Blue Coat® Systems

Director™

Configuration and Management Guide

SGME Version 5.4.2.x


Director Configuration and Management Guide

Contact Information

Americas:
Blue Coat Systems Inc.
410 North Mary Ave
Sunnyvale, CA 94085-4121

Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

http://www.bluecoat.com/support/contactsupport

http://www.bluecoat.com

For concerns or feedback about the documentation:
documentation@bluecoat.com

Copyright© 1999-2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat
Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®,
PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®,
Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY “BLUE COAT”) DISCLAIM ALL
WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND
DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT,
ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER
LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085

Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

Document Number: 231-03036


Document Revision: SGME 5.4.2.x—09/17/2009

Third Party Copyright Notices


Blue Coat Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their respective owners as indicated in
the copyright notices below.
The following lists the copyright notices for:
JPAM and Tomcat
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For
the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and
configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object
code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is
included in or attached to the work.
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions,
annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works
shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative
Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to
submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking
systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is
conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently
incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide,
non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense,
and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer
the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or
by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity
(including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory
patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in
Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent
notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent,
trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d)
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the
attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the
following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the
Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the
NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You
distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as
modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use,
reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the
Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall
supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as
required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its
Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation,
any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely
responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under
this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable
law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect,
special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not
limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such
Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for,
acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations,
You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and
hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or
additional liability.
Java JRE
SUN MICROSYSTEMS, INC. ("SUN") IS WILLING TO LICENSE THIS SPECIFICATION TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT
ALL OF THE TERMS CONTAINED IN THIS AGREEMENT. PLEASE READ THE TERMS AND CONDITIONS OF THIS AGREEMENT CAREFULLY. BY
DOWNLOADING THIS SPECIFICATION, YOU ACCEPT THE TERMS AND CONDITIONS OF THE AGREEMENT.
Specification: JAVA PLATFORM, STANDARD EDITION ("Specification")
Version: 6
Status: Final Release
Release: December 7, 2006
Copyright 2006 SUN MICROSYSTEMS, INC.
4150 Network Circle, Santa Clara, California 95054, U.S.A
All rights reserved.
LIMITED LICENSE GRANTS
1. License for Evaluation Purposes.
Sun hereby grants you a fully-paid, non-exclusive, non-transferable, worldwide, limited license (without the right to sublicense), under Sun's applicable
intellectual property rights to view, download, use and reproduce the Specification only for the purpose of internal evaluation. This includes (i) developing
applications intended to run on an implementation of the Specification, provided that such applications do not themselves implement any portion(s) of the
Specification, and (ii) discussing the Specification with any third party; and (iii) excerpting brief portions of the Specification in oral or written
communications which discuss the Specification provided that such excerpts do not in the aggregate constitute a significant portion of the Specification.
2. License for the Distribution of Compliant Implementations.
Sun also grants you a perpetual, non-exclusive, non-transferable, worldwide, fully paid-up, royalty free, limited license (without the right to sublicense)
under any applicable copyrights or, subject to the provisions of subsection 4 below, patent rights it may have covering the Specification to create and/or
distribute an Independent Implementation of the Specification that: (a) fully implements the Specification including all its required interfaces and
functionality; (b) does not modify, subset, superset or otherwise extend the Licensor Name Space, or include any public or protected packages, classes, Java
interfaces, fields or methods within the Licensor Name Space other than those required/authorized by the Specification or Specifications being implemented;
and (c) passes the Technology Compatibility Kit (including satisfying the requirements of the applicable TCK Users Guide) for such Specification ("Compliant
Implementation"). In addition, the foregoing license is expressly conditioned on your not acting outside its scope. No license is granted hereunder for any
other purpose (including, for example, modifying the Specification, other than to the extent of your fair use rights, or distributing the Specification to third
parties). Also, no right, title, or interest in or to any trademarks, service marks, or trade names of Sun or Sun's licensors is granted hereunder. Java, and
Java-related logos, marks and names are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
3. Pass-through Conditions.
You need not include limitations (a)-(c) from the previous paragraph or any other particular "pass through" requirements in any license You grant concerning
the use of your Independent Implementation or products derived from it. However, except with respect to Independent Implementations (and products
derived from them) that satisfy limitations (a)-(c) from the previous paragraph, You may neither: (a) grant or otherwise pass through to your licensees any
licenses under Sun's applicable intellectual property rights; nor (b) authorize your licensees to make any claims concerning their implementation's compliance
with the Specification in question.
4. Reciprocity Concerning Patent Licenses.
a. With respect to any patent claims covered by the license granted under subparagraph 2 above that would be infringed by all technically feasible
implementations of the Specification, such license is conditioned upon your offering on fair, reasonable and non-discriminatory terms, to any party seeking it
from You, a perpetual, non-exclusive, non-transferable, worldwide license under Your patent rights which are or would be infringed by all technically feasible
implementations of the Specification to develop, distribute and use a Compliant Implementation.
b. With respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2, whether or not their infringement can be
avoided in a technically feasible manner when implementing the Specification, such license shall terminate with respect to such claims if You initiate a claim
against Sun that it has, in the course of performing its responsibilities as the Specification Lead, induced any other entity to infringe Your patent rights.
c. Also with respect to any patent claims owned by Sun and covered by the license granted under subparagraph 2 above, where the infringement of such
claims can be avoided in a technically feasible manner when implementing the Specification such license, with respect to such claims, shall terminate if You
initiate a claim against Sun that its making, having made, using, offering to sell, selling or importing a Compliant Implementation infringes Your patent rights.
5. Definitions.
For the purposes of this Agreement: "Independent Implementation" shall mean an implementation of the Specification that neither derives from any of Sun's
source code or binary code materials nor, except with an appropriate and separate license from Sun, includes any of Sun's source code or binary code
materials; "Licensor Name Space" shall mean the public class or interface declarations whose names begin with "java", "javax", "com.sun" or their equivalents
in any subsequent naming convention adopted by Sun through the Java Community Process, or any recognized successors or replacements thereof; and
"Technology Compatibility Kit" or "TCK" shall mean the test suite and accompanying TCK User's Guide provided by Sun which corresponds to the
Specification and that was available either (i) from Sun's 120 days before the first release of Your Independent Implementation that allows its use for
commercial purposes, or (ii) more recently than 120 days from such release but against which You elect to test Your implementation of the Specification.
This Agreement will terminate immediately without notice from Sun if you breach the Agreement or act outside the scope of the licenses granted above.
DISCLAIMER OF WARRANTIES
THE SPECIFICATION IS PROVIDED "AS IS". SUN MAKES NO REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT (INCLUDING AS A
CONSEQUENCE OF ANY PRACTICE OR IMPLEMENTATION OF THE SPECIFICATION), OR THAT THE CONTENTS OF THE SPECIFICATION ARE
SUITABLE FOR ANY PURPOSE. This document does not represent any commitment to release or implement any portion of the Specification in any product.
In addition, the Specification could include technical inaccuracies or typographical errors.
LIMITATION OF LIABILITY
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT
LIMITATION, LOST REVENUE, PROFITS OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES,
HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF OR RELATED IN ANY WAY TO YOUR HAVING,
IMPLEMENTING OR OTHERWISE USING THE SPECIFICATION, EVEN IF SUN AND/OR ITS LICENSORS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. You will indemnify, hold harmless, and defend Sun and its licensors from any claims arising or resulting from: (i) your
use of the Specification; (ii) the use or distribution of your Java application, applet and/or implementation; and/or (iii) any claims that later versions or
releases of any Specification furnished to you are incompatible with the Specification provided to you under this license.
RESTRICTED RIGHTS LEGEND
U.S. Government: If this Specification is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at
any tier), then the Government's rights in the Software and accompanying documentation shall be only as set forth in this license; this is in accordance with 48
C.F.R. 227.7201 through 227.7202-4 (for Department of Defense (DoD) acquisitions) and with 48 C.F.R. 2.101 and 12.212 (for non-DoD acquisitions).
REPORT
If you provide Sun with any comments or suggestions concerning the Specification ("Feedback"), you hereby: (i) agree that such Feedback is provided on a
non-proprietary and non-confidential basis, and (ii) grant Sun a perpetual, non-exclusive, worldwide, fully paid-up, irrevocable license, with the right to
sublicense through multiple levels of sublicensees, to incorporate, disclose, and use without limitation the Feedback for any purpose.
GENERAL TERMS
Any action related to this Agreement will be governed by California law and controlling U.S. federal law. The U.N. Convention for the International Sale of
Goods and the choice of law rules of any jurisdiction will not apply.
The Specification is subject to U.S. export control laws and may be subject to export or import regulations in other countries. Licensee agrees to comply strictly
with all such laws and regulations and acknowledges that it has the responsibility to obtain such licenses to export, re-export or import as may be required
after delivery to Licensee.
This Agreement is the parties' entire agreement relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications,
proposals, conditions, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other
communication between the parties relating to its subject matter during the term of this Agreement. No modification to this Agreement will be binding, unless
in writing and signed by an authorized representative of each party.
Rev. April, 2006
PostgreSQL is released under the BSD license.
PostgreSQL Database Management System (formerly known as Postgres, then as Postgres95)
Portions Copyright (c) 1996-2008, The PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California
Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby
granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.
IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF
THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS"
BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR
MODIFICATIONS.
JDOM.jar Copyright (C) 2000-2004 Jason Hunter & Brett McLaughlin. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the disclaimer that follows these conditions in the
documentation and/or other materials provided with the distribution.
3. The name "JDOM" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,
please contact request@jdom.org.
4. Products derived from this software may not be called "JDOM", nor may "JDOM" appear in their name, without prior written permission from the JDOM
Project Management request@jdom.org.
In addition, we request (but do not require) that you include in the end-user documentation provided with the redistribution and/or in the software itself an
acknowledgement equivalent to the following:
"This product includes software developed by the JDOM Project (http://www.jdom.org/)."
Alternatively, the acknowledgment may be graphical using the logos available at http://www.jdom.org/images/logos.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE JDOM
AUTHORS OR THE PROJECT CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the JDOM Project and was originally created by Jason Hunter
<jhunter@jdom.org> and Brett McLaughlin <brett@jdom.org>. For more information on the JDOM Project, please see http://www.jdom.org.
JFreeChart
JFreeChart is a free (LGPL) chart library for the Java(tm) platform.
BPF
Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above
copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety
in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display
the following acknowledgement:
This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors.
Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific
prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
DES
Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim Gillogly.
EXPAT
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the
Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Finjan Software
Copyright (c) 2003 Finjan Software, Inc. All rights reserved.
Flowerfire
Copyright (c) 1996-2002 Greg Ferrar
ISODE
ISODE 8.0 NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the Preface in the User's
Manual for the full terms of this agreement.
4BSD/ISODE SMP NOTICE
Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-READ-ME.
UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd.
MD5
RSA Data Security, Inc. MD5 Message-Digest Algorithm
Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing this software or this function.
License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5
Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular
purpose. It is provided "as is" without express or implied warranty of any kind.
"THE BEER-WARE LICENSE" (Revision 42):
<phk@FreeBSD.org> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet
some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
Microsoft Windows Media Streaming
Copyright (c) 2003 Microsoft Corporation. All rights reserved.
OpenLDAP
Copyright (c) 1999-2001 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim
copies of this document is granted.
http://www.openldap.org/software/release/license.html
The OpenLDAP Public License Version 2.7, 7 September 2001
Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the
documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under
terms of this license revision or under the terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF
THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software
without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
OpenSSH
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved
This file is part of the OpenSSH software.
The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a
licence more free than that.
OpenSSH contains no GPL code.
1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly
marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure
Shell".
[Tatu continues]
However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my
direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose
(the GNU license being the most restrictive); see below for details.
[However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed
from OpenSSH, i.e.,
- RSA is no longer included, found in the OpenSSL library
- IDEA is no longer included, its use is deprecated
- DES is now external, in the OpenSSL library
- GMP is no longer used, and instead we call BN code from OpenSSL
- Zlib is now external, in a library
- The make-ssh-known-hosts script is no longer included
- TSS has been removed
- MD5 is now external, in the OpenSSL library
- RC4 support has been replaced with ARC4 support from OpenSSL
- Blowfish is now external, in the OpenSSL library
[The licence continues]


Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific
library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto".
The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible
for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any
responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE
PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE
TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH
HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without
modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com>
3) ssh-keygen was contributed by David Mazieres under a BSD-style license.
Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted provided that due
credit is given to the author and the OpenBSD project by leaving this copyright notice intact.
4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original
Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders:
Markus Friedl
Theo de Raadt
Niels Provos

Dug Song
Aaron Campbell
Damien Miller
Kevin Steves
Daniel Kouril
Wesley Griffin
Per Allansson
Nils Nordman
Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenSSL
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
http://www.openssl.org/about/
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young <mailto:eay@cryptsoft.com> and Tim J. Hudson <mailto:tjh@cryptsoft.com>.
The OpenSSL toolkit is licensed under an Apache-style license which basically means that you are free to get and use it for commercial and non-commercial
purposes.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code
found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered
by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should
be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online
or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic
software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic
related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This
product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and
put under another distribution license [including the GNU Public License.]
Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written
permission. For written permission, please contact openssl-core@openssl.org.


5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the
OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson
(tjh@cryptsoft.com).
PCRE
Copyright (c) 1997-2001 University of Cambridge
University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714.
Written by: Philip Hazel <ph10@cam.ac.uk>
Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following
restrictions:
1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the
University of Cambridge, England.
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
PHAOS SSLava and SSLavaThin
Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved.
The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the design and development of
which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. The software
and any portions or copies thereof shall at all times remain the property of Phaos.
PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION ALONE OR IN
COMBINATION WITH ANY OTHER SOFTWARE.
PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR
SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
RealSystem
The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All rights reserved.
SNMP
Copyright (C) 1992-2001 by SNMP Research, Incorporated.
This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the inclusion of the above
copyright notice. This software or any other copies thereof may not be provided or otherwise made available to any other person. No title to and ownership of
the software is hereby transferred. The information in this software is subject to change without notice and should not be construed as a commitment by
SNMP Research, Incorporated.
Restricted Rights Legend:
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013; subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted Rights Clause, FAR 52.227-19; and in
similar clauses in the NASA FAR Supplement and other corresponding governmental regulations.
PROPRIETARY NOTICE
This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law. Unauthorized copying,
redistribution or other use of this work is prohibited. The above notice of copyright on this source code product does not indicate any actual or intended
publication of such source code.
STLport
Copyright (c) 1999, 2000 Boris Fomitchev
This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk.
Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission to
modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is included with
the above copyright notice.
The code has been modified.
Copyright (c) 1994 Hewlett-Packard Company
Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc.
Copyright (c) 1997 Moscow Center for SPARC Technology

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.
Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon
Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Moscow
Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied
warranty.
SmartFilter
Copyright (c) 2003 Secure Computing Corporation. All rights reserved.
SurfControl
Copyright (c) 2003 SurfControl, Inc. All rights reserved.
Symantec AntiVirus Scan Engine
Copyright (c) 2003 Symantec Corporation. All rights reserved.
TCPIP
Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source.
Their copyright header follows:
Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
Trend Micro
Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved.
zlib
Copyright (c) 2003 by the Open Source Initiative
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of
this software.
ICU License - ICU 1.8.1 and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1995-2003 International Business Machines Corporation and others
All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission
notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation. THE
SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO
EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT
OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to
promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder
The PHP License, version 3.01 Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission,
please contact group@php.net.


4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net.
You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may
also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP
Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes PHP software, freely available from
<http://www.php.net/software/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.
The PHP Group can be contacted via Email at group@php.net.
For more information on the PHP Group and the PHP project, please see <http://www.php.net>.

The Zend Engine License, version 2.00 Copyright (c) 1999-2002 Zend Technologies Ltd. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
other materials provided with the distribution.
3. The names "Zend" and "Zend Engine" must not be used to endorse or promote products derived from this software without prior permission from Zend
Technologies Ltd. For written permission, please contact license@zend.com.
4. Zend Technologies Ltd. may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version
number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version.
You may also choose to use such covered code under the terms of any subsequent version of the license published by Zend Technologies Ltd. No one other
than Zend Technologies Ltd. has the right to modify the terms applicable to covered code created under this License.
5. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes the Zend Engine, freely available at
http://www.zend.com"
6. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"The Zend Engine is freely available at http://www.zend.com"
THIS SOFTWARE IS PROVIDED BY ZEND TECHNOLOGIES LTD. ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL ZEND TECHNOLOGIES LTD. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

TSRM (Thread Safe Resource Manager) license. Copyright (c) 1999, 2000, Andi Gutmans, Sascha Schumann, Zeev Suraski.
All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are
met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Neither name of the copyright holders nor the names of their contributors may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Regex. Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved.
This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California.

Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject to the following
restrictions:
1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it.
2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear in the
documentation.
3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, credits
must appear in the documentation.
4. This notice may not be removed or altered.

libgd
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National
Institutes of Health.
Portions copyright 1996, 1997, 1998, 1999, 2000, 2001 by Boutell.Com, Inc.
Portions relating to GD2 format copyright 1999, 2000 Philip Warner.
Portions relating to PNG copyright 1999, 2000 Greg Roelofs.
Portions relating to libttf copyright 1999, 2000 John Ellson (ellson@lucent.com).
Portions relating to JPEG and to color quantization copyright 2000, Doug Becker and copyright (C) 1994-1998, Thomas G. Lane. This software is based in part
on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.
Portions relating to WBMP copyright 2000 Maurice Szmurlo and Johan Van den Brande.
Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is
present in user-accessible supporting documentation.
This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible
documentation.
This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of
merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation.
Although their code does not appear in gd 2.0.1, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for
their prior contributions.
mail.jar
Sun Microsystems, Inc. ("Sun") ENTITLEMENT for SOFTWARE
Permitted Uses:
1. You may reproduce and use the Software for Individual, Commercial, or Research and Instructional Use for the purposes of designing, developing, testing,
and running Your applets and application ("Programs").
2. Subject to the terms and conditions of this Agreement and restrictions and exceptions set forth in the Software's documentation, You may reproduce and
distribute portions of Software identified as a redistributable in the documentation ("Redistributable"), provided that:
(a) you distribute Redistributable complete and unmodified and only bundled as part of Your Programs,
(b) your Programs add significant and primary functionality to the Redistributable,
(c) you distribute Redistributable for the sole purpose of running your Programs,
(d) you do not distribute additional software intended to replace any component(s) of the Redistributable,
(e) you do not remove or alter any proprietary legends or notices contained in or on the Redistributable.
(f) you only distribute the Redistributable subject to a license agreement that protects Sun's interests consistent with the terms contained in this Agreement,
and
(g) you agree to defend and indemnify Sun and its licensors from and against any damages, costs, liabilities, settlement amounts and/or expenses (including
attorneys' fees) incurred in connection with any claim, lawsuit or action by any third party that arises or results from the use or distribution of any and all
Programs and/or Redistributable.
3. Java Technology Restrictions. You may not create, modify, or change the behavior of, or authorize your licensees to create, modify, or change the behavior of,
classes, interfaces, or subpackages that are in any way identified as "java", "javax", "sun" or similar convention as specified by Sun in any naming convention
designation.
B. Sun Microsystems, Inc. ("Sun")
SOFTWARE LICENSE AGREEMENT
READ THE TERMS OF THIS AGREEMENT ("AGREEMENT") CAREFULLY BEFORE OPENING SOFTWARE MEDIA PACKAGE. BY OPENING
SOFTWARE MEDIA PACKAGE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCESSING SOFTWARE ELECTRONICALLY,
INDICATE YOUR ACCEPTANCE OF THESE TERMS BY SELECTING THE "ACCEPT" BUTTON AT THE END OF THIS AGREEMENT. IF YOU DO NOT
AGREE TO ALL OF THE TERMS, PROMPTLY RETURN THE UNUSED SOFTWARE TO YOUR PLACE OF PURCHASE FOR A REFUND OR, IF SOFTWARE
IS ACCESSED ELECTRONICALLY, SELECT THE "DECLINE" (OR "EXIT") BUTTON AT THE END OF THIS AGREEMENT. IF YOU HAVE SEPARATELY
AGREED TO LICENSE TERMS ("MASTER TERMS") FOR YOUR LICENSE TO THIS SOFTWARE, THEN SECTIONS 1-5 OF THIS AGREEMENT
("SUPPLEMENTAL LICENSE TERMS") SHALL SUPPLEMENT AND SUPERSEDE THE MASTER TERMS IN RELATION TO THIS SOFTWARE.
1. Definitions.
(a) "Entitlement" means the collective set of applicable documents authorized by Sun evidencing your obligation to pay associated fees (if any) for the license,
associated Services, and the authorized scope of use of Software under this Agreement.

(b) "Licensed Unit" means the unit of measure by which your use of Software and/or Service is licensed, as described in your Entitlement.
(c) "Permitted Use" means the licensed Software use(s) authorized in this Agreement as specified in your Entitlement. The Permitted Use for any bundled Sun
software not specified in your Entitlement will be evaluation use as provided in Section 3.
(d) "Service" means the service(s) that Sun or its delegate will provide, if any, as selected in your Entitlement and as further described in the applicable service
listings at www.sun.com/service/servicelist.
(e) "Software" means the Sun software described in your Entitlement. Also, certain software may be included for evaluation use under Section 3.
(f) "You" and "Your" means the individual or legal entity specified in the Entitlement, or for evaluation purposes, the entity performing the evaluation.
2. License Grant and Entitlement.
Subject to the terms of your Entitlement, Sun grants you a nonexclusive, nontransferable limited license to use Software for its Permitted Use for the license
term. Your Entitlement will specify (a) Software licensed, (b) the Permitted Use, (c) the license term, and (d) the Licensed Units.
Additionally, if your Entitlement includes Services, then it will also specify the (e) Service and (f) service term.
If your rights to Software or Services are limited in duration and the date such rights begin is other than the purchase date, your Entitlement will provide that
beginning date(s).
The Entitlement may be delivered to you in various ways depending on the manner in which you obtain Software and Services, for example, the Entitlement
may be provided in your receipt, invoice or your contract with Sun or authorized Sun reseller. It may also be in electronic format if you download Software.
3. Permitted Use.
As selected in your Entitlement, one or more of the following Permitted Uses will apply to your use of Software. Unless you have an Entitlement that
expressly permits it, you may not use Software for any of the other Permitted Uses. If you don't have an Entitlement, or if your Entitlement doesn't cover
additional software delivered to you, then such software is for your Evaluation Use.
(a) Evaluation Use. You may evaluate Software internally for a period of 90 days from your first use.
(b) Research and Instructional Use. You may use Software internally to design, develop and test, and also to provide instruction on such uses.
(c) Individual Use. You may use Software internally for personal, individual use.
(d) Commercial Use. You may use Software internally for your own commercial purposes.
(e) Service Provider Use. You may make Software functionality accessible (but not by providing Software itself or through outsourcing services) to
your end users in an extranet deployment, but not to your affiliated companies or to government agencies.
4. Licensed Units.
Your Permitted Use is limited to the number of Licensed Units stated in your Entitlement. If you require additional Licensed Units, you will need additional
Entitlement(s).
5. Restrictions.
(a) The copies of Software provided to you under this Agreement are licensed, not sold, to you by Sun. Sun reserves all rights not expressly granted. (b) You
may make a single archival copy of Software, but otherwise may not copy, modify, or distribute Software. However if the Sun documentation accompanying
Software lists specific portions of Software, such as header files, class libraries, reference source code, and/or redistributable files, that may be handled
differently, you may do so only as provided in the Sun documentation. (c) You may not rent, lease, lend or encumber Software. (d) Unless enforcement is
prohibited by applicable law, you may not decompile, or reverse engineer Software. (e) The terms and conditions of this Agreement will apply to any
Software updates, provided to you at Sun's discretion, that replace and/or supplement the original Software, unless such update contains a separate license.
(f) You may not publish or provide the results of any benchmark or comparison tests run on Software to any third party without the prior written consent of
Sun. (g) Software is confidential and copyrighted. (h) Unless otherwise specified, if Software is delivered with embedded or bundled software that enables
functionality of Software, you may not use such software on a stand-alone basis or use any portion of such software to interoperate with any program(s) other
than Software. (i) Software may contain programs that perform automated collection of system data and/or automated software updating services. System
data collected through such programs may be used by Sun, its subcontractors, and its service delivery partners for the purpose of providing you with remote
system services and/or improving Sun's software and systems. (j) Software is not designed, licensed or intended for use in the design, construction, operation
or maintenance of any nuclear facility and Sun and its licensors disclaim any express or implied warranty of fitness for such uses. (k) No right, title or interest
in or to any trademark, service mark, logo or trade name of Sun or its licensors is granted under this Agreement.
6. Term and Termination.
The license and service term are set forth in your Entitlement(s). Your rights under this Agreement will terminate immediately without notice from Sun if you
materially breach it or take any action in derogation of Sun's and/or its licensors' rights to Software. Sun may terminate this Agreement should any Software
become, or in Sun's reasonable opinion likely to become, the subject of a claim of intellectual property infringement or trade secret misappropriation. Upon
termination, you will cease use of, and destroy, Software and confirm compliance in writing to Sun. Sections 1, 5, 6, 7, and 9-15 will survive termination of the
Agreement.
7. Java Compatibility and Open Source.
Software may contain Java technology. You may not create additional classes to, or modifications of, the Java technology, except under compatibility
requirements available under a separate agreement available at www.java.net.
Sun supports and benefits from the global community of open source developers, and thanks the community for its important contributions and open
standards-based technology, which Sun has adopted into many of its products.
Please note that portions of Software may be provided with notices and open source licenses from such communities and third parties that govern the use of
those portions, and any licenses granted hereunder do not alter any rights and obligations you may have under such open source licenses, however, the
disclaimer of warranty and limitation of liability provisions in this Agreement will apply to all Software in this distribution.
8. Limited Warranty.
Sun warrants to you that for a period of 90 days from the date of purchase, as evidenced by a copy of the receipt, the media on which Software is furnished (if
any) will be free of defects in materials and workmanship under normal use. Except for the foregoing, Software is provided "AS IS". Your exclusive remedy
and Sun's entire liability under this limited warranty will be at Sun's option to replace Software media or refund the fee paid for Software. Some states do not
allow limitations on certain implied warranties, so the above may not apply to you. This limited warranty gives you specific legal rights. You may have
others, which vary from state to state.

9. Disclaimer of Warranty.
UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO
THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
10. Limitation of Liability.
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA,
OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED REGARDLESS OF THE THEORY OF
LIABILITY, ARISING OUT OF OR RELATED TO THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. In no event will Sun's liability to you, whether in contract, tort (including negligence), or otherwise, exceed the amount
paid by you for Software under this Agreement. The foregoing limitations will apply even if the above stated warranty fails of its essential purpose. Some
states do not allow the exclusion of incidental or consequential damages, so some of the terms above may not be applicable to you.
11. Export Regulations.
All Software, documents, technical data, and any other materials delivered under this Agreement are subject to U.S. export control laws and may be subject to
export or import regulations in other countries. You agree to comply strictly with these laws and regulations and acknowledge that you have the responsibility
to obtain any licenses to export, re-export, or import as may be required after delivery to you.
12. U.S. Government Restricted Rights.
If Software is being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), then the
Government's rights in Software and accompanying documentation will be only as set forth in this Agreement; this is in accordance with 48 CFR 227.7201
through 227.7202-4 (for Department of Defense (DOD) acquisitions) and with 48 CFR 2.101 and 12.212 (for non-DOD acquisitions).
13. Governing Law.
Any action related to this Agreement will be governed by California law and controlling U.S. federal law. No choice of law rules of any jurisdiction will apply.
14. Severability.
If any provision of this Agreement is held to be unenforceable, this Agreement will remain in effect with the provision omitted, unless omission would
frustrate the intent of the parties, in which case this Agreement will immediately terminate.
15. Integration.
This Agreement, including any terms contained in your Entitlement, is the entire agreement between you and Sun relating to its subject matter. It supersedes
all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms
of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No
modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party.
iText
MOZILLA PUBLIC LICENSE Version 1.1
1. Definitions.
1.0.1. "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.
1.1. "Contributor" means each entity that creates or contributes to the creation of Modifications.
1.2. "Contributor Version" means the combination of the Original Code, prior Modifications used by a Contributor, and the Modifications made by that
particular Contributor.
1.3. "Covered Code" means the Original Code or Modifications or the combination of the Original Code and Modifications, in each case including portions
thereof.
1.4. "Electronic Distribution Mechanism" means a mechanism generally accepted in the software development community for the electronic transfer of data.
1.5. "Executable" means Covered Code in any form other than Source Code.
1.6. "Initial Developer" means the individual or entity identified as the Initial Developer in the Source Code notice required by Exhibit A.
1.7. "Larger Work" means a work which combines Covered Code or portions thereof with code not governed by the terms of this License.
1.8. "License" means this document.
1.8.1. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently acquired, any and
all of the rights conveyed herein.
1.9. "Modifications" means any addition to or deletion from the substance or structure of either the Original Code or any previous Modifications. When
Covered Code is released as a series of files, a Modification is:
A. Any addition to or deletion from the contents of a file containing Original Code or previous Modifications.
B. Any new file that contains any part of the Original Code or previous Modifications.
1.10. "Original Code" means Source Code of computer software code which is described in the Source Code notice required by Exhibit A as Original Code, and
which, at the time of its release under this License is not already Covered Code governed by this License.
1.10.1. "Patent Claims" means any patent claim(s), now owned or hereafter acquired, including without limitation, method, process, and apparatus claims, in
any patent Licensable by grantor.
1.11. "Source Code" means the preferred form of the Covered Code for making modifications to it, including all modules it contains, plus any associated
interface definition files, scripts used to control compilation and installation of an Executable, or source code differential comparisons against either the
Original Code or another well known, available Covered Code of the Contributor's choice. The Source Code can be in a compressed or archival form, provided
the appropriate decompression or de-archiving software is widely available for no charge.
1.12. "You" (or "Your") means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License or a future version of
this License issued under Section 6.1.

For legal entities, "You" includes any entity which controls, is controlled by, or is under common control with You. For purposes of this definition, "control"
means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than
fifty percent (50%) of the outstanding shares or beneficial ownership of such entity.
2. Source Code License.
2.1. The Initial Developer Grant. The Initial Developer hereby grants You a world-wide, royalty-free, non-exclusive license, subject to third party intellectual
property claims:
(a) under intellectual property rights (other than patent or trademark) Licensable by Initial Developer to use, reproduce, modify, display, perform, sublicense
and distribute the Original Code (or portions thereof) with or without Modifications, and/or as part of a Larger Work; and
(b) under Patents Claims infringed by the making, using or selling of Original Code, to make, have made, use, practice, sell, and offer for sale, and/or
otherwise dispose of the Original Code (or portions thereof).
(c) the licenses granted in this Section 2.1(a) and (b) are effective on the date Initial Developer first distributes Original Code under the terms of this License.
(d) Notwithstanding Section 2.1(b) above, no patent license is granted: 1) for code that You delete from the Original Code; 2) separate from the Original Code;
or 3) for infringements caused by: i) the modification of the Original Code or ii) the combination of the Original Code with other software or devices.
2.2. Contributor Grant.
Subject to third party intellectual property claims, each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license
(a) under intellectual property rights (other than patent or trademark) Licensable by Contributor, to use, reproduce, modify, display, perform, sublicense and
distribute the Modifications created by such Contributor (or portions thereof) either on an unmodified basis, with other Modifications, as Covered Code
and/or as part of a Larger Work; and
(b) under Patent Claims infringed by the making, using, or selling of Modifications made by that Contributor either alone and/or in combination with its
Contributor Version (or portions of such combination), to make, use, sell, offer for sale, have made, and/or otherwise dispose of: 1) Modifications made by
that Contributor (or portions thereof); and 2) the combination of Modifications made by that Contributor with its Contributor Version (or portions of such
combination).
(c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code.
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2)
separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of
Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices; or 4) under Patent Claims infringed
by Covered Code in the absence of Modifications made by that Contributor.
3. Distribution Obligations.
3.1. Application of License.
The Modifications which You create or to which You contribute are governed by the terms of this License, including without limitation Section 2.2. The Source
Code version of Covered Code may be distributed only under the terms of this License or a future version of this License released under Section 6.1, and You
must include a copy of this License with every copy of the Source Code You distribute. You may not offer or impose any terms on any Source Code version
that alters or restricts the applicable version of this License or the recipients' rights hereunder. However, You may include an additional document offering the
additional rights described in Section 3.5.
3.2. Availability of Source Code.
Any Modification which You create or to which You contribute must be made available in Source Code form under the terms of this License either on the
same media as an Executable version or via an accepted Electronic Distribution Mechanism to anyone to whom you made an Executable version available;
and if made available via Electronic Distribution Mechanism, must remain available for at least twelve (12) months after the date it initially became available,
or at least six (6) months after a subsequent version of that particular Modification has been made available to such recipients. You are responsible for
ensuring that the Source Code version remains available even if the Electronic Distribution Mechanism is maintained by a third party.
3.3. Description of Modifications.
You must cause all Covered Code to which You contribute to contain a file documenting the changes You made to create that Covered Code and the date of
any change. You must include a prominent statement that the Modification is derived, directly or indirectly, from Original Code provided by the Initial
Developer and including the name of the Initial Developer in (a) the Source Code, and (b) in any notice in an Executable version or related documentation in
which You describe the origin or ownership of the Covered Code.
3.4. Intellectual Property Matters
(a) Third Party Claims.
If Contributor has knowledge that a license under a third party's intellectual property rights is required to exercise the rights granted by such Contributor
under Sections 2.1 or 2.2, Contributor must include a text file with the Source Code distribution titled "LEGAL" which describes the claim and the party
making the claim in sufficient detail that a recipient will know whom to contact. If Contributor obtains such knowledge after the Modification is made
available as described in Section 3.2, Contributor shall promptly modify the LEGAL file in all copies Contributor makes available thereafter and shall take
other steps (such as notifying appropriate mailing lists or newsgroups) reasonably calculated to inform those who received the Covered Code that new
knowledge has been obtained.
(b) Contributor APIs.
If Contributor's Modifications include an application programming interface and Contributor has knowledge of patent licenses which are reasonably
necessary to implement that API, Contributor must also include this information in the LEGAL file.
(c) Representations.
Contributor represents that, except as disclosed pursuant to Section 3.4(a) above, Contributor believes that Contributor's Modifications are Contributor's
original creation(s) and/or Contributor has sufficient rights to grant the rights conveyed by this License.
3.5. Required Notices.
You must duplicate the notice in Exhibit A in each file of the Source Code. If it is not possible to put such notice in a particular Source Code file due to its
structure, then You must include such notice in a location (such as a relevant directory) where a user would be likely to look for such a notice. If You created
one or more Modification(s) You may add your name as a Contributor to the notice described in Exhibit A. You must also duplicate this License in any
documentation for the Source Code where You describe recipients' rights or ownership rights relating to Covered Code. You may choose to offer, and to
charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Code. However, You may do so only on Your own
behalf, and not on behalf of the Initial Developer or any Contributor. You must make it absolutely clear than any such warranty, support, indemnity or liability
obligation is offered by You alone, and You hereby agree to indemnify the Initial Developer and every Contributor for any liability incurred by the Initial
Developer or such Contributor as a result of warranty, support, indemnity or liability terms You offer.
3.6. Distribution of Executable Versions.
You may distribute Covered Code in Executable form only if the requirements of Section 3.1-3.5 have been met for that Covered Code, and if You include a
notice stating that the Source Code version of the Covered Code is available under the terms of this License, including a description of how and where You
have fulfilled the obligations of Section 3.2. The notice must be conspicuously included in any notice in an Executable version, related documentation or
collateral in which You describe recipients' rights relating to the Covered Code. You may distribute the Executable version of Covered Code or ownership
rights under a license of Your choice, which may contain terms different from this License, provided that You are in compliance with the terms of this License
and that the license for the Executable version does not attempt to limit or alter the recipient's rights in the Source Code version from the rights set forth in this
License. If You distribute the Executable version under a different license You must make it absolutely clear that any terms which differ from this License are
offered by You alone, not by the Initial Developer or any Contributor. You hereby agree to indemnify the Initial Developer and every Contributor for any
liability incurred by the Initial Developer or such Contributor as a result of any such terms You offer.
3.7. Larger Works.
You may create a Larger Work by combining Covered Code with other code not governed by the terms of this License and distribute the Larger Work as a
single product. In such a case, You must make sure the requirements of this License are fulfilled for the Covered Code.
4. Inability to Comply Due to Statute or Regulation.
If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Code due to statute, judicial order, or
regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect.
Such description must be included in the LEGAL file described in Section 3.4 and must be included with all distributions of the Source Code. Except to the
extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it.
5. Application of this License.
This License applies to code to which the Initial Developer has attached the notice in Exhibit A and to related Covered Code.
6. Versions of the License.
6.1. New Versions.
Netscape Communications Corporation ("Netscape") may publish revised and/or new versions of the License from time to time. Each version will be given a
distinguishing version number.
6.2. Effect of New Versions.
Once Covered Code has been published under a particular version of the License, You may always continue to use it under the terms of that version. You may
also choose to use such Covered Code under the terms of any subsequent version of the License published by Netscape. No one other than Netscape has the
right to modify the terms applicable to Covered Code created under this License.
6.3. Derivative Works.
If You create or use a modified version of this License (which you may only do in order to apply it to code which is not already Covered Code governed by this
License), You must (a) rename Your license so that the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", "MPL", "NPL" or any confusingly similar
phrase do not appear in your license (except to note that your license differs from this License) and (b) otherwise make it clear that Your version of the license
contains terms which differ from the Mozilla Public License and Netscape Public License. (Filling in the name of the Initial Developer, Original Code or
Contributor in the notice described in Exhibit A shall not of themselves be deemed to be modifications of this License.)
7. DISCLAIMER OF WARRANTY.
COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A
PARTICULAR PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE IS WITH
YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR)
ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL
PART OF THIS LICENSE. NO USE OF ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
8. TERMINATION.
8.1. This License and the rights granted hereunder will terminate automatically if You fail to comply with terms herein and fail to cure such breach within 30
days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License.
Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.
8.2. If You initiate litigation by asserting a patent infringement claim (excluding declatory judgment actions) against Initial Developer or a Contributor (the
Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that:
(a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections
2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i)
agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii)
withdraw Your litigation claim with respect to the Contributor Version against such Participant. If within 60 days of notice, a reasonable royalty and payment
arrangement are not mutually agreed upon in writing by the parties or the litigation claim is not withdrawn, the rights granted by Participant to You under
Sections 2.1 and/or 2.2 automatically terminate at the expiration of the 60 day notice period specified above.
(b) any software, hardware, or device, other than such Participant's Contributor Version, directly or indirectly infringes any patent, then any rights granted to
You by such Participant under Sections 2.1(b) and 2.2(b) are revoked effective as of the date You first made, used, sold, distributed, or had made, Modifications
made by that Participant.
8.3. If You assert a patent infringement claim against Participant alleging that such Participant's Contributor Version directly or indirectly infringes any patent
where such claim is resolved (such as by license or settlement) prior to the initiation of patent infringement litigation, then the reasonable value of the licenses
granted by such Participant under Sections 2.1 or 2.2 shall be taken into account in determining the amount or value of any payment or license.
8.4. In the event of termination under Sections 8.1 or 8.2 above, all end user license agreements (excluding distributors and resellers) which have been validly
granted by You or any distributor hereunder prior to termination shall survive termination.


9. LIMITATION OF LIABILITY.
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
SHALL YOU, THE INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, OR ANY SUPPLIER OF ANY OF
SUCH PARTIES, BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR
ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF
SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM
SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO
YOU.
10. U.S. GOVERNMENT END USERS.
The Covered Code is a "commercial item," as that term is defined in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer software" and "commercial
computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through
227.7202-4 (June 1995), all U.S. Government End Users acquire Covered Code with only those rights set forth herein.
11. MISCELLANEOUS.
This License represents the complete agreement concerning subject matter hereof. If any provision of this License is held to be unenforceable, such provision
shall be reformed only to the extent necessary to make it enforceable. This License shall be governed by California law provisions (except to the extent
applicable law, if any, provides otherwise), excluding its conflict-of-law provisions. With respect to disputes in which at least one party is a citizen of, or an
entity chartered or registered to do business in the United States of America, any litigation relating to this License shall be subject to the jurisdiction of the
Federal Courts of the Northern District of California, with venue lying in Santa Clara County, California, with the losing party responsible for costs, including
without limitation, court costs and reasonable attorneys' fees and expenses. The application of the United Nations Convention on Contracts for the
International Sale of Goods is expressly excluded. Any law or regulation which provides that the language of a contract shall be construed against the drafter
shall not apply to this License.
12. RESPONSIBILITY FOR CLAIMS.
As between Initial Developer and the Contributors, each party is responsible for claims and damages arising, directly or indirectly, out of its utilization of
rights under this License and You agree to work with Initial Developer and Contributors to distribute such responsibility on an equitable basis. Nothing
herein is intended or shall be deemed to constitute any admission of liability.
13. MULTIPLE-LICENSED CODE.
Initial Developer may designate portions of the Covered Code as "Multiple-Licensed". "Multiple-Licensed" means that the Initial Developer permits you to
utilize portions of the Covered Code under Your choice of the NPL or the alternative licenses, if any, specified by the Initial Developer in the file described in
Exhibit A.

Contents

Document Objectives........................................................................................................................ 29
Audience ............................................................................................................................................ 29
Document Conventions ................................................................................................................... 29
Forbidden Characters ....................................................................................................................... 30
Related Documentation.................................................................................................................... 30
Getting Blue Coat Documentation ................................................................................................. 31

Chapter 1: Director Overview


About Director................................................................................................................................... 33
About the Benefits of Director ........................................................................................................ 34
Managing and Monitoring Blue Coat ProxySG Appliances with Director.............................. 34
What’s New in This Release ............................................................................................................ 35
Director Terminology....................................................................................................................... 36
About the Director Management Console and Command Line ................................................ 36
Using the Director Management Console............................................................................... 38
Using the Director Command Line.......................................................................................... 38
About the Content Sync Module .................................................................................................... 38

Chapter 2: Connecting to Director


Prerequisites For Connecting to Director ...................................................................................... 39
Director Configuration Defaults ..................................................................................................... 40
Command Line Configuration Tasks............................................................................................. 40
Options for Connecting to Director................................................................................................ 41
Connecting to Director Using Telnet ............................................................................................. 42
Generating RSA Keys for Director Communication.................................................................... 43
SSH-RSA Overview.................................................................................................................... 43
RSA Key Task Overview ........................................................................................................... 44
Procedure to Create the SSH-RSA Connection ...................................................................... 45
Connecting to Director using SSH.................................................................................................. 50
Connecting to Director with the Management Console.............................................................. 52
Management Console Prerequisites ........................................................................................ 52
Management Console General Notes...................................................................................... 53
Starting the Management Console........................................................................................... 53
Connecting to Director Using SSH-Simple............................................................................. 54
Connecting to Director Using SSH-RSA ................................................................................. 56
About the Director Management Console .............................................................................. 58


Configuring Browser and Mail Settings........................................................................................ 61


Setting Director Browser and Output Settings ...................................................................... 61

Chapter 3: Registering Devices


About Device Registration .............................................................................................................. 65
Comparing SSH Simple and SSH-RSA ................................................................................... 66
Registration Quick Start................................................................................................................... 67
About Appliance Certificates.......................................................................................................... 68
Overview of the Registration Process............................................................................................ 69
Determining Whether Appliances Support Certificates ............................................................. 71
Getting Started With Appliance Certificates.......................................................................... 72
Confirming Whether Director Has an Appliance Certificate..................................................... 73
Confirming Whether a Device Has an Appliance Certificate .................................................... 74
Getting Appliance Certificates or Setting Up a Registration Password ................................... 75
Getting a Device Appliance Certificate................................................................................... 75
Setting Up a Director Registration Password ........................................................................ 77
Getting a Director Appliance Certificate—Internet Access........................................................ 78
Getting a Director Appliance Certificate—No Internet Access ................................................. 79
About the Registration Process....................................................................................................... 84
Registration Methods ....................................................................................................................... 85
Registering the Device with Director ...................................................................................... 87
Setting Passwords for Newly Registered Devices on Director ........................................... 92
Changing Properties of a Registered Device ................................................................................ 95
Creating a Partial Device Record on Director .............................................................................. 99
Matching Partial Device Records............................................................................................. 99
Getting Information for the Partial Device Record ............................................................. 100
Creating the Partial Device Record ....................................................................................... 102
Registering Pre-Staged Devices With Director .................................................................... 103
Changing Passwords on Pre-Staged Devices (If Required)............................................... 108
Changing Properties of a Registered Device .............................................................................. 108

Chapter 4: Adding and Connecting to Devices


About Adding Devices .................................................................................................................. 113
Adding Devices............................................................................................................................... 114
Adding a Device Using an Identification File...................................................................... 115
Adding Devices Manually ...................................................................................................... 117
Connecting to a Device .................................................................................................................. 123
Changing the Authentication Protocol........................................................................................ 124
Marking a Device as Configured.................................................................................................. 129


Chapter 5: Managing Device Groups, Profiles, and Overlays


About Director Groups .................................................................................................................. 132
About System Groups ............................................................................................................. 133
About Custom Groups ............................................................................................................ 135
Tasks Supported by Device Groups ...................................................................................... 135
Where To Go Next ................................................................................................................... 136
Adding Custom Groups ................................................................................................................ 136
Removing a Custom Group .......................................................................................................... 138
Adding Devices to a Custom Group............................................................................................ 138
Creating or Editing Folders........................................................................................................... 140
Deleting Folders.............................................................................................................................. 142
Removing or Copying Profiles or Overlays In Folders............................................................. 143
Important Information About Profiles ........................................................................................ 144
Best Practice for Creating Profiles ......................................................................................... 144
Important Information About Platforms .............................................................................. 145
About Profiles.................................................................................................................................. 145
About Profiles and Overlays .................................................................................................. 145
Important Information About Profiles.................................................................................. 146
About Profiles and Device Settings ....................................................................................... 147
About Secure Profiles..................................................................................................................... 148
Creating a Profile ............................................................................................................................ 149
Editing a Profile .............................................................................................................................. 152
Executing a Profile.......................................................................................................................... 154
Copying a Profile ............................................................................................................................ 157
Refreshing or Deleting Profiles..................................................................................................... 158
Important Information About Using Overlays .......................................................................... 159
Important Information About Overlays and SGOS Versions............................................ 159
General Tips .............................................................................................................................. 159
Executing Overlays that Depend on Databases................................................................... 160
Creating an Overlay ....................................................................................................................... 163
Adding to the Overlay Using the Management Console................................................... 164
Adding to the Overlay Using the CLI ................................................................................... 166
Adding to the Overlay Using Refreshables.......................................................................... 166
Executing an Overlay Immediately ............................................................................................. 168
Adding VPM Policy to an Overlay .............................................................................................. 171
Copying Overlays........................................................................................................................... 175
Deleting Overlays ........................................................................................................................... 176


Chapter 6: Device Administration


Selecting Devices to Administer................................................................................................... 182
Performing Administration Tasks................................................................................................ 183
Reconnecting to Devices ......................................................................................................... 184
Rebooting Devices.................................................................................................................... 184
Clearing Devices’ DNS, Object, or Byte Cache .................................................................... 184
About Searching.............................................................................................................................. 185
Ways to Perform a Search ....................................................................................................... 185
Basic and Advanced Searches ................................................................................................ 187
Using Search .................................................................................................................................... 189
Searching for Devices and Groups ........................................................................................ 189
Searching for Profiles and Overlays ...................................................................................... 191
Searching for Config and Content Jobs................................................................................. 194
Searching for URL Lists and Regular Expression Lists ...................................................... 197
Using Search Results ...................................................................................................................... 199
Using Results from a Basic Search......................................................................................... 200
Using Results from an Advanced Search ............................................................................. 201

Chapter 7: Managing Content Collections


About Content Distribution .......................................................................................................... 207
Content Distribution Use Case............................................................................................... 209
Details of URL Distribution .................................................................................................... 210
Managing Folders for Content Collections................................................................................. 211
Creating or Editing Folders .................................................................................................... 212
Deleting Folders ....................................................................................................................... 213
Removing or Copying Content Collections In Folders ...................................................... 214
Creating and Distributing URL Lists........................................................................................... 215
Creating a URL List Object ..................................................................................................... 215
Distributing, Revalidating, Deleting, or Prioritizing a URL List ...................................... 217
Creating and Distributing Regular Expression Lists................................................................. 221
Creating a Regex List Object................................................................................................... 221
Revalidating, Deleting, or Prioritizing a Regex List ........................................................... 223
Querying URLs ............................................................................................................................... 226

Chapter 8: Creating, Scheduling, and Managing Jobs


Managing Job Folders .................................................................................................................... 232
Creating or Editing Folders .................................................................................................... 233
Deleting Folders ....................................................................................................................... 234
Removing or Copying Objects In Folders ............................................................................ 235
Creating or Editing a Job and its Basic Properties ..................................................................... 236


Getting Started With Job Actions ................................................................................................. 238


Config Job Actions ................................................................................................................... 239
Content Job Actions ................................................................................................................. 240
Config Job Action Details .............................................................................................................. 241
Push Overlay or Push Profile Details.................................................................................... 242
Refresh Overlay or Refresh Profile Details........................................................................... 244
Abort or Continue on Errors Details ..................................................................................... 245
Take Backup Details ................................................................................................................ 246
Create and Upload Archive Details....................................................................................... 248
Schedule Reports Details ........................................................................................................ 251
Reboot Device Details.............................................................................................................. 254
Clear Cache Details .................................................................................................................. 255
System Download Details....................................................................................................... 257
System Validate Details........................................................................................................... 259
Issue Director CLI Command Details ................................................................................... 260
Content Job Action Details ............................................................................................................ 262
Distribute, Revalidate, or Delete URL(s) Details ................................................................. 263
Prioritize URL(s) Details ......................................................................................................... 266
Revalidate or Delete Regex(es) Details ................................................................................. 269
Prioritize Regex(es) Details..................................................................................................... 271
Executing a Job Immediately ........................................................................................................ 274
Scheduling a Job for Future Execution ........................................................................................ 275
Scheduling a Job for Recurring Execution .................................................................................. 277
Related Commands.................................................................................................................. 279
About the Job Queue and Description Panes ............................................................................. 280
Alternate Way to View Job Results ....................................................................................... 284
Verifying Backup Jobs.................................................................................................................... 286
For More Information About Substitution Variables ......................................................... 287
Viewing the Conflict in the Job Report ................................................................................. 287
Resolving the Conflicting Substitution Variable Value...................................................... 288

Chapter 9: Managing Substitution Variables


About Substitution Variables........................................................................................................ 291
Inheriting Substitution Variables From a Custom Group.................................................. 292
Allowed Substitution Variable Formats ............................................................................... 296
Example of Using Substitution Variables............................................................................. 296
Resolving Substitution Variable Conflicts............................................................................ 297


Creating and Implementing Substitution Variables.................................................................. 303


About Using Substitution Variables in Profiles and Overlays .......................................... 303
Creating and Importing Substitution Variable Files........................................................... 304
Defining the Value of a Substitution Variable ..................................................................... 310
Creating Substitution Variables in an Overlay .................................................................... 314
Creating Substitution Variables in a Profile......................................................................... 319
Validating the Values of Substitution Variables.................................................................. 320
Editing or Deleting Substitution Variables ................................................................................. 325

Chapter 10: Monitoring Devices


About the Monitor Tab Page......................................................................................................... 329
Viewing Group and Device Status............................................................................................... 330
Viewing Group Status ............................................................................................................. 330
Viewing Device Status............................................................................................................. 331
Viewing a Device’s SGOS Edition ......................................................................................... 332
Managing Alerts ............................................................................................................................. 332
About Alerts.............................................................................................................................. 333
Managing Alerts....................................................................................................................... 338
Viewing Statistics............................................................................................................................ 348
Generating Performance Analysis Reports................................................................................. 350
Generating Health Reports............................................................................................................ 354

Chapter 11: Audit Logging


Overview of Audit Logging.......................................................................................................... 357
About Audit Logging .............................................................................................................. 357
Comparing Event Logging and Audit Logging .................................................................. 358
Examples of Audit Logging and Event Logging................................................................. 359
For More Information About Logging.................................................................................. 360
Viewing Audit Logging Status in the Management Console .................................................. 360
Configuring Audit Logging .......................................................................................................... 362
Enabling TACACS+ Authentication ..................................................................................... 362
Setting the Logging Level ....................................................................................................... 364
Configuring the External Server ............................................................................................ 364

Chapter 12: Monitoring the Health of Devices


About Health Monitoring
Device Health Monitoring Requirements
About the Health Monitoring Metrics
About Device Polling
Health Monitoring Example
About License Expiration Metrics
About the Health Monitoring Device States
About the General Metrics
About the Licensing Metrics
About the Status Metrics
About Health Monitoring Notification
Viewing a Device’s Health Monitoring Metrics
Changing Threshold and Notification Properties
Getting A Quick View of ProxySG Appliance Health
Viewing Health Monitoring Statistics
Remotely Notifying Management Stations of Device Changes
Verifying SNMP Trap Receipt
Troubleshooting

Chapter 13: Configuring Director Redundancy


Requirements
Terminology
About the Standby Pair State
Failover Assumptions
How Data is Mirrored
Monitoring Connectivity
How Failover Works
Taking a Director Out of the Pair
Configuring the Standby Pair
Viewing the State of the Primary or Secondary Director
Making Changes on the Primary Director
Connecting to a Non-Active Director
Example Company’s Disaster Preparedness
Example Procedure: Configuring the Standby Pair
Moving the Directors
Moving the Secondary Director
Taking the Primary Director Offline
Network Link Failure
Determining the Root Cause
Troubleshooting Network Failures
Upgrading the Software on the Standby Pair
Software Upgrade the Easy Way: Breaking the Standby Pair
Software Upgrade Without Downtime
Notifications Sent Only by the Primary Director
Notifications Sent Only by the Secondary Director
Notifications Sent by the Primary or Secondary Director
Notifications Caused by Administrator Action

Chapter 14: Director Logging


About Event Logging
About Audit Logging
Comparing Event Logging and Audit Logging
Examples of Audit Logging and Event Logging
For More Information about Logging
Log Message Terminology
Components of Director
About the Syslog
Syslog Log Levels
Navigating Through the Syslogs
Syslog Messages
Content Management Syslog Messages
LCD Panel Manager Syslog Messages
Communication Manager Syslog Messages
Command Line Interface Syslog Messages
Job Manager Syslog Messages
Configuration Syslog Messages
Configuration Management Syslog Messages
Health Monitoring Syslog Messages
CLI Informational and Error Messages
Interpreting Audit Details
Profile, Overlay, and Backup Logging
Job Logging
Viewing Log Files

Chapter 15: Backing Up Director and Devices


About Device Backup
General Information About Device Backups
What is Not Backed Up
Creating a Backup
Pinning or Unpinning a Backup
Restoring a Backup
Deleting a Backup
Comparing Two Backups
Saving Director’s Configuration
What is a Configuration?
Saving a Configuration
Changing the Active Director Configuration
Deleting Configuration Files
Archiving and Restoring the Entire Director Configuration
About Archives
Prerequisites for Archiving Director
Archiving Director Using the Management Console
Archiving Director Using the Command Line

Chapter 16: Upgrading Director


Supported Upgrade and Rollback Paths
SGME Rollback Notes
Director and SGOS Compatibility Matrix
Upgrade and Rollback Roadmap
Getting SGME Documentation
Upgrade Prerequisite Tasks
Getting the SGME Software Package
Installing the SGME Software Package
Destroying Old Configuration Files After an Upgrade
Changing Director Defaults
About Configuration Changes
About Director Configurations
About the Configuration Lock
Changing Director’s Running Configuration
Using Director Configuration Files
Setting Up Users
Creating Local User Accounts
Managing Users Who Manage Content
Authenticating Users
Configuring RADIUS
Configuring TACACS+
Determining the Connection Protocol
Managing Security Using Access Lists
Creating Access Lists To Control Access
Creating Access Groups for an Interface
Using the SNMP Server
Managing Sessions
Rebooting Director
Shutting Down Director
Procedure to Replace a Director 800
Access List Differences
About the access-list Command
Summarizing the Differences
Example Access Lists

Introduction to the Director Management Console
Internet Explorer 6, 7, and 8
Setting Up Internet Explorer 6, 7, or 8
Internet Explorer 7 and 8 Connection Details
Internet Explorer 6 Connection Details
Firefox 3 and 3.5
Setting Up Firefox 3.x (Including 3.5)
Firefox 3.5 Connection Details
Firefox 3.x Connection Details
Safari 3
Setting Up Safari 3
Safari 3 Connection Details
Director RSA Fingerprint Warning

Preface

This preface describes who should read the Director Configuration and
Management Guide, how it is organized, and its document conventions.
This preface contains the following sections:
❐ "Document Objectives" on page 29
❐ "Audience" on page 29
❐ "Document Conventions" on page 29
❐ "Forbidden Characters" on page 30
❐ "Related Documentation" on page 30

Document Objectives
This configuration and management guide describes how to use the Blue Coat®
Director software for setting up, monitoring, and managing all aspects of
networks that use Blue Coat ProxySG™ appliances.

Audience
This guide is intended for network administrators and managers.

Document Conventions
The documentation uses the following conventions:

| Convention | Description |
|---|---|
| bold sans serif type | Field and option labels in the Management Console. |
| italicized type | Book titles; variables; new terms |
| monospaced type | File and directory names; commands and code examples; text you must enter in the command line or Management Console |
| monospaced bold type | Literal command-line commands; that is, commands you enter in the Director command line exactly as written |
| Square brackets, as in [value] | Optional command parameters |
| Curly braces, as in {value} | Required command parameters |
| Logical OR, as in value1\|value2 | Exclusive command parameters where only one of the options can be specified |

Forbidden Characters
The colon (:) and question mark (?) characters cannot be used in entry fields or
parameter values unless you perform the following tasks:
❐ If you use a colon character in a field or parameter (for example, in a URL),
either enclose the entire URL in double quotation marks or escape it by
preceding it with a / character.
Examples of using a colon character in a URL:
http/://www.example.com
"http://www.example.com"

❐ To use a question mark in a field or parameter (for example, in a URL), first
enter cli help disable, which causes Director to ignore the question mark
character.

Related Documentation
The following table shows other Director documentation available from Blue
Coat:
Table 1–1 Documentation available from Blue Coat

| Document name | Description |
|---|---|
| Quick Start Guide | Shipped with your Blue Coat Director appliance; discusses how to install the Director appliance and perform basic configuration. |
| Blue Coat Systems Director Command Line Interface Reference | Describes all of the available Director command line commands. |
| Blue Coat Director Content Sync Module Guide | Discusses the Content Sync Module, which crawls a Web server or file system, tracks the time that the content was last modified, and then changes the content in the ProxySG appliances accordingly. Note: The Content Sync Module does not ship with Director. It is available separately. The Content Sync Module is used in Content Distribution Network (CDN) deployments. |
| Release Notes | Provides late-breaking news; updates to the product; and known issues. To get Blue Coat documentation and Release Notes, see the next section. |

Getting Blue Coat Documentation
To get the Director Release Notes and documentation:
1. Go to http://support.bluecoat.com, enter your BlueTouch Online user name
and password in the fields at the top of the page, and click Login.
If you do not have a user name and password, fill in the form at
http://www.bluecoat.com/support/supportservices/btorequest.
2. Click the Documentation tab.
3. On the Documentation tab page, click Director.
4. Follow the prompts on your screen to download the documentation and
Release Notes.
5. After reading the Release Notes, save them on your local computer.

Chapter 1: Director Overview

This chapter provides an overview of Director. It discusses benefits,
terminology, the Director Management Console, and the command line
(sometimes referred to as the command line interface or CLI).
Topics include:
❐ "About Director"
❐ "About the Benefits of Director" on page 34
❐ "Managing and Monitoring Blue Coat ProxySG Appliances with Director"
on page 34
❐ "What’s New in This Release" on page 35
❐ "Director Terminology" on page 36
❐ "About the Director Management Console and Command Line" on page 36
❐ "About the Content Sync Module" on page 38

About Director
Blue Coat® Director centrally manages and monitors multiple Blue Coat
ProxySG appliances simultaneously. Administrators can use Director to set
user and content policy, manage ProxySG appliance configurations, distribute
and control Web content, upgrade and validate SGOS software, and back up
ProxySG appliances.

Note: SGME 5.4.2.x can be used to manage appliances running SGOS version
5.4.1 and later. For up-to-date information, see the Director Release Notes.

Director is the single point of administration and monitoring for configuration
and policy management for one or more ProxySG appliances. It manages
everything from ProxySG appliance configuration to content distributed to
ProxySG appliances—including policy and license distribution.
Key configuration management features include:
❐ Configure groups of ProxySG appliances based on locations, applications,
or more.
❐ Rapidly deploy standardized configurations.
❐ Manage the scheduling of policy and configuration changes.
❐ Easily schedule incremental configuration changes to one or more ProxySG
appliances.
❐ Create and distribute policy across a system of ProxySG appliances.
❐ Back up ProxySG appliances.
❐ Compare backup files from different ProxySG appliances and restore
configuration backups to multiple ProxySG appliances.
❐ Quickly monitor ProxySG appliance status, statistics, and configurations.
❐ Upgrade ProxySG appliances simultaneously.

About the Benefits of Director


Director provides the following benefits:
❐ Reduces management costs by centrally managing all ProxySG appliances.
❐ Delegates network and content control to multiple administrators.
❐ Eliminates the need to configure each remote ProxySG appliance manually.
❐ Ensures consistency when updating multiple, identical ProxySG appliances.
❐ Recovers from system problems with automated configuration snapshots and
recovery.
You can access Director using either the Director Management Console or the
command line.

Managing and Monitoring Blue Coat ProxySG Appliances with Director


Administrators can use Director to set user and content policy, manage ProxySG
appliance configurations, distribute and control all types of Web content, upgrade
and validate SGOS software, back up ProxySG appliances, and monitor the health
and performance of ProxySG appliances.

What’s New in This Release


The Director 5.4.2.x release includes the following new features:

| Feature | Benefit |
|---|---|
| Java WebStart Management Console | The Director Management Console is no longer a separate application you must install on your computer. Instead, you access it using a Web browser from the following URL: https://director_host-or-ip:8082. Starting with this release, the Director Management Console is a Java WebStart application. It requires JRE 1.6 update 1 or later be installed on your computer. In addition, the Management Console has been redesigned to be more usable and attractive. For a list of supported operating systems and Web browsers, see the System Requirements section later in the Director Release Notes. (B#109155, 109157) |
| Administration Tasks in the Management Console | As part of the Management Console redesign, a new Administration Tasks panel on the Configuration tab page enables you to: reconnect devices; reboot devices; clear the object cache, byte cache, or DNS cache on devices; clear ProxySG .jar files cached on the local computer. |
| Scheduling health reports and Performance Analysis reports | Health Reports and Performance Analysis reports can now be scheduled as jobs and e-mailed to recipients you select. |
| XML APIs | For the first time starting in this release, you can perform the following actions using XML-based APIs: Content API (push content to devices, delete content from devices, revalidate content on devices, query content on devices); Forwarding hosts API, which creates forwarding host objects; Policy API, which enables you to create Web Content, Web Access, and Forwarding layers. For more information about these tasks, see the Director API Reference. |

Director Terminology
The following special Director terminology is used in this manual:
❐ Security Gateway Management Edition (SGME)
❐ Device: A ProxySG appliance.
❐ Director (or Blue Coat Director): The product as a whole, encompassing the
hardware and software and all the features.
❐ Command Line Interface (CLI): A term sometimes used for the SGOS and
Director command lines.
❐ Director image file: The file containing the Director SGME software.
❐ Director Management Console: The Director user interface.
❐ Profile: A configuration operation on Director that creates a snapshot of all
configuration and policy from a source device.
❐ Overlay: A configuration operation on Director that is used to replace selected
configurations or policy on one or more ProxySG appliances.
❐ Job: A set of actions Director performs on appliances, either immediately or
scheduled in advance.

About the Director Management Console and Command Line


The Director Management Console or the command line can be used to manage
ProxySG appliances. The Director Management Console provides a graphical
view, making it easier to learn Director. However, the Director Management
Console is not used for initial setup of Director.
Table 1–1 lists the features and actions that can be performed in each interface.

Table 1–1 Availability of Features in the Director CLI and Management Console

| Feature | Management Console | CLI |
|---|---|---|
| Initial Setup and Managing System Software | | |
| Director software installation, upgrade, and downgrade | No | Yes |
| Archive (that is, back up) the Director configuration | Yes | Yes |
| Device software upgrade and validation | Yes | Yes |
| Device license management | Yes | Yes |
| Global IP configuration | No | Yes |
| Network interface configuration | No | Yes |
| Search for devices, groups, jobs, profiles, overlays | Yes | No |
| Run performance analysis reports | Yes | No |
| Manage substitution variables | Yes | Yes |
| Time management | No | Yes |
| LCD panel setup | No | Yes |
| SSH server | No | Yes |
| FTP and Telnet servers | No | Yes |
| SNMP | No | Yes |
| User accounts | No | Yes |
| Workgroups | No | Yes |
| Authentication | No | Yes |
| Session management | Yes | Yes |
| Event logging | No | Yes |
| Audit logging | No | Yes |
| Director standby | No | Yes |
| Director CLI state management | No | Yes |
| Archiving configuration and backups | No | Yes |
| Device health monitoring | Yes | Yes |
| Configuration Management | | |
| Enabling the explicit configuration lock | No | Yes |
| Managing folders for profiles, overlays, and jobs | Yes | Yes |
| Initial setup of Directory hierarchy—management node, groups, and ProxySG appliances | Yes | Yes |
| Configuration management for multiple ProxySG appliances | Yes | Yes |
| Comparison between two profiles, two overlays, or two device backups | Yes | Yes |
| Overlay creation | Yes | Yes |
| Configuration file backups | Yes | Yes |
| Job management | Yes | Yes |
| Job querying | Yes | Yes |
| Job summary | Yes | Yes |
| Content Management | | |
| Content distribution | Yes | Yes |
| Job management | Yes | Yes |
| Job querying | Yes | Yes |

Using the Director Management Console


The Director Management Console can be used to manage one Director appliance
at a time, although you can set up connections to many Director appliances. The
Management Console is a Web-based application that runs on any system in any
Web browser listed in the Director Release Notes.

Using the Director Command Line


The Director command line enables you to set up Director, its associated ProxySG
appliances, and its users. With the exceptions noted in Table 1–1, you can perform
the same tasks in the command line as you can with the Management Console.
You can access the Director command line using either Secure Shell (SSH)—which
is recommended for security reasons—or Telnet.

About the Content Sync Module


The Content Sync Module (CSM) operates by crawling a Web server or file system
and tracking the time that the content was last modified, and then changing the
content in the ProxySG appliances accordingly.

Note: The Content Sync Module does not ship with Director. It is available
separately. The Content Sync Module is used in Content Distribution
Network (CDN) deployments.

The CSM supports:


❐ Scheduled generation of URL lists and upload of URL lists.
❐ Generation of URL lists that reflect changes in content, either on request or
automatically, and upload of the lists on request.
❐ Issuing of content commands to Director.
❐ Enabling of automatic content updates. CSM can watch where internal
content owners (such as HR or engineering) publish content and then tell
Director to update the ProxySG appliances.
The CSM is discussed in more detail in the Blue Coat Director Content Sync Module
manual.

Chapter 2: Connecting to Director

This chapter discusses how to connect to your Director appliance using the
Director Management Console. This chapter includes the following topics:
❐ "Prerequisites For Connecting to Director"
❐ "Director Configuration Defaults" on page 40
❐ "Command Line Configuration Tasks" on page 40
❐ "Options for Connecting to Director" on page 41
❐ "Generating RSA Keys for Director Communication" on page 43
❐ "Connecting to Director with the Management Console" on page 52
❐ "Configuring Browser and Mail Settings" on page 61
See also Appendix C: "Management Console Browser Details".

Prerequisites For Connecting to Director


Before you begin, rack mount the appliance, connect it to the network, and
configure it for the following:
❐ IP address and subnet mask
❐ Default gateway
❐ DNS server, if any
These tasks are discussed in the Quick Start Guide shipped with your Director
appliance.
Note: Make sure you connect to Director appliances with the matching version
of the Management Console. For example, use the Management Console 5.4.2
to connect to Director appliances running SGME 5.4.2.x, and use the
Management Console 5.4 to connect to Director appliances running SGME
5.4.x. You cannot use the Management Console 5.4.2 to manage a Director
appliance running SGME 5.2 because new features (like folders, search, and
performance analysis reports) were not available in SGME 5.2.


Director Configuration Defaults


Director’s configuration is set to the following by default:
❐ Director administrator user name: admin
❐ Authentication method: local
❐ Connection protocol (connection between Director and the ProxySG
appliance): SSHv2 Simple
❐ Authentication Port: 8082 (HTTP is not supported between Director and the
device)
❐ FTP, SNMP and Telnet: disabled by default.

Command Line Configuration Tasks


Following is a partial list of tasks you should perform using Director’s
command line:
| Task | For more information |
|---|---|
| Enabling an external server to receive Director event and audit logs using SCP | Chapter 11: "Audit Logging" |
| Administering users | "Setting Up Users" on page 502 |
| Enabling the explicit configuration lock | "About Configuration Changes" on page 494 |
| Upgrading or downgrading SGME software | Chapter 16: "Upgrading Director" |
| Secure access to Director using access lists | "Managing Security Using Access Lists" on page 514 |
| Manage Director configurations | "Using Director Configuration Files" on page 498 |


Options for Connecting to Director


The following tables summarize the tasks required to connect to the Director
Management Console.
Before you begin, you must perform the tasks discussed in "Prerequisites For
Connecting to Director" on page 39.
Table 2–1 Options for connecting to Director

| Connection Method | Description |
|---|---|
| Telnet | Telnet is not secure and is therefore not a recommended connection method. For more information, see "Connecting to Director Using Telnet" on page 42. |
| Command line, SSH Simple | Although SSH using RSA-SSH is preferred, you also have the option of using SSH-Simple, which is not secure. After you set up Director on the network, you can connect to the command line using SSH Simple without any other configuration required. |
| Command line, SSH-RSA | The secure, recommended way to connect to the Director command line. For more information, see "Generating RSA Keys for Director Communication" on page 43. |
| Management Console | Configure Director from any computer using a supported Web browser. For more information, see "Connecting to Director with the Management Console" on page 52. |


Connecting to Director Using Telnet


You can optionally enable Director’s Telnet server to enable a Telnet session to the
Director Management Console. Because Telnet is less secure, Director’s Telnet
server is disabled by default.
Blue Coat recommends you always connect to the Management Console using
SSH-RSA as discussed in "Generating RSA Keys for Director Communication" on
page 43.

To enable Director’s Telnet server:


1. Log in to Director using an SSH application as discussed in "Connecting to
Director using SSH" on page 50.
2. After you log in to the Director command line, the command prompt displays
as follows:
director >
3. At the prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. At the director (config) # command prompt, enter the following command
to enable the Telnet server:
director (config)# telnet-management enable
7. Save the configuration.
director (config)# write memory

To disable Director’s Telnet server:

1. At the (config) command prompt, enter the following command:
director (config)# no telnet-management enable
2. Save the configuration.
director (config)# write memory

Note: Telnet disconnects after three invalid attempts to connect. There also might
be a time lag before Telnet reports on device status.


Generating RSA Keys for Director Communication


To create RSA keys to securely authenticate your computer with the Director
Management Console and command line using SSH-RSA, complete the tasks
discussed in this section.
To connect to the Director Management Console using SSH Simple (that is, a user
name and password), skip this section and continue with "Connecting to Director
with the Management Console" on page 52.

SSH-RSA Overview
SSH-RSA has the following benefits:
❐ Securing the network. Devices that are authenticated have exchanged keys,
verified each other’s identity, and know which devices are trusted. Passwords
are not sent over the network.
❐ Preventing man-in-the-middle attacks. Using RSA public/private key
authentication prevents man-in-the-middle attacks by using the server's host
key to verify the other host’s identity. Because the man-in-the-middle cannot
access the private key, the attacker cannot decrypt the traffic between the
server and the client.
❐ Secure profiles. When you create a device profile using a source device that
communicates with Director using SSH-RSA, Director includes in the profiles
keyrings, certificates, and other settings that would otherwise be encrypted. If
the source device uses SSH Simple, however, these encrypted settings are
omitted from the profile.
❐ Securing protocols. Many protocols require authentication at each end of the
connection before they are considered secure. SSH-RSA authentication means
that each host verifies each other’s identity at each end of the connection.
The following table summarizes the differences between SSH Simple and SSH-RSA:

| Feature | SSH Simple | SSH-RSA |
|---|---|---|
| Is communication encrypted? | Yes | Yes |
| Are passwords sent over the network? | Yes | No |
| Is it vulnerable to man-in-the-middle attacks? | Yes | No |


RSA Key Task Overview


To create an RSA public-private key pair with which to authenticate with Director,
you need an application that creates an RSA private key in OpenSSH format
because OpenSSH is the only format Director accepts.
Cygwin (specifically, ssh-keygen which is included in OpenSSH components that
are not part of the default installation) creates an RSA private key in that format
and Puttygen converts its private key to OpenSSH format.
Consult the documentation provided with the application you use to see if it
generates an OpenSSH private key or if it converts the private key to OpenSSH
format. (More information about Puttygen can be found in the Puttygen User
Manual.)
Blue Coat does not recommend a specific utility to generate the key pair.
The process can be summarized as follows:
1. Generate the key pair on the Windows host from which you run the Director
Management Console.
(You can also create the key pair on UNIX and copy the public and private
keys to the Windows host; however, those instructions are beyond the scope
of this document.)
2. Import your public key in to Director using its command line.
When you connect to Director using SSH to perform this task, use SSH Simple
user name and password authentication.
3. Add Director’s public key to your list of known hosts.
The tasks you perform in this step depend on your SSH application. An
example is shown in the procedure that follows; consult the documentation
provided with your SSH applications for specific details.


Procedure to Create the SSH-RSA Connection


The procedure to create the SSH-RSA connection with Director can be divided
into the following tasks:
1. "Generating RSA Public and Private Keys"
2. "Importing Your Public Key Into Director" on page 47
3. "Adding Director to Your List of Known Hosts" on page 48

Generating RSA Public and Private Keys


The first task you must perform to authenticate with Director using SSH-RSA is to
generate an RSA key pair (that is, public and private keys) on the host you will
use to run the Management Console.

To generate RSA public and private keys:


1. If necessary, get an application like Cygwin (specifically, ssh-keygen) or
Puttygen to create the RSA key pair.
The application must be able to create an RSA private key in OpenSSH format.
Consult the documentation provided with the application you use to see if it
generates an OpenSSH private key or if it converts the private key to
OpenSSH format.
Note: Cygwin does not install the OpenSSH components like ssh-keygen by
default. For more information, see the Cygwin Package List page.
Blue Coat does not recommend a particular utility. Consult the documentation
provided with the utility you choose for specific information about it not
covered in this book.
2. Generate and save an RSA-SSH v2 key pair (that is, public and private keys)
on a machine accessible to Director using the utility.
Note: When you create the private key, you have the option of creating a
passphrase to encrypt it. Creating a passphrase is highly recommended as a
security precaution in the event your private key is stolen because without the
passphrase, your private key cannot be read.
If you do not use a passphrase, your private key can be read by anyone,
meaning another party can access Director without using any other
authentication credentials.
The procedure you use to create the key depends on the utility you use.
Following is an example only for Puttygen. If you use another utility, skip the
example and continue with Step on page 47.
For more information about Puttygen, see the Puttygen User Manual.
a. Open a DOS command prompt window.
b. Change to the folder in which you downloaded Puttygen and enter
puttygen.

c. In the Parameters section, click SSH-2 RSA.


d. Click Generate.
e. Follow the prompts on your screen to generate the key pair.
f. Recommended. Enter a passphrase for your private key and confirm it in
the provided fields.
An example Puttygen window follows:
[Figure: example Puttygen window, with the callout "Copy the public key from here"]
g. Copy the data in the Key section to the clipboard.


This is your public key. An example follows:
ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEA6FiqZbBBWfimtAFqrSv94W9XpJd3CoGF1nyY3E
YxDWpI2vspLxfBoSSyojXiIPJviXoSwP0qvKQkEucM3LS5y6d7WPjJIsbGOGJtNaif
I+k451iHe0LJLGUV438Hiq4PvapcY1J4u6OEsClFSFpMke/H2JY35kpd/
fanG9yyed8=

Notes:
• The entire public key must be on a single line. It is shown here on
multiple lines because of space limitations.
• The public key begins with ssh-rsa followed by one space and ends
with one or more equal signs (=). Remove additional characters from
the end of the public key, after the equal sign.
h. Paste the public key into Notepad and save it as a text file.
Later, you import this public key into Director.
i. Click Conversions > Export OpenSSH key.
This step is required to connect to the Director Management Console using
SSH-RSA. The Management Console cannot use a Puttygen-formatted
private key; it uses only OpenSSH-formatted private keys.


j. Follow the prompts on your screen to save the exported private key to
a folder.
You will need the private key later to connect to the Director Management
Console.
3. This step applies to you only if you used a tool such as Cygwin to create your
key pair. You do not need to perform this task if you used Puttygen.
Before the public key can be imported into Director, you must remove
information like the following:
• Carriage returns
• ---- BEGIN SSH2 PUBLIC KEY ---- and ---- END SSH2 PUBLIC KEY ----
• Comments
• Commands preceded by, including, or followed by spaces (the only
exception being ssh-rsa and the space following it)
• Text following the final equal signs (==)
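
The cleanup in step 3 can be scripted rather than edited by hand. The following is an added example, not Blue Coat code: it accepts either an SSH2 public key file with the BEGIN/END markers or a wrapped ssh-rsa line with a trailing comment (slightly more than the Cygwin case in the text) and returns the single-line key, its modulus size, and an MD5 fingerprint for comparison with the key generator's display. All function names are assumptions, and the sample key is constructed and not usable.

```python
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def read_field(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_rsa_blob(blob):
    """Return (e, n) from a decoded ssh-rsa blob; raise ValueError if malformed."""
    key_type, off = read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, off = read_field(blob, off)
    n_bytes, off = read_field(blob, off)
    if off != len(blob):
        raise ValueError("unexpected data after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def key_fragments(text):
    """Split pasted key text into candidate base64 fragments, in order."""
    # Carriage returns and blank lines are dropped here.
    lines = [ln.strip() for ln in text.replace("\r", "\n").split("\n") if ln.strip()]
    if BEGIN in lines:
        if END not in lines:
            raise ValueError("BEGIN marker without END marker")
        fragments, in_header = [], False
        for ln in lines[lines.index(BEGIN) + 1:lines.index(END)]:
            # Header lines ("Comment: ...") contain a colon, which base64 never
            # does; a trailing backslash continues the header on the next line.
            if in_header or ":" in ln:
                in_header = ln.endswith("\\")
                continue
            fragments.append(ln)
        return fragments
    words = " ".join(lines).split()
    if not words or words[0] != "ssh-rsa":
        raise ValueError("expected text starting with 'ssh-rsa'")
    return words[1:]


def normalize_public_key(text):
    """Return (single_line_key, modulus_bits) for a pasted RSA public key."""
    candidate = ""
    for fragment in key_fragments(text):
        candidate += fragment
        try:
            # The blob is length-prefixed, so the first prefix that parses as a
            # complete key marks its true end; '=' padding is not relied on and
            # anything after the key (a comment) is never reached.
            blob = base64.b64decode(candidate, validate=True)
            _e, n = parse_rsa_blob(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        return "ssh-rsa " + candidate, n.bit_length()
    raise ValueError("no complete ssh-rsa key found")


def md5_fingerprint(single_line_key):
    """Colon-separated MD5 fingerprint of the key blob."""
    digest = hashlib.md5(base64.b64decode(single_line_key.split()[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def constructed_blob():
    """Structurally valid 1024-bit blob from a made-up modulus (not a real key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    n = (1 << 1023) | 0x1234567
    # mpint rule: a leading zero byte keeps a high-bit-set value positive.
    return field(b"ssh-rsa") + field(b"\x25") + field(b"\x00" + n.to_bytes(128, "big"))


if __name__ == "__main__":
    b64 = base64.b64encode(constructed_blob()).decode()
    pasted = "\r\n".join([BEGIN, 'Comment: "constructed-example"']
                         + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])
    line, bits = normalize_public_key(pasted)
    print(line)
    print(bits, "bit RSA key, MD5 fingerprint", md5_fingerprint(line))
```

Input that is not a complete ssh-rsa key raises ValueError instead of producing a line that Director would reject or silently mis-import.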

Importing Your Public Key Into Director


After creating the RSA key pair as discussed in the preceding sections, you must
import your public key into Director so Director recognizes your computer as a
known host.

To import your public key into Director:


1. Use a Secure Shell (SSH) application to connect to Director.
2. Log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. At the director (config) # prompt, import the public key into Director by
entering the following command:
ssh client user username authorized-key rsakey sshv2 public_key

where
username is Director’s administrator user name, which is admin by default
public_key is your public key; you copied it to the text editor in "Importing
Your Public Key Into Director" on page 47.
A message displays only if an error occurs.
7. Disconnect from Director so you can add Director to your list of known hosts
as discussed in the next section.


Adding Director to Your List of Known Hosts


The final task to set up an SSH-RSA connection to Director is to add Director to
the lists of hosts known by the computer from which you will start the
Management Console.
The tasks you perform depend on the SSH application you use; consult its
documentation for specific details.

To add Director to your list of known hosts:


Configure your SSH application to connect to Director using RSA-SSH v2.
Consult the documentation provided with the SSH application for details.
To connect to Director using RSA-SSH v2, you must import Director’s public key
to your known hosts file. The procedure you use depends on the SSH application
you use.
Following is an example only for Putty. If you do not use Putty, ignore the
example and continue with "Connecting to Director with the Management
Console" on page 52.

Putty Example
An example of adding Director to Putty’s list of known hosts follows; consult the
documentation provided with Putty for additional information.

To add Director to Putty’s list of known hosts:


1. Start Putty.
2. Load the connection information for Director.
3. In the Category pane, click Connection > SSH > Auth.
4. In the Private key for authentication field, enter the absolute file system path to
Director’s private key file (including the file name), or click Browse to locate it.


An example Putty window follows:

5. At the top of the Category pane, click Session.


6. Click Save to save the changes to the connection.
7. Click Open.
8. If you created a passphrase for your private key, enter it at the prompt.
An example follows; your connection information will be different,
depending on your Director administrator user name and the date on which
you created the key pair.
login as: admin
Authenticating with public key "rsa-key-20080209"
Passphrase for key "rsa-key-20080209":

9. Continue with the next section.


Connecting to Director using SSH


The following procedure discusses how to access the Director command line
using a Secure Shell (SSHv2) application.

To start a Director command line session:


1. Get an SSH application.
If you use UNIX, use the ssh utility.
If you use Windows, get an application like Cygwin or Putty.
Blue Coat does not recommend a particular application; however, Windows
examples in this book are based on Putty.
2. Connect to Director using either of the following:
• UNIX: Step 3
• Windows: Step 4
3. UNIX: Connect to Director using ssh:
To connect using the UNIX ssh utility or using Windows OpenSSH software,
use the following command:
ssh -lusername host_or_ip

where username is the Director administrator user name (admin by default)
and host_or_ip is Director’s fully qualified host name or IP address.
An example follows:
Copyright (c) 1997-2009, BlueCoat Systems, Inc.
Welcome to SG-ME 5.4.1.1 #34567 2009.03.20-110141
director >

After completing these tasks, continue with step 5.


4. Windows: To connect using Putty:
a. Open a DOS command prompt window.
b. Change to the folder to which you downloaded putty.exe.
c. In the command prompt window, enter putty.


d. In the Putty Configuration window, enter the following information:


| Item | Description |
|---|---|
| Host Name (or IP address) field | Enter Director’s fully qualified host name or IP address. |
| Port field | Enter the SSH port number (the default is 22). |
| Connection Type options | Click SSH. |
| Saved Sessions field | Enter a unique name to identify this Director session. |

An example follows:

e. Click Save.
f. Click Open.
5. After you log in to the Director command line, the command prompt displays
as follows:
director >

This prompt indicates you are using standard mode.
The command prompt changes to reflect the mode you are using:

| Prompt | Mode |
|---|---|
| > | Standard, which enables you to set basic settings. Standard mode does not require a password. After you log in to Director, you start with standard mode. |
| # | Enable, which enables you to set more advanced settings. By default, enable mode does not require a password but Blue Coat recommends you create a password. From standard mode, enter enable to start enable mode. |
| (config) # | Configuration, which enables you to configure the Director appliance. From enable mode, enter configure to start configuration mode. |

Note:
• For information about using the Director command line to set up Director,
see Appendix A: "Administering Director" on page 493. For full
command arguments and syntax, refer to the Blue Coat Director Command
Line Interface Reference Guide.
• Commands listed in standard mode are also available in enable and
configuration modes. Most commands provided in enable mode are also
available in configuration mode.

Connecting to Director with the Management Console


This section discusses how to connect to the Director Management Console. See
one of the following topics for more information:
❐ "Management Console Prerequisites"
❐ "Management Console General Notes" on page 53
❐ "Starting the Management Console" on page 53

Management Console Prerequisites


To run the Director Management Console, you need all of the following:
❐ Supported operating system
❐ Supported Web browser
For the latest operating system and Web browsers supported, see the Director
Release Notes.
❐ Sun Java JRE 1.6 or later
If you have not done so already, install JRE 1.6 or later from the Sun Java Web
site.
❐ Your Director appliance must have an appliance certificate
For more information, see Section B: "Getting a Director Appliance Certificate"
on page 78.


Management Console General Notes


Note the following about the Director Management Console:
❐ Up to five users can be logged in to the Director Management Console at one
time.
❐ The Director Management Console can be used with the same version of
SGME only. In other words, the Director 5.4.2 Management Console can be
used with a Director appliance running SGME 5.4.2.
The following combinations are not expected to function properly:
• Director 5.4.2 Management Console with a Director running SGME 5.4 or
earlier.
• Director 5.4 Management Console with a Director running SGME 5.4.2.

Starting the Management Console


This section discusses how to start the Director Management Console. Before
beginning, make sure you review the following information:
❐ To authenticate with the Management Console using SSH-RSA, see
"Generating RSA Keys for Director Communication" on page 43
❐ "Management Console Prerequisites" on page 52
❐ "Management Console General Notes" on page 53

To start the Director Management Console:


1. If you have not done so already, install JRE 1.6 or later from the Sun Java Web
site.
2. Start a supported Web browser.
For a list of supported Web browsers, see the Director Release Notes.
3. Enter the following URL in your browser’s address or location field:
https://director_host_or_ip:8082

where director_host_or_ip is the Director appliance’s fully qualified host name
or IP address.
4. Depending on the Web browser, prompts might display before you log in.
For details about these browser-specific prompts, see Appendix C:
"Management Console Browser Details".


The Login page displays.

Continue with one of the following sections:


• "Connecting to Director Using SSH-Simple"
• "Connecting to Director Using SSH-RSA" on page 56

Connecting to Director Using SSH-Simple


This section discusses how to connect to Director using the SSH-Simple protocol.
To use SSH-RSA instead, skip this section and see "Connecting to Director Using
SSH-RSA" on page 56.

To connect to Director using SSH-Simple:


1. Complete the tasks discussed in "Connecting to Director with the
Management Console" on page 52.
The Login page displays as follows.


2. At the Login page, click SSH-Simple and enter the following information:

| Field | Description |
|---|---|
| User Name | Enter the Director administrator user name. |
| Password | Enter the user’s password. |
| Enable Password | Enter the enable mode password, if any. |

3. Click Proceed.
The following warning might display after you log in to the Director
Management Console:

For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
After you log in to Director, the Management Console displays in a new
window. For more detailed information, see Appendix C: "Management
Console Browser Details".
You have the following options:
• "About the Director Management Console" on page 58
• "Setting Director Browser and Output Settings" on page 61


Connecting to Director Using SSH-RSA


This section discusses how to connect to Director using the SSH-RSA protocol.
To use SSH-Simple instead, skip this section and see "Connecting to Director Using
SSH-Simple".

To connect to Director using SSH-RSA:


1. Complete the tasks discussed in "Generating RSA Keys for Director
Communication" on page 43 to generate the public-private key pair to connect
to Director.
2. Complete the tasks discussed in "Connecting to Director with the
Management Console" on page 52.
The Login page displays as follows.

3. At the Login page, click SSH-RSA and enter the following information:

| Item | Description |
|---|---|
| RSA User Name | Enter the Director administrator user name. |
| Identity file location | Enter the absolute file system path to the identity file—including the file name—or click Browse to locate it. The identity file is the OpenSSH private key you created for logging in to Director as discussed in "Generating RSA Public and Private Keys" on page 45. |
| The identity file is password protected | Select this check box if you created a passphrase to protect your private key (that is, identity file). |
| Identity password | If you selected the check box, enter the identity file’s passphrase. |
| Enable password | Enter the enable mode password, if any. |


4. Click Proceed.
The following warning might display after you log in to the Director
Management Console:

For example, the warning typically displays after you log in to Director for the
first time (including logging in for the first time after upgrading Director).
However, this warning might indicate a problem if another device is trying to
impersonate Director and is sending you a different RSA fingerprint.
You have the following options:
• Click Cancel to quit without attempting to connect to Director.
You should cancel the connection if you suspect that another device is
trying to impersonate Director.
• Click No to connect to Director using the RSA fingerprint cached on the
computer. If the connection fails, there might be an issue with another
device impersonating Director.
• Click Yes to accept the fingerprint and connect to Director.
This is the best option if you are connecting to Director for the first time.
After you log in to Director, the Management Console displays in a new
window. For more detailed information, see Appendix C: "Management
Console Browser Details".
You have the following options:
• "About the Director Management Console" on page 58
• "Setting Director Browser and Output Settings" on page 61


About the Director Management Console


After connecting to Director, the Management Console displays.

Configuration options are categorized according to task and presented in four tab
pages.

About Director Status


If you expand Director Status at the top of the Management Console, the current
standby and audit logging status displays:

Under Director Status, clicking More next to Auditing Policy displays the current
status of audit logging.
In SGME 5.3 and later, Director enables you to track the contents of the following
using audit logging:
❐ Profiles
❐ Overlays
❐ Configuration and content jobs
❐ Backups

Audit logging enables administrators to track what tasks were performed by
commands that configured components in the preceding list. Administrators and
auditors can use event logging and audit logging together to determine what was
changed, who changed it, and when it was changed.
The Management Console displays the current status of audit logging, including
the default auditing policy, which is one of the following:
❐ delete (Default.) Deletes audit log files from subdirectories of
/local/logs/scplogs, starting with the oldest files first.
❐ stop-logging Stops transferring log files to subdirectories of the
/local/logs/scplogs directory if uses more than 1GB less.
❐ stop-processing Stops processing any commands that trigger audit logging.


The Audit Policy Settings dialog box displays similarly to the following:

To display audit policy from the command line, enter the following command:
director (config) # show logging
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: NULL
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 5.119403 MB
Free space: 1018.880597 MB
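
A scheduled check can read this output and flag gaps in audit logging. The following is an added example, not Blue Coat code: it parses the show logging output printed above and reports findings. The function names, the 80% fullness threshold, and the assumption that a configured SCP server replaces NULL with a host value are illustrative.

```python
import re

# "show logging" output exactly as printed in the guide.
SAMPLE = """\
Console logging level: crit
Local logging level: notice
No logging hosts configured.
SCP server: NULL
Auditing overflow policy: delete
Directory usage for audit logs:
Used space: 5.119403 MB
Free space: 1018.880597 MB
"""

# Policy effects, worded after the guide's own descriptions.
POLICY_EFFECT = {
    "delete": "oldest audit log files are deleted first",
    "stop-logging": "log file transfer to /local/logs/scplogs stops",
    "stop-processing": "commands that trigger audit logging stop being processed",
}


def parse_show_logging(output):
    """Turn 'show logging' output into a dict keyed by lower-cased field name."""
    state = {"logging hosts": True}  # assumed True unless the CLI says otherwise
    for raw in output.splitlines():
        line = raw.strip()
        if line == "No logging hosts configured.":
            state["logging hosts"] = False
            continue
        key, sep, value = line.partition(":")
        if not sep:  # echoed prompt or blank line
            continue
        size = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?) MB", value.strip())
        state[key.strip().lower()] = float(size.group(1)) if size else value.strip()
    return state


def audit_findings(output, full_threshold=0.8):
    """Return a list of human-readable findings about audit log handling."""
    state = parse_show_logging(output)
    findings = []
    if state.get("scp server", "NULL") == "NULL":
        findings.append("no SCP server: event and audit logs are not sent "
                        "to an external server")
    if not state["logging hosts"]:
        findings.append("no remote logging hosts configured")
    policy = state.get("auditing overflow policy")
    if policy in POLICY_EFFECT:
        findings.append("overflow policy '%s': %s" % (policy, POLICY_EFFECT[policy]))
    else:
        findings.append("overflow policy not recognized: %r" % (policy,))
    used, free = state.get("used space"), state.get("free space")
    if isinstance(used, float) and isinstance(free, float) and used + free > 0:
        fraction = used / (used + free)
        if fraction >= full_threshold:
            findings.append("audit log directory is %.0f%% full; the overflow "
                            "policy is close to taking effect" % (fraction * 100))
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE):
        print("-", finding)
```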

About the Monitor Tab Page


The Monitor tab page contains a summary of the current health status and alerts
for devices managed by Director. The top pane displays two metrics:
❐ The Current Device Status indicators show how many devices are currently
connected to Director and cumulative representative health states.
❐ The Accumulated Alerts indicators show how many total alerts are currently
detected by Director. These alerts might not represent the current health state of
the device.


To view the current status of a device, click the name of a device in the Devices
pane.
In the Reports pane, click Performance Analysis to generate reports available for the
first time in the SGME 5.4 release; for more information, see "Generating
Performance Analysis Reports" on page 350.
For more information about the Monitor tab page, see Chapter 10: "Monitoring
Devices".

About the Configure Tab Page


The Configure tab page enables you to create and manage groups and devices.
After you have added devices to Director, you can edit the devices (by right-
clicking the device and clicking Edit) or place them in groups. After devices are
added, you can then create profiles and overlays to manage the configuration on
your devices.
The Backup Manager enables you to create and manage the backups for every
device.
For more information about the tasks available on the Configure tab page, see
Chapter 3: "Registering Devices", Chapter 4: "Adding and Connecting to
Devices", and Chapter 5: "Managing Device Groups, Profiles, and Overlays".

About the Jobs Tab Page


The Jobs tab page enables you to execute jobs—such as applying or refreshing
overlays or profiles, doing backups, or rebooting a device—either immediately or
scheduled for a future time (and optionally recurring periodically).
You can create jobs for individual ProxySG appliances, multiple appliances, or
groups of appliances.
For more information about the tasks available on the Jobs tab page, see
Chapter 8: "Creating, Scheduling, and Managing Jobs".

About the Content Tab Page


The Content tab page enables you to identify locally-stored content lists (URLs
and regular expressions) and pre-populate ProxySG appliances with content
(push content to the cache) so users have quicker access and consume fewer
network resources. You can push the content immediately or schedule a job.
For more information about the tasks available on the Content tab page, see
Chapter 7: "Managing Content Collections".


Configuring Browser and Mail Settings


This section discusses how to change the following settings:
❐ Director’s Web browser settings, which are used for operations like displaying
the SGOS Management Console.
These settings also enable you to specify output settings, which define the
verbosity of output displayed when you run profiles and overlays. For more
information about browser settings and options, see "Setting Director Browser
and Output Settings".
❐ Mail settings used to optionally e-mail the reports discussed in "Generating
Performance Analysis Reports" on page 350.
For information on mail settings, see "Setting Mail Options" on page 63.

Setting Director Browser and Output Settings


This section discusses how to set the following options:
❐ Choose a Web browser for the Director Management Console to use (see
"Setting Web Browser and Verbosity")
❐ Specify output verbosity (see "Setting Web Browser and Verbosity")
❐ E-mail options for optionally e-mailing performance analysis reports (see
"Setting Mail Options" on page 63)

Setting Web Browser and Verbosity


This section discusses how to choose a Web browser to use for operations like
running a device’s Management Console, and also how to set output verbosity for
profiles, overlays, and backups executed using the Management Console.

To configure browser and output settings:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click File > Options.
The Options dialog box displays.


3. Click the Browser Configuration tab.

4. In the Select Your Browser section, enter the path to your browser’s executable
in the Path To Browser field, or click Browse to locate it.
5. In the Update Your Output Settings section, enter the following information:
Enable verbose output check box:
• If Enable verbose output is selected and the output limit is set to a small
value, such as 10 KB, then:
  • Profile and overlay output is shown in its entirety.
  • Archive and device backup output is truncated at the value in the Limit
    output to field.
• If Enable verbose output is not selected (the default), and the output limit
is set to a small value, such as 10 KB, then:
  • Profile and overlay output displays errors only.
  • Archive configuration output is truncated at the value in the Limit output
    to field.
• If Enable verbose output is not selected and the output limit is set to a
large value, all output is limited to errors only.

Limit output to: Enter a limit, in KB, for output from profiles, overlays, and
backups.

Use Defaults button: Return the values in this dialog box to defaults.

The list of supported browsers for the Management Console can be found in
the Director Release Notes.


6. Click OK.
Note the following:
• The default output limit is 5120 KB; the maximum is 1 GB. The limit is
reset to its default if you click Use Defaults.
• Backup and restore output is always errors only, regardless of the setting
of the verbose mode.

Setting Mail Options


This section discusses how to set e-mail options to optionally e-mail reports you
can create as discussed in "Generating Performance Analysis Reports" on page
350.
Guidelines for Simple Mail Transfer Protocol (SMTP) servers follow:
❐ You can specify an SMTP mail server by either a fully qualified host name or
IP address
❐ Make sure the SMTP server meets all of the following availability
requirements
• It must be reachable by Director
• It must be capable of sending e-mails to all addresses you specify
In other words, you can choose either a corporate server or an external,
publicly reachable SMTP server provided the server meets the preceding
requirements.
❐ SSL and Transport Layer Security (TLS) encryption are not supported
❐ User name/password authentication is supported

To set mail options:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click File > Options.


The Options dialog box displays.


3. Click the Mail Settings tab.

4. Enter the following information:


| Item | Description |
|---|---|
| Server IP field | Enter your Simple Mail Transfer Protocol (SMTP) outgoing e-mail server’s IP address or fully qualified host name. Note: The SMTP server you specify cannot use either SSL or TLS encryption, must be reachable by Director, and must be able to send e-mail to all addresses to which you wish to send reports. |
| Server Port field | Enter the server’s port. |
| Authentication check box | Select this check box if your SMTP server requires authentication. |
| Username field | If you selected the Authentication check box, enter the SMTP server’s user name. |
| Password field | Enter the user’s password. |

Chapter 3: Registering Devices

This chapter discusses how to register devices with Director. Topics include:
❐ "About Device Registration"
❐ "Registration Quick Start" on page 67
❐ "About Appliance Certificates" on page 68
❐ Section A: "Prerequisite Tasks" on page 71
❐ Section B: "Getting a Director Appliance Certificate" on page 78
❐ Section C: "Setting Up Registration" on page 84
❐ Section D: "Registering Devices without Pre-Staged Device Records" on
page 86
❐ Section E: "Registering Devices with Pre-Staged Device Records" on page 97
❐ Section F: "Marking a Device As Configured" on page 110

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

About Device Registration


Registering ProxySG appliances (that is, devices) is an alternative to adding
devices, which is discussed in Chapter 4: "Adding and Connecting to
Devices". During registration, Director and devices use their Blue Coat
appliance certificates or a shared secret to confirm identities before exchanging
public keys over an HTTPS connection.
Registering devices has the following advantages compared to adding devices:
❐ Registration can be done in bulk using pre-staged device records, which
means the following tasks can be performed in one step:
• device records are created
• devices connect to Director
• optionally, devices are added to a group
• optionally, jobs are configured to target the devices
• optionally, profiles and overlays are targeted to the devices
❐ Even if you do not use pre-staged device records, you can register devices
in bulk so additional configuration (such as adding devices to groups) can
be performed quickly.
❐ Every device registered with Director uses the SSH-RSA protocol to
authenticate itself with Director. The SSH-RSA protocol is more secure than
SSH Simple.


When you add a device, it initially uses the SSH Simple protocol (that is, a
user name and password is sent from the device to Director). Blue Coat
strongly recommends using the SSH-RSA protocol, which is an additional
task you must perform after you add the device.
After adding a device, you can change the communication method to SSH-RSA
using the Management Console or command line. (Changing to SSH-RSA using the
command line requires several commands.) More information about SSH Simple
and SSH-RSA can be found in "Comparing SSH Simple and SSH-RSA" on page 66.
Notes:
❐ The registration process uses a secure HTTPS connection where Director acts
as the server and the device acts as the client.
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall.
❐ The process by which Director and devices authenticate with each other is not
to be confused with the process by which users authenticate with Director. For
more information about user authentication, see the following:
• To connect to the Director Management Console using SSH-RSA, see
Chapter 2: "Connecting to Director".
• The discussion of the aaa authentication and username commands in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director
Command Line Interface Reference Guide.

Comparing SSH Simple and SSH-RSA


SSH-RSA has the following benefits:
❐ Securing the network. Devices that are authenticated have exchanged keys,
verified each other’s identity, and know which devices are trusted. Passwords
are not sent over the network.
❐ Preventing man-in-the-middle attacks. Using RSA public/private key
authentication prevents man-in-the-middle attacks by using the server's host
key to verify the other host’s identity. Because the man-in-the-middle cannot
access the private key, the attacker cannot decrypt the traffic between the
server and the client.
❐ Secure profiles. When you create a device profile using a source device that
communicates with Director using SSH-RSA, Director includes in the profiles
keyrings, certificates, and other settings that would otherwise be encrypted. If
the source device uses SSH Simple, however, these encrypted settings are
omitted from the profile.
❐ Securing protocols. Many protocols require authentication at each end of the
connection before they are considered secure. SSH-RSA authentication means
that each host verifies each other’s identity at each end of the connection.


The following table summarizes the differences between SSH Simple and SSH-RSA:

| Feature | SSH Simple | SSH-RSA |
|---|---|---|
| Is communication encrypted? | Yes | Yes |
| Are passwords sent over the network? | Yes | No |
| Is it vulnerable to man-in-the-middle attacks? | Yes | No |

Registration Quick Start


This section discusses how to quickly get started registering devices if your
Director appliance and all ProxySG appliances it manages were manufactured
after July 2006. If Director and all ProxySG appliances were manufactured after
July 2006, you can assume they all have appliance certificates and are ready for
registration.
If you are not sure if all of your devices have appliance certificates, skip this
section and continue with "About Appliance Certificates" on page 68.
To complete the registration process, complete the tasks discussed in the
following table:
Task / Description

1. "About the Registration Process" on page 84
   Understand concepts related to registering your ProxySG appliances with
   Director.
2. "Registration Methods" on page 85
   Understand which registration method works best for your deployment:
   • Without pre-staged device records: Use this method to add devices to
     Director on demand, which is appropriate for smaller deployments.
   • With pre-staged device records: Use this method to pre-stage (that is,
     pre-create) a basic device configuration, which includes passwords, for
     all your devices on Director. This method is appropriate if you are
     planning a large deployment.
3. Section D: "Registering Devices without Pre-Staged Device Records" on page 86
   Use this registration method if you have a smaller deployment and want to
   add devices to Director on demand.
4. Section E: "Registering Devices with Pre-Staged Device Records" on page 97
   Use this registration method if you have a larger deployment and would
   benefit from creating device records before registering the devices with
   Director.

About Appliance Certificates


For devices to register with Director, the Director appliance must have an
appliance certificate, and each device must have either an appliance certificate or
it must use a shared secret created on Director.
An appliance certificate is an X.509 certificate that contains the hardware serial
number of the appliance (Director or ProxySG) as the CommonName (CN) in
the subject field. Blue Coat appliances manufactured after July 2006 have
appliance certificates.


Overview of the Registration Process


The following figure shows an overview of the registration process:

1. Does the appliance already have a certificate?
   • Yes: Register the device as discussed in "About the Registration Process"
     on page 84.
   • No: Continue with question 2.
2. Does the appliance support certificates?
   • Yes: Continue with question 3.
   • No: Add the device as discussed in Chapter 4: "Adding and Connecting to
     Devices".
3. Can the appliance access the Internet?
   • Yes: Get an appliance certificate as discussed in "Getting a Device
     Appliance Certificate" on page 75 (device) or "Getting a Director
     Appliance Certificate—Internet Access" on page 78 (Director).
   • No: Get an appliance certificate as discussed in "Getting a Device
     Appliance Certificate" on page 75 (device) or "Getting a Director
     Appliance Certificate—No Internet Access" on page 79.

Figure 3–1 Process overview for getting appliance certificates for devices and Director
Note the following:
❐ You go through the same process with Director and with ProxySG appliances.
❐ If your Director appliance does not support appliance certificates, you cannot
register any devices with it, even if the devices support appliance
certificates.
If that is the case, skip the remainder of this chapter and continue with
Chapter 4: "Adding and Connecting to Devices".
❐ If a device does not support appliance certificates, that device cannot be
registered with Director.
If that is the case, for that device, see Chapter 4: "Adding and Connecting to
Devices".


Section A: Prerequisite Tasks


This section discusses the following tasks:
❐ "Determining Whether Appliances Support Certificates" on page 71
❐ "Confirming Whether Director Has an Appliance Certificate" on page 73
❐ "Confirming Whether a Device Has an Appliance Certificate" on page 74

Determining Whether Appliances Support Certificates


This section discusses how to determine if ProxySG appliances and Director
support appliance certificates.

Important:
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall between Director and the devices you want Director to manage.
❐ Appliances manufactured before July 2006 do not support appliance
certificates and cannot be registered with Director. If your Director
appliance does not support appliance certificates, you cannot register any
devices with it, even if the devices support appliance certificates; instead,
you must add devices to Director as discussed in Chapter 4: "Adding and
Connecting to Devices".
❐ If you attempt to register a device that runs an incompatible SGOS
version, the error Incompatible SG version displays. In that case, you
cannot register the device with Director; instead, you must add the device
to Director as discussed in Chapter 4: "Adding and Connecting to
Devices". Be aware that configuring an older device using Director profiles
and overlays can result in errors. If possible, upgrade these devices to more
recent versions.
❐ Make sure Director supports appliance certificates and has an appliance
certificate before registering devices with Director.


Getting Started With Appliance Certificates


To complete the tasks discussed in this section, you need the following:
❐ Appliance hardware serial numbers (optional, but recommended)
The hardware serial number is printed on a label affixed to the rear panel of
the appliance. You can also find the serial number in any of the following
ways:
• ProxySG appliance:
• Displays on the SGOS Management Console in any of the following
ways:
• On the Home page when you first log in to the Management
Console.
• In the SGOS Management Console, click the Maintenance tab. In the
right pane, click the Summary tab and in the left navigation pane,
click System and Disks.
• Using the privileged mode command show version. Refer to the
Command Line Interface Reference in the ProxySG Appliance Configuration
and Management Guide for more information about using the SGOS
command line.
• Director appliance: The show version command displays Director’s
hardware serial number.
❐ A BlueTouch login
If you do not have a user name and password, fill in the form at
http://www.bluecoat.com/support/supportservices/btorequest.

To determine whether your appliances support appliance certificates:


1. Get appliance certificates as discussed in "Getting Started With Appliance
Certificates" on page 72.
2. Go to http://www.bluecoat.com/activate.
3. When prompted, log in with your BlueTouch user name and password.
The Blue Coat Licensing Portal displays.
4. In the left navigation bar, click Appliance Certificate Verification.
5. Enter the appliance hardware serial number in the provided field and click
Submit.

A message displays to indicate whether or not the appliance supports
appliance certificates.


6. Do any of the following:


• If Director does not support appliance certificates, you cannot register any
devices with it, even if the devices support appliance certificates.
Skip the remainder of this chapter and continue with Chapter 4: "Adding
and Connecting to Devices".
• If a device does not support appliance certificates, you cannot register that
device with Director.
For that device, skip the remainder of this chapter and continue with
Chapter 4: "Adding and Connecting to Devices".
• If Director supports appliance certificates, confirm whether or not Director
already has an appliance certificate as discussed in "Confirming Whether
Director Has an Appliance Certificate" on page 73.
• If a device supports appliance certificates, confirm whether or not the
device already has an appliance certificate as discussed in "Confirming
Whether a Device Has an Appliance Certificate" on page 74.

Confirming Whether Director Has an Appliance Certificate


To confirm whether Director has an appliance certificate:
1. Use a Secure Shell (SSH) application to connect to Director.
For details, see "Using the Director Command Line" on page 38.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. At the director (config) # prompt, enter the following command:
show ssl appliance-certificate

Examine the output for one of the following:

Output: An error message displays, such as:
appliance-certificate does not exist. Please request/import one first.
Meaning: Director has no appliance certificate. Continue with one of the
following sections:
• "Getting a Director Appliance Certificate—Internet Access" on page 78
• "Getting a Director Appliance Certificate—No Internet Access" on page 79

Output: Displays the certificate, starting with -----BEGIN CERTIFICATE-----
Meaning: Director already has an appliance certificate. Continue with
"Confirming Whether a Device Has an Appliance Certificate" on page 74.

7. Continue with one of the following sections:


• If Director has no appliance certificate, see "Getting a Device Appliance
Certificate" on page 75.
• If Director has an appliance certificate, continue with the next section.

Confirming Whether a Device Has an Appliance Certificate


To confirm whether a device has an appliance certificate:
1. Use a Secure Shell (SSH) application to connect to the device.
2. When prompted, log in as an administrator.
3. At the next prompt, enter enable.
4. If prompted, enter the privileged mode password.
5. At the # prompt, enter the following command:
# show ssl certificate appliance-key

One of the following displays:

| Result | Meaning |
|---|---|
| % Certificate "appliance-key" not found | The device has no appliance certificate. Continue with "Getting Appliance Certificates or Setting Up a Registration Password" on page 75. |
| The certificate displays, starting with -----BEGIN CERTIFICATE----- | The appliance has an appliance certificate. Continue with Section C: "Setting Up Registration" on page 84. |


6. Perform one of the following tasks:


• If all devices have appliance certificates, continue with Section C: "Setting
Up Registration" on page 84.
• If any device has no appliance certificate, continue with the next section.

Getting Appliance Certificates or Setting Up a Registration Password


If a device has no appliance certificate, you have the following options:
❐ Recommended. Get an appliance certificate for the device as discussed in
"Getting a Device Appliance Certificate" on page 75.
Appliance certificates are required to use Secure Application Delivery
Network (ADN). For detailed information about appliance certificates, see the
chapter on authenticating ProxySGs in Advanced Networking in the ProxySG
Appliance Configuration and Management Guide.
❐ Set up a registration password on Director and use this password to register
the device.
For registration purposes only, the registration password takes the place of the
appliance certificate. For more information, see "Setting Up a Director
Registration Password" on page 77.

Getting a Device Appliance Certificate


This section discusses how to get an appliance certificate for a device.

Note:
• Appliances manufactured before July 2006 do not support appliance
certificates. If you attempt to get an appliance certificate for such a
device, an error message displays; for details, see Table 3–1 on page 76.
If the appliance does not support appliance certificates, you cannot
register it with Director; instead, you must add the device as discussed
in Chapter 4: "Adding and Connecting to Devices".
• To register a device with Director, the device must have a certificate
from Blue Coat’s http://abrca.bluecoat.com/sign-manual Web site.
You cannot use another CA to generate an appliance certificate.


To get an appliance certificate for a device, perform any of the following tasks:
❐ If the device can connect to the Internet, from its Management Console,
perform the following tasks:
• Click Configuration > SSL > Appliance Certificates > Request Certificate.
• Click Request appliance certificate. You are required to confirm the action.
The Blue Coat CA server validates and signs the certificate. The
certificate is automatically placed in the appliance-key keyring. Note that
the appliance-key keyring cannot be backed up. The keyring is re-created
if it is missing at boot time.
The following table discusses error messages and their meanings:
Table 3–1 Appliance certificate error messages

| Error message | Meaning |
|---|---|
| Request failed: Signing server reported error: No such serial number serial_number. | The device does not support appliance certificates, most likely because it was manufactured before July 2006. |
| % Request failed: Request to signing server failed: Socket connect error | The device cannot connect to the Internet. |

❐ If the device cannot connect to the Internet, the procedure is similar to getting
a Director appliance certificate: Create a CSR on the device, go to the
abrca.bluecoat.com/sign-manual Web site to create a certificate, and import
the certificate into the device.
The details are discussed in the chapter on authenticating ProxySGs in
Advanced Networking in the ProxySG Appliance Configuration and Management
Guide.
After getting appliance certificates for all devices, continue with Section C:
"Setting Up Registration" on page 84.


Setting Up a Director Registration Password


If any device to be managed by Director has no appliance certificate, you must
either create a registration password on Director or get an appliance certificate for
the device as discussed in "Getting a Device Appliance Certificate" on page 75.
This password is used as a shared secret during the registration process, in effect
taking the place of the device’s appliance certificate for the purpose of registration
only.

To create a Director registration password:


1. Use a Secure Shell (SSH) application to connect to Director.
For details, see "Using the Director Command Line" on page 38.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. At the director (config) # prompt, enter the following command:
director (config) # ssl registration-password password

The registration password character set is a-z0-9A-Z-,. (The final dash is a
true dash.) Minimum length is 1; maximum length is 16.
7. Disconnect from Director.
8. Continue with Section C: "Setting Up Registration" on page 84.


Section B: Getting a Director Appliance Certificate


This section discusses the following topics:
❐ "Getting a Director Appliance Certificate—Internet Access" on page 78
❐ "Getting a Director Appliance Certificate—No Internet Access" on page 79
Blue Coat has a CA for the purpose of issuing appliance certificates. The root
certificate for the Blue Coat CA is automatically trusted by SGOS for
authenticating devices with and communicating with Director. These Blue Coat
signed certificates contain no authorization information and are valid for five
years.
The process can be summarized as follows:
1. Verify whether Director has an appliance certificate as discussed in
"Confirming Whether Director Has an Appliance Certificate" on page 73.
2. Do one of the following:
• If Director has an appliance certificate, continue with Section C: "Setting
Up Registration" on page 84.
• If Director has no appliance certificate, continue with one of the
following sections:
• "Getting a Director Appliance Certificate—Internet Access" on page
78
• "Getting a Director Appliance Certificate—No Internet Access" on
page 79

Getting a Director Appliance Certificate—Internet Access


To get a Director appliance certificate for a Director appliance that has
access to the Internet:
1. Use a Secure Shell (SSH) application to connect to Director.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. From the (config) prompt, enter:
director (config) # ssl request-appliance-certificate
Requesting certificate
Verifying certificate
Certificate verified successfully

This command creates a new private key, creates the Certificate Signing
Request signature (CSR) for the private key, and sends the CSR to Blue Coat
to get the corresponding appliance certificate.


To display the appliance certificate:


From the (config) prompt, enter:
director (config) # show ssl appliance-certificate
Skip the next section and continue with Section C: "Setting Up Registration" on
page 84.

Getting a Director Appliance Certificate—No Internet Access


To get a Director appliance certificate for a Director appliance that has no
access to the Internet:
1. Use a Secure Shell (SSH) application to connect to Director.
2. When prompted, log in as an administrator.
3. At the director > prompt, enter enable.
4. If prompted, enter the enable mode password.
5. At the director # prompt, enter configure terminal.
6. From the (config) prompt, enter:
director (config) # show ssl appliance-certificate-request

This command creates a CSR (if it does not already exist) and displays it. It
also creates the digital signature for the CSR, using the appliance’s private
key.


An example follows:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----
----- BEGIN CSR SIGNATURE -----
wrj98DWIUuIfiCxOcq7GnbQOjKI4S20WG3/6gzlzNaJN/pyQHwG4ehpzII+6JlY+
GKwzXmpa46Tyhkfv3HMIDBhAB31vJljNMwzjwn2Uc3AmEhd/mVBdw9U1q4UTWhzU
M8yuhbjMla3939IcwNrwIbQmEiaSRXHxUfcRYty5Q8CYZe0A8OSB8JDIHex1+E9K
ICjUBlUpz8rdeL/SxYZmwnrOTDoZ1KOz0bCbNVcjPsmZhqLwSrQwsBUXGiutjHDe
B/Hg3z0bPcvh1CNQZNv2LgSVPdPpeB6OPaSaQkuSs6WwPmeGGurSl7K0w6t/V6XL
VY93Z3Jph1FNpH7FES+pvw==
----- END CSR SIGNATURE -----

Figure 3–2 Sample CSR

7. Copy the CSR and the signature to your clipboard. Include the BEGIN
CERTIFICATE and END CERTIFICATE statements, as well as the BEGIN CSR
SIGNATURE and END CSR SIGNATURE statements.

8. Open a browser and go to the Blue Coat CA Server Web site at
http://abrca.bluecoat.com/sign-manual
9. Paste the CSR and signature into the form.


10. Click Generate Cert.


The signed certificate displays and can be pasted into Director. A sample
certificate follows:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
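A pre-submission check for steps 7 through 9, as an added example (not Blue Coat code): it confirms that the copied text holds both blocks with matching BEGIN and END statements and decodable base64 before it is pasted into the form. The function name and the sample bundle are constructed for illustration; the delimiters are the ones shown in Figure 3–2.

```python
import base64
import binascii
import re

# One PEM-style block. The CSR markers have no spaces inside the dashes, while
# the CSR SIGNATURE markers in Figure 3-2 do, so optional whitespace is allowed.
BLOCK_RE = re.compile(
    r"-----\s*BEGIN (?P<begin>[A-Z ]+?)\s*-----"
    r"(?P<body>.*?)"
    r"-----\s*END (?P<end>[A-Z ]+?)\s*-----",
    re.DOTALL,
)
REQUIRED = ("CERTIFICATE REQUEST", "CSR SIGNATURE")


def split_csr_bundle(text):
    """Return {label: decoded bytes}, or raise ValueError naming the defect."""
    blocks = {}
    for match in BLOCK_RE.finditer(text):
        begin, end = match.group("begin"), match.group("end")
        if begin != end:
            # Typical result of a copy that lost an END line.
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        if begin in blocks:
            raise ValueError(f"{begin} block appears more than once")
        encoded = "".join(match.group("body").split())
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin} body is not valid base64") from exc
        if not decoded:
            raise ValueError(f"{begin} block is empty")
        blocks[begin] = decoded
    missing = [label for label in REQUIRED if label not in blocks]
    if missing:
        raise ValueError("missing block(s): " + ", ".join(missing))
    # A DER-encoded CSR is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if blocks["CERTIFICATE REQUEST"][0] != 0x30:
        raise ValueError("CERTIFICATE REQUEST does not start with a DER SEQUENCE")
    return blocks


def wrap_base64(payload):
    """Encode bytes as line-wrapped base64 text, as PEM bodies are."""
    return base64.encodebytes(payload).decode("ascii")


# Constructed sample: placeholder bytes, not a real CSR or signature.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + wrap_base64(b"\x30\x82\x00\x40" + bytes(64))
    + "-----END CERTIFICATE REQUEST-----\n"
    + "----- BEGIN CSR SIGNATURE -----\n"
    + wrap_base64(bytes(range(96)))
    + "----- END CSR SIGNATURE -----\n"
)

if __name__ == "__main__":
    for label, data in split_csr_bundle(SAMPLE_BUNDLE).items():
        print(f"{label}: {len(data)} bytes")
```

The check is structural only: it does not verify the signature or the contents of the request, which remains the job of the Blue Coat CA server.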


To import the certificate into Director:


1. Copy the signed certificate to your clipboard. Be sure to include the BEGIN
CERTIFICATE and END CERTIFICATE statements.

2. From the (config) prompt, enter:


director (config) # ssl input appliance-certificate
Enter your certificate now.
Press Ctrl-D when finished, or Ctrl-C to abort.

3. Paste the certificate into the command window.


4. Press Control+D when you are finished.
The following message displays to indicate the import was successful:
Appliance certificate imported OK

To view the imported certificate:


To display the appliance certificate, from the (config) prompt, enter:
director (config) # show ssl appliance-certificate


Section C: Setting Up Registration


This section discusses the following topics:
❐ "About the Registration Process"
❐ "Registration Methods" on page 85

About the Registration Process


Devices use their Blue Coat appliance certificates or a shared secret to confirm
identities before exchanging public keys over an HTTPS connection. If a device
has an appliance certificate, that certificate is used to establish secure
communication with Director.
If a device does not have an appliance certificate, you must either get an
appliance certificate for the device (recommended) or configure a shared secret
(a registration password configured on Director) and enter the shared secret
when registering the device to confirm identities before exchanging public
keys. For more information, see "Getting Appliance Certificates or Setting Up a
Registration Password" on page 75.
After Director and the device authenticate each other, registration is complete
and one of the following SNMP traps is generated:

| Condition | Node name | OID |
|---|---|---|
| Success | blueCoatDirectorSgChgSgAutoregistered | 1.3.6.1.4.1.3417.3.1.2.8 |
| Failure | blueCoatDirectorSgChgSgAutoregistrationFailed | 1.3.6.1.4.1.3417.3.1.2.9 |
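As an added example (not part of the Blue Coat documentation), a monitoring host that receives these traps could tally registration outcomes and flag bursts of failures, which can indicate a wrong registration password or a device that should not be registering. The log line layout, the function names, the threshold and the window are assumptions made for this sketch; only the two OIDs come from the trap table.

```python
from collections import deque
from datetime import datetime, timedelta

# OIDs of the two registration traps, as listed in the trap table.
REGISTRATION_TRAPS = {
    "1.3.6.1.4.1.3417.3.1.2.8": "success",  # blueCoatDirectorSgChgSgAutoregistered
    "1.3.6.1.4.1.3417.3.1.2.9": "failure",  # blueCoatDirectorSgChgSgAutoregistrationFailed
}

# Constructed sample log, one trap per line in an assumed layout:
# "<ISO timestamp> <address of the Director that sent the trap> <trap OID>"
SAMPLE_LOG = """\
2009-06-01T10:00:05 192.0.2.10 1.3.6.1.4.1.3417.3.1.2.8
2009-06-01T10:02:11 192.0.2.10 .1.3.6.1.4.1.3417.3.1.2.9
2009-06-01T10:02:40 192.0.2.10 .1.3.6.1.4.1.3417.3.1.2.9
2009-06-01T10:03:02 192.0.2.10 1.3.6.1.4.1.3417.3.1.2.9
2009-06-01T10:03:30 192.0.2.10 1.3.6.1.6.3.1.1.5.3
2009-06-01T11:30:00 192.0.2.10 1.3.6.1.4.1.3417.3.1.2.9
malformed line
"""


def parse_line(line):
    """Return (timestamp, director, outcome), or None for any other line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        timestamp = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    # Some trap receivers print OIDs with a leading dot; normalize it away.
    outcome = REGISTRATION_TRAPS.get(parts[2].lstrip("."))
    if outcome is None:
        return None  # not a registration trap
    return timestamp, parts[1], outcome


def scan(log_text, threshold=3, window=timedelta(minutes=5)):
    """Count outcomes and alert when one Director reports `threshold`
    failures within `window`. Lines are assumed to be in time order."""
    counts = {"success": 0, "failure": 0}
    recent = {}  # Director address -> timestamps of failures inside the window
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        timestamp, director, outcome = event
        counts[outcome] += 1
        if outcome != "failure":
            continue
        failures = recent.setdefault(director, deque())
        failures.append(timestamp)
        # Drop failures that have aged out of the sliding window.
        while timestamp - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            alerts.append((director, timestamp.isoformat(), len(failures)))
    return counts, alerts


if __name__ == "__main__":
    totals, raised = scan(SAMPLE_LOG)
    print(totals)
    for director, when, count in raised:
        print(f"{when}: {count} registration failures reported by {director}")
```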

Notes:
❐ The process by which Director and devices authenticate with each other is
not to be confused with the process by which users authenticate with
Director. For more information about user authentication, see the following:
• To authenticate with the Director Management Console using SSH-RSA,
see Chapter 2: "Connecting to Director".
• The discussion of the aaa authentication and username commands in
Chapter 3, Configuration Mode Commands, in the Blue Coat Director
Command Line Interface Reference Guide.
❐ If you attempt to register a device with an incompatible SGOS version, the
error Incompatible SG version displays. In that case, you must add the
device to Director as discussed in Chapter 4: "Adding and Connecting to
Devices".
❐ For registration to succeed, TCP ports 8085 and 8086 must be open on the
firewall.


Registration Methods
You can set up registration in either of the following ways:
❐ "Registering Devices without Pre-Staged Device Records" on page 86
Use this method to add devices to Director on demand, which is appropriate
for smaller deployments.
❐ "Registering Devices with Pre-Staged Device Records" on page 97
Use this method to pre-stage (that is, pre-create) a basic device configuration,
which includes passwords, for all your devices on Director. This method is
appropriate if you are planning a large deployment.


Section D: Registering Devices without Pre-Staged Device Records


Table 4–1 provides a high-level view of workflow tasks for registering devices
without creating pre-staged device records. It also provides a task description
and the role most suitable for performing the task.
Review this table, then read the sections that follow for detailed information
about each task.
Table 3–2 Workflow Tasks—Registering devices without pre-staged device records

Task / Task Description / Role

1. Prerequisites
   Role: Director Administrator
   Task description: Complete the following tasks discussed earlier in this
   chapter:
   • "Prerequisite Tasks" on page 71
   • "Getting Appliance Certificates or Setting Up a Registration Password" on
     page 75, if necessary
   • Section B: "Getting a Director Appliance Certificate" on page 78, if
     necessary

2. Register devices with Director.
   Role: ProxySG Technician, ProxySG Administrator
   Task description:
   • Verify the device has been installed and connected to the network.
   • Register the device with Director.
     This process is discussed in "Registering the Device with Director" on
     page 87.

3. Optionally change randomly set passwords for the newly registered Director
   device.
   Role: Director Administrator
   Task description:
   • View the newly registered device on Director.
   • Optionally change randomly set passwords (admin user, enable mode, and
     front panel PIN) as discussed in "Setting Passwords for Newly Registered
     Devices on Director" on page 92.

4. Place it into a group and configure it using profiles and overlays.
   Role: Director Administrator
   Task description:
   • Section A: "Setting Up and Managing Device Groups" on page 132
   • Section C: "Managing Profiles" on page 144
   • Section D: "Managing Overlays" on page 159


Registering the Device with Director


After the device is installed and connected to the network, the device
administrator must configure device-specific initial settings. The procedure you
use to register the device depends, in part, on whether or not the device has been
configured. Use the following guidelines:
❐ If the device has never been configured (that is, does not have an IP address,
subnet mask, or DNS settings), see "Registering the Device Using its Serial
Setup Console" on page 87.
❐ If the device has already been configured, you have the following options:
• Register the device using its serial setup console as discussed in
"Registering the Device Using its Serial Setup Console" on page 87.
• Register the device from the command line as discussed in "Registering
the Device Using its Command Line" on page 89.
• Register the device using its Management Console as discussed in
"Registering a Device Using its Management Console" on page 106.

Registering the Device Using its Serial Setup Console


A device can be initially configured using its front panel or its serial console. Refer
to the device Installation Guide for more information. This section provides sample
information about configuring the device from its serial console.
Initial device configuration settings include:
❐ Register with Director option
❐ Device IP address
❐ Device IP subnet mask
❐ Director IP address
❐ Registration password (only if the device does not have an appliance
certificate. The device’s administrator needs to know this password and it
must be the same one configured on Director.)
❐ Device friendly name (optional; you can configure one later)
❐ Verify the Director serial number
The hardware serial number is printed on a label affixed to the rear panel of
the appliance and it is displayed using the show version detail command.

To register a device with Director using the device’s serial console:


1. Connect one end of a serial null modem cable to the ProxySG appliance’s
serial console and connect the other end to a terminal or computer.
2. Consult the documentation provided with your terminal or computer’s
communication software (such as Windows HyperTerminal) for how to start
the software and configure it.
3. Configure the terminal or computer’s communication software as follows:


• Rate: 9600 bps


• Parity: none
• Flow control: none
• Data bits: 8
• Stop bits: 1
4. Follow the prompts on your screen to connect to the device and start its setup
wizard.
The setup wizard prompts are different for different SGOS versions.
Following is a summary of the prompts and their meanings; however, the
exact verbiage displayed on the wizard might be different.

Setup wizard prompt: How do you want to set up the SG appliance?
Description: Select the option to register with Director.

Setup wizard prompt: Director’s IP address
Description: Enter Director’s IP address.

Setup wizard prompt: Registration password (if prompted)
Description: You are prompted to enter a registration password only if the appliance does not have an appliance certificate. If prompted, enter the registration password you created on Director.

Setup wizard prompt: Appliance name
Description: Enter an optional “friendly” name to identify the appliance.

After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

Condition   Node name                                       OID
Success     blueCoatDirectorSgChgSgAutoregistered           1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9

Some error messages follow:

Error: Could not contact Director
Meaning: Director likely has no appliance certificate, or Director is not accessible by this device.

Error: Request rejected by Director: Device didn't uniquely match a device record
Meaning: Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.


Skip the next section and continue with "Setting Passwords for Newly Registered
Devices on Director" on page 92.

Registering the Device Using its Command Line


This section discusses how to use the device’s command line to register the device
with Director. You can use this procedure only if the device has an IP address,
subnet mask, and DNS settings.

To register a device with Director using the device’s command line:


1. Use a Secure Shell (SSH) application to connect to the device.
2. When prompted, log in as an administrator.
3. When prompted, enter enable.
4. If prompted, enter the enable mode password.
5. At the # prompt, enter the following command:
   register-with-director director_ip
   where director_ip is Director’s IP address.


6. When prompted, enter an optional “friendly” name for the device, or press
Enter without a name to set the device name later.
7. When prompted, confirm Director’s hardware serial number.
The hardware serial number is printed on a label affixed to the rear panel of
the device. You can use the show version detail command to display the
serial number.
8. If prompted, enter the registration password.

Note: You are not prompted to enter a registration password if the device has an
appliance certificate.

9. Follow the prompts on your screen to complete the registration process.


If registration is successful, you can view the new device using either the
Management Console’s Configure tab page or using the show devices
command as discussed in Chapter 2, Standard and Enable Mode Commands,
in the Blue Coat Director Command Line Interface Reference Guide. After
registration is complete, the SG-newly-registered SNMP trap is sent.
Some error messages follow:

Error: Could not contact Director
Meaning: Director likely has no appliance certificate, or Director is not accessible by this device.

Error: Request rejected by Director: Device didn't uniquely match a device record
Meaning: Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.

Registering a Device Using its Management Console


This section discusses how to use the device’s Management Console to register
the device with Director. You can use this procedure only if the device has an IP
address, subnet mask, and DNS settings.

To register a device with Director using its Management Console:


1. Enter the following URL in your browser’s location or address field:
   https://device_host_or_ip:port
   where device_host_or_ip is the device’s fully qualified host name or IP address, and port is its HTTPS Console port; by default, the port is 8082.
2. Log in to the device’s Management Console as an administrator.
3. Click the Maintenance tab.
4. On the Maintenance tab page, click Director Registration.
5. Enter the following information:
Table 3–3 Registering a device with Director using the device Management Console

Field: Director IP address
Description: Enter Director’s fully qualified host name or IP address.

Field: Director serial number
Description: If you know Director’s hardware serial number, enter it in this field. If you do not know Director’s serial number, click Retrieve S/N from Director. (The button is available only after you enter Director’s host name or IP address in the preceding field.)

Field: Appliance name
Description: Enter a unique identifier for the device. The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.


Note: Keep the following in mind when registering a device using its Management Console:
• If the Register button is inactive after you enter Director’s serial number or retrieve it from Director, you must enter a registration password. This most likely means the ProxySG appliance has no appliance certificate.
  Either enter a registration password in the provided field or get an appliance certificate for the device.
• If an error displays that the device cannot connect to Director after you click Retrieve S/N from Director, check the following:
  • Make sure Director has an appliance certificate.
  • Log in to the device’s command line and ping Director’s IP address to make sure the device can contact Director.

6. Click Register.
You are required to confirm the action.
7. Follow the prompts on your screen to complete the registration process.
• If registration is successful, the Registration Succeeded confirmation dialog box displays. Click OK.
• The message Could not contact Director indicates either that Director is not accessible by the ProxySG appliance or that Director has no appliance certificate.
• Pre-staged device records only. If an error indicates that the ProxySG appliance did not match the device record you created before you registered the appliance, make sure the device record is correct (in particular, make sure the device’s IP address and serial number match) and try again.


After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

Condition   Node name                                       OID
Success     blueCoatDirectorSgChgSgAutoregistered           1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9

Setting Passwords for Newly Registered Devices on Director


After registration is complete, the device record is created on Director and the
device is set for SSH-RSA communication. During registration, the device’s
passwords were changed to random strings known only to Director. (Director
changes the admin user’s password, the enable mode password, and the front
panel PIN password.)
Perform one of the following tasks:
❐ To use the passwords assigned during registration so that only Director can
configure the device, skip the remainder of this chapter and continue with
Chapter 5: "Managing Device Groups, Profiles, and Overlays".
❐ To change the passwords so administrators and Director can use the SGOS
Management Console or command line to configure the device, complete the
remainder of the tasks discussed in this section.

To change randomly set passwords:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, right-click the new device whose passwords you
want to set.
4. From the pop-up menu, click Set Passwords.
The Enter Passwords dialog box displays.


5. Enter the new passwords:


Section: Enable Password
Description: In the provided fields, enter and confirm a password to access command line enable mode on this device and device record. Character minimum length is 1; maximum length is 64.

Section: Console Password
Description: In the provided fields, enter and confirm the admin user’s password. Character minimum length is 1; maximum length is 64.

Section: Frontpanel Pin
Description: In the provided fields, enter and confirm a password to configure the device from its front panel. The character set is 1–9, and the length is 4 characters.
To clear the front panel PIN, use either of the following commands:
From Director, use:
   director (config device device_id) # front-panel-pin 0000
For more information, refer to Chapter 3, Configure Mode Commands, in the Blue Coat Director Command Line Interface Reference Guide.
From the device, use:
   #(config front-panel) pin 0000
For more information, refer to Chapter 3, Privileged Mode Configure Commands, in Command Line Interface Reference, in the ProxySG Appliance Configuration and Management Guide.

Note: To save your changes, you must enter a valid password in all
fields.

6. Click OK.

Related Commands
The pushpassword and front-panel-pin commands set these passwords on both the device and the device record.
First, enter device_id submode using the following command:
   director (config) # device device_id
Then enter the following commands:
   director (config device device_id) # pushpassword {enable-password password | front-panel-pin pin | password password}
   director (config device device_id) # front-panel-pin pin
The enable-password and serial-console-password commands set these passwords on the device record only.
   director (config device device_id) # enable-password enable-password
   director (config device device_id) # serial-console-password password


Changing Properties of a Registered Device


This section discusses how to change the following properties of a device you
have already registered with Director:
❐ Serial number
❐ Serial console password
❐ Front panel PIN

To change the properties of a registered device:


1. Click the Configure tab.
2. On the Configure tab page, in the Groups pane, click the name of the group to
which the device belongs.
If you are not sure, click the All system group.
3. In the Devices pane, right-click the name of the device.
4. From the pop-up menu, click Edit.
The Edit Device dialog box displays.
5. In the Edit Device dialog box, click Advanced Settings.
The Advanced Settings dialog box displays.
6. Click the Auto Registration tab.
The Auto Registration tab page displays.

7. Enter or edit the following information:


Table 3–4

Field: Serial No
Description: Enter the device’s serial number.
Caution: Because the device serial number is tied to its appliance certificate, use caution before changing it.

Field: Serial Console Password
Description: Enter a new serial console password for the device.

Field: Frontpanel Pin
Description: Enter a new front panel PIN for the device. The front panel PIN is a four-digit number. Enter 0000 to clear the front panel PIN.


Section E: Registering Devices with Pre-Staged Device Records


If your company is rolling out a large deployment, you should pre-stage (that
is, pre-create) records for devices to be managed by Director. This workflow
method lets you preconfigure passwords, create profiles and overlays, and
create jobs that are already associated with devices before the devices have
been registered with Director.
Pre-staging has the following advantages:
❐ Devices can be added to groups automatically.
❐ You can target profiles, overlays, and jobs at devices or groups of devices
before registering them.
❐ Jobs can apply profiles and overlays to devices after devices are registered,
automating the configuration process.
❐ If you create passwords in the device records, the passwords are preserved
after registration. (Otherwise, Director changes the passwords to random
strings known only to Director.)
Table 4–2 provides a high-level view of workflow tasks for automatically
registering devices with a Director that has pre-staged device records. It also
provides a task description and the role most suitable for performing the task.
Review this table, then read the sections that follow for detailed information
about each task.
Table 3–5 Workflow tasks—Registering devices with pre-staged device records

Task 1. Prerequisites
Role: Director Administrator
Task description: Complete the following tasks discussed earlier in this chapter:
• "Prerequisite Tasks" on page 71
• "Setting Up a Director Registration Password" on page 77, if necessary
• Section B: "Getting a Director Appliance Certificate" on page 78, if necessary

Task 2. Create a partial device record on Director.
Role: Director Administrator
Task description:
• Create a partial device record that contains configuration information for the device that will be deployed. See "Creating a Partial Device Record on Director" on page 99.
• Configure the passwords in the device record.
• Optionally add devices to groups as discussed in Section A: "Setting Up and Managing Device Groups" on page 132.
• Optionally, configure profiles and overlays for the device. See Section C: "Managing Profiles" on page 144 and Section D: "Managing Overlays" on page 159.
• To optionally execute jobs to apply profiles and overlays to devices, see Chapter 7: "Managing Content Collections".

Task 3. Register devices with Director.
Role: ProxySG Technician; ProxySG Administrator
Task description:
• Verify the device has been installed and connected to the network.
• Register the device with Director. This process is discussed in "Registering Pre-Staged Devices With Director" on page 103.

Task 4. Optionally change randomly set passwords for the newly registered Director device.
Role: Director Administrator
Task description:
• View the newly registered device on Director.
• If required, change randomly set passwords (admin user, enable mode, and front panel PIN) as discussed in "Setting Passwords for Newly Registered Devices on Director" on page 92.
  This is necessary only for devices whose partial device records did not match the devices being registered. (For example, you did not enter a device serial number or you entered the wrong serial number.)


Creating a Partial Device Record on Director


A partial device record contains a subset of configuration information for a device
(for example, its IP address, friendly name, device ID, and hardware serial
number). When Director receives a registration request from a device, it tries to
match the information in the request with information that is contained in the
partial device record.
If there is a match between the partial device record and the device, the
passwords in the device record are pushed to the device.

Important: If the partial device record does not contain enough information
for a match, Director creates a new device record. In that case, Director names
the device according to its host name or IP address and also replaces the
device’s admin user password, enable mode password, and front panel PIN
password with random strings known only to Director. To make sure you enter
enough information in the partial device record, see the next section.

Matching Partial Device Records


Director matches information in the device record with device settings in the
following order:
1. Director matches the device’s hardware serial number with the device record
serial number.
2. If the partial device record does not include a hardware serial number,
Director performs the following tasks in the order shown:
a. If the device is configured with a host name, attempts a DNS lookup
on the host name.
b. If the device is configured with an IP address, attempts to match the IP
address.
3. If no match is found for the host name or IP address, Director attempts to
match the device “friendly” name.
If the “friendly” appliance name configured in the device record matches the
appliance name you entered when you registered the device, the device
record is matched to the device. The appliance name becomes the Device ID
and the device name is not changed.
4. If no match can be found for any of the preceding, Director creates a new
device record with the device name and device ID both being set to the
device’s host name or IP address.


If more than one of the preceding parameters exists in the device record, all of the parameters are matched. If any parameter fails, Director rejects the registration request, an error message displays on the device console, and the following SNMP trap is generated:

Node name                                       OID
blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9
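
The matching order and the all-parameters rule described above decide whether a device keeps the passwords you pre-staged, is rejected, or ends up with random credentials. The following Python model is an added example, not Director's own code, for predicting that outcome before a rollout. The Record and Request field names, the single address field, the injected DNS table, the choice to treat a record that agrees on one field but disagrees on another as a rejection, and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Trap raised on a rejected request (OID taken from the table above).
FAILED_TRAP_OID = "1.3.6.1.4.1.3417.3.1.2.9"


@dataclass(frozen=True)
class Record:
    """A pre-staged (partial) device record; unset fields stay None."""
    device_id: str
    serial: Optional[str] = None
    address: Optional[str] = None  # IP address or host name (assumed one field)
    name: Optional[str] = None     # "friendly" appliance name


@dataclass(frozen=True)
class Request:
    """What the registering device presents (assumed field names)."""
    serial: str
    ip: str
    name: Optional[str] = None


def _compare(rec: Record, req: Request, dns: Dict[str, str]) -> Dict[str, bool]:
    """Compare each field the record populates, in the documented order."""
    res: Dict[str, bool] = {}
    if rec.serial:
        res["serial"] = rec.serial == req.serial
    if rec.address:
        # A host name is resolved first; an unresolvable name cannot match.
        res["address"] = dns.get(rec.address.lower(), rec.address) == req.ip
    if rec.name:
        res["name"] = rec.name == req.name
    return res


def predict(records: List[Record], req: Request,
            dns: Optional[Dict[str, str]] = None) -> Tuple[str, Optional[str], str]:
    """Return (outcome, device_id, reason); outcome is MATCH, REJECT or NEW."""
    dns = dns or {}
    full, partial = [], []
    for rec in records:
        res = _compare(rec, req, dns)
        if not any(res.values()):
            continue  # nothing in this record points at the device
        if all(res.values()):
            # Dict order follows the documented priority, so the first key
            # is the highest-priority field that identified the device.
            full.append((rec, next(iter(res))))
        else:
            partial.append((rec, [k for k, ok in res.items() if not ok]))
    if partial:  # some parameter failed: request rejected, failure trap sent
        rec, bad = partial[0]
        return ("REJECT", rec.device_id, "mismatch on " + ", ".join(bad))
    if len(full) > 1:  # more than one record fits: not a unique match
        return ("REJECT", None, "matches %d records" % len(full))
    if full:  # passwords in the record are pushed to the device
        rec, key = full[0]
        return ("MATCH", rec.device_id, "matched on " + key)
    # New record is created; credentials become random strings.
    return ("NEW", None, "no record matched")


# Constructed sample data, not taken from any real deployment.
SAMPLE_DNS = {"sg-lon.example.test": "10.0.1.20"}
SAMPLE_RECORDS = [
    Record("sg-nyc-01", serial="0000000001", address="10.0.0.11"),
    Record("sg-lon-01", address="sg-lon.example.test"),
    Record("sg-par-01", name="paris-branch"),
]

if __name__ == "__main__":
    for req in (
        Request("0000000001", "10.0.0.11"),
        Request("0000000001", "10.0.0.99"),
        Request("0000000002", "10.0.1.20"),
        Request("0000000003", "10.0.2.5", "paris-branch"),
        Request("0000000004", "10.0.3.7", "lab"),
    ):
        outcome, device_id, reason = predict(SAMPLE_RECORDS, req, SAMPLE_DNS)
        note = " (expect trap %s)" % FAILED_TRAP_OID if outcome == "REJECT" else ""
        print(req.serial, req.ip, "->", outcome, device_id, reason + note)
```

A NEW result is the case to review before deployment, because the device's admin password, enable mode password, and front panel PIN are then replaced with values only Director holds.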

Getting Information for the Partial Device Record


The following tables show required and optional information for the partial
device record.

Getting Required Information for the Partial Device Record


To create a partial device record, you must input the following data into the
Director Management Console’s New Device Wizard:
Table 3–6 Required device information

Required information: Device name
Description: (Optional.) A friendly name for the device that identifies the device in Director.

Required information: Device ID
Description: A unique identifier you choose for this device. If you configure the device from the command line, you enter its device ID. When you view the device in the Management Console, the device displays as device_name [device_id].
The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.

Required information: IP address
Description: The device’s IP address.

Required information: Serial number
Description: Device’s hardware serial number, which is printed on a label affixed to the back panel of the device.
The hardware serial number is also displayed on the SGOS Management Console in any of the following:
• On the Home page when you first log in to the Management Console.
• In the ProxySG Management Console, click the Maintenance tab. In the right pane, click the Summary tab and in the left navigation pane, click System and Disks.
The hardware serial number can also be found using the privileged mode command show version. Refer to the Command Line Interface Reference for more information about using the SGOS command line.


Getting Optional Information for the Partial Device Record


The following table lists optional information for the device record:
Table 3–7 Optional device information

Optional information: Device name
Description: A friendly name for the device that identifies the device in Director.

Optional information: Username
Description: Device’s administrator user name.

Optional information: Password
Description: Administrator’s password.
Important: If you do not specify a password, during the registration process Director assigns a random string known only to Director. This is appropriate if you want only Director to manage the device.
For you to manage the device by logging in to its Management Console or command line, enter a password. The password is preserved after registration.

Optional information: Enable mode password
Description: Password to enter enable mode on the command line.
Important: If you do not specify a password, during the registration process Director assigns a random string known only to Director. This is appropriate if you want only Director to manage the device.
For you to manage the device by logging in to its Management Console or command line, enter a password. The password is preserved after registration.

Optional information: Front Panel PIN
Description: Four-digit PIN to configure the device using its front LCD panel.
Important: If you do not specify a PIN, during the registration process Director assigns a random string known only to Director. This is appropriate if you want only Director to manage the device.
For you to manage the device using its front panel, enter a four-digit PIN. The PIN is preserved after registration.


Creating the Partial Device Record


After getting the information required to create the partial device record, create
the device record using the Director Management Console as discussed in this
section.

To create a partial device record:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the lower left corner of the Configure tab page, click Add Device(s).
The New Device Wizard displays.
4. Click Next.
5. Enter the device ID in the Device ID field.
6. Enter the device’s IP address and serial number in the IP Address and Serial No
fields, respectively.
7. Optional. For you to manage the device after registration using the device’s
Management Console and command line, enter the following:
• Username
• Password
• Enable Mode Password
• Front Panel Pin

Details about these settings are discussed in "Getting Optional Information for
the Partial Device Record" on page 101.
8. To create another partial device record, click Add Row and repeat steps 5
through 7.
9. Click Add Device(s) to save changes.
10. Optionally add the partial device records to groups as discussed in Section A:
"Setting Up and Managing Device Groups" on page 132.
11. Optionally create profiles and overlays for the devices:
• Section C: "Managing Profiles" on page 144
• Section D: "Managing Overlays" on page 159
12. Optionally create jobs to apply profiles and overlays to the device as
discussed in Chapter 7: "Managing Content Collections".
13. Register the devices as discussed in the next section.
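
Before typing a batch of rows into the New Device Wizard, the limits in Tables 3–6 and 3–7 can be checked offline. The following Python check is an added example, not a Blue Coat tool; the row keys, the sample rows, and the choice to report repeated device IDs, serial numbers, or IP addresses as errors are assumptions.

```python
import ipaddress
import re
from collections import Counter

FORBIDDEN_ID_CHARS = set("{}<>()#$")  # characters Table 3-6 disallows in a device ID
MAX_ID_LEN = 250                      # maximum device ID length from Table 3-6
RANDOMIZED = "left blank: Director assigns a random string known only to Director"


def check_row(row):
    """Return (severity, field, message) findings for one pre-staged row (a dict)."""
    out = []
    dev_id = row.get("device_id") or ""
    if not dev_id:
        out.append(("error", "device_id", "required"))
    if len(dev_id) > MAX_ID_LEN:
        out.append(("error", "device_id", "longer than %d characters" % MAX_ID_LEN))
    bad = "".join(sorted(FORBIDDEN_ID_CHARS & set(dev_id)))
    if bad:
        out.append(("error", "device_id", "contains forbidden characters: " + bad))
    try:
        ipaddress.ip_address(row.get("ip") or "")
    except ValueError:
        out.append(("error", "ip", "not a valid IP address"))
    if not row.get("serial"):
        # Without a serial number Director falls back to weaker identifiers.
        out.append(("warn", "serial", "missing: matching falls back to address, then friendly name"))
    for field in ("password", "enable_password"):
        if not row.get(field):
            out.append(("warn", field, RANDOMIZED))
    pin = row.get("front_panel_pin") or ""
    if not pin:
        out.append(("warn", "front_panel_pin", RANDOMIZED))
    elif not re.fullmatch(r"[0-9]{4}", pin):
        out.append(("error", "front_panel_pin", "must be exactly four digits"))
    elif pin == "0000":
        out.append(("warn", "front_panel_pin", "0000 clears the front panel PIN"))
    return out


def check_batch(rows):
    """Check every row, then flag values that should be unique but repeat."""
    findings = [check_row(r) for r in rows]
    for field in ("device_id", "serial", "ip"):
        counts = Counter(r[field] for r in rows if r.get(field))
        for i, r in enumerate(rows):
            if counts.get(r.get(field), 0) > 1:
                findings[i].append(("error", field, "duplicate value %r" % r[field]))
    return findings


# Constructed sample rows, not taken from any real deployment.
SAMPLE_ROWS = [
    {"device_id": "sg-nyc-01", "ip": "10.0.0.11", "serial": "0000000001",
     "password": "example-1", "enable_password": "example-2", "front_panel_pin": "4821"},
    {"device_id": "sg(lon)#1", "ip": "10.0.1.300", "serial": "",
     "front_panel_pin": "12a4"},
    {"device_id": "sg-par-01", "ip": "10.0.0.11", "serial": "0000000003",
     "password": "example-3", "enable_password": "example-4", "front_panel_pin": "0000"},
]

if __name__ == "__main__":
    for row, findings in zip(SAMPLE_ROWS, check_batch(SAMPLE_ROWS)):
        print(row["device_id"])
        for severity, field, message in findings:
            print("  %-5s %-16s %s" % (severity, field, message))
```

Rows that report a blank password, enable mode password, or PIN are the ones that can afterwards be managed only through Director.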


Registering Pre-Staged Devices With Director


After the device is installed and connected to the network, the device
administrator must configure device-specific initial settings. The procedure you
use to register the device depends, in part, on whether or not the device has been
configured. Use the following guidelines:
❐ If the device has never been configured (that is, does not have an IP address,
subnet mask, or DNS settings), see "Registering the Device Using its Serial
Setup Console" on page 87.
❐ If the device has already been configured, you have the following options:
• Register the device using its serial setup console as discussed in
"Registering the Device Using its Serial Setup Console" on page 87.
• Register the device from the command line as discussed in "Registering
the Device Using its Command Line" on page 105.
• Register the device using its Management Console as discussed in
"Registering a Device Using its Management Console" on page 106.

Registering the Device Using its Serial Setup Console


A device can be initially configured using its front panel or its serial console. Refer
to the device Installation Guide for more information. This section provides sample
information about configuring the device from its serial console.
Initial device configuration settings include:
❐ Register with Director option
❐ Device IP address
❐ Device IP subnet mask
❐ Director IP address
❐ Registration password (only if the device does not have an appliance
certificate. The device’s administrator needs to know this password and it
must be the same one configured on Director.)
❐ Device friendly name (optional; you can configure one later)
❐ Verify the Director serial number
The hardware serial number is printed on a label affixed to the rear panel of
the appliance and it is displayed using the show version detail command.

To register a device with Director using the device’s serial console:


1. Connect one end of a serial null modem cable to the ProxySG appliance’s
serial console and connect the other end to a terminal or computer.
2. Consult the documentation provided with your terminal or computer’s
communication software (such as Windows HyperTerminal) for how to start
the software and configure it.
3. Configure the terminal or computer’s communication software as follows:


• Rate: 9600 bps


• Parity: none
• Flow control: none
• Data bits: 8
• Stop bits: 1
4. Follow the prompts on your screen to connect to the device and start its setup
wizard.
The setup wizard prompts are different for different SGOS versions.
Following is a summary of the prompts and their meanings; however, the
exact verbiage displayed on the wizard might be different.

Setup wizard prompt: How do you want to set up the SG appliance?
Description: Select the option to register with Director.

Setup wizard prompt: Director’s IP address
Description: Enter Director’s IP address.

Setup wizard prompt: Registration password (if prompted)
Description: You are prompted to enter a registration password only if the appliance does not have an appliance certificate. If prompted, enter the registration password you created on Director.

Setup wizard prompt: Appliance name
Description: Enter an optional “friendly” name to identify the appliance.

After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

Condition   Node name                                       OID
Success     blueCoatDirectorSgChgSgAutoregistered           1.3.6.1.4.1.3417.3.1.2.8
Failure     blueCoatDirectorSgChgSgAutoregistrationFailed   1.3.6.1.4.1.3417.3.1.2.9

Some error messages follow:

Error: Could not contact Director
Meaning: Director likely has no appliance certificate, or Director is not accessible by this device.

Error: Request rejected by Director: Device didn't uniquely match a device record
Meaning: Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.


Skip the next section and continue with "Setting Passwords for Newly Registered
Devices on Director" on page 92.

Registering the Device Using its Command Line


This section discusses how to use the device’s command line to register the device
with Director. You can use this procedure only if the device has an IP address,
subnet mask, and DNS settings.

To register a device with Director using the device’s command line:


1. Use a Secure Shell (SSH) application to connect to the device.
2. When prompted, log in as an administrator.
3. When prompted, enter enable.
4. If prompted, enter the enable mode password.
5. At the # prompt, enter the following command:
   register-with-director director_ip
   where director_ip is Director’s IP address.


6. When prompted, enter an optional “friendly” name for the device, or press
Enter without a name to set the device name later.
7. When prompted, confirm Director’s hardware serial number.
The hardware serial number is printed on a label affixed to the rear panel of
the device. You can use the show version detail command to display the
serial number.
8. If prompted, enter the registration password.

Note: You are not prompted to enter a registration password if the device has an
appliance certificate.

9. Follow the prompts on your screen to complete the registration process.


If registration is successful, you can view the new device using either the
Management Console’s Configure tab page or using the show devices
command as discussed in Chapter 2, Standard and Enable Mode Commands,
in the Blue Coat Director Command Line Interface Reference Guide. After
registration is complete, the SG-newly-registered SNMP trap is sent.
Some error messages follow:

Error: Could not contact Director
Meaning: Director likely has no appliance certificate, or Director is not accessible by this device.

Error: Request rejected by Director: Device didn't uniquely match a device record
Meaning: Displays only for pre-staged device records. Make sure the device record is correct. In particular, make sure the device’s IP address and serial number match.
The following tasks are performed automatically after registration if you had set
them up before you registered the devices:
❐ Device records are added to groups.
❐ Jobs that apply profiles and overlays are run at their scheduled times.

Registering a Device Using its Management Console


This section discusses how to use the device’s Management Console to register
the device with Director. You can use this procedure only if the device has an IP
address, subnet mask, and DNS settings.

To register a device with Director using its Management Console:


1. Enter the following URL in your browser’s location or address field:
   https://device_host_or_ip:port
   where device_host_or_ip is the device’s fully qualified host name or IP address, and port is its HTTPS Console port; by default, the port is 8082.
2. Log in to the device’s Management Console as an administrator.
3. Click the Maintenance tab.
4. On the Maintenance tab page, click Director Registration.
5. Enter the following information:
Table 3–8 Registering a device with Director using the device Management Console

| Field | Description |
|---|---|
| Director IP address | Enter Director’s fully qualified host name or IP address. |
| Director serial number | If you know Director’s hardware serial number, enter it in this field. If you do not know Director’s serial number, click Retrieve S/N from Director. (The button is available only after you enter Director’s host name or IP address in the preceding field.) |
| Appliance name | Enter a unique identifier for the device. The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $. |

Note: Note the following about registering a device using its Management
Console:
• If the Register button is inactive after you enter Director’s serial number
  or retrieve it from Director, you must enter a registration password. This
  is most likely because the ProxySG appliance has no appliance certificate.
  Either enter a registration password in the provided field or get an
  appliance certificate for the device.
• If after you click Retrieve S/N from Director an error displays that the
  device cannot connect to Director, check the following:
  • Make sure Director has an appliance certificate.
  • Log in to the device’s command line and ping Director’s IP address
    to make sure the device can contact Director.

6. Click Register.
You are required to confirm the action.
7. Follow the prompts on your screen to complete the registration process.
• If registration is successful, the following confirmation dialog box
displays:

At the Registration Succeeded dialog box, click OK.


• The message Could not contact Director indicates either that Director is
not accessible by the ProxySG appliance or that Director has no appliance
certificate.
• Pre-staged device records only. The following error indicates that the
ProxySG appliance did not match the device record you created before
you registered the appliance:

Make sure the device record is correct—in particular, make sure the
device’s IP address and serial number match—and try again.

After Director and the device authenticate each other, registration is complete and
one of the following SNMP traps is generated:

| Condition | Node name | OID |
|---|---|---|
| Success | blueCoatDirectorSgChgSgAutoregistered | 1.3.6.1.4.1.3417.3.1.2.8 |
| Failure | blueCoatDirectorSgChgSgAutoregistrationFailed | 1.3.6.1.4.1.3417.3.1.2.9 |

Changing Passwords on Pre-Staged Devices (If Required)


Provided your pre-staged device records matched the devices you registered, you
do not need to change the devices’ passwords. However, if errors displayed
indicating that device records were not matched, Director sets the following
passwords to random strings known only to Director: admin user’s password,
enable mode password, and front panel PIN.
To change passwords on those devices, see "Setting Passwords for Newly
Registered Devices on Director" on page 92.

Changing Properties of a Registered Device


This section discusses how to change the following properties of a device you
have already registered with Director:
❐ Serial number
❐ Serial console password
❐ Front panel PIN

To change the properties of a registered device:


1. Click the Configure tab.
2. On the Configure tab page, in the Groups pane, click the name of the group to
which the device belongs.
If you are not sure, click the All system group.
3. In the Devices pane, right-click the name of the device.
4. From the pop-up menu, click Edit.
The Edit Device dialog box displays.
5. In the Edit Device dialog box, click Advanced Settings.
The Advanced Settings dialog box displays.
6. Click the Auto Registration tab.

The Auto Registration tab page displays as follows:

7. Enter or edit the following information:


Table 3–9

| Field | Description |
|---|---|
| Serial No | Enter the device’s serial number. Caution: Because the device serial number is tied to its appliance certificate, use caution before changing it. |
| Serial Console Password | Enter a new serial console password for the device. |
| Frontpanel Pin | Enter a new front panel PIN for the device. The front panel PIN is a four-digit number. Enter 0000 to clear the front panel PIN. |

Section F: Marking a Device As Configured


This section discusses how to optionally change a device’s state to Configured,
which can assist you in remembering which devices you have pushed profiles
or overlays to. For example, after adding or registering a device, you can apply
a profile or overlay to it and then mark the device’s state as Configured.

To change a device’s state to Configured:


1. Log in to the Management Console as discussed in "Connecting to Director
with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Groups pane, click the Registered group.
4. In the Devices pane, right-click the device name.
5. From the pop-up menu, click Mark As Configured.
An example follows:

The device moves from the Registered group to the Unassigned group.

Chapter 4: Adding and Connecting to Devices

This chapter discusses how to add devices and how to connect to them from
Director. Topics include:
❐ "About Adding Devices"
❐ "Adding Devices" on page 114
❐ "Connecting to a Device" on page 123
❐ "Changing the Authentication Protocol" on page 124
❐ "Marking a Device as Configured" on page 129

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

About Adding Devices


Adding ProxySG appliances (that is, devices) is an alternative to registering
devices, which is discussed in Chapter 3: "Registering Devices". You can add
one or more devices at a time to Director using either the Management Console
or the command line.
Adding devices differs from registering devices in the following ways:
❐ After you add a device, the device uses SSH Simple to authenticate itself
with and communicate with Director.
Blue Coat strongly recommends changing the protocol to SSH-RSA, which
is a separate, manual step.
After you register a device, however, the device uses the SSH-RSA protocol.
❐ All other configuration must be done manually after you add a device,
whereas if you register devices using pre-staged device records, you can
automatically add devices to groups; push passwords to devices; and
configure jobs to apply profiles and overlays to devices or groups of
devices.

Adding Devices
Use the Director Management Console’s New Device Wizard to add devices
using either of the following methods:
❐ Importing a device identification file
A device identification file is a text file that contains a comma-separated value
list of the data required to identify new devices. The New Device Wizard
includes a sample device identification file you can use as a template.
❐ Manually entering the required data

Note: If you add devices using a device identification file, you must enter data for
all fields in the correct order. Otherwise, the add device operation will fail and
errors will display.

To add a device, you must input the following data into the New Device Wizard.
Unless otherwise noted, all information is required for Director to add the device
and to communicate with the device.
Table 4–1 Required device information

| Required information | Description |
|---|---|
| Device name | A friendly name for the device that identifies the device in Director. |
| Device ID | A unique identifier for this device. The device ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $. |
| IP address | The device’s IP address. |
| Web port | The device’s HTTPS Console port. To find this value, log in to the ProxySG Management Console for the device and click Services > Management Services. The port value displays in the right pane in the Port column for HTTPS-Console. |
| Authentication port | SSH port; by default, port 22. |
| User name | Administrator user name of the device to manage. |
| Password | Administrator’s password. |
| Enable mode password | Enable mode password of the ProxySG device to manage. By default, the enable mode password is the same as the device’s administrator password. |
| Serial console password | Serial console password, if any, of the ProxySG device to manage. |
| Front panel PIN | Enter the front panel PIN, if one is configured for this device. The front panel PIN is an optional configuration setting discussed in the Installation Guide for your ProxySG appliance, and also in Command Line Interface Reference. |
| Serial number | Device’s hardware serial number, which is printed on a label affixed to the back panel of the device. The hardware serial number is displayed on the SGOS Management Console in any of the following: (1) On the Home page when you first log in to the Management Console. (2) In the ProxySG Management Console, click the Maintenance tab. In the right pane, click the Summary tab and in the left navigation pane, click System and Disks. The hardware serial number can also be found using the enable mode command show version. Refer to the Command Line Interface Reference for more information about using the SGOS command line. |
| Registered | Choose whether or not to register the device with this Director. |

See one of the following sections:
❐ "Adding a Device Using an Identification File"
❐ "Adding Devices Manually" on page 117

Adding a Device Using an Identification File


This section discusses how to add a device using a device identification file—a
comma-separated value (.csv) file containing information required to add the
device. For more information about the device identification file, including an
example, start the New Device Wizard and click the link to display an example
file.

Important:
• Before running the New Device Wizard, make sure your device
identification file has a value for every field and that every value is
separated by a comma character. Otherwise, the add device operation
will fail and errors will display. For assistance, view the sample file in
the New Device Wizard.
• The comma character is reserved for delimiting fields. Do not use
comma characters in other fields, such as the comment field. Doing so
causes device creation to fail.
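
A pre-import check for a device identification file, as an added example (not part of the guide or of Director): it applies the rules stated above, namely one value per field, no commas inside values, and a unique device ID of at most 250 characters without {, }, <, >, (, ), #, or $, and adds sanity checks for the IP address, the ports and the four-digit PIN. The column order (taken from Table 4–1), the sample rows and the yes/no values for Registered are assumptions; the authoritative layout is the sample file linked from the New Device Wizard.

```python
import ipaddress

# ASSUMPTION: column order follows Table 4-1 of the guide. Check it against
# the sample file in the New Device Wizard and pass your own list if it differs.
COLUMNS = ["device_name", "device_id", "ip_address", "web_port", "auth_port",
           "username", "password", "enable_password", "serial_console_password",
           "front_panel_pin", "serial_number", "registered"]
FORBIDDEN_ID_CHARS = set("{}<>()#$")   # from the Device ID description
MAX_ID_LENGTH = 250                    # from the Device ID description

# Constructed sample input: addresses, secrets and serial numbers are placeholders.
SAMPLE_FILE = """\
Branch proxy 1,sg-branch-01,192.0.2.10,8082,22,admin,EXAMPLE-PW,EXAMPLE-EN,EXAMPLE-SC,1234,0000000001,yes
Branch proxy 2,sg-branch(02),192.0.2.11,8082,22,admin,EXAMPLE-PW,EXAMPLE-EN,EXAMPLE-SC,12a4,0000000002,yes
Lab proxy, rack 3,sg-lab-03,192.0.2.12,8082,22,admin,EXAMPLE-PW,EXAMPLE-EN,EXAMPLE-SC,0000,0000000003,no
Branch proxy 4,sg-branch-01,192.0.2.300,8082,70000,admin,EXAMPLE-PW,EXAMPLE-EN,EXAMPLE-SC,4321,0000000004,no
"""


def _valid_port(value):
    return value.isascii() and value.isdigit() and 1 <= int(value) <= 65535


def validate_file(text, columns=COLUMNS):
    """Return (line_number, field, problem) tuples; an empty list means clean."""
    problems = []
    seen_ids = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        # Plain split with no quoting: the comma is reserved as the delimiter,
        # so a comma inside a value shows up as a wrong field count.
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != len(columns):
            problems.append((lineno, "fields",
                             f"expected {len(columns)} values, found {len(fields)}"))
            continue
        row = dict(zip(columns, fields))

        dev_id = row["device_id"]
        if not dev_id:
            problems.append((lineno, "device_id", "empty"))
        elif len(dev_id) > MAX_ID_LENGTH:
            problems.append((lineno, "device_id", "longer than 250 characters"))
        else:
            bad = sorted(FORBIDDEN_ID_CHARS & set(dev_id))
            if bad:
                problems.append((lineno, "device_id",
                                 "forbidden characters: " + " ".join(bad)))
        if dev_id in seen_ids:
            problems.append((lineno, "device_id",
                             f"duplicate of line {seen_ids[dev_id]}"))
        else:
            seen_ids[dev_id] = lineno

        try:
            ipaddress.ip_address(row["ip_address"])
        except ValueError:
            problems.append((lineno, "ip_address", "not a valid IP address"))

        for col in ("web_port", "auth_port"):
            if not _valid_port(row[col]):
                problems.append((lineno, col, "not a port number in 1-65535"))

        # Only a non-empty PIN is judged; the guide describes the PIN as optional.
        pin = row["front_panel_pin"]
        if pin and not (len(pin) == 4 and pin.isascii() and pin.isdigit()):
            problems.append((lineno, "front_panel_pin", "not a four-digit number"))
    return problems


if __name__ == "__main__":
    for lineno, field, problem in validate_file(SAMPLE_FILE):
        print(f"line {lineno}: {field}: {problem}")
```
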

To add a device by importing a device identification file:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, click Add Device(s).
4. Read the information that displays on the New Device Wizard and click Next.
The Import page displays as follows:

5. Select the import options:


| Option | Description |
|---|---|
| Click Here link | Click the link to view a sample device identification file. |
| Yes, import the appliance file at this location | Enter the absolute path and file name of your device information file, or click Browse to locate it. |
| No. I will manually enter the information | Manually enter device information. |

6. Click Next.

The imported appliance data displays on the Summary page.

7. Click Finish to return to the Configure tab page.


The added devices display in the All or Unassigned to Group categories in the
Group pane. To assign devices to groups, see Section A: "Setting Up and
Managing Device Groups" on page 132.

Adding Devices Manually


This section discusses how to manually add one or more devices.

To manually add devices:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, click Add Device(s).
4. Read the information that displays on the New Device Wizard and click Next.

The Import page displays as follows:

5. Click No and click Next.


The next page displays.

6. Place the cursor in the field in which to enter the following information and
use either the mouse or the Tab key to move between fields. Unless otherwise
noted, all information is required.
Note: Your input cannot include any of the characters listed in "Forbidden
Characters" on page 30.
Table 4–2 Adding a device manually

| Field | Description |
|---|---|
| Device Name | A friendly name for the device that identifies the device in Director. |
| Device ID | A unique alphanumeric identifier for this device. Important: The device ID cannot be changed later. |
| IP Address | The device’s IP address. Important: The IP address cannot be changed later. |
| Web Port | The device’s HTTPS Console port. To find this value, log in to the ProxySG Management Console for the device and click Services > Management Services. The port value displays in the right pane in the Port column for HTTPS-Console. |
| Auth Port | SSH port; by default, port 22. |
| Username | Administrator user name of the device to manage. |
| Password | Administrator’s password. |
| Enable Mode Password | Enable mode password, if any, of the device to manage. |
| Serial Console Password | Serial console password, if any, of the device to manage. |
| Front Panel PIN | Enter the front panel PIN, if one is configured for this device. The front panel PIN is an optional configuration setting discussed in Command Line Interface Reference. |
| Serial Number | The ProxySG device’s hardware serial number, which is printed on a label affixed to the back panel of the device. You can find the hardware serial number in any of the following ways: (1) Displayed on the SGOS Management Console: on the Home page when you first log in to the Management Console; or, in the SGOS Management Console, click the Maintenance tab, then in the right pane click the Summary tab and in the left navigation pane click System and Disks. (2) Using the show version command. |
| Registered | Choose whether or not to mark the device as registered with Director. Note: Marking a device as Registered is not the same as registering the device as discussed in Chapter 3: "Registering Devices". |

Note: A red border around a cell in the New Devices table indicates the data is
invalid.

7. (Optional) Click Add Row to enter information for another device.

8. When you are finished configuring devices, click one of the following:
• Previous to return to a previous page to change configuration information.
• Next or Last to display the Summary page.
The Summary page displays configuration about the devices you are adding
as follows:

9. Click Finish to return to the Configure pane.

The added devices display in the All or Unassigned to Group categories in the
Group pane. To assign devices to groups, see Section A: "Setting Up and
Managing Device Groups" on page 132.

Related CLI Syntax to Add Devices


This section discusses commands you can use to add devices; however, Blue Coat
recommends using the Director Management Console to add devices to Director
for the following reasons:
❐ You can add one device at a time using the CLI, but the New Device Wizard
allows you to add multiple devices at one time.
❐ The CLI requires you to enter the device ID in every command.
director (config) # device device_id
This changes the prompt to
director (config device "device_id") #

❐ Common Authentication Commands


For Director to connect to a device, you must enter the following commands at
minimum:
(config device device_id) # address hostname_or_ip_address
(config device device_id) # enable-password enable-password
(config device device_id) # web-config port port_number
(config device device_id) # protocol sshv2 port port_number

This command is required only if you use a port other than the default, 22.
(config device device_id) # front-panel-pin pin

This command is required only if a front panel PIN is set on the device.
❐ Commands for SSH Simple Authentication
SSH Simple authentication means Director uses an unencrypted user name
and password to authenticate itself with the device. Because the user name
and password are not encrypted, Blue Coat strongly recommends you use
SSH-RSA authentication as discussed in the next section.
For Director to authenticate itself with a device non-securely using SSH
Simple authentication, you must enter the following commands in addition to
the commands discussed in the preceding bullet point.
(config device device_id) # auth simple password password
(config device device_id) # auth simple username username

❐ Commands for SSH-RSA Authentication


For a device to authenticate securely with Director using SSH-RSA, you have
the following options:
• Add the device using SSH Simple authentication and upload keyrings to
the device to change it to SSH-RSA
The commands required to perform these tasks are discussed in this
section.
• Register the device with Director, which adds it and causes it to
authenticate using SSH-RSA in one step
SSH-RSA communication authenticates Director with devices using a secure
channel and private/public key cryptography. To authenticate, Director uses
a reserved user name director and a keyring stored on the device.
For Director to use SSH-RSA authentication, you must enter the following
commands in addition to the commands discussed in the bullet point about
simple authentication commands.
(config device device_id) # auth simple username username
(config device device_id) # auth simple password password

The auth simple username and auth simple password commands are
required for Director to use the device’s CLI to set up SSH-RSA
authentication.
(config device device_id) # auth rsa username director

This reserved user name is required for Director to authenticate the
device.
(config device device_id) # auth rsa key {copy device_id sshv1 | generate sshv2}

This command gives you the choice of copying a keyring from another
device or generating a new keyring for the device.
(config device device_id) # pushkey sshv2
(config device device_id) # authtype rsa
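
An added example (not Blue Coat code) that audits a planned or recorded CLI session against the command lists above: it reports devices that would stay on SSH Simple, devices missing one of the minimum connection commands, and SSH-RSA setups that omit a step such as pushkey sshv2 or use an RSA user name other than director. The session text, device IDs and secrets are constructed placeholders, and the finding codes are names chosen for this example.

```python
import re

# Prompt forms shown in the guide:  (config device device_id) #
# and  director (config device "device_id") #
PROMPT = re.compile(r'\(config device "?([^")\s]+)"?\)\s*#\s*(.+)$')

# Commands the guide lists as the minimum for Director to connect.
MINIMUM = [("address",), ("enable-password",), ("web-config", "port")]
# Commands the guide lists for switching a device to SSH-RSA.
RSA_SETUP = [("auth", "simple", "username"), ("auth", "simple", "password"),
             ("auth", "rsa", "username"), ("auth", "rsa", "key"),
             ("pushkey", "sshv2")]

# Constructed sample session; not captured from a real Director.
SAMPLE_SESSION = '''\
director (config) # device sg-branch-01
director (config device "sg-branch-01") # address 192.0.2.10
director (config device "sg-branch-01") # enable-password EXAMPLE-ENABLE
director (config device "sg-branch-01") # web-config port 8082
director (config device "sg-branch-01") # auth simple username admin
director (config device "sg-branch-01") # auth simple password EXAMPLE-PASS
director (config device "sg-branch-01") # auth rsa username director
director (config device "sg-branch-01") # auth rsa key generate sshv2
director (config device "sg-branch-01") # pushkey sshv2
director (config device "sg-branch-01") # authtype rsa
director (config) # device sg-branch-02
director (config device "sg-branch-02") # address 192.0.2.11
director (config device "sg-branch-02") # enable-password EXAMPLE-ENABLE
director (config device "sg-branch-02") # web-config port 8082
director (config device "sg-branch-02") # auth simple username admin
director (config device "sg-branch-02") # auth simple password EXAMPLE-PASS
director (config) # device sg-branch-03
director (config device "sg-branch-03") # address 192.0.2.12
director (config device "sg-branch-03") # enable-password EXAMPLE-ENABLE
director (config device "sg-branch-03") # auth simple username admin
director (config device "sg-branch-03") # auth simple password EXAMPLE-PASS
director (config device "sg-branch-03") # auth rsa username admin
director (config device "sg-branch-03") # auth rsa key generate sshv2
director (config device "sg-branch-03") # authtype rsa
'''


def parse_session(text):
    """Group commands by the device ID shown in the prompt."""
    devices = {}
    for line in text.splitlines():
        match = PROMPT.search(line.strip())
        if match:  # lines typed at the plain (config) prompt are skipped
            devices.setdefault(match.group(1), []).append(match.group(2).split())
    return devices


def _index(cmds, prefix):
    """Position of the first command that starts with prefix, or None."""
    for i, cmd in enumerate(cmds):
        if tuple(cmd[:len(prefix)]) == prefix:
            return i
    return None


def audit_device(cmds):
    findings = []
    for prefix in MINIMUM:
        if _index(cmds, prefix) is None:
            findings.append("MISSING " + " ".join(prefix))
    if _index(cmds, ("authtype", "rsa")) is None:
        # Added devices use SSH Simple until the protocol is changed.
        findings.append("SSH_SIMPLE")
        return findings
    for prefix in RSA_SETUP:
        if _index(cmds, prefix) is None:
            findings.append("MISSING " + " ".join(prefix))
    user = _index(cmds, ("auth", "rsa", "username"))
    if user is not None and cmds[user][3:] != ["director"]:
        findings.append("RSA_USERNAME_NOT_DIRECTOR")
    # ASSUMPTION: the key must exist before it is pushed, following the order
    # in which the guide lists the commands.
    key = _index(cmds, ("auth", "rsa", "key"))
    push = _index(cmds, ("pushkey", "sshv2"))
    if key is not None and push is not None and push < key:
        findings.append("PUSHKEY_BEFORE_KEY")
    return findings


def audit_session(text):
    return {dev: audit_device(cmds) for dev, cmds in parse_session(text).items()}


if __name__ == "__main__":
    for dev, findings in audit_session(SAMPLE_SESSION).items():
        print(dev, "OK" if not findings else ", ".join(findings))
```
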

Connecting to a Device
This section discusses how to connect to a device using the Management Console.
After you add a device, Director attempts to connect to it. If the connection is
unsuccessful, see the troubleshooting suggestions in Table 4–3.

To connect to a device:
1. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
2. Click the Configure tab.

(disconnected) displays next to the name of a device to which Director is
not currently connected.
3. In the Configure tab page, right-click the device to which to connect.
4. From the pop-up menu, click Reconnect.

If connection is successful, the icon changes to (connected).


If connection is unsuccessful, the reason displays in the Description pane,
similarly to the following:

The following table discusses common reasons for disconnection and
suggested workarounds:
Table 4–3 Troubleshooting disconnected devices

| Reason | Suggestion |
|---|---|
| Director cannot reach the device | If Director and the device it manages are across firewalls that prevent communication, Director cannot reach the device. To determine if this is the problem, log in to Director and ping the device. Use an SSH application to connect to Director, log in with its administrator user name and password, and enter ping device-ip-address at the director > prompt. If Director cannot ping the device, verify the device is powered on, functioning properly, and check firewall configurations to make sure the networks on which the device and Director are located can communicate with each other. |
| Incorrect device setup information | Incorrect information—including missing information—can prevent Director from communicating with a device. To determine if this is the problem, on the Configure tab page, right-click the device, and click Edit. Verify all information about the device, including all configured passwords and the front panel PIN, if configured. |
| Device is powered off or is malfunctioning | If the device is powered off or if its connection to the network failed, Director cannot communicate with it. Verify all of the following: (1) The device is powered on. (2) The switch or router port to which the device is connected is enabled and functioning. (3) The device’s Ethernet adapter is functional. See the Quick Start Guide or the Installation Guide for your appliance to verify it is functioning properly. |

Changing the Authentication Protocol


After a device has been added to Director, you should configure the system to use
SSH-RSA to authenticate Director with the devices it manages.
SSH-RSA has the following benefits:
❐ Securing the network. Devices that are authenticated have exchanged keys,
verified each other’s identity, and know which devices are trusted. Passwords
are not sent over the network.
❐ Preventing man-in-the-middle attacks. Using RSA public/private key
authentication prevents man-in-the-middle attacks by using the server's host
key to verify the other host’s identity. Because the man-in-the-middle cannot
access the private key, the attacker cannot decrypt the traffic between the
server and the client.
❐ Secure profiles. When you create a device profile using a source device that
communicates with Director using SSH-RSA, Director includes in the profiles
keyrings, certificates, and other settings that would otherwise be encrypted. If
the source device uses SSH Simple, however, these encrypted settings are
omitted from the profile.

❐ Securing protocols. Many protocols require authentication at each end of the
connection before they are considered secure. SSH-RSA authentication means
that each host verifies each other’s identity at each end of the connection.
The following table summarizes the differences between SSH Simple and SSH-RSA:

| Feature | SSH Simple | SSH-RSA |
|---|---|---|
| Is communication encrypted? | Yes | Yes |
| Are passwords sent over the network? | Yes | No |
| Is it vulnerable to man-in-the-middle attacks? | Yes | No |

Note: The process by which Director and devices authenticate with each other is
not to be confused with the process by which users authenticate with Director. For
more information about user authentication, see the following:
❐ To log in to the Director Management Console using SSH-RSA, see
Chapter 2: "Connecting to Director".
❐ The discussion of the aaa authentication and username commands in Chapter
3, Configuration Mode Commands, in the Blue Coat Director Command Line
Interface Reference Guide.

To change the protocol to SSH-RSA:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Make sure you are connected to the device for which to set the protocol.
To connect to a device, see "Connecting to a Device" on page 123.
4. On the Configure tab page, right-click the device on which to set the protocol.
5. From the pop-up menu, click Edit.

The Edit Device dialog displays as follows:

6. Click SSH-RSA.
In the RSA Username field, the name director automatically displays. director
is the only user name allowed for SSH-RSA communication.
7. To generate an RSA key, click Change Key at the bottom of the dialog box.

Director can create a new SSH-RSA keypair, or you can use a keypair from
another device that is currently connected to Director.
8. Do any of the following:
a. To generate a new keypair, click Generate a new keypair.
b. To re-use a keypair, click Use a keypair from another device and enter the
device ID.
9. Click OK.

10. Click Push key to device.


This step causes the key to be pushed to the device. Failure to push the key
results in incomplete configuration.
11. Click OK.
12. Verify the change by seeing if SSH-RSA is listed for the device under Device
Properties in the Properties pane.

An example follows:

After successfully adding the device and changing the protocol, continue
configuring the device as discussed in Chapter 5: "Managing Device Groups,
Profiles, and Overlays".

Marking a Device as Configured


This section discusses how to optionally change a device’s state to Configured,
which can assist you in remembering which devices you have pushed profiles or
overlays to. For example, after adding or registering a device, you can apply a
profile or overlay to it and then mark the device’s state as Configured.

To change a device’s state to Configured:


1. Log in to the Management Console as discussed in "Connecting to Director
with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Groups pane, click the Registered group.
4. In the Devices pane, right-click the device name.
5. From the pop-up menu, click Mark As Configured.
An example follows:

The device moves from the Registered group to the Unassigned group.

Chapter 5: Managing Device Groups, Profiles, and Overlays

This chapter discusses how to manage groups, profiles, overlays, and
substitution variables. Topics include:
❐ Section A: "Setting Up and Managing Device Groups" on page 132
❐ Section B: "Managing Folders for Profiles and Overlays" on page 140
❐ Section C: "Managing Profiles" on page 144
❐ Section D: "Managing Overlays" on page 159

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

Section A: Setting Up and Managing Device Groups


This section discusses Director groups, which can be used to associate devices
with similar characteristics (for example, model number, geographical location,
or function).
This section discusses the following topics:
❐ "About Director Groups"
❐ "Adding Custom Groups" on page 136
❐ "Removing a Custom Group" on page 138
❐ "Adding Devices to a Custom Group" on page 138

About Director Groups


If you have a number of ProxySG appliances that have similar characteristics,
such as configuration, location, or content requirements, you can create a group
and add the devices to the group.

Note:
❐ Only 500 devices can be viewed in the Director Management Console at one
time, even if the devices are managed by different Director appliances.
❐ A summary of tasks you can perform using system groups and custom
groups can be found in "Tasks Supported by Device Groups" on page 135.

Director supports the following types of groups:


❐ Custom groups, which you define.
❐ The following System groups:

| System group type | Description |
|---|---|
| All | All devices added to this Director. |
| Unassigned | All devices that do not belong to a custom group. |
| Registered | All devices that have been registered with Director. |
| Not Registered | All devices that have not been registered. |
| Model | Devices grouped by model number (for example, the SG 210 group displays all SG 210 devices). |
| OS Version | Devices grouped by SGOS version. |

Note: Director automatically nests Model and OS Version system groups;
however, this is not configurable. You cannot nest system groups, but you can
nest custom groups.

The following figure shows an example:

For more information about each type of group, see the following sections:
❐ "About System Groups"
❐ "About Custom Groups" on page 135

About System Groups


When devices are added to Director, they are placed in the All system group, a
Model group, and an OS Version group. Until the devices are assigned to a
custom group, they are also placed in the Unassigned system group.
Devices are removed from system groups only if the devices are deleted from
Director.
To add a device to a group, select the device in the All or Unassigned system
groups and drag and drop the device into the custom group of your choice.
The following figure shows an example:

Following is a brief description of each type of system group:


❐ All includes all devices Director manages.
❐ Unassigned includes only devices that have not been added to custom
groups.
❐ Registered includes devices that have been registered with Director as
discussed in Chapter 3: "Registering Devices".
Unless the device was previously added to a custom group, a device moves
from the Registered group to the Unassigned group after you mark it as
configured as discussed in Section F: "Marking a Device As Configured" on
page 110.
❐ Not Registered includes all devices that have not yet been registered with
Director.
❐ Model displays devices by model type. The figure displays several model
types (SG 200, SG 510, and so on). If you expand any node, the number of
devices of each device type displays.
The following figure shows an example of Director that manages one SG510-
10 and one SG510-B:

Note: Director automatically nests Model and OS Version system groups;
however, this is not configurable.
❐ OS Version displays devices by SGOS version. Similarly to the Model groups,
expanding a node displays the number of devices running that SGOS version.
The following figure shows an example of Director that manages one device
running SGOS 5.4.1.1 and one device running SGOS 5.4.1.3:

Note: Director automatically nests Model and OS Version system groups;
however, this is not configurable.

About Custom Groups


You can create as many custom groups as required, and groups can be nested in
other groups. When a device is assigned to a custom group, it is removed from the
Unassigned system group, but not from the All system group.
You can create custom groups before you add devices, or you can add devices
first. The two are independent of one another.

Tasks Supported by Device Groups


The following table summarizes which tasks can be performed on system and
custom groups using the Director Management Console or command line:

[Table: the check marks are not recoverable. Columns: Upgrade license; URL lists
and Regex lists; Configure jobs; Reboot device; Clear caches; Apply profiles and
overlays. Rows: Management Console (All system group; Model system group (a);
OS Version system group (b); Other system groups (c); Custom groups) and
Command line.]

a. Specifically, you can perform these tasks on individual groups such as SG 200, 510-C, 8100-20, and so on.
b. Specifically, you can perform these tasks on individual groups like SGOS 5.3, 4.2.7.1, and so on.
c. Other system groups mean the following: Registered, Not Registered, and Unassigned.

The table shows the following:


❐ The following actions can be performed on devices in any Director group
except Registered, Not Registered, and Unassigned system groups:
• Profiles and overlays can be applied
• Devices can be rebooted
• The object cache, byte cache, and DNS cache can be cleared
❐ Any task that can be performed by a configure job can be performed on the
All system group, groups in the Model system group, or groups in the OS
Version system group.
❐ URL lists and regular expression lists can be applied to the All system group,
groups in the Model system group, or groups in the OS Version system group.
❐ In addition to the preceding tasks, groups in the Model system group, or
groups in the OS Version system group enable you to:
• Upgrade device licenses
• Reboot devices
• Clear the DNS cache, the object cache, and the byte cache
❐ Custom groups and the command line enable you to perform all of the
preceding tasks on devices, either individually or in groups.

Where To Go Next
Continue with one of the following sections:
❐ "Adding Custom Groups"
❐ "Removing a Custom Group" on page 138
❐ "Adding Devices to a Custom Group" on page 138

Adding Custom Groups


This section describes how to add custom groups.

To add a custom group:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Groups pane, right-click Custom Groups.


4. From the pop-up menu, click Add Group.

5. Enter the following information:


Field Description
Group Name Enter a name to identify the group.
Group ID Enter a unique identifier that will be used in commands and
displayed in the Management Console to identify the group.
Note: The group ID cannot contain the following
characters: {, }, <, >, (, ), #, or $.
Description (Optional.) Enter an optional description for the group.

6. Click OK.
7. To create an additional group, do any of the following:
• Top-level group. Repeat the steps 1 through 4 to create a new top-level
group.
• Nested group. Click the group you just created, and right-click to add a
group that will be subordinate to the top-level group.
8. After the groups are created, drag and drop the devices into the desired
groups.
You can add a device to multiple groups.


You can move a nested group to a different top-level group by dragging and
dropping, and you can change a nested group to a top-level group by
dragging it under Custom Groups.

Removing a Custom Group


To remove a group, right-click the group name and, from the pop-up menu, click
Delete. Any devices in the group are moved to the Unassigned group; the devices
are not deleted.

Adding Devices to a Custom Group


When you add devices, Director automatically puts them in the Unassigned
group. This section discusses how to add devices from the Unassigned group to a
custom group, and how to add devices from one custom group to another custom
group.

To add devices to custom groups:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Add the devices as discussed in Chapter 3: "Registering Devices" or
Chapter 4: "Adding and Connecting to Devices".
4. Create one or more custom groups as discussed in "Adding Custom Groups"
on page 136.
5. Do any of the following:
Table 5–1 Adding devices to groups

Task: To add a device from a system group to a custom group
Steps:
1. In the Groups pane, click the system group that contains the device (for
example, Unassigned).
2. Drag the device from the system group to the desired custom group.
You are required to confirm the action.

Task: To add a device from a custom group to another custom group
Steps:
1. In the Groups pane, click the custom group that contains the device.
2. Drag the device to the desired group.
You are required to confirm the action.
This copies the device to the custom group.


Task: To move a device from one group to another group
Steps:
1. In the Groups pane, click the group that contains the device to move.
2. Drag the device to the desired group.
You are required to confirm the action.
This copies the device to the custom group.
3. Click the original group.
4. Right-click the name of the device from step 1.
5. From the pop-up menu, click Remove.
You are required to confirm the action.
This removes the device from the group, but does not delete the device from
Director.


Section B: Managing Folders for Profiles and Overlays


This section discusses how to create folders in which to organize profiles and
overlays. Creating folders is recommended in large deployments where you
might want to organize profiles and overlays by device location, function, or
other criteria.
Note: The same folders are used for profiles, overlays, jobs, and content
collections, enabling you to create custom folders on either the Configure, Jobs, or
Content tab pages.
Following is general information about creating folders:
❐ There are two types of folders: System and Custom
❐ System folders are divided into two subfolders that cannot be changed: All
and Unassigned
❐ All profiles, overlays, or jobs belong to the All system folder, even those that
have been added to custom folders.
❐ Profiles and overlays that have not been added to a custom folder belong to
the Unassigned system folder
❐ You can create profile and overlay folders only under Custom Folders
❐ You can nest custom folders
This section discusses the following topics:
❐ "Creating or Editing Folders"
❐ "Deleting Folders" on page 142
❐ "Removing or Copying Profiles or Overlays In Folders" on page 143

Creating or Editing Folders


This section discusses how to create or edit profile or overlay folders and
subfolders.

To create or edit profile folders and subfolders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Right-click Custom Folders in the Configuration Library section in the right
pane.
4. From the pop-up menu, click one of the following:
• To create a new folder, click New > New Folder.
• To edit an existing folder, click Edit.
The following figure shows an example of adding a new folder:


Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Table 5–2 Adding or editing a folder

Field Description
Folder Name Enter a name to identify the folder.
Folder ID Enter a unique identifier for the folder. You use the
folder ID, for example, to configure the folder using
the command line.
Note: The folder ID cannot be changed later.
Description Enter an optional description of the folder.

6. Click OK.
7. To create an additional folder, do any of the following:
• Top-level folder. Repeat the steps 1 through 6 to create a new top-level
folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop jobs into the desired folders as
follows:
a. From the Show list in the Configuration Library section on the
Configure tab page, click the object to put in a folder.
For example, to put a profile in a folder, from the Show list on the
Configure tab page, click Profiles or All.


b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a profile or overlay to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.

Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders
contained in the folder. Any profiles or overlays contained in those folders and
subfolders are moved to the Unassigned folder; they are not deleted.

To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Optional. To display profiles or overlays before you delete their containing
folders, on the Configure tab page, in the Configuration Library section, from
the Show list, click Profiles, Overlays, or All.
4. Right-click the name of the folder to delete.
5. From the pop-up menu, click Delete.
You are required to confirm the action. After deleting the folder, any profiles
or overlays contained in the folder or subfolders move to the Unassigned
system folder; they are not deleted.

Creating, Editing, or Deleting Folders from the Command Line


First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # comment comment
director (config folder folder_id) # create
director (config folder folder_id) # name name


Removing or Copying Profiles or Overlays In Folders


This section discusses how to perform the following tasks for profiles or overlays
stored in folders:
❐ Remove a profile or overlay from a custom folder and put it in the Unassigned
folder, without deleting the folder.
❐ Remove a profile or overlay from the Unassigned system folder and put it in a
custom folder.
❐ Copy a profile or overlay from one folder to another folder.

To remove or copy profiles or overlays in folders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. To display profiles or overlays before you remove or copy them, on the
Configure tab page, in the Configuration Library section, from the Show list,
click All.
4. Do any of the following:
• To remove the profile or overlay from the custom folder it is in now and
move it to the Unassigned system folder, right-click on the profile or
overlay and, from the pop-up menu, click Remove. You are required to
confirm the action.
• To move a profile or overlay from the Unassigned system folder to a
custom folder, click the profile or overlay and drag it to the desired custom
folder.
• To copy a profile or overlay to another custom folder, click the profile or
overlay and drag it to the desired custom folder.

Related Commands
First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # overlay overlay_id
director (config folder folder_id) # parent folder_id
director (config folder folder_id) # profile profile_id
director (config folder folder_id) # regex-list list_id
director (config folder folder_id) # url-list list_id


Section C: Managing Profiles


A profile is a set of configuration commands pulled from an existing ProxySG
appliance (the source device), saved in Director, and then applied to one or more
target devices. A profile configures one or more target devices identically to the
source device (with the exception of certain device-specific settings discussed in
"About Profiles and Device Settings" on page 147).

Important Information About Profiles


Blue Coat strongly recommends you understand all of the following before you
create a profile:
❐ "Best Practice for Creating Profiles"
❐ "Important Information About Platforms" on page 145

Best Practice for Creating Profiles


Director profiles are SGOS-version-specific and device-model-specific; executing
a profile created for a ProxySG appliance that runs a different SGOS version can
result in errors due to features that might not exist or that might have changed
between versions. (The same applies to different ProxySG models.)
A profile is a set of commands that transforms a ProxySG’s configuration from the
default for that version to its current configuration. The SGOS version value is an
integral part of a profile. In other words, the reason two identically configured
devices—one running SGOS 5.3.x and one running SGOS 5.4.x—have different
profiles is due to the fact their starting points (that is, default configurations) are
different.
This also explains why when you apply an SGOS 5.3.x profile to an SGOS 5.4.x
appliance you do not get the results you expect. The assumed starting point for
the series of commands is different and will likely result in an error when the
profile is executed.
Blue Coat recommends you use the following procedure to create and update
profiles for upgraded ProxySG appliances:
1. Create a profile for a device that runs a particular SGOS version.
For example, create a profile for an SG510 that runs SGOS 5.4.1.11.
2. After you upgrade that device, either create a new profile or refresh the
existing profile.
Continuing the example, upgrade the SG510 to SGOS 5.4.2.1 and refresh the
profile. (You can optionally create a new profile, for example, if you still need
the 5.4.1-based profile for other devices running SGOS 5.4.1.x.)
3. Upgrade other devices of the same model to the same SGOS version.
4. Execute the new profile on those devices.
Continuing the example, use the profile you created for the SG510 running
SGOS 5.4.2.1 on other SG510s that have been upgraded to 5.4.2.x only.


Do not execute the profile on SG210s, SG810s, and so on.
Do not execute the profile on other SG510s running SGOS 5.3.x, SGOS 4.x, or a
later SGOS version.

Important Information About Platforms


Because of the number of hardware platforms, software versions, and
configuration options available for devices, Blue Coat strongly recommends you
create very simple profiles and use overlays to further configure devices.
For example, some Blue Coat customers create a source profile that has WCCP
settings only and configure other device settings using overlays. Another use for
profiles and overlays is to selectively apply policies to certain devices. For
example, create a profile that contains everything except policies and push that
profile to all devices. Create overlays for each set of policies you want to apply
(for example, one set of policies for Instant Messaging content filtering and
another set of policies for Web content filtering). Selectively apply the overlays
to the desired devices.
For more information about overlays, see Section D: "Managing Overlays" on
page 159.

About Profiles
This section discusses the following topics about profiles:
❐ "About Profiles and Overlays"
❐ "About Profiles and Device Settings" on page 147

About Profiles and Overlays


Profiles work in conjunction with overlays and refreshables (filters) to configure
multiple devices the same way. Because profiles replace a device’s entire
configuration (with exceptions noted in "Settings Preserved On the Target Device"
on page 147) and overlays apply a subset of a device’s configuration, use an
overlay to change only certain configuration settings.
The following table summarizes the main differences between profiles and
overlays:
Table 5–3 Main differences between profiles and overlays

Feature Profiles Overlays
Performs a backup of the device first Yes No
Replaces the target device’s entire configuration Yes No
Applies a subset of device configuration to the target No Yes


Important: Because of the number of hardware platforms, software versions,
and configuration options available for devices, Blue Coat strongly
recommends you create very simple profiles and use overlays to further
configure devices.

Overlays are discussed in Section D: "Managing Overlays" on page 159.

Important Information About Profiles


Director profiles are SGOS-version-specific and device-model-specific;
executing a profile created for a ProxySG appliance that runs a different SGOS
version can result in errors due to features that might not exist or that might
have changed between versions. (The same applies to different ProxySG
models.)
A profile is a set of commands that transforms a ProxySG’s configuration from
the default for that version to its current configuration. The SGOS version value
is an integral part of a profile. In other words, the reason two identically
configured devices—one running SGOS 5.3.x and one running SGOS 5.4.x—
have different profiles is due to the fact their starting points (that is, default
configurations) are different.
This also explains why when you apply an SGOS 5.3.x profile to an SGOS 5.4.x
appliance you do not get the results you expect. The assumed starting point for
the series of commands is different and will likely result in an error when the
profile is executed.
Blue Coat recommends you use the following procedure to create and update
profiles for upgraded ProxySG appliances:
1. Create a profile for a device that runs a particular SGOS version.
For example, create a profile for an SG510 that runs SGOS 5.4.1.1.
2. After you upgrade that device, either create a new profile or refresh the
existing profile.
Continuing the example, upgrade the SG510 to SGOS 5.5.1.1 and refresh the
profile. (You can optionally create a new profile, for example, if you still
need the 5.4-based profile for other devices running SGOS 5.4.x.)
3. Upgrade other devices of the same model to the same SGOS version.
4. Execute the new profile on those devices.
Continuing the example, use the profile you created for the SG510 running
SGOS 5.5.1.1 on other SG510s that have been upgraded to 5.5.x only.
Do not execute the profile on SG210s, SG810s, and so on.
Do not execute the profile on other SG510s running SGOS 5.4.x, SGOS 4.x,
or a later SGOS version.


About Profiles and Device Settings


This section discusses which settings are preserved when a source profile is
created and which settings are removed.

Source Device Settings Removed


The following source device settings are removed when you create a profile:
❐ IP address, host name, and default gateway
❐ Passwords for the SGOS Management Console and for command line enable
mode
❐ Any command beginning with the following strings:
• interface (the entire submode)
• line-vty (the entire submode)
• accelerated-pac path or inline accelerated-pac
• security authentication-form path or inline authentication-forms
• bypass-list local-path or inline bypass-list
• ICP path
• license-key path
• policy local-path
• rip path
• socks-gateways path
• static-routes path
• WCCP path

❐ All licenses are removed, including third-party licenses like WebSense.

Settings Preserved On the Target Device


When you execute a profile, Director first issues a
restore-defaults keep-console command on the target device. This command
deletes the device’s configuration except for the following:
❐ IP interface settings, including VLAN configuration.
❐ Default gateway and static routing configuration.
❐ Virtual IP address configuration.
❐ Bridging settings.
❐ Failover group settings.
❐ Services, including services with assigned IP addresses.


The keep-console option also retains the settings for all consoles (Telnet, SSH,
HTTP, and HTTPS), whether they are enabled, disabled, or deleted.
Administrative access settings retained using the restore-defaults command
with the keep-console option include:
❐ Management Console user name and password.
❐ Front panel PIN.
❐ Command line enable mode password.
❐ SSH (v1 and v2) host keys.
❐ Keyrings used by secure management services.
❐ RIP configurations.

Settings Replaced on the Target Device


The following settings are replaced on the target device:
❐ Network DNS settings.
Note: Only the DNS settings under the Network menu in the SGOS
Management Console are replaced. DNS settings used by services (such as the
DNS proxy service) are not replaced.
❐ The appliance name (in other words, the name that displays in the device’s
Management Console under General > Identification). This name is not the same
as the device’s friendly name you set up in Director.
❐ All custom service groups and associated services (that is, everything under
the Services > Proxy Services menu in the SGOS Management Console).

About Secure Profiles


A secure profile is a profile created using a source device that authenticates with
Director using SSH-RSA. This profile includes the device’s SSL keys and all other
encrypted device settings. A secure profile can be applied to a secure or a non-
secure target.
Applying a secure profile to a non-secure target does not make the target secure.
To make the target secure, configure the target to use the SSH-RSA protocol with
Director as discussed in "Changing the Authentication Protocol" on page 124.
To create a secure profile, Director uses the create keyring show-director
command, which outputs all device keyrings. The command also outputs other
commands that would otherwise be encrypted (such as passwords and
certificates).
To create a non-secure profile, Director uses the create keyring no-show
command. This command excludes keyrings and other encrypted device settings
(such as passwords and certificates).


Note: A non-secure profile is a profile created using a source device that
authenticates with Director using SSH Simple. This type of profile includes no
SSL keyrings or other encrypted device settings (such as certificates and
passwords).
If a non-secure profile is applied to a secure device, SSL keys with the
show-director attribute are lost but the keys with the show attribute are
overwritten.
For information on creating SSL keys with the show-director attribute, refer to
Proxies and Proxy Services in the ProxySG Appliance Configuration and Management
Guide.

The following figure shows how these types of profiles display on the Configure
tab page of the Director Management Console:
Non-secure profile

Secure profile

The following icons indicate whether or not the profile is secure:


Table 5–4 Secure and non-secure profiles

Icon Meaning

Non-secure profile

Secure profile

Creating a Profile
Because a profile consists of settings from one device to apply to multiple
devices, first select the device that serves as the profile source. A profile
source must meet all of the following requirements:
❐ Be the same hardware type and software version as the devices to which you
plan to apply the profile.
In other words, if the source is an SG210 running SGOS version 5.3.0.2, the
targets must also be SG210s running SGOS version 5.3.0.2.
Executing a profile on a device with a different hardware type or version
results in errors that might result in unpredictable behavior. (For example,
some commands might not be available in earlier SGOS versions.)
❐ Include all the settings you want to apply to other devices.


❐ Blue Coat recommends all devices authenticate with Director using SSH-RSA.
If the profile source device uses SSH-RSA authentication, Director issues the
create keyring show-director command to the device, which outputs all
device keyrings. The command also outputs other commands that would
otherwise be encrypted (such as passwords and certificates).
On the other hand, if the device uses SSH Simple authentication, the profile
excludes keyrings and encrypted settings.
See "Changing the Authentication Protocol" on page 124 for more information
about changing from SSH Simple to SSH-RSA.

To create a new profile:


1. Before beginning, see "Important Information About Profiles" on page 144.
2. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
3. Click the Configure tab.
4. In the Configuration Library pane, from the Show list, click Profiles.
5. Right-click the folder in which to place the profile and click New > New Profile.
The New Profile or Edit dialog box displays similarly to the following:


6. Enter or edit the following information:


Table 5–5 Creating or editing a profile

Item Description
Profile Name field Enter a name for the profile.
Profile ID field Enter a unique identifier for the profile. You use
this ID when configuring the profile from the
command line.
Description field Enter an optional description of the profile.
Device option Click this option to select a device as the profile
source. After you click this option, the Select
Reference Device dialog box displays. Click the
source device or enter its device ID in the provided
field and click OK.
URL option Click this option and enter the fully-qualified URL
where the information is located.

7. Click OK.
The profile displays in the Configuration Library section similarly to the
following:

8. Edit the profile as discussed in the next section.


Editing a Profile
Blue Coat strongly recommends you edit every profile immediately after creating
it to remove or edit any commands that might cause problems on the target
device.
Examples follow:
❐ Remove commands that are not compatible with target devices
For example, remove SGOS version-specific commands. If for example you
created a profile using a source device running SGOS 5.4.1.1 and one or more
target devices run SGOS 5.2.x, remove commands that are specific to 5.4.1.1.
❐ Remove or edit commands that will fail on target devices
For example, if the source device has a bridge card but target devices do not,
remove bridging settings from the profile.

Important: Failure to edit the profile might result in the profile failing on the
device or device misconfiguration that might result in unpredictable
performance.

To edit a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library pane, from the Show list, click Profiles.
4. If required, expand the folders containing the profile.
5. Right-click the profile.
6. From the pop-up menu, click Edit.


The Edit dialog box displays similarly to the following:

7. Optional. To save a backup copy of the profile, place the cursor in the right
pane and click Control+A (select all), then paste the profile into a text editor
application and save it.
8. In the right pane, edit the commands in the profile to remove incompatible or
problematic commands.
For details about device commands, refer to Command Line Interface Reference
in the ProxySG Appliance Configuration and Management Guide.
9. Apply the profile to target devices as discussed in the next section.


Executing a Profile
You can execute a profile either immediately or as part of a scheduled job. When
you execute a profile, the following tasks are performed:
1. All target devices are backed up.
If the profile causes problems, you can recover the backup of the previous
configuration as discussed in Section A: "Backing Up Devices" on page 452.
2. Director sends all selected devices the restore-defaults keep-console
command.
This command restores device defaults except settings required for console
access. The keep-console option retains the settings for all consoles (Telnet-,
SSH-, HTTP-, and HTTPS-consoles), whether they are enabled, disabled, or
deleted.
3. The profile is executed on the targets.

To execute a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
profile.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. On the Configure tab page, in the Configuration Library section on the right,
expand the folders containing the profile to execute.
5. Click the name of a profile to execute.
6. Select the devices to which to apply the profile as follows:
• To apply the profile to a single device, click the name of the device in the
Devices pane.
• To apply the profile to a group, click the name of the group in the Groups
pane.
You can apply a profile to either system groups or custom groups.
Note: To execute a profile on more than one device or group, hold down the
Control key while clicking.


An example of executing a profile on one device follows:

7. In the lower right corner, click Execute.
You are required to confirm the action. If you are applying a non-secure
profile, the following message displays:

For a review of secure and non-secure profiles, see "About Secure Profiles" on
page 148.
8. Click Yes to apply the profile.

Note: When a profile is applied to a device, a backup of the device
configuration is performed. Click Launch Backup Manager for the device to see
details about the backup.


A dialog box displays the results of applying the profile. Carefully examine
the results for errors, which display in red text.
Use the following steps to determine if the profile executed properly:
a. Log in to the target device’s Management Console to see whether the
configuration item that caused the error succeeded.
Typical reasons configuration will not succeed include the following:
• The target device is not the same SGOS version as the source, so a
feature is not available on the target.
• The feature requires a license that does not exist on the target device.
b. Consult the following table, which shows a partial list of error
messages:
Table 5–6 Partial list of errors after executing a profile

Error message: Invalid input detected at '^' marker
Description:
• The target device does not have a given feature enabled, such as streaming
• A feature requires a license (such as RealMedia streaming)
• The profile was taken from a device with a different version number (in
other words, the command is not available on the older device)
• The failure is harmless (for example, setting the front panel PIN fails with
this error). The complete error message follows:
ip-or-hostname - Blue Coat SG210 Series#(config)security hashed-front-panel-pin "$1$YbFIjrEL$lUvDC6H4plalM1iQa1p3T/"
^
Error: Invalid input detected at '^' marker.

Error message:
Error: Keyring "passive-attack-protection-only-key" exists, delete keyring first
Error: Certificate "passive-attack-protection-only-key" already exists, delete existing certificate first
Description: The default passive-attack-protection-only-key keyring already
exists and does not need to be replaced.

156
Chapter 5: Managing Device Groups, Profiles, and Overlays

Section C: Managing Profiles

Table 5–6 Partial list of errors after executing a profile

Error message Description


ip-or-hostname - Blue Coat SG200 Check the target device to make sure the
Series#(config bridge name)failover bridge was created and associated with
group failover-group-ip the correct failover group.
Error: Failover group does not
exist
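
The triage that Table 5–6 describes, as an added example (not part of the guide and not a Blue Coat tool): it reads saved execution results, pairs each Error line with the command that produced it, and sorts the errors into harmless, investigate, or action. The sample results, the address, and the placeholder commands are constructed, and the layout of real results is assumed to follow the message shapes shown in the table.

```python
import re

# Constructed sample of execution results, modelled on the messages in
# Table 5-6. The address, "<hash>" and the two "placeholder-..." commands are
# made up for this example and are not real SGOS commands.
SAMPLE_RESULTS = """\
192.0.2.10 - Blue Coat SG210 Series#(config)security hashed-front-panel-pin "<hash>"
                                            ^
Error: Invalid input detected at '^' marker.
192.0.2.10 - Blue Coat SG210 Series#(config)placeholder-streaming-command
                                            ^
Error: Invalid input detected at '^' marker.
192.0.2.10 - Blue Coat SG210 Series#(config)placeholder-keyring-command
Error: Keyring "passive-attack-protection-only-key" exists, delete keyring first
Error: Certificate "passive-attack-protection-only-key" already exists, delete existing certificate first
192.0.2.10 - Blue Coat SG210 Series#(config bridge name)failover group failover-group-ip
Error: Failover group does not exist
"""

# Prompt lines: "<device> - <model banner>#(<config mode>)<command>"
PROMPT_RE = re.compile(
    r"^(?P<device>\S+) - .*?#\((?P<mode>config[^)]*)\)\s*(?P<command>.*)$"
)

HARMLESS, INVESTIGATE, ACTION = "harmless", "investigate", "action"


def classify(command, error):
    """Map one error to (severity, reason) using the rows of Table 5-6."""
    command = command or ""
    if "Invalid input detected at '^' marker" in error:
        if "hashed-front-panel-pin" in command:
            return HARMLESS, "setting the front panel PIN fails with this error"
        return INVESTIGATE, ("feature not enabled, license missing, or profile "
                             "taken from a different SGOS version")
    if "passive-attack-protection-only-key" in error and "exists" in error:
        return HARMLESS, "default keyring already exists; no replacement needed"
    if "Failover group does not exist" in error:
        return ACTION, ("check that the bridge was created and associated "
                        "with the correct failover group")
    return INVESTIGATE, "not covered by the partial list in Table 5-6"


def triage(results):
    """Return one finding per Error line, tied to the last command seen."""
    findings = []
    device = command = None
    for raw in results.splitlines():
        line = raw.strip()
        prompt = PROMPT_RE.match(line)
        if prompt:
            device, command = prompt.group("device"), prompt.group("command")
        elif line.startswith("Error:"):
            severity, reason = classify(command, line)
            findings.append({
                "device": device,
                "command": command,
                "error": line,
                "severity": severity,
                "reason": reason,
            })
    return findings


def needs_attention(findings):
    """Findings that still require a look at the target device."""
    return [f for f in findings if f["severity"] != HARMLESS]


if __name__ == "__main__":
    for f in triage(SAMPLE_RESULTS):
        print(f"{f['severity']:<12}{f['device']}  {f['command']}")
        print(f"{'':<12}{f['reason']}")
```

Anything the script marks as investigate or action still has to be confirmed in the target device's Management Console, as step a above describes.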

Commands Related to Creating, Editing, or Executing Profiles


director (config) remote-config
director (config remote-config) profile profile_id
(config remote-config profile profile_id) # comment
(config remote-config profile profile_id) # create
(config remote-config profile profile_id) # execute {addr-device ip_address_or_hostname | all | device device_id | group group_id} [errors-only]
(config remote-config profile profile_id) # input
(config remote-config profile profile_id) # name name

Copying a Profile
Copying a profile is a convenient way to create a similar profile without having to
create it from scratch.

To copy a profile:
1. Create a profile as discussed in "Creating a Profile" on page 149.
2. In the Management Console, click the Configure tab.
3. In the Configure tab page, right-click a profile in the Configuration Library
section.
4. From the pop-up menu, click Copy.
5. Enter or edit the following information:
   Field          Description
   Profile Name   Enter a unique name to identify this profile.
   Profile ID     Enter a unique identifier for the profile.
   Description    Enter an optional description of the profile.

6. Click OK.
The profile displays in the Configuration Library section.
7. Right-click the profile you just copied.
8. From the pop-up menu, click Edit.

9. Change the profile as required. When you are finished editing the profile, click
OK.

For information about the options available for a profile, see "Editing a
Profile" on page 152.
10. Optionally drag the profile into a profile folder or create a new profile folder
for it as discussed in "Creating or Editing Folders" on page 140.

Refreshing or Deleting Profiles


You can refresh or delete individual profiles. If you are using the configuration of
a specific device as the template for your profile, use the refresh feature to update
the profile when the device configuration changes.

To refresh or delete a profile:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section on the right side of the page, expand the
profile folders containing the profile to refresh or delete.
4. Right-click the profile.
5. From the pop-up menu, click Refresh or Delete.
You are required to confirm the action.

Related CLI Syntax to Refresh or Delete a Profile


director (config) # no remote-config profile profile_id
(config remote-config profile profile_id) # refresh [device device_id | url url]
(config remote-config profile profile_id) # refresh

Section D: Managing Overlays


An overlay is a collection of one or more individual configuration settings (such as
time, WCCP, or local policy) that can be applied to one or more devices. An
overlay is designed to change settings created by a profile or to add new settings
not covered in the profile.
This section discusses the following topics:
❐ "Important Information About Using Overlays" on page 159
❐ "Creating an Overlay" on page 163
❐ "Executing an Overlay Immediately" on page 168
❐ "Adding VPM Policy to an Overlay" on page 171
❐ "Copying Overlays" on page 175
❐ "Deleting Overlays" on page 176

Important Information About Using Overlays


This section discusses information you need to understand before using overlays:
❐ "Important Information About Overlays and SGOS Versions"
❐ "General Tips" on page 159
❐ "Executing Overlays that Depend on Databases" on page 160

Important Information About Overlays and SGOS Versions


Before you execute an overlay, make sure you understand the following
information:

Important: Due to the number of CLI changes between SGOS versions, Blue
Coat strongly recommends you apply overlays only to devices running the
same major SGOS revision. In other words, do not apply an overlay created on
a device running SGOS 5.3.x to a device running SGOS 5.2.x. Doing so can
result in errors that might affect how the device functions in the network.
In particular, avoid executing overlays that contain policies on devices running
different SGOS versions because those policy commands can be incompatible.

General Tips
Following are tips you can use when executing overlays:
❐ If you choose to use CLI commands in overlays, be aware that by default,
commands execute in privileged configure mode on the device. (Privileged
mode is also referred to as configuration mode.)
To execute commands that run in privileged mode, you must first exit
privileged configure mode on the device using the exit command. For
example, to update licensing immediately, enter the following commands:
exit
licensing update-key

❐ You can apply an overlay immediately or you can schedule it to run later as
part of a job.
❐ Director does not check overlays for syntax, validity, or version compatibility,
so make sure overlay commands are from the same version as the targeted
device.
❐ Create a backup of the device configuration before pushing the new overlay in
case the overlay needs to be reverted.
Because a profile saves a device backup and an overlay does not, consider
executing a simple profile on a target device before executing an overlay. In the
event of errors, you can recover the device backup and apply the overlay
again. (You can schedule a profile and an overlay in the same job.)
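
Because Director does not check overlays for version compatibility, the check can be done before the overlay is executed. The following is an added example (not part of the guide and not a Director feature) that compares the SGOS revision an overlay was built on with each target and excludes mismatches, noting when the overlay also carries policy commands. The device names, versions, and overlay text are constructed, and the source version is assumed to be recorded by the operator; the policy markers are the ones this guide gives for policy commands (!- BEGIN policy tags and commands starting with inline policy).

```python
import re

# Markers this guide gives for policy commands in a profile or overlay.
POLICY_MARKERS = ("!- BEGIN policy", "inline policy")

# Constructed overlay text; the policy body is elided on purpose.
OVERLAY_TEXT = """\
!- BEGIN policy
inline policy local EOF
; constructed placeholder, policy body elided
EOF
!- END policy
exit
licensing update-key
"""

# Constructed inventory: device name -> SGOS version reported for it.
TARGETS = {
    "sg-branch-01": "5.3.1.2",
    "sg-branch-02": "5.2.4.1",
    "sg-lab": "unknown",
}


def major_revision(version):
    """'5.3.1.2' -> (5, 3). The guide treats 5.3.x and 5.2.x as different."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.|\s*$)", version)
    if not m:
        raise ValueError(f"unrecognised SGOS version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def contains_policy(overlay_text):
    """True if any line opens a policy block or starts an inline policy."""
    return any(
        line.strip().startswith(POLICY_MARKERS)
        for line in overlay_text.splitlines()
    )


def preflight(overlay_text, source_version, targets):
    """Split targets into devices safe to execute on and devices to hold back."""
    source = major_revision(source_version)
    has_policy = contains_policy(overlay_text)
    result = {"allowed": [], "blocked": []}
    for device, version in targets.items():
        try:
            revision = major_revision(version)
        except ValueError:
            result["blocked"].append((device, version, "SGOS version not recognised"))
            continue
        if revision == source:
            result["allowed"].append(device)
            continue
        reason = (f"overlay built on {source[0]}.{source[1]}.x, "
                  f"device runs {revision[0]}.{revision[1]}.x")
        if has_policy:
            reason += "; overlay contains policy commands"
        result["blocked"].append((device, version, reason))
    return result


if __name__ == "__main__":
    report = preflight(OVERLAY_TEXT, "5.3.2.1", TARGETS)
    print("execute on:", ", ".join(report["allowed"]))
    for device, version, reason in report["blocked"]:
        print(f"hold back {device} ({version}): {reason}")
```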

Executing Overlays that Depend on Databases


This section discusses tasks you must perform to execute an overlay that depends
on a database (for example, to configure policies that depend on the content
filtering database). In particular, you must first download the database on the
target device and verify the database is populated with the appropriate data.
Otherwise, configuring policies that depend on data in the database will fail.
The following table provides a high-level overview of the tasks you must
perform:
Table 5–7 Task summary for overlays that depend on databases

1. Create a profile that performs basic configuration.
   Description: Create a profile that has minimal configuration; that way, you
   know the device’s starting configuration but introduce a minimum number of
   variables to troubleshoot in the event of problems.
   Because executing a profile first backs up the device, you can restore from
   backup later in the event of problems.
   For more information: "Creating a Profile" on page 149

2. Create an overlay that downloads the database.
   Description: You can do this either using the device’s Management Console or
   using its command line.
   If you use the command line, see the description of the content-filter
   command and subcommands in Chapter 3, Privileged Mode Configure Commands, in
   Command Line Interface Reference in the ProxySG Appliance Configuration and
   Management Guide.
   For example, to download the Blue Coat Web Filtering database, use the
   following commands in the overlay:
       content-filter
       bluecoat
       download get-now
   For more information: "Creating an Overlay" on page 163

3. Create a job that executes the database-loading overlay.
   Description: Creating the job is straightforward; however, when you view the
   job results later, ignore timeouts. Timeout errors when loading a large
   database are usually harmless. Schedule the job during a time when there is
   minimal network activity.
   For more information: Chapter 8: "Creating, Scheduling, and Managing Jobs"

4. Create overlays that perform other database-related configuration (for
   example, policies).
   Description: The tasks you perform in this step depend on how your policies
   are set up. You must create one or more overlays that configure your local
   policy, forward policy, central policy, and VPM policies that depend on the
   database you loaded in the preceding overlay.
   To add policies to the overlay, use refreshables fetched from the source
   device (that is, the device on which the policies were originally created).
   You can edit refreshables to add additional commands as well.
   Tip: To make the process easier, create a profile from a source device that
   is already configured with the desired policy settings. Add selected policy
   commands from that profile to the overlay with the Using CLI option
   discussed in step 8 in "Creating an Overlay" on page 163.
   (Policy commands are grouped inside !- BEGIN policy and !- END policy tags;
   commands themselves start with inline policy.)
   For more information:
   • "Creating an Overlay" on page 163
   • For information about policies, refer to Volume 6: The Visual Policy
     Manager and Advanced Policy in the ProxySG Appliance Configuration and
     Management Guide.
   • For information about commands related to policies, refer to the
     description of the inline command in Chapter 2, Standard CLI and
     Privileged Mode Commands, in Command Line Interface Reference in the
     ProxySG Appliance Configuration and Management Guide.

5. Execute the profile.
   Description: Executing a profile first backs up the device so you can start
   over if necessary.
   As discussed earlier, Blue Coat strongly recommends executing very simple
   profiles to make troubleshooting easier in the event of problems.
   For more information: "Executing a Profile" on page 154

6. Execute the database-loading job.
   Description: Execute the job that loads the database; you configured this
   job as discussed in step 3.
   Note: When you view the job results, ignore timeouts. Timeouts when loading
   a large database are usually harmless. To speed up the job, schedule it
   during a time when there is minimal network activity.
   For more information: You can execute the job in any of the following ways:
   • "Executing a Job Immediately" on page 274
   • Section C: "Scheduling Jobs" on page 274

7. Verify the database is available and populated with data.
   Description: This task can be performed manually or using an overlay that is
   optionally executed in a job.
   Because the time required to load the database varies with the size of the
   database, network latency, and other factors, use your past experience or
   run a job periodically to check its status.
   Use the following command to show the status of the database:
       show content-filter {bluecoat | i-filter | intersafe | iwf | local | optenet | proventia | smartfilter | surfcontrol | status | websense | webwasher}
   For more information: Chapter 2, Standard and Privileged Mode Commands, in
   Command Line Interface Reference in the ProxySG Appliance Configuration and
   Management Guide.

8. Execute the other overlays.
   Description: Execute the overlays you created as discussed in step 4.
   For more information: "Creating an Overlay" on page 163

Continue with one of the following sections:


❐ "Creating an Overlay"
❐ "Executing an Overlay Immediately" on page 168
❐ "Adding VPM Policy to an Overlay" on page 171

Creating an Overlay
This section discusses how to create an overlay. Before continuing, review the
information discussed in "Important Information About Using Overlays" on page
159.

To create an overlay:
1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section on the right side of the page, from the
Show list, click Overlays.

4. If necessary, create folders in which to store the overlays as discussed in
Section B: "Managing Folders for Profiles and Overlays" on page 140.
5. Right-click the folder in which to store the overlay.
6. From the pop-up menu, click New > Overlay.
The Create new Overlay dialog box displays.
The following figure shows the Properties section of the Create new Overlay
dialog box:

[Figure: Properties section of the Create new Overlay dialog box, with callouts 7a through 7d]

7. Configure the Overlay properties:


a. In the Overlay Name field, enter the name of the overlay.
b. In the Overlay ID field, enter a unique identifier for this overlay. You use
the Overlay ID to configure the overlay from the command line.
Note: You can later change the name of the overlay but not the Overlay
ID.
c. (Optional) In the Description field, enter a description of the overlay.

d. (Optional) Select a source device or a URL to add refreshables to the
overlay. Refreshables are whole files that reside on the device. They
contain configuration and policy options that can be pulled from a
device or URL and refreshed as part of a job.

8. In the Add to Overlay section, make the following selections:


• "Adding to the Overlay Using the Management Console"
• "Adding to the Overlay Using the CLI" on page 166
• "Adding to the Overlay Using Refreshables" on page 166

Adding to the Overlay Using the Management Console


This section discusses how to add overlay settings using the device’s
Management Console, which is useful when you do not know the required CLI
commands.

To add overlay settings using the device’s Management Console:


1. Complete the preceding tasks in this procedure.
2. In the Add to Overlay section, click Using Device Management Console and click
(Browse).
A list of available devices displays.
3. Click the name of the device.
4. Click Launch to open the target device’s Management Console.
5. Use the Management Console to choose settings to add to the overlay.
6. Click Save to Overlay Editor to add only the settings you changed to the overlay
or click Cancel to exit the Management Console without making changes.

If you changed existing WCCP settings (Configuration > Network > WCCP), after
you click Add to Overlay, the following dialog box displays:

You have the following options:


• Overwrite All: Replace the existing WCCP settings in the overlay with the
ones you just selected.
• Discard All: Use the existing WCCP settings in the overlay instead of the
ones you just selected.
• Resolve Conflicts: Displays the following confirmation dialog box:

You have the following options:


• Yes: Equivalent to selecting Overwrite All.
• No: Equivalent to selecting Discard All.
7. Continue with one of the following sections:
• "Adding to the Overlay Using the CLI"
• "Adding to the Overlay Using Refreshables" on page 166

Adding to the Overlay Using the CLI


This section discusses how to add SGOS command-line commands to an overlay.

To add commands to an overlay:


1. Complete the preceding tasks in this procedure.
2. In the Add to Overlay section, click Using CLI.
Enter the commands in the dialog box.
If you choose to use CLI commands in overlays, be aware that by default,
commands execute in privileged configure mode on the device. (Privileged
mode is also referred to as configuration mode.)
To execute commands that run in a privileged mode, first enter exit. For
example, to force a license key update, enter the following commands:
exit
licensing update-key force

For more information about privileged mode and privileged mode configure
commands, refer to Command Line Interface Reference in the ProxySG Appliance
Configuration and Management Guide.
Note: The commands are not checked for validity or syntax.
3. When you are finished, click OK to add the commands to the overlay or click
Cancel to quit without adding the commands.
4. Continue with one of the following sections:
• "Adding to the Overlay Using the Management Console" on page 164
• "Adding to the Overlay Using Refreshables"

Adding to the Overlay Using Refreshables


This section discusses how to add SGOS refreshables to an overlay.

To add refreshables to an overlay:


1. Complete the preceding tasks in this procedure.
2. In the Properties section, click either the name of a device from which to get
the refreshables or enter a URL from which to get the refreshables.
3. In the Add to Overlay section, click Refreshables.
4. Select the check box next to every refreshable to add to the overlay.
5. Click Add.

The following figure shows an example:

The selected refreshables display in the Overlay Settings section in the right
pane.
6. Click one of the following:
• In the add or edit dialog box, click OK to save changes to the Director
overlay.
• In the Overlay Settings pane, click the name of a refreshable and click Edit
to edit the commands that add that refreshable to the overlay.
• In the Overlay Settings pane, click the name of a refreshable and click
Delete to delete that refreshable from the overlay.
• In the Overlay Settings pane, click the name of a refreshable and click View
to view the commands associated with that refreshable.

If you included Refreshables in the overlay, a confirmation dialog box similar
to the following displays:

7. Click Yes to fetch the refreshables from the device.

Commands Related to Creating and Editing Overlays


First, enter the following command to enter overlay submode:
director (config) # remote-config overlay overlay_id
This command changes the prompt to:
director (config remote-config overlay overlay_id) #
Then enter the following commands:
(config remote-config overlay overlay_id) # comment overlay_comment
(config remote-config overlay overlay_id) # copy new_overlay_id
(config remote-config overlay overlay_id) # create

Executing an Overlay Immediately


You can execute an overlay immediately or at a later date, as part of a job.

Important: Due to the number of CLI changes between SGOS versions, Blue
Coat strongly recommends you apply overlays only to devices running the
same major SGOS revision. In other words, do not apply an overlay created on
a device running SGOS 5.3.x to a device running SGOS 5.2.x. Doing so can
result in errors that might affect how the device functions in the network.
In particular, avoid executing overlays that contain policies (including VPM) to
devices running different SGOS versions because policy commands can be
incompatible in different SGOS versions.

To apply an overlay immediately:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
overlay.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. In the Configuration Library section on the right side of the page, from the
Show list, click Overlays.

5. If necessary, create an overlay as discussed in "Creating an Overlay" on page
163.
6. Expand the folder containing the overlay to execute.
7. Optional. To refresh the commands in the overlay, click Actions > Refresh
Overlay.

8. Click the name of the overlay to execute.


9. Select the devices on which to execute the overlay as follows:
• To execute the overlay on a single device, click the name of the device in
the Devices column.
• To execute the overlay on all devices in a group, click the name of the group
in the Groups column.
You can execute an overlay on either a system group or a custom group.
Note: To execute an overlay on more than one device or group, hold down the
Control key while clicking.

The following figure shows an example of executing an overlay on multiple
devices:

10. Click Execute.


You are required to confirm the action. When completed, an Execution Results
dialog box displays.

Command to Execute an Overlay


(config remote-config overlay overlay_id) # execute addr-device ip_address_or_hostname [errors-only]

Adding VPM Policy to an Overlay


The Visual Policy Manager (VPM) is a graphical interface policy editor that is
included with the ProxySG appliance. The VPM allows you to define Web access
and resource control policies without having in-depth knowledge of Blue Coat
Content Policy Language (CPL). VPM policy is one of the refreshables that can be
added to an overlay.
In Director, you can use the VPM graphical interface from the ProxySG appliance
(instead of the command line) to create policy and apply that policy to target
devices as part of an overlay.
You can edit the VPM refreshable from the Overlay Settings editor from within
Director, or using the Management Console viewer of the selected device. You
may want to use the Overlay Settings editor if you are editing only the VPM
refreshable.
You can add a VPM section to the Overlay using any of the following methods:
❐ Use the Management Console to populate the VPM of a device and save an
edited copy of that policy file as an Overlay settings section.
❐ Add a VPM Refreshable using a source device or URL. This displays an empty
VPM policy overlay setting section that is populated if you click Refresh.

Note: Refreshing an overlay refreshes all sections that can be refreshed,
regardless of whether custom edits are made.

For more information about using the VPM graphical interface, refer to
Volume 6: The Visual Policy Manager and Advanced Policy. To learn about writing
policy, refer to Content Policy Language Guide in the Blue Coat ProxySG
Configuration and Management Guide.

To edit a VPM Settings Section using the Overlay Settings Editor:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
overlay.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. In the Configuration Library section, from the Show list, click Overlays.
5. Expand the folder containing the overlay to edit.
6. Right-click the overlay to edit.
7. From the pop-up menu, click Edit.

The Edit existing Overlay dialog box displays.

8. In the Overlay Settings section, select VPM and click Edit.


The Blue Coat Visual Policy Manager dialog box displays, similar to the
following:

9. Use the VPM dialog box to make any policy changes.

10. Click File > Save Policy to Overlay Editor.


The View Generated CPL dialog box displays. This dialog displays the policy
changes you just made and allows you to view the changes in the Content
Policy Language (CPL) mode.
11. When you finish viewing the policy changes, close both the CPL and VPM
dialog boxes.
12. Save changes to the overlay. Use the following methods:
a. In the Edit existing Overlay dialog box, click OK. This saves the setting
changes you made to the overlay.

b. Click Yes to fetch the refreshables and save them on the device.

To add a VPM Settings section using the Management Console viewer:


Use the Management Console viewer if you want to add VPM settings sections
along with other refreshable settings sections.
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the
overlay.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Configure tab.
4. In the Configuration Library section, from the Show list, click Overlays.
5. Right-click the overlay to edit.
6. From the pop-up menu, click Edit.
The Edit existing Overlay dialog box displays.
7. In the Add to Overlay section, click Using Device Management Console and then
click (browse).

The Select Reference Device dialog box displays a list of available devices.
8. In the Select Reference Device dialog box, click the reference device to be the
source for the VPM settings and click OK.
9. Click Launch.
The Management Console viewer displays.

10. Click Policy > Visual Policy Manager, then click Launch.
The Blue Coat Visual Policy Manager dialog box displays settings that were
saved in the Director overlay. If there were no previous settings that were
saved in the Director overlay, the VPM dialog box is initially populated with
policy settings from the reference device.

11. Use the VPM dialog box to make any policy changes.

12. Click one of the following:


• To save the changes you made, click File > Save Policy to Overlay Editor.
• To cancel without making the changes, click File > Revert to Policy on
Reference SG Appliance.

Copying Overlays
Copying an overlay is a convenient way to create similar overlays without having
to create them from scratch.

To copy an overlay:
1. Create an overlay as discussed in "Creating an Overlay" on page 163.
2. In the Management Console, click the Configure tab.
3. On the Configure tab page, from the Show list, click Overlays.
4. In the Configuration Library section, expand the folder containing the overlay
to copy.
5. Right-click the overlay.
6. From the pop-up menu, click Copy.
7. Enter or edit the following information:
   Field          Description
   Overlay Name   Enter a unique name to identify this overlay.
   Overlay ID     Enter a unique identifier for the overlay.
   Description    Enter an optional description of the overlay.

8. Click OK.
The overlay displays in the Configuration Library section.

9. Right-click the overlay you just copied.


10. From the pop-up menu, click Edit.
11. Change the overlay as required.
12. When you are finished editing the overlay, click OK.

Commands to Execute Overlays


(config remote-config overlay overlay_id) # execute addr-device ip_address_or_hostname [errors-only]

Deleting Overlays
This section discusses how to refresh or delete individual overlays.

To delete an overlay:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, from the Show list, click Overlays.
4. In the Configuration Library section, expand the folder containing the overlay
to delete.
5. Right-click the overlay to delete.
6. From the pop-up menu, click Delete.
You are required to confirm the action.

Related CLI Syntax to Manage Overlays


director (config) # remote-config overlay overlay_ID
director (config remote-config overlay overlay_ID) #
director (config remote-config overlay overlay_ID) # comment comment
director (config remote-config overlay overlay_ID) # copy new_overlay_ID
director (config remote-config overlay overlay_ID) # create
director (config remote-config overlay new_overlay_ID) # input
director (config remote-config overlay new_overlay_ID) # name name
director (config remote-config overlay new_overlay_ID) # reference
director (config remote-config overlay new_overlay_ID) # refresh

Section E: Comparing Profiles or Overlays


This section discusses how to compare two profiles or two overlays using the
Management Console.

To compare profiles or overlays:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Configuration Library section, from the
Show list, click Profiles or Overlays.

4. Expand the profile folders containing the profiles or overlays to compare.


5. Hold down the Control key while you click the two profiles or overlays to
compare.
6. Right-click either profile or overlay.
7. From the pop-up menu, click Diff.
An example follows:

The Diff Profiles dialog box displays, similar to the following:

[Figure: Diff Profiles dialog box, with callouts for the function buttons and the legend]

8. Use the legend at the bottom of the dialog box to interpret the results.
9. Use the function buttons as follows:
Table 5–8 Diff Profiles dialog box function buttons

   Button      Meaning
   Search      Displays a search field so you can search for text. Diff
               searching supports text searching only and not logic
               like Boolean or regular expressions.
   Find next   Used in conjunction with the Search button to perform
               the same search again.
   Prev diff   The cursor in the right pane moves to the previous
               difference.
   Next diff   The cursor in the right pane moves to the next
               difference.
   Save as     Saves the difference file in unified format, which uses
               plus and minus signs to indicate differences: each line
               that occurs only in the left file is preceded by a minus
               sign, each line that occurs only in the right file is
               preceded by a plus sign, and common lines are
               preceded by a space.

Commands Related to Comparing Profiles and Overlays


director (config) # remote-config diff {unified | context} overlays first_overlay_id second_overlay_id
director (config) # remote-config diff {unified | context} profiles first_profile_id second_profile_id

where:
• context format uses an identification line for each file, containing the
filename and modification date.
• unified uses plus and minus signs to indicate differences: each line that
occurs only in the left file is preceded by a minus sign, each line that
occurs only in the right file is preceded by a plus sign, and common lines
are preceded by a space.

Note: The only options supported are context and unified.

❐ profile_id specifies the profile’s unique identifier. You can display the list of
profile IDs available for comparison by entering the following command:
director (config) # remote-config diff unified profiles ?
first_profile_id second_profile_id
2003Nov05160651PST
2003Nov05160921PST
2003Nov05161008PST
2003Nov06113244PST

Following is a sample comparison:

--- /local/tmp/2003Nov05160921PST Fri Apr 16 07:48:55 2004


+++ /local/tmp/2003Nov05161008PST Fri Apr 16 07:48:56 2004
@@ -1,28 +1,10 @@
!
-!
+security management display-realm "Blackbird"
security management no auto-logout-timeout
!
-access-log ;mode
-edit log im ;mode
-client-type websense
-exit
-create log "testlog"
-edit log testlog ;mode
-client-type websense
-websense-client primary 10.24.35.46 55805
-websense-client alternate 10.25.36.47 55805
-exit
-exit
-!
-services ;mode
-telnet-console ;mode
-enable 23
+forwarding ;mode
+add 10.25.36.47 80 http default
exit
-exit
-!
!
!
!
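
Review bot: the unchanged context line "security management no auto-logout-timeout" near the top of the hunk appears in both profiles, so whichever one is executed turns off the management auto-logout timeout; consider setting a timeout in the profile before applying it. The second profile (the +++ side) has no "telnet-console ;mode" / "enable 23" lines, which removes the Telnet console on port 23 (Telnet carries credentials in cleartext), but it also has none of the "access-log ;mode" block, including the testlog log and its websense-client entries, so confirm that access logging is configured by another profile or overlay. The added "add 10.25.36.47 80 http default" line under "forwarding ;mode" introduces a forwarding host marked default; verify that address is the intended upstream before executing the profile.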

Chapter 6: Device Administration

This chapter discusses administration tasks you can perform using Director.
Topics include:
❐ Section A: "Administration Tasks" on page 182
❐ Section B: "Search" on page 185
❐ Section C: "Upgrading Device Licenses" on page 203
❐ Section D: "Configuring a Device from Director" on page 204

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.


Section A: Administration Tasks


This section discusses how to perform the following tasks on individual
devices, custom groups, or selected devices:
❐ Reconnect
❐ Reboot
❐ Clear the object cache
❐ Clear the DNS cache
❐ Clear the byte cache
Before you begin, make sure you perform all of the following:
❐ Add the devices to Director or register devices with Director
• Chapter 3: "Registering Devices"
• Chapter 4: "Adding and Connecting to Devices"
❐ Add devices to custom groups
Section A: "Setting Up and Managing Device Groups" on page 132
To perform these tasks, you must:
1. Select the devices.
"Selecting Devices to Administer"
2. Perform administration tasks on the selected devices.
"Performing Administration Tasks" on page 183

Selecting Devices to Administer


You can administer individual devices, selected devices, devices in custom
groups, and devices in Model or OS Version groups. You cannot perform these
tasks on devices in system groups.
Before you begin, make sure you perform all of the following:
❐ Add the devices to Director or register devices with Director
• Chapter 3: "Registering Devices"
• Chapter 4: "Adding and Connecting to Devices"
❐ Add devices to custom groups
Section A: "Setting Up and Managing Device Groups" on page 132

To select devices to administer:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, do any of the following:

• In the Devices pane, click the name of a device.


To select more than one device, hold down the Control key while clicking.
• In the Groups pane, do any of the following:
• Click the name of a custom group.
• Click the name of a Model group (for example, SG810-25).
• Click the name of an OS Version group (for example, SGOS 5.3 or SGOS
5.3.1.1).

Performing Administration Tasks


This section discusses how to perform the following tasks on selected devices:
reconnect; reboot; or clear the object, DNS, or byte cache.
The Administration Tasks section displays in the Description pane on the
Configure tab page, as shown in the following figure:

Before you begin, make sure you perform all of the following:
❐ Add the devices to Director or register devices with Director
• Chapter 3: "Registering Devices"
• Chapter 4: "Adding and Connecting to Devices"
❐ Add devices to custom groups
Section A: "Setting Up and Managing Device Groups" on page 132
❐ Select the devices to administer
"Selecting Devices to Administer" on page 182
Now see one of the following sections:
❐ "Reconnecting to Devices"
❐ "Rebooting Devices" on page 184
❐ "Clearing Devices’ DNS, Object, or Byte Cache" on page 184


Reconnecting to Devices
Use the following steps to reconnect to devices after a temporary network outage:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices to reconnect as discussed in
"Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click Reconnect
Device(s).

Rebooting Devices
Use the following steps to reboot devices:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices to reboot as discussed in
"Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click Reboot
Device(s).

You are required to confirm the action. A progress indicator displays while the
device is rebooted.

Clearing Devices’ DNS, Object, or Byte Cache


Use the following steps to clear the DNS, object, or byte cache on devices:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices whose cache you want to clear as discussed in
"Selecting Devices to Administer" on page 182.
4. In the Description pane, in the Administration Tasks section, click any of the
following:
• Clear Object Cache on Device(s)

• Clear DNS Cache on Device(s)

• Clear Byte Cache on Device(s)

You are required to confirm the action. A progress indicator displays while the
device is rebooted.


Section B: Search
The Director Management Console enables you to search for the names of
devices, custom groups, custom folders, profiles, overlays, jobs, URL lists, and
regular expression lists using either exact names or wildcards. Each
object found by the search is selected in the appropriate pane in the Management
Console window. If multiple results are found, you can choose which object to
select.
This section discusses the following topics:
❐ "About Searching"
❐ "Using Search" on page 189
❐ "Using Search Results" on page 199

About Searching
This section discusses the following topics:
❐ "Ways to Perform a Search"
❐ "Basic and Advanced Searches" on page 187

Ways to Perform a Search


You can perform a search by pressing Control+F or clicking Actions > Find on the
Monitor, Configure, Jobs, or Content tab pages.
The search tool displays at the top of the Management Console window as
follows:

Note: Pressing Control+F or clicking Actions > Find toggles the search tool on
and off. To close the search tool, press Control+F again, click Actions > Find
again, or click (close).

Searches are limited to objects on those tab pages as follows:


❐ On the Monitor tab page, you can search for the following objects:
• custom groups
• devices
❐ On the Configure tab page, you can search for the following objects:
• custom groups
• custom folders
• devices
• profiles
• overlays

❐ On the Jobs tab page, you can search for the following objects:
• custom folders
• config jobs
• content jobs
• other jobs (that is, jobs that are not classified as config or content; for
example, jobs you create from the command line without using the
commands-type parameter, or where commands-type is other)
❐ On the Content tab page, you can search for the following objects:
• custom groups
• custom folders
• devices
• URL lists
• regular expression lists
Furthermore, the objects are limited by what you select from the Show list in each
tab page (with the exception of the Monitor tab page, which has no Show list). The
following figure shows an example:

[Figure: the Show list, with a callout marking the available Show list object types.]


In the example, Profiles is selected from the Show list in the Configuration Library
section on the Configure tab page. This limits the search to devices, groups, or
profiles. In this example, you cannot search for overlays. To search for overlays
and profiles, select All from the Show list.

Basic and Advanced Searches


This section discusses the differences between basic and advanced searches.
When you press Control+F or click Actions > Find on any tab page in the Director
Management Console, the following options display at the top of the
Management Console window:

[Figure: the search tool, with callouts for Enter search term, Select objects, Perform search, and Advanced search.]

See one of the following sections:


❐ "Basic Search"
❐ "Advanced Search" on page 188

Basic Search
The preceding figure shows a basic search. The following rules apply to basic
searches:
❐ Always case-sensitive
❐ One object at a time
❐ One search term at a time
❐ With no wildcard, use substring matching
❐ Wildcards:
• The asterisk character (*) can be used as a multiple-character wildcard.
• The question mark character (?) can be used as a single-character
wildcard.
More information about basic searches, including examples, can be found in
"Using Search" on page 189.


Advanced Search
To perform an advanced search, press Control+F or click Actions > Find on any tab page
in the Director Management Console to display search options, then click More.
The following figure shows an example Find dialog box:

The following rules apply to advanced searches:


❐ You can choose case-sensitive or case-insensitive searches.
❐ You can search multiple objects at a time.
❐ You can search for one term at a time.
❐ Wildcards:
• The asterisk character (*) can be used as a multiple-character wildcard.
• The question mark character (?) can be used as a single-character
wildcard.
More information about advanced searches, including examples, can be found
in "Using Search" on page 189.


Using Search
This section discusses how to search for groups, devices, profiles, overlays, jobs,
URL lists, and regular expression lists in the Director Management Console. For
background information, see "About Searching" on page 185.
This section discusses the following topics:
❐ "Searching for Devices and Groups"
❐ "Searching for Profiles and Overlays" on page 191
❐ "Searching for Config and Content Jobs" on page 194
❐ "Searching for URL Lists and Regular Expression Lists" on page 197

Searching for Devices and Groups


This section discusses how to search for devices and groups. You can search for
devices and groups on the Monitor, Configure, and Content tab pages in the
Director Management Console.

To search for devices and groups:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor, Configure, or Content tab.
3. If the search tool does not display at the top of the Management Console
window, press Control+F (find).
The search tool displays as follows:

4. To search for devices, in the Groups pane, click System Groups > All.
Your search for devices will produce no results unless you click the All group.
5. Do any of the following:
• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
Item          Description

Find field    Enter the name or the ID of a group or device in the field,
              using the asterisk (*) character as a wildcard. This search
              is case-sensitive.
              Examples:
              • To search for a group that begins with Dev, enter
                either Dev or Dev*.
              • To search for a group that contains Dev, enter *Dev*.

Object list   From the list, click Groups or Devices.
              Note: Model group names are case-sensitive.

b. Click (Go).
c. To use search results, see "Using Search Results" on page 199.

7. Perform an advanced search:


a. In the search tool at the top of the Management Console window, click
More.

The Find dialog box displays.

Note: The Find dialog box displays different object types, depending on which
tab page you select and which objects are visible. For example, if you click the
Configure tab page and click All from the Show list in the Configuration Library
section, the Find dialog box has check boxes for Folders, Profiles, Overlays
object types as well.


b. Enter the following information:


Item                       Description

Find field                 Enter the name or the ID of a group or device in
                           the field, using the asterisk (*) character as a
                           wildcard.
                           Examples:
                           • To search for a group that begins with Dev,
                             enter either Dev or Dev*.
                           • To search for a group that contains Dev, enter
                             *Dev*.

Case Sensitive check box   To perform a case-sensitive search, select the check
                           box.
                           To perform a case-insensitive search, clear the
                           check box.
                           Note: Model group names are case-sensitive.

Type section               Select the check box corresponding to each object
                           type to search.

Organize button            Click at least two search results to create a
                           container in which to store them. For example,
                           click two or more devices and click Organize to
                           create a custom group in which to store the
                           devices.

Clear Results button       Click to clear any previous search results.

c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Searching for Profiles and Overlays


This section discusses how to search for profiles and overlays. You can search for
profiles and overlays on the Configure tab page in the Director Management
Console.

To search for profiles and overlays:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section, from the Show list, click Profiles, Overlays,
or All.
This selection determines the scope of a basic search.


4. If the search tool does not display at the top of the Management Console
window, press Control+F (Find).
The search tool displays as follows:

5. Do any of the following:


• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
Item          Description

Find field    Enter the name or the ID of a profile or overlay in the
              field, using the asterisk (*) character as a wildcard. This
              search is case-sensitive.
              Examples:
              • To search for a profile that begins with Proxy, enter
                either Proxy or Proxy*.
              • To search for a profile that contains proxy, enter
                *proxy*.

Object list   From the list, click Profiles or Overlays.
              If the desired option does not display, try the following:
              • Make sure you clicked the correct tab page and that you
                selected the correct object type to start your search.
              • Make sure you created at least one object of the type for
                which you are searching and repeat step 3.

b. Click (Go).

c. To use search results, see "Using Search Results" on page 199.


7. Perform an advanced search:


a. In the search tool at the top of the Management Console window, click
More.

The Find dialog box displays.

b. Enter the following information:


Item                       Description

Find field                 Enter the name or the ID of a profile or overlay in
                           the field, using the asterisk (*) character as a
                           wildcard.
                           Examples:
                           • To search for a profile that begins with Proxy,
                             enter Proxy*.
                           • To search for a profile that contains proxy,
                             enter *proxy*.

Case Sensitive check box   To perform a case-sensitive search, select the check
                           box.
                           To perform a case-insensitive search, clear the check
                           box.

Type section               Select the check box corresponding to each object
                           type to search.

Clear Results button       Click to clear any previous search results.

c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Searching for Config and Content Jobs


This section discusses how to search for configuration jobs and content jobs. You
can search for jobs on the Jobs tab page in the Director Management Console.

To search for jobs:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. In the Job Library section, from the Show list, click Config Jobs, Content Jobs, or
All.

This selection determines the scope of a basic search.


4. If the search tool does not display at the top of the Management Console
window, press Control+F (Find).
The search tool displays as follows:

5. Do any of the following:


• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.


6. Perform a basic search:


a. Enter the following information:
Item          Description

Find field    Enter the name or the ID of a job in the field, using the
              asterisk (*) character as a wildcard. This search is
              case-sensitive.
              Examples:
              • To search for a job that begins with Backup, enter
                Backup*.
              • To search for a job that contains CEO, enter *CEO*.

Object list   From the list, click Config Jobs, Content Jobs, or Other Jobs.
              If the desired option does not display, make sure you have
              created at least one object of that type and repeat step 3.

b. Click (Go).

c. To use search results, see "Using Search Results" on page 199.


7. Perform an advanced search:


a. In the search tool at the top of the Management Console window, click
More.

The Find dialog box displays.

b. Enter the following information:


Item                       Description

Find field                 Enter the name or the ID of a job in the field,
                           using the asterisk (*) character as a wildcard.
                           This search is case-sensitive.
                           Examples:
                           • To search for a job that begins with Backup,
                             enter Backup*.
                           • To search for a job that contains CEO, enter
                             *CEO*.

Case Sensitive check box   To perform a case-sensitive search, select the
                           check box.
                           To perform a case-insensitive search, clear the
                           check box.

Type section               Select the check box corresponding to each object
                           type to search.

Clear Results button       Click to clear any previous search results.

c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Searching for URL Lists and Regular Expression Lists


This section discusses how to search for URL lists and regular expression lists.
You can search for these lists on the Content tab page in the Director Management
Console.

To search for URL lists and regular expression lists:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. In the Content Collections section, from the Show list, click Url Lists, Regex Lists,
or All.
This selection determines the scope of a basic search.
4. If the search tool does not display at the top of the Management Console
window, press Control+F (Find).
The search tool displays as follows:

5. Do any of the following:


• To perform a basic search, see step 6.
• To perform an advanced search, see step 7.
6. Perform a basic search:
a. Enter the following information:
Item          Description

Find field    Enter the name or the ID of a URL list or regular expression
              list in the field, using the asterisk (*) character as a
              wildcard. This search is case-sensitive.
              Examples:
              • To search for a list that begins with Content, enter
                Content*.
              • To search for a list that contains CEO, enter *CEO*.

Object list   From the list, click Url Lists or Regex Lists.
              If the desired option does not display, make sure you have
              created at least one object of that type and repeat step 3.

b. Click (Go).

c. To use search results, see "Using Search Results" on page 199.


7. Perform an advanced search:
a. In the search tool at the top of the Management Console window, click
More.

The Find dialog box displays.


b. Enter the following information:


Item                       Description

Find field                 Enter the name or the ID of a URL list or regular
                           expression list in the field, using the asterisk
                           (*) character as a wildcard. This search is
                           case-sensitive.
                           Examples:
                           • To search for a list that begins with Backup,
                             enter Backup*.
                           • To search for a list that contains CEO, enter
                             *CEO*.

Case Sensitive check box   To perform a case-sensitive search, select the
                           check box.
                           To perform a case-insensitive search, clear the
                           check box.

Type section               Select the check box corresponding to each object
                           type to search.

Clear Results button       Click to clear any previous search results.

c. Click Go.
d. To use search results, see "Using Search Results" on page 199.

Using Search Results


This section discusses how to use the results of a search you performed in the
Director Management Console. Before continuing, make sure you have reviewed
the following information:
❐ "About Searching" on page 185
❐ "Using Search" on page 189
This section discusses the following topics:
❐ "Using Results from a Basic Search"
❐ "Using Results from an Advanced Search" on page 201


Using Results from a Basic Search


The results from a basic search display in the search tool at the top of the
Management Console window.
An example follows:

In the preceding example, a search for all groups that begin with Dev returned
three results.
If a search returns one or more results, the first matching object is selected in the
Management Console. In the example, the first group that begins with Dev is
selected in the Groups pane on the Configure tab page.
In the search tool, click the following buttons to select the next or previous object
returned by the search:
[Buttons: Previous search result, Next search result.]

The following figure shows an example:


Using Results from an Advanced Search


You use the results from an advanced search in almost the same way as the results
from a basic search; however, because different types of objects can be returned,
the results are displayed differently.
The results from an advanced search display in the Find dialog box. An example
follows:

The example shows a search for groups, devices, and profiles that begin with Dev.
Search results consist of four groups and one profile.
You have the following options:
❐ Select a search result in the Management Console: Click OK and the object is
selected in the Management Console.
This is useful if you want to perform an action on that object; for example, to
rename a group, click the name of a group and click OK. The group is selected
in the Management Console. Right-click the name of the group, click Edit, and
rename the group.
❐ Organize the objects in a new custom folder:
a. Click two or more search results of the same object type (for example,
two or more devices, two or more groups, and so on). Hold down the
Shift or Control key while clicking to select multiple objects.


b. Click Organize.
The Add New Folder dialog box displays.
c. Enter a folder name and a unique ID for the folder and click OK.
The selected objects are copied to the folder you created.


Section C: Upgrading Device Licenses


This section discusses how to upgrade the license on one or more devices using
the Director Management Console. Before performing a license upgrade, you
must have the appropriate licensing for the devices you wish to upgrade.
Consult your Blue Coat representative for more information about purchasing
licenses.

To upgrade device licenses:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, select the devices whose licenses you wish to
upgrade as follows:
• Click the name of a group in the Groups pane.
• Click the name of a device in the Devices pane.
Note: To select more than one group or device, hold down the Control
key while clicking.
4. Right-click any previously selected device.
5. From the pop-up menu, click Upgrade License.
6. When prompted, enter a user name and password.
Note: The user name and password you enter are not validated.
Depending on whether or not you have previously upgraded any device
licenses, you are prompted to use an existing BlueTouch account or to enter
a BlueTouch user name or password.
Messages display to indicate whether or not the upgrades were successful.

Related CLI Syntax for License Upgrade


director (config)# remote-config license-key update {addr-device
ip_address_or_hostname | all | device device_id | group group_id |
model model | os-version sgos_version} [errors-only | username
web_power_username password web_power_password]


Section D: Configuring a Device from Director


You can use Director as an alternative to the SGOS Management Console,
allowing you to make configuration changes to one or more appliances
(sequentially, not simultaneously). To make simultaneous configuration
changes to devices, use profiles and overlays as discussed earlier in this
chapter.
All the commands executed in the Manage Device window refer to the
ProxySG appliance. You cannot use Director’s content or configuration
management commands in the Manage Device window.
If you change the version of the device due to an upgrade or downgrade,
reconnect to the device before attempting any subsequent operations with
Director. You must also close the Manage Device window and restart it.
You can change the user names when configuring the device, but you must
reconnect to the device using the new credentials.

To configure a device from Director:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. Right-click the device you want to configure.
4. From the pop-up menu, click Configure.


The device’s Management Console displays similarly to the following:

5. Make the desired changes in the Management Console.


Note: Make sure to click Apply before leaving a tab page, or the changes are
not committed.
6. When you are finished making changes, close the Manage Device window.

Chapter 7: Managing Content Collections

This chapter discusses general information about content distribution and how
to perform the following tasks:
❐ Create URL lists and regular expression lists
❐ Schedule content actions using URL lists and regular expression lists
immediately, or at a future day of the week and time of day
❐ Query a ProxySG’s object cache to determine if URLs are pre-populated
This chapter discusses the following topics:
❐ "About Content Distribution"
❐ "Managing Folders for Content Collections" on page 211
❐ "Creating and Distributing URL Lists" on page 215
❐ "Creating and Distributing Regular Expression Lists" on page 221
❐ "Querying URLs" on page 226

About Content Distribution


Content distribution is the means by which you can pre-populate a ProxySG’s
object cache with particular URLs. This reduces bandwidth usage during peak
hours because when users request the content during the next business day, the
content is already cached.
Director enables you to pre-populate the object cache with particular URLs
only. The object cache contains objects that are indexed by name (that is, file
name or URL). The object cache is available for specific protocols (such as
HTTP, HTTPS, FTP, CIFS, and some streaming protocols).


Note:
• ProxySGs do not spider a Web site to pre-populate all its contents. To
do that, you can use the Content Sync Module, which is discussed in
the Blue Coat Director Content Sync Module Guide.
• For a variety of reasons, certain content is not object-cacheable. For
example, Web pages that include the meta tag
<META HTTP-EQUIV="Pragma" CONTENT="no-cache"> are not cacheable. Also,
dynamically generated content might not be cacheable.
Before populating or revalidating content, verify the content is
cacheable because the content operations take time to complete and
consume CPU resources while they are executing.
However, content that is not object-cacheable is byte cached, provided
any of the following is true:
• If there is an explicit ADN route for the origin server subnet
advertised by some other ProxySG appliance in the network.
• If there is a ProxySG in the network in the path between the branch
ProxySG and the origin server, and that ProxySG is set for
transparent tunnels.
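
The following is an added example, not Blue Coat code: a pre-check that scans already-fetched pages for the Pragma no-cache meta tag named in the preceding note and splits a URL list into URLs worth pre-populating and URLs to leave out. The URLs, page bodies, and function names are constructed for illustration.

```python
"""Pre-check for a URL list: leave out pages that opt out of caching.

Added example, not Blue Coat code. It looks only for the meta tag this
section names; it does not model every reason a ProxySG might decline
to cache an object.
"""
from html.parser import HTMLParser


class _PragmaNoCacheFinder(HTMLParser):
    """Sets .no_cache when a Pragma no-cache meta tag is parsed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.no_cache = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        http_equiv = attr.get("http-equiv", "").strip().lower()
        directives = [d.strip().lower() for d in attr.get("content", "").split(",")]
        if http_equiv == "pragma" and "no-cache" in directives:
            self.no_cache = True


def has_pragma_no_cache(html: str) -> bool:
    """True only for a real meta tag, not for the words appearing in text or comments."""
    finder = _PragmaNoCacheFinder()
    finder.feed(html)
    finder.close()
    return finder.no_cache


def split_url_list(fetched):
    """fetched: iterable of (url, content_type, body). Returns (populate, skip)."""
    populate, skip = [], []
    for url, content_type, body in fetched:
        is_html = content_type.split(";")[0].strip().lower() == "text/html"
        if is_html and has_pragma_no_cache(body):
            skip.append(url)
        else:
            populate.append(url)
    return populate, skip


# Constructed sample input: (URL, Content-Type, body) as a prior fetch would return them.
SAMPLE = [
    ("http://intranet.example.com/ceo/message.html", "text/html; charset=utf-8",
     "<html><head><title>CEO message</title></head><body>Video</body></html>"),
    ("http://intranet.example.com/hr/status.html", "text/html",
     '<html><head><META HTTP-EQUIV="Pragma" CONTENT="no-cache"></head></html>'),
    # Mentions the tag in a comment and in text only: must not be skipped.
    ("http://intranet.example.com/docs/howto.html", "text/html",
     "<html><body><!-- <meta http-equiv='Pragma' content='no-cache'> -->"
     "<p>Add Pragma no-cache to disable caching.</p></body></html>"),
    ("http://intranet.example.com/files/handbook.pdf", "application/pdf", ""),
    # Attribute order, quoting, and case differ from the form shown above.
    ("http://intranet.example.com/news/today.html", "text/html",
     "<html><head><meta content='no-cache' http-equiv='pragma' /></head></html>"),
]

if __name__ == "__main__":
    populate, skip = split_url_list(SAMPLE)
    print("populate:", *populate, sep="\n  ")
    print("skip:", *skip, sep="\n  ")
```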

See one of the following sections for more information about content distribution:
❐ "Managing Folders for Content Collections"
❐ "Creating and Distributing URL Lists" on page 215
❐ "Creating and Distributing Regular Expression Lists" on page 221
❐ "Querying URLs" on page 226


Content Distribution Use Case


It is common that an enterprise employee, such as an IT administrator, is tasked with
pushing content to one or more proxies on the network. Pre-population usually
occurs during off-peak hours to avoid clogging bandwidth pipes. Examples of
mass-distributed content might be a video message from the CEO and large
information files, such as a PDF.
The IT administrator creates a URL list that contains the content URLs and stores
the list file locally. Blue Coat Director allows you to either instantly push the URL
list to target ProxySG appliances or schedule a day and time when the push
occurs.

Legend
1: The IT admin creates a list of URLs to content objects and stores it on an internal Web
server that is accessible by Director.
2: The IT admin uses Director to create a new content job that calls the list stored on the
Web server. The IT admin also creates a job schedule that populates ProxySGs’ object
caches at 12:01 am.
3: At 12:01 am, the ProxySG appliances at headquarters and the branch office receive the
content URLs and request the content from the Web server.
4: The Web server sends the content to the ProxySG appliances, which cache the objects.
5: The next morning, the company’s users access the content locally from their respective

Figure 7–1 Pre-populating process flow.


Tip: Because content collections can have a large number of URLs or regular
expression lists, verifying that content was pushed successfully can be difficult. If
you distribute content using a content job, Director reports only that the job
executed successfully. The device might report that the content request was
received but not that the content was cached on the device successfully.
To verify that a content job distributed its content, Blue Coat recommends that
you do any of the following after verifying the job completed successfully:
❐ Query the entire content collection to make sure all content was distributed
correctly.

❐ If you distribute a large amount of content, query a subset of the content
collection, which saves time but is also effective in determining whether or not
the content was distributed correctly.

Details of URL Distribution


Director can process up to 500,000 URLs (except with older ProxySG models such
as the SG200), subject to the limitations discussed in this section. This number is
derived by considering the number of devices and the url-list:
Maximum number of URLs supported = m x n
In the preceding equation, m is the number of devices and n is the number of URLs
in the url-list. For example, if there are 16 devices, the url-list cannot contain
more than 31,250 URLs (16 devices * 31250 URLs = 500000 URLs). The url-list
can contain more URLs if there are fewer devices, and vice versa.
Using 500,000 URLs is subject to the following limitations:
❐ Group URLs by size (for example, group URLs that download content of less
than 1MB separately from URLs that download 10MB of content or more).
Lists of smaller URLs distribute in a shorter time than lists of longer URLs.
❐ To use 500,000 URLs in a content job, Blue Coat recommends changing the
defaults to execute one batch of 50 commands every 3 seconds.
Defaults for the Director 510 follow:
❐ Outstanding commands timeout: 10,800 seconds (that is, three hours)
❐ Completed commands timeout: 3,600 seconds (that is, one hour)
❐ Number of commands in a batch: 25
❐ Length of time between batches of commands: 10 seconds
Use the enable mode command content options throttle delay to manipulate
the number of content commands that complete per unit time.
A summary of command options follows:
director (config)# content options throttle delay delay_sec num-commands integer
where delay_sec is the number of seconds to delay between sending batches of
content, and integer is the number of content commands to send in one batch.
Note: Older ProxySG models (such as the SG200) might not function properly if
the throttle options are changed from their defaults (25 commands every
10 seconds). Because these older models have slower processors and smaller
amounts of RAM, you should expect to process a maximum of 400,000 URLs
using the formula shown at the beginning of this section.

To view the current settings using the Management Console:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. At the bottom of the Content tab page, click Show Throttle Settings.

The current settings display in a dialog box.

Commands to Change Throttle Settings


director (config)# content options {throttle delay delay_sec
num-commands integer | timeout {completed-cmds seconds |
outstanding-cmds seconds}}

Managing Folders for Content Collections


This section discusses how to create folders in which to organize content
collections (that is, regular expression lists and URL lists). Creating folders is
recommended in large deployments where you might want to organize content
collections by device location, function, or other criteria.
Following is general information about creating folders:
❐ There are two types of folders: System and Custom
❐ System folders are divided into two subfolders that cannot be changed: All
and Unassigned
❐ All content collections belong to the All system folder, even those that have
been added to custom folders.
❐ Content collections that have not been added to a custom folder belong to the
Unassigned system folder
❐ You can create content collection folders only under Custom Folders
❐ You can nest custom folders

This section discusses the following topics:


❐ "Creating or Editing Folders"
❐ "Deleting Folders" on page 213
❐ "Removing or Copying Content Collections In Folders" on page 214

Creating or Editing Folders


This section discusses how to create or edit content collection folders and
subfolders.

To create or edit content collection folders and subfolders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. Right-click Custom Folders.
4. From the pop-up menu, click one of the following:
• To create a new folder, click New > New Folder.
• To edit an existing folder, click Edit.
The following figure shows an example of adding a new folder:

Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Table 7–1 Adding or editing a folder

Field         Description
Folder Name   Enter a name to identify the folder.
Folder ID     Enter a unique identifier for the folder. You use the
              folder ID, for example, to configure the folder using
              the command line.
Description   Enter an optional description of the folder.

6. Click OK.
7. To create an additional folder, do any of the following:
• Top-level folder. Repeat steps 1 through 6 to create a new top-level
folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop regular expression lists or URL
lists into the desired folders as follows:
a. From the Show list in the Content collections section on the Content tab
page, click the object to put in a folder.
For example, to put a URL list in a folder, from the Show list on the Content
tab page, click Url Lists or All.
b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a URL list or regular expression list to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a top-
level folder by dragging it under Custom Folders.

Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders of
the folder. Any content collections contained in those folders and subfolders are
moved to the Unassigned folder; the content collections themselves are not
deleted.

To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. Optional. To display content collections before you delete their containing
folders, on the Content tab page, in the Content collections section, from the
Show list, click Regex Lists, Url Lists, or All.

4. Right-click the name of the folder to delete.

5. From the pop-up menu, click Delete.


You are required to confirm the action. After deleting the folder, any content
collections contained in the folder or subfolders move to the Unassigned
system folder.

Removing or Copying Content Collections In Folders


This section discusses how to perform the following tasks for content collections
stored in folders:
❐ Remove a content collection from a custom folder and put it in the
Unassigned folder, without deleting the folder.
❐ Remove a content collection from the Unassigned system folder and put it in a
custom folder.
❐ Copy a content collection from one folder to another folder.

To remove or copy content collections in folders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. To display content collections before you remove or copy them, on the
Content tab page, in the Content collections section, from the Show list, click
All.

4. Do any of the following:


• To remove the content collection from the custom folder it is in now and
move it to the Unassigned system folder, right-click on the content
collection and, from the pop-up menu, click Remove. You are required to
confirm the action.
• To move a content collection from the Unassigned system folder to a
custom folder, click the content collection and drag it to the desired
custom folder.
• To copy a content collection to another custom folder, click the content
collection and drag it to the desired custom folder.

Related Commands
First, enter the following command to enter folder submode:
(config) # folder folder_id
This command changes the prompt to the following:
director (config folder folder_id) #
Then enter the following commands:
director (config folder folder_id) # overlay overlay_id
director (config folder folder_id) # parent folder_id
director (config folder folder_id) # profile profile_id
director (config folder folder_id) # regex-list list_id
director (config folder folder_id) # url-list list_id

Creating and Distributing URL Lists


This section discusses how to create valid URL lists to use to pre-populate
devices’ object caches and how to distribute the content.
This section discusses the following topics:
❐ "Creating a URL List Object"
❐ "Distributing, Revalidating, Deleting, or Prioritizing a URL List" on page 217

Creating a URL List Object


This section discusses how to create a URL List object, which can be used to
perform content actions on devices managed by this Director. Content actions that
can be performed using a URL List object include:
❐ Distributing URLs to the object cache of one or more devices
❐ Deleting URLs from the object cache of one or more devices
❐ Revalidating URLs in the object cache of one or more devices
❐ Prioritizing URLs in the object cache of one or more devices

To create a URL list object:


1. Create a URL list in a plain text or HTML file, with only one URL per line. For
example:
https://www.example.com/IT/content/CEOvideo0707.qt
https://www.example.com/IT/content/07annualreport.pdf
mms://www.example.com/mediafiles/AllHands.asf
mms://www.example.com/mediafiles/bond.wmv
rtsp://www.example.com/mediafiles/28k_av.rm
rtsp://www.example.com/mediafiles/TrainingVideo.rm

Note: Every URL must start with the protocol (also referred to as the scheme);
for example, http://. URLs that start with www. or a similar prefix are not valid
and will result in job execution failure.

2. You have the following options:


• To import the URL list to Director, save the text file on a computer that is
accessible by the Director Management Console.
• To upload the URL list to a remote Web server, make sure the Web server is
accessible by Director. The location cannot use authentication. Upload the
file using FTP or any other supported protocol.
3. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
4. Click the Content tab.
5. In the Content collections section, from the Show list, click Url Lists.
6. If necessary, create a folder in which to store the URL list as discussed in
"Creating or Editing Folders" on page 212.
7. Right-click the folder in which to store the URL list.
8. From the pop-up menu, click New > New Content List > Url List.
The Create URL List dialog box displays.

9. Enter the following information:


Item                     Description
URL List Name field      Enter a name to identify the URL list object.
URL List ID field        Enter a unique identifier. The URL List ID can be
                         a maximum of 250 characters and cannot include
                         the following characters: {, }, <, >, (, ), #, or $.
Description field        Enter an optional description.
Import from local file   Click this option to import the URL list from a
                         text file accessible from this computer. Click
                         Browse to locate the file.
Import from URL          Click this option to import the URL list from a
                         text file stored on a Web server that Director can
                         access.
Other options            If you are updating an existing URL list object,
                         click any of the following:
                         • Append imported entries to list: The lists
                           from the file or HTML are added to the
                           existing URL list.
                         • Replace list with imported entries: The lists
                           from the file or HTML replace the existing
                           URL list.

10. Click Import.


Director performs validation on the list, after which the imported URLs
display in the right pane. An error displays if the URLs are not valid. (A
common error is more than one URL per line.)
You can optionally edit the URL list in the right pane to fix errors, add URLs,
or remove URLs.

11. Click OK.


The Content collections pane on the Content tab page displays the new object.

Distributing, Revalidating, Deleting, or Prioritizing a URL List


This section discusses how to perform the following tasks to individual devices,
selected devices, or to all devices in a custom group, Model group, or OS Version
group:
❐ Distribute URLs in a URL list.
❐ Delete from the object cache URLs in a URL list.
❐ Revalidate URLs in a URL list.
Revalidation compares each URL in the list in the device’s object cache to the
content in the source server. If the content on the source server is newer, the
content is updated in the object cache; otherwise, no change is made to the
object cache.

❐ Prioritize URLs in a URL list.
Prioritization determines the relative order in which content is deleted from a
full object cache to make room for new content. In other words, when the object
cache is full, this setting determines the relative order in which existing
content is deleted. Priority levels are from 0 (lowest) to 7 (highest), with 4 as
the default. Lower priority content is deleted before higher priority content.
Content distribute, revalidate, delete, and prioritize actions can be configured to
run as follows:
❐ Immediately but not as a job
❐ As a job (which enables you to track execution) that executes:
• Immediately
• One time in the future
To schedule the job to run more than one time in the future or at scheduled
intervals, see "Content Job Action Details" on page 262 instead.

To distribute a URL list immediately:


1. Create the URL list object as discussed in "Creating and Distributing URL
Lists" on page 215.
2. Select devices to which to distribute the URL list:
• In the Groups pane, click the name of a group.
• In the Devices pane, click the name of one or more devices. (To select more
than one device, hold down the Control key while clicking.)
3. Click Apply.

The Perform URL List Action dialog box displays.

4. From the Action list, click any of the following:


• Distribute URL(s)

• Revalidate URL(s)

• Delete URL(s)

• Prioritize URL(s)

Priority levels range from 0 (lowest) to 7 (highest). Prioritization does the
following:
• Pre-populates important content first so devices cache high priority
content before lower priority content.
• In the event devices purge their object cache, makes sure that higher
priority content is purged after lower priority content. A device purges
its object cache for a variety of reasons, including low available disk
space.
5. Do any of the following:
• Click Apply content as an immediate action to push the list without job
tracking.
Choose this option if your user account does not have permissions to
create jobs or if you do not need job tracking.
• Click Apply content as a job to enable job tracking.
• In the Job Name and Job ID fields, accept the defaults or enter other
values.
By default, the job name and job ID are both set to a time and date
stamp in the format: YYYYMMDDHHMMSS. You can change any value you
wish. The job ID can be a maximum of 250 characters in length and
cannot include the following characters: {, }, <, >, (, ), #, or $.
• Select Execute now for an immediate push or use the month, day, year,
hour, minute, and am/pm lists to schedule a time to push the lists.
6. Click OK.
Tip: Because content collections can have a large number of URLs or regular
expression lists, verifying that content was pushed successfully can be difficult. If
you distribute content using a content job, Director reports only that the job
executed successfully. The device might report that the content request was
received but not that the content was cached on the device successfully.
Blue Coat recommends that, to verify that the content job distributed the content
successfully, you do any of the following after verifying that the job executed
successfully:
❐ Query the entire content collection to make sure all content was distributed
correctly.
❐ If you distribute a large amount of content, query a subset of the content
collection, which saves time but is also effective in determining whether or not
the content was distributed correctly.
For more information, see one of the following sections:

❐ Section D: "Verifying Jobs" on page 280 in Chapter 8: "Creating, Scheduling,
and Managing Jobs"
❐ "Querying URLs" on page 226

Related Command
director # content url-list url_list_id input

Creating and Distributing Regular Expression Lists


This section discusses how to create valid regular expression lists to use to
revalidate or delete content in devices’ object caches.
This section discusses the following topics:
❐ "Creating a Regex List Object"
❐ "Revalidating, Deleting, or Prioritizing a Regex List" on page 223

Creating a Regex List Object


Director supports Perl-compliant regular expressions. For more information, see a
regular expression resource.
This section discusses how to create a URL Regex List object (hereafter referred to
as a Regex List object), which can be used to perform content actions on devices
managed by this Director. Content actions that can be performed using a Regex
List object include:
❐ Deleting URLs from the object cache of one or more devices
❐ Revalidating URLs in the object cache of one or more devices
❐ Prioritizing URLs in the object cache of one or more devices

To create a regular expression list object:


1. Create a regular expression list in a plain text or HTML file, with only one
regular expression per line. For example:
https://www.example.com/IT/.*\.jpg$
https://www.example.com/IT/content/rp&rf&me&ts
mms://www.example.com/mediafiles/.*\.rm$
rtsp://www.example.com/mediafiles/a+.rm

Note: Every regular expression must start with the protocol (also referred to as
the scheme); for example, http://. Regular expressions that start with www. or a
similar prefix are not valid and will result in job execution failure.

2. You have the following options:


• To import the regular expression list to Director, save the text file on a
computer that is accessible by the Director Management Console.
• To upload the regular expression list to a remote Web server, make sure
the Web server is accessible by Director. The location cannot use
authentication. Upload the file using FTP or any other supported protocol.

3. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
4. Click the Content tab.
5. In the Content collections section, from the Show list, click Regex Lists.
6. If necessary, create a folder in which to store the regular expression list as
discussed in "Creating or Editing Folders" on page 212.
7. Right-click the folder in which to store the regular expression list.
8. From the pop-up menu, click New > New Content List > Regex List.
The Create Regex List dialog box displays.

9. Enter the following information:


Item                     Description
Regex List Name field    Enter a name to identify the regular expression
                         list object.
Regex List ID field      Enter a unique identifier. The Regex List ID can
                         be a maximum of 250 characters and cannot
                         include the following characters: {, }, <, >, (, ),
                         #, or $.
Description field        Enter an optional description.
Import from local file   Click this option to import the regular
                         expression list from a text file accessible from
                         this computer. Click Browse to locate the file.
Import from URL          Click this option to import the regular
                         expression list from a text file stored on a Web
                         server that Director can access.
Other options            If you are updating an existing regular
                         expression list object, click any of the following:
                         • Append imported entries to list: The lists
                           from the file or HTML are added to the
                           existing regular expression list.
                         • Replace list with imported entries: The lists
                           from the file or HTML replace the existing
                           regular expression list.

10. Click Import.


Director performs validation on the list, after which the imported regular
expressions display in the right pane. An error displays if the regular
expressions are not valid. (A common error is more than one regular
expression per line.)
You can optionally edit the regular expression list in the right pane to fix
errors, add regular expressions, or remove regular expressions.
11. Click OK.
The Content collections pane on the Content tab page displays the new object.
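
The file rules in "Creating a URL List Object" and "Creating a Regex List Object" (one entry per line, every entry starts with a protocol, ID length and character limits) and the devices x URLs ceiling from "Details of URL Distribution" can be checked before a list is imported. The following is an added example, not part of this guide or of Director; the function names are hypothetical, and Python's re module is assumed as a stand-in for Director's regular expression engine.

```python
import re

# Limits taken from the guide. Assumption: Python's re stands in for Director's
# regular expression engine, so a clean compile here is only a first pass.
FORBIDDEN_ID_CHARS = set("{}<>()#$")    # not allowed in list IDs
MAX_ID_LEN = 250                        # maximum list ID length
MAX_TOTAL_URLS = 500_000                # ceiling for devices x URLs per list
SCHEME = r"[A-Za-z][A-Za-z0-9+.-]*://"  # http://, https://, mms://, rtsp://
STARTS_WITH_SCHEME = re.compile("^" + SCHEME)
SECOND_ENTRY = re.compile(r"\s+" + SCHEME)  # whitespace, then another entry


def check_list_id(list_id):
    """Return the problems found in a URL List ID or Regex List ID."""
    problems = []
    if not list_id:
        problems.append("ID is empty")
    if len(list_id) > MAX_ID_LEN:
        problems.append(f"ID has {len(list_id)} characters; maximum is {MAX_ID_LEN}")
    bad = sorted(FORBIDDEN_ID_CHARS.intersection(list_id))
    if bad:
        problems.append("ID contains disallowed characters: " + " ".join(bad))
    return problems


def max_urls_per_list(devices):
    """Largest url-list size n for which devices x n stays within 500,000."""
    if devices < 1:
        raise ValueError("devices must be at least 1")
    return MAX_TOTAL_URLS // devices


def regex_problem(pattern):
    """Return why a pattern fails to compile, or None when it compiles."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return f"regular expression does not compile: {exc}"
    return None


def lint_entries(text, kind="url"):
    """Check each non-blank line; return (accepted, [(line_number, reason)])."""
    if kind not in ("url", "regex"):
        raise ValueError("kind must be 'url' or 'regex'")
    accepted, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        reason = None
        if not STARTS_WITH_SCHEME.match(line):
            reason = "does not start with a protocol such as http://"
        elif SECOND_ENTRY.search(line):
            reason = "more than one entry on the line"
        elif kind == "url" and re.search(r"\s", line):
            reason = "URL contains whitespace"
        elif kind == "regex":
            reason = regex_problem(line)
        if reason:
            errors.append((lineno, reason))
        else:
            accepted.append(line)
    return accepted, errors


def lint_list(list_id, text, kind="url", devices=1):
    """Lint the ID, the entries and, for URL lists, the devices x URLs ceiling."""
    accepted, errors = lint_entries(text, kind)
    problems = check_list_id(list_id)
    limit = max_urls_per_list(devices)
    if kind == "url" and len(accepted) > limit:
        problems.append(f"{len(accepted)} URLs exceed the {limit} allowed for {devices} devices")
    return {"accepted": accepted, "errors": errors, "problems": problems,
            "ok": not errors and not problems}


# Constructed sample: line 3 lacks a protocol, line 5 holds two URLs.
SAMPLE_URL_LIST = """https://www.example.com/IT/content/CEOvideo0707.qt
mms://www.example.com/mediafiles/AllHands.asf
www.example.com/IT/content/07annualreport.pdf
rtsp://www.example.com/mediafiles/28k_av.rm
https://www.example.com/a.pdf https://www.example.com/b.pdf
"""

# Constructed sample: line 3 has an unclosed group, line 4 lacks a protocol.
SAMPLE_REGEX_LIST = r"""https://www.example.com/IT/.*\.jpg$
mms://www.example.com/mediafiles/.*\.rm$
rtsp://www.example.com/mediafiles/(a+.rm
.*\.jpg$
"""

if __name__ == "__main__":
    for kind, sample in (("url", SAMPLE_URL_LIST), ("regex", SAMPLE_REGEX_LIST)):
        report = lint_list("it-content-2009", sample, kind=kind, devices=16)
        print(kind, "ok" if report["ok"] else "rejected")
        for lineno, reason in report["errors"]:
            print(f"  line {lineno}: {reason}")
```

Director still performs its own validation on import; this check only catches the listed mistakes earlier, before a job fails.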

Revalidating, Deleting, or Prioritizing a Regex List


This section discusses how to perform the following tasks to individual devices,
selected devices, or to all devices in a custom group, Model group, or OS Version
group:
❐ Delete from the object cache URLs that match a regular expression list.
❐ Revalidate URLs that match a regular expression list.
Revalidation compares each URL in the list in the device’s object cache to the
content in the source server. If the content on the source server is newer, the
content is updated in the object cache; otherwise, no change is made to the
object cache.
❐ Prioritize regular expressions in a regular expression list.
Updates the priority setting of objects in the object cache; objects that match
the regular expression only are updated. The priority setting determines the
relative order that content is deleted from a full object cache to make room for
new content. In other words, when the object cache is full, this setting
determines the relative order in which existing content is deleted.

Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower
priority content is deleted before higher priority content.
These actions can be configured to run as follows:
❐ Immediately but not as a job
❐ As a job (which enables you to track execution) that executes:
• Immediately
• One time in the future
To schedule the job to run more than one time in the future or at scheduled
intervals, see "Content Job Action Details" on page 262 instead.

To revalidate, delete, or prioritize content using a regular expression list:


1. Create the regular expression list object as discussed in "Creating and
Distributing Regular Expression Lists" on page 221.
2. Select devices to which to distribute the regular expression list:
• In the Groups pane, click the name of a group.
• In the Devices pane, click the name of one or more devices. (To select more
than one device, hold down the Control key while clicking.)
3. Click Apply.

The Perform URL Regex List Action dialog box displays.

4. From the Action list, click any of the following:


• Revalidate Regex(es)

• Delete Regex(es)

• Prioritize Regex(es)

Priority levels range from 0 (lowest) to 7 (highest). Prioritization does the
following:
• Pre-populates important content first so devices cache high priority
content before lower priority content.
• In the event devices purge their object cache, makes sure that higher
priority content is purged after lower priority content. A device purges
its object cache for a variety of reasons, including low available disk
space.
5. Do any of the following:
• Click Apply content as an immediate action to push the list without job
tracking.
Choose this option if your user account does not have permissions to
create jobs or if you do not need job tracking.
• Click Apply content as a job to enable job tracking.
• In the Job Name and Job ID fields, accept the defaults or enter other
values.

By default, the job name and job ID are both set to a time and date
stamp in the format: YYYYMMDDHHMMSS. You can change any value you
wish. The job ID can be a maximum of 250 characters in length and
cannot include the following characters: {, }, <, >, (, ), #, or $.
• Select Execute now for an immediate push or use the month, day, year,
hour, minute, and am/pm lists to schedule a time to push the lists.
6. Click OK.
Tip: Because content collections can have a large number of URLs or regular
expression lists, verifying that content was pushed successfully can be difficult. If
you distribute content using a content job, Director reports only that the job
executed successfully. The device might report that the content request was
received but not that the content was cached on the device successfully.
Blue Coat recommends that, to verify that the content job distributed the content
successfully, you do any of the following after verifying that the job executed
successfully:
❐ Query the entire content collection to make sure all content was distributed
correctly.
❐ If you distribute a large amount of content, query a subset of the content
collection, which saves time but is also effective in determining whether or not
the content was distributed correctly.
For more information, see one of the following sections:
❐ Section D: "Verifying Jobs" on page 280 in Chapter 8: "Creating, Scheduling,
and Managing Jobs"
❐ "Querying URLs" on page 226

Related Command
director # content url-list url_list_id input

Querying URLs
Querying URLs allows you to verify the status of content from objects created on
Director: whether it is cached or not, and which URLs are currently in the process
of being cached. You can use this command only for URL List and Regex List objects,
not for individual URLs or for remote URLs or regular expression lists.

To query URLs for cached status:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Content tab.
3. In the Content collections section, from the Show list, click Url Lists.
4. Expand the folder containing the content job to query.
5. Click the content job.

6. In the lower left corner of the Management Console, click Query Selection.

When you click Query Selection, the Cancel Query button is available while the
query is running. Clicking Cancel Query does not stop Director from processing
the query, but it does allow you to submit a new query.
After the query completes, the Show Results button becomes active.
7. Click Show Results.
Query results display similarly to the following:

Note: Percent values are rounded up; decimal values are not used. For
example, if you used a list of 30,000 URLs and 10 URLs are not in the
cache, the percent shown for in cache is displayed as 100%.

8. For each category in which Director registers results, the View/Export button
displays. In this example, the two URLs in the content job were not detected in
the ProxySG appliance cache.

Click View/Export to display more detailed results.

The options at the bottom of the dialog allow you to perform different actions
using this result set.

Note: If you view URLs that are not in the device’s cache, the Delete button is
replaced by a Distribute button.

9. To export the results, select a format:


• Export: Saves the URLs in the list to a text file in a local directory of your
selection.
• Save: Saves the URLs in the list as a new URL list object. This might be
useful for a set of successful URLs taken from a larger set mixed with
unsuccessful URLs.
• Distribute: This button displays if the URLs you selected are not in the
device’s cache. Clicking this button saves the URLs in the list as a new
content list and immediately distributes the list to the target device.
• Delete: This button displays if the URLs you selected are currently in the
device’s cache. Clicking this button removes the URLs in the list from the
device’s cache.
10. Click Close.
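
Because percent values are rounded up, a displayed 100% can still hide uncached URLs. The following added example (not part of this guide or of Director) compares the original URL list with the text file saved by Export for the in-cache category and reports exactly which URLs are missing; it assumes the export holds one URL per line, and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit


def normalize(url):
    """Lower-case the scheme and host so the same URL is not counted twice."""
    parts = urlsplit(url.strip())  # urlsplit already lower-cases the scheme
    return parts._replace(netloc=parts.netloc.lower()).geturl()


def load_urls(text):
    """Return the set of normalized URLs from a one-URL-per-line text."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def reconcile(source_text, in_cache_text):
    """Compare the source URL list with the exported in-cache list."""
    source = load_urls(source_text)
    cached = load_urls(in_cache_text)
    hits = source & cached
    missing = sorted(source - cached)
    total = len(source)
    return {
        "total": total,
        "missing": missing,
        # URLs in the export that were never in the source list.
        "not_in_source": sorted(cached - source),
        "exact_percent": 100.0 * len(hits) / total if total else 0.0,
        # Models the guide's statement that percent values are rounded up
        # and shown without decimals (integer ceiling division).
        "displayed_percent": -(-100 * len(hits) // total) if total else 0,
        # Grouping by host points at the origin server to investigate.
        "missing_by_host": Counter(urlsplit(u).netloc for u in missing),
    }


def build_sample():
    """Constructed data: 30,000 source URLs, 10 of them absent from the export."""
    source = [f"http://www.example.com/obj/{i}" for i in range(29_000)]
    source += [f"mms://media.example.com/clip/{i}" for i in range(1_000)]
    absent = set(source[:7]) | set(source[29_000:29_003])
    cached = [u for u in source if u not in absent]
    # One entry differs only in letter case, to exercise normalize().
    cached[0] = cached[0].replace("http://www.example.com", "HTTP://WWW.EXAMPLE.COM")
    return "\n".join(source), "\n".join(cached)


if __name__ == "__main__":
    result = reconcile(*build_sample())
    print(f"displayed {result['displayed_percent']}%, "
          f"exact {result['exact_percent']:.4f}%, "
          f"{len(result['missing'])} of {result['total']} missing")
    for host, count in result["missing_by_host"].items():
        print(f"  {host}: {count} missing")
```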

Related Commands
director (config)# content query command command_id {concise | (detail
[status {all | failed | issued | pending | remaining | successful}
{addr-device ip_address_or_hostname | all | device device_id | group
group_id} | summary [status {all | failed | issued | pending |
remaining | successful} {addr-device ip_address_or_hostname | all |
device device_id | group group_id} | model model | os-version
sgos_version]]
# content query in-progress {detail | summary} {addr-device
ip_address_or_hostname | all | device device_id | group group_id}
# content query info {concise | detail | summary} {url url | urls-from
url} {addr-device ip_address_or_hostname | all | device device_id |
group group_id | model model | os-version sgos_version}
# content query liveness device device_id
# content query outstanding {all {addr-device ip_address_or_hostname
device device_id | group group_id} | {regex url_regex {addr-device
ip_address_or_hostname | all | device device_id | group group_id} |
{regex-list regex-list_id {addr-device ip_address_or_hostname | all |
device device_id | group group_id} | {regexes-from url {addr-device
ip_address_or_hostname | all | device device_id | group group_id} |
{url url {addr-device ip_address_or_hostname | all | device device_id
| group group_id} | {urls-from url {addr-device ip_address_or_hostname
| all | device device_id | group group_id | model model | os-version
sgos_version}}
# content query status {addr-device ip_address_or_hostname | all |
device device_id | group group_id | model model | os-version
sgos_version}

Chapter 8: Creating, Scheduling, and Managing Jobs

Director jobs enable you to automate common or recurring tasks—for example,
applying profiles and overlays and updating SGOS system software on
devices. Jobs consist of actions that are applied to targets either immediately,
one time in the future, or on a recurring schedule. The target of a job can be a
single device, an arbitrary collection of devices, or a group of devices.
Job actions include the following:
❐ Applying or refreshing overlays
❐ Applying or refreshing profiles
❐ Backing up devices
❐ Backing up Director
❐ Rebooting devices
❐ Distributing, revalidating, deleting, or prioritizing URLs
❐ Revalidating, deleting, or prioritizing regular expression lists
❐ Clearing various caches (object, DNS, byte cache)
❐ Upgrading SGOS appliance system software
❐ Validating SGOS appliance software versions

Note:
• For information about content jobs, see Chapter 7: "Managing Content
Collections". Content jobs enable you to perform the following tasks:
• Distribute, revalidate, delete, or prioritize URLs and URL lists
• Revalidate, delete, or prioritize regular expression lists
• See Section C: "Managing Profiles" on page 144 for information about
profiles and overlays. See "" on page 290 for information about
upgrading and validating ProxySG appliance software.

This chapter discusses the following topics:


❐ Section A: "Getting Started With Jobs" on page 232
❐ Section B: "Setting Up Job Actions" on page 238
❐ Section C: "Scheduling Jobs" on page 274

Section A: Getting Started With Jobs


This section discusses how to create folders in which to optionally store jobs, how
to manage folders, and how to start creating a job and defining its basic
properties. Subsequent sections in this chapter discuss how to add actions and
schedules to jobs.
This section discusses the following topics:
❐ "Managing Job Folders"
❐ "Creating or Editing a Job and its Basic Properties" on page 236

Note: The Jobs tab page provides several different methods of selecting items.
For example, to edit a job, click the name of the job and perform one of the
following tasks:
❐ Click Edit in the Jobs pane.
❐ Right-click the job and, from the pop-up menu, click Edit.
❐ Click Edit > Edit Job.

Managing Job Folders


This section discusses how to create folders in which to organize jobs. Creating
folders is recommended in large deployments where you might want to organize
jobs by device location, function, or other criteria.
Note: The same folders are used for profiles, overlays, jobs, and content
collections, enabling you to create custom folders on either the Configure, Jobs, or
Content tab pages.
Following is general information about creating folders:
❐ There are two types of folders: System and Custom
❐ System folders are divided into two subfolders that cannot be changed: All
and Unassigned
❐ All jobs belong to the All system folder, even those that have been added to
custom folders.
❐ Jobs that have not been added to a custom folder belong to the Unassigned
system folder
❐ You can create job folders only under Custom Folders
❐ You can nest custom folders
This section discusses the following topics:
❐ "Creating or Editing Folders"
❐ "Setting Up Job Actions" on page 238
❐ "Removing or Copying Objects In Folders" on page 235

Creating or Editing Folders


This section discusses how to create or edit job folders and subfolders.

To create or edit profile folders and subfolders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. Right-click Custom Folders in the Job Library section in the right pane.
4. From the pop-up menu, click one of the following:
• To create a new folder, click New > New Folder.
• To edit an existing folder, click Edit.
The following figure shows an example of adding a new folder:

Note: Because the same folders are used for profiles, overlays, jobs, and
content collections, you can create custom folders on either the Configure,
Jobs, or Content tab pages.
The Add New Folder or Edit Folder dialog box displays.
5. Enter or edit the following information:
Field: Description
Folder Name: Enter a name to identify the folder.
Folder ID: Enter a unique identifier for the folder. You use the folder ID, for example, to configure the folder using the command line.
Description: Enter an optional description of the folder.

6. Click OK.


7. To create an additional folder, do any of the following:


• Top-level folder. Repeat steps 1 through 6 to create a new top-level
folder.
• Nested folder. Click the folder you just created, and right-click to add a
folder that will be subordinate to the top-level folder.
8. After the folders are created, drag and drop jobs into the desired folders as
follows:
a. In the Job Library section, from the Show list, click Config Jobs or
Content Jobs.

b. Click the objects and drag them into the desired folder.
To place more than one object at a time into a folder, hold down the
Control key while clicking.
Notes:
• You can add a job to multiple folders.
• You can move a nested folder to a different top-level folder by
dragging and dropping, and you can change a nested folder to a
top-level folder by dragging it under Custom Folders.

Command to Add a Job to a Folder


First, enter folder submode using the following command:
director (config) # folder folder_id
This command changes the prompt to:
director (config folder folder_id) #
Then enter the following command:
director (config folder folder_id) # job job_id

Deleting Folders
This section discusses how to delete folders, which also deletes all subfolders of
the folder. Any profiles, overlays, jobs, or content collections contained in those
folders and subfolders are moved to the Unassigned folder; they are not deleted.

To delete folders:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. Optional. To display jobs before you delete their containing folders, on the Jobs
tab page, in the Job Library section, from the Show list, click Config Jobs, Content
Jobs, or All.

4. Right-click the name of the folder to delete.


5. From the pop-up menu, click Delete.


You are required to confirm the action. After deleting the folder, any jobs
contained in the folder or subfolders move to the Unassigned system folder.

Removing or Copying Objects In Folders


This section discusses how to perform the following tasks for jobs stored in
folders:
❐ Remove a job from a custom folder and put it in the Unassigned folder,
without deleting the folder.
❐ Remove a job from the Unassigned system folder and put it in a custom folder.
❐ Copy a job from one folder to another folder.

To remove or copy jobs in folders:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. To display jobs before you remove or copy them, on the Jobs tab page, in the
Job Library section, from the Show list, click All.
4. Do any of the following:
• To remove the job from the custom folder it is in now and move it to the
Unassigned system folder, right-click on the job and, from the pop-up
menu, click Remove. You are required to confirm the action.
• To move a job from the Unassigned system folder to a custom folder, click
the object and drag it to the desired custom folder.
• To copy a job to another custom folder, click the object and drag it to the
desired custom folder.


Creating or Editing a Job and its Basic Properties


This section discusses how to create or edit a job for one or more devices. You can
use the same procedure to edit an existing job; however, you cannot change the job
ID.

To create or edit a job:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Click the Jobs tab.
4. On the Jobs tab page, in the Job Library section, from the Show list, click Config
Jobs, Content Jobs, or Both.

5. If necessary, create a folder in which to store the new job as discussed in
"Managing Job Folders" on page 232.
6. Right-click the folder in which to store the job.
7. New job:
From the pop-up menu, click any of the following:
• New > New Job > Config
• New > New Job > Content
The Properties tab page of the Create a new Job dialog box displays.
8. Edit an existing job:
Do any of the following:
• In the Job Library pane, click the name of the job and click Edit at the
bottom of the pane.
• In the Job Library pane, right-click the name of the job. From the pop-up
menu, click View.


The job’s properties display.

9. Enter the following information:


Item: Description
Job Name field: Enter a name to identify the job.
Job ID field: Enter a unique identifier for the job. Initially, the value of the Job ID field is identical to the Job Name field (unless the job ID is not unique). You can change the Job Name field at any time before you click OK; after you click OK, the Job ID cannot be changed.
   Note: The job ID can be a maximum of 250 characters in length and cannot include the following characters: {, }, <, >, (, ), #, or $.
Description field: Enter an optional description.
Enable check box: This check box is selected by default. Clear the Enable check box if you want the scheduler to ignore this job.
   Note: A job runs only if it is enabled and it is scheduled to run at a valid time (either immediately or by setting the job schedule as discussed in Section C: "Scheduling Jobs" on page 274).

10. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.


Section B: Setting Up Job Actions


This section discusses how to add actions to a job. Actions determine what the job
does and to which devices.
This section discusses the following topics:
❐ "Getting Started With Job Actions"
❐ "Config Job Action Details" on page 241
❐ "Content Job Action Details" on page 262

Getting Started With Job Actions


This section discusses how to get started adding actions to a job.

To add actions to a job:


1. Complete the tasks discussed in Section A: "Getting Started With Jobs" on
page 232.
2. In the Create a New Job or Edit Job dialog box, click the Actions tab.

Note: You can click the other tab pages to add actions and a schedule without
clicking OK in the Profile tab page first.

3. To add an action to a job, click New.


This also adds an additional action to a job that already has one or more
actions configured for it.

4. From the Action list, click one of the following tasks:


• For config jobs, see "Config Job Actions"
• For content jobs, see "Content Job Actions" on page 240
5. Use the same procedure to add more actions to the job.
6. After adding actions to the job, see one of the following sections:
• Section C: "Scheduling Jobs" on page 274
• Section D: "Verifying Jobs" on page 280

Config Job Actions


The following table shows the list of config job actions:
Action: Description
Push Overlay: Push the overlay (specified in the Object field) to the designated target device.
Refresh Overlay: Refresh the overlay (specified in the Object field) from the designated source device.
Push Profile: Push the profile (specified in the Object field) to the designated target device.
Refresh Profile: Refresh the profile (specified in the Object field) from the designated source device.
Abort on errors: Abort the job if any of the subsequent job actions fail.
Continue on errors: Continue job execution even when a job action fails.
Take Backup: Take a backup of the target device’s configuration.
Create and Upload Archive: Archive (that is, back up) this Director appliance. For more information, see "Archiving Director Using the Management Console" on page 470.
Reboot Device: Reboot the target device.
Clear Device’s Byte Cache: Clear the byte cache on the target device.
Clear Device’s DNS Cache: Clear the DNS cache on the target device.
Clear Device’s Object Cache: Clear the object cache on the target device.
System Download: Download a software version to the target device.
System Validate: Validate the software version on the target device.
Issue Director CLI command: Available only for jobs that were created using the Director command line. Enables you to edit CLI commands in a job.

Content Job Actions


The following table shows the list of content job actions:
Action: Description
Distribute URL(s): Pre-populates a device’s object cache with URLs you specify.
Revalidate URL(s): Checks the origin server to determine if URLs in a device’s object cache need to be updated and if so, updates the object cache.
Delete URL(s): Removes URLs from a device’s object cache.
Prioritize URL(s): Prioritizes URLs to be deleted from the object cache when it becomes full.
Revalidate Regexe(s): Checks the origin server to determine if URLs that match a regular expression need to be updated and if so, updates the object cache.
Delete Regexe(s): Deletes from a device’s object cache URLs that match a regular expression.
Prioritize Regexe(s): Prioritizes URLs that match a regular expression to be deleted from the object cache when it becomes full.
Abort on Errors: Abort the job if any of the subsequent job actions fail.
Continue on Errors: Continue job execution even when a job action fails.


Config Job Action Details


This section discusses details about setting up actions for config jobs:
❐ "Push Overlay or Push Profile Details"
❐ "Refresh Overlay or Refresh Profile Details" on page 244
❐ "Abort or Continue on Errors Details" on page 245
❐ "Take Backup Details" on page 246
❐ "Create and Upload Archive Details" on page 248
❐ "Reboot Device Details" on page 254
❐ "Clear Cache Details" on page 255
❐ "System Download Details" on page 257
❐ "System Validate Details" on page 259
❐ "Issue Director CLI Command Details" on page 260


Push Overlay or Push Profile Details


This section discusses the details of a Push Overlay or Push Profile job action,
which applies (that is, pushes) a profile to one or more devices. For more
information about profiles and overlays, see Chapter 5: "Managing Device
Groups, Profiles, and Overlays".
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Push Overlay
as the action. (Push Profile is very similar.)

Enter or edit the following information:


Item: Description
Action list: Click any of the following:
   • Push Overlay
   • Push Profile
Overlay list (or Profile list): From the list, click the name of the overlay or profile to push.
Select Target Device(s): Click the browse icon, which displays the Choose Target dialog box, then click the device that contains the source overlay or profile.
Validate button: Click to evaluate the profile or overlay for substitution variable conflicts. If conflicts display, see Section E: "Resolving Substitution Variable Conflicts in Jobs" on page 287.
Apply button: Click to add the action to the job.

Note: A job fails to execute if the job contains substitution variable conflicts.

The action displays in the left pane, as shown in the following example:

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.


Continue with any of the following sections:


❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Refresh Overlay or Refresh Profile Details


This section discusses the details of a Refresh Overlay or Refresh Profile job
action, which reapplies a profile or overlay to selected devices. Before beginning,
see Section A: "Getting Started With Jobs" on page 232 and "Getting Started With
Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Refresh
Overlay as the action. (Refresh Profile is very similar.)

Enter or edit the following information:


Item: Description
Action list: Click any of the following:
   • Refresh Overlay
   • Refresh Profile
Overlay list (or Profile list): From the list, click the name of the overlay or profile to refresh on the device.
Refresh options: Click any of the following:
   • Use Stored Source Information: Refresh the profile or overlay from data stored on Director for that device.
   • From Device: Click the browse icon, which displays the Choose Target dialog box, then click the device that contains the source overlay or profile to use to refresh.
   • From Remote URL: Enter the URL path to the server that contains the source overlay or profile.
Apply button: Click to add the action to the job.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Abort or Continue on Errors Details


The actions Abort on Errors and Continue on Errors can be added to any job.
Their meanings follow:
❐ Abort on Errors: If an error occurs while performing any job action, stop the job
immediately and log the errors.
❐ Continue on Errors: Complete job execution, regardless of errors, and log the
errors in the job report.
For more information about the job report, see Section D: "Verifying Jobs" on page
280.


Take Backup Details


This section discusses the details of a Take Backup job action, which backs up one
or more ProxySG devices. Before beginning, see Section A: "Getting Started With
Jobs" on page 232 and "Getting Started With Job Actions" on page 238.
To back up (that is, archive) Director, see "Create and Upload Archive Details" on
page 248 instead.
The right pane of the Job dialog box displays as follows if you select Take Backup
as the action.

Enter or edit the following information:


Item: Description
Action list: Click Take Backup.
Select Target Device(s): Click the browse icon, which displays the Choose Target dialog box, then click the device to back up. To select more than one device, hold down the Control key while clicking.
Apply button: Click to add the action to the job.


The job action displays in the left pane.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section A: "Backing Up Devices" on page 452 in Chapter 15: "Backing Up
Director and Devices", for additional details not covered here
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Create and Upload Archive Details


This section discusses the details of a Create and Upload Archive job action,
which backs up the Director appliance.
To back up ProxySG devices, see "Take Backup Details" on page 246 instead.

Archive Prerequisites
Before beginning, complete the following tasks:
❐ Learn about archive types: "About Archives" on page 466
❐ Create an archive keypair: "Creating an Encryption Keypair" on page 467
❐ If this Director is part of a standby pair: "Standby Prerequisite: Make Both
Directors Standalone" on page 467
❐ Create the job: Section A: "Getting Started With Jobs" on page 232
❐ Create a job action: "Getting Started With Job Actions" on page 238

Procedure to Archive Director


The right pane of the Job dialog box displays as follows if you select Create and
Upload Archive as the action.


Enter or edit the following information:


Item: Description
Action list: Click Create and Upload Archive.
Archive Type list: From the list, click the type of archive to create. For an explanation of the options, see "About Archives" on page 466.
With Key list: Select the key to use to encrypt the archive. For more information about archive keys, see "Creating an Encryption Keypair" on page 467.
Upload URL field: Enter the URL of the external server to which to upload the archive. The URL can optionally include the file name. If you omit the file name, the archive is uploaded to the external server with a name like the following:
   sgmearchive-director-all-2008.12.03-004256.tgz
   Valid URL formats follow:
   scp://host//path
   ftp://host/path
   http://host/path
   For example, to upload the archive to a directory using the SCP protocol, enter
   scp://192.168.0.50//director
   For example, to upload the archive using a different name using the FTP protocol, enter
   ftp://192.168.0.50//director/director_5.4.1.1_04-01-09.tgz
Directory and File options: Select the option corresponding to the URL you entered in the Upload URL field.
   • To upload the archive to the external server using the default name, enter a URL without a file name and click Directory.
   • To upload the archive to the external server using a name other than the default name, enter a URL that includes a file name and click File.
   Note: Archive file names cannot contain spaces.
Username field: If the external server requires authentication, enter the user name in this field. The user name you enter must have privileges to write to the directory you specified in the Upload URL field.
Password field: Enter the user’s password.
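The following is an added example, not part of this guide or of Director: a pre-flight check for the Upload URL, Directory/File option and Username values described above, which also flags jobs that would send a login over FTP or HTTP, neither of which encrypts the session. The function names, the job-record layout and the sample jobs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Schemes listed under "Valid URL formats" for the Upload URL field.
ALLOWED_SCHEMES = ("scp", "ftp", "http")
# Of those, the ones that do not encrypt the session.
CLEARTEXT_SCHEMES = ("ftp", "http")


def check_upload_target(url, mode, username=None):
    """Return (severity, message) findings for one Create and Upload Archive action.

    mode is "directory" or "file", mirroring the Directory and File options.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return [("error", "scheme %r is not a listed format (scp, ftp, http)" % scheme)]
    if not parts.hostname:
        return [("error", "URL has no host")]
    if mode not in ("directory", "file"):
        return [("error", "mode must be 'directory' or 'file'")]

    findings = []
    if parts.username or parts.password:
        findings.append(("warn", "credentials embedded in the URL; "
                         "use the Username and Password fields instead"))

    # Last path segment, decoded so that %20 is treated as a space too.
    name = unquote(parts.path).rsplit("/", 1)[-1]
    if mode == "file":
        if not name:
            findings.append(("error", "File option selected but the URL has no file name"))
        elif " " in name:
            findings.append(("error", "archive file name %r contains a space" % name))
    elif name.lower().endswith((".tgz", ".tar.gz")):
        # Heuristic only: a directory may legitimately be named like this.
        findings.append(("warn", "Directory option selected but %r looks like a file name" % name))

    if scheme in CLEARTEXT_SCHEMES and username:
        findings.append(("warn", "%s does not encrypt the session: the login for %r "
                         "would cross the network in cleartext (scp does not have "
                         "this problem)" % (scheme, username)))
    return findings


# Constructed sample job actions (hypothetical record layout, not a Director export).
SAMPLE_JOBS = [
    {"job_id": "nightly-scp", "url": "scp://192.168.0.50//director",
     "mode": "directory", "username": "backup"},
    {"job_id": "weekly-ftp",
     "url": "ftp://192.168.0.50//director/director_5.4.1.1_04-01-09.tgz",
     "mode": "file", "username": "backup"},
    {"job_id": "bad-name", "url": "scp://192.168.0.50//director/director archive.tgz",
     "mode": "file", "username": "backup"},
    {"job_id": "no-name", "url": "http://192.168.0.50/director/", "mode": "file"},
]


def audit_jobs(jobs):
    """Map each job ID to its list of findings."""
    return {j["job_id"]: check_upload_target(j["url"], j["mode"], j.get("username"))
            for j in jobs}


if __name__ == "__main__":
    for job_id, findings in audit_jobs(SAMPLE_JOBS).items():
        print(job_id, "OK" if not findings else "")
        for severity, message in findings:
            print("   %-5s %s" % (severity, message))
```

The archive itself is encrypted with the key selected in the With Key list, so the cleartext warning concerns the upload login, not the archive contents.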


The job action displays in the left pane.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section B: "Archiving Director" on page 463 in Chapter 15: "Backing Up
Director and Devices", for additional details not covered here
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Schedule Reports Details


This section discusses how to schedule the following types of reports to be
e-mailed:
❐ Performance Analysis Reports
Includes bandwidth savings, effective throughput, and acceleration
information available for proxies. For more details, see "Generating
Performance Analysis Reports" on page 350.
❐ Health reports
Enables you to monitor CPU and memory usage of devices. For more details,
see "Generating Health Reports" on page 354.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Schedule
Reports as the job action.


Enter or edit the following information:


Item: Description
Action list: Click Schedule Reports.
Report type: Click one of the following:
   • Performance Analysis
   • Health Monitoring
Period list: From the list, click the period of time over which to average the data for the report:
   • Last Hour
   • Last Day
   • Last Week
   • Last Month
   • Last Year
Scale list: Performance Analysis report only. From the list, click the units of measure to use to scale the graphs and charts in the reports:
   • Bytes
   • Kilo Bytes
   • Mega Bytes
   • Giga Bytes
Select Target Device(s): Click the browse icon, which displays the Choose Target dialog box, then click a single device, multiple devices, or a group. To select more than one device, hold down the Control key while clicking.
   Note: If you select more than one individual device, a custom group is created when the report is run. By default, the custom group is named according to the date and time stamp when it is created, in the format YYYYMMDDHHMMSSS’S’S’ where S’ is milliseconds. If you click No in the Custom group creation dialog box, you can enter another name for the custom group.
From field: Enter one e-mail address to appear on the From line in the e-mail. Reports are also returned to this address if the e-mail cannot be delivered. E-mail addresses must be in the format name@domain. For example, bob.smith@example.com. Separate multiple e-mail addresses with a comma character.
To field: Enter one or more e-mail addresses to which to send the reports.
Cc field: Enter one or more e-mail addresses to copy on the report e-mail.
Bcc field: Enter one or more e-mail addresses to blind copy on the report e-mail.
Server IP field: Displays the outgoing Simple Mail Transfer Protocol (SMTP) server’s host name or IP address. To change this setting, click Change Mail Settings.
Server Port field: Displays the SMTP server’s listen port. To change this setting, click Change Mail Settings.
Username field: Displays the SMTP server’s login user name (if any). To change this setting, click Change Mail Settings.
Password field: Displays the SMTP server’s password (if any). To change this setting, click Change Mail Settings.
Change Mail Settings: Add or change SMTP server settings. For more information, see "Setting Mail Options" on page 63.
Apply button: Click to add this action to the job.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click the Scheduling tab to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Reboot Device Details


This section discusses the details of a Reboot Device action, which reboots a
device (typically after downloading SGOS software to it as discussed in "System
Download Details" on page 257).
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Reboot
Device as the job action.

Enter or edit the following information:


Item: Description
Action list: Click Reboot Device.
Select Target Device(s): Click the browse icon, which displays the Choose Target dialog box, then click the devices to reboot. To select more than one device, hold down the Control key while clicking.
Apply button: Click to add the action to the job.


You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Clear Cache Details


This section discusses the details of any of the following job actions:
❐ Clear Device’s Byte Cache: The byte cache is a per-connection cache maintained
on a device for all of its clients. The byte cache optimizes traffic by replacing
byte sequences in data streams with smaller tokens. When byte sequences are
seen again, the token is referenced rather than sending the sequence of bytes
over the network.
❐ Clear Device’s DNS Cache: The DNS cache is a list of host names and their
associated IP addresses stored on a device.
❐ Clear Device’s Object Cache: Caches objects that are indexed by name (that is, file
name or URL). The object cache is available for specific protocols (such as
HTTP, HTTPS, FTP, CIFS, and some streaming protocols).
Content commands can be used to pre-populate, revalidate, and delete objects
in the object cache. For more information, see "About Content Distribution" on
page 207.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.


The right pane of the Job dialog box displays as follows if you select Clear
Device’s Byte Cache as the job action. (The other clear cache actions are similar.)

Enter or edit the following information:


Item: Description
Action list: Click any of the following:
   • Clear Device’s Byte Cache
   • Clear Device’s DNS Cache
   • Clear Device’s Object Cache
Select Target Device(s): Click the browse icon, which displays the Choose Target dialog box, then click a device to clear its cache. To select more than one device, hold down the Control key while clicking.
Apply button: Click to add the action to the job.


You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

System Download Details


This section discusses the details of a System Download action, which downloads
SGOS system software to a device. Before beginning, see Section A: "Getting
Started With Jobs" on page 232 and "Getting Started With Job Actions" on page
238.
The right pane of the Job dialog box displays as follows if you select System
Download as the job action.


Enter or edit the following information:


Item: Description
Action list: Click System Download.
Remote URL field: The SGOS image must be placed on a Web server to which the devices have access. When you download system software, you have the option of installing it from a URL similar to the following (URLs expire after 24 hours):
   https://bto.bluecoat.com/download/direct/3577157784791669817118692320
Target Device(s): Select the device or devices to which to apply the SGOS image. (Use Control+click to select multiple devices.)
Apply button: Click to add the action to the job.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


System Validate Details


This section discusses the details of a System Validate action, which validates the
version number of SGOS software running on a device. You typically use System
Validate after downloading SGOS software to a device and rebooting it.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select System
Validate as the job action.

Enter or edit the following information:


Item: Description
Action list: Click System Validate.
Version field: Enter the version number to match. See the note following this table.
Target Device(s): Select the device or devices on which to validate the SGOS version. (Use Control+click to select multiple devices.)
Apply button: Click to add the action to the job.


Note about the Version field:


The version number can be used to match releases, as shown in the following
table.

Version Number: Matches
5.3: 5.3.0.1, 5.3.0.2, 5.3.1, 5.3.2, and so on
5.2.2: 5.2.2.1, 5.2.2.2, 5.2.2.3, and so on

Do not precede the software version number with SGOS. Doing so results in an
error.
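The following is an added example, not Director's own code: it applies the matching rule from the table above to a device inventory so you can see which devices would fail a System Validate action before running the job. It assumes matching is done on whole dot-separated components, which agrees with the table but is not stated in this guide; the inventory layout, device names and versions are constructed.

```python
def parse_version_field(value):
    """Split a Version field value into components.

    Anything other than dotted digits is rejected, which covers the
    "do not precede the version number with SGOS" rule.
    """
    parts = value.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("Version field must be dotted digits only, got %r" % value)
    return parts


def version_matches(version_field, device_version):
    """True if device_version begins with every component of version_field.

    Assumption: comparison is per component, so "5.3" matches "5.3.0.1"
    but not "5.30.1" (a plain string-prefix test would accept both).
    """
    want = parse_version_field(version_field)
    have = device_version.strip().split(".")
    return have[:len(want)] == want


def devices_failing_validation(version_field, inventory):
    """Return the sorted names of devices whose version does not match."""
    parse_version_field(version_field)  # fail early on a malformed field
    return sorted(name for name, version in inventory.items()
                  if not version_matches(version_field, version))


# Constructed inventory: device name -> SGOS version the device reports.
SAMPLE_INVENTORY = {
    "sg-a": "5.3.0.1",
    "sg-b": "5.3.2",
    "sg-c": "5.2.2.3",
    "sg-d": "5.30.1",   # constructed value that a naive startswith() would accept
}

if __name__ == "__main__":
    for field in ("5.3", "5.2.2"):
        print(field, "would fail on:", devices_failing_validation(field, SAMPLE_INVENTORY))
    try:
        devices_failing_validation("SGOS 5.3", SAMPLE_INVENTORY)
    except ValueError as exc:
        print("rejected:", exc)
```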
You can now:
❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Issue Director CLI Command Details


This section discusses the details of an Issue Director CLI Command action, which
is a special action available only for jobs that were created or edited using the
Director command line (also referred to as the CLI). You can use this job action to
change existing CLI commands and to add additional CLI commands.
Unlike other job actions, you can add a new Issue Director CLI Command action
only to a job that had CLI commands already. If a job was created using the
Management Console and not the command line, this action is not available.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Issue Director
CLI Command as the job action.


You have the following options:


Action: Description
Add a new CLI command:
   1. Click New.
   2. From the Action list, click Issue Director CLI command.
   3. In the CLI Command field, enter the command.
   4. Click Apply.
Edit an existing CLI command:
   1. In the left pane, click the command to edit.
   2. In the right pane, in the CLI Command field, enter the new or changed command.
   3. Click Apply.
Reorder commands:
   1. In the left pane, click a command.
   2. At the bottom of the left pane, click Move Up or Move Down to reorder that command in the list of commands.
   3. Repeat step 2 as necessary.
   4. Click OK.
Delete a command:
   1. In the left pane, click a command.
   2. At the bottom of the left pane, click Remove.
   3. Click OK.


You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Content Job Action Details


This section discusses details about setting up actions for content jobs:
❐ "Distribute, Revalidate, or Delete URL(s) Details"
❐ "Prioritize URL(s) Details" on page 266
❐ "Revalidate or Delete Regex(es) Details" on page 269
❐ "Prioritize Regex(es) Details" on page 271


Distribute, Revalidate, or Delete URL(s) Details


This section discusses the details of the following related job actions:
❐ Distribute URL(s)
Distributes URLs to devices (that is, pre-populates a device’s object cache with
content in the URL).
❐ Revalidate URL(s)
Revalidation compares each URL in the list in the device’s object cache to the
content in the source server. If the content on the source server is newer, the
content is updated in the object cache; otherwise, no change is made to the
object cache.
❐ Delete URL(s)
Removes URLs from a device’s object cache.
For more information about content pre-population, see "About Content
Distribution" on page 207.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Distribute
URL(s) as the action. (The other actions are similar.)


Enter or edit the following information:

Item                      Description

Action list               Click any of the following:
                          • Distribute URL(s)
                          • Revalidate URL(s)
                          • Delete URL(s)

Choose URLs               Click any of the following:
                          • From URL list: Distribute or revalidate URLs from a URL list object that already exists on Director. For information about creating URL list objects, see "Creating and Distributing URL Lists" on page 215.
                          • From Remote URL: Specifies the URL to a text file or HTML file located on a remote Web server to which the selected devices have access. url must include the name of a text file that has a valid list of URLs.
                          • Single URL: Enter a single URL to distribute or revalidate in the following format:
                            http[s]://www.example.com/path
                          Note: Failure to include the scheme (http://, https://, and so on) causes the job to fail.

Select Target Device(s)   Click (browse), which displays the Choose Target dialog box, then click devices on which to perform the action. To apply the action to more than one device at a time, hold down the Control key while clicking.

Apply button              Click to add the action to the job.


The action displays in the left pane, as shown in the following example:

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Prioritize URL(s) Details


Determines the relative order that content is deleted from a full object cache to
make room for new content. In other words, when the object cache is full, this
setting determines the relative order in which existing content is deleted.
Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower
priority content is deleted before higher priority content.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Prioritize
URL(s) as the action.

Enter or edit the following information:

Item                      Description

Action list               Click Prioritize URL(s)

Choose URLs               Click any of the following:
                          • From URL list: Prioritize URLs from a URL object that already exists on Director. For information about creating URL list objects, see "Creating and Distributing URL Lists" on page 215.
                          • From Remote URL: Specifies the URL to a text file or HTML file located on a remote Web server to which the selected devices have access. url must include the name of a text file that has a valid list of URLs.
                          • Single URL: Enter a single URL to prioritize in the following format:
                            http[s]://www.example.com/path
                          Note: Failure to include the scheme (http://, https://, and so on) causes the job to fail.

Select Target Device(s)   Click (browse), which displays the Choose Target dialog box, then click devices on which to perform the action. To apply the action to more than one device at a time, hold down the Control key while clicking.

Apply button              Click to add the action to the job.


The action displays in the left pane, as follows.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Revalidate or Delete Regex(es) Details


This section discusses the details of the following related job actions:
❐ Revalidate Regex(es): Deletes URLs from a device’s object cache that match
the regular expressions you choose and adds them back, in effect deleting and
repopulating the object cache.
❐ Delete Regex(es): Removes URLs from a device’s object cache that match the
regular expressions you choose.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
Director supports Perl-compatible regular expressions. For more information, see
a regular expression resource.
The right pane of the Job dialog box displays as follows if you select Revalidate
Regex(es) as the action. (Delete Regex(es) is similar.)

Enter or edit the following information:

Item                         Description

Action list                  Click any of the following:
                             • Revalidate Regex(es)
                             • Delete Regex(es)

Choose regular expressions   Click any of the following:
                             • From Regex list: Revalidate or delete URLs from a Regex object that already exists on Director. For information about creating Regex list objects, see "Creating and Distributing Regular Expression Lists" on page 221.
                             • From Remote URL: Specifies the URL to a text file or HTML file located on a remote Web server to which the selected devices have access. url must include the name of a text file that has a valid list of regular expressions.
                             • Single Regex: Enter a single URL to revalidate or delete in the following format:
                               http[s]://www.example.com/regex
                             Note: Failure to include the scheme (http://, https://, and so on) causes the job to fail.

Select Target Device(s)      Click (browse), which displays the Choose Target dialog box, then click devices on which to perform the action. To apply the action to more than one device at a time, hold down the Control key while clicking.

Apply button                 Click to add the action to the job.

The action displays in the left pane, as shown in the following example:


You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280

Prioritize Regex(es) Details


Updates the priority setting of objects in the object cache; only objects that match
the regular expression are updated. The priority setting determines the
relative order that content is deleted from a full object cache to make room for
new content. In other words, when the object cache is full, this setting
determines the relative order in which existing content is deleted.
Priority levels are from 0 (lowest) to 7 (highest), with 4 as the default. Lower
priority content is deleted before higher priority content.
Before beginning, see Section A: "Getting Started With Jobs" on page 232 and
"Getting Started With Job Actions" on page 238.
The right pane of the Job dialog box displays as follows if you select Prioritize
Regex(es) as the action.


Enter or edit the following information:

Item                         Description

Action list                  Click Prioritize Regex(es)

Choose regular expressions   Click any of the following:
                             • From Regex list: Prioritize content from a Regex object that already exists on Director. For information about creating Regex List objects, see "Creating and Distributing Regular Expression Lists" on page 221.
                             • From Remote URL: Specifies the URL to a text file or HTML file located on a remote Web server to which the selected devices have access. url must include the name of a text file that has a valid list of regular expressions.
                             • Single Regex: Enter a single URL to prioritize in the following format:
                               http[s]://www.example.com/regex
                             Note: Failure to include the scheme (http://, https://, and so on) causes the job to fail.

Select Target Device(s)      Click (browse), which displays the Choose Target dialog box, then click devices on which to perform the action. To apply the action to more than one device at a time, hold down the Control key while clicking.

Apply button                 Click to add the action to the job.


The action displays in the left pane, as follows.

You can now:


❐ Click New to add more actions to this job.
❐ Click OK to save your changes to the job.
❐ Click Scheduling to schedule the job for execution in the future.
Continue with any of the following sections:
❐ Section C: "Scheduling Jobs" on page 274
❐ Section D: "Verifying Jobs" on page 280


Section C: Scheduling Jobs


A Director job can be scheduled in any of the following ways:
❐ Immediate execution: The job runs immediately for the selected devices as
discussed in "Executing a Job Immediately".
❐ One or more times in the future: The job executes at future times and dates
(but not on a regularly recurring schedule) as discussed in "Scheduling a Job
for Future Execution" on page 275.
❐ Recurring execution: The job executes on a recurring schedule on the days of
the week and times of day you select as discussed in "Scheduling a Job for
Recurring Execution" on page 277.

Note: Jobs run according to the time set on the Director appliance, which is not
necessarily the same as the time on the computer on which the
Management Console runs. Before scheduling a job, use the standard mode
show clock command on Director to determine its time and time zone settings.

Executing a Job Immediately


This section discusses how to run a job immediately. Other scheduling options
follow:
❐ "Scheduling a Job for Future Execution" on page 275
❐ "Scheduling a Job for Recurring Execution" on page 277

To execute a job immediately:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Create or edit the job’s properties as discussed in Section A: "Getting Started
With Jobs" on page 232.
4. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.
5. Click the Jobs tab.
6. On the Jobs tab page, in the Job Library pane, from the Show list, click Config,
Content, or All (depending on what type of job you want to execute).

7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.


8. Click Execute.

The job displays in the Job Queue pane.


9. Verify the job executed properly as discussed in "Verifying Jobs" on page 280.

Scheduling a Job for Future Execution


This section discusses how to run a job one or more times in the future but not on
a regularly recurring schedule. Other scheduling options follow:
❐ "Executing a Job Immediately" on page 274
❐ "Scheduling a Job for Recurring Execution" on page 277
In the procedure that follows, start with step 1 if you have already saved the job.
Start with step 10 if you are creating the job for the first time or if you are currently
editing the job.

To schedule a job for execution in the future:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Create or edit the job’s properties as discussed in Section A: "Getting Started
With Jobs" on page 232.
4. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.
5. Click the Jobs tab.
6. On the Jobs tab page, in the Job Library pane, from the Show list, click Config,
Content, or All (depending on what type of job you want to execute).

7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.
8. Click the name of the job.


9. Click Edit.
10. Click the Schedule tab.
11. On the Schedule tab page, click This is a job to be executed on.

12. From the provided lists, click the month, day, year, hour, minute, and am or
pm.

13. Click (add) to execute the job at the selected time.


14. (Optional.) Repeat steps 11 through 13 to add more times.
The times display in the List of Dates/List of Times section in the right pane.

15. Click OK.


The job displays in the Job Queue pane.
16. Verify the job executed properly as discussed in Section D: "Verifying Jobs" on
page 280.


Scheduling a Job for Recurring Execution


This section discusses how to run a job on a regularly recurring schedule. Other
scheduling options follow:
❐ "Executing a Job Immediately" on page 274
❐ "Scheduling a Job for Future Execution" on page 275
In the procedure that follows, start with step 1 if you have already saved the job.
Start with step 10 if you are creating the job for the first time or if you are currently
editing the job.

To schedule a job to run on a recurring schedule:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optionally enable verbose output so you see all results of executing the job.
Click File > Options and see "Configuring Browser and Mail Settings" on page
61 for details.
3. Create or edit the job’s properties as discussed in Section A: "Getting Started
With Jobs" on page 232.
4. Add actions to the job as discussed in Section B: "Setting Up Job Actions" on
page 238.
5. Click the Jobs tab.
6. On the Jobs tab page, in the Job Library pane, from the Show list, click Config,
Content, or All (depending on what type of job you want to execute).

7. If necessary, expand the folder containing the name of the job to execute.
More information about folders can be found in "Managing Job Folders" on
page 232.
8. Click the name of the job.
9. Click Edit.
10. Click the Schedule tab.


11. On the Schedule tab page, click This is a recurring job to be executed on.

12. Perform the tasks discussed in the following table in the order shown:

Task                                                   Description

1. Click This is a recurring job to be executed on.    Required for all recurring jobs.

2. Select one or more day of the week check boxes.     Specifies which days of the week to execute the job.

3. Select the time of day.                             Specifies the time of day to execute the job on the days of the week you previously specified.

4. Optional. Select a start date.                      Select a date to begin running the recurring job. If you do not select a date, the job begins running at the next available date and time.

5. Optional. Select an end date.                       Select a date to stop running the recurring job. If you do not select a date, the job continues running at the scheduled dates and times until you either edit the job to provide a stop date or until you delete the job.

6. Click (add job).                                    Schedule the recurring job.

13. Click OK.


The job displays in the Job Queue pane.
14. Verify the job executed properly as discussed in Section D: "Verifying Jobs" on
page 280.


Related Commands
First, enter job mode using the following command:
director (config) # job jobname
This command changes the prompt to:
director (config job jobname) #
Commands available from this submode include:
director (config job jobname) # cancel
director (config job jobname) # comment
director (config job jobname) # create
director (config job jobname) # date-time-pairs date_yyyy/mm/dd time_hh:mm[:ss]
director (config job jobname) # disable
director (config job jobname) # execute
director (config job jobname) # input
director (config job jobname) # name friendly_name
director (config job jobname) # no
director (config job jobname) # saved-executions number_of_reports [force]
director (config job jobname) # time-of-day {absolute {start | stop} date_yyyy/mm/dd time_hh:mm[:ss] | day {all | fri | mon | sat | sun | thu | tue | wed | weekdays} | time time_hh:mm[:ss]}
director (config job jobname) # type {date-time-pairs | time-of-day}
Other related commands:
director (config) # job update-status
director (config) # abort-on-errors


Section D: Verifying Jobs


The Job Queue and Description panes on the Jobs tab page display summary and
detailed information, respectively, about the status of jobs.
[Figure: Jobs tab page. The Job Queue pane displays summary information; the Description pane displays details, including the Job Report.]

This section discusses the following topics:


❐ "About the Job Queue and Description Panes"
❐ "Verifying Backup Jobs" on page 286

About the Job Queue and Description Panes


Table 8–1 shows the meanings of the indicators in the Status column of the Job
Queue pane.
Table 8–1 Job status and meanings

Icon   Meaning

The job completed successfully.

Errors occurred during job execution. Click the job in the Job Queue pane and click View Job Report in the Description pane to see the errors.

The job has been scheduled but has not run yet.

Content jobs only. The job is in progress.

Table 8–2 shows the meanings of the options at the bottom of the Job Queue pane.

Table 8–2 Job queue options

Option                              Meaning

Display jobs’ next run time         • Select the check box to display the next run time for jobs scheduled in the future
                                    • Clear the check box to display only job execution results

Display jobs that ran in the last   From the list, click the length of time for which to display jobs that ran in the past:
                                    • 1 day
                                    • 7 days
                                    • 15 days
                                    • 30 days
                                    • 1 year

Note: Jobs that were disabled after being executed also display in the Job
Queue.


The Description pane provides additional information, including a link to the Job
Report, which lists the commands executed on the target object or device. You can
customize the job report output. The default is to show only errors. To see all
command output, you must set the output to verbose as discussed in
"Configuring Browser and Mail Settings" on page 61.

To view the Job Report from the Description pane:


1. In the Job Queue pane, click the name of the job.
The page refreshes, displaying a job execution summary.
2. Click View Job Report to view the commands executed by the job.


The Job Report dialog box displays.

This job report shows an example of verbose output. For information about
setting the output level, see "Configuring Browser and Mail Settings" on page
61.

Note: If the job report is empty, see "Alternate Way to View Job Results" on
page 284.

3. You have the following options:

Button           Description
Next Error       If the job report contains errors, click to advance to the next error.
Previous Error   If the job report contains errors, click to go back to the preceding error.
Close            Close the job report.


Alternate Way to View Job Results


This section discusses how to view all execution results for a particular job, which
is useful in the following circumstances:
❐ If it is a recurring job that has many executions to view.
❐ If the job report viewed from the Job Queue pane is empty.
Typically, this happens if you change the name of a job after it has executed
one or more times, in which case Director matches the job results to the Job ID
rather than the job name.

To view all executions for a particular job:


1. On the Jobs tab page, in the Job Library section, from the Show list, click Config
Jobs, Content Jobs, or Both.

2. In the Job Library pane, if necessary, expand the folder containing the job that
has executions you want to view.
3. Click the name of the job.
4. Click Edit.


The Edit Job dialog box displays.


5. In the Execution History pane, click the job instance and click View Job Report.

This job report shows an example of verbose output. For information about
setting the output level, see "Configuring Browser and Mail Settings" on page
61.

6. You have the following options:

Button           Description
Next Error       If the job report contains errors, click to advance to the next error.
Previous Error   If the job report contains errors, click to go back to the preceding error.
Close            Close the job report.


Verifying Backup Jobs


Use the following procedure to view the results of a backup job.

To examine the result of a backup job:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. Review the job status in the Job Queue pane to make sure the backup job
executed successfully.
For more information about viewing job status, see "" on page 290.
4. Click the Configure tab.
5. In the Groups pane, expand the group containing the device whose backup
you want to view.
6. In the Devices pane, click the device.
7. Click Launch Backup Manager.
The Backup Manager displays.
8. Click the backup you want to view.
9. Click View Contents.
The backup contents display in the right pane.


Section E: Resolving Substitution Variable Conflicts in Jobs


In the event a job has conflicting values for a substitution variable, you can view
the errors using the Job Report and you have the option of manually resolving the
substitution variable conflict as discussed in the following topics:
❐ "For More Information About Substitution Variables"
❐ "Viewing the Conflict in the Job Report" on page 287
❐ "Resolving the Conflicting Substitution Variable Value" on page 288

For More Information About Substitution Variables


For more information about substitution variables and conflicts, see the following
sections:
❐ "About Substitution Variables" on page 291
❐ "Resolving Substitution Variable Conflicts" on page 297

Viewing the Conflict in the Job Report


When a job fails for any reason, an icon displays next to the name of the job in
the Job Queue pane in the Jobs tab page, similarly to the following:

To view the cause of the error, click View Job Report in the Description pane. If the
job failed because of conflicting substitution variables, the job report displays
similarly to the following:


The example shows there are conflicts in substitution variables in this job that
Director could not resolve. For more information about substitution variable
conflicts, see "Rules for Resolving Conflicts" on page 297.
To manually resolve the conflict, see the next section.

Resolving the Conflicting Substitution Variable Value


If the Job Report indicates there are substitution variable conflicts that Director
could not resolve, you can resolve the conflict as discussed in this section. You
have the option of editing the value of a conflicting substitution variable, defining
a new variable for the device, or deleting a conflicting substitution variable.

To resolve substitution variable conflicts in a job:


1. Log in to the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Jobs tab.
3. On the Jobs tab page, in the Job Queue pane, click the name of a job that failed
to execute.
4. In the Description pane, click View Job Report.
5. Confirm the job failed to execute because of a substitution variable conflict.
The following message confirms the failure was due to a substitution variable
conflict:
% Conflicts found, unable to apply the substitution variables.

6. In the Job Report dialog box, click Close.


7. In the Job Library section, from the Show list, click Content Jobs, Config Jobs, or
All.

8. Click the name of the job that reported the error.


9. Click Edit.
10. In the Edit Job dialog box, click the Actions tab.
11. On the Actions tab page, click the profile or overlay action that caused the
error.
12. In the right pane, click Validate.
The following figure shows an example.


The Resolve Conflict dialog box displays the conflicting variables and their
values.
13. In the Resolve Conflict dialog box, click the substitution variable value you
want to change and click Resolve Conflict.
The following figure shows an example.

In the example, there is a substitution variable conflict for a device named
AustinDev. A variable named DNS has been defined in two locations—a
group named AustinDev and a group named Austin.


After you click Resolve Conflict, the Group Substitution Variables dialog box
displays for that group as shown in the following figure.

14. You now have the following options:


• Edit the variable value to remove the conflict: In the Group Specific
Substitution Variables pane, click the value in the Value field and change it
so it matches the value of the other variable.
In the preceding example, change the value of DNS to 10.107.4.60 to match
the value defined for the group AustinDev.
This action is appropriate only if devices in the group Sunnyvale should
use the same value for this variable as devices in the group AustinDev.
• Delete the variable: In the Group Specific Substitution Variables pane,
click the variable and click Delete.
15. In the Group Substitution Variables dialog box, click OK.
16. You are required to confirm the action.
17. Follow the prompts on your screen to execute the job.

Chapter 9: Managing Substitution Variables

This chapter discusses how to manage groups, profiles, overlays, and
substitution variables. Topics include:
❐ "About Substitution Variables"
❐ "Creating and Implementing Substitution Variables" on page 303
❐ "Editing or Deleting Substitution Variables" on page 325

Important: SGME 5.4.x can be used to manage appliances running SGOS
version 5.4.1 and later. For up-to-date information, see the Director Release Notes.

About Substitution Variables


Without substitution variables, device configuration would be difficult. To
configure devices with different values (for example, different DNS servers),
you would be required to create multiple profiles, overlays, or jobs—one for
each configuration difference. Substitution variables enable you to replace a
value on a device or group of devices without changing the profile, overlay, or
job. Substitution also enables you to replace a variable with multiple CLI
commands.
Notes:
• Substitution variables are persistent across Director reboots.
• A substitution variable name can be a maximum of 64 alphanumeric
characters.
Substitution variables are name-value pairs. The name (sometimes referred to
as a token) is in the following format: @(name). The @ (at) symbol designates the
start of the token and the token must be followed by a matching set of
parentheses. name inside the parentheses is the name of the substitution
variable.
When a profile, overlay, or job is executed on a device or a group, the token is
replaced with the appropriate variable value from the device’s or group’s
configuration.
This section discusses the following topics:
❐ "Inheriting Substitution Variables From a Custom Group"
❐ "Allowed Substitution Variable Formats" on page 296
❐ "Example of Using Substitution Variables" on page 296


Inheriting Substitution Variables From a Custom Group


A substitution variable can be defined for a device and for a custom group of
devices. You cannot define a substitution variable for a system group. For more
information about device groups, see "About Director Groups" on page 132.
This section discusses the following topics:
❐ "Substitution Variable Inheritance"
❐ "Simplifying Device Configuration With Substitution Variables" on page
295

Substitution Variable Inheritance


Substitution variables defined for a custom group are inherited by all devices in
that group and by all children of that group in the group hierarchy. Inheritance
always flows from parent groups to child groups.
The following figures show examples.
Suppose you nested custom groups as follows:

In the preceding figure, inheritance flows as follows:


❐ AustinDev and AustinQA inherit variables from Austin
❐ Any groups nested under AustinDev inherit variables from Austin and
from AustinDev
❐ SunnyvaleDev and SunnyvaleQA inherit variables from Sunnyvale
❐ AustinQA and AustinDev (and any groups nested under them) inherit no
variables from each other
❐ SunnyvaleDev and SunnyvaleQA (and any groups nested under them)
inherit no variables from each other
To continue the example, suppose you define a substitution variable named
DNS for the group Austin and you define a substitution variable named
DNSAlt for the group AustinDev.


The following figure shows how these variables are inherited by a group named
AustinDevGroup1, which is a child of AustinDev:

[Figure callouts: variables inherited from groups higher in the hierarchy; variables defined for this group and inherited by groups lower in the hierarchy.]

In the preceding figure, the variable named DNS was inherited from Austin and
the variable DNSAlt was inherited from Austin > AustinDev.


However, DNSAlt is not inherited by the group AustinQA because AustinQA is a
child of Austin but not of AustinDev:

Finally, the groups Sunnyvale, SunnyvaleDev and SunnyvaleQA inherit none of
the variables defined for the group Austin.
Because devices can belong to multiple groups and because you can create
substitution variables of the same name with different values in different groups
(and different devices), conflicts can occur. For information on how variable
conflicts are resolved, see "Resolving Substitution Variable Conflicts" on page 297.


Simplifying Device Configuration With Substitution Variables


To simplify how these devices are configured, put similar devices in a custom
group, define substitution variables for the group, and then execute profiles,
overlays, or jobs on the group to configure devices in a similar fashion.
Examples follow:
❐ Set up custom groups according to the domain to which ProxySG appliances
authenticate.
❐ Set up custom groups according to the functions devices perform (that is, edge
proxies, branch proxies, forward proxies, and so on).
If a particular device in a group has substitution variables defined for that device,
the set of substitution variables available to it is the union of the variables defined
for the group and for the device.
The following figure shows an example.


The preceding figure shows an example of a device with two substitution
variables:
❐ Substitution variable named DNS defined for the group (named Austin) to
which the device belongs
❐ Substitution variable named DNSAlt defined for the device

Allowed Substitution Variable Formats


The following table summarizes the formats for substitution variables. Additional
information, including examples, is discussed in the remainder of this section.
Format: @(variable-name)
Meaning: variable-name is substituted with the value of the variable defined
for the device.

Format: @(variable-name1)separator@(variable-name2)separator@(variable-name-n)
Meaning: Enables you to selectively substitute parts of IP addresses, port
number ranges, and so on. For example to substitute the last two bytes of an
IP address, use @(SUBNET).@(ADDRESS)

Format: @@(string)
Meaning: Passes @(string) as a substitution variable. In other words, if you
do not want @(...) to be used as a substitution variable, escape it with
another @ symbol.

Example of Using Substitution Variables


For example, suppose that because of a network update, you must change the
DNS server for one or more devices. This example assumes you are configuring
the device using an overlay; using substitution variables with profiles is similar
and is discussed in detail in "Creating Substitution Variables in a Profile" on page
319.
To use substitution variables, you must perform the following tasks in any order:
❐ Replace the affected DNS server addresses in the overlay with CLI commands
like the following:
dns clear server
add server @(DNS)

@(DNS) is the name of the substitution variable.


❐ Create the value of the variable in either the device record or in a custom
group to which the device belongs.
When the overlay is applied to the target device, the @(DNS) token is replaced with
the value of the @(DNS) substitution variable.


Notes:
❐ The token format must be as follows: @(string).
The maximum length of string is 64 characters, alphanumeric only. If there are
any spaces, reserved characters, or special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is
a special character and cannot be used in a substitution variable.
❐ The token @ must be followed by a matching set of parentheses.
❐ If you do not want the @() token to be a substitution variable, escape it with
another @ symbol.

Resolving Substitution Variable Conflicts


Because substitution variables can be defined for a device and for a group, and
because a single device can belong to multiple groups, there can be conflicts. This
section discusses substitution variable conflicts in the following sections:
❐ "About Substitution Variable Conflicts"
❐ "Rules for Resolving Conflicts" on page 297
❐ "Examples of Resolving Conflicts" on page 299
Before you execute a profile or overlay, you can see substitution variable conflicts
as discussed in "Validating the Values of Substitution Variables" on page 320.

About Substitution Variable Conflicts


If the same substitution variable name is defined in more than one place with a
different value, a conflict occurs. For example, if you define a substitution variable
named DNS in a group named Group1 with value 10.107.0.62, define a
variable named DNS in a device named Device1 with value 172.16.45.141,
and add Device1 to Group1, there is a conflict. The next section discusses how
Director resolves these conflicts.

Rules for Resolving Conflicts


A substitution variable conflict occurs only if a variable with the same name is
defined with different values in more than one place (for example, for two groups
to which a device belongs; or for a device and for a group to which the device
belongs). Generally, Director resolves a conflict at the device level; that is, a
substitution variable defined for a device takes precedence over a variable
inherited from a group.


Note:
❐ To avoid the possibility of substitution variable conflicts, assign a device to
only one group and define all substitution variables either for the device or
for the group, but not both.
❐ If a substitution variable with the same name is defined with the same
value in more than one place, there is no conflict.

Examples of resolving substitution variable conflicts can be found in "Examples of
Resolving Conflicts" on page 299.
In the event of substitution variable conflicts, Director resolves the conflict as
follows:
❐ The substitution variable defined for the device takes precedence if any of the
following is true:
• If a device is a member of only one group and the variable is defined for
the group and for the device. For an example, see "Example 1: Substitution
Variable Defined for a Group and a Device" on page 300.
• If a device is a member of a hierarchy of groups and the variable is defined
for any higher-level group and for the device.
• If a device is a member of two or more groups not in the same hierarchy
and the variable is defined for one or more groups and for the device. For
an example, see "Example 2: Substitution Variable Defined for a Different
Group Hierarchy" on page 301.
❐ The substitution variable defined for a group takes precedence if a device is a
member of a hierarchy of groups and the variable is defined for any higher-
level group but not for the device.
In this case, the substitution variable defined for the group closest to the
device takes precedence. For an example, see "Example 3: Substitution
Variable Defined for Two Groups in a Hierarchy but Not for a Device" on page
302.
❐ Director cannot resolve a substitution variable conflict if a device is a member
of two or more groups not in the same hierarchy, and the same variable is
defined with different values for the groups but not for the device.
Conflicts cause errors executing jobs, profiles, and overlays. Profiles and
overlays with conflicts fail to execute. For jobs, you have the option to resolve
the conflict manually.
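
The precedence rules above, together with the @(name) and @@(string) token formats from "Allowed Substitution Variable Formats", as an added Python sketch; it is not Director's own code. The group tree follows the guide's figure, while the group-level values, the function names, and the treatment of sibling groups as "not in the same hierarchy" are assumptions made for illustration.

```python
import re

# Constructed group tree modelled on the guide's figure: child -> parent.
PARENT = {
    "Austin": None, "AustinDev": "Austin", "AustinQA": "Austin",
    "AustinDevGroup1": "AustinDev",
    "Sunnyvale": None, "SunnyvaleDev": "Sunnyvale", "SunnyvaleQA": "Sunnyvale",
}
# Constructed group-level values (the guide does not list them).
GROUP_VARS = {
    "Austin": {"DNS": "10.107.0.62"},
    "AustinDev": {"DNS": "10.107.0.63"},
    "Sunnyvale": {"DNS": "10.9.0.62"},
}

TOKEN = re.compile(r"(@?)@\(([^)]*)\)")     # optional escaping @, then @(name)
NAME_OK = re.compile(r"[A-Za-z0-9]{1,64}")  # alphanumeric, at most 64 characters


class VariableConflict(Exception):
    """Different values inherited from groups that are not on one ancestor chain."""


class MissingValue(Exception):
    """Neither the device nor any group it inherits from defines the variable."""


def ancestors(group):
    """Return [group, parent, grandparent, ...], nearest first."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain


def resolve(name, device_vars, memberships, group_vars=GROUP_VARS):
    """Pick the value of one variable for one device using the precedence rules."""
    if name in device_vars:                  # a device-level value always wins
        return device_vars[name]
    found = {}                               # defining group -> value
    for member in memberships:
        for group in ancestors(member):      # nearest definition per membership
            if name in group_vars.get(group, {}):
                found[group] = group_vars[group][name]
                break
    if not found:
        raise MissingValue(name)
    if len(set(found.values())) == 1:        # same value everywhere: no conflict
        return next(iter(found.values()))
    # Values differ: resolvable only if all defining groups lie on one chain.
    deepest = max(found, key=lambda g: len(ancestors(g)))
    if all(g in ancestors(deepest) for g in found):
        return found[deepest]                # the group closest to the device wins
    raise VariableConflict(f"{name}: {sorted(found.items())}")


def expand(text, device, device_vars, memberships, group_vars=GROUP_VARS):
    """Replace @(name) tokens in overlay or profile text; @@(x) stays as @(x)."""
    def substitute(match):
        escaped, name = match.groups()
        if escaped:
            return f"@({name})"
        if not NAME_OK.fullmatch(name):
            raise ValueError(f"invalid substitution variable name: {name!r}")
        try:
            return resolve(name, device_vars, memberships, group_vars)
        except MissingValue:
            raise MissingValue(
                f"The device {device} does not have a value for the "
                f"required substitution variable {name}.") from None
    return TOKEN.sub(substitute, text)


if __name__ == "__main__":
    overlay = "dns clear server\nadd server @(DNS)"
    print(expand(overlay, "QA142", {}, ["AustinDevGroup1"]))
    try:
        expand(overlay, "Dev142", {}, ["AustinDevGroup1", "SunnyvaleDev"])
    except VariableConflict as exc:
        print("unresolved conflict:", exc)
```

Running a check like this over every device in a target group before execution shows which devices would hit an unresolved conflict or a missing value.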


Examples of Resolving Conflicts


This section discusses some examples of substitution variable conflicts:
❐ "Group Hierarchy Used in the Examples"
❐ "Example 1: Substitution Variable Defined for a Group and a Device" on page
300
❐ "Example 2: Substitution Variable Defined for a Different Group Hierarchy"
on page 301
❐ "Example 3: Substitution Variable Defined for Two Groups in a Hierarchy but
Not for a Device" on page 302

Group Hierarchy Used in the Examples


The following figure shows the group hierarchy used in the examples in this
section:

In the preceding figure, all groups under Austin are in the same hierarchy and all
groups under Sunnyvale are in the same hierarchy with the following exceptions:
❐ AustinDev and AustinQA inherit variables from Austin but not from each
other.
❐ Groups nested under AustinDev inherit variables from Austin but not
from AustinQA.
❐ SunnyvaleDev and SunnyvaleQA inherit variables from Sunnyvale but not
from each other.


Example 1: Substitution Variable Defined for a Group and a Device


In this example, a substitution variable named DNS is defined for the group
Austin and for a device named AustinDev that is in the group AustinDevGroup1,
which inherits variables from Austin and from AustinDev:

The top pane shows variables inherited by the device’s parent groups and the
bottom pane shows variables for the device. The substitution variable conflict is
circled.
In this example, the substitution variable defined for the device takes precedence
(that is, the variable named DNS with the value 172.16.36.60). That means that
when a profile, overlay, or job is executed, the value of the substitution variable
defined for the device is used and the other values are ignored.


Example 2: Substitution Variable Defined for a Different Group Hierarchy


In this example, a substitution variable named DNS is defined for a device
named Dev142 that is in the groups AustinDevGroup1 and SunnyvaleDev. A
variable named DNS is also defined in the group Austin.
The groups AustinDevGroup1 and SunnyvaleDev are not in the same
hierarchy.
In this example, the variables available to the device are the same as the
preceding example, "Example 1: Substitution Variable Defined for a Group and
a Device" on page 300:

In the preceding example, the same variable (DNS) is defined in three places
with three different values: in the group Austin, in the group Sunnyvale and for
the device itself.
In this example, the substitution variable defined for the device takes
precedence. That means that when a profile, overlay, or job is executed, the
value of the substitution variable defined for the device is used and the other
values are ignored.


Example 3: Substitution Variable Defined for Two Groups in a Hierarchy but Not for a Device

In this example, a substitution variable named DNS is defined for two groups:
Austin and AustinDev. The variable is not defined for the device named QA142,
which belongs to a child of AustinDev.
AustinDev is a child of Austin so they are in the same group hierarchy.

[Figure: groups in which variables are defined]

In the preceding figure, the device (named QA142) belongs to the group
AustinDevGroup1. The substitution variables are defined in the groups Austin
and AustinDev. The variables are circled in blue.
Because the group AustinDev is closer in the hierarchy than the group Austin, the
value of the variable used in the group AustinDev takes precedence. That means
that when a profile, overlay, or job is executed, the value of the substitution
variable defined for the group Sunnyvale is used and the other value is ignored.
For information about viewing and resolving substitution variable conflicts when
you execute profiles, overlays, and jobs, see one of the following sections:
❐ "Resolving Substitution Variable Conflicts" on page 297
❐ "Validating the Values of Substitution Variables" on page 320
❐ Section E: "Resolving Substitution Variable Conflicts in Jobs" on page 287


Creating and Implementing Substitution Variables


This section describes how to create profiles or overlays that use substitution
variables, how to create substitution variables on devices, and how to implement
a configuration change using the variables.
This section discusses the following topics:
❐ "About Using Substitution Variables in Profiles and Overlays"
❐ "Creating and Importing Substitution Variable Files" on page 304
❐ "Defining the Value of a Substitution Variable" on page 310
❐ "Creating Substitution Variables in an Overlay" on page 314
❐ "Creating Substitution Variables in a Profile" on page 319
❐ "Validating the Values of Substitution Variables" on page 320

About Using Substitution Variables in Profiles and Overlays


This section discusses general information about using substitution variables in
profiles and overlays. Because devices can either inherit values of substitution
variables from groups or variable values can be directly defined in the device
record, you must understand how values are assigned to substitution variables.
A substitution variable value defined for a device always takes precedence over
the value of a variable defined in a group (either the group to which the device
belongs or a group from which the device inherits variables from other groups).
For additional information, see "Inheriting Substitution Variables From a Custom
Group" on page 292 and "Resolving Substitution Variable Conflicts" on page 297.
To use substitution variables in profiles and overlays, you must complete the
following tasks in the order shown:
1. Optional. Create a substitution variable file and import it into Director as
discussed in "Creating and Importing Substitution Variable Files".
2. Edit the definition of the device or group to give the substitution variable a
value as discussed in "Defining the Value of a Substitution Variable" on page
310.
3. Add the substitution variable token to a profile or overlay as discussed in one
of the following sections:
• "Creating a Profile" on page 149
• "Creating an Overlay" on page 163
4. Validate substitution variables for conflicts as discussed in "Validating the
Values of Substitution Variables" on page 320.


5. Execute the profile or overlay.

Note: Usually, a profile or overlay displays results for all devices in a group
when the profile or overlay is executed on a group of devices under a banner
similar to:
+-------------------------------------------
| Output for device "name"
+-------------------------------------------
However, if the group has no substitution variables defined for it but some of
the devices in the group have substitution variables defined for them, profile
or overlay execution displays errors for the devices without substitution
variables and it displays the result of the command execution for devices with
substitution variables.
The error displays as follows:
Error: The device <name> does not have a value for the required
substitution variable variable-name.

Creating and Importing Substitution Variable Files


This section describes how to optionally create substitution variable files and
import them into Director. Substitution variable files enable you to substitute
multiple variables on multiple groups or devices at the same time, as opposed to
defining the variables and then manually changing them.
If you do not need to create substitution variable files, skip this section and
continue with "Defining the Value of a Substitution Variable" on page 310.
For general information about how substitution variables are inherited from
groups to devices, see "Inheriting Substitution Variables From a Custom Group"
on page 292. For information about how conflicts are resolved, see "Resolving
Substitution Variable Conflicts" on page 297.
Because substitution variables can be defined for devices and for groups, there are
two types of substitution variable files. These files are discussed in more detail in
the following sections:
❐ "Device Substitution Variable File Format" on page 306
❐ "Group Substitution Variable File Format" on page 306
This section discusses the following topics:
❐ "About Substitution Variable Files"
❐ "Substitution Variable File Formats" on page 305
❐ "Importing a Substitution Variable File" on page 308


About Substitution Variable Files


A substitution variable file contains the names, values, and targets of multiple
substitution variables you import into Director all at one time. This automates
and simplifies the process of implementing substitution variables for large
numbers of groups and devices.

Topics Related to Substitution Variable Files


❐ For information about substitution variable file formats, see "Substitution
Variable File Formats" on page 305.
❐ To view a sample substitution variable file, see "Viewing Example
Substitution Variable Files" on page 307.
❐ To import the substitution variable file, see "Importing a Substitution Variable
File" on page 308.
❐ For general information about substitution variables, see "About Substitution
Variables" on page 291.
❐ For general information about how devices inherit substitution variables from
groups, see "Inheriting Substitution Variables From a Custom Group" on page
292.
❐ For general implementation information, see "Example of Using Substitution
Variables" on page 296.
❐ For information on how substitution variable conflicts are resolved, see
"Resolving Substitution Variable Conflicts" on page 297.

Substitution Variable File Formats


A substitution variable file is a comma-separated list of variables and values that
starts with either a group ID or a device ID. The ID is required.
Because substitution variables can be defined for groups and for devices, see one
of the following sections for more details:
❐ "Device Substitution Variable File Format"
❐ "Group Substitution Variable File Format" on page 306
❐ "Viewing Example Substitution Variable Files" on page 307


Device Substitution Variable File Format


This section discusses how to create a substitution variable file for a device.

To create a device substitution variable file:


1. Create a file in comma separated value (.csv) format using the following
guidelines:
A substitution variable file has two lines: the first line defines the variable
names and the second line defines variable values. The substitution
variable file for a device must start with the device ID.
An example follows:
Device ID,VarName1,VarName2,VarName3
AustinQA,192.168.0.2,example.com,192.168.0.3

In the example, the first line defines the names of the substitution variables.
The second line defines the values of those variables.

Note: The Device ID field and its value are required. You cannot import the
substitution variable file unless the field is present and its value is valid. The
value of Device ID is the device’s unique identifier, and not the “friendly”
device name.
To view a device ID, on the Configure tab page of the Director Management
Console, right-click a device in the Devices pane. From the pop-up menu, click
Edit. The value of the Device ID field on the Edit Device dialog box is the ID you
must use.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is a
special character and cannot be used in a substitution variable.

2. When you are finished, save the file.


3. Import the file into Director as discussed in "Importing a Substitution
Variable File" on page 308.

Group Substitution Variable File Format


This section discusses how to create a substitution variable file for a group.

To create a group substitution variable file:


1. Create a file in comma separated value (.csv) format using the following
guidelines:
A substitution variable file has two lines: the first line defines the variable
names and the second line defines variable values. The substitution
variable file for a group must start with the group ID.


An example follows:
Group ID,VarName1,VarName2,VarName3
AustinDevGroup,192.168.0.2,example.com,192.168.0.3

In the example, the first line defines the names of the substitution variables.
The second line defines the values of those variables.

Note: The Group ID field and its value are required. You cannot import the
substitution variable file unless the field is present and its value is valid. The
value of Group ID is the group’s unique identifier, and not the “friendly” group
name.
To view a group ID, on the Configure tab page of the Director Management
Console, right-click a custom group in the Groups pane. From the pop-up
menu, click Edit. The value of the Group ID field on the Edit Group dialog box is
the ID you must use.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for
command help) or % (percent—reserved for errors). In addition, * (asterisk) is a
special character and cannot be used in a substitution variable.

2. When you are finished, save the file.


3. Import the file into Director as discussed in "Importing a Substitution Variable
File" on page 308.

Viewing Example Substitution Variable Files


You can optionally view an example in the Director Management Console as
follows:
1. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
2. Click the Configure tab.
3. Click File > Import Substitutions > Device or Group.
The Import Substitution Variables dialog box displays.
4. Click Next.
The Import page displays.
5. On the Import page, click the Click Here link to display an example.


Importing a Substitution Variable File


To import a substitution variable file:
1. Create a substitution variable file as discussed in "Substitution Variable File
Formats" on page 305.
2. Start the Management Console as discussed in "Connecting to Director with
the Management Console" on page 52.
3. Click the Configure tab.
4. Click one of the following:
• File > Import Substitutions > Device
• File > Import Substitutions > Group
The Import Substitution Variables dialog box displays.

5. Click Next.


The Import page displays.

6. In the provided field, enter the absolute file system path to your substitution
variable file, or click Browse to locate it.
7. Click Next.
The Summary page displays information about the import.
A sample success message follows:
Successfully parsed substitution variables for 1 device(s).

A sample error follows:


Unable to retrieve substitution variables for the specified file.
Please make sure the file exists, and matches the format described on
the previous screen

This error can be caused by any of the following:


• You are attempting to import a device substitution variable file for a group
or vice versa (go back to Step 4 on page 308).
• There are fewer substitution variable names than substitution variable
values in your substitution variable file (click Cancel and validate the file
again as discussed in "Substitution Variable File Formats" on page 305).
• The file you are attempting to import is in the wrong format (for example,
you attempted to import a binary file). Click Prev and import the correct
file.
8. After verifying the substitution variable file as discussed in the preceding
step, click Finish.
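
A pre-import check for the two-line files described in "Substitution Variable File Formats", covering the error causes listed above. This is an added Python example, not part of Director; the function name, the UTF-8 decoding step, and the wording of the problem messages are assumptions.

```python
import csv
import io
import re

NAME_OK = re.compile(r"[A-Za-z0-9]{1,64}")   # alphanumeric, at most 64 characters
ID_HEADER = {"device": "Device ID", "group": "Group ID"}


def check_variable_file(data, kind):
    """Return a list of problems found in the raw file bytes.

    kind is "device" or "group", matching the File > Import Substitutions
    menu entry you intend to use. An empty list means no problem was found.
    """
    try:
        text = data.decode("utf-8")          # assumption: the file is UTF-8 text
    except UnicodeDecodeError:
        return ["file is not text (wrong format)"]
    if "\x00" in text:
        return ["file is not text (wrong format)"]

    rows = [row for row in csv.reader(io.StringIO(text, newline="")) if row]
    if len(rows) != 2:
        return [f"expected 2 lines (names, then values), found {len(rows)}"]
    names, values = rows

    problems = []
    expected = ID_HEADER[kind]
    # A device file offered to the group import (or vice versa) fails here.
    if names[0].strip() != expected:
        problems.append(f"first field is {names[0]!r}, expected {expected!r}")
    if not values[0].strip():
        problems.append(f"{expected} value is empty")
    # Names and values must pair up one to one.
    if len(names) != len(values):
        problems.append(
            f"{len(names) - 1} variable names but {len(values) - 1} values")
    # Spaces, ?, %, * and other non-alphanumeric characters are rejected.
    for name in names[1:]:
        if not NAME_OK.fullmatch(name):
            problems.append(f"invalid variable name {name!r}")
    return problems


# Constructed samples; the first reuses the guide's device example.
GOOD_DEVICE = (b"Device ID,VarName1,VarName2,VarName3\n"
               b"AustinQA,192.168.0.2,example.com,192.168.0.3\n")
SHORT_HEADER = b"Device ID,DNS\nAustinQA,192.168.0.2,192.168.0.3\n"
BAD_NAME = b"Group ID,DNS Alt,DNS*\nAustinDevGroup,192.168.0.2,192.168.0.3\n"

if __name__ == "__main__":
    samples = [
        ("good device file", GOOD_DEVICE, "device"),
        ("device file imported as group", GOOD_DEVICE, "group"),
        ("fewer names than values", SHORT_HEADER, "device"),
        ("bad variable names", BAD_NAME, "group"),
    ]
    for label, blob, kind in samples:
        print(label, "->", check_variable_file(blob, kind) or "ok")
```

The check cannot confirm that the ID in the second line exists in Director; that still has to match the Device ID or Group ID field shown in the Edit dialog box.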


Defining the Value of a Substitution Variable


This section discusses how to give the substitution variable a value, either in a
group or in the device record. A substitution variable defined for a device always
takes precedence over a substitution variable defined for a group. In other words,
if you define the value of a substitution variable for a device, that value is always
used when executing the overlay.
Note: If you created and imported substitution variable files, skip this section
and continue with "Creating Substitution Variables in an Overlay" on page 314
or "Creating Substitution Variables in a Profile" on page 319.

For additional information about substitution variables defined for groups, see
"Inheriting Substitution Variables From a Custom Group" on page 292.
This section discusses how to give a substitution variable a value in any of the
following ways:
❐ "Defining a Substitution Variable Value for a Group"
❐ "Defining a Substitution Variable Value for a Device" on page 312

Defining a Substitution Variable Value for a Group


This section discusses how to define the value of a substitution variable for a
group. A substitution variable defined for any group to which a device belongs,
directly or indirectly, is inherited by the device. In other words, if a device belongs
to a group Austin > AustinDev > AustinDevGroup1, and a substitution variable is
defined for Austin, the device inherits that substitution variable.
The value of a substitution variable is defined either by the device record or by the
group closest in the hierarchy to which the device belongs. For more information,
see "Resolving Substitution Variable Conflicts" on page 297.
Before you execute an overlay that contains substitution variables, you should
validate the variables for conflicts as discussed in "Validating the Values of
Substitution Variables" on page 320.

To define a substitution variable for a group:


1. Complete the tasks discussed in "Adding a Property to the Overlay" on page
314.
2. In the Configure tab page, in the Groups pane, right-click the name of a group.
3. From the pop-up menu, click Edit.
4. At the bottom of the Edit Group dialog box, click Substitution Variables.


An example follows.

5. In the Group Substitution Variable dialog box, click New.


The Group Substitution Variables dialog box displays.
6. In the Group Specific Substitution Variables pane, enter the following
information:
Field: Substitution Variable Name
Description: Enter a name for the substitution variable. For example, DNS.
A substitution variable name can be a maximum of 64 characters in length,
alphanumeric characters only. If there are any spaces, reserved characters, or
special characters, errors occur.
Reserved characters for SGOS include ? (question mark—reserved for command
help) or % (percent—reserved for errors). In addition, * (asterisk) is a
special character and cannot be used in a substitution variable.

Field: Value
Description: Enter the variable’s value.

7. Click OK.
8. At the confirmation dialog box, click Yes.
9. At the Edit Group dialog box, click OK.


10. Repeat these tasks for other substitution variables to define for this group.
11. Validate the overlay as discussed in "Validating the Values of Substitution
Variables" on page 320.

Defining a Substitution Variable Value for a Device


This section discusses how to define the value of a substitution variable for a
device. The value of a substitution variable defined for a device always takes
precedence over the value of the same variable defined for a group from which
the device inherits substitution variables. In other words, if you define the value
of a substitution variable for a device, that value is always used when executing
the overlay.
Before you execute an overlay that contains substitution variables, you should
validate the variables for conflicts as discussed in "Validating the Values of
Substitution Variables" on page 320.

To edit the definition of a device to specify a substitution variable value:


1. Complete the tasks discussed in "Adding a Property to the Overlay" on page
314.
2. On the Configure tab page, in the Devices pane, right-click the name of a
device.
3. From the pop-up menu, click Edit.

The Edit Device dialog box displays, similarly to the following:

4. Click Advanced Settings, located at the bottom of the dialog box.


The Advanced Settings dialog box displays, similarly to the following:

5. Click the Substitution Variables tab.


6. On the Substitution Variables tab page, click New.
7. In the Substitution Variable Name field, enter the name of the variable.
The name you enter must be the same name you created in the overlay.
8. In the Value field, enter the new configuration value.
9. Click OK.


10. You are required to confirm the action.


11. Repeat these tasks for other substitution variables to define for this device.
12. Validate the overlay as discussed in "Validating the Values of Substitution
Variables" on page 320.

Creating Substitution Variables in an Overlay


This section discusses how to use substitution variables in an overlay. Following
is a summary of the process:
The procedure in this section assumes you have already created the overlay as
discussed in "Creating an Overlay" on page 163.

Adding a Property to the Overlay


This section discusses how to add a property to the overlay; this property
becomes the name of the substitution variable. In this section, the primary DNS
server is used as an example of the substitution variable value.

To add a property to the overlay:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section, from the Show list, click Overlays.
4. Expand the name of the folder containing the overlay.
5. Right-click the name of the overlay.
6. From the pop-up menu, click Edit.
The Edit existing Overlay dialog box displays. The Add to Overlays section
displays as follows:


7. In the Add to Overlay section, click one of the following:
• Using Device Management Console if you do not know the exact CLI syntax;
use the device’s Management Console to configure it as discussed in
"Adding a Property using the Management Console Viewer".
• Using CLI if you know the exact CLI syntax for the feature; see "Adding a
Property using the Command Line" on page 318.

Adding a Property using the Management Console Viewer


This section discusses how to add a property to the overlay using the device’s
Management Console viewer. Use this method if you do not know the command
to add the property to the overlay.

To add a property using the Management Console Viewer:


1. Complete the tasks discussed in "Adding a Property to the Overlay" on page
314.
2. In the Add to Overlay section, click Using Device Management Console and then
click (browse).
The Select Reference Device dialog box displays a list of available devices.
3. In the Select Reference Device dialog box, click the reference device to be the
source for the overlay settings and click OK.
4. Click Launch.
The Management Console viewer displays.
5. Select the property you wish to make into a substitution variable.


For the purposes of this example, click Network > DNS.

6. Click the current DNS value and click Edit.


The Edit dialog box displays the current settings for that property; in this
example, the alternate DNS server.
7. Change the desired values.
8. In the Edit dialog box, click OK to save your changes.
9. Click Save to Overlay Editor at the bottom of the Manage Device dialog box.
10. In the Overlay settings section of the Edit existing Overlay dialog box, click
the configuration change you made (in this example, DNS) and click Edit.


The Edit CLI dialog box displays.

11. Replace the value with the new variable.


In this example, the following changes were made:
• Before add server, insert clear server to clear any existing DNS alternate
server.
• Replace the alternate server’s IP address with the substitution variable,
@(DNS).

Note: Any character other than a space before the initial @ symbol or the
ending parenthesis causes the substitution value to not be inserted. Also
review the information discussed in "Allowed Substitution Variable Formats"
on page 296.

12. In the Edit CLI dialog box, click OK to save your changes to the substitution
variable.
13. In the Edit existing Overlay dialog box, click OK to save your changes to the
overlay.


Adding a Property using the Command Line


This section discusses how to add a property to the overlay using the command
line. Use this method if you know the command to add the property to the
overlay.
1. Complete the tasks discussed in "Adding a Property to the Overlay" on page
314.
2. In the Add to Overlay section, click Using CLI.
The Add Commands to add to the Overlay dialog box displays.
3. In the Add Commands dialog box, enter the CLI syntax.
The following figure shows how to set the DNS server using the commands
dns clear server and add server @(DNS).

4. In the Add Commands dialog box, click OK.


5. In the Edit existing Overlay dialog box, click OK.
6. Continue with the next section.


Creating Substitution Variables in a Profile


This section discusses how to edit a profile to add the value of a substitution
variable.

To edit a profile:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. In the Configuration Library section, from the Show list, click Profiles.
4. Expand the name of the folder containing the profile.
5. Right-click the name of the profile.
6. From the pop-up menu, click Edit.
The Edit existing Profile dialog box displays, similarly to the following:

7. In the right pane, locate the command or set of commands you want to change
to a substitution variable.


In this example, the set of commands is:


edit alternate
clear server
exit

8. Edit the commands using a substitution variable.


For example,
edit alternate
clear server
add server @(DNSAlt)

9. In the Edit existing Profile dialog box, click OK.


10. Continue with the next section.

Validating the Values of Substitution Variables


Before you execute a profile or overlay that contains substitution variables, you
should validate the variables for conflicts as discussed in this section. Substitution
variable conflicts can occur because a device might inherit two variables with the
same name from different groups, or the device might have a substitution
variable defined for the device and inherit one or more from groups.
Following is a quick overview of how Director resolves substitution variable
conflicts:
❐ A substitution variable defined for a device always takes precedence over
variables inherited by the device from groups to which it belongs.
❐ If no substitution variable is defined for a device, the variable defined in the
closest group in the hierarchy takes precedence.
❐ If a device inherits conflicting substitution variables from two or more groups
not in the same hierarchy, and no substitution variable is defined for the
device, Director cannot resolve the conflict.
For more information, see "Examples of Resolving Conflicts" on page 299.

Note: If no value is defined for a substitution variable, the substitution
variable validates successfully but the profile or overlay that contains it will
fail to execute. Before you execute a profile or overlay that contains a
substitution variable, make sure the variable has a value as discussed in
"Editing or Deleting Substitution Variables" on page 325.
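The precedence rules and the empty-value caveat above can be checked before execution with a small model. The following Python is an added example, not Director code: the group names, device names and addresses are constructed, "closest group" is modelled as the most specific group in a parent chain, and the allowed @(...) formats from page 296 are not modelled.

```python
import re

# Constructed inventory; every name and address below is hypothetical.
GROUP_PARENT = {"EMEA": None, "London": "EMEA", "Branch-Offices": None, "Lab": None}
GROUP_VARS = {
    "EMEA": {"DNS": "10.1.0.53", "DNSAlt": "10.1.0.54"},
    "London": {"DNS": "10.1.20.53"},
    "Branch-Offices": {"DNS": "10.9.0.53"},
    "Lab": {"DNSAlt": ""},  # the name exists but no value was entered
}
DEVICE_GROUPS = {
    "sg-lon-01": ["London"],
    "sg-lon-02": ["London", "Branch-Offices"],
    "sg-lon-03": ["London", "Branch-Offices"],
    "sg-lab-01": ["Lab"],
}
DEVICE_VARS = {"sg-lon-03": {"DNS": "10.1.20.99"}}

# Profile commands taken from the example in this chapter.
PROFILE = ["edit alternate", "clear server", "add server @(DNSAlt)"]
VAR = re.compile(r"@\((\w+)\)")


def ancestors(group):
    """Return the group itself followed by its parents up to the top level."""
    chain = []
    while group is not None:
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain


def resolve(device, name):
    """Return (status, value, sources) for one variable on one device."""
    # Rule 1: a value defined on the device always wins.
    if name in DEVICE_VARS.get(device, {}):
        return ("device", DEVICE_VARS[device][name], [device])
    # Collect every group in the device's hierarchies that defines the name.
    defining = set()
    for group in DEVICE_GROUPS.get(device, []):
        for g in ancestors(group):
            if name in GROUP_VARS.get(g, {}):
                defining.add(g)
    if not defining:
        return ("undefined", None, [])
    # Rule 2: within one hierarchy the closest group shadows its ancestors.
    closest = {g for g in defining
               if not any(g in ancestors(other)[1:] for other in defining)}
    values = {GROUP_VARS[g][name] for g in closest}
    # Rule 3: different values from unrelated hierarchies cannot be resolved.
    # Assumption: identical values from unrelated groups are not a conflict.
    if len(values) > 1:
        return ("conflict", None, sorted(closest))
    return ("group", values.pop(), sorted(closest))


def preflight(device, commands):
    """List problems that would block execution; an empty list means ready.

    Stricter than the validation described above: it also reports variables
    with no value, which validate successfully but fail at execution.
    """
    problems = []
    names = sorted({n for line in commands for n in VAR.findall(line)})
    for name in names:
        status, value, sources = resolve(device, name)
        if status == "conflict":
            problems.append(f"{name}: conflicting values from {', '.join(sources)}")
        elif status == "undefined" or not value:
            problems.append(f"{name}: no value defined")
    return problems


def render(device, commands):
    """Substitute resolved values into the commands, or raise if not ready."""
    problems = preflight(device, commands)
    if problems:
        raise ValueError("; ".join(problems))
    return [VAR.sub(lambda m: resolve(device, m.group(1))[1], line)
            for line in commands]


if __name__ == "__main__":
    for dev in DEVICE_GROUPS:
        issues = preflight(dev, PROFILE + ["add server @(DNS)"])
        print(dev, "ready" if not issues else issues)
```
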

This section discusses the following topics:


❐ "Prerequisites for Validating Substitution Variables"
❐ "Validating Substitution Variables" on page 321


Prerequisites for Validating Substitution Variables


Before validating substitution variables, make sure you have completed the
following tasks in the order shown:
| Task | For more information |
| --- | --- |
| 1. Understand concepts related to substitution variables. | "About Substitution Variables" on page 291 |
| 2. Understand how devices inherit substitution variables and values from groups. | "Inheriting Substitution Variables From a Custom Group" on page 292 |
| 3. Understand how substitution variable conflicts are resolved. | "Resolving Substitution Variable Conflicts" on page 297 |
| 4. Create substitution variables and values for devices and groups. | "Creating and Implementing Substitution Variables" on page 303 |
| 5. Include substitution variables in profiles. | "Creating Substitution Variables in a Profile" on page 319 |
| 6. Include substitution variables in overlays. | "Creating Substitution Variables in an Overlay" on page 314 |

Validating Substitution Variables


This section discusses how to validate substitution variables defined for groups
and devices for conflicts.

To validate substitution variables for conflicts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, in the Configuration Library section, from the
Show list, click Profiles, Overlays, or All.

4. Click any of the following:


• To execute the profile or overlay on a device, click the name of the
device in the Devices pane and click the name of the profile or overlay
in the Configuration Library pane.
• To execute the profile or overlay on a group, click the name of the group
in the Groups pane and click the name of the profile or overlay in the
Configuration Library pane.
5. Right-click the name of the profile or overlay.
6. From the pop-up menu, click Substitution Variables.


The following figure shows an example.

7. A dialog box displays conflicts, if any, in red text.


The following figures show examples.


• Example of a conflict that Director cannot resolve:

In the preceding example, a variable named DNS has been defined with
different values in two groups. The variables display in red text to indicate
that Director cannot resolve the conflicting values. The reason Director
cannot resolve the conflict is that the device inherited the variables from
groups that are not in the same hierarchy.
Before you can execute the profile or overlay, you must remove the
substitution variable or edit its value in one of the locations displayed in
the dialog box to remove the conflict, then execute the profile or overlay.


• Example of no conflict:

The value of the variable displayed in the preceding dialog box will be used
when executing the profile or overlay.

Note: If no value is defined for a substitution variable, the substitution
variable validates successfully but the profile or overlay that contains it will
fail when you execute it. Before you execute a profile or overlay that contains a
substitution variable, make sure the variable has a value as discussed in
"Editing or Deleting Substitution Variables" on page 325.

8. After resolving any conflicts, click Execute.


For additional information about executing profiles and overlays, see one of
the following sections:
• "Executing a Profile" on page 154
• "Executing an Overlay Immediately" on page 168


Editing or Deleting Substitution Variables


This section discusses how to edit or delete substitution variables defined for
devices and groups.

To edit or delete substitution variables:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Configure tab.
3. On the Configure tab page, locate the device or group with variables you want
to edit or delete.
You might need to expand groups or click the All system group to locate a
particular group or device. You can also click Actions > Find and search for a
device or group as discussed in Section B: "Search" on page 185.
4. Right-click the name of the device or group.
5. From the pop-up menu, click Edit.
6. Do one of the following:
• Device: From the pop-up menu, click Advanced Settings. In the Advanced
Settings dialog box, click the Substitution Variables tab.
• Group: From the pop-up menu, click Substitution Variables.


The Group Substitution Variables dialog box for the device or group displays.
The following figure shows an example Advanced Settings dialog box for a
group.

7. Do any of the following:


| Task | Description |
| --- | --- |
| Add a new substitution variable | 1. Click New. 2. In the Substitution Variable Name field, enter a name to identify the substitution variable. 3. In the Substitution Variable Value field, enter a value for this variable. For more information, see "About Substitution Variables" on page 291. |
| Edit an existing substitution variable | 1. In the bottom pane of the dialog box, click either the Substitution Variable Name or the Substitution Variable Value field. 2. Enter a new value. |
| Delete an existing substitution variable | 1. In the bottom pane of the dialog box, click the variable you want to delete. 2. Click Delete. |

8. Click OK.
9. You are required to confirm the action.
10. In the Edit dialog box, click OK.

Command Related to Creating a Substitution Variable Value


First, enter device submode using the following command:
director (config) # device device_id
This command changes the prompt to:
director (config device device_id) #
Then enter the following command:
director (config device device_id) # substitution-variable name input

Chapter 10: Monitoring Devices

This chapter describes the options on the Monitor tab page and how to use
them to view device status.
This chapter discusses the following topics:
❐ "About the Monitor Tab Page" on page 329
❐ "Viewing Group and Device Status" on page 330
❐ "Managing Alerts" on page 332
❐ "Viewing Statistics" on page 348
❐ "Generating Performance Analysis Reports" on page 350
❐ "Generating Health Reports" on page 354

About the Monitor Tab Page


After you have added devices, you can view device status using the Monitor
tab page.

The Monitor tab page enables you to quickly determine the status of groups or
of individual devices. The Monitor tab page provides a quick, global view of
the health of your devices by listing the total number of alerts for all devices
and providing a summary of device health for those systems. It also enables
you to access alert and statistics information.


Viewing Group and Device Status


The Groups pane lists all of the groups, including system groups. When a group is
selected, the group’s overall status is displayed. When a device is selected, its
individual status and alerts summary are displayed in the Description pane. More
detailed information is discussed in the following sections:
❐ "Viewing Group Status"
❐ "Viewing Device Status" on page 331

Viewing Group Status


This section discusses how to view the status of all devices in a group.

To view group status:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, click the name of a group.
The group’s status displays in the Description pane, as shown in the following
figure:


Viewing Device Status


This section discusses how to view the status of a selected device.

To view device status:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, click the name of the device for which you want to
view status.
The device status displays in the Description pane, as shown in the following
figure.

The device information contains additional status information not displayed in
the group status, such as health statistics. See Chapter 12: "Monitoring the
Health of Devices" for more information about device health statistics.


Viewing a Device’s SGOS Edition


This section discusses how to view whether a device runs SGOS MACH5 or Proxy
Edition. You can view information about a device’s SGOS version only by looking
at what system group it belongs to, as discussed in "About System Groups" on
page 133.

To view device SGOS edition:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, click the name of a device.
4. Scroll toward the bottom of the Description pane to display the device edition.

Managing Alerts
This section discusses the following topics:
❐ "About Alerts"
❐ "Managing Alerts" on page 338


About Alerts
Alerts inform you of specific device events, such as fan failures or CPU utilization
warnings. Director records a maximum of 50,000 alerts. If the 50,000 alert limit is
reached, the oldest acknowledged alerts are deleted first.
This section discusses the following topics:
❐ "Alerts Terminology"
❐ "Alert Metric Details" on page 335

Alerts Terminology
The following table discusses the meanings of commonly used terms in this
chapter.
Table 10–1 Alerts terminology

| Term | Meaning |
| --- | --- |
| Active alert | An event that is currently occurring on the device and that requires immediate attention. |
| Inactive alert | Event that has since returned to normal and no longer requires attention. |
| Acknowledged alert | Alert you have acknowledged with Director. Acknowledging an alert does not correct the error condition; acknowledging an alert makes the alert a candidate for deletion when the maximum number of alerts is reached. |
| Unacknowledged alert | Alert you have not acknowledged with Director. |
| Alert state | Alert state can be: All, Active, Inactive. See the discussion of these terms earlier in this table. The Director Management Console enables you to filter alerts by alert state. |
| Alert status | Alert status can be: All, Acknowledge, Unacknowledge. See the discussion of these terms earlier in this table. The Director Management Console enables you to filter alerts by alert status. |
| Alert severity | Alert severity can be: All, Warning, Critical, Disconnected. The Director Management Console enables you to filter alerts by alert severity. |
| Alert metric | Alert metric can be: All, ADN Connection Status, ADN Manager Status, CPU Utilization, Device Connection, Disk Status, Health Check Status, Interface Utilization, License Expiration, License Utilization, Memory Pressure, Memory Utilization, Sensor. The Director Management Console enables you to filter alerts by alert metric. The meanings of these metrics are discussed in "Alert Metric Details" on page 335. |


Alert Metric Details


Following is a summary of the meanings of the alert metrics. These metrics are
referred to as health monitoring metrics in the documentation provided with
SGOS. For additional details not covered in this section, see Managing the Blue
Coat ProxySG Appliance in the ProxySG Appliance Configuration and Management
Guide documentation set.
Table 10–2 discusses metrics with user configurable thresholds.
Table 10–2 Health monitoring metrics

| Metric | Default Critical Threshold / Interval | Default Warning Threshold / Interval | Notes |
| --- | --- | --- | --- |
| CPU Utilization | 95% / 120 seconds | 80% / 120 seconds | Measures the value of the primary CPU on multi-processor systems — not the average of all CPU activity. |
| Memory Utilization | 95% / 120 seconds | 90% / 120 seconds | Measures memory use and tracks when memory resources become limited, causing new connections to be delayed. |
| Interface Utilization | 90% / 120 seconds | 60% / 120 seconds | Measures the traffic (in and out) on the interface to determine if it is approaching the maximum capacity (bandwidth maximum). |
| License Utilization | 90% / 120 seconds | 80% / 120 seconds | Monitors the number of users using the ProxySG. |
| License Expiration | 0 days / 0 | 15 days / 0 | Warns of impending license expiration. |
30 days / 0


Table 10–3 discusses metrics with thresholds that are not user configurable.
Table 10–3 Status health monitoring metrics

| Metric | Threshold States and Corresponding Values |
| --- | --- |
| Disk Status | Critical: Bad. Warning: Removed, Offline. OK: Not Present, Present. |
| ADN Connection Status | OK: Connected, Connecting, Connection Approved, Disabled, Not Operational. Warning: Approval Pending, Mismatching Approval Status, Partially Connected. Critical: Disconnected, Connection Denied. See Advanced Networking for more information about the ADN metrics. |
| ADN Manager Status | OK: Not a Manager, No Approvals Pending. Warning: Approvals Pending. |
| Health Check Status | OK: No health checks with Severity: Warning or Critical are failing. A health check with Severity: No-effect might be failing. Warning: One or more health checks with Severity: Warning has failed. Critical: One or more health checks with Severity: Critical has failed. |
| Temperature — Motherboard and CPU | Threshold states and values vary by ProxySG models |
| Fan Speed | Threshold states and values vary by ProxySG models |
| Voltage — Bus Voltage, CPU Voltage, Power Supply Voltage | Threshold states and values vary by ProxySG models |

Getting Started With Alerts


This section discusses general information you can use to get started monitoring
device alerts using the Director Management Console’s Monitor tab page.

Viewing a Summary of All Device Alerts


The top section of the Monitor tab page displays a summary view of device alerts
similar to the following.

The Current Device Status row displays how many devices are in each alert
severity state currently.
The Accumulated Alerts row displays the total number of alerts stored on
Director since the last time the alerts were cleared.

Viewing Alerts for Custom Groups of Devices


To display all alerts for a particular custom group, click the name of the group in
the Groups pane on the Monitor tab page and click Alerts.
Examples are shown in "Examples of Managing Alerts" on page 341.

Viewing Alerts for Individual Devices


To display all alerts for a particular device, click the name of the device in the
Devices pane on the Monitor tab page and click Alerts. (You might need to click
the name of a group in the Groups pane first; if in doubt, click the All system
group.)
Examples are shown in "Examples of Managing Alerts" on page 341.


Managing Alerts
The Alerts dialog box enables you to view all of the alerts for the selected device
or group and allows you to filter, comment on, acknowledge, or unacknowledge
those alerts.

To manage alerts:
1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts in any of
the following ways:
• Select one or more devices: In the Groups pane, click the name of the
group to which the devices belong (if in doubt, click All).
In the Devices pane, click the names of the devices (to select more than one
device, hold down the Control key while clicking).
Continue with step 4.
• Select a group of devices: In the Groups pane, under Custom groups, click
the name of a group.
Continue with step 4.
4. In the Description pane, under Reports, click Alerts.


The Alerts dialog box displays.

[Figure: Alerts dialog box. Callouts: Filtering options; Alerts details; Details about selected alert; Actions]


You have the following options:

Option: Filter alerts
Description: Filtering means to limit the alerts that display to only
those you choose. Make a selection from each list; the
selections are combined to filter the results. Examples
are shown in "Examples of Managing Alerts" on page
341.
To limit the alerts that display in the dialog box (that
is, to filter alerts), select the following options:
1. From the Metric list, click All to display alerts with
all metrics or click the name of a metric to limit the
alerts displayed to show that metric only.
For more information about alert metrics, see Table
10–2 on page 335.
2. From the Severity list, click All to display alerts
with all severities or click one of the following:
• Warning to display only alerts with a severity
of Warning.
• Critical to display only alerts with a severity of
Critical.
• Disconnected to display only alerts with a
severity of Disconnected.
3. From the State list, click All to display alerts with
all states or click one of the following:
• Active to display only alerts that are currently
in a critical or warning severity.
• Inactive to display only alerts that have since
returned to a normal severity.
4. From the Status list, click All to display alerts with
all states or click one of the following:
• Acknowledge to display only alerts that have
been previously acknowledged. You can do
this, for example, to delete acknowledged
alerts.
• Unacknowledge to display only alerts that
have not been acknowledged.
5. From the Days list, click All to display alerts from
all dates, or click a time interval to display alerts
that occurred in that time interval.
6. Click Show.
Clicking Reset returns the filters to their default
values.
7. See "Examples of Managing Alerts" on page 341.

Option: Sort alerts
Description: Click the name of a column to sort alerts by the value
of that column, in either ascending or descending
order. Clicking a column name once displays results in
ascending order; clicking the same column name
again displays results in descending order.

Option: View details about one alert
Description: Click an alert in the lower section of the dialog box.
Alert details display in the Details section.

Option: Select all alerts
Description: Click Select All.

Option: Unselect all alerts
Description: Click Unselect All.

Option: Add comments to selected alerts
Description: Comments display only in the Alerts dialog box;
comments are not propagated to the device.
Click one or more alerts, enter text in the Comments
field, and click Update. (To click more than one alert,
hold down the Control key while clicking.)

Option: Acknowledge selected alerts
Description: Acknowledging an alert makes the alert a candidate
for deletion when the maximum number of alerts is
reached; acknowledging an alert does not solve the
issue that caused the alert.
(acknowledged) displays in the Acknowledged
column in the Alerts dialog box for an acknowledged
alert.
Click one or more alerts and click Acknowledge. (To
click more than one alert, hold down the Control key
while clicking.)

Option: Unacknowledge selected alerts
Description: Click one or more alerts and click Unacknowledge. (To
click more than one alert, hold down the Control key
while clicking.)
(unacknowledged) displays in the Acknowledged
column in the Alerts dialog box for an
unacknowledged alert.

Option: Delete selected alerts
Description: Click one or more alerts and click Delete. (To click
more than one alert, hold down the Control key while
clicking.)
You are required to confirm the deletion.

Examples of Managing Alerts


This section discusses the following examples:
❐ "Example 1: Filtering and Sorting Alerts"
❐ "Example 2: Acknowledging Alerts" on page 344
❐ "Example 3: Deleting Acknowledged Alerts" on page 346


Example 1: Filtering and Sorting Alerts


This example shows how to filter alerts to show only acknowledged alerts and
how to sort alerts by description.

To filter and sort alerts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts.
In this example, select a custom group and click Alerts.
The Alerts dialog box displays.

4. To sort the alerts by description, click the Description column.


The Alerts dialog box then displays as follows.

5. To display only acknowledged alerts, make the following selections from the
Filters section of the Alerts dialog box:
• Metric list: click All.
• Severity list: click All.
• State list: click All.
• Status list: click Acknowledge.
• Days list: click any value, such as last 30 days.
The following figure shows an example:

6. Click Show.


The Alerts dialog box displays only acknowledged alerts.

Example 2: Acknowledging Alerts


This example shows how to filter alerts to acknowledge alerts; if the 50,000 alert
maximum is exceeded, Director deletes the oldest acknowledged alerts first.

To filter and sort alerts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts.
In this example, select a custom group and click Alerts.


The Alerts dialog box displays.

4. Optional. Sort or filter the alerts.


For example, you can sort alerts by oldest first by clicking twice on the Start
Time column.
5. Click on one or more alerts to acknowledge. (To select more than one alert,
hold down the Control key while clicking.)
6. Click Acknowledge.
You are required to confirm the action.


The Alerts dialog box displays the acknowledged alerts.

indicates an acknowledged alert

indicates an unacknowledged alert


7. Optional. To delete acknowledged alerts, see the next example.

Example 3: Deleting Acknowledged Alerts


You can delete acknowledged alerts to prevent them from displaying again; also,
if the 50,000 alert limit is exceeded, Director automatically deletes the oldest
acknowledged alerts first.
In the event an error condition occurs again on a device, another alert is created so
deleting acknowledged alerts has no effect on your ability to monitor devices in
the future.

To delete acknowledged alerts:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, select the devices from which to view alerts.
In this example, select a custom group and click Alerts.


The Alerts dialog box displays.

4. Filter the alerts to display only acknowledged alerts as follows:


• From the Metric list, click All.
• From the Severity list, click All.
• From the State list, click All.
• From the Status list, click Acknowledge.
• Days list: click any value, such as last 30 days.
The following figure shows an example.

5. Click Show.
The Alerts dialog box shows only acknowledged alerts.
6. Optional. Sort the alerts in order of oldest first by clicking twice on the Start
Time column.


7. Click the alerts to delete. You have the following options:


• To select all acknowledged alerts, click Select All.
• To select a range of consecutive alerts, hold down the Shift key while
clicking.
• To select more than one alert, hold down the Control key while clicking.
8. Click Delete.
You are required to confirm the deletion.

Viewing Statistics
The Manage Device page enables you to view the alerts and statistics for
individual devices. When you click the Statistics button, an instance of that
device’s ProxySG appliance Management Console Statistics tab page displays.
The Alerts tab page enables you to switch back and forth between alert and
statistics information to obtain additional details.

Note: Unlike alerts, statistics can be viewed only for individual devices.

To view device statistics:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Click the Monitor tab.
3. On the Monitor tab page, from the Devices pane, click the name of a device.

4. In the Description section, in the Reports pane, click Statistics.


The Manage Device window displays, with the Management Console of the
selected device in view.

5. Select statistics to view.


6. (Optional.) Click the Health field status link to navigate to the health statistics.
7. (Optional.) Click the Alerts tab to review alert information.

Note: You can make configuration changes only to devices from the Configure
tab.

Related Commands
director (config) # monitoring {alerts {acknowledge {alert alert_id |
all | device device_id | group group_id} | add-comment alert alert_id
comment comment | delete {alert alert_id | all | device device_id |
group group_id} | unacknowledge {alert alert_id | all | device
device_id | group group_id}} | diagnose {device-state subcommands |
standby-state subcommands} | refresh health-state {all | device
device_id | group group_id}}


Generating Performance Analysis Reports


For any device that runs SGOS 5.3 or later, custom group, Model group, or OS
Version group, you can create and optionally e-mail a report that displays the
following charts:
❐ Bandwidth savings
❐ Effective throughput
❐ Overall traffic (includes amount of data transferred, gain (expressed as a
decimal), percent reduction; and the graph displays client bandwidth, server
bandwidth, and bypassed bandwidth).
❐ By proxy—client (percentage of traffic proxied by configured proxies such as
CIFS, Endpoint Mapper, MSRPC, MAPI, FTP, HTTP, HTTP forward proxy,
SSL, TCP tunnel, and Windows Media)
❐ By proxy—server (percentage of traffic proxied by configured proxies such as
CIFS, Endpoint Mapper, MSRPC, MAPI, FTP, HTTP, HTTP forward proxy,
SSL, TCP tunnel, and Windows Media)
❐ By service—client (percentage of client traffic used by configured services)
❐ By service—server (percentage of server traffic used by configured services)
❐ Traffic analysis for active services
Performance analysis data can be displayed for the following time periods:
❐ Last hour
❐ Last day
❐ Last week
❐ Last month
❐ Last year
The scale used on the graphs can be set as follows:
❐ Bytes
❐ Kilobytes
❐ Megabytes
❐ Gigabytes

To generate performance analysis reports:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optional. To e-mail reports, you must set the e-mail options discussed in
"Setting Mail Options" on page 63.
3. In the Director Management Console, click the Monitor tab.


4. On the Monitor tab page, click the device or group for which you want to
generate the report.
• To generate a report for one or more devices: In the Groups pane, click the
group to which the devices belong (for example, System > All group). In the
Devices pane, click one or more devices. (To select multiple devices, hold
down the Control key while clicking.)
If you click one device, the report displays data for that device.
If you click more than one device, the report displays aggregated data for
the devices you click.
• To generate a report for a group of devices: In the Groups pane, click the
name of the group.
The report displays aggregated data for all devices in the group (except for
disconnected devices). You can click the name of any group, including
custom groups or system groups (system groups include Model and OS
Version groups).
If you click the name of a group that has no devices, the Performance
Analysis Report button is unavailable.
Note: Performance analysis reports can take a long time to generate if you
select a group with a large number of devices.

5. Click Performance Analysis Report.


The report displays in a new window.

The following error indicates the selected devices have not collected enough
data to display in the selected time interval and scale. To work around the
problem, choose a different device or group.

The title bar of the window displays the name of the device or group for
which the report was created (in the preceding example, the report was
created for a group named SG200).


6. The following table discusses options available with the report:


| Option | Description |
| --- | --- |
| Mouse-over data | Place the mouse cursor on any peak of a line or area graph (for example, Effective Throughput) to display data for that peak. |
| | From the list, click the time period to use to sample data: Last Hour, Last Day, Last Week, Last Month, Last Year. |
| | From the list, click the units of measure to use to scale the graphs and charts in the reports: Bytes, Kilo Bytes, Mega Bytes, Giga Bytes. |
| | Select the check box next to each report you wish to view or e-mail. Clear the check box next to each report you do not wish to view or e-mail. |
| Text field | Every chart or graph in the report has a text field you can use to make notes about the chart or graph. Note: Line breaks you enter in the field are removed from the report when it is generated. |
| Click here to preview the report | Click the link to preview the report in your default Web browser. The report displays with all comments and charts or graphs you selected. |
| Email button | Follow the prompts on your screen to e-mail the report. |
| Close button | Close the report window at any time, including during the time report data is being collected. |


Generating Health Reports


The Health report is an experimental feature that enables you to view CPU usage
and memory usage for any device, either by itself or in a Model group or OS
Version group. One graph displays per device.
Health data can be displayed for the following time periods:
❐ Last hour
❐ Last day
❐ Last week
❐ Last month
❐ Last year

To generate health reports:


1. Start the Director Management Console as discussed in "Connecting to
Director with the Management Console" on page 52.
2. Optional. To e-mail reports, you must set the e-mail options discussed in
"Setting Mail Options" on page 63.
3. In the Director Management Console, click the Monitor tab.
4. On the Monitor tab page, click the device or group for which you want to
generate the report.
• To generate a report for one or more devices: In the Groups pane, click the
group to which the devices belong (for example, System > All group). In the
Devices pane, click one or more devices. (To select multiple devices, hold
down the Control key while clicking.)
One graph displays for each device.
• To generate a report for a group of devices: In the Groups pane, click the
name of the group.
One graph displays for each device.
5. Click Actions > Launch Health Report.
If you select a disconnected device, the Launch Health Report option is
unavailable.


6. The following table discusses options available with the report:


Option                            Description

                                  From the list, click the time period to use to sample
                                  data:
                                  • Last Hour
                                  • Last Day
                                  • Last Week
                                  • Last Month
                                  • Last Year

                                  Select the check box next to each report you wish to
                                  view or e-mail.
                                  Clear the check box next to each report you do not
                                  wish to view or e-mail.

Click here to preview the report  Click the link to preview the report in your default
                                  Web browser.

Email button                      Follow the prompts on your screen to e-mail the
                                  report.

Close button                      Close the report window at any time, including
                                  during the time report data is being collected.

Right-click a graph               If the graph lines appear to be flat:
                                  1. Right-click a graph.
                                  2. From the pop-up menu, click Auto Range >
                                     Both Axes.

Chapter 11: Audit Logging

Director audit logging enables you to log the actions of all administrators who
perform tasks on Director. This can be useful if you need to document Director
administrator behavior for change management auditing or troubleshooting.
Auditing enables you to do the following:
❐ Authenticate using TACACS+
❐ Log all actions performed by an administrative user
❐ Log the contents of backups, profiles, overlays, configure jobs, and content
jobs
❐ Export the generated log entries to an external server using the Secure Copy
Protocol (SCP)

Important: In Director 5.3 and later, you can no longer transfer files to a server
using an insecure protocol. The external server to which files are transferred
must support the SCP protocol.

This chapter discusses the following topics:


❐ "Overview of Audit Logging"
❐ "Viewing Audit Logging Status in the Management Console" on page 360
❐ "Configuring Audit Logging" on page 362

Overview of Audit Logging


Director logs commands entered from the command line and commands
executed as the result of actions in the Management Console. If a command
returns an error, the error message is logged.
Because Director does not display success confirmation, all other commands
are assumed to have succeeded. This type of logging is referred to as event
logging. In earlier SGME releases, you had the option of transferring event logs
to a syslog server using an insecure protocol.

About Audit Logging


Beginning with the SGME 5.3 release, Director also enables you to track the
contents of the following using audit logging:
❐ Profiles
❐ Overlays
❐ Configuration and content jobs


Note: Throughout the rest of this chapter, the term content jobs is intended to
include the content jobs themselves as well as any URL list or regular
expression lists they might contain. When you create, edit, or run a job with a
URL list or regular expression list, those activities are logged in the audit log.
❐ Backups
Audit logging enables administrators to track what tasks were performed by
commands that configured components in the preceding list. Administrators and
auditors can use event logging and audit logging together to determine what was
changed, who changed it, and when it was changed.

Comparing Event Logging and Audit Logging


The following table summarizes the two types of logging:
Logging type     What is logged

Audit logging    • The contents of a profile, the name of the user who
                   executed it, and the IP address from which the
                   command was executed
                 • The contents of an overlay, the name of the user
                   who executed it, and the IP address from which the
                   command was executed
                 • The contents of a device backup, the name of the
                   user who executed it, and the IP address from
                   which the command was executed

Event logging    • The name of a profile, the name of the user who
                   executed it, and the IP address from which the
                   command was executed
                 • The name of an overlay, the name of the user who
                   executed it, and the IP address from which the
                   command was executed
                 • The name of a device backup, the name of the user
                   who executed it, and the IP address from which the
                   command was executed
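
The following added example (not part of this guide and not Director code) shows one way an auditor could use the two log types together to answer what was changed, who changed it, and when. The record layout, field names, timestamps, addresses and setting lines are all constructed for illustration and are not Director's actual log format.

```python
# Added example. Record layout and sample values are constructed;
# this is not Director's actual log format.
import difflib
from collections import namedtuple
from datetime import datetime, timedelta

# Event logging records an object's name; audit logging records its contents.
Event = namedtuple("Event", "when user src_ip kind name")
Audit = namedtuple("Audit", "when user src_ip kind contents")

def correlate(events, audits, window=timedelta(seconds=5)):
    """Pair each event with the closest-in-time audit record that has the
    same user, source IP and object kind. Returns (pairs, unmatched_events)."""
    free, pairs, unmatched = list(audits), [], []
    for ev in sorted(events, key=lambda e: e.when):
        cands = [a for a in free
                 if (a.user, a.src_ip, a.kind) == (ev.user, ev.src_ip, ev.kind)
                 and abs(a.when - ev.when) <= window]
        if not cands:
            unmatched.append(ev)   # name was logged but no contents: follow up
            continue
        best = min(cands, key=lambda a: abs(a.when - ev.when))
        free.remove(best)
        pairs.append((ev, best))
    return pairs, unmatched

def changes(pairs):
    """Diff successive contents of each named object: what, who, when."""
    last, out = {}, []
    for ev, au in pairs:
        key = (ev.kind, ev.name)
        if key in last and last[key] != au.contents:
            diff = difflib.unified_diff(last[key].splitlines(),
                                        au.contents.splitlines(), lineterm="", n=0)
            lines = [l for l in list(diff)[2:] if not l.startswith("@@")]
            out.append({"what": key, "who": ev.user, "from": ev.src_ip,
                        "when": ev.when, "diff": lines})
        last[key] = au.contents
    return out

T0 = datetime(2009, 1, 5, 10, 0, 0)   # constructed sample data below
EVENTS = [Event(T0, "admin1", "192.0.2.10", "profile", "branch-base"),
          Event(T0 + timedelta(hours=1), "admin2", "192.0.2.20", "profile", "branch-base"),
          Event(T0 + timedelta(hours=2), "admin2", "192.0.2.20", "overlay", "dns-fix")]
AUDITS = [Audit(T0 + timedelta(seconds=1), "admin1", "192.0.2.10", "profile",
                "placeholder-setting-a on\nplaceholder-setting-b 10"),
          Audit(T0 + timedelta(hours=1, seconds=2), "admin2", "192.0.2.20", "profile",
                "placeholder-setting-a on\nplaceholder-setting-b 99")]
PAIRS, UNMATCHED = correlate(EVENTS, AUDITS)
```

An event left in UNMATCHED means a named object was executed but no matching contents record was found within the time window, which is worth checking against the export to the external server.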


The following table summarizes the main functional differences between event
logging and a