Sizing Guide for Advanced Secure Gateway Deployments Symantec Confidential - Internal and Channel Partner Use Only

Forward Proxy ASG Software 6.7, Jul 22, 2017

Deployment Mode ASG Resource Spec
Model Forward Proxy ASG paired with Client Licensed Active Storage CPU Memory Available slots On-board Power
Malware Analysis Manager Client IPs Connections Capacity Cores Network Ports Supply
Employee Recommended Maximum Recommended Max Unique Active Concurrent Total
Count Internet BW Internet BW Suggested MAA Max (UA) Clients Client IPs (For VAs, S/M/L) Drives (GB) Bypass Other
S200-30-U500 500 50-60 Mbps 120 Mbps MAA-S400-10 10,000 No Limit 2,500 2 1,000 2 16GB 1 open slot 2 x 1000BT 2 x 1000BT Single
S200-30-U1000 1000 50-60 Mbps 120 Mbps MAA-S400-10 10,000 No Limit 5,000 2 1,000 2 16GB 1 open slot 2 x 1000BT 2 x 1000BT Single
S200-30-U2500 2500 50-60 Mbps 120 Mbps MAA-S400-10 10,000 No Limit 12,500 2 1,000 2 16GB 1 open slot 2 x 1000BT 2 x 1000BT Single
S200-40-U1000 1000 100-125 Mbps 250 Mbps MAA-S400-10 15,000 No Limit 5,000 2 1,000 2 16GB 1 open slot 2 x 1000BT 2 x 1000BT Single
S200-40-U2500 2500 100-125 Mbps 250 Mbps MAA-S400-10 15,000 No Limit 12,500 2 1,000 2 16GB 1 open slot 2 x 1000BT 2 x 1000BT Single
S400-20-1000 1,000 100-150 Mbps 300 Mbps MAA-S400-10 15,000 No Limit 5,000 3 3,000 4 24GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-20-2500 2,500 100-150 Mbps 300 Mbps MAA-S400-10 15,000 No Limit 12,500 3 3,000 4 24GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-20-5000 5,000 100-150 Mbps 300 Mbps MAA-S400-10 15,000 No Limit 25,000 3 3,000 4 24GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-30-5000 5,000 250-320 Mbps 500 Mbps MAA-S400-10 27,000 No Limit 25,000 6 6,000 6 48GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-30-10K 10,000 250-320 Mbps 500 Mbps MAA-S400-10 27,000 No Limit 50,000 6 6,000 6 48GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-30-15K 15000 250-320 Mbps 500 Mbps MAA-S400-10 27,000 No Limit 75,000 6 6,000 6 48GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-40-10K 10,000 500-600 Mbps 1000 Mbps MAA-S400-10 35,000 No Limit 50,000 8 8,000 6 72GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-40-15K 15,000 500-600 Mbps 1000 Mbps MAA-S400-10 35,000 No Limit 75,000 8 8,000 6 72GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
S400-40-25K 25,000 500-600 Mbps 1000 Mbps MAA-S400-10 35,000 No Limit 125,000 8 8,000 6 72GB 2 open slots 2 x 1000BT 2 x 1000BT Redundant
1
S500-10-10K 10,000 500-750 Mbps 1200 Mbps MAA-S400-10 45,000 No limit 50,000 8 8,000 10 96GB 2 open slots 2 x 10GBT 2 x 10GBT Redundant
1
S500-10-15K 15,000 500-750 Mbps 1200 Mbps MAA-S400-10 45,000 No limit 75,000 8 8,000 10 96GB 2 open slots 2 x 10GBT 2 x 10GBT Redundant
1
S500-10-25K 25,000 500-750 Mbps 1200 Mbps MAA-S400-10 45,000 No limit 125,000 8 8,000 10 96GB 2 open slots 2 x 10GBT 2 x 10GBT Redundant
1
S500-20-25K 25,000 1000-1500 Mbps 1200 Mbps MAA-S500-10 45,000 No limit 125,000 16 16,000 20 128GB 5 open slots 2 x 10GBT 2 x 10GBT Redundant
1
S500-20-35K 35,000 1000-1500 Mbps 2000 Mbps MAA-S500-10 45,000 No limit 175,000 16 16,000 20 128GB 5 open slots 2 x 10GBT 2 x 10GBT Redundant
1
S500-20-50K 50,000 1000-1500 Mbps 2000 Mbps MAA-S500-10 45,000 No limit 250,000 16 16,000 20 128GB 5 open slots 2 x 10GBT 2 x 10GBT Redundant
1
Note: See below for SSL S500 has 2 x 1000BT for BMC/mgmt
HW acceleration details

These guidelines provide sizing based on a standard workload for ASG appliances.
Employee Count
The total number of employees that use the system for general Internet browsing. If employees have multiple
systems or devices that are simultaneously active, rely on the total number of active connections. This number
assumes 100% of devices have web connections open at any moment, though up to 80% are used for
background tasks. Adjust this number if Internet usage, device count is higher.
For Cloud Applications, such as Office365, which may require more connections per employee, rely on
the Active Connections limit for accurate sizing.
Recommended Internet Bandwidth
Typical bandwidth range, at 70% peak CPU load with complex policies, 40% SSL, content analysis,
content filtering, access logging and limited streaming content.
Maximum Internet Bandwidth
Maximum client-side throughput at 70% peak CPU with basic SWG features and limited SSL decryption.
Basic SWG features include URL filtering with simple policy and access logging, no content analysis.
Client Manager Recommended (UA) Clients Managed
Maximum number of Client instances connecting to and serviced by a Client Manager,
regardless of the features enabled on the Client (filtering, acceleration or both),
at 50% CPU utilization. Updates can be posted to all clients in a two-hour window.
NOTE: Include the appropriate additional options for ASG for all models.
Include BCIS Standard or Advanced Intelligence Services to enable CASB Audit AppFeed
Include the Cache Pulse subscription for increased bandwidth savings where appropriate
Copyright © 2017 Symantec Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Symantec Inc. Specifications are subject to change without notice. Information contained in this document is believed
to be accurate and reliable, however, Symantec Inc. assumes no responsibility for its use. Blue Coat ProxySG, PacketShaper, ProxyClient are registered trademarks of Symantec Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Actual sizing may vary significantly depending on customer workload requirements.
Licensing
ASGs are licensed based on Active Connections (and concurrent client IP if a limit exists). Other
parameters such as Max Internet Bandwidth and Employee Count are suggested values based on the
physical capacity of the system.
Licensed Active Connections & Client IPs
Licensing is measured by the number of open inbound TCP connections that are active (and unique client
IPs if a limit exists) to the ASG. The measurement is instantaneous and concurrent. It is not based on
the average over any time interval. If a licensed client IP limit exists and about to be exceeded, the
administrator can configure the ASG to either bypass, queue or drop new connections from a new user.
If no limit exist, the ASG will accept and process new connections up to the Active Connection limit.
Active Connections
This represents the total number of active and concurrent client side connections that are being processed.
Client side connections above the Active Connection limit are supported but not actively processed.
Resource Spec
All HW models have hardware SSL acceleration capabilities in the CPUs.
A separate license is not required to activate SSL termination. Ports on bypass-capable network interfaces
can be configured to be bridged pairwise or to act independently.
Include the Web Application Protections subscription where appropriate Include the ETAP licenses for encrypted traffic visibility where appropriate
Include the File Inspection (FI) licenses for content analysis capabilities Include the Flash streaming licenses for Flash caching/splitting where appropriate
EXAMPLE 1: Advanced Secure Gateway with Office 365 EXAMPLE 2: Advanced Secure Gateway Cluster
• Organization has 2000 employees and expect 500 more over 4 years • A customer requires Threat protection at the Internet gateway, starting
• One Internet gateway with 100 Mbps connectivity today at 300Mbps, growing 25% annually over the next 4 years for 10,000 users
• Requires redundancy and room for growth over 4 years at 25% annually • The solution must be fault tolerant to survive against a single point of failure.
• The customer values upgradeability to support corporate Cloud/SaaS initiatives.
Model Forward Proxy ASG paired with
• The customer is sensitive to price and has budget constraints.
Malware Analysis
Employee Recommended Maximum Internet Suggested MAA Model Forward Proxy ASG paired with
Count Internet BW BW Malware Analysis
S400-20-1000 1,000 100-150 Mbps 300 Mbps MAA-S400-10 Employee Recommended Maximum Internet Suggested MAA
Count Internet BW BW
S400-20-2500 2,500 100-150 Mbps 300 Mbps MAA-S400-10
S400-20-1000 1,000 100-150 Mbps 300 Mbps MAA-S400-10
S400-20-5000 5,000 100-150 Mbps 300 Mbps MAA-S400-10 S400-20-2500 2,500 100-150 Mbps 300 Mbps MAA-S400-10
S400-30-5000 5,000 250-320 Mbps 500 Mbps MAA-S400-10 S400-20-5000 5,000 100-150 Mbps 300 Mbps MAA-S400-10
S400-30-10K 10,000 250-320 Mbps 500 Mbps MAA-S400-10 S400-30-5000 5,000 250-320 Mbps 500 Mbps MAA-S400-10
S400-30-15K 15,000 250-320 Mbps 500 Mbps MAA-S400-10 S400-30-10K 10,000 250-320 Mbps 500 Mbps MAA-S400-10
S400-40-10K 10,000 500-750 Mbps 1000 Mbps MAA-S400-10 S400-30-15K 15000 250-320 Mbps 500 Mbps MAA-S400-10
S400-40-10K 10,000 500-600 Mbps 1000 Mbps MAA-S400-10
S400-40-15K 15,000 500-750 Mbps 1000 Mbps MAA-S400-10
S400-40-15K 15,000 500-600 Mbps 1000 Mbps MAA-S400-10
S400-40-25K 25,000 500-750 Mbps 1000 Mbps MAA-S400-10 S400-40-25K 25,000 500-600 Mbps 1000 Mbps MAA-S400-10
S500-10-10K 10,000 500-600 Mbps 1200 Mbps MAA-S400-10
Step 1 First detemine the limiting factor, Users (Active Connections) or Bandwidth.
4
S500-10-15K 15,000 500-600 Mbps 1200 Mbps MAA-S400-10
At 25% growth over 4 yrs, they will need 100 Mbps x(1.25) = 244 Mbps at yr 4 S500-10-25K 25,000 500-600 Mbps 1200 Mbps MAA-S400-10
Several models meet the bandwidth requirement, but adoption of Office 365 has S500-20-25K 25,000 1000-1500 Mbps 2000 Mbps MAA-S500-10
additional connection requirements. Office365 can use from 8-25 additional S500-20-35K 35,000 1000-1500 Mbps 2000 Mbps MAA-S500-10
connections/user. For moderate use, anticipate 12 conns/user for Office365 on S500-20-50K 50,000 1000-1500 Mbps 2000 Mbps MAA-S500-10
top of 5 conns/user for general Internet browsing for a total of 17 conns/user.
Total connections: 2500 employees x (12 + 5) conn/user = 42.5K connections. Option 1: A straightforward approach is an appliance that can support 750Mbps and at least
10K users, and double (2N) the footprint to provide fault tolerance.This would be:
Step 2 The ASG-S400-30 meets the BW requirements and offers three different 2x ASG-S500-20-U25K
options for total connections. While the U5000 looks to meet the user requirements,
it only provide 5x5000 =25,000 connections which is insufficient with Office365 Option 2: A cluster (N+1) of three appliances (S400-40 or S500-10 at 500Mbps) with
demands. The U10K will provide 5x10000 = 50K total connections which would be at least 10K users in the N units would work:
sufficient. Purchasing a pair will provide redundancy. 3x ASG-S400-40-10K (or SG-S500-10-10K)
2 x ASG-S400-30-U10K
Option 3: Another option that meets the requirements is to cluster four ASG-S400-30-5000s:
4x ASG-S400-30-5000U

In this case, the cluster (3+1) of S400-30-5000s is the least expensive solution, and provides flexibility
for future upgrade paths, either by adding another S400-30 to the cluster for incremental throughput
or upgrading the S400-30s to S400-40s if significant expansion is necessary.
It also allows fo user/connection capacity upgrade as needed for varing traffic needs.

Account for the load balancing mechanism into this analysis, if appropriate.

Symantec Confidential - Internal and Channel Partner Use Only

Copyright © 2017 Symantec Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Symantec Inc. Specifications are subject to change without notice. Information contained in this document is believed
to be accurate and reliable, however, Symantec Inc. assumes no responsibility for its use. Blue Coat ProxySG, PacketShaper, ProxyClient are registered trademarks of Symantec Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.