Contact Information
Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121
Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com
Copyright 1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, ProxyOne, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY BLUE COAT) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Contents
Preface
Audience
Typographical Conventions
Blue Coat Knowledge Base
Notes and Warnings
Chapter 1: ProxyClient Concepts
What's New in This Release
About ProxyClient Tamper Resistance
About ProxyClient Location Awareness
Overview of Location Awareness
About Web Filtering Auto-Detection
General Guidelines for Location Conditions
About Condition Rulebase Ordering
About ProxyClient CIFS Acceleration
About ProxyClient Web Filtering
Web Filtering Terminology
Enabling or Disabling Web Filtering Based on Location
Web Filtering for Users and Groups
About the BCWF Database and Categorization
About Security With Guest User Scenarios
About ADN Feature Support in ProxyClient
ADN and ProxyClient Terminology
About the Roles of ProxySG Appliances With the ProxyClient
ADN Features and the ProxyClient
ProxyClient Security Disclaimers
About ProxyClient Licensing
Software and Hardware Requirements
Why Deploy ProxyClient?
About Blue Coat in the Network
Chapter 2: ProxyClient Deployments
Assumptions
ProxySG Assumptions
ProxyClient Computer Setup Assumptions
Network Assumptions
Location Awareness Assumptions
ProxyClient Deployment Roadmap
Step 1: Configure a Primary ADN Manager and Internet Gateway
Step 2: Configure the Concentrator
Step 3: Configure the Client Manager
Step 4: Configuring ProxyClient Acceleration
Step 5: Configuring ProxyClient Web Filtering
Step 6: Configure ProxyClient Locations
Step 7: Install the ProxyClient Software
Performing Basic Verification
Verifying Location Awareness
Viewing Acceleration Details
Viewing Web Filtering Details
Viewing the Admin Log
Verifying Tamper Resistance
For More Information About ProxyClient Troubleshooting
Step 8: (Optional) Using Web Filtering Auto-Detection
Sample Local Policy File
Verifying Web Filtering Auto-Detection
Chapter 3: Getting Started with the ProxyClient
ProxyClient Compatibility with SGOS
Recommended Upgrade Information
ProxyClient and SGOS Compatibility
Important Information About Web Filtering Support
For More Information About ADN Networks
Preparing the ADN Configuration for ProxyClient Deployment
About Open ADN and Closed ADN With the ProxyClient
Configuring a Closed or Open ADN Network
Enabling ADN Managers
About Manager Listening Mode With the ProxyClient
About Tunneling Listening Mode With the ProxyClient
Configuring Manager and Tunneling Ports
Configuring Concentrators to Advertise Subnets
About Secure Outbound Mode
About Internet Gateways
Chapter 5: Configuring the Client Manager
Designating a ProxySG as the Client Manager
Uploading the ProxyClient Software to the Client Manager
Overview of the ProxyClient Upload Process
Getting the ProxyClient Software
Running Windows.msi
Uploading the ProxyClient .car File to the Client Manager
Setting Up the Client Manager (CLI)
Configuring the Client Manager (CLI)
Loading the Software (CLI)
Showing ProxyClient Settings (CLI)
Clearing ProxyClients (CLI)
Chapter 6: Configuring ProxyClient Locations
Location Awareness Overview
Location Awareness Decision Diagram
Location Awareness Task Summary
Configuring ProxyClient Locations
Ordering Locations in the Rulebase
Configuring Default Actions
Configuring Web Filtering Auto-Detection
Installing Local Policy on ProxySGs
Configuring ProxyClient Locations (CLI)
Chapter 7: Configuring ProxyClient Acceleration
Before You Begin Configuring ProxyClient Policy
Specifying the ProxyClient ADN Manager
Troubleshooting ProxyClient Acceleration Configuration
Tuning the ADN Configuration
Excluding Subnets from Being Accelerated
Excluding and Including Ports
Enabling File Sharing Acceleration
Configuring ProxyClient Acceleration Settings (CLI)
Troubleshooting ProxyClient Acceleration
Overview of Acceleration Troubleshooting
Getting Detailed Diagnostics
More Information About ProxyClient Acceleration Troubleshooting
Getting Detailed Diagnostics
Chapter 8: Configuring ProxyClient Web Filtering
Web Filtering Task Summary
Options for Enabling Blue Coat Web Filtering
Enabling the Blue Coat Web Filter Database (Optional)
Enabling Other Databases
Enabling the Use of the Local Database (Optional)
Enabling the Local Database
Setting Up ProxyClient Web Filtering
Entering BCWF Database Credentials
Enabling ProxyClient Web Filtering
About the Policy Tab Page
Working With Categories, Users, Groups, and Policy Actions
Getting Started With Categories
Selecting Categories
Configuring Users and Groups
Managing Policy Categories
Configuring System and Default Policy Actions
Ordering Categories in the Rulebase
Configuring Other Web Filtering Options
Web Filtering Best Practices
Displaying and Customizing Web Filtering Exception Pages
Enabling Web Filtering Logging
About Web Filtering Logging
How to Enable Web Filtering Logging
Configuring Clients That Require a Proxy to FTP Logs
Interpreting the Log Files
Configuring ProxyClient Web Filtering (CLI)
Troubleshooting ProxyClient Web Filtering
Overview of Web Filtering Troubleshooting
More Information About Web Filtering Troubleshooting
Getting Detailed Diagnostics
Chapter 9: Distributing the ProxyClient Software
ProxyClient Software Distribution Prerequisites
Overview of Distributing the ProxyClient Software
Preparing Interactive Installations
Interactive Installations from the Client Manager
Interactive Manual Installations
Preparing Silent Installations and Uninstallations
About Silent Web Filtering Installations
Parameters for Silent Installations
Command for Silent Uninstallations
Example Installations and Uninstallation
Limiting ProxyClient Visibility and Interactivity
Using Group Policy Object Distribution
Viewing ProxyClient History Statistics
Viewing ProxyClient Bandwidth (BW) Usage Statistics
Viewing ProxyClient Active Clients Statistics
Viewing ProxyClient Configurations Served Statistics
Viewing ProxyClient Software Served Statistics
Viewing ProxyClient Detail Statistics
Viewing ProxyClient Client Details
Viewing ProxyClient Client Version Count
Viewing ProxyClient ADN History Statistics
Viewing ProxyClient Active Session Statistics
Chapter 11: Troubleshooting the ProxyClient
Using the ProxyClient Web Browser for Troubleshooting
Troubleshooting ProxyClient Installation and Operation
Suggested Workarounds for Installation Errors
ProxyClient Tray Icon States and Meanings
Other ProxyClient Troubleshooting Tools
ProxyClient Troubleshooting Tools Summary
Changing the Client Manager
Changing the Default Web Server Port
Uninstalling the ProxyClient Software
Performing Data Traces and Data Collection
Using the ProxyClient VPN Whitelist Utility
Client Manager Logging
Using the ProxyClient VPN Whitelist Utility
Installation
Folders
Files
Setup MSI
Setup pkg
During Runtime
Logging and Support
Web Filter Files
Data Collector
Removal
Preface
This Preface provides you with an overview of the intended audience for this book, the document organization, Blue Coat typographical conventions, and related documentation for this product.
Audience
This book is written for administrators responsible for planning and deploying the Blue Coat ProxyClient and assumes that you have knowledge of basic ADN networking.
Typographical Conventions
Blue Coat documents employ the following typographical conventions:
Conventions and definitions:
Italics: The first use of a new or Blue Coat-proprietary term; also used for emphasis.
Command-line text.
A command-line variable that is to be replaced by a name or value pertaining to your network system.
A literal value to be entered as shown.
One of the parameters enclosed within the braces must be supplied.
[ ]: An optional parameter or parameters.
|: You can select the parameter before or after the pipe character.
Blue Coat recommends you regularly search the Knowledge Base for late-breaking information that might not be available in product documentation or Release Notes.
To view articles in the Knowledge Base:
1. Enter the following URL in your browser's address or location field: https://kb.bluecoat.com
2. Do any of the following:
   - To get an answer to a specific question, enter the question in the Ask a question field, and click Ask.
   - To view a specific set of articles, click a selection in the horizontal navigation bar (Solutions, FAQs, and so on). All of the sections enable you to browse by product, operating system, type of deployment, or topic.
3. Follow the prompts on your screen to locate the desired information.

To view solutions for the ProxyClient:
a. Click Solutions.
b. On the Solutions page, click Products.
c. On the Products page, click ProxyClient.
Note: Not all products are listed in alphabetical order; ProxyClient is listed in the first column.
Important:
Critical information that is not related to equipment damage or personal injury (for example, data loss).
Before configuring the ProxyClient, Blue Coat recommends that you understand the conceptual information discussed in this chapter.
Note: This book assumes that you are familiar with the Blue Coat Application Delivery Network (ADN) concepts and features, as discussed in "ADN Acceleration Techniques" on page 770 in the SGOS Administration Guide.

- "What's New in This Release"
- "ADN and ProxyClient Terminology" on page 23
- "About Blue Coat in the Network" on page 32
- "About the Roles of ProxySG Appliances With the ProxyClient" on page 25
- "About ProxyClient Tamper Resistance" on page 12
- "About ProxyClient Location Awareness" on page 13
- "About ProxyClient CIFS Acceleration" on page 17
- "About ProxyClient Web Filtering" on page 19
- "About ADN Feature Support in ProxyClient" on page 23
- "ADN Features and the ProxyClient" on page 26
- "About ProxyClient Licensing" on page 31
- "Software and Hardware Requirements" on page 31
- "Why Deploy ProxyClient?" on page 31
- "About Blue Coat in the Network" on page 32
For more information about ProxyClient features, see the following sections:
- "About ProxyClient Tamper Resistance" on page 12
- "About ProxyClient Location Awareness" on page 13
- "About Web Filtering Auto-Detection" on page 14
- "About ProxyClient CIFS Acceleration" on page 17
- "About ProxyClient Web Filtering" on page 19
- Uninstalling the software: Only a local administrator who knows the password can uninstall the ProxyClient software.
- Stopping the service: No user, even a local administrator, can permanently stop the service. The uninstall password must be configured to enable this feature, but a password prompt is not presented to the user.
  A user who is a local administrator can temporarily stop the service, but after a short period of time the service restarts itself.
  Note for ProxyClient Web filtering: Blue Coat recommends you set the policy action for the Unavailable category to Block to prevent Internet access in the event users attempt to defeat Web filtering by stopping the service. See "Web Filtering Best Practices" on page 155.
- Altering policy: Even if a user succeeds in editing the encrypted configuration file, the user's changes are ignored.

- "Overview of Location Awareness"
- "About Web Filtering Auto-Detection" on page 14
- "General Guidelines for Location Conditions" on page 15
- "About Condition Rulebase Ordering" on page 16
Locations are defined by the ProxySG administrator using one or more of the following location conditions (Configuration > ProxyClient > General > Locations):

- Source IP range, which is appropriate for situations (such as in the office) where you know the IP address range from which clients connect.
- DNS server IP address. In some situations, the client's IP address might not be enough to uniquely define a location. If that is the case, DNS servers can be used as additional location conditions.
- Virtual network interface IP address, which should be used whenever clients connect to the corporate network using VPN software. VPN software typically creates a virtual network adapter (referred to as a virtual NIC) that is assigned an IP address to be used when the client connects to the corporate network over VPN. A VPN gateway behind the firewall at the corporate data center provisions IP addresses and DNS server addresses to VPN clients.

Note: Some VPN client software creates a virtual NIC as a physical adapter, and that prevents the adapter from being used as a location criterion. To work around this issue, see "Using the ProxyClient VPN Whitelist Utility" on page 238.

Location conditions are logically ANDed together, so choosing more than one location condition for a location is a good way to uniquely identify the location. If the computer's IP address changes, the ProxyClient detects the IP address change and evaluates it against location rules. For example, if a user takes a laptop from the office to a mobile location and installs a wireless adapter in the laptop, as soon as the IP address changes, the laptop's location is evaluated against defined locations.
- In-path with a ProxySG that performs Web filtering
- The ProxyClient uses a filtering ProxySG as an explicit proxy

With this new feature, introduced in SGOS 5.5 and ProxyClient 3.2, you are no longer required to create an in-office location to disable ProxyClient Web filtering.

Prerequisites: All of the following must be true:
- The Client Manager must run SGOS 5.3.2.5 or later.
- Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).
- The ProxyClient must be deployed in any of the following ways:
  - In-path with the filtering ProxySG
  - The ProxyClient computer must use the filtering ProxySG as an explicit proxy
- Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed. For details, see "Configuring Web Filtering Auto-Detection" on page 100.

Benefits:
- Web filtering auto-detection is fast, happening within a few seconds after a ProxyClient requests a rating for a URL.
- Web filtering auto-detection prevents double filtering. Double filtering happens when both ProxyClient Web filtering and ProxySG Web filtering are applied to a URL request. (For example, if Web filtering is enabled in the ProxyClient's location and is also enabled by policy in an office network with ProxySG Web filtering.) Double filtering can result in policy conflicts if the same category is allowed by one policy set and blocked by another policy set.
- Whether or not a ProxySG at the location performs acceleration or Web filtering
- Which two of the three available location conditions uniquely define the location
The following table shows how to use these guidelines in a sample four-location deployment:
Location type: Mobile with no local ProxySG
How to apply the guidelines:
- Role of local ProxySG: There is none, so the location should enable both ProxyClient acceleration and Web filtering.
- Location conditions: To uniquely identify the location, choose Virtual NIC IP address and DNS server IP address.

How to apply the guidelines:
- Role of local ProxySGs: Perform both acceleration and Web filtering, so the location should disable both features.
- Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address.
Also see "About Web Filtering Auto-Detection" on page 14.

Location type: Branch office with no local ProxySG
How to apply the guidelines:
- Role of local ProxySG: There is none, so the location should enable ProxyClient acceleration. However, if a ProxySG at headquarters performs Web filtering, you should disable Web filtering at the branch office.
- Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address.

How to apply the guidelines:
- Role of local ProxySG: If the local ProxySG performs both acceleration and Web filtering, the location should disable both. However, if the local ProxySG performs only acceleration, the location should disable ProxyClient acceleration and enable Web filtering.
- Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address.
The order in which locations display on the Configuration > ProxyClient > General > tab page determines the order in which the rules are evaluated when users connect to the Client Manager. To avoid mismatches, order the rules from most to least restrictive. For example, suppose headquarters uses IP addresses in the range from 10.0.0.0 to 10.255.255.255 but the VPN gateway located at headquarters has a pool of IP addresses in a subset of that range; for example, 10.3.1.1 to 10.3.1.255. Because the VPN gateway is used by home office or mobile users, the administrator wants to use different policy actions for headquarters and home office users. Users at the headquarters location should have ProxyClient acceleration and Web filtering disabled, but users in a home office or mobile location should have both ProxyClient features enabled.
To make sure the home office or mobile location is detected first, the administrator must order it in the rulebase before the headquarters location. An example follows.
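The ordering problem described above, worked through as an added Python sketch (not Blue Coat code and not the ProxyClient's actual matching logic). It assumes a simplified rule model with illustrative field names, treats the VPN pool as a source IP range, and adds a check that flags rules an earlier rule makes unreachable.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Location:
    """Simplified model of one location rule (field names are illustrative)."""
    name: str
    source_ranges: list = field(default_factory=list)  # [(first_ip, last_ip), ...]
    dns_servers: list = field(default_factory=list)    # all listed servers must match
    acceleration: bool = False
    web_filtering: bool = False

    def matches(self, client_ip, client_dns=()):
        ip = ip_address(client_ip)
        # A range condition is satisfied by any one of its ranges.
        if self.source_ranges and not any(
            ip_address(lo) <= ip <= ip_address(hi) for lo, hi in self.source_ranges
        ):
            return False
        # DNS servers are ANDed: the client must use every listed server.
        if self.dns_servers and not set(self.dns_servers) <= set(client_dns):
            return False
        return True


def evaluate(rulebase, client_ip, client_dns=()):
    """Return the first location, in rulebase order, that matches (or None)."""
    for location in rulebase:
        if location.matches(client_ip, client_dns):
            return location
    return None


def _covered(inner, outer_ranges):
    lo, hi = ip_address(inner[0]), ip_address(inner[1])
    return any(ip_address(a) <= lo and hi <= ip_address(b) for a, b in outer_ranges)


def shadowed(rulebase):
    """List (later, earlier) pairs where the earlier rule always matches first."""
    findings = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            # Simplification: each later range must fit inside one earlier range.
            ranges_ok = not earlier.source_ranges or bool(
                later.source_ranges
                and all(_covered(r, earlier.source_ranges) for r in later.source_ranges)
            )
            dns_ok = set(earlier.dns_servers) <= set(later.dns_servers)
            if ranges_ok and dns_ok:
                findings.append((later.name, earlier.name))
                break
    return findings


# Address ranges taken from the example in the text.
HEADQUARTERS = Location("Headquarters", [("10.0.0.0", "10.255.255.255")])
REMOTE = Location("Home office or mobile", [("10.3.1.1", "10.3.1.255")],
                  acceleration=True, web_filtering=True)

WRONG_ORDER = [HEADQUARTERS, REMOTE]
RIGHT_ORDER = [REMOTE, HEADQUARTERS]

if __name__ == "__main__":
    vpn_client = "10.3.1.40"  # constructed address inside the VPN pool
    for label, rulebase in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        hit = evaluate(rulebase, vpn_client)
        print(f"{label}: {hit.name}, web filtering enabled: {hit.web_filtering}")
        print("  unreachable rules:", shadowed(rulebase))
```

With the headquarters rule first, a VPN user is classified as being at headquarters and loses ProxyClient Web filtering; running `shadowed()` over a rulebase before deploying it catches that class of mistake.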
Starting with ProxyClient version 3.2, two new options enhance these capabilities:
Remote storage optimization: Improves performance by causing Windows Explorer to minimize the amount of data transfer when users browse to a remote accelerated file share.
Specifically, this feature limits read ahead. Excessive read ahead slows performance if users enable the Display file size information in folder tips option for folders in Windows Explorer (On Windows XP and Vista: Tools > Folder Options > View tab page under Files and Folders. On Windows 7: Organize > Folder and Search Options > View tab page under Files and Folders). When a user browses to a folder while read ahead is enabled, Windows Explorer waits while folder and file metadata is retrieved; if you enable remote storage optimization, metadata is not requested, so performance is improved. The amount of performance improvement from enabling ProxyClient remote storage optimization depends on how many files are in the remote folder and how many subfolders are nested under the folder.
Note: It takes time for a configuration change to take effect. For example, if a client has two connections open to an accelerated file share at the time the client receives a configuration update from the Client Manager, it might take several minutes before a change from Enable to Disable takes effect for these open connections. On the other hand, the first connection after a configuration change is received by the client uses the current configuration setting.
Suppress folder customization: This setting can improve performance when a user browses to a remote accelerated file share that has a large number of customized nested folders. (An example of customizing a folder is changing its display icon.) Customized folders have the Windows read-only attribute. Read-only folders are not the same as read-only files in the following ways:
- Windows, Windows components, and accessories usually ignore the read-only attribute of a folder.
- Windows does not usually enable a user to view or change read-only or system attributes of a folder.
Windows uses the read-only and system attributes of folders to specify them as special folders (for example, system folders and folders like My Documents that are customized by Windows). If an accelerated file share has a large number of nested customized folders, performance can be degraded because of the time Windows waits to retrieve properties for the folder (in particular, desktop.ini). As discussed in Microsoft KB article 326549, Microsoft recommends you disable the read-only attribute of remote folders for this reason.
Note: It takes time for a configuration change to take effect. For example, if a client has two tunnels open to an accelerated file share at the time the client receives a configuration update from the Client Manager, it might take several minutes before a change from Enable to Disable takes effect for these open connections.
On the other hand, the first connection opened to an accelerated file share after a configuration change is received by the client will use the current configuration setting.
"Web Filtering Terminology"
"Enabling or Disabling Web Filtering Based on Location"
"Web Filtering for Users and Groups"
"About the BCWF Database and Categorization"
"About Security With Guest User Scenarios"
Blue Coat WebFilter (BCWF) database and categories: The BCWF database contains categories and URLs that are contained in those categories. The BCWF categories contain mappings between URLs and categories but do not contain the URLs themselves; URLs are categorized and rated by the WebPulse cloud service. A dedicated Client Manager needs only the BCWF categories to provide ProxyClient Web filtering services. WebPulse performs the ratings. A Client Manager that also proxies Internet traffic and performs BCWF Web filtering needs the BCWF database. The BCWF database and categories are maintained by Blue Coat. To enable and use ProxyClient Web filtering, the BCWF database or categories must be updated on the Client Manager at least once every 30 days.
The administrator chooses categories and policy actions for users and groups in each category; these categories and actions are downloaded to the ProxyClient in its configuration file. All ProxyClient URL requests are categorized by WebPulse.
WebPulse: An Internet cloud service consisting of many service points located around the globe, WebPulse categorizes all URLs requested by ProxyClients.
Note: One major difference between ProxyClient Web filtering and branch ProxySG Web filtering is that categorization for the ProxyClient is performed by WebPulse. ProxyClient categorization is not performed by the Client Manager.
Policy action: The action that is applied to a ProxyClient URL request. Possible actions are allow, block and warn. Policies can be applied to individual users or to user groups. More information about these policy actions can be found in "Working With Categories, Users, Groups, and Policy Actions" on page 141.
ProxyClient Web filtering categories can be configured for individual users and user groups, specified as follows:
- Fully qualified account names (for example, domain_name\user_name).
- Fully qualified DNS names (for example, domain.example.com\user_name).
- User principal names (UPN); for example, user@example.com.
However, be aware that translating isolated names introduces the possibility of name collisions because the same name might be used in multiple domains.
Blue Coat recommends you do not use isolated names such as user_name. Fully qualified names are unambiguous and provide better performance when the lookup is performed. Using CPL or VPM, you can configure the branch ProxySG to apply different Web filtering policies for users or groups. More information about performing these tasks can be found in "Managing Policy Categories" on page 147.
About Categorization
Categorization is the process of assigning a classification to a particular requested URL. If ProxyClient Web filtering is enabled for the user's location, the categorization process is as follows:
1. The user requests a URL.
2. The ProxyClient collects Web filtering categories from its configuration file. Categories are defined by the following:
   - The local database, if enabled.
   - VPM policy, if configured.
   - Results of WebPulse lookups that are temporarily cached on the user's computer.
3. The ProxyClient requests a category for the URL from WebPulse. The result of the request can be one of the following:
   - The URL request is categorized by WebPulse, if a result was not found in the local cache. (The cache, which is temporary, consists of results from previous lookups.)
   - If WebPulse cannot determine a URL's category, the URL is categorized as none and the appropriate policy action is applied.
   - If WebPulse is not available, the URL is categorized as unavailable and the appropriate policy action is applied.
   Note: One Web site can have many URLs associated with it. For example, many Web sites have advertisements that each trigger a URL request and therefore a categorization request to WebPulse.
4. After the URL's category is determined, the ProxyClient's configuration file determines the policy action (block, deny, or warn) according to the first match in the rulebase.
   - If the policy action is allow, the request goes to its destination.
   - If the policy action is block, the blocked category exception page displays.
   - If the policy action is warn, a warning message displays. The user must click an acceptance link, which represents an acknowledgment that the content request might violate corporate Web use policy. If the user clicks the acceptance link, the request goes to its destination.
   Note: If a user clicks the acceptance link, the requested Web site will be accessible for 15 minutes. The accessibility time period is not currently configurable for the Web site.
5. Results of WebPulse lookups are temporarily cached.
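The categorization steps above, modeled as an added Python sketch (not Blue Coat code). The lookup callable standing in for WebPulse, the cache lifetime, the per-host acceptance key, the sample category names and URLs, and the `None` result when no rule matches are all assumptions; the none and unavailable categories and the 15-minute acceptance window come from the text.

```python
import time
from urllib.parse import urlsplit

WARN_ACCEPT_SECONDS = 15 * 60  # acceptance window stated in the text


class WebPulseUnavailable(Exception):
    """Raised by the lookup callable when the rating service cannot be reached."""


class WebFilter:
    def __init__(self, rulebase, lookup, cache_ttl=300, clock=time.monotonic):
        self.rulebase = rulebase    # ordered list of (category, action)
        self.lookup = lookup        # hypothetical stand-in for a WebPulse request
        self.cache_ttl = cache_ttl  # assumption: the text only says "temporarily"
        self.clock = clock
        self.cache = {}             # url -> (category, expires_at)
        self.accepted = {}          # host -> expires_at of a warn acceptance

    def categorize(self, url):
        now = self.clock()
        cached = self.cache.get(url)
        if cached and cached[1] > now:
            return cached[0]                      # answered from the local cache
        try:
            category = self.lookup(url) or "none"  # service reachable, URL unrated
        except WebPulseUnavailable:
            return "unavailable"                   # service unreachable, not cached
        self.cache[url] = (category, now + self.cache_ttl)
        return category

    def action_for(self, category):
        # First match in the rulebase wins.
        for rule_category, action in self.rulebase:
            if rule_category == category:
                return action
        return None  # no rule: the text does not say what happens, so surface it

    def request(self, url):
        category = self.categorize(url)
        action = self.action_for(category)
        host = urlsplit(url).hostname
        if action == "warn" and self.accepted.get(host, float("-inf")) > self.clock():
            action = "allow"  # user accepted the warning within the last 15 minutes
        return category, action

    def accept_warning(self, url):
        self.accepted[urlsplit(url).hostname] = self.clock() + WARN_ACCEPT_SECONDS


def unhandled_outcomes(rulebase):
    """Return which of the special categories have no explicit rule."""
    covered = {category for category, _ in rulebase}
    return sorted({"none", "unavailable"} - covered)


# Constructed sample data: category names and URLs are illustrative only.
SAMPLE_RATINGS = {"http://news.example/": "News", "http://games.example/": "Games"}
SAMPLE_RULEBASE = [("Games", "warn"), ("News", "allow"), ("unavailable", "block")]


def sample_lookup(url):
    return SAMPLE_RATINGS.get(url)


if __name__ == "__main__":
    wf = WebFilter(SAMPLE_RULEBASE, sample_lookup)
    for url in ("http://news.example/", "http://games.example/", "http://unrated.example/"):
        print(url, wf.request(url))
    print("special categories without a rule:", unhandled_outcomes(SAMPLE_RULEBASE))
```

The `unhandled_outcomes()` check matters because requests rated none or unavailable still receive whatever policy action the rulebase assigns to those categories, so both deserve an explicit, deliberate rule.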
ProxyClient operates within the restricted network before completing the welcome page transaction, yet prevents any unauthorized user access.
"ADN and ProxyClient Terminology"
"About the Roles of ProxySG Appliances With the ProxyClient"
"ADN Features and the ProxyClient"
"About Internet Gateways"
"About Reflecting the ProxyClient IP Address"
ProxyClient: Downloaded and installed on user systems, the ProxyClient provides increased network performance and Web filtering when the connection is not fronted by a Blue Coat ProxySG.
ADN Manager: Every ADN network in which ProxyClient acceleration is enabled must have a ProxySG designated as the ADN Manager, which is responsible for publishing the routing table to ProxyClients (and to other ProxySG ADN peers). You can optionally designate another ProxySG appliance as the backup manager. This appliance takes over the duty of providing routing information to ProxyClients in the event the ADN manager becomes unavailable.
If you are using ProxyClient Web filtering only, you do not need to specify an ADN manager.
Concentrator: A ProxySG appliance that receives inbound ADN tunnels from the ProxyClient (and other ProxySG appliances on the ADN network) and accelerates data center resources (such as file servers and Web applications).
Branch ProxySG: A ProxySG deployed near a branch office router (where branch office means a small or regional office). To retrieve client file and data requests from servers located in the corporate data center, the branch proxy connects to the ADN concentrators (which are advertised by the ADN manager or discovered transparently) in the data centers at the corporate location. If the branch location has servers, the branch peer also serves as a concentrator. A branch ProxySG can provide acceleration, Web filtering, or both for the branch office.
Client Manager: A Client Manager is a ProxySG (running a compatible version of SGOS) that provides the ProxyClient software to users and maintains the software and the client configuration of all clients in the ADN network. Commonly, the Client Manager appliance is deployed in the intranet behind the enterprise VPN gateway, with a router connection to the Internet. For details, including which SGOS versions are supported, see "ProxyClient Compatibility with SGOS" on page 71.
Mobile user: Employees who use laptops with ProxyClient installed and travel from corporate locations to other locations, such as customer sites, hotels, or home offices. Mobile users does not refer to users with hand-held devices.
Location awareness: The ability of the ProxyClient to detect the presence of a network connection and enable or disable acceleration and Web filtering as determined by policy. For example, you typically disable both ProxyClient acceleration and Web filtering in the office but enable them for mobile users. The ProxySG administrator determines the criteria that define locations and enables or disables acceleration and Web filtering for each location.
Byte caching: A specific form of compression that looks for repeated data patterns transmitted over the WAN. Byte caching plus other forms of compression (such as gzip) optimizes the data sent over the TCP tunnel.
Common Internet File System (CIFS) optimization: ProxyClient significantly enhances WAN file service delivery by implementing the following:
- CIFS protocol optimization, which improves performance by consolidating data forwarded across the WAN.
- Client object caching, which enables clients to get previously obtained data from the cache rather than from across the WAN.
- ADN Manager and backup manager: As discussed in "ADN and ProxyClient Terminology" on page 23, to use ProxyClient acceleration, you must configure an ADN Manager, and Blue Coat recommends you also configure a backup manager. If you are using ProxyClient Web filtering only, no ADN manager is required.
- Client Manager: The ProxySG that provides the management infrastructure to ProxyClients, including the following services:
  - Software for the client (initial deployment and updates)
  - Periodic verification of the Blue Coat Web Filter (BCWF) license and database (required to use BCWF)
  - Monitoring
  - Client configuration management (such as Web filtering policy)
Note: The Client Manager can be any appliance in the ADN network, including a concentrator, the ADN manager, or a backup manager. For example, the Client Manager could also be the ADN manager, but that is not a requirement.
- Concentrator: A ProxySG that terminates ProxyClient ADN tunnels, and provides two-way compression and data forwarding to and from the appropriate server. A concentrator accelerates network traffic.
- Branch ProxySG: Depending on how it is configured, a branch ProxySG might provide acceleration and Web filtering for a branch office.
Figure 11
"Open ADN and Closed ADN"
"Byte Caching and gzip Compression"
"CIFS Optimization and Caching"
"Load Balancing and Failover"
"Cache Encryption"
"About Internet Gateways"
"About Reflecting the ProxyClient IP Address"
Cache Encryption
To maintain a high security level after content is retrieved over the network connection, ProxyClient supports the Microsoft Encrypting File System (EFS), which makes it extremely difficult for malicious users to hack into a user system's cache to retrieve company-sensitive files. No other user can access the data in the cache, even the system administrator. If ProxyClient is uninstalled, the EFS encrypted caches are also deleted.
Note: EFS is supported only on New Technology File System (NTFS) partitions; Windows XP Home Edition supports NTFS but not EFS. File Allocation Table (FAT) or FAT32 partitions do not support EFS and therefore the cache is not encrypted on those partitions. The Web filtering log folder is also encrypted, but the folder is in a location separate from the cache.
For computers that are connected to a network, the EFS domain certificate is required for encryption. Therefore, if the domain certificate has expired, no EFS encryption occurs. When the computer is not connected to the network, it uses its local EFS certificate and in that case, encryption works properly.
Note: For client IP reflection to work, the concentrator used by the ProxyClient should be deployed in-path between the ProxyClient and the origin server. In other words, the return packets will have ProxyClient's IP address as the destination address and must be routed back through the same concentrator.
If the origin server is able to connect directly back to the ProxyClient computer, the connection fails. This happens because the concentrator opens a different connection to the origin server than the one originally opened by the ProxyClient, so response packets going directly from the origin server to the ProxyClient will be rejected and the connection will fail. If the concentrator is deployed out of path, you can configure the concentrator to use local IP. For example, suppose the ProxyClient requests data from a server in the corporate data center. The ProxyClient request is accepted by a ProxySG concentrator, which sends the request to the server. When the concentrator sends the request, you can configure the following IP reflection options:
- Allow the request and reflect the client IP: The concentrator can present the ProxyClient computer IP address as the source address.
- Allow the request but connect using a local IP: The concentrator can present its own IP address as the source address. Select this option if your network is configured so that the origin server cannot reach a ProxyClient computer with an outside IP address; in other words, an IP address located outside the internal network.
- Reject the request: The concentrator can be configured to deny client reflection, in which case one of the following occurs:
  - If the concentrator runs SGOS 5.3 or later, the concentrator presents its own IP address as the source address. This option is equivalent to Allow the request but connect using a local IP.
  - If the concentrator runs an SGOS version earlier than 5.3, the connection fails.
SGOS 6.2 and later offers independent controls for configuring how the Concentrator peer handles client IP reflection requests from ProxySG peers versus ProxyClient peers. For example, you can have the Concentrator reject client IP reflection requests from ProxyClient peers but allow them from ProxySG peers. In previous releases, when the Concentrator was configured to deny reflect client IP requests from branch peers, there was a special hard-coded override that always used the Concentrator's local IP address for ProxyClient tunnel connections; if reflect client IP was set to allow, then the client IP would be reflected. For more information, see "Configuring IP Address Reflection" on page 791 of the SGOS 6.2 Administration Guide.
than 5.3, and that concentrator that is configured to reject client IP reflection requests, you must change the configuration. Otherwise, ProxyClients cannot connect to origin servers. Any of the following options can be used with the ProxyClient: Management Console using the Configuration > ADN > Tunneling > Network tab page. Choose either of the following options (click Help for more information about the options):
- Allow the request and reflect the client IP
- Allow the request but connect using a local IP
Command line:
SGOS#(config adn tunnel) reflect-client-ip allow
SGOS#(config adn tunnel) reflect-client-ip use-local-ip
Avoid allowing users with FAT and FAT32 partitions to download the ProxyClient for the following reasons:
- EFS encryption is not supported; therefore, the object cache (that is, the byte cache and CIFS cache) and Web filtering logs will not be encrypted.
- Because the ProxyClient uses NTFS permissions, Web filtering can be bypassed on FAT or FAT32 partitions and logs can be deleted.
Although unlikely, it is possible for a user to edit or delete Web filtering log files before they are uploaded to the FTP server. In addition, because the FTP server allows anonymous access, anyone can download a log file, change it, and upload it again without detection (although your FTP server can report the source IP address used to upload log files). These vulnerabilities can be exploited by a legitimate user or by an unauthorized user (such as a hacker or malware).
If a user runs a VMWare image on their computer, even if the computer has the ProxyClient, the VMWare image can access the Internet without restrictions, effectively circumventing Web filtering. (The VMWare image also operates without acceleration.) To avoid this issue, install the ProxyClient software on the VMWare image.
ProxyClient Web filtering can be used only with the SGOS Proxy Edition. Web filtering cannot be used with the SGOS Mach5 Edition. ProxyClient Web Filtering licensing requires a valid Blue Coat Web Filter (BCWF) database installed on the Client Manager and a user name and password to use to update the BCWF database categories at least once every 30 days. The BCWF license is available with trial and permanent licenses. Even if the Client Manager is being used as a forward proxy, you must download the BCWF database on the Client Manager for licensing purposes.
For more information on SGOS licensing, refer to the SGOS Administration Guide.
- For employees using laptops and who work from both the office and the field. These users enjoy accelerated network performance while on the corporate network, but lose that performance when they must, from a remote location, connect to the enterprise network using VPN.
- For users in micro-branches, or offices with a very small number of users, where it might not be cost-justifiable to deploy even the smallest Blue Coat ProxySG acceleration gateway appliance.
In both of these scenarios, the ProxyClient maintains user productivity levels by providing enterprise-grade performance, while also ensuring that the corporate Web usage policies are maintained on company-owned systems in the field (only users with administrator privileges can remove or disable the ProxyClient).
Figure 12
Blue Coat does not provide strict guidelines for determining whether a remote location requires a local ProxySG. Generally, use a local ProxySG if the branch office has a data center (that is, file servers and so on) and to offload acceleration and Web filtering functions from the corporate ProxySGs to the branch. Blue Coat recommends considering a ProxyClient-only solution at a remote location if any of the following is true:
- The remote location is a mobile user whose location changes.
- The remote location is a home office.
- The remote location has a few users and therefore does not justify a local ProxySG appliance.
In any of the preceding locations, you might provide connectivity to the corporate network with VPN client software; however, that is not a requirement for using the ProxyClient.
Note: Refer to the ProxyClient Release Notes for the latest list of supported VPN
This chapter provides a step by step example of configuring the ADN manager, concentrator, and Client Manager; and installing the ProxyClient software. You can use the information in this section to quickly install the ProxyClient in an evaluation environment. Additional tasks are generally required to deploy the ProxyClient in a production environment. This chapter discusses the following topics:
"Assumptions"
"ProxyClient Deployment Roadmap"
"Step 2: Configure the Concentrator"
"Step 3: Configure the Client Manager"
"Step 4: Configuring ProxyClient Acceleration"
"Step 5: Configuring ProxyClient Web Filtering"
"Step 6: Configure ProxyClient Locations"
"Step 7: Install the ProxyClient Software"
"Performing Basic Verification"
"Step 8: (Optional) Using Web Filtering Auto-Detection"
Assumptions
This section discusses the assumptions that will be made in the examples discussed in this sample ProxyClient deployment. See one of the following sections for more information:
"ProxySG Assumptions"
"ProxyClient Computer Setup Assumptions"
"Network Assumptions"
"Location Awareness Assumptions"
ProxySG Assumptions
It is assumed that one ProxySG appliance acts as the ADN manager, concentrator, and Client Manager. The ADN network is set up as open, managed, meaning there is an ADN manager but that transparent connections to the ADN manager would be allowed. (Because the ProxyClient requires explicit routes, ADN transparency is irrelevant in this example deployment.)
The ProxyClient software gets installed from the Client Manager (as opposed to installing it from the command line).
Prerequisites for optional Web filtering auto-detection are discussed in "Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58. For location awareness, the computer can have one or two network adapters: one to physically connect to the network using a cable and the other to connect to the network wirelessly. Furthermore, it is assumed that these network adapters have IP addresses in different ranges. If the computer has only one network adapter, ensure separate IP addresses are used for each location. If it is necessary for you to access network resources like file shares using VPN software, you must start the VPN software and connect to the network before determining the computer's IP address. These adapters will be used to set up ProxyClient locations.
Network Assumptions
The following assumptions apply to how the ADN manager and concentrator are set up:
Property | Value
Primary ADN manager IP address | Self (192.168.0.2)
Backup ADN manager | None
Subnets advertised by the concentrator | 172.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16
Internet gateway? | No
ProxyClient acceleration? | Enabled/disabled based on location
ProxyClient Web filtering? | Enabled/disabled based on location (can optionally be automatically detected as well)

- Virtual network interface card (NIC) address ranges for VPN-assigned IP addresses (for example, an offsite laptop with a wireless adapter that uses VPN to connect to the network)
- DNS server IP addresses, which are useful if there are overlaps between IP address ranges. For example, if VPN IP address ranges overlap with physical IP address ranges, you need to specify a DNS server to distinguish your locations. However, if you know that there are no IP address overlaps, you do not need to use a DNS server IP address as a location condition. Unlike the other location conditions, DNS server IP addresses are logically ANDed together; users must match all DNS servers listed to match the location.

"Step 1: Configure a Primary ADN Manager and Internet Gateway"
"Step 2: Configure the Concentrator"
"Step 3: Configure the Client Manager"
"Step 4: Configuring ProxyClient Acceleration"
"Step 5: Configuring ProxyClient Web Filtering"
"Step 6: Configure ProxyClient Locations"
"Step 7: Install the ProxyClient Software"
"Performing Basic Verification"
Figure 21 Enabling the primary ADN manager is required for any ProxyClient deployment that uses acceleration
Figure 22
Secure ADN requires you to select an SSL device profile for the ProxySG appliance
Figure 23
Selecting listening mode options that are compatible with the ProxyClient
"About Manager Listening Mode With the ProxyClient"
"About Tunneling Listening Mode With the ProxyClient"
"About Secure Outbound Mode"
Figure 24 shows how to configure the concentrator to advertise the sample subnets used in this deployment. You must replace these ranges with the appropriate values for your network.
Figure 24
10. Wait a few minutes for the upload to complete.
11. At the confirmation dialog, click OK. Figure 25 shows an example of ProxyClient version 3.4.1.1 software on the Client Manager.
3 Continue with the next step. "Step 4: Configuring ProxyClient Acceleration"
Figure 25 shows the Client Software tab with ProxyClient version 3.4 software installed.
Figure 25 The Current ProxyClient Software section displays the version of ProxyClient software currently on the Client Manager
"Designating a ProxySG as the Client Manager"
"Uploading the ProxyClient Software to the Client Manager"
"Configuring ProxyClient Locations"
# 3
What to do
1. Click Configuration > ProxyClient > Acceleration > General.
2. Select the Enable Acceleration check box. Figure 26 shows an example.
3. Click the ADN Rules tab. For the purposes of this sample deployment you should change the defaults only if there is a particular application you want to accelerate and you know the ports it uses. Figure 27 shows default settings.
4. Click the CIFS tab.
5. Select the Enable CIFS acceleration check box.
6. Your choices for Remote Storage Optimization and Suppress Folder Customizations do not matter in this example deployment. To learn more about these features, see "About ProxyClient CIFS Acceleration" on page 17.
7. Apply the changes. Figure 28 shows an example.
Figure 26 shows the primary ADN manager being enabled on the Client Manager.
Figure 26 Enabling ProxyClient acceleration enables both gzip compression and byte caching; it requires the Client Manager to get the list of published routes from the ADN manager
Figure 27 The ADN Rules tab enables you to customize acceleration features which is not necessary for this sample deployment
Figure 28
"Specifying the ProxyClient ADN Manager"
"Other ProxyClient Troubleshooting Tools"
"Tuning the ADN Configuration"
"Enabling File Sharing Acceleration"
# 3
What to do
1. Click Configuration > ProxyClient > Web Filtering > Policy.
2. In the All Categories pane, expand a category.
3. Select the check box corresponding to a category.
4. In the Selected Category Rule Base pane, in the Action column, click a policy action.
5. To configure policies per user or group, click the name of a category in the Selected Category Rule Base pane and click (Add user-group rule).
6. In the provided field, enter a user or group in any of the following formats:
   - Fully qualified account names (for example, domain_name\user_name). Blue Coat recommends you do not use isolated names (for example, user_name).
   - Fully qualified DNS names (for example, example.example.com\user_name)
   - User principal names (UPN) (for example, someone@example.com).
7.
Figure 29 shows sample ProxyClient Web filtering policy that allows, warns, and blocks content based on selections from the BCWF database. In this sample deployment, neither CPL/VPM nor local database categories are used.
Figure 29 Setting up ProxyClient Web filtering with allow, block, and warn on various Blue Coat categories
"Web Filtering Task Summary"
"Options for Enabling Blue Coat Web Filtering"
"Enabling the Use of the Local Database (Optional)"
"Managing Policy Categories"
"Web Filtering Best Practices"
"Enabling Web Filtering Logging"
# 1
Description Prerequisite
What to do Your computer must have all of the following: Physical adapter Wireless adapter When you connect wirelessly, you must have the ability to connect to the network using VPN. Otherwise, you do not have access to remote accelerated resources like file shares. The adapters must use different IP address ranges. The samples being used in this deployment are discussed in "Location Awareness Assumptions" on page 36.
# 2
What to do
The in-office location has acceleration enabled and Web filtering disabled because when you are in the office, a ProxySG appliance is assumed to perform Web filtering for you.
1. Click Configuration > ProxyClient > General > Locations.
2. In the Name field, enter In office.
3. Select the Match source IP ranges check box if you select the Source IP range or select the Virtual NIC IP range check box if you select the virtual NIC IP range.
4. In the Source IP Ranges section, click New.
   The steps that follow show how to set up the sample IP address ranges discussed in "Location Awareness Assumptions" on page 36. Replace these values with the appropriate IP address ranges.
5. In the IP Source Ranges fields, enter 192.168.0.200 and 192.168.0.254.
6. Click OK.
7. Select the Match DNS Servers check box.
8. In the Match DNS Servers section, click New.
9. In the Add DNS Server field, enter 192.168.1.55.
10. Click OK.
11. In the Actions section, select the Enable Acceleration check box.
12. Clear the Web Filtering check box.
13. In the New Locations dialog, click OK.
14. Apply the changes.
Figure 210 shows an example in-office location.
# 3
What to do
The out-of-office location has both acceleration and Web filtering enabled.
1. Click Configuration > ProxyClient > General > Locations.
2. In the Name field, enter Out of office.
3. Select the Match source IP ranges check box.
4. Is the IP address you get when you connect wirelessly assigned by a router or by a VPN device?
   - If it is assigned by a router, click New in the Source IP Ranges section.
   - If it is assigned by VPN, click New in the Virtual NIC IP Ranges section.
   The steps that follow show how to set up the sample IP address ranges discussed in "Location Awareness Assumptions" on page 36. Replace these values with the appropriate IP address ranges for your network.
5. In the provided fields, enter 10.5.0.0 and 10.5.4.254.
6. Click OK.
7. Select the Match DNS Servers check box.
8. In the Match DNS Servers section, click New.
9. In the Add DNS Server field, enter 10.5.5.54.
10. Click OK.
11. In the Actions section, select the Enable Acceleration check box and the Web Filtering check box.
12. In the New Locations dialog, click OK.
13. Apply the changes.
Figure 211 shows a sample out-of-office location.
# 4
Continue with the next step. "Step 7: Install the ProxyClient Software"
Figure 210 shows the sample in-office location used in this deployment. You must replace the sample IP address ranges with the IP address ranges used in your network.
Figure 210 Setting up an in office location that enables acceleration but disables ProxyClient Web filtering, assuming a ProxySG appliance performs Web filtering in the office
Figure 211 shows the sample out-of-office location used in this deployment. You must replace the sample IP address ranges with the IP address ranges used in your network.
Figure 211 Sample out of office location that enables both acceleration and Web filtering for the ProxyClient
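The matching behind the two sample locations above, as an added Python example (not Blue Coat code). It assumes that a location matches only when every selected condition matches, that a DNS condition matches when any of the client's DNS servers is listed, and that the first matching location wins; the default location's acceleration setting, the weakened variant and the test networks are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Location:
    name: str
    acceleration: bool
    web_filtering: bool
    source_ranges: tuple = ()  # inclusive (first, last) pairs; empty = check box cleared
    dns_servers: tuple = ()    # empty = check box cleared

    def matches(self, adapter_ip, client_dns):
        """Assumed semantics: every selected condition has to match."""
        ip = ip_address(adapter_ip)
        if self.source_ranges and not any(
            ip_address(first) <= ip <= ip_address(last)
            for first, last in self.source_ranges
        ):
            return False
        if self.dns_servers and not set(client_dns) & set(self.dns_servers):
            return False
        return True


def resolve(adapter_ip, client_dns, locations, default):
    """Return the first location that matches, else the default location."""
    for location in locations:
        if location.matches(adapter_ip, client_dns):
            return location
    return default


def weakly_anchored(locations):
    """Names of locations that switch Web filtering off but are identified
    only by private address ranges (or by nothing at all). Any network that
    hands out the same addresses would match such a location."""
    flagged = []
    for location in locations:
        if location.web_filtering or location.dns_servers:
            continue
        if all(
            ip_address(first).is_private and ip_address(last).is_private
            for first, last in location.source_ranges
        ):
            flagged.append(location.name)
    return flagged


# Sample values from this deployment.
IN_OFFICE = Location(
    "In office", acceleration=True, web_filtering=False,
    source_ranges=(("192.168.0.200", "192.168.0.254"),),
    dns_servers=("192.168.1.55",),
)
OUT_OF_OFFICE = Location(
    "Out of office", acceleration=True, web_filtering=True,
    source_ranges=(("10.5.0.0", "10.5.4.254"),),
    dns_servers=("10.5.5.54",),
)
# The guide states only that the default location has Web filtering enabled;
# the acceleration value here is an assumption.
DEFAULT = Location("Default", acceleration=False, web_filtering=True)
LOCATIONS = [IN_OFFICE, OUT_OF_OFFICE]

# Constructed variant: the in-office location without the DNS condition.
WEAK_IN_OFFICE = Location(
    "In office (no DNS check)", acceleration=True, web_filtering=False,
    source_ranges=(("192.168.0.200", "192.168.0.254"),),
)

if __name__ == "__main__":
    # Constructed test networks: (adapter IP, DNS servers handed out).
    networks = {
        "office LAN": ("192.168.0.210", ["192.168.1.55"]),
        "other network reusing 192.168.0.x": ("192.168.0.210", ["192.168.0.1"]),
        "VPN": ("10.5.2.17", ["10.5.5.54"]),
    }
    for label, (ip, dns) in networks.items():
        loc = resolve(ip, dns, LOCATIONS, DEFAULT)
        print(f"{label}: {loc.name}, filtering={'on' if loc.web_filtering else 'off'}")
    print("weakly anchored:", weakly_anchored([WEAK_IN_OFFICE, OUT_OF_OFFICE]))
```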
https://client-manager_host-or-ip:8084/proxyclient/ProxyClientSetup.exe
3. Follow the prompts to install the software.
4. When prompted, reboot your computer. After you reboot, the ProxyClient begins accelerating network traffic. (Web filtering, if enabled, starts immediately after installation.)
For more information, refer to the section "Preparing Silent Installations and Uninstallations" on page 181.
"Step 8: (Optional) Using Web Filtering AutoDetection" on page 58 "Performing Basic Verification" on page 53
"Distributing the ProxyClient Software" on page 173 "Interactive Installations from the Client Manager" on page 175 "Troubleshooting ProxyClient Installation and Operation" on page 214
Double-click the tray icon or right-click the tray icon and, from the pop-up menu, click Show Status. Now see one of the following topics:
"Verifying Location Awareness" on page 54 "Viewing Acceleration Details" on page 56 "Viewing Web Filtering Details" on page 57 "Viewing the Admin Log" on page 57 "Verifying Tamper Resistance" on page 58 "For More Information About ProxyClient Troubleshooting" on page 58
1. Physically connect to the network and make sure that acceleration is enabled but that Web filtering is disabled due to your location. An example follows.
Acceleration is running Location displays as In office
2. Disconnect from the network and enable your wireless adapter. If necessary, log in to your VPN application.
Your location should change to Out of office and both acceleration and Web filtering should be enabled.
3. Browse to some Web sites that will either be blocked or that will warn you. This will generate some Web filtering events and confirm that Web filtering is functioning. An example follows.
Acceleration is running Location displays as Out of office
The Network tab displays (if acceleration is disabled or not running, there is no Network tab page)
The Acceleration Statistics section on the Status tab page displays (if acceleration is disabled or not running, there is no Acceleration Statistics section)
Running
To view results from byte caching and CIFS protocol optimization, click the Advanced tab. The cache utilization displayed in the Disk Cache section on the Advanced tab page should increment as you copy files from a file share behind your concentrator.
"Other ProxyClient Troubleshooting Tools" on page 224 "Using the Client Manager for Acceleration Troubleshooting" on page 118 "Using a Concentrator for Acceleration Troubleshooting" on page 118 "Getting Detailed Diagnostics" on page 126
Figure 213 ProxyClient Web browser window showing Web filtering is running
If Web filtering is enabled and running, Running displays in the Filtering Statistics section heading and the statistics increment as the user browses the Web.
"Troubleshooting ProxyClient Web Filtering" on page 165 "Getting Web Filtering Status from the Web Browser Window" on page 166 "Using the Client Manager for Web Filtering Troubleshooting" on page 167 "Getting Detailed Diagnostics" on page 170
Right-click ProxyClientConfig.xml (the ProxyClient policy file) and try to edit it. Even if you edit it and save it, the policy file will not be used because it is not possible to encrypt it properly. Delete or rename ProxyClientConfig.xml. The configured policy remains in effect. You can verify this if you have Web filtering enabled by trying to access a blocked Web site. If you have only acceleration enabled, copy or open a file on an accelerated file share and notice the cache usage increases and the acceleration statistics change. To recover ProxyClientConfig.xml, either restart the ProxyClient service or change the policy on the Client Manager and get a configuration update. (From the ProxyClient Web browser window, click the Advanced tab and click Check For Updates Now.)
See Also
"For More Information About ProxyClient Troubleshooting" on page 58
"Troubleshooting ProxyClient Installation and Operation" on page 214 "Other ProxyClient Troubleshooting Tools" on page 224 "Troubleshooting ProxyClient Web Filtering" on page 165
The Client Manager must run SGOS 5.3.2.5 or later. Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF). The ProxyClient must be deployed in any of the following ways:
- In-path with the filtering ProxySG
- The ProxyClient computer must use the filtering ProxySG as an explicit proxy
ProxyClients must run 3.2 or later. Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed. In this sample deployment, you can do this as follows: Connect the ProxyClient computer to the ProxySG's LAN port and make sure the ProxySG can connect to the Internet. If an in-office ProxySG is already in-path between the ProxyClient computer and the Internet, you must install the local policy discussed in the next bullet on that ProxySG.
The filtering ProxySG is an in-office appliance that performs Blue Coat WebFiltering for users in the office, including ProxyClients. Your ProxySG is the appliance you configured as the ADN Manager, Client Manager, and concentrator.
All of the following must be true of the appliance you use for Web filtering auto-detection:
- It must have the BCWF database installed on it
- It must be in-path between the ProxyClient computer and the Internet
- It must be able to access the Internet
- It must be configured as a proxy (that is, it must intercept traffic)
- It must have Web filtering policy configured
Depending on your office network, this could be one ProxySG appliance or more than one appliance.
To enable and verify Web filtering auto-detection, use the following steps:
# 1
Description: Install local policy on the ProxySG that performs in-office Web filtering
What to do
1. Log in to the filtering ProxySG's Management Console as an administrator. This ProxySG can be either an in-office filtering proxy that is in-line with the ProxyClient computer or a filtering proxy that is configured as an explicit proxy for the ProxyClient computer.
2. Click Configuration > Policy > Policy Files.
3. From the Install Local Policy from list, click Text Editor.
4. Click Install.
5. In the provided field, enter the following:

    <proxy>
    ; Requests for sp.cwfservice.net trigger the i_am_filtering action
    request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)
    ; The action sets the X-BCWF-License response header
    define action i_am_filtering
    set (response.x_header.X-BCWF-License, "VendorID")
    end

where VendorID is your Blue Coat WebFilter database user name. For an example, see "Sample Local Policy File" on page 62.
# 3
Description: Required if your ProxySG will perform Web filtering. Download the BCWF database.
What to do
1. Log in to your ProxySG appliance as an administrator.
2. Click Configuration > Content Filtering > General.
3. Select the Blue Coat WebFilter check box.
4. Apply the changes.
5. Click Configuration > Content Filtering > Blue Coat WebFilter.
6. Click Download Now.
7. At the configuration dialog, click OK.
8. Click View Download Status.
It takes several minutes to download the database. Click View Download Status until a success message similar to the following displays:
    Download log:
    Blue Coat download at: 2009/10/01 19:02:44 +0000
    Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
    Requesting differential update
    Download size: 194115948
    Database date: Thu, 01 Oct 2009 16:05:59 UTC
    Database expires: Sat, 31 Oct 2009 16:05:59 UTC
    Database version: 292740400
    Database format: 1.1
If errors display, see the suggestions in "Enabling the Blue Coat Web Filter Database (Optional)" on page 130 to resolve the issue before continuing.
# 4
What to do
1. Create a text file with categories and URLs in the following format:

    define category-name
    url1
    url2
    urln
    end

2. Put the text file on a Web server your ProxySG can access.
3. Click Configuration > Content Filtering > General.
4. Select the Enable check box for the Local Database.
5. Click Configuration > Content Filtering > Local Database.
6. If a user name and password are required, follow the prompts on your screen to enter them.
7. Click Download Now.
8. Click View Download Status and verify the database downloaded successfully.
# 5
Description: Optional. Configure Web filtering policies.
What to do
Use CPL or VPM to configure Web filtering policies as discussed in "Defining Custom Categories in Policy" on page 404 in the SGOS Administration Guide.
Description: Connect the ProxyClient computer to the ProxySG in-path.
What to do
Do any of the following:
- Connect the ProxyClient computer's network cable to the LAN port on the rear panel of the ProxySG appliance. For more information, see the Quick Start Guide provided with the appliance. Depending on the appliance, it might be necessary to configure a software bridge; for more information, click Configure > Network > Adapters and click Help.
- For a filtering ProxySG that is either in-path with the ProxyClient or is used by the ProxyClient computer as an explicit proxy, make sure you installed the local policy in step 1 on that ProxySG.
# 7
What to do
This is necessary because your in-office location already has ProxyClient Web filtering disabled, which will prevent auto-detection from being enabled. As a result of deleting the in-office location, you will use the default location, which has ProxyClient Web filtering enabled.
1. Click Configuration > ProxyClient > General > Locations.
2. Click your in-office location.
3. Click Delete.
4. At the configuration dialog, click Yes.
5. Apply the changes.
6. Start the ProxyClient Web browser window.
7. Click the Advanced tab.
8. On the Advanced tab page, in the Software Update section, click Check For Updates Now.
9. At the confirmation dialog, click Close.
Request a URL
Before Web filtering auto-detection is enabled, you must request a URL. It does not matter whether the URL is one that should be allowed or blocked. "Verifying Web Filtering Auto-Detection" on page 63
Click More logs at the bottom of the window and look for this message:
Web Filtering has been delegated to a Blue Coat Security Gateway.
# 1
In the Uninstall Password section, click Change Password. Enter a password in the provided fields (for example, bluecoat). Click OK. At the confirmation dialog, click OK.
# 2
What to do 1. 2. 3. Start the ProxyClient Web browser window. Click the Advanced tab. On the Advanced tab page, in the Software Update section, click Check For Updates Now. At the confirmation dialog, click Close.
Start > [Settings] > Control Panel.
Double-click Administrative Tools. Double-click Services. Right-click Blue Coat ProxyClient. From the pop-up menu, click either Stop or Restart. An error displays and the service does not stop or restart.
6. 7.
Open a DOS command window. Enter the following command: An error displays and the service does not stop.
8. 9. 10. Attempt to uninstall the ProxyClient software using the incorrect password. 1. 2. 3. 4. 5. 6.
Start > [Settings] > Control Panel.
Double-click Add or Remove Programs. Click Blue Coat ProxyClient. Click Remove. At the confirmation dialog, click Yes. At the Enter Password dialog, enter the incorrect uninstall password and click OK. An error displays and the uninstallation does not proceed.
# 5
3. 4. 5. 6.
Right-click ProxyClientConfig.xml From the pop-up menu, click Rename. Enter a new name and press Enter. An error displays. Delete ProxyClientConfig.xml An error displays.
See Also
For a step by step sample deployment, see Chapter 2: "ProxyClient Deployments".
Figure 31
This chapter discusses ADN configuration tasks that must be performed before you can start to configure the ProxyClient. This chapter discusses the following topics:
"ProxyClient Compatibility with SGOS" "Preparing the ADN Configuration for ProxyClient Deployment" on page 73 "About Open ADN and Closed ADN With the ProxyClient" on page 74 "About Manager Listening Mode With the ProxyClient" on page 77 "About Tunneling Listening Mode With the ProxyClient" on page 78 "Configuring Manager and Tunneling Ports" on page 79 "Configuring Concentrators to Advertise Subnets" on page 79 "About Secure Outbound Mode" on page 80 "About Internet Gateways" on page 80
"Recommended Upgrade Information" "ProxyClient and SGOS Compatibility" on page 72 "Important Information About Web Filtering Support" on page 72
Make sure the ADN manager, ADN backup manager (if any), concentrators, and Client Manager are running the most recent version of SGOS. If you need to upgrade ProxySG appliances, do so in the following order:
a. ADN Manager and ADN backup manager, if any
b. Concentrators
c. Client Manager
Not compatible
Not compatible
Compatible
Compatible
Compatible
Compatible
Not compatible
Not compatible
Not compatible
Compatible
Compatible
Compatible
Compatible
Not compatible
Not compatible
Not compatible
To use the ProxyClient version 3.2.x or later in your ADN network, Blue Coat strongly recommends your Client Manager and ADN Manager (and backup manager, if any) run SGOS version 5.5.x or later. In addition, Blue Coat recommends all concentrators that provide ADN tunnels for ProxyClients be upgraded to SGOS version 5.5.x or later. SGOS 5.4.x or later ADN managers, backup managers, and concentrators enable you to use either open, managed ADN or closed ADN with the ProxyClient. Open ADN and closed ADN are backward compatible with SGOS versions 5.1.4 and later (in other words, SGOS versions that support secure ADN).
Note: SGOS 5.5.x and later does not support the SG Client 2.x.
A ProxyClient user requests a URL that matches a category that changed. (Ten new categories were added and five existing categories were renamed.) For example, the Arts/Entertainment category is now split into the Arts/ Culture and Entertainment categories.
You configured a policy action for one of the categories that changed. When a client requests a URL that is categorized as Arts/Culture, for example, but you set a policy action for Arts/Entertainment, the URL is classified as Unknown and the policy action is applied (allow, block, or warn).
The resulting Unknown categorization has a policy action that is different from the policy action for the policy you configured. To complete the example, suppose you blocked Arts/Entertainment but you allowed Unknown. In that case, the URL request is allowed when you intended for it to be blocked.
For more information, see one of the following Blue Coat Knowledge Base articles:
KB2966 KB1567
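An audit for the category mismatch described above, as an added Python example (not Blue Coat code): it finds rules that name a category the database no longer returns and reports where the Unknown action is weaker than the action intended. The policy, the rename table, the database list and every category name other than the Arts/Entertainment split are constructed, and treating any category without a rule as Unknown is a simplified model of the behaviour described.

```python
# Added example; all data below is constructed unless noted.
STRICTNESS = {"allow": 0, "warn": 1, "block": 2}

# The split named in this section: Arts/Entertainment became
# Arts/Culture and Entertainment.
RENAMES = {"Arts/Entertainment": ["Arts/Culture", "Entertainment"]}

# Categories the current database returns (constructed apart from the split).
DATABASE_CATEGORIES = {"Arts/Culture", "Entertainment", "Gambling", "News/Media"}

# Policy that was configured before the categories changed (constructed).
POLICY = {"Arts/Entertainment": "block", "Gambling": "block", "News/Media": "allow"}
UNKNOWN_ACTION = "allow"


def effective_action(url_category, policy, unknown_action):
    """Simplified model: a category with no rule is handled as Unknown."""
    return policy.get(url_category, unknown_action)


def audit_policy(policy, database_categories, renames, unknown_action):
    """Report every rule whose category the database no longer returns."""
    findings = []
    for category, intended in sorted(policy.items()):
        if category in database_categories:
            continue
        successors = renames.get(category, [])
        uncovered = [name for name in successors if name not in policy]
        weaker = STRICTNESS[unknown_action] < STRICTNESS[intended]
        findings.append({
            "stale_rule": category,
            "intended": intended,
            "successors": successors,
            "successors_without_rule": uncovered,
            # Falls open when traffic lands on Unknown and Unknown is weaker.
            # A stale rule with no known successor is treated the same way.
            "falls_open": weaker and (bool(uncovered) or not successors),
        })
    return findings


def remediate(policy, findings):
    """Copy the intended action to each successor category and drop the
    stale rule. Rules with no known successor are left for manual review."""
    fixed = dict(policy)
    for finding in findings:
        if not finding["successors"]:
            continue
        for name in finding["successors_without_rule"]:
            fixed[name] = finding["intended"]
        del fixed[finding["stale_rule"]]
    return fixed


if __name__ == "__main__":
    found = audit_policy(POLICY, DATABASE_CATEGORIES, RENAMES, UNKNOWN_ACTION)
    for finding in found:
        print(finding)
    print("before:", effective_action("Arts/Culture", POLICY, UNKNOWN_ACTION))
    print("after: ", effective_action("Arts/Culture", remediate(POLICY, found),
                                      UNKNOWN_ACTION))
```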
To use Web filtering only, you can set up your ADN network to use open ADN without an ADN manager. If you use Web filtering only, and you do have ADN managers in your network, you do not need to continue reading this chapter. You should continue with Chapter 5: "Configuring the Client Manager".
To use acceleration, your ADN network must use explicit deployment (that is, the ProxyClient must obtain routes from the ADN manager). Therefore, you must specify a primary ADN manager and backup manager (if any). The ProxyClient does not advertise routes.
If your primary ADN manager and backup manager (if any) run SGOS 5.4 or later, you have the option of selecting open, managed ADN or closed ADN. Both options support the use of the ProxyClient. ADN configuration for the ProxyClient with open ADN and closed ADN is discussed in "About Open ADN and Closed ADN With the ProxyClient" on page 74.
Because the ProxyClient uses plain communications only, the options you select for manager listening mode and tunneling listening mode must be compatible with the ProxyClient. These options are discussed in the sections that follow. You can configure the ADN network to use the same port for plain manager and plain tunnel and the same port for secure manager and secure tunnel. You set these options in the Management Console as follows:
Configuration > ADN > General > General, Manager Ports section
Configuration > ADN > Tunneling > Connection, Inbound section
"About Open ADN and Closed ADN With the ProxyClient" "About Manager Listening Mode With the ProxyClient" on page 77 "About Tunneling Listening Mode With the ProxyClient" on page 78 "About Secure Outbound Mode" on page 80
Note: Manager listening mode and tunneling listening mode options are available only in a secure ADN network. To set up secure ADN, all appliances must run SGOS 5.1.4 or later and you must first set up an SSL device profile on each ProxySG. For more information about SSL device profiles, see the section on SSL device profiles in the chapter on managing SSL traffic in the SGOS Administration Guide.
Use the following guidelines to configure open ADN or closed ADN with the ProxyClient:
ProxyClient requires explicit deployments (that is, there must be an ADN manager that publishes routes advertised by concentrators).
You can therefore use either an open, managed ADN network or a closed ADN network. You cannot use an open, ADN network with the ProxyClient unless ProxyClient is used only for Web filtering.
If you use a backup ADN manager, configure it the same as the primary ADN manager. In particular, make sure both managers use the same open or closed ADN options. To use ProxyClient Web filtering only, no ADN manager is required. You can configure your ADN network to be either closed or open. You do not need to continue reading this chapter; instead, continue with Chapter 5: "Configuring the Client Manager". "Configuring a Closed or Open ADN Network" "Enabling ADN Managers" on page 76
1. Log in to the ADN manager's Management Console as an administrator.
2. Click Configuration > ADN > Manager > Peer Authorization.
3. Do any of the following:
   - To configure an open ADN network, clear the Allow transparent tunnels only within this managed network check box.
   - To configure a closed ADN network, select the Allow transparent tunnels only within this managed network check box.
4. Optionally configure peer authorization and load balancing options as discussed in "ADN Peer Authentication" on page 778 and "ADN Load Balancing" on page 775 in the SGOS Administration Guide.
5. Repeat these tasks on the backup ADN manager, if any.
6. See one of the following sections:
   - To configure ADN managers (for either a managed or unmanaged open ADN network or for a closed ADN network), see "Enabling ADN Managers".
   - To configure concentrators to advertise subnets to accelerate (for any type of ADN network), see "Configuring Concentrators to Advertise Subnets" on page 79. If you do not set up concentrators to advertise subnets, the ProxyClient will not accelerate network traffic.
1. Log in as an administrator to the Management Console of a concentrator that will accelerate traffic for ProxyClients.
2. Click Configuration > ADN > General.
3. Select the Enable Application Delivery Network check box.
4. In the Primary ADN Manager section, specify the primary ADN manager's IP address.
5. If your ADN network has a backup ADN manager, in the Backup ADN Manager section, specify the backup ADN manager's IP address.
The following error most likely indicates you entered the IP address of the wrong device (for example, another Client Manager, a proxy, or a ProxySG appliance that is not an ADN manager):
% Device ID is needed to support security authorization
If this error displays, re-enter the ADN manager's IP address.
6. Continue with the following sections: "About Manager Listening Mode With the ProxyClient" "About Tunneling Listening Mode With the ProxyClient" on page 78 "Configuring Concentrators to Advertise Subnets" on page 79 "About Secure Outbound Mode" on page 80 "About Internet Gateways" on page 80
1. Log in to the primary or backup ADN manager's Management Console as an administrator.
2. Click Configuration > ADN > General > Connection Security.
3. Click one of the following options:
Secure Only
Only ProxySG appliances using secure connections can advertise routes. However, because selecting this option means that only the secure listener is active, you cannot select this option if you have ProxyClients in your ADN network because ProxyClients use only plain connections.
Plain Read-Only
(Recommended.) Select this option if all ProxySG appliances in the ADN network use SGOS version 5.1.4 or later, where all appliances support secure routing, and you have enabled secure routing on those ProxySG appliances. This option means that only ProxySG appliances that use secure connections can advertise routes. Devices that use plain communications (such as ProxyClients) can obtain routes but cannot advertise routes.
Note: Select this option only if all appliances in the ADN network run SGOS
Select this option in cases where you do not secure any ADN connections between ProxySG appliances. This option means that only ProxySG appliances that use plain connections can advertise routes.
Both
Select this option if you use the ProxyClient in your ADN network and some appliances in the network are not capable of using secure connections (for example, some appliances run SGOS version 5.1.3 or earlier). This option means that ProxySG appliances that use either secure or plain connections can advertise routes. If secure is enabled and available, it is used by default. 4. Apply the changes. For more information about setting the plain manager port and the secure manager port, see the section on configuring ADN managers in the chapter on configuring an ADN network in the SGOS Administration Guide. 5. Continue with "About Tunneling Listening Mode With the ProxyClient" .
1. Log in to a concentrator's Management Console as an administrator.
2. Click Configuration > ADN > General > Connection Security. Click one of the following options:
Secure Only
This option means the ProxySG appliance accepts only secure tunneling connections. Because the ProxyClient uses only plain connections, you cannot select this option if you have ProxyClients in your ADN network.
Plain
Select this option to enable the ProxyClient to connect to the appliance in cases where you do not secure any ADN connections between ProxySG appliances. This option means this appliance accepts only plain tunneling connections.
Both
Recommended for ProxyClient deployments in ADN networks in which secure ADN is used. Select this option if you use the ProxyClient in your ADN network and some appliances in the network use secure ADN. This option also enables you to support appliances that are not capable of accepting incoming secure tunneling connections (for example, some appliances run SGOS version 5.1.3 or earlier). This option means this appliance accepts both plain and secure tunneling connections. 3. Apply the changes. For more information about the plain tunnel port and the secure tunnel port, see the section on configuring ADN managers in the chapter on configuring an ADN network in the SGOS Administration Guide. 4. Continue with "About Secure Outbound Mode" .
Configuration > ADN > General > General, Manager Ports section
Configuration > ADN > Tunneling > Connection, Inbound section
1. Log in to the concentrator's Management Console as an administrator.
2. Click Configuration > ADN > Routing > Server Subnets.
3. Click Add.
4. In the IP / Subnet dialog, enter the following information:
   - IP / Subnet Prefix field: Enter either an IP address or an IP address in CIDR notation (for example, 172.16.0.0/16). If you enter the address in CIDR notation, you do not need to enter a subnet mask.
   - Subnet Mask field: Enter a valid subnet mask for the IP address you entered in the preceding field.
5. In the IP / Subnet dialog, click OK.
6. Repeat these tasks to set up all subnets advertised by the concentrator.
This chapter discusses how to configure a ProxySG appliance as the Client Manager. The Client Manager can function in other roles in an ADN network (for example, it can be a concentrator, ADN manager, or both). This chapter discusses the following topics:
"Before You Begin Configuring the Client Manager" "Designating a ProxySG as the Client Manager" on page 81 "Uploading the ProxyClient Software to the Client Manager" on page 85 "Setting Up the Client Manager (CLI)" on page 89
Configure an ADN manager and optionally a backup ADN manager. See "Enabling ADN Managers" on page 76
Note: To use ProxyClient Web filtering only, you do not need to configure an ADN manager. You must configure a Client Manager as discussed in this chapter, however.
Configure your concentrators to advertise subnets. See "Configuring Concentrators to Advertise Subnets" on page 79
Concepts discussed in the chapter on configuring an ADN network in the SGOS Administration Guide. Chapter 4: "ADN Network Configuration Prerequisites" "About ProxyClient Licensing" on page 31
Note: The Client Manager can be a different appliance than the ADN manager or the backup ADN manager. That is, you can configure the ADN manager or the backup ADN manager as the Client Manager, but it is not required. To designate a ProxySG as the Client Manager:
1. Perform the tasks discussed in "Before You Begin Configuring the Client Manager" on page 81.
2. Log in to the Client Manager's Management Console as an administrator.
3. Click ProxyClient > General > Client Manager.
4. On the Client Manager tab page, select the Enable Client Manager check box. Doing this designates this ProxySG as a Client Manager. The Features message displays the current state of ProxyClient features. If ProxyClient features are currently disabled, you can click a link to go to the appropriate page and configure that feature. For more information about enabling ProxyClient features, see one of the following sections: "Specifying the ProxyClient ADN Manager" on page 103 Chapter 8: "Configuring ProxyClient Web Filtering"
Table 51
Description Specify the host from which users get the ProxyClient software, configuration, and updates. Blue Coat recommends you specify a fully qualified host name, and not an unqualified (short) host name or IP address. If you use a fully qualified host name and the Client Manager's IP address changes later, you need only to update DNS for the Client Manager's new address and clients can continue to download the software and updates from the Client Manager. You have the following options:
Use host from initial client request: (Recommended.) Select this option to enable clients to download the ProxyClient software, configuration, and updates from the original host. In other words, in a typical ProxyClient deployment, the administrator e-mails users a URL from which they obtain the ProxyClient software and configuration initially. The host name or IP address in this URL is used to download the software to the client and is written to the client's configuration file for use in future software and configuration updates.
This option is compatible with all methods of deploying the ProxyClient, including Windows Group Policy Object (GPO), Microsoft System Center Configuration Manager (SCCM), or Systems Management Server (SMS). For more information about these deployment options, see Chapter 9: "Distributing the ProxyClient Software".
Use host: Select this option to download the ProxyClient software and configuration from the host name you specify. Enter a fully qualified host name or IP address only; do not preface it with http:// or https:// because software and configuration downloads will fail.
Use this option to migrate users from one Client Manager to another Client Manager or if you have more than one Client Manager behind a load balancer. Because a load balancer typically advertises one Virtual IP (VIP) address, you should enter the load balancer's VIP in the Use host field. (To migrate users from one Client Manager to another, see also "" on page 229.)
Port field: Enter the port on which the Client Manager listens for requests from clients. The default is 8084.
Keyring list: Click the name of the keyring to use when clients connect to the Client Manager.
Update Interval field: Specify the length of time (in minutes) between update checks. For example, if the value is 120, each ProxyClient application connects to the Client Manager every 120 minutes for configuration and software updates (beginning at startup). Valid values are 10-432000 (that is, 300 days). The default is 120 minutes.
After you apply the changes, the Client Components section displays a summary of the information you selected. Table 52 discusses the meaning of this information.
Table 52 Client Components section
Item
Client setup
Description Displays the URL from which users download the ProxyClient setup application. The setup application (ProxyClientSetup.exe) downloads the Microsoft installer (ProxyClientSetup.msi) to the client. This information is intended for interactive client installations from the Client Manager; for more information, see "Preparing Interactive Installations" on page 174. Provide this URL to users so they can install the ProxyClient software on their computers. To install the software this way, the user must have administrator privileges on the client machine. Note: If you selected Use host from client request for Host, the URL displays as follows:
https://host-from-client-request:8084/proxyclient/ProxyClientSetup.bsx
To download the ProxyClient using this URL, substitute the Client Manager's host name or IP address for host-from-client-request.
Client install MSI
Displays the URL from which ProxyClientSetup.exe downloads ProxyClientSetup.msi. This information is intended for non-interactive installations using SCCM, SMS, or GPO, as discussed in "Using Group Policy Object Distribution" on page 193. Note: Blue Coat recommends users not run the .msi on their computers because the installation fails unless the user enters parameters on the command line (for example, BCSI_UPDATEURL).
Client configuration
Displays the URL from which the ProxyClient installer downloads the client configuration file (ProxyClientConfig.xml). This information is provided for your reference only. For more information, see one of the following sections: "Preparing Silent Installations and Uninstallations" on page 181 "Using Group Policy Object Distribution" on page 193
Displays the most recent date and time ProxyClientConfig.xml was updated on the Client Manager.
See Also
"Uploading the ProxyClient Software to the Client Manager" on page 85 Chapter 7: "Configuring ProxyClient Acceleration" Chapter 9: "Distributing the ProxyClient Software" "Setting Up the Client Manager (CLI)" on page 89
Uninstalling the ProxyClient software
Disabling ProxyClient features or policy (Web filtering or acceleration) by:
  Stopping the ProxyClient service using Task Manager or net stop or sc from the command line
  Viewing or editing the ProxyClient configuration file
"Overview of the ProxyClient Upload Process" "Getting the ProxyClient Software" on page 86 "Running Windows.msi" on page 87 "Uploading the ProxyClient .car File to the Client Manager" on page 87
See Also
Chapter 2: "ProxyClient Deployments"
Upload the ProxyClient software to the Client Manager and let clients get the software from the Client Manager as discussed in the procedure that follows. Upgrading the Client Manager to the most recent version of SGOS does not replace the ProxyClient software on the Client Manager.
Manually run ProxyClientSetup.msi on client computers. The other installer, named ProxyClientSetup.exe, should be used only to download the ProxyClient software from the Client Manager.
Automated updates using Group Policy Object (GPO) or Microsoft Systems Management Server (SMS).
Note: If the ProxyClient software was installed on the client machine with the option to prohibit software updates, you must update the ProxyClient software on client computers using one of the following methods:
To upgrade the software, see the following sections in the order shown:
1. "Getting the ProxyClient Software"
2. "Running Windows.msi" on page 87
3. "Uploading the ProxyClient .car File to the Client Manager" on page 87
See Also
Chapter 9: "Distributing the ProxyClient Software"
The ProxyClient.msi file, which you use to install the ProxyClient software on client machines, including distributing the software using SCCM, SMS, GPO, or a similar method.
The ProxyClient .car file, which you upload to the Client Manager. Client computers receive the updated ProxyClient software at the next update interval, with the exception of any client computers for which updates are prohibited.
1. Go to the following URL: http://support.bluecoat.com
2. Click the link to download the ProxyClient 3.4.2.0 software.
3. At the prompts, enter your BlueTouch Online user name and password. If you do not have a BlueTouch Online login, go to http://www.bluecoat.com/support/supportservices/btorequest
Description Manually install the ProxyClient software on client computers. If you choose this option, skip the rest of this procedure after downloading the file.
ProxyClient.car file
Upload the ProxyClient software to the Client Manager, which enables clients to upgrade to the latest version. On the Download ProxyClient.car page, you also have the option to copy the link displayed on the page to download the .car file to the Client Manager. To use this link, the Client Manager must be able to contact http://bto.bluecoat.com. The link expires in 24 hours. If you choose this option, skip the rest of this procedure after copying the link location.
Note: The Windows.msi and ProxyClient.car files can install the 32-bit or 64-bit version of the ProxyClient software.
5. If you chose to download the ProxyClient .car file, locate it in any of the following:
On the local file system of the computer you run the Client Manager's Management Console. That is, to upload the ProxyClient software from your local file system or from a network share drive (as opposed to uploading it from a remote URL), you must copy ProxyClient.car to an accessible location.
On a Web server the Client Manager can access.
6. Continue with "Running Windows.msi".
Running Windows.msi
The Windows.msi file should be used for manual installations or installations distributed by SCCM, SMS, GPO, or a similar system as discussed in Chapter 9: "Distributing the ProxyClient Software". To distribute the ProxyClient software from the Client Manager instead, see "Uploading the ProxyClient .car File to the Client Manager" .
To install the ProxyClient software manually from the command line, or using SCCM, SMS, GPO, or a similar system, skip this section and see Chapter 9: "Distributing the ProxyClient Software" instead.
To upload the ProxyClient .car file to the Client Manager:
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > General > Client Manager > Client Software. The Current ProxyClient Software section displays information about the ProxyClient software this Client Manager is currently using. Do any of the following:
To upload the ProxyClient .car file, see step 3.
To use the link from the Blue Coat download site, see step 4.
3. This step discusses how to upload to the Client Manager the ProxyClient .car file you got from the Blue Coat download site. To use the link provided on the download page instead, skip this step and see step 4. To upload the ProxyClient .car file:
a. From the Install ProxyClient software from list, click Local file.
b. Click Install.
c. At the confirmation dialog, click Yes.
d. In the Open dialog, locate the ProxyClient .car file and click Open. The .car file has a name similar to the following:
proxyclient_3[4].3.1.1_12345_ProxyClientSetup.car
Notes: The name of the ProxyClient .car file changes with every release. Depending on the Web browser you used to download the software, square brackets might not be in the file name.
e. Wait a few minutes for the upload to complete. A confirmation dialog displays the message File successfully installed. If errors display, try the upload again. If errors continue, try getting the ProxyClient .car file again or try using the link displayed on the download page. Using the link to the ProxyClient software displayed on the download page is discussed in more detail in step 4.
f. At the confirmation dialog, click OK. At the next update interval, the software will be distributed to all ProxyClient users except those for which you disabled automatic software updates.
4. This step discusses how to upload the ProxyClient software to the Client Manager using the link provided on the Blue Coat download site. To upload the ProxyClient .car file instead, skip this step and see step 3. To use the link provided on the Blue Coat download page to update the ProxyClient software on the Client Manager:
a. From the Install ProxyClient software from list, click Remote URL.
b. Click Install.
c. At the confirmation dialog, click Yes. The Install ProxyClient Software dialog displays.
d. In the Installation URL field, paste the URL displayed on the Blue Coat download page. The URL has a format similar to the following:
https://bto.bluecoat.com/download/direct/56549919812997134284474771733824
Note: Every download URL link is unique.
e. In the Install ProxyClient Software dialog, click Install.
f. Wait a few minutes for the upload to complete. A confirmation displays the message The file was successfully downloaded and installed. If errors display, try the upload again. If errors continue, try using the ProxyClient .car file as discussed earlier.
g. At the confirmation dialog, click OK.
h. In the Install ProxyClient Software dialog, click OK. At the next update interval, the software will be distributed to all ProxyClient users except those for which you disabled automatic software updates.
Important: After you update the ProxyClient software on the Client Manager, whenever users connect using the ProxyClient, they must update their ProxyClient software unless software updates are disabled. You have the option of disabling software updates from the Client Manager if you plan to distribute updates some other way (for example, by SCCM, SMS, or GPO). For more information, see "Parameters for Silent Installations" on page 183.
Before uploading the ProxyClient software, verify the Client Manager is running compatible SGOS software. For example, ProxyClient 3.2.x requires SGOS 5.4.x or later. Compatibility information is discussed in the ProxyClient Release Notes.
"Loading the Software (CLI)" on page 90 "Showing ProxyClient Settings (CLI)" on page 90 "Clearing ProxyClients (CLI)" on page 90
1. At the #(config) command prompt, enter proxy-client.
2. Enable this appliance as the Client Manager:
#(config proxy-client) enable
You can use any of the following commands to load the ProxyClient software on the Client Manager:
#(config) load proxy-client-software
Clears (that is, sets to zero) the count of inactive ProxyClients or all ProxyClients. Note the following:
Clients are automatically cleared after 30 days of inactivity.
After a software upgrade, clients appear twice for 30 days: one entry for the earlier version of client software and one entry for the newer version of client software.
You can optionally clear the inactive clients to avoid seeing duplicate information.
For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.
"Location Awareness Overview" "Location Awareness Decision Diagram" on page 94 "Location Awareness Task Summary" on page 95 "Configuring ProxyClient Locations" on page 95 "Configuring Web Filtering Auto-Detection" on page 100 "Configuring ProxyClient Locations (CLI)" on page 101
For conceptual information and examples, see "About ProxyClient Location Awareness" on page 13 and "Step 6: Configure ProxyClient Locations" on page 48.
"Step 6: Configure ProxyClient Locations" on page 48 "Configuring ProxyClient Locations" on page 95 "Configuring Default Actions" on page 99 "Ordering Locations in the Rulebase" on page 98
"Location Awareness Overview" on page 93 "Location Awareness Task Summary" on page 95 "General Guidelines for Location Conditions" on page 15 "About Condition Rulebase Ordering" on page 16 "Step 6: Configure ProxyClient Locations" on page 48
To specify locations:
1. Log in to the Client Manager's Management Console as an administrator.
2. Select Configuration > ProxyClient > General > Locations.
3. On the Locations tab page, click New. The New Locations dialog displays.
4. In the Name field, enter a name that identifies this location. For example, Headquarters.
Note: The location name cannot be changed later.
5. In the Conditions section, select one or more conditions that define this location. The Conditions section enables you to specify one or more conditions that define the location, and therefore the ProxyClient features to apply to users in the location. For more information and examples of setting up locations, see the following sections: "General Guidelines for Location Conditions" on page 15 "About Condition Rulebase Ordering" on page 16
Tasks
1. Select the Match Virtual NICs IP check box.
2. Click New. Note: You cannot directly edit an existing condition. First delete the existing condition and then add a new one.
3. In the Add Virtual NIC IP Range dialog, enter a starting and ending IP address in the provided fields. The range you enter should correspond to a range of IP addresses provisioned by your VPN gateway. You must enter a pair of IP addresses; you cannot enter CIDR notation.
4. Click OK.
5. Repeat these tasks to enter other Virtual NIC IP address ranges if required. Note: This condition is matched if the user has a VNIC IP address in any of the ranges you define.
Note: If VPN client software does not recognize a Virtual NIC (and instead recognizes it as a physical adapter), see "Using the ProxyClient VPN Whitelist Utility" on page 238.
6. Select the check box corresponding to which features are enabled for this location:
Select Enable Acceleration to accelerate network traffic using all of the following:
  gzip
  CIFS protocol acceleration
  byte caching
Important: All selected conditions must match to enable the selected location features. For example, if Source IP Address and DNS Servers conditions are selected, and if the user matches the source IP address but not the DNS server IP address, the user does not match this location and the features enabled by the location will not be applied to the user.
Users who do not match any location conditions have default actions applied to them as discussed in "Configuring Default Actions" on page 99.
7. Click OK.
The location name and associated policy actions display on the Locations tab page.
See Also
"Overview of Location Awareness" on page 13 "General Guidelines for Location Conditions" on page 15 "About Condition Rulebase Ordering" on page 16
To make sure the home office or mobile location is detected first, the administrator must order it in the rulebase before the headquarters location. An example follows.
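The matching rules in this chapter (every selected condition must match, the first matching location in the rulebase wins, default actions apply otherwise), as an added Python sketch; it is not Blue Coat code and not the figure from the original guide. The class and function names, the sample addresses, and the way the DNS condition is evaluated are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[str, str]  # (start, end) pair; the dialog takes address pairs, not CIDR


def in_any_range(addr: str, ranges: List[Range]) -> bool:
    """True if addr falls inside at least one inclusive start-end pair."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


@dataclass
class Client:
    source_ip: str
    dns_servers: List[str]
    vnic_ips: List[str]


@dataclass
class Location:
    name: str
    acceleration: bool
    webfilter: bool
    # None means the condition's check box is not selected for this location.
    source_ranges: Optional[List[Range]] = None
    dns_servers: Optional[List[str]] = None
    vnic_ranges: Optional[List[Range]] = None

    def matches(self, client: Client) -> bool:
        checks = []
        if self.source_ranges is not None:
            checks.append(in_any_range(client.source_ip, self.source_ranges))
        if self.dns_servers is not None:
            # Assumption: sharing one DNS server satisfies the condition;
            # the guide does not spell out how DNS servers are compared.
            checks.append(bool(set(client.dns_servers) & set(self.dns_servers)))
        if self.vnic_ranges is not None:
            # Matched if the user has a VNIC address in any configured range.
            checks.append(any(in_any_range(ip, self.vnic_ranges)
                              for ip in client.vnic_ips))
        # All selected conditions must match. Assumption: a location with no
        # condition selected matches nobody.
        return bool(checks) and all(checks)


def evaluate(rulebase: List[Location], client: Client,
             default=("(default actions)", True, True)):
    """Return (location name, acceleration, webfilter) for the first match."""
    for location in rulebase:
        if location.matches(client):
            return (location.name, location.acceleration, location.webfilter)
    return default


# Constructed sample data (not from the guide).
HEADQUARTERS = Location("Headquarters", acceleration=False, webfilter=False,
                        dns_servers=["10.1.1.1"])
MOBILE = Location("Mobile", acceleration=True, webfilter=True,
                  vnic_ranges=[("10.200.0.1", "10.200.0.254")])
BRANCH = Location("Branch", acceleration=True, webfilter=False,
                  source_ranges=[("172.16.0.1", "172.16.0.254")],
                  dns_servers=["172.16.0.53"])

# A VPN user at home: corporate DNS pushed by the VPN, VNIC address from the pool.
VPN_USER = Client("192.168.1.20", ["10.1.1.1"], ["10.200.0.17"])
# Matches Branch's source range but not its DNS server.
PARTIAL_USER = Client("172.16.0.40", ["198.51.100.53"], [])

if __name__ == "__main__":
    print(evaluate([MOBILE, HEADQUARTERS], VPN_USER))   # Mobile listed first
    print(evaluate([HEADQUARTERS, MOBILE], VPN_USER))   # Headquarters shadows Mobile
    print(evaluate([BRANCH], PARTIAL_USER))             # falls through to defaults
```

With Headquarters ordered first, the VPN user is treated as an in-office user and receives neither feature, which is the misclassification the rulebase ordering is meant to prevent.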
1. Log in to the Management Console as an administrator.
2. Click Configuration > ProxyClient > General > Locations.
3. At the bottom of the Locations tab page, in the Default Actions section, select the check box corresponding to features to enable for clients who do not match any defined location conditions. The following figure shows an example of enabling both acceleration and Web filtering by default:
See Also
"Overview of Location Awareness" on page 13 "General Guidelines for Location Conditions" on page 15
The Client Manager must run SGOS 5.3.2.5 or later.
Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).
The ProxyClient must be deployed in any of the following ways:
  In-path with the filtering ProxySG
  The ProxyClient computer must use the filtering ProxySG as an explicit proxy
ProxyClients must run 3.2 or later.
Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed.
ProxySGs in-path between the ProxyClient computer and the Internet
ProxySGs that are used by ProxyClients as an explicit proxy
To install local policy on a ProxySG that performs Web filtering for ProxyClients:
1. Log in to the ProxySG's Management Console as an administrator.
2. Click Configuration > Policy > Policy Files.
3. In the right pane, for Install Local File from, click Text Editor from the list.
4. Click Install.
where VendorID is your Blue Coat WebFilter database user name. If your enterprise has more than one Vendor ID, enter them as a comma-separated list. An example with one Vendor ID follows:
<proxy>
  request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

define action i_am_filtering
  set (response.x_header.X-BCWF-License, "6EAZ8-BDC17F")
end

6. Click Install. If errors display, check the command syntax and try again.
7. After the policy successfully installs, click OK at the confirmation dialog and then click Close.

1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) command prompt, enter locations.
3. Configure location settings:
#(config proxy-client locations) create location_name
#(config proxy-client locations) edit location_name
#(config proxy-client name) acceleration {enable | disable}
#(config proxy-client name) webfilter {enable | disable}
#(config proxy-client name dns) add ip-address
#(config proxy-client name dns) clear
#(config proxy-client name dns) exit
#(config proxy-client name dns) remove ip-address
#(config proxy-client name dns) view
#(config proxy-client name source) add ip-address-range
#(config proxy-client name source) clear
#(config proxy-client name source) exit
#(config proxy-client name source) remove ip-address-range
#(config proxy-client name source) view
#(config proxy-client name vnic)
#(config proxy-client name vnic)
#(config proxy-client name vnic)
#(config proxy-client name vnic)
#(config proxy-client name vnic)
#(config proxy-client name) match-dns {enable | disable}
#(config proxy-client name) source {enable | disable}
#(config proxy-client name) vnic {enable | disable}
#(config proxy-client name) exit
#(config proxy-client name) view
#(config proxy-client locations) acceleration {disable | enable}
#(config proxy-client locations) webfilter {disable | enable}
#(config proxy-client locations) {promote location_name | demote location_name}
#(config proxy-client locations) delete location_name
#(config proxy-client locations) clear
#(config proxy-client locations) view
"Before You Begin Configuring ProxyClient Policy" "Specifying the ProxyClient ADN Manager" on page 103 "Tuning the ADN Configuration" on page 107 "Enabling File Sharing Acceleration" on page 111 "Troubleshooting ProxyClient Acceleration" on page 115
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > General.
Description You must select this check box to enable ProxyClient to accelerate network traffic using all of the following methods: gzip CIFS protocol acceleration byte caching
Displays the status of your acceleration license as either Valid or Invalid. The ProxyClientAcceleration license component is part of the base SGOS license. If the status is Invalid, there is a problem with your Blue Coat license. Verify a valid base SGOS license is installed (Maintenance > Licensing > View). Contact Blue Coat Support for license troubleshooting issues.
Item: Maximum percentage of disk space to use for caching field
Description: Enter the maximum percentage of total client disk space (as opposed to available disk space) to use for caching objects, such as CIFS objects. Valid values are 1-90; the default is 10. The higher you set the value, the more information is cached on user systems, but at the expense of disk space that might be required to run other applications.
Enter the IP address of the ADN manager for the ADN network to which the ProxyClient connects. You have the following options: To use the current ADN configuration on this ProxySG, click Use ProxySG ADN Managers. The primary and backup ADN manager IP address and plain manager port values are copied into the appropriate fields. To enable this ProxySG to be the primary or backup ADN manager, click Configure ADN.
For assistance troubleshooting issues with this tab page, see "Troubleshooting ProxyClient Acceleration Configuration" on page 106. For more information about the role of the ADN manager, see "ADN and ProxyClient Terminology" on page 23 and "About the Roles of ProxySG Appliances With the ProxyClient" on page 25.
Backup manager IP address
Enter the IP address of the backup ADN manager, if any. Enter the ADN manager's plain listen port (by default, 3034).
Important: Do not enter a secure port number, because the ProxyClient version 3.2.x does not support secure tunnels.
4. Click Apply. If errors display, see "Troubleshooting ProxyClient Acceleration Configuration" on page 106. Otherwise, continue with "Tuning the ADN Configuration" on page 107.
ProxySG ADN must be enabled with primary or backup manager Self to use this configuration for ProxyClient acceleration.
Click Apply.
Include and exclude ports: Includes or excludes TCP ports in ADN tunnels. Assuming ProxyClients can connect to a ProxySG that can optimize traffic to the destination address, this setting determines which ports are accelerated (or are not accelerated) for clients. You can use either the excluded ports list or included ports list, but not both.
Note: Make sure you know which ports are used by applications you want to accelerate and put them in the include ports list; otherwise, the traffic is not accelerated.
Excluded subnets: You can exclude intranet connections from being forwarded to a ProxySG configured as an Internet gateway. This is important if your network is designed such that a connection to an intranet server fails if it is sent through an Internet gateway. Provided an Internet gateway is configured, forwarding occurs as follows:
a. If the destination IP address is a local address, do not attempt to use an ADN tunnel; instead, connect directly. This is the end of the process.
b. If the destination IP address is in the ProxyClient's excluded subnets list, do not attempt to use an ADN tunnel; instead, connect directly. This is the end of the process. Otherwise, if the IP address is not in the ProxyClient's exclude list, continue with the next step.
c. If the destination IP address matches an entry in the ADN routing table, forward the connection over an ADN tunnel; otherwise, continue with the next step.
d. If a ProxySG is configured as an Internet gateway, look up the destination IP address in the Internet gateway's exception list. If the address does not match, forward the connection over an ADN tunnel to the Internet gateway; otherwise, connect directly to the destination IP address.
See one of the following sections for more information:
"Excluding Subnets from Being Accelerated" "Excluding and Including Ports" on page 109
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > ADN Rules.
3. On the ADN Rules tab page, in the Excluded Subnets section, click Add. The Add IP/Subnet dialog displays.
Description: Enter either an IP address or an IP address and subnet in Classless Inter-Domain Routing (CIDR) notation (for example, 192.168.0.0/16).
Use this field if you entered only an IP address in the preceding field (that is, if you used CIDR notation in the preceding field, you do not need to enter a value in this field).
5. In the Add IP/Subnet dialog, click OK.
6. Repeat these tasks to exclude more subnets, if required.
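The forwarding order described under Excluded subnets (steps a through d), as an added Python sketch for checking why a destination is or is not tunnelled; it is not ProxyClient code. The class and function names and the sample subnets are assumptions, as are the reading of "local address" as the client's directly attached subnets and the direct connection when no Internet gateway is configured.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def to_networks(cidrs: List[str]):
    """Parse CIDR strings (or single addresses) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


@dataclass
class AdnView:
    """What one client knows when it decides how to forward a connection."""
    local_subnets: List[str]      # assumption: subnets the client is attached to
    excluded_subnets: List[str]   # the ProxyClient excluded subnets list
    adn_routes: List[str]         # server subnets in the ADN routing table
    gateway_configured: bool = False
    gateway_exceptions: List[str] = field(default_factory=list)


def forward_decision(dest: str, view: AdnView) -> Tuple[str, str]:
    """Return (action, step) where step is the letter of the rule that decided."""
    addr = ipaddress.ip_address(dest)
    if in_any(addr, to_networks(view.local_subnets)):
        return ("direct", "a")
    if in_any(addr, to_networks(view.excluded_subnets)):
        return ("direct", "b")
    if in_any(addr, to_networks(view.adn_routes)):
        return ("adn-tunnel", "c")
    if view.gateway_configured:
        if in_any(addr, to_networks(view.gateway_exceptions)):
            return ("direct", "d")
        return ("gateway-tunnel", "d")
    # Assumption: with no Internet gateway and no route, the client connects directly.
    return ("direct", "no-gateway")


def shadowed_routes(view: AdnView) -> List[Tuple[str, str]]:
    """List (excluded subnet, ADN route) pairs that overlap.

    Step b runs before step c, so any overlap means part of an advertised
    route is never accelerated for this client.
    """
    return [(str(ex), str(rt))
            for ex in to_networks(view.excluded_subnets)
            for rt in to_networks(view.adn_routes)
            if ex.overlaps(rt)]


# Constructed sample configuration (not from the guide).
VIEW = AdnView(
    local_subnets=["192.168.1.0/24"],
    excluded_subnets=["10.20.0.0/16"],
    adn_routes=["10.0.0.0/8"],
    gateway_configured=True,
    gateway_exceptions=["203.0.113.0/24"],
)

if __name__ == "__main__":
    for dest in ("192.168.1.50", "10.20.5.5", "10.1.2.3",
                 "198.51.100.7", "203.0.113.9"):
        print(dest, forward_decision(dest, VIEW))
    print("shadowed:", shadowed_routes(VIEW))
```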
On any ProxySG configured as a proxy, Configuration > Services > Proxy Services. For any protocol the proxy is intercepting, consider adding the protocol's port to the include list.
Internet Assigned Numbers Authority reference.
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > ADN Rules. The ports section displays.
3. In the Ports section, click one of the following options:
Exclude: Client traffic from specified ports is not routed through the ADN tunnel. All other traffic is accelerated. Valid values: Comma-separated list of ports and port ranges (no spaces, separated by a dash character). For example:
22,88,443,993,995,1352,1494,1677,3389,5900-5902
Include: Client traffic from specified ports is routed through the ADN tunnel and therefore is accelerated. All other traffic bypasses the tunnel and is not accelerated.
Valid values: Comma-separated list of ports and port ranges (no spaces, separated by a dash character). For example:
80,139,445,8080-8088
Include ports 139 and 445 for file sharing (CIFS services) acceleration.
Note: The include and exclude ports lists are advanced settings that limit the traffic that is accelerated by the ADN network.
4. Click Apply.
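An added Python sketch (not Blue Coat code) that validates a port list in the format given above and reports whether a port would be accelerated under an include or exclude list, including a check for the CIFS ports 139 and 445. The function names and the 1-65535 bound are assumptions; the two sample lists are the examples from this section.

```python
import re
from typing import List, Tuple

# One item is a port or a low-high range; no spaces are allowed anywhere.
PORT_ITEM = re.compile(r"([0-9]{1,5})(?:-([0-9]{1,5}))?")
CIFS_PORTS = (139, 445)

INCLUDE_EXAMPLE = "80,139,445,8080-8088"
EXCLUDE_EXAMPLE = "22,88,443,993,995,1352,1494,1677,3389,5900-5902"


def parse_port_list(text: str) -> List[Tuple[int, int]]:
    """Parse a comma-separated port list into inclusive (low, high) pairs."""
    if not text:
        raise ValueError("port list is empty")
    if any(ch.isspace() for ch in text):
        raise ValueError("port list must not contain spaces")
    ranges = []
    for item in text.split(","):
        match = PORT_ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"not a port or port range: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        # Assumption: valid TCP ports are 1-65535 and a range runs low to high.
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range or reversed range: {item!r}")
        ranges.append((low, high))
    return ranges


def is_accelerated(port: int, mode: str, port_list: str) -> bool:
    """Apply the include or exclude semantics to one port.

    mode is "include" or "exclude"; only one of the two lists can be in
    use at a time, so the mode is a single value rather than two lists.
    """
    listed = any(low <= port <= high
                 for low, high in parse_port_list(port_list))
    if mode == "include":
        return listed          # only listed ports enter the ADN tunnel
    if mode == "exclude":
        return not listed      # listed ports bypass the tunnel
    raise ValueError("mode must be 'include' or 'exclude'")


def unaccelerated_cifs_ports(mode: str, port_list: str) -> List[int]:
    """Return the CIFS ports (139, 445) that this setting leaves unaccelerated."""
    return [p for p in CIFS_PORTS if not is_accelerated(p, mode, port_list)]


if __name__ == "__main__":
    print(parse_port_list(INCLUDE_EXAMPLE))
    print("443 with include list:", is_accelerated(443, "include", INCLUDE_EXAMPLE))
    print("5901 with exclude list:", is_accelerated(5901, "exclude", EXCLUDE_EXAMPLE))
    print("CIFS gaps:", unaccelerated_cifs_ports("include", "80,8080-8088"))
```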
For file sharing conceptual information, see "About ProxyClient CIFS Acceleration" on page 17. For more detailed information about CIFS optimization on the ProxySG, see the chapter on the CIFS proxy in the SGOS Administration Guide.
To enable file sharing acceleration using the ProxyClient:
1. Log in to the Client Manager's Management Console as an administrator.
2. Verify the CIFS ports are listed in the Included Port list as discussed in "Enabling File Sharing Acceleration" on page 111.
3. Click Configuration > ProxyClient > Acceleration > CIFS. The CIFS tab displays.
Description: You must select this check box to enable clients to accelerate CIFS traffic.
When a user browses to an accelerated remote file share using Windows Explorer, set this option to Enable to improve access to remote file shares by causing Windows Explorer to avoid read ahead on those folders. Set the option to Disable to allow Windows Explorer to read ahead on remote file shares. Note: This setting is not related to Windows offline folders. For more information, see "About ProxyClient CIFS Acceleration" on page 17.
Setting this option to Enable can improve performance when using Windows Explorer to browse to a remote accelerated file share that has a large number of customized nested folders that are set to read-only. (An example of customizing a folder is changing its display icon.) Click Disable to cause Windows to enforce the read-only attribute for all folders on accelerated remote file shares. For more information, see "About ProxyClient CIFS Acceleration" on page 17.
Write back options determine whether or not user connections continue sending data to the ProxySG appliance while the appliance is writing data on the back end. Select one of the following:
Select Full to enable write-back, which causes the ProxyClient to send data to the ProxySG appliance without waiting for acknowledgement that the data was written successfully. This setting improves responsiveness but can lead to data loss in the rare circumstance in which the ProxyClient crashes or the link drops before delivering all the data to the ProxySG appliance.
Select None to disable write-back. Disabling write-back can introduce substantial latency while clients send data to the appliance and wait for acknowledgement before sending more data. One reason to set this option to None is the risk of data loss if the link from the branch to the core server fails. There is no way to recover queued data if such a link failure occurs.
Option: Directory cache time field
Description: Enter the number of seconds for directory listings to remain in the client's cache.
5. Click Apply.
See Also
"ADN Features and the ProxyClient" on page 26
1. At the #(config) command prompt, enter proxy-client.
2. Configure general client settings:
#(config proxy-client) max-cache-disk-percent percentage
#(config proxy-client) software-upgrade-path url
#(config proxy-client) update-interval minutes
#(config proxy-client) view
1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) prompt, enter adn.
3. Configure ADN rules settings:
#(config proxy-client acceleration adn) port-list {exclude-ports | include-ports}
#(config proxy-client acceleration adn) {exclude-ports | include-ports} {port | port-list | port-range}
#(config proxy-client acceleration adn) exclude-subnets
#(config proxy-client acceleration adn exclude-subnets) {add | remove} subnet_prefix[/prefix length]
#(config proxy-client acceleration adn exclude-subnets) clear
#(config proxy-client acceleration adn exclude-subnets) exit
#(config proxy-client acceleration adn exclude-subnets) view
1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) prompt, enter adn.
3. Configure ADN manager settings:
#(config proxy-client acceleration adn) primary-manager ip-address #(config proxy-client acceleration adn) backup-manager ip-address #(config proxy-client acceleration adn) manager-port plain-port
1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) command prompt, enter cifs.
3. Configure CIFS settings:
#(config proxy-client acceleration cifs) directory-cache-time seconds
#(config proxy-client acceleration cifs) {disable | enable}
#(config proxy-client acceleration cifs) exit
#(config proxy-client acceleration cifs) write-back {full | none}
#(config proxy-client acceleration cifs) remote-storage-optimization {disable | enable}
"Overview of Acceleration Troubleshooting" "More Information About ProxyClient Acceleration Troubleshooting" on page 119 "Getting Detailed Diagnostics" on page 126 "Using the ProxyClient Web Browser for Troubleshooting" on page 213 "Troubleshooting ProxyClient Installation and Operation" on page 214 "Troubleshooting ProxyClient Web Filtering" on page 165 "Other ProxyClient Troubleshooting Tools" on page 224
Concentrator is not available To confirm which concentrators are advertising routes in the ADN network, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119
The destination is not defined in ADN routing table To confirm which routes have been published, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119
Acceleration is disabled To confirm that acceleration is enabled and running properly, see "Getting Acceleration Status from the Web Browser Window" on page 115
The ProxyClient Web browser window and the Client Manager's Statistics > ProxyClient > Details tab pages assist you with troubleshooting acceleration issues clients might be experiencing. The following sections provide a brief overview of how you can use these tools:
"Getting Acceleration Status from the Web Browser Window" on page 115 "Configuration Error" on page 117 "Using the Client Manager for Acceleration Troubleshooting" on page 118
Figure 71
The Network tab displays (if acceleration is disabled or not running, there is no Network tab) The Acceleration Statistics section on the Status tab page displays (if acceleration is disabled or not running, there is no Acceleration Statistics section)
Running
The following table lists the meanings of other status messages for acceleration:
Status message / Meaning
Configuration Error: The routing table the ProxyClient gets from the ADN manager or backup manager is empty. The most likely reason is that concentrators are advertising no routes to the managers. For more information, see "Configuration Error" on page 117.
Disabled due to Location: Acceleration is disabled in the client's current location. For more information about locations, see Chapter 6: "Configuring ProxyClient Locations".
Not Available: Status is not available because the ProxyClient cannot contact the ADN Manager. See "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.
Meaning: Your acceleration license is invalid. To verify this is the case, log in to the Client Manager's Management Console as an administrator and click Configuration > ProxyClient > Acceleration > General. If the message Acceleration License: Invalid displays below the Enable Acceleration check box, you know your license is invalid. Contact your Blue Coat representative or Blue Coat Support to resolve the issue.
Acceleration is always disabled if the user boots their computer in Safe Mode. Resolve the issue that caused the user to boot in Safe Mode. This message displays in the heading of the component (acceleration or Web filtering) that is experiencing errors. If the error indicates a problem with Web filtering, see "Web Filtering Internal Service Error" on page 169. If the error indicates a problem with acceleration, ask the user to reboot the computer, enable trace logging, and repeat the actions that caused the internal service error. For more information about trace logging, see "Performing Data Traces and Data Collection" on page 232.
For more detailed information, see "More Information About ProxyClient Acceleration Troubleshooting" on page 119.
Configuration Error
This section discusses how to resolve issues related to the error message Configuration Error. This message indicates the routing table the ProxyClient gets from the ADN manager or backup manager is empty. The most likely reason is that concentrators are advertising no routes to the managers.
To resolve the configuration error:
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > General.
3. In the ADN Manager section, click Use ProxySG ADN Managers. This causes the Client Manager to use the ADN manager configuration.
4. Log in to a concentrator's Management Console as an administrator.
5. Click Configuration > ADN > Routing > Server Subnets.
6. Click Help and make sure the settings are correct.
7. If the concentrator is being used as an internet gateway, click Configuration > ADN > Routing > Internet Gateway.
8. Click Help and make sure the settings are correct.
9. Repeat steps 4 through 8 on all concentrators that front servers the ProxyClient needs to access.

Any changes to the routing table (for example, adding server subnets) are received by the ProxyClient immediately.

If you suspect there are communication issues between the ProxyClient and the ADN manager(s) or concentrators, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.
The following information can be useful to isolate acceleration issues to a particular concentrator:
displays information about currently active sessions, including sessions with ProxyClients. Use a client IP address filter to view tunnels from a specific client. For more information, see "Viewing ProxyClient Active Session Statistics" on page 210.
To view related client statistics, see "Getting Acceleration Status from the Web Browser Window" on page 115.
- The Peer statistics link displays aggregate information per peer (client). For each peer, it shows byte cache information such as dictionary status and cache size.
- The tunnel connection link shows information for each active connection.
- The tunnel connection pool link shows information about idle tunnels. This corresponds to the idle tunnels displayed on the client's Network tab page.
- The dashboard link and other links display aggregate information for components such as tunnels and dictionary sizes.

"Starting the ProxyClient Web Browser Window"
"Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119
"About the Network Tab Page" on page 122
The Status tab page displays as follows if the ADN Manager is not reachable:
Status: Not Available
Hovering the mouse pointer over the Not Available link displays the following message:
Cannot accelerate: Not connected to Acceleration Network
If the ProxyClient shows that acceleration is enabled but that no routes are being accelerated, most likely the connectivity issue is with the ADN manager. However, if routes are advertised but connections are going direct to their destinations, there is likely an issue communicating with a concentrator.
To confirm the acceleration issue is due to loss of connectivity to the ADN manager or concentrator:
1. Ask the user to start the ProxyClient Web browser window as discussed in "Starting the ProxyClient Web Browser Window" on page 119.
2. Verify the Network tab page displays; if so, acceleration is enabled.
3. If the Network tab page does not display, click the Status tab.
   If the message Configuration error displays, no concentrators are advertising subnets to be accelerated. This indicates a configuration error on the concentrators. Verify the following:
   - Every concentrator fronting a server that accelerates traffic for ProxyClients uses managed ADN (that is, there is an ADN manager specified on each concentrator).
   - Verify the Client Manager specifies the same ADN manager as the concentrator. (Log in to the Client Manager's Management Console and click Configuration > ProxyClient > Acceleration > General and click Use ProxySG ADN Managers.)
   If the message Not Available displays, the ProxyClient has lost contact with the ADN manager. View the Admin Log on the client computer and, if necessary, request the user perform trace logging as discussed in "Performing Data Traces and Data Collection" on page 232.
4. Click the Network tab. If the Network tab page displays no subnets, most likely the error is caused by a loss of communication with the ADN manager. An example follows.
To confirm this is the case, click the Advanced tab and click View Log in the Diagnostic Tools section. The message Cannot connect to any ADN manager confirms the ProxyClient cannot connect to the ADN manager.
If Current Direct Connections is not zero, it means that a concentrator in the client's routing table is not reachable by the client. (The routing table is displayed in the Subnets section.) As long as that concentrator's IP address remains in the client's routing table, connections go directly to their destinations. If the client connects to a host that is not in the routing table, connections go directly to that host but are not counted as Current Direct Connections. An example follows.
For additional information about the direct connections, click the More Info link in the ADN Tunnels section and see "Network Tab Page: ADN Tunnels Section" on page 123.

"Network Tab Page: Configuration Section"
"Network Tab Page: ADN Tunnels Section" on page 123
"Network Tab Page: Subnets Section" on page 125
"Network Tab Page: Exempt Routes Section" on page 125
"Network Tab Page: Excluded Subnets Section" on page 126
The Primary ADN Manager and Backup ADN Manager (if any) display the IP addresses of the primary and backup ADN managers.
Ports can be either included in acceleration or excluded from acceleration (but not both), as follows:
- Included Ports displays specific ports that are accelerated; traffic on all other ports is not accelerated. The ports correspond to the following setting on the Client Manager's Management Console: Configuration > ProxyClient > Client Manager > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.
- Excluded Ports displays which ports are excluded from acceleration. The ports correspond to the following setting on the Client Manager's Management Console: Configuration > ProxyClient > Client Manager > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.

If there is a mismatch between the ports displayed on the ProxyClient and the ports configured on the Client Manager, make sure the ProxyClient is using the correct Client Manager. (Click the Advanced tab and review the information in the Client Manager section. You can change the Client Manager as discussed in "Changing the Client Manager" on page 229.) If the ports specified are incorrect, change them on the Client Manager and update the ProxyClient configuration (Advanced tab page, click Check for Updates Now).

Current Idle Tunnels: An idle tunnel is a connection, not currently in use, that was used at one time to accelerate network traffic. For performance reasons, the ProxyClient keeps open a certain number of idle tunnels; this is not unusual.

Current Direct Connections: A connection to an external resource (such as a Web site) that goes directly to its destination and is therefore not accelerated. A direct connection means the concentrator is in the client's routing table but the client cannot connect to the concentrator. (The client's routing table displays in the Subnets section on the Network tab page.) A non-zero Current Direct Connections count means the ADN manager has the concentrator in its routing table but the ProxyClient cannot contact the concentrator. If the ADN manager removes the concentrator from the routing table, connections to servers fronted by that concentrator go direct to their destinations but the Current Direct Connections count does not increment. In other words, these connections bypass the client entirely.
A row displays with alternating white and gray backgrounds as long as the connection is open. A row displays with a green background to indicate the ADN tunnel has been opened recently. A row displays with a red background to indicate the ADN tunnel is about to close.
Note: The View ADN Tunnels window displays current information, while the Status tab page displays information aggregated over a selectable time period.
The following table discusses the meanings of the columns on this page:
Column name: Description
PID: Process ID of the process listed in the next column.
Process Name: Name of the process that created the tunnel. A value of svchost.exe means this is a CIFS tunnel.
Client: The ProxyClient's IP address and the port over which the tunnel opened.
Server: The server's IP address and the port over which the server accepted the request.
ADN Next Hop: The IP address of the concentrator accelerating the network traffic.
Total Demand: The number of bytes sent and received by the applications running on the client's computer.
Actual Usage: The number of bytes sent over the WAN after acceleration was applied.
Details: Additional information about the connection; for example:
- CIFS: The connection uses CIFS. Provided CIFS protocol acceleration is enabled, the connection should be accelerated. (Log in to the Client Manager's Management Console and click Configuration > ProxyClient > Acceleration > CIFS.)
- CIFS Bypass or N/A: The CIFS connection is not optimized. The reason it was bypassed can be found in the admin log. In the ProxyClient Web browser window, click the Advanced tab and click View Log in the Diagnostic Tools section.
Savings: (Actual Usage / Total Demand) x 100.
Gain: Total Demand / Actual Usage expressed as a decimal.
This chapter discusses how to configure the Client Manager to provide the Blue Coat WebFilter service for ProxyClient users. Web filtering enables you to allow, block, or warn users about accessing content in categories you specify using any of the following:
- The Blue Coat WebFilter database categories
- Local database categories
- Policy categories (also referred to as custom categories)
- System and Default categories, which are discussed in more detail later in this chapter

For conceptual information about Web filtering, see "About ProxyClient Web Filtering" on page 19. This chapter discusses the following topics:

"Web Filtering Task Summary"
"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Blue Coat Web Filter Database (Optional)" on page 130
"Enabling the Use of the Local Database (Optional)" on page 133
"Setting Up ProxyClient Web Filtering" on page 135
"Working With Categories, Users, Groups, and Policy Actions" on page 141
"Web Filtering Best Practices" on page 155
"Displaying and Customizing Web Filtering Exception Pages" on page 157
"Enabling Web Filtering Logging" on page 159
"Configuring ProxyClient Web Filtering (CLI)" on page 165
"Options for Enabling Blue Coat Web Filtering" on page 129

3. Download the BCWF database or categories:
   - If the ProxySG is a dedicated Client Manager: "Entering BCWF Database Credentials" on page 135
   - If the ProxySG is a Client Manager and also performs in-office Web filtering: "Enabling the Blue Coat Web Filter Database (Optional)" on page 130
   Description: Set up updates for the BCWF database or categories; they must be updated on the Client Manager at least once every 30 days.
   Note: Although it is possible to enable other databases (for example, Internet Watch Foundation), only the following categories can be used by the ProxyClient:
   - Blue Coat Web Filter
   - Policy, such as VPM policy
   - The local database
   - System and Default categories
   Categories from other databases are not used by ProxyClient Web filtering.

4. Optional. "Enabling the Use of the Local Database (Optional)" on page 133
   Description: The local database is one way you can optionally create categories to whitelist or blacklist specific lists of URLs for your employees. You can also add policy categories (also referred to as custom categories) to set up whitelists and blacklists. For more information, see "Managing Policy Categories" on page 147.

5. Description: After you have the current BCWF database or categories, you can enable the ProxyClient to perform Web filtering.

6. "Working With Categories, Users, Groups, and Policy Actions" on page 141
   Description: Define categories of content you will allow users to access, block users from accessing, or warn users about accessing. You can fine-tune policy actions for individual users and user groups.

7. "Web Filtering Best Practices" on page 155
   Description: Information about how to best use Web filtering in your corporation.

8. "Displaying and Customizing Web Filtering Exception Pages" on page 157
   Description: Exception pages are displayed to users when they attempt to access content that the administrator chose to either block or to warn about. Blue Coat recommends you customize the default exception pages to provide users with more specific information.

9. Description: How to upload client Web filtering logs to an anonymous FTP server.
Regardless of whether you choose to download the entire BCWF database or only the categories, you must obtain a BCWF license, which entitles you to a BCWF user name and password. For more information, contact your Blue Coat representative. Because the BCWF database or categories must be updated at least once every 30 days, make sure the Client Manager is capable of accessing the Internet.
- If you are starting out configuring ProxyClient Web filtering, see "Setting Up ProxyClient Web Filtering" on page 135.
- To download the entire BCWF database, see "Enabling the Blue Coat Web Filter Database (Optional)" on page 130.
- To download only the BCWF database categories, see "Entering BCWF Database Credentials" on page 135.

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > General.
3. In the right pane, select the Enable check box for Blue Coat WebFilter.
4. Click Apply.
5. To download the BCWF database, on the Blue Coat WebFilter tab page, enter the following information:

   Option: Username field
   Description: Enter the user name provided with your BCWF subscription.

   Option: Change Password button
   Description: Click the button and follow the prompts on your screen to set or change your BCWF password.

   Option: URL field
   Description: Enter the URL provided with your BCWF subscription. Typically, the URL is: https://list.bluecoat.com/bcwf/activity/download/bcwf.db

6. Click Download Now. This starts the download process. Make sure you verify the download was successful as discussed in the next step.
7. Allow a few minutes for the download to complete and click Verify Download. The following table shows sample success messages.
Type of download: Full database
Success message:
    Blue Coat download at: 2009/09/11 23:28:00 +0000
    Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
    Requesting initial database
    Download size: 7507
    Database date: Fri, 11 Sep 2009 23:25:02 UTC
    Database expires: Tue, 19 Jan 2038 03:14:07 UTC
    Database version: 1
    Database format: 1.1

Success message:
    Blue Coat download at: 2009/09/11 16:00:41 +0000
    Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
    Requesting differential update
    Differential update applied successfully
    Download size: 3208
    Database date: Fri, 11 Sep 2009 15:50:05 UTC
    Database expires: Sun, 11 Oct 2009 15:50:05 UTC
    Database version: 292540200
    Database format: 1.1
The following table shows sample error messages with suggestions about how to correct the error.
Failure message: ERROR: Socket connect error
Suggested workaround: The Client Manager cannot contact the BCWF URL, most likely for any of the following reasons:
- The URL is incorrect. Click Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the URL field with the information provided with your Web filtering license. Try clicking Set to default and trying the download again.
- Network issues prevent the Client Manager from reaching the site. Using an SSH application, log in to the Client Manager and enter the following command at the command line:
    > ping list.bluecoat.com
  If you cannot ping the list.bluecoat.com Web site, check the configuration of routers and firewalls to make sure the Client Manager can reach the site.

Failure message: ERROR: HTTP 401 Unauthorized
Suggested workaround: Either the user name or password you specified is incorrect. Click Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the Username field. Click Change Password and enter your password again in the provided fields. When you are finished, click Apply.
For more information about other options, click Help or see the section on configuring Blue Coat Web filter in "Configuring Blue Coat WebFilter" on page 359 in the SGOS Administration Guide.
8. Select the Automatically check for updates check box.
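The success and failure messages above can also be checked mechanically, for example as part of routine monitoring of the 30-day update requirement. The following Python script is an added example, not part of the Blue Coat guide or product; it assumes the Verify Download text has been saved as plain text in the layout of the guide's samples, and the function names are illustrative.

```python
"""Flag failed or stale BCWF database downloads from saved Verify Download text."""
import re
from datetime import datetime, timedelta, timezone

# The guide requires an update on the Client Manager at least every 30 days.
MAX_AGE = timedelta(days=30)

# Status text taken from the guide's sample differential-update message.
SAMPLE_OK = """\
Blue Coat download at: 2009/09/11 16:00:41 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size: 3208
Database date: Fri, 11 Sep 2009 15:50:05 UTC
Database expires: Sun, 11 Oct 2009 15:50:05 UTC
Database version: 292540200
Database format: 1.1
"""

# One of the guide's sample failure messages.
SAMPLE_FAIL = "ERROR: HTTP 401 Unauthorized\n"

_FIELD = re.compile(r"^\s*(Database date|Database expires):\s*(.+?)\s*$", re.M)
_ERROR = re.compile(r"^\s*ERROR:\s*(.+?)\s*$", re.M)


def _parse_utc(value):
    """Parse a timestamp such as 'Fri, 11 Sep 2009 15:50:05 UTC'."""
    parsed = datetime.strptime(value, "%a, %d %b %Y %H:%M:%S UTC")
    return parsed.replace(tzinfo=timezone.utc)


def check_status(text, now):
    """Return a list of findings; an empty list means the download looks healthy."""
    findings = [f"download failed: {msg}" for msg in _ERROR.findall(text)]
    fields = dict(_FIELD.findall(text))
    if "Database date" not in fields:
        findings.append("no database date reported")
        return findings
    try:
        db_date = _parse_utc(fields["Database date"])
    except ValueError:
        findings.append(f"unreadable database date: {fields['Database date']}")
        return findings
    age = now - db_date
    if age > MAX_AGE:
        findings.append(f"database is {age.days} days old (limit {MAX_AGE.days})")
    expires = fields.get("Database expires")
    if expires:
        try:
            if _parse_utc(expires) <= now:
                findings.append(f"database expired on {expires}")
        except ValueError:
            findings.append(f"unreadable expiry date: {expires}")
    return findings


if __name__ == "__main__":
    for finding in check_status(SAMPLE_OK, datetime.now(timezone.utc)):
        print(finding)
```

Run against the 2009 sample with the current date, it reports the database as both older than 30 days and expired, which is the condition the automatic update check is meant to prevent.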
- The BCWF database
  For more information, see "Options for Enabling Blue Coat Web Filtering" on page 129
- The local database
  For more information, see "Enabling the Use of the Local Database (Optional)" on page 133
- Policy, such as VPM policy (including local, central, and forward policies)
  For more information, see "Managing Policy Categories" on page 147
- System categories (none and unavailable), which cannot be edited or deleted
  For more information, see "Configuring System and Default Policy Actions" on page 149
- The Default Action, which enables you to allow or block any content request that is not classified into any of the preceding categories
  For more information, see "Configuring System and Default Policy Actions" on page 149

"Creating the Local Database"
"Enabling the Local Database" on page 134
define category category-name
url1
url2
urln
end
define category category-name
url1
url2
urln
end

For example,

define category whitelist
www.cnn.com
www.webmd.com
end
define category blacklist
www.gambling.com
end

Each category can have an unlimited number of URLs.
2. Upload the text file to a Web server that the Client Manager can access.
3. Continue with "Enabling the Local Database".
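Because the local database is a hand-edited text file, it is worth checking before it is uploaded. The following Python linter is an added example, not part of the Blue Coat guide or product; it assumes the `define category <name> ... end` layout used in the guide's whitelist/blacklist example, and its function names and URL normalization rules are illustrative.

```python
"""Lint a local-database category file before uploading it to the Web server."""
from collections import defaultdict

# Constructed sample: the guide's example plus one deliberate conflict
# (www.cnn.com is in both lists, differing only in case and a trailing slash).
SAMPLE = """\
define category whitelist
www.cnn.com
www.webmd.com
end
define category blacklist
www.gambling.com
WWW.CNN.COM/
end
"""

KEYWORDS = {"define", "category", "end"}


def _tokens(text):
    """Yield (line_number, token); handles one entry per line or a flattened file."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for tok in line.split():
            yield lineno, tok


def parse_local_db(text):
    """Return ({category: [entries]}, [problem strings])."""
    categories, problems = {}, []
    current = None  # name of the category currently open, or None
    stream = _tokens(text)
    for lineno, tok in stream:
        word = tok.lower()
        if word == "define":
            if current is not None:
                problems.append(f"line {lineno}: 'define' before 'end' of {current!r}")
            _, kw = next(stream, (lineno, ""))
            _, name = next(stream, (lineno, ""))
            if kw.lower() != "category" or not name or name.lower() in KEYWORDS:
                problems.append(f"line {lineno}: expected 'define category <name>'")
                current = None
                continue
            if name in categories:
                problems.append(f"line {lineno}: category {name!r} defined twice")
            current = name
            categories.setdefault(name, [])
        elif word == "end":
            if current is None:
                problems.append(f"line {lineno}: 'end' without 'define'")
            elif not categories[current]:
                problems.append(f"line {lineno}: category {current!r} is empty")
            current = None
        elif current is None:
            problems.append(f"line {lineno}: entry {tok!r} is outside any category")
        else:
            categories[current].append(tok)
    if current is not None:
        problems.append(f"category {current!r} is never closed with 'end'")
    return categories, problems


def normalize(entry):
    """Comparison key (an assumption of this example): lowercase, no scheme, no trailing slash."""
    key = entry.lower()
    for scheme in ("http://", "https://"):
        if key.startswith(scheme):
            key = key[len(scheme):]
    return key.rstrip("/")


def find_conflicts(categories):
    """Return {normalized entry: [categories]} for entries listed in more than one category."""
    seen = defaultdict(set)
    for name, entries in categories.items():
        for entry in entries:
            seen[normalize(entry)].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    cats, probs = parse_local_db(SAMPLE)
    for problem in probs:
        print("structure:", problem)
    for key, names in find_conflicts(cats).items():
        print(f"conflict: {key} is listed in {', '.join(names)}")
```

An entry that appears in both an allow list and a block list is reported rather than resolved, since which rule wins depends on the policy configured on the Client Manager.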
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > General.
3. In the right pane, select the Enable check box next to Local Database.
4. Click Apply.
5. Continue with the next section.

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > Local Database.
3. In the right pane, enter or edit the following information:

   Option: Username field
   Description: Enter the user name required to access the local database, if any.

   Option: Change Password button
   Description: Click the button and follow the prompts on your screen to set or change your local database password.

   Option: URL field
   Description: Enter the URL to the local database.

4. Click Download Now.
5. To verify the download, click Verify Download.
6. Select the Automatically check for updates check box.
7. Click Apply.
8. Continue with "Setting Up ProxyClient Web Filtering" on page 135.
See Also
Section on configuring the local database in "Creating a Local Database" on page 366 in the SGOS Administration Guide.

"Entering BCWF Database Credentials"
"Enabling ProxyClient Web Filtering" on page 136
"About the Policy Tab Page" on page 139
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143
"Configuring Users and Groups" on page 144
"Managing Policy Categories" on page 147
"Configuring System and Default Policy Actions" on page 149
"Ordering Categories in the Rulebase" on page 150
"Configuring Other Web Filtering Options" on page 153

For an overview of the entire process, see "Web Filtering Task Summary" on page 128. Continue with "Enabling ProxyClient Web Filtering".
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > Blue Coat WebFilter.
3. On the Blue Coat WebFilter tab page, enter the following information:

   Option: Username field
   Description: Enter the user name provided with your BCWF subscription.

   Option: Change Password button
   Description: Click the button and follow the prompts on your screen to set or change your BCWF password.

   Option: URL field
   Description: Enter the URL provided with your BCWF subscription. Typically, the URL is: https://list.bluecoat.com/bcwf/activity/download/bcwf.db

"Web Filtering Task Summary" on page 128
"Options for Enabling Blue Coat Web Filtering" on page 129

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
   Under the Enable Web Filtering check box, one of the following messages might display. Use the following table to take the appropriate action:
Table 81 ProxyClient Web filtering status messages
Message: Meaning and suggested action

Blue Coat Web filtering is set up properly. Continue with Step 3 on page 138.
Select the Enable Web Filtering check box and click Apply. Other messages might display; if so, consult later rows in this table.
Your SGOS license is invalid or expired. Click the link to find more information.
You have not entered credentials required to download the BCWF database or categories to this ProxySG appliance.
Action: Use the following steps:
1. Click the link in the error message or click Configuration > Content Filtering > Blue Coat.
2. In the Username field, enter the Blue Coat Web Filter database user name provided with your Web filtering license.
3. Click Change Password.
4. In the provided fields, enter the Blue Coat Web Filter database password.
5. Click OK.
6. At the confirmation dialog, click OK.
7. Click Apply.
8. Click Download Now. This starts the download using the credentials you entered.
9. Click View Download Status to confirm the database downloaded successfully.
10. Click Configuration > ProxyClient > Web Filtering > Policy.
11. Clear the Enable Web Filtering check box and apply the change.
12. Select the Enable Web Filtering check box.

After you enable ProxyClient Web filtering, the Client Manager must download the BCWF database categories. During the time the categories are being downloaded, this message displays. This message does not display if you downloaded the entire BCWF database. For more information about the differences between downloading the database and only the database categories, see "Options for Enabling Blue Coat Web Filtering" on page 129.
If this message displays for an extended period of time, try the following:
1. Clear the Enable Web Filtering check box and apply the change.
2. Select the Enable Web Filtering check box and apply the change.
3. After you have successfully enabled the BCWF database with a valid license, continue with "About the Policy Tab Page" on page 139.
See Also
"Options for Enabling Blue Coat Web Filtering" on page 129

"General Settings Pane"
"All Categories Pane" on page 140
"Selected Category Rule Base Pane" on page 140

"Getting Started With Categories"
"Selecting Categories" on page 143
"Configuring Users and Groups" on page 144
"ProxyClient Web Filtering and Proxy Servers" on page 144
"Managing Policy Categories" on page 147
"Configuring System and Default Policy Actions" on page 149
"Ordering Categories in the Rulebase" on page 150
"Configuring Other Web Filtering Options" on page 153
If you are configuring ProxyClient Web filtering for the first time, you should complete the tasks discussed in the preceding sections in the order in which they are shown. If you are modifying an existing configuration, choose any task.
Note: Users and groups for ProxyClient Web filtering are validated against the user's cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects.

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
   On the Policy tab, the All Categories section displays the available category nodes:
   Blue Coat:
   Special categories (none and unavailable) that are discussed in more detail in Step 4 on page 149.
   Categories defined using policy (usually the Visual Policy Manager (VPM)).
3. Expand a node to display its categories.
4. Select the check box next to categories for which you want to set policy actions.

Note: If you are not familiar with ProxySG content filtering, refer to Chapter 18, Filtering Web Content, in the SGOS Administration Guide. Many Web sites generate more than one URL request, so it is possible that an allowed Web site might create other URL requests that are categorized differently, or are categorized as the System category none. For example, images and advertisements displayed on an allowed Web site are individually classified based on their URLs. Even if you allow users to access that Web site, each of the ads and images on the site can be blocked based on each URL's categorization.

5. Continue configuring ProxyClient Web filtering. If you are configuring ProxyClient Web filtering for the first time, complete the following tasks in the order in which they are presented. If you have already configured Web filtering and need to modify your previous choices, choose a task from the following list.
   "Selecting Categories"
   "Configuring Users and Groups" on page 144
   "Configuring System and Default Policy Actions" on page 149
   "Ordering Categories in the Rulebase" on page 150
   "Configuring Other Web Filtering Options" on page 153
Selecting Categories
This section discusses how to select categories to use to filter Web content for ProxyClient users. Select only the categories you wish to explicitly allow, deny, or warn users about accessing. If a user accesses content that is not associated with any categories you select, the policy action for Default Action is applied. For more information, see "Configuring System and Default Policy Actions" on page 149.

Prerequisites:
"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136

To select categories:
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. In the All Categories pane, expand Blue Coat.
   Note: If the Client Manager does not have a valid BCWF database, there are no BCWF categories and the following message displays on the Policy tab page:
   ProxyClient Web filtering is unavailable due to an invalid license. Please contact Blue Coat Support.
   Contact your Blue Coat representative for more information about getting a valid BCWF license.
4. Select the check box next to each category to enforce a policy action on that category. When you select a category, it automatically displays in the Selected Category Rule Base pane with a policy action the opposite of the Default Action category.
5. Repeat the preceding steps for the local and policy categories. If you have no policy categories defined, see "Managing Policy Categories". If you do not wish to configure or change your policy categories, skip the next section and continue with "Configuring System and Default Policy Actions" on page 149.
6. Apply policy actions to users and groups as discussed in "Configuring Users and Groups".
"ProxyClient Web Filtering and Proxy Servers"
"Prerequisites for Configuration Users and Groups" on page 144
"Procedure for Configuring Users and Groups" on page 145

"Enabling ProxyClient Web Filtering" on page 136
"Selecting Categories" on page 143

Note: Users and groups for ProxyClient Web filtering are validated against the user's cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects.

"About ProxyClient Web Filtering" on page 19
"Options for Enabling Blue Coat Web Filtering" on page 129
"ProxyClient Web Filtering and Proxy Servers" on page 144
"Prerequisites for Configuration Users and Groups" on page 144
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. On the Policy tab page, in the All Categories pane, select the check box corresponding to each category for which you will configure users and groups. When you select a category, the category name displays in the Selected Category Rule Base pane. The policy action is initially the opposite of Default Action. The Selected Category Rule Base pane initially displays the category with an associated policy action.
4. In the Selected Category Rule Base pane, you have the following options:
Action: Assign a policy action to everyone (that is, all users, all groups)
Description: From the Action list, click the policy action to apply. For more information about policy actions, see Table 82.

Action: Change the name of a user or group
Description: Click the field with the name you wish to change and enter a new name.

Action: Change the order of users and groups in the rulebase
Description: "Ordering Categories in the Rulebase" on page 150

In the provided field, enter the name of the user or group to which to apply the policy action in any of the following formats:
- Fully qualified account names (for example, domain_name\user_name). Blue Coat recommends you do not use isolated names (for example, user_name).
- Fully qualified DNS names (for example, example.example.com\user_name).
- User principal names (UPN) (for example, someone@example.com).
If the user or group has been used before, click its name from the list.
3. From the Action list, click the appropriate policy action. For more information about policy actions, see Table 82.
4. Press Enter.

Action: Delete a user or group
Description: Click the name of the user or group to delete and click (delete user-group rule).
Policy action: Allow
Meaning: The request goes to its destination. An access log entry occurs for URL tracking and analyzing Web use (if the value of Log Exceptions Only on the Configuration > ProxyClient > Web Filtering > Log tab page is set to All).

Policy action: Block
Meaning: The blocked category exception page displays and the URL request is blocked. The exception is logged.

Policy action: Warn
Meaning: A warning exception displays. The user must click an acceptance link, which represents an acknowledgment that the content request might violate corporate Web use policy. If the user clicks the acceptance link, the request goes to its destination. The exception is logged.
Note: If a user clicks the acceptance link, the requested Web site will be accessible for 15 minutes. The accessibility time period is not currently configurable.
See Also
"Getting Started With Categories" on page 141

"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. Near the bottom of the All Categories pane, click Edit Categories. The Edit Categories dialog displays the currently configured category nodes (for example, Policy, Local, Blue Coat, and System).
   Note: You can manage only the Policy categories. With the exception of local categories (that come from the local database, if it is configured), the other categories cannot be changed.
4. In the Edit Categories dialog, expand Policy.
5. You have the following options:

Task: Add a policy category
Procedure:
1. Click Policy.
2. Click Add.
3. In the Object Name dialog, enter a name for the policy category.
4. Click OK.
5. Add URLs to the category as discussed later in this table.

Procedure:
1. Click the name of the category.
2. Click Rename.
3. In the Edit Locally defined category Object dialog, enter a new name for the policy category.
4. Click OK.
5. Optionally add URLs to the category as discussed later in this table.

Procedure:
1. Click the name of the category.
2. Click Remove. You are required to confirm the deletion.

Procedure:
1. Click the name of the category in which you want to edit the list of URLs.
   Note: You cannot add URLs to the Policy node. You must first create a category under that node as discussed earlier in this table.
2. Click Edit URLs.
3. In the Edit Locally defined category Object dialog, enter or edit the list of URLs, one URL per line.
4. Click OK.
See Also
"Configuring Users and Groups" on page 144
Many Web sites generate more than one URL request, so an allowed Web site might create other URL requests that are categorized differently, or are categorized as none. For example, images and advertisements displayed on an allowed Web site are individually classified based on their URLs. Even if you allow users to access that Web site, each of the ads and images on the site can be blocked based on each URL's categorization.
unavailable, a category that is used if all of the following are true of a particular URL request:
When WebPulse cannot be reached
When there is no match either in the local database (if enabled) or policy categories (if configured)

Default Action
The policy action for the Default Action category is used if a URL request is not classified into any of the categories in the Category Rulebase section. Use caution before setting the policy action of the Default Action category to block. If Default Action is set to block, any URL that is not in a category that you specifically allow will be blocked.
Prerequisites:
"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. In the All Categories pane, expand System.
4. Select the check box next to the none or unavailable categories.

The following table discusses the meanings of policy actions for these categories.

System category: Policy action description
none: Set the policy action for Web sites that could not be categorized by the service point.
unavailable: Set the policy action for Web sites for which the ProxyClient could not reach WebPulse to determine a categorization. Typical reasons include local connectivity issues (for example, a personal firewall blocking the traffic or a machine that has no IP address).

5. When you are satisfied with your policy configuration, select the Enable Web Filtering check box.
6. Click Apply.
7. In the Selected Category Rulebase pane, from the Default Action list, click a policy action.
8. Click Apply.
9. Continue with "Ordering Categories in the Rulebase".
Prerequisites:
"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143
"Configuring System and Default Policy Actions" on page 149

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. In the Selected Category Rule Base pane, click the name of a category to move.
4. Click one of the following buttons:

Table 83 ProxyClient Web filtering category ordering buttons
Button: Meaning
Move the selected category up one position in the rulebase hierarchy. Use this button to move a more restrictive category and action before a less restrictive category and action.
Move the selected category down one position in the rulebase hierarchy. Use this button to move a more general category and action after a more restrictive category and action.
Move the selected category and action to the top of the rulebase hierarchy. Use this button to move a very specific category and action to the top of the rulebase.
Move the selected category and action to the bottom of the rulebase hierarchy.
The rulebase hierarchy is the structure of categories, users, and groups in the rulebase. If you click the name of a category, you can reorder the category (including its users and groups) among the other categories. If you click the name of a user or group, you can reorder that user or group among the other users and groups in that category only.
The buttons shown in Table 83 enable you to move users, groups, or categories in the hierarchy. An example is shown in the following figure.
To move users and groups under Blogs/Personal Pages, click the name of a user or group and click one of the buttons shown in Table 83.
To move the entire category, click the name of the category and click one of the buttons shown in Table 83.
Because the Brokerage/Trading category has no users or groups, you can order it among the other categories only.
5. Continue with "Configuring Other Web Filtering Options". If you have already configured options for license expiration, HTTPS filtering, and safe search, continue with one of the following sections:
"Web Filtering Best Practices" on page 155
"Displaying and Customizing Web Filtering Exception Pages" on page 157
"Enabling Web Filtering Logging" on page 159
On license expiration, which sets the behavior of ProxyClient Web filtering in the event the BCWF license expires on the Client Manager
HTTPS filtering, which determines whether or not Web filtering policy actions are applied to HTTPS content
Safe search, which determines whether or not ProxyClient users are required to use safe search with supported search engines.

Prerequisites:
"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143
"Configuring System and Default Policy Actions" on page 149

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy. The options discussed in this section are in the General Settings section of the Policy tab page.
Option: On license expiration
Description: Select the action to take if the BCWF license expires (usually because the database has not been updated in a 30-day period):
Allow All: Users are allowed to browse anywhere; in other words, content is not filtered. Select this option if user Web access is more critical than filtering or security.
Block All: Users are not allowed to browse to any Web page. A Service Unavailable exception displays in the user's Web browser. Select this option if security is your primary concern.

Option: Safe search
Description: Select this check box to force a search engine that supports Safe Search to enable its strictest search filter; however, the quality of the filtering is based on the search engine's built-in capabilities. The same search string entered on one search engine might yield different results when entered on another search engine (including returning varying levels of inappropriate content). Safe Search is supported on the following search engines: Google, A9, Altavista, Microsoft Bing, Yahoo, Ask, and Orange.co.uk. With safe search enabled, the search engine Web page displays Safe Search ON, Family Filter On, Safe Search Strict, or another engine-specific string. Clear this check box if you do not wish to enforce Safe Search.

Option: Enable HTTPS filtering check box
Description: Select this check box to use Web filtering when the content request is sent over an SSL connection using the default port 443. For exceptions to this behavior, see the ProxyClient Release Notes. Clear this check box to not filter HTTPS traffic if certain browsers are used.
See Also
"About ProxyClient Web Filtering" on page 19
"Web Filtering Best Practices" on page 155
"Displaying and Customizing Web Filtering Exception Pages" on page 157
"Enabling Web Filtering Logging" on page 159
"Configuring ProxyClient Web Filtering (CLI)" on page 165
Set the policy action for the System > unavailable category to Block. This prevents any possibility of Internet access in the event Internet access (specifically, access to WebPulse) is temporarily prevented because a personal firewall blocks the ProxyClient service, a temporary network outage occurs, or users attempt to disable or stop the ProxyClient service. Any of these might result in WebPulse appearing to be unavailable for a period of time.
Some software update sites will be blocked if the Business/Economy category is set to Block or Warn. For example, Java updates would fail because the Java update site is rated as Business/Economy. Either allow the Business/Economy category or add the software update Web sites to a custom category (using either the local database or VPM), set its policy action to Allow, and order the rule before the Business/Economy category.
Because a particular URL might be listed in more than one category, policy action conflicts can occur.
In the case of a conflict between policy actions, the policy action associated with the first rulebase match is applied. For example, suppose the same URL (www.example.com/news) is listed in two categories. One category has a policy action of allow and the other category has a policy action of block.
In the table that follows, www.example.com/news is in both the Blogs/Personal Pages and News/Media categories. The following table shows how the conflict is resolved.
Rulebase configuration: Policy action
Because News/Media is first in the rulebase and its policy action is block, www.example.com/news is blocked except for users in the BLUECOAT\Managers group, for which it is allowed.
Because Blogs/Personal Pages is first in the rulebase and its policy action is allow, www.example.com/news is allowed except for users in the BLUECOAT\Users group, for which it is blocked.

disabled, a branch ProxySG performs Web filtering. For more information about configuring a branch ProxySG to perform Web filtering, see TBD.

Blue Coat recommends you order Web filtering rules in the category rulebase as follows:
1. Whitelist overrides (that is, local database and policy categories you always want to allow)
2. Blacklist overrides (that is, local database and policy categories you always want to block)
3. All other categories with policy action set to block
4. All other categories with policy action set to warn
5. All other categories with policy action set to allow
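The first-match conflict resolution and the recommended rule ordering described above can be modeled in a few lines; this is an added example, not Blue Coat's code. The Rule and Decision types, the source field, the tier numbers, the "Software Updates" category name, and the assumptions that user/group rules inside a category are also evaluated top to bottom and that the rating step reports none or unavailable as the URL's category are illustrative.

```python
"""Model of first-match rulebase evaluation (added example, not ProxyClient code)."""
from dataclasses import dataclass, field

ALLOW, WARN, BLOCK = "allow", "warn", "block"


@dataclass
class Rule:
    category: str
    action: str               # policy action for users with no user/group rule
    source: str = "bluecoat"  # assumed labels: "bluecoat", "system", "policy", "local"
    # Ordered (user_or_group, action) pairs; the first one the user belongs to wins.
    user_group_rules: list = field(default_factory=list)


@dataclass
class Decision:
    action: str
    category: str    # category whose rule decided, or "Default Action"
    matched_on: str  # "category", a user/group name, or "default"


def evaluate(rulebase, default_action, url_categories, principals):
    """Walk the rulebase top to bottom and apply the first rule whose category
    is among the URL's categories; otherwise fall back to the Default Action."""
    cats, members = set(url_categories), set(principals)
    for rule in rulebase:
        if rule.category not in cats:
            continue
        for who, action in rule.user_group_rules:
            if who in members:
                return Decision(action, rule.category, who)
        return Decision(rule.action, rule.category, "category")
    return Decision(default_action, "Default Action", "default")


def tier(rule):
    """Position of a rule in the recommended ordering (1 = nearest the top)."""
    override = rule.source in ("policy", "local")
    if override and rule.action == ALLOW:
        return 1  # whitelist overrides
    if override and rule.action == BLOCK:
        return 2  # blacklist overrides
    return {BLOCK: 3, WARN: 4, ALLOW: 5}[rule.action]


def ordering_violations(rulebase):
    """Return (earlier, later) category pairs that break the recommended order."""
    return [(a.category, b.category)
            for i, b in enumerate(rulebase)
            for a in rulebase[:i]
            if tier(a) > tier(b)]


# Constructed sample data mirroring the www.example.com/news conflict table.
MANAGERS, USERS = r"BLUECOAT\Managers", r"BLUECOAT\Users"
NEWS = Rule("News/Media", BLOCK, user_group_rules=[(MANAGERS, ALLOW)])
BLOGS = Rule("Blogs/Personal Pages", ALLOW, user_group_rules=[(USERS, BLOCK)])
NEWS_FIRST = [NEWS, BLOGS]
BLOGS_FIRST = [BLOGS, NEWS]
URL_CATEGORIES = ["Blogs/Personal Pages", "News/Media"]

# Hypothetical custom category for software update sites (policy category).
UPDATES = Rule("Software Updates", ALLOW, source="policy")
BUSINESS = Rule("Business/Economy", BLOCK)
# System category selected into the rulebase with a block action.
UNAVAILABLE = Rule("unavailable", BLOCK, source="system")

if __name__ == "__main__":
    for name, rulebase in (("News/Media first", NEWS_FIRST),
                           ("Blogs/Personal Pages first", BLOGS_FIRST)):
        for group in (MANAGERS, USERS):
            print(name, group, evaluate(rulebase, BLOCK, URL_CATEGORIES, [group]))
        print(name, "ordering violations:", ordering_violations(rulebase))
```

Running ordering_violations over an exported rulebase flags cases such as a Business/Economy block placed above a custom allow category for update sites, which is the failure described in the best practices above.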
See Also
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143
Some Web browsers: The exception page displays in the same browser window as the request.
All other Web browsers: The exception page displays in a new browser window.
For up-to-date information about Web browsers and their behavior with HTTPS filtering, see the ProxyClient Release Notes.
To enable HTTPS filtering, in the Client Manager's Management Console, click Configuration > ProxyClient > Web Filtering > Policy, and select the Enable HTTPS Filtering check box. Click Help for more information.
Blue Coat provides default exception pages for the following occurrences:
Blocked content: When a user requests content that violates (matched by category) enterprise Web use policy, the following message displays in the Web browser:
Your request was denied because of its content categorization:
Category: offending_category_name
URL: requested_URL
Warn: When a user requests content that might violate enterprise Web use policy (for example, you chose a policy action of Warn for the Search Engine/Portals category, and you want to coach a user regarding Web use policies), the following message appears in the browser:
It may violate company policy to visit this site.
Category: Search Engine/Portals
URL: www.google.com
Click here to continue anyway.
The last line, available only (by default) on the Warn exception page, is a link that users click to acknowledge the warning and proceed with the content request. If they elect to opt out of this request, they must navigate to another page, click the Back button on the browser, or exit the browser.
Unavailable rating service: If a user requests a URL that is not already categorized, and ProxyClient cannot connect to WebPulse, the following message displays in the browser:
The Blue Coat Web Filter Service point could not be reached. This may be due to a networking error.
Users are not allowed to retrieve Web content until a rating service is reached (unless the System > unavailable category is set to Allow). Typical reasons why WebPulse might be unreachable include local connectivity issues (for example, a personal firewall blocking the traffic or a computer with no IP address). If you decide to change or add to the default text, each exception page is customizable using the Management Console or the command line.
To customize exception pages:
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Exceptions.
3. Customize exception pages:
a. From the Exception page for list, select a page to customize:
Block:
Warn: Display text to inform users that the content they are requesting might violate Web use policy. Users must click a link to acknowledge this warning before receiving the content.
Unavailable:
b. Customize the Web page header and body text. The Substitution Variables field provides variables you can insert to display content information:
url:
cs-categories: A full list of all category ratings assigned to the Web site. Many Web sites have more than one rating.
cs-categories-exception: The category that caused the exception (the first one matched in the rulebase).
override-url: Applies to the Warn exception page only. This is used if you change the Continue anyway link to something else, such as a button. It will be substituted with the URL that must be pulled through an HTML request to visit the page that was blocked by the exception.
To add a variable to the custom message, insert the cursor in the HTML code where you want the variable to be, select a variable, and click Insert. You can add as many variables as you want.
c. Click Apply.

"About Web Filtering Logging"
"How to Enable Web Filtering Logging" on page 160
"Configuring Clients That Require a Proxy to FTP Logs" on page 163
"Interpreting the Log Files" on page 163
Note: Because log files are uploaded using anonymous FTP, Blue Coat strongly recommends you put your FTP server behind the corporate firewall. In addition, configure the FTP server as follows:
To prevent the possibility of data loss, do not allow file overwrites.
For security reasons, do not allow files on the FTP server's upload directory to be browsed.
The FTP server must support passive FTP clients. Active FTP is not supported (in other words, log uploads will fail).
If the FTP server is deployed behind a firewall, the firewall must be configured to allow FTP data connections over TCP ports greater than 1024.
Placing an FTP server outside the firewall has the advantage that even mobile users can upload log files to it; however, it exposes the server and your company to potentially serious malicious activity.

Length of time since the last upload
Size, in MB, of the current log file

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Log. The Log tab displays.
3. Select the Enable Logging check box.
4. Click one of the following logging options:

Option: Description
Log All: Log all Web browsing activity.
Log Exceptions Only: Add a log entry only when a policy exception occurs (blocks, warnings, and rating service unavailability).

5. In the FTP Server Connection section, enter or edit the following information:

Option: Description
Settings for list
Hosts field: Enter the FTP server's fully-qualified domain name or IP address. Do not precede the name with ftp:// or uploads will fail.
Port field: Enter the FTP server's listen port. The default is port 21. Make sure your firewall allows FTP traffic through this port, and change the port from the default only if your firewall and FTP server are configured accordingly.
Path field: Enter the relative path on the server to write the log files. You can optionally precede the relative path with the / character; uploads will succeed whether or not the first character is /. Examples:
/path/to/log/directory
path/to/log/directory
To upload logs to the FTP server's home directory, leave the field blank.
Note: Entering / in the field (with no path following the / character) causes uploads to fail.
6. Choose options that determine when files are uploaded from the ProxyClient computer to the FTP server. You can choose either a time interval or the total size, in MB, the current log file occupies on the client computer. If a mobile or offsite user is away from the network for an extended period of time and the threshold values are exceeded, an upload occurs as soon as possible. Enter or edit the following information:

Option: Upload periodically every
Description:
Hours field: Enter the maximum number of hours to wait before attempting to upload logs from the ProxyClient computer to the FTP server.
Minutes field: Enter the maximum number of minutes to wait before attempting to upload logs from the ProxyClient computer to the FTP server.
Note: If you enter a non-zero value for both Hours and Minutes, the total amount of time is used. For example, if you enter 24 Hours and 10 Minutes, the client waits 24 hours and 10 minutes to upload log files.

Option: Start an early upload if log reaches
Description: Enter the minimum log file size, in megabytes, to trigger a log file upload. This value takes precedence over the value you entered in the preceding field. In other words, if you specify 24 hours in the preceding field and 10 megabytes in this field, and the current log file reaches 10 megabytes after only 10 hours, the ProxyClient attempts to upload its log files to the FTP server.

7. Click Apply.
8. Continue with "Configuring Clients That Require a Proxy to FTP Logs".
Note: Make sure the system clock of all ProxyClient computers is synchronized with the Client Manager's clock. (You can do this by configuring them to use the same time standard, such as NTP.) Failure to do so will result in inaccurate log upload times and log ages.
Field: Description
Date stamp in Universal Time Code (UTC) format.
Time stamp.
Client's IP address.
c-username: Client's login user name.
x-cs-auth-domain: Client's domain name (if available).
c-computername: Client's computer name.
x-exception-id: One of the following:
- if the content is allowed.
content_filter_warned if the policy action is warn.
content_filter_denied if the policy action is block.
cs-categories: Semi-colon-delimited categories for the content request.
cs-categories-exception: The first category match; in other words, the category on which the policy action shown by x-exception-id is based.
cs(Referer): Referring URL, if any.
cs-method: The method used in the content request (for example, GET).
The URI's scheme (http or https).
The host portion of the URI.
The port used to access the URI.
The path relative to cs-host. If cs-uri-scheme is https, this field is blank.
cs-uri-query: Query string, if any. If cs-uri-scheme is https, this field is blank.
cs-uri-extension: File extension of the object.
cs(User-Agent): Information about the Web browser that requested the object.
r-ip: Web server's public IP address.
In the preceding example, user joe.jones requested content from http://www.mazdausa.com and the content was blocked. The content was categorized as Vehicles, was requested by Internet Explorer 7, and was delivered from a Web server with public IP address 129.33.107.81.
1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) command prompt, enter web-filtering.
3. Configure Web filtering settings:

#(config proxy-client web-filtering) disable
#(config proxy-client web-filtering) enable
#(config proxy-client web-filtering) default-action {allow | block}
#(config proxy-client web-filtering) {allow category_name | block category_name | warn category_name}
#(config proxy-client web-filtering) {promote category_name | demote category_name}
#(config proxy-client web-filtering) {promote-to-top category_name | demote-to-bottom category_name}
#(config proxy-client web-filtering) failure-mode {open | closed}
#(config proxy-client web-filtering) safe-search {disable | enable}
#(config proxy-client web-filtering) https-filtering {disable | enable}
#(config proxy-client web-filtering) user-group-rules category_name
#(config proxy-client web-filtering category_name) {allow user_group_name | block user_group_name | warn user_group_name}
#(config proxy-client web-filtering category_name) {promote user_group_name | demote user_group_name}
#(config proxy-client web-filtering category_name) {promote-to-top user_group_name | demote-to-bottom user_group_name}
#(config proxy-client web-filtering category_name) clear user_group_name
#(config proxy-client web-filtering category_name) exit
#(config proxy-client web-filtering category_name) view
#(config proxy-client web-filtering) inline exception {block | allow | warn} data end-of-file-marker
#(config proxy-client web-filtering) log
#(config proxy-client web-filtering log) {disable | enable}
#(config proxy-client web-filtering log) early-update megabytes
#(config proxy-client web-filtering log) periodic-upload upload-interval hours [minutes]
#(config proxy-client web-filtering log) ftp-client {alternate | primary} host hostname port
#(config proxy-client web-filtering log) mode {all-requests | exceptions-only}

"Overview of Web Filtering Troubleshooting"
"More Information About Web Filtering Troubleshooting" on page 167
"Getting Detailed Diagnostics" on page 170
"Using the ProxyClient Web Browser for Troubleshooting" on page 213
"Troubleshooting ProxyClient Installation and Operation" on page 214
"Troubleshooting ProxyClient Acceleration" on page 115
"Other ProxyClient Troubleshooting Tools" on page 224

"Getting Web Filtering Status from the Web Browser Window" on page 166
"Using the Client Manager for Acceleration Troubleshooting" on page 118
Figure 81
If Web filtering is enabled and running, Running displays in the Filtering Statistics section heading and the statistics increment as the user browses the Web.
Note: In Figure 81, only Web filtering is enabled. If acceleration is also enabled, the Status tab page also displays the Acceleration Statistics section as shown in Figure 71 on page 116.
The following table lists the meanings of other status messages for Web filtering:
Status message: Meaning
Disabled due to Location: Web filtering is disabled in the client's current location. For more information about locations, see Chapter 6: "Configuring ProxyClient Locations".
Web filtering auto-detection is being used so that a Web filtering ProxySG appliance is performing Web filtering for the client. For more information, see "Configuring Web Filtering Auto-Detection" on page 100.
The service that Blue Coat Web filtering uses to get ratings for Web sites is not reachable. As a result, the policy action for the unavailable category is being used.
Not Available: Status is not available because the ProxyClient cannot contact the Client Manager. See "Client Manager Communication Troubleshooting Suggestions" on page 215.
Unlicensed: The Web filtering license on the Client Manager is invalid. To verify this is the case, log in to the Client Manager's Management Console as an administrator and click Configuration > ProxyClient > Web Filtering > Policy. If the message Web Filtering License: Invalid displays below the Enable Web Filtering check box, you know your license is invalid. Contact your Blue Coat representative or Blue Coat Support to resolve the issue.
The Web filtering driver is missing or not functioning properly. See "Web Filtering Internal Service Error" on page 169.
For more detailed information, see "More Information About Web Filtering Troubleshooting" on page 167.

"Why Are Users Receiving Blocked or Warn Messages For No Justifiable Reason?"
"ProxyClient Web Filtering Licensing" on page 169
"Disputing URL Categorizations For ProxyClient" on page 169
"Getting Detailed Diagnostics" on page 170
Why Are Users Receiving Blocked or Warn Messages For No Justifiable Reason?
The most common message you are likely to receive from your users is that ProxyClient is denying them access to a Web site that they feel does not violate Web-use policy. The first step is to understand why the page is blocked or warned:
The rating server returned a category that resulted in a block action. The exception page, admin log, and Most Recent Events list display the category that caused the block action.
The rating server did not return a category, and the none system category is configured with a block action.
WebPulse is not available, and the unavailable system category is associated with a block action. WebPulse might be unavailable because of networking and configuration issues. Also make sure personal firewall software on the ProxyClient computer is not blocking the ProxyClient service.
License expiration is fail closed and the Client Manager is not licensed for ProxyClient Web Filtering or does not have a current BCWF database. ProxyClient displays Not licensed as the Web Filtering status on the Status tab page.
Some images on requested pages do not display. This is most likely caused by subsequent requests on an allowed Web page falling into a blocked category. (For example, a section or portlet on an allowed Web page might contact a prohibited site for an advertisement.) Advise your users this is expected behavior.
More detailed information for most of these events can be retrieved by activating the Advanced Web Filtering Admin Log (see "Instructing Users to Perform Data Traces" on page 233). Various actions to remedy unjustified block (and warn) actions are available, depending on the reason for the block action:
Add a URL to a custom category or local database that is associated with an allow action (that is, create a whitelist). Move this category above the category that is causing the block action. This causes the allow action to be processed first.
You also have the option to disagree with the rating decision made by BCWF and submit a request for categorization change. See "Disputing URL Categorizations For ProxyClient" on page 169.
Consider modifying the rule base, allowing the blocked category, allowing none or unavailable categories, or changing the unlicensed behavior to fail open. This option is valid if you are authorized to change the corporate compliant browsing policy.
Fix the license violation. See "ProxyClient Web Filtering Licensing" on page 169.

The Web Page Review Process page displays.
2. In the field, enter the URL to be reviewed and click Submit.
3. On the second Web Page Review Process page, select Blue Coat ProxyClient from the Filtering Service drop-down list.
4. From the first What category or categories does this site belong to? drop-down list, select the category you believe the site belongs to. You can optionally select a secondary category (for example, if your Web filtering policy allows one category, but not the other).
5. (Optional) Select Please send results of the Site Review via email if you want Blue Coat to notify you of the submission verdict.
6. In the Comments and Site Description field, enter a detailed message to Blue Coat site reviewers explaining your reason for this submission.
7. Click Submit.
filtering is enabled, it is possible the user tampered with the Web filter driver. To confirm this might be the case, look for the Internal Service Error as discussed in the preceding paragraph.) A likely reason for the driver not loading is user tampering; for example, deleting or renaming the driver:
proxyclient-install-dir\drivers\proxyclientwebfilter.sys
Note: To prevent users from renaming or deleting ProxyClient drivers, configure an uninstall password as discussed in "Configure an uninstall password." on page 63.
To make sure it is not a configuration issue, in the ProxyClient Web browser window, click the Advanced tab and click Check for Configuration Updates Now. If that does not resolve the problem, view the Admin log or enable trace logging for Web filtering as discussed in "Performing Data Traces and Data Collection" on page 232. The Admin log displays the following messages to indicate the Web filtering driver did not load:
Failed to start web filter, error 4112
Error starting web filtering module: Internal Error
Error initializing web filtering driver: 4112. Please restart your computer. If you continue to experience this problem, contact your administrator.
"ProxyClient Software Distribution Prerequisites"
"Overview of Distributing the ProxyClient Software" on page 173
"Preparing Interactive Installations" on page 174
"Preparing Silent Installations and Uninstallations" on page 181
"Using Group Policy Object Distribution" on page 193

Upgraded the ProxySG appliances in your network to versions compatible with the ProxyClient as discussed in "ProxyClient Compatibility with SGOS" on page 71.
Uploaded the current version of ProxyClient software to the Client Manager as discussed in "Uploading the ProxyClient .car File to the Client Manager" on page 87.

"Overview of Distributing the ProxyClient Software"
"Preparing Interactive Installations" on page 174
"Preparing Silent Installations and Uninstallations" on page 181
"Using Group Policy Object Distribution" on page 193

Interactive installations started from:
A command line on the user's machine
The Client Manager

Silent installations
For more information, see "Preparing Silent Installations and Uninstallations" on page 181

Windows Group Policy Object distribution
For more information, see "Using Group Policy Object Distribution" on page 193
Windows System Center Configuration Manager (SCCM), previously referred to as Systems Management Server (SMS), distribution
For more information about SCCM or SMS, consult the documentation provided with your SCCM or SMS server.
Important:
Users can install the ProxyClient software either by downloading from the Client Manager, or manually by running from a command line, as shown in the following table:
ProxyClient Installation Options
Description Provide users the URL to ProxyClientSetup.exe, which displays on the Client Manager tab page when you click Configuration > ProxyClient > General > Client Software.
ProxyClientSetup.exe downloads and runs ProxyClientSetup.msi on the client machine. Users see
the installation in progress and have the option of canceling the installation. For more information about this installation method, see "Interactive Installations from the Client Manager" on page 175.
174
Table 91
Description To install ProxyClient using ProxyClientSetup.msi, users must first download it to the client machine, then execute it from the command line as discussed in "Interactive Manual Installations" on page 180. Note: For a complete discussion of
ProxyClientSetup.msi command-line parameters, see
"Preparing Silent Installations and Uninstallations" on page 181. Note: Users who run the ProxyClient setup application must be in the Administrators group on the client machine. Also, although it is possible for users to run the .msi, it is not recommended because the installation will fail unless the user provides parameters on the command-line (for example, BCSI_UPDATEURL).
Send users an e-mail with the URL to ProxyClientSetup.exe on the Client Manager. The URL displays on the ProxyClient > Client Manager > Client Manager tab page.
To install the ProxyClient using this method:
1. Get the URL or location from which you access ProxyClientSetup.exe.
2. Click the URL in an e-mail or enter it in your browser's address field.
3. ProxyClientSetup.exe starts the setup application, ProxyClientSetup.msi, that installs the ProxyClient software. The following dialog displays if you use Internet Explorer 7:
4. Click Run. The following dialog displays if your browser is Internet Explorer 7:
not signed. This is because ProxyClientSetup.exe is unique to each Client Manager, which in turn makes signing it by a recognized certificate authority difficult.
5. Click Run. The ProxyClient software download begins. During the download, a progress dialog similar to the following displays:
6. Click Next.
7. The Destination Folder dialog allows you to determine the folder location to which ProxyClient is installed. Blue Coat recommends that you install to the default directory: c:\Program Files\Blue Coat\Proxy Client.
To accept the default, click Next and proceed to Step 8.
To install to a directory of your choosing, click Change. The Change Current Destination Folder dialog displays. Click the icons to navigate to a folder and click Ok.
8. When you are satisfied with your installation preparation decisions, click Install. The Installing Blue Coat ProxyClient wizard dialog displays.
Click Yes to reboot the system immediately. Click No to reboot the system at a later time. Select this option to save work before you reboot.
9. After the machine reboots, verify the state of the ProxyClient as discussed in "ProxyClient Tray Icon States and Meanings" on page 222.
Provide a location from which the user can download ProxyClientSetup.msi to the client machine; for example, provide the user the URL to the Client Manager.
Important:
Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.
Do not edit ProxyConfig.xml on the client machine; instead, click Check for Updates Now on the Advanced tab page in the ProxyClient Web browser window to get updates from the Client Manager.
1. Download ProxyClientSetup.msi to a location on the local file system.
2. Perform either of the following:
Select Start > Run, then enter the command shown in step 3.
Open a DOS command prompt window and change to the directory to which you downloaded ProxyClientSetup.msi.
where path is the absolute file system path to ProxyClientSetup.msi (if necessary), url-to-config.xml is the URL to ProxyConfig.xml on the Client Manager.
This URL displays when you select ProxyClient > Client Manager and click the Client Manager tab as discussed in "Designating a ProxySG as the Client Manager" on page 81. For example,
Note:
If the Client Manager is not available, the installation succeeds and the ProxyClient tries to contact the Client Manager every 10 minutes until the client gets a configuration. If Client Manager communication issues persist, see "Client Manager Communication Troubleshooting Suggestions" on page 215. Other command-line parameters are available. For a complete list, see "Preparing Silent Installations and Uninstallations" on page 181.
4. The installation proceeds as discussed in "Interactive Installations from the Client Manager" on page 175.
5. Verify the ProxyClient tray icon state as discussed in "ProxyClient Tray Icon States and Meanings" on page 222. If only Web filtering is enabled, you can verify the icon state immediately. If acceleration is enabled, you must reboot the computer first.

"About Silent Web Filtering Installations"
"Parameters for Silent Installations" on page 183
"Command for Silent Uninstallations" on page 188
"Example Installations and Uninstallation" on page 189
Important:
Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.
Do not edit ProxyClientConfig.xml on the client computer after it has been downloaded from the Client Manager. Instead, click Check for Updates Now on the Advanced tab page of the ProxyClient's Web browser window to get a configuration update.
For information about distributing the ProxyClient software using Group Policy Object, skip this section and see "Using Group Policy Object Distribution" on page 193.
Initial installation of ProxyClient version 3.2.
Upgrade to version 3.2 from an earlier version.
Upgrade from 3.2 to a later 3.2.x patch.
ProxyClient features enabled: Web filtering enabled, Acceleration disabled
Post-installation behavior: Web filtering continues to function as defined by policy; that is, categories that are blocked by policy remain blocked after the installation or upgrade.
If the ProxyClient tray icon is visible, a message displays to indicate the operation was successful.
If the ProxyClient tray icon is hidden, no message displays so the user is not aware the upgrade occurred. For more information about hiding the tray icon, see "Limiting ProxyClient Visibility and Interactivity" on page 190.

ProxyClient features enabled: Web filtering enabled and Acceleration enabled, or Web filtering disabled and Acceleration enabled
Post-installation behavior: If acceleration is enabled, the user must reboot their computer after an installation or upgrade, regardless of whether or not Web filtering is enabled. All existing connections are dropped during the installation or upgrade process and any new connections are accelerated after the computer is rebooted. If Web filtering is enabled, policies remain in effect during the upgrade process.
The following applies to the ProxyClient tray icon:
If the tray icon is visible, the user is prompted to reboot their computer after the installation or upgrade completes. The balloon message Disabled Until Reboot displays on the tray icon and in the Acceleration Statistics section on the Status tab page in the ProxyClient Web browser window.
If the tray icon is not visible, no prompt displays; however, acceleration is disabled until the computer is rebooted.
Note: The only way to downgrade from ProxyClient version 3.2 to version 3.1 is to uninstall version 3.2 and install the earlier version. For more information, see "ProxyClient Compatibility with SGOS" on page 71.
Continue with "Parameters for Silent Installations".

"Silent Installation Parameters"
"Example Installations" on page 189
"Example Uninstallation" on page 190
Parameter: /qf | /qb | /qr | /qn | /quiet
Description: Sets the user interface level (in other words, the extent to which the installer interface displays to the user).
/qf (fully visible and interactive, the default) enables the user to see and interact with the installer and to cancel the installation.
/qb (basic) /qr (reduced) enables the user to see and interact with
seeing or interacting with the installer and from canceling the installation.
Note: Because this is an msiexec parameter, other options are available. Enter msiexec at a command prompt for more information about other options.

Parameter: BCSI_UPDATEURL
Argument: url
Description: URL to ProxyClientConfig.xml on the Client Manager, which you can find as discussed in "Designating a ProxySG as the Client Manager" on page 81, entered in the following format:
https://client-manager-host:client-manager-port[/proxyclient/ProxyClientConfig.xml]

Installs all ProxyClient components, whether they are already installed or not. ALL is the only supported parameter value in this release.

Parameter: REINSTALLMODE
Argument: vamus
Description: Blue Coat recommends using vamus as the parameter value. Because this is an msiexec parameter, other options are available. For more information, see the description of the REINSTALLMODE parameter on the MSDN Web site.

Table 92

Parameter: AUTOUPDATEPROHIBITED
Argument: 0|1
Description: 0 (default) means the ProxyClient automatically implements software updates at the interval the administrator specified for software update interval in "Designating a ProxySG as the Client Manager" on page 81.
1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as SCCM, SMS, or GPO.
Note: Regardless of the value of this setting, the client always gets configuration updates at the next software update interval. Users can also get configuration updates manually.
Parameter: FORCEREBOOT
Argument: yes|no y|n
Description: yes or y mean the dialog displays with only a Restart Now button and a progress bar that increments until the computer reboots. (However, if REBOOTTIME=0, neither

Number of seconds after the ProxyClient installation completes before the user's machine is rebooted. A non-zero value means a counter displays on the post-installation reboot dialog. If FORCEREBOOT is set to no, this value is ignored. For more information, see "Example Installations and Uninstallation" on page 189. The default is 0.

Parameter: NOUISHORTCUT
Argument: 0 | 1
Description: Set to 1 to hide the Start menu option for the ProxyClient: Start > [All] Programs > Blue Coat ProxyClient > ProxyClient. To start the ProxyClient browser window, a user must double-click the ProxyClient shortcut located in %SystemDrive%:\Program Files\Blue Coat\ProxyClient.

Parameter: REGISTRYSETTINGS
Argument: name:datatype:value
Description: Colon-delimited, semicolon-separated list of registry settings to create for the client. For more information, see Table 93.

Parameter: /l*v
Argument: logfile
Description: If you want the installation to be logged, enter the absolute file system path and file name of the log file. The user installing the software must have permission to write to the indicated folder and the folder must be available during the installation; therefore, you should avoid specifying a network drive.

Parameter: LOG_APPEND
Argument: 0 | 1
Description: Set to 0 to overwrite the existing ProxyClient installer log file. Set to 1 to append to the existing ProxyClient installer log file. Default is 0.
Table 93 shows the available arguments for the REGISTRYSETTINGS parameter. This parameter sets the key name, data type, and value of ProxyClient registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\Proxy Client. On Windows 7 (64-bit), the registry settings are under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client. Examples of using these settings can be found in "Limiting ProxyClient Visibility and Interactivity" on page 190.
Important: Blue Coat strongly recommends testing these registry settings before deploying them in a production environment. Improper registry settings might cause the installation to fail or to not function as expected.
Table 93

Key name: CacheDirectory
Data type: REG_SZ
Value: Set the folder in which ProxyClient byte and CIFS cache files are stored. The directory you specify must already exist. For example,
REGISTRYSETTINGS="CacheDirectory:REG_SZ:D:\BCCacheDir"
By default, with no registry key specified, cache files are stored in the following folder:
Windows XP
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient

Key name: ChangeCMAllowed
Data type: REG_DWORD
Value: Allowed values: 0 | 1
Set to 1 to allow the user to change the Client Manager. For example,
REGISTRYSETTINGS="ChangeCMAllowed:REG_DWORD:1"
Set to 0 to prevent the user from changing the Client Manager. The default is 0.

Key name: DefaultWebPort
Data type: REG_DWORD
Value: Allowed values: 1024 through 65534 (inclusive)
If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000. Default is 8000. For more information, see "Changing the Default Web Server Port" on page 230.

Key name: TiNotVisible
Data type: REG_DWORD
Value: Allowed values: 0 | 1
Set to 1 to hide the ProxyClient system tray icon and all pop-up messages. For more detail about ProxyClient icon states, see "Limiting ProxyClient Visibility and Interactivity" on page 190. For example,
REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1"
Set to 0 to display the ProxyClient tray icon and pop-up messages. The default is 0.

Key name: TiNotVisibleForceUpdate
Data type: REG_DWORD
Value: Allowed values: 0 | 1
Set to 1 to force ProxyClient software updates on client computers without user interaction. This registry setting does not depend on the setting for TiNotVisible; in other words, setting the value of this key to 1 means clients always get updates regardless of whether or not the tray icon is hidden. For example,
REGISTRYSETTINGS="TiNotVisibleForceUpdate:REG_DWORD:1"
Set to 0 to apply ProxyClient software updates normally; that is, provided updates are allowed, users must install the updates manually. The default value is 0.
Note: Regardless of the value of this registry key, clients always get configuration updates automatically at the update interval you set using Configuration > ProxyClient > General > Client Manager. Clients can also get configuration updates manually at any time.
The string {D35B0C7A-4545-4A98-A810-3810B3FE25E5} identifies the ProxyClient installer's MSI product code. During uninstallation, the ProxyClient removes:
The SG Client (this is the pre-SGOS 5.3 version of ProxyClient).
All ProxyClient drivers, folders, files, the service, and so on.
ProxyClient cache files and the cache folder.
Additional examples are discussed in "Limiting ProxyClient Visibility and Interactivity" on page 190.
Important:
Do not edit ProxyClientConfig.xml on the client computer after it has been downloaded. Instead, click Check for Updates Now on the Advanced tab page of the ProxyClient's Web browser window to get updates.
Example Installations
Example 1: Basic manual installation:
ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=no REGISTRYSETTINGS="CacheDirectory:REG_SZ:D:\BCCacheDir"
The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters cause all ProxyClient components to install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. After the installation is complete, the user is prompted to reboot unless only Web filtering is enabled. The REGISTRYSETTINGS parameter locates the cache directory in D:\BCCacheDir. This directory must exist prior to the installation; otherwise, the default cache directory will be used.
Example 2: The user has the ability to change the Client Manager using the ProxyClient browser window:
ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes REBOOTTIME=30 REGISTRYSETTINGS="ChangeCMAllowed:REG_DWORD:1"
The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters make sure that all ProxyClient components install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. The REGISTRYSETTINGS parameter creates a registry key that enables users to change the Client Manager using the ProxyClient browser window (for more information, see "" on page 229). After the installation is complete, the user has the following options:
Wait 30 seconds for the machine to reboot.
Click Restart Now in the dialog to reboot immediately.
The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters make sure that all ProxyClient components install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. After the installation is complete, the user has the option to reboot unless only Web filtering is enabled.
Important:
The AUTOUPDATEPROHIBITED=1 argument prevents ProxyClient software updates only. Configuration updates are installed from the Client Manager at the next update interval after they are available.
Example Uninstallation
msiexec /X{D35B0C7A-4545-4A98-A810-3810B3FE25E5} /quiet PASSWORD=uninstall-password
The string {D35B0C7A-4545-4A98-A810-3810B3FE25E5} identifies the ProxyClient installer's MSI product code.
Registry keys and installer switches are discussed in more detail in "Command for Silent Uninstallations" on page 188. The following table shows the ProxyClient tray icon states and how they are affected by these settings:
Icon
Description Always displays Never displays Always displays to warn users about critical states or when user action is required (for example, to get software updates manually)
Warning state (for example, low disk space or updates are available)
Default:
TiNotVisible
Never displays; configuration updates are downloaded automatically but the user must install software updates manually. However, if software updates are disabled (AutoUpdateProhibited registry key set to 1), the user never gets software updates. The tray icon never displays.
Note: To enable users to get software updates if you hide the system tray icon or Start menu option, set the AutoUpdateProhibited registry key to 0. You can do this by editing the registry or by installing the ProxyClient software with the AUTOUPDATEPROHIBITED installer option absent or set to 0.
Example
The following example hides the system tray icon, and requires clients to accept software updates without interaction:
ProxyClientSetup.msi /qn BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1; TiNotVisibleForceUpdate:REG_DWORD:1"
Parameter: /qn
Description: Performs a non-interactive installation.

Parameter: BCSI_UPDATEURL=https://mysg.example.com:8084
Description: Specifies the URL from which clients obtain policy.

Parameter: REINSTALL=ALL REINSTALLMODE=vamus
Description: Installs all ProxyClient components, whether they are already installed or not. For more information, see the description of the REINSTALLMODE parameter on the MSDN Web site.

Parameter: FORCEREBOOT=yes
Description: Forces clients to reboot after installing the ProxyClient software.

Parameter: REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1; TiNotVisibleForceUpdate:REG_DWORD:1"
TiNotVisible:REG_DWORD:1
Description: Hides the ProxyClient system tray icon unless software updates are being downloaded. The icon also displays after the updates have been installed to indicate the computer must be rebooted.
TiNotVisibleForceUpdate:REG_DWORD:1
Description: Requires clients to accept software updates when they are available. User interaction is not permitted. However, if the AutoUpdateProhibited registry key is set to 1, it takes precedence and software updates are never downloaded.
1. Get an .msi transform tool, such as the Orca database editor. Orca is a table-editing tool available in the Windows Installer SDK that can be used to edit your .msi files. You can also use similar tools available from other vendors.
Note: Blue Coat does not recommend a particular transform tool.
For more information about Orca, see Microsoft KB article 255905. The remainder of this section assumes you use Orca. Consult the documentation provided with the transform tool you are using for vendor-specific instructions.
2. Open ProxyClientSetup.msi.
3. Perform the following changes to the Property table:
Note: Be advised, this action invalidates the signature on the MSI.
Table 94

Property: BCSI_UPDATEURL
Value: Required for all installations. URL to ProxyClientConfig.xml on the Client Manager, entered in the following format:
https://client-manager-host:client-manager-port[/proxyclient/ProxyClientConfig.xml]

Edit value
Required for all installations. Change the value from n to y. This value causes the user's machine to reboot after the ProxyClient is downloaded, which is required to use the ProxyClient.

Property: REINSTALL
Value: Add this row and set it to all only if you want to update the ProxyClient software and configuration using GPO. If clients get future ProxyClient software and configuration updates from the Client Manager, do not add this row.

Property: REINSTALLMODE
Add row
Value: Add this row and change it to vamus only if you want to update the ProxyClient software and configuration using GPO. If clients will get future ProxyClient software and configuration updates from the Client Manager, do not add this row.

Property: AUTOUPDATEPROHIBITED
Edit value
Value: Change the value from 0 to 1 only if you want to update the ProxyClient software in some way other than from the Client Manager, such as using SCCM, SMS, or GPO. (Configuration updates are obtained from the Client Manager whose URL is specified by the BCSI_UPDATEURL parameter discussed earlier in this table.)
1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as using SCCM, SMS, or GPO.
If clients will get future ProxyClient software updates from the Client Manager, leave this value at 0.
4. To implement registry changes discussed in Table 93 on page 187, use the following steps:
a. Add one row to the Registry table for every registry setting you wish to set.
b. In the Add Row dialog, enter the following information:

Field: Registry
Description: Enter a unique description of the registry entry. The value you enter is not written to the registry; it is used only to identify the entry. The value must begin with Registry. For example, Registry1.

Field: Root
Description: Enter 2.

Field: Key
Description: Enter the ProxyClient registry path relative to HKEY_LOCAL_MACHINE, Software\Blue Coat Systems\Proxy Client

Field: Name
Description: Enter the name of the registry key; see Table 93 on page 187.

Field: Value
Description: Enter the value of the registry key. Note: If the value is REG_DWORD, you must preface the value with the number sign (#). For example, a registry key value of 1 must be entered as #1.

Field: Component
Description: Enter ProxyClientSvc.exe.
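
A pre-deployment check for the silent-install parameters and REGISTRYSETTINGS entries of Tables 92 and 93, together with the mapping of those entries to the MSI Registry table rows described above. This is an added example, not Blue Coat code; the function names and the constructed bad command line are assumptions for illustration, and the https:// check reflects the URL format the page gives for BCSI_UPDATEURL.

```python
import re

# Registry path from the page, relative to HKEY_LOCAL_MACHINE (MSI Root value 2).
REG_KEY_PATH = r"Software\Blue Coat Systems\Proxy Client"

def is_flag(v):
    return v in ("0", "1")

def is_port(v):
    return v.isdigit() and 1024 <= int(v) <= 65534

# Keys, data types and allowed values as listed in Table 93 on this page.
TABLE_93 = {
    "CacheDirectory": ("REG_SZ", lambda v: bool(v)),
    "ChangeCMAllowed": ("REG_DWORD", is_flag),
    "DefaultWebPort": ("REG_DWORD", is_port),
    "TiNotVisible": ("REG_DWORD", is_flag),
    "TiNotVisibleForceUpdate": ("REG_DWORD", is_flag),
}

def parse_registry_settings(text):
    """Split 'name:datatype:value; ...' into (name, datatype, value) tuples."""
    entries = []
    for item in text.split(";"):
        if not item.strip():
            continue
        # Split on the first two colons only: a REG_SZ drive path has a colon of its own.
        parts = [p.strip() for p in item.split(":", 2)]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed entry {item.strip()!r}")
        entries.append(tuple(parts))
    return entries

def check_entry(name, dtype, value):
    """Return a finding string for one entry, or None when it matches Table 93."""
    if name not in TABLE_93:
        return f"{name}: not a key listed in Table 93"
    want_type, allowed = TABLE_93[name]
    if dtype != want_type:
        return f"{name}: data type {dtype}, expected {want_type}"
    if not allowed(value):
        return f"{name}: value {value!r} outside allowed values"
    return None

def msi_registry_rows(entries):
    """Build the Registry table rows the GPO procedure asks for (REG_DWORD gets '#')."""
    return [{"Registry": f"Registry{i}", "Root": 2, "Key": REG_KEY_PATH, "Name": name,
             "Value": "#" + value if dtype == "REG_DWORD" else value,
             "Component": "ProxyClientSvc.exe"}
            for i, (name, dtype, value) in enumerate(entries, start=1)]

def lint_command(cmd):
    """Return a list of findings for a ProxyClientSetup.msi command line."""
    props = {k: v.strip('"') for k, v in re.findall(r'\b([A-Z_]+)=("[^"]*"|\S+)', cmd)}
    findings = []
    url = props.get("BCSI_UPDATEURL")
    if url is None:
        findings.append("BCSI_UPDATEURL missing (required for all installations)")
    elif not url.startswith("https://"):
        findings.append("BCSI_UPDATEURL is not an https:// URL")
    if props.get("REINSTALL", "ALL") != "ALL":
        findings.append("REINSTALL: ALL is the only supported value")
    if props.get("AUTOUPDATEPROHIBITED", "0") not in ("0", "1"):
        findings.append("AUTOUPDATEPROHIBITED must be 0 or 1")
    reboot = props.get("FORCEREBOOT")
    if reboot is not None and reboot not in ("yes", "no", "y", "n"):
        findings.append("FORCEREBOOT must be yes|no|y|n")
    if "REBOOTTIME" in props and reboot in ("no", "n"):
        findings.append("REBOOTTIME is ignored because FORCEREBOOT is no")
    try:
        entries = parse_registry_settings(props.get("REGISTRYSETTINGS", ""))
    except ValueError as exc:
        findings.append(f"REGISTRYSETTINGS: {exc}")
        entries = []
    settings = {}
    for name, dtype, value in entries:
        problem = check_entry(name, dtype, value)
        if problem:
            findings.append(problem)
        else:
            settings[name] = value
    # Per the page, AutoUpdateProhibited=1 takes precedence over TiNotVisibleForceUpdate.
    if props.get("AUTOUPDATEPROHIBITED") == "1" and settings.get("TiNotVisibleForceUpdate") == "1":
        findings.append("AUTOUPDATEPROHIBITED=1 overrides TiNotVisibleForceUpdate: "
                        "software updates are never downloaded")
    return findings

# Command line taken from the page's hidden-tray-icon example.
PAGE_EXAMPLE = (r'ProxyClientSetup.msi /qn BCSI_UPDATEURL=https://mysg.example.com:8084 '
                r'REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes '
                r'REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1; TiNotVisibleForceUpdate:REG_DWORD:1"')
# Constructed for this example: contains six deliberate mistakes.
BAD_EXAMPLE = (r'ProxyClientSetup.msi /qn BCSI_UPDATEURL=http://mysg.example.com:8084 '
               r'REINSTALL=SOME AUTOUPDATEPROHIBITED=1 FORCEREBOOT=no REBOOTTIME=30 '
               r'REGISTRYSETTINGS="DefaultWebPort:REG_DWORD:80; '
               r'TiNotVisibleForceUpdate:REG_DWORD:1; CacheDirectory:REG_DWORD:D:\BCCacheDir"')

if __name__ == "__main__":
    for label, cmd in (("page example", PAGE_EXAMPLE), ("constructed bad", BAD_EXAMPLE)):
        print(label, "->", lint_command(cmd) or "no findings")
```

Running the check before a package goes to SCCM, SMS, or GPO catches the improper registry settings the page warns about without touching a client machine.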
Aggregated bandwidth usage statistics related to the ProxyClient and all concentrators in the network, and with the Client Manager (for example, number of clients, number of software updates, and number of configuration updates).
Information about active and inactive ProxyClients, such as user name, host name, operating system; whether or not acceleration and Web filtering are enabled in the client's location; size of log files; size of the ProxyClient cache; and data related to ProxyClient software version running on clients.
Statistics related to the ProxyClient and a particular concentrator. To view statistics related to ProxyClients and all concentrators on the network, view the BW Usage tab page on Statistics > ProxyClient History.
Client Manager: Current active ProxyClients, the number of software updates, number of configuration updates, and ProxyClient version information. Concentrators: Bandwidth usage aggregated for all concentrators.
The ProxySG displays graphs for each tab page in selectable time increments, varying from the last hour to all time periods. Hover the mouse pointer over any graph on the page to see metric data.
1. Log in to a ProxySG appliance's Management Console as an administrator. The statistics you view depend on the role of the appliance, as follows:
Client Manager: To view Active Clients, Configurations Served, Software Served, or Client Version Count.
Concentrator: To view BW Usage.
3. Click a tab to view statistics and then see one of the following sections:
"Viewing ProxyClient Bandwidth (BW) Usage Statistics"
"Viewing ProxyClient Active Clients Statistics" on page 199
"Viewing ProxyClient Configurations Served Statistics" on page 199
"Viewing ProxyClient Software Served Statistics" on page 199
C: The number of bytes sent and received by the applications running on the client's computer (that is, corresponding to the Total Demand graph in the ProxyClient browser window).
S: The number of bytes sent over the WAN after acceleration was applied (that is, corresponding to the Actual Usage graph in the ProxyClient browser window).
Gain:
Savings:
"Viewing ProxyClient Detail Statistics" "About the ProxyClient Detail Tab Pages" on page 200 "Common Tasks on Every Tab Page" on page 201 "For More Information About ProxyClient Details" on page 202
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details. The Client Details tab page displays.
The Client Details tab page has four tabs: General, Acceleration, Filtering, and All. For detailed information about each of these tab pages, see "Viewing ProxyClient Client Details" on page 203.
Total displayed clients: The number of clients displayed on the tab page after filters were applied. If no filters were applied, the total displayed clients is equal to the available clients. More information about filtering is discussed in the sections that follow.
Available clients: Total number of clients (both active and inactive) this Client Manager has seen since the last time the client list was cleared using the #(config proxy-client) clear {all | inactive} command. The #(config proxy-client) clear {all | inactive} command is discussed in "Clearing ProxyClients (CLI)" on page 90.
Note:
Clients are automatically cleared after 30 days of inactivity. After a software upgrade, clients appear twice for 30 days: one entry for the earlier version of client software and one entry for the newer version of client software. You can optionally clear the inactive clients using the clear inactive command to avoid seeing duplicate information. For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.
Description
You can optionally filter data displayed on any tab page by certain columns displayed on that tab page. Filters are logically ANDed together. Column values are sorted by type; for example, numeric values are sorted numerically.
1. From the Add Filter list, click the name of a column to use to filter data. If you click the name of a column that has no predetermined values (like Username), a field displays next to the Add Filter list. If you click the name of a column that has predetermined values, a list of available values displays next to the Add Filter list.
2. From the adjacent field or list, make a selection to use to filter the data. For example, if you clicked Username from the Add Filter list, enter all or part of a user name in the adjacent field. The matching criterion you enter is not case-sensitive. Filters are matched by substring; wildcard characters are not supported. For example, to search for a user name that contains the string proxy, enter proxy in the field.
3. Click Add. This adds the filter and updates the data displayed on the tab page.
4. Optional tasks:
To add another filter, repeat the preceding steps. Filters are logically ANDed together.
To edit an existing filter, click the link in the filter, make changes to filter settings, and click Add.
To delete an existing filter, click x next to the name of the filter.
Click Refresh at the bottom of the tab page. It might take several minutes for configuration changes to be reflected on the tab page. For example, if you enable acceleration in a location, it might take several minutes after the client receives the configuration update for the data on this page to be updated to reflect the new configuration. Click Download at the bottom of the tab page and follow the prompts on your screen to save the text file on your computer. The data displayed on that tab page is saved to the text file. Any filters or sorting options you chose are preserved.
"Viewing ProxyClient Client Details" "Viewing ProxyClient Client Version Count" on page 208
General: For each user, displays information such as user name, domain, host name, host operating system, ProxyClient software version, last known status, age of last known status, location, and which ProxyClient features are enabled for that location. For more information, see "ProxyClient General Details".
Acceleration: For each user, displays acceleration-related information such as user name, domain, host name, acceleration status, client cache size, client bytes, server bytes, and the client's ADN peers. For more information, see "ProxyClient Acceleration Details" on page 205.
Filtering: For each user, displays Web filtering-related information such as user name, domain, host name, Web filtering status, the age of the Web filtering log, and the size of the Web filtering log file. For more information, see the "ProxyClient Web Filtering Details" on page 206.
All: Displays all information on the preceding tab pages. For more information, see "All ProxyClient Details" on page 208.
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details > General.
The following table discusses the data displayed in each column of the General tab:

Column: User Name
Description: Name of the user logged in to the ProxyClient computer.

Column: Domain
Description: Domain to which the ProxyClient computer belongs.

Column: Host Name
Description: ProxyClient computer's host name.

Column: OS
Description: ProxyClient computer operating system version information.

Column: Version
Description: ProxyClient software version.

Column: Status
Description: indicates an active client. indicates an inactive client. A client is reported as inactive if 10 minutes or more elapse between heartbeat packets it sends to the Client Manager.
Description The length of time since the ProxyClient last reported its status (either active or inactive) to the Client Manager. indicates an uninstallation password is configured. indicates an uninstallation password is not configured. The name of the ProxyClient's location. indicates acceleration is enabled in this client's location. indicates acceleration is disabled in this client's location.
Web Filter
indicates Web filtering is enabled in this client's location. indicates Web filtering is disabled in this client's location. It could also indicate user tampering; for more information, see "Web Filtering Internal Service Error" on page 169.
File Encryption
indicates this client's cache is encrypted. Provided the user installed the ProxyClient software on an NTFS partition on Windows XP or Windows Vista, the cache and Web filtering log files are encrypted. A value of 0 most likely means the cache has not been used yet or the client's computer has no available space for caching. indicates this client's CIFS cache is not encrypted. If acceleration is enabled in this client's location but the cache is not encrypted, the most likely reason is this client installed the ProxyClient software on a non-NTFS partition. Note: The cache is used for CIFS protocol acceleration and for byte caching.
IID
A globally-unique identifier assigned to every ProxyClient in the ADN network. A ProxyClient's IID starts with the string CL. An IID is similar to a Peer ID for appliances.
Sort data by column: Click the name of a column to sort it in ascending or descending order. Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add. Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect. Download the data to a text file: Click Download and follow the prompts on your screen. For additional information about these options, see "Common Tasks on Every Tab Page" on page 201.
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details > Acceleration. The Acceleration tab page displays.
Description Size of the client's cache. If acceleration is enabled for a client but the cache size is 0 bytes in size, check the value of the ADN Peers column. If the client has no ADN peers, most likely the ADN manager or backup manager is not configured properly (for example, no subnets are being accelerated). To resolve this issue, see "Before You Begin Configuring ProxyClient Policy" on page 103.
Client Bytes: The number of bytes sent and received by the applications running on the client's computer (that is, corresponding to the Total Demand graph in the ProxyClient Web browser window).
Server Bytes: The number of bytes sent over the WAN after acceleration was applied (that is, corresponding to the Actual Usage graph in the ProxyClient Web browser window).
ADN Peers: The Peer ID of each concentrator that is accelerating traffic for the ProxyClient.
Sort data by column: Click the name of a column to sort it in ascending or descending order. Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add. Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect. Download the data to a text file: Click Download and follow the prompts on your screen. For additional information, see "Common Tasks on Every Tab Page" on page 201.
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details > Filtering. The Filtering tab page displays.
Description Displays the size of this client's Web filtering log file. indicates there was an error retrieving the data. Hover the mouse pointer over the symbol to display an error message. For more detailed information, collect logs from the user's computer (including the Web filter trace file) as discussed in "Instructing Users to Perform Data Traces" on page 233. means the log age is not available, probably because the client is inactive. There could also be a problem preventing this client from uploading its logs to the FTP server. If the issue persists, collect logs from the user's computer (including the Web filter trace file) as discussed in "Instructing Users to Perform Data Traces" on page 233.
n/a means Web filtering is not enabled for this client.
Sort data by column: Click the name of a column to sort it in ascending or descending order. Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add. Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect. Download the data to a text file: Click Download and follow the prompts on your screen. For additional information, see "Common Tasks on Every Tab Page" on page 201.
"ProxyClient General Details" on page 203 "ProxyClient Acceleration Details" on page 205 "ProxyClient Web Filtering Details" on page 206
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Version Count. The Client Version Count tab page displays.
For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.
1. Log in to a concentrator's Management Console as an administrator.
2. Click Statistics > ADN History.
[Figure callouts: Hover mouse over data. Select Usage or Gain. ProxyClients display in a peer group.]
3. From the Duration list, click a time frame. 4. View the following statistics: The displayed statistics represent all ADN traffic processed by this concentrator. ProxyClients are aggregated into one peer group, with ProxyClients as the Peer ID and Peer IP. Other appliances on the network devices are listed by IP address. The other attributes for both usage and gain are:
Optimized Bytes:
Unoptimized Bytes:
How many bytes would have been sent over the network had ADN not been used. By comparing optimized bytes and unoptimized bytes, you can determine how much savings was realized by using ADN.
Savings:
1. Log in to a concentrator's Management Console as an administrator.
2. Click Statistics > Sessions > Active Sessions > ADN Inbound Connections.
3. At the top of the ADN Inbound Connections tab page, click Show to display statistics from active sessions.
Client: The IP address of the ProxyClient (for example, the outbound IP address of the VPN application).
Server: The IP address of the final destination server (such as a content server).
Peer: For ProxyClients, client and peer IP addresses are the same because ProxyClient mimics a branch ProxySG.
Duration: How long the active session has been connected.
Unopt. Bytes: The number of bytes served to or from the server before or after ADN optimization. For example, the number of bytes sent to a server before the traffic was optimized by ADN.
Opt. Bytes: The
Savings: The
C: Whether
(compressed) displays if the data is being compressed. (not compressed) if compression is not being used.
BC: Whether
E: Whether or not the incoming ADN tunnel is encrypted. In this release, ProxyClient connections are not encrypted.
Tunnel Type: The
"Using the ProxyClient Web Browser for Troubleshooting" "Troubleshooting ProxyClient Installation and Operation" on page 214 "Troubleshooting ProxyClient Acceleration" on page 115 "Troubleshooting ProxyClient Web Filtering" on page 165 "Other ProxyClient Troubleshooting Tools" on page 224
The user should double-click the tray icon or right-click the tray icon and, from the pop-up menu, click Status.
To start the ProxyClient Web browser window if the tray icon is not visible:
Click Start > [All] Programs > Blue Coat ProxyClient > ProxyClient. Note that the Start menu option can be hidden.
Double-click the ProxyClient shortcut located in %SystemDrive%:\Program Files\Blue Coat\ProxyClient
Open a supported Web browser and enter the following URL in the browser's location or address field:
http://localhost:web-server-port
where web-server-port is the listen port of the ProxyClient internal Web server. Supported Web browsers are discussed in the ProxyClient Release Notes. By default, the port is 8000 but administrators can change the port as discussed in "Changing the Default Web Server Port" on page 230. The ProxyClient window displays status information as follows. Click any of the circled locations to jump to more information about troubleshooting that ProxyClient feature.
Application status
Acceleration status
Web filtering status Figure 111 Blue Coat ProxyClient Web browser window
"Troubleshooting ProxyClient Installation and Operation" "Other ProxyClient Troubleshooting Tools" on page 224 "Troubleshooting ProxyClient Web Filtering" on page 165 "Other ProxyClient Troubleshooting Tools" on page 224
"Suggested Workarounds for Installation Errors" "ProxyClient Tray Icon States and Meanings" on page 222 "Other ProxyClient Troubleshooting Tools" on page 224 "Troubleshooting ProxyClient Web Filtering" on page 165 "Other ProxyClient Troubleshooting Tools" on page 224
For assistance with other issues, see one of the following sections:
"Cannot Connect to the Client Manager" "Client Manager Communication Troubleshooting Suggestions" on page 215 "Configuration Error" on page 117
After installing the ProxyClient software for the first time, the following message displays: Cannot connect to the Client Manager to download configuration updates. The following message displays: Cannot contact the Client Manager.
These messages might display if you hover the mouse pointer over the ProxyClient tray icon or by viewing the Status tab page on the ProxyClient Web browser window as discussed in the next section.
"Getting Started Troubleshooting Client Manager Communication Issues" "Resolution: Download Error Getting the Initial Configuration" on page 216 "Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219 "Resolution: Client Manager Not Available" on page 221
Cause: Client cannot contact the Client Manager to get a configuration after initially installing the ProxyClient software.
Result (any of the following): If the tray icon is visible, a balloon message displays: Unable to download configuration from Client Manager
To resolve this issue, see "Resolution: Download Error Getting the Initial Configuration" on page 216.
Cause: Client has not been able to download a configuration from the Client Manager for a period of two times the update interval or 30 days (whichever is longer): Result: The following message displays on the Acceleration Statistics section heading if the
Cannot contact the Client Manager.
To resolve this issue, see "Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219.
4. In the Software Update section, click Check for Updates Now. Use the following guidelines to resolve the issue:
Table 111 ProxyClient manual configuration attempts
Resolution
The issue has been resolved. Check the following: Make sure any required VPN software is running on the user's computer. Check your network setup to make sure the user can access the Client Manager.
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > General.
3. For the value of Host, verify the following:
Troubleshooting suggestions
Meaning: This selection means the client uses the Client Manager host name or IP address you specified either from the command line or that you provided to the user. Most likely, the administrator made a typographical error in a command-line installation. As a result, the ProxyClient software installed but the client cannot contact the Client Manager after rebooting the computer.
Resolution: Use the following steps to verify the Client Manager URL in the ProxyClient configuration:
1. In the Client Manager's Management Console, click General > Identification. The value of IP address specifies the Client Manager's default IP address, which is the IP address you must use as the Client Manager URL. (If you specified a host name instead, the host name must resolve to this IP address.)
2. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
3. Click the Advanced tab.
4. On the Advanced tab page, in the Software Update section, is the Client Manager Address a link, or is there a (change) link next to the address?
Yes: Click the link and change the Client Manager's URL. The client validates the URL and gets a configuration update immediately.
No: Set a registry key to enable you to change the Client Manager URL as discussed in "" on page 229.
Use host
Meaning: This selection means the client downloads the ProxyClient software and configuration from the host name or IP address you specify. This option can be used to migrate users from one Client Manager to another or it can be used if you have multiple, load-balanced Client Managers.
Resolution: Check your DNS or load balancer configuration as follows: If you have one Client Manager, check your DNS configuration and make sure the host name resolves to the Client Manager's default IP address. This IP address is specified in General > Identification in the Client Manager's Management Console. A load balancer typically advertises one Virtual IP (VIP) address. For each Client Manager behind the load balancer, enter the load balancer's VIP in the Use host field.
In the ProxyClient Web browser window, click the Advanced tab. In the Admin Log section, click View Log and look for any of the following errors:
Cause and suggested solution
Cause: The Client Manager's host name is not DNS-resolvable.
Suggested actions: Make sure the ProxyClient computer is connected to the network physically or using VPN. Make sure a DNS server is available. Ping the Client Manager's host name from the ProxyClient computer. To change the Client Manager's host name, on the Advanced tab page, click the (change) link and enter the correct name in the provided field. In the Software Update section, click Check for Updates Now.
Cause and suggested solution
Causes: The Client Manager's IP address is not available. You entered the incorrect Client Manager IP address. You entered the IP address of a device that is not a Client Manager.
Solutions: Make sure the ProxyClient computer is connected to the network physically or using VPN. Ping the Client Manager's IP address from the ProxyClient computer. To change the Client Manager's IP address, in the Advanced tab page, click the (change) link and enter the Client Manager's IP address. In the Software Update section, click Check for Updates Now.
See Table 111 on page 217. The cause of the error is highlighted in boldface text:
Trying all connection types in order
Direct connection (no proxy settings): Failed [URL is invalid or the scheme is not supported]
Trying all connection types in order
Direct connection (no proxy settings): Failed [Unhandled http status 404]
WinHttp registry settings: Failed [Attempted proxy settings do not exist]
Per-user IE settings: Failed [No logged on session to get settings from]
Trying all connection types in order
Direct connection (no proxy settings): Failed [Invalid server response]
WinHttp registry settings: Failed [Attempted proxy settings do not exist]
Per-user IE settings: Failed [No logged on session to get settings from]
Cause: You entered a Client Manager URL that contained invalid characters, did not use the https:// scheme, or that used an invalid path to ProxyClientConfig.xml
Description: Examples of invalid characters include the following: \, $, and space. Examples of invalid schemes include: ftp://, http://, and scp:// Because the path to ProxyClientConfig.xml is optional, you can exclude it from the URL to reduce the possibility of errors. For examples of command line installations, see Chapter 9: "Distributing the ProxyClient Software".
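The URL rules and admin-log errors above can be checked before a command-line installation is distributed. The following is an added example, not Blue Coat code: the host name cm.example.com is a constructed placeholder, the file-name check on the optional path is an assumption of this example, and the sample log is the excerpt quoted in this section.

```python
import re
from urllib.parse import urlsplit

# Invalid-character examples and the optional file name, both taken from the guide.
INVALID_CHARS = ("\\", "$", " ")
CONFIG_FILE = "ProxyClientConfig.xml"


def check_client_manager_url(url):
    """Return a list of problems with a Client Manager URL (empty list = passes)."""
    problems = []
    bad = [c for c in INVALID_CHARS if c in url]
    if bad:
        problems.append("invalid character(s): " + ", ".join(repr(c) for c in bad))

    scheme, sep, _rest = url.partition("://")
    if not sep:
        problems.append("no scheme; the URL must start with https://")
    elif scheme.lower() != "https":
        problems.append(f"scheme {scheme}:// is not supported; use https://")

    if sep and not bad:
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:  # for example, a malformed bracketed IPv6 literal
            parts, host = None, None
        if not host:
            problems.append("no host name or IP address")
        elif parts.path.strip("/"):
            # Assumption of this example: if a path is given at all, it should
            # end in ProxyClientConfig.xml. The guide says the path is optional.
            if parts.path.rsplit("/", 1)[-1] != CONFIG_FILE:
                problems.append(
                    f"path does not end in {CONFIG_FILE}; the path is optional, "
                    "so consider omitting it"
                )
    return problems


ATTEMPT_MARKER = "Trying all connection types in order"
ENTRY_RE = re.compile(
    r"(Direct connection \(no proxy settings\)|WinHttp registry settings|"
    r"Per-user IE settings):\s*(\w+)(?:\s*\[([^\]]*)\])?"
)


def parse_admin_log(text):
    """Split admin-log text into attempts; each is a list of
    (connection type, status, reason) tuples."""
    attempts = []
    for chunk in text.split(ATTEMPT_MARKER)[1:]:
        attempts.append(
            [(m.group(1), m.group(2), m.group(3) or "") for m in ENTRY_RE.finditer(chunk)]
        )
    return attempts


def direct_failures(text):
    """Reason reported for each failed direct connection, in log order."""
    return [
        reason
        for attempt in parse_admin_log(text)
        for conn, status, reason in attempt
        if conn.startswith("Direct connection") and status == "Failed"
    ]


# Log excerpt as quoted in this section of the guide.
SAMPLE_LOG = (
    "Trying all connection types in order "
    "Direct connection (no proxy settings): Failed [URL is invalid or the scheme is not supported] "
    "Trying all connection types in order "
    "Direct connection (no proxy settings): Failed [Unhandled http status 404] "
    "WinHttp registry settings: Failed [Attempted proxy settings do not exist] "
    "Per-user IE settings: Failed [No logged on session to get settings from] "
    "Trying all connection types in order "
    "Direct connection (no proxy settings): Failed [Invalid server response] "
    "WinHttp registry settings: Failed [Attempted proxy settings do not exist] "
    "Per-user IE settings: Failed [No logged on session to get settings from]"
)

if __name__ == "__main__":
    for candidate in ("https://cm.example.com:8084", "http://cm.example.com:8084",
                      "cm.example.com", "https://cm example.com"):
        print(candidate, "->", check_client_manager_url(candidate) or "OK")
    for reason in direct_failures(SAMPLE_LOG):
        print("direct connection failed:", reason)
```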
Description The Client Manager's address might be correct in the ProxyClient Web browser window but because the URL or scheme was not valid, the configuration file could not be loaded. Re-entering the Client Manager address should resolve the issue.
Solution Change the Client Manager's address.
1. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
2. Click the Advanced tab.
3. On the Advanced tab page, in the Client Manager section, click the (change) link. Note: If the (change) link does not display, see "" on page 229.
4. Enter the Client Manager's IP address or host name in the provided field.
5. Click Change. The ProxyClient contacts the Client Manager and downloads the configuration file. If this does not resolve the problem, verify the Client Manager's address and try again.
Change the Client Manager's address; see the preceding row in this table.
http:// scheme
No scheme
Typically, the Client Manager's address displays as the name of the scheme. Changing the address should resolve the issue.
The Client Manager is down. Make sure the Client Manager appliance is running. If the Client Manager runs SGOS 5.4 or later, log in to its Management Console as an administrator and click Statistics > Summary and make sure the interface to which ProxyClients connect is up.
Network issues are preventing the user's computer from contacting the Client Manager. Review your networking topology, verify that switches and routers are configured correctly, and so on.
If the user requires VPN to connect to the network, make sure the user's VPN client is running.
Make sure third-party products like anti-virus or personal firewall software allow the ProxyClient service (ProxyClientSvc.exe) to run and to communicate with the Client Manager using SSL over its listen port (by default, 8084).
The Client Manager's host was specified incorrectly or it has changed since the ProxyClient software was installed. To verify the Client Manager's host name, log in to the Client Manager's Management Console and click Configuration > ProxyClient > General > Client Manager. Correct the value specified in the Use host field. The user can change the Client Manager host name or IP address if any of the following is true: The ProxyClient has not successfully contacted the Client Manager since it was installed. The ProxyClient software was installed with the ChangeCMAllowed registry key set to 1.
To change the Client Manager URL, start the ProxyClient Web browser window, click the Advanced tab, and, in the Client Manager section, click the (change) link next to the current Client Manager URL. Enter the new URL in the provided fields and click OK.
Meaning The ProxyClient has been unable to download a configuration update for a period of two times the update interval or 30 days (whichever is longer). ProxyClient is using the last configuration file it was able to get from the Client Manager. Likely causes: Firewall configuration problems. Verify the following: If the user has a firewall on the computer, make sure it allows the Client Manager's host name or IP address as a destination. The corporate firewall must allow SSL traffic through the Client Manager's listen port (by default, 8084). To confirm the port, in the Client Manager's Management Console, click Configuration > ProxyClient > General > Client Manager. If the user is located offsite, the user must first connect to the network (for example, using a VPN client). Make sure the Client Manager appliance is running. If the Client Manager runs SGOS 5.4.x, log in to the Client Manager's Management Console as an administrator and click Statistics > Summary and make sure the interface to which ProxyClients connect is up.
Meaning The ProxyClient was unable to download a configuration file from the Client Manager after the software was first installed, most likely due to communication problems between the client and the Client Manager. To resolve this issue, see "Client Manager Communication Troubleshooting Suggestions" on page 215.
(continued)
A ProxyClient software update is available from the Client Manager. This message never displays if software updates are disabled. The ADN manager or backup manager is not providing any routing information, most likely because concentrators are not advertising any routes to the managers. See "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.
Displays if either acceleration or Web filtering drivers are not operational. Do any of the following: For Web filtering errors, see "Web Filtering Internal Service Error" on page 169 If the error indicates a problem with acceleration, ask the user to reboot the computer, enable trace logging, and repeat the actions that caused the internal service error. See "Instructing Users to Perform Data Traces" on page 233.
a. To display the message, either hover the mouse pointer over the ProxyClient tray icon or double-click the icon and look for the message in one of the locations shown in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
"ProxyClient Troubleshooting Tools Summary" "Changing the Client Manager" on page 229 "Changing the Default Web Server Port" on page 230
"Uninstalling the ProxyClient Software" on page 231 "Performing Data Traces and Data Collection" on page 232 "Using the ProxyClient VPN Whitelist Utility" on page 238 "Client Manager Logging" on page 240
value is a link.
Advanced tab page, in the Diagnostic Tools section.
Support trace
"Instructing Users to Perform Data Traces" on page 233 "Performing Data Traces and Data Collection" on page 232 "Instructing Users to Run the ProxyClient Data Collector" on page 234
Advanced logs
Advanced tab page, in the Diagnostic Tools section. Click More under Admin Log.
Data collector
Collects diagnostic information useful to troubleshoot unexpected behavior and connectivity problems.
Enables users to collect logs and system information so you can analyze the problem and refer it to Blue Coat Support, if necessary. If you have an SR number, you can attach data collector output to the SR ticket. The default port is 8000. You can change the port to 1024 through 65534, inclusive.
Enables the administrator to change the default port the ProxyClient internal Web server uses to start the Web browser window.
Description
Detail
Enables users with administrative privileges on the computer to uninstall the ProxyClient software.
On Windows 7
Table 114
Key name
AutoUpdateProhibited
Allowed values
0 (default) means the ProxyClient automatically implements software updates at the interval the administrator specified for software update interval in "Designating a ProxySG as the Client Manager" on page 81. 1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as SCCM, SMS, or GPO.
Note: Regardless of the value of this setting, the client always gets configuration updates automatically when they are available. Users can also get configuration updates manually.
CacheDirectory
REG_SZ
Set the folder in which ProxyClient cache files are stored. The path must already exist; otherwise, the default cache directory is used. The default cache directory follows: Windows XP
%SystemDrive%:\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient
DefaultWebPort
REG_DWORD
Allowed values: 1024 through 65534 (inclusive). If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000. Default is 8000. For more information, see "Changing the Default Web Server Port" on page 230.
TiNotVisible
Allowed values Allowed values: 0 | 1 Set to 1 to hide the ProxyClient system tray icon and pop-up messages. Set to 0 to display the ProxyClient tray icon and popup messages. By default, this registry key does not exist.
TiNotVisibleForceUpdate
REG_DWORD
Allowed values: 0 | 1 Set to 1 to force users to accept software and configuration updates without interaction. This key is independent of TiNotVisible; in other words, the setting for this key determines update behavior whether or not the ProxyClient tray icon is hidden. Set to 0 to allow updates normally; that is, users always get configuration updates. Software updates can be installed manually. By default, this registry key does not exist. Note: The availability of software updates is controlled by the AutoUpdateProhibited registry key. If AutoUpdateProhibited is set to 1, users cannot get software updates, regardless of the value of this registry key. For more information, see "Parameters for Silent Installations" on page 183.
On
Key name
ChangeCMAllowed
Allowed values Allowed values: 0 | 1 Set to 1 to allow the user to change the Client Manager. Set to 0 to prevent the user from changing the Client Manager. The default is 0. For more information, see "" on page 229.
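The registry settings described in these tables interact, so a per-client audit is useful when checking whether a deployment matches policy. The following is an added example, not Blue Coat code. It assumes all five values live under the key this guide gives for DefaultWebPort (HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\ProxyClient); it does not cover a different key location on 64-bit Windows, and the sample values are constructed.

```python
import sys

# Key path as given in this guide for DefaultWebPort; assumed here for all values.
KEY_PATH = r"SOFTWARE\Blue Coat Systems\ProxyClient"
FLAGS = ("AutoUpdateProhibited", "ChangeCMAllowed",
         "TiNotVisible", "TiNotVisibleForceUpdate")
PORT_MIN, PORT_MAX = 1024, 65534  # allowed DefaultWebPort range per the guide


def read_values():
    """Read the settings from HKLM on a Windows client; absent values are omitted."""
    import winreg  # standard library, Windows only
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH)
    except OSError:
        return values  # key missing: ProxyClient not installed or stored elsewhere
    with key:
        for name in FLAGS + ("DefaultWebPort",):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:
                pass  # value does not exist; the documented default applies
    return values


def update_mode(values):
    """Effective update behaviour from the two update-related keys."""
    if values.get("AutoUpdateProhibited", 0) == 1:
        # Overrides TiNotVisibleForceUpdate: no software updates at all.
        return "configuration only"
    if values.get("TiNotVisibleForceUpdate", 0) == 1:
        return "forced, no user interaction"
    return "normal"


def audit(values):
    """Return (key name, finding) pairs for settings an administrator should review."""
    findings = []
    for name in FLAGS:
        if name in values and values[name] not in (0, 1):
            findings.append((name, f"value {values[name]!r} is not 0 or 1"))
    if values.get("ChangeCMAllowed", 0) == 1:
        findings.append(("ChangeCMAllowed",
                         "user can change the Client Manager from the Advanced tab"))
    prohibited = values.get("AutoUpdateProhibited", 0) == 1
    if prohibited:
        findings.append(("AutoUpdateProhibited",
                         "software is not updated from the Client Manager; confirm "
                         "another channel (SCCM, SMS, GPO) distributes updates"))
    if values.get("TiNotVisible") == 1:
        findings.append(("TiNotVisible", "tray icon and pop-up messages are hidden"))
    if values.get("TiNotVisibleForceUpdate") == 1 and prohibited:
        findings.append(("TiNotVisibleForceUpdate",
                         "no effect on software updates while AutoUpdateProhibited is 1"))
    port = values.get("DefaultWebPort")
    if port is not None and (not isinstance(port, int)
                             or not PORT_MIN <= port <= PORT_MAX):
        findings.append(("DefaultWebPort",
                         f"{port!r} is outside the allowed range {PORT_MIN}-{PORT_MAX}"))
    return findings


if __name__ == "__main__":
    # Constructed sample used when not running on a Windows client.
    sample = {"ChangeCMAllowed": 1, "AutoUpdateProhibited": 1,
              "TiNotVisibleForceUpdate": 1, "DefaultWebPort": 80}
    current = read_values() if sys.platform == "win32" else sample
    print("update mode:", update_mode(current))
    for name, finding in audit(current):
        print(f"{name}: {finding}")
```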
1. Set the ChangeCMAllowed registry key in any of the following ways: When the ProxyClient software is installed as discussed in Table 92, "Parameters for Silent ProxyClient Installations" on page 184. After installing the ProxyClient software as discussed in the next step.
2. If a user is not allowed to change the Client Manager URL and the ProxyClient is already installed, perform the following tasks:
a. Start a plist editor application like Property List Editor with sudo privileges.
b. Browse to the following key:
/Library/Preferences/com.bluecoat.proxyclient.config.plist
d. In the Value field, enter 1.
e. Click OK.
f. Another way to set plist values is to use the defaults command. Example:
sudo defaults write /Library/Preferences/com.bluecoat.proxyclient.config ChangeCMAllowed 1
Note: It is safe to set this while the service is running.
3. In the ProxyClient Web browser window, click the Advanced tab. 4. In the Client Manager section, click the change link next to the current Client Manager address. The Change Client Manager dialog displays. 5. In the Change Client Manager dialog, enter or edit the following information:
Field / Description
New Address: Enter the Client Manager's fully qualified host name or IP address.
New Port: Enter the Client Manager's listen port.
6. Click OK. A success or fail message displays in the Change ProxyClient Manager browser window as the URL is verified. The client gets a configuration update from the new Client Manager immediately. If software updates are ready to download at the next update interval, and if the client is allowed to get software updates, you are notified before the updates are installed. When the operation is complete, the Advanced tab page displays the new Client Manager host name or IP address. 7. Close the registry editor application. 8. Reboot the computer for the changes to take effect. The tray icon and pop-up messages are not visible except to notify the user that a software update is being downloaded, and to notify the user to reboot the computer after updates have been installed. If you prohibit automatic software updates, the icon never displays.
Install the ProxyClient software with the DefaultWebPort registry setting from the installer command line as discussed in "Preparing Silent Installations and Uninstallations" on page 181. If the ProxyClient software is already installed, add the DefaultWebPort registry key as discussed in the following procedure.
Start a registry editor like regedit. 1. Create a registry value named DefaultWebPort of type DWORD in the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\ProxyClient
2. Set the value of DefaultWebPort as follows: Allowed values: 1024 through 65534. If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000.
3. Exit the registry editor.
4. Restart the computer for the changes to take effect.
For information about silent uninstallation, see "Example Uninstallation" on page 190.
To uninstall the ProxyClient software on Windows:
1. Log in to your machine as a user who is a member of the Administrators group. 2. Click Start > Control Panel. 3. In the Control Panel window, select: Windows XP and Vista: In Classic View, double-click Add or Remove Programs. Windows Vista and Windows 7: In Category view, select Uninstall a program. 4. Click Blue Coat ProxyClient. 5. Click Remove. In Windows Vista and Windows 7, select Uninstall. 6. If prompted, enter the uninstall password.
Secondary Procedure
If you discover the preceding procedure did not remove all traces of the ProxyClient software, perform the tasks discussed in this section.
To uninstall the ProxyClient in Windows Safe Mode:
1. Boot into Safe Mode without Networking, which means that no ProxyClient components are loaded by the system.
2. Log in as an administrator.
3. Click Start > Settings > Control Panel.
4. In the Control Panel window, select: Windows XP and Vista: In Classic View, double-click Add or Remove Programs. Windows Vista and Windows 7: In Category view, select Uninstall a program.
5. Click Blue Coat ProxyClient.
6. Click Remove. In Windows Vista and Windows 7, select Uninstall.
7. If prompted, enter the uninstall password.
8. Follow the prompts to uninstall the software.
"About ProxyClient Logs" "About the Data Collection Application" on page 233 "Instructing Users to Perform Data Traces" on page 233 "Instructing Users to Run the ProxyClient Data Collector" on page 234
Windows XP:
%SystemDrive%\Documents and Settings\All Users\Application Data\Blue Coat Systems\ProxyClient\support
Used by Logs automatic software updates but not configuration updates. Admin log (the log users can view on the ProxyClient Web browser window's Advanced tab page) and the advanced admin logs. The admin log and advanced admin log contain information about acceleration, Web filtering, software upgrades, and configuration updates. These logs are written during the entire time the ProxyClient is running.
proxyclientlog.etl
proxyclientdebug.etl
The support trace records all client activity. Detailed trace activity for acceleration, Web filtering, or both.
1. The user starts the ProxyClient Web browser window. 2. Click the Advanced tab. 3. On the Advanced tab page, in the Diagnostic Tools section, click More under Admin Log. 4. Click the Start Trace link next to the trace you wish to start. 5. Repeat the activity that caused the problem. 6. Click the Stop Trace link. 7. Click Open Trace Folder. 8. Send the appropriate .etl file to Blue Coat Support with detailed information about what caused the issue.
Note: These instructions are included in the ProxyClient on-line help that is available to users. Users can click Help either on the ProxyClient system tray icon or in the Web browser window.
Installed in the ProxyClient folder on user systems, the ProxyClient Data Collector is a utility that end users run to collect comprehensive system information that administrators or Blue Coat Support can use to diagnose problems with the ProxyClient application and network connectivity. When users access the Data Collector, they must select one of two data collection modes:
System Administrator Mode: This mode collects the following information, which is intended for corporate network administrators: All ProxyClient logs, including installation logs and diagnostic trace messages. A memory dump of the ProxyClient service process. The current configuration file and registry settings. A list of all running processes on the system. Packet capture Various network-related information (IP configuration, trace route, netstat data, and so on).
Blue Coat Mode: Same as Administrator Mode except this option uploads the information to an existing support case. If your issue was assigned a Service Response (SR) number, the user must enter the SR number to enter Blue Coat mode.
1. The user starts Windows Explorer or double-clicks My Computer. 2. Locate the ProxyClient installation folder. The default location is %SystemDrive%:\Program Files\Blue Coat\Proxy Client\. On Windows 7 (64bit), the location is %SystemDrive%:\Program Files (x86)\Blue Coat\ProxyClient.
3. Double-click the ProxyClientDC application. The Blue Coat ProxyClient Data Collector dialog displays.
4. Choose the mode in which to run the Data Collector. Options are discussed in the following table.
Option Action Ask users to select this option if you suspect a configuration or network problem.
Option
Action If you have entered a support case with Blue Coat Support and have received an SR number, provide users with that number. The user should select the check box and enter the SR number in the provided field. Alternate: If you do not have an SR number but want to collect detailed information for Blue Coat Support, clear the check box. After the data collection process completes, ask the user to send you the file so you can contact Blue Coat Support.
5. Click Next. The Data Collector starts and displays the Blue Coat ProxyClient Data Collector dialog.
mode. If the user selects Blue Coat Support mode, additional tasks are performed. A green check mark displays next to each task as it completes successfully (some tasks might require several minutes to complete). At any time, click Stop to stop the data collection process (for example, if the process appears hung on one stage).
6. After ProxyClient completes all of the tasks:
System Administrator Mode, or Blue Coat Mode without selecting the check box to send the data to Blue Coat: Instruct users to:
a. Click View collected data. The collected files display in Windows Explorer.
b. Right-click the .zip file (begins with proxyclientdc- and ends with the user's system name and date/timestamp) and select Send to > My Documents.
c. E-mail the .zip file (begins with proxyclientdc- and ends with the user's system name and date/timestamp) to yourself.
d. Click Exit.
Blue Coat Mode (with the Automatically upload data directly to Blue Coat option selected): ProxyClient automatically forwards the information and associated case number to Blue Coat Support. Click Exit.
Blue Coat Mode, connection error: If users experience a connection error (that is, ProxyClient cannot upload to Blue Coat), instruct them to run the Data Collector in Blue Coat Mode again, but do not select Automatically upload data directly to Blue Coat.
You must edit the registry key to include values that enable the ProxyClient to recognize the VPN adapter for location awareness purposes. The CardList.exe utility identifies these values.
Choose an output from CardList.exe that is common among multiple users' computers. When it is available, use the MAC address; avoid using the IP address because it is likely to be different on different computers. Examples follow.
To use CardList.exe:
1. Log in as an administrator to a computer with a VPN adapter that is not recognized by the ProxyClient.
2. Download CardList.exe to that computer. For more information about the Blue Coat Knowledge Base, see "Blue Coat Knowledge Base" on page 9.
3. Connect to the VPN network.
4. Double-click CardList.exe.
Note that in the preceding example, the VPN adapter's MAC address is not output by CardList.exe but the IP address is (192.168.192.124).
In the preceding example, both the MAC address (00-53-45-00-00-00) and the IP address (192.168.192.125) are output by CardList.exe.
5. Start a registry editor utility like regedit.
6. Locate the HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\Proxy Client\VPN Whitelist registry key. On Windows 7 (64bit), the registry key is located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client
7. Edit the existing REG_SZ (string) registry value to contain one or more of the following values (using a comma to separate multiple values):
Virtual NIC IP address
MAC address
Any other string output by the utility; in the example, click to connect to network access using firepass 1200. Note that you can enter a portion of the string; you do not have to enter the entire string.
For example:
00-53-45-00-00-00,click to connect to network access using firepass 1200
8. Save your changes to the registry and reboot the computer. When the computer reboots, the ProxyClient recognizes the Virtual NIC.
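The following PowerShell script is an added example, not part of the Blue Coat documentation. It reads the whitelist string from the registry locations named in the preceding steps, splits it on commas, and flags IP-address entries, which the procedure advises against; the function names, and the handling of "VPN Whitelist" as either a subkey or a value name, are assumptions of this example.

```powershell
# Added example: audit the ProxyClient VPN whitelist string on one computer.
# The two root keys are the ones given on the page. Whether "VPN Whitelist" is a
# subkey or a value name is an assumption, so both layouts are checked.
$roots = @(
    'HKLM:\Software\Blue Coat Systems\Proxy Client',
    'HKLM:\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client'
)

function Get-EntryKind([string]$Entry) {
    $ip = $null
    if ($Entry -match '^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$') { return 'MAC' }
    if ($Entry -match '^(\d{1,3}\.){3}\d{1,3}$' -and
        [System.Net.IPAddress]::TryParse($Entry, [ref]$ip)) { return 'IP' }
    return 'String'   # adapter description text, or a portion of any string
}

function Split-Whitelist([string]$Value) {
    # Multiple values are separated by commas, as the procedure specifies.
    foreach ($e in ($Value -split ',')) {
        $e = $e.Trim()
        if ($e) { New-Object PSObject -Property @{ Entry = $e; Kind = (Get-EntryKind $e) } }
    }
}

function Get-WhitelistValue {
    foreach ($root in $roots) {
        $sub = Join-Path $root 'VPN Whitelist'
        if (Test-Path $sub) {
            # Layout 1: "VPN Whitelist" is a key; return every REG_SZ value under it.
            $key = Get-Item $sub
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -eq 'String') {
                    New-Object PSObject -Property @{ Path = $sub; Name = $name; Value = $key.GetValue($name) }
                }
            }
        } elseif (Test-Path $root) {
            # Layout 2: "VPN Whitelist" is a REG_SZ value on the Proxy Client key.
            $v = (Get-Item $root).GetValue('VPN Whitelist', $null)
            if ($v -is [string]) { New-Object PSObject -Property @{ Path = $root; Name = 'VPN Whitelist'; Value = $v } }
        }
    }
}

# Constructed sample: the page's example string plus the IP address from its CardList output.
Split-Whitelist '00-53-45-00-00-00,click to connect to network access using firepass 1200,192.168.192.125'

# Live check (read-only): warn about IP entries, which are likely to differ between computers.
foreach ($item in Get-WhitelistValue) {
    foreach ($e in (Split-Whitelist $item.Value)) {
        if ($e.Kind -eq 'IP') { Write-Warning "$($item.Path) [$($item.Name)]: IP entry '$($e.Entry)'; prefer the MAC address" }
    }
}
```

The script only reads the registry; changes are still made as described in steps 5 through 8.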
where host is the fully qualified host name or IP address of the Client Manager, and port is the ProxySG appliance's listen port.
You must edit the plist entry to include values that enable the ProxyClient to recognize the VPN adapter for location awareness purposes. The value can be any one of the following:
This chapter lists the files, folders, and registry keys created by the ProxyClient application. This chapter divides the information into the following sections:
"Installation"
"Folders"
"Files"
"Setup MSI"
"Installed Files"
"Shortcuts"
"During Runtime"
"Logging and Support"
"Web Filter Files"
"Data Collector"
Installation
This section lists all of the folders and files affected by installation.
Folders
Installation affects the following folders.
Table A1 Folders affected by installation
Default Path
%temp%
$TMPDIR
%SystemDrive%\Documents and Settings\All Users\Application Data\Blue Coat Systems\ProxyClient\support
/opt/.bluecoatsystems/proxyclient
/Applications/Blue\ Coat/Proxyclient/
Notes
Windows 7 (64bit): %SystemDrive%\ProgramData\Blue Coat Systems\ProxyClient\support
The Tray Icon Application and the DataCollector tool are installed here.
Diagnostic data is stored here.
Plist entries are located in this directory.
Application Support
Files
Installation affects the following files.
Table A2 Files affected by installation
File Name
ProxyClientSetup.msi
.pkg
InstallSupport.log
proxyclientsetup_msi.log
Location
%TEMP%
Temp
Support folder
Setup MSI
The user can download the setup executable to any location on the system (disk). This executable creates a .pkg file in the Temp directory, which proceeds with the actual installation.
Setup pkg
This is created either by setup bsx in the Temp directory during installation or by extracting it to a location specified by the user (usually Administrator). This file initiates installation.
Installed Files
The MSI installs the majority of the ProxyClient files to the installation target. Table A4 lists the files for a 32bit Windows platform, and Table A5 lists the files installed on a 64bit Windows 7 platform.
Table A4
File Name
ProxyClient
ProxyClientSvc.exe
ProxyClientUI.exe
ProxyClient32.dll
Easyhook32.lib
ProxyClientDC.exe
SGClientEula.html
Chartdir.dll
SGCustomAction.dll
Bridge.pyc
StringTable.pyc
ProxyClientConfig.xml
Description
Shortcut for the ProxyClient application
ProxyClient service executable
ProxyClient tray icon executable
ProxyClient acceleration/web filtering library
ProxyClient Data Collector utility
End User License Agreement
User interface support library
Installation support library
User interface support file
User interface support file
ProxyClient configuration and policy file (downloaded from Client Manager)
Acceleration driver
Web filter driver
Required by the Easyhook library.
Table A5
File Name
ProxyClient
ProxyClientSvc.exe
ProxyClientUI.exe
ProxyClient64.dll
Easyhook64.lib
ProxyClientDC.exe
SGClientEula.html
Chartdir.dll
SGCustomAction.dll
Bridge.pyc
StringTable.pyc
ProxyClientConfig.xml
Description
Shortcut for the ProxyClient application
ProxyClient service executable
ProxyClient tray icon executable
ProxyClient acceleration/web filtering library
ProxyClient Data Collector utility
End User License Agreement
User interface support library
Installation support library
User interface support file
User interface support file
ProxyClient configuration and policy file (downloaded from Client Manager)
Acceleration driver
Web filter driver
Required by the Easyhook library.
Injects a 64bit process with the 32bit ProxyClient service.
File Name
com.bluecoat.proxyclient.plist
com.bluecoat.proxyclient.config.plist
com.bluecoat.proxyclient.datacollector.plist
com.bluecoat.proxyclient.internal.plist
Proxyclientlog.etl
Proxyclientdebug.etl
Location
Plist files directory
Support Directory
Support Directory
Description
Service launch daemon
Webfilter driver
ProxyClient configuration plist files
Additionally, several user interface files are written to the include and webroot folders under the installation target. The total size of the installed files (not including the initial configuration file) is approximately 15 MB. The size of the configuration file varies from 2 KB to several MB.
Shortcuts
The MSI also creates a shortcut in the Start menu. The shortcut is called ProxyClient, and is in the Blue Coat ProxyClient folder. No shortcuts are created on the desktop.
Table A7 lists some of the registry keys used by the ProxyClient. In the table, the following abbreviations are used:
HKCR means HKEY_CLASSES_ROOT
HKCU means HKEY_CURRENT_USER
HKLM means HKEY_LOCAL_MACHINE
Table A7
Path: HKCR\AppID\{5CDD0A2B-2C5C-4313-83EF-A3F4A4551918}
Purpose: Key: Contains data required by the service

Path: HKLM\Software\Blue Coat Systems\Proxy Client\
Windows 7 (64bit): HKLM\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client
Purpose: Key: Software settings for ProxyClient. Keys under this node are discussed in Table 114, "ProxyClient registry settings" on page 227.

Path: Windows 7 (64bit): HKLM\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client\config
Purpose: Table 115, "ProxyClient registry settings (config subnode)" on page 229

Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\ProxyClient Service

Path: HKLM\System\CurrentControlSet\Services\ (proxyclientflt, ProxyClientSvc, proxyclientwebfilter, WebFilter)
Purpose: Sub-keys (in parentheses) created for acceleration and web filter drivers

Path: HKLM\System\CurrentControlSet\Control\SafeBoot\Network\proxyclientsvc
Purpose: Key: Start ProxyClient when booting in Safe Mode
During Runtime
As the ProxyClient runs, it creates additional files depending on what functionality is enabled. When the service runs, an encrypted folder is created under the Windows user folder for the LocalService account. This provides a more secure environment for storing sensitive data.
interpretation.
Windows XP
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient
Windows Vista
%SystemDrive%\Windows\system32\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient
Windows 7 (64bit)
%SystemDrive%\Windows\SysWOW64\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient
To change the location of the cache directory, see one of the following sections:
To set the cache directory when you install the ProxyClient software, see "Parameters for Silent Installations" on page 183.
Data Collector
The Data Collector utility, which is installed with the ProxyClient, creates a subfolder of Temp as a repository for the collected data. The contents of the Support folder are copied here, and several new files are created. The specifics of the folder's contents are discussed in other documents about the Data Collector.
Note: The Data Collector is a troubleshooting utility. For more details, see
Removal
When the ProxyClient is removed from a user's system, all installed software, drivers and supported files are removed.