Trusted Root Certification Authorities tab,
depending on the certificate you downloaded.
231
SGOS 6.2 Administration Guide
Note: You can e-mail the console URL corresponding to the issuer certificate
to end users so that the end-user can install the issuer certificate as a trusted
CA.
5. Enable the options needed. View the certificate before trusting it for any
purpose.
6. Click OK; close the Advanced Statistics dialog.
232
Chapter 9: Managing the SSL Proxy
Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.
The options for Issuer Keyring, Hostname, Splash Text, and Splash URL all control
various aspects for certificate emulation. Fill in the fields as follows:
a. Issuer Keyring: If you selected an issuer keyring previously, that keyring
displays. If you did not select an issuer keyring previously, the default
keyring displays. To change the keyring that is used as the issuer
keyring, choose a different keyring from the drop-down menu.
b. Hostname: The host name you put here is the host name in the
emulated certificate.
233
SGOS 6.2 Administration Guide
c. Splash Text: You are limited to a maximum of 200 characters. The splash
text is added to the emulated certificate as a certificate extension.
d. Splash URL: The splash URL is added to the emulated certificate as a
certificate extension.
5. Click OK to save the changes.
You can use the Disable SSL Intercept object to disable HTTPS Intercept.
5a
5b
5. Fill in the fields as described below. You can only select one field:
a. Hostname: This is the host name of the server whose traffic you want to
intercept. After entering the host name, use the drop-down menu to
specify Exact Match, Contains, At Beginning, At End, Domain, or Regex.
b. Subject: This is the subject field in the server's certificate. After you
enter the subject, use the drop-down menu to specify Exact Match,
Contains, At Beginning, At End, Domain, or Regex.
6. Click Add, then Close; click OK to add the object to the rule.
2. Click New and select the Server Certificate Category object. The Add Server
Certificate Category Object displays. You can change the name in the top field if
needed.
234
Chapter 9: Managing the SSL Proxy
3. Select the categories. The categories you selected display in the right-hand
column.
4. Click OK.
Note: For detailed instructions on using VPM, refer to the Visual Policy Manager
Reference.
1. Select the Configuration > Policy > Visual Policy Manager tab and launch the VPM.
2. From the Policy drop-down menu, select Add SSL Access Layer.
3. In the Action column, right-click Set; the Set Action object displays.
4. Click New and select Set Server Certificate Validation object.
235
SGOS 6.2 Administration Guide
Note: The VPM is much easier to use than CPL. All CPL gestures except the
ssl.forward_proxy.server_keyring property, used only for troubleshooting, are
also in the VPM.
The following CPL gestures can be used in the SSL Intercept Layer:
236
Chapter 9: Managing the SSL Proxy
• ssl.forward_proxy( ) • ssl.forward_proxy.splash_text( )
• ssl.forward_proxy.hostname( ) • trace.destination( )
• ssl.forward_proxy.issuer_keyring • trace.request( )
( )
• ssl.forward_proxy.server_keyring • trace.rules( )
( )
• ssl.forward_proxy.splash_url( ) • ssl.forward_proxy.server_keyring
(used for troubleshooting only)
Allowed Actions
• log_message( ) • notify_snmp( )
• notify_email( ) •
Allowed Conditions
• category • proxy.port
• client.address • server.certificate.hostname
• client.host • server.certificate.hostname.category
• client.host.has_name • server.certificate.subject
• client.protocol • server_url.*
• proxy.address • url.*
• proxy.card •
237
SGOS 6.2 Administration Guide
• ssl.proxy_mode= • client.protocol=
tunneled=
Notes
238
Chapter 9: Managing the SSL Proxy
❐ If the ProxySG and the origin content server cannot agree on a common cipher
suite for intercepted connections, the connection is aborted.
❐ Server-Gated Cryptography and step-up certificates are treated just as regular
certificates; special extensions present in these certificates are not be copied
into the emulated certificate. Clients relying on SGC/step-up certificates
continue using weaker ciphers between the client and the ProxySG when the
SSL proxy intercepts the traffic.
239
SGOS 6.2 Administration Guide
Note: Some SSL statistics (SSL client connections and total bytes sent and
received over a period of time) can only be viewed through the Management
Console (see "Unintercepted SSL Data" on page 240 and "Unintercepted SSL
Clients" on page 241).
Status Description
Current Unintercepted SSL Sessions The current number of unintercepted SSL client
connections.
Total Unintercepted SSL Sessions The cumulative number of unintercepted SSL
client connections since the ProxySG was last
rebooted.
Total Bytes Sent The total number of unintercepted bytes sent.
Total Bytes Received The total number of unintercepted bytes received.
240
Chapter 9: Managing the SSL Proxy
2. Select a time period for the graph from the Duration: drop-down list. The
default is Last Week.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
241
SGOS 6.2 Administration Guide
2. Select the Duration: for the graph from the drop-down list. The default is Last
week.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
242
Chapter 9: Managing the SSL Proxy
Installing OpenSSL
After OpenSSL is installed, you must edit the openssl.cnf file and ensure the
pathnames are correct. By default root certificates are located under ./PEM/DemoCA;
generated certificates are located under /certs.
243
SGOS 6.2 Administration Guide
2. Type any string more than four characters for the PEM pass phrase.
3. Enter the certificate parameters, such as country name, common name that are
required for a Certificate Signing Request (CSR).
The private key and root CA are now located under the directory ./PEM/
DemoCA/private
6. Paste the contents of the CSR into a text file called new.pem located in the ./bin
directory.
244
Chapter 9: Managing the SSL Proxy
b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the certificate, being sure to include the -----BEGIN
CERTIFICATE---- and the ----END CERTIFICATE----- statements in
the ./bin/PEM/demoCA/private/CAcert file.
d. Click OK.
245
SGOS 6.2 Administration Guide
246
Chapter 9: Managing the SSL Proxy
Note: Ensure this keyring is used as the issuer keyring for emulated
certificates. Use policy or the SSL intercept setting in the Management
Console or the CLI.
b. Click Import; enter the certificate name in the CA Cert Name field.
c. Paste the certificate, being sure to include the -----BEGIN
CERTIFICATE---- and the ----END CERTIFICATE----- statements in
the ./bin/PEM/demoCA/private/CAcert file.
d. Click OK.
247
SGOS 6.2 Administration Guide
248
Chapter 10: Accelerating File Sharing
This chapter discusses file sharing optimization. File sharing uses the Common
Internet File System (CIFS) protocol.
249
SGOS 6.2 Administration Guide
LEGEND:
A: Branch ProxySG.
B: Concentrator ProxySG.
C: File server containing objects requested by branch users.
DATA FLOW:
1: A branch client requests a file from a server at the core office.
2: If the branch proxy has the object or part of the object cached, it is served back to the client;
otherwise, the request for uncached objects is sent to the core office. With the default CIFS proxy
configuration, the ProxySG attempts to read ahead—anticipate what part(s) of a specific object might
be requested next.
3: With the default CIFS proxy configuration, byte caching compresses the data over the TCP
connection.
4: The Concentrator performs decompression and authentication tasks, accesses the content server,
and returns the content back to the branch.
5. The client receives the requested content. In addition, the anticipated content is cached so that future
requests for it can be served without requesting it from the data center.
6. Another client requests access to a file on the core server, but wants to write to the file. With the
default CIFS proxy configuration, the branch ProxySG continuously informs the client that has written
the data and that it is okay to write the next block. Simultaneously, the ProxySG sends the data over
the WAN to the file server, thus maximizing the data pipeline.
250
Chapter 10: Accelerating File Sharing
Caching Behavior
The CIFS proxy caches the regions of files that are read or written by the client
(partial caching) and applies to both read and write file activities. Also, the
caching process respects file locking.
Authentication
The CIFS proxy supports both server and proxy authentication in the following
contexts.
Server Authentication
Permissions set by the origin content server (OCS) are always honored. Requests
to open a file are forwarded to the OCS; if the OCS rejects the client access request,
no content is served from the cache.
Note: NTLM/IWA authentication requires that the client knows what origin
server it is connecting to so it can obtain the proper credentials from the domain
controller.
Proxy Authentication
The ProxySG cannot issue a challenge to the user over CIFS, but it is able to make
use of credentials acquired by other protocols if IP surrogates are enabled.
Policy Support
The CIFS proxy supports the proxy, cache, and exception policy layers. However,
the SMB protocol can only return error numbers. Exception definitions in the
forms of strings cannot be seen by an end user. See "Reference: CPL Triggers,
Properties, and Actions" on page 264 for supported CPL triggers and actions.
Access Logging
By default, the ProxySG uses a Blue Coat-derived CIFS access log format.
date time c-ip r-ip r-port x-cifs-method x-cifs-server x-cifs-share
x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read
x-cifs-server-bytes-read x-cifs-bytes-written x-cifs-file-type
s-action cs-username cs-auth-group s-ip
For a reference list and descriptions of used log fields, see "Reference: Access Log
Fields" on page 261.
WCCP Support
If WCCP is deployed for transparency, you must configure WCCP to intercept
TCP ports 139 and 445.
251
SGOS 6.2 Administration Guide
Note: This procedure follows the Control Panel Classic View format. The
screen shots represent Microsoft Windows XP.
1. In Windows, select Start > Control Panel > Administrative Tools > Local Security
Policy. The Local Security Settings dialog appears.
252
Chapter 10: Accelerating File Sharing
7. You must reboot the client or server to apply this configuration change.
253
SGOS 6.2 Administration Guide
Also, by default these services are configured to accept all IP addresses in Bypass
mode. The procedure in this section describes how to change them to Intercept
mode, and explains other attributes within the service.
2a
2b
254
Chapter 10: Accelerating File Sharing
2a
2b
2c
2d
2f
255
SGOS 6.2 Administration Guide
256
Chapter 10: Accelerating File Sharing
Process Flow
1a—A Windows XP client initiates a file access request with SMB-tagged packets (enabled or
required).
1b—The OCS is configured as SMB-enabled, but the traffic between the branch and the
Concentrator is not signed and the traffic between the Concentrator and the OCS is
unsigned. The transaction continues back to the branch ProxySG, which downgrades the
traffic to signing not required. Optimization is achieved.
2a—A Windows XP client initiates a file access request with SMB-tagged packets (enabled
or required).
2b—Because the OCS is configured as SMB-required, the traffic between the Concentrator
and the OCS is signed (and optimized). However, just as with SMB-enabled, the branch
ProxySG downgrades the traffic to signing not required and CIFS traffic is optimized.
Figure 10–2 OCS Configuration Determines ProxySG Process
Traffic between the branch and the Concentrator is not signed. Regardless of the
OCS SMB configuration, the client receives a message that the packets do not
require SMB signatures (see Figure 4-2 above). This enables the ProxySG to
intercept the CIFS protocol and provide optimization. Because of slightly higher
use of the CPU, enabling SMB signing on clients and servers slightly decreases
performance.
Notes
❐ If the client is configured to require SMB signing, which is not a common
configuration, the ProxySG cannot provide CIFS optimization; the traffic
passes through with only the benefits provided by the general ADN
configuration.
❐ If an error occurs, such as problems with the specified domain access
credentials, the ProxySG allows the traffic to pass through.
257
SGOS 6.2 Administration Guide
Prerequisite
Before configuring SMB signing (on the ProxySG), you must create a user in the
domain that represents the ProxySG. When SMB signing is required by the OCS,
the ProxySG CIFS proxy uses this virtual user’s credentials. This user cannot be a
guest or anonymous.
2
2
3
2. In the SMB Signing area, select Enable protocol optimizations on signed SMB traffic
using the following credentials.
3. In the Username field, enter the user name that you created in the domain.
Ensure you enter the name exactly as created. It is optional to enter the
domain to which the username belongs.
4. Enter the username password that the ProxySG sends to access the domain:
a. Click Set Password. The Set Password dialog displays.
b. Enter the password in both fields.
c. Click OK.
5. Click Apply.
258
Chapter 10: Accelerating File Sharing
❐ Debug Logs—
• Signature computation fails.
• Packet signing error.
• Each time a domain or server authentication result, success or failure,
occurs with pass-through connections.
❐ Active Sessions—Authentication failure when using SMB user credentials
during a pass-through connection.
❐ Access Log—Successful logging on and off using SMB user credentials.
2a
2b
259
SGOS 6.2 Administration Guide
2. View statistics:
a. From the Service or Proxy drop-down list, select CIFS.
b. Select a statistic category tab:
• CIFS Objects: The total number of CIFS-related objects processed by the
ProxySG (read and written).
• CIFS Bytes Read: The total number of bytes read by CIFS clients.
• CIFS Bytes Written:
The total number of bytes written by CIFS clients
(such as updating existing files on servers).
• CIFS Clients: The total number of connected CIFS clients.
• CIFS Bandwidth Gain: The total bandwidth usage for clients (yellow) and
servers (blue), plus the percentage gain.
c. The graphs display three time metrics: the previous 60 minutes, the
previous 24 hours, and the previous 30 days. Select Duration: from the
drop-down list. Roll the mouse over any colored bar to view details.
3. (Optional) You can change the scale of the graph to display the percentage of
bar peaks to display.
260
Chapter 10: Accelerating File Sharing
• FAILED: CIFS operation was successful on the server but failed on the
proxy for some internal reason.
• SUCCESS: CIFS operation was successful on the server (did not go through
policy checkpoint).
❐ s-ip: IP address of the appliance on which the client established its
connection.
❐ x-cifs-client-bytes-read: Total number of bytes read by a CIFS client from
the associated resource. For OPEN/CLOSE, it is the total for that specific file. For
MOUNT/UNMOUNT, the total for all files accessed in that share. For LOGON/
LOGOFF, the total for all files accessed in that session. For CONNECT/
DISCONNECT, the total for all files accessed during that connection.
261
SGOS 6.2 Administration Guide
❐ x-cifs-method: The method associated with the CIFS request. The list of CIFS
methods are:
• CONNECT: For TCP-level connect from client to CIFS server.
• DISCONNECT: For TCP-level connection shutdown.
• LOGON: For SESSION_SETUP_ANDX SMB command.
• LOGOFF: For LOGOFF_ANDX SMB command.
• LOGOFF_ON_PASSTHRU: For removal of cached session from proxy upon
PASSTHRU.
262
Chapter 10: Accelerating File Sharing
263
SGOS 6.2 Administration Guide
Triggers
❐ attribute.<name>=, has_attribute.<name>=
❐ client.address=, client.host=, client.host.has_name=
❐ client.protocol=cifs
❐ content_management=no
❐ condition=
❐ date[.utc]=, day=, hour=, minute=, month=, weekday=, year=, time=
❐ has_client=
❐ proxy.address=, proxy.port=, proxy.card=
❐ raw_url=
❐ release.*=
❐ server_url=
❐ service.name=cifs
❐ tunneled=
❐ url=cifs://<ip>:<port>/
❐ user.*=, group=, realm=, authenticated=
264
Chapter 10: Accelerating File Sharing
❐ authenticate.*()
❐ allow, deny, deny.*(), exception.*(), force_deny.*(),
force_exception.*()
❐ bypass_cache()
❐ detect_protocol(cifs), force_protocol(cifs)
❐ limit_bandwidth(bandwidth_class)
❐ reflect_ip()
❐ rewrite(url), rewrite(url.host), set(url.port)
❐ trace.*()
265
SGOS 6.2 Administration Guide
266
Chapter 11: Accelerating the Microsoft Outlook Application
(Endpoint Mapper and MAPI Proxies)
This chapter discusses the Endpoint Mapper service and MAPI proxy, which
function together to intercept traffic generated by Microsoft Outlook clients
and accelerate traffic over the WAN.
267
SGOS 6.2 Administration Guide
Note: Only Microsoft RPC version 5.0 is supported. If the RPC version is not 5.0,
the connection is terminated.
268
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
e-mail application users experience debilitating response times for not only
sending and receiving mail, but accessing message folders or changing calendar
elements.
With the release of Exchange Server 2003 and subsequent versions of Outlook,
Microsoft introduced data encoding to enhance the efficiency and security of file
transfers. However, file encoding prevents data sent with the MAPI protocol from
matching with data sent using other protocols (HTTP, CIFS, FTP, etc.), thereby
limiting byte cache effectiveness.
269
SGOS 6.2 Administration Guide
LEGEND:
A: A ProxySG at a branch office (Branch peer); Endpoint Mapper proxy is configured on port
135; MAPI proxy: MAPI handoff, batching, and keep-alive are enabled.
B: A ProxySG appliance (Concentrator peer) at a corporate location.
C: Wide Area Network (Internet); the ProxySG peers communicate through a TCP tunnel.
D: Microsoft Exchange server at the core.
PROCESS FLOW:
1: During business hours, two branch Microsoft Outlook clients send e-mails with
attachments.
2: The Branch peer batches RPC messages into larger chunks. If there is relevant data, such
as attachments, the Branch peer will also decode the files compressed by Outlook.
3: With the default Endpoint Mapper proxy configuration, Blue Coat ADN compresses the data
over the TCP connection. The data is byte cached with all compatible protocols.
4: The Concentrator performs decompression and connects to the Exchange server for
processing to destination client. The Concentrator will also compress data decoded by the
Branch peer for processing by the Microsoft Exchange server.
5. Another user logs out of Microsoft Outlook at the end of the day. With keep-alive configured,
the ProxySG maintains a connection to the Exchange server and continues to queue sent
mail, creating a ‘warm’ byte cache. A warm byte cache holds data that will be fetched at a
later time.
6. When the user logs in the next morning, the ProxySG delivers the cached mail,
eliminating excessive WAN traffic increase.
270
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
271
SGOS 6.2 Administration Guide
272
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
The encrypted MAPI acceleration feature expects the Outlook client to use the
Simple and Protected Negotiation (SPNEGO) security protocol, and as a result the
proxy will negotiate NTLM protocol on the client side and Kerberos on the server
side. SPNEGO is used when a client application wants to authenticate to a remote
server, but neither end is sure what authentication protocols the other supports.
For configuration details, see "Optimizing Encrypted MAPI Traffic" on page 279.
273
SGOS 6.2 Administration Guide
❐ Non-secure ADN can be reported in the Active Sessions at the branch even
though secure ADN is enabled on the Branch and Concentrator peers. This
can happen when Outlook establishes a plain connection with the Exchange
server and then switches to the secure authentication level in the middle of a
MAPI conversation. When this happens, the encrypted MAPI session goes
through a plain ADN tunnel, without acceleration benefits.
To prevent this, enable the Secure all ADN routing and tunnel connections option.
❐ Encrypted MAPI is not supported if the Branch peer fails to authenticate the
user by using NTLM and Kerberos authentication protocols within the
Exchange domain.
274
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
2a
2b
b. If the Action for the default service (port 135) is set to Bypass, select
Intercept from the drop-down list(s).
3. Click Apply.
275
SGOS 6.2 Administration Guide
276
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
2a
2b
2c
2d
Note: Before enabling acceleration for encrypted MAPI, make sure you
have performed the required setup tasks on the Domain Controller, and
on the Branch and Concentrator peers. See "Optimizing Encrypted
MAPI Traffic" on page 279 for details.
277
SGOS 6.2 Administration Guide
c. Batching: If enabled, this option reduces the MAPI message count sent
over the ADN tunnel during attachment upload and download. This
reduction in message roundtrips saves time.
Note: For the batching option to produce additional time gains, the
Cached Exchange Mode option on the Outlook client must be disabled.
d. Keep-Alive: After a user logs out of Outlook, the MAPI RPC connection
remains and the ProxySG continues to receive incoming messages to
this account. If disabled (the default), no attempts to contact the server
occur until the next time the user logs into his/her Outlook account.
This might create a noticeable decrease in performance, as the queue of
unreceived mail is processed.
• Interval: If Keep-Alive is enabled, how often the MAPI proxy contacts the
Exchange server to check for new messages.
• Duration:If Keep-Alive is enabled, how long the MAPI proxy maintains
the connection to the Exchange server. The connection is dropped if
the duration exceeds this value or once a user logs back in to the mail
application.
• Maximum Sessions: Limits the number of occurring active keep-alive
sessions. If a new keep-alive session starts, and the specified limit is
already exceeded, the oldest keep-alive session is not dropped but no
new keep-alive sessions are created.
3. Click OK.
4. Click Apply.
• MAPI Clients Bytes Written: The total number of bytes written by MAPI
clients.
• MAPI Clients: The total number of MAPI connections.
b. The graphs display three time metrics: the previous 60 minutes, the
previous 24 hours, and the previous month. Roll the mouse over any
colored bar to view the exact metric.
278
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
3. (Optional) You can change the scale of the graph to display the percentage of
bar peaks to display.
2. From the first Filter drop-down list, select Proxy; from the second drop-down
list, select MAPI.
3. Click Show. The Proxied Sessions area displays MAPI statistics.
1 Prepare the Domain Controller to support the Trust "Prepare the Domain Controller to
Delegation feature. Support Trust Delegation" on page 279
2 Ensure that the clocks on the ProxySG appliances "Synchronize the ProxySG Appliances
at the branch office and core are synchronized and DC Clocks" on page 280
with the Domain Controller.
3 Configure secure ADN between the Branch and "Verify Secure ADN" on page 280.
Concentrator peers.
4 Join the ProxySG at the branch to the primary "Join the Branch Peer to the Primary
domain (the same domain where the Exchange Domain" on page 281
server is installed).
6 Enable MAPI encryption on the ProxySG at the "Enable MAPI Encryption Support" on
branch office. page 284
The trust delegation feature (configured in a later task) requires that the domain
functional level be at Windows Server 2003 (or newer).
279
SGOS 6.2 Administration Guide
3. From Select an available domain functional level, select Windows Server 2003 (or
newer) and click Raise.
Note: After raising the domain functional level to Windows Server 2003 from
Windows 2000, you cannot add additional Windows 2000 servers to this
domain.
280
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
1. On the Branch peer, select the Configuration > ADN > General > Device Security tab.
2. Verify an SSL Device Profile is selected; if not, select one (if you need to create
one, refer to the Help System.
3. Click Apply to commit any changes.
4. Select the Configuration > ADN > General > Connection Security tab.
5. In the Secure-Outbound Mode area, verify a secure option is selected.
6. Click Apply to commit any changes.
281
SGOS 6.2 Administration Guide
1a
1b
1c
1. Create a domain alias that will be used during encrypted MAPI configuration:
a. From the Management Console, select the Configuration > Authentication
> Windows Domain > Windows Domain tab.
2b
2c
2d
2e
b. As only one domain name alias at a time is allowed, the one you
created in Step 1 populates in the Domain name field.
c. In the DNS domain name field, enter the domain name. This is not a fully
qualified domain name.
282
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
Note: Troubleshooting tip: The DNS name must resolve to the correct IP
address; verify the DNS server/ProxySG configuration if this does not
occur.
d. In the SG host name field, enter the hostname to use for this ProxySG.
Blue Coat recommends the appliance name or any name helpful for
your recognition.
e. Click Join Domain; the Join Domain dialog displays.
• Enter the primary domain access user name and password in the
format: username@dnsname. For example: hub.porter@corp.com. This
account must have administrator privileges.
• Click OK to close the dialog.
f. Click Apply.
If you don’t see the Delegation tab, you did not raise the delegation level to
Windows Server 2003 or newer. See "Prepare the Domain Controller to
Support Trust Delegation" on page 279.
b. Click Use any authentication protocol.
c. Click Add; in Add Services, click Users and Computers.
283
SGOS 6.2 Administration Guide
d. In the Enter the object names to select (examples) field, enter the name of
the Exchange server for which the system will be trusted to delegate
and click OK.
e. In Add Services, click the Exchange MDB that will be trusted for
delegation and click OK.
f. Repeat steps d and e for any other endpoint Exchange servers that
accept MAPI connections.
g. Click OK to close the Properties dialog.
1. In the Management Console of the Branch peer, select the Configuration > Proxy
Settings > MAPI Proxy tab.
2. Select the Enable acceleration for encrypted MAPI option; the Domain alias list
automatically populates with the alias created in "Join the Branch Peer to the
Primary Domain" on page 281.
3. Click Apply.
284
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
285
SGOS 6.2 Administration Guide
❐ Display Errored Sessions (Statistics > Sessions > Errored Sessions) to investigate
various MAPI issues related to client/server socket failures.
286
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
287
SGOS 6.2 Administration Guide
288
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
289
SGOS 6.2 Administration Guide
290
Chapter 11: Accelerating the Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)
MAPI_2003
MAPI_2007
MAPI_2010
Encrypted_MAPI_2007
Encrypted_MAPI_2010
291
SGOS 6.2 Administration Guide
292
Chapter 12: Managing the File Transport Protocol (FTP)
Proxy
This chapter discusses the Blue Coat implementation of proxy support for File
Transport Protocol (FTP).
How Do I...?
To use this chapter, identify the task and click the link:
Customize the welcome banner for the FTP "Configuring FTP Connection Welcome
proxy? Banners" on page 300
About FTP
The ProxySG supports two FTP modes:
❐ Native FTP, where the client connects through the FTP proxy, either
explicitly or transparently; the ProxySG then connects upstream through
FTP (if necessary).
293
SGOS 6.2 Administration Guide
❐ Web FTP, where the client uses an explicit HTTP connection. Web FTP is used
when a client connects in explicit mode using HTTP and accesses an ftp://
URL. The ProxySG translates the HTTP request into an FTP request for the
origin content server (OCS), if the content is not already cached, and then
translates the FTP response with the file contents into an HTTP response for
the client.
Native FTP uses two parallel TCP connections to transfer a file, a control connection
and a data connection.
❐ Control connections: Used for sending commands and control information,
such as user identification and password, between two hosts.
❐ Data connections: Used to send the file contents between two hosts. By
default, the ProxySG allows both active and passive data connections.
• Active mode data connections: Data connections initiated by an FTP
server to an FTP client at the port and IP address requested by the FTP
client. This type of connection method is useful when the FTP server can
connect directly to the FTP client. The FTP command for active mode is
PORT (for IPv4) or EPRT (for IPv6). When an IPv4 FTP client is
communicating with an IPv6 FTP server, the ProxySG will perform the
required conversion (PORT to EPRT); the clients and servers will be
unaware that this conversion has taken place.
• Passive mode data connections: Data connections initiated by an FTP
client to an FTP server at the port and IP address requested by the FTP
server. This type of connection is useful in situations where an FTP server
is unable to make a direct connection to an FTP client because the client is
located behind a firewall or other similar device where outbound
connections from the client are allowed, but inbound connections to the
client are blocked. The FTP command for passive mode is PASV (for IPv4)
or EPSV (for IPv6). When an IPv4 FTP client is communicating with an
IPv6 FTP server, the ProxySG will perform the required conversion (PASV
to EPSV); the clients and servers will be unaware that this conversion has
taken place.
Note: When using the FTP in active mode, the FTP data connection is formed
from the server (OCS) to the client, which is opposite from the direction of the
FTP control connection. As a result, when the FTP connections are enabled for
ADN, the roles of the Branch and Concentrator for the data connection are in
reverse of those used for the control connection. The type of ADN tunnel
(Explicit, Translucent or Transparent) set up for the data connection is
therefore dictated by the tunnel mode configuration, which can be used for
any connection from the server to the client that needs to go over ADN. For
more information, see "Configuring the Tunnel Mode" on page 806.
For example, if the control connection for an Active mode FTP uses explicit
ADN tunnels, it is possible that the data connection that goes from the server
294
Chapter 12: Managing the File Transport Protocol (FTP) Proxy
to the client is transparent. To use explicit connections for the FTP data
connection as well, it might be necessary to advertise the FTP client’s subnet
address on the ProxySG appliance intercepting the FTP connection.
❐ Server-side control connection: The proxy uses the IP address selected by the
reflect_ip(auto | no | client | vip | ip_address) property. By default, this
is the local proxy IP address associated with the interface used to connect to
the server.
Client IP reflection is set globally from the Configuration > Proxy Settings >
General tab. By default, the CPL reflect_ip( ) setting is auto, which uses this
global configuration value.
295
SGOS 6.2 Administration Guide
Client IP reflection will automatically be disabled when the client is IPv4 and
the server is IPv6.
Note: Setting client IP address reflection for FTP affects the source address
that is used when making the outgoing control connection to the origin
server. It might also affect which address is used by the proxy for data
connections.
For information on creating and modifying policy through VPM, refer to the
Visual Policy Manager Reference. For information on creating and modifying policy
through CPL, refer to the SGOS 6.2 Administration Guide. The
ftp.match_server_data_ip( ) and ftp.match_client_data_ip( ) properties can
only be set through CPL.
Note: Some clients might display an error when passive mode is disabled on the
ProxySG, requiring you to manually request active mode using the PORT/EPRT
FTP commands.
The FTP client software controls any messages displayed to the end user as a
result of this response from the ProxySG.
296
Chapter 12: Managing the File Transport Protocol (FTP) Proxy
Notes
❐ Internet Explorer does not support proxy authentication for native FTP.
❐ The FTP proxy does not support customized exception text; that is, you can
use policy to deny requests, but you can't control the text sent in the error
message.
Note: Web FTP requires an HTTP service, not an FTP service. For information on
configuring an HTTP proxy service, see Chapter 8: "Intercepting and Optimizing
HTTP Traffic" on page 169.
297
SGOS 6.2 Administration Guide
2a
2b
298
Chapter 12: Managing the File Transport Protocol (FTP) Proxy
2a
2b
2c
2d
2e
where current_time is the time when the object was requested by the
client. So, if it’s been 10 days since the object was modified, and the setting
is 10%, the object will be cached for one day.
c. Enter an amount, in hours, that the object remains in the cache before
becoming eligible for deletion. This setting applies to objects for which
the last-modified date is unknown. The default is 24 hours.
d. Select Allow use of passive mode to clients. The default is enabled, allowing
data connections to be initiated by an FTP client to an FTP server at the
port and IP address requested by the FTP server. (Active mode
connections are always allowed, regardless of whether the passive
mode setting is enabled or disabled.)
e. (Optional) See "Configuring FTP Connection Welcome Banners" on
page 300.
3. Click Apply.
299
SGOS 6.2 Administration Guide
Note: Neither proxy authentication for transparent FTP nor proxy chaining are
supported with the Checkpoint syntax. When native FTP traffic from an FTP
client (such as WSFtp) is being authenticated by the ProxySG using the Raptor
syntax, the recommended authentication mode is auto or proxy.
300
Chapter 12: Managing the File Transport Protocol (FTP) Proxy
However, you might not want users to know that a ProxySG exists on the
network. A default banner can be defined in the Management Console or the CLI,
but other banners defined for specific groups can be created in policy layers.
Note: Configurable banners are only displayed when FTP is explicitly proxied
through the ProxySG. In transparent deployments, the banner is sent to the client
when proxy authentication is required; otherwise, the FTP server sends the
banner.
3. Click Apply.
Related CPL Syntax to Create Policy that Overrides the Default Banner
<Proxy>
ftp.welcome_banner("message")
If entering text that spans more than one line, use $(crlf) for line breaks.
301
SGOS 6.2 Administration Guide
302
Chapter 13: Managing the Domain Name Service (DNS)
Proxy
This chapter discusses managing Domain Name Service (DNS) traffic through
the DNS proxy on the ProxySG (to configure the ProxySG connections to DNS
servers, see "Adding DNS Servers to the Primary or Alternate Group" on page
892).
IPv6 Support
The DNS proxy is able to communicate using IPv4 or IPv6, either explicitly or
transparently.
The resolving name list can contain entries for IPv4 and IPv6 addresses. An
entry can contain either IPv4 or IPv6 addresses, although you cannot combine
IPv4 and IPv6 addresses in a single entry.
303
SGOS 6.2 Administration Guide
2a
2b
304
Chapter 13: Managing the Domain Name Service (DNS) Proxy
Note: You can also create a resolving name list using the Visual Policy Manager
(VPM). For more information about the DNS Access Layer in the VPM, refer to the
Blue Coat SGOS 6.x Visual Policy Manager Reference.
305
SGOS 6.2 Administration Guide
306
Chapter 14: Managing a SOCKS Proxy
Note: For information on the Permeo Premium Agent (Permeo PA), see "Using
the Permeo PA SOCKS Client with the Blue Coat SOCKS Server" on page 311.
In a typical deployment, the SOCKS proxy works with the Endpoint Mapper
proxy and MAPI handoff. In this deployment, you will:
❐ Create an Endpoint Mapper proxy at the remote office (the downstream
proxy) that intercepts Microsoft RPC traffic and creates dynamic TCP
tunnels. Traffic to port 135 is transparently redirected to this service using
bridging or L4 switch or WCCP. For information on creating and enabling
an Endpoint Mapper proxy service, see Chapter 11: "Accelerating the
Microsoft Outlook Application (Endpoint Mapper and MAPI Proxies)" on
page 267.
❐ Create any other TCP tunnel proxies you need at the remote office: SMTP,
DNS, and the like. For information on configuring TCP tunnels, see Section
C:"Creating Custom Proxy Services" on page 130.
307
SGOS 6.2 Administration Guide
❐ Create a SOCKS gateway at the remote office and enable compression for that
gateway. This SOCKS gateway points to a SOCKS proxy located at the main
office location (the upstream proxy, the core of the network). For information
on creating a SOCKS gateway and enabling SOCKS compression, see
Chapter 40: "SOCKS Gateway Configuration" on page 915.
❐ Set policy to forward TCP traffic through that SOCKS gateway. You can do
this through the <proxy> layer using either the VPM or CPL. For more
information, see "Using Policy to Control the SOCKS Proxy" on page 310.
2a
3. Click Apply.
308
Chapter 14: Managing a SOCKS Proxy
2. The displayed defaults should be sufficient for most purposes. The following
table discusses the options.
309
SGOS 6.2 Administration Guide
❐ If browsers and FTP clients are configured to use SOCKS encapsulation and a
rule in policy is matched that denies a transaction, a page cannot be displayed
message displays instead of an exception page.
310
Chapter 14: Managing a SOCKS Proxy
This is expected behavior, as a deny action abruptly closes the client's TCP
connection, yet the client is expecting a SOCKS-style closure of the connection.
You can avoid this, and return an exception page, by applying the following
policy:
• If using the VPM, go to a Web Access Layer, create two rules. For the first
rule, select Service > New > Client Protocol > SOCKS > TCP Tunneling over SOCKS;
for the second, select Service > New > Client Protocol > SOCKS > All SOCKS.
• If using CPL, enter the following:
<Proxy>
DENY socks=yes tunneled=yes
DENY socks=yes
Using the Permeo PA SOCKS Client with the Blue Coat SOCKS Server
The ProxySG can be used as a SOCKS gateway by the Permeo Premium Agent
(PA), with full licensing support and Dynamic Port Management (DPM)
functionality.
The ProxySG supports the Windows Permeo PA SOCKS client version 5.12a,
including those clients that require the special probe license protocol and
corresponding customer ID. Note that each ProxySG can only support PA clients
with the same customer ID.
Licensing the PA SOCKS client on the ProxySG is a two-step process:
❐ Get the customer ID from the PA client.
❐ Tell the ProxySG the PA customer ID.
Note: The default license setting for the Permeo PA client on the ProxySG is
off. This setting should only be enabled when you are using the PA client.
311
SGOS 6.2 Administration Guide
Note: You cannot validate the license through the Management Console.
312
Chapter 14: Managing a SOCKS Proxy
where customer_id is the Customer ID number you took from the About tab on
the PA client.
Limitations
❐ Protocol Detection interferes with SOCKS and must be disabled on the
ProxySG. The CPL policy should include the line detect_protocol(no).
❐ SOCKS compression should be disabled when using the PA SOCKS client.
The CPL policy should include the line socks.accelerate(no).
❐ The ProxySG only supports username and password authentication between
the ProxySG and the SOCKS Permeo PA client.
❐ The ping and trace route functions from Permeo PA administrator tool are not
compatible with this release (5.1).
❐ Proxy chaining is not supported between the ProxySG and the Permeo
Application Gateway (ASG).
❐ The policy update feature on the PA is not supported when using the
ProxySG. PA can get policy from the HTTP source as well as the ASG so it can
still perform automatic updates from a external Web server.
❐ Only the UPWD authentication method is supported.
Note: The SOCKS history statistics are available only through the Management
Console.
313
SGOS 6.2 Administration Guide
314
Chapter 14: Managing a SOCKS Proxy
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
315
SGOS 6.2 Administration Guide
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
316
Chapter 15: Managing Shell Proxies
This chapter discusses how to configure the Telnet shell proxy. Shell proxies
provide shells which allow a client to connect to the ProxySG. In this version,
only a Telnet shell proxy is supported.
Substitution Description
317
SGOS 6.2 Administration Guide
Substitution Description
client.protocol This is telnet.
client.address IP address of the client. IPv4 and IPv6 addresses
are accepted.
Conditions
• category= • client.protocol=telnet
• client.address= • url.scheme=telnet
Properties
318
Chapter 15: Managing Shell Proxies
Actions
:
319
SGOS 6.2 Administration Guide
320
Chapter 15: Managing Shell Proxies
Bypass Recommended
service group (by default)
2. Scroll to the Bypass Recommended service group and click it to expand the list.
3. Select Telnet.
4. From the drop-down list, select Intercept.
5. Click Apply.
321
SGOS 6.2 Administration Guide
2. To set the maximum concurrent connections, select Limit Max Connections. Enter
the number of maximum concurrent connections allowed for this service.
Allowed values are between 1 and 65535.
3. (Optional) Change the default banner settings.
• Welcome banner—Users see this when they enter the shell. The default
string is: Blue Coat $(module_name) proxy.
• Realm banner—Users see this help message just before they see the
Username prompt for proxy authentication. The default string is:
Enter credentials for realm $(realm).
322
Chapter 15: Managing Shell Proxies
Note: The Shell history statistics are available only through the Management
Console.
2. Select a time- period for the graph from the Duration: drop-down list. The
default setting is last hour.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
323
SGOS 6.2 Administration Guide
324
Chapter 16: Configuring and Managing an HTTPS Reverse
Proxy
This section describes how to use the Blue Coat HTTPS Reverse Proxy solution.
It includes the following topics:
❐ Section A: "About the HTTPS Reverse Proxy" on page 326
❐ Section B: "Configuring the HTTPS Reverse Proxy" on page 327
❐ Section C: "Configuring HTTP or HTTPS Origination to the Origin Content
Server" on page 333
325
SGOS 6.2 Administration Guide
326
Chapter 16: Configuring and Managing an HTTPS Reverse Proxy
Note: One common scenario in using HTTPS reverse proxy, which connects the
client to the ProxySG, is in conjunction with HTTPS origination, which is used to
connect to the origin content server (OCS). For more information on this option,
see Section C: "Configuring HTTP or HTTPS Origination to the Origin Content
Server" on page 333.
Prerequisite Tasks
Before creating an HTTPS reverse proxy service, you must:
❐ Create or import a keyring (Configuration > SSL > Keyrings > SSL Keyrings).
❐ (If necessary) Create a Certificate Signing Request (CSR) that can be sent to a
Certificate Signing Authority (CA). After the CSR has been signed and the
certificate has been created, import the certificate to the keyring you created or
imported in the previous step. (Go to Configuration > SSL > Keyrings. Select the
keyring you created or imported, and then click Edit. In the Certificate Signing
Request section, click Import, paste the CSR, and click OK. Click Close > Apply).
❐ Import the server certificate issued by CA authorities for external use and
associate it with the keyring. (Configuration > SSL > External Certificates > External
Certificates).
-or-
❐ Create a certificate for internal use and associate it with the keyring.
❐ (Optional, if using server certificates from CAs) Importing Certificate
Revocation Lists (CRLs) so the ProxySG can verify that certificates are still
valid.
When these steps are complete, you can configure the HTTPS reverse proxy
service.
327
SGOS 6.2 Administration Guide
328
Chapter 16: Configuring and Managing an HTTPS Reverse Proxy
3
4
329
SGOS 6.2 Administration Guide
c. CA Cert List: Use the drop-down list to select any already created list
that is on the system.
d. SSL Versions: Use the drop-down list to select the version to use for this
service. The default is SSL v2/v3 and TLS v1.
e. Verify Client (Used with the Forward Client Certificate option.). Selecting
this option enables the Forward Client Certificate and puts the extracted
client certificate information into the Client-Cert header that is
included in the request when it is forwarded to the origin content
server. The header contains the certificate serial number, subject,
validity dates, and issuer (all as name=value pairs). The actual
certificate itself is not forwarded.
f. Forward Client Cert:
(Used with the Verify Client option.) Selecting this
option puts the extracted client certificate information into a header
that is included in the request when it is forwarded to the OCS.
6. Configure Application Delivery Network options:
a. Enable ADN: Enabling ADN does not guarantee acceleration—the actual
enable decision is determined by ADN routing (for explicit
deployment) and network setup (for transparent deployment)
b. The Optimize Bandwidth option is selected by default if you enabled
ADN optimization during initial configuration. Clear this option if
you are not configuring ADN optimization.
7. Create a listener, or the IP address(es) and ports that this application protocol
uses. In the Listeners area, click New. The New Listener dialog displays.
330
Chapter 16: Configuring and Managing an HTTPS Reverse Proxy
8a
8b
8c
8d
331
SGOS 6.2 Administration Guide
332
Chapter 16: Configuring and Managing an HTTPS Reverse Proxy
Steps Steps
• Configure a keyring. • (Optional) Add a forwarding host.
• Configure the SSL client. • (Optional) Set an HTTPS port.
• Configure the HTTPS service. • (Optional) Enable server certificate
ifi tiOrigination
Figure 16–2 Scenario 2: HTTP Termination with HTTPS
Steps: Steps
• Client is explicitly proxied. • Server URL rewrite.
-or-
• Add a forwarding host
• Set an HTTPS port.
• (Optional) Enable server certificate verification
Using server URL rewrite is the preferred method. For information on rewriting
the server URL, refer to Content Policy Language Guide.
333
SGOS 6.2 Administration Guide
The next scenario is useful when the ProxySG is deployed as a reverse proxy. This
scenario is used when it is not necessary for a secure connection between the
proxy and server. For information on using the ProxySG as a reverse proxy, see
Section D: "Selecting an HTTP Proxy Acceleration Profile" on page 187.
Figure 16–3 Scenario 3: HTTPS Reverse Proxy with HTTP Origination
Steps Steps
• Configure a keyring • Server URL rewrite
• Configure the SSL client -or-
• Configure the HTTPS service • Add a forwarding host (only for SGOS 3.1 or
higher)
• Set an HTTP port
Using server URL rewrite is the preferred method. For information on rewriting
the server URL, refer to Content Policy Language Guide.
You can only configure HTTP origination through the CLI. You cannot use the
Management Console.
334
Chapter 16: Configuring and Managing an HTTPS Reverse Proxy
335
SGOS 6.2 Administration Guide
336
Chapter 17: Using the ProxySG in an IPv6 Environment
337
SGOS 6.2 Administration Guide
• Managed ADN
• Transparent deployments
• Explicit deployments
• Transparent load balancing
• Explicit load balancing
For information on configuring ADN for IPv6, see "Configuring an ADN for an
IPv6 Environment" on page 349.
ADN-Managed Networks
In an ADN-managed network, the primary and backup ADN managers can be
either IPv4 or IPv6, managed nodes can connect to the manager using IPv4 or
IPv6, and the manager can advertise IPv4 and IPv6 routes. However, only IPv4
routes are advertised to managed nodes running older (pre-6.2.4) versions of
SGOS.
To determine whether an ADN tunnel is IPv4 or IPv6:
1. Log in to the Management Console of the Concentrator peer.
2. Select Statistics > Sessions > Active Sessions > ADN Inbound Connections.
3. Locate the ADN peer address to see whether its format is IPv4 or IPv6. For
example, if the peer address is 2001:418:9804:111::169, it is an IPv6 tunnel.
Or if the peer address is 10.9.45.129, it is an IPv4 tunnel.
Transparent Deployment
In a transparent deployment, the Concentrator is installed physically in-path, and
can intercept IPv4 and IPv6 connections from Branch peers.
338
Chapter 17: Using the ProxySG in an IPv6 Environment
Explicit Deployments
In explicit deployments, each Concentrator peer advertises the IPv4 or IPv6 server
subnets that it fronts. The Concentrator peer can also act as an Internet gateway
for IPv4 and IPv6 addresses, and subnets that are exempt from the Internet
gateway can be IPv4 or IPv6. The explicit tunnel between the Branch and
Concentrator peers can be IPv4 or IPv6. A concentrator will be chosen as an
Internet gateway only if it advertises at least one interface IP of the same address
family as the destination server address.
339
SGOS 6.2 Administration Guide
IPv6 Proxies
The following proxies have underlying protocols that support IPv6 and can
communicate using either IPv4 or IPv6:
Table 17–1
TCP Tunnel
340
Chapter 17: Using the ProxySG in an IPv6 Environment
341
SGOS 6.2 Administration Guide
DNS servers "Adding DNS Servers to the #(config dns forwarding)edit primary
Primary or Alternate Group" #(config dns fowarding primary)add server
on page 892 2001:db8:85a3::8a2e:370:7334
Forwarding hosts "Creating Forwarding Hosts" #(config forwarding) create host ipv6-
on page 953 proxy 2001:db8::1 http proxy
"IPv6 Forwarding" on page
344
342
Chapter 17: Using the ProxySG in an IPv6 Environment
Table 17–2
The IP address or hostname fields for these features accommodate the entry of
IPv4 or IPv6 addresses and, when applicable, include a field for entering the
prefix length (for IPv6 addresses) or subnet mask (for IPv4 addresses).
343
SGOS 6.2 Administration Guide
IPv6 Forwarding
To minimize WAN traffic, you can create forwarding hosts — a ProxySG
configured as a proxy to which certain traffic is redirected for the purpose of
leveraging object caching. (See "About the Forwarding System" on page 945.) It is
possible to create IPv4-to-IPv6 forwarding, IPv6-to-IPv4 forwarding, and IPv6-to-
IPv6 forwarding.
For example, to create a policy that forwards an IPv4 destination to an IPv6
forwarding host:
1. Create an IPv4 virtual IP (VIP) address for the ProxySG.
2. Create a forwarding host entry using an explicit IPv6 address or a hostname
that resolves into an IPv6 address.
3. Launch the Visual Policy Manager (VPM)—Configuration > Policy > Visual Policy
Manager.
344
Chapter 17: Using the ProxySG in an IPv6 Environment
• Proxy IP Address/Port
Destination Objects
• DNS Response IP/subnet
• Destination IP/subnet
Action Objects
• Reflect IP (proxy IP)
• cache_url.address
• client.address
• dns.request.address
• dns.response.aaaa
• log_url.address
• proxy.address
• request.header.header_name.address
• request.header.referer.url.address
• request.x_header.header_name.address
• server.url.address
• url.address
• url.domain
• url.host
• user.login.address
345
SGOS 6.2 Administration Guide
IPv6 Limitations
IPv6 support on the ProxySG has the limitations described below.
❐ The following proxies do not currently have IPv6 support:
• MMS streaming
• SOCKS
• Instant Messaging (AOL-IM, MSN-IM, Yahoo-IM)
• CIFS
• MAPI
❐ The ProxySG does not intercept link-local addresses in transparent mode since
this deployment isn’t practical; transparent link-local addresses will be
bypassed.
❐ IPv6 is not supported in a WCCP deployment.
346
Chapter 17: Using the ProxySG in an IPv6 Environment
Displays current settings for IPv6-related options (bypass IPv6 traffic, auto-
linklocal, forwarding).
> show ndp
2. Select an interface and click Edit. The Configure a Native VLAN dialog
displays.
3b
3a
3. Assign addresses:
a. Click Add IP. The Add IP Address dialog displays.
b. Enter the IPv6 address.
c. Click OK twice to close each dialog.
d. Click Apply.
347
SGOS 6.2 Administration Guide
4. Add a DNS server for IPv6. Select the Configuration > Network > DNS > Groups tab.
5. You can place both network servers types (IPv4 and IPv6) in the same DNS
group, or separate them into different groups.
a. Click Edit or New and add a DNS server for IPv6.
b. Click Apply.
6. IPv6 requires its own gateway. Select the Configuration > Network > Routing >
Gateways tab.
7. Define two default gateways: one for IPv4 and one for IPv6:
a. Click New. The Add List Item dialog displays.
b. Create a gateway to be used for IPv6.
c. Click OK to close the dialog.
d. Click Apply.
e. Repeat Steps a - d to create an IPv4 gateway (if you haven’t done so
already).
8. (Optional) Create policy for IPv6 servers. See "IPv6 Policies" on page 350.
348
Chapter 17: Using the ProxySG in an IPv6 Environment
349
SGOS 6.2 Administration Guide
2a
2b
See Also
❐ "IPv6 Support on the ProxySG" on page 340
❐ "Configuring a ProxySG to Work in an IPv6 Environment" on page 347
❐ "Configuring an ADN for an IPv6 Environment" on page 349
❐ "IPv6 Policies" on page 350
IPv6 Policies
With the global policy for DNS lookups, the ProxySG first uses the configured
IPv4 DNS servers for processing DNS requests. If this lookup fails, the ProxySG
looks up the host on the configured IPv6 DNS servers. This processing of DNS
requests happens automatically. To change the global setting for IP connection
type preference, use the following policy:
server_url.dns_lookup(dns_lookup_value)
where
dns_lookup_value = ipv4-only|ipv6-only|prefer-ipv4|prefer-ipv6
350
Chapter 17: Using the ProxySG in an IPv6 Environment
If you have a known list of servers that are on IPv6 networks, you can avoid
timeouts and unnecessary queries by creating policy to look up host names on
IPv6 DNS servers only. For example:
<Proxy>
url.domain=etrade.com server_url.dns_lookup(ipv6-only)
url.domain=google.com server_url.dns_lookup(ipv6-only)
This policy overrides the global policy and look up the specified hosts
(etrade.com and google.com) on the IPv6 DNS servers only.
351
SGOS 6.2 Administration Guide
352
Chapter 18: Filtering Web Content
Content Filtering allows you to categorize and analyze Web content. With
policy controls, content filtering can support your organization’s Web access
rules by managing or restricting access to Web content and blocking downloads
from suspicious and unrated Web sites, thereby helping protect your network
from undesirable or malicious Web content.
The ProxySG appliance supports Blue Coat WebFilter as well as other third-
party databases. This chapter describes how to configure the ProxySG
appliance to process client Web requests and to control and filter the type of
content retrieved.
353
SGOS 6.2 Administration Guide
354
Chapter 18: Filtering Web Content
If your subscription with the database vendor expires or if the available database
is not current, the category unlicensed is assigned to all URLs and no lookups
occur on the database. To ensure that the latest database version is available to
you, by default, the ProxySG appliance checks for database updates once in every
five minutes.
355
SGOS 6.2 Administration Guide
356
Chapter 18: Filtering Web Content
Legend
A: A client connected to the ProxySG appliance.
B: ProxySG appliance content filtering solution (content filter vendor + Blue Coat
policy).
C: Web Content.
Process Flow
1: (Blue arrow) The client requests a Web page.
2: The ProxySG appliance checks the requested URL against the content filtering
database to determine the categorization.
3: After the URL is categorized, the policy engine determines if the URL is allowable
or not.
4: (Blue arrow) The URL is allowed and the request continues to its destination.
5. (Red arrow) The policy denies the request and returns a message concerning
corporate Web compliance.
357
SGOS 6.2 Administration Guide
Note: You cannot configure the legacy content filtering vendors, such as
Intersafe, I-Filter, Surfcontrol and Webwasher, using the Management Console.
You must use the Command Line Interface (CLI) to modify configuration settings
for these vendors.
If you are upgrading from an earlier SGOS version, and one of the vendors listed
above is enabled on your ProxySG appliance, the following message displays in
the Management Console:
Refer to the Command Line Interface Reference, for the list of CLI commands
available.
358
Chapter 18: Filtering Web Content
By default, connection to the WebPulse service is not encrypted and data is sent as
plain text; however, you can opt to use a secure connection, which encrypts all
data sent over the connection.
359
SGOS 6.2 Administration Guide
Note: The dynamic service is consulted only when the installed Blue Coat
WebFilter database does not contain authoritative category information for a
requested URL. If the category returned by the WebPulse service is blocked by
policy, the offending material does not re-enter the network.
The URL is first looked up in the local Blue Coat Web Filter (BCWF) database. The
expected results are shown in the following table.
360
Chapter 18: Filtering Web Content
See Also:
❐ "About the Dynamic Categorization Process" on page 361
❐ "Dynamic Categorization States" on page 363
❐ "Considerations Before Configuring WebPulse Services" on page 363
❐ "About Private Information Sent to WebPulse" on page 364
361
SGOS 6.2 Administration Guide
cannot be locally categorized using the Blue Coat WebFilter database and
WebPulse results are cached on the ProxySG appliance, the user experience is
generally not affected.
To avoid per-request latency, you might want to run dynamic categorization in
background mode. For modifying the default, see "Configuring WebPulse Services"
on page 381.
The following diagram illustrates Blue Coat WebFilter’s content filtering flow
when dynamic categorization is employed.
Legend
A: A client connected into the ProxySG appliance.
B: ProxySG appliance with Blue Coat WebFilter and Dynamic Categorization enabled.
C: WebPulse cloud server.
D: Web content.
Process Flow
1: (Blue arrow) Client 1 requests a Web page.
2: The ProxySG appliance checks the requested URL against the Blue Coat WebFilter
database for categorization. No match is found.
3: The WebPulse Service returns the categorization of the URL if it has already been
determined. If not, WebPulse accesses and analyzes the requested site and returns a
real-time categorization if the confidence rating is high enough. If a category cannot be
determined automatically with high confidence, the service returns a category unknown
status, but records the site for future categorization.
4: After the URL is categorized, the policy engine determines if the URL is allowable or
not. Steps 5 and 6 describe what happens if the URL is allowable. Step 7 describes
what happens if the URL is not allowable.
5: (Blue arrow) The URL is allowed and the request continues to its destination for full
retrieval.
6: (Blue arrow) The allowed content is served back to the client.
7: (Red arrow) The policy denies the request and returns a message concerning
corporate Web compliance.
362
Chapter 18: Filtering Web Content
363
SGOS 6.2 Administration Guide
SOCKS Gateways
If you use proxy chaining for load balancing or for forwarding the dynamic
categorization request through an upstream SOCKS gateway, you must configure
the SOCKS gateway before configuring the WebPulse service.
Important: Before configuring the SOCKS gateway target for WebPulse, verify
that the SOCKS gateway is operating correctly.
When both SOCKS and forwarding are configured, the ProxySG appliance
connects to the SOCKS gateway first, then to the forwarding host, and then to the
WebPulse service.
364
Chapter 18: Filtering Web Content
Note: With the introduction of SGOS 5.4.1 and later, private network domain
names and IP subnets can be user-defined.
When running a release older than SGOS 5.4.1, enabling WebPulse service
automatically sends certain customer information to the WebPulse service by
default, which includes:
• Customer License Key (Example: QA852-KL3RA)
• Scheme (Example: HTTP, HTTPS)
• Method (Examples: GET, POST)
• URL Host
• URL Port
• URL Path
Note: Prior to SGOS 5.4.1, the information that is sent to the WebPulse service is
fixed and cannot be modified.
With the introduction of SGOS 5.4.1 and later, customer information sent to the
WebPulse service is controlled by user-defined policy, although you can still use
the default policy and configuration settings provided by the ProxySG appliance.
Overriding the default settings with your organization’s policy definitions results
in more control of the type of information that is sent to the WebPulse service.
365
SGOS 6.2 Administration Guide
You can further control whether to include the URL path and query string, and
individually control whether the Referer or User-Agent headers are sent for specific
requests. Restrictions are accomplished through the use of policies that can be
defined from the ProxySG appliance management console or CLI.
366
Chapter 18: Filtering Web Content
Table 18–1 on page 367 lists the type of information that is sent to the WebPulse
service based on default settings for all SGOS versions supporting WebPulse.
Note: The service send-request-info command applies only to SGOS 5.4.1 and
later.
Table 18–1 Information Sent to the WebPulse Service Based on Default SGOS Settings
Information Sent to the SGOS < 5.4.1 SGOS 5.4.1 and SGOS 5.4.1 and
WebPulse Service Later (service send- Later (service send-
request-info request-info enable)
disable)
See Also
❐ "Configuring WebPulse Services" on page 381
❐ "Viewing Dynamic Categorization Status (CLI only)" on page 384
❐ Section G: "Applying Policy" on page 405
❐ SGOS 6.2 Content Policy Language Reference
367
SGOS 6.2 Administration Guide
Note: Blue Coat respects your security needs. If the request URL or the Referer
header for a malware threat pertains to a private URL, no malware notification is
issued.
See Also
❐ "Configuring WebPulse Services" on page 381
❐ "Viewing Dynamic Categorization Status (CLI only)" on page 384
SmartFilter
The ProxySG appliance supports SmartFilter, a third-party on-box content
filtering database. SmartFilter supports two database editions — XL and the SL.
The XL edition is the default, and is compatible with SmartFilter 4.2 or later. The
XL edition provides a number of new categories, as well as some changes to
existing categories that are unavailable in the SL edition.
If you have upgraded from an SGOS version that only supported the SL database
edition, the XL database edition becomes the default. With the change in database
edition, the set of available categories will be different. You must examine your
policy compilation listing after the next database download and modify your
policy. For more information, see "Modifying Policy for SmartFilter Database
Changes" on page 397.
368
Chapter 18: Filtering Web Content
To defer policy changes, you must re-select the SL edition database. If you are
planning to switch to or between the XL and SL editions, see "Switching Between
the XL and SL Edition Databases" on page 397.
In the XL version of the SmartFilter database, McAfee uses category sets to
address changes in the categorization of URLs. A new category set might include
the addition of new categories, category deletions, or splitting of a single category
into multiple groups for granularity.
The default category varies by the SGOS version installed. The default category
version is 2. For information on remapping category sets, see "Remapping the
Category Set".
Websense
Websense is a supported content filter database on the ProxySG appliance.
Websense offers Real Time Updates to manage emerging threats on the Internet
and Regular Expression (Regex) lookups for URLs.
369
SGOS 6.2 Administration Guide
370
Chapter 18: Filtering Web Content
371
SGOS 6.2 Administration Guide
2. Select the option for your preferred provider. You can opt to enable the local
database, Internet Watch Foundation, BCWF and a third-party vendor. For a
third-party vendor, select your preferred vendor from the Third-party database
drop-down list.
Note: You cannot configure the legacy content filtering vendors, such as
Intersafe, I-Filter, Surfcontrol and Webwasher, using the Management
Console.
If you upgraded the ProxySG appliance appliance from an SGOS version
previous to 5.5.x, and one of the vendors listed above is enabled on your
ProxySG appliance, use the Command Line Interface (CLI) to modify
configuration settings for these vendors.
3. Select the Lookup Mode option. For a Web request, the look up mode
determines the databases that the ProxySG appliance searches for a category
match. To perform a lookup, the database must be enabled. The look up
sequence executed is policy, local database, IWF, Blue Coat WebFilter and
finally a selected third-party database.
a. The default is Always, which specifies that the database is always
consulted for category information. If a URL is categorized under
more than one category in different databases, policy is checked
against each category listed.
b. Uncategorized specifies that a database lookup be skipped if the URL
match is found in policy, a Local database, or the Internet Watch
Foundation (IWF) database.
372
Chapter 18: Filtering Web Content
4. (Applicable for SmartFilter and BCWF only) Select Enable category review
message in exceptions. This option adds a link to the default content filter
exception page when a user is denied a request for a Web Page. Typically the
exception page informs the user why a URL request is denied. When you
enable this option, the user can click the link displayed on the exception page
to request a review of the category assigned to the blocked URL. For example,
when enabled the screen displays the following users:
Your request was categorized by Blue Coat WebFilter as 'News/Media'.
If you wish to question or dispute this result, please click here.
The built in exception page can be customized, for customizing the exception
page, refer to Visual Policy Manager Reference.
5. Click Apply.
373
SGOS 6.2 Administration Guide
Note: By default, the ProxySG appliance checks for database updates once in
every five minutes. While you can schedule the time interval for an automatic
database update, the frequency of checks is not configurable.
374
Chapter 18: Filtering Web Content
See Also
"Configuring SmartFilter"
"Configuring Websense (on-box)"
"Configuring Websense Reporting"
"Specifying a Custom Time Period to Update a Third-Party Database"
375
SGOS 6.2 Administration Guide
376
Chapter 18: Filtering Web Content
Content filtering databases can be very large and require significant resources to
process. It might be necessary to adjust the amount of memory allocated to the
database in the following situations:
❐ If you are not using ADN and have a high transaction rate for content filtering,
you can increase the memory allocation setting to High. This helps content
filtering run more efficiently.
❐ If you are using both ADN and content filtering but the transaction rate for
content filtering isn't very high, you can reduce the memory allocation setting
to Low. This makes more resources available for ADN, allowing it to support a
larger number of concurrent connections.
3. Click Apply.
377
SGOS 6.2 Administration Guide
378
Chapter 18: Filtering Web Content
See Also
❐ "About Dynamic Categorization" on page 359
❐ "About Private Information Sent to WebPulse" on page 364
2. Click the Dynamic categorization link. The Configuration > Threat Protection >
WebPulse tab displays.
379
SGOS 6.2 Administration Guide
3. Clear the Perform Dynamic Categorization option in the Configuration > Threat
Protection > WebPulse page. If you disable dynamic categorization, proactive
threat detection, content and reputation ratings are also disabled. For
information on dynamic categorization, see "About Dynamic Categorization"
on page 359. For information on performing dynamic categorization in
background mode, see "Configuring WebPulse Services"
380
Chapter 18: Filtering Web Content
381
SGOS 6.2 Administration Guide
Note: For most situations, using secure connections does not significantly
decrease performance unless you are regularly processing a large number of
unrated sites.
382
Chapter 18: Filtering Web Content
6. To modify the dynamic categorization mode, verify that the Perform Dynamic
Categorization option is selected and Blue Coat WebFilter is enabled. Then
choose one of the following options:
a. Immediately. This is the default categorization mode and is in real-time
— if the category of the request is not already known, the URL request
will wait for the WebPulse service to respond with the categorization
before proceeding. The advantage of real-time mode categorization is
that Blue Coat policy has access to the results, allowing policy
decisions to be made immediately after receiving all available
information.
b. In the background. In this mode when dynamic categorization is
triggered, the URL request continues to be serviced without waiting
for a response from the WebPulse service. The system category pending
is assigned to the request, indicating that the policy was evaluated
with potentially incomplete category information.
The result of the categorization response is entered into a categorization
cache; This cache ensures that any subsequent requests for the same or
similar URLs can be categorized quickly, without needing to query the
WebPulse cloud service again.
383
SGOS 6.2 Administration Guide
384
Chapter 18: Filtering Web Content
See Also
❐ "Applying Policy"
❐ "Applying Policy to Categorized URLs"
❐ "Using Content Filtering Vendors with Blue Coat Policies"
❐ "Defining Custom Categories in Policy"
385
SGOS 6.2 Administration Guide
Note: Blue Coat recommends locating your local database on the same server as
any policy files you are using.
386
Chapter 18: Filtering Web Content
2. Upload the text file to a Web server that the ProxySG appliance appliance can
access.
3. Continue with "Selecting and Downloading the Local Database".
Note: Earlier versions of SGOS did not allow the categorization of Top Level
Domains or TLDs. As of SGOS version 6.2, TLDs are allowed in URL
categorization.
The list below represents cases for which a local database file may be invalid:
❐ URL patterns cannot contain the following characters in the database file:
$ - _ . + ! * ' ( ) , ",
❐ Query strings entries are not allowed in the local database file.
❐ Local database files cannot contain username and password information.
387
SGOS 6.2 Administration Guide
388
Chapter 18: Filtering Web Content
8. Click Apply.
Note: Incremental updates are not available for the local database.
See Also
❐ "Specifying a Custom Time Period to Update a Local Database"
❐ "Applying Policy"
❐ "Defining Custom Categories in Policy"
Note: When the database is downloaded, a log is available that includes detailed
information about how the database was updated. You can view the download
log in the Management Console by selecting Statistics > Advanced > Content Filter
Service, or in the CLI (SGOS#(config) show content-filter status).
2. Select the Only between the hours of check box. The time frame is local time.
3. Click the arrows to view the drop-down lists and set the time period for your
update schedule. For example, to check for updates between the hours of 8 am
and midnight, set the first box to 08:00 and the second box to 23:59.
389
SGOS 6.2 Administration Guide
4. Click Apply.
See Also
❐ "Applying Policy"
❐ "Applying Policy to Categorized URLs"
❐ "Using Content Filtering Vendors with Blue Coat Policies"
❐ "Defining Custom Categories in Policy"
390
Chapter 18: Filtering Web Content
2. Select the Only between the hours of option. The time frame is always local time.
391
SGOS 6.2 Administration Guide
3. Click the arrows to view the drop-down lists and set the time period for your
update schedule. For example, to check for updates between the hours of 8 am
and midnight, set the first box to 08:00 and the second box to 23:59.
4. Click Apply.
See Also
❐ "Applying Policy"
❐ "Applying Policy to Categorized URLs"
❐ "Using Content Filtering Vendors with Blue Coat Policies"
❐ "Defining Custom Categories in Policy"
392
Chapter 18: Filtering Web Content
Configuring SmartFilter
To use SmartFilter, you need a valid content filtering subscription.
To configure SmartFilter:
1. Select the Configuration > Content Filtering > SmartFilter tab.
393
SGOS 6.2 Administration Guide
2a
2b
5
2c
2d
2e
2f
2g
2h
2i
2. Configure SmartFilter:
a. In the License key field, enter the license key you received from Secure
Computing.
b. In the Server field, the default server is displayed. If you have been
instructed to use a different server, enter the hostname or IP address.
c. Clear the Automatically check for updates option or select the Only between
the hours of options to modify the automatic update schedule.
Disabling database updates is not recommended because it prevents
the ProxySG appliance from checking for database updates, which
keep the category listings up-to-date.
For details on customizing the database update schedule, see
"Specifying a Custom Time Period to Update a Third-Party Database"
on page 402.
d. Select the database edition to use. The XL edition is the default, and is
compatible with SmartFilter 4.2 or later. The XL edition provides a
number of new categories, as well as some changes to existing
categories that are not available in the SL edition.
394
Chapter 18: Filtering Web Content
395
SGOS 6.2 Administration Guide
5. Click View Download Status. A new browser window opens and displays the
Download progress. At the completion of the download, the download log
displays. For example:
Download log:
SmartFilter download at: 2010/08/28 19:48:45 +0000
Downloading from: list.smartfilter.com
Checking incremental update
Warning: Unable to open input control list
Warning: Unable to open installed control list
Downloading full control file
Full download complete
Download size: 206478620
Database version: 12364
Database date: Fri, 27 Aug 2010 05:00:14 UTC
Database expires: Fri, 24 Sep 2010 05:00:14 UTC
396
Chapter 18: Filtering Web Content
3. To trigger the download of the new database you selected in Step1, enter the
following command:
SGOS#(config smartfilter) download get-now
397
SGOS 6.2 Administration Guide
2a
2b
2c
6
7
398
Chapter 18: Filtering Web Content
5. Click View Download Status. A new browser window opens and displays the
Download log. For example:
Download log:
Websense database download at: 2009/12/13 14:04:57 -0700
Downloading from download.websense.com/
Processing download file
Retrieved no-change database notification
Database is already up-to-date
Websense RTU/RTSU download at: 2009/12/13 13:24:57 -0700
Downloading for db_version: 83096
Downloading from download.websense.com/
Processing RTU download file
RTU Version: 1569.33
Retrieved RTU update: size=124, offset=444
Download size: 6480
RTU/RTSU database succeeded
6. (Optional) Select Always apply regular expressions to urls. Select this option to
force an additional regular expression lookup for each URL to be categorized.
Normally, regular expression lookups are done only when no category is
found in the Websense database. If this option is selected, regular expression
lookups always occur, even for categorized URLs. Selecting this option can
cause a significant reduction in lookup performance, but allow certain sites
(such as translation, search engine, and link-cache sites) to be categorized
more accurately.
7. By default, Use RTU/RTSU to categorize URLs is enabled. To disable updates, clear
the checkbox (not recommended). For information, on Real Time Updates, see
"Real Time Updates (RTU)".
8. To configure Websense reporting, see "Configuring Websense Reporting".
9. Click Apply.
399
SGOS 6.2 Administration Guide
Complete the following tasks to integrate the ProxySG appliance and Websense
Reporter:
1. "Installing Websense Components"
2. "Configuring the ProxySG appliance Access Logs for Websense"
3. "Enabling the Websense Integration Service (WIS)"
400
Chapter 18: Filtering Web Content
401
SGOS 6.2 Administration Guide
To enable WIS:
1. Select the Configuration > Content-Filtering > Third-Party Databases > Websense tab.
2. In the Integration Service Host field, enter the IP address of the machine where
you installed the Websense components.
3. In the Port field, specify the port of the WIS. It must be between 1 to 65535 and
match the port selected on the WIS host. The default is 55080.
4. Select Enabled to enable the service.
5. (Optional) Select Log forwarded client address. Normally, the ProxySG appliance
logs the actual client IP address to the Websense Reporter log. If this option is
selected, the ProxySG appliance logs the IP address obtained from the X-
Forwarded-For HTTP Header (if present and valid) instead of the actual client
IP address. For information on the X-Forwarded-For HTTP Header format,
see Access Log Formats in the 6.2 Feature Change Reference.
6. Click Apply.
See Also
❐ "Installing Websense Components"
❐ "Configuring the ProxySG appliance Access Logs for Websense"
402
Chapter 18: Filtering Web Content
occur only within a specific time period. While you can customize the time
interval for an automatic database update, the frequency of checks is not
configurable.
For example, you might schedule automatic updates only between the hours of 8
am and 11 pm local time. The ProxySG appliance will check for updates in five
minute intervals within the specified interval. You cannot, however, alter the
frequency of checks.
Note: When the database is downloaded, a log is available that includes detailed
information about how the database was updated. You can view the download
log in the Management Console by selecting the Statistics > Advanced > Content Filter
Service tab, or in the CLI (SGOS#(config) show content-filter status).
2. Select the Only between the hours of option. The time frame is always local time.
3. Expand the drop-down lists and set the time period for your update schedule.
For example, to check for updates between the hours of 8 am and midnight,
set the first box to 08:00 and the second box to 23:59.
4. Click Apply.
403
SGOS 6.2 Administration Guide
See Also
❐ "Applying Policy"
❐ "Applying Policy to Categorized URLs"
❐ "Defining Custom Categories in Policy"
404
Chapter 18: Filtering Web Content
Creating a Blacklist
If your default proxy policy is set to allow and you would like to block users
access to certain categories, you must create policy to block all requests for the
categories that you wish to restrict access in your network.
In this example, Sports/Recreation, Gambling, and Shopping categories are
blocked with a single rule and a predefined exception page
content_filter_denied is served to the user. This exception page informs the user
that the request was denied because the requested content belongs to a category
that is blocked.
405
SGOS 6.2 Administration Guide
4a
4c
4b
b. In the Set Destination Object dialog, click New > Request URL Category. The
Add Request URL Category Object dialog displays.
406
Chapter 18: Filtering Web Content
c. Expand the list of categories for your content filter database in the
Categories list.
5. Select the categories to block and click OK. This example blocks Shopping,
Gambling and Sports/Recreation categories.
6. Set the action for blocking the categories In the Action column, right click and
select Deny or Deny Content Filter.
The Deny action, denies the user access without providing an explanation for
the denial of the requested content. And the Deny Content Filter action, denies
the user access to the requested content and describes that the request was
denied because it belongs to a category blocked by organizational policy.
407
SGOS 6.2 Administration Guide
b. In the Set Destination Object dialog, click New > Request URL Category. The
Add Request URL Category Object dialog displays. In this example, the
Add Request URL Category Object is named Sports Access.
c. Expand the list of categories for your content filter database from the
Categories list.
408
Chapter 18: Filtering Web Content
409
SGOS 6.2 Administration Guide
410
Chapter 18: Filtering Web Content
411
SGOS 6.2 Administration Guide
9. Set the action to restrict access. In the Action column, right click and select Deny
or Deny Content Filter
The Deny action, denies the user access without providing an explanation for
the denial of the requested content. And the Deny Content Filter action, denies
the user access to the requested content and describes that the request was
denied because it belongs to a category blocked by organizational policy.
Note: While the following example blocks most downloads, it will not prevent all
Web downloads. For example, compressed and encrypted files, server side scripts
and Webmail attachments are not detected.
412
Chapter 18: Filtering Web Content
b. In the Set Destination Object dialog, click New > File Extensions. The Add
File Extension Object dialog displays.
c. In the Known Extensions field, find and add .exe files. Click OK.
d. Select the apparent data types that include DOS and Windows
executables and Windows Cabinet files. In the Set Destination Object
dialog, click New > Apparent Data Type, and select the choices. Click OK.
413
SGOS 6.2 Administration Guide
e. Combine the two rules using a combined object. In the Set Destination
Object dialog, click New > Combined Destination Object and add the file
extensions and the apparent data type rule created above. Click OK
Creating a Whitelist
If the default policy on the ProxySG appliance is set to deny, you must create a
whitelist to permit Web access to users. Whitelists require constant maintenance
to be effective. Unless your enterprise Web access policy is very restrictive, Blue
Coat recommends setting the default policy to allow. The default policy of allow
will keep the help desk activity less hectic in managing Web access policies.
414
Chapter 18: Filtering Web Content
b. In the Set Destination Object dialog, click New > Request URL Category. The
Add Request URL Category Object dialog displays.
c. Expand the list of categories for your content filter database in the
Categories list.
415
SGOS 6.2 Administration Guide
4. Select the categories to allow and click OK. This example allows Business/
Economy and the Computers/Internet categories.
5. Set the action for blocking the categories In the Action column, right click and
select Allow.
416
Chapter 18: Filtering Web Content
b. In the Set Destination Object dialog, click New > Request URL Category. The
Add Request URL Category Object dialog displays.
c. Expand the list of categories for your content filter database in the
Categories list.
d. Select the categories to monitor and click OK. This example tracks
access of Adult/Mature Content.
417
SGOS 6.2 Administration Guide
418
Chapter 18: Filtering Web Content
b. In the Set Destination Object dialog, click New > Request URL Category. The
Add Request URL Category Object dialog displays.
419
SGOS 6.2 Administration Guide
3. Set the action to restrict access. In the Action column, right click and select Deny
Content Filter.
You can also use this feature with custom exception pages (refer to Visual Policy
Manager Reference), where a custom exception page displays during business
hours, say between 8 am and 6 pm local time for the requested content. In the
event that the license is expiring, the user can be served an exception page that
instructs the user to inform the administrator about license expiry.
420
Chapter 18: Filtering Web Content
where NAME is the exact spelling, spacing, and punctuation listed in the view
applications CLI output, and OPERATION is the exact specification listed in the
view operations output. Note that the application names and operations are NOT
case sensitive.
You can use CPL or VPM (for SGOS version 6.2.3.1 and later) to update your
existing policy file with the application filtering conditions you want to
implement. The examples in this section use CPL.
See Also
❐ SGOS 6.2 Content Policy Language Reference
❐ SGOS 6.2 Visual Policy Manager Reference
❐ SGOS 6.2 Command Line Interface Reference
Example Policy 1
The following policy allows LinkedIn access but denies Hotmail. Note that this
policy is only looking at the application, not the operation.
; Allow LinkedIn application but deny Hotmail.
; Show an error page displaying the application name
<Proxy>
url.application.name=Linkedin allow ; no explicit allows
url.application.name=Hotmail exception( policy_denied, "To prevent
data loss, personal email is prohibited by management.",
my_format_string )
Example Policy 2
The following policy 1) blocks all Hotmail use, and 2) allows Facebook generally,
but denies Facebook picture uploads.
; Block Hotmail
; Allow Facebook except for picture uploads
; Definitions
define string my_format_string
> $(exception.details)
> url.application.name= $(url.application.name)
> url.application.operation= $(url.application.operation)
; Policy Rules
<Proxy>
421
SGOS 6.2 Administration Guide
end
Example Policy 3
The following policy allows attachment downloads, but blocks attachment
uploads for all applications.
; Allow attachment downloads but not uploads.
; Show an error page displaying the application operation
<Proxy>
url.application.operation=”Download Attachment” allow ; no
explicit allows
url.application.operation=”Upload Attachment” exception(
policy_denied, "Attachment uploads are not allowed.", my_format_string
)
Example Policy 4
The following policy blocks all social networking sites except for Facebook.
<Proxy>
url.application.name=Facebook allow
url.category=social-networking deny
422
Chapter 18: Filtering Web Content
If your policy is not working properly, make sure you have spelled the application
and operation names exactly as listed in the view applications and view
operations command output. Also make sure that the operation is supported by
the application. Correct any errors, install the revised policy, and run through the
above verification steps again.
Additional Information
The following two new access log variables are available:
x-bluecoat-application-name
x-bluecoat-application-operation
These variables are automatically added to the Blue Coat Reporter access log
format (bcreportermain_v1) in new installations and after upgrading to SGOS
6.2.x.
Limitations
The policy compiler will not display a warning if you create policy that defines
unsupported combinations of application names and operations. For example,
Twitter doesn’t support uploading of pictures but the compiler doesn’t warn you
that the following policy is invalid:
Example
Policy: Limit employee access to travel Web sites.
The first step is to rephrase this policy as a set of rules. In this example, the model
of a general rule and exceptions to that rule is used:
❐ Rule 1: All users are denied access to travel sites
❐ Rule 2: As an exception to the above, Human Resources users are allowed to
visit Travel sites
Before you can write the policy, you must be able to identify users in the Human
Resources group. You can do this with an external authentication server, or define
the group locally on the ProxySG appliance. For information on identifying and
423
SGOS 6.2 Administration Guide
Example
Policy: Student access to Health sites is limited to a specified time of day, when
the Health 100 class is held.
This time the policy contains no exceptions:
❐ Rule 1: Health sites can be accessed Monday, Wednesday, and Friday from 10-
11am.
❐ Rule 2: Health sites can not be accessed at other times.
define condition Health_class time
weekday=(1, 3, 5) time=1000..1100
end
<proxy>
; 1) Allow access to health while class in session
ALLOW category=health condition=health_class_time
; 2) at all other times, deny access to health
DENY category=health
424
Chapter 18: Filtering Web Content
❐ hosts and subdomains within the domain you specify will automatically be
included
❐ if you specify a path, all paths with that prefix are included (if you specify no
path, the whole site is included) For example, if you add
www2.nature.nps.gov/air/webcams/parks/grcacam/nps.gov/grca
only the pages in the /grca directory of nps.gov will be included in the
category, but if you just add www2.nature.nps.gov/ all pages in the entire
directory will be included in the category.
Example:
define category Grand_Canyon
kaibab.org
www2.nature.nps.gov/air/webcams/parks/grcacam
nps.gov/grca
grandcanyon.org
end
Any URL at kaibab.org is now put into the Grand_Canyon category (in addition to
any category it might be assigned by a provider). Only those pages in the /grca
directory of nps.gov are put in this category.
425
SGOS 6.2 Administration Guide
Example:
<proxy>
category=Webcams DENY
category=National_Parks ALLOW
category=Travel time =0800..1800 DENY
Click the Test button on the Management Console or the test-url command in
CLI to validate the categories assigned to any URL. This can help you to ensure
that your policy rules have the expected effect (refer to Configuring Policy Tracing
in the Content Policy Language Guide).
If you are using policy-defined categories and a content-filter provider at the
same time, be sure that your custom category names do not coincide with the
ones supplied by your provider. You can also use the same names—this adds your
URLs to the existing categories, and extends those categories with your own
definitions. For example, if the webcam mentioned above was not actually
categorized as Travel by your provider, you could do the following to add it to the
Travel category (for the purpose of policy):
define category Travel ; extending a vendor category
www2.nature.nps.gov/air/webcams/parks/grcacam/ ; add the GC webcam
end
Note: The policy definitions described in this section can also be used as
definitions in a local database. See "Configuring a Local Database" on
page 386 for information about local databases.
426
Chapter 18: Filtering Web Content
Note: The ProxySG appliance supports Websense off-box server versions 4.4 and
higher.
2b
2a
427
SGOS 6.2 Administration Guide
5a
5b
5c
5d
5e
6a
6b
6c
428
Chapter 18: Filtering Web Content
To display the Websense off-box error page perform the following tasks:
1. Select the Configuration tab > External Services > Websense tab.
2. Select the Websense service and click Edit.
3. Clear the Serve exception page when content is blocked option
4. Click OK and Apply to save your changes.
429
SGOS 6.2 Administration Guide
5. Click OK to perform the health check. When the health check is complete, the
Health Check Results dialog displays information about the health check.
6. Click Close to close the Health Check Results dialog.
430
Chapter 18: Filtering Web Content
Section I: Troubleshooting
This section describes troubleshooting tips and solutions for content filtering
issues. It discusses the following topics:
❐ "Unable to Communicate with the DRTR Service" on page 431
❐ "Event Log Message: Invalid DRTR Service Name, Health Check Failed" on
page 431
❐ "Error Determining Category for Requested URL" on page 432
❐ "Error Downloading a Content Filtering Database" on page 433
Note: The ProxySG appliance resolves the domain name sp.cwfservice.net once a
day and maintains the list of returned IP addresses. The ProxySG appliance then
uses the IP address that provides the fastest service. If an IP address that is in use
fails to respond, the ProxySG appliance will failover to an alternate IP address.
Health checks are automatically conducted on all the IP addresses to make this
failover as smooth as possible and to restore service to the geographically closest
IP address as soon as it is available.
2. Check the firewall logs for messages about denied or blocked traffic
attempting to reach IP addresses or in response from IP addresses. A firewall
rule denying or blocking in either direction impedes DRTR.
Event Log Message: Invalid DRTR Service Name, Health Check Failed
The following event log message displays:
Invalid DRTR service name - Health check failed - Receive failed.
These messages are common in event logs and, for the most part, should not affect
your service. A server may fail an L4 health check for various reasons, but unless
all servers (services) are unavailable for extended periods of time, you should not
experience interruptions in DRTR services and can regard this as expected
behavior.
When the proxy makes a request for the DRTR service name, several IP addresses
for our servers are returned. The ProxySG appliance will periodically perform a
quick Layer-4 health check (opening and closing a TCP socket with no data
transfer) to each of those servers. In the event that the ProxySG appliance cannot
contact the server or doesn’t receive a response quickly enough, it logs similar
event log messages.
431
SGOS 6.2 Administration Guide
Your DRTR service will not be interrupted unless all of the servers are unable to
be contacted for more than a few seconds. When one of these error messages
appears, the services health status changes back to healthy within 2 to 10 seconds.
A communication error occurred Check the event log entries for DRTR
contacting the DRTR service. messages.
432
Chapter 18: Filtering Web Content
The ProxySG appliance license has If you are using a trial or demo license,
expired. instead of a perpetual license, the
ProxySG appliance license may have
expired. Verify the status of your license
on the Maintenance > Licensing > View
tab. To purchase a license, contact Blue
Coat Technical Support or your Blue
Coat sales representative.
(Possible, but not likely) There are Check event log entries for disk or
issues with memory or a disk error. memory messages.
❐ For the ERROR: HTTP 401 - Unauthorized, verify that you have entered your
username and password correctly. For example, the following error message
was generated when an incorrect username was entered to download a
SmartFilter database:
Download log:
SmartFilter download at: Thu, 21 June 2007 18:03:08
Checking incremental update
Checking download parameters
Fetching:http://example.com/
Warning: HTTP 401 - Unauthorized
Downloading full control file
SmartFilter download at: Thu, 21 June 2007 18:03:17
Downloading from http://example.com/
Fetching:http://example.com/
ERROR: HTTP 401 - Unauthorized
Download failed
Download failed
Previous download:
...
If you have an upstream proxy and all internet traffic must be forwarded to
this upstream proxy, you must enable download-via-forwarding on this
ProxySG appliance using the following CLI command:
SGOS> enable
SGOS# config t
SGOS#(config )forwarding
SGOS#(config forwarding) download-via-forwarding enable
❐ For the Socket Connection Error, check for network connectivity and Internet
access in your network.
Only after completing network troubleshooting, perform the following
procedure if the socket connection error persists.
433
SGOS 6.2 Administration Guide
Because the content filter database is downloaded using SSL, if the SSL client
on the ProxySG appliance gets corrupt, a connection error occurs.
1. Verify that you have a valid SSL client on the ProxySG appliance.
a. Access the Command Line Interface (CLI) of the ProxySG appliance.
b. In configuration mode, view the SSL client configuration.
Blue Coat SG210 Series>en
Enable Password:XXXXX
Blue Coat SG210 Series#conf t
Blue Coat SG210 Series#(config)ssl
Blue Coat SG210 Series#(config ssl)view ssl-client
SSL-Client Name Keyring CCL Protocol
default <None> browser-trusted SSLv2v3TLSv1
2. If you have an ssl-client configured but the issue still persists, delete, and
recreate the SSL client.
a. In the Configuration mode:
Blue Coat SG210 Series#(config ssl)delete ssl-client
ok
Blue Coat SG210 Series#(config ssl)create ssl-client default
defaulting protocol to SSLv2v3TLSv1 and CCL to browser-trusted
ok
434
Chapter 19: Configuring Threat Protection
Blue Coat ProxySG and the Blue Coat ProxyAV appliances work in conjunction
to analyze incoming Web content and protect users from malware and
malicious content. Malware is defined as software that infiltrates or damages a
computer system without the owner’s informed consent. The common types of
malware include adware, spyware, viruses, worms, downloaders and Trojan
horses.
Blue Coat’s threat protection solution protects user productivity, blocks
malware downloads and Web threats, and enables compliance to network
security policies.
The following sections describe how to configure threat protection on the
ProxySG and the ProxyAV appliances:
❐ "About Threat Protection"
❐ "Enabling Malware Scanning"
❐ "Updating the Malware Scanning Policy"
❐ "Fine Tuning the Malware Scanning Policy using VPM"
❐ "Disabling Malware Scanning"
❐ "Editing a ProxyAV Content Scanning Service"
❐ "Deleting a ProxyAV From the List of Configured Content Scanners"
435
SGOS 6.2 Administration Guide
The ProxySG monitors the results of the ProxyAV scan and notifies the WebPulse
service when a new virus or malware is found. This notification triggers an
update of the Blue Coat WebFilter database and all members of the WebPulse
community are protected from the emerging threat.
Blue Coat’s threat protection solution also provides a threat protection policy that
is implemented when you integrate the appliances and enable malware scanning.
The malware scanning policy that is implemented is a built-in security policy that
offers immediate, out-of-the-box protection. This policy can be set to optimize
either your network security needs or your network performance needs.
1. Install and configure the • Configure the ProxyAV with basic network
ProxyAV appliance. settings. Make sure to configure the ProxyAV and
the ProxySG appliances on the same subnet.
From the ProxyAV Management Console, perform the
following tasks:
• Activate the ProxyAV license.
• Identify the ProxySG as an ICAP client on the
ProxyAV Management Console and allow ICAP
access between the appliances.
• Configure the scanning behavior on the ProxyAV
Management Console
For information on these tasks, refer to the ProxyAV
Configuration and Management Guide.
2. Select whether to transfer The ProxySG and the ProxyAV can communicate
data between the ProxySG using plain ICAP, secure ICAP or both methods.
and the ProxyAV using If you wish to use secure communication mode
plain ICAP or secure ICAP. between the appliances, either use the built-in SSL
device profile or create a new SSL device profile to
authorize the ProxyAV on the ProxySG. For
information on SSL device profile, see "About SSL
Device Profiles"
If you create an SSL device profile, make sure that the
CA certificate is imported in the ProxySG at
Configuration > SSL > External Certificates. Otherwise,
when the Verify Peer option is enabled in
Configuration > SSL > Device Profiles, the ProxySG
fails to verify the ProxyAV as trusted.
For information on enabling secure connection on the
ProxyAV or creating new certificate, refer to the
ProxyAV Configuration and Management Guide.
436
Chapter 19: Configuring Threat Protection
3. Add the ProxyAV to allow To add the ProxyAV to the ProxySG, see "Adding a
in-path threat detection and ProxyAV for Content Scanning".
enable malware scanning, To begin scanning of Web responses you must enable
on the ProxySG. malware scanning. Malware scanning, when enabled,
automatically invokes the built-in threat protection
policy. See "Enabling Malware Scanning"
Note: If you have manually configured a service group titled proxyav, the
ProxySG will display an error when attempting to create an automatic service
group titled proxyav. This error is caused by a naming conflict; to resolve the
conflict, you must rename the manually created proxyav service group.
437
SGOS 6.2 Administration Guide
3. In the Host field, enter the host name or IP address of the ProxyAV. Only an
IPv4 address is accepted.
4. Choose the connection mode(s) and ports. The default is plain ICAP only.
If you select secure ICAP, you must add an SSL device profile. An SSL device
profile contains the information required for device authentication, including
the name of the keyring with the private key and certificate this requires to be
authenticated. For information on SSL device profiles, refer to "About SSL
Device Profiles".
5. Click OK to save your changes and exit the open dialog box.
You now have proxyavx service that is automatically created to perform
response modification. Response modification means that the ProxyAV only
acts on requested content that is redirected to it by the ProxySG after the
content is served by the origin Web server.
6. Click Perform health check to verify that the ProxyAV is accessible. The health
check result is displayed immediately. For information on health checks, see
"Managing ICAP Health Checks".
7. Continue with "Enabling Malware Scanning".
438
Chapter 19: Configuring Threat Protection
Note: The threat protection policy cannot be edited. If you would like to
supplement or override the configuration in this policy, see "Fine Tuning the
Malware Scanning Policy using VPM".
439
SGOS 6.2 Administration Guide
440
Chapter 19: Configuring Threat Protection
441
SGOS 6.2 Administration Guide
442
Chapter 19: Configuring Threat Protection
2. Select the preference for your network, under Action on an unsuccessful scan. To
ensure network security, the default is Deny the client request.
3. Click Apply to save your changes.
See Also
❐ "Updating the Malware Scanning Policy"
❐ "Fine Tuning the Malware Scanning Policy using VPM"
443
SGOS 6.2 Administration Guide
2. Click Update malware scanning policy. The Install Malware Scanning Policy dialog
box displays.
3. (Optional) Enter the Installation URL. By default, the URL is
https://bto.bluecoat.com/download/modules/security/SGv6/
threatprotection.tar.gz
If you have downloaded the threat protection policy to a local Web server, add
the URL for the local Web server in this field.
Note: If you change the default URL, you cannot revert to the default
value. You must manually re-enter the URL.
4. Click Install.
5. (Optional) Click View to view the contents of the updated threat protection
policy file. Note: The threat protection policy cannot be edited.
6. Click OK to save your changes and exit.
444
Chapter 19: Configuring Threat Protection
scanning mode is high performance, you can add rules in VPM to invoke
maximum protection mode for sites that belong to select content filtering
categories such as software downloads or spyware sources.
The following example demonstrates how to create rules in VPM to complement
the malware scanning options that are set in configuration. The setting in
configuration, in the example below, uses maximum security. The VPM rule
allows internal traffic to be scanned using the high performance rules that are
defined in the threat protection policy.
2. Launch the VPM and create policy to scan all traffic from an internal host
using the high performance mode. This example uses the 10.0.0.0/8 subnet.
445
SGOS 6.2 Administration Guide
h. In the Destination column, right click and select Set. The Set Destination
Object dialog box displays.
i. Select Destination IP Address/Subnet. The Set Destination IP/Subnet
Object dialog displays.
j. Add the IP address and subnet for the internal host and click Close.
k. Click OK to save your changes and exit all open dialogs.
l. Click Apply to install the policy. After this policy is installed, all traffic
from the internal subnet 10.0.0.0/8 will be scanned using the high
performance mode.
3. The completed rule is shown below.
446
Chapter 19: Configuring Threat Protection
447
SGOS 6.2 Administration Guide
Note: If you have enabled malware scanning and have added only one ProxyAV
for content scanning, you must disable malware scanning before you can delete
the ProxyAV from the ProxyAV ICAP Servers list.
Malware scanning must be disabled so that the ProxyAV is no longer referenced
in the threat protection policy, and can be deleted.
To delete a ProxyAV:
1. Select Configuration > Threat Protection > Malware Scanning.
2. Select the ProxyAV to be deleted from the ProxyAV ICAP Servers list.
448
Chapter 19: Configuring Threat Protection
449
Chapter 20: Malicious Content Scanning Services
This chapter describes how to configure the ProxySG to interact with external
Internet Content Adaptation Protocol (ICAP) clients and servers to provide
content scanning and transformation.
To integrate the ProxyAV with the ProxySG, see "Configuring Threat
Protection".
449
SGOS 6.2 Administration Guide
450
Chapter 20: Malicious Content Scanning Services
❐ Whether to delete infected files that cannot be repaired from the ICAP server’s
archive
451
SGOS 6.2 Administration Guide
Note: Some ICAP servers do not support virus scanning for request modification,
but support only content filtering.
452
Chapter 20: Malicious Content Scanning Services
Sense Settings
The Sense Settings feature allows the ProxySG to query any identified ICAP
server running v1.0, detect the parameters, and configure the ICAP service as
appropriate. See "Creating an ICAP Service" on page 463.
453
SGOS 6.2 Administration Guide
ISTags
ISTags eliminates the need to designate artificial pattern version numbers, as was
required in v0.95.
Every response from an ICAP v1.0 server must contain an ISTag value that
indicates the current state of the ICAP server. For instance, when the pattern/
scanner version of a virus scanner on the ICAP server changes, the ISTag value
changes. This change invalidates all content cached with the previous ISTag value
and a subsequent request for any content in cache must be refetched from the
origin content server and scanned by the ICAP server.
Backing out a virus pattern on the ICAP server can revert ISTags to previous
values that are ignored by the ProxySG. To force the ProxySG to recognize the old
values, use the Sense Settings option. See "Creating an ICAP Service" on page 463.
Persistent Connections
New ICAP connections are created dynamically as ICAP requests are received (up
to the defined maximum connection limit). The connection remains open to
receive subsequent requests. If a connection error occurs, the connection closes to
prevent more errors.
Table 20–1 Content Types Scanned By ICAP Server and the ProxySG
All or specified file types, based • All HTTP objects • Streaming content (for
on the file extension, as (uploaded or downloaded) example, RTSP and MMS)
configured on the server. • All FTP over HTTP • Live HTTP streams (for
Examples: .exe (executable (webftp) objects (uploaded or example, HTTP radio
programs), .bat (batch downloaded) streams)
files), .doc and .rtf (document • All native FTP objects • CIFS
files), and .zip (archive files); or (uploaded or downloaded) • MAPI
specific MIME types.
The above is true for both • IM
transparent and explicit proxies.
• TCP tunnel traffic
454
Chapter 20: Malicious Content Scanning Services
With the ProxySG, you can define flexible, yet enterprise-specific content
scanning policies, which are discussed in the following two sections.
Notes
❐ Patience pages are not compatible with infinite stream connections—or live
content streamed over HTTP—such as a cam or video feed. ICAP scanning
cannot begin until the object download completes. Because this never occurs
with this type of content, the ProxySG continues downloading until the
maximum ICAP file size limit is breached. At that point, the ProxySG either
returns an error or attempts to serve the content to the client (depending on
fail open/closed policy). However, even when configured to fail open and
serve the content, the delay added to downloading this large amount of data
is often enough to cause the user give up before reaching that point.
❐ Patience pages are limited to Web browsers.
455
SGOS 6.2 Administration Guide
Note: This feature is supported for the HTTP proxy only; FTP connections are not
supported.
LEGEND:
1: After 5 seconds (default), trickling begins.
2: The response is received from the ICAP server (clean), and the client receives the
remaining bytes at the best connection possible.
Figure 20–3 A client receives only the initial bytes of a transaction during the ICAP scan.
After the ICAP server completes its scan:
❐ If the object is deemed to be clean (no response modification is required), the
ProxySG sends the rest of the object bytes to the client at the best speed
allowed by the connection.
❐ If the object is deemed to be malicious, the ProxySG terminates the connection
and the remainder of the response object bytes—which in this case are the
majority of the bytes—are not sent to the client.
Deployment Notes
❐ This method is the more secure option because the client receives only a small
amount of data pending the outcome of the virus scan.
❐ One drawback is that users might become impatient, especially if they notice
the browser display of bytes received. They might assume the connection is
poor or the server is busy, close the client, and restart a connection.
456
Chapter 20: Malicious Content Scanning Services
LEGEND:
1: After 5 seconds (default), the ICAP scan begins, but the client begins receiving bytes at
the best connection possible.
2: Trickling begins for the final 16K of data.
3: The response is received from the ICAP server (clean), and the client receives the
remaining bytes.
Figure 20–4 A client receives most of the bytes immediately during the ICAP scan.
After the ICAP server completes its scan, the behavior is the same as described in
"Trickling Data From the Start" on page 456.
Deployment Notes
❐ Blue Coat recommends this method for media content, such as flash objects.
❐ This method is more user-friendly than trickle at start. This is because users
tend to be more patient when they notice that 99% of the object is downloaded
versus 1%, and are less likely to perform a connection restart. However,
network administrators might perceive this method as the less secure method,
as a majority of the object is delivered before the results of the ICAP scan.
457
SGOS 6.2 Administration Guide
458
Chapter 20: Malicious Content Scanning Services
❐ The upstream ProxySG is performing ICAP scanning, and the downstream ProxySG is
not: The only issue with this deployment is that user agent-specific policy
cannot be applied at the core ProxySG because the branch ProxySG
consolidates multiple client requests in one out-going request to the upstream
ProxySG. If data trickling is employed at the upstream ProxySG and if ICAP
scanning detects a virus, the upstream ProxySG resets the client connection.
This also deletes the corrupted object from the downstream ProxySG cache.
❐ Both ProxySG appliances (upstream and downstream) are scanning: Behavior is
mostly determined by the configuration of the upstream ProxySG.
• If the upstream ProxySG is configured to deliver patience pages, then the
downstream ProxySG also attempts to serve patience pages, including to
non-graphical user agents. Therefore, this method is not recommended.
• If the upstream ProxySG employs data trickle from start, the downstream
ProxySG is not able to send any bytes to the client for a long period of
time. If a patience page is not configured on the downstream ProxySG,
users might experience connection time-outs.
• If the upstream ProxySG employs trickle at end, the downstream ProxySG
allows for all options of patience page and data trickling.
459
SGOS 6.2 Administration Guide
Note: See "Creating an ICAP Service" on page 463 for information about setting
the defer scanning threshold value on the ProxySG Management Console.
When an ICAP connection is deferred, the connection to the ICAP server is closed.
The application response continues to be received and when the download is
complete the ICAP request is restarted. The new ICAP request may still be
queued if there are no available ICAP connections. After a request is deferred,
ICAP waits to receive the full object before restarting the request. If there is a
queue when a deferred action has received a complete object, that action is
queued behind other deferred actions that have finished. However it will be
queued before other new requests.
460
Chapter 20: Malicious Content Scanning Services
Notes
❐ Failover is configured as part of the ICAP policy definition.
❐ You cannot configure failover policy until ICAP services are configured on the
ProxySG.
❐ To avoid errors, ICAP service names cannot be named fail_open or fail_closed
(the CLI commands prevent these names from being created).
461
SGOS 6.2 Administration Guide
1. Install and configure the Follow the manufacturer instructions for installing the
ICAP server ICAP server, including any configuration necessary to
work with the ProxySG.
Based on your network environment, you might use
the ProxySG with multiple ICAP servers or multiple
scanning services on the same server. Configure
options as needed, including the exception message
displayed to end users in the event the requested
object was modified or blocked.
2. Decide whether to scan data Scan data using the plain ICAP method, secure ICAP
using plain ICAP or secure method or both.
ICAP • Plain ICAP should be used only for non-
confidential data. In particular, if plain ICAP is
used for intercepted HTTPS traffic, then data
intended to be cryptographically secured would
be transmitted in plain text on the local network.
• Secure ICAP send data through a secure data
channel. This method protects the integrity of
messages that are sent between the ProxySG and
the ICAP server while it allows users to
authenticate ICAP servers by enabling certificate
verification.
462
Chapter 20: Malicious Content Scanning Services
4. Create and configure new Create an ICAP service that specifies the ICAP server
or existing ICAP services on IP address, supported connection method, content
the ProxySG. processing mode and select deferred scanning, if
For information on ICAP desired. See "Creating an ICAP Service".
content processing modes,
see "Content Processing
Modes".
5. Specify the feedback Select patience pages or data trickling for feedback
method method. See "Configuring ICAP Feedback".
6. Add ICAP rules to policy Depending on your network needs, add ICAP rules to
policy and install the policy file on the ProxySG.
See Section E: "Creating ICAP Policy"
463
SGOS 6.2 Administration Guide
2a
2b
4a-f
a. In the Service URL field, enter the ICAP server URL, which includes the
URL schema, ICAP server hostname or IP address. For example:
icap://10.x.x.x/
464
Chapter 20: Malicious Content Scanning Services
Note: The connection timeout value does not measure how much of the
scanning process is complete, it is a mechanism for ensuring that the
communication between the appliances is alive and healthy. The details of
the interaction between the ProxySG appliance and the ICAP server can
only be viewed through a packet capture.
If the ICAP server does not respond within the configured timeout value,
by default, the user will not receive the requested content. However, if the
ProxyAV is your ICAP server, the scanning response configured in the
Configuration > Threat Protection > Malware Scanning determines whether or
not the user is served the requested content.
465
SGOS 6.2 Administration Guide
f. Select Use vendor’s “virus found” page to display the default vendor error
exception page to the client instead of the ProxySG exception page.
This is the default behavior for SGOS upgrades from previous versions.
This feature maintains the same appearance of previous versions, but also
retains the inherent timestamp issues involved with cache hits. If this
option is not selected, the exception pages originate from the ProxySG,
and they employ the accurate timestamps for cache hits.
5a-e
5. Configure service ports for plain ICAP and secure ICAP. You can enable one
or both types of ICAP connections at the same time. However, you must select
at least one type of ICAP service.
a. Select This service supports plain ICAP connections to use plain ICAP. Use
plain ICAP when you are scanning plain data (HTTP). In this case, if
the HTTPS proxy is enabled on the ProxySG, the data is decrypted first
on the ProxySG and then sent to the ICAP server.
b. In the Plain ICAP port field, enter a port number. The default port is 1344.
c. Select This service supports secure ICAP connections to use secure ICAP.
Use secure ICAP when you are scanning sensitive or confidential data
(HTTPS).
d. In the Secure ICAP port field, enter a port number. The default port is
11344.
e. If you selected secure ICAP, make sure that you select a valid SSL
profile for secure ICAP in the SSL Device Profile field. This associates an
SSL device profile with the secure ICAP service.
Note: If you do not select an SSL device profile you cannot use secure
ICAP connections. The SSL device profile can be customized for your
environment. For more information, refer to "Appliance Certificates and
SSL Device Profiles" on page 1330.
466
Chapter 20: Malicious Content Scanning Services
6b
6c
6d
6a
6e
c. (Only for RESPMOD service) If you are using file scanning policies
based on file extensions on the ProxyAV appliance, enter 0 in the
Preview size (bytes) field, and select enabled. With a 0 bytes preview size,
only response headers are sent to the ICAP server; more object data is
only sent if requested by the ICAP server.
or
If you have enabled the Kaspersky Apparent Data Types feature on the
ProxyAV appliance, enter a value (512 is recommended) in the Preview size
(bytes) field, and select enabled. The ICAP server reads the object up to the
specified byte total. The ICAP server either continues with the transaction
(that is, receives the remainder of the object for scanning) or opts out of the
transaction.
or
Unselect enabled if the above two situations don’t apply to you; do not use
the preview option.
d. (Optional) The Send options allow additional information to be
forwarded to the ICAP server. Select one or more of the following:
Client address, Server address, Authenticated user, or Authenticated groups.
467
SGOS 6.2 Administration Guide
See Also
❐ "About Content Scanning" on page 450
❐ "Configuring ProxySG Appliance ICAP Communications" on page 462
❐ "Avoiding Network Outages due to Infinite Streaming Issues" on page 459
❐ "Configuring ProxySG Appliance ICAP Communications" on page 462
❐ "Securing Access to an ICAP Server" on page 477
❐ "Monitoring ICAP Requests and Sessions" on page 484
❐ "Managing Virus Scanning" on page 504
468
Chapter 20: Malicious Content Scanning Services
Note: You cannot delete an ICAP service used in an ProxySG policy (that is,
if a policy rule uses the ICAP service name) or that belongs to a service group.
Before proceeding with the steps below, make sure to remove the references in
policy and remove the ICAP service from the service group.
469
SGOS 6.2 Administration Guide
2a
2b
2c
3a
3b
3c
Note: When the deferred scanning option is enabled and a patience page
is configured, the browser continues to receive a patience page until the
object is fully received and the outstanding ICAP actions have
completed.
470
Chapter 20: Malicious Content Scanning Services
• Trickle object data from start: The client receives 1 byte per second, which
should prevent connection time-outs while the ICAP server performs
the scan. If the response from the ICAP server is clean, the client
receives the rest of the object data at the best connection speed
possible. If the scan detects malicious content, the connection is
dropped. This is the more secure method.
• Trickle object data at end: The client receives most (99%) of the object
data, but the final bytes are sent at the rate of one per second while the
ICAP scanner performs the scan. If the response from the ICAP server
is clean, the client receives the rest of the object data at the best
connection speed possible. If the scan detects malicious content, the
connection is dropped. This is the least secure method, as most of the
data has already been delivered to the client. However, this method
provides the best user experience because there most of the object is
already delivered.
Note: When deferred scanning is enabled and the data trickle options are
configured, the object continues to trickle during deferred scanning.
However, due to the trickle buffer requirement, there may be a delay
before the ProxySG starts sending a response.
471
SGOS 6.2 Administration Guide
The following topics describe how to customize the HTTP/FTP patience page:
❐ "HTTP Patience Text" on page 472
❐ "FTP Patience Text" on page 475
2a
2b
2c
2d
2. In the HTTP Patience Page Customization section, click Header, Summary, Details, or
Help. The corresponding customize dialog displays. Customize the
information as appropriate.
472
Chapter 20: Malicious Content Scanning Services
473
SGOS 6.2 Administration Guide
Interactivity Notes
❐ When ICAP scanning is enabled and a patience page is triggered, a unique
URL is dynamically generated and sent to the browser to access the patience
page. This unique URL might contain a modified version of the original URL.
This is expected behavior.
❐ Patience pages and exceptions can only be triggered by left-clicking a link. If a
user right-clicks a link and attempts to save it, it is not possible to display
patience pages. If this action causes a problem, the user might see browser-
specific errors (for example, an Internet site not found error); however, ICAP
policy is still in effect.
❐ A patience page is not displayed if a client object request results in an HTTP
302 response and the ProxySG pipelines the object in the Location header.
After the ProxySG receives the client request for the object, the client enters a
waiting state because a server-side retrieval of the object is already in
progress. The wait status of the client request prevents the patience page from
displaying. To prevent the ProxySG from pipelining these requests (which
decreases performance) and to retain the ability to provide a patience page,
configure HTTP as follows:
#SGOS (config) http no pipeline client redirects
❐ The status bar update does not work if it is disabled or if the Javascript does
not have sufficient rights to update it.
474
Chapter 20: Malicious Content Scanning Services
2. In the FTP Patience Page Customization field, click Summary; the Customize FTP
Patience Text dialog displays. Customize the FTP client patience text as
appropriate.
3. Click OK.
4. Click Apply.
475
SGOS 6.2 Administration Guide
476
Chapter 20: Malicious Content Scanning Services
477
SGOS 6.2 Administration Guide
Note: The SG210 has only two network interfaces that default as a hardware
bridge.
478
Chapter 20: Malicious Content Scanning Services
c. Choose a name for this certificate and enter it in the CA Cert Name field,
then paste the certificate in the CA Certificate PEM panel. You must
include the ----BEGIN CERTIFICATE---- and -----END CERTIFICATE---
-- statements.
d. Click OK. The dialog closes and you return to the CA Certificates tab.
e. Click Apply to save your settings.
4. Create a CA Certificate List. For more information, see "Creating CA
Certificate Lists" on page 1191.
a. From the ProxySG appliance Management Console, select Configuration
> SSL > CA Certificates > CA Certificate Lists. The CA Certificates Lists page
displays.
b. Click New. The Create CA Certificate List dialog displays.
c. Enter the name of the certificate list in the field provided.
d. Locate the certificate that you imported in Step 3, then click Add >> to
move the certificate to the Selected column.
e. Click OK. The dialog closes and you return to the CA Certificate Lists
page. The new certificate list is shown in the table.
f. Click Apply to save your settings.
5. Create an SSL device profile for the ICAP server. For more information, see
"About SSL Device Profiles" on page 1330.
a. From the ProxySG appliance Management Console, select Configuration
> SSL > Device Profiles. The Profiles page displays.
479
SGOS 6.2 Administration Guide
e. Enter the Service URL of the ICAP server, for example, icap://
192.0.2.0/avscan.
f. In the ICAP Service Ports section, select the check box for This service
supports secure ICAP connections.
g. Set the SSL device profile to the profile that was created in Step 5.
h. To set remaining configurations for the ProxySG appliance, see
"Creating an ICAP Service" on page 463.
i. Click OK. The dialog closes and you return to the ICAP Services page.
j. Click Apply to save your settings.
Note: The SG210 offers only two physical ports, making it difficult to connect to
the private network and WAN, while still being able to plug in the Ethernet cable.
480
Chapter 20: Malicious Content Scanning Services
Note: If you are using an SG210, you are restricted to only two network
interfaces that default as a hardware bridge. Although you can still use a
crossover cable to connect the ProxySG appliance to an ICAP server, setup is not
recommended, as it requires that you disable bridging and install the SG210 as an
explicit proxy.
b. Select New. The Add list item dialog displays. Enter the ICAP service in
the field provided, then click OK. The dialog closes and you return to
the ICAP Services page.
c. Select the service you just created, then click Edit. The Edit ICAP Service
dialog displays.
d. Enter the Service URL of the ICAP server, for example, icap://
192.0.2.0/avscan.
e. In the ICAP Service Ports section, select the check box for This service
supports plain ICAP connections.
481
SGOS 6.2 Administration Guide
482
Chapter 20: Malicious Content Scanning Services
Blue Coat recommends that all ProxySG appliances reside on the same subnet
as the ICAP servers, even in cases where multiple ProxySG appliances are
load balanced with multiple ICAP servers. Although you can put the ICAP
server in California and the ProxySG appliance in New York, performance
will suffer. For optimal performance, the ICAP server and ProxySG appliance
must be physically and logically close to each other; Blue Coat recommends
that the ICAP server be on the next-hop VLAN.
3. Set each ProxySG appliance's IP address from this subnet on its interface 1:0,
with selected netmask.
4. Set each ICAP server’s IP address from this subnet on its interface 1 using the
same netmask.
5. Plug each each ProxySG appliance’s interface 1:0 and each ICAP server’s
interface 1 into the private network switch.
6. Create one or more ICAP services on each ProxySG appliance, pointing at the
ICAP servers’ IP addresses selected above.
a. Create an ICAP response service. Select Configuration > External Services
> ICAP > ICAP Services. The ICAP Services page displays.
b. Select New. The Add list item dialog displays. Enter the ICAP service in
the field provided, then click OK. The dialog closes and you return to
the ICAP Services page.
c. Select the service you just created, then click Edit. The Edit ICAP Service
dialog displays.
d. Enter the Service URL of the ICAP server, for example, icap://
192.0.2.0/avscan.
e. In the ICAP Service Ports section, select the check box for This service
supports plain ICAP connections.
483
SGOS 6.2 Administration Guide
Statistic Definition
Secure Requests ICAP scanning transactions that are encrypted and tunneled
over SSL
Deferred Requests ICAP scanning transactions that have been deferred until
the full object has been received
Bytes Sent Bytes of ICAP data sent to the ICAP service or service group
Note: Bytes Sent does not include secure ICAP traffic.
Bytes Received Bytes of data received from the ICAP service or service
group
484
Chapter 20: Malicious Content Scanning Services
Statistic Definition
485
SGOS 6.2 Administration Guide
Additional Information
❐ While the ICAP statistics screen is displayed, you can view new graphs by
selecting different services, service groups, time periods, or graph types.
❐ Graphs automatically refresh every minute. This may be noticeable only on
graphs with the Last Hour duration.
❐ To see the actual statistics associated with a bar on the graph, hover the mouse
pointer anywhere on the bar. A box showing the statistics and total appears at
the mouse pointer.
486
Chapter 20: Malicious Content Scanning Services
3. From the Duration drop-down list, select the time period for the statistics: Last
Hour, Last Day, Last Week, Last Month, or Last Year.
For the time period you selected, the ProxySG displays statistics for
individual services as well as totals for all services.
4. (Optional) Select the service name from the Service drop-down list.
5. (Optional) Select the ICAP state from the Status drop-down list: Any, transferring,
deferred, scanning, completed.
6. (Optional) To limit the number of connections to view, select Display the most
recent and enter a number in the results field. This helps optimize performance
when there is a large number of connections.
487
SGOS 6.2 Administration Guide
7. (Optional) To view the current errored proxied sessions, select Show errored
sessions only.
8. Click Show. The Proxied Sessions table displays the ICAP-enabled sessions.
Of particular interest in the Proxied Sessions table is the ICAP (I) column. This
column indicates the status of the ICAP-enabled session, with unique icons
identifying the status of the connection. Table 20–4 describes each of the icons. For
descriptions of the other columns in the table, see "About the Proxied Sessions
Statistics" on page 773.
(magnifying glass) Scanning — ICAP requests are in the process of being scanned
Additional Information
❐ Icon Tooltips—When you mouse over an ICAP icon, a tooltip displays details
about the ICAP-enabled session:
• The type of service (REQMOD and/or RESPMOD)
• The name of the service
488
Chapter 20: Malicious Content Scanning Services
❐ When the following conditions are meet, two ICAP services display for one
explicit HTTPS connection:
• An ICAP service group is used for request modification (REQMOD) and
there are more than one ICAP service in the ICAP service group.
• Explicit HTTPS connection are set by policy to perform ICAP request
modification (REQMOD).
• The ProxySG is configured to intercept these HTTPS connections.
❐ When only one type of service is used for a session, the tooltip indicates
whether the other type is inactive or unsupported, for example:
RESPMOD Service: inactive
Sorting—If you click the I column heading, the sessions are sorted in the
following order:
❐ Transferring
❐ Deferred
❐ Scanning
❐ Completed
❐ Inactive
❐ Unsupported
4. (Optional) Select the service name from the Service drop-down list.
5. (Optional) Select the ICAP state from the Status drop-down list: Any,
transferring, deferred, scanning, completed.
6. (Optional) To limit the number of sessions to view, select Display the most recent
and enter a number in the results field. This helps optimize performance when
there is a large number of connections.
489
SGOS 6.2 Administration Guide
7. Click Show. The Proxied Sessions table displays the active and inactive errored
ICAP-enabled sessions.
490
Chapter 20: Malicious Content Scanning Services
VPM Objects
The VPM contains the following objects specific to Web content scanning.
Table 20–5 AV Scanning Objects
Object Layer>Column
Virus Detected Web Access>Service
For information on the VPM and defining policies, refer to Visual Policy Manager
Reference.
For more information on using CPL, refer to Content Policy Language Guide
491
SGOS 6.2 Administration Guide
To perform virus scanning, protecting both the server side and the client side:
1. In the VPM, select Policy > Web Access Layer. Name the layer RequestAV.
2. Right-click the Action column; select Set. The Set Action Object dialog displays.
3. Click New.
4. Select Set ICAP Request Service; the Add ICAP Request Service Object dialog
displays.
492
Chapter 20: Malicious Content Scanning Services
5a
5b
5c
5d
5e
493
SGOS 6.2 Administration Guide
6. In the VPM, select Policy > Add Web Content Layer. Name the rule ResponseAV.
7. Right-click the Action column; select Set. The Set Action Object dialog displays.
8. Click New.
9. Select Set ICAP Response Service; the Add ICAP Response Service Object dialog
displays.
10a
10b
10c
10e
494
Chapter 20: Malicious Content Scanning Services
495
SGOS 6.2 Administration Guide
5c
5a
5b
5d
496
Chapter 20: Malicious Content Scanning Services
497
SGOS 6.2 Administration Guide
The following table lists the error codes and their descriptions:
Table 20–6 ICAP Error Codes Available in Policy
Password protected Password Protected Archive Archive file could not be scanned because
it is password protected.
Max file size exceeded Maximum File Size Maximum individual file size to be
Exceeded scanned exceeds settings in configuration.
The maximum individual file size that
can be scanned depends on the RAM and
disk size of the ProxyAV appliance
model.
Max total size exceeded Maximum Total Size Maximum total uncompressed file size
Exceeded exceeds settings in configuration. The
maximum limit varies by ProxyAV
appliance model.
Max total files exceeded Maximum Total Files Maximum total files in an archive exceeds
Exceeded settings in configuration.
The maximum is 100,000.
Max archive layers Maximum Archive Layers Maximum number of layers in a nested
exceeded Exceeded archive exceeds settings in configuration.
The maximum by vendor is:
• Panda: 30
• McAfee: 300
• All others: 100.
File type blocked File Type Blocked Blocked a file type as configured on the
ICAP server settings.
File extension blocked File Extension Blocked Blocked a file extension as configured on
the ICAP server settings.
Antivirus load failure Anti-virus Load Failure Unable to load antivirus engine on the
ICAP server.
498
Chapter 20: Malicious Content Scanning Services
ICAP connection mode ICAP Connection Mode not ICAP server does not support the
not supported Supported configured connection mode. For
example, plain ICAP is required but
server supports only secure ICAP and
vice versa.
ICAP security error ICAP Security Error (Secure ICAP error) Unable to establish a
secure connection to the ICAP server. This
could be because the SSL device profile is
not enabled or is corrupt.
499
SGOS 6.2 Administration Guide
500
Chapter 20: Malicious Content Scanning Services
c. Click Selected Errors and select the Decode error from the list of available
errors.
d. Click OK to save your changes and exit all open dialogs.
3. In the Source column, right click and select Set. The Set Source Object dialog
displays.
501
SGOS 6.2 Administration Guide
4. In the Action column, right-click set the action to Allow. Now you have rule in
the Web Access Later that allows the SuperUser group access to content when
the ProxySG receives the ICAP decode error.
5. Add another rule in the Web Access Layer to deny access to unscanned content
to all other users in the network.
a. In the Service column, right click and select Set. The Set Service Object
dialog displays.
b. Select the ICAP error code service object that you created in Step1 from
the list. Click OK.
c. In the Action column, right click and set action to Deny.
6. Click Install Policy, to install the policy.
502
Chapter 20: Malicious Content Scanning Services
CPL Notes
The following CPL properties are available to manage ICAP services:
• request.icap_service() for request modification
• response.icap_service() for response modification
❐ If policy specifies that an ICAP service is to be used, but the service is not
available, the default behavior is to fail closed—that is, deny the request or
response. The following CPL allows the serving of objects without ICAP
processing if the server is down.
request.icap_service(service_name, fail_open)
response.icap_service(service_name, fail_open)
When the ICAP service is restored, these objects are scanned and served from
the cache if they are requested again.
Note: Blue Coat recommends this CPL to be used for internal sites; use with
caution.
❐ When configuring the secure ICAP feature, the following CPLs are used:
request.icap_service.secure_connection(option)
response.icap_service.secure_connection(option)
request.icap_service.secure_connection.service_name(option)
response.icap_service.secure_connection.service_name(option)
request.icap_service.secure_connection
[service__0,service_1,...,service_N-1](option)
response.icap_service.secure_connection
[service__0,service_1,..., service_N-1](option)
503
SGOS 6.2 Administration Guide
Advanced Configurations
This section summarizes more-advanced configurations between the ProxySG
and multiple ICAP servers. These brief examples provide objectives and suggest
ways of supporting the configuration.
504
Chapter 20: Malicious Content Scanning Services
When the virus definitions are updated, the ProxySG stores a signature. This
signature consists of the server name plus a virus definition version. If either of
these changes, the ProxySG checks to see if the object is up to date, and then
rescans it. If two requests for the same object are directed to different servers, then
the scanning signature changes and the object is rescanned.
where:
Type=number Specifies the numeric code for the virus.
Resolution= Specifies an integer value that indicates what action was taken to fix
the file. Zero (0) defines the file is unrepairable, one (1) specifies that
the file was repaired, and two (2) specifies that the file was deleted.
Threat= Specifies the name of the virus.
505
SGOS 6.2 Administration Guide
Note: The access log string cannot exceed 256 characters. If the header name or
value extends the length over the limit, then that string does not get logged. For
example, if the x-virus-id header value is 260 characters, the access log displays
"x-virus-id: " with no value because the value is too long to display. Also, if the
access log string is already 250 characters and the ProxySG attempts to append a
"Malicious-Mobile-Type: " string, the string is not appended
Access log entries might vary depending upon the type of ICAP scan performed
and the custom log formats. For information about default and custom access log
formats, see "Creating Custom Access Log Formats" on page 685.
506
Chapter 21: Configuring Service Groups
This chapter describes how to create and manage ICAP or Websense service
groups. In high-traffic network environments, a service group accelerates
response time by a performing a higher volume of scanning.
507
SGOS 6.2 Administration Guide
Legend:
Weighting
Weighting determines what proportion of the load one server bears relative to the
others when transactions are waiting to be scanned. (The waiting transactions are
typically large file downloads.) If all servers have either the default weight (1) or
the same weight, each share an equal proportion of the load when transactions are
waiting. If one server has weight 25 and all other servers have weight 50, the
25-weight server processes half as much as any other server.
508
Chapter 21: Configuring Service Groups
Before configuring weights, consider the capacity of each server. The processing
capacity of the server hardware in relationship to other servers (for example, the
number and performance of CPUs or the number of network interface cards)
could affect assigned weight of a ICAP server.
Having appropriate weights assigned to your services is critical when all servers
in a service group have waiting transactions. As servers reach their capacity,
proper weighting is important because requests are queued according to weight.
One technique for determining weight assignments is to start out by setting equal
weights to each service in a group; then, after several thousand requests, make
note of how many requests were handled by each service. For example, support
there are two services in a group: Service A handled 1212 requests, Service B
handled 2323. These numbers imply that the second service is twice as powerful
as the first. So, the weights would be 1 for Service A and 2 for Service B.
Setting the weight value to 0 (zero) disables weighted load balancing for the ICAP
service. Therefore, if one ICAP server of a two-server group has a weight value of
1 and the second a weight value of 0, should the first server go down, a
communication error results because the second server cannot process the
request.
Load Balancing
When load balancing between services, how does the ProxySG decide which
ICAP service to send a scanning request to? For each service, it calculates an index
by dividing the number of waiting transactions by the server weight (think of this
as wait/weight). The ICAP service with the lowest index value handles the new
ICAP action, assuming that the service has an available connection to use. If it
does not, it sends the request to the service with the next lowest index value that
has a free connection.
Note: If there are no transactions waiting, load balancing using the assigned
weights does not take effect.
509
SGOS 6.2 Administration Guide
Example1
Service A and B are in the same service group.
❐ Service A can handle up to 50 connections, is assigned a weight of 1, has 17
active transactions, with 5 transactions in the waiting state. The index is
calculated by dividing the wait by the weight: 5/1 = 5.
❐ Service B can handle up to 100 connections, is assigned a weight of 2, has 17
active connections, with 15 waiting transactions. The index is 15/2 = 7.5.
To which service will the ProxySG assign the next ICAP action? Service A because
it has a lower index.
Example 2
Service C and D are in the same service group.
❐ Service C can handle up to 5 connections, is assigned a weight of 1, has 5
active transactions, with 1 transaction in the waiting state. The index is 1/1=1.
❐ Service D can handle up to 10 connections, is assigned a weight of 1, has 7
active transactions, with 5 waiting transactions. The index is 5/1=5.
To which service will the ProxySG assign the next ICAP action? Although Service
C has a lower index than Service D, it does not have any available connections;
therefore, the ProxySG assigns the next ICAP action to Service D which has
several free connections.
2b
2a
510
Chapter 21: Configuring Service Groups
4b
4c
4a
511
SGOS 6.2 Administration Guide
5b
5a
See Also
"About Service Groups" on page 507
"Deleting a Service Group or Group Entry" on page 513
"Displaying External Service and Group Information" on page 513
512
Chapter 21: Configuring Service Groups
Note: A service or service group used in a ProxySG policy (that is, if a policy rule
uses the entry) cannot be deleted; it must first be removed from the policy.
513
SGOS 6.2 Administration Guide
websense4
Version: 4.4
Host: www.websense.com/list
Port: 15868
Max-conn: 5
Timeout(secs): 70
Send: nothing
Fail-by-default: closed
Apply-by-default: no
Serve-exception-page:yes
; External Service-Groups
CorpICAP
total weight 5
entries:
ICAP1
weight 4
ICAP2
weight 1
BranchWebsense
total weight 2
entries:
Websense1
weight 1
Websense2
weight 1
514
Chapter 22: Managing Streaming Media
515
SGOS 6.2 Administration Guide
516
Chapter 22: Managing Streaming Media
In the case of live video broadcasts, ProxySG appliances can take a single stream
of video and then split it locally into enough streams to serve all local viewers;
this is called live splitting.
517
SGOS 6.2 Administration Guide
In the typical streaming server-client model, the streaming server sends a separate
copy of the media stream to each client that requested the same unique stream.
Because streaming media uses a considerable amount of bandwidth, delivering
multiple copies of the same media data between the streaming server and the
clients can cause significant network and server congestion. The more clients that
request the same media stream, the more bandwidth is used.
Planning for efficient bandwidth use is important for streaming media because
bandwidth use has a direct correspondence to the quality of the media streams
that are delivered to the clients. If your network is congested, your users are likely
to experience problems such as jagged video, patchy audio, and unsynchronized
video and audio as packets are dropped or arrive late. Conversely, the more
bandwidth that is available, the better the quality of media streams.
The ProxySG appliance has several methods for allocating bandwidth to
streaming media traffic. See "Limiting Bandwidth" on page 525.
518
Chapter 22: Managing Streaming Media
SGOS offers unified support for WM content delivered over RTSP and HTTP. The
ProxySG appliance’s HTTP proxy hands off Windows Media Player HTTP
streaming requests to the Windows Media HTTP Module, which itself is a
component of the Windows Media RTSP Proxy.
The ProxySG supports the caching of WM content over the RTSP and HTTP
protocols. The ProxySG uses the same object cache, which means the content can
be served over RTSP and HTTP protocols. WM-HTTP and WM-RTSP both share
the same cache.
Live splitting is also supported over both protocols, where all RTSP clients are
served by an RTSP splitter and all HTTP clients are served by a separate HTTP
splitter, involving two separate live streams to the server, one each for RTSP and
HTTP.
Live Support
Table 22–1 Windows Media live streaming feature support
UDP Retransmission No
519
SGOS 6.2 Administration Guide
On-Demand Support
Table 22–2 Windows Media on-demand streaming feature support
UDP Retransmission No
Stream Change No
Multicast Support
Table 22–3 Windows Media multicast UDP streaming feature support
Feature Multicast
Server-Side Playlists No
Stream Change No
520
Chapter 22: Managing Streaming Media
Bandwidth Management
Windows Media supports bandwidth management for both client-side and
gateway-side streaming traffic. Bandwidth limits are also be supported for pass-
through streams. See "Limiting Bandwidth" on page 525 for more information.
Delivery Methods
The ProxySG appliance supports the following streaming delivery methods:
521
SGOS 6.2 Administration Guide
Device requirement The network devices use The network devices must
unicast. support multicast (not all
do).
522
Chapter 22: Managing Streaming Media
523
SGOS 6.2 Administration Guide
Benefits of Multicast
The benefits of using multicast for streaming media include the following:
❐ It alleviates network congestion.
❐ For live streaming events that have a large audience, multicast significantly
reduces network traffic compared to the traffic that would result from
transmitting the same live event over unicast. If unicast transport is used, the
same content must be sent across the network multiple times or it must be
broadcast to all devices on the network.
❐ It scales well as the number of participants expand.
❐ It is well suited for efficient transmission over satellite links.
A company might, for example want to reserve WAN connections for
business-critical traffic, such as stock trades, but it needs a way to deliver
corporate broadcasts. The company could efficiently transmit corporate
broadcasts over satellite by using multicast transmission and reserve the
WAN for business-critical traffic.
❐ It enables network planners to proactively manage network growth and
control cost because deploying multicast is more cost-effective than
alternatives for increasing LAN and WAN capabilities.
Limitations of Multicast
The limitations of multicast include the following:
❐ Multicast support is not yet widely available on the Internet. Therefore, using
multicast to deliver content is limited to intranet-style deployments.
❐ Not all networking equipment supports multicasting. In addition, not all
network administrators enable the multicast functionality on their networking
equipment.
❐ Switches do not understand multicast. When a multicast stream reaches a
switch, the switch sends the multicast stream to all of its ports. A switch treats
a multicast address as an Ethernet broadcast.
524
Chapter 22: Managing Streaming Media
Limiting Bandwidth
The following sections describe how to configure the ProxySG appliance to limit
global and protocol-specific media bandwidth.
To manage streaming media bandwidth, you configure the ProxySG appliance to
restrict the total number of bits per second the appliance receives from the origin
media servers and delivers to clients. The configuration options are flexible to
allow you to configure streaming bandwidth limits for the ProxySG appliance, as
well as for the streaming protocol proxies (Windows Media, Real Media, and
QuickTime).
After it has been configured, the ProxySG appliance limits streaming access to the
specified threshold. If a client tries to make a request after a limit has been
reached, the client receives an error message.
Note: If a maximum bandwidth limitation has been specified for the ProxySG
appliance, the following condition can occur. If a Real Media client, followed by a
Windows Media client, requests streams through the same ProxySG appliance
and total bandwidth exceeds the maximum allowance, the Real Media client
enters the rebuffering state. The Windows Media client continues to stream.
525
SGOS 6.2 Administration Guide
526
Chapter 22: Managing Streaming Media
Windows Media
The ProxySG appliance caches Windows Media-encoded video and audio files.
The standard extensions for these file types are: .wmv, .wma, and .asf.
Real Media
The ProxySG appliance caches Real Media-encoded files, such as RealVideo and
RealAudio. The standard extensions for these file types are: .ra, .rm, and .rmvb.
Other content served from a Real Media server through RTSP is also supported,
but it is not cached. This content is served in pass-through mode only. (Pass-
through mode offers application, layer-7 proxy functionality, but does not support
acceleration features—caching, pre-population, splitting, and multi-casting.)
QuickTime
The ProxySG appliance does not cache QuickTime content (.mov files). All
QuickTime content is served in pass-through mode only.
Flash
The ProxySG appliance caches pre-recorded audio and video content delivered
over Real Time Messaging Protocol (RTMP) or RTMP traffic tunneled over HTTP
(RTMPT). Flash media files have .flv, .f4v extensions.
527
SGOS 6.2 Administration Guide
❐ MMS (Microsoft Media Services), MMSU (MMS UDP), and MMST (MMS
TCP) are considered to be identical.
❐ RTMP and RTMPT are considered to be identical.
Splitting of live unicast streams provides bandwidth savings, since subsequent
requests do not increase network traffic.
Note: The Flash proxy does not cache videos that the OCS delivers by
dynamic streaming.
528
Chapter 22: Managing Streaming Media
Pre-Populating Content
Note: This feature applies to Windows Media and Real Media only.
Note: Content must be hosted on an HTTP server in addition to the media server.
Using the content distribute CLI command, content is downloaded from the
HTTP server and renamed with a given URL argument. A client requesting the
content perceives that the file originated from a media server. If the file on the
origin media server experiences changes (such as naming convention), SGOS
bypasses the cached mirrored version and fetches the updated version.
Example:
content distribute rtsp://wm_server/bar.wmv from http://web_server/
bar.wmv
Windows Media Server version 9 and higher contains a feature called Fast
Streaming that allows clients to provide streams with extremely low buffering
time.
SGOS supports the following functionality for both cached and uncached content:
❐ Fast Start—Delivers an instant playback experience by eliminating buffering
time. The first few seconds of data are sent using the maximum available
bandwidth so that playback can begin as soon as possible.
529
SGOS 6.2 Administration Guide
❐ Fast Cache—Streams content to clients faster than the data rate that is
specified by the stream format. For example, fast caching allows the server to
transmit a 128-kilobits-per-second (Kbps) stream at 500 Kbps. The Windows
Media client buffers the streaming content before it is rendered at the specified
rate — 128 Kbps for this stream.
In the case of MBR VOD content, fast- caching content to the local cache of the
Windows Media client impacts playback quality. To maintain smooth
streaming of MBR VOD content, you might need to disable the fast-caching
ability of the Windows Media client. By default, fast-caching is enabled on the
ProxySG. You can use the VPM or CPL to configure policy for disabling fast
caching, thereby preventing the Windows Media clients from fast- caching
content to the local cache. For the VPM and CPL properties, see the Visual
Policy Manager Reference and the Content Policy Language Reference.
Fast Recovery and Fast Reconnect are currently not supported on the ProxySG
appliance.
IPv6 Support
All streaming proxies include IPv6 support, and the ProxySG can act as a
transitional devices between IPv4 and IPv6 networks for Flash, Windows Media
(RTSP, HTTP), Real Media, and QuickTime. Streaming proxies support IPv6 in the
following ways:
❐ Flash: RTMP-based protocols (such as RTMP, RTMPT) support IPv6 for
making upstream connections to the origin content server (OCS) as well as can
accept IPv6 client connections.
❐ Windows Media:
• RTSP and HTTP protocols support IPv6 for making upstream connections
to the origin content server (OCS), and can accept IPv6 client connections.
• For multicast-station, the RTSP protocol can be used when retrieving
content from an IPv6 OCS and sending multicast to IPv4 clients.
• ASX rewrite is IPv6 capable, but only for the HTTP protocol.
❐ Real Media and QuickTime: RTSP and HTTP protocols support IPv6 for
making upstream connections to the origin content server (OCS), and can
accept IPv6 client connections.
Note that Windows Media over MMS does not support IPv6.
530
Chapter 22: Managing Streaming Media
531
SGOS 6.2 Administration Guide
532
Chapter 22: Managing Streaming Media
533
SGOS 6.2 Administration Guide
534
Chapter 22: Managing Streaming Media
2a
2b
535
SGOS 6.2 Administration Guide
2. Scroll the list of services and select the Standard service group.
3. Click New Service. The New Service dialog displays with the default settings.
4a
4b
4c
4e
4f
4d 4g
536
Chapter 22: Managing Streaming Media
2. Select the tab for the proxy you want to configure: Windows Media, Real Media,
QuickTime, or Flash.
537
SGOS 6.2 Administration Guide
2
3
4
3. Enable HTTP handoff: Enabled by default. When a Windows Media, Real Media,
QuickTime, or Flash client requests a stream from the ProxySG appliance over
port 80, which in common deployments is the only port that allows traffic
through a firewall, the HTTP module passes control to the streaming module
so HTTP streaming can be supported through the HTTP proxy port. Disable
this option only if you do not want HTTP streams to be cached or split.
4. Forward client-generated logs to origin media server: Enabled by default. The
ProxySG appliance logs information, such as client IP address, the date, and
the time, to the origin server for Windows Media and Real Media content. See
"Forwarding Client Logs" on page 541 for more information about log
forwarding.
5. Enable multicast (Real Media proxy only): The ProxySG appliance receives a
unicast stream from the origin RealServer and serves it as a multicast
broadcast. This allows the ProxySG appliance to take a one-to-one stream and
split it into a one-to-many stream, saving bandwidth and reducing the server
load. It also produces a higher quality broadcast.
Multicasting maintains a TCP control (accounting) channel between the client
and RealServer. The multicast data stream is broadcast using UDP from the
ProxySG appliance to RealPlayers that join the multicast. The ProxySG
appliance support for Real Media uses UDP port 554 (RTSP) for multicasting.
This port number can be changed to any valid UDP port number.
6. Specify how often the ProxySG appliance checks cached streaming content for
freshness.
• Never check freshness:
Although this is the default setting, Blue Coat
recommends selecting one of the other freshness options.
538
Chapter 22: Managing Streaming Media
• Check freshness every value hours: The ProxySG appliance checks content
freshness every n.nn hours.
See Also
❐ "Configuring Streaming Services to Intercept Traffic"
❐ "Limiting Bandwidth"
❐ "Managing Multicast Streaming for Windows Media"
❐ "Managing Simulated Live Content (Windows Media)"
❐ "Windows Media Player Interactivity Notes"
Limiting Bandwidth
This section describes how to limit bandwidth from the clients to the ProxySG
appliance and from the ProxySG appliance to origin content servers.
539
SGOS 6.2 Administration Guide
2a
2b
See Also
❐ "Configuring Streaming Services to Intercept Traffic" on page 534
❐ "Configuring the Streaming Proxies" on page 537
❐ "Configuring the ProxySG Multicast Network" on page 541
❐ "Viewing Streaming History Statistics" on page 545
540
Chapter 22: Managing Streaming Media
2a
2b
2c
Note: For Real Media, the log is only forwarded before a streaming session is
halted; QuickTime log forwarding is not supported.
541
SGOS 6.2 Administration Guide
542
Chapter 22: Managing Streaming Media
543
SGOS 6.2 Administration Guide
❐ x-duration:
Length of time a client played content prior to a client event (FF,
REW, Pause, Stop, or jump to marker).
❐ x-wm-c-dns: Hostname of the client determined from the Windows Media
protocol.
❐ x-wm-c-ip: The client IP address determined from the Windows Media
protocol.
❐ x-cs-streaming-client: Type of streaming client in use (windows_media,
real_media, quicktime, flash).
544
Chapter 22: Managing Streaming Media
c-starttime
filelength
filesize
avgbandwidth
x-streaming-rtmp-app-name
x-streaming-rtmp-stream-name
x-streaming-rtmp-swf-url
x-streaming-rtmp-page-url
Triggers
❐ streaming.client=
❐ streaming.content=
545
SGOS 6.2 Administration Guide
4. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
546
Chapter 22: Managing Streaming Media
2. Select a streaming protocol (Windows Media, Real Media, QuickTime, Flash) from
the Protocol drop-down list.
3. Select a traffic connection type (Live Traffic, On-Demand Traffic, or Passthru Traffic)
from the drop-down list.
2. Select a streaming protocol (Windows Media, Real Media, QuickTime, Flash) from
the Protocol drop-down list.
3. Select a traffic connection type (Live Traffic, On-Demand, or Passthru Traffic) from
the drop-down list.
547
SGOS 6.2 Administration Guide
548
Chapter 22: Managing Streaming Media
multicast station’s TTL. If the player fails to receive streaming data packets, it uses
the unicast URL specified in the .nsc file. All .nsc files contain a unicast URL to
allow rollover.
Unicast to Multicast
Unicast to multicast streaming requires converting a unicast stream on the server-
side connection to a multicast station on the ProxySG appliance. The unicast
stream must contain live content before the multicast station works properly. If
the unicast stream is a video-on-demand file, the multicast station is created but is
not able to send packets to the network. For video-on-demand files, use the
broadcast-alias command. A broadcast alias defines a playlist, and specifies a
starting time, date, and the number of times the content is repeated.
Multicast to Multicast
Use the multicast-alias command to get the source stream for the multicast
station.
Note: For MMS protocol only, you can use an alias—multicast-alias, unicast-
alias, or broadcast-alias—as a source stream for a multicast station. WM-RTSP
and WM-HTTP do not support aliases.
Syntax
multicast-station name {alias | url} [address | port | ttl]
where
• name specifies the name of the multicast station, such as station1.
• {alias | url} defines the source of the multicast stream. The source can
be a URL or it can be a multicast alias, a unicast alias, or simulated live.
(The source commands must be set up before the functionality is enabled
within the multicast station.)
549
SGOS 6.2 Administration Guide
• [address | port | ttl] are optional commands that you can use to
override the default ranges of these values. (Defaults and permissible
values are discussed below.)
550
Chapter 22: Managing Streaming Media
Note: You can also enter the URL in Windows Media Player to start the stream.
The newly created file is not editable; the settings come from the streaming
configuration file. In that file, you have already defined the following pertinent
information:
❐ The address, which includes TTL, IP address, IP port, Unicast URL, and the
NSC URL. All created .nsc files contain a unicast URL for rollover in case
Windows Media Player cannot find the streaming packets.
❐ The description, which references the RTSP URL that you defined.
❐ The format, which contains important Advanced Streaming Format (ASF)
header information. All streams delivered by the multicast station definition
have their ASF headers defined here.
551
SGOS 6.2 Administration Guide
Note: Playing at the end of the multicast station definition indicates that the
station is currently sending packets onto the network. The IP address and
port ranges have been randomly assigned from the default ranges allowed.
552
Chapter 22: Managing Streaming Media
Note: This note applies to HTTP only. If a client opens Windows Media Player
and requests an alias before the starting time specified in the broadcast-alias
option, the HTTP connection closes after a short time period. When the specified
time arrives, the player fails to reconnect to the stream and remains in waiting
mode.
553
SGOS 6.2 Administration Guide
where:
• alias is the name of the simulated live content.
• url isthe URL for the video-on-demand stream. Up to 128 URLs can be
specified for simulated live content.
• loops is the number of times you want the content to be played back. Set
to 0 (zero) to allow the content to be viewed an indefinite number of times.
• date is the simulated live content starting date. Valid date strings are in the
format yyyy-mm-dd or today. You can specify up to seven start dates by
using the comma as a separator (no spaces).
• time is the simulated live content starting time. Valid time strings are in
the format hh:mm (on a 24-hour clock) or one of the following strings:
— midnight, noon
— 1am, 2am, ...
— 1pm, 2pm, ...
Example 1
This example creates a playlist for simulated live content. The order of playback is
dependent on the order you enter the URLs. You can add up to 128 URLs.
SGOS#(config) streaming windows-media broadcast-alias alias url
Example 2
This example demonstrates the following:
❐ creates a simulated live file called bca.
❐ plays back rtsp://ocs.bca.com/bca1.asf and rtsp://ocs.bca.com/bca2.asf.
❐ configures the ProxySG appliance to play back the content twice.
❐ sets a starting date and time of today at 4 p.m., 6 p.m., and 8 p.m.
SGOS#(config) streaming windows-media broadcast-alias bca rtsp://
ocs.bca.com/bca1.asf 2 today 4pm,6pm,8pm
SGOS#(config) streaming windows-media broadcast-alias bca rtsp://
ocs.bca.com/bca2.asf
554
Chapter 22: Managing Streaming Media
Note: If an .asx file syntax does not follow the standard <ASX> tag-based syntax,
the ASX rewrite module is not triggered.
For the ProxySG appliance to operate as a proxy for Windows Media Player
requires the following:
❐ The client is explicitly proxied for HTTP content to the ProxySG appliance that
rewrites the .asx metafile.
❐ The streaming media ProxySG appliance is configurable.
555
SGOS 6.2 Administration Guide
With the asx-rewrite command, you can implement redirection of the streaming
media to a ProxySG appliance by specifying the rewrite protocol, the rewrite IP
address, and the rewrite port.
The protocol specified in the ASX rewrite rule is the protocol the client uses to
reach the ProxySG appliance. You can use forwarding and policy to change the
default protocol specified in the original .asx file that connects to the origin media
server.
When creating ASX rewrite rules, you need to determine the number priority. It is
likely you will create multiple ASX rewrite rules that affect the .asx file; for
example, rule 100 could redirect the IP address from 10.25.36.01 to 10.25.36.47,
while rule 300 could redirect the IP address from 10.25.36.01 to 10.25.36.58. In
this case, you are saying that the original IP address is redirected to the IP address
in rule 100. If that IP address is not available, the ProxySG appliance looks for
another rule matching the incoming IP address.
In this scenario, the URL used by the downstream ProxySG appliance for
caching and access logging can be different than what is expected. Specifically,
the downstream ProxySG appliance creates an access log entry with
protocol2://upstream_SecApp/redirect as the requested URL. Content is also
cached using this truncated URL. Blue Coat recommends that the ASX rewrite
rule be configured for only the downstream ProxySG appliance, along with a
proxy route rule that can forward the Windows Media streaming requests
from the downstream to upstream ProxySG appliances.
556
Chapter 22: Managing Streaming Media
where:
• in-addr—Specifies the hostname or IP address delivering the content
• cache-proto—Specifies the rewrite protocol on the ProxySG appliance.
Acceptable values for the rewrite protocol are:
• mmsu specifies Microsoft Media Services UDP
• mmst specifies Microsoft Media Services TCP
• http specifies HTTP
• mms specifies either MMS-UDP or MMS-TCP
• * specifies the same protocol as in the .asx file
If the .asx file is referred from within another .asx file (not a
recommended practice), use a * for the cache-proto value. The *
designates that the protocol specified in the original URL be used. As a
conservative, alternative approach, you could use HTTP for the cache-
proto value.
To ensure that an ASX rewrite rule is immediately recognized, clear the local
browser cache.
Example
This example:
❐ Sets the priority rule to 200.
❐ Sets the protocol to be whatever protocol was originally specified in the URL
and directs the data stream to the appropriate default port.
❐ Provides the rewrite IP address of 10.9.44.53, the ProxySG appliance.
SGOS#(config) streaming windows-media asx-rewrite 200 * * 10.9.44.53
Note: ASX files must be fetched from HTTP servers. If you are not sure of the
network topology or the content being served on the network, use the
asterisks to assure the protocol set is that specified in the URL.
557
SGOS 6.2 Administration Guide
558
Chapter 22: Managing Streaming Media
Note: The following procedure example uses Windows Media Player 11.
Installation and setup varies with different versions of Windows Media Player.
3a
4a
3b
4b
3c
559
SGOS 6.2 Administration Guide
Striding
When you use Windows Media Player, consider the following interactivities in
regard to using fast forward and reverse (referred to as striding):
❐ If you request a cached file and repeatedly attempt play and fast forward, the
file freezes.
❐ If you attempt a fast reverse of a cached file that is just about to play, you
receive an error message, depending on whether you have a proxy:
• Without a proxy: A device attached to the system is not functioning.
• With a proxy: The request is invalid in the current state.
❐ If Windows Media Player is in pause mode for more than ten minutes and you
press fast reverse or fast forward, an error message displays: The network
connection has failed.
Other Notes
❐ Applies to WMP v9: If a url_host_rewrite rule is configured to rewrite a host
name that is a domain name instead of an IP address, a request through the
MMS protocol fails and the host is not rewritten. As the connect message sent
by the player at the initial connection does not contain the host name, a
rewrite cannot occur. HTTP requests are not affected by this limitation.
❐ If explicit proxy is configured and the access policy on the ProxySG appliance
is set to deny, a requested stream using HTTP from Windows Media Player 9
serves the stream directly from the origin server even after the request is
denied. The player sends a request to the OCS and plays the stream from
there.
560
Chapter 22: Managing Streaming Media
The above rules force the HTTP module to hand off HTTP requests to the
MMS module. MMS returns the error properly to the player, and does not go
directly to the origin server to try to serve the content.
❐ If you request an uncached file using the HTTP protocol, the file is likely to
stop playing if the authentication type is set to BASIC or NTLM/Kerberos and
you initiate rapid seeks before the buffering begins for a previous seek.
Windows Media Player, however, displays that the file is still playing.
❐ If a stream is scheduled to be accessible at a future time (using a simulated live
rule), and the stream is requested before that time, Windows Media Player
enters a waiting stage. This is normal. However, if HTTP is used as the
protocol, after a minute or two Windows Media Player closes the HTTP
connection, but remains in the waiting stage, even when the stream is
broadcasting.
Notes:
For authentication-specific notes, see "Windows Media Server-Side
Authentication" on page 531 and "Windows Media Proxy Authentication" on
page 531.
561
SGOS 6.2 Administration Guide
Note: This procedure features RealPlayer, version 10.5. Installation and setup
menus vary with different versions of RealPlayer. Refer to the RealPlayer
documentation to configure earlier versions of RealPlayer.
To configure RealPlayer:
1. Start RealPlayer.
2. Select Tools > Preferences.
3a 3b
4a
4b
562
Chapter 22: Managing Streaming Media
Note: For HTTP Proxy, if you have an HTTP proxy already configured in
your browser, select Use system Internet Connection proxy settings.
d. Optional: In the Do not use proxy for: section, you can enter specific hosts
and bypass the ProxySG appliance.
Note: This can also be accomplished with policy, the method Blue Coat
recommends.
563
SGOS 6.2 Administration Guide
5a
5b
564
Chapter 22: Managing Streaming Media
8a
8b
Notes:
For authentication-specific issues, see "Real Media Proxy Authentication" on page
532.
565
SGOS 6.2 Administration Guide
To configure QuickTime
1. Start QuickTime player.
2. Select Edit > Preferences > QuickTime Preferences.
2a
2b
2d
2c
566
Chapter 22: Managing Streaming Media
Notes:
For authentication-specific issues, see "QuickTime Proxy Authentication" on page
533.
567
SGOS 6.2 Administration Guide
Perform these tasks to configure the Flash proxy so that it splits live streams and
caches video-on-demand.
1 Configure the client browsers to use the ProxySG "Configuring Client Browsers for
appliance as an explicit proxy. Explicit Proxy" on page 568.
3 Enable HTTP handoff so that RTMP tunneled over "Enabling HTTP Handoff for the Flash
HTTP is also intercepted. Proxy" on page 570
568
Chapter 22: Managing Streaming Media
Note: You cannot configure Firefox browsers because Flash uses Windows
settings.
Most likely, you will already have an RTMP service; if not, you should create it.
Then set the service to Intercept:
1. In the Management Console, select Configuration > Services > Proxy Services.
2. Locate the RTMP service in the Standard group.
3. Select Intercept.
4. Click Apply.
569
SGOS 6.2 Administration Guide
570
Chapter 22: Managing Streaming Media
Additional Information
Refer to the following sections for additional information related to the Flash
proxy:
❐ "When VOD Content Gets Cached" on page 572
❐ "Proxy Chaining" on page 572
❐ "CDN Interoperability Support" on page 573
571
SGOS 6.2 Administration Guide
Proxy Chaining
Proxy chaining (hierarchy of proxies) supports the use of multiple ProxySG
appliances between the server and client. This hierarchy of proxy servers (set by
the administrator using policy gestures) allows further maximizing of bandwidth
usage optimization achieved by features such as live splitting. If forwarding is set
up in an organized manner, the overhead involved in splitting and transmitting
live streams gets pushed to the end of the proxy chain (the one closest to the end
users), which avoids sending any piece of content across any given WAN link
more than once.
To enable proxy chaining, you must create forwarding hosts using the MC or CLI
and set the proxy hierarchy using the following policy gestures:
572
Chapter 22: Managing Streaming Media
❐ Traffic can be forwarded to the next ProxySG appliance by using the following
policy gesture:
forward(fwd_host)
where the fwd_host must be type proxy and have a defined http port.
❐ Traffic can be forwarded to the server by using the following policy gesture:
forward(fwd_host)
where the fwd_host must be type server and have a defined rtmp port.
Use the following CLI command to create forwarding hosts:
#(config forwarding)create host ?
<host-alias> <host-name> [http[=<port>]] [https[=<port>]]
[ftp[=<port>]]
[mms[=<port>]] [rtmp[=<port>]] [rtsp[=<port>]] [tcp=<port>]
[telnet[=<port>]]
[ssl-verify-server[=(yes|no)]] [group=<group-name>] [server|proxy]
request.header.User-Agent <string>
streaming.client flash
streaming.rtmp.app_name <string>
573
SGOS 6.2 Administration Guide
streaming.rtmp.page_url <URL>
streaming.rtmp.stream_name <string>
streaming.rtmp.swf_url <URL>
url <URL>
live yes, no
streaming.content flash
574
Chapter 22: Managing Streaming Media
575
SGOS 6.2 Administration Guide
Note: Silverlight is supported when it streams Windows Media content from the
WM server using WM-HTTP protocol. In this scenario, its interaction with the
ProxySG appliance is similar to that of Windows Media Player, and, as such, is
handled by the Windows Media proxy.
Note: Blue Coat recommends not deploying a Helix proxy between the ProxySG
appliance and a Helix server where the Helix proxy is the parent to the ProxySG
appliance. This causes errors with the Helix server. The reverse is acceptable
(using a Helix proxy as a child to the ProxySG appliance).
576
Chapter 22: Managing Streaming Media
Client-side
❐ RTP over unicast UDP (RTSP over TCP, RTP over unicast UDP)
❐ Interleaved RTSP (RTSP over TCP, RTP over TCP on the same connection)
❐ RTP over multicast UDP (RTP over multicast UDP; for live content only)
❐ HTTP streaming
❐ MMS-UDP (Microsoft Media Streaming—User Data Protocol)
❐ MMS-TCP (Microsoft Media Streaming—Transmission Control Protocol)
❐ Multicast-UDP is the only delivery protocol supported for multicast. No TCP
control connection exists for multicast delivery
577
SGOS 6.2 Administration Guide
Server-side
❐ Interleaved RTSP
❐ HTTP streaming
❐ MMS-TCP between the ProxySG appliance and origin server for video-on-
demand and live unicast content
Server-side RTP over UDP is not supported. If policy directs the RTSP proxy to
use HTTP as server-side transport, the proxy denies the client request. The client
then rolls over to MMS or HTTP.
Client-Side
❐ HTTP streaming (RTSP and RDT over TCP tunneled through HTTP)—HTTP
streaming is supported through a handoff process from HTTP to RTSP. HTTP
accepts the connection and, based on the headers, hands off to RTSP. The
headers identify an RTSP URL.
❐ RDT over unicast UDP (RTSP over TCP, RDT over unicast UDP)
❐ Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection)
❐ RDT over multicast UDP (RTSP over TCP, RDT over multicast UDP; for live
content only)
Server-Side
❐ HTTP streaming
❐ Interleaved RTSP
Unsupported Protocols
The following Real Media protocols are not supported in this version of SGOS:
❐ PNA
❐ Server-side RDT/UDP (both unicast and multicast)
QuickTime Protocols
The ProxySG appliance supports the following QuickTime protocols:
578
Chapter 22: Managing Streaming Media
❐ HTTP streaming (RTSP and RDT over TCP tunneled through HTTP)—HTTP
streaming is supported through a handoff process from HTTP to RTSP. HTTP
accepts the connection and, based on the headers, hands off to RTSP. The
headers identify an RTSP URL.
❐ RTP over unicast UDP (RTSP over TCP, RDT over unicast UDP)
❐ Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection)
Server-Side
❐ HTTP streaming
❐ Interleaved RTSP
Unsupported Protocols
The following QuickTime protocols are not supported in this version of SGOS:
❐ Server-side RTP/UDP, both unicast and multicast, is not supported.
Client-side multicast is not supported.
Flash Protocols
Flash streaming proxy supports the following RTMP-based protocols:
579
SGOS 6.2 Administration Guide
580
Chapter 23: Managing Instant Messaging Protocols
581
SGOS 6.2 Administration Guide
Recommended Deployments
Blue Coat recommends the following deployments:
❐ For large networks with unimpeded Internet access, Blue Coat recommends
transparently redirecting the IM protocols to the ProxySG, which requires the
ProxySG bridging feature or an L4 switch or WCCP.
❐ For networks that do not allow outbound access, Blue Coat recommends
using the SOCKS proxy and configuring policy and content filtering denials
for HTTP requests to IM servers.
582
Chapter 23: Managing Instant Messaging Protocols
Note: AIM 5.x—Direct connections, file transfers, and picture sharing are not
available (AIM 6.x supports these functions because of explicit proxy
connections). Audio and video traffic uses UDP, which is bypassed by the
ProxySG.
Notes
Consider the following proxy authentication notes, which apply to IM clients
using HTTP proxy:
❐ AIM and Yahoo—Proxy authentication is supported.
❐ MSN IM (5.0 and above)—The ProxySG supports MSN/Live Messenger if the
appliance is configured to use HTTP ProxyAuth code 407, not HTTP auth
code 401.
583
SGOS 6.2 Administration Guide
Refer to the Best Practices for Controlling Skype in the Enterprise White Paper,
available on Blue Touch Online Knowledge Base (https://bto.bluecoat.com/
support/kb).
Legend
A: IM client 1—logged into the ProxySG.
B: IM client 2—logged into the ProxySG.
C: IM client 3—outside the network.
D: ProxySG configured to reflect all IM activity, but with fail open policy.
E: IM service provider.
Process Flow
1: (Blue arrows) IM client 1, an employee, sends an IM directed to a co-worker: “Did you finish
coding Project X?”
2: The ProxySG directs the message to IM client 2, who is an employee on the same network,
who is able to respond: “Yes! The system runs ten times faster now!”
3: (Green arrows) IM client 1 sends an IM directed to a friend: “Want to see a movie tonight?”
4: The ProxySG allows the message to leave the network and ultimately arrive to IM client 3.
584
Chapter 23: Managing Instant Messaging Protocols
Legend
A: IM client 1—logged into the ProxySG.
B: IM client 2—logged into the ProxySG.
C: IM client 3—outside the network.
D: ProxySG configured to reflect all IM activity, but with fail closed policy.
E: IM service provider.
Process Flow
1: (Blue arrows) IM client 1, an employee, sends an IM directed to a co-worker: “Did you finish
coding Project X?”.
2: The ProxySG directs the message to IM client 2, who is an employee on the same network,
who is able to respond: “Yes! The system runs ten times faster now!”.
3: (Green arrow) IM client 1 sends an IM directed to a friend (IM client 3): “Want to see a movie
tonight?”.
4: (Red arrow) The ProxySG does not allow the message to leave the network; IM client 1
receives an automated response: “Denial of service. Please review the company IM policy.”
585
SGOS 6.2 Administration Guide
Legend
BC_SG1: Located in building 1 of the corporate campus; configured to fail open.
BC_SG2: Located in building 2 of the corporate campus; configured to fail open.
BC_SG3: Located in the IT lab of the corporate campus; configured to fail open.
BC_SG4: Located in the IT lab of the corporate campus; configured to fail close.
BC_SG5: Located at a branch location.
A: IM client 1—logged into BC_SG1.
B: IM client 2—logged into BC_SG2.
C: IM client 3—logged into BC_SG5.
D: IM client 4—off the corporate network.
E: IM service provider.
Process Flow
1: (Blue arrows) IM client 1, a project manager, sends an IM directed to IM client 2, the QA lead:
“Did you finish testing Project X?”. BC_SG1 directs the message to IM client 2 (BC_SG3 to
BC_SG2), who is able to respond: “Yes. Testing is complete.”
2: (Blue-dashed arrows) IM client 1 sends an IM directed to a sales manager (IM client 3):
“Project X is complete.” BC_SG4 recognizes the destination as allowable, and IM client
receives the message and is able respond: “Excellent. We we start announcing Project X.”
3: (Red arrows) IM client 2 attempts to send an IM to a personal buddy. “We finally finished
Project X.” BC_SG4, configured to fail close, does not allow the message to leave the network;
IM client 2 receives an automated response: “Denial of service. Please review the company IM
policy.”
Figure 23–3 Proxy chaining deployment with fail open/fail closed policies.
586
Chapter 23: Managing Instant Messaging Protocols
companies release new IM client versions that users within the enterprise then
download. The new IM clients might experience erratic behavior, with some
features supported while other are not. Furthermore, network integrity might
become compromised because policy compliance might not occur or some client
features might not correctly function.
This SGOS release provides a default policy that blocks unsupported IM client
versions (does not apply to AOL AIM clients) until such time that Blue Coat
provides a patch or new SGOS release that supports the new versions. You do
have the policy option to tunnel IM traffic, but the cost is you cannot apply IM use
policy to the tunneled traffic.
More details, plus how to allow IM tunneling, is described as part of the IM
solution configuration tasks that are provided in this chapter (see the next
section). To proceed directly to that specific task, see "Tunneling IM Client Traffic
(MSN/WLM and Yahoo)" on page 614.
587
SGOS 6.2 Administration Guide
1 Set the default ProxySG AOL service Configuration > Services > "Intercepting Default IM
to intercept. Proxy Services Services" on page 594
2 Verify the Direct IM Proxy Host is the Configuration > Proxy "AOL AIM 5.x Client Host
same that your enterprise clients use Settings > IM Proxies > Settings" on page 599
to connect to AOL servers. General Settings area
3 Verify the default AOL 5.x native and Configuration > Proxy "AOL AIM 5.x Client Host
AOL 5.x HTTP hosts are the same Settings > IM Proxies > AOL 5 Settings" on page 599
that your enterprise clients use to Settings area
connect to AOL servers.
4 If clients are not able to communicate 1. Configuration > Network "Redirecting IM Client
to default public servers, redirect IM > Advanced > VIPs Requests" on page 601
client DNS requests. 2. Configuration > Proxy
Settings > IM Proxies >
General
5 (Recommended) Select the Enable Configuration > Proxy "Handing Off Instant
HTTP Handoff option, which enables Settings > IM Proxies > Messaging to HTTP" on
IM policy checks. General page 602
7 (This step is not required for native N/A "AOL AIM 5.x Client
mode setup.) Configure AOL 5.x Explicit Proxy
clients on user systems to use the Configuration" on page 608
ProxySG as an HTTP(S) or SOCKS5
proxy.
588
Chapter 23: Managing Instant Messaging Protocols
9 After IM traffic is flowing, review Statistics > Protocol Details > Section H: "Reviewing IM
statistics to analyze efficiency. IM History Statistics" on page 623
1 Verify the Direct IM Proxy Host is the Configuration > Proxy "AOL AIM 6.x Client Host
same that your enterprise clients use Settings > IM Proxies > AOL > Settings" on page 597
to connect to AOL servers. General Settings area
2 Verify the default AOL 6.x native host Configuration > Proxy "AOL AIM 6.x Client Host
is the same that your enterprise Settings > IM Proxies > AOL > Settings" on page 597
clients use to connect to AOL servers. AOL 6 Settings area
3 • Create an SSL Keyring and Device 1. Configuration > SSL > "AOL AIM 6.x Client Host
Profile and import the certificate Keyrings > SSL Keyring Settings" on page 597
from an AIM 6.x-supported CA. area
• Set the IM proxy to use the AIM- 2. Configuration > Proxy
supported server signed Settings > IM Proxies >
certificate. AOL > AOL 6 Settings
area
5 Configure AOL 6.x clients on user N/A "AOL AIM 6.x Client
systems to use the ProxySG as an Explicit Proxy
HTTP(S) or SOCKS5 proxy. Configuration" on page 609
7 After IM traffic is flowing, review Statistics > Protocol Details > Section H: "Reviewing IM
statistics to analyze efficiency. IM History Statistics" on page 623
589
SGOS 6.2 Administration Guide
1 Set the default ProxySG MSN service Configuration > Services > "Intercepting Default IM
to intercept. Proxy Services Services" on page 594
3 If clients are not able to communicate 1. Configuration > Network "Redirecting IM Client
to default public servers, redirect IM > Advanced > VIPs Requests" on page 601
client DNS requests. 2. Configuration > Proxy
Settings > IM Proxies >
General
4 (Recommended) Select the Enable Configuration > Proxy "Handing Off Instant
HTTP Handoff option, which enables Settings > IM Proxies > Messaging to HTTP" on
IM policy checks. General page 602
590
Chapter 23: Managing Instant Messaging Protocols
9 After IM traffic is flowing, review Statistics > Protocol Details > Section H: "Reviewing IM
statistics to analyze efficiency. IM History Statistics" on page 623
591
SGOS 6.2 Administration Guide
1 Set the default ProxySG Yahoo Configuration > Services > "Intercepting Default IM
service to intercept. Proxy Services Services" on page 594
4 (Recommended) Select the Enable Configuration > Proxy "Handing Off Instant
HTTP Handoff option, which enables Settings > IM Proxies > Messaging to HTTP" on
IM policy checks. General page 602
6 (This step is not required for native N/A "Yahoo Messenger Client
mode setup.) Configure Yahoo clients Explicit Proxy
on user systems to use the ProxySG Configuration" on page 612
as an HTTP(S) or SOCKS5 proxy.
7 (Optional) Change the default policy VPM "Tunneling IM Client Traffic
and allow unsupported Yahoo client (MSN/WLM and Yahoo)"
traffic to passthrough the ProxySG. on page 614
592
Chapter 23: Managing Instant Messaging Protocols
9 After IM traffic is flowing, review Statistics > Protocol Details > Section H: "Reviewing IM
statistics to analyze efficiency. IM History Statistics" on page 623
593
SGOS 6.2 Administration Guide
Notes:
MSN port 1863 and Yahoo port 5050 are the default client login ports. MSN Port
6891 (MSN) and port 80 (Yahoo) are the default for client-to-client direct
connections and file transfers. If these ports are not enabled:
❐ File transfer requests for AOL 5.x clients are handled through the default
(5190) or specified client login port. For intercepted P2P connections, random
ports are used unless the Direct IM Proxy Host is used.
594
Chapter 23: Managing Instant Messaging Protocols
❐ The MSN proxy does not attempt to redirect 6891 connections to itself. For
native mode, the result depends on policy settings and whether the ProxySG
is deployed between both clients. For HTTP proxy, the MSNFTP protocol
using port 6891 ignores HTTP proxy settings; the connection bypasses the
ProxySG and proceeds straight to its destination.
❐ Depending on IM client configuration, file transfer connections are
intercepted transparently or redirected to the ProxySG IP address. However, if
IM tunneling is enabled, files are sent directly from one client to another. In
this deployment, control connections are tunnelled entirely and file transfer
connections are not intercepted or redirected (see "About Unsupported Instant
Messaging Clients" on page 586).
By default, these services are configured be Transparent and in Bypass mode. The
following procedure describes how to change them to Intercept mode, and
explains other attributes within the service.
2. Scroll the list of service groups and click Other to expand the services list.
3. As you expand the services for AOL, MSN, and Yahoo, notice the Action for
each default service is Bypass. Select Intercept from the drop-down list(s) for
the IM services that apply in your enterprise.
4. Click Apply.
595
SGOS 6.2 Administration Guide
2. At the bottom of the page, click New Service. The New Service dialog displays.
3a
3b
3c
3d
596
Chapter 23: Managing Instant Messaging Protocols
c. From the Proxy drop-down list in the Proxy settings area, select the IM
type for this service.
d. In the Listeners area, click New. The New Listener dialog displays.
4a
4b
4c
597
SGOS 6.2 Administration Guide
Note: As of this release, Blue Coat tested and supports the rapidssl.com CA.
Others might work, but have not been tested by Blue Coat.
3. Select Configuration > SSL > Device Profiles > Profiles tab; click Create.
4. Name the profile; select the keyring created in Steps 1-2.
Note: For more detailed information about keyrings and device profiles, see
Chapter 60: "Managing SSL Traffic" on page 1207.
2. In the General AOL Settings area, verify that the default AOL hostname used for
direct IM traffic is the same that your enterprise AOL clients use. Enter new
service hostname if required.
3a
3b
598
Chapter 23: Managing Instant Messaging Protocols
b. In the AOL 6 Settings area, select the Inbound SSL Device Profile (the SSL
device profile that enables the ProxySG to stand in as a server) that
you created for the AOL 6.8 service. If you not created an SSL keyring
and device profile for the AOL 6.x service, see "Prerequisite: Generate
a Keyring and Create a Device Profile" on page 598. In most
deployments, the default option is the required setting from the
Outbound SSL Device Profile drop-down list (the this is SSL device profile
that the ProxySG uses to communicate with the AIM service host).
4. Click Apply.
Continue to "Configuring IM Alerts" on page 603 or the task table—Section B:
"AOL 5.x/6.x High-Level Tasks" on page 589.
Related Information
❐ "About AOL AIM 6.x SSL Policy" on page 615
2. In the General AOL Settings area, verify that the default AOL hostname used for
direct IM traffic is the same that your enterprise AOL clients use. Enter new
service hostname if required.
3. In the AOL 5 Settings area, verify that the default AOL native and HTTP
hostnames are the same that your enterprise AOL clients use to connect to IM
services. Enter new service hostname if required.
4. If you performed configuration changes, click Apply.
599
SGOS 6.2 Administration Guide
2. The MSN Settings area displays the two default hostnames the MSN/Live
Messenger clients use to connect to IM services. Enter new service hostname if
required.
3. If you performed configuration changes, click Apply.
Continue to "Handing Off Instant Messaging to HTTP" on page 602 or return to
the task table—Section C: "MSN/Live Messenger High-Level Tasks" on page 590.
600
Chapter 23: Managing Instant Messaging Protocols
2. The Yahoo Settings area displays the five default hostnames the Yahoo
Messenger clients use to connect to IM services. Enter new service hostnames
if required.
3. If you performed configuration changes, click Apply.
Continue to "Handing Off Instant Messaging to HTTP" on page 602 or return to
the task table—Section D: "Yahoo Messenger High-Level Tasks" on page 592.
2b
2a
601
SGOS 6.2 Administration Guide
6. Click Apply.
Result: IM clients regard the
ProxySG as the IM server.
Remain on this screen and continue
to the next section or return to the
task tables—"Reference Links: Deploying the ProxySG IM Solution" on page 587.
602
Chapter 23: Managing Instant Messaging Protocols
Configuring IM Alerts
A ProxySG IM alert is an IM message sent to clients upon an action triggered by
policy. An IM alert contains two elements:
❐ Admin buddy names: You can assign an administrator buddy name for each
client type. An administrator buddy name can be a registered name user
handle or a fictitious handle. The benefit of using a registered name is that
users can send IM messages to the administrator directly to report any issues,
and that communication can be logged for tracking and record-keeping. By
default, the ProxySG assigns each IM protocol the admin buddy name: Blue
Coat ProxySG.
❐ Exception message delivery method: Alert messages can be delivered in the
same window or spawn a new window.
603
SGOS 6.2 Administration Guide
3a
3b
2. In the Admin buddy names field, enter the handle or handles to represent the
administrator. In this example, the company sanctions AOL Messenger as the
one used for internal communications. IM alerts are sent from Example Corp IT.
MSN and Yahoo are acceptable for personal use, but a created policy denies
file transfers. Alerts are sent from Example Corp HR.
3. Specify the exceptions message delivery method:
a. Send exception messages in a separate window (out-of-band)—If an
exception occurs, the user receives the message in a separate IM
window.
b. Send exception messages in the existing window (in-band)—If an exception
occurs, the message appears in the same IM window. The message
appears to be sent by the buddy on the other end, with the exception
that when in a chat room, the message always appears to be sent by
the configured Admin buddy name. You can enter a prefix message
that appears in the client window before the message. For example:
Inappropriate IM use. Refer to Employee Conduct Handbook concerning Internet
usage.
4. Click Apply.
ProxySG IM proxy configuration is complete. The final step is to configure IM
clients to send traffic to the ProxySG.
604
Chapter 23: Managing Instant Messaging Protocols
605
SGOS 6.2 Administration Guide
Triggers
❐ im.buddy=
❐ im.chat_room.conference=
❐ im.chat_room.id=
❐ im.chat_room.invite_only=
❐ im.chat_room.type=
606
Chapter 23: Managing Instant Messaging Protocols
❐ im.chat_room.member=
❐ im.chat_room.voice_enabled=
❐ im.client=
❐ im.file.extension=
❐ im.file.name=
❐ im.file.path=
❐ im.file.size=
❐ im.message.opcode=
❐ im.message.reflected=
❐ im.message.route=
❐ im.message.size=
❐ im.message.text=
❐ im.message.type=
❐ im.method=
❐ im.user_agent=
❐ im.user_agent.supported=
❐ im.user_id=
607
SGOS 6.2 Administration Guide
General Configuration
As each IM client has different menu structures, the procedures to configure them
differ. This section provides the generic tasks that need to be completed.
Explicit Proxy
Perform the following tasks on the IM client:
1. Navigate to the Connection Preferences dialog.
2. Select Use Proxies.
3. Select proxy type as SOCKS V5.
4. Enter the ProxySG IP address.
5. Enter the SOCKS port number; the default is 1080.
6. Enter authentication information, if required.
Transparent Proxy
IM clients do not require any configuration changes for transparent proxy. An L4
switch or in-path ProxySG routes the traffic.
Note: This example uses AOL Messenger 5.9. Other versions might vary.
608
Chapter 23: Managing Instant Messaging Protocols
3a
3b
2a
3c
3d
3e
2b
c. Select SOCKS 5.
d. If authentication is required on the ProxySG, enter the authentication
user name and password.
e. Click OK to close the Connections Preferences dialog.
4. Click OK to close the Preferences dialog. Result: the AOL client now sends
traffic to the ProxySG.
Note: This example uses AOL AIM 6.8.15.1 Other versions might vary.
609
SGOS 6.2 Administration Guide
1. Select My AIM > Edit Options > Edit Preferences. The Settings-Connection dialog
displays.
2a
2b
2c
2d
Note: This example uses MSN Messenger 7.5. Other versions might vary.
610
Chapter 23: Managing Instant Messaging Protocols
3a
3b
2a
3c
2b
2. Navigate to Settings:
a. Click Connection.
b. Click Advanced Settings. The Settings dialog appears.
3. Configure the proxy settings:
a. In the SOCKS field, enter the ProxySG IP address. If the default port is
1080, accept it; if not, change it to port 1080.
611
SGOS 6.2 Administration Guide
Note: This example uses Yahoo Messenger 7.0. Other versions might vary.
2b
2a
2d
2c
2e
2f
612
Chapter 23: Managing Instant Messaging Protocols
Notes
• If Yahoo Messenger is configured for explicit proxy (SOCKS) through the
ProxySG, the IM voice chat feature is disabled. Any client attempting a
voice chat with a client behind the ProxySG firewall receives an error
message. The voice data stream is carried by default on port 5001;
therefore, you can create and open this port.
• The same applies to video on port 5100.
613
SGOS 6.2 Administration Guide
Note: Refer to the Blue Coat SGOS 5.4.x Release Notes for a list of unsupported
client versions that were successfully tunneled or blocked as tested by Blue Coat.
For unsupported versions that are not listed in the Release Notes, tunneling and
blocking should work, but Blue Coat does provide a guarantee.
By default, the ProxySG prevents the IM client connection to the Yahoo messenger
service when a user click Connect on the IM interface; the users receive a cannot
connect message. As Blue Coat releases software updates that support the latest
IM clients, the policy the allows users to connect.
You might elect to enable the policy that tunnels IM traffic, which allows your
users to connect with unsupported versions. This option provides uninterrupted
user experiences at the expense of a security risk because users can use
unsupported versions to violate IM use policies or bypass intrusion prevention
policies, such as blocked file sharing.
You can also tunnel supported versions of IM clients. For example, you want to
exempt a specific IM client from policy checks or you discovered a problem with
some version when the ProxySG alters its traffic.
Tunneling IM policy occurs in the Web Access Layer in the VPM (<proxy> layer in
CPL). The following VPM examples illustrate the common policy use cases (other
than the default, which is block all unsupported versions).
614
Chapter 23: Managing Instant Messaging Protocols
Figure 23–5 Example policy that tunnels Yahoo Messenger 9, which is unsupported, and blocks all
others (by default).
You can also create the same type of object to tunnel a supported IM version. For
example, you discover that a supported version causes a problem when the
ProxySG alters its traffic. Tunnel traffic for that version until a fix is provided.
Figure 23–6 Example rule: Denying a server certificate that contains aol.com.
615
SGOS 6.2 Administration Guide
2a
2b
2c
2d
2e 2f
616
Chapter 23: Managing Instant Messaging Protocols
f. Select Advanced Match; in the Host field, enter the default AOL 5.x IM
service URL.
g. Click OK to add the object.
h. Repeat Steps e through g and add the other default IM host URLs
(AOL 6.x, MSN, Yahoo).
617
SGOS 6.2 Administration Guide
3a
618
Chapter 23: Managing Instant Messaging Protocols
2a
2c
2b
1. In the VPM, select Policy > Add Web Access Layer; name it IM_File_Transfer.
2. Create a new IM user object:
a. Right-click the Source field; select Set. The Set Source Object dialog
displays.
b. Click New; select IM User. The Add IM User Object dialog displays.
c. In the IM User field, enter Nigel1; click OK in each dialog.
619
SGOS 6.2 Administration Guide
3a
3c
3b
620
Chapter 23: Managing Instant Messaging Protocols
6. From the Substitution Variables list, select x-im-buddy-name and click insert.
Repeat for x-im-file-path and x-im-file-size. Click OK in each dialog.
621
SGOS 6.2 Administration Guide
2a
2b
7. In the Alert Text field, enter a message that appears to users. For example,
Employee notice: Your Instant Messaging activity is tracked and logged.
8. Click OK to close the dialog; click OK to insert the object in the rule.
9. Click Install Policy.
622
Chapter 23: Managing Instant Messaging Protocols
IM History Statistics
The ProxySG provides statistics that allow you to track IM connections, file
transfers, and messages that are currently in use and in total, or have been
allowed and denied. The information can be displayed for each IM client type or
combined.
2. The default protocol is All. To select a specific protocol, select AOL, MSN, or
Yahoo from the drop-down list.
623
SGOS 6.2 Administration Guide
Note: The IM activity data statistics are available only through the Management
Console.
2. The default protocol is All. To select a specific protocol, select AOL, MSN, or
Yahoo from the drop-down list.
IM Clients Tab
The IM Clients tab displays dynamic graphical statistics for connections over 60
minutes, 24 hours and 30 days. The page displays all values in the graph or clip a
percentage of peak values. When peak values are clipped by a percentage, that
percentage is allowed to fall off the top of the scale.
For example, if you clip 25% of the peaks, the top 25% of the values are allowed to
exceed the scale for the graph, showing greater detail for the remaining 75% of the
values.
624
Chapter 23: Managing Instant Messaging Protocols
Move the cursor over the graphs to dynamically display the color-coded AOL,
MSN, Yahoo, and total statistics.
Note: The IM clients statistics are available only through the Management
Console.
2. Select the Duration: for which the graph displays. The default is last hour. You
can select from last hour, last day, last month and all periods.
Roll your mouse over graphs to display exact data.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
625
SGOS 6.2 Administration Guide
626
Chapter 24: Bandwidth Management
Bandwidth management (BWM) allows you to classify, control, and limit the
amount of bandwidth used by different classes of network traffic flowing into
or out of the ProxySG appliance. Network resource sharing (or link sharing) is
accomplished by using a bandwidth-management hierarchy where multiple
traffic classes share available bandwidth in a controlled manner.
Note: The ProxySG does not attempt to reserve any bandwidth on the network
links that it is attached to or otherwise guarantee that the available bandwidth
on the network can sustain any of the bandwidth limits which have been
configured on it. The ProxySG can only shape the various traffic flows passing
through it, and prioritize some flows over others according to its configuration.
627
SGOS 6.2 Administration Guide
❐ Create policy rules using those bandwidth classes to identify and classify the
traffic in the ProxySG.
❐ Enable bandwidth management.
Bandwidth management configuration consists of two areas:
❐ Bandwidth allocation—Thisis the process of creating and configuring
bandwidth classes and placing them into a bandwidth class hierarchy. This
process can be done using either the Management Console or the CLI. See
"Allocating Bandwidth" on page 628.
❐ Flow classification—This is the process of classifying traffic flows into
bandwidth management classes using policy rules. Policy rules can classify
flows based on any criteria testable by policy. You can create policy rules using
either the Visual Policy Manager (VPM), which is accessible through the
Management Console, or by composing Content Policy Language (CPL). See
"Flow Classification" on page 631.
Note: For more information about using VPM to create policy rules, refer to
Visual Policy Manager Reference. For information about composing CPL, refer to
Content Policy Language Guide.
Allocating Bandwidth
The process of defining bandwidth classes and grouping them into a bandwidth
class hierarchy is called bandwidth allocation. Bandwidth allocation is based on:
❐ the placement of classes in a hierarchy (the parent/child relationships).
❐ the priority level of classes in the same hierarchy.
❐ the minimum and/or maximum bandwidth setting of each class.
For example deployment scenarios, see "Bandwidth Allocation and VPM
Examples" on page 639.
Bandwidth Classes
To define a bandwidth class, you create the class, giving it a name meaningful to
the purpose for which you are creating it. You can configure the class as you
create it or edit it later. The available configuration settings are:
❐ Parent: Used to create a bandwidth-management hierarchy.
❐ Minimum Bandwidth: Minimum amount of bandwidth guaranteed for traffic
in this class.
❐ Maximum Bandwidth: Maximum amount of bandwidth allowed for traffic in
this class.
❐ Priority: Relative priority level among classes in the same hierarchy.
628
Chapter 24: Bandwidth Management
Parent Class
A parent class is a class that has children. When you create or configure a
bandwidth class, you can specify another class to be its parent (the parent class
must already exist). Both classes are now part of the same bandwidth-class
hierarchy, and so are subject to the hierarchy rules (see "Class Hierarchy Rules
and Restrictions" on page 630).
Minimum Bandwidth
Setting a minimum for a bandwidth class guarantees that class receives at least
that amount of bandwidth, if the bandwidth is available. If multiple hierarchies
are competing for the same available bandwidth, or if the available bandwidth is
not enough to cover the minimum, bandwidth management is not be able to
guarantee the minimums defined for each class.
Note: The ProxySG does not attempt to reserve any bandwidth on the network
links that it is attached to or otherwise guarantee that the available bandwidth on
the network can be used to satisfy bandwidth class minimums. The ProxySG can
only shape the various traffic flows passing through it, and prioritize some flows
over others according to its configuration.
Maximum Bandwidth
Setting a maximum for a bandwidth class puts a limit on how much bandwidth is
available to that class. It does not matter how much bandwidth is available; a class
can never receive more bandwidth than its maximum.
To prevent a bandwidth class from using more than its maximum, the ProxySG
inserts delays before sending packets associated with that class until the
bandwidth used is no more than the specified maximum. This results in queues of
packets (one per class) waiting to be sent. These queues allow the ProxySG to use
priority settings to determine which packet is sent next. If no maximum
bandwidth is set, every packet is sent as soon as it arrives, so no queue is built and
nothing can be prioritized.
Unlike minimums and priority levels, the maximum-bandwidth setting can
purposely slow down traffic. Unused bandwidth can go to waste with the
maximum-bandwidth setting, while the minimum-bandwidth settings and
priority levels always distributes any unused bandwidth as long as classes
request it. However, priority levels are not meaningful without a maximum
somewhere in the hierarchy. If a hierarchy has no maximums, any class in the
hierarchy can request and receive any amount of bandwidth regardless of its
priority level.
Priority
When sharing excess bandwidth with classes in the same hierarchy, the class with
the highest priority gets the first opportunity to use excess bandwidth. When the
high-priority class uses all the bandwidth it needs or is allowed, the next class
gets to use the bandwidth, if any remains. If two classes in the same hierarchy
have the same priority, then excess bandwidth is shared in proportion to their
maximum bandwidth setting.
629
SGOS 6.2 Administration Guide
Class Hierarchies
Bandwidth classes can be grouped together to form a class hierarchy. Creating a
bandwidth class allows you to allocate a certain portion of the available
bandwidth to a particular type of traffic. Putting that class into a bandwidth-class
hierarchy with other bandwidth classes allows you to specify the relationship
among various bandwidth classes for sharing available (unused) bandwidth.
The way bandwidth classes are grouped into the bandwidth hierarchy determines
how they share available bandwidth among themselves. You create a hierarchy so
that a set of traffic classes can share unused bandwidth. The hierarchy starts with
a bandwidth class you create to be the top-level parent. Then you can create other
bandwidth classes to be the children of the parent class, and those children can
have children of their own.
To manage the bandwidth for any of these classes, some parent in the hierarchy
must have a maximum bandwidth setting. The classes below that parent can then
be configured with minimums and priority levels to determine how unused
bandwidth is shared among them. If none of the higher level classes have a
maximum bandwidth value set, then bandwidth flows from the parent to the
child classes without limit. In that case, minimums and priority levels are
meaningless, because all classes get all the bandwidth they need at all times. The
bandwidth, in other words, is not being managed.
630
Chapter 24: Bandwidth Management
Flow Classification
You can classify flows to BWM classes by writing policy rules that specify the
bandwidth class that a particular traffic flow belongs to. A typical transaction has
four traffic flows:
1. Client inbound—Traffic flowing into the ProxySG from a client (the entity
sending a request, such as a client at a remote office linked to the appliance).
631
SGOS 6.2 Administration Guide
Some types of traffic can flow in all four directions. The following example
describes different scenarios that you might see with an HTTP request. A client
sends a GET to the ProxySG (client inbound). The appliance then forwards this
GET to a server (server outbound). The server responds to the ProxySG with the
appropriate content (server inbound), and then the appliance delivers this content
to the client (client outbound).
Policy allows you to configure different classes for each of the four traffic flows.
See "Using Policy to Manage Bandwidth" on page 638 for information about
classifying traffic flows with policy.
632
Chapter 24: Bandwidth Management
An existing
parent class
3a
3b
3c
3d
3e
2
633
SGOS 6.2 Administration Guide
After you add a child class to a parent class, the parent class is denoted by a
folder icon. Double-click the folder to view all of the child classes under that
parent.
4. Select Enable Bandwidth Management (if not currently selected).
5. Click Apply.
Note: You cannot delete a class that is referenced by another class or by the
currently installed policy. For instance, you cannot delete a class that is the parent
of another class or one that is used in an installed policy rule. If you attempt to do
so, a message displays explaining why this class cannot be deleted.
1. Select Configuration > Bandwidth Management > BWM Classes > Bandwidth Classes.
2. Highlight the class to delete and Delete.
3. Click Yes to delete the class.
4. Click Apply.
634
Chapter 24: Bandwidth Management
2. To view the statistics of child bandwidth classes, double-click the folder icon
of the parent class.
The child classes become visible. A second double-click closes the folder.
See Also
❐ "Bandwidth Management Statistics in the CLI"
❐ "Using Policy to Manage Bandwidth"
635
SGOS 6.2 Administration Guide
2. To view the statistics of child bandwidth classes, double-click the folder icon
of the parent class. A second double-click closes the folder.
See Also
❐ "Bandwidth Management Statistics in the CLI"
❐ "Using Policy to Manage Bandwidth"
2. To view the BWM statistics for a specific class, enter the following command
at the (config) command prompt:
SGOS#(config bandwidth-management) view statistics bwm_class
636
Chapter 24: Bandwidth Management
Example
SGOS#(config bandwidth-management) view statistics http
Class Name: http
Parent: <none>
Minimum Bandwidth: unspecified
Maximum Bandwidth: unlimited
Priority: 0
Total Bytes: 0 bytes
Total Packets: 0 pkts
Dropped Packets: 0 pkts
Current Bandwidth: 0 kbps
Current Packet Rate: 0 pps
Queue Length: 0 bytes
637
SGOS 6.2 Administration Guide
CPL Triggers
You can use all of the CPL triggers for BWM classification (refer to Content Policy
Language Guide for information about using CPL triggers). Basing a bandwidth
decision on a trigger means that the decision does not take effect until after the
information needed to make that decision becomes available. For example, if you
set the CPL to trigger on the MIME type of the HTTP response, then the HTTP
headers must be retrieved from the OCS before a classification can occur. The
decision to retrieve those headers occurs too late to count any of the request bytes
from the client or the bytes in the HTTP response headers. However, the decision
affects the bytes in the body of the HTTP response and any bytes sent back to the
client.
638
Chapter 24: Bandwidth Management
Supported CPL
Bandwidth class can be set with policy on each of these four traffic flows:
❐ limit_bandwidth.client.inbound(none | bwm_class)
❐ limit_bandwidth.client.outbound(none | bwm_class)
❐ limit_bandwidth.server.inbound(none | bwm_class)
❐ limit_bandwidth.server.outbound(none | bwm_class)
If you set policy to none, the traffic is unclassified and is not to be bandwidth-
managed.
639
SGOS 6.2 Administration Guide
Each of the classes above has a maximum set at an amount equal to half of the
total link bandwidth for each office. A hierarchy does not exist in this scenario.
The administrator launches the VPM and creates a new Web Access Layer,
naming it FTP/HTTP Limitations. He selects the Client IP Address/Subnet object in the
Source column, filling in the IP address and mask of the subnet used by Office_A.
640
Chapter 24: Bandwidth Management
He selects a Combined Service Object in the Service column, naming it FTP/HTTP and
adding a Client Protocol for FTP and for HTTP.
In the Action column, he selects Manage Bandwidth, naming it Office_A and setting it
to manage the bandwidth of Office_A on the Client side in the Outbound direction.
641
SGOS 6.2 Administration Guide
He adds two more similar rules for the other two offices. He is able to reuse the
same Combined Service Object in the Service column, but must add new objects
specific to each office in the Source and Action columns. The order of the rules does
not matter here, because each office, and thus each rule, is distinct because of its
IP address/subnet mask configuration.
The administrator now has three separate hierarchies. In each one, bandwidth is
limited by the configuration of the parent class, and the two child classes are
prioritized to determine how they share any unused bandwidth. Because no
minimums have been set, the highest priority class has the first opportunity to use
all of the available bandwidth; whatever is left then goes to the next priority class.
Priority levels are only effective among the classes in the same hierarchy. This
means that the priority levels for the Office_A hierarchy do not affect the classes in
the Office_B or Office_C hierarchies.
642
Chapter 24: Bandwidth Management
He first edits each of the three VPM rules for the three offices. He edits each the
Manage Bandwidth objects, changing the name of the objects to Emp_A, Emp_B,
and Emp_C and changes the bandwidth class to the corresponding employee class.
Next, he creates three more rules for the CEO, moving them above the first three
rules. For the CEO rules, he selects the same combined FTP/HTTP object in the
Service column; in the Action column, he selects a Manage Bandwidth object
configured for client side/outbound, as before, but this time, he names the objects
CEO_A, CEO_B, and CEO_C and selects the corresponding CEO bandwidth class. In
the Source column, he creates a Combined Source Object, naming it for the CEO. He
combines the Client IP/subnet object already created for each office with a User
object that he creates for the CEO.
643
SGOS 6.2 Administration Guide
The administrator places all three CEO rules above the employee rules, because
the ProxySG looks for the first rule that matches a given situation and ignores the
remaining rules. If he had placed the CEO rules below the employee rules, the
appliance would never get to the CEO rules because the CEO’s Web surfing client
IP address matches both the CEO rules and the employee rules, and the ProxySG
would stop looking after the first match. With the CEO rules placed first, the
appliance applies the CEO rules to the CEO’s Web surfing, and an employee’s
Web surfing does not trigger the CEO rules and instead skips ahead to the
appropriate employee rule.
644
Chapter 24: Bandwidth Management
minimum of 500 kbps. But they share it based on their priority levels. This means
that management has priority over employees. The employees are only
guaranteed a minimum if management is using less than 500 kbps.
He decides to leave the minimum on the parent class Staff_A and not to set a
minimum for the class Mgmt_A. This is okay, because the minimum of the parent
class is available to its children if the parent class does not use all of it, and the
only way that the CEO can get more than 250 kbps is if the employees and
management combined use less than 500.
This last change does not require additional changes to policy; the administrator
has added a minimum to a class that he has already classified for traffic using
policy.
645
SGOS 6.2 Administration Guide
In the above scenario, the class called Staff_A does not have traffic configured for
it—it was created to guarantee bandwidth minimums for its child classes.
However, if it were configured for traffic, it would have a practical minimum of
300 kbps. The practical minimum of a parent class is equal to its assigned
minimum bandwidth minus the minimums of its children. In that case, if the
parent class Staff_A used 300 kbps and the child class Emp_A used 200 kbps, the
child class Mgmt_A would not receive any bandwidth unless the class CEO_A was
using less than 250 kbps. Under those circumstances, the administrator probably
also needs to create a minimum for management.
646
Chapter 24: Bandwidth Management
CPL:
define condition student_mp3_weekday
client_address=student_subnet response_header.Content-Type="audio/
mpeg" \
weekday=1..5 hour=9..16
end condition
<proxy>
condition=student_mp3_weekday limit_bandwidth.server.inbound(mp3)
<proxy>
condition=http_posts limit_bandwidth.client.inbound(http_post)
<proxy>
condition=prepop_weekday limit_bandwidth.server.inbound(pre-pop)
647
SGOS 6.2 Administration Guide
648
Chapter 25: Configuring Access Logging
Access logging allows you to track Web usage for the entire network or specific
information on user or department usage patterns. These logs and reports can
be made available in real-time or on a scheduled basis. This chapter describes
access logging and provides procedures for enabling access logging and
configuring upload schedules.
Note: Event logging is not the same as access logging. Event logging allows you
to specify the types of system events logged, the size of the event log, and to
configure Syslog monitoring.
Note: The only data that can be logged in an access log on the ProxySG are the
access-log fields and the CPL fields (found in Chapter 29: "Access Log
Formats" on page 693).
These log records can be directed to one or more log facilities, which associates
the logs with their configured log formats, upload schedules, and other
customizable components. In addition, access logs can be encrypted and
digitally signed before uploading.
Data stored in log facilities can be automatically uploaded to a remote location
for analysis and archive purposes. The uploads can take placing using HTTP,
FTP, or one of several proprietary protocols. After they are uploaded, reporting
tools such as Blue Coat Reporter can be used to analyze the log files. For
information on using Blue Coat Reporter, refer to the Blue Coat Reporter Initial
Configuration Guide.
649
SGOS 6.x Administration Guide
About Facilities
A log facility is a separate log that contains a single logical file and supports a
single log format. The facility contains the file’s configuration and upload
schedule information as well as other configurable information such as how often
to rotate (switch to a new log) the logs at the destination, any passwords needed,
and the point at which the facility can be uploaded.
Multiple access log facilities are supported, although each access log supports a
single log format. You can log a single transaction to multiple log facilities
through a global configuration setting for the protocol that can be modified on a
per-transaction basis through policy.
650
Chapter 25: Configuring Access Logging
❐ Instant Messaging
❐ Peer-to-peer (P2P)
❐ RealMedia/QuickTime
❐ SOCKS
❐ SSL
❐ TCP Tunnel
❐ Telnet
❐ Windows Media
SGOS can create access logs with any one of a number of log formats, and you can
create additional types using custom or ELFF format strings. The log types
supported are:
❐ NCSA common log format
❐ SQUID-compatible format
❐ ELFF (W3C Extended Log File Format)
❐ Custom, using the strings you enter
❐ SmartReporter, an ELFF log format compatible with the SmartFilter Reporter
tool
❐ SurfControl, a log format compatible with the SurfControl Reporter tool
❐ Websense, a log format compatible with the Websense Reporter tool
The log facilities, each containing a single logical file and supporting a single log
format, are managed by policy (created through the Visual Policy Manager (VPM)
or Content Policy Language (CPL)), which specifies the destination log format
and log file.
651
SGOS 6.x Administration Guide
With continuous uploading, the ProxySG continuously streams new access log
entries from the device memory to a remote server. Here, streaming refers to the
real-time transmission of access log information. The SGOS software transmits
access log entries using the specified client, such as FTP client. A keep-alive is sent
to keep the data connection open.
652
Chapter 25: Configuring Access Logging
Continuous uploading allows you to view the latest logging information almost
immediately, send log information to a log analysis tool for real-time processing
and reporting, maintain the ProxySG performance by sending log information to
a remote server (avoiding disk writes), and save device disk space by saving log
information on the remote server.
If the remote server is unavailable to receive continuous upload log entries, the
SGOS software saves the log information on the device disk. When the remote
server is available again, the appliance resumes continuous uploading.
Note: If you do not need to analyze the upload entries in real time, use periodic
uploading because it is more reliable than continuous uploading.
If there is a problem configuring continuous uploading to Microsoft Internet
Information Server (IIS), use periodic uploading instead.
3a
3b
3c
4a 5
4b
b. To change the time between connection attempts, enter the new time
(in seconds) in the Wait between connect attempts field.
653
SGOS 6.x Administration Guide
654
Chapter 25: Configuring Access Logging
Note: If you have multiple access logs, each access log has its own list of
objects.
❐ Show access log statistics: The statistics of an individual access log is shown.
❐ Show statistics of all logs:
The statistics of all the access logs on the system are
displayed in a single list.
❐ Show last N bytes in the log: The last N bytes in the log are shown.
❐ Show last part of log every time it changes:
A stream of the latest log entries is
shown on the page as they are written in the system.
❐ Show access log tail with optional refresh time: A refresh from the browser displays
the latest log entries.
❐ Show access log objects: The statistics of individual access log objects are
displayed.
❐ Show all access log objects: The statistics of all access log object are displayed in
a single list.
655
SGOS 6.x Administration Guide
Status Description
active Log writing is active.
active - early upload The early upload threshold has been reached.
disabled An administrator has disabled logging.
idle Log writing is idle.
initializing The system is initializing.
shutdown The system is shutting down.
656
Chapter 25: Configuring Access Logging
stopped The access log is full. The maximum log size has
been reached.
unknown A system error has occurred.
Estimated compressed size of the uploaded access log and ProxySG access log
size might differ during uploading. This occurs because new entries are created
during the log upload.
2. Under Status of Last Upload, check the appropriate status information displayed
in the Upload client field.
657
SGOS 6.x Administration Guide
3. Check the other status information. For information about the status, see the
table below.
Table 25–2 Upload Status Information
Status Description
Connect time The last time a client connection was made or attempted.
Remote filename The most recent upload filename. If an access log was
encrypted, only the encrypted access log file (the ENC file)
displays.
Remote size The current size of the upload file. If an access log was
encrypted, only the encrypted access log file size (the ENC
file) displays. The private key file (the DER file) varies, but
is usually about 1 Kb.
Maximum bandwidth The maximum bandwidth used in the current or last
connection.
Current bandwidth The bandwidth used in the last second (available only if
currently connected).
Final result The result of the last upload attempt (success or failure).
This is available only if not connected.
2. To view the statistics for a specific access log, enter the following command:
SGOS# show access-log statistics log_name
The statistics for the access log Main are displayed below as an example:
SGOS#(config) show access-log statistics main
Statistics:
Access Log (main) Statistics:
Log Manager Version 3
Log entry lifetime counter: 0
System Status:
Log manager: enabled and running
Upload client: disabled
Log writer: idle
Log reader: idle
Log Information:
Current log size: 0 bytes
Early upload threshold: 1736 MB
Maximum log size: 2170 MB
658
Chapter 25: Configuring Access Logging
659
SGOS 6.x Administration Guide
2a
2b
660
Chapter 25: Configuring Access Logging
c. To disable a particular log, click Disable logging to and select that log
from the drop-down list; to disable all access logging, click Disable all
access logging.
5. Click OK; click OK again; close the VPM window and click Yes in the dialog to
save your changes.
661
SGOS 6.x Administration Guide
662
Chapter 26: Configuring the Upload Client
Note: You must have a socket server to use the Custom client.
663
SGOS 6.2 Administration Guide
The SGOS software allows you to upload either compressed access logs or plain-
text access logs. The device uses the gzip format to compress access logs. Gzip-
compressed files allow more log entries to be stored in the device. Advantages of
using file compression include:
❐ Reduces the time and resources used to produce a log file because fewer disk
writes are required for each megabyte of log-entry text.
❐ Uses less bandwidth when the device sends access logs to an upload server.
❐ Requires less disk space.
Compressed log files have the extension .log.gz. Text log files have the
extension .log.
Note: You cannot upload gzip access-log files for the Websense client.
For greater security, you can configure the SGOS software to:
❐ Encrypt the access log
❐ Sign the access log
Note: The encryption feature is not available for custom or Websense clients.
664
Chapter 26: Configuring the Upload Client
4. Enter the name of the external certificate into the External Cert Name field and
paste the certificate into the External Certificate field. Be sure to include the ----
BEGIN CERTIFICATE---- and -----END CERTIFICATE---- statements.
5. Click OK.
6. Click Apply to commit the changes to the ProxySG.
665
SGOS 6.2 Administration Guide
signature for verifying the log file. The signature file has the same name as the
access log file but with a .sig extension; that is, filename.log.sig, if the access
log is a text file, or filename.log.gzip.sig, if the access log is a gzip file.
Note: The signing feature is not available for custom or Websense clients.
For information about verifying a log, see "Verifying a Digital Signature" on page
669.
Continue with "Configuring the Upload Client to Digitally Sign Access Logs" .
666
Chapter 26: Configuring the Upload Client
2
3b
3a
2. From the Log drop-down list, select the log facility to configure. The facility
must exist before it displays in this list.
3. Select and configure the client type:
a. From the Client type drop-down list, select the upload client to use.
Only one client can be configured for each log facility.
b. Click Settings to customize the upload client.
For information on customizing the clients, skip to "Editing the FTP
Client" on page 669, "Editing the HTTP Client" on page 671, "Editing the
Custom Client" on page 672, "Editing the Custom SurfControl Client" on
page 673, or "Editing the Websense Client" on page 674.
For information about testing the upload client, see "Testing Access Log
Uploading" on page 654.
4. Configure Transmission Parameters, if applicable:
a. (Optional) To use an external certificate to encrypt the uploaded log
facility, select an external certificate from the Encryption Certificate drop-
down list. You must first import the external certificate to the SG
appliance (see "Importing an External Certificate" on page 664).
The encryption option is not available for Websense or Custom clients.
b. (Optional) To enable the digital signature of the uploaded access log,
select a keyring from the Keyring Signing drop-down list. The signing
keyring, with a certificate set to smime, must already exist. A certificate
set to any other purpose cannot be used for digital signatures.
The digital signing option is not available for Websense or Custom clients.
c. Select one of the Save the log file as radio buttons to determine whether
the access log that is uploaded is compressed (gzip file, the default) or
not (text file).
667
SGOS 6.2 Administration Guide
Note: If you are configuring a SurfControl Custom client, select the text file
radio button.
If you select text file, you can change the Send partial buffer after n seconds
field to the time you need (30 seconds is the default).
This field configures the maximum time between text log packets,
meaning that it forces a text upload after the specified length of time even
if the internal log buffer is not full. If the buffer fills up before the time
specified in this setting, the text uploads right away, and is not affected by
this maximum setting.
Note: If you selected gzip file, the Send partial buffer after n seconds field is not
configurable. Also, this setting is only valid for continuous uploading (see
"Configuring Access Logging" on page 649 for information about continuous
uploading).
Note: Before you can manage the bandwidth for this log facility, you must
first create a bandwidth-management class. It is the log facility that is
bandwidth-managed—the upload client type does not affect this setting. See
"Bandwidth Management" on page 627 for information about enabling
bandwidth management and creating and configuring the bandwidth class.
Less bandwidth slows down the upload, while more could flood the network.
5. Click Apply.
See Also
"Verifying a Digital Signature" on page 669
"Digitally Signing Access Logs" on page 665
To disable an upload:
1. Select Configuration > Access Logging > Logs > Upload Client.
2. Select the log facility for which you want to disable an upload from the Log
drop-down menu.
668
Chapter 26: Configuring the Upload Client
where
cacrt The CA certificate used to issue the certificate in the signature
file.
filename.sig The file containing the digital signature of the log file.
filename.log The log file generated after decryption. If the access log is a gzip
file, it contains a .gz extension.
logFile The filename that is generated after signature verification.
669
SGOS 6.2 Administration Guide
2. Select FTP Client from the Client type drop-down list. Click the Settings button.
4a 4b
4c
4d
4e
5
6
7
8
3. Select the primary or alternate FTP server to configure from the Settings for
drop-down list.
4. Fill in the server fields, as appropriate:
a. Host: The name of the upload client host. If the Use secure connections
(SSL) checkbox is selected, the hostname must match the hostname in
the certificate presented by the server.
b. Port: The default is 21; it can be changed.
c. Path: The directory path where the access log is uploaded on the server.
d. Username: This is the username that is known on the host you are
configuring.
e. Change Password: Change the password on the FTP; the Change
Password dialog displays; enter and confirm the new password; click
OK.
5. Filename: The Filename field is comprised of text and/or specifiers. The default
filename includes specifiers and text that indicate the log name (%f), name of
the external certificate used for encryption, if any (%c), the fourth parameter of
the ProxySG IP address (%l), the date and time (Month: %m, Day: %d, Hour: %H,
Minute: %M, Second: %S), and the .log or .gzip.log file extension.
6. Secure Connections: If you use FTPS, select the Use secure connections (SSL)
checkbox. The remote FTP server must support FTPS.
7. Local Time: If you want the upload to reflect the local time it was uploaded
instead of Universal Time Coordinates (UTC), select Local Time.
670
Chapter 26: Configuring the Upload Client
8. Use PASV: With Use PASV selected (the default), the ProxySG connects to the
FTP server. With Use PASV de-selected, the FTP server uses the PORT
command to connect to the ProxySG.
9. Click OK.
10. Click Apply.
Note: To create an HTTPS client, you must also import the appropriate CA
Certificate. For more information, see "Importing a CA Certificate" on page 1189.
4a 4b
4c
4d
4e
5
6
7
3. From the Settings for drop-down list, select the primary or alternate HTTP
server to configure.
4. Fill in the server fields, as appropriate:
a. Host: The name of the upload host. If Use secure connections (SSL) is
selected, the hostname must match the hostname in the certificate
presented by the server.
b. Port: The default is 80, but you can change it.
671
SGOS 6.2 Administration Guide
c. Path: The directory path where the access log facility is uploaded on
the server.
d. Username: This is the username that is known on the host you are
configuring.
e. Change Password: Change the password on the HTTP host; the Change
Password dialog displays; enter and confirm the new password and
click OK.
5. Filename: The Filename field is comprised of text and/or specifiers. The default
filename includes specifiers and text that indicate the log name (%f), name of
the external certificate used for encryption, if any (%c), the fourth parameter of
the ProxySG IP address (%l), the date and time (Month: %m, Day: %d, Hour: %H,
Minute: %M, Second: %S), and the .log or .gzip.log file extension.
6. Local Time: If you want the upload to reflect the local time it was uploaded
instead of Universal Time Coordinate (UTC), select Local Time.
7. Use secure connections (SSL): Select this to create an HTTPS client. To create an
HTTPS client, you must also create a keypair, import or create a certificate,
and, if necessary, associate the keypair and certificate (called a keyring), with
the SSL device profile.
8. Click OK.
9. Click Apply.
672
Chapter 26: Configuring the Upload Client
4a 4b
4c
3. From the Settings for drop-down list, select to configure the primary or
alternate custom server.
4. Fill in the server fields, as appropriate:
a. Host: Enter the hostname of the upload destination. If Use secure
connections (SSL) is selected, the hostname must match the hostname in
the certificate presented by the server.
b. Port: The default is 69; it can be changed.
c. Use secure connections (SSL): Select this if you are using secure
connections.
5. Click OK.
6. Click Apply.
Note: For specific information on managing upload clients, see "Editing the
Custom Client" on page 672.
673
SGOS 6.2 Administration Guide
7. Click OK.
8. Click Apply.
Note: You cannot upload gzip access log files with the Websense client.
3. From the Settings for drop-down list, select the primary or alternate server you
want to configure.
4. Fill in the fields as appropriate:
a. Host: Enter the hostname of the primary Websense Server.
b. Port: The default is 55805, but you can change it if the Websense Server
is using a different port.
5. Repeat for the Alternate Websense Server.
6. Click OK.
7. Click Apply.
674
Chapter 26: Configuring the Upload Client
Troubleshooting
❐ Problem: The ProxySG is uploading logs more frequently than expected.
Description: If access logging is enabled, logs can accrue on the ProxySG’s
hard drive even if the upload client is not configured for specific protocols
(often the case if you configured streaming, IM, or P2P). Eventually the size of
these combined logs, triggers the global Start an Early upload threshold
(Configuration > Access Logging > General > Global Settings. The ProxySG attempts
to upload all configured logs more often than expected. For example, a main
log that is configured for upload every 24 hours starts to upload small
portions of the main log every 10 minutes.
Solution: To prevent the access logs that do not have an upload client
configured from triggering the Start an Early upload threshold, edit the default
logs for each protocol that you do not need uploaded. Set them to <None> from
the Configuration > Access Logging > Logs > Upload Client tab.
675
SGOS 6.2 Administration Guide
676
Chapter 27: Creating and Editing An Access Log Facility
This chapter describes how to modify existing log facilities for your needs. You
can also create new log facilities for special circumstances, such as associating
the SurfControl log format with a log facility.
Note: Several log facilities have already been created. Before creating a new
one, check the existing ones to see if they fit your needs. If you want to use a
custom log format with the new log facility, you must create the log format
before associating it with a log (see "Creating Custom Access Log Formats" on
page 685).
677
SGOS 6.2 Administration Guide
3a
3b
3c
4a
4b
Note: The name can include specifiers from Table 29–5 on page 700. For
example, if you name the file:
• AccLog, the name will be AccLog
• AccLog%C%m%d%H%M%S, the name becomes
AccLog ProxySG_name month day hour min sec
678
Chapter 27: Creating and Editing An Access Log Facility
Note: If you change the log format of a log, remember that ELFF formats require
an ELFF header in the log (the list of fields being logged are mentioned in the
header) and that non-ELFF formats do not require this header.
The format of data written to the log changes as soon as the format change is
applied; for best practices, do a log upload before the format change and
immediately after (to minimize the number of log lines in a file with mixed log
formats).
Upload the log facility before you switch the format.
2a
2b
2c
3a
3b
679
SGOS 6.2 Administration Guide
2. Select the log facility you want to delete and click Delete.
3. The Confirm Delete? dialog displays. Click Ok.
The log is successfully deleted when it is no longer displayed under Logs.
680
Chapter 27: Creating and Editing An Access Log Facility
Note: If you have a policy that defines protocol and log association, that policy
overrides any settings you make here.
The following list shows the protocols supported and the default log facilities
assigned to them, if any:
CIFS cifs
FTP main
HTTP main
HTTPS-Reverse-Proxy main (Set to the same log facility that HTTP is using
upon upgrade.)
HTTPS-Forward-Proxy ssl (If the facility for HTTP, TCP, or SOCKS is set
before upgrade.)
Instant Messaging im
681
SGOS 6.2 Administration Guide
MAPI mapi
SOCKS none
SSL ssl (If the facility for HTTP, TCP or SOCKS is set before
upgrade.)
Telnet main
Note: To disable access logging for a particular protocol, you must either disable
the default logging policy for that protocol (see "Disabling Access Logging for a
Particular Protocol" on page 682) or modify the access logging policy in VPM
(refer to Visual Policy Manager Reference).
682
Chapter 27: Creating and Editing An Access Log Facility
2a
2b
2c
683
SGOS 6.2 Administration Guide
684
Chapter 28: Creating Custom Access Log Formats
This chapter describes the default access log formats and describes how to
create customized access log formats.
Note: Reserved log formats cannot be edited or modified in any way. If you
wish to create a custom log format based on an existing reserved log format,
see "Creating a Custom or ELFF Log Format" on page 688.
For a description of each value in the log, see "Access Log Formats" on page
693.
❐ cifs: This is an ELFF format with the custom strings of
date time c-ip c-port r-ip r-port s-action s-ip cs-auth-group cs-
username x-client-connection-bytes x-server-connection-bytes x-
server-adn-connection-bytes x-cifs-method x-cifs-client-read-
operations x-cifs-client-write-operations x-cifs-client-other-
operations x-cifs-server-operations x-cifs-error-code x-cifs-server
x-cifs-share x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read
x-cifs-server-bytes-read x-cifs-bytes-written x-cifs-uid x-cifs-tid
x-cifs-fid x-cifs-file-size x-cifs-file-type
❐ im (Instant Messaging): This is an ELFF format with the custom strings of:
date time c-ip cs-username cs-auth-group cs-protocol x-im-method x-
im-user-id x-im-user-name x-im-user-state x-im-client-info x-im-
buddy-id x-im-buddy-name x-im-buddy-state x-im-chat-room-id x-im-
chat-room-type x-im-chat-room-members x-im-message-text x-im-
message-size x-im-message-route x-im-message-type x-im-file-path x-
im-file-size s-action
685
SGOS 6.2 Administration Guide
The ELFF/custom access log format strings that represent the strings above
are:
$(c-ip) - $(cs-username) $(localtime) $(cs-request-line) $(sc-status)
$(sc-bytes)
❐ squid:This is a reserved format that cannot be edited. You can create a new
SQUID log format using custom strings. The default SQUID format is SQUID-
1.1 and SQUID-2 compatible.
SQUID uses several definitions for its field formats:
SQUID-1:time elapsed remotehost code/status/peerstatus bytes method
URL
SQUID-1.1: time elapsed remotehost code/status bytes method URL rfc931
peerstatus/peerhost type
SQUID-2 has the same fields as SQUID-1.1, although some of the field values
have changed.
❐ ssl: This is an ELFF format with custom strings of:
date time time-taken c-ip s-action x-rs-certificate-validate-status x-
rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error cs-host
s-supplier-name x-rs-connection-negotiated-ssl-version x-rs-
connection-negotiated-cipher x-rs-connection-negotiated-cipher-size x-
rs-certificate-hostname x-rs-certificate-hostname-category x-cs-
connection-negotiated-ssl-version x-cs-connection-negotiated-cipher x-
cs-connection-negotiated-cipher-size x-cs-certificate-subject s-ip s-
sitename
686
Chapter 28: Creating Custom Access Log Formats
❐ surfcontrol, surfcontrolv5, and smartfilter: These are reserved formats that cannot
be edited.
❐ websense: This is a reserved format that cannot be edited.
❐ bcreportercifs_v1: This is a reserved format that cannot be edited:
date time c-ip c-port r-ip r-port s-action s-ip cs-auth-group cs-
username x-client-connection-bytes x-server-connection-bytes x-server-
adn-connection-bytes x-cifs-method x-cifs-client-read-operations x-
cifs-client-write-operations x-cifs-client-other-operations x-cifs-
server-operations x-cifs-error-code x-cifs-server x-cifs-share x-cifs-
path x-cifs-orig-path x-cifs-client-bytes-read x-cifs-server-bytes-
read x-cifs-bytes-written x-cifs-uid x-cifs-tid x-cifs-fid x-cifs-
file-size x-cifs-file-type
❐ bcreportermain_v1 format:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-
filter-result cs-categories cs(Referer) sc-status s-action cs-method
rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-
query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-
id x-bluecoat-application-name x-bluecoat-application-operation
❐ bcreporterssl_v1:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-
filter-result cs-categories sc-status s-action cs-method rs(Content-
Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension cs(User-
Agent) s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-
errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-
cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-
category
❐ bcreporterstreaming_v1 format:
date time time-taken c-ip sc-status s-action sc-bytes rs-bytes cs-
method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-
username cs-auth-group cs(Referer) cs(User-Agent) c-starttime
filelength filesize avgbandwidth x-rs-streaming-content x-streaming-
rtmp-app-name x-streaming-rtmp-stream-name x-streaming-rtmp-swf-url x-
streaming-rtmp-page-url s-ip s-dns s-session-id x-cache-info
Note: If you had previously created formats with the name smartreporter or
surfcontrolv5 and you upgrade the device, those formats are changed to
smartreporter_user or surfcontrolv5_user. If you already have a log format named
smartreporter_user or surfcontrolv5_user, then the names become smartreporter_user1
or surfcontrolv5_user1. This naming protocol continues (_user2, _user3...) as
necessary. The logs associated with these formats are automatically associated
with the new format name.
687
SGOS 6.2 Administration Guide
2. Click New (or highlight a format and click Edit). The Create Format dialog
displays. If you select an unconfigurable format, you receive an error message.
3a
3b
3c 3d
3e
688
Chapter 28: Creating Custom Access Log Formats
689
SGOS 6.2 Administration Guide
3. Highlight the portion of the string that you wish to copy and use a keyboard
shortcut to copy the text onto the clipboard.
Note: Be aware that you cannot copy and paste selections using the right
mouse button from within the Management Console; you must use keyboard
shortcuts.
6. Select the format string field (if there is an existing string, place the cursor
where you want to insert the string) and paste the string from the clipboard
using a keyboard shortcut.
7. Continue from step 3 from "To create or edit the log format:" on page 688.
690
Chapter 28: Creating Custom Access Log Formats
691
SGOS 6.2 Administration Guide
692
Chapter 29: Access Log Formats
This chapter describes the access log formats that are created by ProxySG:
❐ "Custom or W3C ELFF Format"
❐ "SQUID-Compatible Format" on page 697
❐ "NCSA Common Access Log Format" on page 699
ELFF is a log format defined by the W3C that contains information about
Windows Media and RealProxy logs.
The ProxySG can create access logs with any one of six formats. Four of the six
are reserved formats and cannot be configured. However, you can create
additional logs using custom or ELFF format strings.
When using an ELFF or custom format, a blank field is represented by a dash
character. When using the SQUID or NCSA log format, a blank field is
represented according to the standard of the format.
ELFF formats are created by selecting a corresponding custom log format using
the table below. Unlike the Blue Coat custom format, ELFF does not support
character strings and require a space between fields.
693
SGOS 6.2 Administration Guide
❐ Changes all spaces within fields to + or %20. The ELFF standard requires that
spaces only be present between fields.
ELFF formats are described in the following table.
Table 29–2 Blue Coat Custom Format and Extended Log File Format
694
Chapter 29: Access Log Formats
Table 29–2 Blue Coat Custom Format and Extended Log File Format (Continued)
695
SGOS 6.2 Administration Guide
Table 29–2 Blue Coat Custom Format and Extended Log File Format (Continued)
%O - [Not used.]
%P s-port Port of the appliance on which the client
established its connection
%Q cs-uri-query Query from the 'log' URL.
%R cs(Referer) Request header: Referer
%S s-sitename The service type used to process the
transaction
%T duration Time taken (in seconds) to process the request
%U cs-uri-path Path from the 'log' URL. Does not include
query.
%V cs-version Protocol and version from the client's request,
e.g. HTTP/1.1
%W sc-filter- Content filtering result: Denied, Proxied or
result Observed
%X cs(X- Request header: X-Forwarded-For
Forwarded-
For)
%Y - [Not used.]
%Z s-icap-info ICAP response information
696
Chapter 29: Access Log Formats
SQUID-Compatible Format
The SQUID-compatible format contains one line for each request. For SQUID-1.1,
the format is:
time elapsed remotehost code/status bytes method URL rfc931
peerstatus/peerhost type
For SQUID-2, the columns stay the same, though the content within might change
a little.
Value Description
ACCELERATED (SOCKS only) The request was handed to the
appropriate protocol agent for handling.
ALLOWED An FTP method (other than the data transfer method)
is successful.
DENIED Policy denies a method.
FAILED An error or failure occurred.
LICENSE_EXPIRED (SOCKS only) The request could not be handled
because the associated license has expired.
TUNNELED Successful data transfer operation.
TCP_ Refers to requests on the HTTP port.
TCP_ACCELERATED For CONNECT tunnels that are handed off to the
following proxies: HTTP, SSL, Endpoint mapper, and
P2P for BitTorrent/EDonkey/Gnutella.
TCP_AUTH_HIT The requested object requires upstream
authentication, and was served from the cache.
TCP_AUTH_HIT_RST The requested object requires upstream
authentication, but the client connection was reset
before the complete response was delivered.
TCP_AUTH_MISS The requested object requires upstream
authentication, and was not served from the cache.
This is part of CAD (Cached Authenticated Data).
TCP_AUTH_MISS_RST The requested object requires upstream
authentication, and was not served from the cache; the
client connection was reset before the complete
response was delivered.
697
SGOS 6.2 Administration Guide
Value Description
TCP_AUTH_FORM Forms-based authentication is being used and a form
challenging the user for credentials is served in place
of the requested content.
Note: Upon submission of the form, another access log
entry is generated to indicate the status of the initial
request.
TCP_AUTH_REDIRECT The client was redirected to another URL for
authentication.
TCP_CLIENT_REFRESH The client forces a revalidation with the origin server
with a Pragma: no-cache. If the server returns 304
Not Modified, this appears in the
Statistics:Efficiency file as In Cache,
verified Fresh.
698
Chapter 29: Access Log Formats
Value Description
TCP_PARTIAL_MISS_RST The object is in the cache, but retrieval from the origin
server is in progress; the client connection was reset
before the complete response was delivered.
TCP_POLICY_REDIRECT The client was redirected to another URL due to
policy.
TCP_REFRESH_HIT A GIMS request to the server was forced and the
response was 304 Not Modified; this appears in the
Statistics:Efficiency file as In Cache, verified
Fresh.
699
SGOS 6.2 Administration Guide
Specifier Description
%% Percent sign.
%a Abbreviated weekday name.
%A Full weekday name.
%b Abbreviated month name.
%B Full month name.
%c The certificate name used for encrypting the log file (expands to nothing in
non-encrypted case).
%C The ProxySG name.
%d Day of month as decimal number (01 – 31).
%f The log name.
%H Hour in 24-hour format (00 – 23).
%i First IP address of the ProxySG, displayed in x_x_x_x format, with leading
zeros removed.
%I Hour in 12-hour format (01 – 12).
%j Day of year as decimal number (001 – 366).
%l The fourth (last) octet in the ProxySG IP address ( For example, for the IP
address 10.11.12.13, %l would be 13)
%m Month as decimal number (01 – 12).
700
Chapter 29: Access Log Formats
Category: bytes
cs-bodylength Number of bytes in the body
(excludes header) sent from
client to appliance
cs-bytes %B Number of bytes sent from
client to appliance
cs- Number of bytes in the header
headerlength sent from client to appliance
rs-bodylength Number of bytes in the body
(excludes header) sent from
upstream host to appliance
rs-bytes Number of bytes sent from
upstream host to appliance
rs- Number of bytes in the header
headerlength sent from upstream host to
appliance
sc-bodylength Number of bytes in the body
(excludes header) sent from
appliance to client
701
SGOS 6.2 Administration Guide
Category: cifs
x-cifs-bytes- Total number of bytes written to
written the associated resource
x-cifs- Total number of bytes read by
client-bytes- CIFS client from the associated
read resource
x-cifs- Total number of read operations
client-read- issued by the CIFS client for the
operations associated resource
x-cifs- Total number of non read/write
client-other- operations issued by the CIFS
operations client for the associated resource
x-cifs- Total number of write
client-write- operations issued by the CIFS
operations client for the associated resource
x-cifs-dos- DOS error class generated by
error-class server, in hexadecimal
x-cifs-dos- DOS error code generated by
error-code server, in hexadecimal
x-cifs-error- Error code generated by server
code
702
Chapter 29: Access Log Formats
Category: connection
cs-ip proxy.address IP address of the destination of
the client's connection
c-connect- The type of connection made by
type the client to the appliance --
'Transparent' or 'Explicit'
c-dns %h Hostname of the client (uses the
client's IP address to avoid
reverse DNS)
x-cs-dns client.host The hostname of the client
obtained through reverse DNS.
703
SGOS 6.2 Administration Guide
704
Chapter 29: Access Log Formats
705
SGOS 6.2 Administration Guide
706
Chapter 29: Access Log Formats
707
SGOS 6.2 Administration Guide
Category: dns
x-dns-cs- dns.client_transpo The transport protocol used by
transport rt the client connection in a DNS
query
x-dns-cs- dns.request.addres The address queried in a reverse
address s DNS lookup
x-dns-cs-dns dns.request.name The hostname queried in a
forward DNS lookup
x-dns-cs- dns.request.opcode The DNS OPCODE used in the
opcode DNS query
708
Chapter 29: Access Log Formats
Category: im
x-im-buddy-id Instant messaging buddy ID
x-im-buddy- Instant messaging buddy
name display name
x-im-buddy- Instant messaging buddy state
state
709
SGOS 6.2 Administration Guide
Category:
mapi
x-mapi-method The method associated with the
MAPI request
x-mapi-user- The distinguished name of the
dn user negotiated by MAPI
x-mapi-user The name of the user negotiated
by MAPI. See x-mapi-user-dn
for the fully distinguished
name.
x-mapi-cs- The count of RPC messages
rpc-count received from the client
x-mapi-sr- The count of RPC messages sent
rpc-count to the server
x-mapi-rs- The count of RPC messages
rpc-count received from the server
x-mapi-sc- The count RPC messages sent to
rpc-count the client
x-mapi- Total number of RPC messages
endpoint-rpc- sent to the end point
count
710
Chapter 29: Access Log Formats
Category: p2p
x-p2p-client- Number of bytes from client
bytes
Category: packets
c-pkts-lost- Number of packets lost during
client transmission from server to
client and not recovered at the
client layer via error correction
or at the network layer via UDP
resends.
c-pkts-lost- Maximum number of
cont-net continuously lost packets on the
network layer during
transmission from server to
client
c-pkts-lost- Number of packets lost on the
net network layer
c-pkts- Number of packets from the
received server (s-pkts-sent) that are
received correctly by the client
on the first try
c-pkts- Number of packets repaired and
recovered-ECC recovered on the client layer
c-pkts- Number of packets recovered
recovered- because they were resent via
resent UDP.
c-quality The percentage of packets that
were received by the client,
indicating the quality of the
stream
c-resendreqs Number of client requests to
receive new packets
711
SGOS 6.2 Administration Guide
Category: req_rsp_line
cs-method method %m Request method used from
client to appliance
x-cs-http- http.method HTTP request method used
method from client to appliance. Empty
for non-HTTP transactions
cs-protocol client.protocol Protocol used in the client's
request
cs-request- http.request_line %r First line of the client's request
line
712
Chapter 29: Access Log Formats
Category: special_token
x-bluecoat- amp The ampersand character
special-amp
713
SGOS 6.2 Administration Guide
Category: ssl
x-rs- server.certificate Hostname from the server's SSL
certificate- .hostname certificate
hostname
714
Chapter 29: Access Log Formats
715
SGOS 6.2 Administration Guide
Category: status
x-bluecoat- release.id The release ID of the ProxySG
release-id operating system
716
Chapter 29: Access Log Formats
717
SGOS 6.2 Administration Guide
718
Chapter 29: Access Log Formats
719
SGOS 6.2 Administration Guide
720
Chapter 29: Access Log Formats
721
SGOS 6.2 Administration Guide
Category: streaming
audiocodec Audio codec used in stream.
avgbandwidth Average bandwidth (in bits per
second) at which the client was
connected to the server.
channelURL URL to the .nsc file
c-buffercount Number of times the client
buffered while playing the
stream.
c-bytes An MMS-only value of the total
number of bytes delivered to the
client.
c-cpu Client computer CPU type.
c-hostexe Host application
c-hostexever Host application version
number
c-os Client computer operating
system
c-osversion Client computer operating
system version number
c-playerid Globally unique identifier
(GUID) of the player
c- Client language-country code
playerlanguag
e
722
Chapter 29: Access Log Formats
723
SGOS 6.2 Administration Guide
Category: time
connect-time Total ms required to connect to
the origin server
date date.utc %x GMT Date in YYYY-MM-DD
format
dnslookup- Total ms cache required to
time perform the DNS lookup
duration %T Time taken (in seconds) to
process the request
gmttime %t GMT date and time of the user
request in format: [DD/MM/
YYYY:hh:mm:ss GMT]
x-bluecoat- day.utc GMT/UTC day (as a number)
day-utc formatted to take up two spaces
(e.g. 07 for the 7th of the month)
x-bluecoat- hour.utc GMT/UTC hour formatted to
hour-utc always take up two spaces (e.g.
01 for 1AM)
x-bluecoat- minute.utc GMT/UTC minute formatted to
minute-utc always take up two spaces (e.g.
01 for 1 minute past)
x-bluecoat- month.utc GMT/UTC month (as a
month-utc number) formatted to take up
two spaces (e.g. 01 for January)
x-bluecoat- monthname.utc GMT/UTC month in the short-
monthname-utc form string representation (e.g.
Jan for January)
x-bluecoat- second.utc GMT/UTC second formatted to
second-utc always take up two spaces (e.g.
01 for 1 second past)
x-bluecoat- weekday.utc GMT/UTC weekday in the
weekday-utc short-form string representation
(e.g. Mon for Monday)
724
Chapter 29: Access Log Formats
725
SGOS 6.2 Administration Guide
Category: url
cs-host %v Hostname from the client's
request URL. If URL rewrite
policies are used, this field's
value is derived from the 'log'
URL
cs-uri log_url %i The 'log' URL.
cs-uri- log_url.address IP address from the 'log' URL.
address DNS is used if URL uses a
hostname.
cs-uri- log_url.extension Document extension from the
extension 'log' URL.
cs-uri-host log_url.host Hostname from the 'log' URL.
cs-uri- log_url.hostname Hostname from the 'log' URL.
hostname RDNS is used if the URL uses an
IP address.
cs-uri-path log_url.path %U Path from the 'log' URL. Does
not include query.
726
Chapter 29: Access Log Formats
727
SGOS 6.2 Administration Guide
728
Chapter 29: Access Log Formats
729
SGOS 6.2 Administration Guide
Category: user
cs-auth-group group One group that an
authenticated user belongs to. If
a user belongs to multiple
groups, the group logged is
determined by the Group Log
Order configuration specified in
VPM. If Group Log Order is not
specified, an arbitrary group is
logged. Note that only groups
referenced by policy are
considered.
cs-auth- groups List of groups that an
groups authenticated user belongs to.
Note that only groups
referenced by policy are
included.
cs-auth-type Client-side: authentication type
(basic, ntlm, etc.)
730
Chapter 29: Access Log Formats
731
SGOS 6.2 Administration Guide
732
Chapter 29: Access Log Formats
Category: ci_request_header
cs(Accept) request.header.Acc Request header: Accept
ept
733
SGOS 6.2 Administration Guide
734
Chapter 29: Access Log Formats
735
SGOS 6.2 Administration Guide
736
Chapter 29: Access Log Formats
737
SGOS 6.2 Administration Guide
738
Chapter 29: Access Log Formats
739
SGOS 6.2 Administration Guide
740
Chapter 29: Access Log Formats
741
SGOS 6.2 Administration Guide
742
Chapter 29: Access Log Formats
743
SGOS 6.2 Administration Guide
Category: si_response_header
rs(Accept) response.header.Ac Response header: Accept
cept
744
Chapter 29: Access Log Formats
745
SGOS 6.2 Administration Guide
746
Chapter 29: Access Log Formats
747
SGOS 6.2 Administration Guide
748
Chapter 30: Statistics
749
SGOS 6.2 Administration Guide
g h e
b
a
Key:
a: View aggregated bandwidth usage or gain graphs and statistics. d
Note: Bypassed bytes are bytes that are not intercepted by a service or proxy.
When you include or exclude bypassed bytes, only the graph data and totals are
affected. The table data in the lower half of the page is not altered.
For a list of supported proxies, see "Supported Proxy Types" on page 756.
Note: Endpoint Mapper proxy bytes are the result of Microsoft Remote
Procedure Call (MSRPC) communication for MAPI traffic.
750
Chapter 30: Statistics
See Also
"Clearing the Statistics" on page 751
"Understanding Chart Data" on page 751
"Detailed Values" on page 752
"Refreshing the Data" on page 753
"About Bypassed Bytes" on page 753
"About the Default Service Statistics" on page 753
"Viewing Bandwidth Usage or Gain" on page 754
"Viewing Client Byte and Server Byte Traffic Distribution" on page 754
"Supported Proxy Types" on page 756
751
SGOS 6.2 Administration Guide
Figure 30–2 Traffic Mix Statistics— displayed when the cursor hovers over chart data
Detailed Values
The values that display when you hover the mouse cursor over the chart data, are
called tool tips. These values can include:
❐ C = Client-side traffic data rate. This statistic represents the data rate calculated
(to and from the client) on the client–side connection. Data rate is represented
by units of bits per second (bps) from measurements that are sampled at one-
minute intervals. All application protocol-level bytes are counted, including
application-protocol overhead such as HTTP and CIFS headers.
❐ S = Server-side traffic data rate. This statistic represents the data rate
calculated (to and from the server) on the server–side connection. The data
rate is represented by units of bits per second (bps) from measurements that
are sampled at one-minute intervals. All application-level bytes are counted,
including application overhead such as HTTP and CIFS headers.
❐ Unopt = Unoptimized traffic data rate. This statistic reflects the data rate of
original traffic served to/from the client or server prior to or subsequent to
ADN optimization. The data rate is represented by units of bits per second
(bps).
❐ Opt = Optimized traffic data rate. This statistic reflects the data rate of ADN-
optimized traffic. Data rate is represented by units of bits per second (bps).
❐ B = Bypassed traffic data rate. This statistic reflects that data rate of bypassed
traffic (traffic that is not intercepted by ProxySG services). The data rate is
represented by units of bits per second (bps).
❐ Gain = Bandwidth Gain. This statistic, representing the overall bandwidth
benefit achieved by object and byte caching, compression, protocol
optimization, and object caching, is computed by the ratio:
client bytes / server bytes
752
Chapter 30: Statistics
753
SGOS 6.2 Administration Guide
754
Chapter 30: Statistics
b c
Key:
a: View traffic history statistics by service or by proxy.
b: Modify the historical reporting period.
c: Include or exclude bypassed bytes.
d: View totals for client bytes, server bytes, and bandwidth gain for the selected service
or proxy type.
e: Display charts for bandwidth usage, bandwidth gain, client bytes, and server bytes.
Note: Bypassed bytes are bytes that are not intercepted by a service or a proxy.
755
SGOS 6.2 Administration Guide
Supported Services
• VNC • X Windows
Note: Endpoint Mapper proxy bytes are the result of Remote Procedure Call
(RPC) communication for MAPI traffic.
756
Chapter 30: Statistics
• DNS • IM • P2P
• SOCKS • Telnet
Figure 30–4 Traffic History Statistics — displayed when the cursor hovers over chart data
757
SGOS 6.2 Administration Guide
758
Chapter 30: Statistics
759
SGOS 6.2 Administration Guide
❐ CIFS History
The Statistics > Protocol Details > CIFS History pages enable you view statistics for
CIFS objects, CIFS bytes read, CIFS bytes written, and CIFS clients. See
"Reviewing CIFS Protocol Statistics" on page 259 for more information about
these statistics.
❐ HTTP/FTP History
The Statistics > Protocol Details > HTTP/FTP History pages enable you view
statistics for HTTP/HTTPS/FTP objects, HTTP/HTTPS/FTP bytes, HTTP/
HTTPS/FTP clients, client compression gain, and server compression gain.
See "Viewing FTP Statistics" on page 301 and "Understanding HTTP
Compression" on page 205 for more information about these statistics.
For HTTP/FTP bandwidth usage statistics, see the Traffic Mix and Traffic History
pages.
❐ IM History
The Statistics > Protocol Details > IM History pages enable you view statistics for
IM connection data, IM activity data, and IM clients. See "Reviewing IM
Statistics" on page 623 for more information about these statistics.
❐ MAPI History
The Statistics > Protocol Details > MAPI History pages enable you view statistics for
MAPI client bytes read, MAPI client bytes written, and MAPI clients. See
"Reviewing Endpoint Mapper Proxy Statistics" on page 276 for more
information about these statistics.
For MAPI bandwidth usage statistics, see the Traffic Mix and Traffic History
pages.
❐ P2P History
The Statistics > Protocol Details > P2P History pages enable you view statistics for
P2P data, P2P clients, and P2P bytes. Refer to the P2P information in the Visual
Policy Manager Reference for more information about these statistics.
❐ Shell History
The Statistics > Protocol Details > Shell History pages enable you view statistics for
shell clients. See "Viewing Shell History Statistics" on page 323 for more
information about these statistics.
❐ SOCKS History
The Statistics > Protocol Details > SOCKS History pages enable you view statistics
for SOCKS clients, SOCKS connections, client compression gain, and server
compression gain. See "Viewing SOCKS History Statistics" on page 313 for
more information about these statistics.
❐ SSL History
The Statistics > Protocol Details > SSL History pages enable you view statistics for
unintercepted SSL data, unintercepted SSL clients, and unintercepted SSL
bytes. See "Viewing SSL History Statistics" on page 240 for more information
about these statistics.
760
Chapter 30: Statistics
❐ Streaming History
The Statistics > Protocol Details > Streaming History pages enable you view
statistics for Windows Media, Real Media, QuickTime, current streaming data,
total streaming data, and bandwidth gain. See "Viewing Streaming History
Statistics" on page 545 for more information about these statistics.
For MMS bandwidth usage statistics, see the Traffic Mix and Traffic History
pages.
Resources Statistics
The Resources tabs (CPU, Concurrent Users, Disk Use, and Memory Use) allow you to
view information about how the CPU, disk space and memory are being used,
and how disk and memory space are allocated for cache data. You can view data
allocation statistics through both the Management Console and the CLI, but disk
and memory use statistics are available only through the Management Console.
761
SGOS 6.2 Administration Guide
Note: If the ADN adaptive compression feature is enabled, the ProxySG will
adjust its compression level based on its internal compression index, resulting in
higher or lower CPU usage. This means that if adaptive compression is enabled,
you can not rely on the CPU utilization values alone for capacity planning.
Instead, you should also consider the compression index (Statistics > ADN History >
Adaptive Compression). To determine whether adaptive compression is enabled,
click the Enable or disable adaptive compression link.
762
Chapter 30: Statistics
763
SGOS 6.2 Administration Guide
764
Chapter 30: Statistics
Note: The Kernel attempts to maximize the number and lifetime of cache
buffers, but if needed, it will recover cache buffers using the LRU replacement
algorithm to satisfy a memory allocation request.
Contents Statistics
The Contents tabs (Distribution and Data) allow you to see information about objects
currently stored or served that are organized by size. The cache contents include
all objects currently stored by the ProxySG appliance. The cache contents are not
cleared when the appliance is powered off.
765
SGOS 6.2 Administration Guide
766
Chapter 30: Statistics
767
SGOS 6.2 Administration Guide
2. Click Log start or Log end or the forward and back arrow buttons to move
through the event list.
3. (Optional) Click the Poll for new events check box to poll for new events that
occurred while the log was being displayed.
768
Chapter 30: Statistics
Failover Statistics
At any time, you can view statistics for any failover group you have configured
on your system.
2. From the Failover Group drop-down list, select the group to view.
The information displayed includes the multicast address, the local address, the
state, and any flags, where V indicates that the group name is a virtual IP address,
R indicates that the group name is a physical IP address, and M indicates that this
machine can be configured to be the master if it is available.
Note: You can also view session statistics for ADN inbound connections, which is
described in "Reviewing ADN Active Sessions" on page 835.
See Also
❐ "Example Scenarios Using Active Sessions for Troubleshooting" on page 770
❐ "Analyzing Proxied Sessions" on page 770
769
SGOS 6.2 Administration Guide
770
Chapter 30: Statistics
Important: Use the statistics on the Proxied Sessions pages as a diagnostic tool
only. The Proxied Sessions pages do not display every connection running through
the ProxySG. This feature displays only the active sessions—one client connection
(or several), together with the relevant information collected from other
connections associated with that client connection. Because it displays only open
connections, you cannot use the data for reporting purposes.
The Proxied Sessions page displays statistics for the following proxies:
• CIFS • MSRPC
• HTTP • SSL
• MAPI
3. Enter the appropriate information for the filter you have selected:
Filter Information to Enter
Client Address Enter the client’s IP address or IP address and subnet
mask
Client Port Enter a client port number.
771
SGOS 6.2 Administration Guide
ICAP Select the ICAP service type from the drop-down list: Any,
(For Proxy Edition REQMOD, RESPMOD
license only)
Select the service name from the Service drop-down list.
Select the ICAP state from the Status drop-down list: Any,
transferring, deferred, scanning, completed
Notes:
• The ICAP filtering fields are optional. If you leave all
the options set to Any, all ICAP-enabled sessions are
listed.
• To see entries that represents a session instead of a
connection, you must expand that row (by clicking the
Client column) to see all the connections inside the
session.
Proxy Select a proxy from the drop-down list. The proxy types
are listed on page 120.
Server Address Enter the IP address or hostname of the server. Hostname
filters automatically search for suffix matches. For
example, if you filter for example.com,
test.example.com is included in the results.
4. (Optional) To limit the number of connections to view, select Display the most
recent and enter a number in the results field. This optimizes performance
when there is a large number of connections.
5. (Optional) To view the current errored proxied sessions, select Show errored
sessions only. For more details, see "Viewing Errored Sessions and
Connections" on page 783.
6. Click Show.
772
Chapter 30: Statistics
❐ Session and connection totals are displayed on the bottom left side of the
page.
The following table describes the per-column statistics and the various icons on
the Proxied Sessions page.
773
SGOS 6.2 Administration Guide
Table 30–1 Column and Icon Descriptions on the Proxied Sessions Page
774
Chapter 30: Statistics
Table 30–1 Column and Icon Descriptions on the Proxied Sessions Page (Continued)
775
SGOS 6.2 Administration Guide
Table 30–1 Column and Icon Descriptions on the Proxied Sessions Page (Continued)
776
Chapter 30: Statistics
Table 30–1 Column and Icon Descriptions on the Proxied Sessions Page (Continued)
777
SGOS 6.2 Administration Guide
HTTP
The tree view displays (as shown above) for HTTP if multiple hosts are contacted
during a session or if pipelining is used.
FTP
FTP uses multiple, concurrent connections. These are represented as separate
rows in the tree view, as shown in the following figure.
778
Chapter 30: Statistics
MMS
The active sessions feature displays MMS streams that have a client associated
with them. MMS streams that do not have a client associated with them
(multicast, content management requests, and so on) are not displayed. MMS
streams are displayed as follows:
❐ MMS UDP streams have two connections, one for data and one for control.
❐ MMS TCP streams have a single connection.
❐ MMS HTTP streams have a single connection.
For additional information about streaming connections, see "About MMS
Streaming Connections" on page 778.
ADN Tunnels
If the traffic is flowing through an ADN tunnel, the bytes are counted after ADN
optimization, meaning that compressed byte counts are displayed.
779
SGOS 6.2 Administration Guide
Aborted Downloads
In some cases, you might see the server bytes increasing even after the client has
closed the connection. This can occur when a client requests a large object and
aborts the download before receiving the entire object. The server bytes continue
to increase because the ProxySG is retrieving the object for caching. You can
change this behavior by enabling the bandwidth gain mode.
780
Chapter 30: Statistics
See Also
❐ "Analyzing Bypassed Connections Statistics"
❐ "Viewing Errored Sessions and Connections"
3. Enter the appropriate information for the filter you have selected:
Filter Information to Enter
Client Address Enter the client’s IP address or IP address and subnet
mask
Client Port Enter a client port number.
781
SGOS 6.2 Administration Guide
4. (Optional) To limit the number of connects to view, select Display the most recent
and enter a number in the results field. This helps optimize performance when
there is a large number of connections.
5. (Optional) To view the current errored bypassed connections, select Show
errored sessions only. For more details, see See "Viewing Errored Sessions and
Connections" on page 783.
6. Click Show.
Note the following:
❐ Unavailable connections (gray) indicate connections that are now closed.
❐ Previously-established connections displayed with (<--?-->) text indicate that
the direction of these connections is unknown.
❐ One-way connections are displayed in color.
Table 30–2 Table Column Heading Descriptions on the Bypassed Connections Page
782
Chapter 30: Statistics
Table 30–2 Table Column Heading Descriptions on the Bypassed Connections Page (Continued)
Note: ProxySG 5.3 bypasses CIFS sessions that require message signing or
server signatures. Object caching and protocol optimization are inactive for
these CIFS sessions, and the message in the Details field is Server requires security
signatures.
See Also
❐ "Active Sessions—Viewing Per-Connection Statistics"
❐ "Example Scenarios Using Active Sessions for Troubleshooting"
❐ "About the Proxied Sessions Statistics"
❐ "Analyzing Proxied Sessions"
❐ "Viewing Errored Sessions and Connections"
783
SGOS 6.2 Administration Guide
4. (Optional) To limit the number of connections to view, select Display the most
recent and enter a number in the results field.
5. Click Show.
6. Scroll to the right to display the Detail column and view error details. To sort
by error type, click the Detail column header. The Age column displays how
long it has been since that session ended.
784
Chapter 30: Statistics
See "About the Proxied Sessions Statistics" on page 773 for descriptions of each
column and icon in the Errored Sessions pages.
See Also
❐ "Active Sessions—Viewing Per-Connection Statistics"
❐ "Example Scenarios Using Active Sessions for Troubleshooting"
❐ "Analyzing Proxied Sessions"
❐ "About the Proxied Sessions Statistics"
❐ "Analyzing Bypassed Connections Statistics"
❐ "Reviewing ADN Active Sessions"
785
SGOS 6.2 Administration Guide
786
Chapter 31: Configuring an Application Delivery Network
Topics
Refer to the following topics:
❐ Section A: "ADN Overview" on page 788
❐ Section B: "Configuring an ADN" on page 799
❐ Section C: "Securing the ADN" on page 813
❐ Section D: "Configuring Load Balancing" on page 820
❐ Section E: "Configuring Advanced ADN Settings" on page 823
❐ Section F: "Monitoring the ADN" on page 834
❐ Section G: "Related CLI Syntax to Configure an ADN" on page 842
❐ Section H: "Policy" on page 844
❐ Section I: "Troubleshooting" on page 845
787
SGOS 6.2 Administration Guide
788
Chapter 31: Configuring an Application Delivery Network
789
SGOS 6.2 Administration Guide
790
Chapter 31: Configuring an Application Delivery Network
ADN Modes
The ADN mode that is configured determines which peers an ADN node can
form tunnel connections with. There are two ADN modes as follows:
❐ Open — An ADN peer is allowed to form a transparent tunnel connection
with any other ADN peer.
❐ Closed — ADN nodes can only establish accelerated tunnel connections with
peers in its ADN. In this configuration, you must configure a Primary ADN
manager and, optionally, a Backup ADN Manger to manage ADN
membership. The ADN manager(s) can be ADN nodes or they can be
dedicated ProxySG appliances. In a closed ADN, every ADN peer must
connect to the ADN manager(s) in order to become part of the ADN. For
instructions on configuring a closed ADN, see "Configuring a Closed ADN"
on page 800.
By default, an ADN operates in Open mode and an ADN manager is not required.
This is called Open-unmanaged mode (see "Configuring an Open-unmanaged
ADN" on page 799). This allows you to get your ADN up and running quickly
and easily. However, because the ADN management functions are not available in
an Open-unmanaged ADN, the following are not supported in this configuration:
❐ Explicit tunnel connections (including ProxyClient and out-of-path
deployments)
❐ Load balancing (explicit or transparent)
❐ Internet Gateway
❐ Manager authorization in secure ADN
To enable any of these services, you must configure an ADN manager and connect
the ProxySG appliances that require the services to it. You do not need to connect
all ProxySG appliances to the ADN manager. Mixed acceleration networks, in
which some open nodes connect to a manager and some do not, is called an
Open-managed ADN (see "Configuring an Open-managed ADN" on page 800). The
ADN mode is defined on the ADN manager, if there is one. If there is no manager,
the ADN mode is Open by default.
791
SGOS 6.2 Administration Guide
Without this feature, the ADN tunnel ends at the first qualified concentrator in the
path, as shown in the topology below. The traffic is optimized over this partial
segment of the path to the origin content server (OCS). Traffic is not optimized
over the rest of the path to the OCS.
Contrast the above illustration with the one shown below. The second illustration
shows how the ADN tunnel is lengthened when the last peer detection feature is
enabled on the intermediate concentrators. This feature results in the longest
ADN tunnel, allowing the traffic to be optimized over the entire path.
792
Chapter 31: Configuring an Application Delivery Network
Limitations
❐ When using last peer detection in a deployment where traffic to an OCS is
distributed by a load balancer, there should be a concentrator in each potential
path to the OCS. This allows the traffic to be optimized irrespective of the path
that the load balancer decides upon.
❐ This feature is not operational when the concentrator is performing HTTP
proxy processing. For accelerated HTTP traffic, an intermediate concentrator
with HTTP proxy processing enabled will not attempt to detect any upstream
concentrators and will terminate any inbound transparent tunnels carrying
HTTP traffic. Note that the HTTP proxy processing feature has been
deprecated.
793
SGOS 6.2 Administration Guide
❐ You can use a WCCP router or L4 switch as an external load balancer. In this
configuration, the individual peers in the ADN cluster make the load
balancing decision. This configuration is a little more difficult because the
WCCP router or L4 switch must be configured on each system in the cluster.
In this scenario, the router or switch cannot guarantee ADN peer affinity
because the router cannot use the peer ID as input for its hash. Because of this,
the ADN peers make the actual routing decisions.
794
Chapter 31: Configuring an Application Delivery Network
ADN Security
The choices for securing your ADN depend on the ADN mode you are using.
Many of the ADN security features rely on the ADN manager for enforcement
("Managed ADN Security" on page 796); therefore if your ADN is operating
without a manager ("Unmanaged ADN Security" on page 796), you will not be
able to use all of the security features. By default, none of the ADN security
features are enabled.
795
SGOS 6.2 Administration Guide
796
Chapter 31: Configuring an Application Delivery Network
797
SGOS 6.2 Administration Guide
Application Connections
Secure- Routing
Outbound Connections CIFS SSL Proxy SSL Proxy
Setting Intercept Mode Tunnel Mode
For information on optimizing and securing ADN tunnels, see "Securing the
ADN" on page 813 and "Configuring Advanced ADN Settings" on page 823.
798
Chapter 31: Configuring an Application Delivery Network
Note: In addition to the tasks you must perform on the ProxySG appliance to
enable acceleration, you must also make sure that your firewall is configured to
allow tunnel connections between your ADN Concentrator peers and your ADN
Branch peers for all deployment types (in-path, virtually in-path, or out-of-path;
Open and Closed). To do this, open the tunnel listening port on the ADN
Concentrator side of the firewall. By default, this port is set to 3035 (plain) and
3037 (secure). This port is used to create the control connection for the tunnel,
which is used to synchronize ADN byte-cache dictionaries and other non-
application-related activities. In explicit deployments, this port is also required to
establish the explicit tunnel.
799
SGOS 6.2 Administration Guide
800
Chapter 31: Configuring an Application Delivery Network
801
SGOS 6.2 Administration Guide
802
Chapter 31: Configuring an Application Delivery Network
2. Set the Allow transparent tunnels only within this managed network option as follows:
• To set the ADN mode to Closed, make sure the option is checked.
• To set the ADN mode to Open, make sure the option is cleared.
3. Click Apply.
803
SGOS 6.2 Administration Guide
804
Chapter 31: Configuring an Application Delivery Network
Note: You can also configure the exempt subnet capability through policy that
allows you to disable ADN tunnels for specific connections. For more
information, refer to Content Policy Language Guide.
Added
Server
Subnet
2. To add a subnet, click Add. The Add IP/Subnet dialog box is displayed.
3. Define a subnet as follows and then click OK:
• IP address: Enter an IPv4 or IPv6 address.
• Prefix length or subnet mask: Specify the prefix length (for IPv6) or subnet
mask (for IPv4).
4. Repeat steps 2 and 3 for each subnet.
5. To remove subnets, do one of the following:
• To remove an individual subnet, select the subnet and click Remove.
• To remove all subnets, click Clear all.
6. Click Apply.
805
SGOS 6.2 Administration Guide
Note: Starting in SGOS 5.5, the ADN protocol speeds up transparent tunnel
establishment. To take advantage of this feature, the Branch peers must be
running this version or higher. Make sure to upgrade ADN nodes in the
following order: First, upgrade the Primary ADN manager and Backup ADN
manager; next, upgrade all appliances that only act as Concentrator peers; finally,
upgrade all appliances that act as Branch peers.
Note that a Concentrator peer will intercept a transparent tunnel from a Branch
peer only when it is configured with at least one address of the same address
family (IPv4/IPv6) as the destination (OCS) address.
If you have an out-of-path ADN Concentrator peer, you must use explicit tunnels
or translucent tunnels. If an ADN Branch peer receives advertised explicit routes
from an ADN Concentrator peer, it must determine what type of tunnel to
establish based on the tunnel mode settings. If the routing preference on the ADN
Concentrator peer is set to prefer transparent tunnels, the ADN Branch peer
attempts to create a transparent tunnel if it is allowed to. If not, it checks whether
the ADN Concentrator peer is configured to preserve the destination port, and, if
so it will attempt to establish a translucent tunnel. Otherwise, it establishes an
explicit tunnel. For information on each type of tunnel and when to use it, see
"ADN Tunnel Types" on page 789.
The following sections describe how to configure the settings that are used to
configure the tunnel mode:
❐ "Setting the Routing Preference" on page 807
❐ "Enabling Translucent Tunnels" on page 807
❐ "Enabling Explicit Tunnels" on page 808
❐ "Enabling Last Peer Detection on Transparent Tunnels" on page 808
806
Chapter 31: Configuring an Application Delivery Network
Note: The proxy processing feature has been deprecated. The Proxy Processing
tab has been removed from the Management Console, but the feature can still be
configured via the CLI. Since proxy processing will be completely removed from
an SGOS release in the near future, Blue Coat recommends that you discontinue
using this feature and deploy a separate secure web gateway to handle proxy
processing.
2. Select the Tell ADN peers to prefer transparent connections over advertised routes
option.
3. Click Apply.
807
SGOS 6.2 Administration Guide
2. Select the When a route is available, preserve the destination TCP port number when
connecting to the ADN peer.
3. Click Apply.
808
Chapter 31: Configuring an Application Delivery Network
809
SGOS 6.2 Administration Guide
❐ If the ADN node will act as an ADN Concentrator peer, see "To configure
client IP address reflection on an ADN Concentrator Peer:" on page 810.
❐ If the ADN node will act as an ADN Branch peer, see "To configure client IP
address reflection on an ADN Branch peer:" on page 811.
Select this option to reject requests to reflect the client IP; as a result, the
connection to the ADN Concentrator peer is rejected.
• Allow the request and reflect the client IP
810
Chapter 31: Configuring an Application Delivery Network
Note: You can also modify the TCP window size from this tab. For more
information, see "Modifying the TCP Window Size" on page 825.
811
SGOS 6.2 Administration Guide
• Advertise the subnets that the ADN Concentrator peer services. See
"Advertising Server Subnets" on page 804.
For more information about setting ADN options for use with ProxyClient,
refer to the ProxyClient Configuration and Deployment Guide.
812
Chapter 31: Configuring an Application Delivery Network
813
SGOS 6.2 Administration Guide
5. Configure each ADN node to form tunnels over secure connections only by
selecting Configuration > ADN > General > Connection Security and then selecting
the Secure Only option in the Tunnel Listening Mode section of the screen. Click
Apply.
Note: Secure tunnel connections for applications such as CIFS, MAPI, TCP
Tunnel, HTTP, or HTTPS/SSL, are dependent upon an SSL license.
Note: If the device being configured for authentication has Internet access,
acquisition of the ProxySG appliance certificate is automatic. If you use your own
appliance certificates and profile, or if the affected device does not have Internet
access, manual device authentication is required.
814
Chapter 31: Configuring an Application Delivery Network
3a
3b
3c
3c
Note: The device ID is only used for security. The peer ID is the serial
number.
c. To enable authorization, select the Validate ADN Peer Device IDs option.
• If the primary or backup ADN manager is Self, you do not need to
retrieve the device ID.
• If the primary or backup ADN manager is a different system, click the
Retrieve Manager IDs button to retrieve the device ID. Click Accept to add
the manager device ID to the Primary Manager Device ID or Backup
Manager Device ID field.
4. Click Apply.
815
SGOS 6.2 Administration Guide
To configure connection security and define the manager and tunnel listening
ports:
1. Select Configuration > ADN > General > Connection Security.
2. Select a manager listening mode. By default, the ADN manager(s) will listen
for requests on both the plain port and the secure port (Both) if you have
selected a device authentication profile. You can change the manager listening
mode by selecting one of the following:
• Secure Only — The ADN manager(s) will listen for requests on the secure
port only.
• Plain Read-Only — This mode is recommended if ProxyClient is deployed in
your ADN. Currently, ProxyClient does not support secure ADN. For
information about using the other modes with the ProxyClient, refer to the
ProxyClient Configuration and Deployment Guide.
• Plain Only — The ADN manager(s) will listen for requests on the plain port
only.
816
Chapter 31: Configuring an Application Delivery Network
3. Select a tunnel listening mode. By default, the tunnel listening mode will be
set to listen for requests on both the plain port and the secure port (Both) if you
have selected a device authentication profile. You can change the tunnel
listening mode by selecting one of the following:
• Secure Only — The tunnel listener will listen for requests on the secure port
only. Do not use this mode if you have ProxyClients deployed in your
ADN.
• Plain Only — The tunnel listener will listen for requests on the plain port
only.
4. Select a secure-outbound mode. By default, the ProxySG is configured to
Secure ADN routing connections and tunnel connections made by secure proxies. You
can change the secure-outbound mode by selecting one of the following
options:
• Do not secure ADN connections — Neither routing nor tunnel connections
are secured. Secure proxy connections bypass ADN and go directly to the
OCS.
• Secure all ADN routing and tunnel connections — All outbound routing and
tunnel connections are secured. Only use this option if the ProxySG
platform has capacity to handle the extra overhead.
Note: You must have an SSL license in order to secure outbound tunnel
connections.
5. To change the manager listening ports, select Configuration > ADN > General >
General. The default plain port is 3034; the default secure port is 3036. To
consolidate the number for ports required for ADN, you can set the manager
listening ports to the same port numbers you use for ADN tunnel connections:
3035 (plain) and 3037 (secure) by default.
6. To change tunnel listening ports, select Configuration > ADN > Tunneling >
Connection. The default is plain port is 3035; the default secure port is 3037.
7. Click Apply.
817
SGOS 6.2 Administration Guide
2b
2a
3. To remove a peer that was previously authorized to join the ADN, select the
node from the Approved Peers list and then click Remove. If a peer is deleted
from the approved list, the ADN manager broadcasts a REJECT-PEER to all
peers to delete this peer and terminate any existing ADN connections to it. No
new connections are routed through the deleted ADN peer.
Note: If you remove a peer and then want it to rejoin the ADN, you must
reconnect the peer to the ADN manager(s). Select Configuration > ADN > General
> Reconnect to Managers.
4. Click Apply.
818
Chapter 31: Configuring an Application Delivery Network
Approving a Peer
To approve a peer:
If a peer is configured to contact the ADN manager on startup but has not been
added to the approved list, the ADN manager adds the peer to the list of pending
peers if the Allow Pending Peers option is selected. You must manually move a peer
from the Pending Peers list to the Approved Peers list on both the Primary ADN
Manager and the Backup ADN Manager as follows:
1. Select Configuration > ADN > Manager > Pending Peers.
Pending peers
display here
819
SGOS 6.2 Administration Guide
3. (Optional) If you do not want this ProxySG to participate in any ADN tunnels
(that is, you want it to act as a dedicated load balancer), select Act as load
balancer only. This ProxySG is still part of the ADN and must still connect to the
ADN manager(s).
820
Chapter 31: Configuring an Application Delivery Network
4. Put all ADN peers into a forwarding connection cluster. For more information,
see "TCP Connection Forwarding" on page 935.
5. (Optional) Set the same group name on all of the peers in the cluster.
Note: Blue Coat does not currently support WCCP on an IPv6 network.
2. Put all ADN peers into a connection forwarding cluster. For more information,
see "TCP Connection Forwarding" on page 935.
3. (Optional) Configure each box in the cluster with the same load-balancing
group name.
4. Configure WCCP on each peer and on the WCCP router. For detailed
information on configuring WCCP, refer to the WCCP Reference Guide.
821
SGOS 6.2 Administration Guide
822
Chapter 31: Configuring an Application Delivery Network
2. Select (or deselect) the Enable adaptive compression option to enable (or disable)
adaptive compression
3. Click Apply.
823
SGOS 6.2 Administration Guide
Note: You can also configure the exempt subnet capability through policy that
allows you to disable ADN tunnels for specific connections. For more
information, refer to Content Policy Language Guide.
824
Chapter 31: Configuring an Application Delivery Network
2. Select Enable this SG as an Internet Gateway for all subnets except the following.
3. Click Add. The Add IP/Subnet dialog displays.
4. Define each subnet to be exempted, and then click OK:
Note: Some subnets are on the exempt list by default (for example,
10.0.0.0/8 and fe80::/10). Verify these default exempt defaults do not affect
the configuration in your environment.
825
SGOS 6.2 Administration Guide
Note: If you know the bandwidth and round-trip delay, you can compute
the value to use as, roughly, 2 * bandwidth * delay. For example, if the
bandwidth of the link is 8 Mbits/sec and the round-trip delay is 0.75
seconds:
window = 2 * 8 Mbits/sec * 0.75 sec = 12 Mbits = 1.5 Mbytes
The setting in this example would be 1500000 bytes. This number goes up
as either bandwidth or delay increases, and goes down as they decrease.
You can decrease or increase the window size based on the calculation;
however, decreasing the window size below 64Kb is not recommended.
The window-size setting is a maximum value; the normal TCP/IP
behaviors adjust the window-size setting downward as necessary. Setting
the window size to a lower value might result in an artificially low
throughput.
Note: Peers that are using an SGOS version prior to 5.3 do not support persistent
byte-cache, so GZIP-only mode is used on these nodes. Therefore, they are not
ranked unless you have manually sized their dictionaries.
826
Chapter 31: Configuring an Application Delivery Network
In some instances you may want to manually set the size of a peer dictionary. For
example, suppose you have a mission critical application that you want to
accelerate using byte caching. If byte caching isn’t as efficient for this application
as for other applications accelerated by other peers, the peer may not be allocated
any dictionary space or may be allocated a small dictionary. If you want to ensure
that this mission-critical application can use byte caching, you might want to
manually resize its dictionary. Keep in mind that any manually-sized peers are
ranked above all other peers. In addition, the automatic dictionary sizing feature
is no longer in effect for this peer, so you should not use this feature unless
absolutely necessary.
Note: You cannot reduce the space available for byte caching to below the total
size of all manually sized dictionaries. You also cannot assign a size to a
dictionary that would cause the total size of all manually sized dictionaries to
exceed the space available for byte-caching.
Because a byte-cache dictionary is shared between two peers, any time you make
a change to the dictionary on one peer, you must make the same change on the
other peer. For example, if you manually size a dictionary to a particular size on
one peer, you must change the other peer’s dictionary to manual and set it to the
same size. There are two ways to manually resize the byte-cache dictionaries
depending on whether or not the peer already has a dictionary established:
❐ If a dictionary already exists for the peer, see "To manually resize byte cache
dictionaries from the Statistics tab:" on page 827.
❐ If the peer does not yet have an established dictionary, see "To manually size
byte cache dictionaries from the Configuration > ADN > Byte Caching tab:" on
page 829.
827
SGOS 6.2 Administration Guide
The Peer Dictionary Sizing tab displays the following statistics for each peer.
• Rank: The ranking of a peer’s dictionary. Manually-configured peers have
a higher rank than dynamically-configured peers.
• Peer ID: The serial number of the device.
• Peer IP: The IPv4 or IPv6 address of the device, if it is connected.
• Byte Cache Score:The score of this peer relative to other peers. Score is
calculated based on the traffic history and byte-caching efficiency of the
peer.
• Peer Traffic (GB/Day): The average amount of pre-byte-cache traffic per day.
• Fill Rate (GB/Day): The
average amount of data put into the dictionary per
day over the last week.
• Recommended Dict Size (GB): The dictionary size the Blue Coat appliance
recommends, based on the peer traffic over the last week.
• Actual Dict Size (GB): The actual size of the dictionary.
Note: You can also delete a peer from this tab. For more information, see
"Deleting ADN Peers" on page 831.
2. Select the peer for which you want to resize the dictionary and click Edit. The
Edit Peer dialog displays.
828
Chapter 31: Configuring an Application Delivery Network
3. To set the dictionary size for the selected peer, select the Manual Re-size radio
button and enter the desired dictionary size value (in megabytes).
4. Click OK. The peer dictionary is resized immediately. You must manually size
the corresponding peer’s dictionary to the same size.
To manually size byte cache dictionaries from the Configuration > ADN > Byte
Caching tab:
1. Select Configuration > ADN > Byte Caching.
829
SGOS 6.2 Administration Guide
Note: You can also enable or disable adaptive compression from this
tab. For more information, see "Configuring Adaptive Compression" on
page 823.
2. To change the total disk space available for all byte-cache dictionaries, change
the percentage in the Maximum disk space to use for byte caching field.
The Max disk usage range should be between 5 and 80 percent of x GB indicates how
much of the existing disk space can be used for byte caching.
3. Click New. The Create Manual Dictionary Sizing dialog box displays.
4. Enter the peer ID (serial number) of the device for which you want to
manually size the dictionary.
830
Chapter 31: Configuring an Application Delivery Network
5. Enter the new value in megabytes in the Size field or select the Disable Byte
Caching radio button to disable byte caching for this peer.
6. Click OK.
7. Click Apply. The peer is added to the manually configured dictionary sizing list
and is ranked among the other manually sized peers at the top of the
dictionary byte cache table. You must manually size the corresponding peer’s
dictionary to the same size.
Note: If you enter an invalid value, an error message displays when you
click Apply. The error message displays the maximum disk space you can
allocate to the manually-sized dictionary.
831
SGOS 6.2 Administration Guide
Note: Automatic peer deletion occurs at 3:05 AM local standard time. If you
change the time zone you must reboot the appliance in order for ADN to use
the new time.
As long as your system is sized properly, the automatic peer deletion process will
prevent you from reaching the maximum number of peers. However, there may
be times when you want to manually delete a peer that you know is no longer
valid (and is therefore taking up dictionary space unnecessarily) and that will not
get deleted automatically, either because its dictionary is manually sized or
because it has not yet been idle for at least 8 days .
You can manually delete a peer from the Management Console or from the CLI as
described in the following sections. Keep in mind that even if you delete a peer, it
can be accepted as a peer again if it forms a tunnel connection later.
Note: You cannot delete ProxyClient ADN peers from the Management
Console; you must use the CLI instead.
If the peer you are trying to delete has an active data or control connection,
you will not be allowed to delete it. If the peer you are trying to delete has a
non-zero dictionary size and/or a manually sized dictionary, you will be
prompted to confirm the deletion. To avoid this prompt, you can invoke the
command with the force keyword as follows:
#(config adn byte-cache)delete-peer <peer-id> force
832
Chapter 31: Configuring an Application Delivery Network
833
SGOS 6.2 Administration Guide
You can view either usage statistics or gain statistics (by clicking the Gain tab) and
either Unoptimized Bytes or Optimized Bytes through the pie charts on the right side.
The left side of the tab represents optimized and unoptimized bytes trend graphs
for the selected peer or all peers; hovering the cursor over the graph displays
statistics in numeric form. For information on tool tips, see "Detailed Values" on
page 752.
834
Chapter 31: Configuring an Application Delivery Network
The right-side pie chart represents optimized and unoptimized bytes for all peers.
The rows in the table below the graphs represent ADN peers and columns
representing various aspects of the ADN peers:
Note: All ProxyClient peers are combined and shown on one row. For more
information on ProxyClient refer to the ProxyClient Configuration and
Deployment Guide.
835
SGOS 6.2 Administration Guide
Note: You must press Show each time you change display options or if you want
to refresh the page.
You can terminate an active ADN inbound connection or you can download
session details.
❐ To terminate an ADN inbound connection, select the session in the list and
click Terminate Connection.
❐ To download details about all connections as a text file that you can open in a
spreadsheet program, click Download. All of the connections in the list are
downloaded.
836
Chapter 31: Configuring an Application Delivery Network
837
SGOS 6.2 Administration Guide
The Status tab displays ADN health statistics for the following metrics:
838
Chapter 31: Configuring an Application Delivery Network
839
SGOS 6.2 Administration Guide
Approval Pending The ADN peer is awaiting a decision from the Warning
active ADN manager for the peer’s request to
join the ADN.
840
Chapter 31: Configuring an Application Delivery Network
ADN Manager Not an ADN The ADN peer is not an ADN manager. OK
Status manager
Approvals Pending ADN peers are requesting to join the network. Warning
The approvals are made by the administrator.
841
SGOS 6.2 Administration Guide
842
Chapter 31: Configuring an Application Delivery Network
843
SGOS 6.2 Administration Guide
Section H: Policy
The following gestures can be used for WAN optimization from either the VPM or
CPL.
Note: For more information on using the VPM or CPL to configure policy, refer to
Visual Policy Manager Reference or Content Policy Language Guide.
844
Chapter 31: Configuring an Application Delivery Network
Section I: Troubleshooting
You can troubleshoot your ADN several ways:
❐ through the test adn diagnostics command
❐ through viewing the ADN configuration
Each of these tools can provide information about the ADN and suggest reasons
for the network failure.
Notes
❐ If the Branch ADN peer is able to successfully reach the OCS by forming a
transparent ADN tunnel, you will see the Success messages shown above.
❐ The Remote Peer is the device ID (serial number, in this case) of the remote
ProxySG the test adn command found. When last peer detection is enabled
on intermediate concentrators and you issue the test adn command from the
Branch peer, the Remote Peer should be the last qualified peer, such as the
ProxySG closest to the OCS.
❐ The Local Addr is the originating system.
❐ The Peer Addr shows either the server IP address (for transparent tunnels, as in
this example) or the ProxySG IP address (for explicit or translucent tunnels).
845
SGOS 6.2 Administration Guide
Notes
❐ Because no ADN connection existed, the Route decision indicates what
happened:
• The test adn command went directly to the server.
• Success in this case refers to the successful connection to the server but not
through an ADN connection.
• Remote peer device ID and local address information were not available.
Notes
❐ The Remote Peer is the device ID (serial number, in this case) of the remote SG
the test adn command found.
❐ The Local Addr is the originating system.
❐ The Peer Addr is the IP address of the remote peer (for explicit or translucent
tunnels) or the IP address of the server (for transparent tunnels).
846
Chapter 31: Configuring an Application Delivery Network
Notes
❐ For an explicit connection, the local IP address is displayed even if a
connection cannot be established.
Error Codes
Table 31–3 Error Codes
50 Network is down
51 Network is unreachable
61 Connection refused
847
SGOS 6.2 Administration Guide
❐ Load Balance Configuration: The load balance configuration displays the Load
Balance information for this device.
SGOS# show adn load-balancing
Load Balancing Configuration:
Load-balancing: disabled
Load-balancing Group: <none>
Load-balance only mode: disabled; will take traffic
External VIP: none
❐ Routing Table:The routing table section shows the advertised subnets for this
device. The routing table is only populated if explicit ADN is used.
SGOS# show adn routing
Prefer Transparent: disabled
Internet Gateway: enabled
Exempt Server subnet: 10.0.0.0/8
Exempt Server subnet: 172.16.0.0/12
Exempt Server subnet: 192.168.0.0/16
Server subnet: 10.25.36.0/24
848
Chapter 31: Configuring an Application Delivery Network
❐ Byte Cache Configuration: This section shows the percentage of disk space you
are allowing this peer to use for byte caching. The recommended range is also
displayed. For more information on the byte-caching CLI tables that are
displayed as part of the byte-cache configuration output, continue with the
next section.
SGOS# show adn byte-cache
Adaptive compression: Enabled
Adaptive compression index: 200
Max disk usage: 50%
(Max disk usage range should be between 5 and 80 percent of 126 GB)
849
SGOS 6.2 Administration Guide
Note: All ProxyClients are shown on a single line. In this case it shows the total
number of ProxyClients rather than the Peer ID. The corresponding statistics
represent total overall client statistics for the traffic, savings, adjusted gzip,
recommended size, allocated size, actual size, and manual size; the flags column
displays an unbroken underline.
850
Chapter 32: WCCP Configuration
851
SGOS 6.2 Administration Guide
Service Groups
A service group unites one or more routers/switches with one or more ProxySG
appliances in a transparent redirection scheme governed by a common set of
rules. The service group members agree on these rules by announcing their
specific capabilities and configuration to each other in WCCP protocol packets.
When creating a service group on the ProxySG, you define the following:
❐ "Home Router Address" on page 852
❐ "Service Group Authentication" on page 852
❐ "Packet Forward and a Return Methods" on page 852
❐ "Router Affinity" on page 853
❐ "Assignment Types" on page 854
❐ "WCCP Load Balancing" on page 855
852
Chapter 32: WCCP Configuration
Note: The ProxySG does not support GRE forwarding and L2 packet return. If
you configure this combination, the ProxySG will generate a capability mismatch
error. To view the errors and warnings, click the WCCP Status button in the
Configuration> Network> WCCP tab or use the CLI command show wccp status.
Router Affinity
By default, the ProxySG uses the configured return method to return bypassed
traffic to the router that redirected it and uses regular routing table lookups to
determine the next hop for intercepted traffic. With router affinity, the ProxySG
also uses the configured return method to return intercepted client- and/or
server-bound traffic to the WCCP router that redirected it, bypassing the routing
table lookup. This is a useful feature if you have routing policies that may prevent
your client- and/or server-bound traffic from reaching its destination and
853
SGOS 6.2 Administration Guide
Assignment Types
For every service group, you must configure the way the router determines the
ProxySG to which to redirect a given packet, by setting an assignment type on the
ProxySG. When the service group is formed, the ProxySG with the lowest IP
address automatically becomes the designated cache (and if there is only one
ProxySG in the service group, it is automatically the designated cache). The
designated cache is responsible for communicating the assignment settings to the
router, that is which ProxySG should be assigned a particular packet.
The ProxySG supports two assignment types:
❐ Hash Assignment (Default): With hash assignment, the designated cache
assigns each ProxySG in the service group a portion of a 256-bucket hash table
and communicates the assignment to the routers in the group. When the
router receives a packet for redirection, it runs the hashing algorithm against
one or more of the fields in the packet header to determine the hash value. It
then compares the value to the hash assignment table to see which ProxySG is
assigned to the corresponding bucket and then forwards the packet to that
appliance. When you configure the service group on the ProxySG appliances,
you specify which field(s)—destination IP address, destination port, source IP
address, and/or source port—should be used to calculate the hash value.
In some cases, since all of the packets are hashed using the same fields and
algorithm, it is possible that one of the caches in the group can become
overloaded. For example, if you have a large proportion of traffic that is
directed to the same server and you are using the destination IP address to
run the hashing function, it is possible that the bulk of the traffic will be
redirected to the same ProxySG. Therefore, you can configure an alternate
field or group of fields to use to run the hashing algorithm. The router will
then use this alternate hashing algorithm if the number of GRE packets or
MAC addresses (depending on the forwarding method you’re using)
redirected to a given ProxySG exceeds a certain number.
For details on configuring a hash-weight value to adjust the proportion of the
hash table that gets assigned to a ProxySG, see "WCCP Load Balancing"
below.
854
Chapter 32: WCCP Configuration
❐ Mask Assignment: With mask assignment, each router in the service group
has a table of masks and values that it uses to distribute traffic across the
ProxySG appliances in the service group. When the router receives a packet, it
performs a bitwise AND operation between the mask value and the field of
the packet header that is designated in the ProxySG mask assignment
configuration. It then compares the result against its list of values for each
mask; each value is assigned to a specific ProxySG in the service group.
855
SGOS 6.2 Administration Guide
❐ Configure the routers. For information on the feature sets and the capabilities
of your router and for instructions on how to configure WCCP on the router,
refer to the router documentation. For sample router WCCP configurations,
refer to the WCCP Reference Guide.
856
Chapter 32: WCCP Configuration
Note: If you select version 1.0, you can only configure a single web-cache
service group. The web-cache service group is a well-defined service group
that intercepts all TCP traffic on destination port 80. When configuring a
web-cache service group, you must select an interface to which apply the
service group and define a single home router. You can optionally enable
router affinity. See "Router Affinity" on page 853 for more information on this
setting.
5. To create a service group, click New. The New Service dialog displays.
857
SGOS 6.2 Administration Guide
e. (Optional) Enter the Weight value for this ProxySG. This value
determines the proportion of traffic that the router redirects to this
ProxySG. The weight value can range from 1 to 255 inclusive.
Use this field only if you have multiple ProxySG appliances in the
service group and you need to allocate the percentage of traffic
redirected to each ProxySG in the service group.
8. Define how the router and the ProxySG handle packet forwarding and return:
a. Select a Forwarding Type — Generic Routing Encapsulation (GRE) or
Layer 2 forwarding (L2). For a description of these options, see "Packet
Forward and a Return Methods" on page 852.
b. Select a Returning Type. Only applicable if you select L2 forwarding. For
the GRE forwarding method, the ProxySG only supports GRE return.
858
Chapter 32: WCCP Configuration
• <None> (the default) indicates that the ProxySG will use regular routing
table lookups rather than the configured Returning Type to route the
client- and server-bound traffic that it intercepts.
9. Add the home router address. Specify individual unicast or a single multicast
address for the router(s) in the service group:
• If you want to use multicast addressing, select Multicast Home Router and
enter the Group Address and optionally a Multicast TTL value (default =1).
• If you want to use unicast addresses, select Individual Home Router Address.
For each router in the service group, click Add, enter the Home Router
Address and click OK. The home router address that you use for a service
group on the ProxySG should be consistent with the IP address (virtual or
physical) over which the ProxySG communicates with the router.
10. Select an Assignment Type. The assignment type instructs the router how to
distribute redirected traffic using the information in the packet header.
You can select a different assignment method for each service group
configured on the same ProxySG.
• If you select the Hash assignment type (the default), you can select one or
more fields to use as the Primary Hash. Additionally, you can optionally
select one or more fields to use as the Alternate Hash The alternate hashing
function is used to distribute traffic when a particular ProxySG exceeds a
given number of redirected packets.
• If you select the Mask assignment type, select which field in the packet header
to use to run the mask function.
11. Click OK to save the service group settings. If you want to add another service
group, repeat Steps 5 through 11.
12. To save the WCCP settings, click Apply.
859
SGOS 6.2 Administration Guide
3. In the Install WCCP Settings panel, select the location of the configuration file: a
remote URL, a local file, or use the text editor on the system.
4. Click Install.
If you selected Remote URL or Local File, a dialog opens that allows you to enter
the complete path, and the file is retrieved. If you selected Text Editor, the text
editor displays with the current settings. You can copy and paste the contents
of an existing configuration file or you can enter new text and click Install
when finished.
The following shows an example WCCP configuration:
wccp enable
wccp version 2
service-group 9
forwarding-type L2
returning-type GRE
router-affinity both
assignment-type mask
mask-scheme source-port
priority 1
protocol 6
service-flags ports-defined
ports 80 21 1755 554 0 0 0 0
interface 0:0
home-router 10.16.18.2
end
For descriptions of the settings in the configuration file, refer to the WCCP
Reference Guide.
5. (Optional): View the WCCP settings that are currently on the system or view
the text file with the current settings by clicking WCCP Settings or WCCP Source.
6. Click Apply to save the changes.
860
Chapter 32: WCCP Configuration
Related CLI Syntax to enable WCCP install a WCCP configuration file from
a remote URL on the ProxySG:
SGOS#(config) wccp enable
SGOS#(config) wccp path http://10.25.36.47/files/wccp.txt
SGOS#(config) load wccp-settings
Disabling WCCP
To exclude a ProxySG from receiving traffic or from participating in any of the
services groups configured on it, you can disable WCCP on the ProxySG.
Disabling WCCP does not delete the WCCP configuration settings, it places them
out-of-service until WCCP is re-enabled on the ProxySG.
861
SGOS 6.2 Administration Guide
2. Clear the Enable WCCP check box. When WCCP is disabled, the previous
WCCP statistics are cleared.
3. Click Apply to save your changes.
Statistic Description
Last Refresh The date and time the displayed statistics were last refreshed. Click Refresh
WCCP Statistics to refresh them now.
GRE Redirected Packets The number of packets that have been redirected using GRE forwarding.
Layer-2 Redirected The number of packets that have been redirected using L2 forwarding.
Packets
Services Groups Lists the service groups that have been configured on this ProxySG. If the
group has successfully formed, you can click the arrow next to the group to
see a list of the caches (ProxySG appliances) and routers that have joined
the group.
State Shows the service group state. See Table 17–1 for a description of each state.
862
Chapter 32: WCCP Configuration
Statistic Description
Here I Am Sent The number of HERE_I_AM messages that this ProxySG has sent to the
routers in the group.
I See You Received The number of I_SEE_YOU messages that this ProxySG has received from
the routers in the group.
Redirect Assign Sent The number of REDIRECT_ASSIGN messages that this ProxySG has sent
to the routers in the group. The REDIRECT_ASSIGN message contains the
hash table or mask values table that the router will use to determine which
ProxySG to redirect packets to. Only the designated cache—the cache with
the lowest IP address—sends REDIRECT_ASSIGN messages.
State Description
Assignment mismatch The router does not support the assignment type (hash or mask) that is
configured for the service group.
Bad router id The home-router specified in the service group configuration does not
match the actual router ID.
Bad router view The list of ProxySG appliances in the service group does not match.
Capability mismatch The WCCP configuration includes capabilities that the router does not
support.
Initializing WCCP was just enabled and the ProxySG is getting ready to send out its
first HERE_I_AM message.
Interface link is down The ProxySG cannot send the HERE_I_AM message because the interface
link is down.
Negotiating assignment The ProxySG received the I_SEE_YOU message from the router but has not
yet negotiated the service group capabilities.
Negotiating membership The ProxySG sent the HERE_I_AM message and is waiting for an
I_SEE_YOU message from the router.
Packet forwarding The router does not support the forwarding method (GRE or L2) that is
mismatch configured for the service group.
Packet return mismatch The router does not support the return method (GRE or L2) that is
configured for the service group. Note that on the ProxySG, the return
method is always the same as the forwarding method.
863
SGOS 6.2 Administration Guide
Ready The service group formed successfully and the ProxySG sent the
REDIRECT_ASSIGN message to the router with the hash or mask values
table.
Service group mismatch The router and the ProxySG have a mismatch in port, protocol, priority,
and/or other service flags.
Security mismatch The service group passwords on the router and the ProxySG do not match.
864
Chapter 33: TCP/IP Configuration
This chapter describes the TCP/IP configuration options, which enhance the
performance and security of the ProxySG. Except for IP Forwarding, these
commands are only available through the CLI.
865
SGOS 6.2 Administration Guide
RFC-1323
The RFC-1323 TCP/IP option enables the ProxySG to use a set of extensions to
TCP designed to provide efficient operation over large bandwidth-delay-product
paths and reliable operation over very high-speed paths, including satellite
environments. RFC-1323 support can be configured through the CLI and is
enabled by default.
TCP NewReno
NewReno is a modification of the Reno algorithm. TCP NewReno improves TCP
performance during fast retransmit and fast recovery when multiple packets are
dropped from a single window of data. TCP NewReno support is enabled by
default.
866
Chapter 33: TCP/IP Configuration
For example, disabling the ICMP timestamp echo commands prevents an attack
that occurs when the ProxySG responds to an ICMP timestamp request by
accurately determining the target's clock state, allowing an attacker to more
effectively attack certain time-based pseudo-random number generators (PRNGs)
and the authentication systems on which they rely.
This setting is disabled by default.
PMTU Discovery
Path MTU (PMTU) discovery is a technique used to determine the maximum
transmission unit (MTU) size on the network path between two IP hosts to avoid
IP fragmentation.
A ProxySG that is not running PMTU might send packets larger than that allowed
by the path, resulting in packet fragmentation at intermediate routers. Packet
fragmentation affects performance and can cause packet discards in routers that
are temporarily overtaxed.
A ProxySG configured to use PMTU sets the Do-Not-Fragment bit in the IP header
when transmitting packets. If fragmentation becomes necessary before the
packets arrive at the second ProxySG, a router along the path discards the packets
and returns an ICMP Host Unreachable error message, with the error condition of
Needs-Fragmentation, to the original ProxySG appliance. The first appliance then
reduces the PMTU size and re-transmits the transmissions.
The discovery period temporarily ends when the ProxySG estimates the PMTU is
low enough that its packets can be delivered without fragmentation or when the
ProxySG stops setting the Do-Not-Fragment bit.
Following discovery and rediscovery, the size of the packets that are transferred
between the two communicating nodes dynamically adjust to a size allowable by
the path, which might contain multiple segments of various types of physical
networks.
867
SGOS 6.2 Administration Guide
868
Chapter 33: TCP/IP Configuration
Note: If you know the bandwidth and round-trip delay, you can compute
the value to use as, roughly, 2 * bandwidth * delay. For example, if the
bandwidth of the link is 8 Mbits/sec and the round-trip delay is 0.75
seconds:
window = 2 * 8 Mbits/sec * 0.75 sec = 12 Mbits = 1.5 Mbytes
The setting in this example would be 1500000 bytes. This number goes up
as either bandwidth or delay increases, and goes down as they decrease.
You can decrease or increase the window size based on the calculation;
however, decreasing the window size below 64Kb is not recommended..
The window-size setting is a maximum value; the normal TCP/IP
behaviors adjust downward as necessary. Setting the window size to a
lower value might result in an artificially low throughput.
where seconds is the length of time you chose for the 2MSL value. Valid
values are 1 to 16380 inclusive.
869
SGOS 6.2 Administration Guide
The TCP loss recovery mode is set to Normal by default. Blue Coat recommends
that you consider non-normal loss modes — enhanced or aggressive, only when
you experience packet losses of 0.5% or greater. For quickly estimating packet
losses between two endpoints in your network, you can run a continuous, non-
flooding, ping for a couple minutes and record the reported loss.
Blue Coat does not recommend modifying the loss recovery mode to Aggressive
unless your network has demonstrated an improvement in the Enhanced mode.
Aggressive mode may not provide further improvement, and in some instances it
could worsen network performance. For additional information and guidance,
contact Blue Coat Technical Support.
If you reconfigure the TCP loss recovery mode, you must configure the TCP
window size that is appropriate for the link. A good rule is to set the window size
to bandwidth times round-trip delay. For example, a 1.544Mbps link with a 100ms
round-trip time would have a window size of 19,300 bytes.
The bandwidth and round-trip times can be determined from link characteristics
(such as from the ISP) or observations (such as ping usage).
870
Chapter 34: Routing on the ProxySG
This chapter explains how the ProxySG delivers packets and describes the
features you can use to optimize packet delivery.
871
SGOS 6.2 Administration Guide
Note: Load balancing through multiple gateways is independent from the per-
interface load balancing the ProxySG automatically does when more than one
network interface is installed.
ProxySG Specifics
Which default gateway the ProxySG uses at a given time is determined by the
preference group configuration assigned by the administrator. A ProxySG can
have from 1 to 10 preference groups. A group can contain multiple gateways or
only a single gateway.
Each gateway within a group can be assigned a relative weight value from 1 to
100. The weight determines how much bandwidth a gateway is given relative to
the other gateways in the same group. For example, in a group with two
gateways, assigning both gateways the same weight, whether 1 or 100, results in
the same traffic distribution pattern. Alternatively, assigning one gateway a value
of 10 and the other gateway a value of 20 results in the ProxySG sending
approximately twice the traffic to the gateway with a weight value of 20.
If there is only one gateway, it automatically has a weight of 100.
All gateways in the lowest preference group are considered to be active until one
of them becomes unreachable and is dropped from the active gateway list. Any
remaining gateways within the group continue to be used. If all gateways in the
lowest preference group become unreachable, the gateways in the next lowest
preference group become the active gateways (unless a gateway in a lower
preference group becomes reachable again).
872
Chapter 34: Routing on the ProxySG
873
SGOS 6.2 Administration Guide
Configuring IP Forwarding
IP Forwarding is a special type of transparent proxy. The ProxySG is configured to
act as a gateway and is configured so that if a packet is addressed to the ProxySG
adapter, but not its IP address, the packet is forwarded toward the final
destination. If IP forwarding is disabled, the packet is rejected as being mis-
addressed.
By default, IP forwarding is disabled to maintain a secure network.
Important: When IP forwarding is enabled, be aware that all ProxySG ports are
open and all the traffic coming through them is not subjected to policy, with the
exception of the ports that have explicitly defined through the Configuration >
Services > Proxy Services tab.
To enable IP forwarding:
1. Select Configuration > Network > Routing > Gateways.
2. Select the Enable IP forwarding check box at the bottom of the pane.
3. Click OK; click Apply.
Outbound Routing
By default, the ProxySG sends outbound traffic to the default gateway unless one
of the following is used (in order of precedence):
❐ The Trust Destination MAC feature, which is used when the ProxySG is in
transparent bridging mode (unless certain other conditions are true—see
"About Trust Destination MAC" on page 875).
❐ A static route, if one is defined.
For more information, see "About Static Routes" on page 876.
❐ The outbound Return-to-Sender (RTS) feature.
For more information, see "Using Return-to-Sender (RTS)" on page 878.
874
Chapter 34: Routing on the ProxySG
Inbound Routing
By default, the ProxySG sends inbound traffic to the default gateway unless one
of the following is used (in order of precedence):
❐ A static route, if one is defined.
For more information, see "About Static Routes" on page 876.
❐ The inbound RTS feature. Inbound RTS is enabled by default.
For more information, see "Using Return-to-Sender (RTS)" on page 878.
❐ An interface route, if the device is on the same subnet as the ProxySG.
Note: Trust Destination MAC uses only the first client SYN packet to determine
the MAC address and outgoing interface and continues to use this information
even if the destination MAC address is not responding. To work around this
limitation, enable outbound RTS, as described in "Using Return-to-Sender (RTS)"
on page 878.
875
SGOS 6.2 Administration Guide
876
Chapter 34: Routing on the ProxySG
Note: If you upgrade to SGOS 5.x from SGOS 4.x, entries from the central and
local bypass lists are converted to static route entries in the static route table. The
converted static route entries are appended after the existing static route entries.
Duplicate static route entries are silently ignored.
All traffic leaving the ProxySG is affected by the static route entries created from
the SGOS 4.x bypass lists.
877
SGOS 6.2 Administration Guide
Note: If you use URL host rewrite functionality in your policies, mismatches can
occur between the client-provided IP address and the resolved, rewritten
hostname. In these cases, a routing lookup is performed and an interface route,
static route, or default route is used.
878
Chapter 34: Routing on the ProxySG
The Return-to-Sender (RTS) option eliminates the need to create static routes by
configuring the ProxySG to send response packets back to the same interface that
received the request packet, entirely bypassing any routing lookup on the
ProxySG. Essentially, the ProxySG stores the source Ethernet MAC address that
the client’s packet came from and sends all responses to that address.
The RTS interface mapping is updated each time a packet is received. For
example, if there are two gateways and both of them send packets to the ProxySG,
the packets are sent back to the last MAC address and interface that received the
packet.
RTS can be configured in two ways, inbound or outbound. These two options can
be enabled at the same time.
Inbound RTS affects connections initiated to the SG by clients and is enabled by
default in SGOS 5.4 and later. Inbound RTS configures the SG to send SYN-ACK
packets to the same interface that the SYN packet arrived on. All subsequent
TCP/IP response packets are also sent to the same interface that received the
request packet.
RTS inbound applies only to clients who are on a different subnet than the
ProxySG. If clients are on the same subnet, interface routes are used.
879
SGOS 6.2 Administration Guide
880
Chapter 34: Routing on the ProxySG
Enabling Return-to-Sender
To enable RTS, use the return-to-sender command. For example:
#(config) return-to-sender inbound {disable | enable}
DNS Verification
In transparent deployments, the ProxySG verifies the destination IP addresses
provided by the client. This is known as L2/L3 transparency.
881
SGOS 6.2 Administration Guide
Note: The Trust Destination IP option overrides DNS verification. This option is
recommended for acceleration deployments only. For more information about
this option, see "About Trusting the Destination IP Address Provided by the
Client" on page 143
For hostname-less protocols such as CIFS and FTP, the IP address can always be
trusted. For other protocols, such as HTTP, RTSP, and MMS, which have a
hostname that must be resolved, verification can be an issue. URL rewrites that
modify the hostname also can cause verification to fail.
L2/L3 transparency is not supported in explicit proxy deployments, or if the
destination IP addresses cannot be verified by the ProxySG. In these cases, you
must configure static routes to hosts that are only accessible through gateways
other than the default gateway.
Transparent ADN connections that are handed off to an application proxy (HTTP
or MAPI, for example) can utilize L2/L3 transparency. Also, transparent ADN
connections that are tunneled but not handed off can utilize the functionality.
Note: IM is not supported with trust client addressing. To support IM, proper
routes must be configured for Internet access and IM client-to-client
communication.
882
Chapter 35: Configuring Failover
Using IP address failover, you can create a redundant network for any explicit
proxy configuration. If you require transparent proxy configuration, you can
create software bridges to use failover. For information on creating software
bridges, see "Configuring a Software Bridge" on page 1296.
Note: If you use the Pass-Through adapter for transparent proxy, you must
create a software bridge rather than configuring failover. For information on
using the Pass-Through adapter, see "About the Pass-Through Adapter" on
page 1295.
About Failover
Failover allows a second machine to take over if a first machine (not just an
interface card) fails, providing redundancy to the network through a master/
slave relationship. In normal operations, the master (the machine whose IP
address matches the group name) owns the address. The master sends keep
alive messages (advertisements) to the slaves. If the slaves do not receive
advertisements at the specified interval, the slave with the highest configured
priority takes over for the master. When the master comes back online, the
master takes over from the slave again.
The Blue Coat failover implementation resembles the Virtual Router
Redundancy Protocol (VRRP) with the following exceptions:
❐ A configurable IP multicast address is the destination of the
advertisements.
❐ The advertisement interval is included in protocol messages and is learned
by the slaves.
❐ A virtual router identifier (VRID) is not used.
❐ Virtual MAC addresses are not used.
❐ MD5 is used for authentication at the application level.
883
SGOS 6.2 Administration Guide
Configuring Failover
Before you begin, ensure that software bridges already exist. For information on
configuring bridges, see "Software and Hardware Bridges" .
You also must decide which machine is the master and which machines are the
slaves, and whether you want to configure explicit proxy or transparent proxy
network.
When configuring the group, the master and all the systems in the group must
have exactly the same failover configuration except for priority, which is used to
determine the rank of the slave machines. If no priority is set, a default priority of
100 is used. If two appliances have equal priority, the one with the highest
physical address ranks higher.
To configure failover:
1. Select the Configuration > Network > Advanced > Failover tab.
2. Click New. The Add Failover Group dialog displays.
884
Chapter 35: Configuring Failover
4a
4b
4c
4d
885
SGOS 6.2 Administration Guide
Troubleshooting
An indication that there may be issues with the election of a master is if
advertisements are not being sent or received by either of the systems in a failover
group.
886
Chapter 35: Configuring Failover
887
SGOS 6.2 Administration Guide
888
Chapter 36: Configuring DNS
About DNS
A hierarchical set of DNS servers comprises a Domain Name System. For each
domain or subdomain, one or more authoritative DNS servers publish
information about that domain and the name servers of any domains that are
under it.
Note: The DNS servers are configured in groups. For more information, see
"About Configuring DNS Server Groups" on page 891.
889
SGOS 6.2 Administration Guide
Note: Servers are always contacted in the order in which they appear in a group
list.
❐ The ProxySG first checks all the DNS groups for a domain match, using
domain-suffix matching to match a request to a group.
• If there is a match, the servers in the matched group are queried until a
response is received; no other DNS groups are queried.
• If there is no match, the ProxySG selects the Primary DNS group.
❐ The ProxySG sends requests to DNS servers in the Primary DNS server group
in the order in which they appear in the list. If a response is received from one
of the servers in the Primary group, no attempts are made to contact any other
Primary DNS servers.
❐ If none of the servers in the Primary group resolve the host name, the ProxySG
sends requests to the servers in the Alternate DNS server group. (If no
Alternate servers have been defined, an error is returned to the client.)
• If a response is received from a server in the Alternate group list, there are
no further queries to the Alternate group.
• If a server in the Alternate DNS server group is unable to resolve the host
name, an error is returned to the client, and no attempt is made to contact
any other DNS servers.
Note: The Alternate DNS server is not used as a failover DNS server. It
is only used when DNS resolution of the Primary DNS server returns a
name error. If the query to each server in the Primary list times out, no
alternate DNS server is contacted.
890
Chapter 36: Configuring DNS
891
SGOS 6.2 Administration Guide
2. Select a group (primary or alternate) and click Edit. The Edit DNS Forwarding
Group dialog displays.
3. Enter the IPv4 or IPv6 address of each additional DNS server and click OK.
4. Click Apply.
892
Chapter 36: Configuring DNS
See Also
❐ "About DNS"
❐ ""Promoting DNS Servers in a List""
❐ "Creating a Custom DNS Group"
❐ "About Configuring DNS Server Groups"
❐ "Promoting DNS Servers in a List"
Notes:
❐ You can create a maximum of 8 custom groups , and each custom group can
contain a maximum of four DNS servers and eight domains.
❐ Groups do not accept wild cards, such as:
*.example.com
Further more:
exam.com
893
SGOS 6.2 Administration Guide
See Also
❐ "About DNS"
❐ "About Configuring DNS Server Groups"
❐ "Adding DNS Servers to the Primary or Alternate Group"
❐ ""Promoting DNS Servers in a List""
❐ "Promoting DNS Servers in a List"
Deleting Domains
If a domain becomes defunct, you can easily delete it from a DNS group. In
addition, you need to delete all domains associated with the last server in any
DNS group before you can delete the server.
To delete domains:
1. Select Configuration > Network > DNS > Groups. The list of DNS groups displays.
2. Select the DNS group in the list and click Edit. The Edit DNS Forwarding
Group dialog displays.
3. Delete domains, and click OK.
4. Click Apply.
894
Chapter 36: Configuring DNS
See Also
"Deleting DNS Groups and Servers"
895
SGOS 6.2 Administration Guide
See Also
❐ "Deleting Domains"
❐ "Promoting DNS Servers in a List"
See Also
❐ "Adding DNS Servers to the Primary or Alternate Group"
❐ ""Promoting DNS Servers in a List""
❐ "Creating a Custom DNS Group"
❐ "Deleting DNS Groups and Servers"
896
Chapter 36: Configuring DNS
897
SGOS 6.2 Administration Guide
4. Click Apply.
Note: This functionality is only available through the Management Console. You
cannot configure it using the CLI.
Note: The ProxySG generates more DNS requests when negative caching is
disabled.
The ProxySG supports caching of both type A and type PTR DNS negative
responses.
This functionality is only available through the CLI. You cannot configure DNS
negative caching through the Management Console.
898
Chapter 37: Virtual IP Addresses
This chapter discusses the uses of Virtual IP (VIP) addresses and how to create
them.
Virtual IP addresses are addresses assigned to a system (but not an interface)
that are recognized by other systems on the network. Up to 255 VIPs can be
configured on each ProxySG appliance.
Uses of a VIP
VIP addresses have several uses:
❐ Assign multiple identities to a system on the same or different network,
partitioning the box in to separate logical entities for resource sharing or
load sharing.
❐ Create an HTTPS Console to allow multiple, simultaneous, secure
connections to the system.
❐ Direct authentication challenges to different realms.
❐ Set up failover among multiple ProxySG appliances on the same subnet.
Creating a VIP
This section discusses how to create a VIP. For more information about VIPs,
see "Uses of a VIP" on page 899.
To create a VIP:
1. Select the Configuration > Network > Advanced > VIPs tab.
2. Click New.
3. Enter the virtual IP address you want to use. It can be any IP address,
except a multicast address. (A multicast address is a group address, not an
individual IP address.)
899
SGOS 6.2 Administration Guide
Note: You cannot create a VIP address that is the IP address used by the
origin content server. You must assign a different address on the ProxySG,
and use DNS or forwarding to point to the origin content server's real IP
address.
4. Click OK.
5. Click Apply.
The VIP address can now be used.
900
Chapter 38: Configuring Private Networks
901
SGOS 6.2 Administration Guide
The ProxySG allows you to delete subnets from this list or add private subnets to
this list, see "Configuring Private Subnets" on page 902 to configure private
subnets. To configure private domains, see "Configuring Private Domains" on
page 903.
902
Chapter 38: Configuring Private Networks
See Also
"Configuring Private Networks"
"Default Private Subnets on the ProxySG"
"Using Policy On Configured Private Networks"
903
SGOS 6.2 Administration Guide
where,
<subnet_prefix>[/<prefix_length>] specifies a host or a subnet in IP form,
and
domain_name specifies domain name patterns (not in IP form).
See Also
"Configuring Private Networks"
"Default Private Subnets on the ProxySG"
"Configuring Private Subnets"
"Using Policy On Configured Private Networks"
904
Chapter 38: Configuring Private Networks
905
SGOS 6.2 Administration Guide
906
Chapter 39: Managing Routing Information Protocols (RIP)
907
SGOS 6.2 Administration Guide
Note: When entering RIP settings that affect current settings (for example, when
switching from ripv1 to ripv2), disable RIP before you change the settings; re-
enable RIP when you have finished.
3. In the Install RIP Setting from drop-down list, select the method used to install
the routing table; click Install.
• Remote URL:
Enter the fully-qualified URL, including the filename, where the routing
table is located. To view the file before installing it, click View. Click Install.
To view the installation results, click Results; close the window when you
are finished. Click OK.
• Local File:
Click Browse to display the Local File Browse window. Browse for the file
on the local system. Open it and click Install. When the installation is
complete, a results window opens. View the results and close the window.
• Text Editor:
The current configuration is displayed in installable list format. You can
customize it or delete it and create your own. Click Install. When the
installation is complete, a results window opens. View the results, close
the window, and click OK.
4. Click Apply.
5. Select Enable RIP.
6. Click Apply.
❐ To paste an RIP configuration directly into the CLI, enter the following
command at the (config) command prompt:
SGOS#(config) inline rip-settings end-of-file_marker
908
Chapter 39: Managing Routing Information Protocols (RIP)
RIP Commands
You can place any of the commands below into a Routing Information Protocol
(RIP) configuration text file. You cannot edit a RIP file through the command line,
but you can overwrite a RIP file using the inline rip-settings command.
After the file is complete, place it on an HTTP or FTP server accessible to the
ProxySG and download it.
Note: RIP parameters are accepted in the order that they are entered. If a RIP
parameter is added, it is appended to the default RIP parameters. If a subsequent
parameter conflicts with a previous parameter, the most recent one is used.
net
net Nname[/mask] gateway Gname metric Value {passive | active |
external}
Parameters Description
Nname Name of the destination network. It can be a symbolic
network name, or an Internet address specified in dot
notation.
/mask Optional number between 1 and 32 indicating the netmask
associated with Nname.
909
SGOS 6.2 Administration Guide
Parameters Description
Gname Name or address of the gateway to which RIP responses
should be forwarded.
Value The hop count to the destination host or network. A net
Nname/32 specification is equivalent to the host Hname
command.
passive | active | Specifies whether the gateway is treated as passive or active,
external or whether the gateway is external to the scope of the RIP
protocol.
host
host Hname gateway Gname metric Value {passive | active | external}
Parameters Description
Hname Name of the destination network. It can be a symbolic
network name, or an Internet address specified in dot
notation.
Gname Name or address of the gateway to which RIP responses
should be forwarded. It can be a symbolic network name, or
an Internet address specified in dot notation.
Value The hop count to the destination host or network. A net
Nname/32 specification is equivalent to the host Hname
command.
passive | active | Specifies whether the gateway is treated as passive or active,
external or whether the gateway is external to the scope of the RIP
protocol.
RIP Parameters
Lines that do not start with net or host commands must consist of one or more of
the following parameter settings, separated by commas or blank spaces:
Parameters Description
if=[0|1|2|3] Specifies that the other parameters on the line apply to the interface
numbered 0,1,2, or 3 in SGOS terms.
passwd=XXX Specifies an RIPv2 password included on all RIPv2 responses sent and
checked on all RIPv2 responses received. The password must not contain any
blanks, tab characters, commas or ‘#’ characters.
no_ag Turns off aggregation of subnets in RIPv1 and RIPv2 responses.
910
Chapter 39: Managing Routing Information Protocols (RIP)
Parameters Description
no_super_ag Turns off aggregation of networks into supernets in RIPv2 responses.
passive Marks the interface to not be advertised in updates sent through other
interfaces, and turns off all RIP and router discovery through the interface.
no_rip Disables all RIP processing on the specified interface.
no_ripv1_in Causes RIPv1 received responses to be ignored.
no_ripv2_in Causes RIPv2 received responses to be ignored.
ripv2_out Turns off RIPv1 output and causes RIPv2 advertisements to be multicast
when possible.
ripv2 Is equivalent to no_ripv1_in and no_ripv1_out. This parameter is set by
default.
no_rdisc Disables the Internet Router Discovery Protocol. This parameter is set by
default.
no_solicit Disables the transmission of Router Discovery Solicitations.
send_solicit Specifies that Router Discovery solicitations should be sent, even on point-to-
point links, which by default only listen to Router Discovery messages.
no_rdisc_adv Disables the transmission of Router Discovery Advertisements.
rdisc_adv Specifies that Router Discovery Advertisements should be sent, even on
point-to-point links, which by default only listen to Router Discovery
messages.
bcast_rdisc Specifies that Router Discovery packets should be broadcast instead of
multicast.
rdisc_pref=N Sets the preference in Router Discovery Advertisements to the integer N.
rdisc_interval=N Sets the nominal interval with which Router Discovery Advertisements are
transmitted to N seconds and their lifetime to 3*N.
trust_gateway=rname Causes RIP packets from that router and other routers named in other
trust_gateway keywords to be accept, and packets from other routers to be
ignored.
redirect_ok Causes RIP to allow ICMP Redirect messages when the system is acting as a
router and forwarding packets. Otherwise, ICMP Redirect messages are
overridden.
911
SGOS 6.2 Administration Guide
Parameters Description
supply_routing_info -s option:
-or- Supplying this option forces routers to supply routing
advertise_routes information whether it is acting as an Internetwork router
or not. This is the default if multiple network interfaces are
present or if a point-to-point link is in use.
-g option:
This flag is used on Internetwork routers to offer a route to
the `default' destination. This is typically used on a
gateway to the Internet, or on a gateway that uses another
routing protocol whose routes are not reported to other
local routers.
-h option:
Suppress_extra_host_routes advertise_host_route
-m option:
Advertise_host_route on multi-homed hosts
-A option:
Ignore_authentication //
no_supply_ -q option:
routing_info opposite of -s.
no_rip_out Disables the transmission of all RIP packets. This setting is
the default.
no_ripv1_out Disables the transmission of RIPv1 packets.
no_ripv2_out Disables the transmission of RIPv2 packets.
rip_out Enables the transmission of RIPv1 packets.
ripv1_out Enables the transmission of RIPv1 packets.
rdisc Enables the transmission of Router Discovery
Advertisements.
ripv1 Causes RIPv1 packets to be sent.
ripv1_in Causes RIPv1 received responses to be handled.
912
Chapter 39: Managing Routing Information Protocols (RIP)
Interface 0 accepts passwords aaa and ccc, and transmits using password aaa.
Interface 1 accepts passwords bbb and ccc, and transmits using password bbb. The
other interfaces accept and transmit the password ccc.
913
SGOS 6.2 Administration Guide
914
Chapter 40: SOCKS Gateway Configuration
915
SGOS 6.2 Administration Guide
See Also
"Adding a SOCKS Gateway" on page 916
"Creating SOCKS Gateway Groups" on page 919
"Configuring Global SOCKS Defaults" on page 921
"Configuring the SOCKS Gateway Default Sequence" on page 923
916
Chapter 40: SOCKS Gateway Configuration
917
SGOS 6.2 Administration Guide
b. Host: Add the IP address or the host name of the gateway where traffic
is directed. The host name must DNS resolve.
c. Port: The default is 1080.
d. SOCKS version: Select the version that the SOCKS gateway can support
from the drop-down list. Version 5 is recommended.
e. Username (Optional, and only if you use version 5) The username of the
user on the SOCKS gateway. The username already must exist on the
gateway. If you have a username, you must also set the password.
f. Set Password:The plaintext password or encrypted password of the
user on the SOCKS gateway. The password must match the gateway’s
information. The password can be up to 64 bytes long. Passwords that
include spaces must be within quotes.
You can enter an encrypted password (up to 64 bytes long) either through
the CLI or through installable list directives.
g. In the Load Balancing and Host Affinity section, select the load balancing
method from the drop-down list. Global default (configured on the
Configuration > Forwarding > Global Defaults tab), sets the default for all
SOCKS gateways on the system. You can also specify the load
balancing method for this system: Least Connections or Round Robin, or
you can disable load balancing by selecting None.
h. In the Host affinity methods drop-down list, select the method you want
to use:
• HTTP: The default is to use the Global Defaults. Other choices are None,
which disables host affinity, Accelerator Cookie, which places a cookie in
the response to the client, and Client IP Address, which uses the client
IP address to determine which upstream SOCKS gateway was last
used.
By default, SOCKS treats all incoming requests destined to port 80 as
HTTP, allowing the usual HTTP policy to be performed on them,
including ICAP scanning. If the SOCKS connection is being made to a
server on another port, write policy on the ProxySG to match on the
server host and port and specify that it is HTTP using SOCKS.
• SSL: The default is to use the Global Defaults. Other choices are None,
which disables host affinity, Accelerator Cookie, which places a cookie in
the response to the client, and Client IP Address, which uses the client IP
address to determine which group member was last used. In addition,
you can select SSL Session ID, used in place of a cookie or IP address,
which extracts the SSL session ID name from the connection
information.
918
Chapter 40: SOCKS Gateway Configuration
919
SGOS 6.2 Administration Guide
3. To create an alias group, highlight the hosts and groups you want grouped,
and click Add.
4. Give the new group a meaningful name.
5. In the Load Balancing and Host Affinity section, select the load balancing method
from the drop-down list. Global default (configured on the Configuration >
Forwarding > SOCKS Gateways > Global Defaults tab), sets the default for all
forwarding hosts on the system. You can also specify the load balancing
method for this system: Least Connections, Round Robin, Domain Hash, URL Hash,
or you can disable load balancing by selecting None.
920
Chapter 40: SOCKS Gateway Configuration
6. In the Host affinity methods drop-down lists, select the method you want to use.
Refer to the previous procedure for details on methods.You are selecting
between the resolved IP addresses of all of the hosts in the group, not the
resolved IP addresses of an individual host.
• HTTP: The default is to use the Global Defaults. Other choices are None, which
disables host affinity, Accelerator Cookie, which places a cookie in the
response to the client, and Client IP Address, which uses the client IP
address to determine which group member was last used.
• SSL: The default is to use the Global Defaults. Other choices are None, which
disables host affinity, Accelerator Cookie, which places a cookie in the
response to the client, and Client IP Address, which uses the client IP
address to determine which group member was last used. In addition, you
can select SSL Session ID, used in place of a cookie or IP address, which
extracts the SSL session ID name from the connection information.
• Other. Applies to any traffic that is not HTTP, terminated HTTPS, or
intercepted HTTPS. You can attempt load balancing of any of the
supported traffic types in forwarding and this host affinity setting can be
applied as well. For example, you could load balance a set of TCP tunnels
and apply the Other host affinity (client IP only).
The default is to use Global Defaults. Other choices are None, which disables
host affinity, and Client IP Address, which uses the client IP address to
determine which group member was last used.
7. Click OK to close the dialog.
8. Click Apply.
921
SGOS 6.2 Administration Guide
2. Determine how you want connections to behave if the health checks fail:
Connect Directly (fail open) or Deny the request (fail closed). Note that failing open is
an insecure option. The default is to fail closed. This option can be overridden
by policy, if it exists.
3. In the Global Load Balancing and Host Affinity area:
a. Configure Load Balancing methods:
• SOCKS hosts: Specify the load balancing method for all forwarding
hosts unless their configuration specifically overwrites the global
settings. You can choose Least Connections or Round Robin, or you can
disable load balancing by selecting None. Round Robin is specified by
default.
• SOCKS groups: Specify the load balancing method for all forwarding
groups unless their configuration specifically overwrites the global
settings. You can choose to hash the domain or the full URL. You can
also choose Least Connections, Round Robin, Domain Hash, URL Hash, and
you can disable load balancing by selecting None. Round Robin is
specified by default.
922
Chapter 40: SOCKS Gateway Configuration
923
SGOS 6.2 Administration Guide
Note: Traffic is forwarded to the first member of the list until it fails, then traffic is
sent to the second member of list until it fails or the first member becomes healthy
again, and so on.
1. Select the Configuration > Forwarding > SOCKS Gateways > Default Sequence tab.
2. The available aliases (host and group) display in the Available Aliases pane. To
select an alias, highlight it and click Add.
3. You can use the Promote and Demote buttons to change the order of the hosts
and groups in the sequence after you add them to the Selected Aliases pane.
4. Click Apply.
924
Chapter 40: SOCKS Gateway Configuration
925
SGOS 6.2 Administration Guide
Statistics
SOCKS gateways statistics are available through the Statistics > Advanced > SOCKS
Gateways menu
item.
926
Chapter 40: SOCKS Gateway Configuration
Directive Meaning
gateway Specifies the gateway alias and name, SOCKS port, version
supported, usernames and password.
group Creates a forwarding group directive and identifies member of
the group.
host_affinity Directs multiple connections by a single user to the same group
member.
load_balance Manages the load among SOCKS gateways in a group, or
among multiple IP addresses of a gateway.
sequence Adds a space-separated list of one or more SOCKS gateways
alias_list and group aliases. (The default sequence is the default
forwarding rule, used for all requests lacking policy instructions
socks_fail In case connections cannot be made, specifies whether to abort
the connection attempt or to connect to the origin content server.
927
SGOS 6.2 Administration Guide
928
Chapter 40: SOCKS Gateway Configuration
Example
gateway Sec_App1 10.25.36.47 1022 version=5 user=username
password=password
where the value determines whether the SOCKS gateways should fail open or
fail closed if an operation does not succeed. Fail open is a security risk, and
fail closed is the default if no setting is specified. This setting can be
overridden by policy, using the SOCKS_gateway.fail_open(yes|no) property.
Examples
socks_fail open
929
SGOS 6.2 Administration Guide
Example
load_balance gateway least_connections
930
Chapter 40: SOCKS Gateway Configuration
Example
host_affinity ssl accelerator-cookie 10.25.36.48
host_affinity timeout 5
Note: Creating the default sequence through the CLI is a legacy feature. You can
set up sequences by using policy alone. The default sequence (if present) is
applied only if no applicable command is in policy.
For information on using VPM, refer to Visual Policy Manager Reference; for
information on using CPL, refer to Content Policy Language Guide.
931
SGOS 6.2 Administration Guide
Example
sequence gateway_alias
Note: During the time that a SOCKS gateways installable list is being compiled
and installed, SOCKS gateways might not be available. Any transactions that
come into the appliance during this time might not be forwarded properly.
2. If you use a SOCKS gateway server for the primary or alternate forwarding
gateway, you must specify the ID for the Identification (Ident) protocol used
by the SOCKS gateway in SOCKS server handshakes. The default is BLUECOAT
SYSTEMS.
932
Chapter 40: SOCKS Gateway Configuration
3. From the drop-down list, select the method used to install the SOCKS
gateway configuration; click Install.
• Remote URL:
Click Browse to bring up the Local File Browse window. Browse for the file
on the local system. Click Install. When the installation is complete, a
results window opens. View the results, close the window, click Close.
• Text Editor:
933
SGOS 6.2 Administration Guide
934
Chapter 41: TCP Connection Forwarding
This section describes how to configure the ProxySG appliance to join peer
clusters that process requests in asymmetrically routed networks.
935
SGOS 6.2 Administration Guide
936
Chapter 41: TCP Connection Forwarding
937
SGOS 6.2 Administration Guide
938
Chapter 41: TCP Connection Forwarding
939
SGOS 6.2 Administration Guide
Load balancing is based on the IP address of the remote ADN peer. This assures
that all the traffic from a particular ADN peer to the local ADN cluster always
goes to a specific local ProxySG, thus eliminating the inefficiency of keeping
dictionaries for that remote peer on more than one local ProxySG.
The Blue Coat ADN solution is discussed in greater detail in "Configuring an
Application Delivery Network" on page 787.
940
Chapter 41: TCP Connection Forwarding
4
2
3b
3a
2. From the Local IP drop-down list, select the IP address that is routing traffic to
this ProxySG.
Specify the port number (the default is 3030) that the ProxySG uses to
communicate with all peers, which includes listening and sending out
connection forwarding cluster control messages to all peers in the group. All
peers in the group must use the same port number (when connection
forwarding is enabled, you cannot change the port number).
3. Add the cluster peers:
a. Click Add.
b. In the Peer IPs field, enter the IP addresses of the other peers in the
cluster that this ProxySG is to communicate connection requests with;
click OK.
4. Select Enable Connection Forwarding.
5. Click Apply.
This ProxySG joins the peer cluster and immediately begins communicating with
its peers.
941
SGOS 6.2 Administration Guide
Clipboard to paste the list of peers, and click Apply. Whichever peer IP address is the
new appliance’s local IP address is pulled out of the list and used as the local IP
address on the new appliance. If a local IP address is not found or if more than
one local IP address is found, the paste fails with an error.
Removing a Peer
A network change or other event might require you to remove a peer from the
cluster. Highlight a peer IP address and click Remove. The peer connection is
terminated and all connections associated with the peer are removed from the
local system.
Note: A CLI command is available that allows you to disable a peer, which
terminates the communication with other peers, but does not remove the peer
from the cluster. See the next section.
942
Chapter 42: Configuring the Upstream Network Environment
The following topics in this chapter discuss how to configure the ProxySG to
interact with both the local network and with the upstream network
environment:
❐ Section A: "Overview" on page 944
❐ Section B: "About Forwarding" on page 945
❐ Section C: "Configuring Forwarding" on page 953
❐ Section D: "Using Forwarding Directives to Create an Installable List" on
page 963
943
SGOS 6.2 Administration Guide
Section A: Overview
Section A: Overview
To control upstream interaction, the ProxySG supports the following:
❐ The ProxySG forwarding system—Allows you to define the hosts and groups
of hosts to which client requests can be redirected. Those hosts can be servers
or proxies. Rules to redirect requests are set up in policy.
❐ SOCKS gateways—SOCKS servers provide application-level firewall
protection for an enterprise. The SOCKS protocol provides a generic way to
proxy HTTP and other protocols. For information on configuring SOCKS
gateways, see Chapter 40: "SOCKS Gateway Configuration" on page 915.
944
Chapter 42: Configuring the Upstream Network Environment
Note: The ProxySG forwarding system directly supports the forwarding of HTTP,
HTTPS, FTP, MMS, RTSP, Telnet, and TCP tunnels.
945
SGOS 6.2 Administration Guide
See Also
"About the Forwarding System" on page 945
946
Chapter 42: Configuring the Upstream Network Environment
This means that, for example, any piece of content in ProxySG 1’s object cache can
be distributed to ProxySG 2 or ProxySG 3’s object cache without having to send
the content over the Internet.
Continue with "Example Network" .
Example Network
The following figure shows a more detailed view of the example network.
947
SGOS 6.2 Administration Guide
948
Chapter 42: Configuring the Upstream Network Environment
Figure 42–3 How forwarding can leverage object caching to prevent multiple requests to the
Internet and over WAN links
In Figure 42–3, a user connected to ProxySG 4 requests content located on a Web
server in the Internet. The content—which might be a spreadsheet or
multimedia—is in the object cache of load-balanced ProxySG 2, and therefore is
retrieved from the object cache. Neither the WAN links nor the origin server are
used to retrieve the content. The content is then cached on ProxySG 4’s object
cache so the next time a user requests the same content, it is retrieved from
ProxySG 4’s object cache.
If a user connected to ProxySG 5 requests the same content—and the content is in
neither ProxySG 5’s nor ProxySG 3’s object cache—load-balanced ProxySG 3 gets
the content from ProxySG 1 and object caches it. Subsequently, ProxySG 5 gets the
content from ProxySG 3 and object caches it.
949
SGOS 6.2 Administration Guide
Because the content is in ProxySG 1’s object cache, the content is not retrieved
from the origin server. In this scenario, only the WAN links are used; the Internet
link is not used to retrieve the content.
Note: In Figure 42–2 and Figure 42–3, each ProxySG is assumed to use one IP
address for forwarding. You could achieve similar results using load balancing if
you configure a DNS host name as a forwarding host and used DNS load
balancing to forward requests to more than one ProxySG. For more information,
see "About Load Balancing and Health Checks" .
See Also
"About Load Balancing and Health Checks"
"About Host Affinity" on page 951
"About the Forwarding System" on page 945
950
Chapter 42: Configuring the Upstream Network Environment
Health Checks
The availability of a proxy to participate in load balancing depends on the status
of the proxy’s health check (Statistics > Health Checks). The name of a forwarding
hosts or group starts with fwd.; any host or group whose health status is
Unhealthy is excluded from forwarding.
If a proxy has a health check of Unhealthy, the proxy is assumed to be down and
cannot participate in load balancing. If this happens, verify the following:
❐ The proxy or proxies are all intercepting traffic on the same ports you
configured in your forwarding host or group.
If the health check for a downstream proxy is shown as unhealthy on the
upstream proxy, verify that the downstream proxy intercepts traffic on the
specified port in the forwarding host on the upstream proxy.
For example, if you set up forwarding for HTTP traffic on port 80, make sure
the forwarding proxy or proxies are set to intercept HTTP traffic on port 80
(Services > Proxy Services).
❐ The proxy or proxies are available. Use the ping command from a downstream
proxy to verify upstream proxies are available.
❐ Verify the proxies’ health status and take corrective action if necessary.
For more information, see Chapter 72: "Verifying the Health of Services
Configured on the ProxySG" on page 1391.
In the event no load balancing host is available, global defaults determine whether
the connection fails open (that is, goes directly to its destination) or fails closed
(that is, the connection fails). For more information, see "Configuring Global
Forwarding Defaults" on page 957.
951
SGOS 6.2 Administration Guide
❐ For HTTPS, extract the SSL session ID name from the connection information.
The host uses the session ID in place of a cookie or client IP address to
determine which group member was last used. The host makes the connection
to that group member.
952
Chapter 42: Configuring the Upstream Network Environment
See Also
"Creating Forwarding Hosts and Groups" on page 953
"About the Forwarding System" on page 945
"Example of Using Forwarding" on page 945
953
SGOS 6.2 Administration Guide
3a
3b
3c
3d
3e
Note: Because the forwarding host alias is used in policy, the alias
cannot be a CPL keyword, such as no, default, or forward.
b. In the Host field, enter the forwarding host’s fully qualified domain
name or IPv4/IPv6 address.
c. For Type, click one of the following:
• Servershould be used for reverse proxy deployments. Choosing Server
means you will use the relative path for URLs in the HTTP header
because the next hop is a Web server, not a proxy server. HTTPS, TCP
tunnels, and Telnet can be forwarded to a server only; they cannot be
forwarded to a proxy.
• Proxy should be used in forward proxy deployments.
954
Chapter 42: Configuring the Upstream Network Environment
See Also
"Creating Forwarding Groups"
Section D: "Using Forwarding Directives to Create an Installable List" on page 963
"About the Forwarding System" on page 945
"Example of Using Forwarding" on page 945
955
SGOS 6.2 Administration Guide
3. In the Alias field, enter a unique name to identify the forwarding group.
Note: Because the forwarding group alias is used in policy, the alias
cannot be a CPL keyword, such as no, default, or forward.
4. To add members to a group, click the name of the hosts you want grouped and
click Add.
5. Choose load balancing and host affinity methods:
• From the Load balancing method list, click one of the following:
• Global default (configured on the Configuration > Forwarding > Global
Defaults tab), which sets the default for all forwarding hosts on the
system.
• Round Robin,which causes the request to be forwarded to the next
forwarding host or group in the sequence.
• Least Connections,
which causes requests to be sent to the forwarding
host or group that currently has the least number of connections.
• Url Hash, which hashes requests based on the request URL.
956
Chapter 42: Configuring the Upstream Network Environment
• Domain Hash, which hashes requests based on the domain name in the
request.
• None, which means load balancing will not be used.
• From the Host affinity methods list (see Table 42–1, "Host Affinity Methods"),
click the method you want to use.
6. Click OK.
7. Click Apply.
See Also
"Creating Forwarding Hosts"
Section D: "Using Forwarding Directives to Create an Installable List" on page 963
"About the Forwarding System" on page 945
"Example of Using Forwarding" on page 945
957
SGOS 6.2 Administration Guide
958
Chapter 42: Configuring the Upstream Network Environment
Note: The preceding CLI command is intended for backward compatibility with
older SGOS versions for which there was no equivalent CPL. Blue Coat
recommends you create forwarding policy (including sequences) using CPL or
VPM.
For information on using VPM, refer to Visual Policy Manager Reference; for
information on using CPL, refer to Content Policy Language Guide. For information
on using forwarding with policy, see Chapter 43: "Using Policy to Manage
Forwarding" on page 971.
959
SGOS 6.2 Administration Guide
2. To select an alias, click its name in the Available Aliases area and click Add.
3. Click Promote or Demote to change the order of the hosts in the default
sequence.
4. Click Apply.
960
Chapter 42: Configuring the Upstream Network Environment
961
SGOS 6.2 Administration Guide
Statistics
To view forwarding statistics, select the Statistics > Advanced > Forwarding tab.
962
Section D: Using Forwarding Directives to Create an Installable List
The information in this section is provided for backward compatibility only.
You can use directives instead of using the Management Console or CLI to
configure forwarding. Using directives, you can:
❐ Create the forwarding hosts and groups
❐ Provide load balancing and host affinity
This section discusses the following topics:
❐ "Creating Forwarding Host and Group Directives"
❐ "Setting Special Parameters" on page 966
❐ "Creating a Forwarding Default Sequence" on page 968
❐ "Creating a Forwarding Installable List" on page 969
963
Table 42–2 Forwarding Directives (Continued)
964
Table 42–3 Commands to Create Forwarding Host and Group Directives (Continued)
ssl-verify- =yes | =no Sets SSL to specify that the ProxySG checks the
server CA certificate of the upstream server.
The default for ssl-verify-server is yes. This
can be overridden in the SSL layer in policy.
To disable this feature, you must specify ssl-
verify-server=no in the installable list or CLI.
In other words, you can configure ssl-verify-
server=yes in three ways: do nothing (yes is the
default), specify ssl-verify-server=no, or
specify ssl-verify-server=yes.
group =group_name Specifies the group (or server farm or group of
proxies) to which this host belongs. If this is the
first mention of the group group_name then that
group is automatically created with this host as its
first member.
The ProxySG uses load balancing to evenly
distribute forwarding requests to the origin
servers or group of proxies.
server | proxy server specifies to use the relative path for URLs
in the HTTP header because the next hop is a Web
server, not a proxy server. The default is proxy.
Example
fwd_host www.bluecoat1.com 10.25.36.48 ssl-verify-server=no
group=bluecoat
See Also
"Creating Forwarding Groups Using Directives"
See Also
"Creating Forwarding Hosts Using Directives" on page 964
965
Setting Special Parameters
After you configure the forwarding hosts and groups, you might need to set other
special parameters to fine tune the hosts. You can configure the following settings:
❐ "Setting Fail Open/Closed and Host Timeout Values"
❐ "Configuring Load-Balancing Directives" on page 967
❐ "Configuring Host Affinity Directives" on page 967
Table 42–4 Commands to Set Fail Open/Closed and Host Timeout Values
Examples
fwd_fail open
integrated_host_timeout 90
See Also
"Configuring Load-Balancing Directives"
"Configuring Host Affinity Directives" on page 967
966
Configuring Load-Balancing Directives
Load balancing shares the load among a set of IP addresses, whether a group or a
host with multiple IP addresses.
The syntax is:
load_balance group {none | domain-hash | url-hash | round-robin |
least-connections} [group_alias]
load_balance host {none | round-robin | least-connections}
[host_alias]
Example
load_balance host least_connections
See Also
"Configuring Host Affinity Directives"
"Creating a Forwarding Default Sequence" on page 968
"Creating a Forwarding Installable List" on page 969
967
Table 42–6 Commands to Configure Host Affinity Directives
Example
host_affinity ssl_method 10.25.36.48
host_affinity timeout 5
See Also
"Creating a Forwarding Default Sequence"
"Creating a Forwarding Installable List" on page 969
A default forwarding sequence works by allowing healthy hosts to take over for
an unhealthy host (one that is failing its DNS resolution or its health check). The
sequence specifies the order of failover, with the second host taking over for the
first host, the third taking over for the second, and so on).
If all hosts are unhealthy, the operation fails either open or closed, depending
upon your settings.
968
This configuration is generally created and managed through policy. If no
forwarding policy applies, you can create a default sequence through the CLI.
This single default sequence consists of a single default host (or group) plus one
or more hosts to use if the preceding ones are unhealthy.
The syntax is:
sequence alias_list
Example
sequence bluecoat
See Also
"Creating a Forwarding Installable List"
Note: During the time that a forwarding installable list is being compiled and
installed, forwarding might not be available. Any transactions that come into the
ProxySG during this time might not be forwarded properly.
969
Note: A message is written to the event log when you install a list through
the SGOS software.
• Remote URL:
Click Browse to display the Local File Browse window. Browse for the
installable list file on the local system. Open it and click Install. When the
installation is complete, a results window opens. View the results, close
the window, click Close.
• Text Editor:
3. Click Apply.
Note: You can create forwarding settings using the CLI #inline forwarding
command. You can use any of the forwarding directives.
For more information on using inline commands, refer to Command Line Interface
Reference.
Note: Any host or group in the default sequence (or the DRTR service
configuration) is considered in use by policy. As a result, if you try to delete a
host or group while it is in the default sequence or DRTR service configuration,
you will receive an error message. You must remove the host/group from the
sequence or service first, then delete.
970
Chapter 43: Using Policy to Manage Forwarding
After forwarding and the SOCKS gateways are configured, use policy to create
and manage forwarding rules. Create forwarding and SOCKS gateway rules in
the <Forward> layer of the Forwarding Policy file or the VPM Policy file (if you
use the VPM).
The separate <Forward> layer is provided because the URL can undergo URL
rewrites before the request is fetched. This rewritten URL is accessed as a
server_url and decisions about upstream connections are based on the
rewritten URL, requiring a separate layer. All policy commands allowed in the
<Forward> layer are described below.
Forward Description
Conditions
client_address= Tests the IP address of the client. Can also be used in
<Exception> and <Proxy> layers.
971
SGOS 6.2 Administration Guide
Forward Description
minute[.utc]=month[.utc]= Tests if the minute of the hour is in the specified range or
an exact match. Can be used in all layers.
proxy.address= Tests the IP address of the network interface card (NIC) on
which the request arrives. Can also be used in <Admin>
and <Proxy> layers.
proxy.card= Tests the ordinal number of the network interface card
(NIC) used by a request. Can also be used in <Admin> and
<Proxy> layers.
972
Chapter 43: Using Policy to Manage Forwarding
Forward Description
server_url.query.regex= Tests if the regex matches a substring of the query string
component of the request URL.
server_url.regex= Tests if the requested URL matches the specified pattern.
server_url.scheme= Tests if the scheme of the requested URL matches the
specified string.
socks= This condition is true whenever the session for the current
transaction involves SOCKS to the client.
socks.version= Switches between SOCKS 4/4a and 5. Can also be used in
<Exception> and <Proxy> layers.
streaming.client= yes | no. Tests the user agent of a Windows, Real Media,
or QuickTime player.
time[.utc]= Tests if the time of day is in the specified range or an exact
match. Can be used in all layers.
tunneled= yes | no. Tests TCP tunneled requests, HTTP CONNECT
requests, and unaccelerated SOCKS requests
weekday[.utc]= Tests if the day of the week is in the specified range or an
exact match. Can be used in all layers.
year[.utc]= Tests if the year is in the specified range or an exact match.
Can be used in all layers.
Properties
access_server() Determines whether the client can receive streaming
content directly from the OCS. Set to no to serve only
cached content.
ftp.transport() Determines the upstream transport mechanism.
This setting is not definitive. It depends on the capabilities
of the selected forwarding host.
forward() Determines forwarding behavior.
There is a box-wide configuration setting
(config>forwarding>failure-mode) for the forward
failure mode. The optional specific settings can be used to
override the default.
forward.fail_open() Controls whether the ProxySG appliance terminates or
continues to process the request if the specified
forwarding host or any designated backup or default
cannot be contacted.
http.refresh.recv.timeout() Sets the socket timeout for receiving bytes from the
upstream host when performing refreshes. Can also be
used in <Cache> layers.
973
SGOS 6.2 Administration Guide
Forward Description
http.server.connect_attempts() Sets the number of attempts to connect performed per-
address when connecting to the upstream host.
http.server.recv.timeout() Sets the socket timeout for receiving bytes from the
upstream host. Can also be used in <Proxy> layers.
im.transport() Sets the type of upstream connection to make for IM
traffic.
integrate_new_hosts() Determines whether to add new host addresses to health
checks and load balancing. The default is no. If it is set to
yes, any new host addresses encountered during DNS
resolution of forwarding hosts are added to health checks
and load balancing.
reflect_ip() Determines how the client IP address is presented to the
origin server for explicitly proxied requests. Can also be
used in <Proxy> layers.
socks_gateway() The socks_gateway() property determines the gateway
and the behavior of the request if the gateway cannot be
contacted.
There is a box-wide configuration setting for the SOCKS
failure mode. The optional specific settings can be used to
override the default.
socks_gateway.fail_open() Controls whether the ProxySG terminates or continues to
process the request if the specified SOCKS gateway or any
designated backup or default cannot be contacted.
streaming.transport() Determines the upstream transport mechanism. This
setting is not definitive. The ability to use
streaming.transport() depends on the capabilities of
the selected forwarding host.
trace.request() Determines whether detailed trace output is generated for
the current request. The default value is no, which
produces no output
trace.rules() Determines whether trace output is generated that shows
each policy rule that fired. The default value of no
suppresses output.
trace.destination() Used to change the default path to the trace output file. By
default, policy evaluation trace output is written to an
object in the cache accessible using a console URL of the
following form:
http://ProxySG_ip_address:8082/Policy/
Trace/path
974
Chapter 43: Using Policy to Manage Forwarding
Forward Description
Actions
notify_email() Sends an e-mail notification to the list of recipients
specified in the Event Log mail configuration. Can be used
in all layers.
notify_snmp() The SNMP trap is sent when the transaction terminates.
Can be used in all layers.
log_message Writes the specified string to the event log.
Definitions
define server_url.domain condition Binds a user-defined label to a set of domain suffix
name patterns for use in a condition= expression.
975
SGOS 6.2 Administration Guide
976
Chapter 44: About Security
977
SGOS 6.2 Administration Guide
978
Chapter 45: Controlling Access to the Internet and Intranet
The following sections describe how to limit user access to the Internet and
intranet:
❐ Section A: "Managing Users" on page 980
❐ Section B: "Using Authentication and Proxies" on page 987
❐ Section C: "Using SSL with Authentication and Authorization Services" on
page 996
❐ Section D: "Creating a Proxy Layer to Manage Proxy Operations" on page
998
❐ Section E: "Forwarding BASIC Credentials" on page 1007
979
SGOS 6.2 Administration Guide
980
Chapter 45: Controlling Access to the Internet and Intranet
To browse users:
1. Select the Statistics > Authentication tab.
2
3
4
2. Select a single realm or All realms from the Realm drop-down list.
3. (Optional) Enter a regular expression in the User pattern field to display the
usernames that match the pattern.
4. (Optional) Enter an IP address or subnet in the IP prefix field to display the IP
addresses that match the prefix.
5. Click Display by user to display the statistic results by user, or Display by IP to
display the results by IP address.
981
SGOS 6.2 Administration Guide
Note: The Challenge user after logout option only works when cookie-surrogate
credentials are used. If this setting is enabled, the user is explicitly challenged
for credentials after logging out.
Inactivity Timeout
Each realm has a new inactivity-timeout setting, used in conjunction with the last
activity- time value for a particular login. Each time that a login is completed, this
activity time is updated. If the time since the last activity time for a specific login
exceeds the inactivity-timeout value, the user is logged out.
Administrator Action
The administrator can explicitly log out a set of users using the Logout link at the
bottom of the user login information pages. See "Viewing Logged-In Users" on
page 980 for information about displaying user login information. For
information about using the CLI to logout users, see "Related CLI Syntax to
Manage Users" on page 985.
Policy
Policy has three properties and three conditions to manage user logouts. These
properties and conditions can be used to dynamically log out users. For example,
you can create a logout link for users.
For information about using policy, refer to Visual Policy Manager Reference and
Content Policy Language Guide.
New Properties
Policy has three properties for logging out users.
❐ user.login.log_out(yes)
This property logs out the user referenced by the current transaction.
❐ user.login.log_out_other(yes)
If a user is logged in at more than one IP address, this property logs the user
out from all IP addresses except the current IP address.
❐ client.address.login.log_out_other(yes)
If more than one user is logged in at the IP address of the current transaction,
this property logs out all users from the current IP address except the current
user.
982
Chapter 45: Controlling Access to the Internet and Intranet
New Conditions
Several conditions support different logout policies.
❐ user.login.count
This condition matches the number of times that a specific user is logged in
with the current realm. You can use this condition to ensure that a user can be
logged in only at one workstation. If the condition is combined with the
user.login.log_out_other property, old login sessions on other workstations
are automatically logged out.
❐ client.address.login.count
This condition matches the number of different users who are logged into the
current IP address, and you can use it to limit the user number.
❐ user.login.time
This condition matches the number of seconds since the current login started,
and you can use it to limit the length of a login session.
Note: The local realm uses Basic credentials but does not need to cache them
since they are stored already on the ProxySG.
983
SGOS 6.2 Administration Guide
One-Time Passwords
One-time passwords are trusted for the credential refresh time. Only when the
credential refresh time expires is the user challenged again.
984
Chapter 45: Controlling Access to the Internet and Intranet
For more information about using cookie and IP address surrogate credentials,
see "About Authentication Modes" on page 988.
Policy
Policy has three properties for setting the refresh times for individual
transactions.
❐ authenticate.authorization_refresh_time(x)
where x is the number of seconds to use for the authorization refresh time
during this transaction. The refresh time cannot exceed the time configured in
the realm; policy can be used only to reduce the authorization refresh time.
You can use this property to dynamically force the user's authorization data to
be refreshed.
❐ authenticate.credential_refresh_time(x)
where x is the number of seconds to use for the credential refresh time during
this transaction. The refresh time cannot exceed the time configured in the
realm; policy can be used only to reduce the credential refresh time. You can
use this property to dynamically force the user's credentials to be refreshed.
❐ authenticate.surrogate_refresh_time(x)
where x is the number of seconds to use for the surrogate refresh time during
this transaction. The refresh time cannot exceed the time configured in the
realm; policy can be used only to reduce the surrogate refresh time. You can
use this property to dynamically force the user's surrogate to be refreshed.
For information about using policy, refer to Visual Policy Manager Reference and
Content Policy Language Guide.
985
SGOS 6.2 Administration Guide
986
Chapter 45: Controlling Access to the Internet and Intranet
Terminology
❐ authentication modes: The various ways that the ProxySG interacts with the
client for authentication. For more information, see "About Authentication
Modes" on page 988.
❐ challenge type: The kind of authentication challenge that is issues (for
example, proxy or origin-ip-redirect).
❐ guest authentication: Allowing a guest to login with limited permissions.
❐ impersonation: The proxy uses the user credentials to connect to another
computer and access content that the user is authorized to see.
❐ surrogate credentials: Credentials accepted in place of the user’s real
credentials. Surrogate credentials can be either cookie-based or IP address-
based.
❐ virtual authentication site: Used with authentication realms such as IWA, and
LDAP. The request for credentials is redirected to the ProxySG instead of the
origin server. The appliance intercepts the request for the virtual
authentication site and issues the appropriate credential challenge. Thus, the
challenge appears to come from the virtual site, which is usually named to
make it clear to the user that ProxySG credentials are requested.
987
SGOS 6.2 Administration Guide
❐ Auto: The default; the mode is automatically selected, based on the request.
Auto can choose any of proxy, origin, origin-ip, or origin-cookie-redirect, depending
on the kind of connection (explicit or transparent) and the transparent
authentication cookie configuration.
❐ Proxy: The ProxySG uses an explicit proxy challenge. No surrogate credentials
are used. This is the typical mode for an authenticating explicit proxy. In some
situations proxy challenges do not work; origin challenges are then issued.
If you have many requests consulting the back-end authentication authority
(such as LDAP, RADIUS, or the BCAAA service), you can configure the
ProxySG (and possibly the client) to use persistent connections. This
dramatically reduces load on the back-end authentication authority and
improves the all-around performance of the network.
❐ Proxy-IP:The ProxySG uses an explicit proxy challenge and the client's IP
address as a surrogate credential. Proxy-IP specifies an insecure forward
proxy, possibly suitable for LANs of single-user workstations. In some
situations proxy challenges do not work; origin challenges are then issued.
❐ Origin:
The ProxySG acts like an OCS and issues OCS challenges. The
authenticated connection serves as the surrogate credential.
❐ Origin-IP:
The ProxySG acts like an OCS and issues OCS challenges. The client
IP address is used as a surrogate credential. Origin-IP is used to support IWA
authentication to the upstream device when the client cannot handle cookie
credentials. This mode is primarily used for automatic downgrading, but it
can be selected for specific situations.
❐ Origin-cookie: The ProxySG acts like an origin server and issues origin server
challenges. A cookie is used as the surrogate credential. Origin-cookie is used in
forward proxies to support pass-through authentication more securely than
origin-ip if the client understands cookies. Only the HTTP and HTTPS
protocols support cookies; other protocols are automatically downgraded to
origin-ip.
988
Chapter 45: Controlling Access to the Internet and Intranet
❐ Origin-IP-redirect:
The client is redirected to a virtual URL to be authenticated,
and the client IP address is used as a surrogate credential. The ProxySG does
not support origin-redirects with the CONNECT method. For forward
proxies, only origin-*-redirect modes are supported for Kerberos/IWA
authentication. (Any other mode uses NTLM authentication.)
❐ SG2:
The mode is selected automatically, based on the request, and uses the
SGOS 2.x-defined rules.
❐ Form-IP:A form is presented to collect the user's credentials. The form is
presented whenever the user’s credential cache entry expires.
❐ Form-Cookie: A form is presented to collect the user's credentials. The cookies
are set on the OCS domain only, and the user is presented with the form for
each new domain. This mode is most useful in reverse proxy scenarios where
there are a limited number of domains.
❐ Form-Cookie-Redirect: A form is presented to collect the user's credentials. The
user is redirected to the authentication virtual URL before the form is
presented. The authentication cookie is set on both the virtual URL and the
OCS domain. The user is only challenged when the credential cache entry
expires.
❐ Form-IP-redirect: This is similar to form-ip except that the user is redirected to the
authentication virtual URL before the form is presented.
Note: Modes that use an IP address surrogate credential are insecure: After a
user has authenticated from an IP address, all further requests from that IP
address are treated as from that user. If the client is behind a NAT, or on a
multi-user system, this can present a serious security problem.
989
SGOS 6.2 Administration Guide
Note: Sharing the virtual URL with other content on a real host requires
additional configuration if the credential exchange is over SSL.
You can configure the virtual site to something that is meaningful for your
company. The default, which requires no configuration, is www.cfauth.com. See
"Configuring Transparent Proxy Authentication" on page 991 to set up a virtual
URL for transparent proxy.
990
Chapter 45: Controlling Access to the Internet and Intranet
Permitted Errors
Authentication and authorization can be permitted to fail if policy has been
written to allow specific failures. The behavior is as follows:
❐ Authentication Failures: After an authentication failure occurs, the
authentication error is checked against the list of errors that policy specifies as
permitted.
• If the error is not on the list, the transaction is terminated.
• If the error is on the list, the transaction is allowed to proceed although the
user is unauthenticated. Because the transaction is not considered
authenticated, the authenticated=yes policy condition evaluates to false
and the user has no username, group information, or surrogate
credentials. Policy that uses the user, group, domain, or attribute
conditions does not match.
991
SGOS 6.2 Administration Guide
Note: You are not limited to these conditions and properties in creating
policy. For a discussion and a complete list of policy conditions and
properties you can use, refer to Content Policy Language Guide.
992
Chapter 45: Controlling Access to the Internet and Intranet
Note: You can use guest authentication with or without default groups. If you
use default groups, you can assign guest users to groups for tracking and
statistics purposes. For more information about default groups, see "Using
Default Groups" on page 994.
In the case of guest authentication, a user is not actually authenticated against the
realm, but is:
❐ Assigned the specified guest username
❐ Marked as authenticated in the specified realm
❐ Marked as a guest user
❐ Tracked in access logs
Since the user is not actually authenticated, the username does not have to be
valid in that realm.
993
SGOS 6.2 Administration Guide
Write the corresponding policy. Policy available for guest authentication includes:
❐ authenticate.guest
❐ user.is_guest
❐ authenticated
Note: You are not limited to these conditions and properties in creating policy.
For a complete list of policy conditions and properties you can use, refer to the
Content Policy Language Guide.
Note: You can use default groups in conjunction with guest users (see "Using
Guest Authentication" on page 993) or it can be used with regular user
authentication.
994
Chapter 45: Controlling Access to the Internet and Intranet
You can specify a single or multiple groups here. In most cases, only a single
group will be required, but occasionally you might need to assign the user to
multiple groups:
❐ For extra reporting abilities.
❐ If the policy is structured in a way that users should receive the same access as
if they belonged in multiple different groups.
Policy available for default groups includes:
❐ group
❐ authorize.add_group
Note: You are not limited to these conditions and properties in creating
policy. For a complete list of policy conditions and properties you can use,
refer to Content Policy Language Guide.
Note: This example assumes you have already created a realm in Configuration >
Authentication.
995
SGOS 6.2 Administration Guide
Note: You can use SSL between the client and the ProxySG for origin-style
challenges on transparent and explicit connections (SSL for explicit proxy
authentication is not supported).
In addition, if you use a forward proxy, the challenge type must use redirection; it
cannot be an origin or origin-ip challenge type.
When redirected to the virtual URL, the user is prompted to accept the certificate
offered by the ProxySG (unless the certificate is signed by a trusted certificate
authority). If accepted, the authentication conversation between the ProxySG and
the user is encrypted using the certificate.
Note: If the hostname does not resolve to the IP address of the ProxySG, then the
network configuration must redirect traffic for that port to the appliance. Also, if
you use the IP address as the virtual hostname, you might have trouble getting a
certificate signed by a CA-Certificate authority (which might not be important).
996
Chapter 45: Controlling Access to the Internet and Intranet
997
SGOS 6.2 Administration Guide
Using CPL
Below is a table of all commands available for use in proxy layers of a policy. If a
condition, property, or action does not specify otherwise, it can be used only in
<Proxy> layers. For information about creating effective CPL, refer to Content
Policy Language Guide.
client_address= Tests the IP address of the client. Can also be used in <Admin> layers.
client.connection. Test the cipher suite negotiated with a securely connected client. Can
negotiated_cipher= also be used in <Exception> layers.
client.connection. Test the cipher strength negotiated with a securely connected client.
negotiated_cipher. Can also be used in <Exception> layers.
strength=
client.host= Test the hostname of the client (obtained through RDNS). Can also be
used in <Admin>, <Forward>, and <Exception> layers.
client.host.has_name= Test the status of the RDNS performed to determine client.host. Can
also be used in <Admin>, <Forward>, and <Exception> layers.
client_protocol= Tests true if the client transport protocol matches the specification. Can
also be used in <Exception> layers.
condition= Tests if the specified defined condition is true. Can be used in all layers.
998
Chapter 45: Controlling Access to the Internet and Intranet
console_access= (This trigger was formerly admin=yes|no.) Tests if the current request
is destined for the admin layer. Can also be used in <Cache> and
<Exception> layers.
http.request_line.regex= Test the HTTP protocol request line. Can also be used in <Exception>
layers.
http.request.version= Tests the version of HTTP used by the client in making the request to
the ProxySG. Can also be used in <Cache> and <Exception> layers.
http.response_code= Tests true if the current transaction is an HTTP transaction and the
response code received from the origin server is as specified. Can also
be used in <Cache> and <Exception> layers.
http.response.version= Tests the version of HTTP used by the origin server to deliver the
response to the ProxySG. Can also be used in <Cache> and
<Exception> layers.
999
SGOS 6.2 Administration Guide
im.buddy_id= Tests the buddy_id associated with the IM transaction. Can also be
used in <Exception> layers.
im.chat_room.conference= Tests whether the chat room associated with the transaction has the
conference attribute set. Can also be used in <Exception> layers.
im.chat_room.id= Tests the chat room ID associated with the transaction. Can also be
used in <Exception> layers.
im.chat_room.invite_ Tests whether the chat room associated with the transaction has the
only= invite_only attribute set. Can also be used in <Exception> layers.
im.chat_room.type= Tests whether the chat room associated with the transaction is public or
private. Can also be used in <Exception> layers.
im.chat_room.member= Tests whether the chat room associated with the transaction has a
member matching the specified criterion. Can also be used in
<Exception> layers.
im.chat_room.voice_ Tests whether the chat room associated with the transaction is voice
enabled= enabled. Can also be used in <Exception> layers.
im.client= Test the type of IM client in use. Can also be used in <Exception>,
<Forward>, and <Cache> layers.
im.file.extension= Tests the file extension. Can also be used in <Exception> layers.
im.file.name= Tests the file name (the last component of the path), including the
extension. Can also be used in <Exception> layers.
im.file.path= Tests the file path against the specified criterion. Can also be used in
<Exception> layers.
im.file.size= Performs a signed 64-bit range test. Can also be used in <Exception>
layers.
im.message.reflected Test whether IM reflection occurred. Can also be used in <Exception>
and <Forward> layers.
im.message.route= Tests how the IM message reaches its recipients. Can also be used in
<Exception> layers.
im.message.size= Performs a signed 64-bit range test. Can also be used in <Exception>
layers.
im.message.text. Tests if the message text contains the specified text or pattern. Can also
substring= be used in <Exception> layers.
im.message.opcode= Tests the value of an opcode associated with an im.method of
unknown_send or unknown_receive.
im.message.type= Tests the message type. Can also be used in <Exception> layers.
im.method= Tests the method associated with the IM transaction. Can also be used
in <Cache> and <Exception> layers.
1000
Chapter 45: Controlling Access to the Internet and Intranet
im.user_id= Tests the user_id associated with the IM transaction. Can also be used
in <Exception> layers.
live= Tests if the streaming content is a live stream. Can also be used in
<Cache> layers.
minute= Tests if the minute of the hour is in the specified range or an exact
match. Can be used in all layers.
month= Tests if the month is in the specified range or an exact match. Can be
used in all layers.
proxy.address= Tests the IP address of the network interface card (NIC) on which the
request arrives. Can also be used in <Admin> layers.
proxy.card= Tests the ordinal number of the network interface card (NIC) used by a
request. Can also be used in <Admin> layers.
proxy.port= Tests if the IP port used by a request is within the specified range or an
exact match. Can also be used in <Admin> layers.
raw_url Test the value of the raw request URL. Can also be used in
<Exception> layers.
raw_url.host Test the value of the 'host' component of the raw request URL. Can also
be used in <Exception> layers.
raw_url.path Test the value of the 'path' component of the raw request URL. Can
also be used in <Exception> layers.
raw_url.pathquery Test the value of the 'path and query' component of the raw request
URL. Can also be used in <Exception> layers.
raw_url.port Test the value of the 'port' component of the raw request URL. Can also
be used in <Exception> layers.
raw_url.query Test the value of the 'query' component of the raw request URL. Can
also be used in <Exception> layers.
realm= Tests if the authenticated condition is set to yes, the client is
authenticated, and the client has logged into the specified realm. an
also be used in <Admin> layers.
release.id= Tests the ProxySG release ID. Can be used in all layers.
request.header_address. Tests if the specified request header can be parsed as an IP address.
header_name= Can also be used in <Cache> layers.
request.header.header_ Tests the specified request header (header_name) against a regular
name= expression. Can also be used in <Cache> layers.
request.header.header_ Test the number of header values in the request for the given
name.count header_name. Can also be used in <Exception> layers.
request.header.header_ Test the total length of the header values for the given header_name.
name.length Can also be used in <Exception> layers.
1001
SGOS 6.2 Administration Guide
request.header.Referer. Test whether the Referer URL has a resolved DNS hostname. Can also
url.host.has_name= be used in <Exception> layers.
request.header.Referer. Test whether the Referer URL is expressed in absolute form. Can also
url.is_absolute be used in <Exception> layers.
request.raw_headers. Test the total number of HTTP request headers. Can also be used in
count <Exception> layers.
request.raw_headers. Test the total length of all HTTP request headers. Can also be used in
length <Exception> layers.
request.raw_headers. Test the value of all HTTP request headers with a regular expression.
regex Can also be used in <Exception> layers.
request.x_header.header_ Test the number of header values in the request for the given
name.count header_name. Can also be used in <Exception> layers.
request.x_header.header_ Test the total length of the header values for the given header_name.
name.length Can also be used in <Exception> layers.
response.header.header_ Tests the specified response header (header_name) against a regular
name= expression. Can also be used in <Cache> layers.
response.x_header. Tests the specified response header (header_name) against a regular
header_name= expression. Can also be used in <Cache> layers.
server_url[.case_ Tests if a portion of the requested URL exactly matches the specified
sensitive|.no_lookup]= pattern. Can also be used in <Forward> layers.
socks.accelerated= Controls the SOCKS proxy handoff to other protocol agents.
socks.method= Tests the protocol method name associated with the transaction. Can
also be used in <Cache> and <Exception> layers.
socks.version= Switches between SOCKS 4/4a and 5. Can also be used in
<Exception> and <Forward> layers.
streaming.content= (This trigger has been renamed from streaming.) Can also be used in
<Cache>, <Exception>, and <Forward> layers.
time= Tests if the time of day is in the specified range or an exact match. Can
be used in all layers.
tunneled=
1002
Chapter 45: Controlling Access to the Internet and Intranet
url.host.has_name Test whether the request URL has a resolved DNS hostname. Can also
be used in <Exception> layers
url.is_absolute Test whether the request URL is expressed in absolute form. Can also
be used in <Exception> layers
url.host.is_numeric= This is true if the URL host was specified as an IP address. Can also be
used in <Forward> layers.
url.host.no_name= This is true if no domain name can be found for the URL host. Can also
be used in <Forward> layers.
url.host.regex= Tests if the specified regular expression matches a substring of the
domain name component of the request URL. Can also be used in
<Forward> layers.
1003
SGOS 6.2 Administration Guide
always_verify( ) Determines whether each request for the objects at a particular URL
must be verified with the origin server.
authenticate( ) Identifies a realm that must be authenticated against. Can also be used
in <Admin> layers.
authenticate.force( ) Either disables proxy authentication for the current transaction (using
the value no) or requests proxy authentication using the specified
authentication realm. Can also be used in <Admin> layers.
authenticate.form( ) When forms-based authentication is in use, authenticate.form ( )
selects the form used to challenge the user.
authenticate.mode(auto) Setting the authentication.mode property selects a challenge type and
authenticate.mode(sg2) surrogate credential combination. In auto mode, explicit IWA uses
connection surrogate credentials. In sg2.mode, explicit IWA uses IP
surrogate credentials.
authenticate.redirect_ Sets whether requests stored during forms-based authentication can be
stored_requests redirected if the upstream host issues a redirecting response.
bypass_cache( ) Determines whether the cache is bypassed for a request.
check_authorization( ) In connection with CAD (Caching Authenticated Data) and CPAD
(Caching Proxy Authenticated Data) support,
check_authorization( ) is used when you know that the upstream
device will sometimes (not always or never) require the user to
authenticate and be authorized for this object. Can also be used in
<Cache> layers.
delete_on_abandonment( ) If set to yes, then if all clients requesting an object close their
connections prior to the object being delivered, the object fetch from
the origin server is abandoned. Can also be used in <Cache> layers.
deny Denies service. Can be used in all layers except <Exception> and
<Forward> layers.
1004
Chapter 45: Controlling Access to the Internet and Intranet
1005
SGOS 6.2 Administration Guide
1006
Chapter 45: Controlling Access to the Internet and Intranet
Situation
An internal reverse proxy setup. The administrator wishes to forward BASIC
credential, either user or custom credentials to a particular OCS.
3. Select Policy > Add Web Authentication Layer. An Add New Layer dialog box
displays.
4. Enter a name that is easily recognizable and click OK. A new policy tab and
rule displays in the workspace.
1007
SGOS 6.2 Administration Guide
5. Select Action under the new rule. Right click Any > Set. The Set Action Object
window displays.
7a
7b
7c
1008
Chapter 45: Controlling Access to the Internet and Intranet
Note: For all transactions which match the Send Credentials Upstream Object,
credentials will be sent even if the receiving server does not require them.
Depending upon how your policy is written, you can use the Do Not Send
Credentials Upstream object to manage which servers should not receive
credentials. You can enforce this rule using the VPM object, Do Not Send
Credentials Upstream. It is a fixed action and requires no configuration.
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.
1009
SGOS 6.2 Administration Guide
❐ The following subcommands apply to LDAP, XML, Local, IWA, and Radius
realms:
SG#(config realm realmname) server-authentication {none | origin |
proxy}
SG#(config realm realmname) view
SG#(config realm realmname) exit
1010
Chapter 46: Local Realm Authentication and Authorization
Using a Local realm is appropriate when the network topology does not
include external authentication or when you want to add users and
administrators to be used by the ProxySG only.
The Local realm (you can create up to 40) uses a Local User List, a collection of
users and groups stored locally. Multiple Local realms can reference the same
list at the same time, although each realm can only reference one list at a time.
The default list used by the realm can be changed at any time.
1011
SGOS 6.2 Administration Guide
2a
2b
2c
3a
3b
3c
3d
1012
Chapter 46: Local Realm Authentication and Authorization
Before the refresh time expires, if a surrogate credential (IP address or cookie)
is available and it matches the expected surrogate credential, the ProxySG
authenticates the transaction. After the refresh time expires, the ProxySG
verifies the user’s credentials. Depending upon the authentication mode and
the user-agent, this may result in challenging the end user for credentials.
The main goal of this feature is to verify that the user-agent still has the
appropriate credentials.
Enter the number of seconds in the Authorization refresh time field. The
Authorization Refresh Time allows you to manage how often the
authorization data is verified with the authentication realm. It has a default
setting of 900 seconds (15 minutes). You can configure this in policy for better
control over the resources as policy overrides any settings made here.
4. In the Inactivity timeout field, enter the number of seconds to specify the amount
of time a session can be inactive before it is logged out.
5. Configure cookie options:
a. Select the Use persistent cookies check box to use persistent browser
cookies instead of session browser cookies.
b. Select the Verify the IP address in the cookie check box if you would like
the cookies surrogate credentials to only be accepted for the IP address
that the cookie was authenticated. Disabling this will allow cookies to
be accepted from other IP addresses.
6. You can specify a virtual URL. For more information on the virtual URL, see
"About Origin-Style Redirection" on page 990.
7. Select the Challenge user after logout check box if the realm requires the users to
enter their credentials after they have logged out.
8. Click Apply.
1013
SGOS 6.2 Administration Guide
Notes
If you use guest authentication/authorization:
❐ Local realms provide split authorization, and it is possible to be successfully
authenticated but have authorization fail.
❐ If the Local realm validate authorized user command is disabled and the
user does not exist in the authorization realm, authorization is considered a
success and the user is assigned to the default group if there is one configured
and it is of interest to policy.
1014
Chapter 46: Local Realm Authentication and Authorization
Username
The username must be case-sensitively unique, and can be no more than 64
characters long. All characters are valid, except for a colon (:).
A new local user is enabled by default and has an empty password.
List of Groups
You cannot add a user to a group unless the group has previously been created in
the list. The group name must be case-sensitively unique, and can be no more
than 64 characters long. All characters are valid, except for colon (:).
The groups can be created in the list; however, their user permissions are defined
through policies only.
Hashed Password
The hashed password must be a valid UNIX DES or MD5 password whose plain-
text equivalent cannot be more than 64 characters long.
To populate the local user list using an off-box .htpasswd file, continue with the
next section. To populate the local user list using the ProxySG CLI, go to "Defining
the Local User List" on page 1014.
1015
SGOS 6.2 Administration Guide
Important: Because the -c option overwrites the existing file, do not use the option if
you are adding users to an existing .htpasswd file.
After you add the users to the .htpasswd file, you can manually edit the file to add
user groups. When the .htpasswd file is complete, it should have the following
format:
user:encrypted_password:group1,group2,…
user:encrypted_password:group1,group2,…
Note: You can also modify the users and groups once they are loaded on the
ProxySG. To modify the list once it is on the appliance, see "Populating a Local
User List through the ProxySG" on page 1017.
Note: To use the set_auth.pl script, you must have Perl binaries on the system
where the script is running.
1016
Chapter 46: Local Realm Authentication and Authorization
where username and password are valid administrator credentials for the
ProxySG.
Note: To add users and groups to the list, enter the following commands,
beginning with groups, since they must exist before you can add them to a
user account.
Note: If you enter a plain-text password, the ProxySG hashes the password. If
you enter a hashed password, the appliance does not hash it again.
1017
SGOS 6.2 Administration Guide
Note: If a user has no failed logins, the statistic does not display.
1018
Chapter 46: Local Realm Authentication and Authorization
Users:
Groups:
test1
Users:
Groups:
1019
SGOS 6.2 Administration Guide
Note: Refer to the SGOS 6.2 Content Policy Language Reference for details about
CPL and how transactions trigger the evaluation of policy file layers.
1020
Chapter 46: Local Realm Authentication and Authorization
.
.
.
[Rule]
deny
1021
SGOS 6.2 Administration Guide
1022
Chapter 47: Using BCAAA
Important: Refer to the Release Notes for this SGOS version for the most
updated information on BCAAA compatibility.
If you are upgrading SGOS, the Blue Coat SGOS Upgrade/Downgrade Guide
provides exact procedures to follow.
1023
SGOS 6.2 Administration Guide
1024
Chapter 47: Using BCAAA
For specific information about configuring the SiteMinder realm to work with
the CA eTrust policy servers, see Chapter 48: "CA eTrust SiteMinder
Authentication" on page 1043. For specific information about configuring the
COREid realm to work with Oracle COREid Access Servers, see Chapter 50:
"Oracle COREid Authentication" on page 1071.
❐ Windows Single Sign-on (SSO): The BCAAA service is used to supply
mappings for IP addresses to logged on users. The Windows SSO realm can
use domain controller querying, or client querying, or both domain controller
and client querying to determine the logged-on user.
To use domain controller querying, you must configure the sso.ini file to
enable it and to add the domain controllers you want to query. For
information on configuring the sso.ini file, see "Modifying the sso.ini File for
Windows SSO Realms" on page 1226.
❐ Novell SSO: The BCAAA service manages communication with the Novell
eDirectory server. This realm also requires that the sso.ini file be configured.
For information on configuring the sso.ini file, see "Modifying the sso.ini File
for Novell SSO Realms" on page 1126.
Performance Notes
Blue Coat recommends that the Windows BCAAA service be installed on a
dedicated Windows machine. Installation of any other non-essential software
might degrade the BCAAA service performance, which in turn degrades the user
experience.
This is because the BCAAA server is in the client data path for accessing protected
resources. Users make client requests to the ProxySG, which in turn proxies
authentication requests to the BCAAA service. The user must wait for the
authentication request to complete before the ProxySG responds to the user with a
protected resource.
The appendix discusses:
❐ "Installing the BCAAA Service on a Windows System" on page 1025
❐ "Installing the BCAAA Service on a Solaris System" on page 1031
❐ "Creating Service Principal Names for IWA Realms" on page 1032
❐ "Troubleshooting Authentication Agent Problems" on page 1034
❐ "Common BCAAA Event Messages" on page 1035
1025
SGOS 6.2 Administration Guide
Note: The firewall on Windows machine should be disabled for BCAAA to work.
To install BCAAA:
1. (Optional) If you plan to use BCAAA for IWA/Kerberos, Kerberos
Constrained Delegation, or Windows SSO, you must create a domain user
account for the BCAAA service in the Windows Active Directory (AD).
2. Log in to the Windows server where you plan to install BCAAA. If your
BCAAA deployment required you to create a domain user account, log in
using that account.
3. Download the setup package from BlueTouch Online (BTO):
https://bto.bluecoat.com/download/ProxySG
There are many versions of BCAAA available on BTO; you must use the one
that corresponds to the software version you are running on your appliance.
Select the corresponding SGOS version on the download page and click the
WindowsBCAAA link. After you accept the Software Download Rules, the
DOWNLOAD NOW link will display.
Note: You must have a BTO account before you can download BCAAA. If
you do not yet have an account, you can request one at the following URL:
http://www.bluecoat.com/support/supportservices/btorequest
4. Unzip the BCAAA Setup file and double-click the .exe file to launch the
BCAAA Setup.
5. To begin the setup, click Next.
6. Specify a Destination Folder for the BCAAA software. You can accept the default
location (C:\Program Files\Blue Coat Systems\BCAAA) or browse to a
different location. Make sure that anti-virus software is not configured to scan
the directory where you install BCAAA. Click Next to continue.
7. Specify the Port Number that BCAAA and the ProxySG appliance will use to
communicate. By default, both BCAAA and the ProxySG appliance use 16101.
If you choose a port other than the default, you must set the same value on the
ProxySG appliance. In addition, you must make sure that this port is not
blocked, for example by a firewall between the BCAAA server and the
ProxySG appliance or by the Windows firewall on the server where you are
installing BCAAA. Click Next to continue.
1026
Chapter 47: Using BCAAA
8. Select one of the following options to specify whether you want to use SSL
between the ProxySG appliance and BCAAA:
• Permitted—Both SSL and non-SSL connections can be used.
• Required—BCAAA and the ProxySG appliance can only connect using SSL.
1027
SGOS 6.2 Administration Guide
9. If you selected Permitted or Required, you will be prompted for the following
SSL configuration information:
• Certificate Subject—Enter the hostname of the server where you are
installing BCAAA; do not use the IP address. Your DNS server must be
able to resolve the hostname you supply. Click Next to continue. The
installation program checks to see if the server's certificate store already
contains a certificate with this subject name. If it does not find one, it
automatically generates a new self-signed certificate with the specified
subject name.
• Save the automatically generated certificate in the certificate store?—Select Yes
and then click Next to continue. Note that this option only appears if the
BCAAA installation generated a new self-signed certificate.
• Require the ProxySG to provide a valid certificate in order to connect?—
If you
want to use mutual SSL between BCAAA and the ProxySG, select Yes.
Otherwise, select No. After you make your selection, click Next to continue.
• Do you want to configure BCAAA to run as a domain user?—This
depends on
how you are using BCAAA. If you are using BCAAA with Novell SSO,
SiteMinder, COREid, IWA/Basic, IWA/NTLM, select No. If you are using
BCAAA with IWA/Kerberos, Kerberos Constrained Delegation, or
Windows SSO, select Yes. After you make your selection, click Next. If you
selected Yes, you will be prompted for the User Name and Password for the
domain user you created in Step 1. Note that the user name you supply
must include the domain name (for example, MYDOMAIN\bcaaa_user).
10. Verify the settings you defined and then click Install.
When installation completes, the final BCAAA screen displays.
11. (Kerberos Only) If you are using BCAAA with IWA/Kerberos or Kerberos
Constrained Delegation, configure the BCAAA Windows service on the
system where you just installed BCAAA to log on using the domain user
account you created for it in Step 1 rather than using the local system account.
On the Domain Controller, open the domain policy console and modify the
user rights assignment for the BCAAA domain account you created as
appropriate for your deployment:
• IWA/Kerberos: The domain account must have full access to the directory
where you installed BCAAA and must have rights to Act as part of the
operating system and rights to log on as a service. To enable Kerberos, you
must also assign a Service Principal Name (SPN) to the account. See
"Creating Service Principal Names for IWA Realms" on page 1032 for
details.
Kerberos Constrained Delegation: The domain account must be trusted for
delegation and have rights to delegate to the services specified in the ProxySG
appliance policy (that is, it must have rights to the SPN for the OCS referenced
in the authenticate.constrained_delegation action in policy).
1028
Chapter 47: Using BCAAA
2. Click Modify to re-enter the installation wizard; click Remove to uninstall the
BCAAA service from the system.
Note: For instructions on using the installation wizard, see "Installing the
BCAAA Service on a Windows System" on page 1025.
1029
SGOS 6.2 Administration Guide
2. Verify in Local Security Policy's User Rights Assignment folder that the BCAAA
Service user account has been added to the list of the Log on as a service policy.
• If you are doing Kerberos Constrained Delegation, ensure that the Active
Directory computer account running the BCAAA service has the Trust
computer for delegation configuration property enabled.
4. (Optional) For all users authenticating to the ProxySG using IWA realms, user
accounts in the Active Directory must have permission to log in to the
machine where the BCAAA server is running.
5. Go to the user’s account properties user account tab.
6. Click Log On To… to specify the domain that computers can log onto. If the
network environment restricts users to specific computers, then each user
must have the name of the host running the BCAAA service added to their
list.
To solve this:
1. Stop the BCAAA service.
1030
Chapter 47: Using BCAAA
2. From the Run prompt, type mmc, which is the Microsoft Management
Console.
3. Click File > Add/Remove Snap-in > Add > Certificates > Add Service Account > Local
Computer > BCAAA
Solutions:
❐ Make the BCAAA user a Domain Administrator or an Administrator of the
computer where the BCAAA service is running.
❐ Give the BCAAA user access the certificate store:
• Stop the BCAAA service.
• From the Run prompt, launch the regedit program to give the BCAAA
user full access to the following key and its children:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services
Note: For successful installation of the BCAAA service on a Solaris system, you
need libstdc++.so.5", usually installed with package
SFWgcc32 gcc-3.2 - GNU Compiler Collection Version 3.2
3. Answer the questions to install the service on your Solaris system. A sample
session is shown below:
1031
SGOS 6.2 Administration Guide
Note: Handling of the shared secret is done by Windows when the machine
joins the domain; there is no explicit knowledge of the shared secret by SGOS
or by BCAAA.
❐ Service Account
You can also create a service account for the BCAAA service and register the
SPN on the service account. This allows multiple servers to run BCAAA all
using the same account.
The advantage is the ability to have a backup BCAAA server. The
disadvantage is that it requires additional configuration on the Active
Directory server, the domain controller, and on each BCAAA machine. It is
also less secure, since the BCAAA account password is shared among
multiple machines.
1032
Chapter 47: Using BCAAA
where name is the name of the account created in step 1 and the FQDN is the
virtual URL that was set in the authentication realm. For example:
setspn -A HTTP/krbproxy.authteam.waterloo.bluecoat.com authteam\krb-
bcaaa
2. Ensure that the Active Directory computer account running the BCAAA
service has the Trust computer for delegation configuration property
enabled.
On each machine where you want to run the BCAAA service:
1. Install the BCAAA service as normal.
2. Open the Properties panel for the BCAAA service and select the Logon tab.
Change the account to the one you created on the Active Directory server, and
enter the password. When you click OK, it might warn you that the account
has been granted Log On as A Service right.
3. Change the security on the BCAAA install directory to give the account
created on the Active Directory server full control.
All these machines now share the same secret with the KDC and can decrypt
service tickets intended for the service described by the SPN.
1033
SGOS 6.2 Administration Guide
1034
Chapter 47: Using BCAAA
1002 Authentication Agent stopped This indicates normal shutdown of the service.
1003 ProxySG (a.b.c.d) connected; This indicates a ProxySG has connected to the agent
Process # spawned as # (Windows only).
1004 ProxySG agent process exited This indicates normal logout by a ProxySG.
(normal logout)
1035
SGOS 6.2 Administration Guide
1205 Various The agent was unable to close the Windows mutex
named for the reason given.
1207 GetAclInformation failed The agent was unable to obtain ACL information
needed to do group authorization checks.
1209 GetKernelObjectSecurity The agent was unable to obtain security
failed for AuthGroup='%s' information about the specified group.
1210 SetKernelObjectSecurity The agent was unable to set up security information
failed for the reason specified.
1036
Chapter 47: Using BCAAA
1228 IWA: The agent could not impersonate the specified user.
ImpersonateSecurityContext
failed; Group access denied
for user '%s'
1037
SGOS 6.2 Administration Guide
1038
Chapter 47: Using BCAAA
1502 Unable to allocate memory for The agent could not allocate some needed memory.
ContextLink buffer.
1610 Unsupported service control Windows sent a service control code that the agent
code: # does not support.
1701 WSASocket failed The agent could not create a Windows socket for
the reason given.
1702 WSAStartup failed. The agent could not start the Windows socket for
the reason given.
1703 Various The agent could not send data to the ProxySG for
the reason given.
1704 Various The agent could not receive data from the ProxySG
for the reason given.
1705 accept failed The agent dispatcher could not initialize to accept
new connections.
1706 bind failed, PortNumber=# The agent dispatcher could not bind to the specified
port.
1039
SGOS 6.2 Administration Guide
1710 WSARecv failed reading bytes Windows reported an error when the agent tried to
from socket receive bytes from the ProxySG.
1711 WSASend failed sending bytes Windows reported an error when the agent tried to
to socket. send bytes to the ProxySG.
1712 Various A socket I/O operation did not complete
successfully.
1801 Error calling The agent could not acquire its credentials from
AcquireCredentialsHandle Windows.
1803 Various The agent could not load a needed library (DLL).
1804 Various The agent could not locate the needed services in a
library (DLL).
1805 Unsupported SSPI Windows The reported Windows platform is not supported
platform; PlatformId=# for NTLM authentication.
1806 Error calling The agent could not determine the authenticated
QueryContextAttributes user's security attributes.
1807 QuerySecurityPackageInfo The agent could not get needed security
failed information from Windows.
1808 Max Token size too long (#); The client supplied an NTLM token that is too long.
max size is #
1809 FreeContextBuffer failed An attempt to free the NTLM context buffer failed.
1811 Username 'x\\y' too long The reported user name is too long.
1901 Admin Services Error: Access The agent was unable to access necessary
denied to domain/user/group information.
information
1902 Admin Services Error: Invalid The computer to be used to get security information
computer from which to fetch is invalid.
information
1903 Admin Services Error: Group The requested group could not be found.
not found
1040
Chapter 47: Using BCAAA
1906 Admin service out of memory The browsing service ran out of memory.
1907 Search request object too The requested object for browsing is too long.
long: # > #
2000 AcquireCredentialsHandle The agent could not acquire the credentials needed
failed: 0x# for an SSL session.
2001 Various The agent was unable to negotiate an SSL session
for the reason given.
2002 Various An I/O error occurred during an SSL session.
2003 Various The specified cryptographic error occurred during
an SSL session.
2004 Various The specified problem occurred with a certificate
during SSL negotiation.
2204 Cannot create incremental The local computer might not have the necessary
persistence file; registry information or message DLL files to
status=3:0x3:The system cannot display messages from a remote computer. You
find the path specified. might be able to use the /AUXSOURCE= flag to
retrieve this description; see Help and Support for
details.
2205 Could not initialize SSO; The local computer might not have the necessary
status=3:0x3:The system cannot registry information or message DLL files to
find the path specified. display messages from a remote computer. You
might be able to use the /AUXSOURCE= flag to
retrieve this description; see Help and Support for
details.
1041
SGOS 6.2 Administration Guide
1042
Chapter 48: CA eTrust SiteMinder Authentication
1043
SGOS 6.2 Administration Guide
Note: Each (active) SiteMinder realm on the ProxySG must reference a different
agent on the Policy Server.
Note: The request URL is not sent to the SiteMinder policy server as the
requested resource; the requested resource is the entire ProxySG realm. Access
control of individual URLs is done on the ProxySG using CPL or VPM.
The SiteMinder realm that controls the protected resource must be configured
with a compatible authentication scheme. The supported schemes are Basic (in
plain text and over SSL), Forms (in plain text and over SSL), and X.509 certificates.
Configure the SiteMinder realm with one of these authentication schemes.
Note: Only the following X.509 Certificates are supported: X.509 Client Cert
Template, X.509 Client Cert and Basic Template, and X.509 Client Cert and Form
Template.
1044
Chapter 48: CA eTrust SiteMinder Authentication
❐ In order to use off-box redirection (such as an SSO realm), all agents involved
must have the setting EncryptAgentName=no in their configurations.
❐ The ProxySG's credential cache only caches the user's authentication
information for the smaller of the time-to-live (TTL) configured on the
ProxySG and the session TTL configured on the SiteMinder policy server.
1045
SGOS 6.2 Administration Guide
❐ Provide BCAAA with the information that allows it to find the SiteMinder
policy server (IP address, ports, connection information.)
❐ Provide BCAAA with the information that it needs to do authentication and
collect authorization information (protected resource name), and general
options (server fail-over and off-box redirection)
For more information on configuring the ProxySG SiteMinder realm, see
"Creating a SiteMinder Realm" on page 1047.
Note: All ProxySG and agent configuration occurs on the appliance. The
ProxySG sends the necessary information to BCAAA when it establishes
communication.
1046
Chapter 48: CA eTrust SiteMinder Authentication
3. In the Realm name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter. The name should be meaningful to you, but it does not
have to be the name of the SiteMinder policy server.
4. Click OK.
5. Click Apply.
1047
SGOS 6.2 Administration Guide
2
3
1048
Chapter 48: CA eTrust SiteMinder Authentication
4. Enter the name of the server in the dialog. This name is used only to identify
the server in the ProxySG’s configuration; it usually is the real hostname of the
SiteMinder policy server.
5. Click OK.
6. To edit an existing SiteMinder policy server, highlight the server and click Edit.
The Edit SiteMinder Server.
1049
SGOS 6.2 Administration Guide
7a
7b
7c
7d
7e
1050
Chapter 48: CA eTrust SiteMinder Authentication
2a
2b
2c
Note: The server mode describes the way the agent (the BCAAA service)
interacts with the SiteMinder policy server, not the way that ProxySG
interacts with BCAAA.
Note: All SiteMinder Web agents involved must have the setting
EncryptAgentName=no in their configurations to go off-box for any reason.
If using SiteMinder forms for authentication, the ProxySG always redirects the
browser to the forms URL for authentication. You can force this behavior for
other SiteMinder schemes by configuring the always redirect off-box property on
the realm.
4. If your Web applications need information from the SiteMinder policy server
responses, you can select Add Header Responses. Responses from the policy
server obtained during authentication are added to each request forwarded by
the ProxySG. Header responses replace any existing header of the same name;
if no such header exists, the header is added. Cookie responses replace a
cookie header with the same cookie name; if no such cookie header exists, one
is added.
1051
SGOS 6.2 Administration Guide
4a
4b
4c
1052
Chapter 48: CA eTrust SiteMinder Authentication
b. Select Use FQDN or to determine through search criteria, which uses the
FQDN or full username determined while identifying the user during
the authentication process. -or-
c. Select Determine by search, which enables the fields below. Specify the
following to focus the search:
• LDAP search realm name: An LDAP realm to search. In most cases,
this is the same as the LDAP realm used for authorization.
• Search filter:
Used during the LDAP search. This search filter can
contain policy substitutions including the $(cs-username)
substitution.
• User attribute: An attribute on the entry returned in the LDAP
search results that has the value to use as the authorization
username. In most cases this is the FQDN of the user entry.
5. (Optional) Click Set Users to Ignore to add a list of users excluded from
searches.
6. Click Apply.
2. From the Realm name drop-down list, select the SiteMinder realm for which
you want to change properties.
1053
SGOS 6.2 Administration Guide
3. If needed, change the SiteMinder realm display name. The default value for
the display name is the realm name. The display name cannot be greater than
128 characters and it cannot be empty.
4. Configure refresh options:
a. Select the Use the same refresh time for all check box if you would like to
use the same refresh time for all.
b. Enter the number of seconds in the Credential refresh time field. The
Credential Refresh Time is the amount of time Basic credentials
(username and password) are kept on the ProxySG. This feature
allows the ProxySG to reduce the load on the authentication server
and enables credential spoofing. It has a default setting of 900 seconds
(15 minutes). You can configure this in policy for better control over
the resources as policy overrides any settings made here. Before the
refresh time expires, the ProxySG authenticates the user supplied
credentials against the cached credentials. If the credentials received
do not match the cached credentials, they are forwarded to the
authentication server in case the user password changed. After the
refresh time expires, the credentials are forwarded to the
authentication server for verification.
c. Enter the number of seconds in the Surrogate refresh time field. The
Surrogate Refresh Time allows you to set a realm default for how often
a user’s surrogate credentials are refreshed. Surrogate credentials are
credentials accepted in place of a user’s actual credentials. The default
setting is 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made
here.
Before the refresh time expires, if a surrogate credential (IP address or
cookie) is available and it matches the expected surrogate credential, the
ProxySG authenticates the transaction. After the refresh time expires, the
ProxySG verifies the user’s credentials. Depending upon the
authentication mode and the user-agent, this may result in challenging the
end user for credentials.
The main goal of this feature is to verify that the user-agent still has the
appropriate credentials.
5. Enter the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
6. If you use Basic credentials and want to cache failed authentication attempts
(to reduce the load on the authentication service), enter the number of seconds
in the Rejected Credentials time field. This setting, enabled by default and set to
one second, allows failed authentication attempts to be automatically rejected
for up to 10 seconds. Any Basic credentials that match a failed result before its
cache time expires are rejected without consulting the back-end authentication
1054
Chapter 48: CA eTrust SiteMinder Authentication
service. The original failed authentication result is returned for the new
request. All failed authentication attempts can be cached: Bad password,
expired account, disabled account, old password, server down. To disable
caching for failed authentication attempts, set the Rejected Credentials time field
to 0.
7. Configure cookie options:
a. Select the Use persistent cookies check box to use persistent browser
cookies instead of session browser cookies.
b. Select the Verify the IP address in the cookie check box if you would like
the cookies surrogate credentials to only be accepted for the IP address
that the cookie was authenticated. Disabling this allows cookies to be
accepted from other IP addresses.
8. Specify the virtual URL to redirect the user to when they need to be
challenged by the ProxySG. If the appliance is participating in SSO, the virtual
hostname must be in the same cookie domain as the other servers
participating in the SSO. It cannot be an IP address or the default,
www.cfauth.com.
9. Select the Challenge user after logout check box if the realm requires the users to
enter their credentials after they have logged out.
10. Click Apply.
1055
SGOS 6.2 Administration Guide
1056
Chapter 48: CA eTrust SiteMinder Authentication
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file <Proxy> and other layers.
Configuration
1. Download and install the BCAAA service.
2. Set up the SiteMinder server; be sure to configure the SMSession cookie and
the BCSI_USERNAME variable on the SiteMinder server.
3. Configure an LDAP, XML, or Local realm that can be used to authorize users.
1057
SGOS 6.2 Administration Guide
Behavior
❐ ProxySG receives a request for a user.
• If this request does not contain an SMSession cookie (user
unauthenticated), the ProxySG redirects the request to the central
authentication service. The URL of the service is configured in the scheme
definition on the SiteMinder policy server. When the request returns from
the central authentication service, the SMSession cookie is extracted and
sent to the BCAAA service for validation.
• If the request does contain an SMSession cookie, the ProxySG passes the
SMSession cookie through the BCAAA service for validation and
authentication.
❐ The SiteMinder policy server authenticates the user and sends the LDAP
attribute of the user (UID) in the BCSI_USERNAME variable to the BCAAA
service, which then passes it on the ProxySG.
❐ The ProxySG uses the UID attribute to do an LDAP search, identifying the
user FQDN.
❐ The ProxySG uses the FQDN to construct an LDAP query to the authorization
LDAP realm server to compare and validate group membership.
You can use the result to check group-based policy.
1058
Chapter 49: Certificate Realm Authentication
If you have a Public Key Infrastructure (PKI) in place, you can configure the
ProxySG to authenticate users based on their X.509 certificates by creating a
certificate realm. Additionally, if the users are members of an LDAP, XML, or
Local group, you can configure the certificate realm to forward the user
credentials to the LDAP, XML, or Local realm for authorization.
The following topics describe how to set up and configure a certificate realm:
❐ "How a Certificate Realm Works" on page 1059
❐ "Configuring Certificate Realms" on page 1060
❐ "Specifying an Authorization Realm" on page 1065
❐ "Revoking User Certificates" on page 1067
❐ "Creating a Certificate Authorization Policy" on page 1067
❐ "Tips" on page 1068
❐ "Certificate Realm Example" on page 1069
Note: If you authenticate with a certificate realm, you cannot also challenge for
a password.
1059
SGOS 6.2 Administration Guide
3. In the Realm name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter.
4. Click OK.
5. Click Apply.
1060
Chapter 49: Certificate Realm Authentication
2
3
4
2. From the Realm name drop-down list, select the Certificate realm for which you
want to change realm properties.
3. In the username field, enter the substitution that specifies the common name in
the subject of the certificate. $(CN.1) is the default. Be aware that multiple
attributes can be entered into the field to build complex substitutions.
4. (Optional) In the Full Username field, enter the substitutions used to construct
the user's full username. For example, the user principal name (UPN) or
LDAP distinguished name (DN). The field is empty by default.
The substitutions used to construct the username use the following parser
format:
Parser Format
$([attributename=][field][.generalName[.generalNameindex]]
[.attribute[.attribute index]])
To see how the parser works, examine the client certificate example and the
resulting substitutions in the table.
1061
SGOS 6.2 Administration Guide
1062
Chapter 49: Certificate Realm Authentication
Note: Starting in SGOS version 5.4, the username is no longer appended to the
container attribute list. If you upgrade from a pervious version, the existing
substitutions are converted to the new parser, but may require a manual
update.
5. Add or delete OIDs to enforce Extended Key Usage fields in a certificate. The
list is empty by default. For example, to enforce a Microsoft Smart Card Logon
OID, add a valid OID such as 1.3.6.1.4.1.311.20.2.2.
6. Click Apply to complete the changes.
1063
SGOS 6.2 Administration Guide
2. From the Realm name drop-down list, select the Certificate realm to modify.
3. If necessary, change the realm’s display name.
4. Configure refresh options:
a. Select Use the same refresh time for all to use the same refresh time for all.
b. Enter the number of seconds in the Surrogate refresh time field. The
Surrogate Refresh Time allows you to set a realm default for how often
a user’s surrogate credentials are refreshed. Surrogate credentials are
credentials accepted in place of a user’s actual credentials. The default
setting is 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made
here.
Before the refresh time expires, if a surrogate credential (IP address or
cookie) is available and it matches the expected surrogate credential, the
ProxySG authenticates the transaction. After the refresh time expires, the
ProxySG will verify the user’s certificate.
c. Enter the number of seconds in the Authorization refresh time field. The
Authorization Refresh Time allows you to manage how often the
authorization data is verified with the authentication realm. It has a
default setting of 900 seconds (15 minutes). You can configure this in
policy for better control over the resources as policy overrides any
settings made here.
5. Enter the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
1064
Chapter 49: Certificate Realm Authentication
1065
SGOS 6.2 Administration Guide
4a
4b
4c
2. Select the certificate realm for which you want to configure authorization
from the Realm name drop-down list.
3. Select the realm that you will use for authorization from the Authorization realm
name drop-down list. You can use an LDAP, Local, or XML realm to authorize
the users in a certificate realm.
4. Configure authorization options. You cannot always construct the user's
authorization username from the substitutions available. If not, you can
search on a LDAP server for a user with an attribute matching the substitution
and then use the FQDN for the matched user as the authorization username.
Authorization would then be done on that authorization username.:
a. In the Authorization username field, enter the substitution to use to
identify the user. The default authorization username is $(cs-
username). You can use any policy substitutions. -or-
b. Select Use FQDN or to determine through search criteria, which uses the
FQDN or full username determined while identifying the user during
the authentication process. -or-
c. Select Determine by search, which enables the fields below. Specify the
following to focus the search:
• LDAP search realm name: An LDAP realm to search. In most cases,
this is the same as the LDAP realm used for authorization.
• Search filter:
Used during the LDAP search. This search filter can
contain policy substitutions, including the $(cs-username)
substitution.
• User attribute: An attribute on the entry returned in the LDAP
search results that has the value to use as the authorization
username. In most cases this is the FQDN of the user entry.
1066
Chapter 49: Certificate Realm Authentication
5. (Optional) Click Set Users to Ignore to add a list of users excluded from
searches.
6. Click Apply.
Note: This method of revoking user certificates is meant for those with a small
number of certificates to manage. For information on using automatically
updated lists, see "Using Certificate Revocation Lists" on page 1182.
Example
If you have only one Certificate Signing Authority signing user certificates, you
do not need to test the issuer. In the <Proxy> layer of the Local Policy file:
<proxy>
deny user.x509.serialnumber=11
deny user.x509.serialNumber=0F
If you have multiple Certificate Signing Authorities, test both the issuer and the
serial number. In the <Proxy> layer of the Local Policy file:
<proxy>
deny
user.x509.issuer="Email=name,CN=name,OU=name,O=company,L=city,ST=state
or province,C=country" user.x509.serialnumber=11\
deny user.x509.issuer="CN=name,OU=name,O=company, L=city,ST=state or
province,C=country" \
deny user.x509.serialnumber=2CB06E9F00000000000B
1067
SGOS 6.2 Administration Guide
Note: Refer to the Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file <Proxy> and other layers.
Be aware that the default policy condition for these examples is allow. On new
SGOS systems, the default policy condition is deny.
❐ Every certificate realm authenticated user is allowed access the ProxySG.
<Proxy>
authenticate(CertificateRealm)
Tips
If you use a certificate realm and see an error message similar to the following
Realm configuration error for realm "cert": connection is not SSL.
This means that certificate authentication was requested for a transaction, but the
transaction was not done on an SSL connection, so no certificate was available.
This can happen in three ways:
❐ The authenticate mode is either origin-IP-redirect/origin-cookie-redirect
or origin-IP/origin-cookie, but the virtual URL does not have an https:
scheme. This is likely if authentication through a certificate realm is selected
with no other configuration, because the default configuration does not use
SSL for the virtual URL.
1068
Chapter 49: Certificate Realm Authentication
Configuration
1. Configure an HTTPS reverse proxy as explained in "Creating an HTTPS
Reverse Proxy Service" on page 327. Be sure to enable the Verify Client option.
2. Configure SSL between the client and ProxySG (for more information, see
"Using SSL with Authentication and Authorization Services" on page 996).
3. Verify that the certificate authority that signed the client's certificates is in the
ProxySG trusted list.
4. Make sure that ProxySG CRL is correct (for more information, see "Using
Certificate Revocation Lists" on page 1182.)
5. Create a Certificate Authority Certificate List (CCL) and add the CA that
created the certificate to the CCL. (For more information, see "Creating CA
Certificate Lists" on page 1191.)
6. Configure the certificate realm:
• Use the Configuration > Authentication > Certificate > Realms tab to name the
realm.
• Use the Configuration > Authentication > Certificate > Main tab to define the
substitutions used to retrieve the username from the certificate field:
• Username
• Full username
• Extended key usage OIDs
• Use the Configuration > Authentication > Certificate > Authorization tab to:
• Specify the LDAP realm to search
• Select the Determine by search radio button and specify a search filter to
map the username to a specific LDAP attribute, such as (email=$(cs-
username))
1069
SGOS 6.2 Administration Guide
• Use the Configuration > Authentication > Certificate > General tab to set:
• Refresh times
• Inactivity timeout
• Cookies
• Virtual URL
Behavior
❐ The ProxySG retrieves the end-user PKI certificate from the browser when an
HTTP request is received for the domain.
❐ The user enters the smart card and pin code information into the browser.
❐ The browser retrieves the certificate from a smart card or from within a web
browser's certificate store and sends it to the ProxySG.
• For a specific destination, the certificate must be a validate certificate from
a specific Certificate Authority and the certificate must not be revoked.
• The e-mail address being used as the username must be retrieved from the
certificate as a unique ID for the user.
❐ The ProxySG does an LDAP search operation with the retrieved username from
the certificate. If only one entry in the LDAP server exists with this e-mail
address, the user is authenticated. If the user has the correct group attributes,
the user is authorized to access the Web site.
1070
Chapter 50: Oracle COREid Authentication
1071
SGOS 6.2 Administration Guide
Note: Blue Coat assumes you are familiar with the configuration of the COREid
Access System and WebGates.
Important: The request URL is not sent to the Access System as the requested resource;
the requested resource is the entire ProxySG realm. Access control of individual URLs is
done on the ProxySG using policy.
The COREid policy domain that controls the protected resource must use one of
the challenge methods supported by the ProxySG.
Supported challenge methods are Basic, X.509 Certificates and Forms. Acquiring
the credentials over SSL is supported as well as challenge redirects to another
server.
The ProxySG requires information about the authenticated user to be returned as
COREid authorization actions for the associated protected resource. Since
authentication actions are not returned when a session token is simply validated,
the actions must be authorization and not authentication actions.
The following authorization actions should be set for all three authorization types
(Success, Failure, and Inconclusive):
❐ A HeaderVar action with the name BCSI_USERNAME and with the value
corresponding to the simple username of the authenticated user. For example,
with an LDAP directory this might be the value of the cn attribute or the uid
attribute.
❐ A HeaderVar action with the name BCSI_GROUPS and the value corresponding
to the list of groups to which the authenticated user belongs. For example,
with an LDAP directory this might be the value of the memberOf attribute.
1072
Chapter 50: Oracle COREid Authentication
After the COREid AccessGate, authentication scheme, policy domain, rules, and
actions have been defined, the ProxySGcan be configured.
Note: The ProxySG credential cache only caches the user's authentication
information for the lesser of the two values of the time-to-live (TTL) configured
on the ProxySG and the session TTL configured in the Access System for the
AccessGate.
Note: All ProxySG and agent configuration occurs on the appliance. The
appliance sends the necessary information to BCAAA when it establishes
communication.
1073
SGOS 6.2 Administration Guide
Note: The ProxySG must not attempt to authenticate a request for the off-box
authentication URL. If necessary, authenticate(no) can be used in policy to
prevent this.
3. In the Realm name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter. The name should be meaningful to you, but it does not
have to be the name of the COREid AccessGate.
1074
Chapter 50: Oracle COREid Authentication
2. From the Realm Name drop-down list, select the COREid realm.
3. Configure the Primary Agent:
a. In the Primary agent section, enter the hostname or IP address where the
agent resides.
b. Change the port from the default of 16101 if necessary.
c. Enter the AccessGate ID in the AccessGate id field. The AccessGate ID is
the ID of the AccessGate as configured in the Access System.
d. If an AccessGate password has been configured in the Access System,
you must specify the password on the ProxySG. Click Change Secret
and enter the password. The passwords can be up to 64 characters long
and are always case sensitive.
4. (Optional) Enter an alternate agent host and AccessGate ID in the Alternate
agent section.
1075
SGOS 6.2 Administration Guide
5. (Optional) Select Enable SSL to enable SSL between the ProxySG and the
BCAAA agent. Select the SSL device profile that this realm uses to make an
SSL connection to a remote system. Select any device profile that displays in
the drop-down list. For information on using device profiles, see "About SSL
Device Profiles" on page 1330.
6. Specify the length of time in the Timeout Request field, in seconds, to elapse
before timeout if a response from BCAAA is not received. (The default request
timeout is 60 seconds.)
7. If you want username and group comparisons on the ProxySG to be case
sensitive, select Case sensitive.
8. Click Apply.
1076
Chapter 50: Oracle COREid Authentication
1077
SGOS 6.2 Administration Guide
2. From the Realm name drop-down list, select the COREid realm for which you
want to change properties.
3. If needed, change the COREid realm display name. The default value for the
display name is the realm name. The display name cannot be greater than 128
characters and it cannot be null.
4. Select the Use the same refresh time for all option to use the same refresh time for
all.
5. Enter the number of seconds in the Credential refresh time field. The Credential
Refresh Time is the amount of time basic credentials (username and
password) are kept on the ProxySG. This feature allows the ProxySG to reduce
the load on the authentication server and enables credential spoofing. It has a
default setting of 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made here.
Before the refresh time expires, the ProxySG authenticates the user supplied
credentials against the cached credentials. If the credentials received do not
match the cached credentials, they are forwarded to the authentication server
in case the user password changed. After the refresh time expires, the
credentials are forwarded to the authentication server for verification.
6. Enter the number of seconds in the Surrogate refresh time field. The Surrogate
Refresh Time allows you to set a realm default for how often a user’s
surrogate credentials are refreshed. Surrogate credentials are credentials
accepted in place of a user’s actual credentials. The default setting is 900
seconds (15 minutes). You can configure this in policy for better control over
the resources as policy overrides any settings made here.
1078
Chapter 50: Oracle COREid Authentication
Before the refresh time expires, if a surrogate credential (IP address or cookie)
is available and it matches the expected surrogate credential, the ProxySG
authenticates the transaction. After the refresh time expires, the ProxySG will
verify the user’s credentials. Depending upon the authentication mode and
the user-agent, this may result in challenging the end user for credentials.
The main goal of this feature is to verify that the user-agent still has the
appropriate credentials.
7. Type the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
8. If you use Basic credentials and want to cache failed authentication attempts
(to reduce the load on the authentication service), enter the number of seconds
in the Rejected Credentials time field. This setting, enabled by default and set to
one second, allows failed authentication attempts to be automatically rejected
for up to 10 seconds. Any Basic credentials that match a failed result before its
cache time expires are rejected without consulting the back-end authentication
service. The original failed authentication result is returned for the new
request.
All failed authentication attempts can be cached: Bad password, expired
account, disabled account, old password, server down.
To disable caching for failed authentication attempts, set the Rejected
Credentials time field to 0.
9. Select the Use persistent cookies check box to use persistent browser cookies
instead of session browser cookies.
10. Select the Verify the IP address in the cookie check box if you would like the
cookies surrogate credentials to only be accepted for the IP address that the
cookie was authenticated. Disabling this will allow cookies to be accepted
from other IP addresses.
11. Specify the virtual URL to redirect the user to when they need to be
challenged by the ProxySG. If the appliance is participating in SSO, the virtual
hostname must be in the same cookie domain as the other servers
participating in the SSO. It cannot be an IP address or the default,
www.cfauth.com.
12. Select the Challenge user after logout option if the realm requires the users to
enter their credentials after they have logged out.
13. Click Apply.
1079
SGOS 6.2 Administration Guide
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file <Proxy> and other layers.
1080
Chapter 51: IWA Realm Authentication and Authorization
About IWA
IWA is a Microsoft-proprietary authentication suite that allows Windows
clients (running on Windows 2000 and higher) to automatically choose
between using Kerberos and NTLM authentication challenge/response, as
appropriate. When an IWA realm is used and a resource is requested by the
client from the ProxySG, the appliance contacts the client's domain account to
verify the client's identity and request an access token. The access token is
generated by the domain controller (in case of NTLM authentication) or a
Kerberos server (in the case of Kerberos authentication) and passed to (and if
valid, accepted by) the ProxySG.
Refer to the Microsoft Web site for detailed information about the IWA
protocol.
1081
SGOS 6.2 Administration Guide
3. In the Realm name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter.
4. Enter the primary server host for the machine running BCAAA. You must
enter a valid host or an error message is generated.
5. (Optional) The default port is 16101. You can change the port number if the
primary server is listening on a different port.
6. Click OK to close the dialog.
7. Select Apply.
1082
Chapter 51: IWA Realm Authentication and Authorization
2. From the Realm name drop-down list, select the IWA realm for which you want
to change server properties.
You must define at least one IWA realm (using the IWA Realms page) before
attempting to set IWA server properties. If the message Realms must be added in
the IWA Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any IWA realms defined
3. Specify the host and port for the primary IWA server. The default port is 16101.
Optionally, specify the host and port for an alternate IWA server.
4. (Optional) In the SSL Options area, SSL Options, select SSL enable to enable SSL.
Select the SSL device profile that this realm uses to make an SSL connection to
a remote system. You can choose any device profile that displays in the drop-
down list. For information on using device profiles, see "Appliance
Certificates and SSL Device Profiles" on page 1330.
5. In the Timeout Request field, enter the number of seconds the ProxySG allows
for each request attempt before timing out. (The default request timeout is 60
seconds.)
6. Configure credentials:
a. You can enable or disable support for Basic credentials in the realm by
selecting or deselecting the Allow Basic credentials checkbox.
At least one Basic or NTLM/Kerberos credential must be enabled. Note
that Basic credentials cannot be disabled in the IWA realm if the IWA
realm is part of a sequence realm but is not the first realm in the sequence
with try IWA authentication only once enabled.
You can disable both NTLM and Kerberos credentials, leaving a realm that
collects plaintext credentials but validates them against a Windows
domain.
1083
SGOS 6.2 Administration Guide
2. Configure realm name from the Realm name drop-down list, select the IWA
realm for which you want to change properties.
1084
Chapter 51: IWA Realm Authentication and Authorization
3. If needed, change the IWA realm display name. The default value for the
display name is the realm name. The display name cannot be greater than 128
characters and it cannot be null.
4. Configure refresh options:
a. Select the Use the same refresh time for all check box if you would like to
use the same refresh time for all.
b. Enter the number of seconds in the Credential refresh time field. The
Credential Refresh Time is the amount of time basic credentials
(username and password) are kept on the ProxySG. This feature
allows the ProxySG to reduce the load on the authentication server
and enables credential spoofing. It has a default setting of 900 seconds
(15 minutes). You can configure this in policy for better control over
the resources as policy overrides any settings made here.
Before the refresh time expires, the ProxySG will authenticate the user
supplied credentials against the cached credentials. If the credentials
received do not match the cached credentials, they are forwarded to the
authentication server in case the user password changed. After the refresh
time expires, the credentials are forwarded to the authentication server for
verification.
c. Enter the number of seconds in the Surrogate refresh time field. The
Surrogate Refresh Time allows you to set a realm default for how often
a user’s surrogate credentials are refreshed. Surrogate credentials are
credentials accepted in place of a user’s actual credentials. The default
setting is 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made
here.
Before the refresh time expires, if a surrogate credential (IP address or
cookie) is available and it matches the expected surrogate credential, the
ProxySG authenticates the transaction. After the refresh time expires, the
ProxySG will verify the user’s credentials. Depending upon the
authentication mode and the user-agent, this may result in challenging the
end user for credentials.
The main goal of this feature is to verify that the user-agent still has the
appropriate credentials.
5. Type the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
6. If you use Basic credentials and want to cache failed authentication attempts
(to reduce the load on the authentication service), enter the number of seconds
in the Rejected Credentials time field. This setting, enabled by default and set to
one second, allows failed authentication attempts to be automatically rejected
for up to 10 seconds. Any Basic credentials that match a failed result before its
cache time expires are rejected without consulting the back-end authentication
service. The original failed authentication result is returned for the new
request.
1085
SGOS 6.2 Administration Guide
Note: The virtual URL is not involved if the challenge does not redirect.
You can specify a virtual URL based on the individual realm. For more
information on the virtual URL, see "About Origin-Style Redirection" on page
990.
When NTLM is in use, requests to the virtual URL must be sent to the proxy.
This can be done either by transparent redirection or by making the virtual
URL hostname resolve to an IP address of the proxy.
When Kerberos is in use:
• The virtual URL hostname must be part of the Kerberos realm (this is
using the term realm in the Kerberos sense, not the ProxySG sense).
• For a forward proxy, this hostname should be added to the DNS server for
the same domain as the Kerberos protected resources so that requests for
this address go directly to the ProxySG.
In both NTLM and Kerberos, if single-sign on is desired, then the virtual URL
hostname must have no dots and must not be proxied by the browser. The
client must be able to resolve this hostname to an IP address of the proxy.
9. Select the Challenge user after logout check box if the realm requires the users to
enter their credentials after they have logged out.
10. Select Apply.
1086
Chapter 51: IWA Realm Authentication and Authorization
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.
1087
SGOS 6.2 Administration Guide
Notes
❐ Forms authentication modes cannot be used with an IWA realm that allows
only NTLM/Kerberos credentials. If a form mode is in use and the
authentication realm is an IWA realm, you receive a configuration error.
❐ For Windows Internet Explorer IWA users who want true single-sign-on
(allowing Internet Explorer to provide your credentials automatically when
challenged), you must set the virtual URL to a hostname that is resolvable to
the IP address of the ProxySG by the client machines. Dots (for example,
10.1.1.1) are not allowed.
Note: Firefox (1.02 and higher) allows NTLM credentials for single sign-on
but not Kerberos.
For Windows Internet Explorer 6.x, add the virtual host address.
❐ If you use guest authentication, remember that IWA/NTLM realms retrieve
authorization data at the same time as the user is authenticated. In some cases,
the system can distinguish between an authentication and authorization
failure. Where the system cannot determine if the error was due to
authentication or authorization, both the authentication and authorization are
considered to be failed.
1088
Chapter 52: Kerberos Constrained Delegation
Note: The ProxySG can handle extended Kerberos tickets, such as 32k
authentication tokens. Note that the Kerberos token and other request headers
must fit within the maximum size of the HTTP request header (128k).
1089
SGOS 6.2 Administration Guide
PROCESS FLOW:
1: The user requests a service from a Windows Server that is marked for KCD.
2: The proxy challenges the user for their identity.
3: The user provides identification and authenticates to the proxy.
4: The proxy queries the BCAAA for a ticket to the OCS on behalf of the authenticated user.
5. BCAAA goes to the Ticket Granting Server (which runs on the Active Directory server)
and retrieves a ticket.
6. BCAAA sends the ticket to the proxy.
7: Proxy now caches the ticket for future requests to this OCS from this user.
8: Proxy requests page from the OCS with the ticket attached to authenticate the user.
9: OCS responds to the Proxy with the page
10: Proxy responds to the client with the page.
1090
Chapter 52: Kerberos Constrained Delegation
Requirements
Kerberos authentication requires two names to function: the user name (user
principal name) and the service name (service principal name of the OCS). By
default the ProxySG autogenerates SPNs in a similar manner to how Microsoft
Internet Explorer autogenerates the SPN of the server it is attempting to
authenticate to. You can override default behavior by setting the SPN using the
VPM object: Add Kerberos Constrained Delegation Object.
Kerberos Constrained Delegation requires running the Windows domain at a
Windows 2003 functional level. Although Windows Server 2000 supports the
Kerberos protocol, it does not support constrained delegation and the protocol
transition extensions, both of which are necessary.
1. Create and configure an Configuration > Authentication For general information about
authentication realm. > Authentication Realm realms, see "Controlling User
• KCD requires a full Access with Identity-based
username (user principal Access Controls" on page 978.
name) to function. For information about a specific
• (Optional) Determine a authentication realms, see the
user’s authorization data. corresponding section.
2. Create and configure an IWA Configuration > Authentication "Creating an IWA Realm" on
realm to handle Kerberos. > IWA page 1082
• IWA Realm must use SSL
to connect to the BCAAA Configuration > SSL > Device "Appliance Certificates and SSL
server. Profiles > Profiles Device Profiles" on page 1330
• IWA Realm must provide a
certificate that BCAAA can
verify.
1091
SGOS 6.2 Administration Guide
3. Configure BCAAA to use BCAAA (You can download Chapter 47: "Using BCAAA" on
Kerberos Constrained the Blue Coat page 1023
Delegation Authentication and "Installing the BCAAA Service
• Configure BCAAA to run Authorization Agent at on a Windows System" on page
under the Local System https:// 1025
account (default). hypersonic.bluecoat.com) "Creating Service Principal
• The BCAAA server must Names for IWA Realms" on page
be trusted to delegate to 1032
specified services using an
authentication protocol.
The SPNs for the services
must be specified.
• Select Require the ProxySG
to provide a valid certificate
in order to connect during
BCAAA installation. If
using an existing
installation, edit
bcaaa.ini and set the
value of VerifySG to 1.
4. Create policy to enable VPM: Under Web Visual Policy Manager Reference
constrained delegation. Authentication "Creating Kerberos Constrained
Layer>Action>Kerberos Delegation Policies" on page
Constrained Delegation 1092
Note: Refer to Visual Policy Manager Reference for complete details about the VPM.
There are two VPM objects that enable Kerberos Constrained Delegation: Add
Kerberos Constrained Delegation Object and Do not use Kerberos Constrained Delegation.
Both objects exist in the Web Authentication Layer as an Action. Do not use Kerberos
Constrained Delegation is a fixed action and needs no configuration.
The following example policy enables Kerberos Constrained Delegation and
shows configurable options.
1092
Chapter 52: Kerberos Constrained Delegation
3. Select Policy > Add Web Authentication Layer. An Add New Layer dialog displays.
4. Enter a name that is easily recognizable and click OK. A new policy tab and
rule display in the VPM manager window.
5. Select Action under the new rule. Right click Any > Set. The Set Action Object
window displays.
6. Select New > Kerberos Constrained Delegation to add a new Kerberos object.
7a
7b
7c
7d
1093
SGOS 6.2 Administration Guide
7. The Add Kerberos Constrained Delegation Object window allows you to configure
KCD implementation.
a. In the Name field, enter a name for the object or leave as is to accept the
default.
b. From the Authentication Type drop-down list, select origin or proxy. If you
are authenticating to an upstream origin server, select origin. If you are
authenticating to a proxy server, select proxy.
c. In the IWA Realm field, enter a valid IWA realm to use for Kerberos
authentication.
d. (Optional) Enter the Service Principal Name to use for the OCS. The
default SPN for the service is set to http/<hostname>. If a non-standard
port is used for a service, use http/<hostname>:<port>
8. Click OK.
9. Click OK to return to the VPM.
10. Click the Install Policy button when finished adding policies.
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.
1094
Chapter 52: Kerberos Constrained Delegation
1095
SGOS 6.2 Administration Guide
1096
Chapter 53: LDAP Realm Authentication and Authorization
LDAP Overview
LDAP is a client protocol used to access information stored in an LDAP-
compatible directory service. It is the vehicle by which LDAP-enabled
applications speak to one another. As a shared protocol, LDAP integrates
compatible applications in your network to a single authentication interface.
Any additions or changes made to information in the directory are available to
authorized users, directory-enabled applications, devices, and ProxySGs. This
central control gives administrators simplified application management.
1097
SGOS 6.2 Administration Guide
1098
Chapter 53: LDAP Realm Authentication and Authorization
4a
4b
3c
3. In the Realm Name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter.
4. Configure the realm options:
a. From the Type of LDAP server drop-down list, select the specific LDAP
server.
b. Specify the host and port for the primary LDAP server. The host must
be entered. The default port number is 389.
c. (Optional) The ProxySG automatically retrieves the default User
attribute type when the user specifies the LDAP server type.
You can manually specify the user attribute type for a particular LDAP
server. The following list shows which attribute each directory server uses
to form a username:
• Microsoft Active Directory Servers: sAMAccountName=
• Novell NDS/eDirectory Server/Other: cn=
• Netscape/iPlanet Directory Server: uid=
d. Click OK to close the dialog.
5. Click Apply.
1099
SGOS 6.2 Administration Guide
2a
2b
2c
3
1100
Chapter 53: LDAP Realm Authentication and Authorization
1101
SGOS 6.2 Administration Guide
2. From the Realm name drop-down list, select the LDAP realm for which you
want to change DN properties.
1102
Chapter 53: LDAP Realm Authentication and Authorization
3. In the User attribute type field, the ProxySG has entered the default user
attribute type for the type of LDAP server you specified when creating the
realm.
• Microsoft Active Directory Servers: sAMAccountName=
• Novell NDS/eDirectory Server/Other: cn=
• Netscape/iPlanet Directory Server: uid=
If you entered information correctly when creating the realm, you do not need
to change the User attribute type in this step. If you do need to change or edit
the entry, do so directly in the field.
4. Enter as many Base DNs as required for the realm. Assume, for example, that
Example Corp has offices in New York and Lisbon, each with its own Base
DN. A simplified directory information tree is illustrated below.
To specify entries for the Base DNs field, click New, enter the Base DN, and click
OK. Repeat for multiple Base DNs. To search all of Sample_Company, enter o
values:
1103
SGOS 6.2 Administration Guide
You can add, edit, and delete Base DNs for an ProxySG to search. The
ProxySG searches multiple DNs in the order listed, starting at the top and
working down. Select an individual DN and move it up or down in the list
with the Promote and Demote buttons.
5. Click Apply.
Note: Authorization decisions are completely handled by policy. The groups that
the appliance looks up and queries are derived from the groups specified in
policy in group= conditions, attribute= conditions, ldap.attribute= conditions
and has_attribute conditions. If you do not have any of those conditions, then
Blue Coat does not look up any groups or attributes to make policy decisions
based on authorization.
1104
Chapter 53: LDAP Realm Authentication and Authorization
2. From the Realm name drop-down list, select an LDAP realm for which you
want to specify authorization information.
3. To permit users to anonymously bind to the LDAP service, select Anonymous
Search Allowed. For example, with Netscape/iPlanet Directory Server, when
anonymous access is allowed, no username or password is required by the
LDAP client to retrieve information.
4. The Dereference level field has four values—always, finding, never, searching—that
allow you to specify when to search for a specific object rather than search for
the object’s alias. The default is Always.
5. Click Apply.
Note: For Microsoft Active Directory, you must use the full name and not the
login name.
3
4
5
6
2. From the Realm name drop-down list, select an LDAP realm for which you
want to specify authorization information.
3. To enforce user authentication before binding to the LDAP service, deselect
Anonymous Search Allowed.
4. Enter a user distinguished name in the Search User DN field. This username can
identify a single user or a user object that acts as a proxy for multiple users (a
pool of administrators, for example). A search user distinguished name can be
up to 512 characters long.
1105
SGOS 6.2 Administration Guide
5. You can set or change the search user password by clicking Change Password.
The password can be up to 64 alphanumeric characters long.
Note: You might want to create a separate user (such as Blue Coat, for
example) instead of using an Administrator distinguished name and
password.
6. The Dereference level field has four values—always, finding, never, searching—that
allow you to specify when to search for a specific object rather than search for
the object’s alias. The default is Always.
7. Click Apply.
4
5
6
7
2. From the Realm name drop-down list, select an LDAP realm for which you
want to specify authorization information.
3. Enter Membership type and Membership attribute: The ProxySG enters
defaults for the following LDAP directories:
• Microsoft Active Directory:
Membership type: user
Membership attribute type: memberOf
• Netscape/Sun iPlanet:
Membership type:group
Membership attribute type:uniqueMember
• Novell NDS eDirectory
Membership type:group
Membership attribute type:member
1106
Chapter 53: LDAP Realm Authentication and Authorization
• Other
Membership type:user
Membership attribute type:member
4. Username type to lookup: Select either FQDN or Relative. Only one can be
selected at a time.
• Relative can only be selected in the membership type is Group.
• FQDN indicates that the lookup is done only on the user object. FQDN can be
selected when the membership type is either Group or User.
5. Nested LDAP: If the LDAP server you use does not natively support group
membership tests of nested groups, you can select the Nested LDAP checkbox.
Note: When a group of interest referenced within policy is part of a loop, User
Authorization results in Access Denied(policy_denied). For example, a loop forms
if the group member Testgroup has the nested group member Testgroup2, which
in turn has the aforementioned Testgroup as a nested member.
When loops are removed from an LDAP server, the Nested Groups Support
option must be disabled and then re-enabled for the ProxySG to re-fetch the
correct group structure.
6. Nested group attribute: For other, ad and nds, the default attribute is member.
For iPlanet, the attribute is uniqueMember.
7. Group constraint filter: Enter a search limiting clause to reduce the number of
groups returned for an LDAP search. This feature is generally used only when
the user wishes to limit the scope of a comparison due to a very large number
of groups. Constraints must be valid LDAP search filters and are AND’d to
the search filter when performing a group search.
Example 1: If you enter (cn=p*) into the Group constraint filter field, only groups
starting with the letter P are returned.
Example 2: If you enter (cn=proxy) into the Group constraint filter field, only the
group is returned.
proxy
Note: The Group constraint filter functions only for local comparisons. To enable
local group comparisons, go to "Defining LDAP General Realm Properties" on
page 1108.
8. Click Apply.
1107
SGOS 6.2 Administration Guide
Currently, the objectclass attribute values are used by Blue Coat during a VPM
browse of an LDAP server. If an administrator wants to browse the groups in a
particular realm, the ProxySG searches the LDAP server for objects that have
objectclass attribute values matching those in the group list and in the container
list. The list of objectclass attribute values in the container list is needed so that
containers that contain groups can be fetched and expanded correctly.
2. From the Realm name drop-down list, select the LDAP realm whose
objectclasses you want to modify.
3. From the Object type drop-down list, select the type of object: container, group, or
user.
4. To create or edit an object for the specified objectclass, click New or Edit. (The
only difference is whether you are adding or editing an objectclass value.)
5. Enter or edit the objectclass, and click OK.
6. Click Apply.
1108
Chapter 53: LDAP Realm Authentication and Authorization
1109
SGOS 6.2 Administration Guide
c. Enter the number of seconds in the field. The Surrogate Refresh Time
allows you to set a realm default for how often a user’s surrogate
credentials are refreshed. Surrogate credentials are credentials
accepted in place of a user’s actual credentials. The default setting is
900 seconds (15 minutes). You can configure this in policy for better
control over the resources as policy overrides any settings made here.
Before the refresh time expires, if a surrogate credential (IP address or
cookie) is available and it matches the expected surrogate credential, the
ProxySG authenticates the transaction. After the refresh time expires, the
ProxySG verifies the user’s credentials. Depending upon the
authentication mode and the user-agent, this may result in challenging the
end user for credentials.
The main goal of this feature is to verify that the user-agent still has the
appropriate credentials.
d. Enter the number of seconds in the Authorization refresh time field. The
Authorization Refresh Time allows you to manage how often the
authorization data is verified with the authentication realm. It has a
default setting of 900 seconds (15 minutes). You can configure this in
policy for better control over the resources as policy overrides any
settings made here.
4. Enter the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
5. If you use Basic credentials and want to cache failed authentication attempts
(to reduce the load on the authentication service), enter the number of seconds
in the Rejected Credentials time field. This setting, enabled by default and set to
one second, allows failed authentication attempts to be automatically rejected
for up to 10 seconds. Any Basic credentials that match a failed result before its
cache time expires are rejected without consulting the back-end authentication
service. The original failed authentication result is returned for the new
request. All failed authentication attempts can be cached: Bad password,
expired account, disabled account, old password, server down. To disable
caching for failed authentication attempts, set the Rejected Credentials time field
to 0.
6. Configure the cookies option:
a. Select the Use persistent cookies check box to use persistent browser
cookies instead of session browser cookies.
b. Select the Verify the IP address in the cookie check box if you would like
the cookies surrogate credentials to only be accepted for the IP address
that the cookie was authenticated. Disabling this will allow cookies to
be accepted from other IP addresses.
7. You can specify a virtual URL. For more information on the virtual URL, see
"About Origin-Style Redirection" on page 990.
8. Select the Challenge user after logout check box if the realm requires the users to
enter their credentials after they have logged out.
1110
Chapter 53: LDAP Realm Authentication and Authorization
9. Select the group comparison search method. There are two compare methods:
• Local—The local method performs compare operations on the ProxySG
after retrieving the appropriate entries. Because the compares are
performed locally, this method typically reduces load on the LDAP server.
• Server—The server method queries the LDAP server for each compare
operation. If there are a large number of compares to perform, it can result
in significant server load.
Note: There is a minute possibility that local compares can produce differing
results from server compares. If you suspect erroneous compare results, set to
server.
1111
SGOS 6.2 Administration Guide
1112
Chapter 53: LDAP Realm Authentication and Authorization
The following example lists the options available when creating an LDAP
attribute policy using the VPM. The VPM allows you to perform LDAP string
comparisons and existence checks. These LDAP attribute comparisons are
performed locally on the ProxySG.
Note: Refer to Visual Policy Manager Reference for details about VPM.
3. Add a valid policy layer. The LDAP Attribute Object exists in the Admin Access,
SSL Access, Web Access, and Forwarding layers as Source objects. For example, to
add an SSL Access layer, select Policy > Add SSL Access Layer. An Add New Layer
dialog box appears.
4. Enter a name that is easily understandable and click OK. A new policy tab and
rule will displays.
5. Select source for the new rule. Right click on Any and select Set. The Set Source
Object window displays.
1113
SGOS 6.2 Administration Guide
6. Select New > LDAP Attribute to create a new LDAP attribute object.
10
7. In the Name field, enter a name for the object or leave as is to accept the default.
8. From the Authentication Realm drop-down list, select a specific LDAP realm or
<ALL>. The default setting for this field is <ALL>.
1114
Chapter 53: LDAP Realm Authentication and Authorization
Note: A list count check and numeric check are only available through CPL.
For information about these checks, refer to Content Policy Language Guide.
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.
Be aware that the default policy condition for these examples is allow. The default
policy condition on new SGOS 5.x systems is deny.
❐ Every LDAP-authenticated user is allowed access to the ProxySG.
<Proxy>
authenticate(LDAPRealm)
1115
SGOS 6.2 Administration Guide
deny
.
.
.
[Rule]
deny
You can use the substitution to provide the value of an attribute in a header that is
sent to an upstream server as well as within exception pages.
Notes
If you use guest authentication/authorization, note that:
❐ LDAP realms provide split authorization, and it is possible to be successfully
authenticated but have authorization fail.
❐ If the LDAP realm validate authorized user command is disabled and the
user does not exist in the authorization realm, authorization is considered a
success and the user is assigned to the default group if there is one configured
and it is of interest to policy.
❐ Returned attributes that are stored within the user’s authentication data must
not exceed 7680 bytes, or an authorization error occurs.
1116
Chapter 54: Novell Single Sign-on Authentication and
Authorization
This section discusses the Novell Single Sign-on (SSO) realm, which is an
authentication mechanism that provides single sign-on authentication for users
that authenticate against a Novell eDirectory server.
1117
SGOS 6.2 Administration Guide
to monitor for logins. Additional monitor servers must be specified if they contain
user information that is not replicated to the master Novell eDirectory server
being searched.
After a Novell SSO realm has been configured, you can write policy that
authenticates and authorizes users against the Novell SSO realm.
To ensure that users who do not successfully authenticate against the Novell SSO
realm are not challenged, administrators can use a realm sequence that contains
the Novell SSO realm and then a policy substitution realm to use when Novell
SSO authentication fails.
Note: The Novell SSO realm works reliably only in environments where one IP
address maps to one user. If an IP address cannot be mapped to a single user,
authentication fails. Those with NAT systems, which uses one set of IP addresses
for intranet traffic and a different set for Internet traffic, may need to use a
different realm for authentication.
When a user logs into the Novell network, the user entry in Novell eDirectory is
updated with the login time and the IP address that the user logged in from and
the login time. The ProxySG uses BCAAA to do LDAP searches and monitoring of
the configured Novell eDirectory servers to obtain the user login information and
maintain a user IP address to user FQDN map.
To create the initial IP/FQDN map, the BCAAA service searches the configured
master eDirectory server for all user objects within the configured base DNs that
have a Network Address attribute. For each user entry returned, BCAAA parses
the Network Address attribute and adds the IP/FQDN entry to the map. If an
existing entry exists for that IP address, it is overwritten.
A user entry can have more than one Network Address entry in which case an
entry for each IP address is added to the map. Since service accounts can login
using the same IP address and subsequently overwrite entries for actual users, the
BCAAA service has a configurable list of the Service names to ignore. Users can
be added or removed from the list in the sso.ini file. (see "Modifying the sso.ini
File for Novell SSO Realms" on page 1126.)
Once the initial map has been created it is kept current by monitoring all of the
eDirectory servers that contain unique partition data for the eDirectory tree. By
default, the search server defined by the LDAP realm is monitored. If other
servers contain data that is not replicated to the search server, they must be
individually monitored. When a server is being monitored, each time a user logs
in or logs out, an event message is sent to BCAAA to update its mapping of
FQDNs to IP addresses.
Multiple ProxySG devices can talk to the same BCAAA service and can reference
the same eDirectory servers. To avoid multiple queries to the same server, the
LDAP hostname and port combination uniquely identifies an eDirectory
configuration and should be shared across devices.
To ensure that BCAAA has complete map of FQDNs to IP addresses, the realm
can be configured to do a full search of the configured master eDirectory server
up to once per day.
1118
Chapter 54: Novell Single Sign-on Authentication and Authorization
The BCAAA service must be version 120 or higher and must be installed on a
Windows 2000+ machine that can access the eDirectory server. The BCAAA
machine does not need to have a Windows trust relationship with the eDirectory
server.
Note: For information on configuring the BCAAA service, see Chapter 47:
"Using BCAAA" on page 1023.
3. In the Realm name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter.
4. Click OK to close the dialog.
5. Click Apply.
1119
SGOS 6.2 Administration Guide
You must have defined at least one Novell SSO realm (using the Novell SSO
Realms tab) before attempting to configure the BCAAA agent. If the message
Realms must be added in the Novell SSO Realms tab before editing this tab is displayed in
red at the bottom of this page, you do not currently have any Novell SSO realms
defined.
1. Select the Configuration > Authentication > Novell SSO>Agents tab.
1120
Chapter 54: Novell Single Sign-on Authentication and Authorization
Note: The Enable SSL setting only enables SSL between the ProxySG and
BCAAA. To enable SSL between BCAAA and the eDirectory server, the
Enable SSL setting
must be set in the LDAP search realm.
6. In the Timeout Request field, enter the number of seconds the ProxySG allows
for each request attempt before timing out. (The default request timeout is 60
seconds.)
7. Click Apply.
1121
SGOS 6.2 Administration Guide
4b
4a
Related CLI Syntax to specify the LDAP search realm and LDAP servers to
monitor:
SGOS#(config) security novell-sso edit-realm realm_name
SGOS#(config novell-sso realm_name) ldap search-realm ldap_realm
SGOS#(config novell-sso realm_name) ldap monitor-servers {add host
[port] | clear | remove host [port]}
1122
Chapter 54: Novell Single Sign-on Authentication and Authorization
Configuring Authorization
Novell SSO realm can be configured to do no authorization, authorize against
itself (the default), or authorize against another valid authorization realm (either
LDAP or Local).
1123
SGOS 6.2 Administration Guide
Authorization Prerequisite
You must have defined at least one Novell SSO realm (using the Novell SSO
Realms tab) before attempting to configure authorization. If the message Realms
must be added in the Novell SSO Realms tab before editing this tab is displayed in red at
the bottom of this page, you do not currently have any Novell SSO realms
defined.
2. From the Realm Name drop-down list, select the Novell SSO realm to edit.
3. By default, the Novell SSO realm is selected to authorize against itself by
default. To select another realm, clear the Self checkbox and select an
authorization realm from the drop-down list.
4. The LDAP FQDN is selected as the Authorization user name, by default. Change
this if the user's authorization information resides in a different root DN. To
select a different authorization name, clear the Use FQDN option and enter a
different name. For example:
cn=$(user.name),ou=partition,o=company
5. Click Apply.
1124
Chapter 54: Novell Single Sign-on Authentication and Authorization
subsequent users during that same time coming from the same IP address are
allowed or denied as that first user. This is true even if policy would have treated
them differently if they were authenticated as themselves.
If multiple users often log in from the same IP address, it is recommended to use a
shorter surrogate credential refresh timeout than the default or an authentication
mode that does not use IP surrogate credentials.
Novell SSO Prerequisite
You must have defined at least one Novell SSO realm (using the Novell SSO
Realms tab) before attempting to set Novell SSO general properties. If the
message Realms must be added in the Novell SSO Realms tab before editing this tab is
displayed in red at the bottom of this page, you do not currently have any Novell
SSO realms defined.
2. From the Realm name drop-down list, select the Novell SSO realm for which
you want to change properties.
3. Configure refresh options:
a. Select the Use the same refresh time for all option to use the same refresh
time for all.
b. Enter the number of seconds in the Surrogate refresh time field. The
Surrogate Refresh Time allows you to set a realm default for how often
a user’s surrogate credentials are refreshed. Surrogate credentials are
credentials accepted in place of a user’s actual credentials. The default
setting is 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made
here.
1125
SGOS 6.2 Administration Guide
1126
Chapter 54: Novell Single Sign-on Authentication and Authorization
Note: The changes to the sso.ini file have no effect until the BCAAA service is
restarted.
• SearchRetryTime=30
• TrustedRootCertificateEncoding=der
• PublicCertificateEncoding=der
• PrivateKeyFile=
• PrivateKeyEncoding=der
3. If the LDAP realm used by the Novell SSO realm requires that the identity of
the server be verified, add the paths to the Trusted root certificate files in
the NovellTrustedRootCertificates section.
4. In the SSOServiceUsers section, list the names of users who can log in with
eDirectory credentials on behalf of the service and mask the identity of the
logged-on user.
Listing these users here forces the BCAAA service to ignore them for
authentication purposes.
5. Save the sso.ini file.
Note: The examples below assume the default policy condition is allow.
Refer to Content Policy Language Guide for details about CPL and how transactions
trigger the evaluation of policy file layers.
❐ Every Novell SSO-authenticated user is allowed access the ProxySG.
<Proxy>
authenticate(NSSORealm)
1127
SGOS 6.2 Administration Guide
<Proxy>
group=”cn=proxyusers, ou=groups, o=myco” ALLOW
deny
policy running on the gateway might see the IP address of the data center proxy
rather than the IP address of the client workstation.
Note: The source IP address is not masked if you use the reflect client ip attribute.
Note: The user.login.address condition only works correctly if you use the
authenticate.credentials.address property to set the address.
You can also use the x-cs-user-login-address substitution to log this event.
Examples
In the following example, the address to use for authenticating with myrealm is set
to the address received from the HTTP Client-IP header.
<proxy>
authenticate(myrealm)\
authenticate.credentials.address($(request.header.Client-IP))
In the following example, the user is authenticated if logged in from the 1.2.3.0/
24 subnet.
<proxy>
user.login.address=1.2.3.0/24 allow
Notes
❐ The Novell SSO realm works reliably only in environments where one IP
address maps to one user. NAT environments are not supported.
❐ Novell SSO realms are not supported in IPX environments.
❐ Event monitoring of eDirectory is only compatible with eDirectory 8.7+.
❐ Upgrade to Novell client 4.91 SP1 or later if you experience issues with the
Network Address attribute not being updated during login.
❐ Novell SSO realms do not use user credentials so they cannot spoof
authentication information to an upstream server.
1128
Chapter 54: Novell Single Sign-on Authentication and Authorization
1129
SGOS 6.2 Administration Guide
1130
Chapter 55: Policy Substitution Realm
1131
SGOS 6.2 Administration Guide
Note: The user field and username field must include at least one
substitution that successfully evaluates in order for the user to be considered
authenticated.
If no policy substitutions exist that map directly to the user's simple and full
usernames but there are substitutions that map to attributes on the user on the
LDAP server, the user's identity can be determined by searching the LDAP server.
The following fields are used to determine the user's identity by LDAP search:
❐ LDAP search realm: The LDAP realm on the ProxySG that corresponds to the
LDAP server where the user resides
❐ Search filter: An LDAP search filter as defined in RFC 2254 to be used in the
LDAP search operation. Similar to the explicitly defined username and full
username fields, the search filter string can contain policy substitutions that
are available based on the user's request. The search filter string must be
escaped according to RFC 2254. The policy substitution modifier
escape_ldap_filter is recommended to use with any policy substitutions that
could contain characters that need to be escaped. It will escape the policy
substitution value per RFC 2254.
Note: The search filter must include at least one substitution that successfully
evaluates before the LDAP search will be issued and the user authenticated.
❐ User attribute: The attribute on the search result entry that corresponds to the
user's full username. If the search result entry is a user entry, the attribute is
usually the FQDN of that entry. The user's full username is the value of the
specified attribute. If the attribute value is an FQDN, the user's simple
username is the value of the first attribute in the FQDN. If the attribute value
is not an FQDN, the simple username is the same as the full username.
1132
Chapter 55: Policy Substitution Realm
Note: If all the policy substitutions fail, authentication fails. If any policy
substitution works, authentication succeeds in the realm.
Example
The following is an example of how to use substitutions with Policy Substitution
realms.
Assumptions:
❐ The user susie.smith is logged in to a Windows client computer at IP address
10.25.36.47.
where username is the name of the user, and computer_domain is the domain to
which the user's computer belongs.
❐ A login script that runs on the client computer updates a DNS server so that a
reverse DNS lookup for 10.25.36.47 results in
susie.smith.authteam.location.company.com.
Results:
Under these circumstances, the following username and full username attributes
might be used:
❐ Username: $(netbios.messenger-username)@$(client.address).
1133
SGOS 6.2 Administration Guide
Example
The following is an example of how to determine the user's identity by search.
Assumptions:
❐ The user susie.smith is logged in to a Windows client computer.
❐ The customer has an LDAP directory in which group information is stored.
The FQDN for Susie Smith is cn=Susie Smith, cn=Users, dc=Eng,
dc=company, dc=com.
Results:
Under these circumstances the login username can not be explicitly mapped to
the user's FQDN, so a search of the LDAP server for the user's login identity is
required instead. The following values can be used:
❐ Search filter: (sAMAccountName=$(netbios.messenger-
username:escape_ldap_filter))
1134
Chapter 55: Policy Substitution Realm
3. In the Realm name field, enter a realm name. The name can be up to 32
characters long and composed of alphanumeric characters and underscores.
The name must start with a letter.
4. Click OK to close the dialog.
5. Click Apply.
Prerequisites
You must have defined at least one Policy Substitution realm (using the Policy
Substitution Realms tab) before attempting to set Policy Substitution realm
properties. If the message Realms must be added in the Policy Substitutions
Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any Policy Substitution realms defined.
1135
SGOS 6.2 Administration Guide
-or-
2. From the Realm name drop-down list, select the Policy Substitution realm for
which you want to change realm properties.
3. To determine username by definition, select Determine username by definition
and specify the username and full username strings. Remember that the
Username and Full username attributes are character strings that contain policy
substitutions. When authentication is required for the transaction, these
character strings are processed by the policy substitution mechanism, using
the current transaction as input. The resulting string becomes the user's
identity for the current transaction. For an overview of usernames and full
usernames, see "About Policy Substitution Realms" on page 1131.
-or-
4. To determine username by search, select Determine username by search.
• From the drop-down list, select the LDAP realm to use as a search realm.
• The search filter must be a valid LDAP search filter per RFC 2254. The
search filter can contain any of the policy substitutions that are available
based on the user's request (such as IP address, netbios query result, and
ident query result).
• The user attribute is the attribute on the LDAP search result that
corresponds to the user's full username. The LDAP search usually results
in user entries being returned, in which case the user attribute is the
FQDN. If the LDAP search was for a non-user object, however, the
username might be a different attribute on the search result entry.
5. Click Apply.
1136
Chapter 55: Policy Substitution Realm
❐ To search by definition:
SGOS#(config policy-substitution realm_name) identification determine-
usernames by-definition
SGOS#(config policy-substitution realm_name) identification username
construction_rule
SGOS#(config policy-substitution realm_name) identification full-
username construction_rule
Prerequisite
You must have defined at least one Policy Substitution realm (using the Policy
Substitution Realms tab) before attempting to set Policy Substitution realm
properties. If the message Realms must be added in the Policy Substitutions
Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any Policy Substitution realms defined.
1. Select Configuration > Authentication > Policy Substitution > Ignore Users.
2. From the Realm Name drop-down list, select the Policy Substitution realm for
which you want to change realm properties.
3. Click New to add a username to be ignored during the username search. The
username format depends on what the LDAP search is looking for but will
most often be an LDAP FQDN.
4. Click OK to close the dialog; repeat the previous step to add other users.
5. Click Apply.
1137
SGOS 6.2 Administration Guide
where add allows you to add a user to the list, clear removes all users from the
list, and remove deletes one user from the list.
Configuring Authorization
Policy Substitution realms do not require an authorization realm. If the policy
does not make any decisions based on groups, you need not specify an
authorization realm.
Prerequisite
You must have defined at least one Policy Substitution realm (using the Policy
Substitution Realms tab) before attempting to set Policy Substitution realm
properties. If the message Realms must be added in the Policy Substitutions
Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any Policy Substitution realms defined.
2. From the Realm Name drop-down list, select the Policy Substitution realm for
which you want to change realm properties.
3. From the Authorization Realm Name drop-down list, select the authorization
realm you want to use to authorize users.
4. Click Apply.
1138
Chapter 55: Policy Substitution Realm
Prerequisite
You must have defined at least one Policy Substitution realm (using the Policy
Substitution Realms tab) before attempting to set Policy Substitution general
properties. If the message Realms must be added in the Policy Substitution
Realms tab before editing this tab is displayed in red at the bottom of this
page, you do not currently have any Policy Substitution realms defined.
2. From the Realm name drop-down list, select the Policy Substitution realm for
which to change properties.
3. Configure refresh options:
a. Select the Use the same refresh time for all check box if you would like to
use the same refresh time for all.
b. Enter the number of seconds in the Surrogate refresh time field. The
Surrogate Refresh Time allows you to set a realm default for how often
a user’s surrogate credentials are refreshed. Surrogate credentials are
credentials accepted in place of a user’s actual credentials. The default
setting is 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made
here.
Before the refresh time expires, if a surrogate credential (IP address or
cookie) is available and it matches the expected surrogate credential, the
ProxySG authenticates the transaction. After the refresh time expires, the
ProxySG reevaluates the user’s credentials.
1139
SGOS 6.2 Administration Guide
c. Enter the number of seconds in the Authorization refresh time field. The
Authorization Refresh Time allows you to manage how often the
authorization data is verified with the authentication realm. It has a
default setting of 900 seconds (15 minutes). You can configure this in
policy for better control over the resources as policy overrides any
settings made here.
4. Enter the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
5. Configure cookie options:
a. Select the Use persistent cookies option to use persistent browser cookies
instead of session browser cookies.
b. Select the Verify the IP address in the cookie option if you would like the
cookies surrogate credentials to only be accepted for the IP address
that the cookie was authenticated. Disabling this will allow cookies to
be accepted from other IP addresses.
6. You can specify a virtual URL. For more information on the virtual URL, see
"About Origin-Style Redirection" on page 990.
7. Click Apply.
Notes
❐ Following are examples of how to configure four different types of Policy
Substitution realms. For a list of available substitutions, see the Content Policy
Language Guide.
• Identity to be determined by sending a NetBIOS over TCP/IP query to the
client computer, and using LDAP authorization
SGOS#(config) security policy-substitution create-realm netbios
SGOS#(config) security policy-substitution edit-realm netbios
SGOS#(config policy-substitution netbios) username \
$(netbios.messenger-username)
SGOS#(config policy-substitution netbios) full-username \
cn=$(netbios.messenger-username),cn=users,dc=company,dc=com
SGOS#(config policy-substitution netbios) authorization-realm-name
ldap
1140
Chapter 55: Policy Substitution Realm
❐ If you need to change the NetBIOS defaults of 5 seconds and 3 retries, use the
nbstat requester option from the netbios command submode. (For more
information on using the NetBIOS commands, refer to Command Line Interface
Reference.)
❐ If you need to change the Ident defaults of 30 second timeout, treating
username whitespace as significant and querying Ident port 113, use the client
commands in the identd command submode. (For more information on using
the Ident commands, refer to Command Line Interface Reference.)
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file <Proxy> and other layers.
1141
SGOS 6.2 Administration Guide
Be aware that the default policy condition for this example is allow. On new SGOS
5.x systems, the default policy condition is deny.
Every Policy Substitution realm authenticated user is allowed to access the
ProxySG.
<Proxy>
authenticate(PolicySubstitutionRealm)
policy running on the gateway might see the IP address of the data center proxy
rather than the IP address of the client workstation.
Note: The source IP address is not masked if you use the reflect client ip attribute.
Note: The user.login.address condition only works correctly if you use the
authenticate.credentials.address property to set the address.
You can also use the x-cs-user-login-address substitution to log this event.
Examples
In the following example, the address to use for authenticating with myrealm is set
to the address received from the HTTP Client-IP header.
<proxy>
authenticate(myrealm)\
authenticate.credentials.address($(request.header.Client-IP))
In the following example, the user is authenticated if logged in from the 1.2.3.0/
24 subnet.
<proxy>
user.login.address=1.2.3.0/24 allow
1142
Chapter 56: RADIUS Realm Authentication and Authorization
About RADIUS
RADIUS is often the protocol of choice for ISPs or enterprises with very large
numbers of users. RADIUS is designed to handle these large numbers through
centralized user administration that eases the repetitive tasks of adding and
deleting users and their authentication information. RADIUS also inherently
provides some protection against sniffing.
Some RADIUS servers support one-time passwords. One-time passwords are
passwords that become invalid as soon as they are used. The passwords are
often generated by a token or program, although pre-printed lists are also used.
Using one-time passwords ensures that the password cannot be used in a
replay attack.
The ProxySG’s one-time password support works with products such as Secure
Computing SafeWord synchronous and asynchronous tokens and RSA SecurID
tokens.
The ProxySG supports RADIUS servers that use challenge/response as part of
the authentication process. SafeWord asynchronous tokens use challenge/
response to provide authentication. SecurID tokens use challenge/response to
initialize or change PINs.
1143
SGOS 6.2 Administration Guide
1144
Chapter 56: RADIUS Realm Authentication and Authorization
2
3
5
6
1145
SGOS 6.2 Administration Guide
7. If you are using one-time passwords, select the One-time passwords option.
You must enable one-time passwords if you created a challenge/response
realm.
8. If the RADIUS server is configured to expect case-sensitive usernames and
passwords, make sure the Case sensitive option is selected.
9. Click Apply.
1146
Chapter 56: RADIUS Realm Authentication and Authorization
1147
SGOS 6.2 Administration Guide
1148
Chapter 56: RADIUS Realm Authentication and Authorization
Note: RADIUS groups can only be configured through policy. This feature is not
available through either the Management Console or the CLI.
1149
SGOS 6.2 Administration Guide
Note: The remove command will not remove attributes that are currently part of
the session-monitor’s configuration.
Example 1
The following example shows an enum mapping an integer value to a string
value:
SGOS#(config radius attributes) add radius-attribute 205 sample-enum
enum 1="string for value 1" 2=string2 3="string for value 3"
The integer values are sent on the wire from the RADIUS server. However, an
admin can also refer to a value using either an integer or a string in CPL using
the following expressions:
session-monitor.attribute.sample-enum=3
session-monitor.attribute.sample-enum="string for value 3"
Example 2
The following example shows octet string value:
SGOS#(config radius attributes) add radius-attribute 206 sample-octet-
string octet-string 30
An octet string functions similarly to a string, but it can contain binary data.
Example 3
The following example show a tag data type:
SGOS#(config radius attributes) add radius-attribute 205 sample-tag-
string tag-string 25
1150
Chapter 56: RADIUS Realm Authentication and Authorization
Tag data types differ from non-tag counterparts because they include an extra
byte in the value sent from the RADIUS server, which identifies a VPN tunnel.
The ProxySG skips this extra value to get to the actual value when parsing the
value sent from the RADIUS server.
Example 4
The following example shows a vendor attribute with a fictional vendor ID
value of 21234:
SGOS#(config radius attributes) add radius-attribute 21234 1 sample-
vendor-integer integer.
CPL Example
The examples below are just part of a comprehensive authentication policy. By
themselves, they are not adequate.
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.
1151
SGOS 6.2 Administration Guide
Troubleshooting
One of five conditions can cause the following error message:
Your request could not be processed because of a configuration error: "The request
timed out while trying to authenticate. The authentication server may be busy or offline."
Notes
If you use guest authentication, remember that RADIUS realms retrieve
authorization data at the same time as the user is authenticated. In some cases, the
system can distinguish between an authentication and authorization failure.
Where the system cannot determine if the error was due to authentication or
authorization, both the authentication and authorization are considered to be
failed.
1152
Chapter 57: Configuring the ProxySG as a Session Monitor
This chapter discusses how you can configure the SGOS software to monitor
RADIUS accounting messages and to maintain a session table based on the
information in these messages. The session table can then be used for logging
or authentication.
You can also, optionally, configure multiple appliances to act as a session
monitor cluster. When enabled, the session table is replicated to all members of
the cluster to provide failover support.
After you configure and enable the session monitor, it maintains a session table
that records which sessions are currently active and the user identity for each
session. User information can be extracted from the session table by the
ProxySG and used to make policy decisions.
and
1153
SGOS 6.2 Administration Guide
1154
Chapter 57: Configuring the ProxySG as a Session Monitor
Note: When using a session monitor cluster, the RADIUS client must be
configured to send the RADIUS accounting messages to the failover group's
virtual IP address.
1155
SGOS 6.2 Administration Guide
2. (Optional) To view the session-monitor configuration, you can either use the
session-monitor view command or the config show session-monitor
command.
SGOS#(config) show session-monitor
General:
Status: enabled
Entry timeout: 120 minutes
Maximum entries: 500000
Cluster support: enabled
Cluster port: 55555
Cluster group address: 10.9.17.159
Synchronization delay: 0
Synchronization grace period: 30
1156
Chapter 57: Configuring the ProxySG as a Session Monitor
All session-monitor attributes can use the following string comparison functions:
• .prefix
• .suffix
• .substring
• .regex
1157
SGOS 6.2 Administration Guide
❐ IPv4: session-monitor.attribute.NAS-IP-Address=1.2.3.4
❐ IPv6: session-monitor.attribute.NAS-IPv6-
Address=2001:db8:85a3::8a2e:370:7334
❐ Enum: session-monitor.attribute.Service-type=3
session-monitor.attribute.Service-type="Callback-Login"
Note: The enum data type maps a string to an integer, and either can be used in
comparisons. You can see a listing of the possible values for Service-Type (and
other enum attributes) in the security radius attributes sub-mode.
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.
❐ In the following example, the ProxySG is using the session table maintained
by the session monitor to extract user information for authentication.
<proxy>
allow authenticate(session)
Access Logging
The Blue Coat ProxySG uses the following ELFF field syntax for access logging.
x-cs-session-monitor-radius(<attribute_name>)
When a user is authenticated by the ProxySG, the named attribute is fetched and
recorded. When access log records are created, this field will be substituted with
the value of the named attribute.
Access Logging is enabled on the Configuration > Access Logging > General page.
For information about customizing access logs, refer to Chapter 29: "Access
Log Formats" on page 693.
1158
Chapter 57: Configuring the ProxySG as a Session Monitor
Notes
❐ The session table is stored entirely in memory. The amount of memory needed
is roughly 40MB for 500,000 users.
❐ The session table is kept in memory. If the system goes down, the contents of
the session table are lost. However, if the system is a member of a failover
cluster, the current contents of the session table can be obtained from another
machine in the cluster. The only situation in which the session table is entirely
lost is if all machines in the cluster go down at the same time.
❐ The session replication protocol replicates session information only;
configuration information is not exchanged. That means each ProxySG in the
cluster must have identical RADIUS attribute settings in order to properly
share information.
❐ The session replication protocol is not secured. The failover group should be
on a physically secure network to communicate with each other.
❐ The session monitor requires sufficient memory and at least 100Mb-per-
second network links among the cluster to manage large numbers of active
sessions.
❐ The username in the session table is obtained from the Calling-Station-ID
attribute in the RADIUS accounting message and can be a maximum of 19
bytes.
1159
SGOS 6.2 Administration Guide
1160
Chapter 58: Sequence Realm Authentication
This section describes how to configure the ProxySG to use multiple realms to
authenticate users. It includes the following topics:
❐ "About Sequencing" on page 1161
❐ "Adding Realms to a Sequence Realm" on page 1161
❐ "Creating a Sequence Realm" on page 1162
❐ "Defining Sequence Realm General Properties" on page 1164
❐ "Tips" on page 1165
About Sequencing
After a realm is configured, you can associate it with other realms to allow the
ProxySG to search for the proper authentication credentials for a specific user.
That is, if the credentials are not acceptable to the first realm, they are sent to
the second, and so on until a match is found or all the realms are exhausted.
This is called sequencing.
For example, if a company has one set of end-users authenticating against an
LDAP server and another using NTLM, a sequence realm can specify to
attempt NTLM authentication first; if that fails because of a user-correctable
error (such as credentials mismatch or a user not in database) then LDAP
authentication can be specified to try next. You can also use sequences to fall
through to a policy substitution realm if the user did not successfully
authenticate against one of the earlier realms in the sequence.
Note: Errors such as server down do not fall through to the next realm in the
sequence. Those errors result in an exception returned to the user. Only errors
that are end-user correctable result in the next realm in the sequence being
attempted.
1161
SGOS 6.2 Administration Guide
❐ If an IWA realm is in a realm sequence and the IWA realm does not support
Basic credentials, the realm must be the first realm in the sequence and try
IWA authentication once must be enabled.
❐ Multiple Basic realms are allowed.
❐ Multiple Windows SSO realms are allowed.
❐ Connection-based realms, such as Certificate, are not allowed in the realm
sequence.
❐ A realm can only exist once in a particular realm sequence.
❐ A realm sequence cannot have another realm sequence as a member.
❐ If a realm is down, an exception page is returned. Authentication is not tried
against the other later realms in the sequence.
3. In the Realm name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter.
4. Click OK.
5. Click Apply.
1162
Chapter 58: Sequence Realm Authentication
2a
2b
1163
SGOS 6.2 Administration Guide
5. To change the order that the realms are checked, use the promote/demote
buttons. When you add an IWA realm, it is placed first in the list and you can
allow the realm sequence to try IWA authentication only once. If you demote the
IWA entry, it becomes last in the sequence and the default of checking IWA
multiple times is enabled.
6. If you permit authentication or authorization errors, you can select the Try next
realm on tolerated error checkbox to specify that the next realm on the list should
be attempted if authentication in the previous realm has failed with a
permitted error. The default value is to not attempt the next realm and fall out
of the sequence. (For information on using permitted errors and guest
authentication, see "Permitting Users to Login with Authentication or
Authorization Failures" on page 991.)
7. Click Apply.
1164
Chapter 58: Sequence Realm Authentication
2. From the Realm name drop-down list, select the Sequence realm for which you
want to change properties.
3. (Optional) If required, change the Sequence realm name in the Display Name
field. The default value for the display name is the realm name. The display
name cannot be longer than 128 characters and it cannot be null.
4. You can specify a virtual URL based on the individual realm sequence. For
more information on the virtual URL, see "Sequence Realm Authentication"
on page 1161.
5. Click Apply.
Tips
❐ Explicit Proxy involving a sequence realm configured with an NTLM/IWA
realm and a substitution realm.
Internet Explorer (IE) automatically sends Windows credentials in the Proxy-
Authorization: header when the ProxySG issues a challenge for NTLM/IWA.
The prompt for username/password appears only if NTLM authentication
fails. However, in the case of a sequence realm configured with an NTLM/
IWA realm and a substitution realm, the client is authenticated as a guest in
the policy substitution realm, and the prompt allowing the user to correct the
NTLM credentials never appears.
1165
SGOS 6.2 Administration Guide
1166
Chapter 59: Managing X.509 Certificates
1167
SGOS 6.2 Administration Guide
Certificates
The SGOS software uses:
❐ SSL Certificates.
❐ CA Certificates.
❐ External Certificates.
You can also use wildcard certificates during HTTPS termination. Microsoft’s
implementation of wildcard certificates is as described in RFC 2595, allowing an *
(asterisk) in the leftmost-element of the server's common name only. For
information on wildcards supported by Internet Explorer, refer to the Microsoft
knowledge base, article: 258858. Any SSL certificate can contain a common name
with wildcard characters.
SSL Certificates
SSL certificates are used to authenticate the identity of a server or a client. A
certificate is confirmation of the association between an identity (expressed as a
string of characters) and a public key. If a party can prove they hold the
corresponding private key, you can conclude that the party is who the certificate
says it is. The certificate contains other information, such as its expiration date.
The association between a public key and a particular server is done by
generating a certificate signing request using the server's or client’s public key. A
certificate signing authority (CA) verifies the identity of the server or client and
1168
Chapter 59: Managing X.509 Certificates
generates a signed certificate. The resulting certificate can then be offered by the
server to clients (or from clients to servers) who can recognize the CA's signature.
Such use of certificates issued by CAs has become the primary infrastructure for
authentication of communications over the Internet.
The ProxySG trusts all root CA certificates trusted by Internet Explorer and
Firefox. The list is updated periodically to be in sync with the latest versions of IE
and Firefox.
CA certificates installed on the ProxySG are used to verify the certificates
presented by HTTPS servers and the client certificates presented by browsers.
Browsers offer a certificate if the server is configured to ask for one and an
appropriate certificate is available to the browser.
CA Certificates
CA certificates are certificates that belong to certificate authorities. CA certificates
are used by ProxySG devices to verify X.509 certificates presented by a client or a
server during secure communication. ProxySG appliances are pre-installed with
the most common CA certificates.
The ProxySG comes with many popular CA certificates already installed. You can
review these certificates using the Management Console or the CLI. You can also
add certificates for your own internal certificate authorities.
External Certificates
An external certificate is any X509 certificate for which the ProxySG does not have
the private key. The certificate can be used to encrypt data, such as access logs,
with a public key so that it can only be decrypted by someone who has the
corresponding private key. See "Encrypting the Access Log" on page 664 for
information about encrypting access logs.
Keyrings
A keyring contains a public/private keypair. It can also contain a certificate
signing request or a signed certificate. Keyrings are named, can be created,
deleted and viewed; there are built-in keyrings for specified purposes. For
information on managing keyrings, see "Using Keyrings and SSL Certificates" on
page 1172.
1169
SGOS 6.2 Administration Guide
Note: You can delete cipher suites that you do not trust. However, SGOS does not
provide any mechanism to change the ordering of the ciphers used.
All cipher suites supported by the ProxySG use the RSA key exchange algorithm,
which uses the public key encoded in the server's certificate to encrypt a piece of
secret data for transfer from the client to server. This secret is then used at both
endpoints to compute encryption keys.
By default, the ProxySG is configured to allow SSLv2 and v3 as well as TLSv1
traffic. The cipher suites available for use differ depending on whether you
configure SSL for version 2, version 3, TLS, or a combination of these.
Cipher Suite configuration is discussed in "Changing the Cipher Suite of the SSL
Client" on page 1209.
1170
Chapter 59: Managing X.509 Certificates
1171
SGOS 6.2 Administration Guide
Note: You can also import keyrings. For information on importing keyrings,
see "Importing an Existing Keypair and Certificate" on page 1187.
1172
Chapter 59: Managing X.509 Certificates
Note: These steps must be done using a secure connection such as HTTPS, SSH,
or a serial console.
Creating a Keyring
The ProxySG ships with several keyrings already created:
❐ default: The default keyring contains a certificate and an automatically-
generated keypair. The default keyring is intended for securely accessing the
ProxySG Management Console. Create an additional keyring for each HTTPS
service defined.
❐ configuration-passwords-key: The configuration-passwords-key keyring contains a
keypair but does not contain a certificate. This keyring is used to encrypt
passwords in the show config command and should not be used for other
purposes.
❐ appliance-key: The appliance-key keyring contains an internally-generated
keypair. If the ProxySG is authenticated (has obtained a certificate from the
Blue Coat CA appliance-certificate server), that certificate is associated with
this keyring, which is used to authenticate the device. (For more information
on authenticating the ProxySG, see Chapter 70: "Authenticating a ProxySG"
on page 1329.)
❐ passive-attack-protection-only-key: The passive-attack-protection-only-key keyring
allows data to be encrypted, but with no endpoint authentication. Although
the traffic cannot be sniffed, it can be intercepted with a man-in-the-middle
attack. The passive-attack-protection-only-key keyring is NOT considered secure;
therefore, it should not be used on production networks.
If an origin content server requires a client certificate and no keyring is associated
with the ProxySG SSL client, the HTTPS connections fails. For information on
using the SSL client, see Chapter 60: "Managing SSL Traffic" on page 1207.
To create a keyring:
1. Select the Configuration > SSL > Keyrings > SSL Keyrings tab.
1173
SGOS 6.2 Administration Guide
3a
3b
3c
-or-
3d
3e
Note: Spaces in keyring names are not supported. Including a space can
cause unexpected errors while using such keyrings.
1174
Chapter 59: Managing X.509 Certificates
Note: The choice among show, do not show keypair, and show keypair to
has implications for whether keyrings are included in profiles
director
and backups created by Director. For more information, refer to the
Blue Coat Director Configuration and Management Guide.
c. Enter the key length in the Create a new ______ -bit keyring field. A length
of 2048 bits is the maximum (and default). For deployments reaching
outside the U.S., determine the maximum key length allowed for
export.
Click OK. The keyring is created with the name you chose. It does not have
a certificate associated with it yet. To associate a certificate, see "Importing
a Server Certificate" on page 1181.
-or-
d. Select Import keyring. The grayed-out Keyring field becomes enabled,
allowing you to paste in an already existing private key. Any certificate
or certificate request associated with this private key must be imported
separately. For information on importing a certificate, see "Importing a
Server Certificate" on page 1181.
e. If the private key that is being imported has been encrypted with a
password, select Keyring Password and enter the password into the
field.
Note: The only way to retrieve a keyring's private key from the ProxySG
is by using Director or the command line —it cannot be exported
through the Management Console.
1175
SGOS 6.2 Administration Guide
Notes
❐ To view the keypair in an encrypted format, you can optionally specify des or
des3 before the keyring_id, along with an optional password. If the optional
password is provided on the command line, the CLI does not prompt for a
password.
❐ If the optional password is not provided on the command line, the CLI asks
for the password (interactive). If you specify either des or des3, you are
prompted.
❐ To view the keypair in unencrypted format, select either the optional
keyring_id or use the unencrypted command option.
❐ You cannot view a keypair over a Telnet connection because of the risk that it
could be intercepted.
1176
Chapter 59: Managing X.509 Certificates
Creating a CSR
To create a CSR:
1. Select the Configuration > SSL > SSL Keyrings tab.
2. Select the keyring for which you need a signed certificate and click Edit. The
Edit Keyring dialog displays.
1177
SGOS 6.2 Administration Guide
3. In the Certificate Signing Request area, click Create. The Create Certificate-
signing-request dialog displays.
1178
Chapter 59: Managing X.509 Certificates
Note: Most field limits are counted in terms of bytes rather than characters.
The number of non-ASCII characters a field can accommodate will be less
than the size limit because non-ASCII characters can occupy more than one
byte, depending on the encoding. The only exception is the Challenge field,
which is counted in terms of characters.
5. Click OK to close the dialog. The Certificate Signing Request area displays the
certificate information.
6. Click OK to close the dialog. The CSR column for the keyring displays Yes.
1179
SGOS 6.2 Administration Guide
1180
Chapter 59: Managing X.509 Certificates
Example:
SGOS#(config ssl) create certificate keyring-id cn bluecoat challenge
test c US state CA company bluecoat
1181
SGOS 6.2 Administration Guide
1182
Chapter 59: Managing X.509 Certificates
To import a CRL:
You can choose from among four methods to install a CRL on the ProxySG:
❐ Use the Text Editor, which allows you to enter the installable list (or copy and
paste the contents of an already-created file) directly onto the ProxySG.
❐ Create a local file on your local system.
❐ Enter a remote URL, where you placed an already-created file on an FTP or
HTTP server to be downloaded to the ProxySG.
❐ Use the CLI inline command.
To update a CRL:
1. Select the Configuration > SSL > CRLs tab.
2. Click New or highlight an existing CRL and click Edit.
3. Give the CRL a name.
4. From the drop-down list, select the method to use to install the CRL; click
Install.
• Remote URL:
Enter the fully-qualified URL, including the filename, where the CRL is
located. To view the file before installing it, click View. Click Install.
The Install CRL dialog displays. Examine the installation status that
displays; click OK.
• Local File:
Click Browse to display the Local File Browse window. Browse for the CRL
file on the local system. Open it and click Install. When the installation is
complete, a results window opens. View the results, close the window,
click Close.
• Text Editor:
Copy a new CRL file into the window, and click Install.
When the installation is complete, a results window opens. View the
results, close the window, click Close.
Note: The Management Console text editor can be used to enter a CRL
file. You cannot use it to enter CLI commands.
1183
SGOS 6.2 Administration Guide
SGOS#(config) ssl
SGOS#(config ssl) inline crl CRL_list_name eof
Paste CRL here
eof
This commonly occurs when you use the HTTPS-Console service on port
8082, which uses a self-signed certificate by default. When you access the
Management Console over HTTPS, the browser displays a pop-up that says
that the security certificate is not trusted and asks if you want to proceed. If
you select No instead of proceeding, the browser sends an unknown CA alert to
the ProxySG.
You can eliminate the error message one of two ways:
• If this was caused by the Blue Coat self-signed certificate (the certificate
associated with the default keyring), import the certificate as a trusted
Certificate Signing Authority certificate. See "Importing a Server
Certificate" on page 1181 for more information.
• Import a certificate on the ProxySG for use with HTTPS-Console that is
signed by a CA that a browser already trusts.
❐ If the ProxySG appliance’s certificate is not accepted because of a host name
mismatch or it is an invalid certificate, you can correct the problem by creating a
new certificate and editing the HTTPS-Console service to use it. For
information on editing the HTTPS-Console service, see "Managing the HTTPS
Console (Secure Console)" on page 1312.
1184
Chapter 59: Managing X.509 Certificates
4. Enter the name of the external certificate into the External Cert Name field and
paste the certificate into the External Certificate field. You must include the ----
BEGIN CERTIFICATE---- and -----END CERTIFICATE---- statements.
5. Click OK.
1185
SGOS 6.2 Administration Guide
1186
Chapter 59: Managing X.509 Certificates
To Import a keyring:
1. Copy the already-created keypair onto the clipboard.
2. Select the Configuration > SSL > Keyrings > SSL Keyrings tab.
3. If the keyring already exists, select the keyring and click Delete and Apply.
4. Click Create. The Create Keyring dialog displays.
5a
5b
5c
1187
SGOS 6.2 Administration Guide
Note: The choice among show, do not show and show keypair to director has
implications for whether keyrings are included in profiles and backups
created by Director. For more information, refer to the Blue Coat Director
Configuration and Management Guide.
1188
Chapter 59: Managing X.509 Certificates
Importing a CA Certificate
A CA Certificate is a certificate that verifies the identity of a Certificate Authority.
The certificate is used by the ProxySG to verify server and client certificates.
1189
SGOS 6.2 Administration Guide
To view a CA certificate:
1. Select the Configuration > SSL > CA Certificates > CA Certificates tab.
2. Select the certificate you want to view.
3. Click View. Examine the contents and click Close.
To delete a CA certificate:
1. Select the Configuration > SSL > CA Certificates > CA Certificates tab.
2. Select the certificate to delete.
3. Click Delete.
4. Click OK.
1190
Chapter 59: Managing X.509 Certificates
Note: For information on using the SSL client or SSL-device profiles, see
Chapter 60: "Managing SSL Traffic" on page 1207.
1191
SGOS 6.2 Administration Guide
1192
Chapter 59: Managing X.509 Certificates
1193
SGOS 6.2 Administration Guide
About OCSP
OCSP (RFC 2560) allows you to obtain the revocation status of an X.509 digital
certificate. OCSP provides the same revocation functionality as the local
Certificate Revocation List (CRL) configured on the ProxySG.
Managing large CRLs poses scalability challenges. This is due to high memory
consumption on the ProxySG associated with storing revocation lists. OCSP
overcomes these limitations by checking certificate status in real time using off-
box OCSP responders.
1194
Chapter 59: Managing X.509 Certificates
If the certificate status is valid, the end user (in cases of SSL proxy or HTTPS
reverse proxy) can access the secure website. If the status is revoked, an error is
flagged and the end user is denied access to the secure website. If status is
unknown, the ProxySG has the ability to treat it as an error or ignore it based on
the administrator’s discretion.
Scenario A
The OCSP response is signed by a root CA that also issued the subject certificate.
Scenario B
1195
SGOS 6.2 Administration Guide
The OCSP response is signed by a delegated certificate and both the responder
certificate and the subject certificate are issued by the same root CA. The root CA
in this scenario delegates the job of the signing OCSP responses to the OCSP
responder by adding the OCSP signing purpose to the extendedKeyUsage
extension of the responder's certificate (See section 4.2.2.2 of RFC 2560).This
denotes that the certificate has been delegated for the purpose of signing OCSP
responses by the root CA certificate.
Scenario C
The OCSP response is signed by a certificate having no common issuer with the
subject certificate. Thus, the root CA certificates signing the subject certificate and
OCSP response are different. This only works if the responder certificate’s root
CA is trusted by the administrator for the OCSP signing. The administrator can
denote this trust by adding the OCSP Signing trust setting in the Trusted Uses
section of the root CA. OpenSSL provides a command line tool to add this trust
setting to a traditional root CA certificate.
Here is an example of how to create a root CA trusted for OCSP signing from an
existing root:
openssl x509 -in <root CA file> -addtrust OCSPSigning -out
<trusted root CA>
A trusted certificate is an ordinary certificate that has several additional pieces of
information attached to it. Information can include the permitted and prohibited
uses of the certificate and an alias. Trust settings are a non-standard way to
override the purposes present in the keyUsage or extendedKeyUsage extensions of a
certificate.
1196
Chapter 59: Managing X.509 Certificates
By default, a trusted certificate must be stored locally and must be a root CA.
Trust settings currently are only used with a root CA. They allow finer control
over the purposes for which the root CA can be used for. For example, a CA may
be trusted for an SSL client but not SSL server use. Other trust values that are
supported by OpenSSL include:
❐ clientAuth (SSL client use)
❐ serverAuth (SSL server use)
❐ emailProtection (S/MIME email)
Notes
❐ The keyword TRUSTED is denoted in the certificate header and footer:
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----
❐ The Ignore OCSP signing purpose check option (see Step 5 on page 1202 in
"Creating and Configuring an OCSP Responder" ) lists the errors that are
related to the OCSP signing delegation. This applies to Scenarios B and C only.
1197
SGOS 6.2 Administration Guide
Data Flow
1. The user accesses a secure website that is fronted by a ProxySG.
2. The ProxySG requests a client certificate from the browser.
3. The browser sends a client certificate, based on the user’s choice, to the ProxySG.
4. The ProxySG sends an OCSP query for the revocation status of the client certificate
to the responder.
5. The responder returns the revocation status in an OCSP response.
6a. If the status is good, the request is allowed and the content is displayed.
6b. If the status is revoked, the user is denied access to the content.
1198
Chapter 59: Managing X.509 Certificates
2. Click New to create a new OCSP responder. The Create OCSP responder dialog
displays.
1199
SGOS 6.2 Administration Guide
1200
Chapter 59: Managing X.509 Certificates
4a
4b
1201
SGOS 6.2 Administration Guide
1202
Chapter 59: Managing X.509 Certificates
• Scenario C—The root CA does not have the trust setting enabled for
the OCSP Signing. The event log records this error as root ca not
trusted.
2. From the Default Responder drop-down list, select the responder you want to be
designated as the default responder. If a responder has not been previously
created then <None> is the only option.
If the subject certificate is not associated with any responder (using Issuer
CCL option) then the OCSP request for this certificate is sent to the default
responder.
1203
SGOS 6.2 Administration Guide
3. Click Apply.
See Also
"About OCSP" on page 1194
"How Blue Coat ProxySG Uses OCSP" on page 1194
"OCSP CLI Commands" on page 1204
"OCSP CPL Policy Configuration" on page 1204
"OCSP Listed Exceptions" on page 1205
"OCSP Access Log Fields" on page 1205
1204
Chapter 59: Managing X.509 Certificates
For detailed information about defining Exceptions, refer to the Visual Policy
Manager Reference, Chapter 4, Table 4-1.
Note: See Chapter 28: "Creating Custom Access Log Formats" on page 685 for
detailed information about creating and editing log formats.
The following table lists and describes the OCSP access log fields:
Table 59–2 Access Log Substitutions
ELFF Description
x-rs-ocsp-error An error was observed during the OCSP check for a server
certificate.
x-cs-ocsp-error An error was observed during the OCSP check for a client
certificate.
1205
SGOS 6.2 Administration Guide
1206
Chapter 60: Managing SSL Traffic
This section describes how to configure the SSL client and devices profiles,
which are required for secure connections. These profiles are configured to
group together the collection of settings required for an SSL connection. The
profiles themselves include:
❐ Keyrings
❐ CA certificates
❐ CA Certificate List (CCL)
❐ Cipher Suite
CA certificates, keyrings, CCLs and cipher suites must be configured
individually before being added to an SSL client profile or an SSL device
profile. Except for cipher suites, discussed in "Changing the Cipher Suite of the
SSL Client" on page 1209, these settings are discussed in greater detail in
Chapter 59: "Managing X.509 Certificates" on page 1167.
This section discusses the following topics:
❐ Section A: "SSL Client Profiles" on page 1208.
❐ Section B: "SSL Device Profiles" on page 1212.
❐ Section C: "Notes and Troubleshooting" on page 1216.
1207
Volume 4: Securing the Blue Coat ProxySG Appliance
Note: The SSL proxy, also known as the SSL forward proxy, uses parameters
taken from the SSL connection made by the client when originating SSL
connections to the server. As a result, settings in the default SSL client profile are
not applied to these connections.
To modify any parameters for SSL connections, change the corresponding SSL
device-profile. You will need to modify the SSL client profile settings in the
reverse proxy scenario only. This is because the reverse proxy uses the SSL client,
instead of the SSL device profile, when connecting to the upstream OCS using
HTTPS.
1208
Chapter 60: Managing SSL Traffic
2a
2b
2c
Related CLI Syntax to Associate a Keyring, Protocol, and CCL with the
SSL Client
SGOS#(config) ssl
SGOS#(config ssl) edit ssl-client default
SGOS#(config ssl ssl-client default) ccl {ccl_name | all}
SGOS#(config ssl ssl-client default) keyring-id keyring_id
SGOS#(config ssl ssl-client default) protocol {sslv2 | sslv3 | tlsv1 |
sslv2v3 | sslv2tlsv1 | sslv3tlsv1 | sslv2v3tlsv1}
1209
Volume 4: Securing the Blue Coat ProxySG Appliance
2. (Optional) View the results. Notice the change in the Use column.
SGOS#(config ssl ssl-client default) view
SSL-Client Name Keyring Name Protocol
--------------- ------------ ------------
default default SSLv2v3TLSv1
1210
Chapter 60: Managing SSL Traffic
Notes:
❐ If you do not specify any attributes, the cipher suite cannot be used.
❐ Multiple ciphers can be specified on the command line, separated by blank
spaces.
Example
SGOS#(config ssl ssl-client default) cipher-suite rc4-sha
ok
SGOS#(config ssl ssl-client default) view
SSL-Client: default
Keyring: <None>
CCL: browser-trusted
Protocol: SSLv2v3TLSv1
Cipher suite: rc4-sha
1211
Volume 4: Securing the Blue Coat ProxySG Appliance
Note: Non-proxy traffic uses an SSL device profile. Proxy traffic uses the SSL
client profile. For proxy traffic, see Section A: "SSL Client Profiles" on page 1208.
1212
Chapter 60: Managing SSL Traffic
3a
3b
3c
3d
3e
3f
3g
1213
Volume 4: Securing the Blue Coat ProxySG Appliance
4. Select the ciphers you want to use. Click Add to add the cipher to the list of
selected ciphers. Remove unwanted ciphers from the Selected Options list.
5. Click OK.
6. Click Apply.
1214
Chapter 60: Managing SSL Traffic
1215
Volume 4: Securing the Blue Coat ProxySG Appliance
1216
Chapter 61: Windows Single Sign-on Authentication
This section describes how to configure the Windows Single Sign-on (SSO)
realm, which is an authentication mechanism available on Windows networks.
It includes the following topics:
❐ "How Windows SSO Realms Work" on page 1217
❐ "Creating a Windows SSO Realm" on page 1220
❐ "Configuring Windows SSO Agents" on page 1220
❐ "Configuring Windows SSO Authorization" on page 1222
❐ "Defining Windows SSO Realm General Properties" on page 1224
❐ "Modifying the sso.ini File for Windows SSO Realms" on page 1226
❐ "Creating the CPL" on page 1228
❐ "Notes" on page 1229
Note: The Windows SSO realm works reliably only in environments where
one IP address maps to one user. If an IP address cannot be mapped to a single
user, authentication fails. Those with NAT systems, which uses one set of IP
addresses for intranet traffic and a different set for Internet traffic, should use a
different realm for authentication
To authenticate a user, the Windows SSO realm uses two methods, either
separately or together:
❐ Domain Controller Querying: The domain controller is queried to identify
which users are connecting to, or authenticating with, the domain
controller. This can be used to infer the identity of the user at a particular
workstation.
❐ Client Querying: The client workstation is queried to determine who the
client workstation thinks is logged in.
1217
SGOS 6.2 Administration Guide
❐ When Domain Controller Querying and Client Querying are both used, the
Domain Controller Query result is used if it exists and is still within the valid
time-to-live as configured in the sso.ini file. If the Domain Controller Query
result is older than the configured time-to-live, the client workstation is
queried.
For the most complete solution, an IWA realm could be configured at the same
time as the Windows SSO realm and both realms added to a realm sequence.
Then, if the Windows SSO realm failed to authenticate the user, the IWA realm
could be used. For information on using a sequence realm, see Chapter 58:
"Sequence Realm Authentication" on page 1161.
BCAAA Synchronization
Optionally, when using Domain Controller Querying, you can configure a
BCAAA service to use another BCAAA service as a synchronization server.
Whenever a BCAAA service restarts, it contacts its synchronization server and
updates the logon state. Two given BCAAA services can use each other as their
synchronization server. Thus, each BCAAA service can act as a synchronization
server to provide logon state to other BCAAA services, as well as acting as a
synchronization client to update its logon state from another BCAAA service.
1218
Chapter 61: Windows Single Sign-on Authentication
Note: Windows SSO realms never challenge for credentials. If the authorization
username cannot be determined from the configured substitutions, authorization
in the Windows SSO realm fails.
1219
SGOS 6.2 Administration Guide
3. In the Realm name field, enter a realm name. The name can be 32 characters
long and composed of alphanumeric characters and underscores. The name
must start with a letter.
4. Click OK.
5. Click Apply.
Prerequisite
You must have defined at least one Windows SSO realm (using the Windows SSO
Realms tab) before attempting to configure the BCAAA agent. If the message
Realms must be added in the Windows SSO Realms tab before editing this tab displays in
red at the bottom of this page, you do not have any Windows SSO realms defined.
1. Select the Configuration > Authentication > Windows SSO > Agents tab.
1220
Chapter 61: Windows Single Sign-on Authentication
1221
SGOS 6.2 Administration Guide
By default the Windows SSO realm is configured for Domain Controller Querying.
Note that the BCAAA service is disabled by default, so it must be enabled
manually before using the Domain Controller Querying option. For more
information on enabling Domain Controller Querying in the BCAAA service,
see "Modifying the sso.ini File for Windows SSO Realms" on page 1226.
Client Querying is blocked by the Windows XP SP2 firewall. This can be
overridden through domain policy. If the firewall setting Allow remote
administration exception or Allow file and printer sharing exception or Define port
exceptions (with port 445) is enabled, then the query will work.
8. Click Apply.
1222
Chapter 61: Windows Single Sign-on Authentication
Prerequisite
You must have defined at least one Windows SSO realm (using the Windows SSO
Realms tab) before attempting to set Windows SSO realm properties. If the
message Realms must be added in the Windows SSO Realms tab before editing this tab is
displayed in red at the bottom of this page, you do not currently have any
Windows SSO realms defined.
1. Select the Configuration > Authentication > Windows SSO > Authorization tab.
3. Click Apply.
Table 61–1 Common Substitutions Used in the Authorization username Field
1223
SGOS 6.2 Administration Guide
Prerequisite
You must have defined at least one Windows SSO realm (using the Windows SSO
Realms tab) before attempting to set Windows SSO general properties. If the
message Realms must be added in the Windows SSO Realms tab before editing this tab
displays in red at the bottom of this page, you do not currently have any
Windows SSO realms defined.
1224
Chapter 61: Windows Single Sign-on Authentication
2. From the Realm name drop-down list, select the Windows SSO realm for which
you want to change properties.
3. Configure refresh options:
a. Select the Use the same refresh time for all check box if you would like to
use the same refresh time for all.
b. Enter the number of seconds in the Surrogate refresh time field. The
Surrogate Refresh Time allows you to set a realm default for how often
a user’s surrogate credentials are refreshed. Surrogate credentials are
credentials accepted in place of a user’s actual credentials. The default
setting is 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made
here. Before the refresh time expires, if a surrogate credential (IP
address or cookie) is available and it matches the expected surrogate
credential, the ProxySG authenticates the transaction. After the refresh
time expires, the ProxySG determines which user is using the current
IP address, and update the surrogate credential to authenticate with
that user.
c. Enter the number of seconds in the Authorization refresh time field. The
Authorization Refresh Time allows you to manage how often the
authorization data is verified with the authentication realm. It has a
default setting of 900 seconds (15 minutes). You can configure this in
policy for better control over the resources as policy overrides any
settings made here.
4. Enter the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
1225
SGOS 6.2 Administration Guide
Note: The changes to the sso.ini file have no effect until the BCAAA service is
restarted.
1226
Chapter 61: Windows Single Sign-on Authentication
By default all domain controllers that are in the forest or are trusted are
queried. In large organizations, domain controllers that are not of interest for
the ProxySG installation might be queried. The sso.ini file can be used to list
the domain controllers of interest or IP address ranges of interest.
5. In the section SSOServiceUsers, list the domain names of users who can access
the domain controller on behalf of the service and mask the identity of the
logged-on user.
Listing these users here forces the BCAAA service to ignore them for
authentication purposes.
6. Save the sso.ini file.
Note: Before you use the Windows SSO realm, you must change the BCAAA
service to run as a domain user, and, if using XP clients, update the domain policy
to allow the client query to pass through the firewall.
• EnableSyncServer=1
• SyncPortNumber=16102
• UseSSL=0
• VerifyCertificate=0
• QueryDelta=10
• RetrySyncTime=60
1227
SGOS 6.2 Administration Guide
Note: Refer to Content Policy Language Guide for details about CPL and how
transactions trigger the evaluation of policy file layers.
Policy running on the gateway might see the IP address of the data center proxy
rather than the IP address of the client workstation.
Note: The source IP address is not masked if you use the reflect client ip
attribute.
Note: The user.login.address condition only works correctly if you use the
authenticate.credentials.address property to set the address.
1228
Chapter 61: Windows Single Sign-on Authentication
You can also use the x-cs-user-login-address substitution to log this event.
Examples
In the following example, the address to use for authenticating with myrealm is set
to the address received from the HTTP Client-IP header.
<proxy>
authenticate(myrealm)\
authenticate.credentials.address($(request.header.Client-IP))
In the following example, the user is authenticated if logged in from the 1.2.3.0/
24 subnet.
<proxy>
user.login.address=1.2.3.0/24 allow
Notes
❐ The Windows SSO realm works reliably only in environments where one IP
address maps to one user.
❐ This realm never uses a password.
❐ When doing domain controller querying, the Windows SSO realm can lose the
logon if the NetBIOS computer name cannot by determined through a DNS
query or a NetBIOS query. The DNS query can fail if the NetBIOS name is
different than the DNS host name or if the computer is in a different DNS
domain than the BCAAA computer and the BCAAA computer is not set up to
impute different DNS domains.
The NetBIOS query can fail because the NetBIOS broadcast does not reach the
target computer. This can happen if the computer is behind a firewall that is
not forwarding NetBIOS requests or if the computer is on a subnet that is not
considered to be local to the BCAAA server.
To prevent this issue, the BCAAA machine must be configured to be able to
query the NetBIOS name of any computer of interest and get the correct IP
address.
One workaround is to use a WINS server. This works like a DNS server but
handles NetBIOS lookups.
1229
SGOS 6.2 Administration Guide
1230
Chapter 62: Using XML Realms
This section discusses XML realms, which are used to integrate SGOS with the
authentication/authorization protocol. If you use an authentication or
authorization protocol that is not natively supported by Blue Coat, you can use
the XML realm.
1231
SGOS 6.2 Administration Guide
2. Click New.
1232
Chapter 62: Using XML Realms
3. In the Realm Name field, enter a realm name. The name can be 32 characters
long, composed of alphanumeric characters and underscores. The name must
start with a letter.
4. Click OK to close the dialog.
5. Click Apply.
3a
3b
3c
3d
2. From the Realm Name drop-down list, select the XML realm.
3. Configure the Responder options:
a. Responder: Select the XML responder service to configure—Primary or
Alternate—from the drop-down list. Primary is the default. You can
configure both responder services before clicking Apply.
1233
SGOS 6.2 Administration Guide
b. Host: This is the hostname or IP address of the HTTP server that has
the XML service. You must specify a host. The port defaults to port 80.
c. Authenticate request path: Enter the XML responder path for
authentication requests.
d. Authorize request path: Enter the XML responder path for authorization
requests.
4. In the timeout request fields, enter the number of seconds for the system to wait
for a request and the number of times for the system to retry a request. The
default is not to retry a request.
5. Specify the maximum number of connections to the responder. The default is five
connections.
6. (Optional) Select One-time passwords to integrate with a non-Blue Coat
supported authentication service that uses one-time passwords.
7. Click Apply.
8. Repeat the above steps for additional XML realms, up to a total of 40.
1234
Chapter 62: Using XML Realms
2. From the Realm name drop-down list, select the XML realm.
3. Select the HTTP request method: GET or POST.
4. Select a user credential option:
• If the HTTP server is integrated with the authentication system, the HTTP
server can authenticate the credentials. Select the Put user credentials for
authentication in the HTTP header radio button. However, if this does not
provide enough flexibility, the XML responder can do authentication.
• To have the XML responder service handle both authentication and
authorization, select the Put user credentials for authentication in the request
radio button.
5. Enter the username parameter in the Username parameter field. The default is
username.
6. Click Apply.
1235
SGOS 6.2 Administration Guide
2a
2b
2d
2e
2. From the Realm name drop-down list, select the XML realm.
a. Authorization realm name: If the XML realm is not doing authorization,
select an authorization realm from the drop-down list. By default, the
authorization realm name is Self.
b. Authorization username: The default is Use full username. Clear the Use full
username option to use a different name or to use a policy substitution
that generates a username.
c. Default group: The default is no groups are selected.
d. The send the groups and attributes of interest in the request option is
selected by default. These are the groups and attributes that are used
in policy.
3. Click Apply.
1236
Chapter 62: Using XML Realms
1237
SGOS 6.2 Administration Guide
c. Enter the number of seconds in the Surrogate refresh time field. The
Surrogate Refresh Time allows you to set a realm default for how often
a user’s surrogate credentials are refreshed. Surrogate credentials are
credentials accepted in place of a user’s actual credentials. The default
setting is 900 seconds (15 minutes). You can configure this in policy for
better control over the resources as policy overrides any settings made
here.
Before the refresh time expires, if a surrogate credential (IP address or
cookie) is available and it matches the expected surrogate credential, the
ProxySG authenticates the transaction. After the refresh time expires, the
ProxySG verifies the user’s credentials. Depending upon the
authentication mode and the user-agent, this may result in challenging the
end user for credentials.
The main goal of this feature is to verify that the user-agent still has the
appropriate credentials.
d. Enter the number of seconds in the Authorization refresh time field. The
Authorization Refresh Time allows you to manage how often the
authorization data is verified with the authentication realm. It has a
default setting of 900 seconds (15 minutes). You can configure this in
policy for better control over the resources as policy overrides any
settings made here.
4. Enter the number of seconds in the Inactivity timeout field to specify the amount
of time a session can be inactive before being logged out.
5. If you use Basic credentials and want to cache failed authentication attempts
(to reduce the load on the authentication service), enter the number of seconds
in the Rejected Credentials time field. This setting, enabled by default and set to
one second, allows failed authentication attempts to be automatically rejected
for up to 10 seconds. Any Basic credentials that match a failed result before its
cache time expires are rejected without consulting the back-end authentication
service. The original failed authentication result is returned for the new
request.
All failed authentication attempts can be cached: Bad password, expired
account, disabled account, old password, server down.
To disable caching for failed authentication attempts, set the Rejected
Credentials time field to 0.
6. Select the Use persistent cookies check box to use persistent browser cookies
instead of session browser cookies.
7. Select the Verify the IP address in the cookie check box if you would like the
cookies surrogate credentials to only be accepted for the IP address that the
cookie was authenticated. Disabling this allows cookies to be accepted from
other IP addresses.
8. You can specify a virtual URL. For more information on the virtual URL, see
"About Origin-Style Redirection" on page 990.
9. Click Apply.
1238
Chapter 62: Using XML Realms
Note: For information on using policy, refer to Visual Policy Manager Reference or
Content Policy Language Guide.
1239
SGOS 6.2 Administration Guide
<proxy>
authenticate(eng_users)
<proxy>
realm=eng_users group=waterloo allow
Viewing Statistics
To view statistics for XML realms, select Statistics > Authentication > User Logins.
Select an XML realm from the Realm drop-down list.
1240
Appendix 63: XML Protocol
The XML realm uses a SOAP 1.2 based protocol for the Blue Coat supported
protocol.
This section includes the following topics:
❐ Section A: "Authenticate Request" on page 1242
❐ Section B: "Authenticate Response" on page 1244
❐ Section C: "Authorize Request" on page 1246
❐ Section D: "Authorize Response" on page 1247
1241
SGOS 6.2 Administration Guide
1242
Appendix 63: XML Protocol
1243
SGOS 6.2 Administration Guide
Success
All of the response fields except full-username are optional. The intersection of
the groups of interest and the groups that the user is in are returned in the groups
element. The attributes of interest for the user are returned in a flattened two
dimensional array of attribute names and values.
<?xml version='1.0' encoding="UTF-8" ?>
<env:Envelope
xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Body
env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<m:authenticate-response
xmlns:m="http://www.bluecoat.com/xmlns/xml-realm/1.0">
<m:full-username>full-username</m:full-username>
<m:groups enc:arraySize="*" enc:itemType="xsd:string">
<m:group>group2</m:group>
</m:groups>
<m:attribute-values enc:arraySize="* 2"
enc:itemType="xsd:string">
<m:item>attribute2</m:item>
<m:item>value2a</m:item>
<m:item>attribute2</m:item>
<m:item>value2b</m:item>
<m:item>attribute2</m:item>
<m:item>value2c</m:item>
</m:attribute-values>
</m:authenticate-response>
</env:Body>
</env:Envelope>
Failed/Denied
The failed response includes a text description of the failure that becomes the text
description of the error reported to the user. The fault-code is one of a set of SGOS
authentication errors that can be returned from the responder. The codes are
returned as strings, but are part of an enumeration declared in the schema for the
protocol. Only codes in this list are acceptable.
account_disabled
account_restricted
credentials_mismatch
general_authentication_error
expired_credentials
account_locked_out
account_must_change_password
offbox_server_down
general_authorization_error
unknown_error
1244
Appendix 63: XML Protocol
1245
SGOS 6.2 Administration Guide
GET Method
http://<server hostname>:<server port>/<authorize service
path>?<username parameter
name>=<username>[&group=<group1>&group=<group2>…&attribute=<attribute1
>&…]
POST Method
<?xml version='1.0' encoding="UTF-8" ?>
<env:Envelope
xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Body
env:encodingStyle="http://www.w3.org/2003/05/soap-encoding"
xmlns:enc="http://www.w3.org/2003/05/soap-encoding">
<m:authorize
xmlns:m="http://www.bluecoat.com/soap/xmlns/xml-realm/1.0">
<m:username>Username</m:username>
<m:groups enc:arraySize="*" enc:itemType="xsd:string">
<m:group>group1</m:group>
<m:group>group2</m:group>
</m:groups>
<m:attributes enc:arraySize="*" enc:itemType="xsd:string">
<m:attribute>attribute1</m:attribute>
<m:attribute>attribute2</m:attribute>
</m:attributes>
</m:authorize>
</env:Body>
</env:Envelope>
1246
Appendix 63: XML Protocol
Success
Only applicable groups and attributes are returned. Multi-valued attributes are
returned by multiple instances of the same attribute name.
<?xml version='1.0' encoding="UTF-8" ?>
<env:Envelope
xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Body
env:encodingStyle="http://www.w3.org/2003/05/soap-encoding"
xmlns:enc="http://www.w3.org/2003/05/soap-encoding">
<m:authorize-response
xmlns:m="http://www.bluecoat.com/xmlns/xml-realm/1.0">
<m:groups enc:arraySize="*" enc:itemType="xsd:string">
<m:group>group2</m:group>
</m:groups>
<m:attribute-values enc:arraySize="* 2"
enc:itemType="xsd:string">
<m:item>attribute2</m:item>
<m:item>value2a</m:item>
<m:item>attribute2</m:item>
<m:item>value2b</m:item>
<m:item>attribute2</m:item>
<m:item>value2c</m:item>
</m:attribute-values>
</m:authorize-response>
</env:Body>
</env:Envelope>
Failed
<?xml version='1.0'encoding="UTF-8" ?>
<env:Envelope
xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Body>
<env:Fault>
<env:Code>
<env:Value>env:Receiver</env:Value>
</env:Code>
<env:Reason>
<env:Text xml:lang="en-US">Could not contact LDAP server</
env:Text>
</env:Reason>
<env:Detail>
<e:realm-fault
xmlns:e="http://www.bluecoat.com/xmlns/xml-realm/1.0">
<e:fault-code>offbox_server_down</e:fault-code>
</e:realm-fault>
</env:Detail>
</env:Fault>
</env:Body>
</env:Envelope>
1247
SGOS 6.2 Administration Guide
1248
Chapter 64: Forms-Based Authentication
Note: You can configure and install an authentication form and several
properties through the Management Console and the CLI, but you must use
policy to dictate the authentication form’s use.
1249
SGOS 6.2 Administration Guide
To create and put into use forms-based authentication, you must complete the
following steps:
❐ Create a new form or edit one of the existing authentication form exceptions
❐ Set storage options
❐ Set policies
Three authentication forms are created initially:
❐ authentication_form: Enter Proxy Credentials for Realm $(cs-realm). This is the
standard authentication form that is used for authentication with the
ProxySG.
❐ new_pin_form: Create New PIN for Realm $(cs-realm). This form is used if you
created a RADIUS realm using RSA SecurID tokens. This form prompts the
user to enter a new PIN. The user must enter the PIN twice in order to verify
that it was entered correctly.
❐ query_form: Query for Realm $(cs-realm). This form is used if you created a
RADIUS realm using RSA SecurID tokens. The form is used to display the
series of yes/no questions asked by the SecurID new PIN process.
You can customize any of the three initial authentication form exceptions or you
can create other authentication forms. (You can create as many authentication
form exceptions as needed. The form must be a valid HTML document that
contains valid form syntax.)
Each authentication form can contain the following:
❐ Title and sentence instructing the user to enter ProxySG credentials for the
appropriate realm.
❐ Domain:Text input with maximum length of 64 characters The name of the
input must be PROXY_SG_DOMAIN, and you can specify a default value of $(x-
cs-auth-domain) so that the user's domain is prepopulated on subsequent
attempts (after a failure).
The input field is optional, used only if the authentication realm is an IWA
realm. If it is used, the value is prepended to the username value with a
backslash.
❐ Username: Text input with maximum length of 64 characters. The name of the
input must be PROXY_SG_USERNAME, and you can specify a default value of
$(cs-username) so the username is prepopulated on subsequent attempts
(after a failure).
❐ Password: The password should be of type PASSWORD with a maximum length
of 64 characters. The name of the input must be PROXY_SG_PASSWORD.
❐ Request ID:
If the request contains a body, then the request is stored on the
ProxySG until the user is successfully authenticated.
The request ID should be of type HIDDEN. The input name must be
PROXY_SG_REQUEST_ID, and the value must be $(x-cs-auth-request-id). The
information to identify the stored request is saved in the request id variable.
1250
Chapter 64: Forms-Based Authentication
❐ Challenge State:
The challenge state should be of type HIDDEN. If a RADIUS
realm is using a response/challenge, this field is used to cache identification
information needed to correctly respond to the challenge.
The input name must be PROXY_SG_PRIVATE_CHALLENGE_STATE, and the value
must be $(x-auth-private-challenge-state).
❐ Submit button. The submit button is required to submit the form to the
ProxySG.
❐ Clear form button. The clear button is optional and resets all form values to their
original values.
❐ Form action URI: Thevalue is the authentication virtual URL plus the query
string containing the base64 encoded original URL $(x-cs-auth-form-action-
url).
❐ Form METHOD of POST. The form method must be POST. The ProxySG does
not process forms submitted with GET.
The ProxySG only parses the following input fields during form submission:
❐ PROXY_SG_USERNAME (required)
❐ PROXY_SG_PASSWORD (required)
❐ PROXY_SG_REQUEST_ID (required)
❐ PROXY_SG_PRIVATE_CHALLENGE_STATE (required)
❐ PROXY_SG_DOMAIN(optional) If specified, its value is prepended to the
username and separated with a backslash.
Authentication_form
The initial form, authentication_form, looks similar to the following:
<HTML>
<HEAD>
<TITLE>Enter Proxy Credentials for Realm $(cs-realm)</TITLE>
</HEAD>
<BODY>
<H1>Enter Proxy Credentials for Realm $(cs-realm)</H1>
<P>Reason for challenge: $(exception.last_error)
<P>$(x-auth-challenge-string)
<FORM METHOD="POST" ACTION=$(x-cs-auth-form-action-url)>
$(x-cs-auth-form-domain-field)
<P>Username: <INPUT NAME="PROXY_SG_USERNAME" MAXLENGTH="64"
VALUE=$(cs-username)></P>
<P>Password: <INPUT TYPE=PASSWORD NAME="PROXY_SG_PASSWORD"
MAXLENGTH="64"></P>
<INPUT TYPE=HIDDEN NAME="PROXY_SG_REQUEST_ID" VALUE=$(x-cs-auth-
request-id)>
<INPUT TYPE=HIDDEN NAME="PROXY_SG_PRIVATE_CHALLENGE_STATE"
VALUE=$(x-auth-private-challenge-state)>
1251
SGOS 6.2 Administration Guide
New_pin_form
<HTML>
<HEAD>
<TITLE>Create New PIN for Realm $(cs-realm)</TITLE>
<SCRIPT LANGUAGE="JavaScript"><!--
function validatePin() {
var info;
var pin = document.pin_form.PROXY_SG_PASSWORD;
if (pin.value != document.pin_form.PROXY_SG_RETYPE_PIN.value) {
info = "The PINs did not match. Please enter them again.";
} else {
// Edit this regular expression to match local PIN
definition
var re=/^[A-Za-z0-9]{4,16}$/
var match=re.exec(pin.value);
if (match == null) {
info = "The PIN must be 4 to 16 alphanumeric
characters";
} else {
return true;
}
}
alert(info);
pin.select();
pin.focus();
return false;
}// -->
</script>
</HEAD>
<BODY>
<H1>Create New PIN for Realm $(cs-realm)</H1>
<P>$(x-auth-challenge-string)
<FORM NAME="pin_form" METHOD="POST" ACTION=$(x-cs-auth-form-action-
url)ONSUBMIT="return validatePin()">
$(x-cs-auth-form-domain-field)
<P> Enter New Pin: <INPUT TYPE=PASSWORD NAME="PROXY_SG_PASSWORD"
MAXLENGTH="64"></P>
<P>Retype New Pin: <INPUT TYPE=PASSWORD NAME="PROXY_SG_RETYPE_PIN"
MAXLENGTH="64"></P>
<INPUT TYPE=HIDDEN NAME="PROXY_SG_USERNAME" VALUE=$(cs-username)>
1252
Chapter 64: Forms-Based Authentication
Query_form
<HTML>
<HEAD>
<TITLE>Query for Realm $(cs-realm)</TITLE>
</HEAD>
<BODY>
<H1>Query for Realm $(cs-realm)</H1>
<P>$(x-auth-challenge-string)
<FORM METHOD="POST" ACTION=$(x-cs-auth-form-action-url)>
$(x-cs-auth-form-domain-field)
<INPUT TYPE=HIDDEN NAME="PROXY_SG_USERNAME" VALUE=$(cs-username)>
<INPUT TYPE=HIDDEN NAME="PROXY_SG_REQUEST_ID" VALUE=$(x-cs-auth-
request-id)>
<INPUT TYPE=HIDDEN NAME="PROXY_SG_PRIVATE_CHALLENGE_STATE" VALUE=$(x-
auth-private-challenge-state)>
<INPUT TYPE=HIDDEN NAME="PROXY_SG_PASSWORD"">
<P><INPUT TYPE=SUBMIT VALUE="Yes"
ONCLICK="PROXY_SG_PASSWORD.value='Y'">
<INPUT TYPE=SUBMIT VALUE="No" ONCLICK="PROXY_SG_PASSWORD.value='N'"></
P>
</FORM>
<P>$(exception.contact)
</BODY>
</HTML>
x-auth-private-challenge-
state
1253
SGOS 6.2 Administration Guide
Note: Any substitutions that are valid in CPL and in other exceptions are valid in
authentication form exceptions. There is no realm restriction on the number of
authentication form exceptions you can create. You can have an unlimited
number of forms, but make them as generic as possible to cut down on
maintenance.
Storage Options
When a request requiring the user to be challenged with a form contains a body,
the request is stored on the ProxySG appliance while the user is being
authenticated. Storage options include:
❐ the maximum request size
❐ the expiration of the request
❐ whether to verify the IP address of the client requesting against the original
request
❐ whether to allow redirects from the origin server
The storage options are global, applying to all form exceptions you use.
The global allow redirects configuration option can be overridden on a finer
granularity in policy using the authenticate.redirect_stored_requests(yes|no)
action.
1254
Chapter 64: Forms-Based Authentication
1255
SGOS 6.2 Administration Guide
Note: View in the Authentication Forms panel and View in the Default
Definitions panel have different functions. View in the Authentication
Forms panel allows you to view the form you highlighted; View in the
Default Definitions panel allows you view the original, default settings
for each form. This is important in an upgrade scenario; any forms
already installed will not be changed. You can compare existing forms to
the default version and decide if your forms need to be modified.
3. Select one of the following installation options from the Install Authentication
Form from drop-down list:
1256
Chapter 64: Forms-Based Authentication
2. In the Maximum request size to store (Megabytes) field, enter the maximum POST
request size allowed during authentication. The default is 50 megabytes.
3. In the Request object expiry time (seconds) field, enter the amount of time before
the stored request expires. The default is 300 seconds (five minutes). The
expiry time should be long enough for the user to fill out and submit the
authentication form.
4. If you do not want the ProxySG to Verify the IP address against the original request,
deselect that option. The default is to verify the IP address.
5. To Allow redirects from the origin servers, select the check box. The default is to
not allow redirects from origin servers. Enable this option if you know that the
redirects are going to a known server.
6. Click Apply.
1257
SGOS 6.2 Administration Guide
❐ Which form to use during authentication is specified in policy using one of the
CPL conditions authenticate.form(form_name),
authenticate.new_pin_form(form_name), or authenticate.query_form
(form_name).
These conditions override the use of the initial forms for the cases where a
new pin form needs to be displayed or a query form needs to be displayed. All
three of the conditions verify that the form name has the correct type.
Note: Each of these conditions can be used with the form authentication
modes only. If no form is specified, the form defaults to the CPL condition for
that form. That is, if no name is specified for authenticate.form(form_name),
the default is authentication_form; if no name is specified for
authenticate.new_pin_form(form_name), the default is
authenticate.new_pin_form, and if no name is specified for
authenticate.query_form(form_name), the default is
authenticate.query_form.
1258
Chapter 64: Forms-Based Authentication
1259
SGOS 6.2 Administration Guide
1260
Chapter 65: Authentication and Authorization Errors
Following is the list of all groups and individual errors that can be permitted
during authentication and authorization. The first table lists the groups and the
individual errors within each group. The second table lists all of the individual
errors along with descriptions of the errors.
1261
SGOS 6.2 Administration Guide
1262
Chapter 65: Authentication and Authorization Errors
1263
SGOS 6.2 Administration Guide
1264
Chapter 65: Authentication and Authorization Errors
1265
SGOS 6.2 Administration Guide
1266
Chapter 65: Authentication and Authorization Errors
1267
SGOS 6.2 Administration Guide
1268
Chapter 65: Authentication and Authorization Errors
1269
SGOS 6.2 Administration Guide
1270
Chapter 65: Authentication and Authorization Errors
1271
SGOS 6.2 Administration Guide
1272
Chapter 65: Authentication and Authorization Errors
1273
SGOS 6.2 Administration Guide
1274
Chapter 65: Authentication and Authorization Errors
1275
SGOS 6.2 Administration Guide
1276
Chapter 66: Configuring Adapters and Virtual LANs
This section describes ProxySG network adapters, the adapter interfaces, and
how to configure the ProxySG to function within a Virtual LAN (VLAN)
environment. Although you most likely have performed initial configuration
tasks to get the ProxySG live on the network, this section provides additional
conceptual information to ensure the configuration matches the deployment
requirement.
How Do I...?
Identify the task to perform and click the link:
Verify the ProxySG is connected properly "About WAN and LAN Interfaces" on
based on the basic deployment type, such page 1278
as bridging and in-path?
Change the settings for default link "About Link Settings" on page 1280
speeds for interfaces?
1277
SGOS 6.2 Administration Guide
Verify that traffic is flowing through the "Viewing Interface Statistics" on page
interfaces and see what type of traffic it 1290
is?
Figure 66–1 Connecting WAN and LAN interfaces in-path with bridging.
1278
Chapter 66: Configuring Adapters and Virtual LANs
❐ Clients and WAN links connect to the ProxySG transparently through a router
with WCCP.
1279
SGOS 6.2 Administration Guide
The default intercept option depends on the type of license on this ProxySG:
❐ Proxy Edition: The default is Bypass transparent interception.
❐ Mach 5 Edition: The default is Allow transparent interception. The ProxySG
performs normal proxy interception, as configured in Configuration > Services,
for traffic on the interface. If you require this ProxySG to perform interception
of traffic on specific interface(s), set the other interfaces to either bypass
(bridge/forward, but do not intercept traffic on it) or firewall it (drop all traffic
not related to established proxy connections).
Note: When the 100 Mbps Ethernet interfaces on the ProxySG 210 are connected
to Gigabit Ethernet capable devices, they might incorrectly auto-negotiate when
fail-open pass-through is used.
If both the interfaces on these ProxySG appliances are connected to Gigabit
capable switches or hubs, Blue Coat recommends that you configure the link
settings manually to 100 Mbps. To configure the link settings, see Step 3 in "To
configure a network adapter:" on page 1285.
1280
Chapter 66: Configuring Adapters and Virtual LANs
The following table lists the results of various ProxySG and router link settings for
100 Mbps speeds. The values are listed in the format: speed/duplex.
Table 66–2 Results for 100 Mbps link speed settings on the ProxySG and the switch
Table 66–3 Results for 1Gbps link speed settings on the ProxySG and switch
See Also
"Verifying the Health of Services Configured on the ProxySG" on page 1391.
1281
SGOS 6.2 Administration Guide
1282
Chapter 66: Configuring Adapters and Virtual LANs
The trunk link carries both the native VLAN and all other VLAN (tagged)
packets, as illustrated in the following diagram.
Figure 66–5 A switch broadcasting native and regular VLAN traffic over a trunk
In this example, the client attached to port 7 belongs to VLAN 2. Even though port
7 is part of VLAN 2, it does not set tags or receive VLAN-tagged packets. The
switch associates the traffic with VLAN 2 and tags it accordingly when
appropriate. Conversely, it strips the VLAN 2 tag on the response. The trunk link
carries VLAN 1 (the native) and 2 traffic to a router that forwards traffic for those
VLANs.
Deployment complications arise when a device (other than a router) is required
between switches. Any network device without VLAN-tagging support might
drop or misinterpret the traffic.
As a best practice, do not deploy a device that is not configured to recognize
VLAN-tagged traffic in-path of a trunk link.
1283
SGOS 6.2 Administration Guide
The Management Console enables you to configure VLAN interfaces the same
way you configure physical interfaces. After a VLAN is added, it appears in the
list of network interfaces. Settings such as allow-intercept and reject-inbound
are applicable to VLAN interfaces.
The most common deployment is a ProxySG residing between two switches or a
switch and a router; in these cases, preserving tagged packets is essential to
proper network operation.
1284
Chapter 66: Configuring Adapters and Virtual LANs
1285
SGOS 6.2 Administration Guide
2a: Select
an adapter
2c
2b
• FDX/HDX:
1286
Chapter 66: Configuring Adapters and Virtual LANs
1287
SGOS 6.2 Administration Guide
7a
7b
7c
7d
8a
8b
1288
Chapter 66: Configuring Adapters and Virtual LANs
9a
9c
9b
9d
1289
SGOS 6.2 Administration Guide
1290
Chapter 66: Configuring Adapters and Virtual LANs
Mouse-
over for
exact
data
Packets The number of outgoing packets sent from this interface or VLAN.
Sent
Input The number of input and output errors that occurred on the interface
Errors (not applicable on VLANs). This information provides details that
Blue Coat Technical Support uses to troubleshoot issues.
Output
Errors
See Also
Chapter 71: "Monitoring the ProxySG" on page 1339
1291
SGOS 6.2 Administration Guide
1292
Chapter 67: Software and Hardware Bridges
This section describes the SGOS hardware and software bridging capabilities.
Network bridging through the ProxySG provides transparent proxy pass-
through and failover support.
About Bridging
A bridge is a network device that interconnects multiple computer networks.
Unlike a hub, a bridge uses the Ethernet frame’s destination MAC address to
make delivery decisions. Because these decisions are based on MAC
addressing, bridges are known as Layer 2 devices. This Layer 2 functionality is
similar to that used by switches. Bridging is especially useful in smaller
deployments in which explicit proxies or L4 switches are not feasible options.
Bridging functionality allows each ProxySG to be easily deployed as a
transparent redirection device, without requiring the additional expense and
maintenance of L4 switches or WCCP-capable routers. Transparent bridges are
deployed in-path between clients and routers—all packets must pass through
them, though clients are unaware of their presence.
1293
SGOS 6.2 Administration Guide
Traffic Handling
Bridges are used to segment Ethernet collision domains, thus reducing frame
collisions. To make efficient delivery decisions, the bridge must discover the
identity of systems on each collision domain. The bridge uses the source MAC
address of frames to determine the interface that the device can be reached from
and stores that information in the bridge forwarding table. When packets are
received, the bridge consults the forwarding table to determine which interface to
1294
Chapter 67: Software and Hardware Bridges
deliver the packet to. The only way to bypass the bridge forwarding table lookup
is to define a static forwarding entry. For more information on static forwarding
entries, see "Adding Static Forwarding Table Entries" on page 1305.
1295
SGOS 6.2 Administration Guide
fails open; that is, network traffic passes from one Ethernet interface to the other.
Therefore, network traffic is uninterrupted, but does not route through the
appliance.
After power is restored to the ProxySG, the bridge comes back online and
network traffic is routed to the appliance and thus is subject to that appliance’s
configured features, policies, content scanning, and redirection instructions.
Bridging supports only failover; it does not support load balancing.
Note: The adapter state is displayed on Configuration > Network > Adapters.
Deployment Recommendations
Blue Coat recommends racking and cabling the ProxySG while it is powered off.
This enables you to confirm that the pass-through adapter is functioning and that
traffic is passing through the appliance. If traffic is not being passed, confirm that
you have used the correct cabling (crossover or straight).
If the link goes down while propagation-failure is disabled, the previous link
state is immediately reflected to the other interface if propagation-failure is
enabled during this time.
1296
Chapter 67: Software and Hardware Bridges
3a
3b
3c
1297
SGOS 6.2 Administration Guide
4a
4b
4c
1298
Chapter 67: Software and Hardware Bridges
Note: If you create a software bridge, the programmable bridge card mode is
implicitly Fail Closed (if the appliance fails, the software bridge is non-functional).
1299
SGOS 6.2 Administration Guide
4a
4b
4c
Note: If the bridge adapters are not programmable, the mode commands are not visible.
1300
Chapter 67: Software and Hardware Bridges
Note: This setting only controls the bandwidth class used by bypassed traffic
on this bridge. To manage intercepted traffic, you must define a Manage
Bandwidth policy (using VPM or CPL).
3. Click Apply.
1301
SGOS 6.2 Administration Guide
Configuring Failover
In failover mode, two appliances are deployed, a master and a slave. The master
sends keepalive messages (advertisements) to the slaves. If the slaves do not receive
advertisements at the specified interval, the slave takes over for the master. When
the master comes back online, the master takes over from the slave again.
The SGOS bridging feature allows two different types of failover modes, parallel
and serial. Hardware and software bridges allow different failover modes:
❐ Software bridges allow serial or parallel failover. However, note that if the
ProxySG fails, serial failover also fails.
❐ Hardware bridges allow serial failover only.
Parallel Failover
In parallel failover mode, two systems are deployed side by side on redundant
paths. In parallel failover, the slave does not actively bridge any packets unless
the master fails. If the master fails, the slave takes over the master IP address and
begins bridging. A parallel failover configuration is shown in the following
figure.
Because of the redundant paths, you must enable Spanning Tree to avoid bridge
loops. See "Bridging Loop Detection" on page 1304 for more information about
STP.
Serial Failover
In serial failover mode, the slave is in-path and continuously bridges packets, but
does not perform any other operations to the bridged traffic unless the master
fails. If the master fails, the slave takes over the master IP address and applies
policy, etc. A serial configuration is shown in the following figure.
1302
Chapter 67: Software and Hardware Bridges
Configuring Failover
Failover is accomplished by doing the following:
❐ Creating virtual IP addresses on each proxy.
❐ Creating a failover group.
❐ Attaching the bridge configuration.
❐ Selecting a failover mode (parallel or serial).
Both proxies can have the same priority (for example, the default priority). In that
case, priority is determined by the local IP address—the ProxySG with the highest
local IP will assume the role of master.
Example
The following example creates a bridging configuration with one bridge on
standby.
Note: This deployment requires a hub on both sides of the bridge or a switch
capable of interface mirroring.
The preceding commands create a failover group called 10.0.0.4. The priority
is automatically set to 254 and the failover interval is set to 40.
❐ ProxySG B—software bridge IP address: 10.0.0.3. Create a virtual IP address
and a failover group.
SGOS_B#(config) virtual-ip address 10.0.0.4
SGOS_B#(config) failover
SGOS_B#(config failover) create 10.0.0.4
SGOS_B#(config failover) edit 10.0.0.4
SGOS_B#(config failover 10.0.0.4) enable
In the bridge configuration on each SG, attach the bridge configuration
to the failover group:
SGOS_A#(config bridge bridge_name) failover group 10.0.0.4
SGOS_B#(config bridge bridge_name) failover group 10.0.0.4
1303
SGOS 6.2 Administration Guide
4. Select the interface to configure and click Edit. The Edit Bridge Interface dialog
displays.
1304
Chapter 67: Software and Hardware Bridges
1305
SGOS 6.2 Administration Guide
2. Select the bridge to edit and click Edit. The Edit Bridge Interface dialog
displays.
3a
3c
3d
3b
1306
Chapter 67: Software and Hardware Bridges
GRE GRE
L2 GRE
L2 L2
1307
SGOS 6.2 Administration Guide
1308
Chapter 68: Configuring Management Services
1309
SGOS 6.2 Administration Guide
1310
Chapter 68: Configuring Management Services
7b
7c
7a
7d
1311
SGOS 6.2 Administration Guide
Selecting a Keyring
The ProxySG ships with a default keyring that can be reused with each secure
console that you create. You can also create your own keyrings.
To use the default keyring, accept the default keyring through the Management
Console. If using the CLI, the default keyring is automatically used for each new
HTTPS Console that is created.To use a different keyring you must edit the
console service and select a new keyring using the attribute keyring command.
Note: If you get “host mismatch” errors or if the security certificate is called out
as invalid, create a different certificate and use it for the HTTPS Console. For more
information on keyrings and certificates, see Chapter 59: "Managing X.509
Certificates" on page 1167.
1312
Chapter 68: Configuring Management Services
For information on creating a key pair and a certificate to make a keyring, see
Chapter 59: "Managing X.509 Certificates" on page 1167.
Selecting an IP Address
You can use any IPv4 or IPv6 address on the ProxySG for the HTTPS Console
service, including virtual IP addresses. Note that when IPv6 addresses are
specified, they must be global (not linklocal). For information on how to create a
virtual IP address, see "Creating a VIP" on page 899.
5b
5c
5a
5d
1313
SGOS 6.2 Administration Guide
4. (Optional) Select the appropriate options to determine the SSL version used
for this console.
5. Configure the new listener options:
a. Click New to view the New Listener dialog. A listener defines the fields
where the console service will listen for traffic.
b. Select a destination option:
• All ProxySG IP addresses—Indicates that service listens on all addresses
(IPv4 and IPv6).
• IP Address—Indicates that only destination addresses match the IP
address. You can enter an IPv4 or an IPv6 address. Note that when
IPv6 addresses are specified, they must be global (not linklocal).
c. Port—Identifies the port you want this service to listen on. Port 8081 is
the default port.
d. Enabled—Select this option to enable the listener.
e. Click OK to close the New Listener dialog.
6. Click OK to close the Edit Service dialog.
7. Click Apply.
1314
Chapter 68: Configuring Management Services
Note: By default, SSHv2 is enabled and assigned to port 22. You do not need to
create a new host key unless you want to change the existing configuration.
SSHv1 is disabled by default.
Note: If you disable both SSHv1 and SSHv2, you could be locked out of the CLI,
requiring you to re-create an SSH key pair using the terminal console. (You can re-
create the SSH keys through the Management Console.)
1315
SGOS 6.2 Administration Guide
Note: If you receive an error message when attempting to log in to the system
after regenerating the host key pair, locate the ssh known hosts file and delete the
system’s IP address entry.
1316
Chapter 68: Configuring Management Services
Note: The ProxySG cannot create client keys. You must use your SSH client
to create a key.
2. Select the Configuration > Authentication > Console Access > SSH Client tab.
4a
4b
1317
SGOS 6.2 Administration Guide
In the SSH Client tab, the fingerprint (a unique ID) of the imported key
displays.
5. Click Apply.
❐ The following subcommands are available for managing key pairs and other
global options:
SGOS (config ssh-console) create host-keypair {sshv1| sshv2 | <Enter>}
SGOS (config ssh-console) delete {client-key username key_id | legacy-
client-key key_id | director-client-key key_id | host-keypair {sshv1 |
sshv2 | <Enter>}}
SGOS (config ssh-console) inline {client-key <eof> | director-client-
key <eof> | sshv2-welcome-banner <eof>}
SGOS (config ssh-console) no sshv2-welcome-banner
SGOS (config ssh-console) view {client-key | director-client-key |
host-public-key | sshv2-welcome-banner | user-list | versions-enabled}
Note: If you do enable the Telnet console, be aware that you cannot use Telnet
everywhere in the CLI. Some modules, such as SSL, respond with the error
message:
Telnet sessions are not allowed access to ssl commands.
By default a Telnet shell proxy service exists on the default Telnet port (23). Since
only one service can use a specific port, you must delete the shell service if you
want to create a Telnet console. Be sure to apply any changes before continuing. If
you want a Telnet shell proxy service in addition to the Telnet console, you can re-
create it later on a different port. For information on the Telnet service, see
Chapter 15: "Managing Shell Proxies" on page 317.
1318
Chapter 68: Configuring Management Services
To create a new Telnet console service or edit an existing one, see "Creating a
Management Service" on page 1310.
Note: To use the Telnet shell proxy (to communicate with off-proxy systems)
and retain the Telnet Console, you must either change the Telnet shell proxy to
use a transparent Destination IP address, or change the destination port on
either the Telnet Console or Telnet shell proxy. Only one service is permitted
on a port. For more information on the Telnet shell proxy, see Chapter 15:
"Managing Shell Proxies" on page 317.
1319
SGOS 6.2 Administration Guide
1320
Chapter 69: Preventing Denial of Service Attacks
This section describes how the ProxySG prevents attacks designed to prevent
Web services to users.
1321
SGOS 6.2 Administration Guide
Note: If you edit an existing client’s limits to a smaller value, the new value only
applies to new connections to that client. For example, if the old value was 10
simultaneous connections and the new value is 5, existing connections above 5 are
not dropped.
1322
Chapter 69: Preventing Denial of Service Attacks
1323
SGOS 6.2 Administration Guide
2. Create a client.
SGOS#(config client) create {ip_address | ip_and_length}
block-action drop | send-tcp-rst Indicates the behavior when the client is at the
maximum number of connections: drop the connections
that are over the limit or send TCP RST for the
connection over the limit. The default is drop.
connection-limit integer Indicates the number of simultaneous connections
between 1 and 65534. The default is 100.
failure-limit integer Indicates the behavior when the specified client is at the
maximum number of connections: drop the connections
that are over the limit or send TCP RST for the
connection over the limit. The default is 50.
unblock-time minutes Indicates the amount of time a client is locked out at the
network level when the client-warning-limit is exceeded.
Time must be a multiple of 10 minutes, up to a
maximum of 1440. By default, the client is blocked until
explicitly unblocked.
warning-limit integer Indicates the number of warnings sent to the client
before the client is locked out at the network level and
the administrator is notified. The default is 10; the
maximum is 100.
1324
Chapter 69: Preventing Denial of Service Attacks
1325
SGOS 6.2 Administration Guide
Note: There are three thresholds that dictate when a client is blocked:
• Number of connections
• Number of failures
• Number of warnings
A client displays as blocked when it exceeds the number of failure or the
number of warnings, but not when it exceeds the number of connections.
1326
Chapter 69: Preventing Denial of Service Attacks
2. Create the first host in a server group, using the fully qualified domain name:
SGOS#(config server) create hostname
1327
SGOS 6.2 Administration Guide
1328
Chapter 70: Authenticating a ProxySG
1329
SGOS 6.2 Administration Guide
1330
Chapter 70: Authenticating a ProxySG
❐ The name of the CA Certificate List (CCL) that contains the names of
certificates of CAs trusted by this profile. If another device offers a valid
certificate signed by an authority in this list, the certificate is accepted. The
default is appliance-ccl. For information on CCLs, see "Creating CA
Certificate Lists" on page 1191.
❐ Verification of the peer certificate.
When the ProxySG is participating in device authentication as an SSL client,
the peer certificate verification option controls whether the server certificate is
validated against the CCL. If verification is disabled, the CCL is ignored.
When the ProxySG is participating in device authentication as an SSL server,
the peer certificate verification option controls whether to require a client
certificate. If verification is disabled, no client certificate is obtained during the
SSL handshake. The default is verify-peer-certificate enabled.
❐ Specification of how the device ID authorization data is extracted from the
certificate. The default is $(subject.CN).
❐ SSL cipher settings. The default is AES256-SHA.
Each Blue Coat appliance has an automatically-constructed profile called bluecoat-
appliance-certificate that can be used for device-to-device authentication. This
profile cannot be deleted or edited.
If you cannot use the built-in profile because, for example, you require a different
cipher suite or you are using your own appliance certificates, you must create a
different profile, and have that profile reference the keyring that contains your
certificate.
Note: If you do not want to use peer verification, you can use the built-in passive-
attack-detection-only profile in place of the bluecoat-appliance-certificate profile.
This profile uses a self-signed certificate and disables the verify-peer option, so
that no authentication is done on the endpoints of the connection. The traffic is
encrypted, but is vulnerable to active attacks.
This profile can be used only when there is no threat of an active man-in-the-
middle attack. Like the bluecoat-appliance certificate profile, the passive-attack-
detection-only profile cannot be edited or deleted.
If you create your own profile, it must contain the same kind of information that is
contained in the Blue Coat profile. To create your own profile, skip to "Creating an
SSL Device Profile for Device Authentication" on page 1335.
1331
SGOS 6.2 Administration Guide
To generate a CSR:
1. Select the Configuration > SSL > Appliance Certificates > Request Certificate tab.
2. Select Create CSR. The Appliance Certificate Signing Request dialog displays.
1332
Chapter 70: Authenticating a ProxySG
1333
SGOS 6.2 Administration Guide
The signed certificate displays, and can be pasted into the appliance-key
keyring.
-----BEGIN CERTIFICATE-----
MIIF/jCCBOagAwIBAgICAMowDQYJKoZIhvcNAQEFBQAwgbYxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTdW5ueXZhbGUxIDAeBgNV
BAoTF0JsdWUgQ29hdCBTeXN0ZW1zLCBJbmMuMRkwFwYDVQQLExBCbHVlIENvYXQs
IEFCUkNBMRswGQYDVQQDExJhYnJjYS5ibHVlY29hdC5jb20xJDAiBgkqhkiG9w0B
CQEWFXN5c2FkbWluQGJsdWVjb2F0LmNvbTAeFw0wNzAxMjkyMDM5NDdaFw0xMjAx
MjkyMDM5NDdaMIGGMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcT
CVN1bm55dmFsZTEgMB4GA1UEChMXQmx1ZSBDb2F0IFN5c3RlbXMsIEluYy4xHzAd
BgNVBAsTFkJsdWUgQ29hdCBTRzIwMCBTZXJpZXMxEzARBgNVBAMTCjA1MDUwNjAw
OTIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMBUmCuKSsSd+D5kJQiWu3OG
DNLCvf7SyKK5+SBCJU2iKwP5+EfiQ5JsScWJghtIo94EhdSC2zvBPQqWbZAJXN74
k/yM4w9ufjfo+G7xPYcMrGmwVBGnXbEhQkagc1FH2orINNY8SVDYVL1V4dRM+0at
YpEiBmSxipmRSMZL4kqtAgMBAAGjggLGMIICwjAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIE8DBOBgNVHSUERzBFBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBgsr
BgEEAfElAQECAQYLKwYBBAHxJQEBAgIGCysGAQQB8SUBAQIDMB0GA1UdDgQWBBSF
NqC2ubTI7OT5j+KqCPGlSDO7DzCB6wYDVR0jBIHjMIHggBSwEYwcq1N6G1ZhpcXn
OTIu8fNe1aGBvKSBuTCBtjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExEjAQBgNVBAcTCVN1bm55dmFsZTEgMB4GA1UEChMXQmx1ZSBDb2F0IFN5c3Rl
bXMsIEluYy4xGTAXBgNVBAsTEEJsdWUgQ29hdCwgQUJSQ0ExGzAZBgNVBAMTEmFi
cmNhLmJsdWVjb2F0LmNvbTEkMCIGCSqGSIb3DQEJARYVc3lzYWRtaW5AYmx1ZWNv
YXQuY29tggkAhmhbUPEEb60wgZ8GCCsGAQUFBwEBBIGSMIGPMEkGCCsGAQUFBzAB
hj1odHRwczovL2FicmNhLmJsdWVjb2F0LmNvbS9jZ2ktYmluL2RldmljZS1hdXRo
ZW50aWNhdGlvbi9vY3NwMEIGCCsGAQUFBzAChjZodHRwOi8vYWJyY2EuYmx1ZWNv
YXQuY29tL2RldmljZS1hdXRoZW50aWNhdGlvbi9jYS5jZ2kwSAYDVR0fBEEwPzA9
oDugOYY3aHR0cDovL2FicmNhLmJsdWVjb2F0LmNvbS9kZXZpY2UtYXV0aGVudGlj
YXRpb24vQ1JMLmNybDBfBgNVHSAEWDBWMFQGCisGAQQB8SUBAQEwRjBEBggrBgEF
BQcCARY4aHR0cDovL2FicmNhLmJsdWVjb2F0LmNvbS9kZXZpY2UtYXV0aGVudGlj
YXRpb24vcnBhLmh0bWwwDQYJKoZIhvcNAQEFBQADggEBACIhQ7Vu6aGJBpxP255X
d2/Qw7NiVsnqOlAy913QZlieFfVATJnCeSrH+M9B/2XtnRxVT0/ZWrf4GbsdYqTF
hc9jR/IwKu6kZq32Dqo8qFU5OzbAEzT2oebB5QgwuJtHcJHggp9PS9uS27qAnGQK
OeB2bYcjWtMvTvr50iDOV69BEQz+VXos8QiZmRHLVnebQSjl3bi1w3VjBw31tCmc
clgz0SlN9ZmJdRU/PlWdNVqD4OLqcMZQ53HqcdWNEzN2uvigIb//rM7XazK7xIaq
r23/+BsZlYKAeVMq3PEmxaA2zLzO+jf79a8ZvIKrF27nNuTN7NhFL/V6pWNE1o9A
rbs=
-----END CERTIFICATE-----
1334
Chapter 70: Authenticating a ProxySG
Note: You cannot put a Blue Coat appliance certificate into a keyring you
create yourself.
1335
SGOS 6.2 Administration Guide
3. Name: Give the profile a meaningful name. The only valid characters are
alphanumeric, the underscore, and hyphen, and the first character must be a
letter.
4. SSL protocol versions: Change the default from SSLv2v3TLSv1 to any other
protocol listed in the drop-down list.
5. Keyring: From the drop-down list, select the keyring you want to use for device
authentication.
Note: You must create a new keyring for device authentication if you do not use
the appliance-key keyring. The other keyrings shipped with the ProxySG are
dedicated to other purposes. For information on creating a new keyring, see
"Creating a Keyring" on page 1173.
6. CCL: From the drop-down list, select the CA Certificate List you want to use.
7. Device ID extractor: The field describes how device ID information is extracted
from a presented certificate. The string contains references to the attributes of
the subject or issuer in the form $(subject.attr[.n]) or $(issuer.attr[.n]),
where attr is the short-form name of the attribute and n is the ordinal
instance of that attribute, counting from 1 when the subject is in LDAP (RFC
2253) order. If n is omitted, it is assumed to be 1.
The default is $(subject.CN); many other subject attributes are recognized,
among them OU, O, L, ST, C, and DC.
8. Verify peer: This setting determines whether peer certificates are verified
against the CCL or whether client certificates are required.
1336
Chapter 70: Authenticating a ProxySG
1337
SGOS 6.2 Administration Guide
1338
Chapter 71: Monitoring the ProxySG
This section describes the methods you can use to monitor your ProxySG
appliances, including disk management, event logging, monitoring network
devices (SNMP), and health monitoring. The section also provides a brief
introduction to Director.
Topics
❐ Section A: "Using Director to Manage ProxySG Systems" on page 1340
❐ Section B: "Monitoring the System and Disks" on page 1345
❐ Section C: "Configuring Event Logging and Notification" on page 1350
❐ Section D: "Monitoring Network Devices (SNMP)" on page 1357
❐ Section E: "Configuring Health Monitoring" on page 1375
1339
SGOS 6.2 Administration Guide
1340
Chapter 71: Monitoring the ProxySG
Note:
• Regardless of whether or not you register the appliance with Director,
communication between the ProxySG appliance and Director is secured
using SSHv2.
• The ProxySG uses interface 0:0 to register with Director. Before you
attempt to register a ProxySG with Director, make sure its interfaces, static
routes, and Internet gateways are configured properly to allow
communication to succeed.
• The Blue Coat appliance certificate is an X.509 certificate that contains the
hardware serial number of a specific ProxySG as the Common Name (CN)
in the subject field. See "Appliance Certificates and SSL Device Profiles"
on page 1330 for more information about appliance certificates.
Registration Requirements
To register the appliance with Director, the SSH Console management service on
the ProxySG must be enabled. Director registration will fail if the SSH Console has
been disabled or deleted, or if the SSHv2 host key has been deleted.
Ports 8085 and 8086 are used for registration from the ProxySG to Director. If
Director is already in the network, you do not need to open these ports. If you
have a firewall between the ProxySG and Director and you want to use the
registration feature, you must open ports 8085 and 8086.
Continue with "Registering the ProxySG with Director" .
1341
SGOS 6.2 Administration Guide
3
4
6
Note: Refer to the Blue Coat Director Configuration and Management Guide for
more information about configuring the registration password. For
information about appliance certificates, see Chapter 59: "Managing X.509
Certificates" on page 1167.
6. Click Register.
After the registration process is complete, Director communicates with the
ProxySG using SSH-RSA. The appliance’s administrative password, enable
mode password, serial console password, and front panel PIN are values
known only to Director.
Note: To verify or confirm that a ProxySG is registered with a Director (in the
CLI):
#sh ssh-console director-client-key
This returns either:
% missing client key list
or
director xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
1342
Chapter 71: Monitoring the ProxySG
For more information, see the Blue Coat Director Configuration and Management
Guide.
Important: You must add the Director identification at the end of the client
key. The example shows the username, IP address, and MAC address of
Director. Director must be the username, allowing you access to passwords in
clear text.
1343
SGOS 6.2 Administration Guide
To delete a key:
SGOS#(config ssh-console) delete director-client-key clientID
1344
Chapter 71: Monitoring the ProxySG
Enables you to perform systems tasks, such as restarting the system and
clearing the DNS or object cache. See "Performing Maintenance Tasks" on
page 1453 for information about these tasks.
❐ Environment
Displays details about the installed disks and enables you take them offline.
❐ SSL Cards
Note: The Management Console for SG400 appliances does not contain an
Environment tab.
1345
SGOS 6.2 Administration Guide
❐ Configuration area:
• Model—The model number of this ProxySG.
• Disks Installed—The number of disk drives installed in the ProxySG. The
Disks tab displays the status of each drive.
• Memory installed—The amount of RAM installed in the ProxySG.
• CPUs installed—The number of CPUs installed in the ProxySG.
• IP Address—The IP address assigned to this ProxySG.
• Software version—The SGOS image name and edition type (Mach 5 or
Proxy).
• Serial release ID—The SGOS image version number.
• NIC 0 MAC—The MAC address assigned to the connected interface(s).
• Serial number—The ProxySG serial number.
❐ General Status area:
• System started—The most recent time and date that the ProxySG was
started.
• CPU utilization—The current percent of CPU usage.
Note: The health monitoring metrics on the Statistics > Health page also display the
state of environmental sensors. See Section E: "Configuring Health Monitoring"
on page 1375 for more information.
The SG400 model ProxySG does not support viewing environmental statistics.
Note: This displayed contents of this tab varies depending on the type of
ProxySG. Systems with multiple disks display environmental information for
each disk.
1346
Chapter 71: Monitoring the ProxySG
If any disk statistics display statuses other than OK, the ProxySG is experiencing
environmental stress, such as higher than advised heat. Ensure the area is
properly ventilated.
Note: The name and displayed contents of this tab differs, depending on the
range of disks available to the ProxySG model you use.
1347
SGOS 6.2 Administration Guide
b. Click OK.
Note: Since there are no physical appliance disks in a virtual appliance, the Take
disk x offline button is not available on the ProxySG VA.
Note: You cannot view statistics about SSL accelerator cards through the CLI.
1348
Chapter 71: Monitoring the ProxySG
1349
SGOS 6.2 Administration Guide
Severe errors Writes only severe error messages to the event log.
Configuration Writes severe and configuration change error messages to the
events event log.
Policy messages Writes severe, configuration change, and policy event error
messages to the event log.
Informational Writes severe, configuration change, policy event, and
information error messages to the event log.
Verbose Writes all error messages to the event log.
When you select an event level, all levels above the selection are included. For
example, if you select Verbose, all event levels are included.
3. Click Apply.
1350
Chapter 71: Monitoring the ProxySG
2. In the Event log size field, enter the maximum size of the event log in
megabytes.
3. Select the action that occurs when the event log reaches maximum size:
• Overwrite earlier events—TheProxySG overwrites the oldest event entries,
replacing with the most recent events. With this option, there is no way to
recover overwritten events.
• Stop logging new events—The ProxySG retains all of the entries to date, but
any new events are not recorded.
4. Click Apply.
1351
SGOS 6.2 Administration Guide
Note: The ProxySG must know the host name or IP address of your SMTP mail
gateway to mail event messages to the e-mail address(es) you have entered. If you
do not have access to an SMTP gateway, use the Blue Coat default SMTP gateway
to send event messages directly to Blue Coat.
The Blue Coat SMTP gateway sends mail only to Blue Coat. It will not forward
mail to other domains.
Note: The default port used for SMTP is 25. If your configuration uses a
different port , you can set the port number with the following CLI command:
1352
Chapter 71: Monitoring the ProxySG
4. (Optional) The Clear SMTP Settings option clears the selected setting, but it does
not delete the setting. For example, if you click SMTP gateway name and click
Clear SMTP Settings, the value disappears. When you click SMTP gateway name
again, the value re-displays.
5. (Optional) You can specify the sender’s email address in the Custom ‘From’
address field. For example, you can enter the e-mail address of the lab manager
responsible for administering ProxySG appliances.
By default, the field is empty and email notifications use the name of the
ProxySG as the sender address. For information on configuring the appliance
name, see "Configuring the ProxySG Name" on page 36.
6. Click Apply.
Note: When a host is removed from the active syslog host list, a message
indicating that syslog has been deactivated is sent to the host(s). This message
alerts administrators that this host will no longer be receiving logs from this
ProxySG.
1353
SGOS 6.2 Administration Guide
Note: Event log messages are automatically emailed to all syslog servers in
the loghost list.
1354
Chapter 71: Monitoring the ProxySG
1355
SGOS 6.2 Administration Guide
If the date is omitted in either start or end, it must be omitted in the other one
(that is, if you supply just times, you must supply just times for both start and
end, and all times refer to today). The time is interpreted in the current time zone
of the appliance.
Note: If the notation includes a space, such as between the start date and the start
time, the argument in the CLI should be quoted.
Example
SGOS# show event-log start "2009-10-22 9:00:00" end "2009-10-22
9:15:00"
2009-10-22 09:00:02+00:00UTC "Snapshot sysinfo_stats has fetched /
sysinfo-stats " 0 2D0006:96 ../Snapshot_worker.cpp:183
2009-10-22 09:05:49+00:00UTC "NTP: Periodic query of server
ntp.bluecoat.com, system clock is 0 seconds 682 ms fast compared to NTP
time. Updated system clock. " 0 90000:1 ../ntp.cpp:631
1356
Chapter 71: Monitoring the ProxySG
Introduction to SNMP
Simple Network Management Protocol (SNMP) is used in network management
systems to monitor network devices for health or status conditions that require
administrative attention. The ProxySG supports SNMPv1, SNMPv2c, and
SNMPv3.
This section discusses the following topics:
❐ "Typical Uses of SNMP"
❐ "Types of SNMP Management" on page 1357
❐ "Components of an SNMP Managed Network" on page 1358
1357
SGOS 6.2 Administration Guide
See Also
❐ "About Management Information Bases (MIBs)"
1358
Chapter 71: Monitoring the ProxySG
See Also
❐ "Configuring SNMP Communities" on page 1363
❐ "Changing Threshold and Notification Properties" on page 1384
❐ "Adding Community Strings for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP Traps for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP for SNMPv3"
❐ "Configuring SNMP Traps and Informs for SNMPv3"
1359
SGOS 6.2 Administration Guide
One of the many uses for MIBs is to monitor system variables to ensure that the
system is performing adequately. For example, a specific MIB can monitor
variables such as temperatures and voltages for system components and send
traps when something goes above or below a set threshold.
The Blue Coat MIB specifications adhere to RFC1155 (v1-SMI), RFC1902 (v2-SMI),
RFC1903 (v2-TC), and RFC1904 (v2-CONF.)
Note: Some common MIB types, such as 64-bit counters, are not supported by
SNMPv1. We recommend using either SNMPv2c or, for best security, SNMPv3.
The ProxySG uses both public MIBs and Blue Coat proprietary MIBs. You can
download the MIB files from the Blue Coat Web site.
1. Go to https://bto.bluecoat.com/download.
2. Click the link for the SGOS version you have. The page displays for the
software release you specified.
3. Click the MIBS link in the Product Files box. A file download dialog displays.
4. Click Save to navigate to the location to save the zip file of MIBs.
Note: To load the Blue Coat MIBs on an SNMP network manager, also load the
dependent MIBs. Most commercial SNMP-based products load these MIBs when
the software starts.
1360
Chapter 71: Monitoring the ProxySG
6a
6b
6c
1361
SGOS 6.2 Administration Guide
All selects all IP addresses on the proxy. Alternatively, you can select a specific
proxy’s IP address. You must always choose a port. By default, the listener is
enabled.
1362
Chapter 71: Monitoring the ProxySG
See Also
❐ "Managing Proxy Services" on page 119
To configure SNMP:
1. Select the Maintenance > SNMP > SNMP General tab.
2. In the Protocols area, SNMPv1, SNMPv2, and SNMPv3 are all enabled by default.
Select the specific versions that match the configuration of your SNMP
manager.
Note: Only SNMPv3 uses the Engine ID, which is required to be unique
among SNMP agents and systems that are expected to work together.
The Engine ID is set by default to a value that is derived from the
ProxySG serial number and the Blue Coat SNMP enterprise code. This is
a unique hexadecimal identifier that is associated with the ProxySG. It
appears in each SNMP packet to identify the source of the packet. The
configured bytes must not all be equal to zero or to 0FFH (255).
If you reset the engine ID and want to return it to the default, click Set to
Default. You do not need to reboot the system after making configuration
changes to SNMP.
1363
SGOS 6.2 Administration Guide
3. In the Traps and Informs area, enable traps and informs, as required.
a. Select Enable use of traps and informs to enable SNMP traps (for
SNMPv1, SNMPv2c, and SNMPv3) or informs (for SNMPv2c and
SNMPv3 only).
b. Select Enable SNMP authentication failure traps to have an SNMP
authentication failure trap sent when the SNMP protocol has an
authentication failure.
Note: For SNMPv1 and SNMPv2c, this happens when the community
string in the SNMP packet is not correct (does not match one that is
supported). For SNMPv3, this happens when the authentication hash of
an SNMP packet is not correct for the specified user.
c. To perform a test trap, click Perform test trap, enter the trap data (string)
to be sent, and click Execute Trap. This sends a policy notification, as
defined in the BLUECOAT-SG-POLICY-MIB, to all configured trap and
inform recipients, and it is intended as a communications test.
4. In the sysContact field, enter a string that identifies the person responsible for
administering the appliance.
5. In the sysLocation field, enter a string that describes the physical location of the
appliance.
6. Click Apply.
1364
Chapter 71: Monitoring the ProxySG
See Also
❐ "Monitoring Network Devices (SNMP)"
❐ "Adding and Enabling an SNMP Service and SNMP Listeners"
❐ "Adding Community Strings for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP Traps for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP for SNMPv3"
❐ "Configuring SNMP Traps and Informs for SNMPv3"
1365
SGOS 6.2 Administration Guide
1366
Chapter 71: Monitoring the ProxySG
See Also
❐ "Adding and Enabling an SNMP Service and SNMP Listeners"
❐ "Configuring SNMP for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP Users for SNMPv3"
❐ "Monitoring Network Devices (SNMP)"
1367
SGOS 6.2 Administration Guide
1368
Chapter 71: Monitoring the ProxySG
See Also
❐ "Monitoring Network Devices (SNMP)"
❐ "About SNMP Traps and Informs"
❐ "Adding and Enabling an SNMP Service and SNMP Listeners"
❐ "Configuring SNMP Communities"
❐ "Adding Community Strings for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP for SNMPv3"
❐ "Configuring SNMP Users for SNMPv3"
❐ "Configuring SNMP Traps and Informs for SNMPv3"
1369
SGOS 6.2 Administration Guide
4a
4b
4c
5a
5b
5c
1370
Chapter 71: Monitoring the ProxySG
To edit a user:
1. Select Maintenance > SNMP > SNMPv3 Users.
2. Select the user to edit and click Edit. The Edit (user name) dialog displays.
1371
SGOS 6.2 Administration Guide
See Also
❐ "Configuring SNMP Communities"
❐ "Adding Community Strings for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP Traps for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP Traps and Informs for SNMPv3"
1372
Chapter 71: Monitoring the ProxySG
Related Syntax to Add and Edit Traps and Informs for SNMPv3
#(config snmp)edit user username
1373
SGOS 6.2 Administration Guide
See Also
❐ "About SNMP Traps and Informs"
❐ "Configuring SNMP Communities"
❐ "Adding Community Strings for SNMPv1 and SNMPv2c"
❐ "Configuring SNMP Traps for SNMPv1 and SNMPv2c"
1374
Chapter 71: Monitoring the ProxySG
Health Click on
monitor this link
Figure 71–1 Health Monitor as displayed on the Management Console
See Also
❐ "About Health Monitoring"
1375
SGOS 6.2 Administration Guide
1376
Chapter 71: Monitoring the ProxySG
CRITICAL
WARNING
OK
Value
0 5 10 15 20 25 30 35 40 45 50 55 60
Time 20 seconds below the Warning threshold an
OK notification is sent
Legend:
Configured threshold interval, 20 seconds
Figure 71–2 Relationship between the threshold value and threshold interval
Note: A change in health status does not always indicate a problem that requires
corrective action; it indicates that a monitored metric has deviated from the
normal operating parameters.
The Health: indicator is always visible in the Management Console, and the color
and text reflect the most severe health state for all metrics— red for Critical, yellow
for Warning, and green for OK. In the Health Monitoring > Statistics panel, the tabs for
General, License, and Status metrics change color to reflect the most severe state of
the metrics they contain. You might click the tabs to view the problem and assess
1377
SGOS 6.2 Administration Guide
the information. Based on the cause for the alert, the administrator might take
diagnostic action or redefine the normal operating parameters for the metric and
restore the health state of the ProxySG.
For example, if the revolutions per minute for Fan 1 Speed falls below the warning
threshold, the appliance’s health transitions to Warning. Because Fan 1 Speed is a
metric in the Status tab, the Statistics > Health Monitoring > Status tab turns yellow. By
clicking the Health: link and navigating to the yellow tab, you can view the alert.
You might then examine the fan to determine whether it needs to be replaced (due
to wear and tear) or if something is obstructing its movement.
To facilitate prompt attention for a change in the health state, you can configure
notifications on the appliance.
1378
Chapter 71: Monitoring the ProxySG
The health check status metric is also not configurable. It takes into account the
most acute value amongst the configured health checks and the severity
component for each health check.
Severity of a health check indicates how the value of a failed health check affects
the overall health of the ProxySG, as indicated by the health monitor.
If, for example, three health checks are configured on the ProxySG:
❐ dns.192.0.2.4 with severity No-effect
❐ fwd.test with severity Warning
❐ auth.service with severity Critical
The value of the health check status metric adjusts in accordance with the success
or failure of each health check and its configured severity as shown below:
If all three health checks report healthy, the health check status metric is OK.
If dns.192.0.2.4 reports unhealthy, the health check status remains OK. The
health check status metric does not change because its severity is set to no-effect.
If fwd.test reports unhealthy, the health check status transitions to Warning. This
transition occurs because the severity for this health check is set to warning.
If auth.service reports unhealthy, the health check status becomes Critical
because its severity is set to critical.
Subsequently, even if fwd.test reports healthy, the health check status remains
critical as auth.service reports unhealthy.
The health check status transitions to OK only if both fwd.test and auth.service
report healthy.
Table 71–1 Health Check Status Metric — Combines the Health Check Result and the Severity Option
You can configure the default Severity for all health checks in the Configuration >
Health Checks > General > Default Notifications tab. For more information on
configuring the severity option for health checks, see Chapter 72: "Verifying the
Health of Services Configured on the ProxySG" on page 1391.
1379
SGOS 6.2 Administration Guide
CPU Utilization 95% / 120 seconds 80% / 120 seconds Measures the value of the
primary CPU on multi-
processor systems — not
the average of all CPU
activity.
Memory 95% / 120 seconds 90% / 120 seconds Measures memory use
Utilization and tracks when memory
resources become limited,
causing new connections
to be delayed.
Interface 90% / 120 seconds 60% / 120 seconds Measures the traffic (in
Utilization and out) on the interface
to determine if it is
approaching the
maximum capacity.
(bandwidth maximum)
See Also:
❐ "Changing Threshold and Notification Properties" on page 1384
❐ "Snapshot of the Default Threshold Values and States" on page 1383
❐ "Health Monitoring Cycle" on page 1377
❐ "Health Monitoring Example" on page 1376
1380
Chapter 71: Monitoring the ProxySG
The threshold values for license expiration metrics are set in days until expiration.
In this context, a critical threshold indicates that license expiration is imminent.
Thus, the Critical threshold value should be smaller than the Warning threshold
value. For example, if you set the Warning threshold to 45, an alert is sent when
there are 45 days remaining in the license period. The Critical threshold would be
less than 45 days, for example 5 days.
For license expiration metrics, the threshold interval is irrelevant and is set to 0.
Note: For new ProxySG appliances running SGOS 5.3 or higher, the default
Warning threshold for license expiration is 15 days.
For ProxySG appliances upgrading from earlier versions to SGOS 5.4, the default
Warning threshold remains at the same value prior to the upgrade. For example,
if the Warning threshold was 30 days prior to the upgrade, the Warning threshold
will remain at 30 days after the upgrade.
Refer to the most current Release Notes for SGOS upgrade information.
License 90% / 120 seconds 80% / 120 seconds Monitors the number of
Utilization users using the ProxySG.
30 days / 0
(For non-new ProxySG
appliances upgrading
from earlier versions of
SGOS)
See Also
❐ "About User Limits" on page 146.
❐ "Tasks for Managing User Limits" on page 148.
❐ Chapter 3: "Licensing" on page 45.
1381
SGOS 6.2 Administration Guide
Voltage — Bus Voltage, CPU Voltage, Power Threshold states and values vary by
Supply Voltage ProxySG models
1382
Chapter 71: Monitoring the ProxySG
1383
SGOS 6.2 Administration Guide
Health Check No health checks with One or more health One or more
Status Severity: Warning or checks with Severity: health checks
Critical are failing. Warning has failed. with
A health check with Severity: Critical
Severity: No-effect might has failed.
be failing.
1384
Chapter 71: Monitoring the ProxySG
4a
4b
4c
4d
1385
SGOS 6.2 Administration Guide
1386
Chapter 71: Monitoring the ProxySG
1387
SGOS 6.2 Administration Guide
3. To get more details about a metric, highlight the metric and click View. The View
Metrics Detail dialog displays.
1388
Chapter 71: Monitoring the ProxySG
See Also:
❐ "About Health Monitoring" on page 1375
❐ "Planning Considerations for Using Health Monitoring" on page 1378
❐ "About the Health Monitoring Metric Types" on page 1378
❐ "About the General Metrics" on page 1380
❐ "About the Licensing Metrics" on page 1380
❐ "About the Status Metrics" on page 1382
❐ "Snapshot of the Default Threshold Values and States" on page 1383
1389
SGOS 6.2 Administration Guide
1390
Chapter 72: Verifying the Health of Services Configured on
the ProxySG
This section discusses Blue Coat health checks, which enable you to determine
the availability of external networking devices and off-box services.
Topics
Refer to the following topics:
❐ Section A: "Overview" on page 1392
❐ Section B: "About Blue Coat Health Check Components" on page 1395
❐ Section C: "Configuring Global Defaults" on page 1401
❐ Section D: "Forwarding Host and SOCKS Gateways Health Checks" on
page 1413
❐ Section E: "DNS Server Health Checks" on page 1419
❐ Section F: "Authentication Health Checks" on page 1423
❐ Section G: "Virus Scanning and Content Filtering Health Checks" on page
1427
❐ Section H: "Managing User-Defined Health Checks" on page 1433
❐ Section I: "Viewing Health Check Statistics" on page 1444
❐ Section J: "Using Policy" on page 1450
❐ Section K: "Related CLI Syntax to Configure Health Checks" on page 1451
1391
SGOS 6.2 Administration Guide
Section A: Overview
Section A: Overview
The ProxySG performs health checks to test for network connectivity and to
determine the responsiveness of external resources. Examples of external
resources include: DNS servers, forwarding hosts, SOCKS gateways,
authentication servers, ICAP services (for example, anti-virus scanning services),
and Websense off-box services.
The ProxySG automatically generates health checks based on:
❐ Forwarding configuration
❐ SOCKS gateways configuration
❐ DNS server configuration
❐ ICAP service configuration
❐ Websense off-box configuration
❐ Authentication realm configuration
❐ Whether Dynamic Real-Time Rating (DRTR) is enabled
You also can create user-defined health checks, including a composite health
check that combines the results of multiple other health check tests. For
information on health check types, see Section B: "About Blue Coat Health Check
Components" on page 1395.
Health checks fall into three broad categories:
❐ Determining if the IP address can be reached. Health check types that fall into
this category are:
• Forwarding hosts
• SOCKS gateways
• User-defined host health checks
❐ Determining if a service is responsive. Health check types that fall into this
category are:
• Authentication servers
• DNS server
• Dynamic Real-Time Rating (DRTR) service
• ICAP services
• Websense off-box services
1392
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Section A: Overview
1393
SGOS 6.2 Administration Guide
Section A: Overview
1394
Chapter 72: Verifying the Health of Services Configured on the ProxySG
1395
SGOS 6.2 Administration Guide
Some health check types only have one matching test, while others have a
selection. For more information about health check types and tests, see Table 72–1
on page 1397.
Note: Although a host health check tests an upstream server, it can also be
used to test whether a proxy is working correctly. To test HTTP/HTTPS
proxy behavior, for example, you can set up a host beyond the proxy, and
then use forwarding rules so the health check passes through the proxy to the
host, allowing the proxy to be tested.
User-defined health checks allow you to test for attributes that the ProxySG does
not test automatically. For example, for a forwarding host, you could perform
three user-defined tests — an HTTP test, an HTTPS test, and a TCP test of other
ports. Then, you can set up a composite health check that combines the results of
these user-defined tests to represent the health of the forwarding host. The
ProxySG reports the status of the (user-defined) composite health check as the
forwarding host's health, instead of the default forwarding host health check.
All health check types are given standardized names, based on the name of the
target. For example:
❐ Forwarding hosts and groups have a prefix of fwd
❐ DNS servers have a prefix of dns
❐ SOCKS gateways and gateway groups have a prefix of socks
❐ Authentication realms have a prefix of auth
❐ External services have prefixes of icap, ws, and drtr
❐ User-defined or composite health checks have a prefix of user
1396
Chapter 72: Verifying the Health of Services Configured on the ProxySG
ICMP Test (Layer The basic connection between the ProxySG and Forwarding
3) the origin server is confirmed. The server must hosts, SOCKS
recognize ICMP echoing, and any intervening gateways, or
networking equipment must support ICMP. user-defined
The ProxySG appliance sends a ping (three hosts
ICMP echo requests) to the host.
ICMP tests do not support policy for SOCKS
gateways or forwarding.
1397
SGOS 6.2 Administration Guide
1398
Chapter 72: Verifying the Health of Services Configured on the ProxySG
External Services The tests for external services are specialized ICAP, Websense
Tests tests devised for each particular kind of external off-box, DRTR
service. The health check system conducts service.
external service tests by sending requests to the
external services system, which reports back a
health check result.
Group Individual tests that are combined for any of the Forwarding
four different available groups (forwarding, groups, SOCKS
SOCKS gateways, ICAP services, and Websense gateways
off-box). If any of the members is healthy, then groups, and
the group as a whole is considered healthy. ICAP and
Note: Blue Coat supports a composite test, used Websense off-
only with composite (user-defined) health box external
checks, that is similar to a group test except that, service groups.
by default, all members must be healthy for the
result to be healthy.
These settings are configurable.
By default, group health tests are used for two
purposes:
• Monitoring and notification
• Policy
DNS Server The DNS server maps the hostname, default is DNS
www.bluecoat.com, to an IP address. The health
check is successful if the hostname can be
resolved to an IP address by the DNS server.
1399
SGOS 6.2 Administration Guide
See Also
❐ "To edit forwarding and SOCKS gateways health checks:" on page 1414
❐ "To edit forwarding or SOCKS gateway group health checks:" on page 1415
❐ "To edit a DNS server health check:" on page 1420
❐ "To edit an authentication health check:" on page 1423
❐ "To edit virus scanning and content filtering tests:" on page 1427
❐ "To edit Websense off-box or ICAP group tests:" on page 1430
❐ "To create a user-defined host health check:" on page 1435
❐ "To create a user-defined composite health check:" on page 1439
1400
Chapter 72: Verifying the Health of Services Configured on the ProxySG
1401
SGOS 6.2 Administration Guide
Note: Individual health checks for members of a group remain active; they can
be used apart from the group.
1402
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Note: Severity of a health check is pertinent only when a health check fails.
The ProxySG allows you to configure the severity option to Critical, Warning and
No effect. Set the severity of a health check to:
❐ Critical: If the success of a health check is crucial to the health of the device. If
the health check then reports unhealthy, the overall health status becomes
Critical.
1403
SGOS 6.2 Administration Guide
When a status change notification e-mail is sent to a listed user, it includes the
following information in the e-mail subject line:
❐ Appliance name (see the Initial Configuration Guide for more information on
naming an appliance)
❐ Health check test (see "Health Check Tests" on page 1397 for a list of available
tests)
❐ Health state change (Health state changes are contingent upon health check
parameters)
The body of the e-mail includes relevant information based on the nature of the
health change.
1404
Chapter 72: Verifying the Health of Services Configured on the ProxySG
1405
SGOS 6.2 Administration Guide
4a
4b
4c
4d
4e
4f
4g
1406
Chapter 72: Verifying the Health of Services Configured on the ProxySG
e. Specify the sick threshold, or the number of failed health checks before
an entry is considered unhealthy. Valid values are 1-65535. The default
is 1.
f. Specify the failure trigger for the number of failed connections to the
server before a health check is triggered.Valid values are between 1
and 2147483647.
The failures are reported back to the health check as a result of either a
connection failure or a response error. The number of these external
failures is cleared every time a health check is completed. If the number of
failures listed meets or exceeds the threshold, and the health check is idle
and not actually executing, then the health of the device or service is
immediately checked.
g. Specify the maximum response time threshold, in milliseconds. The
threshold time can be between 1 and 65535.
h. Click OK to close the dialog.
5. Click Apply.
Related CLI Syntax to Modify Default Settings for a Targeted Health Check
#(config health-check) edit alias_name
Configures intervals before the health check is re-run. The intervals can be
different for health checks that are reporting healthy and health checks that
are reporting sick.
#(config health-check alias_name) perform-health-check
1407
SGOS 6.2 Administration Guide
Sets the level when health checks will report healthy or sick.
#(config health-check alias_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check alias_name) exit
1408
Chapter 72: Verifying the Health of Services Configured on the ProxySG
b. Event logging: Select the appropriate options to enable the event logging
you require. Messages can be logged as either informational or severe.
c. SNMP traps: Select the situations for which you require SNMP traps to
be sent.
4. Click Apply.
1409
SGOS 6.2 Administration Guide
5. Select the options to override. You can cancel your choices by clicking Clear all
overrides.
1410
Chapter 72: Verifying the Health of Services Configured on the ProxySG
c. Event logging: Select the appropriate check boxes to enable the event
logging you need. Messages can be logged as either informational or
severe.
d. SNMP traps: Select the situations in which you want SNMP traps to be
sent.
e. Click OK to close the override dialog
f. Click OK to close the edit dialog.
6. Click Apply.
1411
SGOS 6.2 Administration Guide
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
1412
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Note: You can create groups in the Configuration > Forwarding > Forwarding Hosts tab
or Configuration > Forwarding > SOCKS Gateways tab.
By default, if any of the members of the group are healthy, then the group is
considered healthy. You can specify the number of group members that must be
healthy for the group to be considered healthy.
1413
SGOS 6.2 Administration Guide
1414
Chapter 72: Verifying the Health of Services Configured on the ProxySG
c. Select the port setting you require. If you select Use Port, enter the new
port number.
d. To change the default settings for this test, click Override the default
settings. Select the options to override. Cancel your choices by clicking
Clear all overrides. For detailed information about configuring healthy
and sick intervals and thresholds, see "Changing Health Check Default
Settings" on page 1404. Click OK to close the dialog.
e. To change default notifications, click Override the default notifications. By
default, no notifications are sent for any health checks. Select the
options to override. You can cancel your choices by clicking Clear all
overrides. For detailed information about configuring notifications, see
"Configuring Health Check Notifications" on page 1408. Click OK to
close the dialog.
f. Click OK to close the edit dialog.
5. Click Apply.
Note: The only way to add or delete group members to the automatically
generated health check tests is to add and remove members from the actual
forwarding or SOCKS gateway group. The automatically generated health
check is then updated.
1. Select Configuration > Health Checks > General > Health Checks.
2. Select the forwarding or SOCKS gateways group health check you need to
modify.
3. Click Edit.
1415
SGOS 6.2 Administration Guide
Related CLI Syntax to Edit Forwarding Groups and SOCKS Groups Health
Checks
The examples below use the forwarding group, fwd.group_name.
#(config health-check) edit fwd.group_name
Allows you to configure options for the health check you specified.
#(config health-check fwd.group_name) combine {all healthy | any-
healthy | some-healthy}
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
#(config health-check fwd.group_name) event-log {healthy {default |
disable | information | severe}| report-all-ips {default | enable |
disable}| sick {default | disable | information | severe}}
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check fwd.group_name) exit
1416
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Sends a trap when the health check reports healthy, whenever an IP address
health check reports healthy, or when a health check reports sick.
#(config health-check fwd.group_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check fwd.group_name) view {configuration |
statistics}
Related CLI Syntax to Edit Forwarding Hosts and SOCKS Gateway Health
Checks
The examples below use the forwarding host, fwd.host_name.
#(config health-check)edit fwd.host_name
Allows you to configure options for the health check you specified.
#(config health-check fwd.host_name) authentication {basic | disable |
encrypted-password encrypted-password| password password| username
username}
Allows you to specify a username and password for the health-check target, if
it uses basic authentication.(Used with HTTP or HTTPS health checks.)
#(config health-check fwd.host_name) clear-statistics
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
#(config health-check fwd.host_name) event-log {healthy {default |
disable | information | severe}| report-all-ips {default | enable |
disable}| sick {default | disable | information | severe}}
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check fwd.host_name) exit
1417
SGOS 6.2 Administration Guide
Configures intervals before the health check is re-run. The intervals can be
different for health checks that are reporting healthy and health checks that
are reporting sick.
#(config health-check fwd.host_name) perform-health-check
Allows you to specify a username and password for the intermediate proxy.
(Used with HTTP or HTTPS health checks, when intermediate proxies are
between you and the target.)
#(config health-check fwd.host_name) response-code {add codes | remove
codes}
Manages a list of codes that are considered valid and result in health-check
successes. You can add or remove codes, separated by semi-colons. If a
success code is received by the health check, the health check considers the
HTTP/ HTTPS test to be successful.
(Used with HTTP or HTTPS health checks.)
#(config health-check fwd.host_name) severity {critical |no-effect
|default |warning}
Sends a trap when the health check reports healthy, whenever an IP address
health check reports healthy, or when a health check reports sick.
#(config health-check fwd.host_name) threshold {healthy {default |
count} | response-time {default | none | milliseconds} | sick {default
| count}}
Sets the level when the health check will report healthy or sick.
#(config health-check fwd.host_name) type (http URL | https URL | icmp
hostname | ssl hostname [port] | tcp hostname [port]}
Sets the number of consecutive healthy or sick test results before the health
check actually reports as healthy or sick.
#(config health-check fwd.host_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check fwd.host_name) view {configuration | events
|statistics}
1418
Chapter 72: Verifying the Health of Services Configured on the ProxySG
❐ For a server in a custom DNS group, the default is the longest domain name
listed in the group.
You can also override these defaults and specify a health check hostname for each
DNS server.
See Also
Chapter 36: "Configuring DNS" on page 889
1419
SGOS 6.2 Administration Guide
1420
SGOS 6.2 Administration Guide
Allows you to configure options for the health check you specified.
#(config health-check dns.test_name) clear-statistics
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
#(config health-check dns.test_name) event-log {healthy {default |
disable | information | severe}| report-all-ips {default | enable |
disable}| sick {default | disable | information | severe}}
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check dns.test_name) exit
1421
SGOS 6.2 Administration Guide
Configures intervals before the health check is re-run. The intervals can be
different for health checks that are reporting healthy and health checks that
are reporting sick.
#(config health-check dns.test_name) hostname {default|hostname }
Sets the hostname for the DNS Server health check to the default hostname or
to a user-defined hostname.
#(config health-check dns.test_name) perform-health-check
Sends a trap when the health check reports healthy, whenever an IP address
health check reports healthy, or when a health check reports sick.
(config health-check dns.test_name) threshold {healthy {default |
count} | response-time {default | none | milliseconds} | sick {default
| count}}
Sets the level when health checks will report healthy or sick.
#(config health-check dns.test_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check dns.test_name) view {configuration | events
|statistics}
1422
Chapter 72: Verifying the Health of Services Configured on the ProxySG
1423
SGOS 6.2 Administration Guide
1424
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Allows you to configure options for the health check you specified.
#(config health-check auth.test_name) clear-statistics
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
#(config health-check auth.test_name) event-log {healthy {default |
disable | information | severe}| report-all-ips {default | enable |
disable}| sick {default | disable | information | severe}}
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check auth.test_name) exit
Configures intervals before the health check is re-run. The intervals can be
different for health checks that are reporting healthy and health checks that
are reporting sick.
#(config health-check auth.test_name) perform-health-check
Sends a trap when the health check reports healthy, whenever an IP address
health check reports healthy, or when a health check reports sick.
#(config health-check auth.host_name) threshold {healthy {default |
count} | response-time {default | none | milliseconds} | sick {default
| count}}
Sets the level when health checks will report healthy or sick.
#(config health-check auth.test_name) use-defaults
1425
SGOS 6.2 Administration Guide
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check auth.test_name) view {configuration | events
|statistics}
1426
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Note: The names of the ICAP and Websense off-box services and service groups
can be a maximum of 64 characters long, a change from previous releases, which
allowed names to be a maximum of 127 characters. If a previously existing name
exceeds 64 characters, the service or service group continues to function normally
but no corresponding health check type is created.
The settings you can change on ICAP, Websense off-box, and DRTR service health
checks are:
❐ Enable or disable the health check
❐ Override default settings
❐ Override default notifications
3. Click Edit.
1427
SGOS 6.2 Administration Guide
1428
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Note: DRTR health check has default settings that differ from the
defaults for other external services: 10800 seconds (3 hours) for the
interval, and 1 for the failure trigger.
• Click OK.
d. To change default notifications, click Override the default notifications. By
default, no notifications are sent for any health checks. Select the
options. Cancel your choices by clicking Clear all overrides. For detailed
information about configuring notifications, see "Configuring Health
Check Notifications" on page 1408.
e. Click OK to close the override dialog.
f. Click OK to close the edit dialog.
5. Click Apply.
Related CLI Syntax to Modify ICAP Service and Content Filtering Health
Checks
The examples below use Blue Coat’s Content Filter — DRTR_
#(config health-check)edit drtr.test_name
Allows you to configure options for the health check you specified.
#(config health-check drtr.test_name) clear-statistics
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
#(config health-check drtr.test_name) event-log {healthy {default |
disable |information |severe}| report-all-ips {default |enable |
disable}| sick {default |disable |information |severe}}
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check drtr.test_name) exit
1429
SGOS 6.2 Administration Guide
Configures intervals before the health check is re-run. The intervals can be
different for health checks that are reporting healthy and health checks that
are reporting sick.
#(config health-check drtr.test_name) perform-health-check
Sends a trap when the health check reports healthy, whenever an IP address
health check reports healthy, or when a health check reports sick.
#(config health-check drtr.test_name) threshold {healthy {default
|count} | response-time {default | none| milliseconds} | sick {default
|count}}
Sets the level when the health check will report healthy or sick.
#(config health-check ws.test_name) test-url {default |url}
(Used only with the WebSense health checks) Sets the test URL to default.
#(config health-check drtr.test_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check drtr.test_name) view {configuration |events
|statistics}
Note: The only way to add or delete group members to the automatically
generated health check tests is to add and remove members from the ICAP or
Websense off-box services. The automatically generated health check type is
then updated.
1. Select Configuration > Health Checks > General > Health Checks.
2. Select the external service group health check to modify. Groups are identified
in the Type column.
1430
Chapter 72: Verifying the Health of Services Configured on the ProxySG
3. Click Edit.
Allows you to configure options for the health check you specified.
#(config health-check ws.group_name) combine {all healthy | any-
healthy | some-healthy}
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
1431
SGOS 6.2 Administration Guide
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check ws.group_name) exit
Sends a trap when the health check reports healthy, whenever an IP address
health check reports healthy, or when a health check reports sick.
#(config health-check ws.group_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check ws.group_name) view {configuration |events
|statistics}
1432
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Note: Frequent testing of specific Internet sites can result in that Internet site
objecting to the number of hits.
1433
SGOS 6.2 Administration Guide
❐ TCP: Establishes that a TCP layer connection can be made to a port on the
host. Then the connection is dropped.
❐ SSL: A connection is made to a target and the full SSL handshake is confirmed.
Then the connection is dropped.
❐ HTTP/HTTPS: An HTTP or HTTPS test is defined by the URL supplied. The
port used for this test is as specified in that URL. If no port is explicitly
specified in the URL, the port defaults to the standard Internet value of 80 or
443.
When configuring user-defined host health check types, keep the following in
mind:
❐ User-defined host health checks are created and deleted manually.
❐ All individual user-defined tests consider the target to be a server.
❐ To conduct proxy HTTP/HTTPS tests, a proxy must be defined as a
forwarding host, set up between the originating device and the target, and
forwarding policy must cause the test to be directed through the proxy.
❐ For an ICMP test, a hostname is specified in the health check configuration.
❐ The TCP and SSL tests support SOCKS gateway policy, based on a URL of
tcp://hostname:port/ and ssl://hostname:port/, respectively, using a
hostname and port supplied in health check configuration.
❐ An HTTP/HTTPS test requires a full URL. The port used for this test is as
specified in that URL. If no port is explicitly specified in the URL, the port
defaults to the standard value for these protocols of 80 or 443. The server
being tested is assumed to support whatever port is indicated.
Forwarding and SOCKS gateway policy is applied based on the URL. The
HTTPS or SSL tests use all the server certificate settings in the SSL layer in
policy. For a forwarding host, all the sever certificate settings in the SSL layer
also apply, and if present, override the forwarding host configuration setting.
Note: None of the above tests apply to user-defined composite health checks,
which only consist of a set of members and a setting to combine the results.
1434
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Note: You cannot create user-defined health checks for external service tests,
such as authentication servers, ICAP, Websense off-box, and the DRTR
service.
The following procedure explains how to create a user-defined host health check.
To create a user-defined composite health check, continue with "To create a user-
defined composite health check:" on page 1439.
1435
SGOS 6.2 Administration Guide
3. Select the type of test to configure from the Type of test drop-down list. To
configure a composite test, see "To create a user-defined composite health
check:" on page 1439.
The options you can select vary with the type of health check. The example
above uses the HTTP/HTTPS options. Options for other tests are explained in
this procedure, as well.
a. Enter a name for the health check.
b. Select the Enabled state option, as required.
c. If you are configuring an SSL or TCP health check, enter the port to
use.
d. If you are configuring an ICMP, SSL, or TCP health check, enter the
hostname of the health check’s target. The hostname can be an IPv4 or
IPv6 host or address.
1436
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Note: The 200 response code is added by default. The list must always
have at least one member.
f. To change the default settings for this test, click Override the default
settings. Select the override options. Cancel your choices by clicking
Clear all overrides. For detailed information about configuring healthy
and sick intervals and thresholds, see "Changing Health Check Default
Settings" on page 1404. Click OK.
g. To change the default notifications for this test, click Override the default
notifications. By default, no notifications are sent for any health checks.
Select the override options. You can cancel your choices by clicking
Clear all overrides. For detailed information about configuring
notifications, see "Configuring Health Check Notifications" on page
1408 Click OK.
h. Click OK to close the dialog.
4. Click Apply.
Allows you to configure options for the health check you specified.
#(config health-check user.health_check_name) authentication {basic |
disable | encrypted-password encrypted-password| password password|
username username}
Allows you to specify a username and password for the health-check target, if
its allows basic authentication.(Used with HTTP or HTTPS health checks.)
1437
SGOS 6.2 Administration Guide
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
#(config health-check user.health_check_name) event-log {healthy
{default | disable | information | severe}| report-all-ips {default |
enable | disable}| sick {default | disable | information | severe}}
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check user.health_check_name) exit
Configures intervals before the health check is re-run. The intervals can be
different for health checks that are reporting healthy and health checks that
are reporting sick.
#(config health-check user.health_check_name) perform-health-check
Allows you to specify a username and password for the intermediate proxy.
(Used with HTTP or HTTPS health checks, when intermediate proxies are
between you and the target.)
#(config health-check user.health_check_name) response-code {add codes
| remove codes}
Manages a list of codes that are considered valid and result in health-check
successes. You can add or remove codes, separated by semi-colons. If a
success code is received by the health check, the health check considers the
HTTP/ HTTPS test to be successful. (Used with HTTP or HTTPS health
checks.)
#(config health-check user.health_check_name) severity {critical |no-
effect |default |warning}
1438
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Sends a trap when the health check reports healthy, whenever an IP address
health check reports healthy, or when a health check reports sick.
#(config health-check user.health_check_name) threshold {healthy
{default | count} | response-time {default | none | milliseconds} |
sick {default | count}}
Sets the threshold level when the health check will report healthy or sick.
#(config health-check user.health_check_name) type (http URL | https
URL | icmp hostname | ssl hostname [port] | tcp hostname [port]}
Sets the number of consecutive healthy or sick test results before the health
check actually reports as healthy or sick.
#(config health-check user.health_check_name) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check user.health_check_name) view {configuration |
events | statistics}
1439
SGOS 6.2 Administration Guide
d. Add the health check members to the composite test from the Available
Aliases list by selecting the health check to add and clicking Add to
move the alias to the Selected Alias list.
e. To change the default notifications for this test, click Override the default
notifications. By default, no notifications are sent for any health checks.
Select the override options. You can cancel your choices by clicking
Clear all overrides. For detailed information about configuring
notifications, see "Configuring Health Check Notifications" on page
1408
f. Click OK to close the override dialog.
g. Click OK to close the edit dialog.
4. Click Apply.
1440
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Requires that all, some, or any members of the group report as healthy to have
the composite health check report as healthy.
#(config health-check user.composite_health_check) e-mail {healthy
{default |enable |disable}| report-all-ips {default |enable |disable}|
sick {default |enable |disable}}
Sends e-mail notification when the health check reports healthy or sick,
whether or not those reports are for all IP addresses.
#(config health-check user.composite_health_check) event-log {healthy
{default |disable |information |severe}| report-all-ips {default
|enable | disable}| sick {default |disable |information |severe}}
Logs an event when the health check reports healthy or sick, whether or not
those reports are for all IP addresses. An informational or a severe event-log
message is logged depending on the setting chosen.
#(config health-check user.composite_health_check) exit
Sends a trap when the health check reports healthy or sick, whether or not
those reports are for all IP addresses.
#(config health-check user.composite_health_check) severity {critical
| default|no-effect|warning}
1441
SGOS 6.2 Administration Guide
Sets the severity level of the health check, which determines how this health
check affects the overall health of the device.
#(config health-check user.composite_health_check) use-defaults
Resets the defaults of the health check to use the global defaults instead of any
explicitly set values.
#(config health-check user.composite_health_check) view {configuration
|events |statistics}
If the target does not match the source type, the copy operation fails and you
receive an error message.
1442
Chapter 72: Verifying the Health of Services Configured on the ProxySG
Copies settings from one health check to another, creating the target if
necessary.
#(config health-check) delete alias_name
1443
SGOS 6.2 Administration Guide
1444
Chapter 72: Verifying the Health of Services Configured on the ProxySG
The Statistics > Health Check screen displays the following information:
❐ Current time: Displays the current date and time.
❐ Last Boot: Displays the date and time when the device was last booted.
❐ Since Boot: Displays the time that the device has been functioning since the last
boot.
❐ Status: Displays the summary of each health check configured on the ProxySG.
1445
SGOS 6.2 Administration Guide
1446
Chapter 72: Verifying the Health of Services Configured on the ProxySG
1447
SGOS 6.2 Administration Guide
1448
Chapter 72: Verifying the Health of Services Configured on the ProxySG
1449
SGOS 6.2 Administration Guide
1450
Chapter 72: Verifying the Health of Services Configured on the ProxySG
1451
1452
Chapter 73: Maintaining the ProxySG
The following sections describe how to maintain the ProxySG. It includes the
following topics:
❐ "Restarting the ProxySG" on page 1453
❐ "Restoring System Defaults" on page 1455
❐ "Clearing the DNS Cache" on page 1458
❐ "Clearing the Object Cache" on page 1458
❐ "Clearing the Byte Cache" on page 1458
❐ "Clearing Trend Statistics" on page 1459
❐ "Upgrading the ProxySG" on page 1459
❐ "Managing ProxySG Systems" on page 1459
❐ "Disk Reinitialization" on page 1462
❐ "Deleting Objects from the ProxySG Appliance" on page 1464
1453
SGOS 6.2 Administration Guide
2 3
See Also
"Restoring System Defaults" on page 1455
"Restore-Defaults" on page 1455
"Clearing the DNS Cache" on page 1458
"Clearing the Object Cache" on page 1458
"Clearing the Byte Cache" on page 1458
"Clearing Trend Statistics" on page 1459
1454
Chapter 73: Maintaining the ProxySG
Restore-Defaults
Settings that are deleted when you use the restore-defaults command include:
❐ All IP addresses (these must be restored before you can access the
Management Console again).
❐ DNS server addresses (these must be restored through the CLI before you can
access the Management Console again).
❐ Installable lists.
❐ All customized configurations.
1455
SGOS 6.2 Administration Guide
Keep-Console
Settings that are retained when you use the restore-defaults command with the
keep-console option include:
1456
Chapter 73: Maintaining the ProxySG
2. In the Maintenance Tasks field, click Restore. This invokes the restore-defaults
keep-console action. The Restore Configuration dialog displays.
Factory-Defaults
All system settings are deleted when you use the restore-defaults command
with the factory-defaults option.
The only settings that are retained are:
❐ Trial period information
❐ The last five installed appliance systems, from which you can pick one for
rebooting
The Serial Console password is also deleted if you use restore-defaults
factory-defaults. For information on the Serial Console password, see "Securing
the Serial Port" on page 62.
You can use the force option to restore defaults without confirmation.
1457
SGOS 6.2 Administration Guide
1458
Chapter 73: Maintaining the ProxySG
1459
SGOS 6.2 Administration Guide
Example Session
SGOS> show installed-systems
ProxySG Appliance Systems
1. Version: SGOS 5.4.1.3, Release ID: 25460
Thursday June 25 2009 08:49:55 UTC, Lock Status: Locked
Boot Status: Last boot succeeded, Last Successful Boot: Thursday
April 6 2006 17:33:19 UTC
2. Version: SGOS 5.4.1.1, Release ID: 25552 Debug
Friday April 14 2009 08:56:55 UTC, Lock Status: Unlocked
Boot Status: Last boot succeeded, Last Successful Boot: Friday April
14 2006 16:57:18 UTC
3. Version: N/A, Release ID: N/A ( EMPTY )
No Timestamp, Lock Status: Unlocked
Boot Status: Unknown, Last Successful Boot: Unknown
4. Version: N/A, Release ID: N/A ( EMPTY )
No Timestamp, Lock Status: Unlocked
Boot Status: Unknown, Last Successful Boot: Unknown
5. Version: N/A, Release ID: N/A ( EMPTY )
1460
Chapter 73: Maintaining the ProxySG
Note: An empty system cannot be specified as default, and only one system can
be specified as the default system.
To lock a system:
1. Select the Maintenance > Upgrade > Systems tab.
2. Select the system(s) to lock in the Lock column.
3. Click Apply.
To unlock a system:
1. Select the Maintenance > Upgrade > Systems tab.
2. Deselect the system(s) to unlock in the Lock column.
3. Click Apply.
1461
SGOS 6.2 Administration Guide
To delete a system:
At the (config) command prompt:
SGOS#(config) installed-systems
SGOS#(config installed-systems) delete system_number
Disk Reinitialization
You can reinitialize disks on a multi-disk ProxySG. You cannot reinitialize the disk
on a single-disk ProxySG. If you suspect a disk fault in a single-disk system,
contact Blue Coat Technical Support for assistance.
About Reinitialization
Reinitialization is done online without rebooting the system. (For more
information, refer to the #disk command in the Command Line Interface Reference.)
1462
Chapter 73: Maintaining the ProxySG
SGOS operations, in turn, are not affected, although during the time the disk is
being reinitialized, that disk is not available for caching. Only the master disk
reinitialization restarts the ProxySG.
Only persistent objects are copied to a newly-reinitialized disk. This is usually not
a problem because most of these objects are replicated or mirrored. If the
reinitialized disk contained one copy of these objects (which is lost), another disk
contains another copy.
You cannot reinitialize all of the ProxySG disks over a very short period of time.
Attempting to reinitialize the last disk in a system before critical components can
be replicated to other disks in the system causes a warning message to appear.
Immediately after reinitialization is complete, the ProxySG automatically starts
using the reinitialized disk for caching.
1463
SGOS 6.2 Administration Guide
Note: The maximum number of objects that can be stored in a ProxySG is affected
by a number of factors, including the SGOS version it is running and the
hardware platform series.
This feature is not available in the Management Console. Use the CLI instead.
1464
Chapter 74: Diagnostics
Diagnostic Terminology
❐ Heartbeats: Enabled by default, Heartbeats (statistics) are a diagnostic tool
used by Blue Coat, allowing them to proactively monitor the health of
appliances.
❐ Core images: Created when there is an unexpected system restart. This
stores the system state at the time of the restart, enhancing the ability for
Blue Coat to determine the root cause of the restart.
❐ SysInfo (System Information): SysInfo provides a snapshot of statistics and
events on the ProxySG.
❐ PCAP: An onboard packet capture utility that captures packets of Ethernet
frames going in or out of an ProxySG.
❐ Policy trace: A policy trace can provide debugging information on policy
transactions. This is helpful, even when policy is not the issue. For
information on using policy tracing, refer to Content Policy Language Guide.
❐ Event Logging: The event log files contain messages generated by software
or hardware events encountered by the appliance. For information on
configuring event logging, see "Configuring Event Logging and
Notification" on page 1350.
❐ Access Logging: Access logs allow for analysis of Quality of Service,
content retrieved, and other troubleshooting. For information on Access
Logging, see "About Access Logging" on page 649.
1465
SGOS 6.2 Administration Guide
❐ CPU Monitoring: With CPU monitoring enabled, you can determine what
types of functions are taking up the majority of the CPU.
To test connectivity, use the following commands from the enable prompt:
❐ ping: Verifies that a particular IP address exists and is responding to requests.
❐ traceroute: Traces the route from the current host to the specified destination
host.
❐ test http get path_to_URL: Makes a request through the same code paths as a
proxied client.
❐ display path_to_URL: Makes a direct request (bypassing the cache).
❐ show services: Verifies the port of the Management Console configuration.
❐ show policy: Verifies if policy is controlling the Management Console.
For information on using these commands, refer to Chapter 2: “Standard and
Privileged Mode Commands” in the Command Line Interface Reference.
Note: If you cannot access the Management Console at all, ensure that you are
using HTTPS (https://ProxySG_IP_address:8082). To use HTTP, you must
explicitly enable it before you can access the Management Console.
Important: A core image and packet capture can contain sensitive information—
for example, parts of an HTTP request or response. The transfer to Blue Coat is
encrypted, and therefore secure; however, if you do not want potentially sensitive
information to be sent to Blue Coat automatically, do not enable the automatic
service information feature.
1466
Chapter 74: Diagnostics
3. Enter the service-request number that you received from a Technical Support
representative into the Auto Send Service Request Number field (the service-
request number is in the form xx-xxxxxxx or x-xxxxxxx).
4. Click Apply.
5. (Optional) To clear the service-request number, clear the Auto Send Service
Request Number field and click Apply.
Note: Before you can manage the bandwidth for the automatic service
information feature, you must first create an appropriate bandwidth-
management class.For information about creating and configuring bandwidth
classes, see "Configuring Bandwidth Allocation" on page 632.
1467
SGOS 6.2 Administration Guide
Important: You must specify a service-request number before you can send
service information. See Blue Coat Technical Support at: http://
www.bluecoat.com/support/index.html for details on opening a service
request ticket.
1468
Chapter 74: Diagnostics
2a
2b
2c
Note: Options for items that you do not have on your system are grayed out
and cannot be selected.
1469
SGOS 6.2 Administration Guide
1470
Chapter 74: Diagnostics
2b
2a
3. Click Apply.
4. (Optional) To view snapshot job information, click View All Snapshots. Close the
window that opens when you are finished viewing.
1471
SGOS 6.2 Administration Guide
4a
4b
4c
4d
4e
1472
Chapter 74: Diagnostics
1473
SGOS 6.2 Administration Guide
Note: Some qualifiers must be escaped with a backslash because their identifiers
are also keywords within the filter expression parser.
❐ ip proto protocol
1474
Chapter 74: Diagnostics
2d
2a 2b
2c
1475
SGOS 6.2 Administration Guide
3a
3b
3c
3d
1476
Chapter 74: Diagnostics
d. To start the capture, click Start Capture. The Start Capture dialog closes.
The Start captures button in the Packet Captures tab is now grayed out
because packet capturing is already started.
You do not have to click Apply because all changes are applied when you
start the packet capture.
4. To stop the capture, click the Stop capture button. This button is grayed out if a
packet capture is already stopped.
5. To download the capture, click the Download capture button. This button is
grayed out if no file is available for downloading.
1477
SGOS 6.2 Administration Guide
3. Select the desired action: Start packet capture, Stop packet capture, Download packet
capture file.
You can also use the following URLs to configure these individually:
❐ To start packet capturing, use this URL:
https://ProxySG_IP_address:8082/PCAP/start
1478
Chapter 74: Diagnostics
4. Click Apply.
1479
SGOS 6.2 Administration Guide
2. Select or clear Participate in the Blue Coat Customer Experience Improvement Program
(heartbeats) or Enable Automatic Trouble Reporting (monitoring).
3. Click Apply.
Note: The last option is not available through the Management Console.
1480
Chapter 74: Diagnostics
Note: CPU monitoring uses about 2-3% CPU when enabled, and so is disabled by
default.
1481
SGOS 6.2 Administration Guide
3. To enable CPU monitoring, click the Start the CPU Monitor link; to disable it,
click the Stop the CPU Monitor link.
4. To view CPU monitoring statistics, click the CPU Monitor statistics link. You
can also click this link from either of the windows described in Step 3.
Notes
❐ The total percentages do not always add up because the display only shows
those functional groups that are using 1% or more of the CPU processing
cycles.
❐ The SGOS#(config) show cpu and SGOS#(config diagnostics) view cpu-
monitor commands might sometimes display CPU statistics that differ by
about 2-3%. This occurs because different measurement techniques are used
for the two displays.
1482
Third Party Copyright Notices
CERTAIN BLUE COAT PRODUCTS MAY INCLUDE THE FOLLOWING SOFTWARE (OR PART THEREOF):
ACPI
1. copyright notice some or all of this work - copyright (c) 1999 - 2011, intel corp. all rights reserved.
2. license
2.1. this is your license from intel corp. under its intellectual property rights. you may have additional license terms
from the party that provided you this software, covering your right to use that party's intellectual property rights.
2.2. intel grants, free of charge, to any person ("licensee") obtaining a copy of the source code appearing in this file ("cov-
ered code") an irrevocable, perpetual, worldwide license under intel's copyrights in the base code distributed originally
by intel ("original intel code") to copy, make derivatives, distribute, use and display any portion of the covered code in
any form, with the right to sublicense such rights; and
2.3. intel grants licensee a non-exclusive and non-transferable patent license (with the right to sublicense), under only
those claims of intel patents that are infringed by the original intel code, to make, use, sell, offer to sell, and import the
covered code and derivative works thereof solely to the minimum extent necessary to exercise the above copyright li-
cense, and in no event shall the patent license extend to any additions to or modifications of the original intel code. no
other license or right is granted directly or by implication, estoppel or otherwise; the above copyright and patent license
is granted only if the following conditions are met:
3. conditions
3.1. redistribution of source with rights to further distribute source. redistribution of source code of any substantial por-
tion of the covered code or modification with rights to further distribute source must include the above copyright notice,
the above license, this list of conditions, and the following disclaimer and export compliance provision. in addition, li-
censee must cause all covered code to which licensee contributes to contain a file documenting the changes licensee
made to create that covered code and the date of any change. licensee must include in that file the documentation of
any changes made by any predecessor licensee. licensee must include a prominent statement that the modification is
derived, directly or indirectly, from original intel code.
3.2. redistribution of source with no rights to further distribute source. redistribution of source code of any substantial
portion of the covered code or modification without rights to further distribute source must include the following dis-
claimer and export compliance provision in the documentation and/or other materials provided with distribution. in
addition, licensee may not authorize further sublicense of source of any portion of the covered code, and must include
terms to the effect that the license from licensee to its licensee is limited to the intellectual property embodied in the soft-
ware licensee provides to its licensee, and not to intellectual property embodied in modifications its licensee may make.
3.3. redistribution of executable. redistribution in executable form of any substantial portion of the covered code or mod-
ification must reproduce the above copyright notice, and the following disclaimer and export compliance provision in
the documentation and/or other materials provided with the distribution.
3.4. intel retains all right, title, and interest in and to the original intel code.
3.5. neither the name intel nor any other trademark owned or controlled by intel shall be used in advertising or otherwise
to promote the sale, use or other dealings in products derived from or relating to the covered code without prior written
authorization from intel.
4. disclaimer and export compliance
4.1. intel makes no warranty of any kind regarding any software provided here. any software originating from intel or
derived from intel software is provided "as is," and intel will not provide any support, assistance, installation, training
or other services. intel will not provide any updates, enhancements or extensions. intel specifically disclaims any im-
plied warranties of merchantability, noninfringement and fitness for a particular purpose.
4.2. in no event shall intel have any liability to licensee, its licensees or any other third party, for any lost profits, lost
data, loss of use or costs of procurement of substitute goods or services, or for any indirect, special or consequential dam-
ages arising out of this agreement, under any cause of action or theory of liability, and irrespective of whether intel has
advance notice of the possibility of such damages. these limitations shall apply notwithstanding the failure of the es-
sential purpose of any limited remedy.
4.3. licensee shall not export, either directly or indirectly, any of this software or system incorporating such software
without first obtaining any required license or other approval from the u. s. department of commerce or any other agen-
cy or department of the united states government. in the event licensee exports any such software from the united states
or re-exports any such software from a foreign destination, licensee shall ensure that the distribution and export/re-ex-
port of the software is in compliance with all laws, regulations, orders, or other restrictions of the u.s. export adminis-
tration regulations. licensee agrees that neither it nor any of its subsidiaries will export/re-export any technical data,
process, software, or service, directly or indirectly, to any country for which the united states government or any agency
thereof requires an export license, other governmental approval, or letter of assurance, without first obtaining such li-
cense, approval or letter.
Advanced Software Engineering
This software is based in part on the work of the Independent JPEG Group.
This software is based in part of the work of the FreeType Team.
aic79xx
Core definitions and data structures shareable across OS platforms.
Copyright (c) 1994-2001 Justin T. Gibbs.
Copyright (c) 2000-2002 Adaptec Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following dis-
claimer, without modification.
2. Redistributions in binary form must reproduce at minimum a disclaimer substantially similar to the "NO WARRAN-
1483
SGOS 6.2 Administration Guide
TY" disclaimer below ("Disclaimer") and any redistribution must be conditioned upon including a substantially similar
Disclaimer requirement for further binary redistribution.
3. Neither the names of the above-listed copyright holders nor the names of any contributors may be used to endorse or
promote products derived from this software without specific prior written permission. Alternatively, this software may
be distributed under the terms of the GNU General Public License ("GPL") version 2 as published by the Free Software
Foundation.
NO WARRANTY
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LI-
ABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Apache
Copyright 2006 Apache Software Foundation
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
for the specific language governing permissions and limitations under the License.
Apache License, Version 2.0
Version 2.0, January 2004
http://www.apache.org/licenses/
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through
9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under
common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to
cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent
(50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source
code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including
but not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as in-
dicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work
and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original
work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable
from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or
additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work
by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For
the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the
Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code con-
trol systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing
and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writ-
ing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been re-
ceived by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You
a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare De-
1484
rivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works
in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a
perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license
to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to
those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by
combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent
litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribu-
tion incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses grant-
ed to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium,
with or without modifications, and in Source or Object form, provided that You meet the following conditions:
You must give any other recipients of the Work or Derivative Works a copy of this License; and
You must cause any modified files to carry prominent notices stating that You changed the files; and
You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the De-
rivative Works; and
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute
must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that
do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file dis-
tributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Deriva-
tive Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally
appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may
add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NO-
TICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the Li-
cense.
You may add Your own copyright statement to Your modifications and may provide additional or different license
terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as
a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated
in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for in-
clusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any addi-
tional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any
separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product
names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and
each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-IN-
FRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for de-
termining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise
of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or oth-
erwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall
any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential dam-
ages of any character arising as a result of this License or out of the use or inability to use the Work (including but not
limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commer-
cial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may
choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or
rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and
on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold
each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your
accepting any such warranty or additional liability.
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets
"[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the ap-
propriate comment syntax for the file format. We also recommend that a file or class name and description of purpose
be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
1485
SGOS 6.2 Administration Guide
http://www.apache.org/licenses/LICENSE-2.0
Copyright (c) 1999-2001 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowlegement:
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternate-
ly, this acknowlegement may appear in the software itself, if and wherever such third-party acknowlegements normally
appear.
4. The names "The Jakarta Project", "Commons", and "Apache Software Foundation" must not be used to endorse or pro-
mote products derived from this software without prior written permission. For written permission, please contact
apache@apache.org.
5. Products derived from this software may not be called "Apache" nor may "Apache" appear in their names without
prior written permission of the Apache Group.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIB-
UTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LI-
ABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Founda-
tion. For more information on the Apache Software Foundation, please see
<http://www.apache.org/>.
Copyright (c) 2000 The Apache Software Foundation. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment:
"This product includes software developed by the Apache Software Foundation (http://www.apache.org/)." Alternate-
ly, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally
appear.
4. The names "Apache" and "Apache Software Foundation" must not be used to endorse or promote products derived
from this software without prior written permission. For written permission, please contact apache@apache.org.
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without
prior written permission of the Apache Software Foundation.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIB-
UTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LI-
ABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the Apache Software Founda-
1486
tion. For more information on the Apache Software Foundation, please see
<http://www.apache.org/>.
Portions of this software are based upon public domain software originally written at the National Center for Supercom-
puting Applications, University of Illinois, Urbana-Champaign.
As3corelib, Version 0.90
Copyright (c) 2008, Adobe Systems Incorporated
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are
met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of Adobe Systems Incorporated nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THE BEER-WARE LICENSE" (Revision 42):
<phk@FreeBSD.org <mailto:phk@FreeBSD.org>> wrote this file. As long as you retain this notice you can do whatever
you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return.
Poul-Henning Kamp
Boost
Boost Software License - Version 1.0 - August 17th, 2003
Permission is hereby granted, free of charge, to any person or organization obtaining a copy of the software and accom-
panying documentation covered by
this license (the "Software") to use, reproduce, display, distribute, execute, and transmit the Software, and to prepare
derivative works of the Software, and to permit third-parties to whom the Software is furnished to do so, all subject to
the following:
The copyright notices in the Software and this entire statement, including the above license grant, this restriction and
the following disclaimer, must be included in all copies of the Software, in whole or in part, and all derivative works of
the Software, unless such copies or derivative works are solely in the form of machine-executable object code generated
by a source language processor.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR ANYONE
DISTRIBUTING THE SOFTWARE BE LIABLE FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CON-
TRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
USE OR OTHER
DEALINGS IN THE SOFTWARE.
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source
code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary
code include the above copyright notice and this paragraph in its entirety in the documentation or other materials pro-
vided with the distribution, and (3) all advertising materials mentioning features or use of this software display the fol-
lowing acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its con-
tributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products de-
rived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND
WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
BC Driver from Broadcom
Copyright (c) 2001
1487
SGOS 6.2 Administration Guide
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:.
This product includes software developed by Broadcom Corporation.
4. Neither the name of the author nor the names of any co-contributors may be used to endorse or promote products
derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY Broadcom Corporation ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRAN-
TIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Broadcom Corporation BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUD-
ING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
Browser Detect
http://creativecommons.org/licenses/by/1.0/
BSD 2.0 License
The following products are covered under the BSD 2.0 license:
virtio_blk.h
virtio_fbsd
virtio_net.h
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
"Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
"Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
"Neither the name of the author nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Cavium Networks
Copyright (c) 2003-2005 Cavium Networks (support@cavium.com). All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All manuals, brochures, user guides mentioning features or use of this software must display the following acknowl-
edgement:
This product includes software developed by Cavium Networks
4. Cavium Networks' name may not be used to endorse or promote products derived from this software without specific
prior written permission.
5. User agrees to enable and utilize only the features and performance purchased on the target hardware.
This Software, including technical data, may be subject to U.S. export control laws, including the U.S. Export Adminis-
tration Act and its associated regulations, and may be subject to export or import regulations in other countries. You
warrant that you will comply strictly in all respects with all such regulations and acknowledge that you have the respon-
sibility to obtain licenses to export, re-export or import the Software.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SOFTWARE IS PROVIDED "AS IS" AND WITH ALL
FAULTS AND CAVIUM MAKES NO PROMISES, REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS,IM-
PLIED,STATUTORY, OR OTHERWISE, WITH RESPECT TO THE SOFTWARE, INCLUDING ITS CONDITION,ITS
CONFORMITY TO ANY REPRESENTATION OR DESCRIPTION, OR THE EXISTENCE OF ANY LATENT OR PAT-
1488
ENT DEFECTS, AND CAVIUM SPECIFICALLY DISCLAIMS ALL IMPLIED (IF ANY) WARRANTIES OF TITLE, MER-
CHANTABILITY, NONINFRINGEMENT,FITNESS FOR A PARTICULAR PURPOSE,LACK OF VIRUSES,
ACCURACY OR COMPLETENESS, QUIET ENJOYMENT, QUIET POSSESSION OR CORRESPONDENCE TO DE-
SCRIPTION. THE ENTIRE RISK ARISING OUT OF USE OR PERFORMANCE OF THE SOFTWARE LIES WITH YOU.
CMU libsasl, Version 2.1.22 and 2.1.23
Tim Martin
Rob Earhart
Rob Siemborski
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in
the documentation and/or other materials provided with the distribution.
3. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software
without prior written permission. For permission or any other legal details, please contact
Office of Technology Transfer
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213-3890
(412) 268-4387, fax: (412) 268-7395
tech-transfer@andrew.cmu.edu
4. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by Computing Services at Carnegie Mellon University (http://
www.cmu.edu/computing/)."
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, IN-
CLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNE-
GIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
Creating Tree Tables in Swing
Copyright 1994-2006 Sun Microsystems, Inc. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of Sun Microsystems, Inc. or the names of contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
This software is provided "AS IS," without a warranty of any kind. ALL EXPRESS OR IMPLIED CONDITIONS, REP-
RESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FIT-
NESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN
MICROSYSTEMS, INC. ("SUN") AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY
LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN
NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DI-
RECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED
AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS
SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
You acknowledge that this software is not designed, licensed or intended for use in the design, construction, operation
or maintenance of any nuclear facility.
CryptJS
JavaScript password hash generator.
$Id: crypt.jscript,v 1.3 2004/11/29 22:05:13 mark.funkenhauser Exp $ <---JOHN COMMMENT: DOES THIS BELONG
HERE?
Copyright (c) 2004, Emil Mikulic.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the author nor the names of other contributors may be used to endorse or promote products de-
1489
SGOS 6.2 Administration Guide
Cyrus Sasl
Copyright (c) 1994-2012 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software
without prior written permission. For permission or any legal details, please contact
Office of Technology Transfer
Carnegie Mellon University
5000 Forbes Avenue
Pittsburgh, PA 15213-3890
(412) 268-4387, fax: (412) 268-7395
tech-transfer@andrew.cmu.edu
4. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by Computing Services at Carnegie Mellon University (http://
www.cmu.edu/computing/)."
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, IN-
CLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNE-
GIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain
program by Jim Gillogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN THE SOFTWARE.
Ext Js
Sencha SDK Software License Agreement
Version 2.0
THIS DOCUMENT IS A LEGAL AGREEMENT (the “Agreement”) BETWEEN SENCHA INC. (“We,” “Us”) AND YOU
OR THE ORGANIZATION ON WHOSE BEHALF YOU ARE ENTERING INTO THIS AGREEMENT (“You”) IN RELA-
TION TO SENCHA EXT JS, SENCHA GXT, SENCHA TOUCH, SENCHA TOUCH CHARTS, AND/OR SENCHA EN-
TERPRISE CONNECTORS (AMF/SOAP/WSDL) (the “Software”) IN SOURCE CODE FORMAT.
RIGHTS GRANTED HEREIN APPLY ONLY TO SOFTWARE FOR WHICH YOU’VE PAID THE APPLICABLE FEE
(NO FEE FOR SENCHA TOUCH).
BY DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING THE SOFTWARE, YOU ACCEPT THE FOL-
LOWING TERMS AND CONDITIONS. IF YOU DO NOT AGREE WITH ANY OF THE TERMS OR CONDITIONS OF
THIS LICENSE AGREEMENT, DO NOT PROCEED WITH THE DOWNLOADING, COPYING, INSTALLATION OR
ANY OTHER USE OF THE SOFTWARE OR ANY PORTION THEREOF AS YOU HAVE NO RIGHTS TO DO SO. THE
SOFTWARE IS PROTECTED BY UNITED STATES COPYRIGHT LAWS AND INTERNATIONAL COPYRIGHT
LAWS, AS WELL AS OTHER INTELLECTUAL PROPERTY LAWS AND TREATIES. THE SOFTWARE IS LICENSED,
1490
NOT SOLD.
THIS LICENSE AGREEMENT DESCRIBES YOUR RIGHTS AND RESTRICTIONS WITH RESPECT TO THE SOFT-
WARE AND ITS COMPONENTS.
1. DEFINITIONS
“Application” means any software, application, or elements that Your Designated Users develop using the Software or
Modifications in accordance with this Agreement; provided that any such Application (i) must have substantially dif-
ferent functionality than the Software, and (ii) must not allow any third party to use the Software or Modifications, or
any portion thereof, for software development or application development purposes.
“Designated User” shall mean a single distinct person for whom You have purchased a license to use the Software,
whether such person is an employee acting within the scope of their employment with You or Your consultant or con-
tractor acting within the scope of the services they provide for You. A Designated User can be replaced with a new Des-
ignated User only after being a Designated User for a minimum of six (6) months. You may have an unlimited number
of Designated Users for Sencha Touch, subject to reassignment at Your discretion.
“End User” means an end user of Your Application who acquires a license to such solely for their own internal use and
not for distribution, resale, user interface design, or software development purposes.
“Modification” means: a) any addition to or deletion from the contents of a file included in the original Software or pre-
vious Modifications created by You, and/or b) any new file that leverages any part of the original Software or previous
Modifications.
“Sample Code” means sample source code included with the Software and designated as “sample code,” “samples,”
“sample application code,” and/or “snippets,” and/or found in directories labeled “samples” or “examples”.
2. LICENSE GRANT
Subject to the payment of the fee required, and subject to your compliance with all of the terms and conditions of this
Agreement, We grant to You a revocable, non-exclusive, non-transferable and non-sublicensable license (i) for Designat-
ed User(s) to use the Software to create Modifications and Applications; (ii) for You to distribute the Software and/or
Modifications to End Users solely as integrated into the Applications; and (iii) for End Users to use the Software as in-
tegrated into Your Applications in accordance with the terms of this Agreement.
In addition to the other terms contained herein, We grant to You a revocable, non-exclusive, non-transferable and non-
sublicensable license to install and use the Software (the “Trial License”) strictly for Your internal evaluation and review
purposes and not for production purposes. This Trial License applies only if You have registered with Us for a Trial Li-
cense of the Software and shall be effective for forty-five (45) consecutive days following the date of registration (“the
Trial Period”). You may only register for a Trial License once in any eighteen month period. You agree not to use a Trial
License for any purpose other than determining whether to purchase a license to the Software. You are explicitly not
permitted to distribute the Software to any user outside the Organization on whose behalf you have undertaken this
license. Your rights to use the Trial License will immediately terminate upon the earlier of (i) the expiration of the Trial
Period, or (ii) such time that You purchase a license to the Software. We reserve the right to terminate Your Trial License
at any time in Our absolute and sole discretion.
In addition to the other terms contained herein, in the event You have downloaded or received beta or pre-release ver-
sions of the Software (the “Beta Software”) from Us, We grant to You a revocable, non-exclusive, non-transferable and
non-sublicensable license to install and use the Beta Software strictly for Your internal evaluation and review purposes
and not for production purposes (the “Beta License”). You are explicitly not permitted to distribute the Software to any
user outside the Organization on whose behalf you have undertaken this license. Your rights to use the Beta Software
will immediately terminate upon the earlier of (i) the expiration of the evaluation period established by Us, or (ii) such
time that You purchase a license to a non-evaluation version of the Software. We reserve the right to terminate Your Beta
License at any time in Our absolute and sole discretion.
YOU ACKNOWLEDGE THAT TRIAL AND/OR BETA SOFTWARE MIGHT PLACE WATERMARKS ON OUTPUT,
CONTAIN LIMITED FUNCTIONALITY, FUNCTION FOR A LIMITED PERIOD OF TIME, OR LIMIT THE FUNC-
TIONALITY OR TIME OF FUNCTIONING OF ANY OUTPUT. ACCESS TO AND/OR USE OF ANY FILES OR OUT-
PUT CREATED WITH SUCH SOFTWARE IS ENTIRELY AT YOUR OWN RISK. WE ARE LICENSING THE
SOFTWARE ON AN “AS IS” BASIS AT YOUR OWN RISK AND WE DISCLAIM ANY WARRANTY OR LIABILITY TO
YOU OF ANY KIND.
You may modify the “Sample Code” solely for the purposes of designing, developing and testing Your own Applica-
tions. However, You are permitted to use, copy and redistribute Your modified Sample Code only if all of the following
conditions are met: (a) You include Our copyright notice (if any) with Your Application, including every location in
which any other copyright notice appears in such Application; and (b) You do not otherwise use Our name, logos or
other of Our trademarks to market Your Application, unless otherwise agree by Us in writing.
3. OWNERSHIP
This is a license agreement and not an agreement for sale. We reserve ownership of all intellectual property rights inher-
ent in or relating to the Software, which include, but are not limited to, all copyright, patent rights, all rights in relation
to registered and unregistered trademarks (including service marks), confidential information (including trade secrets
and know-how) and all rights other than those expressly granted by this Agreement.
We provide You with source code so that You can create Modifications and Applications. . While You retain all rights
1491
SGOS 6.2 Administration Guide
to any original work authored by You as part of the Modifications, We continue to own all copyright and other intellec-
tual property rights in the Software.
You must not remove, obscure or interfere with any copyright, acknowledgment, attribution, trademark, warning or
disclaimer statement affixed to, incorporated in or otherwise applied in connection with the Software.
You will not owe Us any royalties for Your distribution of the Software in accordance with this Agreement. You will not
owe Us any fees for Your use or distribution of Applications in accordance with this Agreement, which are based on
Sencha Touch and not other Software.
4. PROHIBITED USES
You may not redistribute the Software or Modifications other than by including the Software or a portion thereof within
Your Application. You may not redistribute the Software or Modifications as part of any Application that can be de-
scribed as a development toolkit or library, an application builder, a website builder or any Application that is intended
for use by software, application, or website developers or designers. You may not redistribute any part of the Software
documentation. You may not change or remove the copyright notice from any of the files included in the Software or
Modifications.
UNDER NO CIRCUMSTANCES MAY YOU USE THE SOFTWARE FOR AN APPLICATION THAT IS INTENDED
FOR SOFTWARE OR APPLICATION DEVELOPMENT PURPOSES.
You are required to ensure that the Software is not reused by or with any applications other than those with which You
distribute it as permitted herein. For example, if You install the Software on a customer’s server, that customer is not
permitted to use the Software independently of Your Application, and must be informed as such.
You are not allowed to distribute Applications which leverage Sencha Touch for use on any Embedded Device, apart
from use within a general purpose web browser. The term “Embedded Device” shall mean hardware products that are
designed and/or marketed to have a specific primary purpose, including without limitation any the following alone or
in combination with each other: television, television receiver, game console, personal video recorder, player for digital
versatile disc or other optical media, video camera, still camera, camcorder, GPS device, navigation device, in-car
telematics device, in-car entertainment console, medical devices, video editing and format conversion device, video im-
age projection device, or any similar type of consumer, professional or industrial device. The term “Embedded Device”
shall also include general purpose hardware products that are permanently integrated into other products that have a
specific primary purpose, such as automobiles, trucks, busses, recreational vehicles, refrigerators and other household
appliances, beds and chairs. The term “Embedded Device” shall not include hardware products which are designed and
marketed with the primary purpose of operating a wide variety of productivity, entertainment, and other software ap-
plications provided by unrelated third party software vendors, nor shall the term include devices designed and/or mar-
keted primarily as a telephone or similar telephony based device, provided such device similarly supports a wide
variety of productivity, entertainment, and other software applications provided by unrelated third party software ven-
dors. Notwithstanding the foregoing, you may distribute Applications which leverage Sencha Touch on a number of
Embedded Devices that does not exceed the limit established by Us as requiring fees, as posted at sencha.com/prod-
ucts/touch/license or as otherwise agreed by Us in writing.
The Open Source version of the Software (“GPL Version”) is licensed under the terms of the GNU General Public License
versions 3.0 (“GPL”) and not under this Agreement. If You, or another third party, has, at any time, developed all (or
any portions of) the Application(s) using the GPL Version, You may not combine such development work with the Soft-
ware and must license such Application(s) (or any portions derived there from) under the terms of the GNU General
Public License version 3, a copy of which is located at http://www.gnu.org/copyleft/gpl.html.
5. TERMINATION
This Agreement and Your right to use the Software and Modifications will terminate immediately if You fail to comply
with any of the terms and conditions of this Agreement. Upon termination, You agree to immediately cease using and
destroy the Software or Modifications, including all accompanying documents. The provisions of sections 4, 5, 6, 7, 8, 9,
and 11 will survive any termination of this Agreement.
6. DISCLAIMER OF WARRANTIES
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WE AND OUR RESELLERS DISCLAIM ALL
WARRANTIES AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IM-
PLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND TITLE AND NON-
INFRINGEMENT, WITH REGARD TO THE SOFTWARE. WE DO NOT GUARANTEE THAT THE OPERATION OF
THE SOFTWARE OR THE CODE IT PRODUCES WILL BE UNINTERRUPTED OR ERROR-FREE, AND YOU AC-
KNOWLEDGE THAT IT IS NOT TECHNICALLY PRACTICABLE FOR US TO DO SO.
7. LIMITATION OF LIABILITIES
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL WE OR OUR RESELLERS
BE LIABLE UNDER ANY LEGAL OR EQUITABLE THEORY FOR ANY SPECIAL, INCIDENTAL, INDIRECT OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF
BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION OR ANY OTHER PECUNI-
ARY LAW) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE OR THE CODE IT PRODUCES
OR ANY OTHER SUBJECT MATTER RELATING TO THIS AGREEMENT, EVEN IF WE OR OUR RESELLERS HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, OUR ENTIRE LIABILITY WITH RE-
SPECT TO ANY SUBJECT MATER RELATING TO THIS AGREEMENT SHALL BE LIMITED TO THE GREATER OF
(I) THE AMOUNT ACTUALLY PAID BY YOU FOR THE SOFTWARE OR (II) FIVE HUNDRED DOLLARS ($500).
1492
8. VERIFICATION
We or a certified auditor acting on Our behalf, may, upon Our reasonable request and at Our expense, audit You with
respect to the use of the Software. Such audit may be conducted by mail, electronic means or through an in-person visit
to Your place of business. Any such in-person audit shall be conducted during regular business hours at Your facilities
and shall not unreasonably interfere with Your business activities. We shall not remove, copy, or redistribute any elec-
tronic material during the course of an audit. If an audit reveals that You are using the Software in a way that is in ma-
terial violation of the terms of this Agreement, then You shall pay Our reasonable costs of conducting the audit. In the
case of a material violation, You agree to pay Us any amounts owing that are attributable to the unauthorized use. In the
alternative, We reserve the right, at Our discretion, to terminate the licenses for the Software, in addition to any other
remedies available under law. This Section shall survive expiration or termination of this Agreement for a period of two
(2) years.
If credit has been extended to You by Us, all payments under this Agreement are due within thirty (30) days of the date
We mail an invoice to You. If We have not extended credit to You, You shall be required to make payment concurrent
with the delivery of the Software by Us. Any value added tax, use tax, sales tax or similar tax (“Transaction Taxes”) shall
be your sole responsibility. Each party shall pay all taxes (including, but not limited to, taxes based upon its income) or
levies imposed on it under applicable laws, regulations and tax treaties as a result of this Agreement and any payments
made hereunder (including those required to be withheld or deducted from payments); provided that You shall be re-
sponsible for all Transactions Taxes and shall pay or reimburse Us for the same upon invoice. Each party shall furnish
evidence of such paid taxes as is sufficient to enable the other party to obtain any credits available to it, including original
withholding tax certificates. Notwithstanding the foregoing, Software ordered through Our resellers is subject to the
fees and payment terms set forth on the applicable reseller invoice.
You are not entitled to any support for the Software under this Agreement. All support must be purchased separately
and will be subject to the terms and conditions contained in the Sencha support agreement. You are entitled to receive
minor version updates to the Software (i.e. versions identified as follows (X.Y, X.Y+1). You are not entitled to receive
major version updates (i.e. X.Y, X+1.Y) or bug fix updates to the Software (X.Y.Z, X.Y.Z+1), unless purchased indepen-
dently of this license.
11. MISCELLANEOUS
The license granted herein applies only to the version of the Software available when purchased (or downloaded in the
case of Sencha Touch) in connection with the terms of this Agreement, and to any updates and/or upgrades to which
you may be entitled. Any previous or subsequent license granted to You for use of the Software shall be governed by
the terms and conditions of the agreement entered in connection with purchase or download of that version of the Soft-
ware. You agree that you will comply with all applicable laws and regulations with respect to the Software, including
without limitation all export and re-export control laws and regulations.
While redistributing the Software or Modifications thereof as part of Your Application, You may choose to offer accep-
tance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this Agreement. How-
ever, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on our
behalf. You shall indemnify Us and our resellers, or at Our option, defend Us and our resellers against any claim, suit
or proceeding brought against Us or our resellers (i) arising by reason of Your accepting any such support, warranty,
indemnity or additional liability; or (ii) arising out of the use, reproduction or distribution of Your Application, except
to the extent such claim is solely based on the inclusion of the Software therein. Further, You agree only to distribute the
Software pursuant to an enforceable written agreement for Our benefit that includes all the limitations and restrictions
of this Agreement and is as protective of Us and Software as is this Agreement. For clarity, for Software for which you
have paid a fee, You must purchase Designated User licenses for each contractor or consultant who uses the Software
to create an Application on your behalf (including system integrators), whether or not such contractor or consultant has
its own license to the Software.
You agree to be identified as a customer of ours and You agree that We may refer to You by name, trade name and trade-
mark, if applicable, and may briefly describe Your business in our marketing materials and web site.
You may not assign or transfer this Agreement without Our prior written consent. This Agreement may be assigned by
Us in whole or part and will inure to the benefit of Our successors and assigns. Notwithstanding the foregoing, in any
instance in which You transfer ownership of an Application on a work for hire basis, You may assign licenses for the
total Designated Users that have used the Software to develop said Application under this Agreement to another party
(Assignee) provided (i) you provide written notice to Us prior to the effective date of such assignment; and (ii) there is
a written agreement, wherein the Assignee accepts the terms of this Agreement. Upon any such transfer, the Assignee
may appoint new Designated Users.
You acknowledge that this Agreement is complete and is the exclusive representation of our agreement. No oral or writ-
ten information given by Us, Our resellers, or otherwise on Our behalf shall create a warranty or collateral contract, or
in any way increase the scope of this Agreement in any way, and You may not rely on any such oral or written informa-
tion. No term or condition contained in any purchase order shall have any force or effect.
There are no implied licenses or other implied rights granted under this Agreement, and all rights, save for those ex-
pressly granted hereunder, shall remain with Us and our licensors. In addition, no licenses or immunities are granted
to the combination of the Software and/or Modifications, as applicable, with any other software or hardware not deliv-
ered by Us or Our resellers to You under this Agreement. Your rights under this Agreement apply only to Software,
Modifications, and/or Applications for which all Designated Users are duly licensed hereunder.
1493
SGOS 6.2 Administration Guide
If any provision in this Agreement shall be determined to be invalid, such provision shall be deemed omitted; the re-
mainder of this Agreement shall continue in full force and effect. If any remedy provided is determined to have failed
for its essential purpose, all limitations of liability and exclusions of damages set forth in this Agreement shall remain
in effect.
This Agreement may be modified only by a written instrument signed by an authorized representative of each party.
The failure of either party to enforce any provision of this Agreement may not be deemed a waiver of that or any other
provision of this Agreement.
This Agreement is governed by the law of the State of California, United States (notwithstanding conflicts of laws pro-
visions), and all parties irrevocably submit to the jurisdiction of the state or federal courts of the State of California and
further agree to commence any litigation which may arise hereunder in the state or federal courts located in the judicial
district of San Mateo County, California, US.
If the Software or any related documentation is licensed to the U.S. Government or any agency thereof, it will be consid-
ered to be “commercial computer software” or “commercial computer software documentation,” as those terms are
used in 48 CFR § 12.212 or 48 CFR § 227.7202, and is being licensed with only those rights as are granted to all other
licensees as set forth in this Agreement.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flexlib, Version 1.4
Copyright (c) 2007-2011 flexlib contributors.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN
THE SOFTWARE.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
The FreeType Project LICENSE
2006-Jan-27
Copyright 1996-2002, 2006 by David Turner, Robert Wilhelm, and Werner Lemberg
Introduction
=========
The FreeType Project is distributed in several archive packages; some of them may contain, in addition to the FreeType
font engine, various tools and contributions which rely on, or relate to, the FreeType Project.
This license applies to all files found in such packages, and which do not fall under their own explicit license. The
license affects thus the FreeType font engine, the test programs, documentation and makefiles, at the very least.
This license was inspired by the BSD, Artistic, and IJG (Independent JPEG Group) licenses, which all encourage
inclusion and use of free software in commercial and freeware products alike. As a consequence, its main points are
that:
o We don't promise that this software works. However, we will be interested in any kind of bug reports. (`as is' dis-
tribution)
o You can use this software for whatever you want, in parts or full form, without having to pay us. (`royalty-free'
usage)
o You may not pretend that you wrote this software. If you use it, or only parts of it, in a program, you must ac-
knowledge somewhere in your documentation that you have used the FreeType code. (`credits')
We specifically permit and encourage the inclusion of this software, with or without modifications, in commercial
products. We disclaim all warranties covering The FreeType Project and assume no liability related to The FreeType
Project.
Finally, many people asked us for a preferred form for a credit/disclaimer to use in compliance with this license.
We thus encourage you to use the following text:
“Portions of this software are copyright (c) 2007The FreeType Project (www.freetype.org). All rights reserved."
Legal Terms
=========
0. Definitions
Throughout this license, the terms `package', `FreeType Project', and `FreeType archive' refer to the set of files orig-
inally distributed by the authors (David Turner, Robert Wilhelm, and Werner Lemberg) as the `FreeType Project', be
they named as alpha, beta or final release.
`You' refers to the licensee, or person using the project, where `using' is a generic term including compiling the project's
source code as well as linking it to form a `program' or `executable'. This program is referred to as `a program using
the FreeType engine'.
1494
This license applies to all files distributed in the original FreeType Project, including all source code, binaries and
documentation, unless otherwise stated in the file in its original, unmodified form as distributed in the original
archive. If you are unsure whether or not a particular file is covered by this license, you must contact us to verify this.
The FreeType Project is copyright (C) 1996-2000 by David Turner, Robert Wilhelm, and Werner Lemberg. All rights
reserved except as specified below.
1. No Warranty
THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IM-
PLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO USE, OF THE FREETYPE PROJECT.
2. Redistribution
This license grants a worldwide, royalty-free, perpetual and irrevocable right and license to use, execute, perform,
compile, display, copy, create derivative works of, distribute and sublicense the FreeType Project (in both source
and object code forms) and derivative works thereof for any purpose; and to authorize others to exercise some or
all of the rights granted herein, subject to the following conditions:
o Redistribution of source code must retain this license file (`FTL.TXT') unaltered; any additions, deletions or changes
to the original files must be clearly indicated in accompanying documentation. The copyright notices of the unal-
tered, original files must be preserved in all copies of source files.
o Redistribution in binary form must provide a disclaimer that states that the software is based in part of the work of
the FreeType Team, in the distribution documentation. We also encourage you to put an URL to the FreeType web
page in your documentation, though this isn't mandatory.
These conditions apply to any software derived from or based on the FreeType Project, not just the unmodified files.
If you use our work, you must acknowledge us. However, no fee need be paid to us.
3. Advertising
Neither the FreeType authors and contributors nor you shall use the name of the other for commercial, advertising,
or promotional purposes without specific prior written permission.
We suggest, but do not require, that you use one or more of the following phrases to refer to this software in your
documentation or advertising materials: `FreeType Project', `FreeType Engine', `FreeType library', or `FreeType Distri-
bution'.
As you have not signed this license, you are not required to accept it. However, as the FreeType Project is copy-
righted material, only this license, or another one contracted with the authors, grants you the right to use, distribute,
and modify it. Therefore, by using, distributing, or modifying the FreeType Project, you indicate that you understand
and accept all the terms of this license.
4. Contacts
There are two mailing lists related to FreeType:
o freetype@nongnu.org
Discusses general use and applications of FreeType, as well as future and wanted additions to the library and distribu-
tion. If you are looking for support, start in this list if you haven't found anything to help you in the documentation.
o freetype-devel@nongnu.org
Discusses bugs, as well as engine internals, design issues, specific licenses, porting, etc.
Our home page can be found at http://www.freetype.org
FreeBSD
Certain Blue Coat Product may include various version of FreeBSD (or part thereof). FreeBSD is licensed under the fol-
lowing license.
Copyright 1992-2013 The FreeBSD Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRAN-
TIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIB-
UTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LI-
ABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1495
SGOS 6.2 Administration Guide
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The views and conclusions contained in the software and documentation are those of the authors and should not be in-
terpreted as representing official policies, either expressed or implied, of the FreeBSD Project.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
This GCC Runtime Library Exception ("Exception") is an additional permission under section 7 of the GNU General Pub-
lic License, version
3 ("GPLv3"). It applies to a given file (the "Runtime Library") that bears a notice placed by the copyright holder of the
file stating that the file is governed by GPLv3 along with this Exception.
When you use GCC to compile a program, GCC may combine portions of certain GCC header files and runtime libraries
with the compiled
program. The purpose of this Exception is to allow compilation of non-GPL (including proprietary) programs to use, in
this way, the header files and runtime libraries covered by this Exception.
0. Definitions.
A file is an "Independent Module" if it either requires the Runtime Library for execution after a Compilation Process, or
makes use of an interface provided by the Runtime Library, but is not otherwise based on the Runtime Library.
"GCC" means a version of the GNU Compiler Collection, with or without modifications, governed by version 3 (or a
specified later version) of the GNU General Public License (GPL) with the option of using any subsequent versions pub-
lished by the FSF.
"GPL-compatible Software" is software whose conditions of propagation, modification and use would permit combina-
tion with GCC in accord with
the license of GCC.
"Target Code" refers to output from any compiler for a real or virtual target processor architecture, in executable form
or suitable for input to an assembler, loader, linker and/or execution phase. Notwithstanding that, Target Code does
not include data in any format that is used as a compiler intermediate representation, or used for producing a compiler
intermediate representation.
The "Compilation Process" transforms code entirely represented in non-intermediate languages designed for human-
written code, and/or in Java Virtual Machine byte code, into Target Code. Thus, for example, use of source code gener-
ators and preprocessors need not be considered part of the Compilation Process, since the Compilation Process can be
understood as starting with the output of the generators or preprocessors.
A Compilation Process is "Eligible" if it is done using GCC, alone or with other GPL-compatible software, or if it is done
without using any work based on GCC. For example, using non-GPL-compatible Software to optimize any GCC inter-
mediate representations would not qualify as an Eligible Compilation Process.
You have permission to propagate a work of Target Code formed by combining the Runtime Library with Independent
Modules, even if such propagation would otherwise violate the terms of GPLv3, provided that all Target Code was gen-
erated by Eligible Compilation Processes. You may then convey such a combination under terms of your choice, consis-
tent with the licensing of the Independent Modules.
The availability of this Exception does not imply any general presumption that third-party software is unaffected by the
copyleft requirements of the license of GCC.
Hopefully that text is self-explanatory. If it isn't, you need to speak to your lawyer, or the Free Software Foundation.
The Documentation: GPL, FDL
The documentation shipped with the library and made available over the web, excluding the pages generated from
source comments, are copyrighted by the Free Software Foundation, and placed under the GNU Free Documentation
License version 1.3. There are no Front-Cover Texts, no Back-Cover Texts, and no Invariant Sections.
For documentation generated by doxygen or other automated tools via processing source code comments and markup,
the original source code license applies to the generated files. Thus, the doxygen documents are licensed GPL.
If you plan on making copies of the documentation, please let us know. We can probably offer suggestions.
1496
HEIMDAL
Copyright (c) 1995 - 2008 Kungliga Tekniska HÃgskolan (Royal Institute of Technology, Stockholm, Sweden). All rights
reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products de-
rived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
HEIMDAL 1.2.1
Kungliga Tekniska Högskolan
Copyright (c) 1997-2008 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights
reserved.
Portions Copyright (c) 2009 Apple Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products de-
rived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
1497
SGOS 6.2 Administration Guide
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAM-
AGE.
1. The authors are not responsible for the consequences of use of this software, no matter how awful, even if they arise
from flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever
read sources, credits must appear in the documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software.
Since few users ever read sources, credits must appear in the documentation.
4. This notice may not be removed or altered.
Michael J. Fromberger
The RSA/DH support for libhcrypto. IMath is Copyright 2002-2005 Michael J. Fromberger
You may use it subject to the following Licensing Terms:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN THE SOFTWARE.
Doug Rabson
GSS-API mechglue layer. Copyright (c) 2005 Doug Rabson
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1498
Marko Kreen
Fortuna in libhcrypto
Copyright (c) 2005 Marko Kreen
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
1499
SGOS 6.2 Administration Guide
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIA-
BLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (IN-
CLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAM-
AGE.
Apple, Inc
kdc/announce.c
Copyright (c) 2008 Apple Inc. All Rights Reserved.
Export of this software from the United States of America may require a specific license from the United States Govern-
ment. It is the responsibility of any person or organization contemplating export to obtain such a license before export-
ing.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for
any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in supporting documentation, and that the name of Apple
Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior per-
mission. Apple Inc. makes no representations about the suitability of this software for any purpose. It is provided "as
is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUD-
ING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PAR-
TICULAR PURPOSE.
Richard Outerbridge
DES core in libhcrypto
D3DES (V5.09) -
A portable, public domain, version of the Data Encryption Standard. Written with Symantec's THINK (Lightspeed) C
by Richard Outerbridge. Thanks to: Dan Hoey for his excellent Initial and Inverse permutation code; Jim Gillogly & Phil
Karn for the DES key schedule code; Dennis Ferguson, Eric Young and Dana How for comparing notes; and Ray Lau,
for humouring me on.
Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge.
(GEnie : OUTER; CIS : [71755,204]) Graven Imagery, 1992.
Highcharts JS
Highcharts JS is owned by and licensed through Highsoft Solutions AS. The use of Highcharts JS is not an endorsement
of any work done by Blue Coat Systems.
ICU - International Components for Unicode, Version 3.2
Copyright (c) 1995-2003 International Business Machines Corporation and others
All rights reserved.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL
INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
1500
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Soft-
ware is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies
of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documen-
tation.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER
OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CON-
SEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to pro-
mote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.
Intel e1000
Copyright (c) 2001-2010, Intel Corporation
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Intel Corporation nor the names of its contributors may be used to endorse or promote prod-
ucts derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Intel ixgbe
Copyright (c) 2001-2010, Intel Corporation
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Intel Corporation nor the names of its contributors may be used to endorse or promote prod-
ucts derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1501
SGOS 6.2 Administration Guide
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
irrxml
Copyright © 2002-2007 Nikolaus Gebhardt
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for
any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it
and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If
you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not
required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original soft-
ware.
3. This notice may not be removed or altered from any source distribution.
json-c
Copyright (c) 2004, 2005 Metaparadigm Pte Ltd
Permission is hereby granted, free of charge, to any person obtaining acopy of this software and associated documenta-
tion files (the "Software"),to deal in the Software without restriction, including without limitationthe rights to use, copy,
modify, merge, publish, distribute, sublicense,and/or sell copies of the Software, and to permit persons to whom the-
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be includedin all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHER-
WISE, ARISING FROM,OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
Kame
Copyright (C) 1998-2003
Sony Computer Science Laboratories Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SONY CSL OR CONTRIBU-
TORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LI-
ABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Kerberos 5, version 1.7
Copyright and Other Legal Notices
---------------------------------
Export of this software from the United States of America may require a specific license from the United States Govern-
ment. It is the responsibility of any person or organization contemplating export to obtain such a license before export-
ing.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for
any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T.
not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permis-
sion. Furthermore if you modify this software you must label your software as modified software and not distribute it
in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the
suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICU-
LAR PURPOSE.
Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat,
Sun Microsystems, FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachu-
1502
setts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permis-
sion of MIT.
"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm
from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trade-
mark status should be given).
--------------------
Export of this software from the United States of America may require a specific license from the United States Govern-
ment. It is the responsibility of any person or organization contemplating export to obtain such a license before export-
ing.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for
any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in supporting documentation, and that the name of Fund-
sXpress. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior
permission. FundsXpress makes no representations about the suitability of this software for any purpose. It is provided
"as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICU-
LAR PURPOSE.
--------------------
The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in
kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:
WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates
your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Ker-
beros administration system.
You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but
this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITA-
TION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTH-
ER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, IN-
CLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAIL-
URE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.
OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works
of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be pre-
served if derivative works are made based on the donated Source Code.
OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard
Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development
and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.
--------------------
Portions contributed by Matt Crawford <crawdad@fnal.gov> were work performed at Fermi National Accelerator Lab-
oratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the
U.S. Department of Energy.
--------------------
The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following
copyright:
Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby
granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice
and this permission notice appear in supporting documentation, and that the name of Zero-Knowledge Systems, Inc.
not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permis-
1503
SGOS 6.2 Administration Guide
sion. Zero-Knowledge Systems, Inc. makes no representations about the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.
ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, IN-
CLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ZERO-
KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN AC-
TION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--------------------
The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright:
LICENSE TERMS
The free distribution and use of this software in both source and binary form is allowed (with or without changes) pro-
vided that:
1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaim-
er;
2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in
the documentation and/or other associated materials;
3. the copyright holder's name is not used to endorse products built using this software without specific written per-
mission.
DISCLAIMER
This software is provided 'as is' with no explcit or implied warranties in respect of any properties, including, but not
limited to, correctness and fitness for purpose.
--------------------
Portions contributed by Red Hat, including the pre-authentication plug-ins framework, contain the following copyright:
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------
The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in src/lib/gssapi, including the following files:
lib/gssapi/generic/gssapi_err_generic.et
lib/gssapi/mechglue/g_accept_sec_context.c
lib/gssapi/mechglue/g_acquire_cred.c
lib/gssapi/mechglue/g_canon_name.c
lib/gssapi/mechglue/g_compare_name.c
1504
lib/gssapi/mechglue/g_context_time.c
lib/gssapi/mechglue/g_delete_sec_context.c
lib/gssapi/mechglue/g_dsp_name.c
lib/gssapi/mechglue/g_dsp_status.c
lib/gssapi/mechglue/g_dup_name.c
lib/gssapi/mechglue/g_exp_sec_context.c
lib/gssapi/mechglue/g_export_name.c
lib/gssapi/mechglue/g_glue.c
lib/gssapi/mechglue/g_imp_name.c
lib/gssapi/mechglue/g_imp_sec_context.c
lib/gssapi/mechglue/g_init_sec_context.c
lib/gssapi/mechglue/g_initialize.c
lib/gssapi/mechglue/g_inquire_context.c
lib/gssapi/mechglue/g_inquire_cred.c
lib/gssapi/mechglue/g_inquire_names.c
lib/gssapi/mechglue/g_process_context.c
lib/gssapi/mechglue/g_rel_buffer.c
lib/gssapi/mechglue/g_rel_cred.c
lib/gssapi/mechglue/g_rel_name.c
lib/gssapi/mechglue/g_rel_oid_set.c
lib/gssapi/mechglue/g_seal.c
lib/gssapi/mechglue/g_sign.c
lib/gssapi/mechglue/g_store_cred.c
lib/gssapi/mechglue/g_unseal.c
lib/gssapi/mechglue/g_userok.c
lib/gssapi/mechglue/g_utils.c
lib/gssapi/mechglue/g_verify.c
lib/gssapi/mechglue/gssd_pname_to_uid.c
lib/gssapi/mechglue/mglueP.h
lib/gssapi/mechglue/oid_ops.c
lib/gssapi/spnego/gssapiP_spnego.h
lib/gssapi/spnego/spnego_mech.c
and the initial implementation of incremental propagation, including the following new or changed files:
include/iprop_hdr.h
kadmin/server/ipropd_svc.c
lib/kdb/iprop.x
lib/kdb/kdb_convert.c
lib/kdb/kdb_log.c
lib/kdb/kdb_log.h
lib/krb5/error_tables/kdb5_err.et
slave/kpropd_rpc.c
slave/kproplog.c
lib/krb5/os/hst_realm.c
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN THE SOFTWARE.
--------------------
MIT Kerberos includes documentation and software developed at the University of California at Berkeley, which in-
cludes this copyright
notice:
1505
SGOS 6.2 Administration Guide
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
--------------------
Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license:
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
The copyright holder's name is not used to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------
Portions funded by Sandia National Laboratory and developed by the University of Michigan's Center for Information
Technology Integration, including the PKINIT implementation, are subject to the following license:
Permission is granted to use, copy, create derivative works and redistribute this software and such derivative works
for any purpose, so long as the name of The University of Michigan is not used in any advertising or publicity pertaining
to the use of distribution of this software without specific, written prior authorization. If the above copyright notice or
any other identification of the University of Michigan is included in any copy of any portion of this software, then the
disclaimer below must also be included.
THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF MICHIGAN AS
TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF
MICHIGAN S HALL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN CONNECTION WITH
THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
1506
--------------------
The pkcs11.h file included in the PKINIT code has the following license:
--------------------
Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
--------------------
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--------------------
1507
SGOS 6.2 Administration Guide
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are
permitted provided that the following conditions are met:
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution, and
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version num-
ber. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the
license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAM-
AGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIA-
BILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use
or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at
all times remain with copyright holders.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to
copy and distribute verbatim copies of this document is granted.
--------------------
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from
this software without cspecific prior written permission.
THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAM-
AGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIA-
BILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Libpcap, Version 0.5.2
Copyright (c) 1993, 1994, 1995, 1996, 1997
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The names of the authors may not be used to endorse or promote products derived from this software without specific
prior written permission.
1508
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUD-
ING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PAR-
TICULAR PURPOSE.
Libcrypt
Blowfish - a fast block cipher designed by Bruce Schneier
Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by Niels Provos.
4. The name of the author may not be used to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CON-
TRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
LibInjection
Copyright 2012, 2013
Nick Galbreath -- nickg [at] client9 [dot] com
http://www.client9.com/projects/libinjection/
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of libinjection nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
libpng
1509
SGOS 6.2 Administration Guide
This copy of the libpng notices is provided for your convenience. In case ofany discrepancy between this copy and the
notices in the file png.h that isincluded in the libpng distribution, the latter shall prevail.
COPYRIGHT NOTICE, DISCLAIMER, and LICENSE:
If you modify libpng you may insert additional notices immediately following this sentence.
libpng versions 1.2.6, August 15, 2004, through 1.2.25, February 18, 2008, are
Copyright (c) 2004, 2006-2008 Glenn Randers-Pehrson, and aredistributed according to the same disclaimer and license
as libpng-1.2.5
with the following individual added to the list of Contributing Authors
Cosmin Truta
libpng versions 1.0.7, July 1, 2000, through 1.2.5 - October 3, 2002, areCopyright (c) 2000-2002 Glenn Randers-Pehrson,
and aredistributed according to the same disclaimer and license as libpng-1.0.6with the following individuals added to
the list of Contributing Authors
Simon-Pierre Cadieux
Eric S. Raymond
Gilles Vollant
and with the following additions to the disclaimer:
There is no warranty against interference with your enjoyment of the library or against infringement. There is no
warranty that our efforts or the library will fulfill any of your particular purposes or needs. This library is provided
with all faults, and the entire risk of satisfactory quality, performance, accuracy, and effort is with the user.
libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, areCopyright (c) 1998, 1999 Glenn Randers-Pehrson,
and aredistributed according to the same disclaimer and license as libpng-0.96,with the following individuals added to
the list of Contributing Authors:
Tom Lane
Glenn Randers-Pehrson
Willem van Schaik
libpng versions 0.89, June 1996, through 0.96, May 1997, are
Copyright (c) 1996, 1997 Andreas Dilger
Distributed according to the same disclaimer and license as libpng-0.88,with the following individuals added to the list
of Contributing Authors:
John Bowler
Kevin Bracey
Sam Bushell
Magnus Holmgren
Greg Roelofs
Tom Tanner
libpng versions 0.5, May 1995, through 0.88, January 1996, areCopyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.
For the purposes of this copyright and license, "Contributing Authors"is defined as the following set of individuals:
Andreas Dilger
Dave Martindale
Guy Eric Schalnat
Paul Schmidt
Tim Wegner
The PNG Reference Library is supplied "AS IS". The Contributing Authorsand Group 42, Inc. disclaim all warranties,
expressed or implied,including, without limitation, the warranties of merchantability and offitness for any purpose. The
Contributing Authors and Group 42, Inc.assume no liability for direct, indirect, incidental, special, exemplary, or con-
sequential damages, which may result from the use of the PNG Reference Library, even if advised of the possibility of
such damage. Permission is hereby granted to use, copy, modify, and distribute this source code, or portions hereof, for
any purpose, without fee, subject to the following restrictions:
1. The origin of this source code must not be misrepresented.
2. Altered versions must be plainly marked as such and must not be misrepresented as being the original source.
3. This Copyright notice may not be removed or altered from any source or altered source distribution. The Contributing
Authors and Group 42, Inc. specifically permit, without fee, and encourage the use of this source code as a component
to supporting the PNG file format in commercial products. If you use this source code in a product, acknowledgment
is not required but would be appreciated.
A "png_get_copyright" function is available, for convenient use in "about"
boxes and the like:
printf("%s",png_get_copyright(NULL));
Also, the PNG logo (in PNG format, of course) is supplied in the files "pngbar.png" and "pngbar.jpg (88x31) and "png-
now.png" (98x31).
Libpng is OSI Certified Open Source Software. OSI Certified Open Source is a certification mark of the Open Source
Initiative.
Glenn Randers-Pehrson
glennrp at users.sourceforge.net
February 18, 2008
Libxml2
Open Source Initiative OSI - The MIT License (MIT):Licensing
Except where otherwise noted in the source code (e.g. the files hash.c, list.c and the trio files, which are covered by a
similar licence but with different Copyright notices) all the files are:
1510
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE DANIEL VEILLARD BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFT-
WARE.
Except as contained in this notice, the name of Daniel Veillard shall not be used in advertising or otherwise to promote
the sale, use or other dealings in this Software without prior written authorization from him.
Mach_Star
mach_star is licensed under Creative Commons Attribution License 2.0. Read the license for details, but the gist is you
can use mach_star however youíd like so long as you give me credit. That mostly means putting
Portions Copyright (c) 2003-2005 Jonathan ëWolfí Rentzsch
In your About Box.
Keychain framework
Created by Wade Tregaskis on Fri Jan 24 2003.
Copyright (c) 2003, Wade Tregaskis. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Wade Tregaskis nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Method Swizzle
Copyright (c) 2006 Tildesoft. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in // all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE // AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
Implementation of Method Swizzling, inspired by
http://www.cocoadev.com/index.pl?MethodSwizzling
Growl
Uses the BSD license: http://growl.info/documentation/developer/bsd-license.txt
Base64 encoding in Cocoa
Original code: http://www.dribin.org/dave/blog/archives/2006/03/12/base64_cocoa/
Uses the Create Commons license: http://creativecommons.org/licenses/by-nc-nd/3.0/us/
Madcap Software
Copyright MadCap Software
http://www.madcapsoftware.com/
v8.0.0.0
MAPI
MICROSOFT OUTLOOK 2010 MAPI HEADER FILES
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates)
and you. Please read them. They apply to the software named above, which includes the media on which you received
it, if any. The terms also apply to any Microsoft
1511
SGOS 6.2 Administration Guide
• updates,
• supplements,
• Internet-based services, and
• support services
for this software, unless other terms accompany those items. If so, those terms apply.
BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE
SOFTWARE.
MICROSOFT SOFTWARE LICENSE TERMS
MICROSOFT OUTLOOK 2010 MAPI HEADER FILES
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates)
and you. Please read them. They apply to the software named above, which includes the media on which you received
it, if any. The terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this software, unless other terms accompany those items. If so, those terms apply.
BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE
SOFTWARE.
If you comply with these license terms, you have the rights below.
1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.
2. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Distributable Code. The software contains code that you are permitted to distribute in programs you develop if you
comply with the terms below.
i. Right to Use and Distribute. The code and text files listed below are “Distributable Code.”
• Sample Code. You may modify, copy, and distribute the source and object code form of code marked as “sam-
ple.”
• Third Party Distribution. You may permit distributors of your programs to copy and distribute the Distributable
Code as part of those programs.
ii. Distribution Requirements. For any Distributable Code you distribute, you must
• add significant primary functionality to it in your programs;
• require distributors and external end users to agree to terms that protect it at least as much as this agreement;
• display your valid copyright notice on your programs; and
• indemnify, defend, and hold harmless Microsoft from any claims, including attorneys’ fees, related to the dis-
tribution or use of your programs.
iii. Distribution Restrictions. You may not
• alter any copyright, trademark or patent notice in the Distributable Code;
• use Microsoft’s trademarks in your programs’ names or in a way that suggests your programs come from or
are endorsed by Microsoft;
• distribute Distributable Code to run on a platform other than the Windows platform;
• include Distributable Code in malicious, deceptive or unlawful programs; or
• modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an
Excluded License. An Excluded License is one that requires, as a condition of use, modification or distribution, that
• the code be disclosed or distributed in source code form; or
• others have the right to modify it.
3. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the soft-
ware. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may
use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limi-
tations in the software that only allow you to use it in certain ways. You may not
• work around any technical limitations in the software;
• reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly
permits, despite this limitation;
• make more copies of the software than specified in this agreement or allowed by applicable law, despite this limi-
tation;
• publish the software for others to copy;
• rent, lease or lend the software; or
• use the software for commercial software hosting services.
4. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.
5. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the
documentation for your internal, reference purposes.
6. TRANSFER TO ANOTHER DEVICE. You may uninstall the software and install it on another device for your use.
You may not do so to share this license between devices.
7. TRANSFER TO A THIRD PARTY. The first user of the software may transfer it and this agreement directly to a third
party. Before the transfer, that party must agree that this agreement applies to the transfer and use of the software. The
first user must uninstall the software before transferring it separately from the device. The first user may not retain any
copies.
8. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply
with all domestic and international export laws and regulations that apply to the software. These laws include restric-
tions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
9. SUPPORT SERVICES. Because this software is “as is,” we may not provide support services for it.
1512
10. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and sup-
port services that you use, are the entire agreement for the software and support services.
11. APPLICABLE LAW.
a. United States. If you acquired the software in the United States, Washington state law governs the interpretation of
this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where
you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and
in tort.
b. Outside the United States. If you acquired the software in any other country, the laws of that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your
country. You may also have rights with respect to the party from whom you acquired the software. This agreement does
not change your rights under the laws of your country if the laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED “AS-IS.” YOU BEAR THE RISK OF USING IT. MI-
CROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS. YOU MAY HAVE ADDITIONAL
CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EX-
TENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT EXCLUDES THE IMPLIED WARRANTIES OF MER-
CHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT
AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAM-
AGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
•anything related to the software, services, content (including code) on third party Internet sites, or third party pro-
grams; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to
the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation
or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, conse-
quential or other damages.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Mes-
sage-Digest Algorithm" in all material mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the
RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability
of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
Mersenne-Twister
Mersenne-Twister (MT19937) with initialization improved 2002/1/26. Coded by Takuji Nishimura and Makoto Matsu-
moto.
Before using, initialize the state by using init_genrand(seed) or init_by_array(init_key, key_length).
Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura, All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the
documentation and/or other materials provided with the distribution.
3. The names of its contributors may not be used to endorse or promote products derived from this software without
specific prior written permission
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Any feedback is very welcome. http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html email: m-mat @
math.sci.hiroshima-u.ac.jp (remove space)
Microsoft Windows Media Streaming
Copyright (c) 2003 Microsoft Corporation. All rights reserved.
Morten’s JavaScript Tree Menu
Copyright (c) 2001-2002, Morten Wang & contributors
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1513
SGOS 6.2 Administration Guide
* Neither the name "Morten's JavaScript Tree Menu" nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
MOZILLA PUBLIC LICENSE
The following products are covered under the Mozilla Public License:
Elvenware Source Code
---------------------------------------------------------------
Version 1.0
The following products are covered under the Mozilla public license:
Mozilla NSS
1. Definitions.
1.1. ``Contributor'' means each entity that creates or contributes to the creation of Modifications.
1.2. ``Contributor Version'' means the combination of the Original Code, prior Modifications used by a Contributor,
and the Modifications made by that particular Contributor.
1.3. ``Covered Code'' means the Original Code or Modifications or the combination of the Original Code and Modifi-
cations, in each case including portions thereof.
1.4. ``Electronic Distribution Mechanism'' means a mechanism generally accepted in the software development com-
munity for the electronic transfer of data.
1.5. ``Executable'' means Covered Code in any form other than Source Code.
1.6. ``Initial Developer'' means the individual or entity identified as the Initial Developer in the Source Code notice
required by Exhibit A.
1.7. ``Larger Work'' means a work which combines Covered Code or portions thereof with code not governed by the
terms of this License.
1.9. ``Modifications'' means any addition to or deletion from the substance or structure of either the Original Code or
any previous Modifications. When Covered Code is released as a series of files, a Modification is:
A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications.
B. Any new file that contains any part of the Original Code or previous Modifications.
1.10. ``Original Code'' means Source Code of computer software code which is described in the Source Code notice
required by Exhibit A as Original Code, and which, at the time of its release under this License is not already Covered
Code governed by this License.
1.11. ``Source Code'' means the preferred form of the Covered Code for making modifications to it, including all mod-
ules it contains, plus any associated interface definition files, scripts used to control compilation and installation of an
Executable, or a list of source code differential comparisons against either the Original Code or another well known,
available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided
the appropriate decompression or de-archiving software is widely available for no charge.
1.12. ``You'' means an individual or a legal entity exercising rights under, and complying with all of the terms of, this
License or a future version of this License issued under Section 6.1. For legal entities, ``You'' includes any entity which
controls, is controlled by, or is under common control with You. For purposes of this definition, ``control'' means (a) the
power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b)
1514
ownership of fifty percent (50%) or more of the outstanding shares or beneficial ownership of such entity.
(a) to use, reproduce, modify, display, perform, sublicense and distribute the Original Code (or portions thereof)
with or without Modifications, or as part of a Larger Work; and
(b) under patents now or hereafter owned or controlled by Initial Developer, to make, have made, use and sell (``Uti-
lize'') the Original Code (or portions thereof), but solely to the extent that any such patent is reasonably necessary to en-
able You to Utilize the Original Code (or portions thereof) and not to any greater extent that may be necessary to Utilize
further Modifications or combinations.
(a) to use, reproduce, modify, display, perform, sublicense and distribute the Modifications created by such Con-
tributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code or as part of a
Larger Work; and
(b) under patents now or hereafter owned or controlled by Contributor, to Utilize the Contributor Version (or por-
tions thereof), but solely to the extent that any such patent is reasonably necessary to enable You to Utilize the Contrib-
utor Version (or portions thereof), and not to any greater extent that may be necessary to Utilize further Modifications
or combinations.
3. Distribution Obligations.
1515
SGOS 6.2 Administration Guide
fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You
may do so only on Your own behalf, and not on behalf of the Initial Developer or any Contributor. You must make it
absolutely clear than any such warranty, support, indemnity or liability obligation is offered by You alone, and You
hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial Developer
or such Contributor as a result of warranty, support, indemnity or liability terms You offer.
If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered
Code due to statute or regulation then You must: (a) comply with the terms of this License to the maximum extent pos-
sible; and (b) describe the limitations and the code they affect. Such description must be included in the LEGAL file de-
scribed in Section 3.4 and must be included with all distributions of the Source Code. Except to the extent prohibited by
statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to under-
stand it.
This License applies to code to which the Initial Developer has attached the notice in Exhibit A, and to related Covered
Code.
7. DISCLAIMER OF WARRANTY.
COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN ``AS IS'' BASIS, WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COV-
ERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH YOU. SHOULD
ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY
OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS
DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COV-
ERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
8. TERMINATION.
This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein
and fail to cure such breach within 30 days of becoming aware of the breach. All sublicenses to the Covered Code which
are properly granted shall survive any termination of this License. Provisions which, by their nature, must remain in
effect beyond the termination of this License shall survive.
1516
9. LIMITATION OF LIABILITY.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLI-
GENCE), CONTRACT, OR OTHERWISE, SHALL THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR
ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO YOU OR
ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY
CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE,
COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES,
EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMI-
TATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING
FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME
JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL
DAMAGES, SO THAT EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
The Covered Code is a ``commercial item,'' as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of ``com-
mercial computer software'' and ``commercial computer software documentation,'' as such terms are used in 48 C.F.R.
12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), all U.S.
Government End Users acquire Covered Code with only those rights set forth herein.
11. MISCELLANEOUS.
This License represents the complete agreement concerning subject matter hereof. If any provision of this License is
held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. This Li-
cense shall be governed by California law provisions (except to the extent applicable law, if any, provides otherwise),
excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an entity
chartered or registered to do business in, the United States of America: (a) unless otherwise agreed in writing, all dis-
putes relating to this License (excepting any dispute relating to intellectual property rights) shall be subject to final and
binding arbitration, with the losing party paying all costs of arbitration; (b) any arbitration relating to this Agreement
shall be held in Santa Clara County, California, under the auspices of JAMS/EndDispute; and (c) any litigation relating
to this Agreement shall be subject to the jurisdiction of the Federal Courts of the Northern District of California, with
venue lying in Santa Clara County, California, with the losing party responsible for costs, including without limitation,
court costs and reasonable attorneys fees and expenses. The application of the United Nations Convention on Contracts
for the International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a
contract shall be construed against the drafter shall not apply to this License.
Except in cases where another Contributor has failed to comply with Section 3.4, You are responsible for damages
arising, directly or indirectly, out of Your utilization of rights under this License, based on the number of copies of Cov-
ered Code you made available, the revenues you received from utilizing such rights, and other relevant factors. You
agree to work with affected parties to distribute responsibility on an equitable basis.
EXHIBIT A.
``The contents of this file are subject to the Mozilla Public License Version 1.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/
Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
either express or implied. See the License for the specific language governing rights and limitations under the License.
The Initial Developer of the Original Code is ________________________. Portions created by ______________________
are Copyright (C) ______ _______________________. All Rights Reserved.
Contributor(s): ______________________________________.''
Multipart-parser-c
Based on node-formidable by Felix Geisendörfer
Igor Afonov - afonov@gmail.com - 2012
MIT License - http://www.opensource.org/licenses/mit-license.php
NetBSD
Certain Blue Coat product may include a certain version of NetBSD (or part thereof). NetBSD is licensed under the fol-
lowing license. For more information about the licensing terms of NetBSD, please refer to documentations that are
shipped with NetBSD, and the NetBSD webpage at http://www.netbsd.org/about/redistribution.html.
This code is derived from software contributed to The NetBSD Foundation by Redistribution and use in source and bi-
nary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
1517
SGOS 6.2 Administration Guide
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS “AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EX-
EMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTI-
TUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Newlib
The newlib subdirectory is a collection of software from several sources.
Each file may have its own copyright/license that is embedded in the source file. Unless otherwise noted in the body
of the source file(s), the following copyright notices will apply to the contents of the newlib subdirectory:
This copyrighted material is made available to anyone wishing to use, modify, copy, or redistribute it subject to the
terms and conditions of the BSD License. This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY expressed or implied, including the implied warranties of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. A copy of this license is available at
http://www.opensource.org/licenses.
Any Red Hat trademarks that are incorporated in the source code or documentation are not subject to the BSD License
and may only be used or replicated with the express permission of Red Hat, Inc.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Permission to use, copy, modify, and distribute this software for any purpose without fee is hereby granted, provided
that this entire notice is included in all copies of any software which is or includes a copy or modification of this software
and in all copies of the supporting documentation for such software.
THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN PARTIC-
ULAR, NEITHER THE AUTHOR NOR AT&T MAKES ANY REPRESENTATION OR WARRANTY OF ANY KIND
CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PUR-
POSE.
-------------------------------------------------------------------
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is
1518
hereby granted, provided that the above copyright notice appear in all copies and that both that the copyright notice
and this permission notice and warranty disclaimer appear in supporting documentation, and that the name of Lucent
or any of its entities not be used in advertising or publicity pertaining to distribution of the software without specific,
written prior permission.
LUCENT DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WAR-
RANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL LUCENT OR ANY OF ITS ENTITIES BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.
This software is the property of Advanced Micro Devices, Inc (AMD) which specifically grants the user the right to
modify, use and distribute this software provided this notice is not removed or altered. All other rights are reserved by
AMD.
AMD MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE. IN
NO EVENT SHALL AMD BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH OR ARISING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS SOFTWARE.
So that all may benefit from your experience, please report any problems or suggestions about this software to the 29K
Technical Support Center at 800-29-29-AMD (800-292-9263) in the USA, or 0800-89-1131 in the UK, or 0031-11-1129 in
Japan, toll free. The direct dial number is 512-462-4118.
(5)
(6)
To anyone who acknowledges that this file is provided "AS IS" without any express or implied warranty: permission to
use, copy, modify, and distribute this file for any purpose is hereby granted without fee, provided that the above copy-
right notice and this notice appears in all copies, and that the name of Hewlett-Packard Company not be used in adver-
tising or publicity pertaining to distribution of the software without specific, written prior permission. Hewlett-Packard
Company makes no representations about the suitability of this software for any purpose.
Permission to use, copy, modify, and distribute this software is freely granted, provided that the above copyright notice,
this notice and the following disclaimer are preserved with no changes.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUD-
ING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PAR-
TICULAR PURPOSE.
The authors hereby grant permission to use, copy, modify, distribute, and license this software and its documentation
for any purpose, provided that existing copyright notices are retained in all copies and that this notice is included ver-
batim in any distributions. No written agreement, license, or royalty fee is required for any of the authorized uses. Mod-
1519
SGOS 6.2 Administration Guide
ifications to this software may be copyrighted by their authors and need not follow the licensing terms described here,
provided that the new terms are clearly indicated on the first page of each file where they apply.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CON-
TRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software is the property of SuperH, Inc (SuperH) which specifically grants the user the right to modify, use and
distribute this software provided this notice is not removed or altered. All other rights are reserved by SuperH.
SUPERH MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE.
IN NO EVENT SHALL SUPERH BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAM-
AGES IN CONNECTION WITH OR ARISING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS SOFT-
WARE.
So that all may benefit from your experience, please report any problems or suggestions about this software to the Su-
perH Support Center via e-mail at softwaresupport@superh.com .
SuperH, Inc.
405 River Oaks Parkway
San Jose
CA 95134
USA
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAM-
AGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIA-
BILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
1520
(14) Alexey Zelkin
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIA-
BLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LI-
ABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
(16) FreeBSD
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
(17) S. L. Moshier
Author: S. L. Moshier.
Permission to use, copy, modify, and distribute this software for any purpose without fee is hereby granted, provided
that this entire notice is included in all copies of any software which is or includes a copy or modification of this software
and in all copies of the supporting documentation for such software.
1521
SGOS 6.2 Administration Guide
THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN PARTIC-
ULAR, THE AUTHOR MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MER-
CHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PUR-
POSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCI-
DENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTER-
RUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIA-
BILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Redistribution, modification, and use in source and binary forms is permitted provided that the above copyright notice
and following paragraph are duplicated in all such forms.
This file is distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser Gen-
eral Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option)
any later version.
The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser Gen-
eral Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write
1522
to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Pub-
lic License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the im-
plied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General
Public License for more details.
Intel hereby grants you permission to copy, modify, and distribute this software and its documentation. Intel grants this
permission provided that the above copyright notice appears in all copies and that both the copyright notice and this
permission notice appear in supporting documentation. In addition, Intel grants this permission provided that you
prominently mark as "not part of the original" any modifications made to this software or documentation, and that the
name of Intel Corporation not be used in advertising or publicity pertaining to distribution of the software or the docu-
mentation without specific, written prior permission.
Intel Corporation provides this AS IS, WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING, WITH-
OUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intel
makes no guarantee or representations regarding the use of, or the results of the use of, the software and documentation
in terms of correctness, accuracy, reliability, currentness, or otherwise; and you rely on the software, documentation and
results solely at your own risk.
IN NO EVENT SHALL INTEL BE LIABLE FOR ANY LOSS OF USE, LOSS OF BUSINESS, LOSS OF PROFITS, INDI-
RECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OF ANY KIND. IN NO EVENT SHALL INTEL'S
TOTAL LIABILITY EXCEED THE SUM PAID TO INTEL FOR THE PRODUCT LICENSED HEREUNDER.
To anyone who acknowledges that this file is provided "AS IS" without any express or implied warranty: permission to
use, copy, modify, and distribute this file for any purpose is hereby granted without fee, provided that the above copy-
right notice and this notice appears in all copies, and that the name of Hewlett-Packard Company not be used in adver-
tising or publicity pertaining to distribution of the software without specific, written prior permission.
Hewlett-Packard Company makes no representations about the suitability of this software for any purpose.
Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redis-
tribute it, subject to the following restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from
flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever
read sources, credits must appear in the documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software.
Since few users ever read sources, credits must appear in the documentation.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
1523
SGOS 6.2 Administration Guide
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the names of the copyright holders nor the names of their contributors may be used to endorse or promote
1524
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CON-
TRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOOD OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIA-
BLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (IN-
CLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
1525
SGOS 6.2 Administration Guide
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the company may not be used to endorse or promote products derived from this software without spe-
cific prior written permission.
THIS SOFTWARE IS PROVIDED BY ARM LTD ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUD-
ING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PAR-
TICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ARM LTD BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CON-
TRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1526
1. Redistributions source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of Xilinx nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANT-
ABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPY-
RIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of Texas Instruments Incorporated nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV-
ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The authors hereby grant permission to use, copy, modify, distribute, and license this software and its documentation
for any purpose, provided
that existing copyright notices are retained in all copies and that this notice is included verbatim in any distributions.
No written agreement, license, or royalty fee is required for any of the authorized uses. Modifications to this software
may be copyrighted by their authors and need not follow the licensing terms described here, provided that the new
terms are clearly indicated on the first page of each file where they apply.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Adapteva nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
1527
SGOS 6.2 Administration Guide
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Novell
Novell and eDirectory are [either] registered trademarks [or] trademarks of Novell, Inc. in the United States and other
countries.
LDAPSDK.DLL Copyright (c) 2006 Novell, Inc. All rights reserved.
LDAPSSL.DLL Copyright (c) 2006 Novell, Inc. All rights reserved.
LDAPX.DLL Copyright (c) 2006 Novell, Inc. All rights reserved.
The following are copyrights and licenses included as part of Novell's LDAP Libraries for C:
HSpencer
Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the
University of California.
Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redis-
tribute it, subject
to the following restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from
flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever
read sources, credits must appear in the documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software.
Since few users ever read sources, credits must appear in the documentation.
4. This notice may not be removed or altered.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Copyright (c) 1994
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
@(#)COPYRIGHT8.1 (Berkeley) 3/16/94
OpenLDAP 2.3.32
Copyright 1998,1999 The OpenLDAP Foundation, Redwood City, California, USA
Version 2.8, 17 August 2003
All rights reserved.
Redistribution and use in source and binary forms are permitted only as authorized by the OpenLDAP Public License.
A copy of this license is available at http://www.OpenLDAP.org/license.html or in file LICENSE in the top-level di-
rectory of the distribution.
Individual files and/or contributed packages may be copyright by other parties and use subject to additional restric-
tions.
This work is derived from the University of Michigan LDAP v3.3 distribution. Information concerning is available at
http://www.umich.edu/~dirsvcs/ldap/ldap.html.
This work also contains materials derived from public sources.
Additional Information about OpenLDAP can be obtained at:
http://www.openldap.org/
or by sending e-mail to:
info@OpenLDAP.org
Portions Copyright (c) 1992-1996 Regents of the University of Michigan.
All rights reserved.
Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due
credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or
promote products derived from this software without specific prior written permission. This software is provided ``as
is'' without express or implied warranty.
1528
The OpenLDAP Public License
Version 2.0.1, 21 December 1999
Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA.
All Rights Reserved.
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are
permitted provided that the following conditions are met:
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution, and
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version num-
ber. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the
license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAM-
AGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIA-
BILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use
or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at
all times remain with copyright holders.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to
copy and distribute verbatim copies of this document is granted.
OpenSSL
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay
license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-tyle Open Source licenses. In case of any license
issues related to OpenSSL
please contact openssl-core@openssl.org.
OpenSSL License (for 0.9.8r)
---------------
====================================================================
Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://
www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from
this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without
prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.opens-
sl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WAR-
RANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FIT-
NESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
====================================================================
1529
SGOS 6.2 Administration Guide
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes soft-
ware written by Tim
Hudson (tjh@cryptsoft.com).
Original SSLeay License
-----------------------
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so
as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following
conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the
same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in
the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)"
The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related .
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you
must include an acknowledgement:
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIA-
BLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (IN-
CLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAM-
AGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
[end of copyrights and licenses for Novell's LDAP Libraries for C]
OpenSSL FIPS
Copyright (c) 2011 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
*"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://
www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from
this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without
prior written permission of the OpenSSL Project.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WAR-
RANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FIT-
NESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
The OpenLDAP Public License
Version 2.8, 17 August 2003
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are
1530
permitted provided that the following conditions are met:
1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and
the following disclaimer in the documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version num-
ber. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the
license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE OPEN LDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAM-
AGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROF-
ITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use
or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at
all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.
OpenSSH
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all com-
ponents are under a BSD licence, or a licence more free than that.
OpenSSH contains no GPL code.
1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived
versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol de-
scription in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software
includes parts that are not under my direct control. As far as I know, all included source code is used in accordance with
the relevant license agreements and can be used freely for any purpose (the GNU license being the most restrictive); see
below for details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced software components
which he talks about have been removed from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]
Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and
at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://
www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own
responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether pos-
sessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO
THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY
AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU AS-
SUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS RE-
QUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER
PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO
YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTH-
ER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style li-
cense.
1531
SGOS 6.2 Administration Guide
1532
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Netscape NSPR
Version: MPL 1.1/GPL 2.0/LGPL 2.1
The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file
except in compliance with the License. You may obtain a copy of the License at * http://www.mozilla.org/MPL/
Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, ei-
ther express or implied. See the License for the specific language governing rights and limitations under the License.
The Original Code is the Netscape Portable Runtime (NSPR).
The Initial Developer of the Original Code is * Netscape Communications Corporation.
Portions created by the Initial Developer are Copyright (C) 1998-2000
the Initial Developer. All Rights Reserved. *
Contributor(s): *
Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version
2 or later (the "GPL"), or * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), in which case the
provisions of the GPL or the LGPL are applicable insteadof those above. If you wish to allow use of your version of this
file only under the terms of either the GPL or the LGPL, and not to allow others to use your version of this file under the
terms of the MPL, indicate your decision by deleting the provisions above and replace them with the notice and other
provisions required by the GPL or the LGPL. If you do not delete the provisions above, a recipient may use your version
of this file under the terms of any one of the MPL, the GPL or the LGPL.
Net-SNMP
Various copyrights apply to this package, listed in various separate parts below. Please make sure that you read all the
parts. Up until 2001, the project was based at UC Davis, and the first part covers all code written during this time. From
2001 onwards, the project has been based at SourceForge, and Networks Associates Technology, Inc hold the copyright
on behalf of the wider Net-SNMP community, covering all derivative work done since then. An additional copyright
section has been added as Part 3 below also under a BSD license for the work contributed by Cambridge Broadband Ltd.
to the project since 2001. An additional copyright section has been added as Part 4 below also under a BSD license for
the work contributed by Sun Microsystems, Inc. to the project since 2003.
Code has been contributed to this project by many people over the years it has been in development, and a full list of
contributors can be found in the README file under the THANKS section.
---- Part 2: Networks Associates Technology, Inc copyright notice (BSD) -----
Copyright (c) 2001-2003, Networks Associates Technology, Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse
or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
1533
SGOS 6.2 Administration Guide
Copyright © 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
Use is subject to license terms below.
This distribution may include materials developed by third parties.
Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in
the U.S. and other countries.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of the Sun Microsystems, Inc. nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1534
COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---- Part 7: Fabasoft R&D Software GmbH & Co KG copyright notice (BSD) -----
Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003 oss@fabasoft.com Author: Bernhard Penz
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
The name of Fabasoft R&D Software GmbH & Co KG or any of its subsidiaries, brand or product names may not be used
to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER ``AS IS'' AND ANY EXPRESS OR IMPLIED WAR-
RANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FIT-
NESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DA-
TA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAM-
AGE.
OpenBSD
Certain Blue Coat product may include a certain version of OpenBSD (or part thereof). For information about the licens-
ing terms of OpenBSD, please refer to documentations that are shipped with OpenBSD, and the OpenBSD webpage at
http://www.openbsd.org/policy.html
OSF DCE-RPC
Copyright (c) 2010 Apple Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of Apple Inc. ("Apple") nor the names of its contributors may be used to endorse or promote prod-
ucts derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBU-
TORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LI-
ABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
1535
SGOS 6.2 Administration Guide
disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the Novell, Inc. nor the names of its contributors may be used to endorse or promote products
derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are
permitted provided that the following conditions are met:
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and
the following
disclaimer in the documentation and/or other materials provided with the distribution, and
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version num-
ber. You may use
this Software under terms of this license revision or under the terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLA-
RY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use
1536
or other dealing
in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain
with copyright
holders.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to
copy and distribute verbatim copies of this document is granted.
DCE/RPC is an open source software project made available primarily under a BSD license (full license text). Hosting
provided by Mac OS Forge. Use of this site is subject to the Mac OS Forge Terms of Use. This website was created with
Webby.
The basic library functions are written in C and are freestanding. Also
included in the distribution is a set of C++ wrapper functions, and a
just-in-time compiler that can be used to optimize pattern matching. These
are both optional features that can be omitted when the library is built.
1537
SGOS 6.2 Administration Guide
* Neither the name of the University of Cambridge nor the name of Google
Inc. nor the names of their contributors may be used to endorse or
promote products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1538
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Python 2.5 license
This is the official license for the Python 2.5 release:
A. HISTORY OF THE SOFTWARE
==========================
Python was created in the early 1990s by Guido van Rossum at Stichting Mathematisch Centrum (CWI, see http://
www.cwi.nl) in the Netherlands as a successor of a language called ABC. Guido remains Python's principal author, al-
though it includes many contributions from others.
In 1995, Guido continued his work on Python at the Corporation for National Research Initiatives (CNRI, see http://
www.cnri.reston.va.us) in Reston, Virginia where he released several versions of the software.
In May 2000, Guido and the Python core development team moved to BeOpen.com to form the BeOpen PythonLabs
team. In October of the same year, the PythonLabs team moved to Digital Creations (now Zope Corporation, see http:/
/www.zope.com). In 2001, the Python Software Foundation (PSF, see http://www.python.org/psf/) was formed, a
non-profit organization created specifically to own Python-related Intellectual Property. Zope Corporation is a spon-
soring member of the PSF.
All Python releases are Open Source (see http://www.opensource.org for the Open Source Definition). Historically,
most, but not all, Python releases have also been GPL-compatible; the table below summarizes the various releases.
Table 75.1:
1539
SGOS 6.2 Administration Guide
Table 75.1:
1540
exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare deriv-
ative works, distribute, and otherwise use the Software alone or in any derivative version, provided, however, that the
BeOpen Python License is retained in the Software, alone or in any derivative version prepared by Licensee.
3. BeOpen is making the Software available to Licensee on an "AS IS" basis. BEOPEN MAKES NO REPRESENTATIONS
OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO
AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY
PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY
RIGHTS.
4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCI-
DENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DIS-
TRIBUTING THE SOFTWARE, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY
THEREOF.
5. This License Agreement will automatically terminate upon a material breach of its terms and conditions.
6. This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, ex-
cluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of
agency, partnership, or joint venture between BeOpen and Licensee. This License Agreement does not grant permission
to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee,
or any third party. As an exception, the "BeOpen Python" logos available at http://www.pythonlabs.com/logos.html
may be used according to the permissions granted on that web page.
7. By copying, installing or otherwise using the software, Licensee agrees to be bound by the terms and conditions of
this License Agreement.
CNRI LICENSE AGREEMENT FOR PYTHON 1.6.1
---------------------------------------
1. This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895
Preston White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and other-
wise using Python 1.6.1 software in source or binary form and its associated documentation.
2. Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a nonexclusive, royalty-
free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distrib-
ute, and otherwise use Python 1.6.1 alone or in any derivative version, provided, however, that CNRI's License Agree-
ment and CNRI's notice of copyright, i.e., "Copyright (c)
1995-2001 Corporation for National Research Initiatives; All Rights Reserved" are retained in Python 1.6.1 alone or in
any derivative version prepared by Licensee. Alternately, in lieu of CNRI's License Agreement, Licensee may substitute
the following text (omitting the quotes): "Python 1.6.1 is made available subject to the terms and conditions in CNRI's
License Agreement. This Agreement together with Python 1.6.1 may be located on the Internet using the following
unique, persistent identifier (known as a handle): 1895.22/1013. This Agreement may also be obtained from a proxy
server on the Internet using the following URL: http://hdl.handle.net/1895.22/1013".
3. In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6.1 or any part thereof, and
wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any
such work a brief summary of the changes made to Python 1.6.1.
4. CNRI is making Python 1.6.1 available to Licensee on an "AS IS"
basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE,
BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MER-
CHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6.1 WILL NOT
INFRINGE ANY THIRD PARTY RIGHTS.
5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 1.6.1 FOR ANY INCIDENTAL,
SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTH-
ERWISE USING PYTHON 1.6.1, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THERE-
OF.
6. This License Agreement will automatically terminate upon a material breach of its terms and conditions.
7. This License Agreement shall be governed by the federal intellectual property law of the United States, including
without limitation the federal copyright law, and, to the extent such U.S. federal law does not apply, by the law of the
Commonwealth of Virginia, excluding Virginia's conflict of law provisions. Notwithstanding the foregoing, with regard
to derivative works based on Python 1.6.1 that incorporate non-separable material that was previously distributed un-
der the GNU General Public License (GPL), the law of the Commonwealth of Virginia shall govern this License Agree-
ment only as to issues arising under or with respect to Paragraphs 4, 5, and 7 of this License Agreement. Nothing in this
License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between CNRI
and Licensee. This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark
sense to endorse or promote products or services of Licensee, or any third party.
8. By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6.1, Li-
censee agrees to be bound by the terms and conditions of this License Agreement.
ACCEPT
CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2
--------------------------------------------------
Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam,
The Netherlands. All rights reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that the name of Stichting Mathematisch Centrum or
CWI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior per-
mission.
STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICH-
TING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES
OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN AC-
TION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Proview
1541
SGOS 6.2 Administration Guide
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE, TITLE AND NON-INFRINGEMENT. IN NO EVENTSHALL THE COPYRIGHT HOLDERS OR ANYONE
DISTRIBUTING THE SOFTWARE BE LIABLE FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CON-
TRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
USE OR OTHER DEALINGS IN THE SOFTWARE.
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN THE SOFTWARE.
RealSystem
The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, Real-
Networks, Inc. All rights reserved.
RTMP
Adobe
Copyright (c) 2009, Adobe Systems Incorporated. All rights reserved.
NOTICE: All information contained herein is, and remains the property of Adobe Systems Incorporated and its suppli-
ers, if any. The intellectual and technical concepts contained herein are proprietary to Adobe Systems Incorporated and
its suppliers and may be covered by U.S. and Foreign P tents, patents in process, and are protected by trade secret or
copyright law. Dissemination of this information or reproduction of this material is strictly forbidden unless prior writ-
ten permission is obtained from Adobe Systems Incorporated.
Adobe Systems Incorporated 415.832.200
601 Townsend Street 415.832.2020 fax
San Francisco, CA 94103
RTMP
Adobe
Copyright (c) 2009, Adobe Systems Incorporated. All rights reserved.
NOTICE: All information contained herein is, and remains the property of Adobe Systems Incorporated and its suppli-
ers, if any. The intellectual and technical concepts contained herein are proprietary to Adobe Systems Incorporated and
its suppliers and may be covered by U.S. and Foreign P tents, patents in process, and are protected by trade secret or
copyright law. Dissemination of this information or reproduction of this material is strictly forbidden unless prior writ-
ten permission is obtained from Adobe Systems Incorporated.
Adobe Systems Incorporated 415.832.200
601 Townsend Street 415.832.2020 fax
San Francisco, CA 94103
Silicom
Copyright (c) 2006, Silicom All rights reserved.
1542
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Silicom nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
STLport
Copyright (c) 1999, 2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are
retained on all copies. Permission to modify the code and to distribute modified code is granted, provided the above
notices are retained, and a notice that the code was modified is included with the above copyright notice.
The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby grant-
ed without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this
permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the
suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby grant-
ed without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this
permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability
of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby grant-
ed without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this
permission notice appear in supporting documentation. Moscow Center for SPARC Technology makes no representa-
tions about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
SWIG
SWIG is distributed under the following terms:
I.
Copyright (c) 1995-1998
The University of Utah and the Regents of the University of California
All Rights Reserved
Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and
distribute this software and its documentation for any purpose, provided that (1) The above copyright notice and the
following two paragraphs appear in all copies of the source code and (2) redistributions including binaries reproduces
these notices in the supporting documentation. Substantial modifications to this software may be copyrighted by their
authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated in all
files where they apply.
IN NO EVENT SHALL THE AUTHOR, THE UNIVERSITY OF CALIFORNIA, THE UNIVERSITY OF UTAH OR DIS-
TRIBUTORS OF THIS SOFTWARE BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL,
OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION,
EVEN IF THE AUTHORS OR ANY OF THE ABOVE PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
THE AUTHOR, THE UNIVERSITY OF CALIFORNIA, AND THE UNIVERSITY OF UTAH SPECIFICALLY DISCLAIM
ANY WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BA-
SIS, AND THE AUTHORS AND DISTRIBUTORS HAVE NO OBLIGATION TO PROVIDE MAINTENANCE, SUP-
PORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
II.
This software includes contributions that are Copyright (c) 1998-2005
University of Chicago.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions
1543
SGOS 6.2 Administration Guide
and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of con-
ditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Nei-
ther the name of the University of Chicago nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY OF CHICAGO AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
UNIVERSITY OF CHICAGO OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPE-
CIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
III.
This software includes contributions that are Copyright (c) 2005-2006
Arizona Board of Regents (University of Arizona).
All Rights Reserved
Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and
distribute this software and its documentation for any purpose, provided that (1) The above copyright notice and the
following two paragraphs appear in all copies of the source code and (2) redistributions including binaries reproduces
these notices in the supporting documentation. Substantial modifications to this software may be copyrighted by their
authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated in all
files where they apply.
THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY OF ARIZONA AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
UNIVERSITY OF ARIZONA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPE-
CIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOW-
EVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995, 1996, 1997, 1998
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
The Mesa 3-D graphics library
Copyright (C) 1999-2007 Brian Paul All Rights Reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the fol-
lowing conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL BRIAN PAUL BE LIABLE FOR ANY CLAIM, DAMAGES
OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT
OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Timezone
This file is in the public domain, so clarified as of 2006-07-17 by Arthur David Olson.
Trend Micro
1544
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved.
TreeTable
Copyright 1997, 1998 Sun Microsystems, Inc. All Rights Reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
- Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
Neither the name of Sun Microsystems, Inc. or the names of contributors may be used to endorse or promote products
derived from this software without specific prior written permission
This software is provided "AS IS," without a warranty of any kind.
ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
HEREBY EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES OR LIABILITIES
SUFFERED BY LICENSEE AS A RESULT OF OR RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THIS
SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REV-
ENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNI-
TIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
THE USE OF OR INABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.
Unicode
Copyright © 1991-2013 Unicode, Inc. All rights reserved.
Certain documents and files on this website contain a legend indicating that "Modification is permitted." Any person
is hereby authorized, without fee, to modify such documents and files to create derivative works conforming to the Uni-
code® Standard, subject to Terms and Conditions herein.
Any person is hereby authorized, without fee, to view, use, reproduce, and distribute all documents and files solely
for informational purposes in the creation of products supporting the Unicode Standard, subject to the Terms and Con-
ditions herein.
Further specifications of rights and restrictions pertaining to the use of the particular set of data files known as the
"Unicode Character Database" can be found in Exhibit 1.
Each version of the Unicode Standard has further specifications of rights and restrictions of use. For the book editions
(Unicode 5.0 and earlier), these are found on the back of the title page. The online code charts carry specific restrictions.
All other files, including online documentation of the core specification for Unicode 6.0 and later, are covered under
these general Terms of Use.
No license is granted to "mirror" the Unicode website where a fee is charged for access to the "mirror" site.
Modification is not permitted with respect to this document. All copies of this document must be verbatim.
Restricted Rights Legend. Any technical data or software which is licensed to the United States of America, its agencies
and/or instrumentalities under this Agreement is commercial technical data or commercial computer software devel-
oped exclusively at private expense as defined in FAR 2.101, or DFARS 252.227-7014 (June 1995), as applicable. For tech-
nical data, use, duplication, or disclosure by the Government is subject to restrictions as set forth in DFARS 202.227-7015
Technical Data, Commercial and Items (Nov 1995) and this Agreement. For Software, in accordance with FAR 12-212 or
DFARS 227-7202, as applicable, use, duplication or disclosure by the Government is subject to the restrictions set forth
in this Agreement.
Waiver of Damages. In no event shall Unicode or its licensors be liable for any special, incidental, indirect or consequen-
tial damages of any kind, or any damages whatsoever, whether or not Unicode was advised of the possibility of the dam-
age, including, without limitation, those resulting from the following: loss of use, data or profits, in connection with the
use, modification or distribution of this information or its derivatives.
1545
SGOS 6.2 Administration Guide
Miscellaneous.
Jurisdiction and Venue. This server is operated from a location in the State of California, United States of America.
Unicode makes no representation that the materials are appropriate for use in other locations. If you access this server
from other locations, you are responsible for compliance with local laws. This Agreement, all use of this site and any
claims and damages resulting from use of this site are governed solely by the laws of the State of California without re-
gard to any principles which would apply the laws of a different jurisdiction. The user agrees that any disputes regard-
ing this site shall be resolved solely in the courts located in Santa Clara County, California. The user agrees said courts
have personal jurisdiction and agree to waive any right to transfer the dispute to any other forum.
Modification by Unicode Unicode shall have the right to modify this Agreement at any time by posting it to this site.
The user may not assign any part of this Agreement without Unicode’s prior written consent.
Taxes. The user agrees to pay any taxes arising from access to this website or use of the information herein, except for
those based on Unicode’s net income.
Severability. If any provision of this Agreement is declared invalid or unenforceable, the remaining provisions of this
Agreement shall remain in effect.
Entire Agreement. This Agreement constitutes the entire agreement between the parties.
Wcwidth
This is an implementation of wcwidth() and wcswidth() (defined in
IEEE Std 1002.1-2001) for Unicode.
http://www.opengroup.org/onlinepubs/007904975/functions/wcwidth.html
http://www.opengroup.org/onlinepubs/007904975/functions/wcswidth.html
In fixed-width output devices, Latin characters all occupy a single "cell" position of equal width, whereas ideographic
CJK characters occupy two such cells. Interoperability between terminal-line applications and (teletype-style) character
terminals using the UTF-8 encoding requires agreement on which character should advance the cursor by how many
cell positions. No established formal standards exist at present on which Unicode character shall occupy how many cell
positions on character terminals. These routines are a first attempt of defining such behavior based on simple rules ap-
plied to data provided by the Unicode Consortium.
For some graphical characters, the Unicode standard explicitly defines a character-cell width via the definition of the
East Asian FullWidth (F), Wide (W), Half-width (H), and Narrow (Na) classes. In all these cases, there is no ambiguity
about which width a terminal shall use. For characters in the East Asian Ambiguous (A) class, the width choice depends
purely on a preference of backward compatibility with either historic CJK or Western practice. Choosing single-width
for these characters is easy to justify as the appropriate long-term solution, as the CJK practice of displaying these char-
acters as double-width comes from historic implementation simplicity (8-bit encoded characters were displayed single-
width and 16-bit ones double-width, even for Greek,Cyrillic, etc.) and not any typographic considerations.
Much less clear is the choice of width for the Not East Asian (Neutral) class. Existing practice does not dictate a width
for any of these characters. It would nevertheless make sense typographically to allocate two character cells to characters
such as for instance EM SPACE or VOLUME INTEGRAL, which cannot be represented adequately with a single-width
glyph. The following routines at present merely assign a single-cell width to al neutral characters, in the interest of sim-
plicity. This is not entirely satisfactory and should be reconsidered before establishing a formal standard in this area. At
the moment, the decision which Not East Asian (Neutral) characters should be represented by double-width glyphs can-
not yet be answered by applying a simple rule from the Unicode database content. Setting up a proper standard for the
behavior of UTF-8 character terminals will require a careful analysis not only of each Unicode character, but also of each
presentation form, something the author of these routines has avoided to do so far.
http://www.unicode.org/unicode/reports/tr11/
Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby granted. The
author disclaims all warranties with regard to this software.
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN THE SOFTWARE.
1546
zip.cpp
THIS FILE is almost entirely based upon code by info-zip. It has been modified by Lucian Wischik. The modifications
were a complete rewrite of the bit of code that generates the layout of the zipfile, and support for zipping to/from mem-
ory or handles or pipes or pagefile or diskfiles, encryption, unicode. The original code may be found at http://www.in-
fo-zip.org. The original copyright text follows..
This is version 1999-Oct-05 of the Info-ZIP copyright and license.
The definitive version of this document should be available at ftp:ftp.cdrom.compubinfoziplicense.html indefinitely.
Copyright (c) 1990-1999 Info-ZIP. All rights reserved.
For the purposes of this copyright and license, "Info-ZIP" is defined as the following set of individuals:
Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, Jean-loup Gailly, Hunter Goatley, Ian Gorman,
Chris Herborth, Dirk Haase, Greg Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum, Johnny
Lee, Onno van der Linden, Igor Mandrichenko, Steve P. Miller, Sergio Monesi, Keith Owens, George Petrov, Greg Roe-
lofs, Kai Uwe Rommel, Steve Salisbury, Dave Smith, Christian Spieler, Antoine Verheijen, Paul von Behren, Rich Wales,
Mike White
This software is provided "as is," without warranty of any kind, express or implied. In no event shall Info-ZIP or its
contributors be held liable for any direct, indirect, incidental, special or consequential damages arising out of the use of
or inability to use this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it
and redistribute it freely, subject to the following restrictions:
1. Redistributions of source code must retain the above copyright notice, definition, disclaimer, and this list of condi-
tions.
2. Redistributions in binary form must reproduce the above copyright notice, definition, disclaimer, and this list of con-
ditions in documentation andor other materials provided with the distribution.
3. Altered versions--including, but not limited to, ports to new operating systems, existing ports with new graphical in-
terfaces, and dynamic, shared, or static library versions--must be plainly marked as such and must not be misrepresent-
ed as being the original source. Such altered versions also must not be misrepresented as being Info-ZIP releases--
including, but not limited to, labeling of the altered versions with the names "Info-ZIP" (or any variation thereof, includ-
ing, but not limited to, different capitalizations), "Pocket UnZip," "WiZ" or "MacZip" without the explicit permission of
Info-ZIP. Such altered versions are further prohibited from misrepresentative use of the Zip-Bugs or Info-ZIP e-mail
addresses or of the Info-ZIP URL(s).
4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "WiZ," "Pocket UnZip," "Pocket Zip," and "Mac-
Zip" for its own source and binary releases.
zlib.h -- interface of the 'zlib' general purpose compression library
version 1.2.3, July 18th, 2005
Copyright (C) 1995-2005
Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable
for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it
and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If
you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not
required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original soft-
ware.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly Mark Adler
jloup@gzip.org madler@alumni.caltech.edu
The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files http://
www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
BSD Tar
All of the C source code and documentation in this package is subject to the following:
Copyright (c) 2003-2006 Tim Kientzle
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer in this position and unchanged.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DI-
RECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CON-
TRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
libarchive 2.3.1
All of the C source code and documentation in this package is subject to the following:
Copyright (c) 2003-2009 Tim Kientzle
All rights reserved.
Each individual file in this distribution should have a clear copyright/licensing statement at the beginning of the file. If
1547
SGOS 6.2 Administration Guide
any do not, please let me know and I will rectify it. The following is intended to summarize the copyright status of the
individual files; the actual statements in the files are controlling.
Except as listed below, all C sources (including .c and .h files) and documentation files are subject to the copyright notice
reproduced at the bottom of this file.
The following source files are also subject in whole or in part to a 3-clause UC Regents copyright; please read the indi-
vidual source files for details:
libarchive/archive_entry.c
libarchive/archive_read_support_filter_compress.c
libarchive/archive_write_set_filter_compress.c
libarchive/mtree.5
tar/matching.c
The build files---including Makefiles, configure scripts, and auxiliary scripts used as part of the compile process---have
widely varying licensing terms. Please check individual files before distributing them to see if those restrictions apply
to you.
I intend for all new source code to use the license below and hope over time to replace code with other licenses with new
implementations that do use the license below. The varying licensing of the build scripts seems to be an unavoidable
mess.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer in this position and unchanged.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DI-
RECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CON-
TRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
WinPcap
Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy).
Copyright (c) 2005 - 2008 CACE Technologies, Davis (California).
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its con-
tributors.
This product includes software developed by the Kungliga Tekniska Högskolan and its contributors.
This product includes software developed by Yen Yen Lim and North Dakota State University.
Portions Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 The Regents of the University of California. All rights
reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes software developed by the University of California, Berkeley and its contributors."
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
1548
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE. Portions Copyright (c) 1983 Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this para-
graph are duplicated in all such forms and that any documentation, advertising materials, and other materials related
to such distribution and use acknowledge that the software was developed by the University of California, Berkeley.
The name of the University may not be used to endorse or promote products derived from this software without specific
prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Portions Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden). All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes software developed by the Kungliga Tekniska Högskolan and its contributors."
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE. Portions Copyright (c) 1997 Yen Yen Lim and North Dakota State University. All rights
reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes software developed by Yen Yen Lim and North Dakota State University"
4. The name of the author may not be used to endorse or promote products derived from this software without specific
prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CON-
TRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Portions Copy-
right (c) 1993 by Digital Equipment Corporation.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, pro-
vided that the above copyright notice and this permission notice appear in all copies, and that the name of Digital Equip-
ment Corporation not be used in advertising or publicity pertaining to distribution of the document or software without
specific, written prior permission.
THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FIT-
NESS. IN NO EVENT SHALL DIGITAL EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, IN-
DIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Portions Copy-
right (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IM-
PLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI-
TY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR
1549
SGOS 6.2 Administration Guide
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE. Portions Copyright (c) 1996 Juniper Networks, Inc. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source
code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary
code include the above copyright notice and this paragraph in its entirety in the documentation or other materials pro-
vided with the distribution. The name of Juniper Networks may not be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUD-
ING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PAR-
TICULAR PURPOSE. Portions Copyright (c) 2001 Daniel Hartmeier All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTOR "AS IS" AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANT-
ABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPY-
RIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Portions Copyright 1989 by Carnegie Mellon.
Permission to use, copy, modify, and distribute this program for any purpose and without fee is hereby granted, pro-
vided that this copyright and permission notice appear on all copies and supporting documentation, the name of Carn-
egie Mellon not be used in advertising or publicity pertaining to distribution of the program without specific prior
permission, and notice be given in supporting documentation that copying and distribution is by permission of Carne-
gie Mellon and Stanford University. Carnegie Mellon makes no representations about the suitability of this software for
any purpose. It is provided "as is" without express or implied warranty.
Flex-iFrame
Copyright (c) 2007-2011 flex-iframe contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN THE SOFTWARE.
NSS 3.12.4
Version: MPL 1.1
The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file
except in compliance with the License. You may obtain a copy of the License at
http://www.mozilla.org/MPL/
Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, ei-
ther express or implied. See the License for the specific language governing rights and limitations under the License. The
Original Code is the Network Security Services libraries. The Initial Developer of the Original Code is Red Hat, Inc. Por-
tions created by the Initial Developer are Copyright (C) 2009 the Initial Developer. All Rights Reserved. Portions created
by Netscape Communications Corporation are Copyright (C) 1994-2000 Netscape Communications Corporation.
All Rights Reserved.
Director Third Party Copyright Notices
DOM4J
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are
permitted provided that the following conditions are met:
Redistributions of source code must retain copyright statements and notices. Redistributions must also contain a copy
of this document.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
The name "DOM4J" must not be used to endorse or promote products derived from this Software without prior written
1550
permission of MetaStuff, Ltd. For written permission, please contact dom4j-info@metastuff.com.
Products derived from this Software may not be called "DOM4J" nor may "DOM4J" appear in their names without prior
written permission of MetaStuff, Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
Due credit should be given to the DOM4J Project - http://dom4j.sourceforge.net
THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANT-
ABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF,
LTD. OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF AD-
VISED OF THE POSSIBILITY OF SUCH DAMAGE.
Expat License
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
and Clark Cooper
Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Expat maintainers.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documen-
tation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Soft-
ware.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUD-
ING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PUR-
POSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH-
ERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEAL-
INGS IN THE SOFTWARE.
Jpam 0.5
--------------
Apache Software License 2.0
General information:
Copyright 2007 © The Apache Software Foundation
Definitions.
"'License' shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through
9 of this document.
"'Licensor' shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"'Legal Entity' shall mean the union of the acting entity and all other entities that control, are controlled by, or are under
common control with that entity. For the purposes of this definition, 'control' means (i) the power, direct or indirect, to
cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent
(50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"'You' (or 'Your') shall mean an individual or Legal Entity exercising permissions granted by this License.
"'Source' form shall mean the preferred form for making modifications, including but not limited to software source
code, documentation source, and configuration files.
"'Object' form shall mean any form resulting from mechanical transformation or translation of a Source form, including
but not limited to compiled object code, generated documentation, and conversions to other media types.
"'Work' shall mean the work of authorship, whether in Source or Object form, made available under the License, as in-
dicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
"'Derivative Works' shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work
and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original
work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable
from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"'Contribution' shall mean any work of authorship, including the original version of the Work and any modifications or
additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work
by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For
the purposes of this definition, 'submitted' means any form of electronic, verbal, or written communication sent to the
Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code con-
trol systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing
and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writ-
ing by the copyright owner as 'Not a Contribution.'
"'Contributor' shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been re-
ceived by Licensor and subsequently incorporated within the Work.
Grant of Copyright License.
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-
exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly dis-
play, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
Grant of Patent License.
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-
1551
SGOS 6.2 Administration Guide
exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use,
offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licens-
able by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contri-
bution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any
entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated with-
in the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this
License for that Work shall terminate as of the date such litigation is filed.
Redistribution.
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You meet the following conditions:
1.You must give any other recipients of the Work or Derivative Works a copy of this License; and
2.You must cause any modified files to carry prominent notices stating that You changed the files; and
3.You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the De-
rivative Works; and
4.If the Work includes a 'NOTICE' text file as part of its distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do
not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distrib-
uted as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative
Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally ap-
pear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add
Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE
text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license
terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as
a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated
in this License.
Submission of Contributions.
Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the
Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwith-
standing the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have
executed with Licensor regarding such Contributions.
Trademarks.
This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Li-
censor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the
content of the NOTICE file.
Disclaimer of Warranty.
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides
its Contributions) on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANT-
ABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness
of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this Li-
cense.
Limitation of Liability.
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by
applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to
You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising
as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of
goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if
such Contributor has been advised of the possibility of such damages.
Accepting Warranty or Additional Liability.
While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance
of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in
accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any
other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability in-
curred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional li-
ability.
junixsocket
--------------
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through
9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
1552
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are
under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or in-
direct, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty
percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source
code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, includ-
ing but not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as
indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix be-
low).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the
Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an
original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain sep-
arable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications
or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the
Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner.
For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to
the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code
control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of dis-
cussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated
in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been
received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to
You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare
Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works
in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You
a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent li-
cense to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies
only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone
or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute
patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Con-
tribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium,
with or without modifications, and in Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark,
and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of he
Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute
must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that
do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file dis-
tribute as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative
Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally ap-
pear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add
Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE
text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license
terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as
a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated
in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for
inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any addi-
tional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any sep-
1553
SGOS 6.2 Administration Guide
arate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product
names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and
each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-IN-
FRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for de-
termining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise
of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or
otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall
any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential dam-
ages of any character arising as a result of this License or out of the use or inability to use the Work (including but not
limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commer-
cial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may
choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or
rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and
on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold
each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your
accepting any such warranty or additional liability.
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets
"[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the
appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose
be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
for the specific language governing permissions and limitations under the License.
The enclosed software and documentation includes copyrighted works of Hewlett-Packard Co. For as long as you com-
ply with the following limitations, you are hereby authorized to (i) use, reproduce, and modify the software and docu-
mentation, and to (ii) distribute the software and documentation, including modifications, for non-commercial purposes
only.
1. The enclosed software and documentation is made available at no charge in order to advance the general develop-
ment of high-performance networking products.
2. You may not delete any copyright notices contained in the software or documentation. All hard copies, and copies in
source code or object code form, of the software or documentation (including modifications) must contain at least one
of the copyright notices.
3. The enclosed software and documentation has not been subjected to testing and quality control and is not a Hewlett-
Packard Co. product. At a future time, Hewlett-Packard Co. may or may not offer a version of the software and docu-
mentation as a product.
4. THE SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS". HEWLETT-PACKARD COMPANY DOES
NOT WARRANT THAT THE USE, REPRODUCTION, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
DOCUMENTATION WILL NOT INFRINGE A THIRD PARTY'S INTELLECTUAL PROPERTY RIGHTS. HP DOES
NOT WARRANT THAT THE SOFTWARE OR DOCUMENTATION IS ERROR FREE. HP DISCLAIMS ALL WARRAN-
TIES, EXPRESS AND IMPLIED, WITH REGARD TO THE SOFTWARE AND THE DOCUMENTATION. HP SPECIFI-
CALLY DISCLAIMS ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
5. HEWLETT-PACKARD COMPANY WILL NOT IN ANY EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, SPE-
1554
CIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS) RELATED TO ANY USE, RE-
PRODUCTION, MODIFICATION, OR DISTRIBUTION OF THE SOFTWARE OR DOCUMENTATION.
NTP 3.5
**************************************************************************************************************************************
**************************************
Copyright (c) University of Delaware 1992-2012
Permission to use, copy, modify, and distribute this software and its documentation for any purpose with or without
fee is herebygranted, provided that the above copyright notice appears in all copies and that both the copyright notice
and this permission notice appear in supporting documentation, and that the name University of Delaware not be used
in advertising or publicity pertaining to distribution of the software without specific, written prior permission. The Uni-
versity of Delaware makes no representations about the suitability this software for any purpose. It is provided "as is"
without express or implied warranty.
**************************************************************************************************************************************
**************************************
OpenSSL 0.9.7
--------------
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay
license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source li-
censes. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License
---------------
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following dis-
claimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://
www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from
this software without
prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without
prior written permission of the OpenSSL Project.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WAR-
RANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FIT-
NESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSE-
QUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SER-
VICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POS-
SIBILITY OF SUCH DAMAGE.
====================================================================
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes soft-
ware written by Tim Hudson (tjh@cryptsoft.com).
1555
SGOS 6.2 Administration Guide
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so
as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The fol-
lowing conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL
code. The SSL documentation included with this distribution is covered by the same copyright terms except that the
holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is
used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in
the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic'
can be left out if the rouines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you
must include an acknowledgement:
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, IN-
CLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIA-
BLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (IN-
CLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAM-
AGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e.
this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
1556
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
Selenium
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through
9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are
under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or in-
direct, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty
percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source
code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, includ-
ing but not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as
indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix be-
low).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the
Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an
original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain sep-
arable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications
or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the
Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner.
For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to
the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code
control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of dis-
cussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated
in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been
received by Licensor and
subsequently incorporated within the Work.
1557
SGOS 6.2 Administration Guide
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to
You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare
Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works
in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You
a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent li-
cense to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies
only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone
or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute
patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Con-
tribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium,
with or without modifications, and in Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark,
and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of he
Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute
must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that
do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file dis-
tribute as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative
Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally ap-
pear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add
Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE
text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license
terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as
a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated
in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for
inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any addi-
tional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any sep-
arate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product
names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and
each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-IN-
FRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for de-
termining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise
of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or
otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall
any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential dam-
ages of any character arising as a result of this License or out of the use or inability to use the Work (including but not
limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commer-
cial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may
choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or
rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and
on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold
each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your
accepting any such warranty or additional liability.
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets
"[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the
appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose
be included on the same "printed page" as the copyright notice for easier identification within third-party archives.
1558
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
for the specific language governing permissions and limitations under the License.
StringTemplate 2.2
--------------
[The BSD License]
Copyright (c) 2008, Terence Parr
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the fol-
lowing conditions are met:
"Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaim-
er.
"Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis-
claimer in the documentation and/or other materials provided with the distribution.
"Neither the name of the author nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EX-
PRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MER-
CHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUB-
STITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (IN-
CLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
As described below, using some features also operates as your consent to the transmission of certain standard computer
information for Internet-based services.
By using the software, you accept these terms. If you do not accept them, do not use or copy the software. Instead, con-
tact Blue Coat to determine its return policy for a refund or credit.
If you comply with these license terms, you have the rights below.
1. Use Rights.
You may use the software on the device with which you acquired the software.
2. Additional Licensing Requirements and/or Use Rights.
a.Specific Use. Blue Coat designed this device for a specific use. You may only use the software for that use.
b.Other Software. You may use other programs with the software as long as the other programs
-Directly support the manufacturer's specific use for the device, or
-Provide system utilities, resource management, or anti-virus or similar protection.
Software that provides consumer or business tasks or processes may not be run on the device. This includes email, word
processing, spreadsheet, database, scheduling and personal finance software. The device may use terminal services pro-
tocols to access such software running on a server.
c. Device Connections.
-You may use terminal services protocols to connect the device to another device running business task or processes soft-
ware such as email, word processing, scheduling or spreadsheets.
-You may allow up to ten other devices to access the software to use
-File Services,
-Print Services,
-Internet Information Services, and
-Internet Connection Sharing and Telephony Services.
The ten connection limit applies to devices that access the software indirectly through "multiplexing" or other software
1559
SGOS 6.2 Administration Guide
or hardware that pools connections. You may use unlimited inbound connections at any time via TCP/IP.
3. Scope of License. The software is licensed, not sold. This agreement only gives you some rights to use the software.
Blue Coat and Microsoft reserve all other rights. Unless applicable law gives you more rights despite this limitation,
you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any tech-
nical limitations in the software that allow you to use it only in certain ways. For more information, see the software
documentation or contact Blue Coat. Except and only to the extent permitted by applicable law despite these limitations,
you may not:
-Work around any technical limitations in the software;
-Reverse engineer, decompile or disassemble the software;
-Make more copies of the software than specified in this agreement;
-Publish the software for others to copy;
-Rent, lease or lend the software; or
-Use the software for commercial software hosting services.
Except as expressly provided in this agreement, rights to access the software on this device do not give you any right to
implement Microsoft patents or other Microsoft intellectual property in software or devices that access this device.
You may use remote access technologies in the software such as Remote Desktop to access the software remotely from
another device. You are responsible for obtaining any licenses required for use of these protocols to access other soft-
ware.
oRemote Boot Feature. If Blue Coat enabled the device Remote Boot feature of the software, you may
(i)use the Remote Boot Installation Service (RBIS) tool only to install one copy of the software on your server and to de-
ploy the software on licensed devices as part of the Remote Boot process; and
(ii)use the Remote Boot Installation Service only for deployment of the software to devices as part of the Remote Boot
process; and
(iii)download the software to licensed devices and use it on them.
For more information, please refer to the device documentation or contact Blue Coat.
oInternet-Based Services. Microsoft provides Internet-based services with the software. Microsoft may change or cancel
them at any time.
a. Consent for Internet-Based Services. The software features described below connect to Microsoft or service provider
computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may
switch off these features or not use them. For more information about these features, visit
http://www.microsoft.com/windowsxp/downloads/updates/sp2/docs/privacy.mspx.
By using these features, you consent to the transmission of this information. Microsoft does not use the information to
identify or contact you.
b.Computer Information. The following features use Internet protocols, which send to the appropriate systems comput-
er information, such as your Internet protocol address, the type of operating system, browser and name and version of
the software you are using, and the language code of the device where you installed the software. Microsoft uses this
information to make the Internet-based services available to you.
-Web Content Features. Features in the software can retrieve related content from Microsoft and provide it to you. To
provide the content, these features send to Microsoft the type of operating system, name and version of the software you
are using, type of browser and language code of the device where the software was installed. Examples of these features
are clip art, templates, online training, online assistance and Appshelp. These features only operate when you activate
them. You may choose to switch them off or not use them.
-Digital Certificates. The software uses digital certificates. These digital certificates confirm the identity of Internet users
sending X.509 standard encrypted information. The software retrieves certificates and updates certificate revocation
lists. These security features operate only when you use the Internet.
-Auto Root Update. The Auto Root Update feature updates the list of trusted certificate authorities. You can switch off
the Auto Root Update feature.
-Windows Media Player. When you use Windows Media Player, it checks with Microsoft for
-Compatible online music services in your region;
-New versions of the player; and
-Codecs if your device does not have the correct ones for playing content. You can switch off this feature. For more in-
formation, go to: http://microsoft.com/windows/windowsmedia/mp10/privacy.aspx.
-Windows Media Digital Rights Management. Content owners use Windows Media digital rights management tech-
nology (WMDRM) to protect their intellectual property, including copyrights. This software and third party software
use WMDRM to play and copy WMDRM-protected content. If the software fails to protect the content, content owners
may ask Microsoft to revoke the software's ability to use WMDRM to play or copy protected content. Revocation does
not affect other content. When you download licenses for protected content, you agree that Microsoft may include a
revocation list with the licenses. Content owners may require you to upgrade WMDRM to access their content. Micro-
soft software that includes WMDRM will ask for your consent prior to the upgrade. If you decline an upgrade, you will
not be able to access content that requires the upgrade. You may switch off WMDRM features that access the Internet.
When these features are off, you can still play content for which you have a valid license.
c. Misuse of Internet-based Services. You may not use these services in any way that could harm them or impair anyone
else's use of them. You may not use the services to try to gain unauthorized access to any service, data, account or net-
work by any means.
4. Windows Update Agent (also known as Software Update Services). The software on the device includes Windows
Update Agent ("WUA") functionality that may enable your device to connect to and access updates ("Windows Up-
dates") from a server installed with the required server component. Without limiting any other disclaimer in this Mi-
crososoft Software License Terms or any EULA accompanying a Windows Update, you acknowledge and agree that no
warranty is provided by MS, Microsoft Corporation or their affiliates with respect to any Windows Update that you in-
stall or attempt to install on your device.
5. Product Support. Contact Blue Coat for support options. Refer to the support number provided with the device.
6. Backup Copy. You may make one backup copy of the software. You may use it only to reinstall the software on the
device.
7. Proof Of License. If you acquired the software on the device, or on a disc or other media, a genuine Certificate of Au-
thenticity label with a genuine copy of the software identifies licensed software. To be valid, this label must be affixed
to the device, or included on or in Blue Coat's software packaging. If you receive the label separately, it is not valid. You
should keep the label on the device or packaging to prove that you are licensed to use the software. To identify genuine
1560
Microsoft software, see http://www.howtotell.com.
8. Transfer to a Third Party. You may transfer the software only with the device, the Certificate of Authenticity label,
and these license terms directly to a third party. Before the transfer, that party must agree that these license terms apply
to the transfer and use of the software. You may not retain any copies of the software including the backup copy.
9. Not Fault Tolerant. The software is not fault tolerant. Blue Coat installed the software on the device and is responsible
for how it operates on the device.
10. Restricted Use. The Microsoft software was designed for systems that do not require fail-safe performance. You may
not use the Microsoft software in any device or system in which a malfunction of the software would result in foresee-
able risk of injury or death to any person. This includes operation of nuclear facilities, aircraft navigation or communi-
cation systems and air traffic control.
11. No Warranties for the Software. The software is provided "as is". You bear all risks of using it. Microsoft gives no
express warranties, guarantees or conditions. Any warranties you receive regarding the device or the software do not
originate from, and are not binding on, Microsoft or its affiliates. When allowed by your local laws, Blue Coat and Mi-
crosoft exclude implied warranties of merchantability, fitness for a particular purpose and non-infringement.
12. Liability Limitations. You can recover from Microsoft and its affiliates only direct damages up to two hundred fifty
U.S. Dollars (U.S. $250.00). You cannot recover any other damages, including consequential, lost profits, special, indirect
or incidental damages.
This limitation applies to:
-Anything related to the software, services, content (including code) on third party internet sites, or third party pro-
grams; and
-Claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the
extent permitted by applicable law.
It also applies even if Microsoft should have been aware of the possibility of the damages. The above limitation may not
apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other dam-
ages.
13. Export Restrictions. The software is subject to United States export laws and regulations. You must comply with all
domestic and international export laws and regulations that apply to the software. These laws include restrictions on
destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
1561
SGOS 6.2 Administration Guide
1562