
Blue Coat Systems ProxyClient Administration and Deployment Guide for Windows

ProxyClient Version 3.4 SGOS Version 6.2.x


Contact Information
Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121
Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com
Copyright 1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, ProxyOne, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY BLUE COAT) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


Document Number: 231-03077
Document Revision: ProxyClient 3.4.x 11/2011


Contents
Preface

Audience (page 9)
Typographical Conventions (page 9)
Blue Coat Knowledge Base (page 9)
Notes and Warnings (page 10)
Chapter 1: ProxyClient Concepts

What's New in This Release (page 12)
About ProxyClient Tamper Resistance (page 12)
About ProxyClient Location Awareness (page 13)
Overview of Location Awareness (page 13)
About Web Filtering Auto-Detection (page 14)
General Guidelines for Location Conditions (page 15)
About Condition Rulebase Ordering (page 16)
About ProxyClient CIFS Acceleration (page 17)
About ProxyClient Web Filtering (page 19)
Web Filtering Terminology (page 19)
Enabling or Disabling Web Filtering Based on Location (page 20)
Web Filtering for Users and Groups (page 20)
About the BCWF Database and Categorization (page 21)
About Security With Guest User Scenarios (page 22)
About ADN Feature Support in ProxyClient (page 23)
ADN and ProxyClient Terminology (page 23)
About the Roles of ProxySG Appliances With the ProxyClient (page 25)
ADN Features and the ProxyClient (page 26)
ProxyClient Security Disclaimers (page 30)
About ProxyClient Licensing (page 31)
Software and Hardware Requirements (page 31)
Why Deploy ProxyClient? (page 31)
About Blue Coat in the Network (page 32)
Chapter 2: ProxyClient Deployments

Assumptions (page 35)
ProxySG Assumptions (page 35)
ProxyClient Computer Setup Assumptions (page 35)
Network Assumptions (page 36)
Location Awareness Assumptions (page 36)
ProxyClient Deployment Roadmap (page 37)
Step 1: Configure a Primary ADN Manager and Internet Gateway (page 38)
Step 2: Configure the Concentrator (page 41)
Step 3: Configure the Client Manager (page 42)
Step 4: Configuring ProxyClient Acceleration (page 43)
Step 5: Configuring ProxyClient Web Filtering (page 46)
Step 6: Configure ProxyClient Locations (page 48)
Step 7: Install the ProxyClient Software (page 53)
Performing Basic Verification (page 53)
Verifying Location Awareness (page 54)
Viewing Acceleration Details (page 56)
Viewing Web Filtering Details (page 57)
Viewing the Admin Log (page 57)
Verifying Tamper Resistance (page 58)
For More Information About ProxyClient Troubleshooting (page 58)
Step 8: (Optional) Using Web Filtering Auto-Detection (page 58)
Sample Local Policy File (page 62)
Verifying Web Filtering Auto-Detection (page 63)
Chapter 3: Getting Started with the ProxyClient

ProxyClient Configuration Overview (page 67)
Where To Go From Here (page 69)


Chapter 4: ADN Network Configuration Prerequisites

ProxyClient Compatibility with SGOS (page 71)
Recommended Upgrade Information (page 71)
ProxyClient and SGOS Compatibility (page 72)
Important Information About Web Filtering Support (page 72)
For More Information About ADN Networks (page 73)
Preparing the ADN Configuration for ProxyClient Deployment (page 73)
About Open ADN and Closed ADN With the ProxyClient (page 74)
Configuring a Closed or Open ADN Network (page 75)
Enabling ADN Managers (page 76)
About Manager Listening Mode With the ProxyClient (page 77)
About Tunneling Listening Mode With the ProxyClient (page 78)
Configuring Manager and Tunneling Ports (page 79)
Configuring Concentrators to Advertise Subnets (page 79)
About Secure Outbound Mode (page 80)
About Internet Gateways (page 80)
Chapter 5: Configuring the Client Manager

Before You Begin Configuring the Client Manager (page 81)
Designating a ProxySG as the Client Manager (page 81)
Uploading the ProxyClient Software to the Client Manager (page 85)
Overview of the ProxyClient Upload Process (page 85)
Getting the ProxyClient Software (page 86)
Running Windows.msi (page 87)
Uploading the ProxyClient .car File to the Client Manager (page 87)
Setting Up the Client Manager (CLI) (page 89)
Configuring the Client Manager (CLI) (page 90)
Loading the Software (CLI) (page 90)
Showing ProxyClient Settings (CLI) (page 90)
Clearing ProxyClients (CLI) (page 90)
Chapter 6: Configuring ProxyClient Locations

Location Awareness Overview (page 93)
Location Awareness Decision Diagram (page 94)
Location Awareness Task Summary (page 95)
Configuring ProxyClient Locations (page 95)
Ordering Locations in the Rulebase (page 98)
Configuring Default Actions (page 99)
Configuring Web Filtering Auto-Detection (page 100)
Installing Local Policy on ProxySGs (page 100)
Configuring ProxyClient Locations (CLI) (page 101)
Chapter 7: Configuring ProxyClient Acceleration

Before You Begin Configuring ProxyClient Policy (page 103)
Specifying the ProxyClient ADN Manager (page 103)
Troubleshooting ProxyClient Acceleration Configuration (page 106)
Tuning the ADN Configuration (page 107)
Excluding Subnets from Being Accelerated (page 108)
Excluding and Including Ports (page 109)
Enabling File Sharing Acceleration (page 111)
Configuring ProxyClient Acceleration Settings (CLI) (page 114)
Troubleshooting ProxyClient Acceleration (page 115)
Overview of Acceleration Troubleshooting (page 115)
Getting Detailed Diagnostics (page 118)
More Information About ProxyClient Acceleration Troubleshooting (page 119)
Getting Detailed Diagnostics (page 126)
Chapter 8: Configuring ProxyClient Web Filtering

Web Filtering Task Summary (page 128)
Options for Enabling Blue Coat Web Filtering (page 129)
Enabling the Blue Coat Web Filter Database (Optional) (page 130)
Enabling Other Databases (page 133)
Enabling the Use of the Local Database (Optional) (page 133)
Enabling the Local Database (page 134)
Setting Up ProxyClient Web Filtering (page 135)
Entering BCWF Database Credentials (page 135)
Enabling ProxyClient Web Filtering (page 136)
About the Policy Tab Page (page 139)
Working With Categories, Users, Groups, and Policy Actions (page 141)
Getting Started With Categories (page 141)
Selecting Categories (page 143)
Configuring Users and Groups (page 144)
Managing Policy Categories (page 147)
Configuring System and Default Policy Actions (page 149)
Ordering Categories in the Rulebase (page 150)
Configuring Other Web Filtering Options (page 153)
Web Filtering Best Practices (page 155)
Displaying and Customizing Web Filtering Exception Pages (page 157)
Enabling Web Filtering Logging (page 159)
About Web Filtering Logging (page 159)
How to Enable Web Filtering Logging (page 160)
Configuring Clients That Require a Proxy to FTP Logs (page 163)
Interpreting the Log Files (page 163)
Configuring ProxyClient Web Filtering (CLI) (page 165)
Troubleshooting ProxyClient Web Filtering (page 165)
Overview of Web Filtering Troubleshooting (page 166)
More Information About Web Filtering Troubleshooting (page 167)
Getting Detailed Diagnostics (page 170)
Chapter 9: Distributing the ProxyClient Software

ProxyClient Software Distribution Prerequisites (page 173)
Overview of Distributing the ProxyClient Software (page 173)
Preparing Interactive Installations (page 174)
Interactive Installations from the Client Manager (page 175)
Interactive Manual Installations (page 180)
Preparing Silent Installations and Uninstallations (page 181)
About Silent Web Filtering Installations (page 182)
Parameters for Silent Installations (page 183)
Command for Silent Uninstallations (page 188)
Example Installations and Uninstallation (page 189)
Limiting ProxyClient Visibility and Interactivity (page 190)
Using Group Policy Object Distribution (page 193)


Chapter 10: Monitoring ProxyClient Performance

Viewing ProxyClient History Statistics (page 197)
Viewing ProxyClient Bandwidth (BW) Usage Statistics (page 199)
Viewing ProxyClient Active Clients Statistics (page 199)
Viewing ProxyClient Configurations Served Statistics (page 199)
Viewing ProxyClient Software Served Statistics (page 199)
Viewing ProxyClient Detail Statistics (page 200)
Viewing ProxyClient Client Details (page 203)
Viewing ProxyClient Client Version Count (page 208)
Viewing ProxyClient ADN History Statistics (page 209)
Viewing ProxyClient Active Session Statistics (page 210)
Chapter 11: Troubleshooting the ProxyClient

Using the ProxyClient Web Browser for Troubleshooting (page 213)
Troubleshooting ProxyClient Installation and Operation (page 214)
Suggested Workarounds for Installation Errors (page 215)
ProxyClient Tray Icon States and Meanings (page 222)
Other ProxyClient Troubleshooting Tools (page 224)
ProxyClient Troubleshooting Tools Summary (page 225)
Changing the Client Manager (page 229)
Changing the Default Web Server Port (page 230)
Uninstalling the ProxyClient Software (page 231)
Performing Data Traces and Data Collection (page 232)
Using the ProxyClient VPN Whitelist Utility (page 238)
Client Manager Logging (page 240)
Using the ProxyClient VPN Whitelist Utility (page 241)
Installation (page 243)
Folders (page 243)
Files (page 244)
Setup MSI (page 244)
Setup pkg (page 244)
During Runtime (page 247)
Logging and Support (page 247)
Web Filter Files (page 248)
Data Collector (page 248)
Removal (page 248)


Preface

This Preface provides you with an overview of the intended audience for this book, the document organization, Blue Coat typographical conventions, and related documentation for this product.

Audience
This book is written for administrators responsible for planning and deploying the Blue Coat ProxyClient and assumes that you have knowledge of basic ADN networking.

Typographical Conventions
Blue Coat documents employ the following typographical conventions:
Convention: Definition
Italics: The first use of a new or Blue Coat-proprietary term; also used for emphasis.
Courier New: Command-line text.
Courier New Italic: A command-line variable that is to be replaced by a name or value pertaining to your network system.
Courier New Boldface: A literal value to be entered as shown.
{ }: One of the parameters enclosed within the braces must be supplied.
[ ]: An optional parameter or parameters.
|: You can select the parameter before or after the pipe character. (I think this needs a better description/JR)

Blue Coat Knowledge Base


Blue Coat now has a Knowledge Base, which contains information about this product that might not be available in the documentation or Release Notes. The Knowledge Base contains information in the following categories:

Solutions
FAQs
Alerts, including security alerts
Technical field information

Blue Coat recommends you regularly search the Knowledge Base for late-breaking information that might not be available in product documentation or Release Notes.
To view articles in the Knowledge Base:

1. Enter the following URL in your browser's address or location field: https://kb.bluecoat.com
2. Do any of the following:
   To get an answer to a specific question, enter the question in the Ask a question field, and click Ask.
   To view a specific set of articles, click a selection in the horizontal navigation bar (Solutions, FAQs, and so on). All of the sections enable you to browse by product, operating system, type of deployment, or topic.
3. Follow the prompts on your screen to locate the desired information.
   To view solutions for the ProxyClient:
   a. Click Solutions.
   b. On the Solutions page, click Products.
   c. On the Products page, click ProxyClient.
   Note: Not all products are listed in alphabetical order; ProxyClient is listed in the first column.

Notes and Warnings


The following is provided for your information and to caution you against actions that can result in data loss or personal injury:
Note: Information to which you should pay attention.

Important: Critical information that is not related to equipment damage or personal injury (for example, data loss).

Chapter 1: ProxyClient Concepts

Before configuring the ProxyClient, Blue Coat recommends that you understand the conceptual information discussed in this chapter.
Note: This book assumes that you are familiar with the Blue Coat Application Delivery Network (ADN) concepts and features, as discussed in "ADN Acceleration Techniques" on page 770 in the SGOS Administration Guide.

This chapter discusses the following topics:

"What's New in This Release"
"ADN and ProxyClient Terminology" on page 23
"About Blue Coat in the Network" on page 32
"About the Roles of ProxySG Appliances With the ProxyClient" on page 25
"About ProxyClient Tamper Resistance" on page 12
"About ProxyClient Location Awareness" on page 13
"About ProxyClient CIFS Acceleration" on page 17
"About ProxyClient Web Filtering" on page 19
"About ADN Feature Support in ProxyClient" on page 23
"ADN Features and the ProxyClient" on page 26
"About ProxyClient Licensing" on page 31
"Software and Hardware Requirements" on page 31
"Why Deploy ProxyClient?" on page 31
"About Blue Coat in the Network" on page 32

What's New in This Release


This section summarizes the new features and significant enhancements in the ProxyClient 3.4 release.
Feature: Support for Mac OS X
Summary: ProxyClient can be run on Mac OS X platforms.

For more information about ProxyClient features, see the following sections:

"About ProxyClient Tamper Resistance" on page 12
"About ProxyClient Location Awareness" on page 13
"About Web Filtering Auto-Detection" on page 14
"About ProxyClient CIFS Acceleration" on page 17
"About ProxyClient Web Filtering" on page 19

About ProxyClient Tamper Resistance


Users who log in with local administrative privileges on their computer have the authority to perform tasks such as stopping services, killing processes, and uninstalling software. For example, a user who can stop the ProxyClient service can circumvent Web content filtering. To help prevent that, ProxyClient 3.4 offers the following tamper resistance features:
Tamper resistance feature: Requires uninstall password?
Users cannot uninstall the ProxyClient software unless they know the uninstall password: Yes
Users cannot permanently stop the ProxyClient service using the Services application in the Windows Control Panel, the Windows Task Manager, or using the net stop ProxyClientSvc.exe command: Yes
Users cannot stop the ProxyClient services using net stop from the command line: Yes
Users cannot alter or delete ProxyClient policy: No

More information about each feature follows:

Uninstalling the software: Only a local administrator who knows the password can uninstall the ProxyClient software.

Stopping the service: No user, even a local administrator, can permanently stop the service. The uninstall password must be configured to enable this feature but a password prompt is not presented to the user. A user who is a local administrator can temporarily stop the service but after a short period of time, the service restarts itself.
Note for ProxyClient Web filtering: Blue Coat recommends you set the policy action for the Unavailable category to Block to prevent Internet access in the event users attempt to defeat Web filtering by stopping the service. See "Web Filtering Best Practices" on page 155.

Altering policy: Even if a user succeeds in editing the encrypted configuration file, the user's changes are ignored.

About ProxyClient Location Awareness


The following sections discuss location awareness:

"Overview of Location Awareness"
"About Web Filtering Auto-Detection" on page 14
"General Guidelines for Location Conditions" on page 15
"About Condition Rulebase Ordering" on page 16

Overview of Location Awareness


Location awareness enables administrators to enable or disable ProxyClient acceleration and Web filtering functionality based on the location from which the client connects. For example, the administrator should disable both acceleration and Web filtering for users in the office if ProxySG concentrators and branch proxies perform those functions. Administrators should enable both acceleration and Web filtering for mobile users because there is no local ProxySG to perform those functions. (In general, enable the ProxyClient to perform functionality a local ProxySG does not perform.)
Note: The ProxyClient version 3.2 or later can be configured to detect whether it is in a network where a ProxySG appliance is performing Web filtering. For more information, see "About Web Filtering Auto-Detection" on page 14.

Locations are defined by the ProxySG administrator using one or more of the following location conditions (Configuration > ProxyClient > General > Locations):

- Source IP range, which is appropriate for situations (such as in the office) where you know the IP address range from which clients connect.
- DNS server IP address. In some situations, the client's IP address might not be enough to uniquely define a location. If that is the case, DNS servers can be used as additional location conditions.
- Virtual network interface IP address, which should be used whenever clients connect to the corporate network using VPN software.


VPN software typically creates a virtual network adapter (referred to as a virtual NIC) that is assigned an IP address to be used when the client connects to the corporate network over VPN. A VPN gateway behind the firewall at the corporate data center provisions IP addresses and DNS server addresses to VPN clients.
Note: Some VPN client software creates a virtual NIC as a physical adapter, and that prevents the adapter from being used as a location criterion. To work around this issue, see "Using the ProxyClient VPN Whitelist Utility" on page 238.

Location conditions are logically ANDed together, so choosing more than one location condition for a location is a good way to uniquely identify the location.

If the computer's IP address changes, the ProxyClient detects the IP address change and evaluates it against location rules. For example, if a user takes a laptop from the office to a mobile location and installs a wireless adapter in the laptop, as soon as the IP address changes, the laptop's location is evaluated against defined locations.

Continue with "About Web Filtering Auto-Detection".

About Web Filtering Auto-Detection


This section discusses the prerequisites and benefits of Web filtering auto-detection, which disables ProxyClient Web filtering if the ProxyClient is deployed in any of the following ways:

- In-path with a ProxySG that performs Web filtering
- The ProxyClient uses a filtering ProxySG as an explicit proxy

With this new feature, introduced in SGOS 5.5 and ProxyClient 3.2, you are no longer required to create an in-office location to disable ProxyClient Web filtering.

Prerequisites: All of the following must be true:

- The Client Manager must run SGOS 5.3.2.5 or later.
- Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).
- The ProxyClient must be deployed in any of the following ways:
  - In-path with the filtering ProxySG
  - The ProxyClient computer must use the filtering ProxySG as an explicit proxy
- ProxyClients must run 3.2 or later.


- Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed. For details, see "Configuring Web Filtering Auto-Detection" on page 100.

Benefits:

- Web filtering auto-detection is fast, happening within a few seconds after a ProxyClient requests a rating for a URL.
- Web filtering auto-detection prevents double filtering. Double filtering happens when both ProxyClient Web filtering and ProxySG Web filtering are applied to a URL request. (For example, if Web filtering is enabled in the ProxyClient's location and is also enabled by policy in an office network with ProxySG Web filtering.) Double filtering can result in policy conflicts if the same category is allowed by one policy set and blocked by another policy set.

Continue with "General Guidelines for Location Conditions".

General Guidelines for Location Conditions


In general, configure the ProxyClient to perform the features that a ProxySG does not perform (acceleration or Web filtering). Also see "Step 6: Configure ProxyClient Locations" on page 48 for a step-by-step example. When planning your ProxyClient deployment, Blue Coat recommends you take the following into account:

- Whether or not a ProxySG at the location performs acceleration or Web filtering
- Which two of the three available location conditions uniquely define the location

The following table shows how to use these guidelines in a sample four-location deployment:
| Location type | How to apply the guidelines |
| --- | --- |
| Mobile with no local ProxySG | Role of local ProxySG: There is none so the location should enable both ProxyClient acceleration and Web filtering. Location conditions: To uniquely identify the location, choose Virtual NIC IP address and DNS server IP address. |
| Headquarters with several local ProxySGs | Role of local ProxySGs: Perform both acceleration and Web filtering so the location should disable both features. Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address. Also see "About Web Filtering Auto-Detection" on page 14. |
| Branch office with no local ProxySG | Role of local ProxySG: There is none so the location should enable ProxyClient acceleration. However, if a ProxySG at headquarters performs Web filtering, you should disable Web filtering at the branch office. Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address. |
| Branch office with a local ProxySG | Role of local ProxySG: If the local ProxySG performs both acceleration and Web filtering, the location should disable both. However, if the local ProxySG performs only acceleration, the location should disable ProxyClient acceleration and enable Web filtering. Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address. Also see "About Web Filtering Auto-Detection" on page 14. |

For a step-by-step example of setting up locations, see Chapter 2: "ProxyClient Deployments".

About Condition Rulebase Ordering


The order in which locations display on the Configuration > ProxyClient > General > Locations tab page determines the order in which the rules are evaluated when users connect to the Client Manager. To avoid mismatches, order the rules from most to least restrictive.

For example, suppose headquarters uses IP addresses in the range from 10.0.0.0 to 10.255.255.255 but the VPN gateway located at headquarters has a pool of IP addresses in a subset of that range; for example, 10.3.1.1 to 10.3.1.255. Because the VPN gateway is used by home office or mobile users, the administrator wants to use different policy actions for headquarters and home office users. Users at the headquarters location should have ProxyClient acceleration and Web filtering disabled but users in a home office or mobile location should have both ProxyClient features enabled.


To accomplish that, the administrator creates the two locations as follows.


| Location | Conditions |
| --- | --- |
| Headquarters | Source IP address range: 10.0.0.0 to 10.255.255.255; DNS server IP address: For example, 10.0.0.11 and 10.0.0.12 |
| Home office or mobile | DNS server IP address: Same as headquarters; VNIC IP address range: 10.3.1.1 to 10.3.1.255 |

To make sure the home office or mobile location is detected first, the administrator must order it in the rulebase before the headquarters location. An example follows.
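The ordering problem above, worked through as an added example (a simplified model of this guide's scenario, not Blue Coat code): conditions are ANDed, the first matching location wins, and a lint pass flags an earlier location that swallows a later one. All class and function names are hypothetical; the model assumes the source IP range condition can match any adapter address and that the DNS condition matches when the client uses any one of the listed servers.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]  # inclusive (first, last)


def ip_range(first: str, last: str) -> Range:
    return IPv4Address(first), IPv4Address(last)


def contains(rng: Range, addr: IPv4Address) -> bool:
    return rng[0] <= addr <= rng[1]


def within(inner: Range, outer: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


@dataclass
class Client:
    adapters: List[Tuple[IPv4Address, bool]]  # (address, is_virtual_nic)
    dns_servers: frozenset


@dataclass
class Location:
    name: str
    acceleration: bool
    web_filtering: bool
    source_range: Optional[Range] = None
    dns_servers: frozenset = frozenset()
    vnic_range: Optional[Range] = None

    def matches(self, c: Client) -> bool:
        """Every configured condition must hold (logical AND)."""
        if self.source_range is not None and not any(
                contains(self.source_range, a) for a, _ in c.adapters):
            return False
        if self.dns_servers and not (self.dns_servers & c.dns_servers):
            return False
        if self.vnic_range is not None and not any(
                virt and contains(self.vnic_range, a) for a, virt in c.adapters):
            return False
        return True


def evaluate(rulebase: List[Location], client: Client) -> Optional[Location]:
    """First match in rulebase order wins; None means no location matched."""
    return next((loc for loc in rulebase if loc.matches(client)), None)


def shadows(earlier: Location, later: Location) -> bool:
    """Sufficient check: any client matching `later` also matches `earlier`."""
    if earlier.source_range is not None:
        ranges = [r for r in (later.source_range, later.vnic_range) if r]
        if not any(within(r, earlier.source_range) for r in ranges):
            return False
    if earlier.dns_servers and not (
            later.dns_servers and later.dns_servers <= earlier.dns_servers):
        return False
    if earlier.vnic_range is not None and not (
            later.vnic_range is not None
            and within(later.vnic_range, earlier.vnic_range)):
        return False
    return True


def find_shadowed(rulebase: List[Location]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where the later location can never be selected."""
    return [(e.name, l.name) for i, e in enumerate(rulebase)
            for l in rulebase[i + 1:] if shadows(e, l)]


# The two locations from the table above.
DNS = frozenset({IPv4Address("10.0.0.11"), IPv4Address("10.0.0.12")})
HQ = Location("Headquarters", acceleration=False, web_filtering=False,
              source_range=ip_range("10.0.0.0", "10.255.255.255"),
              dns_servers=DNS)
REMOTE = Location("Home office or mobile", acceleration=True,
                  web_filtering=True, dns_servers=DNS,
                  vnic_range=ip_range("10.3.1.1", "10.3.1.255"))

# Constructed sample clients: a VPN user at home and a desktop at headquarters.
VPN_USER = Client([(IPv4Address("192.168.1.20"), False),
                   (IPv4Address("10.3.1.40"), True)],
                  frozenset({IPv4Address("10.0.0.11")}))
OFFICE_USER = Client([(IPv4Address("10.20.5.7"), False)], DNS)

if __name__ == "__main__":
    for order in ([REMOTE, HQ], [HQ, REMOTE]):
        names = " > ".join(loc.name for loc in order)
        hit = evaluate(order, VPN_USER)
        print(f"{names}: VPN user -> {hit.name}, "
              f"web filtering {'on' if hit.web_filtering else 'off'}, "
              f"shadowed: {find_shadowed(order)}")
```

With headquarters listed first, the VPN user is classified as an office user and ProxyClient Web filtering is switched off for a machine that has no local ProxySG in front of it.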

About ProxyClient CIFS Acceleration


The ProxyClient accelerates file shares located on remote servers by locally caching regions of files that are read or written by the client. CIFS object caching applies to both read and write file activities.
Note: You can set the maximum percentage of total disk space (as opposed to available disk space) the ProxyClient allocates to the byte cache and the CIFS cache. The ProxyClient always leaves at least 1GB of available disk space on the client computer. By default, the cache is located on the system root volume.

Starting with ProxyClient version 3.2, two new options enhance these capabilities:

- Remote storage optimization: Improves performance by causing Windows Explorer to minimize the amount of data transfer when users browse to a remote accelerated file share.


Specifically, this feature limits read ahead. Excessive read ahead slows performance if users enable the Display file size information in folder tips option for folders in Windows Explorer (On Windows XP and Vista: Tools > Folder Options > View tab page under Files and Folders. On Windows 7: Organize > Folder and Search Options > View tab page under Files and Folders). When a user browses to a folder if read ahead is enabled, Windows Explorer waits while folder and file metadata is retrieved; if you enable remote storage optimization, metadata is not requested so performance is improved. The amount of performance improvement from enabling ProxyClient remote storage optimization depends on how many files are in the remote folder and how many subfolders are nested under the folder.
Note: It takes time for a configuration change to take effect. For example, if a client has two connections open to an accelerated file share at the time the client receives a configuration update from the Client Manager, it might take several minutes before a change from Enable to Disable takes effect for these open connections. On the other hand, the first connection after a configuration change is received by the client uses the current configuration setting.

- Suppress folder customization: This setting can improve performance when a user browses to a remote accelerated file share that has a large number of customized nested folders. (An example of customizing a folder is changing its display icon.) Customized folders have the Windows read-only attribute. Read-only folders are not the same as read-only files in the following ways:
  - Windows, Windows components, and accessories usually ignore the read-only attribute of a folder.
  - Windows does not usually enable a user to view or change read-only or system attributes of a folder.

Windows uses the read-only and system attributes of folders to specify them as special folders (for example, system folders and folders like My Documents that are customized by Windows). If an accelerated file share has a large number of nested customized folders, performance can be degraded because of the time Windows waits to retrieve properties for the folder (in particular, desktop.ini). As discussed in Microsoft KB article 326549, Microsoft recommends you disable the read-only attribute of remote folders for this reason.


Note: It takes time for a configuration change to take effect. For example, if a client has two tunnels open to an accelerated file share at the time the client receives a configuration update from the Client Manager, it might take several minutes before a change from Enable to Disable takes effect for these open connections.

On the other hand, the first connection opened to an accelerated file share after a configuration change is received by the client will use the current configuration setting.

About ProxyClient Web Filtering


Web filtering is used by many enterprises for security and compliance reasons. Network managers want the security of knowing users can be prevented from accessing Web sites with malicious content. Human Resources wants to prevent users from accessing offensive content or from losing productivity due to too much Web surfing. Blue Coat's ProxyClient Web filtering solution provides an answer for both concerns by providing robust filtering, both in the office and on the road.

This section discusses ProxyClient Web filtering in the following sections:

- "Web Filtering Terminology"
- "Enabling or Disabling Web Filtering Based on Location"
- "Web Filtering for Users and Groups"
- "About the BCWF Database and Categorization"
- "About Security With Guest User Scenarios"

Web Filtering Terminology


This section defines common terms used to discuss ProxyClient Web filtering.

- Blue Coat WebFilter (BCWF) database and categories: The BCWF database contains categories and URLs that are contained in those categories. The BCWF categories contain mappings between URLs and categories but do not contain the URLs themselves; URLs are categorized and rated by the WebPulse cloud service. A dedicated Client Manager needs only the BCWF categories to provide ProxyClient Web filtering services. WebPulse performs the ratings. A Client Manager that also proxies Internet traffic and performs BCWF Web filtering needs the BCWF database. The BCWF database and categories are maintained by Blue Coat. To enable and use ProxyClient Web filtering, the BCWF database or categories must be updated on the Client Manager at least once every 30 days.


The administrator chooses categories and policy actions for users and groups in each category; these categories and actions are downloaded to the ProxyClient in its configuration file. All ProxyClient URL requests are categorized by WebPulse.

- WebPulse: An Internet cloud service consisting of many service points located around the globe, WebPulse categorizes all URLs requested by ProxyClients.

Note: One major difference between ProxyClient Web filtering and branch ProxySG Web filtering is that categorization for the ProxyClient is performed by WebPulse. ProxyClient categorization is not performed by the Client Manager.

- Policy action: The action that is applied to a ProxyClient URL request. Possible actions are allow, block and warn. Policies can be applied to individual users or to user groups. More information about these policy actions can be found in "Working With Categories, Users, Groups, and Policy Actions" on page 141.

Enabling or Disabling Web Filtering Based on Location


You can enable or disable Web filtering based on a user's location. For example, if the user is at headquarters or in a branch office where there is a branch ProxySG that performs Web filtering, you should disable ProxyClient Web filtering. You should enable ProxyClient Web filtering in mobile locations because mobile users do not connect to a branch ProxySG. Use location awareness to enable or disable ProxyClient features as discussed in "About ProxyClient Location Awareness" on page 13.

Web Filtering for Users and Groups


ProxyClient Web filtering can be enforced for users and domain groups. These users and groups are validated against the user's cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects. This means you can allow, block, or warn on content according to the specific user or to the domain group to which the user belongs. To configure Web filtering policies for individual users or for user groups, do any of the following:

- ProxyClient Web filtering categories can be configured for individual users and user groups specified as follows:
  - Fully qualified account names (for example, domain_name\user_name).
  - Fully qualified DNS names (for example, domain.example.com\user_name).
  - User principal names (UPN), for example, user@example.com.

  However, be aware that translating isolated names introduces the possibility of name collisions because the same name might be used in multiple domains. Blue Coat recommends you do not use isolated names such as user_name. Fully qualified names are unambiguous and provide better performance when the lookup is performed.
- Using CPL or VPM, you can configure the branch ProxySG to apply different Web filtering policies for users or groups.

More information about performing these tasks can be found in "Managing Policy Categories" on page 147.

About the BCWF Database and Categorization


This section discusses the following topics:

- "About BCWF Categories"
- "About Categorization"

About BCWF Categories


For ProxyClients to use Web filtering, the Client Manager must get the current BCWF categories at least once every 30 days. If the categories are not updated within 30 days of the last update, BCWF becomes unlicensed and all URL requests are either allowed or blocked, depending on the administrator's choice for the On expiration option located on the Configuration > ProxyClient > Web Filtering > Policy tab page.

About Categorization
Categorization is the process of assigning a classification to a particular requested URL. If ProxyClient Web filtering is enabled for the user's location, the categorization process is as follows:

1. The user requests a URL.
2. The ProxyClient collects Web filtering categories from its configuration file. Categories are defined by the following:
   - The local database, if enabled.
   - VPM policy, if configured.
   - Results of WebPulse lookups that are temporarily cached on the user's computer.
3. The ProxyClient requests a category for the URL from WebPulse. The result of the request can be one of the following:
   - The URL request is categorized by WebPulse, if a result was not found in the local cache. (The cache, which is temporary, consists of results from previous lookups.)
   - If WebPulse cannot determine a URL's category, the URL is categorized as none and the appropriate policy action is applied.
   - If WebPulse is not available, the URL is categorized as unavailable and the appropriate policy action is applied.

   Note: One Web site can have many URLs associated with it. For example, many Web sites have advertisements that each trigger a URL request and therefore a categorization request to WebPulse.
4. After the URL's category is determined, the ProxyClient's configuration file determines the policy action (block, deny, or warn) according to the first match in the rulebase.
   - If the policy action is allow, the request goes to its destination.
   - If the policy action is block, the blocked category exception page displays.
   - If the policy action is warn, a warning message displays. The user must click an acceptance link, which represents an acknowledgment that the content request might violate corporate Web use policy. If the user clicks the acceptance link, the request goes to its destination.

   Note: If a user clicks the acceptance link, the requested Web site will be accessible for 15 minutes. The accessibility time period is not currently configurable for the Web site.
5. Results of WebPulse lookups are temporarily cached.
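The categorization steps above, sketched as an added example (a simplified model, not Blue Coat code) that shows why the action chosen for the unavailable category decides whether filtering fails open or closed. The class names, the injected rating function standing in for WebPulse, the five-minute cache lifetime, the default action for unmatched categories, and keying the 15-minute acceptance by host name are all assumptions of the model.

```python
import time
from urllib.parse import urlsplit

NONE, UNAVAILABLE = "none", "unavailable"
WARN_ACCEPT_SECONDS = 15 * 60  # acceptance window stated in the guide


class WebFilter:
    def __init__(self, rulebase, rate_url, default_action="allow",
                 cache_ttl=300, clock=time.monotonic):
        self.rulebase = rulebase            # ordered (category, action) pairs
        self.rate_url = rate_url            # stand-in for the WebPulse request
        self.default_action = default_action  # assumption: used if no rule matches
        self.cache_ttl = cache_ttl          # assumption: "temporary" = 5 minutes
        self.clock = clock
        self._cache = {}                    # url -> (category, expiry)
        self._accepted = {}                 # host -> acceptance expiry

    def categorize(self, url):
        hit = self._cache.get(url)
        if hit and hit[1] > self.clock():
            return hit[0]                   # earlier lookup result still cached
        try:
            category = self.rate_url(url) or NONE
        except ConnectionError:
            return UNAVAILABLE              # service unreachable, never cached
        self._cache[url] = (category, self.clock() + self.cache_ttl)
        return category

    def action_for(self, category):
        for cat, action in self.rulebase:   # first match in the rulebase wins
            if cat == category:
                return action
        return self.default_action

    def decide(self, url):
        category = self.categorize(url)
        action = self.action_for(category)
        host = urlsplit(url).hostname
        if action == "warn" and self._accepted.get(host, 0) > self.clock():
            action = "allow"                # user accepted the warning recently
        return category, action

    def accept_warning(self, url):
        host = urlsplit(url).hostname
        self._accepted[host] = self.clock() + WARN_ACCEPT_SECONDS


# Constructed sample data: ratings, a fake rating service and a fake clock.
RATINGS = {"http://news.example/": "News",
           "http://games.example/": "Games",
           "http://shop.example/": "Shopping"}


class FakeWebPulse:
    def __init__(self):
        self.online, self.calls = True, 0

    def __call__(self, url):
        self.calls += 1
        if not self.online:
            raise ConnectionError("rating service unreachable")
        return RATINGS.get(url)


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


COMMON = [("Games", "block"), ("Shopping", "warn"), (NONE, "allow")]
FAIL_CLOSED = COMMON + [(UNAVAILABLE, "block")]  # setting the guide recommends
FAIL_OPEN = COMMON + [(UNAVAILABLE, "allow")]    # stopping lookups defeats filtering


def demo():
    clock, service = FakeClock(), FakeWebPulse()
    wf = WebFilter(FAIL_CLOSED, service, clock=clock)
    shop, out = "http://shop.example/", []
    out.append(wf.decide(shop))             # warn page shown
    wf.accept_warning(shop)
    out.append(wf.decide(shop))             # allowed inside the 15 minutes
    clock.now += WARN_ACCEPT_SECONDS + 1
    out.append(wf.decide(shop))             # window over, warn again
    service.online = False
    out.append(wf.decide("http://games.example/"))  # blocked while unreachable
    return out


if __name__ == "__main__":
    for category, action in demo():
        print(f"{category:12} -> {action}")
```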

About Security With Guest User Scenarios


When travelling, users might be required to initially access the Internet as a guest. For example, some businesses and hotels provide WiFi or hard-wired networks, but require users to gain access through a portal. When the user connects to the network and opens their Web browser, the browser redirects to a welcome page from which the user must interact to gain connectivity to the Internet. The welcome page can be as simple as a click-through service agreement or as complex as a service that requires a credit card payment for Internet access. After users complete the required agreement or transaction, they are allowed to access the Internet. When the ProxyClient detects this, it enables the user to view the welcome page and complete whatever authentication transaction is required to gain additional connectivity without applying Web filtering. After the user can connect to the Internet, the ProxyClient applies Web filtering policy.


ProxyClient operates within the restricted network before completing the welcome page transaction, yet prevents any unauthorized user access.

About ADN Feature Support in ProxyClient


This section discusses topics related to how the ProxyClient functions in an ADN network. For more information, see one of the following topics:

- "ADN and ProxyClient Terminology"
- "About the Roles of ProxySG Appliances With the ProxyClient"
- "ADN Features and the ProxyClient"
- "About Internet Gateways"
- "About Reflecting the ProxyClient IP Address"

ADN and ProxyClient Terminology


This chapter uses the following common terms:

- ProxyClient: Downloaded and installed on user systems, the ProxyClient provides increased network performance and Web filtering when the connection is not fronted by a Blue Coat ProxySG.

- ADN Manager: Every ADN network in which ProxyClient acceleration is enabled must have a ProxySG designated as the ADN Manager, which is responsible for publishing the routing table to ProxyClients (and to other ProxySG ADN peers). You can optionally designate another ProxySG appliance as the backup manager. This appliance takes over the duty of providing routing information to ProxyClients in the event the ADN manager becomes unavailable.


If you are using ProxyClient Web filtering only, you do not need to specify an ADN manager.

- Concentrator: A ProxySG appliance that receives inbound ADN tunnels from the ProxyClient (and other ProxySG appliances on the ADN network) and accelerates data center resources (such as file servers and Web applications).

- Branch ProxySG: A ProxySG deployed near a branch office router (where branch office means a small or regional office). To retrieve client file and data requests from servers located in the corporate data center, the branch proxy connects to the ADN concentrators (which are advertised by the ADN manager or discovered transparently) in the data centers at the corporate location. If the branch location has servers, the branch peer also serves as a concentrator. A branch ProxySG can provide acceleration, Web filtering, or both for the branch office.

- Client Manager: A Client Manager is a ProxySG (running a compatible version of SGOS) that provides the ProxyClient software to users and maintains the software and the client configuration of all clients in the ADN network. Commonly, the Client Manager appliance is deployed in the intranet behind the enterprise VPN gateway, with a router connection to the Internet. For details, including which SGOS versions are supported, see "ProxyClient Compatibility with SGOS" on page 71.

- Mobile user: Employees who use laptops with ProxyClient installed and travel from corporate locations to other locations, such as customer sites, hotels, or home offices. "Mobile users" does not refer to users with hand-held devices.

- Location awareness: The ability of the ProxyClient to detect the presence of a network connection and enable or disable acceleration and Web filtering as determined by policy. For example, you typically disable both ProxyClient acceleration and Web filtering in the office but enable them for mobile users. The ProxySG administrator determines the criteria that define locations and enables or disables acceleration and Web filtering for each location.

- Byte caching: A specific form of compression that looks for repeated data patterns transmitted over the WAN. Byte caching plus other forms of compression (such as gzip) optimizes the data sent over the TCP tunnel.


- Common Internet File System (CIFS) optimization: ProxyClient significantly enhances WAN file service delivery by implementing the following:
  - CIFS protocol optimization, which improves performance by consolidating data forwarded across the WAN.
  - Client object caching, which enables clients to get previously obtained data from the cache rather than from across the WAN.

About the Roles of ProxySG Appliances With the ProxyClient


One or more ProxySG appliances interact with ProxyClients in the following ways:

- ADN Manager and backup manager: As discussed in "ADN and ProxyClient Terminology" on page 23, to use ProxyClient acceleration, you must configure an ADN Manager and Blue Coat recommends you also configure a backup manager. If you are using ProxyClient Web filtering only, no ADN manager is required.
- Client Manager: The ProxySG that provides the management infrastructure to ProxyClients, including the following services:
  - Software for the client (initial deployment and updates)
  - Periodic verification of the Blue Coat Web Filter (BCWF) license and database (required to use BCWF)
  - Monitoring
  - Client configuration management (such as Web filtering policy)

Note: The Client Manager can be any appliance in the ADN network, including a concentrator, the ADN manager, or a backup manager. For example, the Client Manager could also be the ADN manager, but that is not a requirement.

- Concentrator: A ProxySG that terminates ProxyClient ADN tunnels, and provides two-way compression and data forwarding to and from the appropriate server. A concentrator accelerates network traffic.
- Branch ProxySG: Depending on how it is configured, a branch ProxySG might provide acceleration and Web filtering for a branch office.

The following diagram illustrates a high-level network architecture involving ProxyClient.


Figure 11: High-level ProxyClient network diagram

ADN Features and the ProxyClient


The ProxyClient supports the following ADN features:

- "Open ADN and Closed ADN"
- "Byte Caching and gzip Compression"
- "CIFS Optimization and Caching"
- "Load Balancing and Failover"
- "Cache Encryption"
- "About Internet Gateways"
- "About Reflecting the ProxyClient IP Address"

Open ADN and Closed ADN


ADN managers and concentrators that run SGOS 5.4 and later support ADN configurations referred to as open ADN and closed ADN. The terms open and closed refer to whether or not the ADN manager accepts connections from approved peers. For more information, see the section on ADN modes in the chapter on configuring an ADN network in the SGOS Administration Guide. To use ProxyClient acceleration, you must specify a primary ADN manager and optionally a backup ADN manager; the managers can use either open ADN or closed ADN. For more information about using open ADN or closed ADN with the ProxyClient, see "About Open ADN and Closed ADN With the ProxyClient" on page 74.
Note: To use ProxyClient Web filtering only, no ADN manager is required.


Byte Caching and gzip Compression


Enabling ProxyClient acceleration enables both byte caching and gzip compression. gzip compression uses a lossless compression algorithm for data sent across the WAN. Byte caching is a compression mechanism where data tokens that represent larger blocks of repeated data are sent across the WAN. When one of these data tokens matches tokens in the data dictionary cached on the ProxyClient computer, the entire block of data is passed to the application that requested it, resulting in reduced WAN bandwidth usage. For example, if you request a file using Internet Explorer and a data dictionary match is found, the data is sent to Internet Explorer. If no data dictionary match is found, the token and its corresponding byte values are added to the data dictionary cached on the ProxyClient computer. A data token is a few bytes in size; the corresponding block of data for a token is much larger.

CIFS Optimization and Caching


Regions of files that are read or written by the client are placed in the cache. CIFS object caching applies to both read and write file activities. For additional details, see "About ProxyClient CIFS Acceleration" on page 17.

Load Balancing and Failover


The ProxyClient attempts three types of connections in the ADN network: the routing connection, the ADN tunneling connection, and a control connection. The routing connection obtains the routing table from the ADN Manager or backup Manager; the tunneling connection transfers data to the ADN network; and the control connection contains client identification information. The ProxyClient first attempts to connect to the primary ADN manager to get routing information; if the ADN Manager is not available, the client attempts to connect to the backup ADN Manager. If the backup ADN manager is also not available, the connection continues on (bypassed by ADN) because an ADN route is not provided. When either of the ADN Managers becomes available again, acceleration automatically resumes. Client connections that do not go through a concentrator are not accelerated and remain unaccelerated as long as the connection is open (that is, until the connection is closed by the application). After a concentrator becomes available, new connections are accelerated. ADN peer affinity helps maintain fast application performance by persisting connections from a ProxyClient to a particular concentrator and therefore reusing the byte cache. After establishing a connection to an ADN peer, ProxyClient always attempts to connect to that peer; a connection to another peer occurs only when the initial peer becomes unavailable.


Cache Encryption
To maintain a high security level after content is retrieved over the network connection, ProxyClient supports the Microsoft Encrypting File System (EFS), which makes it extremely difficult for malicious users to hack into a user system's cache to retrieve company-sensitive files. No other user can access the data in the cache, even the system administrator. If ProxyClient is uninstalled, the EFS encrypted caches are also deleted.

Note: EFS is supported only on New Technology File System (NTFS) partitions. Windows XP Home Edition supports NTFS but not EFS. File Allocation Table (FAT) or FAT32 partitions do not support EFS and therefore, the cache is not encrypted on those partitions.

The Web filtering log folder is also encrypted but the folder is in a location separate from the cache.

For computers that are connected to a network, the EFS domain certificate is required for encryption. Therefore, if the domain certificate has expired, no EFS encryption occurs. When the computer is not connected to the network, it uses its local EFS certificate and in that case, encryption works properly.

About Internet Gateways


The ProxyClient honors Internet Gateway settings. Network traffic that is not bound by ADN routing rules routes to the specified gateway unless an exception rule applies. There are some routes, such as those for local hosts, that are not required to go through the ADN Internet gateway. You can define these routes using a concentrator's Management Console (Configuration > ADN > Routing > Internet Gateway). ProxyClient uses this configuration.

About Reflecting the ProxyClient IP Address


When the ProxyClient version 3.1 or later attempts to connect to a destination, it always requests the concentrator reflect its IP address. The concentrator can be configured to either reflect the client's IP address or to reject the reflection request. Concentrator client IP reflection configuration determines what IP address the concentrator advertises to the origin server as the source address: the concentrator's own address (referred to as use local IP) or the ProxyClient computer's address (referred to as reflect the client IP).


Note: For client IP reflection to work, the concentrator used by the ProxyClient should be deployed in-path between the ProxyClient and the origin server. In other words, the return packets will have ProxyClient's IP address as the destination address and must be routed back through the same concentrator.

If the origin server is able to connect directly back to the ProxyClient computer, the connection fails. This happens because the concentrator opens a different connection to the origin server than the one originally opened by the ProxyClient, so response packets going directly from the origin server to the ProxyClient will be rejected and the connection will fail. If the concentrator is deployed out of path, you can configure the concentrator to use local IP. For example, suppose the ProxyClient requests data from a server in the corporate data center. The ProxyClient request is accepted by a ProxySG concentrator, which sends the request to the server. When the concentrator sends the request, you can configure the following IP reflection options:

Allow the request and reflect the client IP: The concentrator can present its own IP address as the source address. Select this option if your network is configured so that the origin server cannot reach a ProxyClient computer with an outside IP address; in other words, an IP address located outside the internal network.

Allow the request but connect using a local IP: The concentrator can present the ProxyClient computer IP address as the source address.

Reject the request: The concentrator can be configured to deny client reflection, in which case one of the following occurs:

If the concentrator runs SGOS 5.3 or later, the concentrator presents its own IP address as the source address. This option is equivalent to Allow the request but connect using a local IP.

If the concentrator runs an SGOS version earlier than 5.3, the connection fails.

SGOS 6.2 and later offers independent controls for configuring how the Concentrator peer handles client IP reflection requests from ProxySG peers versus ProxyClient peers. For example, you can have the Concentrator reject client IP reflection requests from ProxyClient peers but allow them from ProxySG peers. In previous releases, when the Concentrator was configured to deny reflect client IP requests from branch peers, there was a special hard-coded override that always used the Concentrator's local IP address for ProxyClient tunnel connections; if reflect client IP was set to allow, then the client IP would be reflected. For more information, see "Configuring IP Address Reflection" on page 791 of the SGOS 6.2 Administration Guide.


Note: If a ProxyClient connects to a concentrator running an SGOS version earlier than 5.3, and that concentrator is configured to reject client IP reflection requests, you must change the configuration. Otherwise, ProxyClients cannot connect to origin servers.

Any of the following options can be used with the ProxyClient:

Management Console: Use the Configuration > ADN > Tunneling > Network tab page. Choose either of the following options (click Help for more information about the options):
Allow the request and reflect the client IP
Allow the request but connect using a local IP

Command line:
SGOS#(config adn tunnel) reflect-client-ip allow
SGOS#(config adn tunnel) reflect-client-ip use-local-ip

ProxyClient Security Disclaimers


When you deploy the ProxyClient in your network, be aware of the following:

Avoid allowing users with FAT and FAT32 partitions to download the ProxyClient for the following reasons:

EFS encryption is not supported; therefore, the object cache (that is, the byte cache and CIFS cache) and Web filtering logs will not be encrypted.

Because the ProxyClient uses NTFS permissions, Web filtering can be bypassed on FAT or FAT32 partitions and logs can be deleted.

Although unlikely, it is possible for a user to edit or delete Web filtering log files before they are uploaded to the FTP server. In addition, because the FTP server allows anonymous access, anyone can download a log file, change it, and upload it again without detection (although your FTP server can report the source IP address used to upload log files). These vulnerabilities can be exploited by a legitimate user or by an unauthorized user (such as a hacker or malware).

If a user runs a VMware image on their computer, even if the computer has the ProxyClient, the VMware image can access the Internet without restrictions, effectively circumventing Web filtering. (The VMware image also operates without acceleration.) To avoid this issue, install the ProxyClient software on the VMware image.


About ProxyClient Licensing


Your SGOS trial or permanent license enables you to designate a ProxySG appliance as the Client Manager and it enables unlimited ProxyClient connections, provided the SGOS base license is valid. However, you must size your ProxyClient deployment based on Client Manager scalability. User or client licenses for the ProxyClient software are not required.
Important:

ProxyClient Web filtering can be used only with the SGOS Proxy Edition. Web filtering cannot be used with the SGOS Mach5 Edition.

ProxyClient Web Filtering licensing requires a valid Blue Coat Web Filter (BCWF) database installed on the Client Manager and a user name and password to use to update the BCWF database categories at least once every 30 days. The BCWF license is available with trial and permanent licenses. Even if the Client Manager is being used as a forward proxy, you must download the BCWF database on the Client Manager for licensing purposes.

For more information on SGOS licensing, refer to the SGOS Administration Guide.

Software and Hardware Requirements


For information about software and hardware requirements, see the ProxyClient Release Notes.

Why Deploy ProxyClient?


As mobile technology efficiency has advanced, so has the ability for enterprises and other organizations to mobilize their workforce and allow access to remote systems. Employees who are often in the field, at home, or in small offices, including those who log into the corporate network through a Virtual Private Network (VPN) connection, require the same performance that is achieved when in the corporate network environment. Likewise, corporations seek to extend the same security, policy control, and tracking abilities that are available in the corporate network. Blue Coat designed the ProxyClient solution to provide accelerated application delivery and Web filtering in the following scenarios:

For employees using laptops and who work from both the office and the field. These users enjoy accelerated network performance while on the corporate network, but lose that performance when they must, from a remote location, connect to the enterprise network using VPN.

For users in micro-branches, or offices with a very small number of users, where it might not be cost-justifiable to deploy even the smallest Blue Coat ProxySG acceleration gateway appliance.


In both of these scenarios, the ProxyClient maintains user productivity levels by providing enterprise-grade performance, while also ensuring that the corporate Web usage policies are maintained on company-owned systems in the field (only users with administrator privileges can remove or disable the ProxyClient).

About Blue Coat in the Network


ProxyClient optimizes the enterprise network conduit between remote or micro-branch office systems and ProxySG appliances. Figure 1-2 provides a high-level, logical view of Blue Coat deployed in the network.

Figure 1-2 Blue Coat in the network

Blue Coat does not provide strict guidelines for determining whether a remote location requires a local ProxySG. Generally, use a local ProxySG if the branch office has a data center (that is, file servers and so on) and to offload acceleration and Web filtering functions from the corporate ProxySGs to the branch. Blue Coat recommends considering a ProxyClient-only solution at a remote location if any of the following is true:

The remote location is a mobile user whose location changes.
The remote location is a home office.
The remote location has a few users and therefore does not justify a local ProxySG appliance.


In any of the preceding locations, you might provide connectivity to the corporate network with VPN client software; however, that is not a requirement for using the ProxyClient.

Note: Refer to the ProxyClient Release Notes for the latest list of supported VPN technologies and operating systems.


Chapter 2: ProxyClient Deployments

This chapter provides a step-by-step example of configuring the ADN manager, concentrator, and Client Manager; and installing the ProxyClient software. You can use the information in this section to quickly install the ProxyClient in an evaluation environment. Additional tasks are generally required to deploy the ProxyClient in a production environment. This chapter discusses the following topics:

"Assumptions"
"ProxyClient Deployment Roadmap" on page 37
"Step 2: Configure the Concentrator" on page 41
"Step 3: Configure the Client Manager" on page 42
"Step 4: Configuring ProxyClient Acceleration" on page 43
"Step 5: Configuring ProxyClient Web Filtering" on page 46
"Step 6: Configure ProxyClient Locations" on page 48
"Step 7: Install the ProxyClient Software" on page 53
"Performing Basic Verification" on page 53
"Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58

Assumptions
This section discusses the assumptions that will be made in the examples discussed in this sample ProxyClient deployment. See one of the following sections for more information:

"ProxySG Assumptions"
"ProxyClient Computer Setup Assumptions" on page 35
"Network Assumptions" on page 36
"Location Awareness Assumptions" on page 36

ProxySG Assumptions
It is assumed that one ProxySG appliance acts as the ADN manager, concentrator, and Client Manager. The ADN network is set up as open, managed, meaning there is an ADN manager but that transparent connections to the ADN manager would be allowed. (Because the ProxyClient requires explicit routes, ADN transparency is irrelevant in this example deployment.)

ProxyClient Computer Setup Assumptions


The deployment example discussed in this chapter assumes the following about the computer on which the ProxyClient software is installed:

The ProxyClient software gets installed from the Client Manager (as opposed to installing it from the command line).


Prerequisites for optional Web filtering auto-detection are discussed in "Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58.

For location awareness, the computer can have one or two network adapters: one to physically connect to the network using a cable and the other to connect to the network wirelessly. Furthermore, it is assumed that these network adapters have IP addresses in different ranges. If the computer has only one network adapter, ensure separate IP addresses are used for each location.

If it is necessary for you to access network resources like file shares using VPN software, you must start the VPN software and connect to the network before determining the computer's IP address.

These adapters will be used to set up ProxyClient locations.

Network Assumptions
The following assumptions apply to how the ADN manager and concentrator are set up:
Property                                  Value
Primary ADN manager IP address            Self (192.168.0.2)
Backup ADN manager                        None
Subnets advertised by the concentrator    172.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16
Internet gateway?                         No
ProxyClient acceleration?                 Enabled/disabled based on location
ProxyClient Web filtering?                Enabled/disabled based on location (can optionally be automatically detected as well)

Location Awareness Assumptions


When you set up ProxyClient location awareness, it is assumed your laptop has two network adapters:
Adapter             IP address range               DNS server
Physical network    192.168.0.200-192.168.0.254    192.168.1.55
Wireless network    10.5.0.0-10.5.4.254            10.5.5.54

ProxyClient location conditions are based on the following criteria:

IP address ranges for physical connections to the network


Virtual network interface card (NIC) address ranges for VPN-assigned IP addresses (for example, an offsite laptop with a wireless adapter that uses VPN to connect to the network)

DNS server IP addresses, which are useful if there are overlaps between IP address ranges. For example, if VPN IP address ranges overlap with physical IP address ranges, you need to specify a DNS server to distinguish your locations. However, if you know that there are no IP address overlaps, you do not need to use a DNS server IP address as a location condition. Unlike the other location conditions, DNS server IP addresses are logically ANDed together; users must match all DNS servers listed to match the location.
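The following sketch models the location conditions described above, using the sample ranges from "Location Awareness Assumptions" and the actions set in Step 6. It is an added illustration, not Blue Coat code: the class and function names, the client states, the rule that every configured condition type must hold, and first-match-wins ordering are all assumptions. It shows why the DNS condition matters when address ranges overlap: without it, an unrelated network that reuses the office range is treated as In office and Web filtering is switched off.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Tuple

IPRange = Tuple[str, str]  # inclusive (first, last) pair


@dataclass(frozen=True)
class Location:  # hypothetical model of one ProxyClient location
    name: str
    acceleration: bool
    web_filtering: bool
    source_ip_ranges: Tuple[IPRange, ...] = ()
    vnic_ip_ranges: Tuple[IPRange, ...] = ()
    dns_servers: Tuple[str, ...] = ()


@dataclass(frozen=True)
class ClientState:  # what the laptop currently sees
    adapter_ips: Tuple[str, ...]
    dns_servers: Tuple[str, ...]
    vnic_ips: Tuple[str, ...] = ()


def in_any_range(addresses, ranges) -> bool:
    """IP ranges are alternatives: one address inside one range is enough."""
    return any(
        ip_address(first) <= ip_address(addr) <= ip_address(last)
        for addr in addresses
        for first, last in ranges
    )


def matches(loc: Location, state: ClientState) -> bool:
    # Assumption: each condition type that is configured must be satisfied.
    if loc.source_ip_ranges and not in_any_range(state.adapter_ips, loc.source_ip_ranges):
        return False
    if loc.vnic_ip_ranges and not in_any_range(state.vnic_ips, loc.vnic_ip_ranges):
        return False
    # From the guide: DNS servers are ANDed, so every listed server must be present.
    return set(loc.dns_servers) <= set(state.dns_servers)


def select_location(locations, state):
    # Assumption: locations are tried in list order and the first match wins.
    for loc in locations:
        if matches(loc, state):
            return loc
    return None  # what the product applies when nothing matches is not modelled


def summary(locations, state):
    loc = select_location(locations, state)
    return None if loc is None else (loc.name, loc.acceleration, loc.web_filtering)


def without_dns(locations):
    """Same locations with the DNS condition removed, for comparison."""
    return [replace(loc, dns_servers=()) for loc in locations]


# Sample values from "Location Awareness Assumptions" and Step 6 of the guide.
LOCATIONS = [
    Location("In office", acceleration=True, web_filtering=False,
             source_ip_ranges=(("192.168.0.200", "192.168.0.254"),),
             dns_servers=("192.168.1.55",)),
    Location("Out of office", acceleration=True, web_filtering=True,
             source_ip_ranges=(("10.5.0.0", "10.5.4.254"),),
             dns_servers=("10.5.5.54",)),
]

# Constructed client states (not from the guide).
WIRED = ClientState(adapter_ips=("192.168.0.210",), dns_servers=("192.168.1.55",))
WIRELESS = ClientState(adapter_ips=("10.5.2.17",), dns_servers=("10.5.5.54",))
# A network elsewhere that happens to reuse the office address range.
OVERLAP = ClientState(adapter_ips=("192.168.0.210",), dns_servers=("192.168.0.1",))

if __name__ == "__main__":
    for label, st in (("wired", WIRED), ("wireless", WIRELESS), ("overlap", OVERLAP)):
        print(label, summary(LOCATIONS, st), summary(without_dns(LOCATIONS), st))
```

Run the same comparison with your own ranges before applying location changes on the Client Manager; any client state that changes location when the DNS condition is dropped depends on that condition.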

ProxyClient Deployment Roadmap


The following high-level tasks are required to configure the ProxySG and install the ProxyClient software:

"Step 1: Configure a Primary ADN Manager and Internet Gateway"
"Step 2: Configure the Concentrator" on page 41
"Step 3: Configure the Client Manager" on page 42
"Step 4: Configuring ProxyClient Acceleration" on page 43
"Step 5: Configuring ProxyClient Web Filtering" on page 46
"Step 6: Configure ProxyClient Locations" on page 48
"Step 7: Install the ProxyClient Software" on page 53
"Performing Basic Verification" on page 53


Step 1: Configure a Primary ADN Manager and Internet Gateway


Configure a ProxySG to be a primary ADN manager for this sample deployment:
# 1
Description: Enable ADN and select this ProxySG to be the primary ADN manager.
What to do:
1. Log in to the ProxySG's Management Console as an administrator and click Configuration > ADN > General.
2. Select the Enable Application Delivery Network check box.
3. In the Primary ADN Manager section, click Self.
4. Apply the changes. An example is shown in Figure 2-1.

# 2
Description: Set listening mode options. Because the ProxyClient uses plain tunneling, you cannot use secure ADN exclusively in a network that has ProxyClients.
What to do:
1. Click Configuration > ADN > General > Device Security.
2. From the SSL Device Profile list, click the name of a profile to use. An example is shown in Figure 2-2.
3. Click Configuration > ADN > General > Connection Security.
4. For Manager Listening Mode, click Plain Read-Only.
5. For Tunnel Listening Mode, click Both.
6. For Secure Listening Mode, click any option.
7. Apply the changes. An example is shown in Figure 2-3.

# 3
Description: Continue with the next step.
What to do: "Step 2: Configure the Concentrator"


Figure 2-1 shows enabling the ADN manager.

Figure 2-1 Enabling the primary ADN manager is required for any ProxyClient deployment that uses acceleration

Figure 2-2 shows the Device Security tab.

Figure 2-2 Secure ADN requires you to select an SSL device profile for the ProxySG appliance


Figure 2-3 shows the Connection Security tab.

Figure 2-3 Selecting listening mode options that are compatible with the ProxyClient

For More Information


"About Manager Listening Mode With the ProxyClient" on page 77
"About Tunneling Listening Mode With the ProxyClient" on page 78
"About Secure Outbound Mode" on page 80


Step 2: Configure the Concentrator


This section shows step by step how to configure the concentrator to advertise subnets to the ProxyClient in this sample deployment:
# 1
Description: Configure subnets to advertise.
What to do:
1. Click Configuration > ADN > Routing > Server Subnets.
2. At the bottom of the Server Subnets tab, click Add.
3. Enter the subnets your concentrator advertises. The following steps show how to set up the sample ranges discussed in "Network Assumptions" on page 36. Replace the sample ranges with those advertised by your concentrator.
4. In the IP/Prefix field, enter 172.0.0.0/8.
5. Click OK.
6. At the bottom of the Server Subnets tab, click Add.
7. In the IP/Prefix field, enter 10.0.0.0/8.
8. Click OK.
9. Repeat these steps to add 192.168.0.0/16.
10. Apply the changes.
Figure 2-4 shows an example.

# 2
Description: Continue with the next step.
What to do: "Step 3: Configure the Client Manager"

Figure 2-4 shows how to configure the concentrator to advertise the sample subnets used in this deployment. You must replace these ranges with the appropriate values for your network.

Figure 2-4 Example of setting up server subnets advertised by your concentrator
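The sample prefix 172.0.0.0/8 is wider than the RFC 1918 block 172.16.0.0/12, so most of the addresses it covers are public. The check below is an added illustration (not part of the Blue Coat guide; the function names are hypothetical) that flags prefixes reaching outside private address space before you enter them on the Server Subnets tab.

```python
from ipaddress import ip_network

# RFC 1918 private address blocks.
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Sample subnets from "Network Assumptions" in this guide.
SAMPLE_ADVERTISED = ["172.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"]


def outside_private(prefix: str) -> int:
    """Count the addresses in `prefix` that are not RFC 1918 private space."""
    net = ip_network(prefix)
    inside = 0
    for block in RFC1918:
        if net.overlaps(block):
            # Overlapping CIDR blocks are always nested, so the shared part
            # is the smaller of the two. The RFC 1918 blocks are disjoint,
            # so the per-block overlaps can simply be summed.
            inside += min(net.num_addresses, block.num_addresses)
    return net.num_addresses - inside


def audit_advertised(prefixes):
    """Return {prefix: finding} for every prefix that covers non-private space."""
    findings = {}
    for prefix in prefixes:
        net = ip_network(prefix)
        extra = outside_private(prefix)
        if extra:
            findings[str(net)] = {
                "non_private_addresses": extra,
                # Private blocks touched by this prefix: candidates for a
                # narrower replacement if only internal servers are meant.
                "private_blocks_inside": [str(b) for b in RFC1918 if net.overlaps(b)],
            }
    return findings


if __name__ == "__main__":
    for prefix, finding in audit_advertised(SAMPLE_ADVERTISED).items():
        print(prefix, finding)
```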


For More Information

"Advertising Server Subnets" on page 786 in the SGOS Administration Guide.

Step 3: Configure the Client Manager


This section shows step by step how to enable the ProxySG to be the Client Manager and how to upload the latest ProxyClient software to it.
# 1
Description: Enable the Client Manager.
What to do:
1. Click Configuration > ProxyClient > General > Client Manager.
2. Select the Enable Client Manager check box.

# 2
Description: Upload ProxyClient software. This task, which is sometimes overlooked, is highly recommended because SGOS does not necessarily ship with the latest ProxyClient software.
What to do:
1. Log in to http://support.bluecoat.com.
2. Click the Downloads tab.
3. Click the link to download the ProxyClient 3.x software.
4. At the prompts, enter your BlueTouch Online user name and password.
5. Follow the prompts on your screen to download the .car file.
6. Click Configuration > ProxyClient > General > Client Software.
7. From the Install ProxyClient software from list, click Local file.
8. Click Install.
9. Follow the prompts on your screen to upload the .car file to the Client Manager.
10. Wait a few minutes for the upload to complete.
11. At the confirmation dialog, click OK. Figure 2-5 shows an example of ProxyClient version 3.4.1.1 software on the Client Manager.

# 3
Description: Continue with the next step.
What to do: "Step 4: Configuring ProxyClient Acceleration"

Figure 2-5 shows the Client Software tab with ProxyClient version 3.4 software installed.


Figure 2-5 The Current ProxyClient Software section displays the version of ProxyClient software currently on the Client Manager

For More Information


"Designating a ProxySG as the Client Manager" on page 81
"Uploading the ProxyClient Software to the Client Manager" on page 85
"Configuring ProxyClient Locations" on page 93

Step 4: Configuring ProxyClient Acceleration


This section shows step by step how to enable the ProxyClient to perform acceleration for this sample deployment (that is, gzip compression, CIFS protocol optimization, and byte caching). All tasks discussed in this section must be performed on the Client Manager.
# 1
Description: Configure the concentrator to advertise subnets; otherwise, nothing will be accelerated.
What to do: "Step 2: Configure the Concentrator" on page 41

# 2
Description: Specify the primary ADN manager.
What to do:
1. Click Configuration > ProxyClient > Acceleration > General.
2. In the ADN Manager section, click Use ProxySG ADN Managers.


# 3
Description: Enable acceleration features.
What to do:
1. Click Configuration > ProxyClient > Acceleration > General.
2. Select the Enable Acceleration check box. Figure 2-6 shows an example.
3. Click the ADN Rules tab. For the purposes of this sample deployment, you should change the defaults only if there is a particular application you want to accelerate and you know the ports it uses. Figure 2-7 shows default settings.
4. Click the CIFS tab.
5. Select the Enable CIFS acceleration check box.
6. Your choices for Remote Storage Optimization and Suppress Folder Customizations do not matter in this example deployment. To learn more about these features, see "About ProxyClient CIFS Acceleration" on page 17.
7. Apply the changes. Figure 2-8 shows an example.

Continue with the next step: "Step 5: Configuring ProxyClient Web Filtering"

Figure 2-6 shows the primary ADN manager being enabled on the Client Manager.

Figure 2-6 Enabling ProxyClient acceleration enables both gzip compression and byte caching; it requires the Client Manager to get the list of published routes from the ADN manager


Figure 2-7 shows the ADN Rules tab with default settings.

Figure 2-7 The ADN Rules tab enables you to customize acceleration features, which is not necessary for this sample deployment

Figure 2-8 shows the CIFS tab.

Figure 2-8 The CIFS tab enables you to set CIFS acceleration options

For More Information


"Specifying the ProxyClient ADN Manager" on page 103
"Other ProxyClient Troubleshooting Tools" on page 224
"Tuning the ADN Configuration" on page 107
"Enabling File Sharing Acceleration" on page 111


Step 5: Configuring ProxyClient Web Filtering


This section shows step by step how to enable the ProxyClient to perform Web filtering for this sample deployment. All tasks discussed in this section must be performed on the Client Manager.
# 1
Description: Enable ProxyClient Web filtering.
What to do:
1. Click Configuration > ProxyClient > Web Filtering > Policy.
2. Select the Enable Web Filtering check box.
3. Apply the changes. If any errors occur, you must resolve them before continuing. For more information, see "Enabling the Blue Coat Web Filter Database (Optional)" on page 130.
Note: Unlike in past releases, you do not need to enable or download the Blue Coat WebFilter database to use ProxyClient Web filtering. If the Client Manager runs SGOS 5.5 or later, all you must do is enable ProxyClient Web filtering. (The exception is if the same ProxySG appliance also performs in-office Web filtering.)

# 2
Description: Enable ProxyClient Web filtering.
What to do:
1. Click Configuration > ProxyClient > Web Filtering > Policy.
2. Select the Enable Web Filtering check box.


# 3
Description: Configure ProxyClient Web filtering policies.
What to do:
1. Click Configuration > ProxyClient > Web Filtering > Policy.
2. In the All Categories pane, expand a category.
3. Select the check box corresponding to a category.
4. In the Selected Category Rule Base pane, in the Action column, click a policy action.
5. To configure policies per user or group, click the name of a category in the Selected Category Rule Base pane and click (Add user-group rule).
6. In the provided field, enter a user or group in any of the following formats:
Fully qualified account names (for example, domain_name\user_name). Blue Coat recommends you do not use isolated names (for example, user_name).
Fully qualified DNS names (for example, example.example.com\user_name)
User principal names (UPN) (for example, someone@example.com).
7. Apply the changes. Figure 2-9 shows some sample categories.

Continue with the next step: "Step 6: Configure ProxyClient Locations"

Figure 2-9 shows a sample ProxyClient Web filtering policy that allows, warns, and blocks content based on selections from the BCWF database. In this sample deployment, neither CPL/VPM nor local database categories are used.

Figure 2-9 Setting up ProxyClient Web filtering with allow, block, and warn on various Blue Coat categories


For More Information


"Web Filtering Task Summary" on page 128
"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Managing Policy Categories" on page 147
"Web Filtering Best Practices" on page 155
"Enabling Web Filtering Logging" on page 159

Step 6: Configure ProxyClient Locations


This section shows step by step how to set up ProxyClient locations for this sample deployment.
Note: This example does not discuss Web filtering auto-detection. To use Web filtering auto-detection, additional configuration is required as discussed in "Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58.

# 1
Description: Prerequisite
What to do: Your computer must have all of the following:
Physical adapter
Wireless adapter. When you connect wirelessly, you must have the ability to connect to the network using VPN. Otherwise, you do not have access to remote accelerated resources like file shares.
The adapters must use different IP address ranges. The samples being used in this deployment are discussed in "Location Awareness Assumptions" on page 36.


# 2
Description: Define an in-office location.
What to do: The in-office location has acceleration enabled and Web filtering disabled because when you are in the office, a ProxySG appliance is assumed to perform Web filtering for you.
1. Click Configuration > ProxyClient > General > Locations.
2. In the Name field, enter In office.
3. Select the Match source IP ranges check box if you select the Source IP range, or select the Virtual NIC IP range check box if you select the virtual NIC IP range.
4. In the Source IP Ranges section, click New. The steps that follow show how to set up the sample IP address ranges discussed in "Location Awareness Assumptions" on page 36. Replace these values with the appropriate IP address ranges.
5. In the IP Source Ranges fields, enter 192.168.0.200 and 192.168.0.254.
6. Click OK.
7. Select the Match DNS Servers check box.
8. In the Match DNS Servers section, click New.
9. In the Add DNS Server field, enter 192.168.1.55.
10. Click OK.
11. In the Actions section, select the Enable Acceleration check box.
12. Clear the Web Filtering check box.
13. In the New Locations dialog, click OK.
14. Apply the changes. Figure 2-10 shows an example in-office location.


# 3
Description: Define an out-of-office location.
What to do: The out-of-office location has both acceleration and Web filtering enabled.
1. Click Configuration > ProxyClient > General > Locations.
2. In the Name field, enter Out of office.
3. Select the Match source IP ranges check box.
4. Is the IP address you get when you connect wirelessly assigned by a router or by a VPN device? If it is assigned by a router, click New in the Source IP Ranges section. If it is assigned by VPN, click New in the Virtual NIC IP Ranges section. The steps that follow show how to set up the sample IP address ranges discussed in "Location Awareness Assumptions" on page 36. Replace these values with the appropriate IP address ranges for your network.
5. In the provided fields, enter 10.5.0.0 and 10.5.4.254.
6. Click OK.
7. Select the Match DNS Servers check box.
8. In the Match DNS Servers section, click New.
9. In the Add DNS Server field, enter 10.5.5.54.
10. Click OK.
11. In the Actions section, select the Enable Acceleration check box and the Web Filtering check box.
12. In the New Locations dialog, click OK.
13. Apply the changes. Figure 2-11 shows a sample out-of-office location.

# 4
Description: Continue with the next step.
What to do: "Step 7: Install the ProxyClient Software"


Figure 2-10 shows the sample in-office location used in this deployment. You must replace the sample IP address ranges with the IP address ranges used in your network.

Figure 2-10 Setting up an in office location that enables acceleration but disables ProxyClient Web filtering, assuming a ProxySG appliance performs Web filtering in the office


Figure 2-11 shows the sample out-of-office location used in this deployment. You must replace the sample IP address ranges with the IP address ranges used in your network.

Figure 2-11 Sample out of office location that enables both acceleration and Web filtering for the ProxyClient


Step 7: Install the ProxyClient Software


This section shows how to install the ProxyClient software from the Client Manager.
# 1
Description: Prerequisite
What to do: "Step 3: Configure the Client Manager" on page 42

# 2
Description: Download and install the software
What to do:
1. See the ProxyClient Release Notes for a list of supported Web browsers.
2. Start a supported Web browser and enter the following URL in its address or location field:
https://client-manager_host-or-ip:8084/proxyclient/ProxyClientSetup.exe
3. Follow the prompts to install the software.
4. When prompted, reboot your computer. After you reboot, the ProxyClient begins accelerating network traffic. (Web filtering, if enabled, starts immediately after installation.)
For more information, refer to the section "Preparing Silent Installations and Uninstallations" on page 181.

# 3
Description: Verify the installation
What to do: "Performing Basic Verification" on page 53

# 4
Description: (Optional.) Configure Web filtering auto-detection
What to do: "Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58

For More Information


"Distributing the ProxyClient Software" on page 173
"Interactive Installations from the Client Manager" on page 175
"Troubleshooting ProxyClient Installation and Operation" on page 214

Performing Basic Verification


This section discusses how to verify the ProxyClient is performing acceleration and Web filtering. The information discussed in this section is not intended to be exhaustive. To view details about ProxyClient operation, you must start the ProxyClient Web browser window.
To start the ProxyClient Web browser window:

Double-click the tray icon or right-click the tray icon and, from the pop-up menu, click Show Status.

Now see one of the following topics:

"Verifying Location Awareness" on page 54
"Viewing Acceleration Details" on page 56
"Viewing Web Filtering Details" on page 57
"Viewing the Admin Log" on page 57
"Verifying Tamper Resistance" on page 58
"For More Information About ProxyClient Troubleshooting" on page 58

Verifying Location Awareness


This section discusses how to verify your location awareness rules are set up correctly. To switch locations, switch from being physically connected to the network (which corresponds to the In office location) to wirelessly connecting to the network (which corresponds to the Out of office location).
To verify that location awareness is configured correctly:

1. Physically connect to the network and make sure that acceleration is enabled but that Web filtering is disabled due to your location. An example follows.

(Screenshot callouts: Acceleration is running; Location displays as In office; Web filtering is disabled due to location)

2. Disconnect from the network and enable your wireless adapter. If necessary, log in to your VPN application.


Your location should change to Out of office and both acceleration and Web filtering should be enabled.

3. Browse to some Web sites that will either be blocked or that will warn you. This will generate some Web filtering events and confirm that Web filtering is functioning. An example follows.

(Screenshot callouts: Acceleration is running; Location displays as Out of office; Web filtering is running and some events have been generated)


Viewing Acceleration Details


To generate activity for ProxyClient acceleration, copy files from a file share on a file server behind your concentrator or start an application (such as an intranet application) that runs from a Web server that is accelerated by your concentrator. The ProxyClient Web browser window indicates the current status of acceleration as follows.
(Screenshot callouts: Display only if acceleration is enabled; Current acceleration status)

Figure 2-12 ProxyClient Web browser window showing acceleration is running

If acceleration is enabled and running, the following display:

The Network tab displays (if acceleration is disabled or not running, there is no Network tab page)

The Acceleration Statistics section on the Status tab page displays (if acceleration is disabled or not running, there is no Acceleration Statistics section)

Running displays in the Acceleration Statistics section heading

To view results from byte caching and CIFS protocol optimization, click the Advanced tab. The cache utilization displayed in the Disk Cache section on the Advanced tab page should increment as you copy files from a file share behind your concentrator.


For More Information About ProxyClient Acceleration


"Other ProxyClient Troubleshooting Tools" on page 224
"Using the Client Manager for Acceleration Troubleshooting" on page 118
"Using a Concentrator for Acceleration Troubleshooting" on page 118
"Getting Detailed Diagnostics" on page 126

Viewing Web Filtering Details


To generate activity for ProxyClient Web filtering, go to URLs that belong to categories you are allowing or blocking. The ProxyClient Web browser window indicates the current status of Web filtering as follows:

Figure 2-13 ProxyClient Web browser window showing Web filtering is running

If Web filtering is enabled and running, Running displays in the Filtering Statistics section heading and the statistics increment as the user browses the Web.

For More Information About ProxyClient Web Filtering

• "Troubleshooting ProxyClient Web Filtering" on page 165
• "Getting Web Filtering Status from the Web Browser Window" on page 166
• "Using the Client Manager for Web Filtering Troubleshooting" on page 167
• "Getting Detailed Diagnostics" on page 170

Viewing the Admin Log


The ProxyClient Admin Log contains information about the operations the ProxyClient is performing. To view the Admin Log, start the ProxyClient Web browser window and click the Advanced tab. In the Diagnostic Tools section, click View Log. (You can also click the ProxyClient tray icon and click View Log from the pop-up menu.)


Verifying Tamper Resistance


Even though you did not configure an uninstall password on the Client Manager in "Step 3: Configure the Client Manager" on page 42, the ProxyClient software is still protected from its policy file being changed or deleted. To verify this, locate the following directory in Windows Explorer:
%SystemDrive%\Program Files\Blue Coat\ProxyClient

On Windows 7 (64-bit), locate the following directory:
%SystemDrive%\Program Files (x86)\Blue Coat\ProxyClient

Right-click ProxyClientConfig.xml (the ProxyClient policy file) and try to edit it. Even if you edit it and save it, the policy file will not be used because it is not possible to encrypt it properly.

Delete or rename ProxyClientConfig.xml. The configured policy remains in effect. You can verify this if you have Web filtering enabled by trying to access a blocked Web site. If you have only acceleration enabled, copy or open a file on an accelerated file share and notice the cache usage increases and the acceleration statistics change.

To recover ProxyClientConfig.xml, either restart the ProxyClient service or change the policy on the Client Manager and get a configuration update. (From the ProxyClient Web browser window, click the Advanced tab and click Check For Updates Now.)

See Also
"For More Information About ProxyClient Troubleshooting" on page 58

For More Information About ProxyClient Troubleshooting

• "Troubleshooting ProxyClient Installation and Operation" on page 214
• "Other ProxyClient Troubleshooting Tools" on page 224
• "Troubleshooting ProxyClient Web Filtering" on page 165

Step 8: (Optional) Using Web Filtering Auto-Detection


Web filtering auto-detection, introduced in SGOS 5.5 and ProxyClient 3.2, means you no longer have to specifically disable ProxyClient Web filtering in an in-office location. The ProxyClient automatically detects an in-line ProxySG that is performing Web filtering and disables ProxyClient Web filtering functionality.

Prerequisites: All of the following must be true:

• The Client Manager must run SGOS 5.3.2.5 or later. Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).
• The ProxyClient must be deployed in any of the following ways:
  - In-path with the filtering ProxySG
  - The ProxyClient computer must use the filtering ProxySG as an explicit proxy
• ProxyClients must run 3.2 or later.
• Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed. In this sample deployment, you can do this as follows:
  - Connect the ProxyClient computer to the ProxySG's LAN port and make sure the ProxySG can connect to the Internet.
  - If you have an in-office ProxySG that is already in-path between the ProxyClient computer and the Internet, you must install the local policy discussed in the next bullet on that ProxySG.

Note: The procedure uses the following terminology:

• The filtering ProxySG is an in-office appliance that performs Blue Coat WebFiltering for users in the office, including ProxyClients.
• Your ProxySG is the appliance you configured as the ADN Manager, Client Manager, and concentrator.

All of the following must be true of the appliance you use for Web filtering auto-detection:

• It must have the BCWF database installed on it
• It must be in-path between the ProxyClient computer and the Internet
• It must be able to access the Internet
• It must be configured as a proxy (that is, it must intercept traffic)
• It must have Web filtering policy configured

Depending on your office network, this could be one ProxySG appliance or more than one appliance.


To enable and verify Web filtering auto-detection, use the following steps:
# 1
Description: Install local policy on the ProxySG that performs in-office Web filtering
What to do:
1. Log in to the filtering ProxySG's Management Console as an administrator. This ProxySG can be either an in-office filtering proxy that is in-line with the ProxyClient computer or a filtering proxy that is configured as an explicit proxy for the ProxyClient computer.
2. Click Configuration > Policy > Policy Files.
3. From the Install Local Policy from list, click Text Editor.
4. Click Install.
5. In the provided field, enter the following:

   <proxy>
   request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

   define action i_am_filtering
      set (response.x_header.X-BCWF-License, "VendorID")
   end

   where VendorID is your Blue Coat WebFilter database user name. For an example, see "Sample Local Policy File" on page 62.

# 3
Description: Required if your ProxySG will perform Web filtering. Download the BCWF database.
What to do:
1. Log in to your ProxySG appliance as an administrator.
2. Click Configuration > Content Filtering > General.
3. Select the Blue Coat WebFilter check box.
4. Apply the changes.
5. Click Configuration > Content Filtering > Blue Coat WebFilter.
6. Click Download Now.
7. At the configuration dialog, click OK.
8. Click View Download Status. It takes several minutes to download the database. Click View Download Status until a success message similar to the following displays:

   Download log:
   Blue Coat download at: 2009/10/01 19:02:44 +0000
   Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
   Requesting differential update
   Download size: 194115948
   Database date: Thu, 01 Oct 2009 16:05:59 UTC
   Database expires: Sat, 31 Oct 2009 16:05:59 UTC
   Database version: 292740400
   Database format: 1.1

   If errors display, see the suggestions in "Enabling the Blue Coat Web Filter Database (Optional)" on page 130 to resolve the issue before continuing.


# 4
Description: Optional. Enable the local database.
What to do:
1. Create a text file with categories and URLs in the following format:

   define category-name
      url1
      url2
      urln
   end

2. Put the text file on a Web server your ProxySG can access.
3. Click Configuration > Content Filtering > General.
4. Select the Enable check box for the Local Database.
5. Click Configuration > Content Filtering > Local Database.
6. If a user name and password are required, follow the prompts on your screen to enter them.
7. Click Download Now.
8. Click View Download Status and verify the database downloaded successfully.

# 5
Description: Optional. Configure Web filtering policies.
What to do: Use CPL or VPM to configure Web filtering policies as discussed in "Defining Custom Categories in Policy" on page 404 in the SGOS Administration Guide.

# 6
Description: Connect the ProxyClient computer to the ProxySG in-path.
What to do: Do any of the following:
• Connect the ProxyClient computer's network cable to the LAN port on the rear panel of the ProxySG appliance. For more information, see the Quick Start Guide provided with the appliance. Depending on the appliance, it might be necessary to configure a software bridge; for more information, click Configure > Network > Adapters and click Help.
• For a filtering ProxySG that is either in-path with the ProxyClient or is used by the ProxyClient computer as an explicit proxy, make sure you installed the local policy in step 1 on that ProxySG.


# 7
Description: Delete your in-office location
What to do: This is necessary because your in-office location already has ProxyClient Web filtering disabled, which will prevent auto-detection from being enabled. As a result of deleting the in-office location, you will use the default location, which has ProxyClient Web filtering enabled.
1. Click Configuration > ProxyClient > General > Locations.
2. Click your in-office location.
3. Click Delete.
4. At the configuration dialog, click Yes.
5. Apply the changes.
6. Start the ProxyClient Web browser window.
7. Click the Advanced tab.
8. On the Advanced tab page, in the Software Update section, click Check For Updates Now.
9. At the confirmation dialog, click Close.

# 8
Description: Request a URL
What to do: Before Web filtering auto-detection is enabled, you must request a URL. It does not matter whether the URL is one that should be allowed or blocked.

# 9
Description: Verify auto-detection is working
What to do: See "Verifying Web Filtering Auto-Detection" on page 63.

Sample Local Policy File


Following is a sample local policy file where the Vendor ID is 6EAZ8-BDC17F.

   <proxy>
   request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

   define action i_am_filtering
      set (response.x_header.X-BCWF-License, "6EAZ8-BDC17F")
   end


Verifying Web Filtering Auto-Detection


After you make a URL request, start the ProxyClient Web browser window. The status of Web filtering displays as Delegated to the Blue Coat Security Gateway. A sample follows.

Status: Delegated to Blue Coat Security Gateway

Click More logs at the bottom of the window and look for this message:
Web Filtering has been delegated to a Blue Coat Security Gateway.
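
Auto-detection depends on the local policy from "Sample Local Policy File" being installed intact on every filtering ProxySG. The following Python check is an added example, not Blue Coat code: it recognises only the policy fragment printed in this guide (it is not a CPL parser) and flags an undefined action or a VendorID placeholder that was never replaced. The function and constant names are hypothetical.

```python
"""Pre-install check for the auto-detection local policy shown in this guide.

Added example, not Blue Coat code. It recognises only the fragment printed in
the guide; it is not a general CPL parser.
"""
import re

# Rule line: Host condition followed by the action it triggers.
RULE_RE = re.compile(
    r'request\.header\.Host\s*=\s*"(?P<host>[^"]*)"\s+action\.(?P<action>\w+)\(yes\)'
)
# define action NAME ... end (works on multi-line and on flattened text).
DEFINE_RE = re.compile(r'define\s+action\s+(?P<name>\w+)\s+(?P<body>.*?)\bend\b', re.S)
# set (response.x_header.NAME, "VALUE")
SET_RE = re.compile(
    r'set\s*\(\s*response\.x_header\.(?P<header>[\w-]+)\s*,\s*"(?P<value>[^"]*)"\s*\)'
)

EXPECTED_HOST = "sp.cwfservice.net"   # from the guide
EXPECTED_HEADER = "X-BCWF-License"    # from the guide
PLACEHOLDER = "VendorID"              # template text that must be replaced

# The sample local policy file printed in the guide.
SAMPLE_POLICY = '''<proxy>
request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

define action i_am_filtering
   set (response.x_header.X-BCWF-License, "6EAZ8-BDC17F")
end
'''


def check_policy(text):
    """Return a list of problems; an empty list means the fragment is complete."""
    problems = []
    if not re.search(r"<proxy>", text, re.I):
        problems.append("missing <proxy> layer")
    rule = RULE_RE.search(text)
    if not rule:
        problems.append("missing Host rule that triggers the action")
        return problems
    if rule.group("host") != EXPECTED_HOST:
        problems.append(f"rule matches {rule.group('host')!r}, expected {EXPECTED_HOST!r}")
    # Map every defined action to its body so the rule's action can be resolved.
    actions = {m.group("name"): m.group("body") for m in DEFINE_RE.finditer(text)}
    body = actions.get(rule.group("action"))
    if body is None:
        problems.append(f"action {rule.group('action')!r} is used but never defined")
        return problems
    setter = SET_RE.search(body)
    if not setter or setter.group("header") != EXPECTED_HEADER:
        problems.append(f"action does not set {EXPECTED_HEADER}")
        return problems
    value = setter.group("value").strip()
    if not value or value == PLACEHOLDER:
        problems.append("vendor ID is empty or still the VendorID placeholder")
    return problems


if __name__ == "__main__":
    for label, text in [
        ("sample from the guide", SAMPLE_POLICY),
        ("template pasted unchanged", SAMPLE_POLICY.replace("6EAZ8-BDC17F", PLACEHOLDER)),
    ]:
        print(label, "->", check_policy(text) or "ok")
```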

# 1
Description: Configure an uninstall password.
What to do:
1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > General > Client Software.
3. In the Uninstall Password section, click Change Password.
4. Enter a password in the provided fields (for example, bluecoat).
5. Click OK.
6. At the confirmation dialog, click OK.


# 2
Description: Manually get the configuration update on the ProxyClient.
What to do:
1. Start the ProxyClient Web browser window.
2. Click the Advanced tab.
3. On the Advanced tab page, in the Software Update section, click Check For Updates Now.
4. At the confirmation dialog, click Close.

# 3
Description: Stop the ProxyClient service.
What to do:
1. Click Start > [Settings] > Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services.
4. Right-click Blue Coat ProxyClient.
5. From the pop-up menu, click either Stop or Restart. An error displays and the service does not stop or restart.
6. Open a DOS command window.
7. Enter the following command:

   net stop ProxyClientSvc.exe

   An error displays and the service does not stop.

# 4
Description: Attempt to uninstall the ProxyClient software using the incorrect password.
What to do:
1. Click Start > [Settings] > Control Panel.
2. Double-click Add or Remove Programs.
3. Click Blue Coat ProxyClient.
4. Click Remove.
5. At the confirmation dialog, click Yes.
6. At the Enter Password dialog, enter the incorrect uninstall password and click OK. An error displays and the uninstallation does not proceed.


# 5
Description: Attempt to rename or delete ProxyClientConfig.xml
What to do:
1. Locate the following folder in Windows Explorer:
   %SystemDrive%\Program Files\Blue Coat\ProxyClient
2. On Windows 7 (64-bit), locate this folder:
   %SystemDrive%\Program Files (x86)\Blue Coat\ProxyClient
3. Right-click ProxyClientConfig.xml.
4. From the pop-up menu, click Rename.
5. Enter a new name and press Enter. An error displays.
6. Delete ProxyClientConfig.xml. An error displays.


Chapter 3: Getting Started with the ProxyClient

This chapter discusses the following topics:

• "ProxyClient Configuration Overview"
• "Where To Go From Here" on page 69

ProxyClient Configuration Overview


Figure 3-1 provides an overview of the Application Delivery Network (ADN), Client Manager, and ProxyClient configuration tasks you must perform in an acceleration only, Web filtering only, and mixed feature environment. Click the Blue Coat logo to jump to a section with more information about that feature or see "Where To Go From Here" on page 69 for a list of links for ProxyClient configuration tasks.

See Also
For a step by step sample deployment, see Chapter 2: "ProxyClient Deployments".


Figure 3-1 High-level overview of ProxyClient configuration tasks


Where To Go From Here


• Chapter 2: "ProxyClient Deployments"
• Chapter 4: "ADN Network Configuration Prerequisites"
• Chapter 5: "Configuring the Client Manager"
• Chapter 6: "Configuring ProxyClient Locations"
• Chapter 7: "Configuring ProxyClient Acceleration"
• Chapter 8: "Configuring ProxyClient Web Filtering"


Chapter 4: ADN Network Configuration Prerequisites

This chapter discusses ADN configuration tasks that must be performed before you can start to configure the ProxyClient. This chapter discusses the following topics:

• "ProxyClient Compatibility with SGOS"
• "Preparing the ADN Configuration for ProxyClient Deployment" on page 73
• "About Open ADN and Closed ADN With the ProxyClient" on page 74
• "About Manager Listening Mode With the ProxyClient" on page 77
• "About Tunneling Listening Mode With the ProxyClient" on page 78
• "Configuring Manager and Tunneling Ports" on page 79
• "Configuring Concentrators to Advertise Subnets" on page 79
• "About Secure Outbound Mode" on page 80
• "About Internet Gateways" on page 80

ProxyClient Compatibility with SGOS


This section discusses the following topics:

• "Recommended Upgrade Information"
• "ProxyClient and SGOS Compatibility" on page 72
• "Important Information About Web Filtering Support" on page 72

Recommended Upgrade Information


Before you deploy the ProxyClient, make sure the ADN manager, backup manager (if any), concentrators, and the Client Manager in your ADN network are running compatible versions of SGOS. In general, use the following guidelines:

• Make sure the ADN manager, ADN backup manager (if any), concentrators, and Client Manager are running the most recent version of SGOS.
• If you need to upgrade ProxySG appliances, do so in the following order:
  a. ADN Manager and ADN backup manager, if any
  b. Concentrators
  c. Client Manager

ProxyClient software on client computers


ProxyClient and SGOS Compatibility


The following table summarizes SGOS compatibility with the ProxyClient (version 3.1.x, 3.2.x, and 3.3.x):
Client Manager   ADN Manager   Concentrator   ProxyClient 3.1.x   ProxyClient 3.2.x   ProxyClient 3.3.x
6.1.x            6.1.x         6.1.x          Compatible          Compatible          Compatible
5.3-5.5          5.3-5.5       5.3-5.5        Compatible          Compatible          Compatible
5.3-5.5          5.3-5.5       5.2            Compatible          Compatible          Compatible
5.3-5.5          5.2           5.2            Compatible          Compatible          Compatible
5.2              5.2           5.2            Not compatible      Not compatible      Not compatible
5.2              5.3-5.5       5.2            Not compatible      Not compatible      Not compatible
5.2              5.3-5.5       5.3-5.5        Not compatible      Not compatible      Not compatible

To use the ProxyClient version 3.2.x or later in your ADN network, Blue Coat strongly recommends your Client Manager and ADN Manager (and backup manager, if any) run SGOS version 5.5.x or later. In addition, Blue Coat recommends all concentrators that provide ADN tunnels for ProxyClients be upgraded to SGOS version 5.5.x or later. SGOS 5.4.x or later ADN managers, backup managers, and concentrators enable you to use either open, managed ADN or closed ADN with the ProxyClient. Open ADN and closed ADN are backward compatible with SGOS versions 5.1.4 and later (in other words, SGOS versions that support secure ADN).
Note: SGOS 5.5.x and later does not support the SG Client 2.x.

Important Information About Web Filtering Support


Because of recent changes made to Blue Coat WebFilter categories, not all combinations of Client Manager and ProxyClient are compatible. The following table discusses compatible and incompatible versions.
                                                          SGOS 5.3.1.x      SGOS 5.3.2.x   SGOS 5.3.3.x and later
ProxyClient 3.1.2.x or earlier                            Possible issues   Compatible     Possible issues
ProxyClient 3.1.3.x or later, including 3.2.x and 3.4.x   Possible issues   Compatible     Compatible

Issues result when all of the following are true:

• A ProxyClient user requests a URL that matches a category that changed. (Ten new categories were added and five existing categories were renamed.) For example, the Arts/Entertainment category is now split into the Arts/Culture and Entertainment categories.
• You configured a policy action for one of the categories that changed. When a client requests a URL that is categorized as Arts/Culture, for example, but you set a policy action for Arts/Entertainment, the URL is classified as Unknown and the policy action is applied (allow, block, or warn).
• The resulting Unknown categorization has a policy action that is different from the policy action for the policy you configured. To complete the example, suppose you blocked Arts/Entertainment but you allowed Unknown. In that case, the URL request is allowed when you intended for it to be blocked.

For more information, see one of the following Blue Coat Knowledge Base articles:

• KB2966
• KB1567
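
The failure described above is a silent fall-through to the Unknown action. As an added example (not Blue Coat code), the following Python audit models a policy as category-to-action pairs and lists each changed category that would receive the Unknown action instead of the configured one. Only the Arts/Entertainment split comes from this guide; the policy data, names and strictness ordering are assumptions.

```python
"""Find Web filtering policy entries affected by a BCWF category change.

Added example, not Blue Coat code. Only the Arts/Entertainment split comes
from the guide; the policy dictionaries are constructed sample data.
"""
from dataclasses import dataclass

# Old category -> categories that replaced it (the one change the guide names).
CATEGORY_CHANGES = {"Arts/Entertainment": ("Arts/Culture", "Entertainment")}

# Ordering used to tell a weaker outcome from a stricter one (assumption).
STRICTNESS = {"allow": 0, "warn": 1, "block": 2}


@dataclass(frozen=True)
class Finding:
    configured_category: str  # name the administrator wrote policy for
    requested_category: str   # name the URL is categorized under after the change
    intended: str             # action configured for the old name
    effective: str            # action the request actually receives

    @property
    def fails_open(self):
        """True when the request gets a weaker action than the one configured."""
        return STRICTNESS[self.effective] < STRICTNESS[self.intended]


def effective_action(policy, category):
    """A category without its own policy entry is handled as Unknown."""
    return policy.get(category, policy["Unknown"])


def audit(policy, changes=CATEGORY_CHANGES):
    """Return findings for changed categories whose effective action differs."""
    if "Unknown" not in policy:
        raise ValueError("policy must state an action for Unknown")
    unsupported = sorted(set(policy.values()) - set(STRICTNESS))
    if unsupported:
        raise ValueError(f"unsupported actions: {unsupported}")
    findings = []
    for old, replacements in changes.items():
        if old not in policy:
            continue  # no action configured for a changed category
        for new in replacements:
            applied = effective_action(policy, new)
            if applied != policy[old]:
                findings.append(Finding(old, new, policy[old], applied))
    # Weakened enforcement first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (not f.fails_open, f.requested_category))


SAMPLE_POLICY = {  # constructed sample
    "Arts/Entertainment": "block",
    "Gambling": "block",
    "Unknown": "allow",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        tag = "FAILS OPEN" if f.fails_open else "stricter than intended"
        print(f"{f.requested_category}: configured {f.intended} via "
              f"{f.configured_category}, receives {f.effective} [{tag}]")
```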

For More Information About ADN Networks


For more information about open ADN and closed ADN, see "ADN Modes" on page 773 in the chapter on configuring ADN networks in the SGOS Administration Guide. For more information about using open, managed ADN and closed ADN with the ProxyClient, see "About Open ADN and Closed ADN With the ProxyClient" on page 74.

Preparing the ADN Configuration for ProxyClient Deployment


This section discusses deployment considerations for the ProxyClient in your ADN network. The following list summarizes the choices you have:

To use Web filtering only, you can set up your ADN network to use open ADN without an ADN manager. If you use Web filtering only, and you do have ADN managers in your network, you do not need to continue reading this chapter. You should continue with Chapter 5: "Configuring the Client Manager".

To use acceleration, your ADN network must use explicit deployment (that is, the ProxyClient must obtain routes from the ADN manager). Therefore, you must specify a primary ADN manager and backup manager (if any). The ProxyClient does not advertise routes.


If your primary ADN manager and backup manager (if any) run SGOS 5.4 or later, you have the option of selecting open, managed ADN or closed ADN. Both options support the use of the ProxyClient. ADN configuration for the ProxyClient with open ADN and closed ADN is discussed in "About Open ADN and Closed ADN With the ProxyClient" on page 74.

Because the ProxyClient uses plain communications only, the options you select for manager listening mode and tunneling listening mode must be compatible with the ProxyClient. These options are discussed in the sections that follow. You can configure the ADN network to use the same port for plain manager and plain tunnel and the same port for secure manager and secure tunnel. You set these options in the Management Console as follows:
Configuration > ADN > General > General, Manager Ports section
Configuration > ADN > Tunneling > Connection, Inbound section

This section discusses the following topics:

• "About Open ADN and Closed ADN With the ProxyClient"
• "About Manager Listening Mode With the ProxyClient" on page 77
• "About Tunneling Listening Mode With the ProxyClient" on page 78
• "About Secure Outbound Mode" on page 80

Note: Manager listening mode and tunneling listening mode options are available only in a secure ADN network. To set up secure ADN, all appliances must run SGOS 5.1.4 or later and you must first set up an SSL device profile on each ProxySG. For more information about SSL device profiles, see the section on SSL device profiles in the chapter on managing SSL traffic in the SGOS Administration Guide.

About Open ADN and Closed ADN With the ProxyClient


Open ADN and closed ADN are configurable on ADN managers that run SGOS 5.4 or later. If your ADN manager and backup manager (if any) run SGOS 5.3 or earlier, these options are not available.
Note: Blue Coat strongly recommends you upgrade your ADN manager, backup manager, and concentrators to the latest SGOS release; however, if you choose not to do so, skip this section and continue with "About Manager Listening Mode With the ProxyClient" on page 77.

Use the following guidelines to configure open ADN or closed ADN with the ProxyClient:

• ProxyClient requires explicit deployments (that is, there must be an ADN manager that publishes routes advertised by concentrators). You can therefore use either an open, managed ADN network or a closed ADN network. You cannot use an open, ADN network with the ProxyClient unless ProxyClient is used only for Web filtering.
• If you use a backup ADN manager, configure it the same as the primary ADN manager. In particular, make sure both managers use the same open or closed ADN options.
• To use ProxyClient Web filtering only, no ADN manager is required. You can configure your ADN network to be either closed or open. You do not need to continue reading this chapter; instead, continue with Chapter 5: "Configuring the Client Manager".

See one of the following sections for more information:

• "Configuring a Closed or Open ADN Network"
• "Enabling ADN Managers" on page 76
Configuring a Closed or Open ADN Network


This section discusses how to configure your ADN network as either open or closed.
To configure open or closed ADN options:

1. Log in to the ADN manager's Management Console as an administrator.
2. Click Configuration > ADN > Manager > Peer Authorization.
3. Do any of the following:
   • To configure an open ADN network, clear the Allow transparent tunnels only within this managed network check box.
   • To configure a closed ADN network, select the Allow transparent tunnels only within this managed network check box.
4. Optionally configure peer authorization and load balancing options as discussed in "ADN Peer Authentication" on page 778 and "ADN Load Balancing" on page 775 in the SGOS Administration Guide.
5. Repeat these tasks on the backup ADN manager, if any.
6. See one of the following sections:
   • To configure ADN managers (for either a managed or unmanaged open ADN network or for a closed ADN network), see "Enabling ADN Managers".
   • To configure concentrators to advertise subnets to accelerate (for any type of ADN network), see "Configuring Concentrators to Advertise Subnets" on page 79. If you do not set up concentrators to advertise subnets, the ProxyClient will not accelerate network traffic.


Enabling ADN Managers


This section discusses how to enable a primary ADN manager and, optionally, a backup ADN manager. For the ProxyClient to be able to accelerate network traffic, you must configure a primary ADN manager.

To configure ADN managers:

1. Log in as an administrator to the Management Console of a concentrator that will accelerate traffic for ProxyClients.
2. Click Configuration > ADN > General.
3. Select the Enable Application Delivery Network check box.
4. In the Primary ADN Manager section, specify the primary ADN manager's IP address.
5. If your ADN network has a backup ADN manager, in the Backup ADN Manager section, specify the backup ADN manager's IP address.
   The following error most likely indicates you entered the IP address of the wrong device (for example, another Client Manager, a proxy, or a ProxySG appliance that is not an ADN manager):

   % Device ID is needed to support security authorization

   If this error displays, re-enter the ADN manager's IP address.
6. Continue with the following sections:
   • "About Manager Listening Mode With the ProxyClient"
   • "About Tunneling Listening Mode With the ProxyClient" on page 78
   • "Configuring Concentrators to Advertise Subnets" on page 79
   • "About Secure Outbound Mode" on page 80
   • "About Internet Gateways" on page 80


About Manager Listening Mode With the ProxyClient


Manager listening mode determines the way routes are advertised in the ADN network: using the plain manager port (non-secure communication) or the secure manager port (secure communication), or both. Select manager listening mode options on the ADN manager and backup manager only. Manager listening mode options are not available on other ProxySG appliances.
To set manager listening mode options:

1. Log in to the primary or backup ADN manager's Management Console as an administrator.
2. Click Configuration > ADN > General > Connection Security.
3. Click one of the following options:

• Secure Only
  Only ProxySG appliances using secure connections can advertise routes. However, because selecting this option means that only the secure listener is active, you cannot select this option if you have ProxyClients in your ADN network because ProxyClients use only plain connections.

• Plain Read-Only
  (Recommended.) Select this option if all ProxySG appliances in the ADN network use SGOS version 5.1.4 or later, where all appliances support secure routing, and you have enabled secure routing on those ProxySG appliances. This option means that only ProxySG appliances that use secure connections can advertise routes. Devices that use plain communications (such as ProxyClients) can obtain routes but cannot advertise routes.
  Note: Select this option only if all appliances in the ADN network run SGOS version 5.1.4 or later.

• Plain Only
  Select this option in cases where you do not secure any ADN connections between ProxySG appliances. This option means that only ProxySG appliances that use plain connections can advertise routes.


• Both
  Select this option if you use the ProxyClient in your ADN network and some appliances in the network are not capable of using secure connections (for example, some appliances run SGOS version 5.1.3 or earlier). This option means that ProxySG appliances that use either secure or plain connections can advertise routes. If secure is enabled and available, it is used by default.

4. Apply the changes. For more information about setting the plain manager port and the secure manager port, see the section on configuring ADN managers in the chapter on configuring an ADN network in the SGOS Administration Guide.
5. Continue with "About Tunneling Listening Mode With the ProxyClient".

About Tunneling Listening Mode With the ProxyClient


Tunneling listening mode determines the type of incoming tunnel communications this ProxySG appliance accepts: using the plain tunnel port (non-secure communications) or the secure tunnel port (secure communications). Select options for tunneling listening mode on every concentrator to which you expect ProxyClients to connect.
To set tunneling listening mode options:

1. Log in to a concentrator's Management Console as an administrator.
2. Click Configuration > ADN > General > Connection Security. Click one of the following options:

• Secure Only
  This option means the ProxySG appliance accepts only secure tunneling connections. Because the ProxyClient uses only plain connections, you cannot select this option if you have ProxyClients in your ADN network.

• Plain
  Select this option to enable the ProxyClient to connect to the appliance in cases where you do not secure any ADN connections between ProxySG appliances. This option means this appliance accepts only plain tunneling connections.


• Both
  Recommended for ProxyClient deployments in ADN networks in which secure ADN is used. Select this option if you use the ProxyClient in your ADN network and some appliances in the network use secure ADN. This option also enables you to support appliances that are not capable of accepting incoming secure tunneling connections (for example, some appliances run SGOS version 5.1.3 or earlier). This option means this appliance accepts both plain and secure tunneling connections.

3. Apply the changes. For more information about the plain tunnel port and the secure tunnel port, see the section on configuring ADN managers in the chapter on configuring an ADN network in the SGOS Administration Guide.
4. Continue with "About Secure Outbound Mode".
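
The manager and tunneling listening-mode rules above reduce to a few checks that can be run over an appliance inventory before ProxyClients are deployed. This Python example is added here and is not Blue Coat code; the mode strings, the Appliance record and the sample inventory are constructed stand-ins for the Management Console options.

```python
"""Check ADN listening modes against the ProxyClient constraints in this chapter.

Added example, not Blue Coat code. The mode strings, Appliance record and
inventory are constructed stand-ins for the Management Console options.
"""
from dataclasses import dataclass

SECURE_ADN_MIN = (5, 1, 4)  # guide: Plain Read-Only needs SGOS 5.1.4 or later everywhere
MANAGER_MODES = {"secure-only", "plain-read-only", "plain-only", "both"}
TUNNEL_MODES = {"secure-only", "plain", "both"}


@dataclass
class Appliance:
    name: str
    sgos: str  # dotted SGOS version, e.g. "5.5.2.1"
    role: str  # "manager" (primary or backup ADN manager) or "concentrator"
    mode: str  # manager listening mode or tunneling listening mode


def version(text):
    """Turn '5.1.3.2' into (5, 1, 3, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit(appliances, proxyclients=True):
    """Return (severity, appliance name, message) tuples for every rule violated."""
    issues = []
    too_old = [a.name for a in appliances if version(a.sgos) < SECURE_ADN_MIN]
    for a in appliances:
        allowed = MANAGER_MODES if a.role == "manager" else TUNNEL_MODES
        if a.mode not in allowed:
            issues.append(("error", a.name, f"{a.mode!r} is not a {a.role} listening mode"))
            continue
        if proxyclients and a.mode == "secure-only":
            # ProxyClients use plain connections only.
            verb = "obtain routes from" if a.role == "manager" else "open tunnels to"
            issues.append(("error", a.name,
                           f"ProxyClients cannot {verb} a Secure Only listener"))
        if a.role != "manager":
            continue
        if a.mode == "plain-read-only" and too_old:
            issues.append(("error", a.name,
                           "Plain Read-Only needs SGOS 5.1.4 or later on all appliances; "
                           "older: " + ", ".join(too_old)))
        elif a.mode == "both" and not too_old:
            issues.append(("advice", a.name,
                           "every appliance can use secure ADN; with secure routing enabled, "
                           "Plain Read-Only keeps plain peers from advertising routes"))
    return issues


INVENTORY = [  # constructed sample
    Appliance("adn-mgr", "5.5.2.1", "manager", "secure-only"),
    Appliance("adn-backup", "5.5.2.1", "manager", "plain-read-only"),
    Appliance("conc-1", "5.1.3.2", "concentrator", "secure-only"),
    Appliance("conc-2", "5.4.1.1", "concentrator", "both"),
]

if __name__ == "__main__":
    for severity, name, message in audit(INVENTORY):
        print(f"{severity:6} {name:10} {message}")
```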

Configuring Manager and Tunneling Ports


You can configure the ADN network to use the same port for plain manager and plain tunnel and the same port for secure manager and secure tunnel. You set these options in the Management Console as follows:
Configuration > ADN > General > General, Manager Ports section
Configuration > ADN > Tunneling > Connection, Inbound section

Configuring Concentrators to Advertise Subnets


To use ProxyClient acceleration, concentrators that front content servers must advertise the servers' subnets; otherwise, network traffic to those servers is not accelerated. For example, if you have file servers that store data that ProxyClients need to access, those file servers should be fronted by concentrators that advertise the subnets on which the file servers reside.

To configure a concentrator to advertise subnets:

1. Log in to the concentrator's Management Console as an administrator.
2. Click Configuration > ADN > Routing > Server Subnets.
3. Click Add.
4. In the IP / Subnet dialog, enter the following information:
   • IP / Subnet Prefix field: Enter either an IP address or an IP address in CIDR notation (for example, 172.16.0.0/16). If you enter the address in CIDR notation, you do not need to enter a subnet mask.
   • Subnet Mask field: Enter a valid subnet mask for the IP address you entered in the preceding field.
5. In the IP / Subnet dialog, click OK.
6. Repeat these tasks to set up all subnets advertised by the concentrator.


7. When you are finished, apply the changes.

About Secure Outbound Mode


The Secure Outbound Mode options have no impact on the ProxyClient because these options determine how ProxySG appliances communicate with each other. For a tunneling connection to be established between two ProxySG appliances, the initiating appliance's secure outbound mode must be compatible with the tunneling listening mode of the receiving appliance.

About Internet Gateways


The ProxyClient honors Internet Gateway settings. Network traffic that is not bound by ADN routing rules routes to the specified gateway unless an exception rule applies. There are some routes, such as those for local hosts, that are not required to go through the ADN Internet gateway. You can optionally define these routes using a concentrator's Management Console (Configuration > ADN > Routing > Internet Gateway). ProxyClient uses this configuration.


Chapter 5: Configuring the Client Manager

This chapter discusses how to configure a ProxySG appliance as the Client Manager. The Client Manager can function in other roles in an ADN network (for example, it can be a concentrator, ADN manager, or both).

This chapter discusses the following topics:

• "Before You Begin Configuring the Client Manager"
• "Designating a ProxySG as the Client Manager" on page 81
• "Uploading the ProxyClient Software to the Client Manager" on page 85
• "Setting Up the Client Manager (CLI)" on page 89

Before You Begin Configuring the Client Manager


To use ProxyClient acceleration, you must perform the following tasks at minimum:

Configure an ADN manager and optionally a backup ADN manager. See "Enabling ADN Managers" on page 76.

Note: To use ProxyClient Web filtering only, you do not need to configure an ADN manager. You must configure a Client Manager as discussed in this chapter, however.

Configure your concentrators to advertise subnets. See "Configuring Concentrators to Advertise Subnets" on page 79.

Also see the following topics:


Concepts discussed in the chapter on configuring an ADN network in the SGOS Administration Guide.
Chapter 4: "ADN Network Configuration Prerequisites"
"About ProxyClient Licensing" on page 31

Continue with "Designating a ProxySG as the Client Manager" .

Designating a ProxySG as the Client Manager


This section discusses how to configure an appliance in the ADN network as the Client Manager. You must configure one ProxySG in your ADN network as the Client Manager. The Client Manager is responsible for providing the ProxyClient software, software updates, and client configuration to ProxyClient applications installed on user computers.


Note: The Client Manager can be a different appliance than the ADN manager or the backup ADN manager. That is, you can configure the ADN manager or the backup ADN manager as the Client Manager, but it is not required.

To designate a ProxySG as the Client Manager:

1. Perform the tasks discussed in "Before You Begin Configuring the Client Manager" on page 81.
2. Log in to the Client Manager's Management Console as an administrator.
3. Click ProxyClient > General > Client Manager.
4. On the Client Manager tab page, select the Enable Client Manager check box. Doing this designates this ProxySG as a Client Manager. The Features message displays the current state of ProxyClient features. If ProxyClient features are currently disabled, you can click a link to go to the appropriate page and configure that feature. For more information about enabling ProxyClient features, see one of the following sections:
   "Specifying the ProxyClient ADN Manager" on page 103
   Chapter 8: "Configuring ProxyClient Web Filtering"
5. In the Client Manager section, enter or edit the following information:


Table 5-1 Client Manager options

Option: Host section
Description: Specify the host from which users get the ProxyClient software, configuration, and updates. Blue Coat recommends you specify a fully qualified host name, and not an unqualified (short) host name or IP address. If you use a fully qualified host name and the Client Manager's IP address changes later, you need only to update DNS for the Client Manager's new address and clients can continue to download the software and updates from the Client Manager. You have the following options:

Use host from initial client request: (Recommended.) Select this option to enable clients to download the ProxyClient software, configuration, and updates from the original host. In other words, in a typical ProxyClient deployment, the administrator e-mails users a URL from which they obtain the ProxyClient software and configuration initially. The host name or IP address in this URL is used to download the software to the client and is written to the client's configuration file for use in future software and configuration updates.
This option is compatible with all methods of deploying the ProxyClient, including Windows Group Policy Object (GPO), Microsoft System Center Configuration Manager (SCCM), or Systems Management Server (SMS). For more information about these deployment options, see Chapter 9: "Distributing the ProxyClient Software".

Use host: Select this option to download the ProxyClient software and configuration from the host name you specify. Enter a fully qualified host name or IP address only; do not preface it with http:// or https:// because software and configuration downloads will fail.
Use this option to migrate users from one Client Manager to another Client Manager or if you have more than one Client Manager behind a load balancer. Because a load balancer typically advertises one Virtual IP (VIP) address, you should enter the load balancer's VIP in the Use host field. (To migrate users from one Client Manager to another, see also "" on page 229.)

Option: Port field
Description: Enter the port on which the Client Manager listens for requests from clients. The default is 8084.

Option: Keyring list
Description: Click the name of the keyring to use when clients connect to the Client Manager.

Option: Update Interval field
Description: Specify the length of time (in minutes) between update checks. For example, if the value is 120, each ProxyClient application connects to the Client Manager every 120 minutes for configuration and software updates (beginning at startup). Valid values are 10-432000 (that is, 300 days). The default is 120 minutes.


After you apply the changes, the Client Components section displays a summary of the information you selected. Table 5-2 discusses the meaning of this information.

Table 5-2 Client Components section

Item: Client setup
Description: Displays the URL from which users download the ProxyClient setup application. The setup application (ProxyClientSetup.exe) downloads the Microsoft installer (ProxyClientSetup.msi) to the client. This information is intended for interactive client installations from the Client Manager; for more information, see "Preparing Interactive Installations" on page 174. Provide this URL to users so they can install the ProxyClient software on their computers. To install the software this way, the user must have administrator privileges on the client machine.
Note: If you selected Use host from client request for Host, the URL displays as follows:
https://host-from-client-request:8084/proxyclient/ProxyClientSetup.bsx
To download the ProxyClient using this URL, substitute the Client Manager's host name or IP address for host-from-client-request.

Item: Client install MSI
Description: Displays the URL from which ProxyClientSetup.exe downloads ProxyClientSetup.msi. This information is intended for non-interactive installations using SCCM, SMS, or GPO, as discussed in "Using Group Policy Object Distribution" on page 193.
Note: Blue Coat recommends users not run the .msi on their computers because the installation fails unless the user enters parameters on the command line (for example, BCSI_UPDATEURL).

Item: Client configuration
Description: Displays the URL from which the ProxyClient installer downloads the client configuration file (ProxyClientConfig.xml). This information is provided for your reference only. For more information, see one of the following sections:
"Preparing Silent Installations and Uninstallations" on page 181
"Using Group Policy Object Distribution" on page 193

Item: Client configuration last modified
Description: Displays the most recent date and time ProxyClientConfig.xml was updated on the Client Manager.


See Also
"Uploading the ProxyClient Software to the Client Manager" on page 85
Chapter 7: "Configuring ProxyClient Acceleration"
Chapter 9: "Distributing the ProxyClient Software"
"Setting Up the Client Manager (CLI)" on page 89

Uploading the ProxyClient Software to the Client Manager


This section discusses how to upload ProxyClient software to the Client Manager and how to protect the ProxyClient from being tampered with by setting an uninstall password. Because SGOS does not necessarily have the latest ProxyClient software, you should check BlueTouch Online regularly for updates and provide the updates to ProxyClients. Setting an uninstall password prevents users from performing the following tasks:

Uninstalling the ProxyClient software
Disabling ProxyClient features or policy (Web filtering or acceleration) by:
Stopping the ProxyClient service using Task Manager or net stop or sc from the command line
Viewing or editing the ProxyClient configuration file

This section discusses the following topics:

"Overview of the ProxyClient Upload Process"
"Getting the ProxyClient Software" on page 86
"Running Windows.msi" on page 87
"Uploading the ProxyClient .car File to the Client Manager" on page 87

See Also
Chapter 2: "ProxyClient Deployments"

Overview of the ProxyClient Upload Process


You have the following options to upgrade the ProxyClient software on the Client Manager and on client computers:

Upload the ProxyClient software to the Client Manager and let clients get the software from the Client Manager as discussed in the procedure that follows. Upgrading the Client Manager to the most recent version of SGOS does not replace the ProxyClient software on the Client Manager.

Manually run ProxyClientSetup.msi on client computers. The other installer, named ProxyClientSetup.exe, should be used only to download the ProxyClient software from the Client Manager.


Automated updates using Group Policy Object (GPO) or Microsoft Systems Management Server (SMS).

Note: If the ProxyClient software was installed on the client machine with the option to prohibit software updates, you must update the ProxyClient software on client computers using one of the following methods:

Manually running ProxyClientSetup.msi on client computers.
Automatically using GPO or SMS.

To upgrade the software, see the following sections in the order shown:
1. "Getting the ProxyClient Software"
2. "Running Windows.msi" on page 87
3. "Uploading the ProxyClient .car File to the Client Manager" on page 87

See Also
Chapter 9: "Distributing the ProxyClient Software"

Getting the ProxyClient Software


This section discusses how to get any of the following:

The ProxyClient.msi file, which you use to install the ProxyClient software on client machines, including distributing the software using SCCM, SMS, GPO, or a similar method.
The ProxyClient .car file, which you upload to the Client Manager. Client computers receive the updated ProxyClient software at the next update interval, with the exception of any client computers for which updates are prohibited.

To get the ProxyClient software:

1. Go to the following URL: http://support.bluecoat.com
2. Click the link to download the ProxyClient 3.4.2.0 software.
3. At the prompts, enter your BlueTouch Online user name and password. If you do not have a BlueTouch Online login, go to http://www.bluecoat.com/support/supportservices/btorequest
4. Follow the prompts on your screen to download any of the following:

File: Windows.msi file
Description: Manually install the ProxyClient software on client computers. If you choose this option, skip the rest of this procedure after downloading the file.

File: ProxyClient.car file
Description: Upload the ProxyClient software to the Client Manager, which enables clients to upgrade to the latest version. On the Download ProxyClient.car page, you also have the option to copy the link displayed on the page to download the .car file to the Client Manager. To use this link, the Client Manager must be able to contact http://bto.bluecoat.com. The link expires in 24 hours. If you choose this option, skip the rest of this procedure after copying the link location.

Note: The Windows.msi and ProxyClient.car files can install the 32-bit or 64-bit version of the ProxyClient software.

5. If you chose to download the ProxyClient .car file, locate it in any of the following:
   On the local file system of the computer on which you run the Client Manager's Management Console. That is, to upload the ProxyClient software from your local file system or from a network share drive (as opposed to uploading it from a remote URL), you must copy ProxyClient.car to an accessible location.
   On a Web server the Client Manager can access.
6. Continue with "Running Windows.msi".

Running Windows.msi
The Windows.msi file should be used for manual installations or installations distributed by SCCM, SMS, GPO, or a similar system as discussed in Chapter 9: "Distributing the ProxyClient Software". To distribute the ProxyClient software from the Client Manager instead, see "Uploading the ProxyClient .car File to the Client Manager" .

Uploading the ProxyClient .car File to the Client Manager


This section discusses how to upload the ProxyClient .car file to the Client Manager, which makes the ProxyClient software available to client computers at the next update interval, with the exception of any client computers for which updates are prohibited.


To install the ProxyClient software manually from the command line, or using SCCM, SMS, GPO, or a similar system, skip this section and see Chapter 9: "Distributing the ProxyClient Software" instead.
To upload the ProxyClient .car file to the Client Manager:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > General > Client Manager > Client Software. The Current ProxyClient Software section displays information about the ProxyClient software this Client Manager is currently using. Do any of the following:
   To upload the ProxyClient .car file, see step 3.
   To use the link from the Blue Coat download site, see step 4.
3. This step discusses how to upload to the Client Manager the ProxyClient .car file you got from the Blue Coat download site. To use the link provided on the download page instead, skip this step and see step 4. To upload the ProxyClient .car file:
   a. From the Install ProxyClient software from list, click Local file.
   b. Click Install.
   c. At the confirmation dialog, click Yes.
   d. In the Open dialog, locate the ProxyClient .car file and click Open. The .car file has a name similar to the following:
      proxyclient_3[4].3.1.1_12345_ProxyClientSetup.car
      Notes: The name of the ProxyClient .car file changes with every release. Depending on the Web browser you used to download the software, square brackets might not be in the file name.
   e. Wait a few minutes for the upload to complete. A confirmation dialog displays the message File successfully installed. If errors display, try the upload again. If errors continue, try getting the ProxyClient .car file again or try using the link displayed on the download page. Using the link to the ProxyClient software displayed on the download page is discussed in more detail in step 4.
   f. At the confirmation dialog, click OK. At the next update interval, the software will be distributed to all ProxyClient users except those for which you disabled automatic software updates.


4. This step discusses how to upload the ProxyClient software to the Client Manager using the link provided on the Blue Coat download site. To upload the ProxyClient .car file instead, skip this step and see step 3. To use the link provided on the Blue Coat download page to update the ProxyClient software on the Client Manager:
   a. From the Install ProxyClient software from list, click Remote URL.
   b. Click Install.
   c. At the confirmation dialog, click Yes. The Install ProxyClient Software dialog displays.
   d. In the Installation URL field, paste the URL displayed on the Blue Coat download page. The URL has a format similar to the following:
      https://bto.bluecoat.com/download/direct/56549919812997134284474771733824
      Note: Every download URL link is unique.
   e. In the Install ProxyClient Software dialog, click Install.
   f. Wait a few minutes for the upload to complete. A confirmation displays the message The file was successfully downloaded and installed. If errors display, try the upload again. If errors continue, try using the ProxyClient .car file as discussed earlier.
   g. At the confirmation dialog, click OK.
   h. In the Install ProxyClient Software dialog, click OK. At the next update interval, the software will be distributed to all ProxyClient users except those for which you disabled automatic software updates.
Important: After you update the ProxyClient software on the Client Manager, whenever users connect using the ProxyClient, they must update their ProxyClient software unless software updates are disabled. You have the option of disabling software updates from the Client Manager if you plan to distribute updates some other way (for example, by SCCM, SMS, or GPO). For more information, see "Parameters for Silent Installations" on page 183.

Before uploading the ProxyClient software, verify the Client Manager is running compatible SGOS software. For example, ProxyClient 3.2.x requires SGOS 5.4.x or later. Compatibility information is discussed in the ProxyClient Release Notes.

Setting Up the Client Manager (CLI)


This section discusses the following topics:

"Configuring the Client Manager (CLI)"
"Loading the Software (CLI)" on page 90
"Showing ProxyClient Settings (CLI)" on page 90
"Clearing ProxyClients (CLI)" on page 90

Configuring the Client Manager (CLI)


To configure the Client Manager:

1. At the #(config) command prompt, enter proxy-client.
2. Enable this appliance as the Client Manager:
#(config proxy-client) enable

3. Configure Client Manager settings:
#(config proxy-client) client-manager host {from-client-address | ip_address | host}
#(config proxy-client) client-manager install-port port
#(config proxy-client) client-manager keyring keyring
#(config proxy-client) hashed-uninstall-password hashed-password
#(config proxy-client) uninstall-password cleartext-password

Loading the Software (CLI)


The following commands enable you to upload an updated ProxyClient.car file to the Client Manager.
#(config proxy-client) software-upgrade-path path-to-proxyclient-car

You can use any of the following commands to load the ProxyClient software on the Client Manager:
#(config) load proxy-client-software

Showing ProxyClient Settings (CLI)


To show current ProxyClient settings:
#(config) show proxy-client [adn [exclude-subnets] | clients | cifs | locations | web-filtering]

Clearing ProxyClients (CLI)


To clear the count of inactive or all ProxyClients:
#(config proxy-client) clear {inactive | all}

Clears (that is, sets to zero) the count of inactive ProxyClients or all ProxyClients. Note the following:

Clients are automatically cleared after 30 days of inactivity.
After a software upgrade, clients appear twice for 30 days: one entry for the earlier version of client software and one entry for the newer version of client software. You can optionally clear the inactive clients to avoid seeing duplicate information.
For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.


Chapter 6: Configuring ProxyClient Locations

This chapter discusses the following topics:

"Location Awareness Overview"
"Location Awareness Decision Diagram" on page 94
"Location Awareness Task Summary" on page 95
"Configuring ProxyClient Locations" on page 95
"Configuring Web Filtering Auto-Detection" on page 100
"Configuring ProxyClient Locations (CLI)" on page 101

Location Awareness Overview


The ProxyClient application automatically detects its location by matching a combination of IP address, virtual NIC IP address, and DNS server address as specified by the ProxySG administrator. The purpose of configuring locations is to enable ProxyClient features based on where the user connects.

For example, a user who works from home on a laptop needs the ProxyClient to perform both acceleration and Web filtering because the user does not connect to a network with a local ProxySG that performs those functions. However, if the user brings the same laptop to work, both ProxyClient acceleration and Web filtering should be disabled because a local ProxySG concentrator or branch appliance performs those functions.

This section discusses the following topics:

"Configuring ProxyClient Locations"
"Configuring Default Actions" on page 99

For conceptual information and examples, see "About ProxyClient Location Awareness" on page 13 and "Step 6: Configure ProxyClient Locations" on page 48.


Location Awareness Decision Diagram


The following figure shows how to decide which ProxyClient features to enable in your locations, as well as how to decide when to use Web filtering auto-detection. For more information about Web filtering auto-detection, either click one of the blue rectangles in the figure or see "Configuring Web Filtering Auto-Detection" on page 100.

Continue with "Location Awareness Task Summary" .


Location Awareness Task Summary


The following table summarizes the tasks required to set up location awareness:
Task: 1. "About ProxyClient Location Awareness" on page 13
Description: Understand your network; specifically, how clients use VPN to access your network, IP source address ranges, and DNS server IP addresses.

Task: 2. "Step 6: Configure ProxyClient Locations" on page 48
Description: See a step by step example of setting up locations.

Task: 3. "Configuring ProxyClient Locations" on page 95
Description: Configure locations for office, branch office, home office, and mobile users.

Task: 4. "Configuring Default Actions" on page 99
Description: Default actions are for users that do not match any configured locations.

Task: 5. "Ordering Locations in the Rulebase" on page 98
Description: To make sure users match the correct location, put the most restrictive (that is, more specific) locations in the rulebase before less restrictive locations.

Configuring ProxyClient Locations


This section discusses how to use location conditions to define specific locations, such as office headquarters, branch offices with ProxySG concentrators, and mobile users. For more information and examples, see the following sections:

"Location Awareness Overview" on page 93
"Location Awareness Task Summary" on page 95
"General Guidelines for Location Conditions" on page 15
"About Condition Rulebase Ordering" on page 16
"Step 6: Configure ProxyClient Locations" on page 48

To specify locations:

1. Log in to the Client Manager's Management Console as an administrator.
2. Select Configuration > ProxyClient > General > Locations.
3. On the Locations tab page, click New. The New Locations dialog displays.
4. In the Name field, enter a name that identifies this location. For example, Headquarters.
   Note: The location name cannot be changed later.
5. In the Conditions section, select one or more conditions that define this location. The Conditions section enables you to specify one or more conditions that define the location, and therefore the ProxyClient features to apply to users in the location. For more information and examples of setting up locations, see the following sections:
   "General Guidelines for Location Conditions" on page 15
   "About Condition Rulebase Ordering" on page 16

To add a location condition, perform the following tasks:


Condition: Source IP ranges
Tasks:
1. Select the Match source IP ranges check box.
2. Click New.
   Note: You cannot directly edit an existing condition. First delete the existing condition and then add a new one.
3. In the Add IP Source Range dialog, enter a starting and ending IP address in the provided fields. You must enter a pair of IP addresses; you cannot enter CIDR notation.
4. Click OK.
5. Repeat these tasks to enter other source IP address ranges if required.
Note: This condition is matched if the user has an IP address in any of the ranges you define.

Condition: DNS servers
Tasks:
1. Select the Match DNS servers check box.
2. Click New.
   Note: You cannot directly edit an existing condition. First delete the existing condition and then add a new one.
3. In the Add DNS Servers IPs dialog, enter the server's IP address.
4. Click OK.
5. Repeat these tasks to enter other DNS server IP addresses if required.
Note: This condition is matched only if all DNS servers are matched. For example, if the location defines DNS IP addresses 10.1.1.1 and 10.1.1.2, and the user's computer has only 10.1.1.2 defined, there is no match. However, if the location condition defines DNS IP addresses 10.1.1.1 and 10.1.1.2, and the user's computer has 10.1.1.1, 10.1.1.2, and 10.1.1.3 defined, there is a match.

Condition: Virtual NIC IP ranges
Tasks:
1. Select the Match Virtual NICs IP check box.
2. Click New.
   Note: You cannot directly edit an existing condition. First delete the existing condition and then add a new one.
3. In the Add Virtual NIC IP Range dialog, enter a starting and ending IP address in the provided fields. The range you enter should correspond to a range of IP addresses provisioned by your VPN gateway. You must enter a pair of IP addresses; you cannot enter CIDR notation.
4. Click OK.
5. Repeat these tasks to enter other Virtual NIC IP address ranges if required.
Note: This condition is matched if the user has a VNIC IP address in any of the ranges you define.

Note: If VPN client software does not recognize a Virtual NIC (and instead recognizes it as a physical adapter), see "Using the ProxyClient VPN Whitelist Utility" on page 238.

6. Select the check box corresponding to which features are enabled for this location:
   Select Enable Acceleration to accelerate network traffic using all of the following:
      gzip
      CIFS protocol acceleration
      byte caching
   Select Enable Web Filter to perform Web filtering in this location.

Important: All selected conditions must match to enable the selected location features. For example, if Source IP Address and DNS Servers conditions are selected, and if the user matches the source IP address but not the DNS server IP address, the user does not match this location and the features enabled by the location will not be applied to the user.

Users who do not match any location conditions have default actions applied to them as discussed in "Configuring Default Actions" on page 99.

7. Click OK.


The location name and associated policy actions display on the Locations tab page.

See Also
"Overview of Location Awareness" on page 13
"General Guidelines for Location Conditions" on page 15
"About Condition Rulebase Ordering" on page 16

Ordering Locations in the Rulebase


The order in which locations display on the Configuration > ProxyClient > General > Locations tab page determines the order in which the rules are evaluated when users connect to the Client Manager. To avoid mismatches, order the rules from most to least restrictive.

For example, suppose headquarters uses IP addresses in the range from 10.0.0.0 to 10.255.255.255 but the VPN gateway located at headquarters has a pool of IP addresses in a subset of that range; for example, 10.3.1.1 to 10.3.1.255. Because the VPN gateway is used by home office or mobile users, the administrator wants to use different policy actions for headquarters and home office users. Users at the headquarters location should have ProxyClient acceleration and Web filtering disabled but users in a home office or mobile location should have both ProxyClient features enabled. To accomplish that, the administrator creates the two locations as follows.

Location: Headquarters
Conditions:
Source IP address range: 10.0.0.0 to 10.255.255.255
DNS server IP address: For example, 10.0.0.11 and 10.0.0.12

Location: Home office or mobile
Conditions:
DNS server IP address: Same as headquarters
VNIC IP address range: 10.3.1.1 to 10.3.1.255

To make sure the home office or mobile location is detected first, the administrator must order it in the rulebase before the headquarters location. An example follows.
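The matching rules and the headquarters/VPN ordering case described above, modelled in Python as an added illustration (this is not Blue Coat code). It assumes the source IP condition sees every adapter address, including the VPN virtual NIC address, that an unselected condition is an empty list, and that both features are on in the default actions; the client profiles are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def in_any_range(addresses, ranges):
    """True if any address falls inside any (start, end) pair; the dialogs take pairs, not CIDR."""
    return any(
        IPv4Address(lo) <= IPv4Address(addr) <= IPv4Address(hi)
        for addr in addresses
        for lo, hi in ranges
    )


@dataclass
class Client:
    label: str
    ips: list        # every adapter address, physical and virtual (assumption)
    dns: list        # DNS servers configured on the computer
    vnic_ips: list = field(default_factory=list)   # VPN virtual NIC addresses only


@dataclass
class Location:
    name: str
    acceleration: bool
    webfilter: bool
    source_ranges: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)
    vnic_ranges: list = field(default_factory=list)

    def matches(self, client):
        """All selected conditions must match; an empty list means 'check box not selected'."""
        checks = []
        if self.source_ranges:   # any address in any range
            checks.append(in_any_range(client.ips, self.source_ranges))
        if self.dns_servers:     # every listed server must be on the client; extras are fine
            checks.append(set(self.dns_servers) <= set(client.dns))
        if self.vnic_ranges:     # any virtual NIC address in any range
            checks.append(in_any_range(client.vnic_ips, self.vnic_ranges))
        # Assumption: a location with no condition selected never matches.
        return bool(checks) and all(checks)


DEFAULT_ACTIONS = ("Default actions", True, True)   # sample: both features on by default


def evaluate(rulebase, client, default=DEFAULT_ACTIONS):
    """Return (location, acceleration, webfilter) for the first matching location."""
    for loc in rulebase:
        if loc.matches(client):
            return (loc.name, loc.acceleration, loc.webfilter)
    return default


def order_sensitive(rulebase, clients):
    """List clients that match more than one location, so rule order decides their policy."""
    findings = []
    for client in clients:
        hits = [loc.name for loc in rulebase if loc.matches(client)]
        if len(hits) > 1:
            findings.append((client.label, hits[0], hits[1:]))
    return findings


# Locations from the chapter's headquarters / VPN example.
CORP_DNS = ["10.0.0.11", "10.0.0.12"]
HQ = Location("Headquarters", acceleration=False, webfilter=False,
              source_ranges=[("10.0.0.0", "10.255.255.255")], dns_servers=CORP_DNS)
REMOTE = Location("Home office or mobile", acceleration=True, webfilter=True,
                  dns_servers=CORP_DNS, vnic_ranges=[("10.3.1.1", "10.3.1.255")])

# Constructed client profiles.
OFFICE_PC = Client("office-pc", ips=["10.20.4.15"], dns=CORP_DNS)
VPN_LAPTOP = Client("vpn-laptop", ips=["192.168.1.20", "10.3.1.57"],
                    dns=CORP_DNS + ["192.168.1.1"], vnic_ips=["10.3.1.57"])
CAFE_LAPTOP = Client("cafe-laptop", ips=["172.20.10.3"], dns=["172.20.10.1"])
ONE_DNS_PC = Client("one-dns-pc", ips=["10.20.4.16"], dns=["10.0.0.12"])

if __name__ == "__main__":
    clients = [OFFICE_PC, VPN_LAPTOP, CAFE_LAPTOP, ONE_DNS_PC]
    for title, rulebase in (("HQ first", [HQ, REMOTE]), ("Remote first", [REMOTE, HQ])):
        print(title)
        for c in clients:
            print("  %-12s -> %s" % (c.label, evaluate(rulebase, c)))
    print("Order-sensitive:", order_sensitive([HQ, REMOTE], clients))
```

With Headquarters ordered first, the VPN laptop matches Headquarters and runs with Web filtering disabled; order_sensitive flags such clients so the rulebase order can be reviewed before it is applied.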


Configuring Default Actions


The purpose of default actions is to enable ProxyClient features for users that do not match any location conditions. For example, mobile users that do not connect to the network using VPN have unknown source IP ranges and DNS servers. If a mobile user connects to the network using VPN, the user has a VNIC IP address you can use to establish the user's location.
To configure default actions:

1. Log in to the Management Console as an administrator.
2. Click Configuration > ProxyClient > General > Locations.
3. At the bottom of the Locations tab page, in the Default Actions section, select the check box corresponding to features to enable for clients who do not match any defined location conditions. The following figure shows an example of enabling both acceleration and Web filtering by default:

See Also
"Overview of Location Awareness" on page 13
"General Guidelines for Location Conditions" on page 15


Configuring Web Filtering Auto-Detection


This section discusses the prerequisites and benefits of Web filtering auto-detection, which disables ProxyClient Web filtering when a ProxySG is available to perform Blue Coat Web filtering. Using Web filtering auto-detection, you no longer need to set up a location to specifically disable ProxyClient Web filtering. No additional Client Manager configuration is required; the only requirements follow:

The Client Manager must run SGOS 5.3.2.5 or later.
Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).
The ProxyClient must be deployed in any of the following ways:
   In-path with the filtering ProxySG
   The ProxyClient computer must use the filtering ProxySG as an explicit proxy
ProxyClients must run 3.2 or later.
Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed.

Installing Local Policy on ProxySGs


This section discusses how to configure local policy on a ProxySG appliance that performs Web filtering. The ProxySG appliance must have policy installed on it that adds an HTTP response header (X-BCWF-License) to rating responses from service points. This header is interpreted by the ProxyClient to determine whether ProxyClient Web filtering should be disabled (that is, deferred to the ProxySG appliance). You must install this policy on all filtering ProxySGs that meet any of the following criteria:

ProxySGs in-path between the ProxyClient computer and the Internet
ProxySGs that are used by ProxyClients as an explicit proxy

To install local policy on a ProxySG that performs Web filtering for ProxyClients:

1. Log in to the ProxySG's Management Console as an administrator.
2. Click Configuration > Policy > Policy Files.
3. In the right pane, for Install Local File from, click Text Editor from the list.
4. Click Install.


5. In the provided field, enter the following:

<proxy>
   request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)
define action i_am_filtering
   set (response.x_header.X-BCWF-License, "VendorID")
end

where VendorID is your Blue Coat WebFilter database user name. If your enterprise has more than one Vendor ID, enter them as a comma-separated list. An example with one Vendor ID follows:

<proxy>
   request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)
define action i_am_filtering
   set (response.x_header.X-BCWF-License, "6EAZ8-BDC17F")
end

6. Click Install. If errors display, check the command syntax and try again.
7. After the policy successfully installs, click OK at the confirmation dialog and then click Close.

Configuring ProxyClient Locations (CLI)


To configure client location settings:

1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) command prompt, enter locations.
3. Configure location settings:

#(config proxy-client locations) create location_name
#(config proxy-client locations) edit location_name
#(config proxy-client name) acceleration {enable | disable}
#(config proxy-client name) webfilter {enable | disable}
#(config proxy-client name dns) add ip-address
#(config proxy-client name dns) clear
#(config proxy-client name dns) exit
#(config proxy-client name dns) remove ip-address
#(config proxy-client name dns) view
#(config proxy-client name source) add ip-address-range
#(config proxy-client name source) clear
#(config proxy-client name source) exit
#(config proxy-client name source) remove ip-address-range
#(config proxy-client name source) view
#(config proxy-client name vnic) add vnic-address-range
#(config proxy-client name vnic) clear
#(config proxy-client name vnic) exit
#(config proxy-client name vnic) remove vnic-address-range
#(config proxy-client name vnic) view
#(config proxy-client name) match-dns {enable | disable}
#(config proxy-client name) source {enable | disable}
#(config proxy-client name) vnic {enable | disable}


#(config proxy-client name) exit
#(config proxy-client name) view
#(config proxy-client locations) acceleration {disable | enable}
#(config proxy-client locations) webfilter {disable | enable}
#(config proxy-client locations) {promote location_name | demote location_name}
#(config proxy-client locations) delete location_name
#(config proxy-client locations) clear
#(config proxy-client locations) view


Chapter 7: Configuring ProxyClient Acceleration

This chapter discusses the following topics:

• "Before You Begin Configuring ProxyClient Policy"
• "Specifying the ProxyClient ADN Manager" on page 103
• "Tuning the ADN Configuration" on page 107
• "Enabling File Sharing Acceleration" on page 111
• "Troubleshooting ProxyClient Acceleration" on page 115

Before You Begin Configuring ProxyClient Policy


Before performing the tasks discussed in this section, perform the following tasks in the order shown:

1. "Preparing the ADN Configuration for ProxyClient Deployment" on page 73
2. "Enabling ADN Managers" on page 76
3. "Configuring Concentrators to Advertise Subnets" on page 79
4. Optional. "About Internet Gateways" on page 80

Specifying the ProxyClient ADN Manager


This section discusses how to configure the Client Manager to contact the ADN managers, which publish routes to the ProxyClient.
To specify the ADN manager for the ProxyClient:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > General.


3. On the General tab page, enter or edit the following information:


Item: Enable Acceleration check box
Description: You must select this check box to enable ProxyClient to accelerate network traffic using all of the following methods:
• gzip
• CIFS protocol acceleration
• byte caching
If you clear the check box, the ProxyClient performs no acceleration.

Item: Acceleration License
Description: Displays the status of your acceleration license as either Valid or Invalid. The ProxyClient Acceleration license component is part of the base SGOS license. If the status is Invalid, there is a problem with your Blue Coat license. Verify a valid base SGOS license is installed (Maintenance > Licensing > View). Contact Blue Coat Support for license troubleshooting issues.

Item: Maximum percentage of disk space to use for caching field
Description: Enter the maximum percentage of total client disk space (as opposed to available disk space) to use for caching objects, such as CIFS objects. Valid values are 1-90; the default is 10. The higher you set the value, the more information is cached on user systems, but at the expense of disk space that might be required to run other applications.

Item: Primary manager IP address
Description: Enter the IP address of the ADN manager for the ADN network to which the ProxyClient connects. You have the following options:
• To use the current ADN configuration on this ProxySG, click Use ProxySG ADN Managers. The primary and backup ADN manager IP address and plain manager port values are copied into the appropriate fields.
• To enable this ProxySG to be the primary or backup ADN manager, click Configure ADN.
For assistance troubleshooting issues with this tab page, see "Troubleshooting ProxyClient Acceleration Configuration" on page 106. For more information about the role of the ADN manager, see "ADN and ProxyClient Terminology" on page 23 and "About the Roles of ProxySG Appliances With the ProxyClient" on page 25.

Item: Backup manager IP address
Description: Enter the IP address of the backup ADN manager, if any.

Item: ADN manager port
Description: Enter the ADN manager's plain listen port (by default, 3034).
Important: Do not enter a secure port number, because the ProxyClient version 3.2.x does not support secure tunnels.

4. Click Apply. If errors display, see "Troubleshooting ProxyClient Acceleration Configuration" on page 106. Otherwise, continue with "Tuning the ADN Configuration" on page 107.


Troubleshooting ProxyClient Acceleration Configuration


The following table discusses the meanings of error messages on the General tab page:

Message: ProxyClient acceleration might not function when the Client Manager is disabled.
Meaning: You enabled ProxyClient acceleration without designating this appliance as the Client Manager.
Workaround: Either click the link or click Configuration > ProxyClient > General and enable this appliance to be the Client Manager as discussed in "Designating a ProxySG as the Client Manager" on page 81.

Message: ProxySG ADN must be enabled with primary or backup manager Self to use this configuration for ProxyClient acceleration.
Meaning: You entered the primary IP address of this ProxySG appliance as either the primary or backup ADN manager but you did not enable this appliance to be either the primary or backup ADN manager. (The primary IP address is the IP address assigned to the appliance's lowest-numbered interface; for example, interface 0:0. To confirm the primary IP address, click General > Identification.)
Workaround: Use the following steps:
1. Click Configure ADN or click Configuration > ADN > General.
2. Select the Enable Application Delivery Network check box.
3. In the Primary ADN Manager section, click Self to use this ProxySG appliance as the primary ADN manager, or click IP Address and enter the primary ADN manager's IP address.
4. Click Apply.
5. Click Configuration > ProxyClient > Acceleration > General.
6. Click Use ProxySG ADN Managers. This copies the ADN manager configuration from the Configuration > ADN > General tab page.
7. Click Apply.
See also "Enabling ADN Managers" on page 76. For more detailed information, see Chapter 2, Configuring an Application Delivery Network.

Message: Primary ADN Manager IP address is required
Meaning: You enabled ProxyClient acceleration but did not enter the IP address of the primary ADN manager.
Workaround:
1. Click Use ProxySG ADN Managers. This copies the ADN manager configuration from the Configuration > ADN > General tab page.
2. Click Apply.


Tuning the ADN Configuration


The ProxySG enables you to customize include and exclude subnets and port lists, which are advanced settings that limit the traffic that is accelerated by the ADN network. Because the ADN manager sets options for both its peers in the ADN network and for ProxyClients, you can use the include or exclude ports list to fine-tune the way ProxySG appliances interact with the ProxyClient. For example, if you know that ProxyClient traffic over particular ports is not compressible, you can add those ports in the exclude ports list.
Important: Blue Coat strongly recommends you test the include/exclude ports settings in a controlled environment before using them in production because improper settings can have an adverse impact on performance.

Specifically, you must understand the following:

• Include and exclude ports: Includes or excludes TCP ports in ADN tunnels. Assuming ProxyClients can connect to a ProxySG that can optimize traffic to the destination address, this setting determines which ports are accelerated (or are not accelerated) for clients. You can use either the excluded ports list or included ports list, but not both.

  Note: Make sure you know which ports are used by applications you want to accelerate and put them in the include ports list; otherwise, the traffic is not accelerated.

• Excluded subnets: You can exclude intranet connections from being forwarded to a ProxySG configured as an Internet gateway. This is important if your network is designed such that a connection to an intranet server fails if it is sent through an Internet gateway. Provided an Internet gateway is configured, forwarding occurs as follows:

  a. If the destination IP address is a local address, do not attempt to use an ADN tunnel; instead, connect directly. This is the end of the process.
  b. If the destination IP address is in the ProxyClient's excluded subnets list, do not attempt to use an ADN tunnel; instead, connect directly. This is the end of the process. Otherwise, if the IP address is not in the ProxyClient's exclude list, continue with the next step.
  c. If the destination IP address matches an entry in the ADN routing table, forward the connection over an ADN tunnel; otherwise, continue with the next step.
  d. If a ProxySG is configured as an Internet gateway, look up the destination IP address in the Internet gateway's exception list. If the address does not match, forward the connection over an ADN tunnel to the Internet gateway; otherwise, connect directly to the destination IP address.

See one of the following sections for more information:

• "Excluding Subnets from Being Accelerated"
• "Excluding and Including Ports" on page 109

Excluding Subnets from Being Accelerated


This section discusses how to prevent subnets from being accelerated when clients connect using the ProxyClient.
To exclude subnets:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > ADN Rules.
3. On the ADN Rules tab page, in the Excluded Subnets section, click Add. The Add IP/Subnet dialog displays.


4. Enter or edit the following information:


Option: IP / Subnet Prefix field
Description: Enter either an IP address or an IP address and subnet in Classless Inter-Domain Routing (CIDR) notation (for example, 192.168.0.0/16).

Option: Subnet Mask field
Description: Use this field if you entered only an IP address in the preceding field (that is, if you used CIDR notation in the preceding field, you do not need to enter a value in this field).

5. In the Add IP/Subnet dialog, click OK.
6. Repeat these tasks to exclude more subnets, if required.
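How an excluded subnet entered here changes the forwarding order given in "Tuning the ADN Configuration" (steps a through d) can be checked offline before the change goes live. The following is an added example, not code from this guide or from Blue Coat; the class, field and concentrator names are hypothetical, the addresses are constructed, "local address" is modelled as membership in a directly attached subnet, and picking the most specific ADN route is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ClientRouting:
    """Constructed model of the data a ProxyClient consults (hypothetical names)."""
    local_subnets: List[str]                 # step a: directly attached networks
    excluded_subnets: List[str]              # step b: Excluded Subnets on the ADN Rules tab
    adn_routes: Dict[str, str]               # step c: advertised subnet -> concentrator
    internet_gateway: Optional[str] = None   # step d: concentrator acting as Internet gateway
    gateway_exceptions: List[str] = field(default_factory=list)


def _matches(addr, subnets) -> bool:
    return any(addr in ipaddress.ip_network(s) for s in subnets)


def forward(cfg: ClientRouting, destination: str) -> Tuple[str, str]:
    """Return ("direct", reason) or ("tunnel", concentrator) for one destination."""
    addr = ipaddress.ip_address(destination)

    # a. Local destinations never use an ADN tunnel.
    if _matches(addr, cfg.local_subnets):
        return ("direct", "local address")

    # b. Excluded subnets are checked before the routing table, so an
    #    exclusion wins even when a concentrator advertises the same range.
    if _matches(addr, cfg.excluded_subnets):
        return ("direct", "excluded subnet")

    # c. ADN routing table. Most specific prefix wins (assumption of this example).
    hits = [(ipaddress.ip_network(s), c) for s, c in cfg.adn_routes.items()
            if addr in ipaddress.ip_network(s)]
    if hits:
        _, concentrator = max(hits, key=lambda h: h[0].prefixlen)
        return ("tunnel", concentrator)

    # d. Internet gateway, unless the destination is on its exception list.
    if cfg.internet_gateway is not None:
        if _matches(addr, cfg.gateway_exceptions):
            return ("direct", "gateway exception")
        return ("tunnel", cfg.internet_gateway)

    # No route and no gateway: the connection goes to the host directly.
    return ("direct", "no route")


# Constructed sample configuration, not taken from any real deployment.
SAMPLE = ClientRouting(
    local_subnets=["192.168.1.0/24"],
    excluded_subnets=["10.50.0.0/16"],
    adn_routes={"10.0.0.0/8": "concentrator-hq", "10.20.0.0/16": "concentrator-branch"},
    internet_gateway="concentrator-gw",
    gateway_exceptions=["172.16.0.0/12"],
)

if __name__ == "__main__":
    for dest in ("192.168.1.20", "10.50.3.4", "10.1.2.3",
                 "10.20.9.9", "172.16.5.5", "203.0.113.10"):
        print(f"{dest:15} -> {forward(SAMPLE, dest)}")
```

In the sample, 10.50.3.4 falls inside the advertised 10.0.0.0/8 route but still connects directly, because the excluded-subnets check in step b runs before the routing-table lookup in step c.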

Excluding and Including Ports


This section discusses how to include or exclude traffic on certain TCP ports; in other words, traffic on these ports either will be accelerated (if included) or will not be accelerated (if excluded). Note that if you include ports, traffic on all other ports is not accelerated. The following table discusses typical ports you can include.

Port or port range    Description
49152-65534           Passive FTP
443                   HTTPS
139, 445              CIFS
21                    FTP control port
8080                  Commonly used by Web applications.

In addition, consider the following sources of information:

• On any ProxySG configured as a proxy, Configuration > Services > Proxy Services. For any protocol the proxy is intercepting, consider adding the protocol's port to the include list.
• Internet Assigned Numbers Authority reference.


To exclude or include ports:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > ADN Rules. The ports section displays.

3. In the Ports section, click one of the following options:

   Exclude: Client traffic from specified ports is not routed through the ADN tunnel. All other traffic is accelerated.

   Valid values: Comma-separated list of ports and port ranges (no spaces; the two ends of a range are separated by a dash character). For example:
   22,88,443,993,995,1352,1494,1677,3389,5900-5902

   Include: Client traffic from specified ports is routed through the ADN tunnel and therefore is accelerated. All other traffic bypasses the tunnel and is not accelerated.

   Valid values: Comma-separated list of ports and port ranges (no spaces; the two ends of a range are separated by a dash character). For example:
   80,139,445,8080-8088

   Include ports 139 and 445 for file sharing (CIFS services) acceleration.

   Note: The include and exclude ports lists are advanced settings that limit the traffic that is accelerated by the ADN network.

4. Click Apply.
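A port list can be validated against the format above, and its effect on individual ports checked, before it is applied in production. The following is an added example, not code from this guide or from Blue Coat; the function names are hypothetical, the 1-65535 bound is the TCP port range rather than a limit stated in this guide, and the check covers only the port decision (it assumes a concentrator route to the destination exists).

```python
from typing import List, Tuple

PortRanges = List[Tuple[int, int]]
CIFS_PORTS = (139, 445)  # the file sharing ports named in this section


def parse_port_list(text: str) -> PortRanges:
    """Parse a list such as "80,139,445,8080-8088" into merged (low, high) ranges.

    Raises ValueError for spaces, empty items, non-numeric items,
    reversed ranges and ports outside 1-65535.
    """
    if not text or any(ch.isspace() for ch in text):
        raise ValueError("port list must be non-empty and contain no spaces")
    ranges: PortRanges = []
    for item in text.split(","):
        low, dash, high = item.partition("-")
        if not (low.isascii() and low.isdigit()):
            raise ValueError(f"not a port or port range: {item!r}")
        if dash and not (high.isascii() and high.isdigit()):
            raise ValueError(f"not a port or port range: {item!r}")
        lo = int(low)
        hi = int(high) if dash else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range or range reversed: {item!r}")
        ranges.append((lo, hi))
    # Merge overlapping or adjacent entries so duplicates do not hide mistakes.
    ranges.sort()
    merged: PortRanges = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def is_accelerated(port: int, mode: str, ranges: PortRanges) -> bool:
    """Port decision only: include mode accelerates listed ports, exclude mode the rest."""
    listed = any(lo <= port <= hi for lo, hi in ranges)
    if mode == "include":
        return listed
    if mode == "exclude":
        return not listed
    raise ValueError("mode must be 'include' or 'exclude'")


def cifs_ports_missing(mode: str, ranges: PortRanges) -> List[int]:
    """Return the CIFS ports that this configuration would leave unaccelerated."""
    return [p for p in CIFS_PORTS if not is_accelerated(p, mode, ranges)]


if __name__ == "__main__":
    include = parse_port_list("80,139,445,8080-8088")
    exclude = parse_port_list("22,88,443,993,995,1352,1494,1677,3389,5900-5902")
    for port in (80, 443, 445, 5901, 8085):
        print(port,
              "include-mode:", is_accelerated(port, "include", include),
              "exclude-mode:", is_accelerated(port, "exclude", exclude))
    print("CIFS ports missing from a web-only include list:",
          cifs_ports_missing("include", parse_port_list("80,443")))
```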


Enabling File Sharing Acceleration


This section discusses how to enable Common Internet File System (CIFS) protocol acceleration on the ProxyClient. CIFS is the protocol used to access files and directories across the WAN. Using CIFS acceleration improves performance when users request the same files from a file server at headquarters, for example.
Note: The ProxyClient does not perform CIFS acceleration to a server that has SMB message signing enabled. For more information, see Microsoft KB article 887429. Also see any other CIFS-related information discussed in the ProxyClient Release Notes.

For file sharing conceptual information, see "About ProxyClient CIFS Acceleration" on page 17. For more detailed information about CIFS optimization on the ProxySG, see the chapter on the CIFS proxy in the SGOS Administration Guide.
To enable file sharing acceleration using the ProxyClient:

1. Log in to the Client Manager's Management Console as an administrator.
2. Verify the CIFS ports are listed in the Included Port list as discussed in "Enabling File Sharing Acceleration" on page 111.
3. Click Configuration > ProxyClient > Acceleration > CIFS. The CIFS tab displays.


4. On the CIFS tab, enter or edit the following information:


Option: Enable CIFS acceleration check box
Description: You must select this check box to enable clients to accelerate CIFS traffic.

Option: Remote Storage Optimization option
Description: Applies when a user browses to an accelerated remote file share using Windows Explorer. Set this option to Enable to improve access to remote file shares by causing Windows Explorer to avoid read ahead on those folders. Set the option to Disable to allow Windows Explorer to read ahead on remote file shares.
Note: This setting is not related to Windows offline folders.
For more information, see "About ProxyClient CIFS Acceleration" on page 17.

Option: Suppress Folder Customization option
Description: Setting this option to Enable can improve performance when using Windows Explorer to browse to a remote accelerated file share that has a large number of customized nested folders that are set to read-only. (An example of customizing a folder is changing its display icon.) Click Disable to cause Windows to enforce the read-only attribute for all folders on accelerated remote file shares. For more information, see "About ProxyClient CIFS Acceleration" on page 17.

Option: Write Back options
Description: Write back options determine whether or not user connections continue sending data to the ProxySG appliance while the appliance is writing data on the back end. Select one of the following:
• Select Full to enable write-back, which causes the ProxyClient to send data to the ProxySG appliance without waiting for acknowledgement that the data was written successfully. This setting improves responsiveness but can lead to data loss in the rare circumstance in which the ProxyClient crashes or the link drops before delivering all the data to the ProxySG appliance.
• Select None to disable write-back. Disabling write-back can introduce substantial latency while clients send data to the appliance and wait for acknowledgement before sending more data. One reason to set this option to None is the risk of data loss if the link from the branch to the core server fails. There is no way to recover queued data if such a link failure occurs.

Option: Directory cache time field
Description: Enter the number of seconds for directory listings to remain in the client's cache.

5. Click Apply.

See Also
"ADN Features and the ProxyClient" on page 26

More About ProxyClient Caching


The following is a summary of how CIFS protocol acceleration and byte caching work on the client computer:

1. The ProxyClient starts.
2. The user requests a cacheable object, such as a file.
3. The ProxyClient allocates sufficient disk space on the client computer to cache the object, up to the limit set by the administrator. That is, if the client computer's system has 100GB of total space and the administrator configures the cache to use a maximum of 10%, the ProxyClient allocates up to 10GB for the cache. Cache space is divided equally between the CIFS cache and the byte cache. However, if the maximum cache size leaves less than 1GB of available disk space, the cache size is further limited. Continuing this example, if the client has only 9GB of available space, the maximum cache size is 8GB instead of 10GB.
4. If any single object (such as a file) exceeds the maximum CIFS cache size, that object is not cached in the CIFS cache; however, tokens associated with the object are cached in the byte cache. For example, if the maximum size of the CIFS cache is 5GB, and the client requests a file that is 6GB in size, that file is not cached in the CIFS cache.
5. If the cache is full, objects are expired from the cache based on a number of criteria, such as unopened files and oldest objects first.


Configuring ProxyClient Acceleration Settings (CLI)


To set up ProxyClient acceleration:

1. At the #(config) command prompt, enter proxy-client.
2. Configure general client settings:

#(config proxy-client) max-cache-disk-percent percentage
#(config proxy-client) software-upgrade-path url
#(config proxy-client) update-interval minutes
#(config proxy-client) view

To configure ProxyClient ADN rules settings:

1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) prompt, enter adn.
3. Configure ADN rules settings:

#(config proxy-client acceleration adn) port-list {exclude-ports | include-ports}
#(config proxy-client acceleration adn) {exclude-ports | include-ports} {port | port-list | port-range}
#(config proxy-client acceleration adn) exclude-subnets
#(config proxy-client acceleration adn exclude-subnets) {add | remove} subnet_prefix[/prefix length]
#(config proxy-client acceleration adn exclude-subnets) clear
#(config proxy-client acceleration adn exclude-subnets) exit
#(config proxy-client acceleration adn exclude-subnets) view
#(config proxy-client acceleration adn) exit

To configure ProxyClient ADN manager settings:

1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) prompt, enter adn.
3. Configure ADN manager settings:

#(config proxy-client acceleration adn) primary-manager ip-address
#(config proxy-client acceleration adn) backup-manager ip-address
#(config proxy-client acceleration adn) manager-port plain-port

To configure ProxyClient CIFS settings:

1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) command prompt, enter cifs.
3. Configure CIFS settings:

#(config proxy-client acceleration cifs) directory-cache-time seconds
#(config proxy-client acceleration cifs) {disable | enable}
#(config proxy-client acceleration cifs) exit
#(config proxy-client acceleration cifs) write-back {full | none}
#(config proxy-client acceleration cifs) remote-storage-optimization {disable | enable}
#(config proxy-client acceleration cifs) suppress-folder-customization {disable | enable}
#(config proxy-client acceleration cifs) view


Troubleshooting ProxyClient Acceleration


This section discusses the following topics related to diagnosing and resolving issues with ProxyClient acceleration:

• "Overview of Acceleration Troubleshooting"
• "More Information About ProxyClient Acceleration Troubleshooting" on page 119
• "Getting Detailed Diagnostics" on page 126

For more troubleshooting information, see one of the following sections:

• "Using the ProxyClient Web Browser for Troubleshooting" on page 213
• "Troubleshooting ProxyClient Installation and Operation" on page 214
• "Troubleshooting ProxyClient Web Filtering" on page 165
• "Other ProxyClient Troubleshooting Tools" on page 224


Overview of Acceleration Troubleshooting


Following are typical reasons why a connection is not accelerated:

• Concentrator is not available. To confirm which concentrators are advertising routes in the ADN network, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.
• The destination is not defined in ADN routing table. To confirm which routes have been published, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.
• Acceleration is disabled. To confirm that acceleration is enabled and running properly, see "Getting Acceleration Status from the Web Browser Window" on page 115.

The ProxyClient Web browser window and the Client Manager's Statistics > ProxyClient > Details tab pages assist you with troubleshooting acceleration issues clients might be experiencing. The following sections provide a brief overview of how you can use these tools:

• "Getting Acceleration Status from the Web Browser Window" on page 115
• "Configuration Error" on page 117
• "Using the Client Manager for Acceleration Troubleshooting" on page 118

Getting Acceleration Status from the Web Browser Window


The ProxyClient Web browser window indicates the current status of acceleration as follows:

Figure 7-1: ProxyClient Web browser window showing that acceleration is running. Callouts in the figure: "Display only if acceleration is enabled" and "Current acceleration status".

If acceleration is enabled and running, the following display:

• The Network tab displays (if acceleration is disabled or not running, there is no Network tab)
• The Acceleration Statistics section on the Status tab page displays (if acceleration is disabled or not running, there is no Acceleration Statistics section)
• Running displays in the Acceleration Statistics section heading

The following table lists the meanings of other status messages for acceleration:

Status message: Configuration Error
Meaning: The routing table the ProxyClient gets from the ADN manager or backup manager is empty. The most likely reason is that concentrators are advertising no routes to the managers. For more information, see "Configuration Error" on page 117.

Status message: Disabled due to Location
Meaning: Acceleration is disabled in the client's current location. For more information about locations, see Chapter 6: "Configuring ProxyClient Locations".

Status message: Not Available
Meaning: Status is not available because the ProxyClient cannot contact the ADN Manager. See "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.

Status message: Unlicensed
Meaning: Your acceleration license is invalid. To verify this is the case, log in to the Client Manager's Management Console as an administrator and click Configuration > ProxyClient > Acceleration > General. If the message Acceleration License: Invalid displays below the Enable Acceleration check box, you know your license is invalid. Contact your Blue Coat representative or Blue Coat Support to resolve the issue.

Status message: Disabled by Safe Mode
Meaning: Acceleration is always disabled if the user boots their computer in Safe Mode. Resolve the issue that caused the user to boot in Safe Mode.

Status message: Internal Service Error
Meaning: This message displays in the heading of the component (acceleration or Web filtering) that is experiencing errors. If the error indicates a problem with Web filtering, see "Web Filtering Internal Service Error" on page 169. If the error indicates a problem with acceleration, ask the user to reboot the computer, enable trace logging, and repeat the actions that caused the internal service error. For more information about trace logging, see "Performing Data Traces and Data Collection" on page 232.

For more detailed information, see "More Information About ProxyClient Acceleration Troubleshooting" on page 119.

Configuration Error
This section discusses how to resolve issues related to the error message Configuration Error. This message indicates the routing table the ProxyClient gets from the ADN manager or backup manager is empty. The most likely reason is that concentrators are advertising no routes to the managers.
To resolve the configuration error:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Acceleration > General.
3. In the ADN Manager section, click Use ProxySG ADN Managers. This causes the Client Manager to use the ADN manager configuration.
4. Log in to a concentrator's Management Console as an administrator.
5. Click Configuration > ADN > Routing > Server Subnets.
6. Click Help and make sure the settings are correct.
7. If the concentrator is being used as an Internet gateway, click Configuration > ADN > Routing > Internet Gateway.
8. Click Help and make sure the settings are correct.
9. Repeat steps 4 through 8 on all concentrators that front servers the ProxyClient needs to access.

Any changes to the routing table (for example, adding server subnets) are received by the ProxyClient immediately. If you suspect there are communication issues between the ProxyClient and the ADN manager(s) or concentrators, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.

Using the Client Manager for Acceleration Troubleshooting


The Client Manager's Statistics tab page has information you can use to assist you with troubleshooting acceleration issues. For more information, see Chapter 10: "Monitoring ProxyClient Performance".

Using a Concentrator for Acceleration Troubleshooting


This section discusses how you can isolate acceleration issues to a particular concentrator. To use the information discussed in this section, log in as an administrator to the Management Console of a concentrator that accelerates traffic for ProxyClients.

The following information can be useful to isolate acceleration issues to a particular concentrator:

• Statistics > Active Sessions > ADN Inbound Sessions displays information about currently active sessions, including sessions with ProxyClients. Use a client IP address filter to view tunnels from a specific client. For more information, see "Viewing ProxyClient Active Session Statistics" on page 210.

  To view related client statistics, see "Getting Acceleration Status from the Web Browser Window" on page 115.

• Statistics > Advanced > ADN:
  - The Peer statistics link displays aggregate information per peer (client). For each peer, it shows byte cache information such as dictionary status and cache size.
  - The tunnel connection link shows information per each active connection.
  - The tunnel connection pool link shows information about idle tunnels. These correspond to the idle tunnels displayed on the client's Network tab page.
  - The dashboard link and other links display aggregate information for components such as tunnels and dictionary sizes.

Getting Detailed Diagnostics


If the information displayed on the ProxyClient Web browser window is not sufficient, get trace logs or run the ProxyClient Data Collection utility as discussed in "Performing Data Traces and Data Collection" on page 232.

More Information About ProxyClient Acceleration Troubleshooting


This section focuses on using the ProxyClient Web browser window and the ADN manager to get detailed information about routing issues that might cause acceleration issues. This section discusses the following topics:

• "Starting the ProxyClient Web Browser Window"
• "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119
• "About the Network Tab Page" on page 122

Starting the ProxyClient Web Browser Window


See "Using the ProxyClient Web Browser for Troubleshooting" on page 213.

Troubleshooting ADN Manager or Concentrator Connection Issues


This section discusses how to determine whether an acceleration issue is due to loss of connectivity to either the ADN manager or to a concentrator fronting servers the ProxyClient needs to access. Remember that concentrators advertise subnets to be accelerated; the ADN manager advertises the routes to the ProxyClient.


The Status tab page displays as follows if the ADN Manager is not reachable:
• Status: Not Available
• Savings Over Time displays No Accelerated Traffic or shows periods of no acceleration

Hovering the mouse pointer over the Not Available link displays the following message:
Cannot accelerate: Not connected to Acceleration Network

If the ProxyClient shows that acceleration is enabled but that no routes are being accelerated, most likely the connectivity issue is with the ADN manager. However, if routes are advertised but connections are going direct to their destinations, there is likely an issue communicating with a concentrator.
To confirm the acceleration issue is due to loss of connectivity to the ADN manager or concentrator:

1. Ask the user to start the ProxyClient Web browser window as discussed in "Starting the ProxyClient Web Browser Window" on page 119.
2. Verify the Network tab page displays; if so, acceleration is enabled.
3. If the Network tab page does not display, click the Status tab.

   If the message Configuration error displays, no concentrators are advertising subnets to be accelerated. This indicates a configuration error on the concentrators. Verify the following:
   • Every concentrator fronting a server that accelerates traffic for ProxyClients uses managed ADN (that is, there is an ADN manager specified on each concentrator).
   • Verify the Client Manager specifies the same ADN manager as the concentrator. (Log in to the Client Manager's Management Console and click Configuration > ProxyClient > Acceleration > General and click Use ProxySG ADN Managers.)

   If the message Not Available displays, the ProxyClient has lost contact with the ADN manager. View the Admin Log on the client computer and, if necessary, request the user perform trace logging as discussed in "Performing Data Traces and Data Collection" on page 232.

4. Click the Network tab. If the Network tab page displays no subnets, most likely the error is caused by a loss of communication with the ADN manager. An example follows.

   To confirm this is the case, click the Advanced tab and click View Log in the Diagnostic Tools section. The message Cannot connect to any ADN manager confirms the ProxyClient cannot connect to the ADN manager.


If Current Direct Connections is not zero, it means that a concentrator in the client's routing table is not reachable by the client. (The routing table is displayed in the Subnets section.) As long as that concentrator's IP address remains in the client's routing table, connections go directly to their destinations. If the client connects to a host that is not in the routing table, connections go directly to that host but are not counted as Current Direct Connections. An example follows.

For additional information about the direct connections, click the More Info link in the ADN Tunnels section and see "Network Tab Page - ADN Tunnels Section" on page 123.

About the Network Tab Page


This section discusses the following topics related to the Network tab page on the ProxyClient Web browser window:

• "Network Tab Page - Configuration Section"
• "Network Tab Page - ADN Tunnels Section" on page 123
• "Network Tab Page - Subnets Section" on page 125
• "Network Tab Page - Exempt Routes Section" on page 125
• "Network Tab Page - Excluded Subnets Section" on page 126

Network Tab Page - Configuration Section


The Configuration section displays the following information about your ProxyClient network connections:

The Primary ADN Manager and Backup ADN Manager (if any) display the IP addresses of the primary and backup ADN managers.

Ports can be either included in acceleration or excluded from acceleration (but not both), as follows:

Included Ports displays specific ports that are accelerated; traffic on all other ports is not accelerated. The ports correspond to the following setting on the Client Manager's Management Console: Configuration > ProxyClient > Client Manager > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.

Excluded Ports displays which ports are excluded from acceleration. The ports correspond to the following setting on the Client Manager's Management Console: Configuration > ProxyClient > Client Manager > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.

If there is a mismatch between the ports displayed on the ProxyClient and the ports configured on the Client Manager, make sure the ProxyClient is using the correct Client Manager. (Click the Advanced tab and review the information in the Client Manager section. You can change the Client Manager as discussed in "Changing the Client Manager" on page 229.) If the ports specified are incorrect, change them on the Client Manager and update the ProxyClient configuration (Advanced tab page, click Check for Updates Now).

Network Tab Page - ADN Tunnels Section


The ADN Tunnels section displays the following information about current ADN tunneling:

Current Active Tunnels: An active tunnel is a connection, currently in use, used to accelerate network traffic.

Current Idle Tunnels: An idle tunnel is a connection, not currently in use, that was used at one time to accelerate network traffic. For performance reasons, the ProxyClient keeps open a certain number of idle tunnels; this is not unusual.

Current Direct Connections: A connection to an external resource (such as a Web site) that goes directly to its destination and is therefore not accelerated. A direct connection means the concentrator is in the client's routing table but the client cannot connect to the concentrator. (The client's routing table displays in the Subnets section on the Network tab page.) A non-zero Current Direct Connections count means the ADN manager has the concentrator in its routing table but the ProxyClient cannot contact the concentrator. If the ADN manager removes the concentrator from the routing table, connections to servers fronted by that concentrator go direct to their destinations but the Current Direct Connections count does not increment. In other words, these connections bypass the client entirely.

Click More Info to display more detailed information.


Following is a discussion of the information displayed in the Active Tunnels section:

A row displays with alternating white and gray backgrounds as long as the connection is open. A row displays with a green background to indicate the ADN tunnel has been opened recently. A row displays with a red background to indicate the ADN tunnel is about to close.

Note: The View ADN Tunnels window displays current information, while the Status tab page displays information aggregated over a selectable time period.

The following table discusses the meanings of the columns on this page:

Column name: Description
PID: Process ID of the process listed in the next column.
Process Name: Name of the process that created the tunnel. A value of svchost.exe means this is a CIFS tunnel.
Client: The ProxyClient's IP address and the port over which the tunnel opened.
Server: The server's IP address and the port over which the server accepted the request.
ADN Next Hop: The IP address of the concentrator accelerating the network traffic.
Total Demand: The number of bytes sent and received by the applications running on the client's computer.
Actual Usage: The number of bytes sent over the WAN after acceleration was applied.
Details: Additional information about the connection; for example:
  CIFS: The connection uses CIFS. Provided CIFS protocol acceleration is enabled, the connection should be accelerated. (Log in to the Client Manager's Management Console and click Configuration > ProxyClient > Acceleration > CIFS.)
  CIFS Bypass or N/A: The CIFS connection is not optimized. The reason it was bypassed can be found in the admin log. In the ProxyClient Web browser window, click the Advanced tab and click View Log in the Diagnostic Tools section.
Savings: (Actual Usage / Total Demand) x 100.
Gain: Total Demand / Actual Usage expressed as a decimal.

Network Tab Page - Subnets Section


Displays subnets that are configured to be accelerated. This information corresponds to the following configuration in the ADN Manager's Management Console: Configuration > ADN > Routing > Server Subnets. The ADN Next Hop column displays the IP address of the concentrator accelerating the tunnel.

Network Tab Page - Exempt Routes Section


Displays routes that are configured to not be accelerated by a concentrator configured as an Internet Gateway. This information corresponds to the following configuration in the concentrator's Management Console: Configuration > ADN > Routing > Internet Gateway.

Network Tab Page - Excluded Subnets Section


Displays subnets that are configured to not be accelerated for the ProxyClient. This information corresponds to the following configuration in the Client Manager's Management Console: Configuration > ProxyClient > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.

Getting Detailed Diagnostics


If the information displayed on the ProxyClient Web browser window is not sufficient, get trace logs or run the ProxyClient Data Collection utility as discussed in "Performing Data Traces and Data Collection" on page 232.


Chapter 8: Configuring ProxyClient Web Filtering

This chapter discusses how to configure the Client Manager to provide the Blue Coat WebFilter service for ProxyClient users. Web filtering enables you to allow, block, or warn users about accessing content in categories you specify using any of the following:

The Blue Coat WebFilter database categories
Local database categories
Policy categories (also referred to as custom categories)
System and Default categories, which are discussed in more detail later in this chapter

For conceptual information about Web filtering, see "About ProxyClient Web Filtering" on page 19. This chapter discusses the following topics:

"Web Filtering Task Summary"
"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Blue Coat Web Filter Database (Optional)" on page 130
"Enabling the Use of the Local Database (Optional)" on page 133
"Setting Up ProxyClient Web Filtering" on page 135
"Working With Categories, Users, Groups, and Policy Actions" on page 141
"Web Filtering Best Practices" on page 155
"Displaying and Customizing Web Filtering Exception Pages" on page 157
"Enabling Web Filtering Logging" on page 159
"Configuring ProxyClient Web Filtering (CLI)" on page 165

Web Filtering Task Summary


To use ProxyClient Web filtering, you must perform the following tasks in the order shown:
Task 1. Prerequisites
Description:
  "About ProxyClient Licensing" on page 31. You can use Web filtering only if the Client Manager is properly licensed.
  "Designating a ProxySG as the Client Manager" on page 81. You must designate a Client Manager before you can enable Web filtering for the ProxyClient.

Task 2. "Options for Enabling Blue Coat Web Filtering" on page 129
Description: Understand the options for downloading the entire Blue Coat WebFilter (BCWF) database or only the BCWF database categories.
  If your ProxySG appliance is used only as a Client Manager, download only the BCWF database categories.
  If your ProxySG appliance is a Client Manager and also performs in-office Web filtering, download the BCWF database.

Task 3. Download the BCWF database or categories:
  If the ProxySG is a dedicated Client Manager: "Entering BCWF Database Credentials" on page 135
  If the ProxySG is a Client Manager and also performs in-office Web filtering: "Enabling the Blue Coat Web Filter Database (Optional)" on page 130
Description: Set up updates for the BCWF database or categories; they must be updated on the Client Manager at least once every 30 days.
  Note: Although it is possible to enable other databases (for example, Internet Watch Foundation), only the following categories can be used by the ProxyClient:
    Blue Coat Web Filter
    Policy, such as VPM policy
    The local database
    System and Default categories
  Categories from other databases are not used by ProxyClient Web filtering.

Task 4. Optional. "Enabling the Use of the Local Database (Optional)" on page 133
Description: The local database is one way you can optionally create categories to whitelist or blacklist specific lists of URLs for your employees. You can also add policy categories (also referred to as custom categories) to set up whitelists and blacklists. For more information, see "Managing Policy Categories" on page 147.

Task 5. "Setting Up ProxyClient Web Filtering" on page 135
Description: After you have the current BCWF database or categories, you can enable the ProxyClient to perform Web filtering.

Task 6. "Working With Categories, Users, Groups, and Policy Actions" on page 141
Description: Define categories of content you will allow users to access, block users from accessing, or warn users about accessing. You can fine-tune policy actions for individual users and user groups.

Task 7. "Web Filtering Best Practices" on page 155
Description: Information about how to best use Web filtering in your corporation.

Task 8. "Displaying and Customizing Web Filtering Exception Pages" on page 157
Description: Exception pages are displayed to users when they attempt to access content that the administrator chose to either block or to warn about. Blue Coat recommends you customize the default exception pages to provide users with more specific information.

Task 9. "Enabling Web Filtering Logging" on page 159
Description: How to upload client Web filtering logs to an anonymous FTP server.

Options for Enabling Blue Coat Web Filtering


Starting with SGOS version 5.5, you have the option of downloading to the Client Manager either the entire BCWF database or only the categories in the BCWF database. The following table discusses the differences.
BCWF download: Entire BCWF database
Description: Required only if the same ProxySG appliance is used for both the Client Manager and for in-office Web filtering (sometimes also referred to as on-box Web filtering). The BCWF database contains BCWF categories and URLs contained in those categories. Any client request that does not match a category in the database is referred to WebPulse for categorization.

BCWF download: Only the BCWF database categories
Description: Required for dedicated Client Managers. Downloading only the categories saves hard disk space on the ProxySG appliance and speeds up downloads because the categories are much smaller than the entire BCWF database.

Regardless of whether you choose to download the entire BCWF database or only the categories, you must obtain a BCWF license, which entitles you to a BCWF user name and password. For more information, contact your Blue Coat representative. Because the BCWF database or categories must be updated at least once every 30 days, make sure the Client Manager is capable of accessing the Internet.

Continue with any of the following sections:

If you are starting out configuring ProxyClient Web filtering, see "Setting Up ProxyClient Web Filtering" on page 135
To download the entire BCWF database, see "Enabling the Blue Coat Web Filter Database (Optional)" on page 130
To download only the BCWF database categories, see "Entering BCWF Database Credentials" on page 135

Enabling the Blue Coat Web Filter Database (Optional)


This section discusses how to enable and download the Blue Coat Web Filter database. Starting with SGOS 5.5, downloading the entire BCWF database is required only if the same ProxySG appliance is used as both the Client Manager and for in-office Web filtering. For more information, see "Options for Enabling Blue Coat Web Filtering" on page 129. If your Client Manager is not responsible for in-office Web filtering, skip this section and continue with "Enabling the Use of the Local Database (Optional)" on page 133.
To enable the Blue Coat Web Filter database:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > General.
3. In the right pane, select the Enable check box for Blue Coat WebFilter.
4. Click Apply.
5. To download the BCWF database, on the Blue Coat WebFilter tab page, enter the following information:

Option: Description
Username field: Enter the user name provided with your BCWF subscription.
Change Password button: Click the button and follow the prompts on your screen to set or change your BCWF password.
URL field: Enter the URL provided with your BCWF subscription. Typically, the URL is: https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Set to default button: Click to reset the URL field to its default value of https://list.bluecoat.com/bcwf/activity/download/bcwf.db

6. Click Download Now. This starts the download process. Make sure you verify the download was successful as discussed in the next step.
7. Allow a few minutes for the download to complete and click Verify Download. The following table shows sample success messages.

Type of download: Full database
Success message:
  Blue Coat download at: 2009/09/11 23:28:00 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting initial database
  Download size: 7507
  Database date: Fri, 11 Sep 2009 23:25:02 UTC
  Database expires: Tue, 19 Jan 2038 03:14:07 UTC
  Database version: 1
  Database format: 1.1

Type of download: Differential update
Success message:
  Blue Coat download at: 2009/09/11 16:00:41 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting differential update
  Differential update applied successfully
  Download size: 3208
  Database date: Fri, 11 Sep 2009 15:50:05 UTC
  Database expires: Sun, 11 Oct 2009 15:50:05 UTC
  Database version: 292540200
  Database format: 1.1

The following table shows sample error messages with suggestions about how to correct the error.

Failure message: ERROR: Socket connect error
Suggested workaround: The Client Manager cannot contact the BCWF URL, most likely for any of the following reasons:
  The URL is incorrect. Click Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the URL field with the information provided with your Web filtering license. Try clicking Set to default and trying the download again.
  Network issues prevent the Client Manager from reaching the site. Using an SSH application, log in to the Client Manager and enter the following command at the command line:
  > ping list.bluecoat.com
  If you cannot ping the list.bluecoat.com Web site, check the configuration of routers and firewalls to make sure the Client Manager can reach the site.

Failure message: ERROR: HTTP 401 Unauthorized
Suggested workaround: Either the user name or password you specified is incorrect. Click Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the Username field. Click Change Password and enter your password again in the provided fields. When you are finished, click Apply.

For more information about other options, click Help or see the section on configuring Blue Coat Web filter in "Configuring Blue Coat WebFilter" on page 359 in the SGOS Administration Guide.

8. Select the Automatically check for updates check box.
9. Click Apply.
10. Continue with "Enabling Other Databases".
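The Verify Download text from step 7 can be checked by a script against the 30-day update requirement and the two documented errors. The following is an added example, not part of the guide or of Blue Coat's software; it assumes the message arrives one field per line as in the samples above, and the function names, state names and remediation wording are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)  # update interval stated in the guide

# Hints paraphrased from the guide's error table.
REMEDIATION = {
    "Socket connect error": "verify the URL field, then routers and firewalls on the path",
    "HTTP 401 Unauthorized": "re-enter the BCWF user name and password, then click Apply",
}

# Sample messages from the guide; one field per line is an assumed layout.
FULL = """\
Blue Coat download at: 2009/09/11 23:28:00 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting initial database
Download size: 7507
Database date: Fri, 11 Sep 2009 23:25:02 UTC
Database expires: Tue, 19 Jan 2038 03:14:07 UTC
Database version: 1
Database format: 1.1
"""
DIFFERENTIAL = """\
Blue Coat download at: 2009/09/11 16:00:41 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size: 3208
Database date: Fri, 11 Sep 2009 15:50:05 UTC
Database expires: Sun, 11 Oct 2009 15:50:05 UTC
Database version: 292540200
Database format: 1.1
"""
UNAUTHORIZED = "ERROR: HTTP 401 Unauthorized\n"


def parse_status(text):
    """Collect the 'Key: value' lines of a status message into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:  # lines without ': ' (progress text, the URL line) are skipped
            fields[key] = value
    return fields


def _when(value):
    """Parse a timestamp such as 'Fri, 11 Sep 2009 15:50:05 UTC'."""
    parsed = datetime.strptime(value, "%a, %d %b %Y %H:%M:%S UTC")
    return parsed.replace(tzinfo=timezone.utc)


def assess(text, now):
    """Return (state, detail); state is 'ok', 'stale', 'expired' or 'error'."""
    fields = parse_status(text)
    if "ERROR" in fields:
        hint = REMEDIATION.get(fields["ERROR"], "see the admin log")
        return "error", f"{fields['ERROR']}: {hint}"
    try:
        dated = _when(fields["Database date"])
        expires = _when(fields["Database expires"])
    except (KeyError, ValueError) as exc:
        return "error", f"unparseable status message ({exc})"
    if now >= expires:
        return "expired", f"database expired on {expires:%Y-%m-%d}"
    age = now - dated
    if age > MAX_AGE:
        return "stale", f"database is {age.days} days old"
    return "ok", f"database is {age.days} days old"


if __name__ == "__main__":
    check_time = datetime(2009, 11, 1, tzinfo=timezone.utc)  # constructed
    for name, msg in (("full", FULL), ("differential", DIFFERENTIAL),
                      ("401", UNAUTHORIZED)):
        print(name, assess(msg, check_time))
```

A full download can report a far-future expiry date, so the age check against the database date is what catches a Client Manager that has stopped updating.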

Enabling Other Databases


Although it is possible to enable other databases (for example, Internet Watch Foundation), categories in these databases are not used by ProxyClient Web filtering. Categories from only the following sources are used by the ProxyClient:

The BCWF database
For more information, see "Options for Enabling Blue Coat Web Filtering" on page 129

The local database
For more information, see "Enabling the Use of the Local Database (Optional)" on page 133

Policy, such as VPM policy (including local, central, and forward policies)
For more information, see "Managing Policy Categories" on page 147

System categories (none and unavailable), which cannot be edited or deleted
For more information, see "Configuring System and Default Policy Actions" on page 149

The Default Action, which enables you to allow or block any content request that is not classified into any of the preceding categories
For more information, see "Configuring System and Default Policy Actions" on page 149

Enabling the Use of the Local Database (Optional)


The local database can be used by administrators to set up whitelists or blacklists; in other words, it enables you to add categories with particular URLs that you can allow, block, or warn. If you do not wish to enable the local database, skip this section and continue with "Setting Up ProxyClient Web Filtering" on page 135. This section discusses the following topics:

"Creating the Local Database"
"Enabling the Local Database" on page 134

Creating the Local Database


To create the local database:

1. Create a text file in the following format:

   define category-name
     url1
     url2
     urln
   end
   define category-name
     url1
     url2
     urln
   end

   For example,

   define category whitelist
     www.cnn.com
     www.webmd.com
   end
   define category blacklist
     www.gambling.com
   end

   Each category can have an unlimited number of URLs.
2. Upload the text file to a Web server that the Client Manager can access.
3. Continue with "Enabling the Local Database".
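A local database file that is malformed, or that lists the same URL under both a whitelist and a blacklist category, is easier to catch before it is uploaded to the Web server. The following linter is an added example, not part of the guide or of SGOS; it assumes the layout of the example above (a "define category name" line, URL entries, then "end"), and its finding codes and the sample file are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the guide's format, with deliberate mistakes.
SAMPLE = """\
define category whitelist
  www.cnn.com
  www.webmd.com
end
define category blacklist
  www.gambling.com
  WWW.CNN.COM/
  https://
end
www.stray.example
define category orphan
  www.example.org
"""

DEFINE_RE = re.compile(r"^define\s+category\s+(\S+)$", re.IGNORECASE)


def normalize(entry):
    """Return a lower-cased host plus path key, or None if there is no host."""
    try:
        parts = urlsplit(entry if "://" in entry else "//" + entry)
        host = parts.hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.lower() + parts.path.rstrip("/")


def lint_local_database(text):
    """Parse the file and return (categories, findings).

    categories maps a category name to its set of normalized entries.
    findings is a list of (line_number, code, detail) tuples.
    """
    categories, findings = {}, []
    seen_in = {}                    # entry -> first category that listed it
    current, opened_at = None, 0

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        match = DEFINE_RE.match(line)
        if match:
            if current is not None:          # previous block never closed
                findings.append((opened_at, "unterminated", current))
            name = match.group(1)
            if name in categories:
                findings.append((lineno, "duplicate-category", name))
            categories.setdefault(name, set())
            current, opened_at = name, lineno
        elif line.lower() == "end":
            if current is None:
                findings.append((lineno, "stray-end", ""))
            current = None
        elif current is None:
            findings.append((lineno, "outside-category", line))
        else:
            for entry in line.split():
                key = normalize(entry)
                if key is None:
                    findings.append((lineno, "malformed-entry", entry))
                elif key in categories[current]:
                    findings.append((lineno, "duplicate-entry", key))
                else:
                    categories[current].add(key)
                    first = seen_in.setdefault(key, current)
                    if first != current:     # same URL in two categories
                        findings.append(
                            (lineno, "conflict", f"{key}: {first} vs {current}"))
    if current is not None:
        findings.append((opened_at, "unterminated", current))
    return categories, findings


if __name__ == "__main__":
    for lineno, code, detail in lint_local_database(SAMPLE)[1]:
        print(f"line {lineno}: {code} {detail}")
```

A "conflict" finding is a prompt for review rather than a syntax error: it marks a URL whose treatment would depend on which category's rule is applied.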

Enabling the Local Database


To enable the local database:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > General.
3. In the right pane, select the Enable check box next to Local Database.
4. Click Apply.
5. Continue with the next section.

Uploading the Local Database to the Client Manager


To upload the local database to the Client Manager:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > Local Database.
3. In the right pane, enter or edit the following information:

Option: Description
Username field: Enter the user name required to access the local database, if any.
Change Password button: Click the button and follow the prompts on your screen to set or change your local database password.
URL field: Enter the URL to the local database.

4. Click Download Now.
5. To verify the download, click Verify Download.
6. Select the Automatically check for updates check box.
7. Click Apply.
8. Continue with "Setting Up ProxyClient Web Filtering" on page 135.

See Also
Section on configuring the local database in "Creating a Local Database" on page 366 in the SGOS Administration Guide.

Setting Up ProxyClient Web Filtering


The following sections discuss how to enable and configure ProxyClient Web filtering on the Client Manager:

"Entering BCWF Database Credentials"
"Enabling ProxyClient Web Filtering" on page 136
"About the Policy Tab Page" on page 139
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143
"Configuring Users and Groups" on page 144
"Managing Policy Categories" on page 147
"Configuring System and Default Policy Actions" on page 149
"Ordering Categories in the Rulebase" on page 150
"Configuring Other Web Filtering Options" on page 153

For an overview of the entire process, see "Web Filtering Task Summary" on page 128. Continue with "Enabling ProxyClient Web Filtering".

Entering BCWF Database Credentials


This section discusses how to enter credentials to get the BCWF database categories. These credentials are supplied with your BCWF license and the credentials must be updated every 30 days to enable you to get the most recent categories and to continue to use WebPulse. The tasks discussed in this section are not required if you already downloaded the entire BCWF database as discussed in "Enabling the Blue Coat Web Filter Database (Optional)" on page 130. In that case, skip this section and continue with "Enabling ProxyClient Web Filtering" on page 136.


To enter credentials for the BCWF database:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > Content Filtering > Blue Coat WebFilter.
3. On the Blue Coat WebFilter tab page, enter the following information:

Option: Description
Username field: Enter the user name provided with your BCWF subscription.
Change Password button: Click the button and follow the prompts on your screen to set or change your BCWF password.
URL field: Enter the URL provided with your BCWF subscription. Typically, the URL is: https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Set to default button: Click to reset the URL field to its default value of https://list.bluecoat.com/bcwf/activity/download/bcwf.db

4. Continue with "Enabling ProxyClient Web Filtering" on page 136

Enabling ProxyClient Web Filtering


This section discusses how to enable the Client Manager to perform ProxyClient Web filtering. Prerequisites:

"Web Filtering Task Summary" on page 128
"Options for Enabling Blue Coat Web Filtering" on page 129

To enable ProxyClient Web filtering:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy. Under the Enable Web Filtering check box, one of the following messages might display. Use the following table to take the appropriate action:

Table 8-1 ProxyClient Web filtering status messages

Message    Meaning and suggested action

Meaning and suggested action: Blue Coat Web filtering is set up properly. Continue with Step 3 on page 138.

Meaning and suggested action: Select the Enable Web Filtering check box and click Apply. Other messages might display; if so, consult later rows in this table.

Meaning and suggested action: Your SGOS license is invalid or expired. Click the link to find more information.

Meaning and suggested action: You have not entered credentials required to download the BCWF database or categories to this ProxySG appliance. Action: Use the following steps:
  1. Click the link in the error message or click Configuration > Content Filtering > Blue Coat.
  2. In the Username field, enter the Blue Coat Web Filter database user name provided with your Web filtering license.
  3. Click Change Password.
  4. In the provided fields, enter the Blue Coat Web Filter database password.
  5. Click OK.
  6. At the confirmation dialog, click OK.
  7. Click Apply.
  8. Click Download Now. This starts the download using the credentials you entered.
  9. Click View Download Status to confirm the database downloaded successfully.
  10. Click Configuration > ProxyClient > Web Filtering > Policy.
  11. Clear the Enable Web Filtering check box and apply the change.
  12. Select the Enable Web Filtering check box.

Meaning and suggested action: After you enable ProxyClient Web filtering, the Client Manager must download the BCWF database categories. During the time the categories are being downloaded, this message displays. This message does not display if you downloaded the entire BCWF database. For more information about the differences between downloading the database and only the database categories, see "Options for Enabling Blue Coat Web Filtering" on page 129. If this message displays for an extended period of time, try the following:
  1. Clear the Enable Web Filtering check box and apply the change.
  2. Select the Enable Web Filtering check box and apply the change.

3. After you have successfully enabled the BCWF database with a valid license, continue with "About the Policy Tab Page" on page 139.


See Also
"Options for Enabling Blue Coat Web Filtering" on page 129

About the Policy Tab Page


This section discusses general information about the Policy tab page and provides links to subsequent sections that discuss the tab page in more detail. If you have not already done so, click Configuration > ProxyClient > Web Filtering > Policy. Click a section of the figure or use the links following the figure to find more information about the Policy tab page.

See one of the following sections for more information:

"General Settings Pane"
"All Categories Pane" on page 140
"Selected Category Rule Base Pane" on page 140

General Settings Pane


To enable ProxyClient Web filtering, first make sure Web Filter Status: Valid displays in the right corner of the General Settings pane. If the status is other than Valid, you must renew your Web filtering license before continuing. Select the Enable Web filtering check box if you have not already done so. If error messages display, see Table 8-1 on page 136.

All Categories Pane


Displays all currently configured categories from all sources (BCWF, local database, policy, and system). Initially, only the System node is populated. After you enable ProxyClient Web filtering and enter valid BCWF credentials, the Blue Coat node is populated as well. To set a policy action for a category (allow, block, or warn), expand the node containing the category and select the check box next to the category name. Then configure users and groups to which the action applies in the Selected Category Rule Base pane. For more details about this pane, see "Getting Started With Categories" on page 141. An example follows.

Selected Category Rule Base Pane


After you select a category in the All Categories pane, you configure policy actions for users and groups in the Selected Category Rule Base pane. For more details, see "Configuring Users and Groups" on page 144. An example follows.

(Figure callouts: Add a user/group rule; Reorder rules; Delete a user/group rule.)

Working With Categories, Users, Groups, and Policy Actions


ProxyClient Web filtering policy works by assigning a policy action (allow, block, or warn) to a category and applying that policy action to a user or group. For example, a category (such as Finance) can be allowed for one user or one group and blocked for other users and groups. This section discusses the following topics:

"Getting Started With Categories"
"Selecting Categories" on page 143
"Configuring Users and Groups" on page 144
"ProxyClient Web Filtering and Proxy Servers" on page 144
"Managing Policy Categories" on page 147
"Configuring System and Default Policy Actions" on page 149
"Ordering Categories in the Rulebase" on page 150
"Configuring Other Web Filtering Options" on page 153

If you are configuring ProxyClient Web filtering for the first time, you should complete the tasks discussed in the preceding sections in the order in which they are shown. If you are modifying an existing configuration, choose any task.

Note: Users and groups for ProxyClient Web filtering are validated against the user's cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects.

Getting Started With Categories


This section discusses how to locate the available categories so you can get started defining categories and their associated policy actions.
To implement Web filtering policy for ProxyClient users:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy. On the Policy tab, the All Categories section displays the available category nodes:
   Blue Coat: The BCWF database.
   Local: The local database, which is discussed in "Enabling the Use of the Local Database (Optional)" on page 133.
   System: Special categories (none and unavailable) that are discussed in more detail in Step 4 on page 149.
   Policy: Categories defined using policy (usually the Visual Policy Manager (VPM)).
3. Expand a node to display its categories.
4. Select the check box next to categories for which you want to set policy actions.

Note: If you are not familiar with ProxySG content filtering, refer to Chapter 18, Filtering Web Content, in the SGOS Administration Guide. Many Web sites generate more than one URL request so it is possible that an allowed Web site might create other URL requests that are categorized differently, or are categorized as the System category none. For example, images and advertisements displayed on an allowed Web site are individually classified based on their URLs. Even if you allow users to access that Web site, each of the ads and images on the site can be blocked based on each URL's categorization.

5. Continue configuring ProxyClient Web filtering. If you are configuring ProxyClient Web filtering for the first time, complete the following tasks in the order in which they are presented. If you have already configured Web filtering and need to modify your previous choices, choose a task from the following list.
   "Selecting Categories"
   "Configuring Users and Groups" on page 144
   "Configuring System and Default Policy Actions" on page 149
   "Ordering Categories in the Rulebase" on page 150
   "Configuring Other Web Filtering Options" on page 153

Selecting Categories
This section discusses how to select categories to use to filter Web content for ProxyClient users. Select only the categories you wish to explicitly allow, deny, or warn users about accessing. If a user accesses content that is not associated with any categories you select, the policy action for Default Action is applied. For more information, see "Configuring System and Default Policy Actions" on page 149. Prerequisites:

"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136

To select categories:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. In the All Categories pane, expand Blue Coat.
   Note: If the Client Manager does not have a valid BCWF database, there are no BCWF categories and the following message displays on the Policy tab page:
   ProxyClient Web filtering is unavailable due to an invalid license. Please contact Blue Coat Support.
   Contact your Blue Coat representative for more information about getting a valid BCWF license.
4. Select the check box next to each category to enforce a policy action on that category. When you select a category, it automatically displays in the Selected Category Rule Base pane with a policy action the opposite of the Default Action category.
5. Repeat the preceding steps for the local and policy categories. If you have no policy categories defined, see "Managing Policy Categories". If you do not wish to configure or change your policy categories, skip the next section and continue with "Configuring System and Default Policy Actions" on page 149.
6. Apply policy actions to users and groups as discussed in "Configuring Users and Groups".

Configuring Users and Groups


Every category can have multiple policy actions that are customized for users and groups. You can, for example, enable IT administrators to access Web sites categorized as Software Downloads but prohibit any other users from accessing those same sites. In addition, you can apply the same types of restrictions to individual users.

You must specify users and groups exactly as they are specified in your authentication repository. For example, a typical Windows group name is domain\name, such as BLUECOAT\IT-Administrators. If you have ProxyClients configured currently, you can see how they are identified by logging in to the Client Manager's Management Console and clicking Statistics > ProxyClient > Details.

See one of the following sections for more information:

"ProxyClient Web Filtering and Proxy Servers"
"Prerequisites for Configuration Users and Groups" on page 144
"Procedure for Configuring Users and Groups" on page 145

ProxyClient Web Filtering and Proxy Servers


Integrated Windows Authentication (IWA) is supported for proxy servers. If your proxy server uses IWA authentication, or if it uses no authentication, clients can communicate with the Client Manager and can perform Web filtering. IWA authentication to the proxy server is transparent to ProxyClient users. If a proxy server is required for Internet access, the IWA credentials are used to contact the WebPulse cloud service to get a rating for a URL request made from the ProxyClient computer. If the proxy server uses another type of authentication (such as Basic authentication), the ProxyClient will not communicate with the Client Manager, and WebPulse will be unavailable (that is, the configured Unavailable policy action is applied).

Prerequisites for Configuration Users and Groups


Before continuing, make sure you have completed all of the following tasks:

"Enabling ProxyClient Web Filtering" on page 136
"Selecting Categories" on page 143

Note: Users and groups for ProxyClient Web filtering are validated against the user's cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects.


Procedure for Configuring Users and Groups


This section discusses how to configure users and groups for ProxyClient Web filtering. Before continuing, make sure you understand all of the following:

"About ProxyClient Web Filtering" on page 19
"Options for Enabling Blue Coat Web Filtering" on page 129
"ProxyClient Web Filtering and Proxy Servers" on page 144
"Prerequisites for Configuration Users and Groups" on page 144

To configure users and groups for ProxyClient Web filtering:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. On the Policy tab page, in the All Categories pane, select the check box corresponding to each category for which you will configure users and groups. When you select a category, the category name displays in the Selected Category Rule Base pane. The policy action is initially the opposite of Default Action. The Selected Category Rule Base pane initially displays the category with an associated policy action.

4. In the Selected Category Rule Base pane, you have the following options:

Action: Assign a policy action to everyone (that is, all users, all groups)
Description: From the Action list, click the policy action to apply. For more information about policy actions, see Table 82.

Action: Change the name of a user or group
Description: Click the field with the name you wish to change and enter a new name.

Action: Change the order of users and groups in the rulebase
Description: "Ordering Categories in the Rulebase" on page 150

Action: Add a user or group
Description:
1. Click (add user-group rule).
2. In the provided field, enter the name of the user or group to which to apply the policy action in any of the following formats:
Fully qualified account names (for example, domain_name\user_name). Blue Coat recommends you do not use isolated names (for example, user_name).
Fully qualified DNS names (for example, example.example.com\user_name)
User principal names (UPN) (for example, someone@example.com).
If the user or group has been used before, click its name from the list.
3. From the Action list, click the appropriate policy action. For more information about policy actions, see Table 82.
4. Press Enter.

Action: Delete a user or group
Description: Click the name of the user or group to delete and click (delete user-group rule).

Table 82 has more information about policy actions.


Table 82 ProxyClient Web filtering policy actions

Policy action: Allow
Meaning: The request goes to its destination. An access log entry occurs for URL tracking and analyzing Web use (if the value of Log Exceptions Only on the Configuration > ProxyClient > Web Filtering > Log tab page is set to All).

Policy action: Block
Meaning: The blocked category exception page displays and the URL request is blocked. The exception is logged.

Policy action: Warn
Meaning: A warning exception displays. The user must click an acceptance link, which represents an acknowledgment that the content request might violate corporate Web use policy. If the user clicks the acceptance link, the request goes to its destination. The exception is logged.
Note: If a user clicks the acceptance link the requested Web site will be accessible for 15 minutes. The accessibility time period is not currently configurable.


5. At the bottom of the browser window, click Apply.

See Also
"Getting Started With Categories" on page 141

Managing Policy Categories


This section discusses how to add or edit policy categories. If an administrator has already configured policy categories using VPM, you can add, edit, delete, or edit URLs in any configured category. If you do not already have policy categories, you can add them. For more information about using VPM to add categories, see the Visual Policy Manager Reference.

Prerequisites:

"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141

To add, edit, delete, or edit URLs in policy categories:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. Near the bottom of the All Categories pane, click Edit Categories. The Edit Categories dialog displays the currently configured category nodes (for example, Policy, Local, Blue Coat, and System).
Note: You can manage only the Policy categories. With the exception of local categories (that come from the local database, if it is configured), the other categories cannot be changed.
4. In the Edit Categories dialog, expand Policy.
5. You have the following options:

Task: Add a policy category
Procedure:
1. Click Policy.
2. Click Add.
3. In the Object Name dialog, enter a name for the policy category.
4. Click OK.
5. Add URLs to the category as discussed later in this table.

Task: Rename a policy category
Procedure:
1. Click the name of the category.
2. Click Rename.
3. In the Edit Locally defined category Object dialog, enter a new name for the policy category.
4. Click OK.
5. Optionally add URLs to the category as discussed later in this table.

Task: Delete a policy category
Procedure:
1. Click the name of the category.
2. Click Remove. You are required to confirm the deletion.

Task: Edit the list of URLs in a policy category
Procedure:
1. Click the name of the category in which you want to edit the list of URLs.
Note: You cannot add URLs to the Policy node. You must first create a category under that node as discussed earlier in this table.
2. Click Edit URLs.
3. In the Edit Locally defined category Object dialog, enter or edit the list of URLs, one URL per line.
4. Click OK.

6. In the Edit Categories dialog, click OK.

See Also
"Configuring Users and Groups" on page 144


Configuring System and Default Policy Actions


This section discusses how to configure policy actions for the following categories:

Category: System
Description: The System node contains the following categories, which cannot be edited or deleted:

none, a category for Web sites that are not rated in any available categories and for which the WebPulse could not determine a rating. Available categories mean BCWF database categories, local database categories (if enabled), and policy categories (if configured).
Many Web sites generate more than one URL request so it is possible that an allowed Web site might create other URL requests that are categorized differently, or are categorized as none. For example, images and advertisements displayed on an allowed Web site are individually classified based on their URLs. Even if you allow users to access that Web site, each of the ads and images on the site can be blocked based on each URL's categorization.

unavailable, a category that is used if all of the following are true of a particular URL request:
When WebPulse cannot be reached
When there is no match either in the local database (if enabled) or policy categories (if configured)

Category: Default Action
Description: The policy action for the Default Action category is used if a URL request is not classified into any of the categories in the Category Rulebase section. Use caution before setting the policy action of the Default Action category to block. If Default Action is set to block, any URL that is not in a category that you specifically allow will be blocked.

Prerequisites:

"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143

To configure the System categories and the Default Action:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. In the All Categories pane, expand System.
4. Select the check box next to the none or unavailable categories.
The following table discusses the meanings of policy actions for these categories.

System category: none
Policy action description: Set the policy action for Web sites that could not be categorized by the service point.

System category: unavailable
Policy action description: Set the policy action for Web sites for which the ProxyClient could not reach WebPulse to determine a categorization. Typical reasons include local connectivity issues (for example, a personal firewall blocking the traffic or a machine that has no IP address).

5. When you are satisfied with your policy configuration, select the Enable Web Filtering check box.
6. Click Apply.
7. In the Selected Category Rulebase pane, from the Default Action list, click a policy action.
8. Click Apply.
9. Continue with "Ordering Categories in the Rulebase".

Ordering Categories in the Rulebase


After you have added categories to the rulebase and selected policy actions for each, you must consider how the categories are ordered. Many URLs are classified in more than one category, which results in a conflict. In the case of a conflict between policy actions, the policy action associated with the first rulebase match is applied. For example, suppose the same URL (www.example.com/news) is listed in two categories. One category has a policy action of allow and the other category has a policy action of block. In the table that follows, www.example.com/news is in both the Blogs/Personal Pages and News/Media categories. The following table shows how the conflict is resolved.


Rulebase configuration: [figure]
Policy action: Because News/Media is first in the rulebase and its policy action is block, www.example.com/news is blocked except for users in the BLUECOAT\Managers group, for which it is allowed.

Rulebase configuration: [figure]
Policy action: Because Blogs/Personal Pages is first in the rulebase and its policy action is allow, www.example.com/news is allowed except for users in the BLUECOAT\Users group, for which it is blocked.

Note: If the user is in an office location with ProxyClient Web filtering disabled, a branch ProxySG performs Web filtering. For more information about configuring a branch ProxySG to perform Web filtering, see TBD.

Blue Coat recommends you order Web filtering rules in the category rulebase as follows:
1. Whitelist overrides (that is, local database and policy categories you always want to allow)
2. Blacklist overrides (that is, local database and policy categories you always want to block)
3. All other categories with policy action set to block
4. All other categories with policy action set to warn
5. All other categories with policy action set to allow


Prerequisites:

"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143
"Configuring System and Default Policy Actions" on page 149

To order categories in the category rulebase:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy.
3. In the Selected Category Rule Base pane, click the name of a category to move.
4. Click one of the following buttons:

Table 83 ProxyClient Web filtering category ordering buttons

Button: [icon]
Meaning: Move the selected category up one position in the rulebase hierarchy. Use this button to move a more restrictive category and action before a less restrictive category and action.

Button: [icon]
Meaning: Move the selected category down one position in the rulebase hierarchy. Use this button to move a more general category and action after a more restrictive category and action.

Button: [icon]
Meaning: Move the selected category and action to the top of the rulebase hierarchy. Use this button to move a very specific category and action to the top of the rulebase.

Button: [icon]
Meaning: Move the selected category and action to the bottom of the rulebase hierarchy.

The rulebase hierarchy is the structure of categories, users, and groups in the rulebase. If you click the name of a category, you can reorder the category (including its users and groups) among the other categories. If you click the name of a user or group, you can reorder that user or group among the other users and groups in that category only.


The buttons shown in Table 83 enable you to move users, groups, or categories in the hierarchy. An example is shown in the following figure.

To move users and groups under Blogs/Personal Pages, click the name of a user or group and click one of the buttons shown in Table 83. To move the entire category, click the name of the category and click one of the buttons shown in Table 83. Because the Brokerage/Trading category has no users or groups, you can order it among the other categories only.

5. Continue with "Configuring Other Web Filtering Options". If you have already configured options for license expiration, HTTPS filtering, and safe search, continue with one of the following sections:
"Web Filtering Best Practices" on page 155
"Displaying and Customizing Web Filtering Exception Pages" on page 157
"Enabling Web Filtering Logging" on page 159

Configuring Other Web Filtering Options


This section discusses how to configure the following options:

On license expiration, which sets the behavior of ProxyClient Web filtering in the event the BCWF license expires on the Client Manager
HTTPS filtering, which determines whether or not Web filtering policy actions are applied to HTTPS content
Safe search, which determines whether or not ProxyClient users are required to use safe search with supported search engines.

Prerequisites:

"Options for Enabling Blue Coat Web Filtering" on page 129
"Enabling the Use of the Local Database (Optional)" on page 133
"Enabling ProxyClient Web Filtering" on page 136
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143
"Configuring System and Default Policy Actions" on page 149

To configure other Web filtering options:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Policy. The options discussed in this section are in the General Settings section of the Policy tab page.

3. Enter or edit the following information:

Option: On expiration list
Description: Select the action to take if the BCWF license expires (usually because the database has not been updated in a 30-day period):
Allow All: Users are allowed to browse anywhere; in other words, content is not filtered. Select this option if user Web access is more critical than filtering or security.
Block All: Users are not allowed to browse to any Web page. A Service Unavailable exception displays in the user's Web browser. Select this option if security is your primary concern.

Option: Enforce safe search check box
Description: Select this check box to force a search engine that supports Safe Search to enable its strictest search filter; however, the quality of the filtering is based on the search engine's built-in capabilities. The same search string entered on one search engine might yield different results when entered on another search engine (including returning varying levels of inappropriate content). Safe Search is supported on the following search engines: Google, A9, Altavista, Microsoft Bing, Yahoo, Ask, and Orange.co.uk. With safe search enabled, the search engine Web page displays Safe Search ON, Family Filter On, Safe Search Strict, or another engine-specific string. Clear this check box if you do not wish to enforce Safe Search.

Option: Enable HTTPS filtering check box
Description: Select this check box to use Web filtering when the content request is sent over an SSL connection using the default port 443. For exceptions to this behavior, see the ProxyClient Release Notes. Clear this check box to not filter HTTPS traffic if certain browsers are used.

See Also
"About ProxyClient Web Filtering" on page 19
"Web Filtering Best Practices" on page 155
"Displaying and Customizing Web Filtering Exception Pages" on page 157
"Enabling Web Filtering Logging" on page 159
"Configuring ProxyClient Web Filtering (CLI)" on page 165

Web Filtering Best Practices


Blue Coat recommends the following best practices when configuring ProxyClient Web filtering:

Set the policy action for the System > unavailable category to Block. This prevents any possibility of Internet access in the event Internet access (specifically, access to WebPulse) is temporarily prevented because a personal firewall blocks the ProxyClient service, a temporary network outage occurs, or users attempt to disable or stop the ProxyClient service. Any of these might result in WebPulse appearing to be unavailable for a period of time.

Some software update sites will be blocked if the Business/Economy category is set to Block or Warn. For example, Java updates would fail because the Java update site is rated as Business/Economy. Either allow the Business/Economy category or add the software update Web sites to a custom category (using either the local database or VPM), set its policy action to Allow, and order the rule before the Business/Economy category.

Because a particular URL might be listed in more than one category, policy action conflicts can occur.

In the case of a conflict between policy actions, the policy action associated with the first rulebase match is applied. For example, suppose the same URL (www.example.com/news) is listed in two categories. One category has a policy action of allow and the other category has a policy action of block.


In the table that follows, www.example.com/news is in both the Blogs/Personal Pages and News/Media categories. The following table shows how the conflict is resolved.

Rulebase configuration: [figure]
Policy action: Because News/Media is first in the rulebase and its policy action is block, www.example.com/news is blocked except for users in the BLUECOAT\Managers group, for which it is allowed.

Rulebase configuration: [figure]
Policy action: Because Blogs/Personal Pages is first in the rulebase and its policy action is allow, www.example.com/news is allowed except for users in the BLUECOAT\Users group, for which it is blocked.

Note: If the user is in an office location with ProxyClient Web filtering disabled, a branch ProxySG performs Web filtering. For more information about configuring a branch ProxySG to perform Web filtering, see TBD.

Blue Coat recommends you order Web filtering rules in the category rulebase as follows:
1. Whitelist overrides (that is, local database and policy categories you always want to allow)
2. Blacklist overrides (that is, local database and policy categories you always want to block)
3. All other categories with policy action set to block
4. All other categories with policy action set to warn
5. All other categories with policy action set to allow
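
The first-match behavior and the recommended ordering described in "Ordering Categories in the Rulebase" and in the best practices above can be modelled as follows. This Python model is an added example, not ProxyClient or Blue Coat code; the CategoryRule class, the function names, the user name, the Software Updates category name, and the top-to-bottom matching of user and group rules inside a category are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CategoryRule:
    category: str
    action: str                  # action for everyone: "allow", "block" or "warn"
    source: str = "bcwf"         # "bcwf", "local" or "policy" (origin of the category)
    principals: list = field(default_factory=list)  # ordered (user_or_group, action) pairs


def evaluate(rulebase, url_categories, user, groups, default_action="allow"):
    """Return (action, matched_category) for one URL request.

    The first category in rulebase order that the URL belongs to decides the
    outcome. Inside it, the first user or group rule naming the requester wins
    (assumed top to bottom); otherwise the category's own action applies.
    Names are compared exactly, because the guide requires them to be entered
    exactly as they appear in the authentication repository.
    """
    identities = {user, *groups}
    for rule in rulebase:
        if rule.category not in url_categories:
            continue
        for name, action in rule.principals:
            if name in identities:
                return action, rule.category
        return rule.action, rule.category
    return default_action, None  # no selected category matched: Default Action


def _rank(rule):
    """Position of a rule in the recommended ordering (lower comes first)."""
    override = rule.source in ("local", "policy")
    if override and rule.action == "allow":
        return 0                 # whitelist overrides
    if override and rule.action == "block":
        return 1                 # blacklist overrides
    return {"block": 2, "warn": 3, "allow": 4}[rule.action]


def ordering_findings(rulebase):
    """List adjacent rules that are out of the recommended order."""
    findings = []
    for earlier, later in zip(rulebase, rulebase[1:]):
        if _rank(earlier) > _rank(later):
            findings.append(
                f"{later.category} ({later.action}) should precede "
                f"{earlier.category} ({earlier.action})"
            )
    return findings


# www.example.com/news is rated in both categories, as in the guide's example.
URL_CATEGORIES = {"News/Media", "Blogs/Personal Pages"}

# Constructed rulebases matching the two configurations the text describes.
CONFIG_A = [
    CategoryRule("News/Media", "block", principals=[("BLUECOAT\\Managers", "allow")]),
    CategoryRule("Blogs/Personal Pages", "allow"),
]
CONFIG_B = [
    CategoryRule("Blogs/Personal Pages", "allow", principals=[("BLUECOAT\\Users", "block")]),
    CategoryRule("News/Media", "block"),
]
# Software update sites placed in a custom policy category (hypothetical name)
# that is ordered before Business/Economy, as the best practice suggests.
CONFIG_C = [
    CategoryRule("Software Updates", "allow", source="policy"),
    CategoryRule("Business/Economy", "block"),
]

if __name__ == "__main__":
    for label, config in (("A", CONFIG_A), ("B", CONFIG_B)):
        for group in ("BLUECOAT\\Users", "BLUECOAT\\Managers"):
            result = evaluate(config, URL_CATEGORIES, "BLUECOAT\\jdoe", {group})
            print(label, group, result)
        print(label, "ordering findings:", ordering_findings(config))
```

The second configuration produces an ordering finding because an allow category sits ahead of a block category; the first and third follow the recommended order.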


See Also
"Getting Started With Categories" on page 141
"Selecting Categories" on page 143

Displaying and Customizing Web Filtering Exception Pages


An exception page is an HTML message that displays in a user's Web browser when a content request triggers a policy action. You have the option of editing the default exception pages to provide more detail about why the category is blocked.
Note: The behavior of exception pages when the user is browsing HTTPS content when HTTPS filtering is enabled is as follows:

Some Web browsers: The exception page displays in the same browser window as the request.
All other Web browsers: The exception page displays in a new browser window.

For up-to-date information about Web browsers and their behavior with HTTPS filtering, see the ProxyClient Release Notes.
To enable HTTPS filtering, in the Client Manager's Management Console, click Configuration > ProxyClient > Web Filtering > Policy, and select the Enable HTTPS Filtering check box. Click Help for more information.

For more information, see:

Blue Coat provides default exception pages for the following occurrences:

Blocked content: When a user requests content that violates (matched by category) enterprise Web use policy, the following message displays in the Web browser:
Your request was denied because of its content categorization:
Category: offending_category_name
URL: requested_URL

Warn: When a user requests content that might violate enterprise Web use policy (for example, you chose a policy action of Warn for the Search Engine/Portals category, and you want to coach a user regarding Web use policies), the following message appears in the browser:
It may violate company policy to visit this site.
Category: Search Engine/Portals
URL: www.google.com
Click here to continue anyway.

The last line, available only (by default) on the Warn exception page, is a link that users click to acknowledge the warning and proceed with the content request. If they elect to opt out of this request, they must navigate to another page, click the Back button on the browser, or exit the browser.


Unavailable rating service: If a user requests a URL that is not already categorized, and ProxyClient cannot connect to WebPulse, the following message displays in the browser:
The Blue Coat Web Filter Service point could not be reached. This may be due to a networking error.

Users are not allowed to retrieve Web content until a rating service is reached (unless the System > unavailable category is set to Allow). Typical reasons why WebPulse might be unreachable include local connectivity issues (for example, a personal firewall blocking the traffic or a computer with no IP address). If you decide to change or add to the default text, each exception page is customizable using the Management Console or the command line.
To customize exception pages:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Exceptions.
3. Customize exception pages:
a. From the Exception page for list, select a page to customize:
Block: Display text when a user browses to content blocked by policy.
Warn: Display text to inform users that the content they are requesting might violate Web use policy. Users must click a link to acknowledge this warning before receiving the content.
Unavailable: Display text when WebPulse is not reachable.


b. Customize the Web page header and body text. The Substitution Variables field provides variables you can insert to display content information:
url: Displays the requested URL.
cs-categories: A full list of all category ratings assigned to the Web site. Many Web sites have more than one rating.
cs-categories-exception: The category that caused the exception (the first one matched in the rulebase).
override-url: Applies to the Warn exception page only. This is used if you change the Continue anyway link to something else, such as a button. It will be substituted with the URL that must be pulled through an HTML request to visit the page that was blocked by the exception.

To add a variable to the custom message, insert the cursor in the HTML code where you want the variable to be, select a variable, and click Insert. You can add as many variables as you want.
c. Click Apply.

Enabling Web Filtering Logging


This section discusses Web filtering logging in the following sections:

"About Web Filtering Logging"
"How to Enable Web Filtering Logging" on page 160
"Configuring Clients That Require a Proxy to FTP Logs" on page 163
"Interpreting the Log Files" on page 163

About Web Filtering Logging


Analyzing user Web browsing activity allows you to better customize your content filter policies and to verify that your users are abiding by company policies. You can configure the ProxyClient to upload user Web browsing activity logs to an anonymous FTP server at regular time intervals or when the local log file reaches a specified size. Connections occur only when the client system has access to the specified FTP server, which is typically when the user connects to the corporate network.


Note: Because log files are uploaded using anonymous FTP, Blue Coat strongly recommends you put your FTP server behind the corporate firewall. In addition, configure the FTP server as follows:

To prevent the possibility of data loss, do not allow file overwrites.
For security reasons, do not allow files on the FTP server's upload directory to be browsed.
The FTP server must support passive FTP clients. Active FTP is not supported (in other words, log uploads will fail).
If the FTP server is deployed behind a firewall, the firewall must be configured to allow FTP data connections over TCP ports greater than 1024.

Placing an FTP server outside the firewall has the advantage that even mobile users can upload log files to it; however, it exposes the server and your company to potentially serious malicious activity.

How to Enable Web Filtering Logging


This section discusses how to enable Web filtering logging. You need to know the name of the anonymous FTP server to which to upload files and the directory to which to write the files. You can also configure automatic upload options based on configurable thresholds. If the user exceeds either of the following configurable thresholds, log updates occur as soon as possible:

Length of time since the last upload
Size, in MB, of the current log file

To enable logging and configure logging options:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > Web Filtering > Log. The Log tab displays.


3. Select the Enable Logging check box.
4. Click one of the following logging options:

Option: Log All
Description: Log all Web browsing activity.

Option: Log Exceptions Only
Description: Add a log entry only when a policy exception occurs (blocks, warnings, and rating service unavailability).

5. In the FTP Server Connection section, enter or edit the following information:

Option: Settings for list
Description: Click the type of host you are configuring:
Primary FTP Server
Alternate FTP Server

Option: Hosts field
Description: Enter the FTP server's fully-qualified domain name or IP address. Do not precede the name with ftp:// or uploads will fail.

Option: Port field
Description: Enter the FTP server's listen port. The default is port 21. Make sure your firewall allows FTP traffic through this port, and change the port from the default only if your firewall and FTP server are configured accordingly.

Option: Path field
Description: Enter the relative path on the server to write the log files. You can optionally precede the relative path with the / character; uploads will succeed whether or not the first character is /. Examples:
/path/to/log/directory
path/to/log/directory
To upload logs to the FTP server's home directory, leave the field blank.
Note: Entering / in the field (with no path following the / character) causes uploads to fail.

6. Choose options that determine when files are uploaded from the ProxyClient computer to the FTP server. You can choose either a time interval or the total size, in MB, the current log file occupies on the client computer. If a mobile or offsite user is away from the network for an extended period of time and the threshold values are exceeded, an upload occurs as soon as possible. Enter or edit the following information:

Option: Upload periodically every
Description:
Hours field: Enter the maximum number of hours to wait before attempting to upload logs from the ProxyClient computer to the FTP server.
Minutes field: Enter the maximum number of minutes to wait before attempting to upload logs from the ProxyClient computer to the FTP server.
Note: If you enter a non-zero value for both Hours and Minutes, the total amount of time is used. For example, if you enter 24 Hours and 10 Minutes, the client waits 24 hours and 10 minutes to upload log files.

Option: Start an early upload if log reaches
Description: Enter the minimum log file size, in megabytes, to trigger a log file upload. This value takes precedence over the value you entered in the preceding field. In other words, if you specify 24 hours in the preceding field and 10 megabytes in this field, if the current log file reaches 10 megabytes after only 10 hours, the ProxyClient attempts to upload its log files to the FTP server.

7. Click Apply.
8. Continue with "Configuring Clients That Require a Proxy to FTP Logs".


Note: Make sure the system clock of all ProxyClient computers is synchronized with the Client Manager's clock. (You can do this by configuring them to use the same time standard, such as NTP.) Failure to do so will result in inaccurate log upload times and log ages.

Configuring Clients That Require a Proxy to FTP Logs


If the ProxyClient requires a proxy server to upload Web filter log files, first make sure the proxy server is an FTP proxy and not a proxy that accepts HTTP requests and outputs them as FTP. In addition, you must perform the following tasks on the ProxyClient computer:
1.
2. Start Internet Explorer.
3. Click Tools > Internet Options.
4. Click the Connections tab.
5. On the Connections tab page, click LAN Settings.
6. Verify any of the following:
On the LAN Settings dialog, if the Use a proxy server for your LAN check box is selected, make sure the address of the proxy server is an FTP proxy.
If the check box is clear, click Advanced. In the Proxy Settings dialog, make sure the proxy server's address and port are listed in the fields next to FTP. If not, you must enter the address and port number of an FTP server in these fields.
7. Follow the prompts on your screen to accept the settings.

Interpreting the Log Files


The log file starts similarly to the following:
#Software:ProxyClient 3.2.1.1
#Version:1.0
#Fields: date time c-ip c-username x-cs-auth-domain c-computername x-exception-id cs-categories cs-categories-exception cs(Referer) cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) r-ip

The following table defines the fields used in the log:


Field                     Description
date                      Date stamp in Universal Time Code (UTC) format.
time                      Time stamp.
c-ip                      Client's IP address.
c-username                Client's login user name.
x-cs-auth-domain          Client's domain name (if available).
c-computername            Client's computer name.
x-exception-id            One of the following: - if the content is allowed; content_filter_warned if the policy action is warn; content_filter_denied if the policy action is block.
cs-categories             Semi-colon-delimited categories for the content request.
cs-categories-exception   The first category match; in other words, the category on which the policy action shown by x-exception-id is based.
cs(Referer)               Referring URL, if any.
cs-method                 The method used in the content request (for example, GET).
cs-uri-scheme             The URI's scheme (http or https).
cs-host                   The host portion of the URI.
cs-uri-port               The port used to access the URI.
cs-uri-path               The path relative to cs-host. If cs-uri-scheme is https, this field is blank.
cs-uri-query              Query string, if any. If cs-uri-scheme is https, this field is blank.
cs-uri-extension          File extension of the object.
cs(User-Agent)            Information about the Web browser that requested the object.
r-ip                      Web server's public IP address.

Following is a sample log entry showing that content was blocked:


2008-07-31 17:51:17 - joe.jones USA-TX-Austin LT-JOEJONES content_filter_denied "Vehicles" "Vehicles" - GET http www.mazdausa.com 80 / - - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) 129.33.107.81

In the preceding example, user joe.jones requested content from http://www.mazdausa.com and the content was blocked. The content was categorized as Vehicles, was requested by Internet Explorer 7, and was delivered from a Web server with public IP address 129.33.107.81.
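The field layout above can be applied mechanically when reviewing uploaded logs. The following Python sketch is an added example, not Blue Coat code: it reads the #Fields header, splits each entry into named fields, and lists the requests that were warned or blocked. The function names are hypothetical, the second sample entry is constructed, and it assumes cs(User-Agent) is the only field that contains unquoted spaces, as in the sample entry.

```python
import re

# Constructed sample: the header and blocked entry shown in this guide (field
# separators restored), plus one constructed entry for an allowed request.
SAMPLE_LOG = """\
#Software:ProxyClient 3.2.1.1
#Version:1.0
#Fields: date time c-ip c-username x-cs-auth-domain c-computername x-exception-id cs-categories cs-categories-exception cs(Referer) cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) r-ip
2008-07-31 17:51:17 - joe.jones USA-TX-Austin LT-JOEJONES content_filter_denied "Vehicles" "Vehicles" - GET http www.mazdausa.com 80 / - - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) 129.33.107.81
2008-07-31 17:52:03 - joe.jones USA-TX-Austin LT-JOEJONES - "Search Engines/Portals" "Search Engines/Portals" - GET http www.example.com 80 / - - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) 192.0.2.10
"""

# A token is a double-quoted string (quotes dropped) or a run of non-blanks.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# x-exception-id values from the field table, mapped to the policy action.
ACTIONS = {
    "-": "allow",
    "content_filter_warned": "warn",
    "content_filter_denied": "block",
}

# Assumption: only the browser string carries unquoted spaces.
GREEDY_FIELD = "cs(User-Agent)"


def tokenize(line):
    """Split a log entry on whitespace, keeping quoted values together."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def parse_entry(fields, line):
    """Map one entry onto the field names taken from the #Fields header."""
    tokens = tokenize(line)
    if len(tokens) < len(fields):
        raise ValueError("entry has fewer values than the #Fields header")
    if len(tokens) > len(fields):
        if GREEDY_FIELD not in fields:
            raise ValueError("entry has more values than the #Fields header")
        # Fields left of the browser string are counted from the start and
        # fields right of it from the end; everything between is the browser.
        start = fields.index(GREEDY_FIELD)
        end = len(tokens) - (len(fields) - start - 1)
        tokens = tokens[:start] + [" ".join(tokens[start:end])] + tokens[end:]
    return dict(zip(fields, tokens))


def parse_log(text):
    """Parse a whole log file; the #Fields line defines the column order."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: entry before #Fields header")
        records.append(parse_entry(fields, line))
    return records


def policy_action(record):
    """Translate x-exception-id into allow, warn or block."""
    return ACTIONS.get(record["x-exception-id"], "unknown")


def flagged(records):
    """Summarize every request that was warned or blocked."""
    out = []
    for r in records:
        action = policy_action(r)
        if action == "allow":
            continue
        out.append({
            "when": f'{r["date"]} {r["time"]}',
            "user": r["c-username"],
            "computer": r["c-computername"],
            "action": action,
            "category": r["cs-categories-exception"],
            "url": f'{r["cs-uri-scheme"]}://{r["cs-host"]}:{r["cs-uri-port"]}{r["cs-uri-path"]}',
        })
    return out


if __name__ == "__main__":
    for hit in flagged(parse_log(SAMPLE_LOG)):
        print(hit)
```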


Configuring ProxyClient Web Filtering (CLI)


To configure ProxyClient Web Filtering settings:

1. At the #(config) command prompt, enter proxy-client.
2. At the #(config proxy-client) command prompt, enter web-filtering.
3. Configure Web filtering settings:
#(config proxy-client web-filtering) disable
#(config proxy-client web-filtering) enable
#(config proxy-client web-filtering) default-action {allow | block}
#(config proxy-client web-filtering) {allow category_name | block category_name | warn category_name}
#(config proxy-client web-filtering) {promote category_name | demote category_name}
#(config proxy-client web-filtering) {promote-to-top category_name | demote-to-bottom category_name}
#(config proxy-client web-filtering) failure-mode {open | closed}
#(config proxy-client web-filtering) safe-search {disable | enable}
#(config proxy-client web-filtering) https-filtering {disable | enable}
#(config proxy-client web-filtering) user-group-rules category_name
#(config proxy-client web-filtering category_name) {allow user_group_name | block user_group_name | warn user_group_name}
#(config proxy-client web-filtering category_name) {promote user_group_name | demote user_group_name}
#(config proxy-client web-filtering category_name) {promote-to-top user_group_name | demote-to-bottom user_group_name}
#(config proxy-client web-filtering category_name) clear user_group_name
#(config proxy-client web-filtering category_name) exit
#(config proxy-client web-filtering category_name) view
#(config proxy-client web-filtering) inline exception {block | allow | warn} data end-of-file-marker
#(config proxy-client web-filtering) log
#(config proxy-client web-filtering log) {disable | enable}
#(config proxy-client web-filtering log) early-update megabytes
#(config proxy-client web-filtering log) periodic-upload upload-interval hours [minutes]
#(config proxy-client web-filtering log) ftp-client {alternate | primary} host hostname port
#(config proxy-client web-filtering log) mode {all-requests | exceptions-only}

#(config proxy-client web-filtering) view

Troubleshooting ProxyClient Web Filtering


This section discusses the following topics related to diagnosing and resolving issues with ProxyClient Web filtering:

"Overview of Web Filtering Troubleshooting"
"More Information About Web Filtering Troubleshooting" on page 167
"Getting Detailed Diagnostics" on page 170
"Using the ProxyClient Web Browser for Troubleshooting" on page 213

For more troubleshooting information, see one of the following sections:

"Troubleshooting ProxyClient Installation and Operation" on page 214
"Troubleshooting ProxyClient Acceleration" on page 115
"Other ProxyClient Troubleshooting Tools" on page 224

Overview of Web Filtering Troubleshooting


The ProxyClient Web browser window and the Client Manager's Statistics > ProxyClient > Details tab pages assist you with troubleshooting Web filtering issues clients might be experiencing. The following sections provide a brief overview of how you can use these tools:

"Getting Web Filtering Status from the Web Browser Window" on page 166
"Using the Client Manager for Acceleration Troubleshooting" on page 118

Getting Web Filtering Status from the Web Browser Window


The ProxyClient Web browser window indicates the current status of Web filtering as follows:
Status: Running

Figure 8-1  ProxyClient Web browser window showing Web filtering is running

If Web filtering is enabled and running, Running displays in the Filtering Statistics section heading and the statistics increment as the user browses the Web.

Note: In Figure 8-1, only Web filtering is enabled. If acceleration is also enabled, the Status tab page also displays the Acceleration Statistics section as shown in Figure 7-1 on page 116.

The following table lists the meanings of other status messages for Web filtering:

Status message: Disabled due to Location
Meaning: Web filtering is disabled in the client's current location. For more information about locations, see Chapter 6: "Configuring ProxyClient Locations".

Status message: Delegated to a Blue Coat Security Gateway
Meaning: Web filtering auto-detection is being used so that a Web filtering ProxySG appliance is performing Web filtering for the client. For more information, see "Configuring Web Filtering Auto-Detection" on page 100.

Status message: Ratings service unavailable
Meaning: The service that Blue Coat Web filtering uses to get ratings for Web sites is not reachable. As a result, the policy action for the unavailable category is being used.

Status message: Not Available
Meaning: Status is not available because the ProxyClient cannot contact the Client Manager. See "Client Manager Communication Troubleshooting Suggestions" on page 215.

Status message: Unlicensed
Meaning: The Web filtering license on the Client Manager is invalid. To verify this is the case, log in to the Client Manager's Management Console as an administrator and click Configuration > ProxyClient > Web Filtering > Policy. If the message Web Filtering License: Invalid displays below the Enable Web Filtering check box, you know your license is invalid. Contact your Blue Coat representative or Blue Coat Support to resolve the issue.

Status message: Internal Service Error
Meaning: The Web filtering driver is missing or not functioning properly. See "Web Filtering Internal Service Error" on page 169.

For more detailed information, see "More Information About Web Filtering Troubleshooting" on page 167.

Using the Client Manager for Web Filtering Troubleshooting


The Client Manager's Statistics tab page has information you can use to assist you with troubleshooting Web filtering issues. For more information, see "Viewing ProxyClient Detail Statistics" on page 200.

More Information About Web Filtering Troubleshooting


The following sections provide methods to diagnose Web filtering issues reported by users:

"Why Are Users Receiving Blocked or Warn Messages For No Justifiable Reason?"
"ProxyClient Web Filtering Licensing" on page 169
"Disputing URL Categorizations For ProxyClient" on page 169
"Getting Detailed Diagnostics" on page 170

Why Are Users Receiving Blocked or Warn Messages For No Justifiable Reason?
The most common message you are likely to receive from your users is that ProxyClient is denying them access to a Web site that they feel does not violate Web-use policy. The first step is to understand why the page is blocked or warned:

The rating server returned a category that resulted in a block action. The exception page, admin log, and Most Recent Events list display the category that caused the block action.
The rating server did not return a category, and the none system category is configured with a block action.
WebPulse is not available, and the unavailable system category is associated with a block action. WebPulse might be unavailable because of networking and configuration issues. Also make sure personal firewall software on the ProxyClient computer is not blocking the ProxyClient service.
License expiration is fail closed and the Client Manager is not licensed for ProxyClient Web Filtering or does not have a current BCWF database. ProxyClient displays Not licensed as the Web Filtering status on the Status tab page.
Some images on requested pages do not display. This is most likely caused by subsequent requests on an allowed Web page falling into a blocked category. (For example, a section or portlet on an allowed Web page might contact a prohibited site for an advertisement.) Advise your users this is expected behavior.

More detailed information for most of these events can be retrieved by activating the Advanced Web Filtering Admin Log (see "Instructing Users to Perform Data Traces" on page 233).

Various actions to remedy unjustified block (and warn) actions are available, depending on the reason for the block action:

Add a URL to a custom category or local database that is associated with an allow action (that is, create a whitelist). Move this category above the category that is causing the block action. This causes the allow action to be processed first.
You also have the option to disagree with the rating decision made by BCWF and submit a request for categorization change. See "Disputing URL Categorizations For ProxyClient" on page 169.
Consider modifying the rule base, allowing the blocked category, allowing none or unavailable categories, or changing the unlicensed behavior to fail open. This option is valid if you are authorized to change the corporate compliant browsing policy.
Fix the license violation. See "ProxyClient Web Filtering Licensing" on page 169.

ProxyClient Web Filtering Licensing


If your users notify you that the application displays the Unlicensed message, the BCWF license is no longer valid or the URL database has not been refreshed in the last 30 days. On the Configuration > Content Filtering > Blue Coat > Blue Coat Web Filter tab page, verify your BCWF credentials.

Disputing URL Categorizations For ProxyClient


In the event users report they are blocked from accessing a normally allowable Web site, first make sure the problem is not caused by improper ordering of categories in the Web filter rulebase. This is particularly true if a single URL is listed in multiple categories. For more information, see "Web Filtering Best Practices" on page 155.

If BCWF is blocking access to the Web site and you disagree with the URL's categorization, Blue Coat enables you to submit a Web site for review, stating ProxyClient as the Web filter source.
To dispute a ProxyClient Web filter rating:

1. In your Web browser's address or location field, enter:

http://sitereview.bluecoat.com/sitereview.jsp

The Web Page Review Process page displays.
2. In the field, enter the URL to be reviewed and click Submit.
3. On the second Web Page Review Process page, select Blue Coat ProxyClient from the Filtering Service drop-down list.
4. From the first What category or categories does this site belong to? drop-down list, select the category you believe the site belongs to. You can optionally select a secondary category (for example, if your Web filtering policy allows one category, but not the other).
5. (Optional) Select Please send results of the Site Review via email if you want Blue Coat to notify you of the submission verdict.
6. In the Comments and Site Description field, enter a detailed message to Blue Coat site reviewers explaining your reason for this submission.
7. Click Submit.

Web Filtering Internal Service Error


This error displays on the ProxyClient Web browser window's Status tab page when the Web filtering driver does not load properly. (Another way to find the problem is using the Client Manager's Statistics tab page. Click Statistics > ProxyClient > Details > Client Details > Filtering tab page. If (disabled) displays in the Web Filter column for a location in which Web filtering is enabled, it is possible the user tampered with the Web filter driver. To confirm this might be the case, look for the Internal Service Error as discussed in the preceding paragraph.) A likely reason for the driver not loading is user tampering; for example, deleting or renaming the driver:
proxyclient-install-dir\drivers\proxyclientwebfilter.sys

Note: To prevent users from renaming or deleting ProxyClient drivers, configure an uninstall password as discussed in "Configure an uninstall password." on page 63.

To make sure it is not a configuration issue, in the ProxyClient Web browser window, click the Advanced tab and click Check for Configuration Updates Now. If that does not resolve the problem, view the Admin log or enable trace logging for Web filtering as discussed in "Performing Data Traces and Data Collection" on page 232. The Admin log displays the following messages to indicate the Web filtering driver did not load:
Failed to start web filter, error 4112
Error starting web filtering module: Internal Error
Error initializing web filtering driver: 4112. Please restart your computer. If you continue to experience this problem, contact your administrator.

Getting Detailed Diagnostics


If the information displayed on the ProxyClient Web browser window is not sufficient, get trace logs or run the ProxyClient Data Collection utility as discussed in "Performing Data Traces and Data Collection" on page 232.


Chapter 9: Distributing the ProxyClient Software

This chapter discusses the following topics:

"ProxyClient Software Distribution Prerequisites"
"Overview of Distributing the ProxyClient Software" on page 173
"Preparing Interactive Installations" on page 174
"Preparing Silent Installations and Uninstallations" on page 181
"Using Group Policy Object Distribution" on page 193

ProxyClient Software Distribution Prerequisites


Before continuing, make sure you have performed all of the following tasks:

Upgraded the ProxySG appliances in your network to versions compatible with the ProxyClient as discussed in "ProxyClient Compatibility with SGOS" on page 71.
Uploaded the current version of ProxyClient software to the Client Manager as discussed in "Uploading the ProxyClient .car File to the Client Manager" on page 87.

After completing these tasks, see one of the following sections:

"Overview of Distributing the ProxyClient Software"
"Preparing Interactive Installations" on page 174
"Preparing Silent Installations and Uninstallations" on page 181
"Using Group Policy Object Distribution" on page 193


Overview of Distributing the ProxyClient Software


Prerequisite: Before continuing, complete all of the tasks discussed in "ProxyClient Software Distribution Prerequisites" on page 173.

Administrators can make ProxyClient software available to users in any of the following ways:

Interactive installations started from:
   A command line on the user's machine
   The Client Manager
   For more information, see "Preparing Interactive Installations" on page 174
Silent installations
   For more information, see "Preparing Silent Installations and Uninstallations" on page 181
Windows Group Policy Object distribution
   For more information, see "Using Group Policy Object Distribution" on page 193
Windows System Center Configuration Manager (SCCM), previously referred to as Systems Management Server (SMS), distribution
   For more information about SCCM or SMS, consult the documentation provided with your SCCM or SMS server.

Note: For the user to run ProxyClientSetup.exe or ProxyClientSetup.msi, the user must be in the Administrators group on the client machine.

Important: Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.

Preparing Interactive Installations


This section discusses how to install the ProxyClient interactively; that is, so the user knows the software is being installed and can interact with the installation. To install the ProxyClient silently, see "Preparing Silent Installations and Uninstallations" on page 181.

Users can install the ProxyClient software either by downloading ProxyClientSetup.exe from the Client Manager, or manually by running ProxyClientSetup.msi from a command line, as shown in the following table:

Table 9-1  ProxyClient Installation Options

Option: Install from Client Manager
Description: Provide users the URL to ProxyClientSetup.exe, which displays on the Client Manager tab page when you click Configuration > ProxyClient > General > Client Software. ProxyClientSetup.exe downloads and runs ProxyClientSetup.msi on the client machine. Users see the installation in progress and have the option of canceling the installation. For more information about this installation method, see "Interactive Installations from the Client Manager" on page 175.

Option: Install from the command line
Description: To install ProxyClient using ProxyClientSetup.msi, users must first download it to the client machine, then execute it from the command line as discussed in "Interactive Manual Installations" on page 180.
Note: For a complete discussion of ProxyClientSetup.msi command-line parameters, see "Preparing Silent Installations and Uninstallations" on page 181.
Note: Users who run the ProxyClient setup application must be in the Administrators group on the client machine. Also, although it is possible for users to run the .msi, it is not recommended because the installation will fail unless the user provides parameters on the command line (for example, BCSI_UPDATEURL).

Interactive Installations from the Client Manager


To interactively install the ProxyClient software from the Client Manager, the user must be in the Administrators group on the client machine.
To enable users to run ProxyClientSetup.exe from the Client Manager:

Send users an e-mail with the URL to ProxyClientSetup.exe on the Client Manager. The URL displays on the ProxyClient > Client Manager > Client Manager tab page.
To install the ProxyClient using this method:

1. Get the URL or location from which you access ProxyClientSetup.exe.
2. Click the URL in an e-mail or enter it in your browser's address field.
3. ProxyClientSetup.exe starts the setup application, ProxyClientSetup.msi, that installs the ProxyClient software. The following dialog displays if you use Internet Explorer 7:


4. Click Run. The following dialog displays if your browser is Internet Explorer 7:

Note: The Security Warning dialog displays because ProxyClientSetup.exe is not signed. This is because ProxyClientSetup.exe is unique to each Client Manager, which in turn makes signing it by a recognized certificate authority difficult.

5. Click Run. The ProxyClient software download begins. During the download, a progress dialog similar to the following displays:

When the download completes, the InstallShield Wizard dialog displays.

6. Click Next.
7. The Destination Folder dialog allows you to determine the folder location to which ProxyClient is installed. Blue Coat recommends that you install to the default directory: c:\Program Files\Blue Coat\Proxy Client.
   To accept the default, click Next and proceed to Step 8.
   To install to a directory of your choosing, click Change. The Change Current Destination Folder dialog displays. Click the icons to navigate to a folder and click Ok.

8. When you are satisfied with your installation preparation decisions, click Install. The Installing Blue Coat ProxyClient wizard dialog displays.

When the installation is complete, a dialog displays if acceleration is enabled.

Click Yes to reboot the system immediately.
Click No to reboot the system at a later time. Select this option to save work before you reboot.

If only Web filtering is enabled, the following dialog displays.

9. After the machine reboots, verify the state of the ProxyClient as discussed in "ProxyClient Tray Icon States and Meanings" on page 222.

Interactive Manual Installations


This section discusses how to allow users to manually install the ProxyClient software.
To enable users to manually install the ProxyClient software:

Provide a location from which the user can download ProxyClientSetup.msi to the client machine; for example, provide the user the URL to the Client Manager.
Important: Do not rename ProxyClientSetup.msi; doing so causes future updates to fail. Do not edit ProxyConfig.xml on the client machine; instead, click Check for Updates Now on the Advanced tab page in the ProxyClient Web browser window to get updates from the Client Manager.

To install the ProxyClient using this method:

1. Download ProxyClientSetup.msi to a location on the local file system.
2. Perform either of the following:
   Select Start > Run, then enter the command shown in step 3.
   Open a DOS command prompt window and change to the directory to which you downloaded ProxyClientSetup.msi.
3. Enter the following command:


path\ProxyClientSetup.msi BCSI_UPDATEURL=url-to-config.xml

where path is the absolute file system path to ProxyClientSetup.msi (if necessary), and url-to-config.xml is the URL to ProxyConfig.xml on the Client Manager.

This URL displays when you select ProxyClient > Client Manager and click the Client Manager tab as discussed in "Designating a ProxySG as the Client Manager" on page 81. For example,

ProxyClientSetup.msi BCSI_UPDATEURL=http://mysg.example.com:8084/proxyclient/ProxyClientConfig.xml

Note: If the Client Manager is not available, the installation succeeds and the ProxyClient tries to contact the Client Manager every 10 minutes until the client gets a configuration. If Client Manager communication issues persist, see "Client Manager Communication Troubleshooting Suggestions" on page 215. Other command-line parameters are available. For a complete list, see "Preparing Silent Installations and Uninstallations" on page 181.

4. The installation proceeds as discussed in "Interactive Installations from the Client Manager" on page 175.
5. Verify the ProxyClient tray icon state as discussed in "ProxyClient Tray Icon States and Meanings" on page 222. If only Web filtering is enabled, you can verify the icon state immediately. If acceleration is enabled, you must reboot the computer first.

Preparing Silent Installations and Uninstallations


This section discusses how to silently install or uninstall the ProxyClient (that is, installations that users do not interact with). To install the ProxyClient interactively, see "Preparing Interactive Installations" on page 174.

This section includes the following topics:

"About Silent Web Filtering Installations"
"Parameters for Silent Installations" on page 183
"Command for Silent Uninstallations" on page 188
"Example Installations and Uninstallation" on page 189

Important: Do not rename ProxyClientSetup.msi; doing so causes future updates to fail. Do not edit ProxyClientConfig.xml on the client computer after it has been downloaded from the Client Manager. Instead, click Check for Updates Now on the Advanced tab page of the ProxyClient's Web browser window to get a configuration update.

For information about distributing the ProxyClient software using Group Policy Object, skip this section and see "Using Group Policy Object Distribution" on page 193.

About Silent Web Filtering Installations


Starting with ProxyClient version 3.2, the user's computer does not have to be rebooted if only Web filtering is enabled, and all policies during and after the installation or upgrade are preserved. In other words, if the Pornography category was blocked for the user before an upgrade to ProxyClient version 3.2, the Pornography category is blocked during and after the upgrade. This feature works automatically without any additional configuration.

During an upgrade to version 3.2, the user is required to close any open supported Web browser windows (for example, Internet Explorer and Firefox Safari). The exception is that if the ProxyClient tray icon and Start menu shortcut are hidden, no prompt displays.

The following table explains what happens after any of the following occurs:

Initial installation of ProxyClient version 3.2.
Upgrade to version 3.2 from an earlier version.
Upgrade from 3.2 to a later 3.2.x patch.

ProxyClient features enabled: Web filtering enabled, Acceleration disabled
Post-installation behavior: Web filtering continues to function as defined by policy; that is, categories that are blocked by policy remain blocked after the installation or upgrade. If the ProxyClient tray icon is visible, a message displays to indicate the operation was successful. If the ProxyClient tray icon is hidden, no message displays so the user is not aware the upgrade occurred. For more information about hiding the tray icon, see "Limiting ProxyClient Visibility and Interactivity" on page 190.

ProxyClient features enabled: Web filtering enabled, Acceleration enabled; or Web filtering disabled, Acceleration enabled
Post-installation behavior: If acceleration is enabled, the user must reboot their computer after an installation or upgrade, regardless of whether or not Web filtering is enabled. All existing connections are dropped during the installation or upgrade process and any new connections are accelerated after the computer is rebooted. If Web filtering is enabled, policies remain in effect during the upgrade process. The following applies to the ProxyClient tray icon:
   If the tray icon is visible, the user is prompted to reboot their computer after the installation or upgrade completes. The balloon message Disabled Until Reboot displays on the tray icon and in the Acceleration Statistics section on the Status tab page in the ProxyClient Web browser window.
   If the tray icon is not visible, no prompt displays; however, acceleration is disabled until the computer is rebooted.

Note: The only way to downgrade from ProxyClient version 3.2 to version 3.1 is to uninstall version 3.2 and install the earlier version. For more information, see "ProxyClient Compatibility with SGOS" on page 71.

Continue with "Parameters for Silent Installations".

Parameters for Silent Installations


The following table shows parameters to use with ProxyClientSetup.msi for silent installations. For examples, see "Example Installations and Uninstallation" on page 189.

Silent Installation Usage


ProxyClientSetup.msi [/qf | /qb | /qr | /qn] BCSI_UPDATEURL=url REINSTALL=ALL REINSTALLMODE=vamus [AUTOUPDATEPROHIBITED=0|1] [FORCEREBOOT={yes|no} | {y|n}] [REBOOTTIME=secs] [REGISTRYSETTINGS=settings] [NO_UI_SHORTCUT={0|1}] [/l*v logfile] [LOG_APPEND={0|1}]

Continue with any of the following sections:

"Silent Installation Parameters"
"Example Installations" on page 189
"Example Uninstallation" on page 190

Silent Installation Parameters


The following table shows the meanings of the parameters that can be used for silent installations; for examples, see "Example Installations and Uninstallation" on page 189:

Table 9-2  Parameters for Silent ProxyClient Installations

Parameter: /qf | /qb | /qr | /qn | /quiet
Description: Sets the user interface level (in other words, the extent to which the installer interface displays to the user).
   /qf (fully visible and interactive, the default) enables the user to see and interact with the installer and to cancel the installation.
   /qb (basic) or /qr (reduced) enables the user to see and interact with the installer and to cancel the installation.
   /qn or /quiet (totally silent) prevents the user from seeing or interacting with the installer and from canceling the installation.
   Note: Because this is an msiexec parameter, other options are available. Enter msiexec at a command prompt for more information about other options.

Parameter: BCSI_UPDATEURL
Argument: url
Description: URL to ProxyClientConfig.xml on the Client Manager, which you can find as discussed in "Designating a ProxySG as the Client Manager" on page 81, entered in the following format:
   https://client-manager-host:client-manager-port[/proxyclient/ProxyClientConfig.xml]
   The path to ProxyClientConfig.xml is optional.

Parameter: REINSTALL
Argument: ALL
Description: Installs all ProxyClient components, whether they are already installed or not. ALL is the only supported parameter value in this release.

Parameter: REINSTALLMODE
Argument: vamus
Description: Blue Coat recommends using vamus as the parameter value. Because this is an msiexec parameter, other options are available. For more information, see the description of the REINSTALLMODE parameter on the MSDN Web site.


Parameter
AUTOUPDATEPROHIBITED

Argument
0|1

Description
0 (default) means the ProxyClient automatically implements software updates at the interval the administrator specified for software update interval in "Designating a ProxySG as the Client Manager" on page 81. 1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as SCCM, SMS, or GPO.

Note: Regardless of the value of this setting, the client always gets configuration updates at the next software update interval. Users can also get configuration updates manually.
FORCEREBOOT yes|no y|n

yes or y mean the dialog displays with only a Restart Now button and a progress bar that increments until the computer reboots. (However, if REBOOTTIME=0, neither a dialog nor progress bar displays.)

no or n (default) mean a dialog displays with two options: Restart Now and Restart Later, enabling users to either reboot immediately or wait until a later time of their choosing.

REBOOTTIME secs

Number of seconds after the ProxyClient installation completes before the user's machine is rebooted. A non-zero value means a counter displays on the postinstallation reboot dialog. If FORCEREBOOT is set to no, this value is ignored. For more information, see "Example Installations and Uninstallation" on page 189. The default is 0.

NOUISHORTCUT 0|1

Set to 1 to hide the Start menu option for the ProxyClient: Start > [All] Programs > Blue Coat ProxyClient > ProxyClient. To start the ProxyClient browser window, a user must double-click the ProxyClient shortcut located in
%SystemDrive%:\Program Files\Blue Coat\ProxyClient.

On Windows 7 (64bit), the shortcut is located in
%SystemDrive%:\Program Files (x86)\Blue Coat\ProxyClient.

Set to 0 to show the Start menu option. The default is 0.

REGISTRYSETTINGS name:datatype:value

Colon-delimited, semicolon-separated list of registry settings to create for the client. For more information, see Table 93.

/l*v logfile

If you want the installation to be logged, enter the absolute file system path and file name of the log file. The user installing the software must have permission to write to the indicated folder and the folder must be available during the installation; therefore, you should avoid specifying a network drive.

LOG_APPEND 0|1

Set to 0 to overwrite the existing ProxyClient installer log file. Set to 1 to append to the existing ProxyClient installer log file. Default is 0.

Table 93 shows the available arguments for the REGISTRYSETTINGS parameter. This parameter sets the key name, data type, and value of ProxyClient registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\Proxy Client. On Windows 7 (64bit), the registry settings are under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client. Examples of using these settings can be found in "Limiting ProxyClient Visibility and Interactivity" on page 190.
Important: Blue Coat strongly recommends testing these registry settings before deploying them in a production environment. Improper registry settings might cause the installation to fail or to not function as expected.

Table 93 Parameters for ProxyClient registry settings

Key name    Data type    Value

CacheDirectory REG_SZ

Set the folder in which ProxyClient byte and CIFS cache files are stored. The directory you specify must already exist. For example,
REGISTRYSETTINGS="CacheDirectory:REG_SZ:D:\BCCacheDir"

By default, with no registry key specified, cache files are stored in the following folder:

Windows XP
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient

Windows Vista and Windows 7
%SystemDrive%\Windows\system32\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

ChangeCMAllowed REG_DWORD

Allowed values: 0 | 1
Set to 1 to allow the user to change the Client Manager. For example,
REGISTRYSETTINGS="ChangeCMAllowed:REG_DWORD:1"

Set to 0 to prevent the user from changing the Client Manager. The default is 0.

DefaultWebPort REG_DWORD

Allowed values: 1024 through 65534 (inclusive)
If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000. Default is 8000. For more information, see "Changing the Default Web Server Port" on page 230.

TiNotVisible REG_DWORD

Allowed values: 0 | 1
Set to 1 to hide the ProxyClient system tray icon and all pop-up messages. For more detail about ProxyClient icon states, see "Limiting ProxyClient Visibility and Interactivity" on page 190. For example,
REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1"

Set to 0 to display the ProxyClient tray icon and pop-up messages. The default is 0.

TiNotVisibleForceUpdate REG_DWORD

Allowed values: 0 | 1
Set to 1 to force ProxyClient software updates on client computers without user interaction. This registry setting does not depend on the setting for TiNotVisible; in other words, setting the value of this key to 1 means clients always get updates regardless of whether or not the tray icon is hidden. For example,
REGISTRYSETTINGS="TiNotVisibleForceUpdate:REG_DWORD:1"

Set to 0 to apply ProxyClient software updates normally; that is, provided updates are allowed, users must install the updates manually. The default value is 0.

Note: Regardless of the value of this registry key, clients always get configuration updates automatically at the update interval you set using Configuration > ProxyClient > General > Client Manager. Clients can also get configuration updates manually at any time.
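The name:datatype:value format and the limits in Table 93 can be checked before a command line is sent out to clients. The following Python code is an added example, not part of this guide or of the ProxyClient installer; the name lint_registrysettings, the drive-letter path check, and the decision to reject whitespace around fields are assumptions of the example.

```python
import re

_FLAG = re.compile(r"[01]")
_DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^<>:"/|?*]+')


def _is_flag(value):
    return _FLAG.fullmatch(value) is not None


def _is_web_port(value):
    # Table 93: 1024 through 65534 (inclusive).
    return value.isascii() and value.isdigit() and 1024 <= int(value) <= 65534


def _is_drive_path(value):
    # Assumption of this example: a drive-letter path such as D:\BCCacheDir.
    # Whether the folder exists can only be checked on the client itself.
    return _DRIVE_PATH.fullmatch(value) is not None


# Table 93 as data: key name -> (required data type, value check, hint).
TABLE_93 = {
    "CacheDirectory": ("REG_SZ", _is_drive_path, "a drive-letter folder path"),
    "ChangeCMAllowed": ("REG_DWORD", _is_flag, "0 or 1"),
    "DefaultWebPort": ("REG_DWORD", _is_web_port, "1024 through 65534"),
    "TiNotVisible": ("REG_DWORD", _is_flag, "0 or 1"),
    "TiNotVisibleForceUpdate": ("REG_DWORD", _is_flag, "0 or 1"),
}


def lint_registrysettings(raw):
    """Check one REGISTRYSETTINGS value (without the surrounding quotes).

    Returns (settings, problems): settings is a list of
    (name, datatype, value) tuples that passed every check, problems is a
    list of messages for the entries that did not.
    """
    settings, problems, seen = [], [], set()
    for entry in raw.split(";"):
        # name:datatype:value. Split on the first two colons only, because
        # a CacheDirectory value (D:\BCCacheDir) has a colon of its own.
        fields = entry.split(":", 2)
        if len(fields) != 3:
            problems.append(f"{entry!r}: expected name:datatype:value")
            continue
        name, datatype, value = fields
        if any(not f or f != f.strip() for f in fields):
            # The guide does not say whether the installer trims blanks,
            # so this example rejects them instead of guessing.
            problems.append(f"{entry!r}: empty field or stray whitespace")
            continue
        if name not in TABLE_93:
            problems.append(f"{name}: not a key listed in Table 93")
            continue
        want_type, check, hint = TABLE_93[name]
        if datatype != want_type:
            problems.append(f"{name}: data type must be {want_type}, got {datatype}")
        elif not check(value):
            problems.append(f"{name}: value {value!r} is not {hint}")
        elif name in seen:
            problems.append(f"{name}: set more than once")
        else:
            seen.add(name)
            settings.append((name, datatype, value))
    return settings, problems


# The first two values are the ones used in this guide's examples; the
# last two are constructed to be malformed.
SAMPLES = [
    r"CacheDirectory:REG_SZ:D:\BCCacheDir",
    "TiNotVisible:REG_DWORD:1;TiNotVisibleForceUpdate:REG_DWORD:1",
    "TiNotVisible:REG_DWORD:1; TiNotVisibleForceUpdate:REG_DWORD:1",
    "DefaultWebPort:REG_DWORD:80;ChangeCMAllowed:REG_SZ:1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, bad = lint_registrysettings(sample)
        print(sample)
        for name, datatype, value in ok:
            print(f"  ok   {name} = {value} ({datatype})")
        for message in bad:
            print(f"  FAIL {message}")
```
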

Command for Silent Uninstallations


To silently uninstall the ProxyClient software, use the following command:
msiexec /X{D35B0C7A-4545-4A98-A810-3810B3FE25E5} /quiet PASSWORD=uninstall-password

The string {D35B0C7A-4545-4A98-A810-3810B3FE25E5} identifies the ProxyClient installer's MSI product code. During uninstallation, the ProxyClient removes:

The SG Client (this is the pre-SGOS 5.3 version of ProxyClient).
All ProxyClient drivers, folders, files, the service, and so on.
ProxyClient cache files and the cache folder.


Example Installations and Uninstallation


This section shows the following examples:

"Example Installations" on page 189
"Example Uninstallation" on page 190

Additional examples are discussed in "Limiting ProxyClient Visibility and Interactivity" on page 190.
Important:

Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.

Do not edit ProxyClientConfig.xml on the client computer after it has been downloaded. Instead, click Check for Updates Now on the Advanced tab page of the ProxyClient's Web browser window to get updates.

Example Installations
Example 1: Basic manual installation:
ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=no REGISTRYSETTINGS="CacheDirectory:REG_SZ:D:\BCCacheDir"

The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters cause all ProxyClient components to install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. After the installation is complete, the user is prompted to reboot unless only Web filtering is enabled. The REGISTRYSETTINGS parameter locates the cache directory in D:\BCCacheDir. This directory must exist prior to the installation; otherwise, the default cache directory will be used.

Example 2: The user has the ability to change the Client Manager using the ProxyClient browser window
ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes REBOOTTIME=30 REGISTRYSETTINGS="ChangeCMAllowed:REG_DWORD:1"

The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters make sure that all ProxyClient components install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. The REGISTRYSETTINGS parameter creates a registry key that enables users to change the Client Manager using the ProxyClient browser window (for more information, see "" on page 229). After the installation is complete, the user has the following options:

Wait 30 seconds for the machine to reboot.
Click Restart Now in the dialog to reboot immediately.

Example 3: Automated, interactive installation without a timer


ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes AUTOUPDATEPROHIBITED=1

The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters make sure that all ProxyClient components install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. After the installation is complete, the user has the option to reboot unless only Web filtering is enabled.
Important:

The AUTOUPDATEPROHIBITED=1 argument prevents ProxyClient software updates only. Configuration updates are installed from the Client Manager at the next update interval after they are available.

Example Uninstallation
msiexec /X{D35B0C7A-4545-4A98-A810-3810B3FE25E5} /quiet PASSWORD=uninstall-password

The string {D35B0C7A-4545-4A98-A810-3810B3FE25E5} identifies the ProxyClient installer's MSI product code.

Limiting ProxyClient Visibility and Interactivity


This section discusses how to limit ProxyClient application visibility and user interaction with the ProxyClient software. You can implement any or all of the following options:
Option: Force ProxyClient software updates on clients without user interaction
Setting: TiNotVisibleForceUpdate registry key set to 1

Option: Hide the ProxyClient system tray icon
Setting: TiNotVisible registry key set to 1

Option: Hide the ProxyClient Start menu option
Setting: NOUISHORTCUT installer switch

Registry keys and installer switches are discussed in more detail in "Command for Silent Uninstallations" on page 188. The following table shows the ProxyClient tray icon states and how they are affected by these settings:

Icon meaning: Normal

Default (TiNotVisible registry key not present): Always displays.
Invisible (TiNotVisible set to 1): Never displays.

Icon meaning: Warning state (for example, low disk space or updates are available)

Default (TiNotVisible registry key not present, TiNotVisibleForceUpdate set to 0): Always displays to warn users about critical states or when user action is required (for example, to get software updates manually).
Invisible but interactive (TiNotVisible set to 1, TiNotVisibleForceUpdate registry key not present): Never displays; configuration updates are downloaded automatically but the user must install software updates manually. However, if software updates are disabled (AutoUpdateProhibited registry key set to 1), the user never gets software updates.
Invisible and noninteractive (TiNotVisible set to 1, TiNotVisibleForceUpdate set to 1): The tray icon never displays.

Note: To enable users to get software updates if you hide the system tray icon or Start menu option, set the AutoUpdateProhibited registry key to 0. You can do this by editing the registry or by installing the ProxyClient software with the AUTOUPDATEPROHIBITED installer option absent or set to 0.

Example
The following example hides the system tray icon, and requires clients to accept software updates without interaction:
ProxyClientSetup.msi /qn BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1;TiNotVisibleForceUpdate:REG_DWORD:1"

This example sets the following options:

Option: /qn
Description: Performs a non-interactive installation.

Option: BCSI_UPDATEURL=https://mysg.example.com:8084
Description: Specifies the URL from which clients obtain policy.

Option: REINSTALL=ALL
Description: Installs all ProxyClient components, whether they are already installed or not.

Option: REINSTALLMODE=vamus
Description: For more information, see the description of the REINSTALLMODE parameter on the MSDN Web site.

Option: FORCEREBOOT=yes
Description: Forces clients to reboot after installing the ProxyClient software.

Option: REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1;TiNotVisibleForceUpdate:REG_DWORD:1"
Description:
TiNotVisible:REG_DWORD:1
Hides the ProxyClient system tray icon unless software updates are being downloaded. The icon also displays after the updates have been installed to indicate the computer must be rebooted.
TiNotVisibleForceUpdate:REG_DWORD:1
Requires clients to accept software updates when they are available. User interaction is not permitted. However, if the AutoUpdateProhibited registry key is set to 1, it takes precedence and software updates are never downloaded.
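The precedence among AUTOUPDATEPROHIBITED, TiNotVisibleForceUpdate and TiNotVisible described in this section can be applied to a planned command line to see how software updates will reach a client installed that way. The following Python code is an added example, not part of this guide; the function names and the mode labels (prohibited, forced, manual-hidden, manual-visible) are assumptions of the example, and the sample command lines are this guide's own examples plus one constructed line.

```python
import re

# PROPERTY=value tokens from an installer command line; a value may be
# double-quoted, as REGISTRYSETTINGS is in the guide's examples.
_PROPERTY = re.compile(r'\b([A-Z_]+)=("[^"]*"|\S+)')
_SILENT = re.compile(r"(?<!\S)/(?:qn|quiet)(?!\S)", re.IGNORECASE)

# Hypothetical labels for the four outcomes, with the guide's wording.
NOTES = {
    "prohibited": "software updates never come from the Client Manager; "
                  "another channel (SCCM, SMS, GPO) has to deliver them",
    "forced": "software updates install without user interaction",
    "manual-hidden": "the user must install software updates manually, "
                     "but the tray icon never displays",
    "manual-visible": "the tray icon warns the user, who installs "
                      "software updates manually",
}


def parse_install(cmdline):
    """Return (properties, registry settings) from one command line."""
    props = {n: v.strip('"') for n, v in _PROPERTY.findall(cmdline)}
    registry = {}
    # Tolerant split on purpose: this function classifies, it does not lint.
    for entry in props.get("REGISTRYSETTINGS", "").split(";"):
        fields = entry.strip().split(":", 2)  # name:datatype:value
        if len(fields) == 3:
            registry[fields[0]] = fields[2].strip()
    return props, registry


def update_mode(cmdline):
    """Classify how software updates reach a client installed this way."""
    props, registry = parse_install(cmdline)
    if props.get("AUTOUPDATEPROHIBITED") == "1":
        return "prohibited"      # takes precedence over the registry keys
    if registry.get("TiNotVisibleForceUpdate") == "1":
        return "forced"          # independent of TiNotVisible
    if registry.get("TiNotVisible") == "1":
        return "manual-hidden"   # "invisible but interactive"
    return "manual-visible"      # defaults


def review(cmdline):
    """Return (mode, findings) for a deployment reviewer to read."""
    props, registry = parse_install(cmdline)
    mode = update_mode(cmdline)
    findings = [f"updates: {NOTES[mode]}"]
    if _SILENT.search(cmdline):
        findings.append("silent install: the user cannot see or cancel it")
    if props.get("NOUISHORTCUT") == "1":
        findings.append("NOUISHORTCUT=1: Start menu option is hidden")
    if registry.get("ChangeCMAllowed") == "1":
        findings.append("ChangeCMAllowed=1: the user can change the Client Manager")
    return mode, findings


COMMON = ("ProxyClientSetup.msi {ui} BCSI_UPDATEURL=https://mysg.example.com:8084 "
          "REINSTALL=ALL REINSTALLMODE=vamus ")
# Command lines from this guide's examples.
EXAMPLE_2 = COMMON.format(ui="/qr") + (
    'FORCEREBOOT=yes REBOOTTIME=30 REGISTRYSETTINGS="ChangeCMAllowed:REG_DWORD:1"')
EXAMPLE_3 = COMMON.format(ui="/qr") + "FORCEREBOOT=yes AUTOUPDATEPROHIBITED=1"
HIDE_AND_FORCE = COMMON.format(ui="/qn") + (
    'FORCEREBOOT=yes REGISTRYSETTINGS='
    '"TiNotVisible:REG_DWORD:1;TiNotVisibleForceUpdate:REG_DWORD:1"')
# Constructed for this example: hides the icon without forcing updates.
HIDE_ONLY = COMMON.format(ui="/qn") + (
    'FORCEREBOOT=yes NOUISHORTCUT=1 REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1"')

if __name__ == "__main__":
    for line in (EXAMPLE_2, EXAMPLE_3, HIDE_AND_FORCE, HIDE_ONLY):
        mode, findings = review(line)
        print(mode)
        for finding in findings:
            print("  -", finding)
```
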


Using Group Policy Object Distribution


This section discusses how to distribute the ProxyClient software using Windows Group Policy Object (GPO).

Important: Only an experienced Windows administrator should attempt to complete the tasks discussed in this section.
To distribute the ProxyClient software using GPO:

1. Get an .msi transform tool, such as the Orca database editor. Orca is a table-editing tool available in the Windows Installer SDK that can be used to edit your .msi files. You can also use similar tools available from other vendors.
Note: Blue Coat does not recommend a particular transform tool.

For more information about Orca, see Microsoft KB article 255905. The remainder of this section assumes you use Orca. Consult the documentation provided with the transform tool you are using for vendor-specific instructions.

2. Open ProxyClientSetup.msi.

3. Perform the following changes to the Property table:
Note: Be advised, this action invalidates the signature on the MSI.

Table 94 ProxyClient setup property table changes

Property: BCSI_UPDATEURL
Action: Add row
Value: Required for all installations. URL to ProxyClientConfig.xml on the Client Manager, entered in the following format:
https://client-manager-host:client-manager-port[/proxyclient/ProxyClientConfig.xml]
Specifying the path to ProxyClientConfig.xml is optional.

Property: FORCEREBOOT
Action: Edit value
Value: Required for all installations. Change the value from n to y. This value causes the user's machine to reboot after the ProxyClient is downloaded, which is required to use the ProxyClient.

Property: REINSTALL
Action: Add row
Value: Add this row and set it to all only if you want to update the ProxyClient software and configuration using GPO. If clients get future ProxyClient software and configuration updates from the Client Manager, do not add this row.

Property: REINSTALLMODE
Action: Add row
Value: Add this row and change it to vamus only if you want to update the ProxyClient software and configuration using GPO. If clients will get future ProxyClient software and configuration updates from the Client Manager, do not add this row.

Property: AUTOUPDATEPROHIBITED
Action: Edit value
Value: Change the value from 0 to 1 only if you want to update the ProxyClient software in some way other than from the Client Manager, such as using SCCM, SMS, or GPO. (Configuration updates are obtained from the Client Manager whose URL is specified by the BCSI_UPDATEURL parameter discussed earlier in this table.)
1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as using SCCM, SMS, or GPO.
If clients will get future ProxyClient software updates from the Client Manager, leave this value at 0.

4. To implement registry changes discussed in Table 93 on page 187, use the following steps:

a. Add one row to the Registry table for every registry setting you wish to set.

b. In the Add Row dialog, enter the following information:

Field: Registry
Description: Enter a unique description of the registry entry. The value you enter is not written to the registry; it is used only to identify the entry. The value must begin with Registry. For example, Registry1.

Field: Root
Description: Enter 2.

Field: Key
Description: Enter the ProxyClient registry path relative to HKEY_LOCAL_MACHINE, Software\Blue Coat Systems\Proxy Client

Field: Name
Description: Enter the name of the registry key; see Table 93 on page 187.

Field: Value
Description: Enter the value of the registry key. Note: If the value is REG_DWORD, you must preface the value with the number sign (#). For example, a registry key value of 1 must be entered as #1.

Field: Component
Description: Enter ProxyClientSvc.exe.

c. Generate the transformation.


Chapter 10: Monitoring ProxyClient Performance

This chapter discusses the following topics:

"Viewing ProxyClient History Statistics"
Statistics > ProxyClient > History
Aggregated bandwidth usage statistics related to the ProxyClient and all concentrators in the network, and with the Client Manager (for example, number of clients, number of software updates, and number of configuration updates).

"Viewing ProxyClient Detail Statistics" on page 200
Statistics > ProxyClient > Details
Information about active and inactive ProxyClients, such as user name, host name, operating system; whether or not acceleration and Web filtering are enabled in the client's location; size of log files; size of the ProxyClient cache; and data related to ProxyClient software version running on clients.

"Viewing ProxyClient ADN History Statistics" on page 209
Statistics > ADN History
Statistics related to the ProxyClient and a particular concentrator. To view statistics related to ProxyClients and all concentrators on the network, view the BW Usage tab page on Statistics > ProxyClient History.

"Viewing ProxyClient Active Session Statistics" on page 210
Statistics > Sessions > Active Sessions > ADN Inbound Connections
Statistics related to inbound ADN connections to a concentrator from ProxyClients.

Viewing ProxyClient History Statistics


ProxyClient history statistics compile data from the Client Manager and from concentrators that communicate with ProxyClients as follows:

Client Manager: Current active ProxyClients, the number of software updates, number of configuration updates, and ProxyClient version information.
Concentrators: Bandwidth usage aggregated for all concentrators.

The ProxySG displays graphs for each tab page in selectable time increments, varying from the last hour to all time periods. Hover the mouse pointer over any graph on the page to see metric data.


To view ProxyClient history statistics:

1. Log in to a ProxySG appliance's Management Console as an administrator. The statistics you view depend on the role of the appliance, as follows:
Client Manager: To view Active Clients, Configurations Served, Software Served, or Client Version Count.
Concentrator: To view BW Usage.

2. Click Statistics > ProxyClient > History.



3. Click a tab to view statistics and then see one of the following sections:
"Viewing ProxyClient Bandwidth (BW) Usage Statistics"
"Viewing ProxyClient Active Clients Statistics" on page 199
"Viewing ProxyClient Configurations Served Statistics" on page 199
"Viewing ProxyClient Software Served Statistics" on page 199


Viewing ProxyClient Bandwidth (BW) Usage Statistics


This section discusses the BW Usage tab page for the ProxyClient (Statistics > ProxyClient > History > BW Usage). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197. The BW Usage tab page displays aggregated statistics for all ProxyClients that use this Client Manager. The following columns display on this tab page:

C: The number of bytes sent and received by the applications running on the client's computer (that is, corresponding to the Total Demand graph in the ProxyClient browser window).
S: The number of bytes sent over the WAN after acceleration was applied (that is, corresponds to the Actual Usage graph in the ProxyClient browser window).
Gain: The magnitude of bandwidth gain.
Savings: The percentage of bandwidth savings.

Viewing ProxyClient Active Clients Statistics


This section discusses the Active Clients tab page for the ProxyClient (Statistics > ProxyClient > History > Active Clients). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197. The Active Clients tab page displays how many ProxyClients are active on the network. Any ProxyClient that does not report for 10 consecutive minutes is treated as inactive.

Viewing ProxyClient Configurations Served Statistics


This section discusses the Configurations Served tab page for the ProxyClient (Statistics > ProxyClient > History > Configurations Served). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197. The Configurations Served tab page displays how many times the ProxyClient configuration file was downloaded from the Client Manager.

Viewing ProxyClient Software Served Statistics


This section discusses the Software Served tab page for the ProxyClient (Statistics > ProxyClient > History > Software Served). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197. The Software Served tab page displays how many times ProxyClient software was downloaded to user systems.


Viewing ProxyClient Detail Statistics


ProxyClient detail statistics are aggregated by the Client Manager. Detail statistics include general information about ProxyClients, and information about acceleration and Web filtering features. This section discusses the following topics:

"Viewing ProxyClient Detail Statistics"
"About the ProxyClient Detail Tab Pages" on page 200
"Common Tasks on Every Tab Page" on page 201
"For More Information About ProxyClient Details" on page 202

Viewing ProxyClient Detail Statistics


This section discusses general information about viewing ProxyClient detail statistics.
To view ProxyClient detail statistics:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details. The Client Details tab page displays.

The Client Details tab page has four tabs: General, Acceleration, Filtering, and All. For detailed information about each of these tab pages, see "Viewing ProxyClient Client Details" on page 203.

About the ProxyClient Detail Tab Pages


At the bottom of each of the four tab pages, the total number of clients and the number of available clients display. Following are the meanings of these terms:

Total displayed clients: The number of clients displayed on the tab page after filters were applied. If no filters were applied, the total displayed clients is equal to the available clients. More information about filtering is discussed in the sections that follow.

Available clients: Total number of clients (both active and inactive) this Client Manager has seen since the last time the client list was cleared using the #(config proxy-client) clear {all | inactive} command. The #(config proxy-client) clear {all | inactive} command is discussed in "Clearing ProxyClients (CLI)" on page 90.

Note: Clients are automatically cleared after 30 days of inactivity. After a software upgrade, clients appear twice for 30 days: one entry for the earlier version of client software and one entry for the newer version of client software. You can optionally clear the inactive clients using the clear inactive command to avoid seeing duplicate information. For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.

Common Tasks on Every Tab Page


Task: Sort data by column
Description: Click the name of a column to sort data by that column in either ascending or descending order.

Task: Filter data by column
Description: You can optionally filter data displayed on any tab page by certain columns displayed on that tab page. Filters are logically ANDed together. Column values are sorted by type; for example, numeric values are sorted numerically.
1. From the Add Filter list, click the name of a column to use to filter data. If you click the name of a column that has no predetermined values (like Username), a field displays next to the Add Filter list. If you click the name of a column that has predetermined values, a list of available values displays next to the Add Filter list.
2. From the adjacent field or list, make a selection to use to filter the data. For example, if you clicked Username from the Add Filter list, enter all or part of a user name in the adjacent field. The matching criterion you enter is not case-sensitive. Filters are matched by substring; wildcard characters are not supported. For example, to search for a user name that contains the string proxy, enter proxy in the field.
3. Click Add. This adds the filter and updates the data displayed on the tab page.
4. Optional tasks:
To add another filter, repeat the preceding steps. Filters are logically ANDed together.
To edit an existing filter, click the link in the filter, make changes to filter settings, and click Add.
To delete an existing filter, click x next to the name of the filter.

Task: Refresh the data
Description: Click Refresh at the bottom of the tab page. It might take several minutes for configuration changes to be reflected on the tab page. For example, if you enable acceleration in a location, it might take several minutes after the client receives the configuration update for the data on this page to be updated to reflect the new configuration.

Task: Download the data to a text file
Description: Click Download at the bottom of the tab page and follow the prompts on your screen to save the text file on your computer. The data displayed on that tab page is saved to the text file. Any filters or sorting options you chose are preserved.

For More Information About ProxyClient Details


See one of the following sections for more information:

"Viewing ProxyClient Client Details"
"Viewing ProxyClient Client Version Count" on page 208

Viewing ProxyClient Client Details


ProxyClient details display the following types of statistics:

General: For each user, displays information such as user name, domain, host name, host operating system, ProxyClient software version, last known status, age of last known status, location, and which ProxyClient features are enabled for that location. For more information, see "ProxyClient General Details".
Acceleration: For each user, displays acceleration-related information such as user name, domain, host name, acceleration status, client cache size, client bytes, server bytes, and the client's ADN peers. For more information, see "ProxyClient Acceleration Details" on page 205.
Filtering: For each user, displays Web filtering-related information such as user name, domain, host name, Web filtering status, the age of the Web filtering log, and the size of the Web filtering log file. For more information, see the "ProxyClient Web Filtering Details" on page 206.
All: Displays all information on the preceding tab pages. For more information, see "All ProxyClient Details" on page 208.

ProxyClient General Details


The General tab page displays general information about active and inactive clients.
To display general ProxyClient details statistics:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details > General.

The following table discusses the data displayed in each column of the General tab:

Column: User Name
Description: Name of the user logged in to the ProxyClient computer.

Column: Domain
Description: Domain to which the ProxyClient computer belongs.

Column: Host Name
Description: ProxyClient computer's host name.

Column: OS
Description: ProxyClient computer operating system version information.

Column: Version
Description: ProxyClient software version.

Column: Status
Description: [icon] indicates an active client. [icon] indicates an inactive client. A client is reported as inactive if 10 minutes or more elapse between heartbeat packets it sends to the Client Manager.

Column: Status Age
Description: The length of time since the ProxyClient last reported its status (either active or inactive) to the Client Manager.

Column: Uninstall Protection
Description: [icon] indicates an uninstallation password is configured. [icon] indicates an uninstallation password is not configured.

Column: Location
Description: The name of the ProxyClient's location.

Column: Acceleration
Description: [icon] indicates acceleration is enabled in this client's location. [icon] indicates acceleration is disabled in this client's location.

Column: Web Filter
Description: [icon] indicates Web filtering is enabled in this client's location. [icon] indicates Web filtering is disabled in this client's location. It could also indicate user tampering; for more information, see "Web Filtering Internal Service Error" on page 169.

Column: File Encryption
Description: [icon] indicates this client's cache is encrypted. Provided the user installed the ProxyClient software on an NTFS partition on Windows XP or Windows Vista, the cache and Web filtering log files are encrypted. A value of 0 most likely means the cache has not been used yet or the client's computer has no available space for caching. [icon] indicates this client's CIFS cache is not encrypted. If acceleration is enabled in this client's location but the cache is not encrypted, the most likely reason is this client installed the ProxyClient software on a non-NTFS partition. Note: The cache is used for CIFS protocol acceleration and for byte caching.

Column: IID
Description: A globally-unique identifier assigned to every ProxyClient in the ADN network. A ProxyClient's IID starts with the string CL. An IID is similar to a Peer ID for appliances.

You have the following options:

Sort data by column: Click the name of a column to sort it in ascending or descending order.
Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add.
Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect.
Download the data to a text file: Click Download and follow the prompts on your screen.

For additional information about these options, see "Common Tasks on Every Tab Page" on page 201.

ProxyClient Acceleration Details


The Acceleration tab page displays information related to gzip compression, CIFS protocol acceleration, and byte caching.
To display ProxyClient acceleration details:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details > Acceleration. The Acceleration tab page displays.

The following table discusses the data displayed in each column:


Column: Description
User Name: Name of the user logged in to the ProxyClient computer.
Domain: Domain to which the ProxyClient computer belongs.
Host Name: ProxyClient computer's host name.
Acceleration: indicates acceleration is enabled in this client's location. indicates acceleration is disabled in this client's location.
Cache Size: Size of the client's cache. If acceleration is enabled for a client but the cache size is 0 bytes, check the value of the ADN Peers column. If the client has no ADN peers, most likely the ADN manager or backup manager is not configured properly (for example, no subnets are being accelerated). To resolve this issue, see "Before You Begin Configuring ProxyClient Policy" on page 103.
Client Bytes: The number of bytes sent and received by the applications running on the client's computer (that is, corresponding to the Total Demand graph in the ProxyClient Web browser window).
Server Bytes: The number of bytes sent over the WAN after acceleration was applied (that is, corresponding to the Actual Usage graph in the ProxyClient Web browser window).
ADN Peers: The Peer ID of each concentrator that is accelerating traffic for the ProxyClient.

You have the following options:

Sort data by column: Click the name of a column to sort it in ascending or descending order.
Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add.
Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect.
Download the data to a text file: Click Download and follow the prompts on your screen.
For additional information, see "Common Tasks on Every Tab Page" on page 201.

ProxyClient Web Filtering Details


The Filtering tab page displays Web filtering information.
To display ProxyClient Web filtering details statistics:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Details > Filtering. The Filtering tab page displays.


The following table discusses the data displayed in each column:


Column: Description
User Name: Name of the user logged in to the ProxyClient computer.
Domain: Domain to which the ProxyClient computer belongs.
Host Name: ProxyClient computer's host name.
Web Filter: indicates Web filtering is enabled in this client's location. indicates Web filtering is disabled in this client's location. It could also indicate user tampering; for more information, see "Web Filtering Internal Service Error" on page 169.
Web Filter Log Age: Displays the size of this client's Web filtering log file.
indicates there was an error retrieving the data. Hover the mouse pointer over the symbol to display an error message. For more detailed information, collect logs from the user's computer (including the Web filter trace file) as discussed in "Instructing Users to Perform Data Traces" on page 233.
means the log age is not available, probably because the client is inactive. There could also be a problem preventing this client from uploading its logs to the FTP server. If the issue persists, collect logs from the user's computer (including the Web filter trace file) as discussed in "Instructing Users to Perform Data Traces" on page 233.
n/a means Web filtering is not enabled for this client.
Web Filter Log Size: The size of the client's Web filtering log file.

You have the following options:

Sort data by column: Click the name of a column to sort it in ascending or descending order.
Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add.
Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect.
Download the data to a text file: Click Download and follow the prompts on your screen.
For additional information, see "Common Tasks on Every Tab Page" on page 201.

All ProxyClient Details


The All tab page combines all the data displayed on the General, Acceleration, and Filtering tab pages. For more information, see one of the following sections:

"ProxyClient General Details" on page 203
"ProxyClient Acceleration Details" on page 205
"ProxyClient Web Filtering Details" on page 206

Viewing ProxyClient Client Version Count


The Client Version Count tab page displays the total number of active and inactive ProxyClients by software version number.


To display ProxyClient client version count:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Statistics > ProxyClient > Details > Client Version Count. The Client Version Count tab page displays.
For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.

Viewing ProxyClient ADN History Statistics


These statistics relate to bandwidth usage and gain from ProxyClient connections to a specific concentrator. To view aggregated statistics for bandwidth usage and gain for all concentrators in the network, see "Viewing ProxyClient History Statistics" on page 197.
To view ProxyClient ADN History statistics:

1. Log in to a concentrator's Management Console as an administrator.
2. Click Statistics > ADN History.

[Screenshot of the ADN History page, with callouts: Select time period; Hover mouse over data; Select Usage or Gain; ProxyClients display in a peer group]

3. From the Duration list, click a time frame.
4. View the following statistics:
The displayed statistics represent all ADN traffic processed by this concentrator. ProxyClients are aggregated into one peer group, with ProxyClients as the Peer ID and Peer IP. Other appliances on the network are listed by IP address. The other attributes for both usage and gain are:
Optimized Bytes: How many bytes were sent using the ADN tunnel.
Unoptimized Bytes: How many bytes would have been sent over the network had ADN not been used. By comparing optimized bytes and unoptimized bytes, you can determine how much savings was realized by using ADN.
Savings: The performance gained by ADN processing.

Viewing ProxyClient Active Session Statistics


Active session statistics display current bandwidth usage and savings information between ProxyClients and a particular concentrator.
To view Active Session statistics:

1. Log in to a concentrator's Management Console as an administrator.
2. Click Statistics > Sessions > Active Sessions > ADN Inbound Connections.

[Screenshot of the ADN Inbound Connections tab page, with callouts: Click Show; See step 3]

3. At the top of the ADN Inbound Connections tab page, click Show to display statistics from active sessions.
Client: The IP address of the ProxyClient (for example, the outbound IP address of the VPN application).
Server: The IP address of the final destination server (such as a content server).
Peer: For ProxyClients, client and peer IP addresses are the same because ProxyClient mimics a branch ProxySG.
Duration: How long the active session has been connected.
Unopt. Bytes: The number of bytes served to or from the server before or after ADN optimization. For example, the number of bytes sent to a server before the traffic was optimized by ADN.
Opt. Bytes: The number of bytes optimized by ADN processing.
Savings: The performance gained by ADN processing.
C: Whether the data is compressed or not. (compressed) displays if the data is being compressed. (not compressed) if compression is not being used.
BC: Whether or not byte caching was used.
E: Whether or not the incoming ADN tunnel is encrypted. In this release, ProxyClient connections are not encrypted.
Tunnel Type: The type of TCP tunnel; ProxyClient connections are always identified as Client.


Chapter 11: Troubleshooting the ProxyClient

This chapter discusses the following topics:

"Using the ProxyClient Web Browser for Troubleshooting"
"Troubleshooting ProxyClient Installation and Operation" on page 214
"Troubleshooting ProxyClient Acceleration" on page 115
"Troubleshooting ProxyClient Web Filtering" on page 165
"Other ProxyClient Troubleshooting Tools" on page 224

Using the ProxyClient Web Browser for Troubleshooting


The ProxyClient Web browser window enables users to provide information to administrators about current statistics, and to perform trace logging if necessary to help administrators resolve issues. The way users start the Web browser window depends on whether or not the ProxyClient tray icon is visible.
To start the ProxyClient Web browser window if the tray icon is visible:

The user should double-click the tray icon or right-click the tray icon and, from the pop-up menu, click Status.
To start the ProxyClient Web browser window if the tray icon is not visible:

The user should perform any of the following tasks:

Click Start > [All] Programs > Blue Coat ProxyClient > ProxyClient
Note that the Start menu option can be hidden.
Double-click the ProxyClient shortcut located in %SystemDrive%:\Program Files\Blue Coat\ProxyClient
On Windows 7 (64-bit), the shortcut is located in %SystemDrive%:\Program Files (x86)\Blue Coat\ProxyClient
Open a supported Web browser and enter the following URL in the browser's location or address field:
http://localhost:web-server-port

where web-server-port is the listen port of the ProxyClient internal Web server. Supported Web browsers are discussed in the ProxyClient Release Notes. By default, the port is 8000 but administrators can change the port as discussed in "Changing the Default Web Server Port" on page 230. The ProxyClient window displays status information as follows. Click any of the circled locations to jump to more information about troubleshooting that ProxyClient feature.

Figure 11-1 Blue Coat ProxyClient Web browser window (callouts: Application status, Acceleration status, Web filtering status)

Continue with one of the following sections:

"Troubleshooting ProxyClient Installation and Operation"
"Other ProxyClient Troubleshooting Tools" on page 224
"Troubleshooting ProxyClient Web Filtering" on page 165

Troubleshooting ProxyClient Installation and Operation


The following topics discuss how the ProxyClient tray icon state indicates problems with the client and how you can troubleshoot ProxyClient installation issues:

"Suggested Workarounds for Installation Errors"
"ProxyClient Tray Icon States and Meanings" on page 222

For assistance with other issues, see one of the following sections:

"Other ProxyClient Troubleshooting Tools" on page 224
"Troubleshooting ProxyClient Web Filtering" on page 165

Suggested Workarounds for Installation Errors


This section discusses suggested workarounds for some common ProxyClient installation errors:

"Cannot Connect to the Client Manager"
"Client Manager Communication Troubleshooting Suggestions" on page 215
"Configuration Error" on page 117

Cannot Connect to the Client Manager


This section discusses how to troubleshoot Client Manager communication issues. These issues might manifest themselves in the following ways:

After installing the ProxyClient software for the first time, the following message displays: Cannot connect to the Client Manager to download configuration updates.
The following message displays: Cannot contact the Client Manager.

These messages might display when you hover the mouse pointer over the ProxyClient tray icon or view the Status tab page on the ProxyClient Web browser window as discussed in the next section.

Client Manager Communication Troubleshooting Suggestions


This section discusses how to troubleshoot the following Client Manager communication issues. Blue Coat recommends troubleshooting the issue in the order presented in the following sections:

"Getting Started Troubleshooting Client Manager Communication Issues"
"Resolution: Download Error Getting the Initial Configuration" on page 216
"Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219
"Resolution: Client Manager Not Available" on page 221

Getting Started Troubleshooting Client Manager Communication Issues


Start the ProxyClient Web browser window to get more information about the problem. See "Using the ProxyClient Web Browser for Troubleshooting" on page 213.

Cause: Client cannot contact the Client Manager to get a configuration after initially installing the ProxyClient software.
Result (any of the following):
If the tray icon is visible, a balloon message displays: Unable to download configuration from Client Manager
The following message displays in the Status tab page:

To resolve this issue, see "Resolution: Download Error Getting the Initial Configuration" on page 216.

Cause: Client has not been able to download a configuration from the Client Manager for a period of two times the update interval or 30 days (whichever is longer):
Result: The following message displays on the Acceleration Statistics section heading if the
Cannot contact the Client Manager.

To resolve this issue, see "Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219.

Resolution: Download Error Getting the Initial Configuration


This section discusses how to troubleshoot issues related to the ProxyClient not being able to get a configuration after the software is initially installed. If the client computer has a configuration but has not been able to contact the Client Manager for an extended period of time, skip this section and see "Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219 instead.

If the ProxyClient computer has not gotten a configuration since the software was installed, try the following:

1. Click the admin log link in the error message to display troubleshooting suggestions and use the following guidelines to resolve the issues:
If the user requires VPN to connect to the network, make sure the user's VPN client is running.
Make sure third-party products like anti-virus or personal firewall software allow the ProxyClient service (ProxyClientSvc.exe) to run and to communicate with the Client Manager using SSL over its listen port (by default, 8084).

1. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
2. Click the Advanced tab.
3. On the Advanced tab page, in the Client Manager section, verify the Client Manager's host name or IP address. If the address is incorrect, click the (change) link and enter the correct information.
4. In the Software Update section, click Check for Updates Now. Use the following guidelines to resolve the issue:

Table 11-1 ProxyClient manual configuration attempts

Can the client get a configuration update manually?: Resolution
Yes: The issue has been resolved.
No: Check the following:
Make sure any required VPN software is running on the user's computer.
Check your network setup to make sure the user can access the Client Manager.

Verifying the Client Manager URL


If the Client Manager URL is incorrect, the ProxyClient cannot contact the Client Manager to get a configuration, or to get updates to the configuration or to the ProxyClient software. The URL might be incorrect because of a typographical error in command-line installations or incorrect DNS configuration if the Client Manager's host name was specified.
To verify the Client Manager URL:

1. Log in to the Client Manager's Management Console as an administrator.
2. Click Configuration > ProxyClient > General.
3. For the value of Host, verify the following:

Specified value of Host: Troubleshooting suggestions

Use host from initial client request
Meaning: This selection means the client uses the Client Manager host name or IP address you specified either from the command line or that you provided to the user. Most likely, the administrator made a typographical error in a command-line installation. As a result, the ProxyClient software installed but the client cannot contact the Client Manager after rebooting the computer.
Resolution: Use the following steps to verify the Client Manager URL in the ProxyClient configuration:
1. In the Client Manager's Management Console, click General > Identification. The value of IP address specifies the Client Manager's default IP address, which is the IP address you must use as the Client Manager URL. (If you specified a host name instead, the host name must resolve to this IP address.)
2. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
3. Click the Advanced tab.
4. On the Advanced tab page, in the Software Update section, is the Client Manager Address a link, or is there a (change) link next to the address?
Yes: Click the link and change the Client Manager's URL. The client validates the URL and gets a configuration update immediately.
No: Set a registry key to enable you to change the Client Manager URL as discussed in "" on page 229.

Use host
Meaning: This selection means the client downloads the ProxyClient software and configuration from the host name or IP address you specify. This option can be used to migrate users from one Client Manager to another or it can be used if you have multiple, load-balanced Client Managers.
Resolution: Check your DNS or load balancer configuration as follows:
If you have one Client Manager, check your DNS configuration and make sure the host name resolves to the Client Manager's default IP address. This IP address is specified in General > Identification in the Client Manager's Management Console.
A load balancer typically advertises one Virtual IP (VIP) address. For each Client Manager behind the load balancer, enter the load balancer's VIP in the Use host field.

Resolution: Cannot Contact the Client Manager to Get the Configuration


This section discusses how to resolve an issue of the client computer not being able to contact the Client Manager for a period of time equal to two times the update interval or 30 days (whichever is longer). If the client computer has not gotten a configuration after the ProxyClient software was initially installed, skip this section and see "Resolution: Download Error Getting the Initial Configuration" on page 216 instead.

If the ProxyClient computer has not been able to get a configuration update for an extended period of time, verify the following:

Make sure any proxy server settings are configured for Internet Explorer. For example, if the user's default Web browser is Firefox and you have proxy server settings configured for Firefox, configure the same settings for Internet Explorer. The ProxyClient uses proxy server settings configured in Internet Explorer only; it ignores proxy server settings configured for other Web browsers.
Also make sure you are using a supported Web browser. Supported Web browsers are listed in the ProxyClient Release Notes.

In the ProxyClient Web browser window, click the Advanced tab. In the Admin Log section, click View Log and look for any of the following errors:

Table 11-2 Typical ProxyClient communication errors and suggested solutions

Log message (the cause of the error is highlighted in boldface text):
Trying all connection types in order
Direct connection (no proxy settings): Failed [Cannot resolve the server name]
WinHttp registry settings: Failed [Attempted proxy settings do not exist]
Per-user IE settings: Failed [No logged on session to get settings from]
Cause and suggested solution:
Cause: The Client Manager's host name is not DNS-resolvable.
Suggested actions:
Make sure the ProxyClient computer is connected to the network physically or using VPN.
Make sure a DNS server is available.
Ping the Client Manager's host name from the ProxyClient computer.
To change the Client Manager's host name, on the Advanced tab page, click the (change) link and enter the correct name in the provided field.
In the Software Update section, click Check for Updates Now.
See Table 11-1 on page 217.

Log message (the cause of the error is highlighted in boldface text):
Trying all connection types in order
Direct connection (no proxy settings): Failed [Cannot connect to the server]
WinHttp registry settings: Failed [Attempted proxy settings do not exist]
Per-user IE settings: Failed [No logged on session to get settings from]
Cause and suggested solution:
Causes:
The Client Manager's IP address is not available.
You entered the incorrect Client Manager IP address.
You entered the IP address of a device that is not a Client Manager.
Solutions:
Make sure the ProxyClient computer is connected to the network physically or using VPN.
Ping the Client Manager's IP address from the ProxyClient computer.
To change the Client Manager's IP address, in the Advanced tab page, click the (change) link and enter the Client Manager's IP address.
In the Software Update section, click Check for Updates Now.
See Table 11-1 on page 217.

Log messages (the cause of the error is highlighted in boldface text):
Trying all connection types in order
Direct connection (no proxy settings): Failed [URL is invalid or the scheme is not supported]

Trying all connection types in order
Direct connection (no proxy settings): Failed [Unhandled http status 404]
WinHttp registry settings: Failed [Attempted proxy settings do not exist]
Per-user IE settings: Failed [No logged on session to get settings from]

Trying all connection types in order
Direct connection (no proxy settings): Failed [Invalid server response]
WinHttp registry settings: Failed [Attempted proxy settings do not exist]
Per-user IE settings: Failed [No logged on session to get settings from]
Cause and suggested solution:
Cause: You entered a Client Manager URL that contained invalid characters, did not use the https:// scheme, or that used an invalid path to ProxyClientConfig.xml.
Description: Examples of invalid characters include the following: \, $, and space. Examples of invalid schemes include: ftp://, http://, and scp://. Because the path to ProxyClientConfig.xml is optional, you can exclude it from the URL to reduce the possibility of errors. For examples of command line installations, see Chapter 9: "Distributing the ProxyClient Software".
Solutions: See "Solutions to Invalid URLs or Schemes" on page 221.

Solutions to Invalid URLs or Schemes


Use the following suggestions to resolve these issues:

Table 11-3 Suggested solutions to invalid URLs or schemes

Problem: Wrong path to ProxyClientConfig.xml
Description: The Client Manager's address might be correct in the ProxyClient Web browser window but because the URL or scheme was not valid, the configuration file could not be loaded. Re-entering the Client Manager address should resolve the issue.
Solution: Change the Client Manager's address.
1. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
2. Click the Advanced tab.
3. On the Advanced tab page, in the Client Manager section, click the (change) link. Note: If the (change) link does not display, see "" on page 229.
4. Enter the Client Manager's IP address or host name in the provided field.
5. Click Change. The ProxyClient contacts the Client Manager and downloads the configuration file. If this does not resolve the problem, verify the Client Manager's address and try again.

Problem:
Illegal characters in the path to ProxyClientConfig.xml
http:// scheme
No scheme
ftp:// scheme
scp:// scheme
Description: Typically, the Client Manager's address displays as the name of the scheme. Changing the address should resolve the issue.
Solution: Change the Client Manager's address; see the preceding row in this table.
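
Added example (not part of the Blue Coat guide): a Python helper that triages the Admin Log entries quoted in Table 11-2 and checks a Client Manager URL against the problems listed in Table 11-3. The sample log text, the host cm.example.com and all function names are constructed for illustration, and the real Admin Log layout is assumed to match the table's quotations.

```python
import re

# One "<connection type>: Failed [<reason>]" attempt, as quoted in Table 11-2.
ATTEMPT = re.compile(r"(?P<method>[^:\[\]\n]+):\s*Failed\s*\[(?P<reason>[^\]\n]+)\]")
PREFIX = "Trying all connection types in order"

BAD_URL = ("Client Manager URL has invalid characters, does not use https://, "
           "or has an invalid path to ProxyClientConfig.xml")
# Bracketed reason -> (category, cause as stated in Table 11-2).
CAUSES = {
    "Cannot resolve the server name":
        ("dns", "Client Manager host name is not DNS-resolvable"),
    "Cannot connect to the server":
        ("unreachable", "Client Manager IP address is unavailable, incorrect, "
                        "or belongs to a device that is not a Client Manager"),
    "URL is invalid or the scheme is not supported": ("bad-url", BAD_URL),
    "Unhandled http status 404": ("bad-url", BAD_URL),
    "Invalid server response": ("bad-url", BAD_URL),
}
# Invalid characters the guide gives as examples.
INVALID_CHARS = {"\\": "backslash", "$": "dollar sign", " ": "space"}


def parse_attempts(log_text):
    """Return [(connection_type, reason), ...] for every failed attempt."""
    attempts = []
    for m in ATTEMPT.finditer(log_text):
        method = m.group("method").strip()
        if method.startswith(PREFIX):  # entry flattened onto a single line
            method = method[len(PREFIX):].strip()
        attempts.append((method, m.group("reason").strip()))
    return attempts


def check_client_manager_url(url):
    """List the Table 11-3 problems found in a Client Manager URL."""
    problems = [f"invalid character: {name}"
                for ch, name in INVALID_CHARS.items() if ch in url]
    scheme, sep, rest = url.partition("://")
    if not sep:
        problems.append("no scheme; the URL must start with https://")
        rest = url
    elif scheme.lower() != "https":
        problems.append(f"scheme {scheme.lower()}:// is not supported; use https://")
    host, _, path = rest.partition("/")
    if not host:
        problems.append("no host name or IP address")
    if path:
        # The guide says the path is optional and safer to leave out.
        problems.append("note: path is optional; drop it to rule out a wrong path")
    return problems


def triage(log_text, url=None):
    """Classify one Admin Log entry; check the URL when it is the suspect."""
    result = {"category": "unknown", "cause": None, "failed_method": None,
              "attempts": parse_attempts(log_text), "url_problems": []}
    for method, reason in result["attempts"]:
        if reason in CAUSES:  # first reason Table 11-2 explains wins
            result["category"], result["cause"] = CAUSES[reason]
            result["failed_method"] = method
            break
    if result["category"] == "bad-url" and url is not None:
        result["url_problems"] = check_client_manager_url(url)
    return result


# Constructed samples built from the messages quoted in Table 11-2.
SAMPLE_DNS = """\
Trying all connection types in order
Direct connection (no proxy settings): Failed [Cannot resolve the server name]
WinHttp registry settings: Failed [Attempted proxy settings do not exist]
Per-user IE settings: Failed [No logged on session to get settings from]
"""
SAMPLE_404 = ("Trying all connection types in order "
              "Direct connection (no proxy settings): Failed [Unhandled http status 404] "
              "WinHttp registry settings: Failed [Attempted proxy settings do not exist] "
              "Per-user IE settings: Failed [No logged on session to get settings from]")
SAMPLE_URL = "http://cm.example.com:8084/Proxy Client/ProxyClientConfig.xml"

if __name__ == "__main__":
    for text, url in ((SAMPLE_DNS, None), (SAMPLE_404, SAMPLE_URL)):
        result = triage(text, url)
        print(result["category"], "-", result["cause"])
        for problem in result["url_problems"]:
            print("  ", problem)
```

Reasons that Table 11-2 does not explain, such as the WinHttp and per-user IE failures that accompany every entry, are returned in `attempts` but do not change the category.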

Resolution: Client Manager Not Available


This section discusses how to resolve issues with the client's computer not being able to contact the Client Manager. This error can indicate any of the following:

The Client Manager is down. Make sure the Client Manager appliance is running. If the Client Manager runs SGOS 5.4 or later, log in to its Management Console as an administrator and click Statistics > Summary and make sure the interface to which ProxyClients connect is up.

Network issues are preventing the user's computer from contacting the Client Manager. Review your networking topology, verify that switches and routers are configured correctly, and so on.

If the user requires VPN to connect to the network, make sure the user's VPN client is running.

Make sure third-party products like anti-virus or personal firewall software allow the ProxyClient service (ProxyClientSvc.exe) to run and to communicate with the Client Manager using SSL over its listen port (by default, 8084).

The Client Manager's host was specified incorrectly or it has changed since the ProxyClient software was installed. To verify the Client Manager's host name, log in to the Client Manager's Management Console and click Configuration > ProxyClient > General > Client Manager. Correct the value specified in the Use host field.
The user can change the Client Manager host name or IP address if any of the following is true:
The ProxyClient has not successfully contacted the Client Manager since it was installed.
The ProxyClient software was installed with the ChangeCMAllowed registry key set to 1.

To change the Client Manager URL, start the ProxyClient Web browser window, click the Advanced tab, and, in the Client Manager section, click the (change) link next to the current Client Manager URL. Enter the new URL in the provided fields and click OK.

ProxyClient Tray Icon States and Meanings


The following table shows the state of the ProxyClient tray icon and its meaning.
Columns: Tray icon state, Message (see note a), Meaning

Message: Blue Coat ProxyClient; Acceleration: state; Web filtering: state; Location: name
Meaning: The ProxyClient is installed and functioning normally.

Message: Cannot contact the Client Manager
Meaning: The ProxyClient has been unable to download a configuration update for a period of two times the update interval or 30 days (whichever is longer). ProxyClient is using the last configuration file it was able to get from the Client Manager.
Likely causes:
Firewall configuration problems. Verify the following:
If the user has a firewall on the computer, make sure it allows the Client Manager's host name or IP address as a destination.
The corporate firewall must allow SSL traffic through the Client Manager's listen port (by default, 8084). To confirm the port, in the Client Manager's Management Console, click Configuration > ProxyClient > General > Client Manager.
Network problems. Verify the following:
If the user is located offsite, the user must first connect to the network (for example, using a VPN client).
Make sure the Client Manager appliance is running. If the Client Manager runs SGOS 5.4.x, log in to the Client Manager's Management Console as an administrator and click Statistics > Summary and make sure the interface to which ProxyClients connect is up.

Message: Unable to download configuration from Client Manager
Meaning: The ProxyClient was unable to download a configuration file from the Client Manager after the software was first installed, most likely due to communication problems between the client and the Client Manager. To resolve this issue, see "Client Manager Communication Troubleshooting Suggestions" on page 215.

Message: Software Update Available
Meaning: A ProxyClient software update is available from the Client Manager. This message never displays if software updates are disabled.

Message: Configuration error
Meaning: The ADN manager or backup manager is not providing any routing information, most likely because concentrators are not advertising any routes to the managers. See "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.

Message: Internal Service Error
Meaning: Displays if either acceleration or Web filtering drivers are not operational. Do any of the following:
For Web filtering errors, see "Web Filtering Internal Service Error" on page 169.
If the error indicates a problem with acceleration, ask the user to reboot the computer, enable trace logging, and repeat the actions that caused the internal service error. See "Instructing Users to Perform Data Traces" on page 233.

a. To display the message, either hover the mouse pointer over the ProxyClient tray icon or double-click the icon and look for the message in one of the locations shown in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.

Other ProxyClient Troubleshooting Tools


This section discusses the following topics:

"ProxyClient Troubleshooting Tools Summary"
"Changing the Client Manager" on page 229
"Changing the Default Web Server Port" on page 230
"Uninstalling the ProxyClient Software" on page 231
"Performing Data Traces and Data Collection" on page 232
"Using the ProxyClient VPN Whitelist Utility" on page 238
"Client Manager Logging" on page 240

ProxyClient Troubleshooting Tools Summary


This section discusses advanced troubleshooting tools and procedures for administrators. The tasks discussed in this section should be performed only by administrators, or by users with assistance from administrators. Following is a brief discussion of each troubleshooting tool:
Task: Change the Client Manager URL
Description: Enables you to connect to a Client Manager other than the one from which you initially downloaded the ProxyClient software. The typical use is running ProxySG demonstrations, trials, and evaluations from different ADN networks.
Detail: After you set the required registry key, click the Advanced tab. In the Client Manager section, the Client Manager Address value is a link.
For more information: "" on page 229

Task: Support trace
Description: Collects ProxyClient process information (that is, both acceleration or Web filtering) and provides more details than the Admin Log.
Detail: Advanced tab page, in the Diagnostic Tools section.
For more information: "Instructing Users to Perform Data Traces" on page 233

Task: Advanced logs
Description: Enables users to collect detailed trace information for acceleration or Web filtering individually, or for both.
Detail: Advanced tab page, in the Diagnostic Tools section. Click More under Admin Log.
For more information: "Performing Data Traces and Data Collection" on page 232

Task: Data collector
Description: Collects diagnostic information useful to troubleshoot unexpected behavior and connectivity problems.
Detail: Enables users to collect logs and system information so you can analyze the problem and refer it to Blue Coat Support, if necessary. If you have an SR number, you can attach data collector output to the SR ticket.
For more information: "Instructing Users to Run the ProxyClient Data Collector" on page 234

Task: Changing the Web server port
Description: Enables the administrator to change the default port the ProxyClient internal Web server uses to start the Web browser window.
Detail: The default port is 8000. You can change the port to 1024 through 65534, inclusive.
For more information: "Changing the Default Web Server Port" on page 230

Task: Uninstall the ProxyClient software
Description: Enables users with administrative privileges on the computer to uninstall the ProxyClient software.
For more information: "Uninstalling the ProxyClient Software" on page 231

Task: Registry settings
For more information: Table 11-4 on page 227; Table 11-5 on page 229

Table 114 summarizes ProxyClient registry settings in HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\ProxyClient.

On Windows 7 (64bit), the registry settings are in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client.

Table 114 ProxyClient registry settings

Key name: AutoUpdateProhibited
Data type: REG_DWORD
Allowed values:
0 (default) means the ProxyClient automatically implements software updates at the interval the administrator specified for software update interval in "Designating a ProxySG as the Client Manager" on page 81.
1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as SCCM, SMS, or GPO.
Note: Regardless of the value of this setting, the client always gets configuration updates automatically when they are available. Users can also get configuration updates manually.

Key name: CacheDirectory
Data type: REG_SZ
Allowed values: Set the folder in which ProxyClient cache files are stored. The path must already exist; otherwise, the default cache directory is used. The default cache directory follows:
Windows XP: %SystemDrive%:\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient
Windows Vista and Windows 7: %SystemDrive%:\Windows\system32\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

Key name: DefaultWebPort
Data type: REG_DWORD
Allowed values: 1024 through 65534 (inclusive). If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000. Default is 8000. For more information, see "Changing the Default Web Server Port" on page 230.

Key name: TiNotVisible
Data type: REG_DWORD
Allowed values: 0 | 1
Set to 1 to hide the ProxyClient system tray icon and pop-up messages. Set to 0 to display the ProxyClient tray icon and pop-up messages. By default, this registry key does not exist.

Key name: TiNotVisibleForceUpdate
Data type: REG_DWORD
Allowed values: 0 | 1
Set to 1 to force users to accept software and configuration updates without interaction. This key is independent of TiNotVisible; in other words, the setting for this key determines update behavior whether or not the ProxyClient tray icon is hidden.
Set to 0 to allow updates normally; that is, users always get configuration updates. Software updates can be installed manually. By default, this registry key does not exist.
Note: The availability of software updates is controlled by the AutoUpdateProhibited registry key. If AutoUpdateProhibited is set to 1, users cannot get software updates, regardless of the value of this registry key. For more information, see "Parameters for Silent Installations" on page 183.

Table 115 summarizes ProxyClient registry settings in HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\ProxyClient\config.

On Windows 7 (64bit), the registry settings are in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client.

Table 115 ProxyClient registry settings (config subnode)

Key name: ChangeCMAllowed
Data type: REG_DWORD
Allowed values: 0 | 1
Set to 1 to allow the user to change the Client Manager. Set to 0 to prevent the user from changing the Client Manager. The default is 0. For more information, see "" on page 229.
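An added example, not part of the original guide or of Blue Coat's software: a Python check that applies the rules of Table 114 and Table 115 to the text of a registry export, so an administrator can review what a client is configured to do. It assumes the input is the text of a `reg export` file; the finding labels and the sample export are constructed for illustration.

```python
import re

# Rules transcribed from Table 114 and Table 115 of this guide:
# value name -> (subnode, registry type, validity check, default when absent).
# A default of None means the value does not exist by default.
RULES = {
    "AutoUpdateProhibited":    ("", "dword", lambda v: v in (0, 1), 0),
    "CacheDirectory":          ("", "sz", lambda v: bool(v), None),
    "DefaultWebPort":          ("", "dword", lambda v: 1024 <= v <= 65534, 8000),
    "TiNotVisible":            ("", "dword", lambda v: v in (0, 1), None),
    "TiNotVisibleForceUpdate": ("", "dword", lambda v: v in (0, 1), None),
    "ChangeCMAllowed":         ("config", "dword", lambda v: v in (0, 1), 0),
}

# The guide spells the key both "ProxyClient" and "Proxy Client", and gives a
# Wow6432Node location for Windows 7 (64bit); accept all of these.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?"
    r"Blue Coat Systems\\Proxy ?Client(\\config)?\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Return {(subnode, lower-case value name): (type, value)} for ProxyClient keys."""
    values, subnode = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            subnode = None if m is None else ("config" if m.group(1) else "")
            continue
        m = VALUE_RE.match(line)
        if subnode is None or m is None:
            continue
        name, dword, string = m.groups()
        if dword is not None:
            values[(subnode, name.lower())] = ("dword", int(dword, 16))
        else:  # .reg files escape backslashes and quotes inside strings
            values[(subnode, name.lower())] = ("sz", re.sub(r"\\(.)", r"\1", string))
    return values


def audit(text):
    """Return (effective settings, findings) for one exported client configuration."""
    values = parse_reg_export(text)
    effective, findings = {}, []
    for name, (subnode, kind, valid, default) in RULES.items():
        found = values.get((subnode, name.lower()))
        if found is None:
            effective[name] = default
        elif found[0] != kind or not valid(found[1]):
            # The guide does not say how the client treats an invalid value,
            # so it is reported and left out of the effective settings.
            findings.append((name, "invalid"))
        else:
            effective[name] = found[1]
    if effective.get("ChangeCMAllowed") == 1:
        findings.append(("ChangeCMAllowed", "user-can-change-client-manager"))
    if effective.get("TiNotVisible") == 1:
        findings.append(("TiNotVisible", "tray-icon-and-popups-hidden"))
    if effective.get("AutoUpdateProhibited") == 1:
        findings.append(("AutoUpdateProhibited", "software-updates-need-other-channel"))
        if effective.get("TiNotVisibleForceUpdate") == 1:
            findings.append(("TiNotVisibleForceUpdate", "no-effect-on-software-updates"))
    return effective, findings


# Constructed sample export (not taken from a real client).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client]
"AutoUpdateProhibited"=dword:00000001
"TiNotVisibleForceUpdate"=dword:00000001
"DefaultWebPort"=dword:00000050
"CacheDirectory"="D:\\pc-cache"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client\config]
"ChangeCMAllowed"=dword:00000001
'''

if __name__ == "__main__":
    settings, problems = audit(SAMPLE_EXPORT)
    for name, label in problems:
        print(name, label)
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit`.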

Changing the Client Manager


You can change which Client Manager the ProxyClient uses if, for example, you want to run trials or demonstrations on a different ADN network than the one for which you initially configured the ProxyClient. You can also change the Client Manager to troubleshoot connectivity issues or in the event the Client Manager's address is incorrect or has changed.
Note: After you change the Client Manager address, the client gets a configuration update immediately. The behavior of software updates is not changed; in other words, if you prohibited software updates, the client will not attempt to get a software update after it connects to the new Client Manager. If software updates are allowed, the client gets an update at the next update interval.

To change the Client Manager URL:

1. Set the ChangeCMAllowed registry key in any of the following ways:
- When the ProxyClient software is installed as discussed in Table 92, "Parameters for Silent ProxyClient Installations" on page 184.
- After installing the ProxyClient software as discussed in the next step.

2. If a user is not allowed to change the Client Manager URL and the ProxyClient is already installed, perform the following tasks:
a. Start a plist editor application, such as Property List Editor, with sudo privileges.
b. Browse to the following key:
/Library/Preferences/com.bluecoat.proxyclient.config.plist
c. Double-click the ChangeCMAllowed registry value.
d. In the Value field, enter 1.
e. Click OK.
f. Another way to set plist values is to use the defaults command. Example:
sudo defaults write /Library/Preferences/com.bluecoat.proxyclient.config ChangeCMAllowed 1
Note: It is safe to set this while the service is running.

3. In the ProxyClient Web browser window, click the Advanced tab.
4. In the Client Manager section, click the change link next to the current Client Manager address. The Change Client Manager dialog displays.
5. In the Change Client Manager dialog, enter or edit the following information:

Field: New Address
Description: Enter the Client Manager's fully qualified host name or IP address.

Field: New Port
Description: Enter the Client Manager's listen port.

6. Click OK. A success or fail message displays in the Change ProxyClient Manager browser window as the URL is verified. The client gets a configuration update from the new Client Manager immediately. If software updates are ready to download at the next update interval, and if the client is allowed to get software updates, you are notified before the updates are installed. When the operation is complete, the Advanced tab page displays the new Client Manager host name or IP address.
7. Close the registry editor application.
8. Reboot the computer for the changes to take effect. The tray icon and pop-up messages are not visible except to notify the user that a software update is being downloaded, and to notify the user to reboot the computer after updates have been installed. If you prohibit automatic software updates, the icon never displays.

Changing the Default Web Server Port


By default, the ProxyClient's internal Web server listens on port 8000 so that when you open the ProxyClient Web server window, it defaults to the following URL:
http://127.0.0.1:8000/#Status

You can change the default port as follows:

- Install the ProxyClient software with the DefaultWebPort registry setting from the installer command line as discussed in "Preparing Silent Installations and Uninstallations" on page 181.
- If the ProxyClient software is already installed, add the DefaultWebPort registry key as discussed in the following procedure.

To optionally change the ProxyClient Web server listen port:

Start a registry editor like regedit.
1. Create a registry value named DefaultWebPort of type DWORD in the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\ProxyClient

On Windows 7 (64bit), the key is located here:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client

2. Set the value of DefaultWebPort as follows:
Allowed values: 1024 through 65534
If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000.
3. Exit the registry editor.
4. Restart the computer for the changes to take effect.

Uninstalling the ProxyClient Software


This section describes how to uninstall the ProxyClient application software from user systems. You can uninstall ProxyClient from your system only if you are in the Administrators group on the computer and if you know the uninstall password (if one is configured).

For information about silent uninstallation, see "Example Uninstallation" on page 190.

To uninstall the ProxyClient software on Windows:

1. Log in to your machine as a user who is a member of the Administrators group.
2. Click Start > Control Panel.
3. In the Control Panel window, select:
- Windows XP and Vista: In Classic View, double-click Add or Remove Programs.
- Windows Vista and Windows 7: In Category view, select Uninstall a program.
4. Click Blue Coat ProxyClient.
5. Click Remove. In Windows Vista and Windows 7, select Uninstall.
6. If prompted, enter the uninstall password.
7. Follow the prompts to uninstall the software.

Secondary Procedure
If you discover the preceding procedure did not remove all traces of the ProxyClient software, perform the tasks discussed in this section.

To uninstall the ProxyClient in Windows Safe Mode:

1. Boot into Safe Mode without Networking, which means that no ProxyClient components are loaded by the system.
2. Log in as an administrator.
3. Click Start > Settings > Control Panel.
4. In the Control Panel window, select:
- Windows XP and Vista: In Classic View, double-click Add or Remove Programs.
- Windows Vista and Windows 7: In Category view, select Uninstall a program.
5. Click Blue Coat ProxyClient.
6. Click Remove. In Windows Vista and Windows 7, select Uninstall.
7. If prompted, enter the uninstall password.
8. Follow the prompts to uninstall the software.

Performing Data Traces and Data Collection


Traces, logs, and data collection allow users to send you files containing ProxyClient process data that you or Blue Coat Support can use to diagnose issues. This section discusses the following topics:

- "About ProxyClient Logs"
- "About the Data Collection Application" on page 233
- "Instructing Users to Perform Data Traces" on page 233
- "Instructing Users to Run the ProxyClient Data Collector" on page 234

About ProxyClient Logs


Logs are written to the following folder:

Windows XP:
%SystemDrive%\Documents and Settings\All Users\Application Data\Blue Coat Systems\ProxyClient\support

Windows Vista and Windows 7:
%SystemDrive%\ProgramData\Blue Coat Systems\proxyclient\support

The ProxyClient creates the following log files:

Log file name: proxyclientautoupdate.log
Used by: Logs automatic software updates but not configuration updates.

Log file name: proxyclientlog.etl
Used by: Admin log (the log users can view on the ProxyClient Web browser window's Advanced tab page) and the advanced admin logs. The admin log and advanced admin log contain information about acceleration, Web filtering, software upgrades, and configuration updates. These logs are written during the entire time the ProxyClient is running.

Log file name: proxyclientdebug.etl
Used by: Support trace, which records all client activity in detail.

About the Data Collection Application


The ProxyClientDC application gathers system information to send to Blue Coat Support for troubleshooting and debugging purposes. Users have the option of collecting logs and e-mailing them to you or sending them directly to Blue Coat support and attaching them to an existing Service Request (SR). For more information, see "Instructing Users to Run the ProxyClient Data Collector" on page 234.

Instructing Users to Perform Data Traces


To create trace logs to get assistance from Blue Coat support, ask users to enable any of the following:

- The support trace records all client activity.
- Detailed trace activity for acceleration, Web filtering, or both.

For users to start a trace:

1. The user starts the ProxyClient Web browser window.
2. Click the Advanced tab.
3. On the Advanced tab page, in the Diagnostic Tools section, click More under Admin Log.
4. Click the Start Trace link next to the trace you wish to start.
5. Repeat the activity that caused the problem.
6. Click the Stop Trace link.
7. Click Open Trace Folder.
8. Send the appropriate .etl file to Blue Coat Support with detailed information about what caused the issue.

Note: These instructions are included in the ProxyClient on-line help that is available to users. Users can click Help either on the ProxyClient system tray icon or in the Web browser window.

Instructing Users to Run the ProxyClient Data Collector

Installed in the ProxyClient folder on user systems, the ProxyClient Data Collector is a utility that end users run to collect comprehensive system information that administrators or Blue Coat Support can use to diagnose problems with the ProxyClient application and network connectivity. When users access the Data Collector, they must select one of two data collection modes:

System Administrator Mode: This mode collects the following information, which is intended for corporate network administrators:
- All ProxyClient logs, including installation logs and diagnostic trace messages.
- A memory dump of the ProxyClient service process.
- The current configuration file and registry settings.
- A list of all running processes on the system.
- Packet capture
- Various network-related information (IP configuration, trace route, netstat data, and so on).

Blue Coat Mode: Same as Administrator Mode except this option uploads the information to an existing support case. If your issue was assigned a Service Response (SR) number, the user must enter the SR number to enter Blue Coat mode.

To run the ProxyClient Data Collector utility:

1. The user starts Windows Explorer or double-clicks My Computer.
2. Locate the ProxyClient installation folder. The default location is %SystemDrive%:\Program Files\Blue Coat\Proxy Client\. On Windows 7 (64bit), the location is %SystemDrive%:\Program Files (x86)\Blue Coat\ProxyClient.

3. Double-click the ProxyClientDC application. The Blue Coat ProxyClient Data Collector dialog displays.

4. Choose the mode in which to run the Data Collector. Options are discussed in the following table.

Option:
Action: Ask users to select this option if you suspect a configuration or network problem.

Option:
Action: If you have entered a support case with Blue Coat Support and have received an SR number, provide users with that number. The user should select the check box and enter the SR number in the provided field. Alternate: If you do not have an SR number but want to collect detailed information for Blue Coat Support, clear the check box. After the data collection process completes, ask the user to send you the file so you can contact Blue Coat Support.

5. Click Next. The Data Collector starts and displays the Blue Coat ProxyClient Data Collector dialog.

Figure 112 Green check marks indicate successful task completion.

Note: The preceding example shows collecting data in System Administrator mode. If the user selects Blue Coat Support mode, additional tasks are performed.

A green check mark displays next to each task as it completes successfully (some tasks might require several minutes to complete). At any time, click Stop to stop the data collection process (for example, if the process appears hung on one stage).

6. After ProxyClient completes all of the tasks:

System Administrator Mode or Blue Coat mode without selecting the check box to send the data to Blue Coat. Instruct users to:
a. Click View collected data. The collected files display in Windows Explorer.
b. Right-click the .zip file (begins with proxyclientdc- and ends with the user's system name and date/timestamp) and select Send to > My Documents.
c. E-mail the .zip file (begins with proxyclientdc- and ends with the user's system name and date/timestamp) to yourself.
d. Click Exit.

Blue Coat Mode (with the Automatically upload data directly to Blue Coat option selected): ProxyClient automatically forwards the information and associated case number to Blue Coat Support. Click Exit.

Blue Coat Mode, connection error: If users experience a connection error (that is, ProxyClient cannot upload to Blue Coat), instruct them to run the Data Collector in Blue Coat Mode again, but do not select Automatically upload data directly to Blue Coat.

Using the ProxyClient VPN Whitelist Utility


This section discusses how to use CardList.exe, a utility that assists you in making certain that VPN adapters are recognized by the ProxyClient as Virtual NICs for location awareness purposes. For more information about location awareness, see "About ProxyClient Location Awareness" on page 13. Because certain software does not flag a Virtual NIC as a virtual device, these adapters are seen by the ProxyClient as physical adapters. To resolve this potential issue, when you install the ProxyClient, the following registry key is created:
HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\Proxy Client\VPN Whitelist

On Windows 7 (64bit), the registry key is located at:


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client\VPN Whitelist

You must edit the registry key to include values that enable the ProxyClient to recognize the VPN adapter for location awareness purposes. The CardList.exe utility identifies these values.

CardList.exe outputs the following types of values:

- MAC address
- IP address
- Comment

Choose an output from CardList.exe that is common among multiple users' computers. When it is available, use the MAC address; avoid using the IP address because it is likely to be different on different computers. Examples follow.

To use CardList.exe:

1. Log in as an administrator to a computer with a VPN adapter that is not recognized by the ProxyClient.
2. Download CardList.exe to that computer. CardList.exe is attached to KB article 2945. For more information about the Blue Coat Knowledge Base, see "Blue Coat Knowledge Base" on page 9.
3. Connect to the VPN network.
4. Double-click CardList.exe.

Following is example output from Windows Vista and Windows 7:

Card List Tool
----------------------------------------------------------------
This tool lists out all of the network cards that are considered when comparing against the "VPN Whitelist" registry key.
Under each card is a list of the strings that can be used to match it. (Only complete strings are matched.)
The order of the strings is: MAC address (if one exists), IP address, and description.
Please note that these strings may be different between different machines and different OS versions.
----------------------------------------------------------------
[List of identifiers for adapter "{8A9E4847-A044-46FE-8E9299EEE0C0B7AF}"]
192.168.192.124
click to connect to network access using firepass 1200
[List of identifiers for adapter "{3D4E88D4-6A70-11DB-B1BA806E6F6E6963}"]
127.0.0.1
software loopback interface 1
Press any key to continue...

Note that in the preceding example, the VPN adapter's MAC address is not output by CardList.exe but the IP address is (192.168.192.124).

Following is example output from Windows XP:

Card List Tool
----------------------------------------------------------------
This tool lists out all of the network cards that are considered when comparing against the "VPN Whitelist" registry key.
Under each card is a list of the strings that can be used to match it. (Only complete strings are matched.)
The order of the strings is: MAC address (if one exists), IP address, and description.
Please note that these strings may be different between different machines and different OS versions.
-----------------------------------------------------------------
[List of identifiers for adapter "{DE548E90-ED21-4DCE-A7B46D53318BA85E}"]
00-53-45-00-00-00
192.168.192.125
wan (ppp/slip) interface
[List of identifiers for adapter "MS TCP Loopback interface"]
127.0.0.1
ms tcp loopback interface
Press any key to continue...

In the preceding example, both the MAC address (00-53-45-00-00-00) and the IP address (192.168.192.125) are output by CardList.exe.

5. Start a registry editor utility like regedit.
6. Locate the HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\Proxy Client\VPN Whitelist registry key. On Windows 7 (64bit), the registry key is located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client

7. Edit the existing REG_SZ (string) registry value containing one or more of the following values (using a comma to separate multiple values):
- Virtual NIC IP address
- MAC address
- Any other string output by the utility; in the example, click to connect to network access using firepass 1200. Note that you can enter a portion of the string; you do not have to enter the entire string.

For example:
00-53-45-00-00-00,click to connect to network access using firepass 1200

8. Save your changes to the registry and reboot the computer. When the computer reboots, the ProxyClient recognizes the Virtual NIC.
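An added example, not part of the original guide and not Blue Coat's tool: a Python sketch that parses CardList.exe output collected from several computers and builds a VPN Whitelist value following the advice above (prefer the MAC address, use the IP address only as a last resort). The one-identifier-per-line layout, the function names and the sample text, which is constructed from the guide's two examples, are assumptions.

```python
import re

ADAPTER_RE = re.compile(r'^\[List of identifiers for adapter "(.+)"\]$')
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Lower rank is preferred: MAC when available, the IP address only as a last resort.
RANK = {"mac": 0, "description": 1, "ip": 2}


def parse_cardlist(output):
    """Return [{'adapter': name, 'ids': [(kind, string), ...]}] from CardList.exe text."""
    adapters = []
    for raw in output.splitlines():
        line = raw.strip()
        header = ADAPTER_RE.match(line)
        if header:
            adapters.append({"adapter": header.group(1), "ids": []})
        elif adapters and line and not line.startswith(("---", "Press any key")):
            kind = "mac" if MAC_RE.match(line) else "ip" if IP_RE.match(line) else "description"
            adapters[-1]["ids"].append((kind, line))
    return adapters


def pick_vpn_adapter(adapters, hint=None):
    """Pick the one non-loopback adapter; `hint` (a substring) disambiguates several."""
    found = [a for a in adapters
             if not any(k == "ip" and v.startswith("127.") for k, v in a["ids"])]
    if hint:
        found = [a for a in found if any(hint.lower() in v.lower() for _, v in a["ids"])]
    if len(found) != 1:
        raise ValueError("expected exactly one VPN adapter, found %d" % len(found))
    return found[0]


def build_whitelist(vpn_adapters):
    """Greedy cover: pick strings until every machine's VPN adapter matches one of them."""
    covers = {}  # (kind, string) -> indexes of the machines whose adapter reports it
    for machine, adapter in enumerate(vpn_adapters):
        for ident in adapter["ids"]:
            if "," not in ident[1]:  # a comma would split the registry value
                covers.setdefault(ident, set()).add(machine)
    uncovered, chosen, warnings = set(range(len(vpn_adapters))), [], []
    while uncovered:
        usable = [i for i in covers if covers[i] & uncovered]
        if not usable:
            raise ValueError("no usable identifier for machines %s" % sorted(uncovered))
        # Non-IP strings first, then the string shared by most machines, then MAC.
        best = min(usable, key=lambda i: (i[0] == "ip", -len(covers[i] & uncovered),
                                          RANK[i[0]], i[1]))
        if best[0] == "ip":
            warnings.append("%s is an IP address and is likely to differ between computers" % best[1])
        chosen.append(best[1])  # complete strings only
        uncovered -= covers[best]
    return ",".join(chosen), warnings


# Constructed sample input, modelled on the guide's two example outputs.
VISTA_OUTPUT = """Card List Tool
----------------------------------------------------------------
[List of identifiers for adapter "{8A9E4847-A044-46FE-8E9299EEE0C0B7AF}"]
192.168.192.124
click to connect to network access using firepass 1200
[List of identifiers for adapter "{3D4E88D4-6A70-11DB-B1BA806E6F6E6963}"]
127.0.0.1
software loopback interface 1
Press any key to continue...
"""
XP_OUTPUT = """Card List Tool
----------------------------------------------------------------
[List of identifiers for adapter "{DE548E90-ED21-4DCE-A7B46D53318BA85E}"]
00-53-45-00-00-00
192.168.192.125
wan (ppp/slip) interface
[List of identifiers for adapter "MS TCP Loopback interface"]
127.0.0.1
ms tcp loopback interface
Press any key to continue...
"""

if __name__ == "__main__":
    machines = [pick_vpn_adapter(parse_cardlist(text)) for text in (VISTA_OUTPUT, XP_OUTPUT)]
    print(build_whitelist(machines)[0])
```

With the two sample outputs, no single string is common to both computers, so the result combines the Windows XP MAC address with the Windows Vista description, which is the same value the guide gives as its example.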

Client Manager Logging


The Client Manager logs success or failure events related to users downloading the ProxyClient software and configuration. Each log should include timestamp, HTTP GET string (including the HTTP return code), and client machine name.

To obtain Client Manager logs:

Enter the following URL in your browser's address field:

https://host:port/proxyclient/log

where host is the fully qualified host name or IP address of the Client Manager, and port is the ProxySG appliance's listen port.

Using the ProxyClient VPN Whitelist Utility


This section discusses how to use VPN whitelisting, a feature that makes certain that VPN adapters are recognized by the ProxyClient as Virtual NICs for location awareness purposes. For more information about location awareness, see "About ProxyClient Location Awareness" on page 13. Because certain software does not flag a Virtual NIC as a virtual device, these adapters are seen by the ProxyClient as physical adapters. To resolve this potential issue, when you install the ProxyClient, a plist entry "VPN Whitelist" is created in:
/Library/Preferences/com.bluecoat.proxyclient.plist

You must edit the plist entry to include values that enable the ProxyClient to recognize the VPN adapter for location awareness purposes. The value can be any one of the following:

- Virtual NIC IP address
- MAC address
- Adapter name

Appendix A: About the ProxyClient System Footprint

This chapter lists the files, folders, and registry keys created by the ProxyClient application. This chapter divides the information into the following sections:

- "Installation" on page 243
  - "Folders" on page 243
  - "Files" on page 244
  - "Setup MSI" on page 244
  - "Setup MSI" on page 244
  - "Installed Files" on page 244
  - "Shortcuts" on page 246
- "During Runtime" on page 247
  - "Logging and Support" on page 247
  - "Web Filter Files" on page 248
  - "Data Collector" on page 248
- "Removal" on page 248

Installation
This section lists all of the folders and files affected by installation.

Folders
Installation affects the following folders.
Table A1 Folders affected by installation

Name Used in the Document Temp Installation Location

Default Path
%temp% $TMPDIR %SystemDrive%\Documents and Settings\All Users\Application Data\Blue Coat Systems\ProxyClient\support

Notes

This is the user's temporary directory.


ProxyClient service and other related files are installed here

Windows 7 (64bit):
%SystemDrive%\ProgramData\Blue Coat Systems\ProxyClient\support/ opt/.bluecoatsystems/proxyclient

Name Used in the Document: Application Location
Default Path: /Applications/Blue\ Coat/Proxyclient/
Notes: The Tray Icon Application and the DataCollector tool are installed here.

Name Used in the Document: Application Support
Default Path: /Library/Application\ Support/Blue\ Coat\ Systems/proxyclient/support
Notes: Diagnostic data is stored here.

Name Used in the Document: plist files Directory
Notes: Plist entries are located in this directory.

Files
Installation affects the following files.
Table A2 Files affected by installation

File Name
ProxyClientSetup.msi .pkg InstallSupport.log proxyclientsetup_msi.log

Location
%TEMP%

Temp

Support folder

Setup MSI
The user can download the setup executable to any location on the system (disk). This executable creates a .pkg file in the Temp directory, which proceeds with the actual installation.

Setup pkg
This is created either by setup bsx in the Temp directory during installation or by extracting it to a location specified by the user (usually Administrator). This file initiates installation.

Installed Files
The MSI installs the majority of the ProxyClient files to the installation target. Table A4 lists the files for a 32bit Windows platform, and Table A5 lists the files installed on a 64bit Windows 7 platform.

List of installed files in the Application location:


Table A4

List of installed files on a 32bit platform.

File Name
ProxyClient ProxyClientSvc.exe ProxyClientUI.exe ProxyClient32.dll Easyhook32.lib ProxyClientDC.exe SGClientEula.html Chartdir.dll SGCustomAction.dll Bridge.pyc StringTable.pyc ProxyClientConfig.xml

Description Shortcut for the ProxyClient application ProxyClient service executable ProxyClient tray icon executable ProxyClient acceleration/web filtering library ProxyClient Data Collector utility End User License Agreement User interface support library Installation support library User interface support file User interface support file ProxyClient configuration and policy file (downloaded from Client Manager) Acceleration driver Web filter driver Required by the Easyhook library.

ProxyClientFlt32.sys ProxyClientWebFilter32.sys License.txt Readme.txt

Other files created during installation:


Table A5 List of installed files on a 64bit platform.

File Name
ProxyClient ProxyClientSvc.exe ProxyClientUI.exe ProxyClient64.dll Easyhook64.lib ProxyClientDC.exe SGClientEula.html Chartdir.dll SGCustomAction.dll Bridge.pyc

Description Shortcut for the ProxyClient application ProxyClient service executable ProxyClient tray icon executable ProxyClient acceleration/web filtering library ProxyClient Data Collector utility End User License Agreement User interface support library Installation support library User interface support file


File Name
StringTable.pyc ProxyClientConfig.xml

Description User interface support file ProxyClient configuration and policy file (downloaded from Client Manager) Acceleration driver Web filter driver Required by the Easyhook library. Injects a 64bit process with the 32bit ProxyClient service.

ProxyClientFlt64.sys ProxyClientWebFilter64.sys License.txt Readme.txt Inject64.exe

Table A6 Other files created during installation

File Name: com.bluecoat.proxyclientservice.plist
Location: /Library/LaunchDaemons/
Description: Service launch daemon

File Name: proxyclientwebfilter.kext
Location: /System/Library/Extensions/
Description: Webfilter driver

File Name: com.bluecoat.proxyclient.plist, com.bluecoat.proxyclient.config.plist, com.bluecoat.proxyclient.datacollector.plist, com.bluecoat.proxyclient.internal.plist
Location: Plist files directory
Description: ProxyClient configuration plist files

File Name: Proxyclientlog.etl
Location: Support Directory
Description: ProxyClient admin log

File Name: Proxyclientdebug.etl
Location: Support Directory
Description: ProxyClient debug log

Additionally, several user interface files are written to the include and webroot folders under the installation target. The total size of the installed files (not including the initial configuration file) is approximately 15 MB. The size of the configuration file varies in size, from 2 KB to several MB.

Shortcuts
The MSI also creates a shortcut in the Start menu. The shortcut is called ProxyClient, and is in the Blue Coat ProxyClient folder. No shortcuts are created on the desktop.

Table A7 lists some of the registry keys used by the ProxyClient. In the table, the following abbreviations are used:

- HKCR means HKEY_CLASSES_ROOT
- HKCU means HKEY_CURRENT_USER
- HKLM means HKEY_LOCAL_MACHINE

Table A7 List of registry keys

Path: HKCR\AppID\{5CDD0A2B-2C5C-4313-83EFA3F4A4551918}
Purpose: Key: Contains data required by the service

Path: HKLM\Software\Blue Coat Systems\Proxy Client\
Windows 7 (64bit): HKLM\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client
Purpose: Key: Software settings for ProxyClient. Keys under this node are discussed in Table 114, "ProxyClient registry settings" on page 227.

Path: HKLM\Software\Blue Coat Systems\Proxy Client\config
Windows 7 (64bit): HKLM\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client\config
Purpose: Table 115, "ProxyClient registry settings (config subnode)" on page 229

Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Purpose: Value: Start tray icon on login

Path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\ProxyClient Service
Purpose: Key: Diagnostic settings

Path: HKLM\System\CurrentControlSet\Services\ (proxyclientflt, ProxyClientSvc, proxyclientwebfilter, WebFilter)
Purpose: Sub-keys (in parentheses) created for acceleration and web filter drivers

Path: HKLM\System\CurrentControlSet\Control\SafeBoot\Network\proxyclientsvc
Purpose: Key: Start ProxyClient when booting in Safe Mode

During Runtime
As the ProxyClient runs, it creates additional files depending on what functionality is enabled. When the service runs, an encrypted folder is created under the Windows user folder for the LocalService account. This provides a more secure environment for storing sensitive data.

Logging and Support


In the Support folder, if tracing is enabled, a file named proxyclientdebug.etl is created. Additionally, if the service crashes for any reason, a memory dump file is generated in the Support folder.
Note: Trace files and memory dumps must be sent to Blue Coat Support for interpretation.

Windows XP
%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient

Windows Vista
%SystemDrive%\Windows\system32\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

Windows 7 (64bit)
%SystemDrive%\Windows\SysWOW64\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

To change the location of the cache directory, see one of the following sections:

To set the cache directory when you install the ProxyClient software, see "Parameters for Silent Installations" on page 183.

Web Filter Files


When Web filtering is enabled, activity is written to an encrypted log file. The log files are periodically uploaded, and the extent of the data to be logged is determined by the administrator.

Data Collector
The Data Collector utility, which is installed with the ProxyClient, creates a subfolder of Temp as a repository for the collected data. The contents of the Support folder are copied here, and several new files are created. The specifics of the folder's contents are discussed in other documents about the Data Collector.
Note: The Data Collector is a troubleshooting utility. For more details, see "Instructing Users to Run the ProxyClient Data Collector" on page 234.

Removal
When the ProxyClient is removed from a user's system, all installed software, drivers and supported files are removed.

Contents Left Behind


No files that were created in the Temp folder are removed. There is currently no mechanism to track all of the files that are created there. However, these files are safe for removal at any time. Immediately following the removal of the ProxyClient (but before rebooting), it might appear that some files created by the software or the installation process have not yet been removed. This is because the files are still in use by other system processes. When this happens, the removal process marks the files for removal upon reboot. Mac automatically removes them the next time that the system is restarted. Windows automatically removes them the next time that the system is restarted.
