Blue Coat ® Systems ProxyClient Administration and Deployment Guide for Windows ProxyClient Version 3.4 SGOS Version 6.2.x

Proxy Client Administration and Deployment Guide for Windows 3.4.x.1


Contact Information

Americas: Blue Coat Systems Inc., 410 North Mary Ave, Sunnyvale, CA 94085-4121

Rest of the World: Blue Coat Systems International SARL, 3a Route des Arsenaux, 1700 Fribourg, Switzerland

http://www.bluecoat.com/support/contactsupport

http://www.bluecoat.com

For concerns or feedback about the documentation: [email protected]

© 1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, ProxyOne™, CacheOS™, SGOS™, SG™, Spyware Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®, PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY “BLUE COAT”) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Americas: Blue Coat Systems, Inc., 410 N. Mary Ave., Sunnyvale, CA 94085

Rest of the World: Blue Coat Systems International SARL, 3a Route des Arsenaux, 1700 Fribourg, Switzerland

Document Number: 231-03077 Document Revision: ProxyClient 3.4.x—11/2011

Contents

Preface

Audience
Typographical Conventions
Blue Coat Knowledge Base
Notes and Warnings

Chapter 1: ProxyClient Concepts

What’s New in This Release
About ProxyClient Tamper Resistance
About ProxyClient Location Awareness

Overview of Location Awareness
About Web Filtering Auto-Detection
General Guidelines for Location Conditions
About Condition Rulebase Ordering

About ProxyClient CIFS Acceleration
About ProxyClient Web Filtering

Web Filtering Terminology
Enabling or Disabling Web Filtering Based on Location
Web Filtering for Users and Groups
About the BCWF Database and Categorization
About Security With Guest User Scenarios

About ADN Feature Support in ProxyClient
ADN and ProxyClient Terminology
About the Roles of ProxySG Appliances With the ProxyClient
ADN Features and the ProxyClient

ProxyClient Security Disclaimers
About ProxyClient Licensing
Software and Hardware Requirements
Why Deploy ProxyClient?
About Blue Coat in the Network

Chapter 2: ProxyClient Deployments

Assumptions
ProxySG Assumptions
ProxyClient Computer Setup Assumptions
Network Assumptions
Location Awareness Assumptions

ProxyClient Deployment Roadmap
Step 1: Configure a Primary ADN Manager and Internet Gateway
Step 2: Configure the Concentrator
Step 3: Configure the Client Manager
Step 4: Configuring ProxyClient Acceleration
Step 5: Configuring ProxyClient Web Filtering
Step 6: Configure ProxyClient Locations
Step 7: Install the ProxyClient Software
Performing Basic Verification

Verifying Location Awareness
Viewing Acceleration Details
Viewing Web Filtering Details
Viewing the Admin Log
Verifying Tamper Resistance
For More Information About ProxyClient Troubleshooting

Step 8: (Optional) Using Web Filtering Auto-Detection
Sample Local Policy File
Verifying Web Filtering Auto-Detection

Chapter 3: Getting Started with the ProxyClient

ProxyClient Configuration Overview
Where To Go From Here

Chapter 4: ADN Network Configuration Prerequisites

ProxyClient Compatibility with SGOS
Recommended Upgrade Information
ProxyClient and SGOS Compatibility
Important Information About Web Filtering Support
For More Information About ADN Networks

Preparing the ADN Configuration for ProxyClient Deployment
About Open ADN and Closed ADN With the ProxyClient

Configuring a Closed or Open ADN Network
Enabling ADN Managers

About Manager Listening Mode With the ProxyClient
About Tunneling Listening Mode With the ProxyClient
Configuring Manager and Tunneling Ports
Configuring Concentrators to Advertise Subnets
About Secure Outbound Mode
About Internet Gateways

Chapter 5: Configuring the Client Manager

Before You Begin Configuring the Client Manager
Designating a ProxySG as the Client Manager
Uploading the ProxyClient Software to the Client Manager

Overview of the ProxyClient Upload Process
Getting the ProxyClient Software
Running Windows.msi
Uploading the ProxyClient .car File to the Client Manager

Setting Up the Client Manager (CLI)
Configuring the Client Manager (CLI)
Loading the Software (CLI)
Showing ProxyClient Settings (CLI)
Clearing ProxyClients (CLI)

Chapter 6: Configuring ProxyClient Locations

Location Awareness Overview
Location Awareness Decision Diagram
Location Awareness Task Summary
Configuring ProxyClient Locations

Ordering Locations in the Rulebase
Configuring Default Actions

Configuring Web Filtering Auto-Detection
Installing Local Policy on ProxySGs

Configuring ProxyClient Locations (CLI)

Chapter 7: Configuring ProxyClient Acceleration

Before You Begin Configuring ProxyClient Policy
Specifying the ProxyClient ADN Manager

Troubleshooting ProxyClient Acceleration Configuration
Tuning the ADN Configuration

Excluding Subnets from Being Accelerated
Excluding and Including Ports

Enabling File Sharing Acceleration
Configuring ProxyClient Acceleration Settings (CLI)
Troubleshooting ProxyClient Acceleration

Overview of Acceleration Troubleshooting
Getting Detailed Diagnostics
More Information About ProxyClient Acceleration Troubleshooting
Getting Detailed Diagnostics

Chapter 8: Configuring ProxyClient Web Filtering

Web Filtering Task Summary
Options for Enabling Blue Coat Web Filtering
Enabling the Blue Coat Web Filter Database (Optional)

Enabling Other Databases
Enabling the Use of the Local Database (Optional)

Enabling the Local Database
Setting Up ProxyClient Web Filtering

Entering BCWF Database Credentials
Enabling ProxyClient Web Filtering
About the Policy Tab Page

Working With Categories, Users, Groups, and Policy Actions
Getting Started With Categories
Selecting Categories
Configuring Users and Groups
Managing Policy Categories
Configuring System and Default Policy Actions
Ordering Categories in the Rulebase
Configuring Other Web Filtering Options

Web Filtering Best Practices
Displaying and Customizing Web Filtering Exception Pages
Enabling Web Filtering Logging

About Web Filtering Logging
How to Enable Web Filtering Logging
Configuring Clients That Require a Proxy to FTP Logs
Interpreting the Log Files

Configuring ProxyClient Web Filtering (CLI)
Troubleshooting ProxyClient Web Filtering

Overview of Web Filtering Troubleshooting
More Information About Web Filtering Troubleshooting
Getting Detailed Diagnostics

Chapter 9: Distributing the ProxyClient Software

ProxyClient Software Distribution Prerequisites
Overview of Distributing the ProxyClient Software
Preparing Interactive Installations

Interactive Installations from the Client Manager
Interactive Manual Installations

Preparing Silent Installations and Uninstallations
About Silent Web Filtering Installations
Parameters for Silent Installations
Command for Silent Uninstallations
Example Installations and Uninstallation
Limiting ProxyClient Visibility and Interactivity

Using Group Policy Object Distribution


Chapter 10: Monitoring ProxyClient Performance

Viewing ProxyClient History Statistics
Viewing ProxyClient Bandwidth (BW) Usage Statistics
Viewing ProxyClient Active Clients Statistics
Viewing ProxyClient Configurations Served Statistics
Viewing ProxyClient Software Served Statistics

Viewing ProxyClient Detail Statistics
Viewing ProxyClient Client Details
Viewing ProxyClient Client Version Count

Viewing ProxyClient ADN History Statistics
Viewing ProxyClient Active Session Statistics

Chapter 11: Troubleshooting the ProxyClient

Using the ProxyClient Web Browser for Troubleshooting
Troubleshooting ProxyClient Installation and Operation

Suggested Workarounds for Installation Errors
ProxyClient Tray Icon States and Meanings

Other ProxyClient Troubleshooting Tools
ProxyClient Troubleshooting Tools Summary
Changing the Client Manager
Changing the Default Web Server Port
Uninstalling the ProxyClient Software
Performing Data Traces and Data Collection
Using the ProxyClient VPN Whitelist Utility
Client Manager Logging
Using the ProxyClient VPN Whitelist Utility

Installation
Folders
Files
Setup MSI
Setup pkg

During Runtime
Logging and Support
Web Filter Files
Data Collector

Removal


Preface

This Preface provides you with an overview of the intended audience for this book, the document organization, Blue Coat typographical conventions, and related documentation for this product.

Audience

This book is written for administrators responsible for planning and deploying the Blue Coat ProxyClient and assumes that you have knowledge of basic ADN networking.

Typographical Conventions

Blue Coat documents employ the following typographical conventions:

Conventions             Definition
Italics                 The first use of a new or Blue Coat-proprietary term; also used for emphasis.
Courier New             Command-line text.
Courier New Italic      A command-line variable that is to be replaced by a name or value pertaining to your network system.
Courier New Boldface    A literal value to be entered as shown.
{ }                     One of the parameters enclosed within the braces must be supplied.
[ ]                     An optional parameter or parameters.
|                       You can select the parameter before or after the pipe character. (I think this needs a better description/JR)

Blue Coat Knowledge Base

Blue Coat now has a Knowledge Base, which contains information about this product that might not be available in the documentation or Release Notes. The Knowledge Base contains information in the following categories:

❐ Solutions

❐ FAQs

❐ Alerts—including security alerts

❐ Technical field information

Blue Coat recommends you regularly search the Knowledge Base for late-breaking information that might not be available in product documentation or Release Notes.

To view articles in the Knowledge Base:

1. Enter the following URL in your browser’s address or location field:

https://kb.bluecoat.com

2. Do any of the following:

• To get an answer to a specific question, enter the question in the Ask a question field, and click Ask.

• To view a specific set of articles, click a selection in the horizontal navigation bar (Solutions, FAQs, and so on).

All of the sections enable you to browse by product, operating system, type of deployment, or topic.

3. Follow the prompts on your screen to locate the desired information.

To view solutions for the ProxyClient:

a. Click Solutions.

b. On the Solutions page, click Products.

c. On the Products page, click ProxyClient.

Note: Not all products are listed in alphabetical order; ProxyClient is listed in the first column.

Notes and Warnings

The following is provided for your information and to caution you against actions that can result in data loss or personal injury:

Note: Information to which you should pay attention.

Important: Critical information that is not related to equipment damage or personal injury (for example, data loss).


Chapter 1: ProxyClient Concepts

Before configuring the ProxyClient, Blue Coat recommends that you understand the conceptual information discussed in this chapter.

This chapter discusses the following topics:

❐ "What’s New in This Release"

❐ "ADN and ProxyClient Terminology" on page 23

❐ "About Blue Coat in the Network" on page 32

❐ "About the Roles of ProxySG Appliances With the ProxyClient" on page 25

❐ "About ProxyClient Tamper Resistance" on page 12

❐ "About ProxyClient Location Awareness" on page 13

❐ "About ProxyClient CIFS Acceleration" on page 17

❐ "About ProxyClient Web Filtering" on page 19

❐ "About ADN Feature Support in ProxyClient" on page 23

❐ "ADN Features and the ProxyClient" on page 26

❐ "About ProxyClient Licensing" on page 31

❐ "Software and Hardware Requirements" on page 31

❐ "Why Deploy ProxyClient?" on page 31

❐ "About Blue Coat in the Network" on page 32

Note: This book assumes that you are familiar with the Blue Coat Application Delivery Network (ADN) concepts and features, as discussed in "ADN Acceleration Techniques" on page 770 in the SGOS Administration Guide.

What’s New in This Release

This section summarizes the new features and significant enhancements in the ProxyClient 3.4 release.

Feature                 Summary
Support for Mac OS X    ProxyClient can be run on Mac OS X platforms.

For more information about ProxyClient features, see the following sections:

❐ "About ProxyClient Tamper Resistance" on page 12

❐ "About ProxyClient Location Awareness" on page 13

❐ "About Web Filtering Auto-Detection" on page 14

❐ "About ProxyClient CIFS Acceleration" on page 17

❐ "About ProxyClient Web Filtering" on page 19

About ProxyClient Tamper Resistance

Users who log in with the local administrative privilege on their computer have the authority to perform tasks such as stopping services, killing processes, and uninstalling software. For example, a user who can stop the ProxyClient service can circumvent Web content filtering.

To help prevent that, ProxyClient 3.4 offers the following tamper resistance features:

Tamper resistance feature    Requires uninstall password?
Users cannot uninstall the ProxyClient software unless they know the uninstall password    Yes
Users cannot permanently stop the ProxyClient service using the Services application in the Windows Control panel, the Windows Task Manager, or using the net stop ProxyClientSvc.exe command    Yes
Users cannot stop the ProxyClient services using net stop from the command line    Yes
Users cannot alter or delete ProxyClient policy    No

More information about each feature follows:

❐ Uninstalling the software—Only a local administrator who knows the password can uninstall the ProxyClient software.

❐ Stopping the service—No user, even a local administrator, can permanently stop the service. The uninstall password must be configured to enable this feature, but a password prompt is not presented to the user.

A user who is a local administrator can temporarily stop the service but after a short period of time, the service restarts itself.

Note for ProxyClient Web filtering: Blue Coat recommends you set the policy action for the Unavailable category to Block to prevent Internet access in the event users attempt to defeat Web filtering by stopping the service. See "Web Filtering Best Practices" on page 155.

❐ Altering policy—Even if a user succeeds in editing the encrypted configuration file, the user’s changes are ignored.

About ProxyClient Location Awareness

The following sections discuss location awareness:

❐ "Overview of Location Awareness"
❐ "About Web Filtering Auto-Detection" on page 14
❐ "General Guidelines for Location Conditions" on page 15
❐ "About Condition Rulebase Ordering" on page 16

Overview of Location Awareness

Location awareness enables administrators to enable or disable ProxyClient acceleration and Web filtering functionality based on the location from which the client connects.

For example, the administrator should disable both acceleration and Web filtering for users in the office if ProxySG concentrators and branch proxies perform those functions. Administrators should enable both acceleration and Web filtering for mobile users because there is no local ProxySG to perform those functions. (In general, enable the ProxyClient to perform functionality a local ProxySG does not perform.)

Locations are defined by the ProxySG administrator using one or more of the following location conditions (Configuration > ProxyClient > General > Locations):

❐ Source IP range, which is appropriate for situations (such as in the office) where you know the IP address range from which clients connect.

❐ DNS server IP address

In some situations, the client’s IP address might not be enough to uniquely define a location. If that is the case, DNS servers can be used as additional location conditions.

❐ Virtual network interface IP address, which should be used whenever clients connect to the corporate network using VPN software.

VPN software typically creates a virtual network adapter (referred to as a virtual NIC) that is assigned an IP address to be used when the client connects to the corporate network over VPN.

A VPN gateway behind the firewall at the corporate data center provisions IP addresses and DNS server addresses to VPN clients.

Note: The ProxyClient version 3.2 or later can be configured to detect whether it is in a network where a ProxySG appliance is performing Web filtering. For more information, see "About Web Filtering Auto-Detection" on page 14.

Note:

• Some VPN client software creates a virtual NIC as a physical adapter, and that prevents the adapter from being used as a location criterion. To work around this issue, see "Using the ProxyClient VPN Whitelist Utility" on page 238.

• Location conditions are logically ANDed together, so choosing more than one location condition for a location is a good way to uniquely identify the location.

• If the computer’s IP address changes, the ProxyClient detects the IP address change and evaluates it against location rules. For example, if a user takes a laptop from the office to a mobile location and installs a wireless adapter in the laptop, as soon as the IP address changes, the laptop’s location is evaluated against defined locations.

Continue with "About Web Filtering Auto-Detection".

About Web Filtering Auto-Detection

This section discusses the prerequisites and benefits of Web filtering auto-detection, which disables ProxyClient Web filtering if the ProxyClient is deployed in any of the following ways:

❐ In-path with a ProxySG that performs Web filtering

❐ The ProxyClient uses a filtering ProxySG as an explicit proxy

With this new feature, introduced in SGOS 5.5 and ProxyClient 3.2, you are no longer required to create an in-office location to disable ProxyClient Web filtering.

Prerequisites: All of the following must be true:

❐ The Client Manager must run SGOS 5.3.2.5 or later.

❐ Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).

❐ The ProxyClient must be deployed in any of the following ways:

• In-path with the filtering ProxySG

• The ProxyClient computer must use the filtering ProxySG as an explicit proxy

❐ ProxyClients must run 3.2 or later.

❐ Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed.

For details, see "Configuring Web Filtering Auto-Detection" on page 100.

Benefits:

• Web filtering auto-detection is fast, happening within a few seconds after a ProxyClient requests a rating for a URL.

• Web filtering auto-detection prevents double filtering. Double filtering happens when both ProxyClient Web filtering and ProxySG Web filtering are applied to a URL request. (For example, if Web filtering is enabled in the ProxyClient’s location and is also enabled by policy in an office network with ProxySG Web filtering.)

Double filtering can result in policy conflicts if the same category is allowed by one policy set and blocked by another policy set.

Continue with "General Guidelines for Location Conditions".

General Guidelines for Location Conditions

In general, configure the ProxyClient to perform the features that a ProxySG does not perform (acceleration or Web filtering). Also see "Step 6: Configure ProxyClient Locations" on page 48 for a step-by-step example.

When planning your ProxyClient deployment, Blue Coat recommends you take the following into account:

❐ Whether or not a ProxySG at the location performs acceleration or Web filtering

❐ Which two of the three available location conditions uniquely define the location

The following table shows how to use these guidelines in a sample four-location deployment:

| Location type | How to apply the guidelines |
|---|---|
| Mobile with no local ProxySG | • Role of local ProxySG: There is none, so the location should enable both ProxyClient acceleration and Web filtering. • Location conditions: To uniquely identify the location, choose Virtual NIC IP address and DNS server IP address. |
| Headquarters with several local ProxySGs | • Role of local ProxySGs: Perform both acceleration and Web filtering, so the location should disable both features. • Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address. Also see "About Web Filtering Auto-Detection" on page 14. |
| Branch office with no local ProxySG | • Role of local ProxySG: There is none, so the location should enable ProxyClient acceleration. However, if a ProxySG at headquarters performs Web filtering, you should disable Web filtering at the branch office. • Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address. |
| Branch office with a local ProxySG | • Role of local ProxySG: If the local ProxySG performs both acceleration and Web filtering, the location should disable both. However, if the local ProxySG performs only acceleration, the location should disable ProxyClient acceleration and enable Web filtering. • Location conditions: To uniquely identify the location, choose source IP address range and DNS server IP address. Also see "About Web Filtering Auto-Detection" on page 14. |

For a step-by-step example of setting up locations, see Chapter 2: "ProxyClient Deployments".

About Condition Rulebase Ordering

The order in which locations display on the Configuration > ProxyClient > General > Locations tab page determines the order in which the rules are evaluated when users connect to the Client Manager. To avoid mismatches, order the rules from most to least restrictive.

For example, suppose headquarters uses IP addresses in the range from 10.0.0.0 to 10.255.255.255 but the VPN gateway located at headquarters has a pool of IP addresses in a subset of that range; for example, 10.3.1.1 to 10.3.1.255. Because the VPN gateway is used by home office or mobile users, the administrator wants to use different policy actions for headquarters and home office users.

Users at the headquarters location should have ProxyClient acceleration and Web filtering disabled but users in a home office or mobile location should have both ProxyClient features enabled.

To accomplish that, the administrator creates the two locations as follows.

| Location | Conditions |
|---|---|
| Headquarters | • Source IP address range: 10.0.0.0 to 10.255.255.255 • DNS server IP address: For example, 10.0.0.11 and 10.0.0.12 |
| Home office or mobile | • DNS server IP address: Same as headquarters • VNIC IP address range: 10.3.1.1 to 10.3.1.255 |

To make sure the home office or mobile location is detected first, the administrator must order it in the rulebase before the headquarters location. An example follows.

About ProxyClient CIFS Acceleration

The ProxyClient accelerates file shares located on remote servers by locally caching regions of files that are read or written by the client. CIFS object caching applies to both read and write file activities.

Note: You can set the maximum percentage of total disk space (as opposed to available disk space) the ProxyClient allocates to the byte cache and the CIFS cache. The ProxyClient always leaves at least 1GB of available disk space on the client computer. By default, the cache is located on the system root volume.

Starting with ProxyClient version 3.2, two new options enhance these capabilities:

❐ Remote storage optimization

Improves performance by causing Windows Explorer to minimize the amount of data transfer when users browse to a remote accelerated file share.


Specifically, this feature limits read ahead. Excessive read ahead slows performance if users enable the Display file size information in folder tips option for folders in Windows Explorer (on Windows XP and Vista: Tools > Folder Options > View tab page under Files and Folders; on Windows 7: Organize > Folder and Search Options > View tab page under Files and Folders). When a user browses to a folder and read ahead is enabled, Windows Explorer waits while folder and file metadata is retrieved; if you enable remote storage optimization, metadata is not requested, so performance is improved.

The amount of performance improvement from enabling ProxyClient remote storage optimization depends on how many files are in the remote folder and how many subfolders are nested under the folder.

Note: It takes time for a configuration change to take effect. For example, if a client has two connections open to an accelerated file share at the time the client receives a configuration update from the Client Manager, it might take several minutes before a change from Enable to Disable takes effect for these open connections.

On the other hand, the first connection after a configuration change is received by the client uses the current configuration setting.

❐ Suppress folder customization

This setting can improve performance when a user browses to a remote accelerated file share that has a large number of customized nested folders. (An example of customizing a folder is changing its display icon.)

Customized folders have the Windows read-only attribute. Read-only folders differ from read-only files in the following ways:

• Windows, Windows components, and accessories usually ignore the read-only attribute of a folder.

• Windows does not usually enable a user to view or change read-only or system attributes of a folder.

Windows uses the read-only and system attributes of folders to specify them as special folders (for example, system folders and folders like My Documents that are customized by Windows). If an accelerated file share has a large number of nested customized folders, performance can be degraded because of the time Windows waits to retrieve properties for the folder (in particular, desktop.ini).

As discussed in Microsoft KB article 326549, Microsoft recommends you disable the read-only attribute of remote folders for this reason.

Note: It takes time for a configuration change to take effect. For example, if a client has two tunnels open to an accelerated file share at the time the client receives a configuration update from the Client Manager, it might take several minutes before a change from Enable to Disable takes effect for these open connections.

On the other hand, the first connection opened to an accelerated file share after a configuration change is received by the client will use the current configuration setting.

About ProxyClient Web Filtering

Web filtering is used by many enterprises for security and compliance reasons. Network managers want the security of knowing users can be prevented from accessing Web sites with malicious content. Human Resources wants to prevent users from accessing offensive content or from losing productivity due to too much Web surfing.

Blue Coat’s ProxyClient Web filtering solution provides an answer for both concerns by providing robust filtering—both in the office and on the road.

This section discusses ProxyClient Web filtering in the following sections:

❐ "Web Filtering Terminology"
❐ "Enabling or Disabling Web Filtering Based on Location" on page 20
❐ "Web Filtering for Users and Groups" on page 20
❐ "About the BCWF Database and Categorization" on page 21
❐ "About Security With Guest User Scenarios" on page 22

Web Filtering Terminology

This section defines common terms used to discuss ProxyClient Web filtering.

❐ Blue Coat WebFilter (BCWF) database and categories

• The BCWF database contains categories and URLs that are contained in those categories.

• The BCWF categories contain mappings between URLs and categories but do not contain the URLs themselves; URLs are categorized and rated by the WebPulse cloud service.

A dedicated Client Manager needs only the BCWF categories to provide ProxyClient Web filtering services. WebPulse performs the ratings.

A Client Manager that also proxies Internet traffic and performs BCWF Web filtering needs the BCWF database.

The BCWF database and categories are maintained by Blue Coat.

To enable and use ProxyClient Web filtering, the BCWF database or categories must be updated on the Client Manager at least once every 30 days.

The administrator chooses categories and policy actions for users and groups in each category; these categories and actions are downloaded to the ProxyClient in its configuration file. All ProxyClient URL requests are categorized by WebPulse.

❐ WebPulse

An Internet cloud service consisting of many service points located around the globe, WebPulse categorizes all URLs requested by ProxyClients.

❐ Policy action

The action that is applied to a ProxyClient URL request. Possible actions are allow, block and warn. Policies can be applied to individual users or to user groups.

More information about these policy actions can be found in "Working With Categories, Users, Groups, and Policy Actions" on page 141.

Enabling or Disabling Web Filtering Based on Location

You can enable or disable Web filtering based on a user’s location. For example, if the user is at headquarters or in a branch office where there is a branch ProxySG that performs Web filtering, you should disable ProxyClient Web filtering. You should enable ProxyClient Web filtering in mobile locations because mobile users do not connect to a branch ProxySG.

Use location awareness to enable or disable ProxyClient features as discussed in "About ProxyClient Location Awareness" on page 13.
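The ANDed location conditions and first-match rulebase ordering described under "About ProxyClient Location Awareness", using the headquarters and VPN pool ranges from "About Condition Rulebase Ordering", as an added example that is not part of the guide and is not Blue Coat code. It assumes a source IP condition is tested against every adapter address, virtual adapters included; the class and function names, the client addresses, and the fallback location are constructed for illustration.

```python
"""Model of ProxyClient location matching (added example, not Blue Coat code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address as IP
from typing import Optional, Tuple

Range = Tuple[IP, IP]  # inclusive first and last address


def rng(first: str, last: str) -> Range:
    return IP(first), IP(last)


def in_range(addr: IP, r: Range) -> bool:
    return r[0] <= addr <= r[1]


def within(inner: Range, outer: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


@dataclass(frozen=True)
class Client:
    addresses: Tuple[IP, ...]       # every adapter address, virtual ones included (assumption)
    vnic_addresses: Tuple[IP, ...]  # addresses on VPN virtual adapters only
    dns_servers: Tuple[IP, ...]


@dataclass(frozen=True)
class Location:
    name: str
    acceleration: bool
    web_filtering: bool
    source_range: Optional[Range] = None
    dns_servers: Optional[frozenset] = None
    vnic_range: Optional[Range] = None

    def matches(self, c: Client) -> bool:
        # Conditions that are set are ANDed together; unset conditions are ignored.
        if self.source_range and not any(in_range(a, self.source_range) for a in c.addresses):
            return False
        if self.dns_servers and not any(d in self.dns_servers for d in c.dns_servers):
            return False
        if self.vnic_range and not any(in_range(a, self.vnic_range) for a in c.vnic_addresses):
            return False
        return True

    def shadows(self, later: "Location") -> bool:
        """True if every client that matches `later` also matches this location."""
        if self.source_range and not any(
            r is not None and within(r, self.source_range)
            for r in (later.source_range, later.vnic_range)
        ):
            return False
        if self.dns_servers and not (later.dns_servers and later.dns_servers <= self.dns_servers):
            return False
        if self.vnic_range and not (later.vnic_range and within(later.vnic_range, self.vnic_range)):
            return False
        return True


def evaluate(rulebase, client, default):
    """Return the first location, in rulebase order, whose conditions all match."""
    for loc in rulebase:
        if loc.matches(client):
            return loc
    return default


def unreachable(rulebase):
    """(earlier, later) pairs where the later location can never be selected."""
    return [(a.name, b.name) for i, a in enumerate(rulebase)
            for b in rulebase[i + 1:] if a.shadows(b)]


# Location definitions from the guide's table.
DNS = frozenset({IP("10.0.0.11"), IP("10.0.0.12")})
HQ = Location("Headquarters", acceleration=False, web_filtering=False,
              source_range=rng("10.0.0.0", "10.255.255.255"), dns_servers=DNS)
MOBILE = Location("Home office or mobile", acceleration=True, web_filtering=True,
                  dns_servers=DNS, vnic_range=rng("10.3.1.1", "10.3.1.255"))
DEFAULT = Location("No match (hypothetical fallback)", True, True)

# Constructed clients: a VPN user at home and a desktop at headquarters.
VPN_USER = Client(addresses=(IP("192.168.1.20"), IP("10.3.1.77")),
                  vnic_addresses=(IP("10.3.1.77"),), dns_servers=(IP("10.0.0.11"),))
OFFICE_USER = Client(addresses=(IP("10.20.5.9"),), vnic_addresses=(),
                     dns_servers=(IP("10.0.0.12"),))

if __name__ == "__main__":
    for order in ([HQ, MOBILE], [MOBILE, HQ]):
        names = [loc.name for loc in order]
        hit = evaluate(order, VPN_USER, DEFAULT)
        print(names, "-> VPN user:", hit.name, "| web filtering:", hit.web_filtering,
              "| unreachable:", unreachable(order))
```

With headquarters listed first, the VPN user's virtual NIC address falls inside the headquarters range, so the remote laptop is treated as in-office and ProxyClient Web filtering is switched off; `unreachable` flags that ordering before it is deployed.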

Web Filtering for Users and Groups

ProxyClient Web filtering can be enforced for users and domain groups. These users and groups are validated against the user’s cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects.

This means you can allow, block, or warn on content according to the specific user or to the domain group to which the user belongs.

To configure Web filtering policies for individual users or for user groups, do any of the following:

❐ ProxyClient Web filtering categories can be configured for individual users and user groups specified as follows:

• Fully qualified account names (for example, domain_name\user_name).

• Fully qualified DNS names (for example, domain.example.com\user_name).

• User principal names (UPN)—for example, [email protected]. However, be aware that translating isolated names introduces the possibility of name collisions because the same name might be used in multiple domains.

Blue Coat recommends you do not use isolated names such as user_name. Fully qualified names are unambiguous and provide better performance when the lookup is performed.

❐ Using CPL or VPM, you can configure the branch ProxySG to apply different Web filtering policies for users or groups. More information about performing these tasks can be found in "Managing Policy Categories" on page 147.

Note: One major difference between ProxyClient Web filtering and branch ProxySG Web filtering is that categorization for the ProxyClient is performed by WebPulse. ProxyClient categorization is not performed by the Client Manager.

About the BCWF Database and Categorization

This section discusses the following topics:

❐ "About BCWF Categories"
❐ "About Categorization" on page 21

About BCWF Categories

For ProxyClients to use Web filtering, the Client Manager must get the current BCWF categories at least once every 30 days. If the categories are not updated within 30 days of the last update, BCWF becomes unlicensed and all URL requests are either allowed or blocked, depending on the administrator’s choice for the On expiration option located on the Configuration > ProxyClient > Web Filtering > Policy tab page.

About Categorization

Categorization is the process of assigning a classification to a particular requested URL. If ProxyClient Web filtering is enabled for the user’s location, the categorization process is as follows:

1. The user requests a URL.

2. The ProxyClient collects Web filtering categories from its configuration file. Categories are defined by the following:

• The local database, if enabled.

• VPM policy, if configured.

• Results of WebPulse lookups that are temporarily cached on the user’s computer.

3. The ProxyClient requests a category for the URL from WebPulse.

The result of the request can be one of the following:


• The URL request is categorized by WebPulse, if a result was not found in the local cache.

(The cache, which is temporary, consists of results from previous lookups.)

• If WebPulse cannot determine a URL’s category, the URL is categorized as none and the appropriate policy action is applied.

• If WebPulse is not available, the URL is categorized as unavailable and the appropriate policy action is applied.

4. After the URL’s category is determined, the ProxyClient’s configuration file determines the policy action (allow, block, or warn) according to the first match in the rulebase.

• If the policy action is allow, the request goes to its destination.

• If the policy action is block, the blocked category exception page displays.

• If the policy action is warn, a warning message displays.

The user must click an acceptance link, which represents an acknowledgment that the content request might violate corporate Web use policy. If the user clicks the acceptance link, the request goes to its destination.

Note: If a user clicks the acceptance link, the requested Web site will be accessible for 15 minutes. The accessibility time period is not currently configurable for the Web site.

5. Results of WebPulse lookups are temporarily cached.
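The categorization steps above, as an added example that models the flow and is not Blue Coat code. It shows the difference between allowing and blocking the unavailable category, and the 15-minute window after a warning is accepted. The WebPulse stub, the URLs and category names, the cache lifetime, and the default for a category with no rule are assumptions made for the illustration.

```python
"""Model of the ProxyClient categorization flow (added example, not Blue Coat code)."""
import time
from urllib.parse import urlsplit

ACCEPT_SECONDS = 15 * 60  # from the guide: an accepted site stays accessible for 15 minutes
CACHE_SECONDS = 300       # assumption: the guide only says lookups are cached temporarily


class WebPulseUnavailable(Exception):
    """Raised by the lookup stub when the rating service cannot be reached."""


class WebPulseStub:
    """Constructed stand-in for the WebPulse request; URLs and categories are made up."""
    RATINGS = {
        "http://news.example/": "News",
        "http://games.example/play": "Games",
        "http://bad.example/dropper": "Malware",
    }

    def __init__(self):
        self.available = True
        self.calls = 0

    def __call__(self, url):
        if not self.available:
            raise WebPulseUnavailable(url)
        self.calls += 1
        return self.RATINGS.get(url)  # None means the URL could not be rated


class WebFilter:
    def __init__(self, rulebase, lookup, clock=time.monotonic):
        self.rulebase = rulebase  # ordered (category, action) pairs; first match wins
        self.lookup = lookup
        self.clock = clock
        self.cache = {}           # url -> (category, expiry time)
        self.accepted = {}        # host -> expiry time of a clicked warning

    def categorize(self, url):
        now = self.clock()
        cached = self.cache.get(url)
        if cached and cached[1] > now:
            return cached[0]
        try:
            category = self.lookup(url) or "none"
        except WebPulseUnavailable:
            return "unavailable"  # not cached, so the next request asks again
        self.cache[url] = (category, now + CACHE_SECONDS)
        return category

    def action_for(self, category):
        for rule_category, action in self.rulebase:
            if rule_category == category:
                return action
        return "block"  # assumption: a category with no rule fails closed

    def decide(self, url):
        category = self.categorize(url)
        action = self.action_for(category)
        host = urlsplit(url).hostname
        if action == "warn" and self.accepted.get(host, 0) > self.clock():
            action = "allow"  # the user already clicked the acceptance link
        return category, action

    def accept_warning(self, url):
        # Assumption: the 15-minute acceptance is tracked per host name.
        self.accepted[urlsplit(url).hostname] = self.clock() + ACCEPT_SECONDS


# Constructed policies. RECOMMENDED follows the guide's advice to block Unavailable.
BASE = [("Malware", "block"), ("Games", "warn"), ("News", "allow"), ("none", "allow")]
FAIL_OPEN = BASE + [("unavailable", "allow")]
RECOMMENDED = BASE + [("unavailable", "block")]

if __name__ == "__main__":
    stub = WebPulseStub()
    stub.available = False  # rating service unreachable
    for name, policy in (("fail-open", FAIL_OPEN), ("recommended", RECOMMENDED)):
        print(name, WebFilter(policy, stub).decide("http://bad.example/dropper"))
```

With the rating service unreachable, the fail-open policy lets the request through as unavailable, while the recommended policy blocks it.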

Note: One Web site can have many URLs associated with it. For example, many Web sites have advertisements that each trigger a URL request and therefore a categorization request to WebPulse.

About Security With Guest User Scenarios

When travelling, users might be required to initially access the Internet as a guest. For example, some businesses and hotels provide WiFi or hard-wired networks, but require users to gain access through a portal. When the user connects to the network and opens their Web browser, the browser redirects to a welcome page with which the user must interact to gain connectivity to the Internet.

The welcome page can be as simple as a click-through service agreement or as complex as a service that requires a credit card payment for Internet access. After users complete the required agreement or transaction, they are allowed to access the Internet.

When the ProxyClient detects this, it enables the user to view the welcome page and complete whatever authentication transaction is required to gain additional connectivity without applying Web filtering. After the user can connect to the Internet, the ProxyClient applies Web filtering policy.

ProxyClient operates within the restricted network before completing the welcome page transaction, yet prevents any unauthorized user access.

About ADN Feature Support in ProxyClient

This section discusses topics related to how the ProxyClient functions in an ADN network. For more information, see one of the following topics:

❐ "ADN and ProxyClient Terminology"
❐ "About the Roles of ProxySG Appliances With the ProxyClient" on page 25
❐ "ADN Features and the ProxyClient" on page 26
❐ "About Internet Gateways" on page 28
❐ "About Reflecting the ProxyClient IP Address" on page 28

ADN and ProxyClient Terminology

This chapter uses the following common terms:

❐ ProxyClient

Downloaded and installed on user systems, the ProxyClient provides increased network performance and Web filtering when the connection is not fronted by a Blue Coat ProxySG.

❐ ADN Manager

Every ADN network in which ProxyClient acceleration is enabled must have a ProxySG designated as the ADN Manager, which is responsible for publishing the routing table to ProxyClients (and to other ProxySG ADN peers).

You can optionally designate another ProxySG appliance as the backup manager. This appliance takes over the duty of providing routing information to ProxyClients in the event the ADN manager becomes unavailable.


If you are using ProxyClient Web filtering only, you do not need to specify an ADN manager.

❐ Concentrator

A ProxySG appliance that receives inbound ADN tunnels from the ProxyClient (and other ProxySG appliances on the ADN network) and accelerates data center resources (such as file servers and Web applications).

❐ Branch ProxySG

A ProxySG deployed near a branch office router (where branch office means a small or regional office). To retrieve client file and data requests from servers located in the corporate data center, the branch proxy connects to the ADN concentrators—which are advertised by the ADN manager or discovered transparently—in the data centers at the corporate location.

If the branch location has servers, the branch peer also serves as a concentrator. A branch ProxySG can provide acceleration, Web filtering, or both for the branch office.

❐ Client Manager

A Client Manager is a ProxySG (running a compatible version of SGOS) that provides the ProxyClient software to users and maintains the software and the client configuration of all clients in the ADN network. Commonly, the Client Manager appliance is deployed in the intranet behind the enterprise VPN gateway, with a router connection to the Internet.

For details, including which SGOS versions are supported, see "ProxyClient Compatibility with SGOS" on page 71.

❐ Mobile user

Employees who use laptops with ProxyClient installed and travel from corporate locations to other locations, such as customer sites, hotels, or home offices. The term mobile users does not refer to users with hand-held devices.

❐ Location awareness

The ability of the ProxyClient to detect the presence of a network connection and enable or disable acceleration and Web filtering as determined by policy. For example, you typically disable both ProxyClient acceleration and Web filtering in the office but enable them for mobile users.

The ProxySG administrator determines the criteria that define locations and enables or disables acceleration and Web filtering for each location.

❐ Byte caching

A specific form of compression that looks for repeated data patterns transmitted over the WAN. Byte caching plus other forms of compression (such as gzip) optimizes the data sent over the TCP tunnel.


❐ Common Internet File System (CIFS) optimization

ProxyClient significantly enhances WAN file service delivery by implementing the following:

• CIFS protocol optimization, which improves performance by consolidating data forwarded across the WAN.

• Client object caching, which enables clients to get previously obtained data from the cache rather than from across the WAN.

About the Roles of ProxySG Appliances With the ProxyClient

One or more ProxySG appliances interact with ProxyClients in the following ways:

❐ ADN Manager and backup manager—As discussed in "ADN and ProxyClient Terminology" on page 23, to use ProxyClient acceleration, you must configure an ADN Manager and Blue Coat recommends you also configure a backup manager.

If you are using ProxyClient Web filtering only, no ADN manager is required.

❐ Client Manager—The ProxySG that provides the management infrastructure to ProxyClients, including the following services:

• Software for the client (initial deployment and updates)

• Periodic verification of the Blue Coat Web Filter (BCWF) license and database (required to use BCWF)

• Monitoring

• Client configuration management (such as Web filtering policy)

❐ Concentrator—A ProxySG that terminates ProxyClient ADN tunnels, and provides two-way compression and data forwarding to and from the appropriate server. A concentrator accelerates network traffic.

❐ Branch ProxySG—Depending on how it is configured, a branch ProxySG might provide acceleration and Web filtering for a branch office.

Note: The Client Manager can be any appliance in the ADN network, including a concentrator, the ADN manager, or a backup manager. For example, the Client Manager could also be the ADN manager, but that is not a requirement.

The following diagram illustrates a high-level network architecture involving ProxyClient.

Figure 1–1 High-level ProxyClient network diagram

ADN Features and the ProxyClient

The ProxyClient supports the following ADN features:

❐ "Open ADN and Closed ADN"
❐ "Byte Caching and gzip Compression" on page 27
❐ "CIFS Optimization and Caching" on page 27
❐ "Load Balancing and Failover" on page 27
❐ "Cache Encryption" on page 28
❐ "About Internet Gateways" on page 28
❐ "About Reflecting the ProxyClient IP Address" on page 28

Open ADN and Closed ADN

ADN managers and concentrators that run SGOS 5.4 and later support ADN configurations referred to as open ADN and closed ADN.

The terms open and closed refer to whether or not the ADN manager accepts connections from approved peers. For more information, see the section on ADN modes in the chapter on configuring an ADN network in the SGOS Administration Guide.

To use ProxyClient acceleration, you must specify a primary ADN manager and optionally a backup ADN manager; the managers can use either open ADN or closed ADN.

For more information about using open ADN or closed ADN with the ProxyClient, see "About Open ADN and Closed ADN With the ProxyClient" on page 74.

Note: To use ProxyClient Web filtering only, no ADN manager is required.


Byte Caching and gzip Compression

Enabling ProxyClient acceleration enables both byte caching and gzip compression. gzip compression uses a lossless compression algorithm for data sent across the WAN.

Byte caching is a compression mechanism where data tokens that represent larger blocks of repeated data are sent across the WAN.

When one of these data tokens matches tokens in the data dictionary cached on the ProxyClient computer, the entire block of data is passed to the application that requested it, resulting in reduced WAN bandwidth usage. For example, if you request a file using Internet Explorer and a data dictionary match is found, the data is sent to Internet Explorer.

If no data dictionary match is found, the token and its corresponding byte values are added to the data dictionary cached on the ProxyClient computer.

A data token is a few bytes in size; the corresponding block of data for a token is much larger.

CIFS Optimization and Caching

Regions of files that are read or written by the client are placed in the cache. CIFS object caching applies to both read and write file activities.

For additional details, see "About ProxyClient CIFS Acceleration" on page 17.

Load Balancing and Failover

The ProxyClient attempts three types of connections in the ADN network: the routing connection, the ADN tunneling connection, and a control connection. The routing connection obtains the routing table from the ADN Manager or backup Manager; the tunneling connection transfers data to the ADN network; and the control connection contains client identification information.

The ProxyClient first attempts to connect to the primary ADN manager to get routing information; if the ADN Manager is not available, the client attempts to connect to the backup ADN Manager. If the backup ADN manager is also not available, the connection continues on (bypassed by ADN) because an ADN route is not provided. When either of the ADN Managers becomes available again, acceleration automatically resumes.

Client connections that do not go through a concentrator are not accelerated and remain unaccelerated as long as the connection is open (that is, until the connection is closed by the application).

After a concentrator becomes available, new connections are accelerated.

ADN peer affinity helps maintain fast application performance by persisting connections from a ProxyClient to a particular concentrator and therefore reusing the byte cache. After establishing a connection to an ADN peer, ProxyClient always attempts to connect to that peer; a connection to another peer occurs only when the initial peer becomes unavailable.


Cache Encryption

To maintain a high security level after content is retrieved over the network connection, ProxyClient supports the Microsoft Encrypting File System (EFS), which makes it extremely difficult for malicious users to hack into a user system’s cache to retrieve company-sensitive files.

No other user can access the data in the cache, even the system administrator.

If ProxyClient is uninstalled, the EFS encrypted caches are also deleted.

About Internet Gateways

The ProxyClient honors Internet Gateway settings. Network traffic that is not bound by ADN routing rules routes to the specified gateway unless an exception rule applies.

There are some routes, such as those for local hosts, that are not required to go through the ADN Internet gateway. You can define these routes using a concentrator’s Management Console (Configuration > ADN > Routing > Internet Gateway). ProxyClient uses this configuration.

About Reflecting the ProxyClient IP Address

When the ProxyClient version 3.1 or later attempts to connect to a destination, it always requests the concentrator reflect its IP address. The concentrator can be configured to either reflect the client’s IP address or to reject the reflection request.

Concentrator client IP reflection configuration determines what IP address the concentrator advertises to the origin server as the source address—the concentrator’s own address (referred to as use local IP) or as the ProxyClient computer’s address (referred to as reflect the client IP).

Note:

❐ EFS is supported only on New Technology File System (NTFS) partitions. Windows XP Home Edition supports NTFS but not EFS. File Allocation Table (FAT) and FAT32 partitions do not support EFS; therefore, the cache is not encrypted on those partitions.

The Web filtering log folder is also encrypted but the folder is in a location separate from the cache.

❐ For computers that are connected to a network, the EFS domain certificate is required for encryption. Therefore, if the domain certificate has expired, no EFS encryption occurs.

When the computer is not connected to the network, it uses its local EFS certificate and in that case, encryption works properly.


For example, suppose the ProxyClient requests data from a server in the corporate data center. The ProxyClient request is accepted by a ProxySG concentrator, which sends the request to the server. When the concentrator sends the request, you can configure the following IP reflection options:

❐ Allow the request and reflect the client IP—The concentrator can present its own IP address as the source address.

Select this option if your network is configured so that the origin server cannot reach a ProxyClient computer with an outside IP address; in other words, an IP address located outside the internal network.

❐ Allow the request but connect using a local IP—The concentrator can present the ProxyClient computer IP address as the source address.

❐ Reject the request—The concentrator can be configured to deny client reflection, in which case one of the following occurs:

• If the concentrator runs SGOS 5.3 or later, the concentrator presents its own IP address as the source address. This option is equivalent to Allow the request but connect using a local IP.

• If the concentrator runs an SGOS version earlier than 5.3, the connection fails.

SGOS 6.2 and later offers independent controls for configuring how the Concentrator peer handles client IP reflection requests from ProxySG peers versus ProxyClient peers. For example, you can have the Concentrator reject client IP reflection requests from ProxyClient peers but allow them from ProxySG peers. In previous releases, when the Concentrator was configured to deny reflect client IP requests from branch peers, there was a special hard-coded override that always used the Concentrator's local IP address for ProxyClient tunnel connections; if reflect client IP was set to allow, then the client IP would be reflected. For more information, see "Configuring IP Address Reflection" on page 791 of the SGOS 6.2 Administration Guide.

Note: For client IP reflection to work, the concentrator used by the ProxyClient should be deployed in-path between the ProxyClient and the origin server. In other words, the return packets will have ProxyClient's IP address as the destination address and must be routed back through the same concentrator.

If the origin server is able to connect directly back to the ProxyClient computer, the connection fails. This happens because the concentrator opens a different connection to the origin server than the one originally opened by the ProxyClient, so response packets going directly from the origin server to the ProxyClient will be rejected and the connection will fail.

If the concentrator is deployed out of path, you can configure the concentrator to use local IP.


ProxyClient Security Disclaimers

When you deploy the ProxyClient in your network, be aware of the following:

❐ Avoid allowing users with FAT and FAT32 partitions to download the ProxyClient for the following reasons:

• EFS encryption is not supported; therefore, the object cache (that is, the byte cache and CIFS cache) and Web filtering logs will not be encrypted.

• Because the ProxyClient uses NTFS permissions, Web filtering can be bypassed on FAT or FAT32 partitions and logs can be deleted.

❐ Although unlikely, it is possible for a user to edit or delete Web filtering log files before they are uploaded to the FTP server.

In addition, because the FTP server allows anonymous access, anyone can download a log file, change it, and upload it again without detection (although your FTP server can report the source IP address used to upload log files).

These vulnerabilities can be exploited by a legitimate user or by an unauthorized user (such as a hacker or malware).

❐ If a user runs a VMware image on their computer, even if the computer has the ProxyClient, the VMware image can access the Internet without restrictions, effectively circumventing Web filtering. (The VMware image also operates without acceleration.)

To avoid this issue, install the ProxyClient software on the VMware image.
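For the Web filtering log risk in the list above, a repeated upload of the same log file can be detected on the FTP server side. The following is an added example, not part of the Blue Coat guide: it assumes the FTP server writes an xferlog-format transfer log and that each Web filtering log file is normally uploaded once under a unique name; the hosts, paths and file names in the sample are constructed.

```python
from collections import namedtuple

# Constructed sample of an FTP transfer log in xferlog format.
# Hosts, paths and file names are invented for this example.
SAMPLE_XFERLOG = """\
Thu Mar  3 10:15:02 2011 1 10.5.2.7 20480 /wflogs/LAPTOP01_0001.log b _ i a anonymous@ ftp 0 * c
Thu Mar  3 10:20:41 2011 1 10.5.3.9 18432 /wflogs/LAPTOP02_0001.log b _ i a anonymous@ ftp 0 * c
Thu Mar  3 11:02:13 2011 1 10.5.4.20 20480 /wflogs/LAPTOP01_0001.log b _ o a anonymous@ ftp 0 * c
Thu Mar  3 11:09:57 2011 1 10.5.4.20 19968 /wflogs/LAPTOP01_0001.log b _ i a anonymous@ ftp 0 * c
Fri Mar  4 09:00:30 2011 1 10.5.3.9 17408 /wflogs/LAPTOP02_0002.log b _ i a anonymous@ ftp 0 * i
Fri Mar  4 09:01:05 2011 1 10.5.3.9 17408 /wflogs/LAPTOP02_0002.log b _ i a anonymous@ ftp 0 * c
"""

Transfer = namedtuple("Transfer", "timestamp host size path direction status")
Finding = namedtuple("Finding", "path first_source new_source downloaded_between")


def parse_xferlog_line(line):
    """Parse one xferlog record; return None for blank or malformed lines.

    Layout: 5 date tokens, transfer time, remote host, size, file name,
    then 9 trailing fields ending in the completion status. The file name
    is taken as whatever lies between the fixed head and tail, so a name
    containing spaces is still parsed correctly.
    """
    tokens = line.split()
    if len(tokens) < 18:
        return None
    head, tail = tokens[:8], tokens[-9:]
    try:
        size = int(head[7])
    except ValueError:
        return None
    return Transfer(
        timestamp=" ".join(head[:5]),
        host=head[6],
        size=size,
        path=" ".join(tokens[8:-9]),
        direction=tail[2],   # i = incoming (upload), o = outgoing (download)
        status=tail[8],      # c = complete, i = incomplete
    )


def find_reuploads(log_text):
    """Report log files uploaded again after their first completed upload.

    Assumption (not stated in the guide): each Web filtering log file is
    uploaded once, so a second completed upload of the same path means the
    stored copy was overwritten and should be reviewed.
    """
    first_upload = {}    # path -> source host of the first completed upload
    downloaded = set()   # paths downloaded after their first upload
    findings = []
    for line in log_text.splitlines():
        t = parse_xferlog_line(line)
        if t is None or t.status != "c":
            continue     # ignore malformed records and incomplete transfers
        if t.direction == "o" and t.path in first_upload:
            downloaded.add(t.path)
        elif t.direction == "i":
            if t.path not in first_upload:
                first_upload[t.path] = t.host
            else:
                findings.append(Finding(t.path, first_upload[t.path],
                                        t.host, t.path in downloaded))
    return findings


if __name__ == "__main__":
    for f in find_reuploads(SAMPLE_XFERLOG):
        print(f"{f.path}: first uploaded by {f.first_source}, "
              f"overwritten by {f.new_source}, "
              f"downloaded in between: {f.downloaded_between}")
```

The incomplete transfer followed by a completed retry from the same host is not reported, because only completed uploads are counted.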

Note: If a ProxyClient connects to a concentrator running an SGOS version earlier than 5.3, and that concentrator is configured to reject client IP reflection requests, you must change the configuration. Otherwise, ProxyClients cannot connect to origin servers.

Any of the following options can be used with the ProxyClient:

• Management Console using the Configuration > ADN > Tunneling > Network tab page.

Choose either of the following options (click Help for more information about the options):

• Allow the request and reflect the client IP

• Allow the request but connect using a local IP

• Command line:

• SGOS#(config adn tunnel) reflect-client-ip allow

• SGOS#(config adn tunnel) reflect-client-ip use-local-ip


About ProxyClient Licensing

Your SGOS trial or permanent license enables you to designate a ProxySG appliance as the Client Manager and it enables unlimited ProxyClient connections, provided the SGOS base license is valid. However, you must size your ProxyClient deployment based on Client Manager scalability.

User or client licenses for the ProxyClient software are not required.

For more information on SGOS licensing, refer to the SGOS Administration Guide.

Software and Hardware Requirements

For information about software and hardware requirements, see the ProxyClient Release Notes.

Why Deploy ProxyClient?

As mobile technology efficiency has advanced, so has the ability for enterprises and other organizations to mobilize their workforce and allow access to remote systems. Employees who are often in the field, at home, or in small offices—including those who log into the corporate network through a Virtual Private Network (VPN) connection—require the same performance that is achieved when in the corporate network environment.

Likewise, corporations seek to extend the same security, policy control, and tracking abilities that are available in the corporate network. Blue Coat designed the ProxyClient solution to provide accelerated application delivery and Web filtering in the following scenarios:

❐ For employees using laptops and who work from both the office and the field. These users enjoy accelerated network performance while on the corporate network, but lose that performance when they must, from a remote location, connect to the enterprise network using VPN.

❐ For users in micro-branches, or offices with a very small number of users, where it might not be cost-justifiable to deploy even the smallest Blue Coat ProxySG acceleration gateway appliance.

Important:

• ProxyClient Web filtering can be used only with the SGOS Proxy Edition. Web filtering cannot be used with the SGOS Mach5 Edition.

• ProxyClient Web Filtering licensing requires a valid Blue Coat Web Filter (BCWF) database installed on the Client Manager and a user name and password to use to update the BCWF database categories at least once every 30 days. The BCWF license is available with trial and permanent licenses.

Even if the Client Manager is being used as a forward proxy, you must download the BCWF database on the Client Manager for licensing purposes.


In both of these scenarios, the ProxyClient maintains user productivity levels by providing enterprise-grade performance, while also ensuring that the corporate Web usage policies are maintained on company-owned systems in the field (only users with administrator privileges can remove or disable the ProxyClient).

About Blue Coat in the Network

ProxyClient optimizes the enterprise network conduit between remote or micro-branch office systems and ProxySG appliances. Figure 1–2 provides a high-level, logical view of Blue Coat deployed in the network.

Figure 1–2 Blue Coat in the network

Blue Coat does not provide strict guidelines for determining whether a remote location requires a local ProxySG. Generally, use a local ProxySG if the branch office has a data center (that is, file servers and so on) and to offload acceleration and Web filtering functions from the corporate ProxySGs to the branch.

Blue Coat recommends considering a ProxyClient-only solution at a remote location if any of the following is true:

❐ The remote location is a mobile user whose location changes.

❐ The remote location is a home office.

❐ The remote location has a few users and therefore does not justify a local ProxySG appliance.


In any of the preceding locations, you might provide connectivity to the corporate network with VPN client software; however, that is not a requirement for using the ProxyClient.

Note: Refer to the ProxyClient Release Notes for the latest list of supported VPN technologies and operating systems.


Chapter 2: ProxyClient Deployments

This chapter provides a step by step example of configuring the ADN manager, concentrator, and Client Manager; and installing the ProxyClient software. You can use the information in this section to quickly install the ProxyClient in an evaluation environment. Additional tasks are generally required to deploy the ProxyClient in a production environment.

This chapter discusses the following topics:

❐ "Assumptions"

❐ "ProxyClient Deployment Roadmap" on page 37

❐ "Step 2: Configure the Concentrator" on page 41

❐ "Step 3: Configure the Client Manager" on page 42

❐ "Step 4: Configuring ProxyClient Acceleration" on page 43

❐ "Step 5: Configuring ProxyClient Web Filtering" on page 46

❐ "Step 6: Configure ProxyClient Locations" on page 48

❐ "Step 7: Install the ProxyClient Software" on page 53

❐ "Performing Basic Verification" on page 53

❐ "Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58

Assumptions

This section discusses the assumptions that will be made in the examples discussed in this sample ProxyClient deployment. See one of the following sections for more information:

❐ "ProxySG Assumptions"

❐ "ProxyClient Computer Setup Assumptions" on page 35

❐ "Network Assumptions" on page 36

❐ "Location Awareness Assumptions" on page 36

ProxySG Assumptions

It is assumed that one ProxySG appliance acts as the ADN manager, concentrator, and Client Manager. The ADN network is set up as open, managed, meaning there is an ADN manager but that transparent connections to the ADN manager would be allowed. (Because the ProxyClient requires explicit routes, ADN transparency is irrelevant in this example deployment.)

ProxyClient Computer Setup Assumptions

The deployment example discussed in this chapter assumes the following about the computer on which the ProxyClient software is installed:

❐ The ProxyClient software gets installed from the Client Manager (as opposed to installing it from the command line).


❐ Prerequisites for optional Web filtering auto-detection are discussed in "Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58.

❐ For location awareness, the computer can have one or two network adapters: one to physically connect to the network using a cable and the other to connect to the network wirelessly. Furthermore, it is assumed that these network adapters have IP addresses in different ranges. If the computer has only one network adapter, ensure separate IP addresses are used for each location.

If it is necessary for you to access network resources like file shares using VPN software, you must start the VPN software and connect to the network before determining the computer’s IP address.

These adapters will be used to set up ProxyClient locations.

Network Assumptions

The following assumptions apply to how the ADN manager and concentrator are set up:

| Property | Value |
|---|---|
| Primary ADN manager IP address | Self (192.168.0.2) |
| Backup ADN manager | None |
| Subnets advertised by the concentrator | 172.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16 |
| Internet gateway? | No |
| ProxyClient acceleration? | Enabled/disabled based on location |
| ProxyClient Web filtering? | Enabled/disabled based on location (can optionally be automatically detected as well) |

Location Awareness Assumptions

When you set up ProxyClient location awareness, it is assumed your laptop has two network adapters:

| Adapter | IP address range | DNS server |
|---|---|---|
| Physical network | 192.168.0.200–192.168.0.254 | 192.168.1.55 |
| Wireless network | 10.5.0.0–10.5.4.254 | 10.5.5.54 |

ProxyClient location conditions are based on the following criteria:

❐ IP address ranges for physical connections to the network

❐ Virtual network interface card (NIC) address ranges for VPN-assigned IP addresses (for example, an offsite laptop with a wireless adapter that uses VPN to connect to the network)

❐ DNS server IP addresses, which are useful if there are overlaps between IP address ranges. For example, if VPN IP address ranges overlap with physical IP address ranges, you need to specify a DNS server to distinguish your locations. However, if you know that there are no IP address overlaps, you do not need to use a DNS server IP address as a location condition.

Unlike the other location conditions, DNS server IP addresses are logically ANDed together; users must match all DNS servers listed to match the location.

ProxyClient Deployment Roadmap

The following high-level tasks are required to configure the ProxySG and install the ProxyClient software:

❐ "Step 1: Configure a Primary ADN Manager and Internet Gateway"

❐ "Step 2: Configure the Concentrator" on page 41

❐ "Step 3: Configure the Client Manager" on page 42

❐ "Step 4: Configuring ProxyClient Acceleration" on page 43

❐ "Step 5: Configuring ProxyClient Web Filtering" on page 46

❐ "Step 6: Configure ProxyClient Locations" on page 48

❐ "Step 7: Install the ProxyClient Software" on page 53

❐ "Performing Basic Verification" on page 53


Step 1: Configure a Primary ADN Manager and Internet Gateway

Configure a ProxySG to be a primary ADN manager for this sample deployment:

# Description What to do

1 Enable ADN and select this ProxySG to be the primary ADN manager.

1. Log in to the ProxySG’s Management Console as an administrator and click Configuration > ADN > General.

2. Select the Enable Application Delivery Network check box.

3. In the Primary ADN Manager section, click Self.

4. Apply the changes.

An example is shown in Figure 2–1.

2 Set listening mode options.

Because the ProxyClient uses plain tunneling, you cannot use secure ADN exclusively in a network that has ProxyClients.

1. Click Configuration > ADN > General > Device Security.

2. From the SSL Device Profile list, click the name of a profile to use.

An example is shown in Figure 2–2.

3. Click Configuration > ADN > General > Connection Security.

4. For Manager Listening Mode, click Plain Read-Only.

5. For Tunnel Listening Mode, click Both.

6. For Secure Listening Mode, click any option.

7. Apply the changes.

An example is shown in Figure 2–3.

3 Continue with the next step. "Step 2: Configure the Concentrator"


Figure 2–1 shows enabling the ADN manager.

Figure 2–1 Enabling the primary ADN manager is required for any ProxyClient deployment that uses acceleration

Figure 2–2 shows the Device Security tab.

Figure 2–2 Secure ADN requires you to select an SSL device profile for the ProxySG appliance


Figure 2–3 shows the Connection Security tab.

Figure 2–3 Selecting listening mode options that are compatible with the ProxyClient

For More Information

❐ "About Manager Listening Mode With the ProxyClient" on page 77

❐ "About Tunneling Listening Mode With the ProxyClient" on page 78

❐ "About Secure Outbound Mode" on page 80


Step 2: Configure the Concentrator

This section shows step by step how to configure the concentrator to advertise subnets to the ProxyClient in this sample deployment:

Figure 2–4 shows how to configure the concentrator to advertise the sample subnets used in this deployment. You must replace these ranges with the appropriate values for your network.

Figure 2–4 Example of setting up server subnets advertised by your concentrator

# Description What to do

1 Configure subnets to advertise.

1. Click Configuration > ADN > Routing > Server Subnets.

2. At the bottom of the Server Subnets tab, click Add.

3. Enter the subnets your concentrator advertises.

The following steps show how to set up the sample ranges discussed in "Network Assumptions" on page 36. Replace the sample ranges with those advertised by your concentrator.

4. In the IP/Prefix field, enter 172.0.0.0/8.

5. Click OK.

6. At the bottom of the Server Subnets tab, click Add.

7. In the IP/Prefix field, enter 10.0.0.0/8.

8. Click OK.

9. Repeat these steps to add 192.168.0.0/16.

10. Apply the changes.

Figure 2–4 shows an example.

2 Continue with the next step. "Step 3: Configure the Client Manager"


For More Information

❐ "Advertising Server Subnets" on page 786 in the SGOS Administration Guide.

Step 3: Configure the Client Manager

This section shows step by step how to enable the ProxySG to be the Client Manager and how to upload the latest ProxyClient software to it.

Figure 2–5 shows the Client Software tab with ProxyClient version 3.4 software installed.

# Description What to do

1 Enable the Client Manager.

1. Click Configuration > ProxyClient > General > Client Manager.

2. Select the Enable Client Manager check box.

2 Upload ProxyClient software.

This task, which is sometimes overlooked, is highly recommended because SGOS does not necessarily ship with the latest ProxyClient software.

1. Log in to http://support.bluecoat.com.

2. Click the Downloads tab.

3. Click the link to download the ProxyClient 3.x software.

4. At the prompts, enter your BlueTouch Online user name and password.

5. Follow the prompts on your screen to download the .car file.

6. Click Configuration > ProxyClient > General > Client Software.

7. From the Install ProxyClient software from list, click Local file.

8. Click Install.

9. Follow the prompts on your screen to upload the .car file to the Client Manager.

10. Wait a few minutes for the upload to complete.

11. At the confirmation dialog, click OK.

Figure 2–5 shows an example of ProxyClient version 3.4.1.1 software on the Client Manager.

3 Continue with the next step. "Step 4: Configuring ProxyClient Acceleration"


Figure 2–5 The Current ProxyClient Software section displays the version of ProxyClient software currently on the Client Manager

For More Information

❐ "Designating a ProxySG as the Client Manager" on page 81

❐ "Uploading the ProxyClient Software to the Client Manager" on page 85

❐ "Configuring ProxyClient Locations" on page 93

Step 4: Configuring ProxyClient Acceleration

This section shows step by step how to enable the ProxyClient to perform acceleration for this sample deployment (that is, gzip compression, CIFS protocol optimization, and byte caching).

All tasks discussed in this section must be performed on the Client Manager.

# Description What to do

1 Configure the concentrator to advertise subnets; otherwise, nothing will be accelerated.

"Step 2: Configure the Concentrator" on page 41

2 Specify the primary ADN manager.

1. Click Configuration > ProxyClient > Acceleration > General.

2. In the ADN Manager section, click Use ProxySG ADN Managers.


Figure 2–6 shows the primary ADN manager being enabled on the Client Manager.

Figure 2–6 Enabling ProxyClient acceleration enables both gzip compression and byte caching; it requires the Client Manager to get the list of published routes from the ADN manager

3 Enable acceleration features.

1. Click Configuration > ProxyClient > Acceleration > General.

2. Select the Enable Acceleration check box.

Figure 2–6 shows an example.

3. Click the ADN Rules tab.

For the purposes of this sample deployment you should change the defaults only if there is a particular application you want to accelerate and you know the ports it uses. Figure 2–7 shows default settings.

4. Click the CIFS tab.

5. Select the Enable CIFS acceleration check box.

6. Your choices for Remote Storage Optimization and Suppress Folder Customizations do not matter in this example deployment.

To learn more about these features, see "About ProxyClient CIFS Acceleration" on page 17.

7. Apply the changes.

Figure 2–8 shows an example.

4 Continue with the next step. "Step 5: Configuring ProxyClient Web Filtering"


Figure 2–7 shows the ADN Rules tab with default settings.

Figure 2–7 The ADN Rules tab enables you to customize acceleration features, which is not necessary for this sample deployment

Figure 2–8 shows the CIFS tab.

Figure 2–8 The CIFS tab enables you to set CIFS acceleration options

For More Information

❐ "Specifying the ProxyClient ADN Manager" on page 103

❐ "Other ProxyClient Troubleshooting Tools" on page 224

❐ "Tuning the ADN Configuration" on page 107

❐ "Enabling File Sharing Acceleration" on page 111


Step 5: Configuring ProxyClient Web Filtering

This section shows step by step how to enable the ProxyClient to perform Web filtering for this sample deployment.

All tasks discussed in this section must be performed on the Client Manager.

# Description What to do

1 Enable ProxyClient Web filtering.

1. Click Configuration > ProxyClient > Web Filtering > Policy.

2. Select the Enable Web Filtering check box.

3. Apply the changes.

If any errors occur, you must resolve them before continuing. For more information, see "Enabling the Blue Coat Web Filter Database (Optional)" on page 130.

Note: Unlike in past releases, you do not need to enable or download the Blue Coat WebFilter database to use ProxyClient Web filtering. If the Client Manager runs SGOS 5.5 or later, all you must do is enable ProxyClient Web filtering. (The exception is if the same ProxySG appliance also performs in-office Web filtering.)

2 Enable ProxyClient Web filtering.

1. Click Configuration > ProxyClient > Web Filtering > Policy.

2. Select the Enable Web Filtering check box.


Figure 2–9 shows sample ProxyClient Web filtering policy that allows, warns, and blocks content based on selections from the BCWF database. In this sample deployment, neither CPL/VPM nor local database categories are used.

Figure 2–9 Setting up ProxyClient Web filtering with allow, block, and warn on various Blue Coat categories

3 Configure ProxyClient Web filtering policies.

1. Click Configuration > ProxyClient > Web Filtering > Policy.

2. In the All Categories pane, expand a category.

3. Select the check box corresponding to a category.

4. In the Selected Category Rule Base pane, in the Action column, click a policy action.

5. To configure policies per user or group, click the name of a category in the Selected Category Rule Base pane and click (Add user-group rule).

6. In the provided field, enter a user or group in any of the following formats:

• Fully qualified account names (for example, domain_name\user_name). Blue Coat recommends you do not use isolated names (for example, user_name).

• Fully qualified DNS names (for example, example.example.com\user_name)

• User principal names (UPN) (for example, [email protected]).

7. Apply the changes.

Figure 2–9 shows some sample categories.

6 Continue with the next step. "Step 6: Configure ProxyClient Locations"


For More Information

❐ "Web Filtering Task Summary" on page 128

❐ "Options for Enabling Blue Coat Web Filtering" on page 129

❐ "Enabling the Use of the Local Database (Optional)" on page 133

❐ "Managing Policy Categories" on page 147

❐ "Web Filtering Best Practices" on page 155

❐ "Enabling Web Filtering Logging" on page 159

Step 6: Configure ProxyClient Locations

This section shows step by step how to set up ProxyClient locations for this sample deployment.

Note: This example does not discuss Web filtering auto-detection. To use Web filtering auto-detection, additional configuration is required as discussed in "Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58.

# Description What to do

1 Prerequisite

Your computer must have all of the following:

• Physical adapter

• Wireless adapter

When you connect wirelessly, you must have the ability to connect to the network using VPN. Otherwise, you do not have access to remote accelerated resources like file shares.

The adapters must use different IP address ranges. The samples being used in this deployment are discussed in "Location Awareness Assumptions" on page 36.


2 Define an in-office location.

The in-office location has acceleration enabled and Web filtering disabled because when you are in the office, a ProxySG appliance is assumed to perform Web filtering for you.

1. Configuration > ProxyClient > General > Locations.

2. In the Name field, enter In office.

3. Select the Match source IP ranges check box if you select the Source IP range or select the Virtual NIC IP range checkbox if you select the virtual NIC IP range.

4. In the Source IP Ranges section, click New.

The steps that follow show how to set up the sample IP address ranges discussed in "Location Awareness Assumptions" on page 36. Replace these values with the appropriate IP address ranges.

5. In the IP Source Ranges fields, enter 192.168.0.200 and 192.168.0.254.

6. Click OK.

7. Select the Match DNS Servers check box.

8. In the Match DNS Servers section, click New.

9. In the Add DNS Server field, enter 192.168.1.55.

10. Click OK.

11. In the Actions section, select the Enable Acceleration check box.

12. Clear the Web Filtering check box.

13. In the New Locations dialog, click OK.

14. Apply the changes.

Figure 2–10 shows an example in-office location.


3 Define an out-of-office location.

The out-of-office location has both acceleration and Web filtering enabled.

1. Configuration > ProxyClient > General > Locations.

2. In the Name field, enter Out of office.

3. Select the Match source IP ranges check box.

4. Is the IP address you get when you connect wirelessly assigned by a router or by a VPN device?

• If it is assigned by a router, click New in the Source IP Ranges section.

• If it is assigned by VPN, click New in the Virtual NIC IP Ranges section.

The steps that follow show how to set up the sample IP address ranges discussed in "Location Awareness Assumptions" on page 36. Replace these values with the appropriate IP address ranges for your network.

5. In the provided fields, enter 10.5.0.0 and 10.5.4.254.

6. Click OK.

7. Select the Match DNS Servers check box.

8. In the Match DNS Servers section, click New.

9. In the Add DNS Server field, enter 10.5.5.54.

10. Click OK.

11. In the Actions section, select the Enable Acceleration check box and the Web Filtering check box.

12. In the New Locations dialog, click OK.

13. Apply the changes.

Figure 2–11 shows a sample out-of-office location.

4 Continue with the next step. "Step 7: Install the ProxyClient Software"


Figure 2–10 shows the sample in-office location used in this deployment. You must replace the sample IP address ranges with the IP address ranges used in your network.

Figure 2–10 Setting up an in office location that enables acceleration but disables ProxyClient Web filtering, assuming a ProxySG appliance performs Web filtering in the office


Figure 2–11 shows the sample out-of-office location used in this deployment. You must replace the sample IP address ranges with the IP address ranges used in your network.

Figure 2–11 Sample out of office location that enables both acceleration and Web filtering for the ProxyClient
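Before pushing the out-of-office conditions to clients, it helps to dry-run them against the addresses your wireless and VPN pools actually hand out. The following is an added example, not part of the guide or of any Blue Coat tool. It assumes the range is inclusive, that the source IP condition and the DNS condition must both match, and that every listed DNS server must be configured on the client; the test clients are constructed.

```python
import ipaddress

# Sample out-of-office conditions and actions as given in this guide.
OUT_OF_OFFICE = {
    "name": "Out of office",
    "source_ip_ranges": [("10.5.0.0", "10.5.4.254")],
    "dns_servers": ["10.5.5.54"],
    "actions": {"acceleration": True, "web_filtering": True},
}


def in_range(ip, start, end):
    """Start-end comparison; the range is treated as inclusive (assumption)."""
    ip, start, end = (ipaddress.ip_address(v) for v in (ip, start, end))
    return start <= ip <= end


def matches(location, client_ip, client_dns):
    """Assumed rule: the IP must fall in any listed range AND every listed
    DNS server must be among the client's configured DNS servers."""
    ip_ok = any(in_range(client_ip, s, e)
                for s, e in location["source_ip_ranges"])
    configured = {ipaddress.ip_address(d) for d in client_dns}
    dns_ok = all(ipaddress.ip_address(d) in configured
                 for d in location["dns_servers"])
    return ip_ok and dns_ok


def range_as_cidrs(start, end):
    """CIDR blocks that exactly cover a start-end range, for comparing the
    location definition with DHCP or VPN pool configuration."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
    return [str(n) for n in nets]


def dry_run(location, clients):
    """Return {client name: actions, or None when the location does not match}."""
    return {name: (location["actions"] if matches(location, ip, dns) else None)
            for name, (ip, dns) in clients.items()}


# Constructed test clients (not from the guide).
SAMPLE_CLIENTS = {
    "wireless laptop": ("10.5.2.17", ["10.5.5.54"]),
    "last address in range": ("10.5.4.254", ["10.5.5.54", "10.5.5.55"]),
    "one past the range": ("10.5.4.255", ["10.5.5.54"]),
    "right IP, wrong DNS": ("10.5.2.17", ["192.0.2.53"]),
}

if __name__ == "__main__":
    for name, result in dry_run(OUT_OF_OFFICE, SAMPLE_CLIENTS).items():
        print(f"{name:24} -> {result}")
    # The sample range is not a single CIDR block.
    print(range_as_cidrs("10.5.0.0", "10.5.4.254"))
```

A client that matches no location falls back to the default location, so a pool that extends past the configured range should be caught here rather than after deployment.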

Step 7: Install the ProxyClient Software
This section shows how to install the ProxyClient software from the Client Manager.

# Description What to do

1 Prerequisite
"Step 3: Configure the Client Manager" on page 42

2 Download and install the software
1. See the ProxyClient Release Notes for a list of supported Web browsers.
2. Start a supported Web browser and enter the following URL in its address or location field:
https://client-manager_host-or-ip:8084/proxyclient/ProxyClientSetup.exe
3. Follow the prompts to install the software.
4. When prompted, reboot your computer.
After you reboot, the ProxyClient begins accelerating network traffic. (Web filtering, if enabled, starts immediately after installation.)
For more information, see "Preparing Silent Installations and Uninstallations" on page 181.

3 Verify the installation
"Performing Basic Verification" on page 53

4 (Optional.) Configure Web filtering auto-detection
"Step 8: (Optional) Using Web Filtering Auto-Detection" on page 58

For More Information

❐ "Distributing the ProxyClient Software" on page 173

❐ "Interactive Installations from the Client Manager" on page 175

❐ "Troubleshooting ProxyClient Installation and Operation" on page 214

Performing Basic Verification
This section discusses how to verify the ProxyClient is performing acceleration and Web filtering. The information discussed in this section is not intended to be exhaustive.

To view details about ProxyClient operation, you must start the ProxyClient Web browser window.

To start the ProxyClient Web browser window:

Double-click the tray icon or right-click the tray icon and, from the pop-up menu, click Show Status.

Now see one of the following topics:

❐ "Verifying Location Awareness" on page 54
❐ "Viewing Acceleration Details" on page 56
❐ "Viewing Web Filtering Details" on page 57
❐ "Viewing the Admin Log" on page 57
❐ "Verifying Tamper Resistance" on page 58
❐ "For More Information About ProxyClient Troubleshooting" on page 58

Verifying Location Awareness
This section discusses how to verify your location awareness rules are set up correctly. To switch locations, switch from being physically connected to the network (which corresponds to the In office location) to wirelessly connecting to the network (which corresponds to the Out of office location).

To verify that location awareness is configured correctly:

1. Physically connect to the network and make sure that acceleration is enabled but that Web filtering is disabled due to your location.

An example follows.

(Figure callouts: Location displays as In office; Web filtering is disabled due to location; Acceleration is running)

2. Disconnect from the network and enable your wireless adapter. If necessary, log in to your VPN application.

Your location should change to Out of office and both acceleration and Web filtering should be enabled.

3. Browse to some Web sites that will either be blocked or that will warn you.

This will generate some Web filtering events and confirm that Web filtering is functioning.

An example follows.

(Figure callouts: Acceleration is running; Web filtering is running and some events have been generated; Location displays as Out of office)

Viewing Acceleration Details
To generate activity for ProxyClient acceleration, copy files from a file share on a file server behind your concentrator or start an application (such as an intranet application) that runs from a Web server that is accelerated by your concentrator.

The ProxyClient Web browser window indicates the current status of acceleration as follows.

Figure 2–12 ProxyClient Web browser window showing acceleration is running

(Figure callouts: Display only if acceleration is enabled; Current acceleration status)

If acceleration is enabled and running, the following display:

❐ The Network tab displays (if acceleration is disabled or not running, there is no Network tab page)

❐ The Acceleration Statistics section on the Status tab page displays (if acceleration is disabled or not running, there is no Acceleration Statistics section)

❐ Running displays in the Acceleration Statistics section heading

To view results from byte caching and CIFS protocol optimization, click the Advanced tab. The cache utilization displayed in the Disk Cache section on the Advanced tab page should increment as you copy files from a file share behind your concentrator.

For More Information About ProxyClient Acceleration

❐ "Other ProxyClient Troubleshooting Tools" on page 224

❐ "Using the Client Manager for Acceleration Troubleshooting" on page 118

❐ "Using a Concentrator for Acceleration Troubleshooting" on page 118

❐ "Getting Detailed Diagnostics" on page 126

Viewing Web Filtering Details
To generate activity for ProxyClient Web filtering, go to URLs that belong to categories you are allowing or blocking.

The ProxyClient Web browser window indicates the current status of Web filtering as follows:

Figure 2–13 ProxyClient Web browser window showing Web filtering is running

If Web filtering is enabled and running, Running displays in the Filtering Statistics section heading and the statistics increment as the user browses the Web.

For More Information About ProxyClient Web Filtering

❐ "Troubleshooting ProxyClient Web Filtering" on page 165

❐ "Getting Web Filtering Status from the Web Browser Window" on page 166

❐ "Using the Client Manager for Web Filtering Troubleshooting" on page 167

❐ "Getting Detailed Diagnostics" on page 170

Viewing the Admin Log
The ProxyClient Admin Log contains information about the operations the ProxyClient is performing. To view the Admin Log, start the ProxyClient Web browser window and click the Advanced tab.

In the Diagnostic Tools section, click View Log. (You can also click the ProxyClient tray icon and click View Log from the pop-up menu.)


Verifying Tamper Resistance
Even though you did not configure an uninstall password on the Client Manager in "Step 3: Configure the Client Manager" on page 42, the ProxyClient software is still protected from its policy file being changed or deleted.

To verify this, locate the following directory in Windows Explorer:
%SystemDrive%\Program Files\Blue Coat\ProxyClient

On Windows 7 (64bit), locate the following directory:
%SystemDrive%\Program Files (x86)\Blue Coat\ProxyClient

Right-click ProxyClientConfig.xml (the ProxyClient policy file) and try to edit it. Even if you edit it and save it, the policy file will not be used because it is not possible to encrypt it properly.

Delete or rename ProxyClientConfig.xml. The configured policy remains in effect. You can verify this if you have Web filtering enabled by trying to access a blocked Web site. If you have only acceleration enabled, copy or open a file on an accelerated file share and notice the cache usage increases and the acceleration statistics change.

To recover ProxyClientConfig.xml, either restart the ProxyClient service or change the policy on the Client Manager and get a configuration update. (From the ProxyClient Web browser window, click the Advanced tab and click Check For Updates Now.)

See Also

"For More Information About ProxyClient Troubleshooting" on page 58

For More Information About ProxyClient Troubleshooting

❐ "Troubleshooting ProxyClient Installation and Operation" on page 214

❐ "Other ProxyClient Troubleshooting Tools" on page 224

❐ "Troubleshooting ProxyClient Web Filtering" on page 165

Step 8: (Optional) Using Web Filtering Auto-Detection
Web filtering auto-detection—introduced in SGOS 5.5 and ProxyClient 3.2—means you no longer have to specifically disable ProxyClient Web filtering in an in-office location. The ProxyClient automatically detects an in-line ProxySG that is performing Web filtering and disables ProxyClient Web filtering functionality.

Prerequisites: All of the following must be true:

❐ The Client Manager must run SGOS 5.3.2.5 or later.

❐ Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).

❐ The ProxyClient must be deployed in any of the following ways:

• In-path with the filtering ProxySG


• The ProxyClient computer must use the filtering ProxySG as an explicit proxy

❐ ProxyClients must run 3.2 or later.

❐ Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed.

In this sample deployment, you can do this as follows:

• Connect the ProxyClient computer to the ProxySG’s LAN port and make sure the ProxySG can connect to the Internet.

• If an in-office ProxySG is already in-path between the ProxyClient computer and the Internet, you must install the local policy discussed in the next bullet on that ProxySG.

Note: The procedure uses the following terminology:

• The filtering ProxySG is an in-office appliance that performs Blue Coat WebFiltering for users in the office, including ProxyClients.

• Your ProxySG is the appliance you configured as the ADN Manager, Client Manager, and concentrator.

All of the following must be true of the appliance you use for Web filtering auto-detection:

• It must have the BCWF database installed on it

• It must be in-path between the ProxyClient computer and the Internet

• It must be able to access the Internet

• It must be configured as a proxy (that is, it must intercept traffic)

• It must have Web filtering policy configured

Depending on your office network, this could be one ProxySG appliance or more than one appliance.


To enable and verify Web filtering auto-detection, use the following steps:

# Description What to do

1 Install local policy on the ProxySG that performs in-office Web filtering
1. Log in to the filtering ProxySG’s Management Console as an administrator.
This ProxySG can be either an in-office filtering proxy that is in-line with the ProxyClient computer or a filtering proxy that is configured as an explicit proxy for the ProxyClient computer.
2. Configuration > Policy > Policy Files.
3. From the Install Local Policy from list, click Text Editor.
4. Click Install.
5. In the provided field, enter the following:

    <proxy>
    request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

    define action i_am_filtering
    set (response.x_header.X-BCWF-License, "VendorID")
    end

where VendorID is your Blue Coat WebFilter database user name.

For an example, see "Sample Local Policy File" on page 62.

3 Required if your ProxySG will perform Web filtering. Download the BCWF database.
1. Log in to your ProxySG appliance as an administrator.
2. Configuration > Content Filtering > General.
3. Select the Blue Coat WebFilter check box.
4. Apply the changes.
5. Configuration > Content Filtering > Blue Coat WebFilter.
6. Click Download Now.
7. At the configuration dialog, click OK.
8. Click View Download Status.

It takes several minutes to download the database. Click View Download Status until a success message similar to the following displays:

    Download log:
    Blue Coat download at: 2009/10/01 19:02:44 +0000
    Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
    Requesting differential update
    Download size: 194115948
    Database date: Thu, 01 Oct 2009 16:05:59 UTC
    Database expires: Sat, 31 Oct 2009 16:05:59 UTC
    Database version: 292740400
    Database format: 1.1

If errors display, see the suggestions in "Enabling the Blue Coat Web Filter Database (Optional)" on page 130 to resolve the issue before continuing.


4 Optional. Enable the local database.
1. Create a text file with categories and URLs in the following format:

    define category-name
    url1
    url2
    urln
    end

2. Put the text file on a Web server your ProxySG can access.
3. Click Configuration > Content Filtering > General.
4. Select the Enable check box for the Local Database.
5. Click Configuration > Content Filtering > Local Database.
6. If a user name and password are required, follow the prompts on your screen to enter them.
7. Click Download Now.
8. Click View Download Status and verify the database downloaded successfully.

5 Optional. Configure Web filtering policies.

Use CPL or VPM to configure Web filtering policies as discussed in "Defining Custom Categories in Policy" on page 404 in the SGOS Administration Guide.

6 Connect the ProxyClient computer to the ProxySG in-path.
Do any of the following:
• Connect the ProxyClient computer’s network cable to the LAN port on the rear panel of the ProxySG appliance. For more information, see the Quick Start Guide provided with the appliance.
Depending on the appliance, it might be necessary to configure a software bridge; for more information, click Configure > Network > Adapters and click Help.
• For a filtering ProxySG that is either in-path with the ProxyClient or is used by the ProxyClient computer as an explicit proxy, make sure you installed the local policy in step 1 on that ProxySG.


Sample Local Policy File
Following is a sample local policy file where the Vendor ID is 6EAZ8-BDC17F.

    <proxy>
    request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

    define action i_am_filtering
    set (response.x_header.X-BCWF-License, "6EAZ8-BDC17F")
    end

7 Delete your in-office location
This is necessary because your in-office location already has ProxyClient Web filtering disabled, which will prevent auto-detection from being enabled. As a result of deleting the in-office location, you will use the default location, which has ProxyClient Web filtering enabled.
1. Configuration > ProxyClient > General > Locations
2. Click your in-office location.
3. Click Delete.
4. At the configuration dialog, click Yes.
5. Apply the changes.
6. Start the ProxyClient Web browser window.
7. Click the Advanced tab.
8. On the Advanced tab page, in the Software Update section, click Check For Updates Now.
9. At the confirmation dialog, click Close.

8 Request a URL
Before Web filtering auto-detection is enabled, you must request a URL. It does not matter whether the URL is one that should be allowed or blocked.

9 Verify auto-detection is working
"Verifying Web Filtering Auto-Detection" on page 63


Verifying Web Filtering Auto-Detection
After you make a URL request, start the ProxyClient Web browser window. The status of Web filtering displays as Delegated to the Blue Coat Security Gateway. A sample follows.

(Figure callout: Status: Delegated to Blue Coat Security Gateway)

Click More logs at the bottom of the window and look for this message:
Web Filtering has been delegated to a Blue Coat Security Gateway.

# Description What to do

1 Configure an uninstall password.
1. Log in to the Client Manager’s Management Console as an administrator.
2. Configuration > ProxyClient > General > Client Software.
3. In the Uninstall Password section, click Change Password.
4. Enter a password in the provided fields (for example, bluecoat).
5. Click OK.
6. At the confirmation dialog, click OK.


2 Manually get the configuration update on the ProxyClient.
1. Start the ProxyClient Web browser window.
2. Click the Advanced tab.
3. On the Advanced tab page, in the Software Update section, click Check For Updates Now.
4. At the confirmation dialog, click Close.

3 Stop the ProxyClient service.
1. Start > [Settings] > Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services.
4. Right-click Blue Coat ProxyClient.
5. From the pop-up menu, click either Stop or Restart.
An error displays and the service does not stop or restart.
6. Open a DOS command window.
7. Enter the following command:
net stop ProxyClientSvc.exe
An error displays and the service does not stop.

4 Attempt to uninstall the ProxyClient software using the incorrect password.
1. Start > [Settings] > Control Panel.
2. Double-click Add or Remove Programs.
3. Click Blue Coat ProxyClient.
4. Click Remove.
5. At the confirmation dialog, click Yes.
6. At the Enter Password dialog, enter the incorrect uninstall password and click OK.
An error displays and the uninstallation does not proceed.


5 Attempt to rename or delete ProxyClientConfig.xml
2. Locate the following folder in Windows Explorer:
%SystemDrive%\Program Files\Blue Coat\ProxyClient
On Windows 7 (64bit), locate this folder:
%SystemDrive%\Program Files (x86)\Blue Coat\ProxyClient
3. Right-click ProxyClientConfig.xml
4. From the pop-up menu, click Rename.
5. Enter a new name and press Enter.
An error displays.
6. Delete ProxyClientConfig.xml
An error displays.


Chapter 3: Getting Started with the ProxyClient

This chapter discusses the following topics:

❐ "ProxyClient Configuration Overview"
❐ "Where To Go From Here" on page 69

ProxyClient Configuration Overview
Figure 3–1 provides an overview of the Application Delivery Network (ADN), Client Manager, and ProxyClient configuration tasks you must perform in an acceleration only, Web filtering only, and mixed feature environment.

Click the Blue Coat logo to jump to a section with more information about that feature or see "Where To Go From Here" on page 69 for a list of links for ProxyClient configuration tasks.

See Also

For a step by step sample deployment, see Chapter 2: "ProxyClient Deployments".


Figure 3–1 High-level overview of ProxyClient configuration tasks


Where To Go From Here
Chapter 2: "ProxyClient Deployments"

Chapter 4: "ADN Network Configuration Prerequisites"

Chapter 5: "Configuring the Client Manager"

Chapter 6: "Configuring ProxyClient Locations"

Chapter 7: "Configuring ProxyClient Acceleration"

Chapter 8: "Configuring ProxyClient Web Filtering"


Chapter 4: ADN Network Configuration Prerequisites

This chapter discusses ADN configuration tasks that must be performed before you can start to configure the ProxyClient.

This chapter discusses the following topics:

❐ "ProxyClient Compatibility with SGOS"
❐ "Preparing the ADN Configuration for ProxyClient Deployment" on page 73
❐ "About Open ADN and Closed ADN With the ProxyClient" on page 74
❐ "About Manager Listening Mode With the ProxyClient" on page 77
❐ "About Tunneling Listening Mode With the ProxyClient" on page 78
❐ "Configuring Manager and Tunneling Ports" on page 79
❐ "Configuring Concentrators to Advertise Subnets" on page 79
❐ "About Secure Outbound Mode" on page 80
❐ "About Internet Gateways" on page 80

ProxyClient Compatibility with SGOS
This section discusses the following topics:

❐ "Recommended Upgrade Information"
❐ "ProxyClient and SGOS Compatibility" on page 72
❐ "Important Information About Web Filtering Support" on page 72

Recommended Upgrade Information
Before you deploy the ProxyClient, make sure the ADN manager, backup manager (if any), concentrators, and the Client Manager in your ADN network are running compatible versions of SGOS. In general, use the following guidelines:

❐ Make sure the ADN manager, ADN backup manager (if any), concentrators, and Client Manager are running the most recent version of SGOS.

❐ If you need to upgrade ProxySG appliances, do so in the following order:

a. ADN Manager and ADN backup manager, if any

b. Concentrators

c. Client Manager

d. ProxyClient software on client computers

ProxyClient and SGOS Compatibility
The following table summarizes SGOS compatibility with the ProxyClient (version 3.1.x, 3.2.x, and 3.3.x):

Client Manager | ADN Manager | Concentrator | ProxyClient 3.1.x | ProxyClient 3.2.x | ProxyClient 3.3.x
6.1.x | 6.1.x | 6.1.x | Compatible | Compatible | Compatible
5.3-5.5 | 5.3-5.5 | 5.3-5.5 | Compatible | Compatible | Compatible
5.3-5.5 | 5.3-5.5 | 5.2 | Compatible | Compatible | Compatible
5.3-5.5 | 5.2 | 5.2 | Compatible | Compatible | Compatible
5.2 | 5.2 | 5.2 | Not compatible | Not compatible | Not compatible
5.2 | 5.3-5.5 | 5.2 | Not compatible | Not compatible | Not compatible
5.2 | 5.3-5.5 | 5.3-5.5 | Not compatible | Not compatible | Not compatible

Note: SGOS 5.5.x and later does not support the SG Client 2.x.

To use the ProxyClient version 3.2.x or later in your ADN network, Blue Coat strongly recommends your Client Manager and ADN Manager (and backup manager, if any) run SGOS version 5.5.x or later. In addition, Blue Coat recommends all concentrators that provide ADN tunnels for ProxyClients be upgraded to SGOS version 5.5.x or later.

SGOS 5.4.x or later ADN managers, backup managers, and concentrators enable you to use either open, managed ADN or closed ADN with the ProxyClient. Open ADN and closed ADN are backward compatible with SGOS versions 5.1.4 and later (in other words, SGOS versions that support secure ADN).

Important Information About Web Filtering Support
Because of recent changes made to Blue Coat WebFilter categories, not all combinations of Client Manager and ProxyClient are compatible. The following table discusses compatible and incompatible versions.

ProxyClient version | SGOS 5.3.1.x | SGOS 5.3.2.x | SGOS 5.3.3.x and later
ProxyClient 3.1.2.x or earlier | Possible issues | Compatible | Possible issues
ProxyClient 3.1.3.x or later, including 3.2.x and 3.4.x | Possible issues | Compatible | Compatible

Issues result when all of the following are true:

❐ A ProxyClient user requests a URL that matches a category that changed. (Ten new categories were added and five existing categories were renamed.)

For example, the Arts/Entertainment category is now split into the Arts/Culture and Entertainment categories.

❐ You configured a policy action for one of the categories that changed.

When a client requests a URL that is categorized as Arts/Culture, for example, but you set a policy action for Arts/Entertainment, the URL is classified as Unknown and the policy action is applied (allow, block, or warn).

❐ The resulting Unknown categorization has a policy action that is different from the policy action for the policy you configured.

To complete the example, suppose you blocked Arts/Entertainment but you allowed Unknown. In that case, the URL request is allowed when you intended for it to be blocked.
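The three conditions above can be checked mechanically against an exported policy. The following is an added example, not part of the guide or of any Blue Coat tool. It assumes the policy is available as a category-to-action mapping and ranks allow, warn, block from least to most strict; only the Arts/Entertainment split comes from the guide, and the sample policy is constructed.

```python
# Category change named in this guide. A real audit would list every renamed
# or split category from the Blue Coat Knowledge Base articles.
CATEGORY_CHANGES = {"Arts/Entertainment": ["Arts/Culture", "Entertainment"]}

# Assumed ordering, used only to label a finding as weaker than intended.
STRICTNESS = {"allow": 0, "warn": 1, "block": 2}


def applied_action(policy, database_category):
    """Action applied to a URL the database places in database_category.
    A category with no rule of its own is treated as Unknown, as described
    in the guide."""
    return policy.get(database_category, policy["Unknown"])


def audit(policy, changes=CATEGORY_CHANGES):
    """Return one finding per changed category whose applied action differs
    from the action configured under the old category name."""
    if "Unknown" not in policy:
        raise ValueError("policy must define an action for Unknown")
    findings = []
    for old_name, new_names in changes.items():
        if old_name not in policy:
            continue  # no rule was configured for the changed category
        intended = policy[old_name]
        for new_name in new_names:
            applied = applied_action(policy, new_name)
            if applied != intended:
                findings.append({
                    "configured": old_name,
                    "database_category": new_name,
                    "intended": intended,
                    "applied": applied,
                    "weaker": STRICTNESS[applied] < STRICTNESS[intended],
                })
    return findings


# Constructed sample policy matching the scenario in the text.
SAMPLE_POLICY = {"Arts/Entertainment": "block", "Unknown": "allow"}

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        flag = "WEAKER THAN INTENDED" if f["weaker"] else "differs"
        print(f"{f['database_category']}: configured under "
              f"{f['configured']} as {f['intended']}, "
              f"applied {f['applied']} ({flag})")
```

Findings marked weaker are the ones where a request is allowed or only warned about when the administrator intended a stricter action.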

For more information, see one of the following Blue Coat Knowledge Base articles:

❐ KB2966

❐ KB1567

For More Information About ADN Networks
For more information about open ADN and closed ADN, see "ADN Modes" on page 773 in the chapter on configuring ADN networks in the SGOS Administration Guide.

For more information about using open, managed ADN and closed ADN with the ProxyClient, see "About Open ADN and Closed ADN With the ProxyClient" on page 74.

Preparing the ADN Configuration for ProxyClient Deployment
This section discusses deployment considerations for the ProxyClient in your ADN network. The following list summarizes the choices you have:

❐ To use Web filtering only, you can set up your ADN network to use open ADN without an ADN manager.

If you use Web filtering only, and you do have ADN managers in your network, you do not need to continue reading this chapter. You should continue with Chapter 5: "Configuring the Client Manager".

❐ To use acceleration, your ADN network must use explicit deployment (that is, the ProxyClient must obtain routes from the ADN manager). Therefore, you must specify a primary ADN manager and backup manager (if any). The ProxyClient does not advertise routes.


If your primary ADN manager and backup manager (if any) run SGOS 5.4 or later, you have the option of selecting open, managed ADN or closed ADN. Both options support the use of the ProxyClient.

ADN configuration for the ProxyClient with open ADN and closed ADN is discussed in "About Open ADN and Closed ADN With the ProxyClient" on page 74.

❐ Because the ProxyClient uses plain communications only, the options you select for manager listening mode and tunneling listening mode must be compatible with the ProxyClient. These options are discussed in the sections that follow.

Note: Manager listening mode and tunneling listening mode options are available only in a secure ADN network. To set up secure ADN, all appliances must run SGOS 5.1.4 or later and you must first set up an SSL device profile on each ProxySG. For more information about SSL device profiles, see the section on SSL device profiles in the chapter on managing SSL traffic in the SGOS Administration Guide.

❐ You can configure the ADN network to use the same port for plain manager and plain tunnel and the same port for secure manager and secure tunnel.

You set these options in the Management Console as follows:

Configuration > ADN > General > General, Manager Ports section

Configuration > ADN > Tunneling > Connection, Inbound section

This section discusses the following topics:

❐ "About Open ADN and Closed ADN With the ProxyClient"
❐ "About Manager Listening Mode With the ProxyClient" on page 77
❐ "About Tunneling Listening Mode With the ProxyClient" on page 78
❐ "About Secure Outbound Mode" on page 80

About Open ADN and Closed ADN With the ProxyClient
Open ADN and closed ADN are configurable on ADN managers that run SGOS 5.4 or later. If your ADN manager and backup manager (if any) run SGOS 5.3 or earlier, these options are not available.

Note: Blue Coat strongly recommends you upgrade your ADN manager, backup manager, and concentrators to the latest SGOS release; however, if you choose not to do so, skip this section and continue with "About Manager Listening Mode With the ProxyClient" on page 77.

Use the following guidelines to configure open ADN or closed ADN with the ProxyClient:

❐ ProxyClient requires explicit deployments (that is, there must be an ADN manager that publishes routes advertised by concentrators). You can therefore use either an open, managed ADN network or a closed ADN network. You cannot use an open, unmanaged ADN network with the ProxyClient unless ProxyClient is used only for Web filtering.

❐ If you use a backup ADN manager, configure it the same as the primary ADN manager. In particular, make sure both managers use the same open or closed ADN options.

❐ To use ProxyClient Web filtering only, no ADN manager is required. You can configure your ADN network to be either closed or open. You do not need to continue reading this chapter; instead, continue with Chapter 5: "Configuring the Client Manager".

See one of the following sections for more information:

❐ "Configuring a Closed or Open ADN Network"
❐ "Enabling ADN Managers" on page 76

Configuring a Closed or Open ADN Network
This section discusses how to configure your ADN network as either open or closed.

To configure open or closed ADN options:

1. Log in to the ADN manager’s Management Console as an administrator.

2. Click Configuration > ADN > Manager > Peer Authorization.

3. Do any of the following:

• To configure an open ADN network, clear the Allow transparent tunnels only within this managed network check box.

• To configure a closed ADN network, select the Allow transparent tunnels only within this managed network check box.

4. Optionally configure peer authorization and load balancing options as discussed in "ADN Peer Authentication" on page 778 and "ADN Load Balancing" on page 775 in the SGOS Administration Guide.

5. Repeat these tasks on the backup ADN manager, if any.

6. See one of the following sections:

• To configure ADN managers (for either a managed or unmanaged open ADN network or for a closed ADN network), see "Enabling ADN Managers".

• To configure concentrators to advertise subnets to accelerate (for any type of ADN network), see "Configuring Concentrators to Advertise Subnets" on page 79.

If you do not set up concentrators to advertise subnets, the ProxyClient will not accelerate network traffic.


Enabling ADN Managers
This section discusses how to enable a primary ADN manager and, optionally, a backup ADN manager. For the ProxyClient to be able to accelerate network traffic, you must configure a primary ADN manager.

To configure ADN managers:

1. Log in as an administrator to the Management Console of a concentrator that will accelerate traffic for ProxyClients.

2. Click Configuration > ADN > General.

3. Select the Enable Application Delivery Network check box.

4. In the Primary ADN Manager section, specify the primary ADN manager’s IP address.

5. If your ADN network has a backup ADN manager, in the Backup ADN Manager section, specify the backup ADN manager’s IP address.

The following error most likely indicates you entered the IP address of the wrong device (for example, another Client Manager, a proxy, or a ProxySG appliance that is not an ADN manager):

% Device ID is needed to support security authorization

If this error displays, re-enter the ADN manager’s IP address.

6. Continue with the following sections:

• "About Manager Listening Mode With the ProxyClient"

• "About Tunneling Listening Mode With the ProxyClient" on page 78

• "Configuring Concentrators to Advertise Subnets" on page 79

• "About Secure Outbound Mode" on page 80

• "About Internet Gateways" on page 80


About Manager Listening Mode With the ProxyClient

Manager listening mode determines the way routes are advertised in the ADN network: using the plain manager port (non-secure communication) or the secure manager port (secure communication), or both.

Select manager listening mode options on the ADN manager and backup manager only. Manager listening mode options are not available on other ProxySG appliances.

To set manager listening mode options:

1. Log in to the primary or backup ADN manager’s Management Console as an administrator.

2. Click Configuration > ADN > General > Connection Security.

3. Click one of the following options:

• Secure Only

Only ProxySG appliances using secure connections can advertise routes. However, because selecting this option means that only the secure listener is active, you cannot select this option if you have ProxyClients in your ADN network because ProxyClients use only plain connections.

• Plain Read-Only

(Recommended.) Select this option if all ProxySG appliances in the ADN network use SGOS version 5.1.4 or later—where all appliances support secure routing, and you have enabled secure routing on those ProxySG appliances.

This option means that only ProxySG appliances that use secure connections can advertise routes. Devices that use plain communications (such as ProxyClients) can obtain routes but cannot advertise routes.

• Plain Only

Select this option in cases where you do not secure any ADN connections between ProxySG appliances.

This option means that only ProxySG appliances that use plain connections can advertise routes.

Note: Select this option only if all appliances in the ADN network run SGOS version 5.1.4 or later.


• Both

Select this option if you use the ProxyClient in your ADN network and some appliances in the network are not capable of using secure connections (for example, some appliances run SGOS version 5.1.3 or earlier).

This option means that ProxySG appliances that use either secure or plain connections can advertise routes. If secure is enabled and available, it is used by default.

4. Apply the changes.

For more information about setting the plain manager port and the secure manager port, see the section on configuring ADN managers in the chapter on configuring an ADN network in the SGOS Administration Guide.

5. Continue with "About Tunneling Listening Mode With the ProxyClient".

About Tunneling Listening Mode With the ProxyClient

Tunneling listening mode determines the type of incoming tunnel communications this ProxySG appliance accepts: using the plain tunnel port (non-secure communications) or the secure tunnel port (secure communications).

Select options for tunneling listening mode on every concentrator to which you expect ProxyClients to connect.

To set tunneling listening mode options:

1. Log in to a concentrator’s Management Console as an administrator.

2. Click Configuration > ADN > General > Connection Security.

Click one of the following options:

• Secure Only

This option means the ProxySG appliance accepts only secure tunneling connections. Because the ProxyClient uses only plain connections, you cannot select this option if you have ProxyClients in your ADN network.

• Plain

Select this option to enable the ProxyClient to connect to the appliance in cases where you do not secure any ADN connections between ProxySG appliances.

This option means this appliance accepts only plain tunneling connections.


• Both

Recommended for ProxyClient deployments in ADN networks in which secure ADN is used. Select this option if you use the ProxyClient in your ADN network and some appliances in the network use secure ADN. This option also enables you to support appliances that are not capable of accepting incoming secure tunneling connections (for example, some appliances run SGOS version 5.1.3 or earlier).

This option means this appliance accepts both plain and secure tunneling connections.

3. Apply the changes.

For more information about the plain tunnel port and the secure tunnel port, see the section on configuring ADN managers in the chapter on configuring an ADN network in the SGOS Administration Guide.

4. Continue with "About Secure Outbound Mode".

Configuring Manager and Tunneling Ports

You can configure the ADN network to use the same port for plain manager and plain tunnel and the same port for secure manager and secure tunnel.

You set these options in the Management Console as follows:

Configuration > ADN > General > General, Manager Ports section

Configuration > ADN > Tunneling > Connection, Inbound section

Configuring Concentrators to Advertise Subnets

To use ProxyClient acceleration, concentrators that front content servers must advertise the servers’ subnets; otherwise, network traffic to those servers is not accelerated. For example, if you have file servers that store data that ProxyClients need to access, those file servers should be fronted by concentrators that advertise the subnets on which the file servers reside.

To configure a concentrator to advertise subnets:

1. Log in to the concentrator’s Management Console as an administrator.

2. Click Configuration > ADN > Routing > Server Subnets.

3. Click Add.

4. In the IP / Subnet dialog, enter the following information:

• IP / Subnet Prefix field: Enter either an IP address or an IP address in CIDR notation (for example, 172.16.0.0/16). If you enter the address in CIDR notation, you do not need to enter a subnet mask.

• Subnet Mask field: Enter a valid subnet mask for the IP address you entered in the preceding field.

5. In the IP / Subnet dialog, click OK.

6. Repeat these tasks to set up all subnets advertised by the concentrator.


7. When you are finished, apply the changes.

About Secure Outbound Mode

The Secure Outbound Mode options have no impact on the ProxyClient because these options determine how ProxySG appliances communicate with each other. For a tunneling connection to be established between two ProxySG appliances, the initiating appliance’s secure outbound mode must be compatible with the tunneling listening mode of the receiving appliance.

About Internet Gateways

The ProxyClient honors Internet Gateway settings. Network traffic that is not bound by ADN routing rules routes to the specified gateway unless an exception rule applies.

There are some routes, such as those for local hosts, that are not required to go through the ADN Internet gateway.

You can optionally define these routes using a concentrator’s Management Console (Configuration > ADN > Routing > Internet Gateway). ProxyClient uses this configuration.


Chapter 5: Configuring the Client Manager

This chapter discusses how to configure a ProxySG appliance as the Client Manager. The Client Manager can function in other roles in an ADN network (for example, it can be a concentrator, ADN manager, or both).

This chapter discusses the following topics:

❐ "Before You Begin Configuring the Client Manager"

❐ "Designating a ProxySG as the Client Manager" on page 81

❐ "Uploading the ProxyClient Software to the Client Manager" on page 85

❐ "Setting Up the Client Manager (CLI)" on page 89

Before You Begin Configuring the Client Manager

To use ProxyClient acceleration, you must perform the following tasks at minimum:

❐ Configure an ADN manager and optionally a backup ADN manager.

See "Enabling ADN Managers" on page 76

❐ Configure your concentrators to advertise subnets.

See "Configuring Concentrators to Advertise Subnets" on page 79

Also see the following topics:

❐ Concepts discussed in the chapter on configuring an ADN network in the SGOS Administration Guide.

❐ Chapter 4: "ADN Network Configuration Prerequisites"

❐ "About ProxyClient Licensing" on page 31

Continue with "Designating a ProxySG as the Client Manager".

Designating a ProxySG as the Client Manager

This section discusses how to configure an appliance in the ADN network as the Client Manager.

You must configure one ProxySG in your ADN network as the Client Manager. The Client Manager is responsible for providing the ProxyClient software, software updates, and client configuration to ProxyClient applications installed on user computers.

Note: To use ProxyClient Web filtering only, you do not need to configure an ADN manager. You must configure a Client Manager as discussed in this chapter, however.


To designate a ProxySG as the Client Manager:

1. Perform the tasks discussed in "Before You Begin Configuring the Client Manager" on page 81.

2. Log in to the Client Manager’s Management Console as an administrator.

3. Click ProxyClient > General > Client Manager.

4. On the Client Manager tab page, select the Enable Client Manager check box.

Doing this designates this ProxySG as a Client Manager.

The Features message displays the current state of ProxyClient features. If ProxyClient features are currently disabled, you can click a link to go to the appropriate page and configure that feature.

For more information about enabling ProxyClient features, see one of the following sections:

• "Specifying the ProxyClient ADN Manager" on page 103

• Chapter 8: "Configuring ProxyClient Web Filtering"

5. In the Client Manager section, enter or edit the following information:

Note: The Client Manager can be a different appliance than the ADN manager or the backup ADN manager. That is, you can configure the ADN manager or the backup ADN manager as the Client Manager, but it is not required.


Table 5–1 Client Manager options

Option: Description

Host section: Specify the host from which users get the ProxyClient software, configuration, and updates. Blue Coat recommends you specify a fully qualified host name, and not an unqualified (short) host name or IP address. If you use a fully qualified host name and the Client Manager’s IP address changes later, you need only to update DNS for the Client Manager’s new address and clients can continue to download the software and updates from the Client Manager.

You have the following options:

• Use host from initial client request: (Recommended.) Select this option to enable clients to download the ProxyClient software, configuration, and updates from the original host. In other words, in a typical ProxyClient deployment, the administrator e-mails users a URL from which they obtain the ProxyClient software and configuration initially. The host name or IP address in this URL is used to download the software to the client and is written to the client’s configuration file for use in future software and configuration updates.

This option is compatible with all methods of deploying the ProxyClient, including Windows Group Policy Object (GPO), Microsoft System Center Configuration Manager (SCCM), or Systems Management Server (SMS). For more information about these deployment options, see Chapter 9: "Distributing the ProxyClient Software".

• Use host: Select this option to download the ProxyClient software and configuration from the host name you specify. Enter a fully qualified host name or IP address only; do not preface it with http:// or https:// because software and configuration downloads will fail. Use this option to migrate users from one Client Manager to another Client Manager or if you have more than one Client Manager behind a load balancer. Because a load balancer typically advertises one Virtual IP (VIP) address, you should enter the load balancer’s VIP in the Use host field.

To migrate users from one Client Manager to another, see also "" on page 229.

Port field: Enter the port on which the Client Manager listens for requests from clients. The default is 8084.

Keyring list: Click the name of the keyring to use when clients connect to the Client Manager.

Update Interval field: Specify the length of time (in minutes) between update checks. For example, if the value is 120, each ProxyClient application connects to the Client Manager every 120 minutes for configuration and software updates (beginning at startup).

Valid values are 10-432000 (that is, 300 days). The default is 120 minutes.


After you apply the changes, the Client Components section displays a summary of the information you selected.

Table 5–2 discusses the meaning of this information.

Table 5–2 Client Components section

Item: Description

Client setup: Displays the URL from which users download the ProxyClient setup application. The setup application (ProxyClientSetup.exe) downloads the Microsoft installer (ProxyClientSetup.msi) to the client. This information is intended for interactive client installations from the Client Manager; for more information, see "Preparing Interactive Installations" on page 174.

Provide this URL to users so they can install the ProxyClient software on their computers. To install the software this way, the user must have administrator privileges on the client machine.

Note: If you selected Use host from client request for Host, the URL displays as follows:

https://host-from-client-request:8084/proxyclient/ProxyClientSetup.bsx

To download the ProxyClient using this URL, substitute the Client Manager’s host name or IP address for host-from-client-request.

Client install MSI: Displays the URL from which ProxyClientSetup.exe downloads ProxyClientSetup.msi.

This information is intended for non-interactive installations using SCCM, SMS, or GPO, as discussed in "Using Group Policy Object Distribution" on page 193.

Note: Blue Coat recommends users not run the .msi on their computers because the installation fails unless the user enters parameters on the command line (for example, BCSI_UPDATEURL).

Client configuration: Displays the URL from which the ProxyClient installer downloads the client configuration file (ProxyClientConfig.xml).

This information is provided for your reference only. For more information, see one of the following sections:

• "Preparing Silent Installations and Uninstallations" on page 181

• "Using Group Policy Object Distribution" on page 193

Client configuration last modified: Displays the most recent date and time ProxyClientConfig.xml was updated on the Client Manager.


See Also

"Uploading the ProxyClient Software to the Client Manager" on page 85

Chapter 7: "Configuring ProxyClient Acceleration"

Chapter 9: "Distributing the ProxyClient Software"

"Setting Up the Client Manager (CLI)" on page 89

Uploading the ProxyClient Software to the Client Manager

This section discusses how to upload ProxyClient software to the Client Manager and how to protect the ProxyClient from being tampered with by setting an uninstall password.

Because SGOS does not necessarily have the latest ProxyClient software, you should check BlueTouch Online regularly for updates and provide the updates to ProxyClients.

Setting an uninstall password prevents users from performing the following tasks:

❐ Uninstalling the ProxyClient software

❐ Disabling ProxyClient features or policy (Web filtering or acceleration) by:

• Stopping the ProxyClient service using Task Manager or net stop or sc from the command line

• Viewing or editing the ProxyClient configuration file

This section discusses the following topics:

❐ "Overview of the ProxyClient Upload Process"

❐ "Getting the ProxyClient Software" on page 86

❐ "Running Windows.msi" on page 87

❐ "Uploading the ProxyClient .car File to the Client Manager" on page 87

See Also

Chapter 2: "ProxyClient Deployments"

Overview of the ProxyClient Upload Process

You have the following options to upgrade the ProxyClient software on the Client Manager and on client computers:

❐ Upload the ProxyClient software to the Client Manager and let clients get the software from the Client Manager as discussed in the procedure that follows.

Upgrading the Client Manager to the most recent version of SGOS does not replace the ProxyClient software on the Client Manager.

❐ Manually run ProxyClientSetup.msi on client computers.

The other installer, named ProxyClientSetup.exe, should be used only to download the ProxyClient software from the Client Manager.


❐ Automated updates using Group Policy Object (GPO) or Microsoft Systems Management Server (SMS).

To upgrade the software, see the following sections in the order shown:

1. "Getting the ProxyClient Software"

2. "Running Windows.msi" on page 87

3. "Uploading the ProxyClient .car File to the Client Manager" on page 87

See Also

Chapter 9: "Distributing the ProxyClient Software"

Getting the ProxyClient Software

This section discusses how to get any of the following:

❐ The ProxyClient.msi file, which you use to install the ProxyClient software on client machines—including distributing the software using SCCM, SMS, GPO, or a similar method.

❐ The ProxyClient .car file, which you upload to the Client Manager.

Client computers receive the updated ProxyClient software at the next update interval, with the exception of any client computers for which updates are prohibited.

To get the ProxyClient software:

1. Go to the following URL:

http://support.bluecoat.com

2. Click the link to download the ProxyClient 3.4.2.0 software.

3. At the prompts, enter your BlueTouch Online user name and password.

If you do not have a BlueTouch Online login, go to http://www.bluecoat.com/support/supportservices/btorequest

Note: If the ProxyClient software was installed on the client machine with the option to prohibit software updates, you must update the ProxyClient software on client computers using one of the following methods:

• Manually running ProxyClientSetup.msi on client computers.

• Automatically using GPO or SMS.


4. Follow the prompts on your screen to download any of the following:

File: Description

Windows.msi file: Manually install the ProxyClient software on client computers. If you choose this option, skip the rest of this procedure after downloading the file.

ProxyClient.car file: Upload the ProxyClient software to the Client Manager, which enables clients to upgrade to the latest version. On the Download ProxyClient.car page, you also have the option to copy the link displayed on the page to download the .car file to the Client Manager. To use this link, the Client Manager must be able to contact http://bto.bluecoat.com. The link expires in 24 hours. If you choose this option, skip the rest of this procedure after copying the link location.

Note: The Windows.msi and ProxyClient.car files can install the 32-bit or 64-bit version of the ProxyClient software.

5. If you chose to download the ProxyClient .car file, locate it in any of the following:

• On the local file system of the computer you run the Client Manager’s Management Console.

That is, to upload the ProxyClient software from your local file system or from a network share drive (as opposed to uploading it from a remote URL), you must copy ProxyClient.car to an accessible location.

• On a Web server the Client Manager can access.

6. Continue with "Running Windows.msi".

Running Windows.msi

The Windows.msi file should be used for manual installations or installations distributed by SCCM, SMS, GPO, or a similar system as discussed in Chapter 9: "Distributing the ProxyClient Software".

To distribute the ProxyClient software from the Client Manager instead, see "Uploading the ProxyClient .car File to the Client Manager".

Uploading the ProxyClient .car File to the Client Manager

This section discusses how to upload the ProxyClient .car file to the Client Manager, which makes the ProxyClient software available to client computers at the next update interval, with the exception of any client computers for which updates are prohibited.


To install the ProxyClient software manually from the command line, or using SCCM, SMS, GPO, or a similar system, skip this section and see Chapter 9: "Distributing the ProxyClient Software" instead.

To upload the ProxyClient .car file to the Client Manager:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > General > Client Manager > Client Software.

The Current ProxyClient Software section displays information about the ProxyClient software this Client Manager is currently using.

Do any of the following:

• To upload the ProxyClient .car file, see step 3.

• To use the link from the Blue Coat download site, see step 4.

3. This step discusses how to upload to the Client Manager the ProxyClient .car file you got from the Blue Coat download site.

To use the link provided on the download page instead, skip this step and see step 4.

To upload the ProxyClient .car file:

a. From the Install ProxyClient software from list, click Local file.

b. Click Install.

c. At the confirmation dialog, click Yes.

d. In the Open dialog, locate the ProxyClient .car file and click Open.

The .car file has a name similar to the following:

proxyclient_3[4].3.1.1_12345_ProxyClientSetup.car

Notes:

• The name of the ProxyClient .car file changes with every release.

• Depending on the Web browser you used to download the software, square brackets might not be in the file name.

e. Wait a few minutes for the upload to complete.

A confirmation dialog displays the message File successfully installed. If errors display, try the upload again. If errors continue, try getting the ProxyClient .car file again or try using the link displayed on the download page.

Using the link to the ProxyClient software displayed on the download page is discussed in more detail in step 4.

f. At the confirmation dialog, click OK.

At the next update interval, the software will be distributed to all ProxyClient users except those for which you disabled automatic software updates.


4. This step discusses how to upload the ProxyClient software to the Client Manager using the link provided on the Blue Coat download site.

To upload the ProxyClient .car file instead, skip this step and see step 3.

To use the link provided on the Blue Coat download page to update the ProxyClient software on the Client Manager:

a. From the Install ProxyClient software from list, click Remote URL.

b. Click Install.

c. At the confirmation dialog, click Yes.

The Install ProxyClient Software dialog displays.

d. In the Installation URL field, paste the URL displayed on the Blue Coat download page.

The URL has a format similar to the following:

https://bto.bluecoat.com/download/direct/56549919812997134284474771733824

Note: Every download URL link is unique.

e. In the Install ProxyClient Software dialog, click Install.

f. Wait a few minutes for the upload to complete.

A confirmation displays the message The file was successfully downloaded and installed. If errors display, try the upload again. If errors continue, try using the ProxyClient .car file as discussed earlier.

g. At the confirmation dialog, click OK.

h. In the Install ProxyClient Software dialog, click OK.

At the next update interval, the software will be distributed to all ProxyClient users except those for which you disabled automatic software updates.

Important: After you update the ProxyClient software on the Client Manager, whenever users connect using the ProxyClient, they must update their ProxyClient software unless software updates are disabled. You have the option of disabling software updates from the Client Manager if you plan to distribute updates some other way (for example, by SCCM, SMS, or GPO). For more information, see "Parameters for Silent Installations" on page 183.

Before uploading the ProxyClient software, verify the Client Manager is running compatible SGOS software. For example, ProxyClient 3.2.x requires SGOS 5.4.x or later. Compatibility information is discussed in the ProxyClient Release Notes.

Setting Up the Client Manager (CLI)

This section discusses the following topics:

❐ "Configuring the Client Manager (CLI)"

❐ "Loading the Software (CLI)" on page 90

❐ "Showing ProxyClient Settings (CLI)" on page 90

❐ "Clearing ProxyClients (CLI)" on page 90

Configuring the Client Manager (CLI)

To configure the Client Manager:

1. At the #(config) command prompt, enter proxy-client.

2. Enable this appliance as the Client Manager:

#(config proxy-client) enable

3. Configure Client Manager settings:

#(config proxy-client) client-manager host {from-client-address | ip_address | host}

#(config proxy-client) client-manager install-port port

#(config proxy-client) client-manager keyring keyring

#(config proxy-client) hashed-uninstall-password hashed-password

#(config proxy-client) uninstall-password cleartext-password

Loading the Software (CLI)

The following commands enable you to upload an updated ProxyClient.car file to the Client Manager.

#(config proxy-client) software-upgrade-path path-to-proxyclient-car

You can use any of the following commands to load the ProxyClient software on the Client Manager:

#(config) load proxy-client-software

Showing ProxyClient Settings (CLI)

To show current ProxyClient settings:

#(config) show proxy-client [adn [exclude-subnets] | clients | cifs | locations | web-filtering]

Clearing ProxyClients (CLI)

To clear ProxyClients:

#(config proxy-client) clear {inactive | all}

Clears (that is, sets to zero) the count of inactive ProxyClients or all ProxyClients.

Note the following:

• Clients are automatically cleared after 30 days of inactivity.

• After a software upgrade, clients appear twice for 30 days—one entry for the earlier version of client software and one entry for the newer version of client software. You can optionally clear the inactive clients to avoid seeing duplicate information.


• For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.


Chapter 6: Configuring ProxyClient Locations

This chapter discusses the following topics:

❐ "Location Awareness Overview"

❐ "Location Awareness Decision Diagram" on page 94

❐ "Location Awareness Task Summary" on page 95

❐ "Configuring ProxyClient Locations" on page 95

❐ "Configuring Web Filtering Auto-Detection" on page 100

❐ "Configuring ProxyClient Locations (CLI)" on page 101

Location Awareness Overview

The ProxyClient application automatically detects its location by matching a combination of IP address, virtual NIC IP address, and DNS server address as specified by the ProxySG administrator.

The purpose of configuring locations is to enable ProxyClient features based on where the user connects. For example, a user who works from home on a laptop needs the ProxyClient to perform both acceleration and Web filtering because the user does not connect to a network with a local ProxySG that performs those functions. However, if the user brings the same laptop to work, both ProxyClient acceleration and Web filtering should be disabled because a local ProxySG concentrator or branch appliance performs those functions.

This section discusses the following topics:

❐ "Configuring ProxyClient Locations"

❐ "Configuring Default Actions" on page 99

For conceptual information and examples, see "About ProxyClient Location Awareness" on page 13 and "Step 6: Configure ProxyClient Locations" on page 48.


Location Awareness Decision Diagram

The following figure shows how to decide which ProxyClient features to enable in your locations, as well as how to decide when to use Web filtering auto-detection. For more information about Web filtering auto-detection, either click one of the blue rectangles in the figure or see "Configuring Web Filtering Auto-Detection" on page 100.

Continue with "Location Awareness Task Summary".


Location Awareness Task Summary

The following table summarizes the tasks required to set up location awareness:

Task: Description

1. "About ProxyClient Location Awareness" on page 13: Understand your network; specifically, how clients use VPN to access your network, IP source address ranges, and DNS server IP addresses.

2. "Step 6: Configure ProxyClient Locations" on page 48: See a step by step example of setting up locations.

3. "Configuring ProxyClient Locations" on page 95: Configure locations for office, branch office, home office, and mobile users.

4. "Configuring Default Actions" on page 99: Default actions are for users that do not match any configured locations.

5. "Ordering Locations in the Rulebase" on page 98: To make sure users match the correct location, put the most restrictive (that is, more specific) locations in the rulebase before less restrictive locations.

Configuring ProxyClient Locations

This section discusses how to use location conditions to define specific locations, such as office headquarters, branch offices with ProxySG concentrators, and mobile users.

For more information and examples, see the following sections:

❐ "Location Awareness Overview" on page 93

❐ "Location Awareness Task Summary" on page 95

❐ "General Guidelines for Location Conditions" on page 15

❐ "About Condition Rulebase Ordering" on page 16

❐ "Step 6: Configure ProxyClient Locations" on page 48

To specify locations:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Select Configuration > ProxyClient > General > Locations.

3. On the Locations tab page, click New.

The New Locations dialog displays.

4. In the Name field, enter a name that identifies this location. For example, Headquarters.

Note: The location name cannot be changed later.


5. In the Conditions section, select one or more conditions that define this location.

The Conditions section enables you to specify one or more conditions that define the location, and therefore the ProxyClient features to apply to users in the location. For more information and examples of setting up locations, see the following sections:

• "General Guidelines for Location Conditions" on page 15
• "About Condition Rulebase Ordering" on page 16

To add a location condition, perform the following tasks:

Condition Tasks

Source IP ranges

1. Select the Match source IP ranges check box.
2. Click New.
Note: You cannot directly edit an existing condition. First delete the existing condition and then add a new one.
3. In the Add IP Source Range dialog, enter a starting and ending IP address in the provided fields. You must enter a pair of IP addresses; you cannot enter CIDR notation.
4. Click OK.
5. Repeat these tasks to enter other source IP address ranges if required.
Note: This condition is matched if the user has an IP address in any of the ranges you define.

DNS servers

1. Select the Match DNS servers check box.
2. Click New.
Note: You cannot directly edit an existing condition. First delete the existing condition and then add a new one.
3. In the Add DNS Servers IPs dialog, enter the server’s IP address.
4. Click OK.
5. Repeat these tasks to enter other DNS server IP addresses if required.
Note: This condition is matched only if all DNS servers are matched. For example, if the location defines DNS IP addresses 10.1.1.1 and 10.1.1.2, and the user’s computer has only 10.1.1.2 defined, there is no match. However, if the location condition defines DNS IP addresses 10.1.1.1 and 10.1.1.2, and the user’s computer has 10.1.1.1, 10.1.1.2, and 10.1.1.3 defined, there is a match.

Virtual NIC IP ranges

1. Select the Match Virtual NICs IP check box.
2. Click New.
Note: You cannot directly edit an existing condition. First delete the existing condition and then add a new one.
3. In the Add Virtual NIC IP Range dialog, enter a starting and ending IP address in the provided fields. The range you enter should correspond to a range of IP addresses provisioned by your VPN gateway.
• You must enter a pair of IP addresses; you cannot enter CIDR notation.
4. Click OK.
5. Repeat these tasks to enter other Virtual NIC IP address ranges if required.
Note: This condition is matched if the user has a VNIC IP address in any of the ranges you define.
Note: If VPN client software does not recognize a Virtual NIC (and instead recognizes it as a physical adapter), see "Using the ProxyClient VPN Whitelist Utility" on page 238.

Important: All selected conditions must match to enable the selected location features. For example, if Source IP Address and DNS Servers conditions are selected, and if the user matches the source IP address but not the DNS server IP address, the user does not match this location and the features enabled by the location will not be applied to the user.

Users who do not match any location conditions have default actions applied to them as discussed in "Configuring Default Actions" on page 99.

6. Select the check box corresponding to which features are enabled for this location:

• Select Enable Acceleration to accelerate network traffic using all of the following:
  • gzip
  • CIFS protocol acceleration
  • byte caching
• Select Enable Web Filter to perform Web filtering in this location.

7. Click OK.


The location name and associated policy actions display on the Locations tab page.

See Also

"Overview of Location Awareness" on page 13

"General Guidelines for Location Conditions" on page 15

"About Condition Rulebase Ordering" on page 16

Ordering Locations in the Rulebase

The order in which locations display on the Configuration > ProxyClient > General > Locations tab page determines the order in which the rules are evaluated when users connect to the Client Manager. To avoid mismatches, order the rules from most to least restrictive.

For example, suppose headquarters uses IP addresses in the range from 10.0.0.0 to 10.255.255.255 but the VPN gateway located at headquarters has a pool of IP addresses in a subset of that range; for example, 10.3.1.1 to 10.3.1.255. Because the VPN gateway is used by home office or mobile users, the administrator wants to use different policy actions for headquarters and home office users.

Users at the headquarters location should have ProxyClient acceleration and Web filtering disabled but users in a home office or mobile location should have both ProxyClient features enabled.

To accomplish that, the administrator creates the two locations as follows.

Location Conditions

Headquarters

• Source IP address range: 10.0.0.0 to 10.255.255.255
• DNS server IP address: For example, 10.0.0.11 and 10.0.0.12

Home office or mobile

• DNS server IP address: Same as headquarters
• VNIC IP address range: 10.3.1.1 to 10.3.1.255

To make sure the home office or mobile location is detected first, the administrator must order it in the rulebase before the headquarters location. An example follows.
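The condition and ordering rules in this chapter can be checked offline before a rulebase is pushed to clients. The following Python model is an added example, not Blue Coat code: it applies the documented rules (any-range match for source and VNIC addresses, all-servers match for DNS, every selected condition must match, first matching location wins, default actions otherwise) to the headquarters and home office locations above. The client records are constructed, and the model assumes a VPN-assigned address is also visible as a source address, which is the overlap the ordering rule guards against.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Range = Tuple[str, str]  # (starting IP, ending IP); the guide does not allow CIDR here


@dataclass
class Location:
    name: str
    acceleration: bool
    webfilter: bool
    # None means the condition's check box is not selected.
    source_ranges: Optional[List[Range]] = None
    dns_servers: Optional[List[str]] = None
    vnic_ranges: Optional[List[Range]] = None


@dataclass
class Client:
    source_ips: List[str]
    dns_servers: List[str]
    vnic_ips: List[str] = field(default_factory=list)


def in_any_range(addresses, ranges):
    """True if at least one address falls inside at least one range."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    for low, high in ranges:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if any(lo <= a <= hi for a in addrs):
            return True
    return False


def matches(loc, client):
    """All selected conditions must match for the location to apply."""
    if loc.source_ranges is not None and not in_any_range(client.source_ips, loc.source_ranges):
        return False
    if loc.dns_servers is not None:
        wanted = {ipaddress.ip_address(d) for d in loc.dns_servers}
        have = {ipaddress.ip_address(d) for d in client.dns_servers}
        if not wanted <= have:  # every DNS server of the location must be on the client
            return False
    if loc.vnic_ranges is not None and not in_any_range(client.vnic_ips, loc.vnic_ranges):
        return False
    return True


def evaluate(rulebase, client, default=(True, True)):
    """Return (location name, acceleration, webfilter) for the first match."""
    for loc in rulebase:
        if matches(loc, client):
            return (loc.name, loc.acceleration, loc.webfilter)
    return ("default",) + tuple(default)


HQ_DNS = ["10.0.0.11", "10.0.0.12"]
HQ = Location("Headquarters", False, False,
              source_ranges=[("10.0.0.0", "10.255.255.255")], dns_servers=HQ_DNS)
HOME = Location("Home office or mobile", True, True,
                dns_servers=HQ_DNS, vnic_ranges=[("10.3.1.1", "10.3.1.255")])

CORRECT_ORDER = [HOME, HQ]  # most restrictive location first
WRONG_ORDER = [HQ, HOME]

# Constructed clients for illustration.
HQ_DESKTOP = Client(["10.20.4.7"], HQ_DNS)
VPN_USER = Client(["192.168.1.23", "10.3.1.40"], HQ_DNS + ["192.168.1.1"], ["10.3.1.40"])
CAFE_USER = Client(["172.16.5.9"], ["172.16.5.1"])

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for who, c in (("hq", HQ_DESKTOP), ("vpn", VPN_USER), ("cafe", CAFE_USER)):
            print(label, who, evaluate(rules, c))
```

With the headquarters location listed first, the VPN user is classified as Headquarters and loses both acceleration and Web filtering, which is the mismatch the ordering rule is meant to prevent.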


Configuring Default Actions

The purpose of default actions is to enable ProxyClient features for users that do not match any location conditions.

For example, mobile users that do not connect to the network using VPN have unknown source IP ranges and DNS servers. If a mobile user connects to the network using VPN, the user has a VNIC IP address you can use to establish the user’s location.

To configure default actions:

1. Log in to the Management Console as an administrator.

2. Click Configuration > ProxyClient > General > Locations.

3. At the bottom of the Locations tab page, in the Default Actions section, select the check box corresponding to features to enable for clients who do not match any defined location conditions.

The following figure shows an example of enabling both acceleration and Web filtering by default:

See Also

"Overview of Location Awareness" on page 13

"General Guidelines for Location Conditions" on page 15


Configuring Web Filtering Auto-Detection

This section discusses the prerequisites and benefits of Web filtering auto-detection, which disables ProxyClient Web filtering when a ProxySG is available to perform Blue Coat Web filtering.

Using Web filtering auto-detection, you no longer need to set up a location to specifically disable ProxyClient Web filtering.

No additional Client Manager configuration is required; the only requirements follow:

❐ The Client Manager must run SGOS 5.3.2.5 or later.

❐ Filtering ProxySGs can run any version of SGOS that supports Blue Coat Web Filtering (BCWF).

❐ The ProxyClient must be deployed in any of the following ways:

• In-path with the filtering ProxySG

• The ProxyClient computer must use the filtering ProxySG as an explicit proxy

❐ ProxyClients must run 3.2 or later.

❐ Every ProxySG that performs Web filtering in a network to which ProxyClients might connect must have local policy installed.

Installing Local Policy on ProxySGs

This section discusses how to configure local policy on a ProxySG appliance that performs Web filtering. The ProxySG appliance must have policy installed on it that adds an HTTP response header (X-BCWF-License) to rating responses from service points.

This header is interpreted by the ProxyClient to determine whether ProxyClient Web filtering should be disabled (that is, deferred to the ProxySG appliance). You must install this policy on all filtering ProxySGs that meet any of the following criteria:

❐ ProxySGs in-path between the ProxyClient computer and the Internet

❐ ProxySGs that are used by ProxyClients as an explicit proxy

To install local policy on a ProxySG that performs Web filtering for ProxyClients:

1. Log in to the ProxySG’s Management Console as an administrator.

2. Click Configuration > Policy > Policy Files.

3. In the right pane, for Install Local File from, click Text Editor from the list.

4. Click Install.


5. In the provided field, enter the following:

<proxy>
    request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

define action i_am_filtering
    set (response.x_header.X-BCWF-License, "VendorID")
end

where VendorID is your Blue Coat WebFilter database user name. If your enterprise has more than one Vendor ID, enter them as a comma-separated list.

An example with one Vendor ID follows:

<proxy>
    request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

define action i_am_filtering
    set (response.x_header.X-BCWF-License, "6EAZ8-BDC17F")
end

6. Click Install.

If errors display, check the command syntax and try again.

7. After the policy successfully installs, click OK at the confirmation dialog and then click Close.

Configuring ProxyClient Locations (CLI)

To configure client location settings:

1. At the #(config) command prompt, enter proxy-client.

2. At the #(config proxy-client) command prompt, enter locations.

3. Configure location settings:

#(config proxy-client locations) create location_name
#(config proxy-client locations) edit location_name

#(config proxy-client name) acceleration {enable | disable}
#(config proxy-client name) webfilter {enable | disable}

#(config proxy-client name dns) add ip-address
#(config proxy-client name dns) clear
#(config proxy-client name dns) exit
#(config proxy-client name dns) remove ip-address
#(config proxy-client name dns) view

#(config proxy-client name source) add ip-address-range
#(config proxy-client name source) clear
#(config proxy-client name source) exit
#(config proxy-client name source) remove ip-address-range
#(config proxy-client name source) view

#(config proxy-client name vnic) add vnic-address-range
#(config proxy-client name vnic) clear
#(config proxy-client name vnic) exit
#(config proxy-client name vnic) remove vnic-address-range
#(config proxy-client name vnic) view

#(config proxy-client name) match-dns {enable | disable}
#(config proxy-client name) source {enable | disable}
#(config proxy-client name) vnic {enable | disable}


#(config proxy-client name) exit

#(config proxy-client name) view

#(config proxy-client locations) acceleration {disable | enable}
#(config proxy-client locations) webfilter {disable | enable}
#(config proxy-client locations) {promote location_name | demote location_name}
#(config proxy-client locations) delete location_name
#(config proxy-client locations) clear
#(config proxy-client locations) view


Chapter 7: Configuring ProxyClient Acceleration

This chapter discusses the following topics:

❐ "Before You Begin Configuring ProxyClient Policy"
❐ "Specifying the ProxyClient ADN Manager" on page 103
❐ "Tuning the ADN Configuration" on page 107
❐ "Enabling File Sharing Acceleration" on page 111
❐ "Troubleshooting ProxyClient Acceleration" on page 115

Before You Begin Configuring ProxyClient Policy

Before performing the tasks discussed in this section, perform the following tasks in the order shown:

1. "Preparing the ADN Configuration for ProxyClient Deployment" on page 73

2. "Enabling ADN Managers" on page 76

3. "Configuring Concentrators to Advertise Subnets" on page 79

4. Optional. "About Internet Gateways" on page 80

Specifying the ProxyClient ADN Manager

This section discusses how to configure the Client Manager to contact the ADN managers, which publish routes to the ProxyClient.

To specify the ADN manager for the ProxyClient:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Acceleration > General.


3. On the General tab page, enter or edit the following information:

Item Description

Enable Acceleration check box

You must select this check box to enable ProxyClient to accelerate network traffic using all of the following methods:
• gzip
• CIFS protocol acceleration
• byte caching
If you clear the check box, the ProxyClient performs no acceleration.

Acceleration License

Displays the status of your acceleration license as either Valid or Invalid. The ProxyClient—Acceleration license component is part of the base SGOS license. If the status is Invalid, there is a problem with your Blue Coat license. Verify a valid base SGOS license is installed (Maintenance > Licensing > View). Contact Blue Coat Support for license troubleshooting issues.

Maximum percentage of disk space to use for caching field

Enter the maximum percentage of total client disk space (as opposed to available disk space) to use for caching objects, such as CIFS objects. Valid values are 1–90; the default is 10. The higher you set the value, the more information is cached on user systems, but at the expense of disk space that might be required to run other applications.

Primary manager IP address

Enter the IP address of the ADN manager for the ADN network to which the ProxyClient connects. You have the following options:
• To use the current ADN configuration on this ProxySG, click Use ProxySG ADN Managers. The primary and backup ADN manager IP address and plain manager port values are copied into the appropriate fields.
• To enable this ProxySG to be the primary or backup ADN manager, click Configure ADN.
For assistance troubleshooting issues with this tab page, see "Troubleshooting ProxyClient Acceleration Configuration" on page 106. For more information about the role of the ADN manager, see "ADN and ProxyClient Terminology" on page 23 and "About the Roles of ProxySG Appliances With the ProxyClient" on page 25.

Backup manager IP address

Enter the IP address of the backup ADN manager, if any.

ADN manager port

Enter the ADN manager’s plain listen port (by default, 3034).
Important: Do not enter a secure port number, because the ProxyClient version 3.2.x does not support secure tunnels.

4. Click Apply.

If errors display, see "Troubleshooting ProxyClient Acceleration Configuration" on page 106.

Otherwise, continue with "Tuning the ADN Configuration" on page 107.


Troubleshooting ProxyClient Acceleration Configuration

The following table discusses the meanings of error messages on the General tab page:

Message Meaning and suggested workaround

ProxyClient acceleration might not function when the Client Manager is disabled.

Meaning: You enabled ProxyClient acceleration without designating this appliance as the Client Manager.
Workaround: Either click the link or click Configuration > ProxyClient > General and enable this appliance to be the Client Manager as discussed in "Designating a ProxySG as the Client Manager" on page 81.

ProxySG ADN must be enabled with primary or backup manager Self to use this configuration for ProxyClient acceleration.

Meaning: You entered the primary IP address of this ProxySG appliance as either the primary or backup ADN manager but you did not enable this appliance to be either the primary or backup ADN manager. (The primary IP address is the IP address assigned to the appliance’s lowest-numbered interface; for example, interface 0:0. To confirm the primary IP address, click General > Identification.)
Workaround: Use the following steps:
1. Click Configure ADN or click Configuration > ADN > General.
2. Select the Enable Application Delivery Network check box.
3. In the Primary ADN Manager section, click Self to use this ProxySG appliance as the primary ADN manager, or click IP Address and enter the primary ADN manager’s IP address.
4. Click Apply.
5. Click Configuration > ProxyClient > Acceleration > General.
6. Click Use ProxySG ADN Managers. This copies the ADN manager configuration from the Configuration > ADN > General tab page.
7. Click Apply.
See also "Enabling ADN Managers" on page 76. For more detailed information, see Chapter 2, Configuring an Application Delivery Network.

Primary ADN Manager IP address is required

Meaning: You enabled ProxyClient acceleration but did not enter the IP address of the primary ADN manager.
Workaround:
1. Click Use ProxySG ADN Managers. This copies the ADN manager configuration from the Configuration > ADN > General tab page.
2. Click Apply.


Tuning the ADN Configuration

The ProxySG enables you to customize include and exclude subnets and port lists, which are advanced settings that limit the traffic that is accelerated by the ADN network. Because the ADN manager sets options for both its peers in the ADN network and for ProxyClients, you can use the include or exclude ports list to fine-tune the way ProxySG appliances interact with the ProxyClient.

For example, if you know that ProxyClient traffic over particular ports is not compressible, you can add those ports in the exclude ports list.

Specifically, you must understand the following:

❐ Include and exclude ports—Includes or excludes TCP ports in ADN tunnels. Assuming ProxyClients can connect to a ProxySG that can optimize traffic to the destination address, this setting determines which ports are accelerated (or are not accelerated) for clients. You can use either the excluded ports list or included ports list, but not both.

❐ Excluded subnets—You can exclude intranet connections from being forwarded to a ProxySG configured as an Internet gateway. This is important if your network is designed such that a connection to an intranet server fails if it is sent through an Internet gateway.

Provided an Internet gateway is configured, forwarding occurs as follows:

a. If the destination IP address is a local address, do not attempt to use an ADN tunnel; instead, connect directly. This is the end of the process.

b. If the destination IP address is in the ProxyClient’s excluded subnets list, do not attempt to use an ADN tunnel; instead, connect directly. This is the end of the process.

Otherwise, if the IP address is not in the ProxyClient’s exclude list, continue with the next step.

c. If the destination IP address matches an entry in the ADN routing table, forward the connection over an ADN tunnel; otherwise, continue with the next step.

d. If a ProxySG is configured as an Internet gateway, look up the destination IP address in the Internet gateway’s exception list.

If the address does not match, forward the connection over an ADN tunnel to the Internet gateway; otherwise, connect directly to the destination IP address.

Important: Blue Coat strongly recommends you test the include/exclude ports settings in a controlled environment before using them in production because improper settings can have an adverse impact on performance.

Note: Make sure you know which ports are used by applications you want to accelerate and put them in the include ports list; otherwise, the traffic is not accelerated.

See one of the following sections for more information:

❐ "Excluding Subnets from Being Accelerated"
❐ "Excluding and Including Ports" on page 109

Excluding Subnets from Being Accelerated

This section discusses how to prevent subnets from being accelerated when clients connect using the ProxyClient.

To exclude subnets:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Acceleration > ADN Rules.

3. On the ADN Rules tab page, in the Excluded Subnets section, click Add.

The Add IP/Subnet dialog displays.


4. Enter or edit the following information:

Option Description

IP / Subnet Prefix field

Enter either an IP address or an IP address and subnet in Classless Inter-Domain Routing (CIDR) notation (for example, 192.168.0.0/16).

Subnet Mask field

Use this field if you entered only an IP address in the preceding field (that is, if you used CIDR notation in the preceding field, you do not need to enter a value in this field).

5. In the Add IP/Subnet dialog, click OK.

6. Repeat these tasks to exclude more subnets, if required.

Excluding and Including Ports

This section discusses how to include or exclude traffic on certain TCP ports; in other words, traffic on these ports either will be accelerated (if included) or will not be accelerated (if excluded). Note that if you include ports, traffic on all other ports is not accelerated.

The following table discusses typical ports you can include.

Port or port range Description

49152-65534 Passive FTP

443 HTTPS

139, 445 CIFS

21 FTP control port

8080 Commonly used by Web applications.

In addition, consider the following sources of information:

❐ On any ProxySG configured as a proxy, Configuration > Services > Proxy Services. For any protocol the proxy is intercepting, consider adding the protocol’s port to the include list.

❐ Internet Assigned Numbers Authority reference.


To exclude or include ports:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Acceleration > ADN Rules.

The ports section displays.

3. In the Ports section, click one of the following options:

• Exclude: Client traffic from specified ports is not routed through the ADN tunnel. All other traffic is accelerated.

Valid values: Comma-separated list of ports and port ranges (no spaces, separated by a dash character). For example:

22,88,443,993,995,1352,1494,1677,3389,5900-5902

• Include: Client traffic from specified ports is routed through the ADN tunnel and therefore is accelerated. All other traffic bypasses the tunnel and is not accelerated.

Valid values: Comma-separated list of ports and port ranges (no spaces, separated by a dash character). For example:

80,139,445,8080-8088

Include ports 139 and 445 for file sharing (CIFS services) acceleration.

4. Click Apply.

Note: The include and exclude ports lists are advanced settings that limit the traffic that is accelerated by the ADN network.
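Before changing ADN rules in production, the combined effect of the port list and the forwarding steps a through d in "Tuning the ADN Configuration" can be checked against sample destinations. The following Python model is an added example, not Blue Coat code. It assumes that "local address" means an address on one of the client's own subnets, and it applies the port list first (the outcome is the same in any order, because every non-tunnel result is a direct connection). The subnets, concentrator and gateway names are constructed.

```python
import ipaddress


def parse_ports(spec):
    """Parse a list such as '80,139,445,8080-8088' into (low, high) tuples."""
    if not spec or any(ch.isspace() for ch in spec):
        raise ValueError("port list must be non-empty and contain no spaces")
    ranges = []
    for item in spec.split(","):
        low, dash, high = item.partition("-")
        if not low.isdigit() or (dash and not high.isdigit()):
            raise ValueError("bad port entry: %r" % item)
        lo, hi = int(low), int(high) if dash else int(low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("port out of range or reversed: %r" % item)
        ranges.append((lo, hi))
    return ranges


def port_is_accelerated(port, mode, spec):
    """Include mode accelerates only listed ports; exclude mode all others."""
    listed = any(lo <= port <= hi for lo, hi in parse_ports(spec))
    if mode == "include":
        return listed
    if mode == "exclude":
        return not listed
    raise ValueError("mode must be 'include' or 'exclude', not both")


def forward(dst, port, cfg):
    """Return (path, detail) where path is 'direct' or 'tunnel'."""
    ip = ipaddress.ip_address(dst)

    def inside(nets):
        return any(ip in ipaddress.ip_network(n) for n in nets)

    if not port_is_accelerated(port, cfg["port_mode"], cfg["ports"]):
        return ("direct", "port not accelerated")
    if inside(cfg["local_subnets"]):            # step a
        return ("direct", "local address")
    if inside(cfg["excluded_subnets"]):         # step b
        return ("direct", "excluded subnet")
    for net, concentrator in cfg["adn_routes"]:  # step c
        if ip in ipaddress.ip_network(net):
            return ("tunnel", concentrator)
    gateway = cfg.get("internet_gateway")       # step d
    if gateway is None:
        return ("direct", "no route")
    if inside(gateway["exceptions"]):
        return ("direct", "gateway exception")
    return ("tunnel", gateway["name"])


# Constructed configuration; the include list is the guide's own example.
CFG = {
    "port_mode": "include",
    "ports": "80,139,445,8080-8088",
    "local_subnets": ["192.168.1.0/24"],
    "excluded_subnets": ["10.50.0.0/16"],
    "adn_routes": [("10.0.0.0/8", "concentrator-hq")],
    "internet_gateway": {"name": "gateway-sg", "exceptions": ["203.0.113.0/24"]},
}

if __name__ == "__main__":
    samples = [("192.168.1.20", 445), ("10.50.3.3", 445), ("10.1.2.3", 445),
               ("10.1.2.3", 22), ("198.51.100.7", 80), ("203.0.113.9", 80)]
    for dst, port in samples:
        print(dst, port, forward(dst, port, CFG))
```

Note that 10.50.3.3 falls inside the advertised 10.0.0.0/8 route but still connects directly, because the excluded subnets list is consulted before the ADN routing table.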


Enabling File Sharing Acceleration

This section discusses how to enable ProxyClient acceleration of the Common Internet File System (CIFS) protocol, which is the protocol used to access files and directories across the WAN. Using CIFS acceleration improves performance when users request the same files from a file server at headquarters, for example.

To enable file sharing acceleration using the ProxyClient:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Verify the CIFS ports are listed in the Included Port list as discussed in "Enabling File Sharing Acceleration" on page 111.

3. Click Configuration > ProxyClient > Acceleration > CIFS.

The CIFS tab displays.

Note: The ProxyClient does not perform CIFS acceleration to a server that has SMB message signing enabled. For more information, see Microsoft KB article 887429. Also see any other CIFS-related information discussed in the ProxyClient Release Notes.

For file sharing conceptual information, see "About ProxyClient CIFS Acceleration" on page 17.

For more detailed information about CIFS optimization on the ProxySG, see the chapter on the CIFS proxy in the SGOS Administration Guide.


4. On the CIFS tab, enter or edit the following information:

Option Description

Enable CIFS acceleration check box

You must select this check box to enable clients to accelerate CIFS traffic.

Remote Storage Optimization option

When a user browses to an accelerated remote file share using Windows Explorer, set this option to Enable to improve access to remote file shares by causing Windows Explorer to avoid read ahead on those folders. Set the option to Disable to allow Windows Explorer to read ahead on remote file shares.
Note: This setting is not related to Windows offline folders.
For more information, see "About ProxyClient CIFS Acceleration" on page 17.

Suppress Folder Customization option

Setting this option to Enable can improve performance when using Windows Explorer to browse to a remote accelerated file share that has a large number of customized nested folders that are set to read-only. (An example of customizing a folder is changing its display icon.) Click Disable to cause Windows to enforce the read-only attribute for all folders on accelerated remote file shares.
For more information, see "About ProxyClient CIFS Acceleration" on page 17.

Write Back options

Write back options determine whether or not user connections continue sending data to the ProxySG appliance while the appliance is writing data on the back end. Select one of the following:
• Select Full to enable write-back, which causes the ProxyClient to send data to the ProxySG appliance without waiting for acknowledgement that the data was written successfully. This setting improves responsiveness but can lead to data loss in the rare circumstance in which the ProxyClient crashes or the link drops before delivering all the data to the ProxySG appliance.
• Select None to disable write-back. Disabling write-back can introduce substantial latency while clients send data to the appliance and wait for acknowledgement before sending more data. One reason to set this option to None is the risk of data loss if the link from the branch to the core server fails. There is no way to recover queued data if such a link failure occurs.

Directory cache time field

Enter the number of seconds for directory listings to remain in the client’s cache.

5. Click Apply.

See Also

"ADN Features and the ProxyClient" on page 26

More About ProxyClient Caching

The following is a summary of how CIFS protocol acceleration and byte caching work on the client computer:

1. The ProxyClient starts.

2. The user requests a cacheable object, such as a file.

3. The ProxyClient allocates sufficient disk space on the client computer to cache the object—up to the limit set by the administrator. That is, if the client computer’s system has 100GB of total space and the administrator configures the cache to use a maximum of 10%, the ProxyClient allocates up to 10GB for the cache.

Cache space is divided equally between the CIFS cache and the byte cache.

However, if the maximum cache size leaves less than 1GB of available disk space, the cache size is further limited. Continuing this example, if the client has only 9GB of available space, the maximum cache size is 8GB instead of 10GB.

4. If any single object (such as a file) exceeds the maximum CIFS cache size, that object is not cached in the CIFS cache; however, tokens associated with the object are cached in the byte cache.

For example, if the maximum size of the CIFS cache is 5GB, and the client requests a file that is 6GB in size, that file is not cached in the CIFS cache.

5. If the cache is full, objects are expired from the cache based on a number of criteria, such as unopened files and oldest objects first.


Configuring ProxyClient Acceleration Settings (CLI)

To set up ProxyClient acceleration:

1. At the #(config) command prompt, enter proxy-client.

2. Configure general client settings:

#(config proxy-client) max-cache-disk-percent percentage
#(config proxy-client) software-upgrade-path url
#(config proxy-client) update-interval minutes
#(config proxy-client) view

To configure ProxyClient ADN rules settings:

1. At the #(config) command prompt, enter proxy-client.

2. At the #(config proxy-client) prompt, enter adn.

3. Configure ADN rules settings:

#(config proxy-client acceleration adn) port-list {exclude-ports | include-ports}
#(config proxy-client acceleration adn) {exclude-ports | include-ports} {port | port-list | port-range}
#(config proxy-client acceleration adn) exclude-subnets

#(config proxy-client acceleration adn exclude-subnets) {add | remove} subnet_prefix[/prefix length]
#(config proxy-client acceleration adn exclude-subnets) clear
#(config proxy-client acceleration adn exclude-subnets) exit
#(config proxy-client acceleration adn exclude-subnets) view

#(config proxy-client acceleration adn) exit

To configure ProxyClient ADN manager settings:

1. At the #(config) command prompt, enter proxy-client.

2. At the #(config proxy-client) prompt, enter adn.

3. Configure ADN manager settings:

#(config proxy-client acceleration adn) primary-manager ip-address
#(config proxy-client acceleration adn) backup-manager ip-address
#(config proxy-client acceleration adn) manager-port plain-port

To configure ProxyClient CIFS settings:

1. At the #(config) command prompt, enter proxy-client.

2. At the #(config proxy-client) command prompt, enter cifs.

3. Configure CIFS settings:

#(config proxy-client acceleration cifs) directory-cache-time seconds
#(config proxy-client acceleration cifs) {disable | enable}
#(config proxy-client acceleration cifs) exit
#(config proxy-client acceleration cifs) write-back {full | none}
#(config proxy-client acceleration cifs) remote-storage-optimization {disable | enable}
#(config proxy-client acceleration cifs) suppress-folder-customization {disable | enable}
#(config proxy-client acceleration cifs) view


Troubleshooting ProxyClient Acceleration

This section discusses the following topics related to diagnosing and resolving issues with ProxyClient acceleration:

❐ "Overview of Acceleration Troubleshooting"
❐ "More Information About ProxyClient Acceleration Troubleshooting" on page 119
❐ "Getting Detailed Diagnostics" on page 126

For more troubleshooting information, see one of the following sections:

❐ "Using the ProxyClient Web Browser for Troubleshooting" on page 213
❐ "Troubleshooting ProxyClient Installation and Operation" on page 214
❐ "Troubleshooting ProxyClient Web Filtering" on page 165
❐ "Other ProxyClient Troubleshooting Tools" on page 224

Overview of Acceleration Troubleshooting

Following are typical reasons why a connection is not accelerated:

❐ Concentrator is not available

To confirm which concentrators are advertising routes in the ADN network, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119

❐ The destination is not defined in ADN routing table

To confirm which routes have been published, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119

❐ Acceleration is disabled

To confirm that acceleration is enabled and running properly, see "Getting Acceleration Status from the Web Browser Window" on page 115

The ProxyClient Web browser window and the Client Manager’s Statistics > ProxyClient > Details tab pages assist you with troubleshooting acceleration issues clients might be experiencing. The following sections provide a brief overview of how you can use these tools:

❐ "Getting Acceleration Status from the Web Browser Window" on page 115

❐ "Configuration Error" on page 117

❐ "Using the Client Manager for Acceleration Troubleshooting" on page 118

Getting Acceleration Status from the Web Browser Window

The ProxyClient Web browser window indicates the current status of acceleration as follows:


Figure 7–1 ProxyClient Web browser window showing that acceleration is running (figure callouts: "Display only if acceleration is enabled" and "Current acceleration status")

If acceleration is enabled and running, the following display:

❐ The Network tab displays (if acceleration is disabled or not running, there is no Network tab)

❐ The Acceleration Statistics section on the Status tab page displays (if acceleration is disabled or not running, there is no Acceleration Statistics section)

❐ Running displays in the Acceleration Statistics section heading

The following table lists the meanings of other status messages for acceleration:

Status message | Meaning

Configuration Error | The routing table the ProxyClient gets from the ADN manager or backup manager is empty. The most likely reason is that concentrators are advertising no routes to the managers. For more information, see "Configuration Error" on page 117.

Disabled due to Location | Acceleration is disabled in the client’s current location. For more information about locations, see Chapter 6: "Configuring ProxyClient Locations".

Not Available | Status is not available because the ProxyClient cannot contact the ADN Manager. See "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.

Unlicensed | Your acceleration license is invalid. To verify this is the case, log in to the Client Manager’s Management Console as an administrator and click Configuration > ProxyClient > Acceleration > General. If the message Acceleration License: Invalid displays below the Enable Acceleration check box, you know your license is invalid. Contact your Blue Coat representative or Blue Coat Support to resolve the issue.

Disabled by Safe Mode | Acceleration is always disabled if the user boots their computer in Safe Mode. Resolve the issue that caused the user to boot in Safe Mode.

Internal Service Error | This message displays in the heading of the component (acceleration or Web filtering) that is experiencing errors. If the error indicates a problem with Web filtering, see "Web Filtering Internal Service Error" on page 169. If the error indicates a problem with acceleration, ask the user to reboot the computer, enable trace logging, and repeat the actions that caused the internal service error. For more information about trace logging, see "Performing Data Traces and Data Collection" on page 232.

For more detailed information, see "More Information About ProxyClient Acceleration Troubleshooting" on page 119.

Configuration Error

This section discusses how to resolve issues related to the error message Configuration Error. This message indicates the routing table the ProxyClient gets from the ADN manager or backup manager is empty. The most likely reason is that concentrators are advertising no routes to the managers.

To resolve the configuration error:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Acceleration > General.

3. In the ADN Manager section, click Use ProxySG ADN Managers.

This causes the Client Manager to use the ADN manager configuration.

4. Log in to a concentrator’s Management Console as an administrator.

5. Click Configuration > ADN > Routing > Server Subnets.

6. Click Help and make sure the settings are correct.

7. If the concentrator is being used as an internet gateway, click Configuration > ADN > Routing > Internet Gateway.

8. Click Help and make sure the settings are correct.

9. Repeat steps 4 through 8 on all concentrators that front servers the ProxyClient needs to access.

Any changes to the routing table (for example, adding server subnets) are received by the ProxyClient immediately.

If you suspect there are communication issues between the ProxyClient and the ADN manager(s) or concentrators, see "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.

Using the Client Manager for Acceleration Troubleshooting

The Client Manager’s Statistics tab page has information you can use to assist you with troubleshooting acceleration issues. For more information, see Chapter 10: "Monitoring ProxyClient Performance".

Using a Concentrator for Acceleration Troubleshooting

This section discusses how you can isolate acceleration issues to a particular concentrator. To use the information discussed in this section, log in as an administrator to the Management Console of a concentrator that accelerates traffic for ProxyClients.


The following information can be useful to isolate acceleration issues to a particular concentrator:

❐ Statistics > Active Sessions > ADN Inbound Sessions displays information about currently active sessions, including sessions with ProxyClients. Use a client IP address filter to view tunnels from a specific client.

For more information, see "Viewing ProxyClient Active Session Statistics" on page 210

To view related client statistics, see "Getting Acceleration Status from the Web Browser Window" on page 115

❐ Statistics > Advanced > ADN:

• The Peer statistics link displays aggregate information per peer (client). For each peer, it shows byte cache information such as dictionary status and cache size.

• The tunnel connection link shows information for each active connection.

• The tunnel connection pool link shows information about idle tunnels. This corresponds to the idle tunnels displayed on the client’s Network tab page.

• The dashboard link and other links display aggregate information for components such as tunnels and dictionary sizes.

More Information About ProxyClient Acceleration Troubleshooting

This section focuses on using the ProxyClient Web browser window and the ADN manager to get detailed information about routing issues that might cause acceleration issues. This section discusses the following topics:

❐ "Starting the ProxyClient Web Browser Window"

❐ "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119

❐ "About the Network Tab Page" on page 122

Starting the ProxyClient Web Browser Window

See "Using the ProxyClient Web Browser for Troubleshooting" on page 213.

Troubleshooting ADN Manager or Concentrator Connection Issues

This section discusses how to determine whether an acceleration issue is due to loss of connectivity to either the ADN manager or to a concentrator fronting servers the ProxyClient needs to access. Remember that concentrators advertise subnets to be accelerated; the ADN manager advertises the routes to the ProxyClient.


The Status tab page displays as follows if the ADN Manager is not reachable:

❐ Status: Not Available

❐ Savings Over Time displays No Accelerated Traffic or shows periods of no acceleration

Hovering the mouse pointer over the Not Available link displays the following message:

Cannot accelerate: Not connected to Acceleration Network

If the ProxyClient shows that acceleration is enabled but that no routes are being accelerated, most likely the connectivity issue is with the ADN manager. However, if routes are advertised but connections are going direct to their destinations, there is likely an issue communicating with a concentrator.

To confirm the acceleration issue is due to loss of connectivity to the ADN manager or concentrator:

1. Ask the user to start the ProxyClient Web browser window as discussed in "Starting the ProxyClient Web Browser Window" on page 119.

2. Verify the Network tab page displays; if so, acceleration is enabled.

3. If the Network tab page does not display, click the Status tab.

• If the message Configuration error displays, no concentrators are advertising subnets to be accelerated. This indicates a configuration error on the concentrators. Verify the following:

• Every concentrator fronting a server that accelerates traffic for ProxyClients uses managed ADN (that is, there is an ADN manager specified on each concentrator).

• Verify the Client Manager specifies the same ADN manager as the concentrator. (Log in to the Client Manager’s Management Console and click Configuration > ProxyClient > Acceleration > General and click Use ProxySG ADN Managers.)

• If the message Not Available displays, the ProxyClient has lost contact with the ADN manager.

View the Admin Log on the client computer and, if necessary, request the user perform trace logging as discussed in "Performing Data Traces and Data Collection" on page 232.

4. Click the Network tab.

• If the Network tab page displays no subnets, most likely the error is caused by a loss of communication with the ADN manager. An example follows.

To confirm this is the case, click the Advanced tab and click View Log in the Diagnostic Tools section. The message Cannot connect to any ADN manager confirms the ProxyClient cannot connect to the ADN manager.


• If Current Direct Connections is not zero, it means that a concentrator in the client’s routing table is not reachable by the client. (The routing table is displayed in the Subnets section.)

As long as that concentrator’s IP address remains in the client’s routing table, connections go directly to their destinations. If the client connects to a host that is not in the routing table, connections go directly to that host but are not counted as Current Direct Connections.

An example follows.

For additional information about the direct connections, click the More Info link in the ADN Tunnels section and see "Network Tab Page—ADN Tunnels Section" on page 123.

About the Network Tab Page

This section discusses the following topics related to the Network tab page on the ProxyClient Web browser window:

❐ "Network Tab Page—Configuration Section"

❐ "Network Tab Page—ADN Tunnels Section" on page 123

❐ "Network Tab Page—Subnets Section" on page 125

❐ "Network Tab Page—Exempt Routes Section" on page 125

❐ "Network Tab Page—Excluded Subnets Section" on page 126

Network Tab Page—Configuration Section

The Configuration section displays the following information about your ProxyClient network connections:

❐ The Primary ADN Manager and Backup ADN Manager (if any) display the IP addresses of the primary and backup ADN managers.


❐ Ports can be either included in acceleration or excluded from acceleration (but not both), as follows:

• Included Ports displays specific ports that are accelerated; traffic on all other ports is not accelerated.

The ports correspond to the following setting on the Client Manager’s Management Console: Configuration > ProxyClient > Client Manager > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.

• Excluded Ports displays which ports are excluded from acceleration.

The ports correspond to the following setting on the Client Manager’s Management Console: Configuration > ProxyClient > Client Manager > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.

If there is a mismatch between the ports displayed on the ProxyClient and the ports configured on the Client Manager, make sure the ProxyClient is using the correct Client Manager. (Click the Advanced tab and review the information in the Client Manager section. You can change the Client Manager as discussed in "Changing the Client Manager" on page 229.)

If the ports specified are incorrect, change them on the Client Manager and update the ProxyClient configuration (Advanced tab page, click Check for Updates Now.)

Network Tab Page—ADN Tunnels Section

The ADN Tunnels section displays the following information about current ADN tunneling:

❐ Current Active Tunnels: An active tunnel is a connection, currently in use, used to accelerate network traffic.

❐ Current Idle Tunnels: An idle tunnel is a connection, not currently in use, that was used at one time to accelerate network traffic. For performance reasons, the ProxyClient keeps open a certain number of idle tunnels; this is not unusual.

❐ Current Direct Connections: A connection to an external resource (such as a Web site) that goes directly to its destination and is therefore not accelerated. A direct connection means the concentrator is in the client’s routing table but the client cannot connect to the concentrator. (The client’s routing table displays in the Subnets section on the Network tab page.)

A non-zero Current Direct Connections count means the ADN manager has the concentrator in its routing table but the ProxyClient cannot contact the concentrator.

If the ADN manager removes the concentrator from the routing table, connections to servers fronted by that concentrator go direct to their destinations but the Current Direct Connections count does not increment. In other words, these connections bypass the client entirely.

Click More Info to display more detailed information.


Following is a discussion of the information displayed in the Active Tunnels section:

❐ A row displays with alternating white and gray backgrounds as long as the connection is open.

❐ A row displays with a green background to indicate the ADN tunnel has been opened recently.

❐ A row displays with a red background to indicate the ADN tunnel is about to close.

Note: The View ADN Tunnels window displays current information, while the Status tab page displays information aggregated over a selectable time period.


The following table discusses the meanings of the columns on this page:

Column name | Description

PID | Process ID of the process listed in the next column.

Process Name | Name of the process that created the tunnel. A value of svchost.exe means this is a CIFS tunnel.

Client | The ProxyClient’s IP address and the port over which the tunnel opened.

Server | The server’s IP address and the port over which the server accepted the request.

ADN Next Hop | The IP address of the concentrator accelerating the network traffic.

Total Demand | The number of bytes sent and received by the applications running on the client’s computer.

Actual Usage | The number of bytes sent over the WAN after acceleration was applied.

Details | Additional information about the connection; for example: • CIFS—The connection uses CIFS. Provided CIFS protocol acceleration is enabled, the connection should be accelerated. (Log in to the Client Manager’s Management Console and click Configuration > ProxyClient > Acceleration > CIFS.) • CIFS Bypass or N/A—The CIFS connection is not optimized. The reason it was bypassed can be found in the admin log. In the ProxyClient Web browser window, click the Advanced tab and click View Log in the Diagnostic Tools section.

Savings | (Actual Usage / Total Demand) x 100.

Gain | Total Demand / Actual Usage expressed as a decimal.

Network Tab Page—Subnets Section

Displays subnets that are configured to be accelerated. This information corresponds to the following configuration in the ADN Manager’s Management Console: Configuration > ADN > Routing > Server Subnets.

The ADN Next Hop column displays the IP address of the concentrator accelerating the tunnel.

Network Tab Page—Exempt Routes Section

Displays routes that are configured to not be accelerated by a concentrator configured as an Internet Gateway. This information corresponds to the following configuration in the concentrator’s Management Console: Configuration > ADN > Routing > Internet Gateway.


Network Tab Page—Excluded Subnets Section

Displays subnets that are configured to not be accelerated for the ProxyClient. This information corresponds to the following configuration in the Client Manager’s Management Console: Configuration > ProxyClient > Acceleration > ADN Rules. For more information, see "Tuning the ADN Configuration" on page 107.

Getting Detailed Diagnostics

If the information displayed on the ProxyClient Web browser window is not sufficient, get trace logs or run the ProxyClient Data Collection utility as discussed in "Performing Data Traces and Data Collection" on page 232.


Chapter 8: Configuring ProxyClient Web Filtering

This chapter discusses how to configure the Client Manager to provide the Blue Coat WebFilter service for ProxyClient users. Web filtering enables you to allow, block, or warn users about accessing content in categories you specify using any of the following:

❐ The Blue Coat WebFilter database categories

❐ Local database categories

❐ Policy categories (also referred to as custom categories)

❐ System and Default categories, which are discussed in more detail later in this chapter

For conceptual information about Web filtering, see "About ProxyClient Web Filtering" on page 19.

This chapter discusses the following topics:

❐ "Web Filtering Task Summary"

❐ "Options for Enabling Blue Coat Web Filtering" on page 129

❐ "Enabling the Blue Coat Web Filter Database (Optional)" on page 130

❐ "Enabling the Use of the Local Database (Optional)" on page 133

❐ "Setting Up ProxyClient Web Filtering" on page 135

❐ "Working With Categories, Users, Groups, and Policy Actions" on page 141

❐ "Web Filtering Best Practices" on page 155

❐ "Displaying and Customizing Web Filtering Exception Pages" on page 157

❐ "Enabling Web Filtering Logging" on page 159

❐ "Configuring ProxyClient Web Filtering (CLI)" on page 165


Web Filtering Task Summary

To use ProxyClient Web filtering, you must perform the following tasks in the order shown:

1. Prerequisites

• "About ProxyClient Licensing" on page 31

You can use Web filtering only if the Client Manager is properly licensed.

• "Designating a ProxySG as the Client Manager" on page 81

You must designate a Client Manager before you can enable Web filtering for the ProxyClient.

2. Understand the options for downloading the entire Blue Coat WebFilter (BCWF) database or only the BCWF database categories.

• If your ProxySG appliance is used only as a Client Manager, download only the BCWF database categories.

• If your ProxySG appliance is a Client Manager and also performs in-office Web filtering, download the BCWF database.

"Options for Enabling Blue Coat Web Filtering" on page 129

3. Download the BCWF database or categories:

• If the ProxySG is a dedicated Client Manager: "Entering BCWF Database Credentials" on page 135

• If the ProxySG is a Client Manager and also performs in-office Web filtering: "Enabling the Blue Coat Web Filter Database (Optional)" on page 130

Set up updates for the BCWF database or categories; they must be updated on the Client Manager at least once every 30 days.

Note: Although it is possible to enable other databases (for example, Internet Watch Foundation), only the following categories can be used by the ProxyClient:

• Blue Coat Web Filter
• Policy, such as VPM policy
• The local database
• System and Default categories

Categories from other databases are not used by ProxyClient Web filtering.

4. Optional. "Enabling the Use of the Local Database (Optional)" on page 133

The local database is one way you can optionally create categories to whitelist or blacklist specific lists of URLs for your employees. You can also add policy categories (also referred to as custom categories) to set up whitelists and blacklists. For more information, see "Managing Policy Categories" on page 147.

5. "Setting Up ProxyClient Web Filtering" on page 135

After you have the current BCWF database or categories, you can enable the ProxyClient to perform Web filtering.

6. "Working With Categories, Users, Groups, and Policy Actions" on page 141

Define categories of content you will allow users to access, block users from accessing, or warn users about accessing. You can fine-tune policy actions for individual users and user groups.

7. "Web Filtering Best Practices" on page 155

Information about how to best use Web filtering in your corporation.

8. "Displaying and Customizing Web Filtering Exception Pages" on page 157

Exception pages are displayed to users when they attempt to access content that the administrator chose to either block or to warn about. Blue Coat recommends you customize the default exception pages to provide users with more specific information.

9. "Enabling Web Filtering Logging" on page 159

How to upload client Web filtering logs to an anonymous FTP server.

Options for Enabling Blue Coat Web Filtering

Starting with SGOS version 5.5, you have the option of downloading to the Client Manager either the entire BCWF database or only the categories in the BCWF database.

The following table discusses the differences.

BCWF download | Description

Entire BCWF database | Required only if the same ProxySG appliance is used for both the Client Manager and for in-office Web filtering (sometimes also referred to as “on-box” Web filtering). The BCWF database contains BCWF categories and URLs contained in those categories. Any client request that does not match a category in the database is referred to WebPulse for categorization.

Only the BCWF database categories | Required for dedicated Client Managers. Downloading only the categories saves hard disk space on the ProxySG appliance and speeds up downloads because the categories are much smaller than the entire BCWF database.

Regardless of whether you choose to download the entire BCWF database or only the categories, you must obtain a BCWF license, which entitles you to a BCWF user name and password. For more information, contact your Blue Coat representative.

Because the BCWF database or categories must be updated at least once every 30 days, make sure the Client Manager is capable of accessing the Internet.


Continue with any of the following sections:

❐ If you are starting out configuring ProxyClient Web filtering, see "Setting Up ProxyClient Web Filtering" on page 135

❐ To download the entire BCWF database, see "Enabling the Blue Coat Web Filter Database (Optional)" on page 130

❐ To download only the BCWF database categories, see "Entering BCWF Database Credentials" on page 135

Enabling the Blue Coat Web Filter Database (Optional)

This section discusses how to enable and download the Blue Coat Web Filter database. Starting with SGOS 5.5, downloading the entire BCWF database is required only if the same ProxySG appliance is used as both the Client Manager and for in-office Web filtering. For more information, see "Options for Enabling Blue Coat Web Filtering" on page 129.

If your Client Manager is not responsible for in-office Web filtering, skip this section and continue with "Enabling the Use of the Local Database (Optional)" on page 133.

To enable the Blue Coat Web Filter database:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > Content Filtering > General.

3. In the right pane, select the Enable check box for Blue Coat WebFilter.

4. Click Apply.


5. To download the BCWF database, on the Blue Coat WebFilter tab page, enter the following information:

Option | Description

Username field | Enter the user name provided with your BCWF subscription.

Change Password button | Click the button and follow the prompts on your screen to set or change your BCWF password.

URL field | Enter the URL provided with your BCWF subscription. Typically, the URL is: https://list.bluecoat.com/bcwf/activity/download/bcwf.db

Set to default button | Click to reset the URL field to its default value of https://list.bluecoat.com/bcwf/activity/download/bcwf.db

6. Click Download Now.

This starts the download process. Make sure you verify the download was successful as discussed in the next step.

7. Allow a few minutes for the download to complete and click Verify Download.

The following table shows sample success messages.

Type of download: Full database

Success message:

Blue Coat download at: 2009/09/11 23:28:00 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting initial database
Download size: 7507
Database date: Fri, 11 Sep 2009 23:25:02 UTC
Database expires: Tue, 19 Jan 2038 03:14:07 UTC
Database version: 1
Database format: 1.1

Type of download: Differential update

Success message:

Blue Coat download at: 2009/09/11 16:00:41 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size: 3208
Database date: Fri, 11 Sep 2009 15:50:05 UTC
Database expires: Sun, 11 Oct 2009 15:50:05 UTC
Database version: 292540200
Database format: 1.1

The following table shows sample error messages with suggestions about how to correct the error.

Failure message: ERROR: Socket connect error

Suggested workaround: The Client Manager cannot contact the BCWF URL, most likely for any of the following reasons:

• The URL is incorrect

Click Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the URL field with the information provided with your Web filtering license. Try clicking Set to default and trying the download again.

• Network issues prevent the Client Manager from reaching the site.

Using an SSH application, log in to the Client Manager and enter the following command at the command line:

> ping list.bluecoat.com

If you cannot ping the list.bluecoat.com Web site, check the configuration of routers and firewalls to make sure the Client Manager can reach the site.

Failure message: ERROR: HTTP 401 - Unauthorized

Suggested workaround: Either the user name or password you specified is incorrect. Click Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the Username field. Click Change Password and enter your password again in the provided fields. When you are finished, click Apply.

For more information about other options, click Help or see the section on configuring Blue Coat Web filter in "Configuring Blue Coat WebFilter" on page 359 in the SGOS Administration Guide.

8. Select the Automatically check for updates check box.

9. Click Apply.

10. Continue with "Enabling Other Databases".
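The Verify Download output described above can also be checked by script, for example from a saved copy of the message. The following is an added example, not part of the Blue Coat guide or the product: it parses the message lines shown in the sample tables, reports the two documented errors, and applies the 30-day update requirement. The function names, the HTTPS check, and the constructed 401 sample are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# The guide requires the BCWF database or categories to be updated at least
# once every 30 days.
MAX_AGE = timedelta(days=30)

# The two failure messages the guide lists, with the cause it gives for each.
KNOWN_ERRORS = {
    "Socket connect error": "Client Manager cannot reach the BCWF URL (wrong URL or network issue)",
    "HTTP 401 - Unauthorized": "BCWF user name or password is incorrect",
}

# Success messages copied from the guide's sample table.
SAMPLE_FULL = """\
Blue Coat download at: 2009/09/11 23:28:00 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting initial database
Download size: 7507
Database date: Fri, 11 Sep 2009 23:25:02 UTC
Database expires: Tue, 19 Jan 2038 03:14:07 UTC
Database version: 1
Database format: 1.1
"""
SAMPLE_DIFF = """\
Blue Coat download at: 2009/09/11 16:00:41 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Differential update applied successfully
Download size: 3208
Database date: Fri, 11 Sep 2009 15:50:05 UTC
Database expires: Sun, 11 Oct 2009 15:50:05 UTC
Database version: 292540200
Database format: 1.1
"""
# Constructed failure output: only the ERROR line text comes from the guide.
SAMPLE_401 = """\
Blue Coat download at: 2009/09/12 08:00:00 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
ERROR: HTTP 401 - Unauthorized
"""


def parse_db_time(value):
    """Parse 'Fri, 11 Sep 2009 23:25:02 UTC' into an aware UTC datetime."""
    stamp, zone = value.rsplit(" ", 1)
    if zone != "UTC":
        raise ValueError("unexpected time zone: " + zone)
    parsed = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def parse_status(text):
    """Split a download message into (kind, fields, errors)."""
    kind, fields, errors = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ERROR:"):
            errors.append(line[len("ERROR:"):].strip())
        elif line.startswith("Downloading from "):
            fields["url"] = line[len("Downloading from "):]
        elif line == "Requesting initial database":
            kind = "full"
        elif line == "Requesting differential update":
            kind = "differential"
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    return kind, fields, errors


def assess_download(text, now):
    """Return the download kind plus a list of findings an admin should act on."""
    kind, fields, errors = parse_status(text)
    findings = [f"{e}: {KNOWN_ERRORS.get(e, 'not listed in the guide')}" for e in errors]
    # Added check (assumption): the guide's default URL is HTTPS, so flag anything else.
    if not fields.get("url", "").startswith("https://"):
        findings.append("download URL is missing or not HTTPS")
    if "Database date" not in fields:
        findings.append("no database date reported; download not verified")
    else:
        age = now - parse_db_time(fields["Database date"])
        if age > MAX_AGE:
            findings.append(f"database is {age.days} days old; limit is {MAX_AGE.days}")
    if "Database expires" in fields and parse_db_time(fields["Database expires"]) <= now:
        findings.append("database has expired")
    return {"kind": kind, "ok": not findings, "findings": findings}
```

Calling `assess_download(SAMPLE_DIFF, now)` with a `now` more than 30 days after the database date reports both the stale and the expired finding.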

Enabling Other Databases

Although it is possible to enable other databases (for example, Internet Watch Foundation), categories in these databases are not used by ProxyClient Web filtering. Categories from only the following sources are used by the ProxyClient:

❐ The BCWF database

For more information, see "Options for Enabling Blue Coat Web Filtering" on page 129

❐ The local database

For more information, see "Enabling the Use of the Local Database (Optional)" on page 133

❐ Policy, such as VPM policy (including local, central, and forward policies)

For more information, see "Managing Policy Categories" on page 147

❐ System categories (none and unavailable), which cannot be edited or deleted

For more information, see "Configuring System and Default Policy Actions" on page 149

❐ The Default Action, which enables you to allow or block any content request that is not classified into any of the preceding categories

For more information, see "Configuring System and Default Policy Actions" on page 149

Enabling the Use of the Local Database (Optional)

The local database can be used by administrators to set up whitelists or blacklists; in other words, it enables you to add categories with particular URLs that you can allow, block, or warn.

If you do not wish to enable the local database, skip this section and continue with "Setting Up ProxyClient Web Filtering" on page 135.

This section discusses the following topics:

❐ "Creating the Local Database"

❐ "Enabling the Local Database" on page 134

Creating the Local Database

To create the local database:

1. Create a text file in the following format:


define category-name
url1
url2
urln
end

define category-name
url1
url2
urln
end

For example,

define category whitelist
www.cnn.com
www.webmd.com
end

define category blacklist
www.gambling.com
end

Each category can have an unlimited number of URLs.

2. Upload the text file to a Web server that the Client Manager can access.

3. Continue with "Enabling the Local Database".
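Because the local database file drives allow and block decisions, it is worth checking before it is uploaded to the Web server. The following is an added example, not part of the Blue Coat guide or the product: it parses the format shown in the guide's example (a `define category <name>` line, one URL per line, then `end`) and reports structural mistakes and URLs that appear in more than one category. The function names and the constructed broken sample are assumptions made for illustration.

```python
import re

# Category header as written in the guide's example: "define category whitelist"
DEFINE = re.compile(r"^define\s+category\s+(\S+)$")

# The example file from the guide.
PAGE_EXAMPLE = """\
define category whitelist
www.cnn.com
www.webmd.com
end

define category blacklist
www.gambling.com
end
"""

# Constructed sample with typical editing mistakes (not from the guide).
BROKEN_EXAMPLE = """\
define category whitelist
www.example.com
define category blacklist
www.example.com/
WWW.Example.org extra
end
stray.example.net
end
"""


def parse_local_db(text):
    """Return (categories, problems).

    categories maps each category name to its URL entries in file order;
    problems is a list of (line number, description) tuples.
    """
    categories, problems = {}, []
    current, opened_at = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        header = DEFINE.match(line)
        if header:
            if current is not None:
                problems.append(
                    (lineno, f"category '{current}' opened on line {opened_at} has no 'end'"))
            current, opened_at = header.group(1), lineno
            if current in categories:
                problems.append((lineno, f"category '{current}' defined more than once"))
            categories.setdefault(current, [])
        elif line == "end":
            if current is None:
                problems.append((lineno, "'end' without a matching 'define category'"))
            current = None
        elif current is None:
            problems.append((lineno, f"entry '{line}' is outside any category"))
        elif re.search(r"\s", line):
            problems.append((lineno, f"entry '{line}' contains whitespace; use one URL per line"))
        else:
            categories[current].append(line)
    if current is not None:
        problems.append((opened_at, f"category '{current}' has no 'end'"))
    return categories, problems


def find_conflicts(categories):
    """Return URLs listed in more than one category, for example in both a
    whitelist and a blacklist. Comparison ignores case and a trailing slash."""
    seen = {}
    for name, urls in categories.items():
        for url in urls:
            seen.setdefault(url.lower().rstrip("/"), set()).add(name)
    return {url: sorted(names) for url, names in seen.items() if len(names) > 1}
```

An empty problem list and an empty conflict map mean the file matches the documented layout; it says nothing about whether the listed URLs are the right ones for your policy.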

Enabling the Local Database

To enable the local database:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > Content Filtering > General.

3. In the right pane, select the Enable check box next to Local Database.

4. Click Apply.

5. Continue with the next section.

Uploading the Local Database to the Client Manager

To upload the local database to the Client Manager:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > Content Filtering > Local Database.

3. In the right pane, enter or edit the following information:

Option Description

Username field Enter the user name required to access the local database, if any.

Page 135: Proxy Client Administration and Deployment Guide for Windows 3.4.x.1

ProxyClient Administration and Deployment Guide

135

4. Click Download Now.

5. To verify the download, click Verify Download.

6. Select the Automatically check for updates check box.

7. Click Apply.

8. Continue with "Setting Up ProxyClient Web Filtering" on page 135.

See Also

Section on configuring the local database in "Creating a Local Database" on page 366 in the SGOS Administration Guide.

Setting Up ProxyClient Web Filtering

The following sections discuss how to enable and configure ProxyClient Web filtering on the Client Manager:

❐ "Entering BCWF Database Credentials"
❐ "Enabling ProxyClient Web Filtering" on page 136
❐ "About the Policy Tab Page" on page 139
❐ "Getting Started With Categories" on page 141
❐ "Selecting Categories" on page 143
❐ "Configuring Users and Groups" on page 144
❐ "Managing Policy Categories" on page 147
❐ "Configuring System and Default Policy Actions" on page 149
❐ "Ordering Categories in the Rulebase" on page 150
❐ "Configuring Other Web Filtering Options" on page 153

For an overview of the entire process, see "Web Filtering Task Summary" on page 128. Continue with "Enabling ProxyClient Web Filtering".

Entering BCWF Database Credentials

This section discusses how to enter credentials to get the BCWF database categories. These credentials are supplied with your BCWF license and the credentials must be updated every 30 days to enable you to get the most recent categories and to continue to use WebPulse.

The tasks discussed in this section are not required if you already downloaded the entire BCWF database as discussed in "Enabling the Blue Coat Web Filter Database (Optional)" on page 130. In that case, skip this section and continue with "Enabling ProxyClient Web Filtering" on page 136.

Change Password button Click the button and follow the prompts on your screen to set or change your local database password.

URL field Enter the URL to the local database.


To enter credentials for the BCWF database:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > Content Filtering > Blue Coat WebFilter.

3. On the Blue Coat WebFilter tab page, enter the following information:

4. Continue with "Enabling ProxyClient Web Filtering" on page 136.

Enabling ProxyClient Web Filtering

This section discusses how to enable the Client Manager to perform ProxyClient Web filtering.

Prerequisites:

❐ "Web Filtering Task Summary" on page 128
❐ "Options for Enabling Blue Coat Web Filtering" on page 129

To enable ProxyClient Web filtering:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

Under the Enable Web Filtering check box, one of the following messages might display. Use the following table to take the appropriate action:

Option Description

Username field Enter the user name provided with your BCWF subscription.

Change Password button Click the button and follow the prompts on your screen to set or change your BCWF password.

URL field Enter the URL provided with your BCWF subscription. Typically, the URL is: https://list.bluecoat.com/bcwf/activity/download/bcwf.db

Set to default button Click to reset the URL field to its default value of https://list.bluecoat.com/bcwf/activity/download/bcwf.db

Table 8–1 ProxyClient Web filtering status messages

Message

Meaning and suggested action


Blue Coat Web filtering is set up properly. Continue with Step 3 on page 138.

Select the Enable Web Filtering check box and click Apply. Other messages might display; if so, consult later rows in this table.

Your SGOS license is invalid or expired. Click the link to find more information.


3. After you have successfully enabled the BCWF database with a valid license, continue with "About the Policy Tab Page" on page 139.

You have not entered credentials required to download the BCWF database or categories to this ProxySG appliance. Action: Use the following steps:
1. Click the link in the error message or click Configuration > Content Filtering > Blue Coat.
2. In the Username field, enter the Blue Coat Web Filter database user name provided with your Web filtering license.
3. Click Change Password.
4. In the provided fields, enter the Blue Coat Web Filter database password.
5. Click OK.
6. At the confirmation dialog, click OK.
7. Click Apply.
8. Click Download Now.
This starts the download using the credentials you entered.
9. Click View Download Status to confirm the database downloaded successfully.
10. Click Configuration > ProxyClient > Web Filtering > Policy.
11. Clear the Enable Web Filtering check box and apply the change.
12. Select the Enable Web Filtering check box.

After you enable ProxyClient Web filtering, the Client Manager must download the BCWF database categories. During the time the categories are being downloaded, this message displays.
This message does not display if you downloaded the entire BCWF database. For more information about the differences between downloading the database and only the database categories, see "Options for Enabling Blue Coat Web Filtering" on page 129.
If this message displays for an extended period of time, try the following:
1. Clear the Enable Web Filtering check box and apply the change.
2. Select the Enable Web Filtering check box and apply the change.


See Also

"Options for Enabling Blue Coat Web Filtering" on page 129

About the Policy Tab Page

This section discusses general information about the Policy tab page and provides links to subsequent sections that discuss the tab page in more detail. If you have not already done so, click Configuration > ProxyClient > Web Filtering > Policy.

Click a section of the figure or use the links following the figure to find more information about the Policy tab page.

See one of the following sections for more information:

❐ "General Settings Pane"
❐ "All Categories Pane" on page 140
❐ "Selected Category Rule Base Pane" on page 140

General Settings Pane

To enable ProxyClient Web filtering, first make sure Web Filter Status: Valid displays in the right corner of the General Settings pane. If the status is other than Valid, you must renew your Web filtering license before continuing.

Select the Enable Web filtering check box if you have not already done so. If error messages display, see Table 8–1 on page 136.


All Categories Pane

Displays all currently configured categories from all sources (BCWF, local database, policy, and system). Initially, only the System node is populated. After you enable ProxyClient Web filtering and enter valid BCWF credentials, the Blue Coat node is populated as well.

To set a policy action for a category (allow, block, or warn), expand the node containing the category and select the check box next to the category name. Then configure users and groups to which the action applies in the Selected Category Rule Base pane.

For more details about this pane, see "Getting Started With Categories" on page 141.

An example follows.

Selected Category Rule Base Pane

After you select a category in the All Categories pane, you configure policy actions for users and groups in the Selected Category Rule Base pane. For more details, see "Configuring Users and Groups" on page 144.

An example follows.

Add a user/group rule

Delete a user/group rule

Reorder rules


Working With Categories, Users, Groups, and Policy Actions

ProxyClient Web filtering policy works by assigning a policy action (allow, block, or warn) to a category and applying that policy action to a user or group. For example, a category (such as Finance) can be allowed for one user or one group and blocked for other users and groups.

This section discusses the following topics:

❐ "Getting Started With Categories"
❐ "Selecting Categories" on page 143
❐ "Configuring Users and Groups" on page 144
❐ "ProxyClient Web Filtering and Proxy Servers" on page 144
❐ "Managing Policy Categories" on page 147
❐ "Configuring System and Default Policy Actions" on page 149
❐ "Ordering Categories in the Rulebase" on page 150
❐ "Configuring Other Web Filtering Options" on page 153

If you are configuring ProxyClient Web filtering for the first time, you should complete the tasks discussed in the preceding sections in the order in which they are shown. If you are modifying an existing configuration, choose any task.

Getting Started With Categories

This section discusses how to locate the available categories so you can get started defining categories and their associated policy actions.

To implement Web filtering policy for ProxyClient users:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

On the Policy tab, the All Categories section displays the available category nodes:

• Blue Coat: The BCWF database.

• Local: The local database, which is discussed in "Enabling the Use of the Local Database (Optional)" on page 133.

• System: Special categories (none and unavailable) that are discussed in more detail in Step 4 on page 149.

• Policy: Categories defined using policy (usually the Visual Policy Manager (VPM)).

Note: Users and groups for ProxyClient Web filtering are validated against the user’s cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects.


3. Expand a node to display its categories.

4. Select the check box next to categories for which you want to set policy actions.

5. Continue configuring ProxyClient Web filtering.

If you are configuring ProxyClient Web filtering for the first time, complete the following tasks in the order in which they are presented. If you have already configured Web filtering and need to modify your previous choices, choose a task from the following list.

• "Selecting Categories"
• "Configuring Users and Groups" on page 144
• "Configuring System and Default Policy Actions" on page 149
• "Ordering Categories in the Rulebase" on page 150
• "Configuring Other Web Filtering Options" on page 153

Note:

• If you are not familiar with ProxySG content filtering, refer to Chapter 18, Filtering Web Content, in the SGOS Administration Guide.

• Many Web sites generate more than one URL request so it is possible that an allowed Web site might create other URL requests that are categorized differently, or are categorized as the System category none.

For example, images and advertisements displayed on an allowed Web site are individually classified based on their URLs. Even if you allow users to access that Web site, each of the ads and images on the site can be blocked based on each URL’s categorization.


Selecting Categories

This section discusses how to select categories to use to filter Web content for ProxyClient users. Select only the categories you wish to explicitly allow, deny, or warn users about accessing.

If a user accesses content that is not associated with any categories you select, the policy action for Default Action is applied. For more information, see "Configuring System and Default Policy Actions" on page 149.

Prerequisites:

❐ "Options for Enabling Blue Coat Web Filtering" on page 129
❐ "Enabling the Use of the Local Database (Optional)" on page 133
❐ "Enabling ProxyClient Web Filtering" on page 136

To select categories:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

3. In the All Categories pane, expand Blue Coat.

4. Select the check box next to each category to enforce a policy action on that category.

When you select a category, it automatically displays in the Selected Category Rule Base pane with a policy action the opposite of the Default Action category.

5. Repeat the preceding steps for the local and policy categories.

If you have no policy categories defined, see "Managing Policy Categories".

If you do not wish to configure or change your policy categories, skip the next section and continue with "Configuring System and Default Policy Actions" on page 149.

6. Apply policy actions to users and groups as discussed in "Configuring Users and Groups".

Note: If the Client Manager does not have a valid BCWF database, there are no BCWF categories and the following message displays on the Policy tab page:

ProxyClient Web filtering is unavailable due to an invalid license. Please contact Blue Coat Support.

Contact your Blue Coat representative for more information about getting a valid BCWF license.


Configuring Users and Groups

Every category can have multiple policy actions that are customized for users and groups. You can, for example, enable IT administrators to access Web sites categorized as Software Downloads but prohibit any other users from accessing those same sites. In addition, you can apply the same types of restrictions to individual users.

You must specify users and groups exactly as they are specified in your authentication repository. For example, a typical Windows group name is domain\name, such as BLUECOAT\IT-Administrators. If you have ProxyClients configured currently, you can see how they are identified by logging in to the Client Manager’s Management Console and clicking Statistics > ProxyClient > Details.

See one of the following sections for more information:

❐ "ProxyClient Web Filtering and Proxy Servers"
❐ "Prerequisites for Configuration Users and Groups" on page 144
❐ "Procedure for Configuring Users and Groups" on page 145

ProxyClient Web Filtering and Proxy Servers

Integrated Windows Authentication (IWA) is supported for proxy servers. If your proxy server uses IWA authentication, or if it uses no authentication, clients can communicate with the Client Manager and can perform Web filtering.

IWA authentication to the proxy server is transparent to ProxyClient users. If a proxy server is required for Internet access, the IWA credentials are used to contact the WebPulse cloud service to get a rating for a URL request made from the ProxyClient computer.

If the proxy server uses another type of authentication (such as Basic authentication), the ProxyClient will not communicate with the Client Manager, and WebPulse will be unavailable (that is, the configured Unavailable policy action is applied).

Prerequisites for Configuration Users and Groups

Before continuing, make sure you have completed all of the following tasks:

❐ "Enabling ProxyClient Web Filtering" on page 136
❐ "Selecting Categories" on page 143

Note: Users and groups for ProxyClient Web filtering are validated against the user’s cached login credentials on the ProxyClient computer. In other words, ProxyClient uses credentials for the authentication realm configured for the domain to which the computer connects.


Procedure for Configuring Users and Groups

This section discusses how to configure users and groups for ProxyClient Web filtering. Before continuing, make sure you understand all of the following:

❐ "About ProxyClient Web Filtering" on page 19
❐ "Options for Enabling Blue Coat Web Filtering" on page 129
❐ "ProxyClient Web Filtering and Proxy Servers" on page 144
❐ "Prerequisites for Configuration Users and Groups" on page 144

To configure users and groups for ProxyClient Web filtering:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

3. On the Policy tab page, in the All Categories pane, select the check box corresponding to each category for which you will configure users and groups.

When you select a category, the category name displays in the Selected Category Rule Base pane. The policy action is initially the opposite of Default Action.

The Selected Category Rule Base pane initially displays the category with an associated policy action.

4. In the Selected Category Rule Base pane, you have the following options:

Action Description

Assign a policy action to everyone (that is, all users, all groups)

From the Action list, click the policy action to apply. For more information about policy actions, see Table 8–2.

Change the name of a user or group

Click the field with the name you wish to change and enter a new name.

Change the order of users and groups in the rulebase

"Ordering Categories in the Rulebase" on page 150


Table 8–2 has more information about policy actions.

Add a user or group
1. Click (add user-group rule).
2. In the provided field, enter the name of the user or group to which to apply the policy action in any of the following formats:
• Fully qualified account names (for example, domain_name\user_name). Blue Coat recommends you do not use isolated names (for example, user_name).
• Fully qualified DNS names (for example, example.example.com\user_name)
• User principal names (UPN) (for example, [email protected]).
If the user or group has been used before, click its name from the list.
3. From the Action list, click the appropriate policy action. For more information about policy actions, see Table 8–2.
4. Press Enter.

Delete a user or group Click the name of the user or group to delete and click (delete user-group rule).

Table 8–2 ProxyClient Web filtering policy actions

Policy action Meaning

Allow The request goes to its destination. An access log entry occurs for URL tracking and analyzing Web use (if the value of Log Exceptions Only on the Configuration > ProxyClient > Web Filtering > Log tab page is set to All).

Block The blocked category exception page displays and the URL request is blocked. The exception is logged.

Warn A warning exception displays. The user must click an acceptance link, which represents an acknowledgment that the content request might violate corporate Web use policy. If the user clicks the acceptance link, the request goes to its destination. The exception is logged.
Note: If a user clicks the acceptance link, the requested Web site will be accessible for 15 minutes. The accessibility time period is not currently configurable.


5. At the bottom of the browser window, click Apply.

See Also

"Getting Started With Categories" on page 141

Managing Policy Categories

This section discusses how to add or edit policy categories. If an administrator has already configured policy categories using VPM, you can add, edit, delete, or edit URLs in any configured category. If you do not already have policy categories, you can add them.

For more information about using VPM to add categories, see the Visual Policy Manager Reference.

Prerequisites:

❐ "Options for Enabling Blue Coat Web Filtering" on page 129
❐ "Enabling the Use of the Local Database (Optional)" on page 133
❐ "Enabling ProxyClient Web Filtering" on page 136
❐ "Getting Started With Categories" on page 141

To add, edit, delete, or edit URLs in policy categories:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

3. Near the bottom of the All Categories pane, click Edit Categories.

The Edit Categories dialog displays the currently configured category nodes (for example, Policy, Local, Blue Coat, and System).

4. In the Edit Categories dialog, expand Policy.

5. You have the following options:

Note: You can manage only the Policy categories. With the exception of local categories (that come from the local database, if it is configured), the other categories cannot be changed.

Task Procedure

Add a policy category
1. Click Policy.
2. Click Add.
3. In the Object Name dialog, enter a name for the policy category.
4. Click OK.
5. Add URLs to the category as discussed later in this table.


6. In the Edit Categories dialog, click OK.

See Also

"Configuring Users and Groups" on page 144

Rename a policy category
1. Click the name of the category.
2. Click Rename.
3. In the Edit Locally defined category Object dialog, enter a new name for the policy category.
4. Click OK.
5. Optionally add URLs to the category as discussed later in this table.

Delete a policy category
1. Click the name of the category.
2. Click Remove.
You are required to confirm the deletion.

Edit the list of URLs in a policy category
1. Click the name of the category in which you want to edit the list of URLs.
Note: You cannot add URLs to the Policy node. You must first create a category under that node as discussed earlier in this table.
2. Click Edit URLs.
3. In the Edit Locally defined category Object dialog, enter or edit the list of URLs, one URL per line.
4. Click OK.

4. Click OK.


Configuring System and Default Policy Actions

This section discusses how to configure policy actions for the following categories:

Prerequisites:

❐ "Options for Enabling Blue Coat Web Filtering" on page 129
❐ "Enabling the Use of the Local Database (Optional)" on page 133
❐ "Enabling ProxyClient Web Filtering" on page 136
❐ "Getting Started With Categories" on page 141
❐ "Selecting Categories" on page 143

To configure the System categories and the Default Action:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

3. In the All Categories pane, expand System.

4. Select the check box next to the none or unavailable categories.

Category Description

System The System node contains the following categories, which cannot be edited or deleted:
• none, a category for Web sites that are not rated in any available categories and for which the WebPulse could not determine a rating. Available categories mean BCWF database categories, local database categories (if enabled), and policy categories (if configured).
Many Web sites generate more than one URL request so it is possible that an allowed Web site might create other URL requests that are categorized differently, or are categorized as none.
For example, images and advertisements displayed on an allowed Web site are individually classified based on their URLs. Even if you allow users to access that Web site, each of the ads and images on the site can be blocked based on each URL’s categorization.
• unavailable, a category that is used if all of the following are true of a particular URL request:
  • When WebPulse cannot be reached
  • When there is no match either in the local database (if enabled) or policy categories (if configured)

Default Action The policy action for the Default Action category is used if a URL request is not classified into any of the categories in the Category Rulebase section.
Use caution before setting the policy action of the Default Action category to block. If Default Action is set to block, any URL that is not in a category that you specifically allow will be blocked.


The following table discusses the meanings of policy actions for these categories.

5. When you are satisfied with your policy configuration, select the Enable Web Filtering check box.

6. Click Apply.

7. In the Selected Category Rulebase pane, from the Default Action list, click a policy action.

8. Click Apply.

9. Continue with "Ordering Categories in the Rulebase".

Ordering Categories in the Rulebase

After you have added categories to the rulebase and selected policy actions for each, you must consider how the categories are ordered. Many URLs are classified in more than one category, which results in a conflict.

In the case of a conflict between policy actions, the policy action associated with the first rulebase match is applied.

For example, suppose the same URL (www.example.com/news) is listed in two categories. One category has a policy action of allow and the other category has a policy action of block.

In the table that follows, www.example.com/news is in both the Blogs/Personal Pages and News/Media categories. The following table shows how the conflict is resolved.

System category Policy action description

none Set the policy action for Web sites that could not be categorized by the service point.

unavailable Set the policy action for Web sites for which the ProxyClient could not reach WebPulse to determine a categorization. Typical reasons include local connectivity issues (for example, a personal firewall blocking the traffic or a machine that has no IP address).


Blue Coat recommends you order Web filtering rules in the category rulebase as follows:

1. Whitelist overrides (that is, local database and policy categories you always want to allow)

2. Blacklist overrides (that is, local database and policy categories you always want to block)

3. All other categories with policy action set to block

4. All other categories with policy action set to warn

5. All other categories with policy action set to allow

Rulebase configuration Policy action

Because News/Media is first in the rulebase and its policy action is block, www.example.com/news is blocked except for users in the BLUECOAT\Managers group, for which it is allowed.

Because Blogs/Personal Pages is first in the rulebase and its policy action is allow, www.example.com/news is allowed except for users in the BLUECOAT\Users group, for which it is blocked.
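The first-match behavior and the recommended ordering described above can be checked offline before a rulebase is changed in the Management Console. This is an added example, not Blue Coat code: the CategoryRule model, the function names, and the two rulebases are assumptions reconstructed from the table text, and it assumes user and group rules inside a category are checked in order before the category's action for everyone.

```python
# Added example: model of first-match rulebase evaluation plus an ordering check.
from dataclasses import dataclass, field

ALLOW, BLOCK, WARN = "allow", "block", "warn"


@dataclass
class CategoryRule:
    category: str
    action: str                                     # applies to everyone not listed below
    principals: list = field(default_factory=list)  # ordered (user_or_group, action) pairs


def decide(rulebase, default_action, url_categories, user_principals):
    """Return (action, matched rule) using first-match semantics over the rulebase."""
    names = {p.lower() for p in user_principals}    # Windows account names ignore case
    for rule in rulebase:
        if rule.category not in url_categories:
            continue                                # this category does not rate the URL
        for principal, action in rule.principals:
            if principal.lower() in names:
                return action, f"{rule.category} / {principal}"
        return rule.action, f"{rule.category} / everyone"
    return default_action, "Default Action"         # no selected category matched


def recommended_rank(rule, override_categories):
    """Position in the recommended order: overrides first, then block, warn, allow."""
    if rule.category in override_categories and rule.action in (ALLOW, BLOCK):
        return 0 if rule.action == ALLOW else 1     # whitelist, then blacklist overrides
    return {BLOCK: 2, WARN: 3, ALLOW: 4}[rule.action]


def ordering_findings(rulebase, override_categories=()):
    """List categories that sit later in the rulebase than the recommended order."""
    findings, highest = [], None                    # highest = (rank, category) seen so far
    for rule in rulebase:
        rank = recommended_rank(rule, override_categories)
        if highest is not None and rank < highest[0]:
            findings.append(f"{rule.category} ({rule.action}) comes after "
                            f"{highest[1]}: move it earlier")
        if highest is None or rank > highest[0]:
            highest = (rank, rule.category)
    return findings


def news_first():
    """Constructed rulebase matching the first table row (News/Media on top)."""
    return [
        CategoryRule("News/Media", BLOCK, [("BLUECOAT\\Managers", ALLOW)]),
        CategoryRule("Blogs/Personal Pages", ALLOW, [("BLUECOAT\\Users", BLOCK)]),
    ]


def blogs_first():
    """Same rules with Blogs/Personal Pages on top (second table row)."""
    return list(reversed(news_first()))


# www.example.com/news is rated in both categories, as in the guide's example.
URL_CATEGORIES = {"Blogs/Personal Pages", "News/Media"}

if __name__ == "__main__":
    for label, rulebase in (("News/Media first", news_first()),
                            ("Blogs/Personal Pages first", blogs_first())):
        for group in ("BLUECOAT\\Managers", "BLUECOAT\\Users"):
            print(label, group, decide(rulebase, ALLOW, URL_CATEGORIES, [group]))
        print(label, "ordering:", ordering_findings(rulebase) or "follows recommendation")
```

With Blogs/Personal Pages on top, the ordering check reports News/Media, because a block category placed after an allow category never applies to URLs rated in both.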

Note: If the user is in an office location with ProxyClient Web filtering disabled, a branch ProxySG performs Web filtering. For more information about configuring a branch ProxySG to perform Web filtering, see TBD.


Prerequisites:

❐ "Options for Enabling Blue Coat Web Filtering" on page 129
❐ "Enabling the Use of the Local Database (Optional)" on page 133
❐ "Enabling ProxyClient Web Filtering" on page 136
❐ "Getting Started With Categories" on page 141
❐ "Selecting Categories" on page 143
❐ "Configuring System and Default Policy Actions" on page 149

To order categories in the category rulebase:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

3. In the Selected Category Rule Base pane, click the name of a category to move.

4. Click one of the following buttons:

The rulebase hierarchy is the structure of categories, users, and groups in the rulebase. If you click the name of a category, you can reorder the category (including its users and groups) among the other categories. If you click the name of a user or group, you can reorder that user or group among the other users and groups in that category only.

Table 8–3 ProxyClient Web filtering category ordering buttons

Button Meaning

Move the selected category up one position in the rulebase hierarchy. Use this button to move a more restrictive category and action before a less restrictive category and action.

Move the selected category down one position in the rulebase hierarchy. Use this button to move a more general category and action after a more restrictive category and action.

Move the selected category and action to the top of the rulebase hierarchy. Use this button to move a very specific category and action to the top of the rulebase.

Move the selected category and action to the bottom of the rulebase hierarchy.


The buttons shown in Table 8–3 enable you to move users, groups, or categories in the hierarchy. An example is shown in the following figure.

To move users and groups under Blogs/Personal Pages, click the name of a user or group and click one of the buttons shown in Table 8–3.

To move the entire category, click the name of the category and click one of the buttons shown in Table 8–3. Because the Brokerage/Trading category has no users or groups, you can order it among the other categories only.

5. Continue with "Configuring Other Web Filtering Options".

If you have already configured options for license expiration, HTTPS filtering, and safe search, continue with one of the following sections:

• "Web Filtering Best Practices" on page 155
• "Displaying and Customizing Web Filtering Exception Pages" on page 157
• "Enabling Web Filtering Logging" on page 159

Configuring Other Web Filtering Options

This section discusses how to configure the following options:

❐ On license expiration, which sets the behavior of ProxyClient Web filtering in the event the BCWF license expires on the Client Manager

❐ HTTPS filtering, which determines whether or not Web filtering policy actions are applied to HTTPS content

❐ Safe search, which determines whether or not ProxyClient users are required to use safe search with supported search engines.

Prerequisites:

❐ "Options for Enabling Blue Coat Web Filtering" on page 129
❐ "Enabling the Use of the Local Database (Optional)" on page 133
❐ "Enabling ProxyClient Web Filtering" on page 136
❐ "Getting Started With Categories" on page 141


❐ "Selecting Categories" on page 143
❐ "Configuring System and Default Policy Actions" on page 149

To configure other Web filtering options:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Policy.

The options discussed in this section are in the General Settings section of the Policy tab page.

3. Enter or edit the following information:

Option Description

On expiration list Select the action to take if the BCWF license expires (usually because the database has not been updated in a 30-day period):
• Allow All—Users are allowed to browse anywhere; in other words, content is not filtered. Select this option if user Web access is more critical than filtering or security.
• Block All—Users are not allowed to browse to any Web page. A Service Unavailable exception displays in the user’s Web browser. Select this option if security is your primary concern.

Enforce safe search check box Select this check box to force a search engine that supports Safe Search to enable its strictest search filter; however, the quality of the filtering is based on the search engine’s built-in capabilities. The same search string entered on one search engine might yield different results when entered on another search engine (including returning varying levels of inappropriate content).Safe Search is supported on the following search engines: Google, A9, Altavista, Microsoft Bing, Yahoo, Ask, and Orange.co.uk.With safe search enabled, the search engine Web page displays Safe Search ON, Family Filter On, Safe Search Strict, or another engine-specific string.Clear this check box if you do not wish to enforce Safe Search.

Page 155: Proxy Client Administration and Deployment Guide for Windows 3.4.x.1

ProxyClient Administration and Deployment Guide

155

See Also

"About ProxyClient Web Filtering" on page 19

"Web Filtering Best Practices" on page 155

"Displaying and Customizing Web Filtering Exception Pages" on page 157

"Enabling Web Filtering Logging" on page 159

"Configuring ProxyClient Web Filtering (CLI)" on page 165

Web Filtering Best PracticesBlue Coat recommends the following best practices when configuring ProxyClient Web filtering:

❐ Set the policy action for the System > unavailable category to Block.

This prevents any possibility of Internet access in the event Internet access (specifically, access to WebPulse) is temporarily prevented because a personal firewall blocks the ProxyClient service, a temporary network outage occurs, or users attempt to disable or stop the ProxyClient service. Any of these might result in WebPulse appearing to be unavailable for a period of time.

❐ Some software update sites will be blocked if the Business/Economy category is set to Block or Warn.

For example, Java updates would fail because the Java update site is rated as Business/Economy. Either allow the Business/Economy category or add the software update Web sites to a custom category (using either the local database or VPM), set its policy action to Allow, and order the rule before the the Business/Economy category.

❐ Because a particular URL might be listed in more than one category, policy action conflicts can occur.

In the case of a conflict between policy actions, the policy action associated with the first rulebase match is applied.

For example, suppose the same URL (www.example.com/news) is listed in two categories. One category has a policy action of allow and the other category has a policy action of block.

Enable HTTPS filtering check box

Select this check box to use Web filtering when the content request is sent over an SSL connection using the default port 443. For exceptions to this behavior, see the ProxyClient Release Notes.Clear this check box to not filter HTTPS traffic if certain browsers are used.

Option Description

Page 156: Proxy Client Administration and Deployment Guide for Windows 3.4.x.1

Chapter 8: Configuring ProxyClient Web Filtering

156

In the table that follows, www.example.com/news is in both the Blogs/Personal Pages and News/Media categories. The following table shows how the conflict is resolved.

Rulebase configuration    Policy action

[figure]    Because News/Media is first in the rulebase and its policy action is block, www.example.com/news is blocked except for users in the BLUECOAT\Managers group, for which it is allowed.

[figure]    Because Blogs/Personal Pages is first in the rulebase and its policy action is allow, www.example.com/news is allowed except for users in the BLUECOAT\Users group, for which it is blocked.

Blue Coat recommends you order Web filtering rules in the category rulebase as follows:

1. Whitelist overrides (that is, local database and policy categories you always want to allow)

2. Blacklist overrides (that is, local database and policy categories you always want to block)

3. All other categories with policy action set to block

4. All other categories with policy action set to warn

5. All other categories with policy action set to allow
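The first-match behavior and the recommended ordering can be checked offline with a small model. The following Python sketch is an added example, not Blue Coat code: the CategoryRule structure, the assumption that group rules inside a category are also first-match, and the "Software Updates" category name are all hypothetical. It replays the www.example.com/news conflict and the software-update case, and flags rulebases that depart from the recommended order.

```python
from dataclasses import dataclass, field

ALLOW, WARN, BLOCK = "allow", "warn", "block"


@dataclass
class CategoryRule:
    """One rulebase entry (hypothetical model, not a ProxyClient data structure)."""
    category: str
    action: str                                       # category-level policy action
    group_rules: list = field(default_factory=list)   # ordered (group, action) pairs
    override: bool = False                            # local database / policy category


def evaluate(rulebase, url_categories, user_groups, default_action=ALLOW):
    """Return (action, deciding_category) for one request.

    Only the first rulebase entry whose category the URL is rated in is
    consulted; later matching categories never get a say.
    """
    for rule in rulebase:
        if rule.category not in url_categories:
            continue
        for group, action in rule.group_rules:        # assumed: first matching group wins
            if group in user_groups:
                return action, rule.category
        return rule.action, rule.category
    return default_action, None


def tier(rule):
    """Position of a rule in the recommended ordering (0 = should come first)."""
    if rule.override and rule.action == ALLOW:
        return 0                                      # whitelist overrides
    if rule.override and rule.action == BLOCK:
        return 1                                      # blacklist overrides
    return {BLOCK: 2, WARN: 3, ALLOW: 4}[rule.action]


def ordering_violations(rulebase):
    """Categories placed below a category that the recommended order puts later."""
    highest_seen, misplaced = -1, []
    for rule in rulebase:
        if tier(rule) < highest_seen:
            misplaced.append(rule.category)
        highest_seen = max(highest_seen, tier(rule))
    return misplaced


# Constructed from the two cases described in the conflict table.
MANAGERS, USERS = r"BLUECOAT\Managers", r"BLUECOAT\Users"
NEWS = CategoryRule("News/Media", BLOCK, [(MANAGERS, ALLOW)])
BLOGS = CategoryRule("Blogs/Personal Pages", ALLOW, [(USERS, BLOCK)])
NEWS_FIRST, BLOGS_FIRST = [NEWS, BLOGS], [BLOGS, NEWS]
URL_CATEGORIES = {"Blogs/Personal Pages", "News/Media"}   # www.example.com/news

# The software-update case: "Software Updates" is a made-up custom category name.
UPDATES = CategoryRule("Software Updates", ALLOW, override=True)
BUSINESS = CategoryRule("Business/Economy", BLOCK)
UPDATE_SITE = {"Business/Economy", "Software Updates"}

if __name__ == "__main__":
    both = {MANAGERS, USERS}
    for name, rulebase in (("News/Media first", NEWS_FIRST), ("Blogs first", BLOGS_FIRST)):
        for groups in ({USERS}, {MANAGERS}, both):
            print(name, sorted(groups), evaluate(rulebase, URL_CATEGORIES, groups))
        print(name, "misplaced:", ordering_violations(rulebase))
    for rulebase in ([BUSINESS, UPDATES], [UPDATES, BUSINESS]):
        print(evaluate(rulebase, UPDATE_SITE, set()), ordering_violations(rulebase))
```

A user who belongs to both groups is allowed under one ordering and blocked under the other, which is why the ordering check is worth running before a rulebase change is applied.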

Note: If the user is in an office location with ProxyClient Web filtering disabled, a branch ProxySG performs Web filtering. For more information about configuring a branch ProxySG to perform Web filtering, see TBD.


See Also

"Getting Started With Categories" on page 141

"Selecting Categories" on page 143

Displaying and Customizing Web Filtering Exception Pages

An exception page is an HTML message that displays in a user’s Web browser when a content request triggers a policy action. You have the option of editing the default exception pages to provide more detail about why the category is blocked.

Blue Coat provides default exception pages for the following occurrences:

❐ Blocked content: When a user requests content that violates (matched by category) enterprise Web use policy, the following message displays in the Web browser:

Your request was denied because of its content categorization:
Category: offending_category_name
URL: requested_URL

❐ Warn: When a user requests content that might violate enterprise Web use policy (for example, you chose a policy action of Warn for the Search Engine/Portals category, and you want to coach a user regarding Web use policies), the following message appears in the browser:

It may violate company policy to visit this site.
Category: Search Engine/Portals
URL: www.google.com
Click here to continue anyway.

The last line, available only (by default) on the Warn exception page, is a link that users click to acknowledge the warning and proceed with the content request. If they elect to opt out of this request, they must navigate to another page, click the Back button on the browser, or exit the browser.

Note: The behavior of exception pages when the user is browsing HTTPS content when HTTPS filtering is enabled is as follows:

• Some Web browsers: The exception page displays in the same browser window as the request.

• All other Web browsers: The exception page displays in a new browser window.

For more information, see:

• For up-to-date information about Web browsers and their behavior with HTTPS filtering, see the ProxyClient Release Notes.

• To enable HTTPS filtering, in the Client Manager’s Management Console, click Configuration > ProxyClient > Web Filtering > Policy, and select the Enable HTTPS Filtering check box. Click Help for more information.


❐ Unavailable rating service: If a user requests a URL that is not already categorized, and ProxyClient cannot connect to WebPulse, the following message displays in the browser:

The Blue Coat Web Filter Service point could not be reached. This may be due to a networking error.

Users are not allowed to retrieve Web content until a rating service is reached (unless the System > unavailable category is set to Allow). Typical reasons why WebPulse might be unreachable include local connectivity issues (for example, a personal firewall blocking the traffic or a computer with no IP address).

If you decide to change or add to the default text, each exception page is customizable using the Management Console or the command line.

To customize exception pages:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Exceptions.

3. Customize exception pages:

a. From the Exception page for list, select a page to customize:

• Block: Display text when a user browses to content blocked by policy.

• Warn: Display text to inform users that the content they are requesting might violate Web use policy. Users must click a link to acknowledge this warning before receiving the content.

• Unavailable: Display text when WebPulse is not reachable.

b. Customize the Web page header and body text. The Substitution Variables field provides variables you can insert to display content information:

• url: Displays the requested URL.

• cs-categories: A full list of all category ratings assigned to the Web site. Many Web sites have more than one rating.

• cs-categories-exception: The category that caused the exception (the first one matched in the rulebase).

• override-url: Applies to the Warn exception page only. This is used if you change the Continue anyway link to something else, such as a button. It will be substituted with the URL that must be pulled through an HTML request to visit the page that was blocked by the exception.

To add a variable to the custom message, insert the cursor in the HTML code where you want the variable to be, select a variable, and click Insert. You can add as many variables as you want.

c. Click Apply.

Enabling Web Filtering Logging

This section discusses Web filtering logging in the following sections:

❐ "About Web Filtering Logging"
❐ "How to Enable Web Filtering Logging" on page 160
❐ "Configuring Clients That Require a Proxy to FTP Logs" on page 163
❐ "Interpreting the Log Files" on page 163

About Web Filtering Logging

Analyzing user Web browsing activity allows you to better customize your content filter policies and to verify that your users are abiding by company policies. You can configure the ProxyClient to upload user Web browsing activity logs to an anonymous FTP server at regular time intervals or when the local log file reaches a specified size.

Connections occur only when the client system has access to the specified FTP server, which is typically when the user connects to the corporate network.


How to Enable Web Filtering Logging

This section discusses how to enable Web filtering logging. You need to know the name of the anonymous FTP server to which to upload files and the directory to which to write the files. You can also configure automatic upload options based on configurable thresholds.

If the user exceeds either of the following configurable thresholds, log updates occur as soon as possible:

❐ Length of time since the last upload

❐ Size, in MB, of the current log file

To enable logging and configure logging options:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > Web Filtering > Log.

The Log tab displays.

Note: Because log files are uploaded using anonymous FTP, Blue Coat strongly recommends you put your FTP server behind the corporate firewall. In addition, configure the FTP server as follows:

• To prevent the possibility of data loss, do not allow file overwrites.

• For security reasons, do not allow files on the FTP server’s upload directory to be browsed.

• The FTP server must support passive FTP clients. Active FTP is not supported (in other words, log uploads will fail).

• If the FTP server is deployed behind a firewall, the firewall must be configured to allow FTP data connections over TCP ports greater than 1024.

Placing an FTP server outside the firewall has the advantage that even mobile users can upload log files to it; however, it exposes the server and your company to potentially serious malicious activity.


3. Select the Enable Logging check box.

4. Click one of the following logging options:

Option    Description

Log All    Log all Web browsing activity.

Log Exceptions Only    Add a log entry only when a policy exception occurs (blocks, warnings, and rating service unavailability).

5. In the FTP Server Connection section, enter or edit the following information:

Option    Description

Settings for list    Click the type of host you are configuring:
    • Primary FTP Server
    • Alternate FTP Server

Hosts field    Enter the FTP server’s fully-qualified domain name or IP address. Do not precede the name with ftp:// or uploads will fail.

Port field    Enter the FTP server’s listen port. The default is port 21. Make sure your firewall allows FTP traffic through this port, and change the port from the default only if your firewall and FTP server are configured accordingly.

Path field    Enter the relative path on the server to write the log files. You can optionally precede the relative path with the / character; uploads will succeed whether or not the first character is /.
    Examples:
    /path/to/log/directory
    path/to/log/directory
    To upload logs to the FTP server’s home directory, leave the field blank.
    Note: Entering / in the field (with no path following the / character) causes uploads to fail.

6. Choose options that determine when files are uploaded from the ProxyClient computer to the FTP server.

You can choose either a time interval or the total size, in MB, the current log file occupies on the client computer. If a mobile or offsite user is away from the network for an extended period of time and the threshold values are exceeded, an upload occurs as soon as possible.

Enter or edit the following information:

Option    Description

Upload periodically every    • Hours field: Enter the maximum number of hours to wait before attempting to upload logs from the ProxyClient computer to the FTP server.
    • Minutes field: Enter the maximum number of minutes to wait before attempting to upload logs from the ProxyClient computer to the FTP server.
    Note: If you enter a non-zero value for both Hours and Minutes, the total amount of time is used. For example, if you enter 24 Hours and 10 Minutes, the client waits 24 hours and 10 minutes to upload log files.

Start an early upload if log reaches    Enter the minimum log file size, in megabytes, to trigger a log file upload. This value takes precedence over the value you entered in the preceding field. In other words, if you specify 24 hours in the preceding field and 10 megabytes in this field, if the current log file reaches 10 megabytes after only 10 hours, the ProxyClient attempts to upload its log files to the FTP server.

7. Click Apply.

8. Continue with "Configuring Clients That Require a Proxy to FTP Logs".


Configuring Clients That Require a Proxy to FTP Logs

If the ProxyClient requires a proxy server to upload Web filter log files, first make sure the proxy server is an FTP proxy and not a proxy that accepts HTTP requests and outputs them as FTP.

In addition, you must perform the following tasks on the ProxyClient computer:

1.

2. Start Internet Explorer.

3. Click Tools > Internet Options.

4. Click the Connections tab.

5. On the Connections tab page, click LAN Settings.

6. Verify any of the following:

• On the LAN Settings dialog, if the Use a proxy server for your LAN check box is selected, make sure the address of the proxy server is an FTP proxy.

• If the check box is clear, click Advanced.

In the Proxy Settings dialog, make sure the proxy server’s address and port are listed in the fields next to FTP. If not, you must enter the address and port number of an FTP server in these fields.

7. Follow the prompts on your screen to accept the settings.

Interpreting the Log Files

The log file starts similarly to the following:

#Software: ProxyClient 3.2.1.1
#Version: 1.0
#Fields: date time c-ip c-username x-cs-auth-domain c-computername x-exception-id cs-categories cs-categories-exception cs(Referer) cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) r-ip

The following table defines the fields used in the log:

Field    Description

date    Date stamp in Universal Time Code (UTC) format.

time    Time stamp.

c-ip    Client’s IP address.

c-username    Client’s login user name.

x-cs-auth-domain    Client’s domain name (if available).

c-computername    Client’s computer name.

x-exception-id    One of the following:
    • - if the content is allowed.
    • content_filter_warned if the policy action is warn.
    • content_filter_denied if the policy action is block.

cs-categories    Semi-colon-delimited categories for the content request.

cs-categories-exception    The first category match; in other words, the category on which the policy action shown by x-exception-id is based.

cs(Referer)    Referring URL, if any.

cs-method    The method used in the content request (for example, GET).

cs-uri-scheme    The URI’s scheme (http or https).

cs-host    The host portion of the URI.

cs-uri-port    The port used to access the URI.

cs-uri-path    The path relative to cs-host. If cs-uri-scheme is https, this field is blank.

cs-uri-query    Query string, if any. If cs-uri-scheme is https, this field is blank.

cs-uri-extension    File extension of the object.

cs(User-Agent)    Information about the Web browser that requested the object.

r-ip    Web server’s public IP address.

Note: Make sure the system clock of all ProxyClient computers is synchronized with the Client Manager’s clock. (You can do this by configuring them to use the same time standard, such as NTP.) Failure to do so will result in inaccurate log upload times and log ages.

Following is a sample log entry showing that content was blocked:

2008-07-31 17:51:17 - joe.jones USA-TX-Austin LT-JOEJONES content_filter_denied "Vehicles" "Vehicles" - GET http www.mazdausa.com 80 / - - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) 129.33.107.81

In the preceding example, user joe.jones requested content from http://www.mazdausa.com and the content was blocked. The content was categorized as Vehicles, was requested by Internet Explorer 7, and was delivered from a Web server with public IP address 129.33.107.81.
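When uploaded logs are reviewed in bulk, a parser driven by the #Fields line is more reliable than splitting on spaces, because category lists are quoted and the User-Agent in the sample entry is not. The following Python sketch is an added example, not part of the ProxyClient software. It assumes a - value means empty and that any surplus tokens belong to an unquoted cs(User-Agent); every log line except the guide's own sample entry is constructed.

```python
import re
from collections import Counter

TOKEN = re.compile(r'"[^"]*"|\S+')      # a double-quoted string or a bare word


def split_entry(line, fields):
    """Map one log line onto the names from the #Fields directive."""
    tokens = [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
              for t in TOKEN.findall(line)]
    extra = len(tokens) - len(fields)
    if extra < 0:
        raise ValueError("expected %d fields, found %d" % (len(fields), len(tokens)))
    if extra > 0:
        # Assumption: surplus tokens come from an unquoted User-Agent that
        # contains spaces, as in the guide's sample entry.
        if "cs(User-Agent)" not in fields:
            raise ValueError("too many fields and no cs(User-Agent) to absorb them")
        i = fields.index("cs(User-Agent)")
        tokens[i:i + extra + 1] = [" ".join(tokens[i:i + extra + 1])]
    record = {name: (None if value == "-" else value)
              for name, value in zip(fields, tokens)}
    if record.get("cs-categories"):
        record["cs-categories"] = record["cs-categories"].split(";")
    return record


def parse_log(text):
    """Return (directives, entries, rejects) for the text of one log file."""
    meta, fields, entries, rejects = {}, [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key == "Fields":
                fields = value.split()
            else:
                meta[key] = value.strip()
            continue
        try:
            entries.append(split_entry(line, fields))
        except ValueError as exc:
            rejects.append((lineno, str(exc)))      # keep going, report later
    return meta, entries, rejects


def exception_summary(entries):
    """Count warn/block events per (user, exception id, deciding category)."""
    counts = Counter()
    for entry in entries:
        if entry["x-exception-id"] is None:         # "-" means the request was allowed
            continue
        counts[(entry["c-username"], entry["x-exception-id"],
                entry["cs-categories-exception"])] += 1
    return counts


# Line 4 is the guide's sample entry; lines 5 to 8 are constructed test data
# (documentation addresses, example hosts, and one deliberately truncated line).
SAMPLE_LOG = '''\
#Software: ProxyClient 3.2.1.1
#Version: 1.0
#Fields: date time c-ip c-username x-cs-auth-domain c-computername x-exception-id cs-categories cs-categories-exception cs(Referer) cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) r-ip
2008-07-31 17:51:17 - joe.jones USA-TX-Austin LT-JOEJONES content_filter_denied "Vehicles" "Vehicles" - GET http www.mazdausa.com 80 / - - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) 129.33.107.81
2008-07-31 17:52:03 192.0.2.10 joe.jones USA-TX-Austin LT-JOEJONES content_filter_warned "Search Engine/Portals" "Search Engine/Portals" - GET https www.example.com 443 - - - "Mozilla/4.0 (compatible; MSIE 7.0)" 198.51.100.7
2008-07-31 17:53:40 192.0.2.11 ann.lee USA-TX-Austin LT-ANNLEE - "Blogs/Personal Pages;News/Media" - http://www.example.com/ GET http www.example.com 80 /news - - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) 198.51.100.7
2008-07-31 18:02:11 192.0.2.10 joe.jones USA-TX-Austin LT-JOEJONES content_filter_denied "Vehicles" "Vehicles" - GET http www.example.net 80 /cars.html - html "Mozilla/4.0 (compatible; MSIE 7.0)" 198.51.100.9
2008-07-31 18:05:00 192.0.2.11 ann.lee
'''

if __name__ == "__main__":
    meta, entries, rejects = parse_log(SAMPLE_LOG)
    print(meta)
    for key, count in sorted(exception_summary(entries).items()):
        print(count, key)
    print("rejected lines:", rejects)
```

Rejected lines are returned rather than dropped, so a truncated or tampered upload shows up in the review instead of disappearing from the counts.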


Configuring ProxyClient Web Filtering (CLI)

To configure ProxyClient Web filtering settings:

1. At the #(config) command prompt, enter proxy-client.

2. At the #(config proxy-client) command prompt, enter web-filtering.

3. Configure Web filtering settings:

#(config proxy-client web-filtering) disable
#(config proxy-client web-filtering) enable
#(config proxy-client web-filtering) default-action {allow | block}
#(config proxy-client web-filtering) {allow category_name | block category_name | warn category_name}
#(config proxy-client web-filtering) {promote category_name | demote category_name}
#(config proxy-client web-filtering) {promote-to-top category_name | demote-to-bottom category_name}
#(config proxy-client web-filtering) failure-mode {open | closed}
#(config proxy-client web-filtering) safe-search {disable | enable}
#(config proxy-client web-filtering) https-filtering {disable | enable}
#(config proxy-client web-filtering) user-group-rules category_name
    #(config proxy-client web-filtering category_name) {allow user_group_name | block user_group_name | warn user_group_name}
    #(config proxy-client web-filtering category_name) {promote user_group_name | demote user_group_name}
    #(config proxy-client web-filtering category_name) {promote-to-top user_group_name | demote-to-bottom user_group_name}
    #(config proxy-client web-filtering category_name) clear user_group_name
    #(config proxy-client web-filtering category_name) exit
    #(config proxy-client web-filtering category_name) view
#(config proxy-client web-filtering) inline exception {block | allow | warn} data end-of-file-marker
#(config proxy-client web-filtering) log
    #(config proxy-client web-filtering log) {disable | enable}
    #(config proxy-client web-filtering log) early-update megabytes
    #(config proxy-client web-filtering log) periodic-upload upload-interval hours [minutes]
    #(config proxy-client web-filtering log) ftp-client {alternate | primary} host hostname port
    #(config proxy-client web-filtering log) mode {all-requests | exceptions-only}
#(config proxy-client web-filtering) view

Troubleshooting ProxyClient Web Filtering

This section discusses the following topics related to diagnosing and resolving issues with ProxyClient Web filtering:

❐ "Overview of Web Filtering Troubleshooting"
❐ "More Information About Web Filtering Troubleshooting" on page 167
❐ "Getting Detailed Diagnostics" on page 170

For more troubleshooting information, see one of the following sections:

❐ "Using the ProxyClient Web Browser for Troubleshooting" on page 213
❐ "Troubleshooting ProxyClient Installation and Operation" on page 214
❐ "Troubleshooting ProxyClient Acceleration" on page 115
❐ "Other ProxyClient Troubleshooting Tools" on page 224

Overview of Web Filtering Troubleshooting

The ProxyClient Web browser window and the Client Manager’s Statistics > ProxyClient > Details tab pages assist you with troubleshooting Web filtering issues clients might be experiencing. The following sections provide a brief overview of how you can use these tools:

❐ "Getting Web Filtering Status from the Web Browser Window" on page 166
❐ "Using the Client Manager for Acceleration Troubleshooting" on page 118

Getting Web Filtering Status from the Web Browser Window

The ProxyClient Web browser window indicates the current status of Web filtering as follows:

Figure 8–1 ProxyClient Web browser window showing Web filtering is running

Note: In Figure 8–1, only Web filtering is enabled. If acceleration is also enabled, the Status tab page also displays the Acceleration Statistics section as shown in Figure 7–1 on page 116.

If Web filtering is enabled and running, Running displays in the Filtering Statistics section heading and the statistics increment as the user browses the Web.

The following table lists the meanings of other status messages for Web filtering:

Status message    Meaning

Disabled due to Location    Web filtering is disabled in the client’s current location. For more information about locations, see Chapter 6: "Configuring ProxyClient Locations".

Delegated to a Blue Coat Security Gateway    Web filtering auto-detection is being used so that a Web filtering ProxySG appliance is performing Web filtering for the client.
    For more information, see "Configuring Web Filtering Auto-Detection" on page 100.

Ratings service unavailable    The service that Blue Coat Web filtering uses to get ratings for Web sites is not reachable. As a result, the policy action for the unavailable category is being used.

Not Available    Status is not available because the ProxyClient cannot contact the Client Manager. See "Client Manager Communication Troubleshooting Suggestions" on page 215.

Unlicensed    The Web filtering license on the Client Manager is invalid. To verify this is the case, log in to the Client Manager’s Management Console as an administrator and click Configuration > ProxyClient > Web Filtering > Policy. If the message Web Filtering License: Invalid displays below the Enable Web Filtering check box, you know your license is invalid.
    Contact your Blue Coat representative or Blue Coat Support to resolve the issue.

Internal Service Error    The Web filtering driver is missing or not functioning properly. See "Web Filtering Internal Service Error" on page 169.

For more detailed information, see "More Information About Web Filtering Troubleshooting" on page 167.

Using the Client Manager for Web Filtering Troubleshooting

The Client Manager’s Statistics tab page has information you can use to assist you with troubleshooting Web filtering issues. For more information, see "Viewing ProxyClient Detail Statistics" on page 200.

More Information About Web Filtering Troubleshooting

The following sections provide methods to diagnose Web filtering issues reported by users:

❐ "Why Are Users Receiving Blocked or Warn Messages For No Justifiable Reason?"
❐ "ProxyClient Web Filtering Licensing" on page 169
❐ "Disputing URL Categorizations For ProxyClient" on page 169
❐ "Getting Detailed Diagnostics" on page 170


Why Are Users Receiving Blocked or Warn Messages For No Justifiable Reason?

The most common message you are likely to receive from your users is that ProxyClient is denying them access to a Web site that they feel does not violate Web-use policy.

The first step is to understand why the page is blocked or warned:

❐ The rating server returned a category that resulted in a block action. The exception page, admin log, and Most Recent Events list display the category that caused the block action.

❐ The rating server did not return a category, and the none system category is configured with a block action.

❐ WebPulse is not available, and the unavailable system category is associated with a block action.

WebPulse might be unavailable because of networking and configuration issues. Also make sure personal firewall software on the ProxyClient computer is not blocking the ProxyClient service.

❐ License expiration is fail closed and the Client Manager is not licensed for ProxyClient Web Filtering or does not have a current BCWF database. ProxyClient displays Not licensed as the Web Filtering status on the Status tab page.

❐ Some images on requested pages do not display. This is most likely caused by subsequent requests on an allowed Web page falling into a blocked category. (For example, a section or portlet on an allowed Web page might contact a prohibited site for an advertisement.)

Advise your users this is expected behavior.

More detailed information for most of these events can be retrieved by activating the Advanced Web Filtering Admin Log (see "Instructing Users to Perform Data Traces" on page 233).

Various actions to remedy unjustified block (and warn) actions are available, depending on the reason for the block action:

❐ Add a URL to a custom category or local database that is associated with an allow action (that is, create a whitelist). Move this category above the category that is causing the block action. This causes the allow action to be processed first.

You also have the option to disagree with the rating decision made by BCWF and submit a request for categorization change.

See "Disputing URL Categorizations For ProxyClient" on page 169.

❐ Consider modifying the rule base, allowing the blocked category, allowing none or unavailable categories, or changing the unlicensed behavior to fail open. This option is valid if you are authorized to change the corporate compliant browsing policy.


❐ Fix the license violation. See "ProxyClient Web Filtering Licensing" on page 169.

ProxyClient Web Filtering Licensing

If your users notify you that the application displays the Unlicensed message, the BCWF license is no longer valid or the URL database has not been refreshed in the last 30 days.

On the Configuration > Content Filtering > Blue Coat > Blue Coat Web Filter tab page, verify your BCWF credentials.

Disputing URL Categorizations For ProxyClient

In the event users report they are blocked from accessing a normally allowable Web site, first make sure the problem is not caused by improper ordering of categories in the Web filter rulebase. This is particularly true if a single URL is listed in multiple categories.

For more information, see "Web Filtering Best Practices" on page 155.

If BCWF is blocking access to the Web site and you disagree with the URL’s categorization, Blue Coat enables you to submit a Web site for review, stating ProxyClient as the Web filter source.

To dispute a ProxyClient Web filter rating:

1. In your Web browser’s address or location field, enter:

http://sitereview.bluecoat.com/sitereview.jsp

The Web Page Review Process page displays.

2. In the field, enter the URL to be reviewed and click Submit.

3. On the second Web Page Review Process page, select Blue Coat ProxyClient from the Filtering Service drop-down list.

4. From the first What category or categories does this site belong to? drop-down list, select the category you believe the site belongs to. You can optionally select a secondary category (for example, if your Web filtering policy allows one category, but not the other).

5. (Optional) Select Please send results of the Site Review via email if you want Blue Coat to notify you of the submission verdict.

6. In the Comments and Site Description field, enter a detailed message to Blue Coat site reviewers explaining your reason for this submission.

7. Click Submit.

Web Filtering Internal Service Error

This error displays on the ProxyClient Web browser window’s Status tab page when the Web filtering driver does not load properly.

(Another way to find the problem is using the Client Manager’s Statistics tab page. Click Statistics > ProxyClient > Details > Client Details > Filtering tab page. If (disabled) displays in the Web Filter column for a location in which Web filtering is enabled, it is possible the user tampered with the Web filter driver. To confirm this might be the case, look for the Internal Service Error as discussed in the preceding paragraph.)

A likely reason for the driver not loading is user tampering; for example, deleting or renaming the driver:

proxyclient-install-dir\drivers\proxyclientwebfilter.sys

To make sure it is not a configuration issue, in the ProxyClient Web browser window, click the Advanced tab and click Check for Configuration Updates Now.

If that does not resolve the problem, view the Admin log or enable trace logging for Web filtering as discussed in "Performing Data Traces and Data Collection" on page 232.

The Admin log displays the following messages to indicate the Web filtering driver did not load:

Failed to start web filter, error 4112
Error starting web filtering module: Internal Error
Error initializing web filtering driver: 4112. Please restart your computer. If you continue to experience this problem, contact your administrator.

Getting Detailed Diagnostics

If the information displayed on the ProxyClient Web browser window is not sufficient, get trace logs or run the ProxyClient Data Collection utility as discussed in "Performing Data Traces and Data Collection" on page 232.

Note: To prevent users from renaming or deleting ProxyClient drivers, configure an uninstall password as discussed in "Configure an uninstall password." on page 63.


Chapter 9: Distributing the ProxyClient Software

This chapter discusses the following topics:

❐ "ProxyClient Software Distribution Prerequisites"

❐ "Overview of Distributing the ProxyClient Software" on page 173

❐ "Preparing Interactive Installations" on page 174

❐ "Preparing Silent Installations and Uninstallations" on page 181

❐ "Using Group Policy Object Distribution" on page 193

ProxyClient Software Distribution Prerequisites

Before continuing, make sure you have performed all of the following tasks:

❐ Upgraded the ProxySG appliances in your network to versions compatible with the ProxyClient as discussed in "ProxyClient Compatibility with SGOS" on page 71.

❐ Uploaded the current version of ProxyClient software to the Client Manager as discussed in "Uploading the ProxyClient .car File to the Client Manager" on page 87.

After completing these tasks, see one of the following sections:

❐ "Overview of Distributing the ProxyClient Software"

❐ "Preparing Interactive Installations" on page 174

❐ "Preparing Silent Installations and Uninstallations" on page 181

❐ "Using Group Policy Object Distribution" on page 193

Overview of Distributing the ProxyClient Software

Prerequisite: Before continuing, complete all of the tasks discussed in "ProxyClient Software Distribution Prerequisites" on page 173.

Administrators can make ProxyClient software available to users in any of the following ways:

❐ Interactive installations started from:

• A command line on the user’s machine

• The Client Manager

For more information, see "Preparing Interactive Installations" on page 174

❐ Silent installations

For more information, see "Preparing Silent Installations and Uninstallations" on page 181

❐ Windows Group Policy Object distribution

For more information, see "Using Group Policy Object Distribution" on page 193


❐ Windows System Center Configuration Manager (SCCM)—previously referred to as Systems Management Server (SMS)—distribution

For more information about SCCM or SMS, consult the documentation provided with your SCCM or SMS server.

Preparing Interactive Installations

This section discusses how to install the ProxyClient interactively; that is, so the user knows the software is being installed and can interact with the installation. To install the ProxyClient silently, see "Preparing Silent Installations and Uninstallations" on page 181.


Users can install the ProxyClient software either by downloading ProxyClientSetup.exe from the Client Manager, or manually by running ProxyClientSetup.msi from a command line, as shown in the following table:

Note: For the user to run ProxyClientSetup.exe or ProxyClientSetup.msi, the user must be in the Administrators group on the client machine.

Important: Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.

Table 9–1 ProxyClient Installation Options

| Option | Description |
| --- | --- |
| Install from Client Manager | Provide users the URL to ProxyClientSetup.exe, which displays on the Client Manager tab page when you click Configuration > ProxyClient > General > Client Software. ProxyClientSetup.exe downloads and runs ProxyClientSetup.msi on the client machine. Users see the installation in progress and have the option of canceling the installation. For more information about this installation method, see "Interactive Installations from the Client Manager" on page 175. |
| Install from the command line | To install ProxyClient using ProxyClientSetup.msi, users must first download it to the client machine, then execute it from the command line as discussed in "Interactive Manual Installations" on page 180. Note: For a complete discussion of ProxyClientSetup.msi command-line parameters, see "Preparing Silent Installations and Uninstallations" on page 181. |

Interactive Installations from the Client Manager

To interactively install the ProxyClient software from the Client Manager, the user must be in the Administrators group on the client machine.

Note: Users who run the ProxyClient setup application must be in the Administrators group on the client machine. Also, although it is possible for users to run the .msi, it is not recommended because the installation will fail unless the user provides parameters on the command-line (for example, BCSI_UPDATEURL).

To enable users to run ProxyClientSetup.exe from the Client Manager:

Send users an e-mail with the URL to ProxyClientSetup.exe on the Client Manager.

The URL displays on the ProxyClient > Client Manager > Client Manager tab page.

To install the ProxyClient using this method:

1. Get the URL or location from which you access ProxyClientSetup.exe.

2. Click the URL in an e-mail or enter it in your browser’s address field.

3. ProxyClientSetup.exe starts the setup application—ProxyClientSetup.msi—that installs the ProxyClient software.

The following dialog displays if you use Internet Explorer 7:


4. Click Run. The following dialog displays if your browser is Internet Explorer 7:

5. Click Run.

The ProxyClient software download begins. During the download, a progress dialog similar to the following displays:

Note: The Security Warning dialog displays because ProxyClientSetup.exe is not signed. This is because ProxyClientSetup.exe is unique to each Client Manager, which in turn makes signing it by a recognized certificate authority difficult.


When the download completes, the InstallShield Wizard dialog displays.

6. Click Next.

7. The Destination Folder dialog allows you to determine the folder location to which ProxyClient is installed. Blue Coat recommends that you install to the default directory: c:\Program Files\Blue Coat\Proxy Client. To accept the default, click Next and proceed to Step 8.

To install to a directory of your choosing, click Change. The Change Current Destination Folder dialog displays. Click the icons to navigate to a folder and click Ok.


8. When you are satisfied with your installation preparation decisions, click Install. The Installing Blue Coat ProxyClient wizard dialog displays.

When the installation is complete, a dialog displays if acceleration is enabled.

• Click Yes to reboot the system immediately.

• Click No to reboot the system at a later time. Select this option to save work before you reboot.


If only Web filtering is enabled, the following dialog displays.

9. After the machine reboots, verify the state of the ProxyClient as discussed in "ProxyClient Tray Icon States and Meanings" on page 222.

Interactive Manual Installations

This section discusses how to allow users to manually install the ProxyClient software.

To enable users to manually install the ProxyClient software:

Provide a location from which the user can download ProxyClientSetup.msi to the client machine; for example, provide the user the URL to the Client Manager.

To install the ProxyClient using this method:

1. Download ProxyClientSetup.msi to a location on the local file system.

2. Perform either of the following:

• Select Start > Run, then enter the command shown in step 3.

• Open a DOS command prompt window and change to the directory to which you downloaded ProxyClientSetup.msi.

3. Enter the following command:

path\ProxyClientSetup.msi BCSI_UPDATEURL=url-to-config.xml

where path is the absolute file system path to ProxyClientSetup.msi (if necessary), url-to-config.xml is the URL to ProxyConfig.xml on the Client Manager.

This URL displays when you select ProxyClient > Client Manager and click the Client Manager tab as discussed in "Designating a ProxySG as the Client Manager" on page 81.

For example,

ProxyClientSetup.msi BCSI_UPDATEURL=http://mysg.example.com:8084/proxyclient/ProxyClientConfig.xml

Important: Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.

Do not edit ProxyConfig.xml on the client machine; instead, click Check for Updates Now on the Advanced tab page in the ProxyClient Web browser window to get updates from the Client Manager.

4. The installation proceeds as discussed in "Interactive Installations from the Client Manager" on page 175.

5. Verify the ProxyClient tray icon state as discussed in "ProxyClient Tray Icon States and Meanings" on page 222.

• If only Web filtering is enabled, you can verify the icon state immediately.

• If acceleration is enabled, you must reboot the computer first.

Preparing Silent Installations and Uninstallations

This section discusses how to silently install or uninstall the ProxyClient (that is, installations that users do not interact with).

To install the ProxyClient interactively, see "Preparing Interactive Installations" on page 174.

This section includes the following topics:

❐ "About Silent Web Filtering Installations"

❐ "Parameters for Silent Installations" on page 183

❐ "Command for Silent Uninstallations" on page 188

❐ "Example Installations and Uninstallation" on page 189

Note:

• If the Client Manager is not available, the installation succeeds and the ProxyClient tries to contact the Client Manager every 10 minutes until the client gets a configuration. If Client Manager communication issues persist, see "Client Manager Communication Troubleshooting Suggestions" on page 215.

• Other command-line parameters are available. For a complete list, see "Preparing Silent Installations and Uninstallations" on page 181.


For information about distributing the ProxyClient software using Group Policy Object, skip this section and see "Using Group Policy Object Distribution" on page 193.

About Silent Web Filtering Installations

Starting with ProxyClient version 3.2, the user’s computer does not have to be rebooted if only Web filtering is enabled, and all policies during and after the installation or upgrade are preserved. In other words, if the Pornography category was blocked for the user before an upgrade to ProxyClient version 3.2, the Pornography category is blocked during and after the upgrade.

This feature works automatically without any additional configuration.

During an upgrade to version 3.2, the user is required to close any open supported Web browser windows (for example, Internet Explorer and Firefox Safari). The exception is that if the ProxyClient tray icon and Start menu shortcut are hidden, no prompt displays.

The following table explains what happens after any of the following occurs:

❐ Initial installation of ProxyClient version 3.2.

❐ Upgrade to version 3.2 from an earlier version.

❐ Upgrade from 3.2 to a later 3.2.x patch.

Important: Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.

Do not edit ProxyClientConfig.xml on the client computer after it has been downloaded from the Client Manager. Instead, click Check for Updates Now on the Advanced tab page of the ProxyClient’s Web browser window to get a configuration update.

| ProxyClient features enabled | Post-installation behavior |
| --- | --- |
| Web filtering enabled, Acceleration disabled | Web filtering continues to function as defined by policy; that is, categories that are blocked by policy remain blocked after the installation or upgrade. If the ProxyClient tray icon is visible, a message displays to indicate the operation was successful. If the ProxyClient tray icon is hidden, no message displays so the user is not aware the upgrade occurred. For more information about hiding the tray icon, see "Limiting ProxyClient Visibility and Interactivity" on page 190. |
| Web filtering enabled, Acceleration enabled; or Web filtering disabled, Acceleration enabled | If acceleration is enabled, the user must reboot their computer after an installation or upgrade, regardless of whether or not Web filtering is enabled. All existing connections are dropped during the installation or upgrade process and any new connections are accelerated after the computer is rebooted. If Web filtering is enabled, policies remain in effect during the upgrade process. The following applies to the ProxyClient tray icon: • If the tray icon is visible, the user is prompted to reboot their computer after the installation or upgrade completes. The balloon message Disabled Until Reboot displays on the tray icon and in the Acceleration Statistics section on the Status tab page in the ProxyClient Web browser window. • If the tray icon is not visible, no prompt displays; however, acceleration is disabled until the computer is rebooted. |

Note: The only way to downgrade from ProxyClient version 3.2 to version 3.1 is to uninstall version 3.2 and install the earlier version. For more information, see "ProxyClient Compatibility with SGOS" on page 71.

Continue with "Parameters for Silent Installations".

Parameters for Silent Installations

The following table shows parameters to use with ProxyClientSetup.msi for silent installations. For examples, see "Example Installations and Uninstallation" on page 189.

Silent Installation Usage

ProxyClientSetup.msi [/qf | /qb | /qr | /qn] BCSI_UPDATEURL=url REINSTALL=ALL REINSTALLMODE=vamus [AUTOUPDATEPROHIBITED=0|1] [FORCEREBOOT={yes|no} | {y|n}] [REBOOTTIME=secs] [REGISTRYSETTINGS=settings] [NO_UI_SHORTCUT={0|1}] [/l*v logfile] [LOG_APPEND={0|1}]

Continue with any of the following sections:

❐ "Silent Installation Parameters"

❐ "Example Installations" on page 189

❐ "Example Uninstallation" on page 190


Silent Installation Parameters

The following table shows the meanings of the parameters that can be used for silent installations; for examples, see "Example Installations and Uninstallation" on page 189:

Table 9–2 Parameters for Silent ProxyClient Installations

Parameter: /qf | /qb | /qr | /qn | /quiet
Argument: none
Description: Sets the user interface level (in other words, the extent to which the installer interface displays to the user). /qf (fully visible and interactive, the default) enables the user to see and interact with the installer and to cancel the installation. /qb (basic) and /qr (reduced) enable the user to see and interact with the installer and to cancel the installation. /qn or /quiet (totally silent) prevents the user from seeing or interacting with the installer and from canceling the installation. Note: Because this is an msiexec parameter, other options are available. Enter msiexec at a command prompt for more information about other options.

Parameter: BCSI_UPDATEURL
Argument: url
Description: URL to ProxyClientConfig.xml on the Client Manager, which you can find as discussed in "Designating a ProxySG as the Client Manager" on page 81, entered in the following format: https://client-manager-host:client-manager-port[/proxyclient/ProxyClientConfig.xml] The path to ProxyClientConfig.xml is optional.

Parameter: REINSTALL
Argument: ALL
Description: Installs all ProxyClient components, whether they are already installed or not. ALL is the only supported parameter value in this release.

Parameter: REINSTALLMODE
Argument: vamus
Description: Blue Coat recommends using vamus as the parameter value. Because this is an msiexec parameter, other options are available. For more information, see the description of the REINSTALLMODE parameter on the MSDN Web site.

Parameter: AUTOUPDATEPROHIBITED
Argument: 0|1
Description: 0 (default) means the ProxyClient automatically implements software updates at the interval the administrator specified for software update interval in "Designating a ProxySG as the Client Manager" on page 81. 1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as SCCM, SMS, or GPO. Note: Regardless of the value of this setting, the client always gets configuration updates at the next software update interval. Users can also get configuration updates manually.

Parameter: FORCEREBOOT
Argument: yes|no or y|n
Description: yes or y mean the dialog displays with only a Restart Now button and a progress bar that increments until the computer reboots. (However, if REBOOTTIME=0, neither a dialog nor progress bar displays.) no or n (default) mean a dialog displays with two options: Restart Now and Restart Later, enabling users to either reboot immediately or wait until a later time of their choosing.

Parameter: REBOOTTIME
Argument: secs
Description: Number of seconds after the ProxyClient installation completes before the user’s machine is rebooted. A non-zero value means a counter displays on the post-installation reboot dialog. If FORCEREBOOT is set to no, this value is ignored. For more information, see "Example Installations and Uninstallation" on page 189. The default is 0.

Parameter: NOUISHORTCUT
Argument: 0 | 1
Description: Set to 1 to hide the Start menu option for the ProxyClient: Start > [All] Programs > Blue Coat ProxyClient > ProxyClient. To start the ProxyClient browser window, a user must double-click the ProxyClient shortcut located in %SystemDrive%:\Program Files\Blue Coat\ProxyClient. On Windows 7 (64bit), the shortcut is located in %SystemDrive%:\Program Files (x86)\Blue Coat\ProxyClient. Set to 0 to show the Start menu option. The default is 0.

Parameter: REGISTRYSETTINGS
Argument: “name:data-type:value”
Description: Colon-delimited, semicolon-separated list of registry settings to create for the client. For more information, see Table 9–3.

Parameter: /l*v
Argument: logfile
Description: If you want the installation to be logged, enter the absolute file system path and file name of the log file. The user installing the software must have permission to write to the indicated folder and the folder must be available during the installation; therefore, you should avoid specifying a network drive.

Parameter: LOG_APPEND
Argument: 0 | 1
Description: Set to 0 to overwrite the existing ProxyClient installer log file. Set to 1 to append to the existing ProxyClient installer log file. Default is 0.

Table 9–3 shows the available arguments for the REGISTRYSETTINGS parameter. This parameter sets the key name, data type, and value of ProxyClient registry settings under HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\Proxy Client. On Windows 7 (64bit), the registry settings are under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client.

Examples of using these settings can be found in "Limiting ProxyClient Visibility and Interactivity" on page 190.

Important: Blue Coat strongly recommends testing these registry settings before deploying them in a production environment. Improper registry settings might cause the installation to fail or to not function as expected.


Table 9–3 Parameters for ProxyClient registry settings

Key name: CacheDirectory
Data type: REG_SZ
Value: Set the folder in which ProxyClient byte and CIFS cache files are stored. The directory you specify must already exist. For example, REGISTRYSETTINGS="CacheDirectory:REG_SZ:D:\BCCacheDir"
By default, with no registry key specified, cache files are stored in the following folder:
• Windows XP: %SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient
• Windows Vista and Windows 7: %SystemDrive%\Windows\system32\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

Key name: ChangeCMAllowed
Data type: REG_DWORD
Value: Allowed values: 0 | 1. Set to 1 to allow the user to change the Client Manager. For example, REGISTRYSETTINGS="ChangeCMAllowed:REG_DWORD:1" Set to 0 to prevent the user from changing the Client Manager. The default is 0.

Key name: DefaultWebPort
Data type: REG_DWORD
Value: Allowed values: 1024 through 65534 (inclusive). If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000. Default is 8000. For more information, see "Changing the Default Web Server Port" on page 230.

Key name: TiNotVisible
Data type: REG_DWORD
Value: Allowed values: 0 | 1. Set to 1 to hide the ProxyClient system tray icon and all pop-up messages. For more detail about ProxyClient icon states, see "Limiting ProxyClient Visibility and Interactivity" on page 190. For example, REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1" Set to 0 to display the ProxyClient tray icon and pop-up messages. The default is 0.

Key name: TiNotVisibleForceUpdate
Data type: REG_DWORD
Value: Allowed values: 0 | 1. Set to 1 to force ProxyClient software updates on client computers without user interaction. This registry setting does not depend on the setting for TiNotVisible; in other words, setting the value of this key to 1 means clients always get updates regardless of whether or not the tray icon is hidden. For example, REGISTRYSETTINGS="TiNotVisibleForceUpdate:REG_DWORD:1" Set to 0 to apply ProxyClient software updates normally; that is, provided updates are allowed, users must install the updates manually. The default value is 0. Note: Regardless of the value of this registry key, clients always get configuration updates automatically at the update interval you set using Configuration > ProxyClient > General > Client Manager. Clients can also get configuration updates manually at any time.

Command for Silent Uninstallations

To silently uninstall the ProxyClient software, use the following command:

msiexec /X{D35B0C7A-4545-4A98-A810-3810B3FE25E5} /quiet PASSWORD=uninstall-password

The string {D35B0C7A-4545-4A98-A810-3810B3FE25E5} identifies the ProxyClient installer’s MSI product code.

During uninstallation, the ProxyClient removes:

❐ The SG Client (this is the pre-SGOS 5.3 version of ProxyClient).

❐ All ProxyClient drivers, folders, files, the service, and so on.

❐ ProxyClient cache files and the cache folder.


Example Installations and Uninstallation

This section shows the following examples:

❐ "Example Installations" on page 189

❐ "Example Uninstallation" on page 190

Additional examples are discussed in "Limiting ProxyClient Visibility and Interactivity" on page 190.

Example Installations

Example 1: Basic manual installation:

ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=no REGISTRYSETTINGS="CacheDirectory:REG_SZ:D:\BCCacheDir"

The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it.

The REINSTALL and REINSTALLMODE parameters cause all ProxyClient components to install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation.

After the installation is complete, the user is prompted to reboot unless only Web filtering is enabled.

The REGISTRYSETTINGS parameter locates the cache directory in D:\BCCacheDir. This directory must exist prior to the installation; otherwise, the default cache directory will be used.

Example 2: The user has the ability to change the Client Manager using the ProxyClient browser window

ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes REBOOTTIME=30 REGISTRYSETTINGS="ChangeCMAllowed:REG_DWORD:1"

The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters make sure that all ProxyClient components install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation.

The REGISTRYSETTINGS parameter creates a registry key that enables users to change the Client Manager using the ProxyClient browser window (for more information, see "" on page 229).

After the installation is complete, the user has the following options:

• Wait 30 seconds for the machine to reboot.

• Click Restart Now in the dialog to reboot immediately.

Important: Do not rename ProxyClientSetup.msi; doing so causes future updates to fail.

Do not edit ProxyClientConfig.xml on the client computer after it has been downloaded. Instead, click Check for Updates Now on the Advanced tab page of the ProxyClient’s Web browser window to get updates.

Example 3: Automated, interactive installation without a timer

ProxyClientSetup.msi /qr BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes AUTOUPDATEPROHIBITED=1

The ProxyClient configuration downloads from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters make sure that all ProxyClient components install, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation.

After the installation is complete, the user has the option to reboot unless only Web filtering is enabled.

Example Uninstallation

msiexec /X{D35B0C7A-4545-4A98-A810-3810B3FE25E5} /quiet PASSWORD=uninstall-password

The string {D35B0C7A-4545-4A98-A810-3810B3FE25E5} identifies the ProxyClient installer’s MSI product code.

Limiting ProxyClient Visibility and Interactivity

This section discusses how to limit ProxyClient application visibility and user interaction with the ProxyClient software. You can implement any or all of the following options:

| Option | Setting |
| --- | --- |
| Force ProxyClient software updates on clients without user interaction | TiNotVisibleForceUpdate registry key set to 1 |
| Hide the ProxyClient system tray icon | TiNotVisible registry key set to 1 |
| Hide the ProxyClient Start menu option | NOUISHORTCUT installer switch |

Registry keys and installer switches are discussed in more detail in "Command for Silent Uninstallations" on page 188.

Important: The AUTOUPDATEPROHIBITED=1 argument prevents ProxyClient software updates only. Configuration updates are installed from the Client Manager at the next update interval after they are available.

The following table shows the ProxyClient tray icon states and how they are affected by these settings:

| Icon meaning | Registry setting | Description |
| --- | --- | --- |
| Normal | Default: TiNotVisible registry key not present | Always displays |
| Normal | Invisible: TiNotVisible set to 1 | Never displays |
| Warning state (for example, low disk space or updates are available) | Default: TiNotVisible registry key not present; TiNotVisibleForceUpdate set to 0 | Always displays to warn users about critical states or when user action is required (for example, to get software updates manually) |
| Warning state | Invisible but interactive: TiNotVisible set to 1; TiNotVisibleForceUpdate registry key not present | Never displays; configuration updates are downloaded automatically but the user must install software updates manually. However, if software updates are disabled (AutoUpdateProhibited registry key set to 1), the user never gets software updates. |
| Warning state | Invisible and non-interactive: TiNotVisible set to 1; TiNotVisibleForceUpdate set to 1 | The tray icon never displays. |

Note: To enable users to get software updates if you hide the system tray icon or Start menu option, set the AutoUpdateProhibited registry key to 0. You can do this by editing the registry or by installing the ProxyClient software with the AUTOUPDATEPROHIBITED installer option absent or set to 0.

Example

The following example hides the system tray icon, and requires clients to accept software updates without interaction:

ProxyClientSetup.msi /qn BCSI_UPDATEURL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1;TiNotVisibleForceUpdate:REG_DWORD:1"


This example sets the following options:

| Option | Description |
| --- | --- |
| /qn | Performs a non-interactive installation. |
| BCSI_UPDATEURL=https://mysg.example.com:8084 | Specifies the URL from which clients obtain policy. |
| REINSTALL=ALL | Installs all ProxyClient components, whether they are already installed or not. |
| REINSTALLMODE=vamus | For more information, see the description of the REINSTALLMODE parameter on the MSDN Web site. |
| FORCEREBOOT=yes | Forces clients to reboot after installing the ProxyClient software. |
| REGISTRYSETTINGS="TiNotVisible:REG_DWORD:1; TiNotVisibleForceUpdate:REG_DWORD:1" | • TiNotVisible:REG_DWORD:1 Hides the ProxyClient system tray icon unless software updates are being downloaded. The icon also displays after the updates have been installed to indicate the computer must be rebooted. • TiNotVisibleForceUpdate:REG_DWORD:1 Requires clients to accept software updates when they are available. User interaction is not permitted. However, if the AutoUpdateProhibited registry key is set to 1, it takes precedence and software updates are never downloaded. |
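A pre-deployment check for the silent-installation command lines described in this chapter, as an added example that is not Blue Coat's code: it parses the REGISTRYSETTINGS list (keeping the colon inside a value such as D:\BCCacheDir) and checks properties and registry values against Table 9–2 and Table 9–3. The function names, severity labels and the second sample command are assumptions made for illustration.

```python
import re

BOOL = {"0", "1"}
# Installer properties from Table 9-2 (None = free-form value). The guide spells
# the shortcut switch both NOUISHORTCUT and NO_UI_SHORTCUT, so both are accepted.
PROPERTIES = {
    "BCSI_UPDATEURL": None, "REINSTALL": {"all"}, "REINSTALLMODE": None,
    "AUTOUPDATEPROHIBITED": BOOL, "FORCEREBOOT": {"yes", "no", "y", "n"},
    "REBOOTTIME": None, "REGISTRYSETTINGS": None, "NOUISHORTCUT": BOOL,
    "NO_UI_SHORTCUT": BOOL, "LOG_APPEND": BOOL,
}
# Registry keys from Table 9-3: name -> (data type, value check).
REGISTRY_KEYS = {
    "CacheDirectory": ("REG_SZ", lambda v: v != ""),
    "ChangeCMAllowed": ("REG_DWORD", lambda v: v in BOOL),
    "DefaultWebPort": ("REG_DWORD", lambda v: v.isdecimal() and 1024 <= int(v) <= 65534),
    "TiNotVisible": ("REG_DWORD", lambda v: v in BOOL),
    "TiNotVisibleForceUpdate": ("REG_DWORD", lambda v: v in BOOL),
}
# A token is a run of non-space characters in which "..." may contain spaces.
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')


def parse_properties(cmd):
    """Return the NAME=value properties of an installer command line as a dict."""
    props = {}
    for tok in TOKEN.findall(cmd):
        if not tok.startswith("/") and "=" in tok:
            name, value = tok.split("=", 1)
            props[name.upper()] = value.strip('"')
    return props


def parse_registry_settings(raw):
    """Split 'name:type:value;name:type:value' into (name, type, value) tuples.
    Only the first two colons delimit fields, so a drive letter in the value survives."""
    entries = []
    for item in filter(None, (s.strip() for s in raw.split(";"))):
        parts = item.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"expected name:data-type:value, got {item!r}")
        entries.append(tuple(parts))
    return entries


def lint(cmd):
    """Return a list of (severity, message) findings for one command line."""
    findings = []
    if re.search("[\u201c\u201d]", cmd):  # quotes pasted from a PDF or word processor
        findings.append(("error", 'typographic quote found; only ASCII " delimits an argument'))
    props = parse_properties(cmd)
    for name, value in props.items():
        if name not in PROPERTIES:
            findings.append(("warning", f"{name} is not a Table 9-2 property"))
        elif PROPERTIES[name] and value.lower() not in PROPERTIES[name]:
            findings.append(("error", f"{name}={value} is not an allowed value"))
    url = props.get("BCSI_UPDATEURL")
    if url is None:
        findings.append(("error", "BCSI_UPDATEURL is missing"))
    elif not url.lower().startswith("https://"):
        findings.append(("warning", "BCSI_UPDATEURL does not use the https:// format of Table 9-2"))
    if "REBOOTTIME" in props:
        if not props["REBOOTTIME"].isdecimal():
            findings.append(("error", "REBOOTTIME must be a number of seconds"))
        elif props.get("FORCEREBOOT", "no").lower() in ("no", "n"):
            findings.append(("info", "REBOOTTIME is ignored unless FORCEREBOOT=yes"))
    try:
        entries = parse_registry_settings(props.get("REGISTRYSETTINGS", ""))
    except ValueError as exc:
        findings.append(("error", str(exc)))
        entries = []
    reg = {}
    for name, dtype, value in entries:
        spec = REGISTRY_KEYS.get(name)
        if spec is None:
            findings.append(("error", f"registry key {name} is not in Table 9-3"))
        elif dtype != spec[0]:
            findings.append(("error", f"{name} must be {spec[0]}, not {dtype}"))
        elif not spec[1](value):
            findings.append(("error", f"{name} value {value!r} is not allowed by Table 9-3"))
        else:
            reg[name] = value
    if reg.get("TiNotVisibleForceUpdate") == "1" and props.get("AUTOUPDATEPROHIBITED") == "1":
        findings.append(("warning", "AutoUpdateProhibited takes precedence: "
                         "forced software updates are never downloaded"))
    return findings


# The hidden-icon example command from this section of the guide.
PAGE_EXAMPLE = ('ProxyClientSetup.msi /qn BCSI_UPDATEURL=https://mysg.example.com:8084 '
                'REINSTALL=ALL REINSTALLMODE=vamus FORCEREBOOT=yes REGISTRYSETTINGS='
                '"TiNotVisible:REG_DWORD:1;TiNotVisibleForceUpdate:REG_DWORD:1"')
# Constructed for this example: misspelled property, http URL, bad port, conflict.
CONSTRUCTED_BAD = ('ProxyClientSetup.msi /qn BCSI_UPDATEURL=http://mysg.example.com:8084 '
                   'AUTOUPDATEDPROHIBITED=1 AUTOUPDATEPROHIBITED=1 REBOOTTIME=30 REGISTRYSETTINGS='
                   '"DefaultWebPort:REG_DWORD:80;TiNotVisibleForceUpdate:REG_DWORD:1"')

if __name__ == "__main__":
    for label, cmd in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(label, lint(cmd) or "no findings")
```

Running the check on a command line before it goes into SCCM, SMS or a GPO transform catches the improper registry settings that the guide warns might cause the installation to fail.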


Using Group Policy Object Distribution

This section discusses how to distribute the ProxyClient software using Windows Group Policy Object (GPO).

Important: Only an experienced Windows administrator should attempt to complete the tasks discussed in this section.

To distribute the ProxyClient software using GPO:

1. Get an .msi transform tool, such as the Orca database editor.

Orca is a table-editing tool available in the Windows Installer SDK that can be used to edit your .msi files. You can also use similar tools available from other vendors.

For more information about Orca, see Microsoft KB article 255905.

The remainder of this section assumes you use Orca. Consult the documentation provided with the transform tool you are using for vendor-specific instructions.

Note: Blue Coat does not recommend a particular transform tool.

2. Open ProxyClientSetup.msi.

3. Perform the following changes to the Property table:

Note: Be advised, this action invalidates the signature on the MSI.

Table 9–4 ProxyClient setup property table changes

Property: BCSI_UPDATEURL
Action: Add row
Value: Required for all installations.
URL to ProxyClientConfig.xml on the Client Manager, entered in the following format:
https://client-manager-host:client-manager-port[/proxyclient/ProxyClientConfig.xml]
Specifying the path to ProxyClientConfig.xml is optional.

Property: FORCEREBOOT
Action: Edit value
Value: Required for all installations.
Change the value from n to y. This value causes the user’s machine to reboot after the ProxyClient is downloaded, which is required to use the ProxyClient.

Property: REINSTALL
Action: Add row
Value: Add this row and set it to all only if you want to update the ProxyClient software and configuration using GPO.
If clients get future ProxyClient software and configuration updates from the Client Manager, do not add this row.

Property: REINSTALLMODE
Action: Add row
Value: Add this row and change it to vamus only if you want to update the ProxyClient software and configuration using GPO.
If clients will get future ProxyClient software and configuration updates from the Client Manager, do not add this row.

Property: AUTOUPDATEPROHIBITED
Action: Edit value
Value: Change the value from 0 to 1 only if you want to update the ProxyClient software in some way other than from the Client Manager, such as using SCCM, SMS, or GPO. (Configuration updates are obtained from the Client Manager whose URL is specified by the BCSI_UPDATEURL parameter discussed earlier in this table.)
1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as using SCCM, SMS, or GPO.
If clients will get future ProxyClient software updates from the Client Manager, leave this value at 0.

4. To implement registry changes discussed in Table 9–3 on page 187, use the following steps:

a. Add one row to the Registry table for every registry setting you wish to set.

b. In the Add Row dialog, enter the following information:

Field: Description

Registry: Enter a unique description of the registry entry. The value you enter is not written to the registry; it is used only to identify the entry. The value must begin with Registry. For example, Registry1.

Root: Enter 2.

Key: Enter the ProxyClient registry path relative to HKEY_LOCAL_MACHINE, Software\Blue Coat Systems\Proxy Client

Name: Enter the name of the registry key; see Table 9–3 on page 187.

Value: Enter the value of the registry key. Note: If the value is REG_DWORD, you must preface the value with the number sign (#). For example, a registry key value of 1 must be entered as #1.

Component: Enter ProxyClientSvc.exe.

c. Generate the transformation.
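The Registry table rows from step 4, generated from the same REGISTRYSETTINGS string used in the msiexec example, as an added example (not Blue Coat's code). The field values come from the Add Row fields described above; the function names, the REG_SZ handling, and the constructed AutoUpdateProhibited sample are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Fixed field values from the guide's Add Row instructions.
ROOT_HKLM = 2
PROXYCLIENT_KEY = r"Software\Blue Coat Systems\Proxy Client"
COMPONENT = "ProxyClientSvc.exe"

# From the guide's msiexec example.
GUIDE_SPEC = "TiNotVisible:REG_DWORD:1; TiNotVisibleForceUpdate:REG_DWORD:1"
# Constructed for this example: forced updates combined with prohibited updates.
CONSTRUCTED_SPEC = GUIDE_SPEC + "; AutoUpdateProhibited:REG_DWORD:1"


@dataclass(frozen=True)
class RegistryRow:
    registry: str  # identifies the row only; not written to the registry
    root: int
    key: str
    name: str
    value: str
    component: str


def parse_settings(spec: str) -> list[tuple[str, str, str]]:
    """Split 'Name:TYPE:value; ...' into (name, type, value) tuples."""
    settings = []
    for item in spec.split(";"):
        if not item.strip():
            continue
        parts = [part.strip() for part in item.split(":", 2)]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed setting: {item.strip()!r}")
        settings.append((parts[0], parts[1].upper(), parts[2]))
    return settings


def format_value(reg_type: str, value: str) -> str:
    """Encode a value the way the MSI Registry table expects it."""
    if reg_type == "REG_DWORD":
        number = int(value)  # raises ValueError on non-numeric input
        if not 0 <= number <= 0xFFFFFFFF:
            raise ValueError(f"REG_DWORD out of range: {value}")
        return f"#{number}"  # the guide's rule: 1 is entered as #1
    if reg_type == "REG_SZ":
        # Windows Installer rule: a literal string that starts with '#'
        # needs one more '#' so it is not read as a number.
        return "#" + value if value.startswith("#") else value
    raise ValueError(f"type not handled by this example: {reg_type}")


def build_rows(spec: str) -> list[RegistryRow]:
    """Return one Registry-table row per setting, with unique row names."""
    rows, seen = [], set()
    for index, (name, reg_type, value) in enumerate(parse_settings(spec), start=1):
        if name.lower() in seen:  # registry value names are case-insensitive
            raise ValueError(f"duplicate setting: {name}")
        seen.add(name.lower())
        rows.append(RegistryRow(f"Registry{index}", ROOT_HKLM, PROXYCLIENT_KEY,
                                name, format_value(reg_type, value), COMPONENT))
    return rows


def lint_update_settings(spec: str) -> list[str]:
    """Flag combinations that leave clients without Client Manager software updates."""
    values = {name.lower(): value for name, _type, value in parse_settings(spec)}
    hidden = values.get("tinotvisible") == "1"
    forced = values.get("tinotvisibleforceupdate") == "1"
    prohibited = values.get("autoupdateprohibited") == "1"
    findings = []
    if prohibited and forced:
        findings.append("AutoUpdateProhibited=1 takes precedence over "
                        "TiNotVisibleForceUpdate=1: software updates are never downloaded")
    elif prohibited and hidden:
        findings.append("tray icon hidden and AutoUpdateProhibited=1: "
                        "users never get software updates from the Client Manager")
    return findings


if __name__ == "__main__":
    for row in build_rows(GUIDE_SPEC):
        print(row.registry, row.root, row.key, row.name, row.value, row.component, sep="\t")
    for finding in lint_update_settings(CONSTRUCTED_SPEC):
        print("NOTE:", finding)
```

A finding from the lint step is expected when software updates are deliberately delivered through SCCM, SMS, or GPO; it is a prompt to confirm that such a channel exists.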


Chapter 10: Monitoring ProxyClient Performance

This chapter discusses the following topics:

❐ "Viewing ProxyClient History Statistics"

Statistics > ProxyClient > History

Aggregated bandwidth usage statistics related to the ProxyClient and all concentrators in the network, and with the Client Manager (for example, number of clients, number of software updates, and number of configuration updates).

❐ "Viewing ProxyClient Detail Statistics" on page 200

Statistics > ProxyClient > Details

Information about active and inactive ProxyClients, such as user name, host name, operating system; whether or not acceleration and Web filtering are enabled in the client’s location; size of log files; size of the ProxyClient cache; and data related to ProxyClient software version running on clients.

❐ "Viewing ProxyClient ADN History Statistics" on page 209

Statistics > ADN History

Statistics related to the ProxyClient and a particular concentrator. To view statistics related to ProxyClients and all concentrators on the network, view the BW Usage tab page on Statistics > ProxyClient History.

❐ "Viewing ProxyClient Active Session Statistics" on page 210

Statistics > Sessions > Active Sessions > ADN Inbound Connections

Statistics related to inbound ADN connections to a concentrator from ProxyClients.

Viewing ProxyClient History Statistics

ProxyClient history statistics compile data from the Client Manager and from concentrators that communicate with ProxyClients as follows:

❐ Client Manager: Current active ProxyClients, the number of software updates, number of configuration updates, and ProxyClient version information.

❐ Concentrators: Bandwidth usage aggregated for all concentrators.

The ProxySG displays graphs for each tab page in selectable time increments, varying from the last hour to all time periods. Hover the mouse pointer over any graph on the page to see metric data.


To view ProxyClient history statistics:

1. Log in to a ProxySG appliance’s Management Console as an administrator.

The statistics you view depend on the role of the appliance, as follows:

• Client Manager: To view Active Clients, Configurations Served, Software Served, or Client Version Count.

• Concentrator: To view BW Usage.

2. Click Statistics > ProxyClient > History.

3. Click a tab to view statistics and then see one of the following sections:

• "Viewing ProxyClient Bandwidth (BW) Usage Statistics"

• "Viewing ProxyClient Active Clients Statistics" on page 199

• "Viewing ProxyClient Configurations Served Statistics" on page 199

• "Viewing ProxyClient Software Served Statistics" on page 199


Viewing ProxyClient Bandwidth (BW) Usage Statistics

This section discusses the BW Usage tab page for the ProxyClient (Statistics > ProxyClient > History > BW Usage). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197.

The BW Usage tab page displays aggregated statistics for all ProxyClients that use this Client Manager. The following columns display on this tab page:

❐ C: The number of bytes sent and received by the applications running on the client’s computer (that is, corresponding to the Total Demand graph in the ProxyClient browser window).

❐ S: The number of bytes sent over the WAN after acceleration was applied (that is, corresponds to the Actual Usage graph in the ProxyClient browser window).

❐ Gain: The magnitude of bandwidth gain.

❐ Savings: The percentage of bandwidth savings.

Viewing ProxyClient Active Clients Statistics

This section discusses the Active Clients tab page for the ProxyClient (Statistics > ProxyClient > History > Active Clients). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197.

The Active Clients tab page displays how many ProxyClients are active on the network. Any ProxyClient that does not report for 10 consecutive minutes is treated as inactive.

Viewing ProxyClient Configurations Served Statistics

This section discusses the Configurations Served tab page for the ProxyClient (Statistics > ProxyClient > History > Configurations Served). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197.

The Configurations Served tab page displays how many times the ProxyClient configuration file was downloaded from the Client Manager.

Viewing ProxyClient Software Served Statistics

This section discusses the Software Served tab page for the ProxyClient (Statistics > ProxyClient > History > Software Served). For general information about ProxyClient history statistics, see "Viewing ProxyClient History Statistics" on page 197.

The Software Served tab page displays how many times ProxyClient software was downloaded to user systems.


Viewing ProxyClient Detail Statistics

ProxyClient detail statistics are aggregated by the Client Manager. Detail statistics include general information about ProxyClients, and information about acceleration and Web filtering features.

This section discusses the following topics:

❐ "Viewing ProxyClient Detail Statistics"
❐ "About the ProxyClient Detail Tab Pages" on page 200
❐ "Common Tasks on Every Tab Page" on page 201
❐ "For More Information About ProxyClient Details" on page 202

Viewing ProxyClient Detail Statistics

This section discusses general information about viewing ProxyClient detail statistics.

To view ProxyClient detail statistics:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Statistics > ProxyClient > Details > Client Details.

The Client Details tab page displays.

The Client Details tab page has four tabs: General, Acceleration, Filtering, and All. For detailed information about each of these tab pages, see "Viewing ProxyClient Client Details" on page 203.

About the ProxyClient Detail Tab Pages

At the bottom of each of the four tab pages, the total number of clients and the number of available clients are displayed. These terms have the following meanings:


• Total displayed clients: The number of clients displayed on the tab page after filters were applied.

If no filters were applied, the total displayed clients is equal to the available clients. More information about filtering is discussed in the sections that follow.

• Available clients: Total number of clients (both active and inactive) this Client Manager has seen since the last time the client list was cleared using the #(config proxy-client) clear {all | inactive} command.

The #(config proxy-client) clear {all | inactive} command is discussed in "Clearing ProxyClients (CLI)" on page 90.

Note:

• Clients are automatically cleared after 30 days of inactivity.

• After a software upgrade, clients appear twice for 30 days—one entry for the earlier version of client software and one entry for the newer version of client software. You can optionally clear the inactive clients using the clear inactive command to avoid seeing duplicate information.

• For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.

Common Tasks on Every Tab Page

Task: Description

Sort data by column: Click the name of a column to sort data by that column in either ascending or descending order.

Filter data by column: You can optionally filter data displayed on any tab page by certain columns displayed on that tab page. Filters are logically ANDed together. Column values are sorted by type; for example, numeric values are sorted numerically.

1. From the Add Filter list, click the name of a column to use to filter data.
If you click the name of a column that has no predetermined values (like Username), a field displays next to the Add Filter list. If you click the name of a column that has predetermined values, a list of available values displays next to the Add Filter list.

2. From the adjacent field or list, make a selection to use to filter the data.
For example, if you clicked Username from the Add Filter list, enter all or part of a user name in the adjacent field. The matching criterion you enter is not case-sensitive.
Filters are matched by substring; wildcard characters are not supported. For example, to search for a user name that contains the string proxy, enter proxy in the field.

3. Click Add.
This adds the filter and updates the data displayed on the tab page.

4. Optional tasks:
• To add another filter, repeat the preceding steps. Filters are logically ANDed together.
• To edit an existing filter, click the link in the filter, make changes to filter settings, and click Add.
• To delete an existing filter, click x next to the name of the filter.

Refresh the data: Click Refresh at the bottom of the tab page. It might take several minutes for configuration changes to be reflected on the tab page. For example, if you enable acceleration in a location, it might take several minutes after the client receives the configuration update for the data on this page to be updated to reflect the new configuration.

Download the data to a text file: Click Download at the bottom of the tab page and follow the prompts on your screen to save the text file on your computer. The data displayed on that tab page is saved to the text file. Any filters or sorting options you chose are preserved.

For More Information About ProxyClient Details

See one of the following sections:

❐ "Viewing ProxyClient Client Details"
❐ "Viewing ProxyClient Client Version Count" on page 208

Viewing ProxyClient Client Details

ProxyClient details display the following types of statistics:

❐ General—For each user, displays information such as user name, domain, host name, host operating system, ProxyClient software version, last known status, age of last known status, location, and which ProxyClient features are enabled for that location. For more information, see "ProxyClient General Details".

❐ Acceleration—For each user, displays acceleration-related information such as user name, domain, host name, acceleration status, client cache size, client bytes, server bytes, and the client’s ADN peers. For more information, see "ProxyClient Acceleration Details" on page 205.

❐ Filtering—For each user, displays Web filtering-related information such as user name, domain, host name, Web filtering status, the age of the Web filtering log, and the size of the Web filtering log file. For more information, see "ProxyClient Web Filtering Details" on page 206.

❐ All—Displays all information on the preceding tab pages. For more information, see "All ProxyClient Details" on page 208.

ProxyClient General Details

The General tab page displays general information about active and inactive clients.

To display general ProxyClient details statistics:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Statistics > ProxyClient > Details > Client Details > General.

The following table discusses the data displayed in each column of the General tab:

Column: Description

User Name: Name of the user logged in to the ProxyClient computer.

Domain: Domain to which the ProxyClient computer belongs.

Host Name: ProxyClient computer’s host name.

OS: ProxyClient computer operating system version information.

Version: ProxyClient software version.

Status: [icon] indicates an active client.
[icon] indicates an inactive client. A client is reported as inactive if 10 minutes or more elapse between heartbeat packets it sends to the Client Manager.

Status Age: The length of time since the ProxyClient last reported its status (either active or inactive) to the Client Manager.

Uninstall Protection: [icon] indicates an uninstallation password is configured.
[icon] indicates an uninstallation password is not configured.

Location: The name of the ProxyClient’s location.

Acceleration: [icon] indicates acceleration is enabled in this client’s location.
[icon] indicates acceleration is disabled in this client’s location.

Web Filter: [icon] indicates Web filtering is enabled in this client’s location.
[icon] indicates Web filtering is disabled in this client’s location. It could also indicate user tampering; for more information, see "Web Filtering Internal Service Error" on page 169.

File Encryption: [icon] indicates this client’s cache is encrypted. Provided the user installed the ProxyClient software on an NTFS partition on Windows XP or Windows Vista, the cache and Web filtering log files are encrypted. A value of 0 most likely means the cache has not been used yet or the client’s computer has no available space for caching.
[icon] indicates this client’s CIFS cache is not encrypted. If acceleration is enabled in this client’s location but the cache is not encrypted, the most likely reason is this client installed the ProxyClient software on a non-NTFS partition.
Note: The cache is used for CIFS protocol acceleration and for byte caching.

IID: A globally-unique identifier assigned to every ProxyClient in the ADN network. A ProxyClient’s IID starts with the string CL. An IID is similar to a Peer ID for appliances.

You have the following options:

❐ Sort data by column: Click the name of a column to sort it in ascending or descending order.

❐ Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add.

❐ Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect.

❐ Download the data to a text file: Click Download and follow the prompts on your screen.

For additional information about these options, see "Common Tasks on Every Tab Page" on page 201.

ProxyClient Acceleration Details

The Acceleration tab page displays information related to gzip compression, CIFS protocol acceleration, and byte caching.

To display ProxyClient acceleration details:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Statistics > ProxyClient > Details > Client Details > Acceleration.

The Acceleration tab page displays.

The following table discusses the data displayed in each column:

Column: Description

User Name: Name of the user logged in to the ProxyClient computer.

Domain: Domain to which the ProxyClient computer belongs.

Host Name: ProxyClient computer’s host name.

Acceleration: [icon] indicates acceleration is enabled in this client’s location.
[icon] indicates acceleration is disabled in this client’s location.

Cache Size: Size of the client’s cache. If acceleration is enabled for a client but the cache size is 0 bytes in size, check the value of the ADN Peers column. If the client has no ADN peers, most likely the ADN manager or backup manager is not configured properly (for example, no subnets are being accelerated). To resolve this issue, see "Before You Begin Configuring ProxyClient Policy" on page 103.

Client Bytes: The number of bytes sent and received by the applications running on the client’s computer (that is, corresponding to the Total Demand graph in the ProxyClient Web browser window).

Server Bytes: The number of bytes sent over the WAN after acceleration was applied (that is, corresponding to the Actual Usage graph in the ProxyClient Web browser window).

ADN Peers: The Peer ID of each concentrator that is accelerating traffic for the ProxyClient.

You have the following options:

❐ Sort data by column: Click the name of a column to sort it in ascending or descending order.

❐ Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add.

❐ Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect.

❐ Download the data to a text file: Click Download and follow the prompts on your screen.

For additional information, see "Common Tasks on Every Tab Page" on page 201.

ProxyClient Web Filtering Details

The Filtering tab page displays Web filtering information.

To display ProxyClient Web filtering details statistics:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Statistics > ProxyClient > Details > Client Details > Filtering.

The Filtering tab page displays.

The following table discusses the data displayed in each column:

Column: Description

User Name: Name of the user logged in to the ProxyClient computer.

Domain: Domain to which the ProxyClient computer belongs.

Host Name: ProxyClient computer’s host name.

Web Filter: [icon] indicates Web filtering is enabled in this client’s location.
[icon] indicates Web filtering is disabled in this client’s location. It could also indicate user tampering; for more information, see "Web Filtering Internal Service Error" on page 169.

Web Filter Log Age: Displays the size of this client’s Web filtering log file.
[icon] indicates there was an error retrieving the data. Hover the mouse pointer over the symbol to display an error message. For more detailed information, collect logs from the user’s computer (including the Web filter trace file) as discussed in "Instructing Users to Perform Data Traces" on page 233.
— means the log age is not available, probably because the client is inactive. There could also be a problem preventing this client from uploading its logs to the FTP server. If the issue persists, collect logs from the user’s computer (including the Web filter trace file) as discussed in "Instructing Users to Perform Data Traces" on page 233.
n/a means Web filtering is not enabled for this client.

Web Filter Log Size: The size of the client’s Web filtering log file.

You have the following options:

❐ Sort data by column: Click the name of a column to sort it in ascending or descending order.

❐ Filter data: From the Add Filter list, click the name of a column by which to filter data. From the adjacent list or field, enter the required data to filter and click Add.

❐ Refresh data: Click Refresh. Note that it might take several minutes for configuration changes to take effect.

❐ Download the data to a text file: Click Download and follow the prompts on your screen.

For additional information, see "Common Tasks on Every Tab Page" on page 201.

All ProxyClient Details

The All tab page combines all the data displayed on the General, Acceleration, and Filtering tab pages.

For more information, see one of the following sections:

❐ "ProxyClient General Details" on page 203
❐ "ProxyClient Acceleration Details" on page 205
❐ "ProxyClient Web Filtering Details" on page 206

Viewing ProxyClient Client Version Count

The Client Version Count tab page displays the total number of active and inactive ProxyClients by software version number.

To display ProxyClient client version count:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Statistics > ProxyClient > Details > Client Version Count.

The Client Version Count tab page displays. For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.

Viewing ProxyClient ADN History Statistics

These statistics relate to bandwidth usage and gain from ProxyClient connections to a specific concentrator. To view aggregated statistics for bandwidth usage and gain for all concentrators in the network, see "Viewing ProxyClient History Statistics" on page 197.

To view ProxyClient ADN History statistics:

1. Log in to a concentrator’s Management Console as an administrator.

2. Click Statistics > ADN History.

3. From the Duration list, click a time frame.

4. View the following statistics:

The displayed statistics represent all ADN traffic processed by this concentrator. ProxyClients are aggregated into one peer group, with ProxyClients as the Peer ID and Peer IP.

Other appliances on the network devices are listed by IP address.

The other attributes for both usage and gain are:

• Optimized Bytes: How many bytes were sent using the ADN tunnel.


• Unoptimized Bytes: How many bytes would have been sent over the network had ADN not been used.

By comparing optimized bytes and unoptimized bytes, you can determine how much savings was realized by using ADN.

• Savings: The performance gained by ADN processing.

Viewing ProxyClient Active Session Statistics

Active session statistics display current bandwidth usage and savings information between ProxyClients and a particular concentrator.

To view Active Session statistics:

1. Log in to a concentrator’s Management Console as an administrator.

2. Click Statistics > Sessions > Active Sessions > ADN Inbound Connections.

3. At the top of the ADN Inbound Connections tab page, click Show to display statistics from active sessions.

• Client—The IP address of the ProxyClient (for example, the outbound IP address of the VPN application).

• Server—The IP address of the final destination server (such as a content server).

• Peer—For ProxyClients, client and peer IP addresses are the same because ProxyClient mimics a branch ProxySG.

• Duration—How long the active session has been connected.

• Unopt. Bytes—The number of bytes served to or from the server before or after ADN optimization. For example, the number of bytes sent to a server before the traffic was optimized by ADN.

• Opt. Bytes—The number of bytes optimized by ADN processing.

• Savings—The performance gained by ADN processing.


• C—Whether the data is compressed or not.

(compressed) displays if the data is being compressed.

(not compressed) if compression is not being used.

• BC—Whether or not byte caching was used.

• E—Whether or not the incoming ADN tunnel is encrypted. In this release, ProxyClient connections are not encrypted.

• Tunnel Type—The type of TCP tunnel; ProxyClient connections are always identified as Client.


Chapter 11: Troubleshooting the ProxyClient

This chapter discusses the following topics:

❐ "Using the ProxyClient Web Browser for Troubleshooting"
❐ "Troubleshooting ProxyClient Installation and Operation" on page 214
❐ "Troubleshooting ProxyClient Acceleration" on page 115
❐ "Troubleshooting ProxyClient Web Filtering" on page 165
❐ "Other ProxyClient Troubleshooting Tools" on page 224

Using the ProxyClient Web Browser for Troubleshooting

The ProxyClient Web browser window enables users to provide information to administrators about current statistics, and to perform trace logging if necessary to help administrators resolve issues.

The way users start the Web browser window depends on whether or not the ProxyClient tray icon is visible.

To start the ProxyClient Web browser window if the tray icon is visible:

The user should double-click the tray icon or right-click the tray icon and, from the pop-up menu, click Status.

To start the ProxyClient Web browser window if the tray icon is not visible:

The user should perform any of the following tasks:

❐ Click Start > [All] Programs > Blue Coat ProxyClient > ProxyClient

Note that the Start menu option can be hidden.

❐ Double-click the ProxyClient shortcut located in %SystemDrive%:\Program Files\Blue Coat\ProxyClient

On Windows 7 (64bit), the shortcut is located in %SystemDrive%:\Program Files (x86)\Blue Coat\ProxyClient

❐ Open a supported Web browser and enter the following URL in the browser’s location or address field:

http://localhost:web-server-port

where web-server-port is the listen port of the ProxyClient internal Web server. Supported Web browsers are discussed in the ProxyClient Release Notes.

By default, the port is 8000 but administrators can change the port as discussed in "Changing the Default Web Server Port" on page 230.

The ProxyClient window displays status information as follows. Click any of the circled locations to jump to more information about troubleshooting that ProxyClient feature.


Figure 11–1 Blue Coat ProxyClient Web browser window

Continue with one of the following sections:

❐ "Troubleshooting ProxyClient Installation and Operation"
❐ "Other ProxyClient Troubleshooting Tools" on page 224
❐ "Troubleshooting ProxyClient Web Filtering" on page 165
❐ "Other ProxyClient Troubleshooting Tools" on page 224

Troubleshooting ProxyClient Installation and Operation

The following topics discuss how the ProxyClient tray icon state indicates problems with the client and how you can troubleshoot ProxyClient installation issues:

❐ "Suggested Workarounds for Installation Errors"
❐ "ProxyClient Tray Icon States and Meanings" on page 222

For assistance with other issues, see one of the following sections:

❐ "Other ProxyClient Troubleshooting Tools" on page 224
❐ "Troubleshooting ProxyClient Web Filtering" on page 165
❐ "Other ProxyClient Troubleshooting Tools" on page 224


Suggested Workarounds for Installation Errors

This section discusses suggested workarounds for some common ProxyClient installation errors:

❐ "Cannot Connect to the Client Manager"
❐ "Client Manager Communication Troubleshooting Suggestions" on page 215
❐ "Configuration Error" on page 117

Cannot Connect to the Client Manager

This section discusses how to troubleshoot Client Manager communication issues. These issues might manifest themselves in the following ways:

❐ After installing the ProxyClient software for the first time, the following message displays: Cannot connect to the Client Manager to download configuration updates.

❐ The following message displays: Cannot contact the Client Manager.

These messages might display when you hover the mouse pointer over the ProxyClient tray icon or when you view the Status tab page on the ProxyClient Web browser window, as discussed in the next section.

Client Manager Communication Troubleshooting Suggestions

This section discusses how to troubleshoot the following Client Manager communication issues. Blue Coat recommends troubleshooting the issue in the order presented in the following sections:

❐ "Getting Started Troubleshooting Client Manager Communication Issues"
❐ "Resolution: Download Error Getting the Initial Configuration" on page 216
❐ "Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219
❐ "Resolution: Client Manager Not Available" on page 221

Getting Started Troubleshooting Client Manager Communication Issues

Start the ProxyClient Web browser window to get more information about the problem. See "Using the ProxyClient Web Browser for Troubleshooting" on page 213.

❐ Cause: Client cannot contact the Client Manager to get a configuration after initially installing the ProxyClient software.

Result (any of the following):

• If the tray icon is visible, a balloon message displays: Unable to download configuration from Client Manager

• The following message displays in the Status tab page:


To resolve this issue, see "Resolution: Download Error Getting the Initial Configuration" on page 216.

❐ Cause: Client has not been able to download a configuration from the Client Manager for a period of two times the update interval or 30 days (whichever is longer):

Result: The following message displays on the Acceleration Statistics section heading if the

Cannot contact the Client Manager.

To resolve this issue, see "Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219.

Resolution: Download Error Getting the Initial Configuration

This section discusses how to troubleshoot issues related to the ProxyClient not being able to get a configuration after the software is initially installed. If the client computer has a configuration but has not been able to contact the Client Manager for an extended period of time, skip this section and see "Resolution: Cannot Contact the Client Manager to Get the Configuration" on page 219 instead.

If the ProxyClient computer has not gotten a configuration since the software was installed, try the following:

1. Click the admin log link in the error message to display troubleshooting suggestions and use the following guidelines to resolve the issues:

If the user requires VPN to connect to the network, make sure the user’s VPN client is running.

Make sure third-party products like anti-virus or personal firewall software allow the ProxyClient service (ProxyClientSvc.exe) to run and to communicate with the Client Manager using SSL over its listen port (by default, 8084).

1. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.

2. Click the Advanced tab.

3. On the Advanced tab page, in the Client Manager section, verify the Client Manager’s host name or IP address.

If the address is incorrect, click the (change) link and enter the correct information.


4. In the Software Update section, click Check for Updates Now.

Use the following guidelines to resolve the issue:

Table 11–1 ProxyClient manual configuration attempts

Can the client get a configuration update manually? Yes
Resolution: The issue has been resolved.

Can the client get a configuration update manually? No
Resolution: Check the following:
• Make sure any required VPN software is running on the user’s computer.
• Check your network setup to make sure the user can access the Client Manager.

Verifying the Client Manager URL

If the Client Manager URL is incorrect, the ProxyClient cannot contact the Client Manager to get a configuration, or to get updates to the configuration or to the ProxyClient software. The URL might be incorrect because of a typographical error in command-line installations or incorrect DNS configuration if the Client Manager’s host name was specified.

To verify the Client Manager URL:

1. Log in to the Client Manager’s Management Console as an administrator.

2. Click Configuration > ProxyClient > General.

3. For the value of Host, verify the following:


Specified value of Host: Use host from initial client request

Troubleshooting suggestions:
Meaning: This selection means the client uses the Client Manager host name or IP address you specified either from the command line or that you provided to the user.
Most likely, the administrator made a typographical error in a command-line installation. As a result, the ProxyClient software installed but the client cannot contact the Client Manager after rebooting the computer.
Resolution: Use the following steps to verify the Client Manager URL in the ProxyClient configuration:
1. In the Client Manager’s Management Console, click General > Identification.
The value of IP address specifies the Client Manager’s default IP address, which is the IP address you must use as the Client Manager URL. (If you specified a host name instead, the host name must resolve to this IP address.)
2. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
3. Click the Advanced tab.
4. On the Advanced tab page, in the Software Update section, is the Client Manager Address a link, or is there a (change) link next to the address?
• Yes: Click the link and change the Client Manager’s URL. The client validates the URL and gets a configuration update immediately.
• No: Set a registry key to enable you to change the Client Manager URL as discussed in "" on page 229.

Specified value of Host: Use host

Troubleshooting suggestions:
Meaning: This selection means the client downloads the ProxyClient software and configuration from the host name or IP address you specify. This option can be used to migrate users from one Client Manager to another or it can be used if you have multiple, load-balanced Client Managers.
Resolution: Check your DNS or load balancer configuration as follows:
• If you have one Client Manager, check your DNS configuration and make sure the host name resolves to the Client Manager’s default IP address. This IP address is specified in General > Identification in the Client Manager’s Management Console.
• A load balancer typically advertises one Virtual IP (VIP) address. For each Client Manager behind the load balancer, enter the load balancer’s VIP in the Use host field.


Resolution: Cannot Contact the Client Manager to Get the Configuration

This section discusses how to resolve the issue of the client computer not being able to contact the Client Manager for a period of time equal to two times the update interval or 30 days (whichever is longer). If the client computer has not gotten a configuration after the ProxyClient software was initially installed, skip this section and see "Resolution: Download Error Getting the Initial Configuration" on page 216 instead.

If the ProxyClient computer has not been able to get a configuration update for an extended period of time, verify the following:

Make sure any proxy server settings are configured for Internet Explorer. For example, if the user’s default Web browser is Firefox and you have proxy server settings configured for Firefox, configure the same settings for Internet Explorer. The ProxyClient uses proxy server settings configured in Internet Explorer only; it ignores proxy server settings configured for other Web browsers.

Also make sure you are using a supported Web browser. Supported Web browsers are listed in the ProxyClient Release Notes.

❐ In the ProxyClient Web browser window, click the Advanced tab. In the Admin Log section, click View Log and look for any of the following errors:

Table 11–2 Typical ProxyClient communication errors and suggested solutions

Log message:
The cause of the error is highlighted in boldface text:
Trying all connection types in order
Direct connection (no proxy settings):Failed [Cannot resolve the server name]
WinHttp registry settings:Failed [Attempted proxy settings do not exist]
Per-user IE settings:Failed [No logged on session to get settings from]

Cause and suggested solution:
Cause: The Client Manager’s host name is not DNS-resolvable.
Suggested actions:
• Make sure the ProxyClient computer is connected to the network physically or using VPN.
• Make sure a DNS server is available.
• Ping the Client Manager’s host name from the ProxyClient computer.
• To change the Client Manager’s host name, on the Advanced tab page, click the (change) link and enter the correct name in the provided field. In the Software Update section, click Check for Updates Now.
See Table 11–1 on page 217.

Log message:
The cause of the error is highlighted in boldface text:
Trying all connection types in order
Direct connection (no proxy settings):Failed [Cannot connect to the server]
WinHttp registry settings:Failed [Attempted proxy settings do not exist]
Per-user IE settings:Failed [No logged on session to get settings from]

Cause and suggested solution:
Causes:
• The Client Manager’s IP address is not available.
• You entered the incorrect Client Manager IP address.
• You entered the IP address of a device that is not a Client Manager.
Solutions:
• Make sure the ProxyClient computer is connected to the network physically or using VPN.
• Ping the Client Manager’s IP address from the ProxyClient computer.
• To change the Client Manager’s IP address, in the Advanced tab page, click the (change) link and enter the Client Manager’s IP address. In the Software Update section, click Check for Updates Now.
See Table 11–1 on page 217.

Log message:
The cause of the error is highlighted in boldface text:
Trying all connection types in order
Direct connection (no proxy settings):Failed [URL is invalid or the scheme is not supported]

Trying all connection types in order
Direct connection (no proxy settings):Failed [Unhandled http status 404]
WinHttp registry settings:Failed [Attempted proxy settings do not exist]
Per-user IE settings:Failed [No logged on session to get settings from]

Trying all connection types in order
Direct connection (no proxy settings):Failed [Invalid server response]
WinHttp registry settings:Failed [Attempted proxy settings do not exist]
Per-user IE settings:Failed [No logged on session to get settings from]

Cause and suggested solution:
Cause: You entered a Client Manager URL that contained invalid characters, did not use the https:// scheme, or that used an invalid path to ProxyClientConfig.xml
Description:
• Examples of invalid characters include the following: \, $, and space.
• Examples of invalid schemes include: ftp://, http://, and scp://
• Because the path to ProxyClientConfig.xml is optional, you can exclude it from the URL to reduce the possibility of errors. For examples of command line installations, see Chapter 9: "Distributing the ProxyClient Software".
Solutions: See "Solutions to Invalid URLs or Schemes" on page 221.

Solutions to Invalid URLs or Schemes

Use the following suggestions to resolve these issues:

Table 11–3 Suggested solutions to invalid URLs or schemes

Problem:
• Wrong path to ProxyClientConfig.xml
• Illegal characters in the path to ProxyClientConfig.xml
• http:// scheme
• No scheme
Description: The Client Manager’s address might be correct in the ProxyClient Web browser window but because the URL or scheme was not valid, the configuration file could not be loaded. Re-entering the Client Manager address should resolve the issue.
Solution: Change the Client Manager’s address.
1. Start the ProxyClient Web browser window as discussed in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.
2. Click the Advanced tab.
3. On the Advanced tab page, in the Client Manager section, click the (change) link.
Note: If the (change) link does not display, see "" on page 229.
4. Enter the Client Manager’s IP address or host name in the provided field.
5. Click Change.
The ProxyClient contacts the Client Manager and downloads the configuration file. If this does not resolve the problem, verify the Client Manager’s address and try again.

Problem:
• ftp:// scheme
• scp:// scheme
Description: Typically, the Client Manager’s address displays as the name of the scheme. Changing the address should resolve the issue.
Solution: Change the Client Manager’s address; see the preceding row in this table.

Resolution: Client Manager Not Available

This section discusses how to resolve issues with the client’s computer not being able to contact the Client Manager. This error can indicate any of the following:

❐ The Client Manager is down.

Make sure the Client Manager appliance is running. If the Client Manager runs SGOS 5.4 or later, log in to its Management Console as an administrator and click Statistics > Summary and make sure the interface to which ProxyClients connect is up.

❐ Network issues are preventing the user’s computer from contacting the Client Manager.

Review your networking topology, verify that switches and routers are configured correctly, and so on.

If the user requires VPN to connect to the network, make sure the user’s VPN client is running.

Make sure third-party products like anti-virus or personal firewall software allow the ProxyClient service (ProxyClientSvc.exe) to run and to communicate with the Client Manager using SSL over its listen port (by default, 8084).

❐ The Client Manager’s host was specified incorrectly or it has changed since the ProxyClient software was installed.

To verify the Client Manager’s host name, log in to the Client Manager’s Management Console and click Configuration > ProxyClient > General > Client Manager. Correct the value specified in the Use host field.

The user can change the Client Manager host name or IP address if any of the following is true:

• The ProxyClient has not successfully contacted the Client Manager since it was installed.

• The ProxyClient software was installed with the ChangeCMAllowed registry key set to 1.

To change the Client Manager URL, start the ProxyClient Web browser window, click the Advanced tab, and, in the Client Manager section, click the (change) link next to the current Client Manager URL. Enter the new URL in the provided fields and click OK.
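
The checks in Table 11–2 and Table 11–3 can be scripted so that each failure lines up with the admin log message it would produce. The following PowerShell is an added example, not Blue Coat code: the function names, the 5-second timeout and the cm.example.com host are assumptions, while the invalid characters, the https:// requirement and the default listen port 8084 come from this guide.

```powershell
# Added example: pre-flight check of a Client Manager URL, in the order the
# guide troubleshoots it (URL syntax, then DNS, then TCP reachability).
# Function names and the timeout are assumptions, not ProxyClient features.

function New-CheckResult {
    param([string]$Url, [string]$Stage, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Url = $Url; Stage = $Stage; Ok = $Ok; Detail = $Detail }
}

function Test-ClientManagerUrl {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$TimeoutMs = 5000
    )

    # Stage "url" corresponds to the admin log entry
    # "URL is invalid or the scheme is not supported".
    # The guide names \, $ and space as examples of invalid characters.
    if ($Url -match '[\\$ ]') {
        return New-CheckResult $Url 'url' $false 'Contains \, $ or a space'
    }
    if ($Url -notmatch '^https://') {
        return New-CheckResult $Url 'url' $false 'Scheme is not https://'
    }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return New-CheckResult $Url 'url' $false 'Not a well-formed absolute URL'
    }

    # .NET reports port 443 when an https URL carries no explicit port, while the
    # guide gives 8084 as the Client Manager's default listen port. Record that.
    $portNote = ''
    if ($uri.IsDefaultPort) {
        $portNote = ' (URL has no explicit port; guide default listen port is 8084)'
    }

    # Stage "dns" corresponds to "Cannot resolve the server name".
    # An IP literal is returned as-is without a lookup.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($uri.DnsSafeHost)
    } catch {
        return New-CheckResult $Url 'dns' $false "Cannot resolve $($uri.DnsSafeHost)"
    }

    # Stage "tcp" corresponds to "Cannot connect to the server". This only proves
    # that something accepts connections on the port, not that it is a Client Manager.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($uri.DnsSafeHost, $uri.Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return New-CheckResult $Url 'tcp' $false "No answer on port $($uri.Port) within $TimeoutMs ms$portNote"
        }
        $client.EndConnect($pending)
    } catch {
        return New-CheckResult $Url 'tcp' $false "Connection to port $($uri.Port) failed$portNote"
    } finally {
        $client.Close()
    }

    New-CheckResult $Url 'tcp' $true "Reached $($addresses[0]) on port $($uri.Port)$portNote"
}

# Constructed sample inputs; cm.example.com is a placeholder, not a real Client Manager.
$samples = @(
    'http://cm.example.com:8084',
    'https://cm.example.com:8084/bad path/ProxyClientConfig.xml',
    'https://cm.example.com:8084'
)
$samples | ForEach-Object { Test-ClientManagerUrl -Url $_ } | Format-Table -AutoSize -Wrap
```

Run it from the ProxyClient computer, with any required VPN connected, so that the DNS and TCP stages see the same network path the ProxyClient service does.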

ProxyClient Tray Icon States and Meanings

The following table shows the state of the ProxyClient tray icon and its meaning.

Tray icon state / Message (a) / Meaning

Message:
Blue Coat ProxyClient
Acceleration: state
Web filtering: state
Location: name
Meaning: The ProxyClient is installed and functioning normally.

Message: Cannot contact the Client Manager
Meaning: The ProxyClient has been unable to download a configuration update for a period of two times the update interval or 30 days (whichever is longer). ProxyClient is using the last configuration file it was able to get from the Client Manager. Likely causes:
• Firewall configuration problems. Verify the following:
  • If the user has a firewall on the computer, make sure it allows the Client Manager’s host name or IP address as a destination.
  • The corporate firewall must allow SSL traffic through the Client Manager’s listen port (by default, 8084). To confirm the port, in the Client Manager’s Management Console, click Configuration > ProxyClient > General > Client Manager.
• Network problems. Verify the following:
  • If the user is located offsite, the user must first connect to the network (for example, using a VPN client).
  • Make sure the Client Manager appliance is running. If the Client Manager runs SGOS 5.4.x, log in to the Client Manager’s Management Console as an administrator and click Statistics > Summary and make sure the interface to which ProxyClients connect is up.

Message: Unable to download configuration from Client Manager
Meaning: The ProxyClient was unable to download a configuration file from the Client Manager after the software was first installed, most likely due to communication problems between the client and the Client Manager.
To resolve this issue, see "Client Manager Communication Troubleshooting Suggestions" on page 215.

Message: Software Update Available
Meaning: A ProxyClient software update is available from the Client Manager. This message never displays if software updates are disabled.

Message: Configuration error
Meaning: The ADN manager or backup manager is not providing any routing information, most likely because concentrators are not advertising any routes to the managers.
See "Troubleshooting ADN Manager or Concentrator Connection Issues" on page 119.

Message: Internal Service Error
Meaning: Displays if either acceleration or Web filtering drivers are not operational.
Do any of the following:
• For Web filtering errors, see "Web Filtering Internal Service Error" on page 169
• If the error indicates a problem with acceleration, ask the user to reboot the computer, enable trace logging, and repeat the actions that caused the internal service error.
See "Instructing Users to Perform Data Traces" on page 233.

a. To display the message, either hover the mouse pointer over the ProxyClient tray icon or double-click the icon and look for the message in one of the locations shown in "Using the ProxyClient Web Browser for Troubleshooting" on page 213.

Other ProxyClient Troubleshooting Tools

This section discusses the following topics:

❐ "ProxyClient Troubleshooting Tools Summary"
❐ "Changing the Client Manager" on page 229
❐ "Changing the Default Web Server Port" on page 230
❐ "Uninstalling the ProxyClient Software" on page 231
❐ "Performing Data Traces and Data Collection" on page 232
❐ "Using the ProxyClient VPN Whitelist Utility" on page 238
❐ "Client Manager Logging" on page 240

ProxyClient Troubleshooting Tools Summary

This section discusses advanced troubleshooting tools and procedures for administrators. The tasks discussed in this section should be performed only by administrators, or by users with assistance from administrators.

Following is a brief discussion of each troubleshooting tool:

Task: Change the Client Manager URL
Description: Enables you to connect to a Client Manager other than the one from which you initially downloaded the ProxyClient software. The typical use is running ProxySG demonstrations, trials, and evaluations from different ADN networks.
Detail: After you set the required registry key, click the Advanced tab. In the Client Manager section, the Client Manager Address value is a link.
For more information: "" on page 229

Task: Support trace
Description: Collects ProxyClient process information (that is, both acceleration or Web filtering) and provides more details than the Admin Log.
Detail: Advanced tab page, in the Diagnostic Tools section.
For more information: "Instructing Users to Perform Data Traces" on page 233

Task: Advanced logs
Description: Enables users to collect detailed trace information for acceleration or Web filtering individually, or for both.
Detail: Advanced tab page, in the Diagnostic Tools section. Click More under Admin Log.
For more information: "Performing Data Traces and Data Collection" on page 232

Task: Data collector
Description: Collects diagnostic information useful to troubleshoot unexpected behavior and connectivity problems.
Detail: Enables users to collect logs and system information so you can analyze the problem and refer it to Blue Coat Support, if necessary. If you have an SR number, you can attach data collector output to the SR ticket.
For more information: "Instructing Users to Run the ProxyClient Data Collector" on page 234

Task: Changing the Web server port
Description: Enables the administrator to change the default port the ProxyClient internal Web server uses to start the Web browser window.
Detail: The default port is 8000. You can change the port to 1024 through 65534, inclusive.
For more information: "Changing the Default Web Server Port" on page 230

Task: Uninstall the ProxyClient software
Description: Enables users with administrative privileges on the computer to uninstall the ProxyClient software.
For more information: "Uninstalling the ProxyClient Software" on page 231

Task: Registry settings
For more information:
• Table 11–4 on page 227
• Table 11–5 on page 229

Table 11–4 summarizes ProxyClient registry settings in HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\ProxyClient. On Windows 7 (64bit), the registry settings are in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client.

Table 11–4 ProxyClient registry settings

Key name: AutoUpdateProhibited
Data type: REG_DWORD
Allowed values:
0 (default) means the ProxyClient automatically implements software updates at the interval the administrator specified for software update interval in "Designating a ProxySG as the Client Manager" on page 81.
1 means only the ProxyClient configuration can be updated (automatically or manually), but the ProxyClient software cannot be updated. Use this setting if you want to distribute software updates in some way other than the Client Manager, such as SCCM, SMS, or GPO.
Note: Regardless of the value of this setting, the client always gets configuration updates automatically when they are available. Users can also get configuration updates manually.

Key name: CacheDirectory
Data type: REG_SZ
Allowed values: Set the folder in which ProxyClient cache files are stored. The path must already exist; otherwise, the default cache directory is used.
The default cache directory follows:
• Windows XP
%SystemDrive%:\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient
• Windows Vista and Windows 7
%SystemDrive%:\Windows\system32\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

Key name: DefaultWebPort
Data type: REG_DWORD
Allowed values: 1024 through 65534 (inclusive)
If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000.
Default is 8000
For more information, see "Changing the Default Web Server Port" on page 230.

Key name: TiNotVisible
Data type: REG_DWORD
Allowed values: 0 | 1
Set to 1 to hide the ProxyClient system tray icon and pop-up messages.
Set to 0 to display the ProxyClient tray icon and pop-up messages.
By default, this registry key does not exist.

Key name: TiNotVisibleForceUpdate
Data type: REG_DWORD
Allowed values: 0 | 1
Set to 1 to force users to accept software and configuration updates without interaction. This key is independent of TiNotVisible; in other words, the setting for this key determines update behavior whether or not the ProxyClient tray icon is hidden.
Set to 0 to allow updates normally; that is, users always get configuration updates. Software updates can be installed manually.
By default, this registry key does not exist.
Note: The availability of software updates is controlled by the AutoUpdateProhibited registry key. If AutoUpdateProhibited is set to 1, users cannot get software updates, regardless of the value of this registry key. For more information, see "Parameters for Silent Installations" on page 183.

Table 11–5 summarizes ProxyClient registry settings in HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\ProxyClient\config. On Windows 7 (64bit), the registry settings are in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client.

Table 11–5 ProxyClient registry settings (config subnode)

Key name: ChangeCMAllowed
Data type: REG_DWORD
Allowed values: 0 | 1
Set to 1 to allow the user to change the Client Manager.
Set to 0 to prevent the user from changing the Client Manager.
The default is 0.
For more information, see "" on page 229.

Changing the Client Manager

You can change which Client Manager the ProxyClient uses if, for example, you want to run trials or demonstrations on a different ADN network than the one for which you initially configured the ProxyClient. You can also change the Client Manager to troubleshoot connectivity issues or in the event the Client Manager’s address is incorrect or has changed.

Note: After you change the Client Manager address, the client gets a configuration update immediately. The behavior of software updates is not changed; in other words, if you prohibited software updates, the client will not attempt to get a software update after it connects to the new Client Manager. If software updates are allowed, the client gets an update at the next update interval.

To change the Client Manager URL:

1. Set the ChangeCMAllowed registry key in any of the following ways:

• When the ProxyClient software is installed as discussed in Table 9–2, "Parameters for Silent ProxyClient Installations" on page 184.

• After installing the ProxyClient software as discussed in the next step.

2. If a user is not allowed to change the Client Manager URL and the ProxyClient is already installed, perform the following tasks:

a. Start a plist editor application like Property List Editor with sudo privileges.

b. Browse to the following key:
/Library/Preferences/com.bluecoat.proxyclient.config.plist

c. Double-click the ChangeCMAllowed registry value.

d. In the Value field, enter 1.

e. Click OK.

f. Another way to set plist values is to use the defaults command.

Example: sudo defaults write /Library/Preferences/com.bluecoat.proxyclient.config ChangeCMAllowed 1

3. In the ProxyClient Web browser window, click the Advanced tab.

4. In the Client Manager section, click the change link next to the current Client Manager address.

The Change Client Manager dialog displays.

5. In the Change Client Manager dialog, enter or edit the following information:

Field: New Address
Description: Enter the Client Manager’s fully qualified host name or IP address.

Field: New Port
Description: Enter the Client Manager’s listen port.

6. Click OK.

A success or fail message displays in the Change ProxyClient Manager browser window as the URL is verified.

The client gets a configuration update from the new Client Manager immediately. If software updates are ready to download at the next update interval, and if the client is allowed to get software updates, you are notified before the updates are installed.

When the operation is complete, the Advanced tab page displays the new Client Manager host name or IP address.

7. Close the registry editor application.

8. Reboot the computer for the changes to take effect.

The tray icon and pop-up messages are not visible except to notify the user that a software update is being downloaded, and to notify the user to reboot the computer after updates have been installed. If you prohibit automatic software updates, the icon never displays.

Changing the Default Web Server Port

By default, the ProxyClient’s internal Web server listens on port 8000 so that when you open the ProxyClient Web server window, it defaults to the following URL:

http://127.0.0.1:8000/#Status

You can change the default port as follows:

Note: It is safe to set this while the service is running.

❐ Install the ProxyClient software with the DefaultWebPort registry setting from the installer command line as discussed in "Preparing Silent Installations and Uninstallations" on page 181.

❐ If the ProxyClient software is already installed, add the DefaultWebPort registry key as discussed in the following procedure.

To optionally change the ProxyClient Web server listen port:

Start a registry editor like regedit.

1. Create a registry value named DefaultWebPort of type DWORD in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\ProxyClient

On Windows 7 (64bit), the key is located here:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client

2. Set the value of DefaultWebPort as follows:

Allowed values: 1024 through 65534

If the port you specify is in use, the ProxyClient attempts to use the next-highest port until an available port is found. If the maximum value is reached, the ProxyClient starts over at port 8000.

3. Exit the registry editor.

4. Restart the computer for the changes to take effect.
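
The range check and the port fallback rule described above, as an added PowerShell example (not Blue Coat code). It writes DefaultWebPort to whichever of the two keys this guide lists is present, and works out which port the internal Web server would settle on when the configured one is already taken. The function names are hypothetical, and writing under HKEY_LOCAL_MACHINE assumes an elevated session.

```powershell
# Added example. Key paths and the value name are the ones this guide lists;
# the function names are hypothetical.
$ProxyClientKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client',  # Windows 7 (64bit), as given in the guide
    'HKLM:\SOFTWARE\Blue Coat Systems\ProxyClient'
)

function Get-ProxyClientKeyPath {
    # Return the first documented key that exists on this computer, or nothing.
    $ProxyClientKeys | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
}

function Get-ProxyClientWebPort {
    # DefaultWebPort is optional; the guide gives 8000 as the default.
    $key = Get-ProxyClientKeyPath
    if (-not $key) { throw 'No ProxyClient registry key found; is the software installed?' }
    $value = (Get-ItemProperty -Path $key -Name 'DefaultWebPort' -ErrorAction SilentlyContinue).DefaultWebPort
    if ($null -eq $value) { 8000 } else { [int]$value }
}

function Set-ProxyClientWebPort {
    param(
        # Allowed values per the guide: 1024 through 65534 (inclusive).
        [Parameter(Mandatory = $true)][ValidateRange(1024, 65534)][int]$Port
    )
    $key = Get-ProxyClientKeyPath
    if (-not $key) { throw 'No ProxyClient registry key found; is the software installed?' }
    # The guide calls for a value of type DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name 'DefaultWebPort' -PropertyType DWord -Value $Port -Force | Out-Null
    Write-Output "DefaultWebPort set to $Port in $key. Restart the computer for the change to take effect."
}

function Resolve-ProxyClientWebPort {
    # Applies the documented rule: try the configured port, then each next-highest
    # port; after 65534 start over at 8000. Returns $null if every candidate is taken.
    param(
        [ValidateRange(1024, 65534)][int]$Configured = 8000,
        # Defaults to the ports that currently have TCP listeners. If the ProxyClient
        # service is already running, its own listener is counted as in use.
        [int[]]$InUse = @(
            [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
                ForEach-Object { $_.Port }
        )
    )
    $port = $Configured
    for ($i = 0; $i -lt (65534 - 1024 + 1); $i++) {
        if ($InUse -notcontains $port) { return $port }
        if ($port -ge 65534) { $port = 8000 } else { $port = $port + 1 }
    }
    return $null
}

# Constructed sample: pretend 8000 and 8001 already have listeners.
Resolve-ProxyClientWebPort -Configured 8000 -InUse 8000, 8001

# Constructed sample for the wrap-around: top of the range and 8000 both taken.
Resolve-ProxyClientWebPort -Configured 65534 -InUse 65534, 8000
```

Because of the fallback, a local firewall rule or monitoring check tied to the configured port can miss the port the Web server actually uses; compare the resolved port with the URL the ProxyClient Web browser window opens.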

Uninstalling the ProxyClient Software

This section describes how to uninstall the ProxyClient application software from user systems. You can uninstall ProxyClient from your system only if you are in the Administrators group on the computer and if you know the uninstall password (if one is configured).

For information about silent uninstallation, see "Example Uninstallation" on page 190.

To uninstall the ProxyClient software on Windows:

1. Log in to your machine as a user who is a member of the Administrators group.

2. Click Start > Control Panel.

3. In the Control Panel window, select:

Windows XP and Vista: In Classic View, double-click Add or Remove Programs.

Windows Vista and Windows 7: In Category view, select Uninstall a program.

4. Click Blue Coat ProxyClient.

5. Click Remove.

In Windows Vista and Windows 7, select Uninstall.

6. If prompted, enter the uninstall password.


7. Follow the prompts to uninstall the software.

Secondary Procedure

If you discover the preceding procedure did not remove all traces of the ProxyClient software, perform the tasks discussed in this section.

To uninstall the ProxyClient in Windows Safe Mode:

1. Boot into Safe Mode without Networking, which means that no ProxyClient components are loaded by the system.

2. Log in as an administrator.

3. Click Start > Settings > Control Panel.

4. In the Control Panel window, select:

Windows XP and Vista: In Classic View, double-click Add or Remove Programs.

Windows Vista and Windows 7: In Category view, select Uninstall a program.

5. Click Blue Coat ProxyClient.

6. Click Remove.

In Windows Vista and Windows 7, select Uninstall.

7. If prompted, enter the uninstall password.

8. Follow the prompts to uninstall the software.

Performing Data Traces and Data Collection

Traces, logs, and data collection allow users to send you files containing ProxyClient process data that you or Blue Coat Support can use to diagnose issues.

This section discusses the following topics:

❐ "About ProxyClient Logs"

❐ "About the Data Collection Application" on page 233

❐ "Instructing Users to Perform Data Traces" on page 233

❐ "Instructing Users to Run the ProxyClient Data Collector" on page 234

About ProxyClient Logs

Logs are written to the following folder:

❐ Windows XP:

%SystemDrive%\Documents and Settings\All Users\Application Data\Blue Coat Systems\ProxyClient\support

❐ Windows Vista and Windows 7:

%SystemDrive%\ProgramData\Blue Coat Systems\proxyclient\support

The ProxyClient creates the following log files:

| Log file name | Used by |
|---|---|
| proxyclientautoupdate.log | Logs automatic software updates but not configuration updates. |
| proxyclientlog.etl | Admin log (the log users can view on the ProxyClient Web browser window’s Advanced tab page) and the advanced admin logs. The admin log and advanced admin log contain information about acceleration, Web filtering, software upgrades, and configuration updates. These logs are written during the entire time the ProxyClient is running. |
| proxyclientdebug.etl | Support trace, which records all client activity in detail. |

About the Data Collection Application

The ProxyClientDC application gathers system information to send to Blue Coat Support for troubleshooting and debugging purposes. Users have the option of collecting logs and e-mailing them to you or sending them directly to Blue Coat support and attaching them to an existing Service Request (SR).

For more information, see "Instructing Users to Run the ProxyClient Data Collector" on page 234.

Instructing Users to Perform Data Traces

To create trace logs to get assistance from Blue Coat support, ask users to enable any of the following:

❐ The support trace records all client activity.

❐ Detailed trace activity for acceleration, Web filtering, or both.

For users to start a trace:

1. The user starts the ProxyClient Web browser window.

2. Click the Advanced tab.

3. On the Advanced tab page, in the Diagnostic Tools section, click More under Admin Log.

4. Click the Start Trace link next to the trace you wish to start.

5. Repeat the activity that caused the problem.

6. Click the Stop Trace link.

7. Click Open Trace Folder.

8. Send the appropriate .etl file to Blue Coat Support with detailed information about what caused the issue.

Instructing Users to Run the ProxyClient Data Collector

Installed in the ProxyClient folder on user systems, the ProxyClient Data Collector is a utility that end users run to collect comprehensive system information that administrators or Blue Coat Support can use to diagnose problems with the ProxyClient application and network connectivity.

When users access the Data Collector, they must select one of two data collection modes:

❐ System Administrator Mode: This mode collects the following information, which is intended for corporate network administrators:

• All ProxyClient logs, including installation logs and diagnostic trace messages.

• A memory dump of the ProxyClient service process.

• The current configuration file and registry settings.

• A list of all running processes on the system.

• Packet capture

• Various network-related information (IP configuration, trace route, netstat data, and so on).

❐ Blue Coat Mode: Same as Administrator Mode except this option uploads the information to an existing support case.

If your issue was assigned a Service Response (SR) number, the user must enter the SR number to enter Blue Coat mode.

To run the ProxyClient Data Collector utility:

1. The user starts Windows Explorer or double-clicks My Computer.

2. Locate the ProxyClient installation folder.

The default location is %SystemDrive%\Program Files\Blue Coat\Proxy Client\. On Windows 7 (64bit), the location is %SystemDrive%\Program Files (x86)\Blue Coat\ProxyClient.

Note: These instructions are included in the ProxyClient on-line help that is available to users. Users can click Help either on the ProxyClient system tray icon or in the Web browser window.

3. Double-click the ProxyClientDC application.

The Blue Coat ProxyClient Data Collector dialog displays.

4. Choose the mode in which to run the Data Collector.

Options are discussed in the following table.

Option Action

Ask users to select this option if you suspect a configuration or network problem.

Double-click

5. Click Next.

The Data Collector starts and displays the Blue Coat ProxyClient Data Collector dialog.

If you have entered a support case with Blue Coat Support and have received an SR number, provide users with that number. The user should select the check box and enter the SR number in the provided field.

Alternate: If you do not have an SR number but want to collect detailed information for Blue Coat Support, clear the check box. After the data collection process completes, ask the user to send you the file so you can contact Blue Coat Support.

Figure 11–2 Green check marks indicate successful task completion.

A green check mark displays next to each task as it completes successfully (some tasks might require several minutes to complete). At any time, click Stop to stop the data collection process (for example, if the process appears hung on one stage).

Note: The preceding example shows collecting data in System Administrator mode. If the user selects Blue Coat Support mode, additional tasks are performed.

6. After ProxyClient completes all of the tasks:

• System Administrator Mode or Blue Coat mode without selecting the check box to send the data to Blue Coat. Instruct users to:

a. Click View collected data. The collected files display in Windows Explorer.

b. Right-click the .zip file (begins with proxyclientdc- and ends with the user’s system name and date/timestamp) and select Send to > My Documents.

c. E-mail the .zip file (begins with proxyclientdc- and ends with the user’s system name and date/timestamp) to yourself.

d. Click Exit.

• Blue Coat Mode (with the Automatically upload data directly to Blue Coat option selected): ProxyClient automatically forwards the information and associated case number to Blue Coat Support. Click Exit.

• Blue Coat Mode—connection error: If users experience a connection error—that is, ProxyClient cannot upload to Blue Coat—instruct them to run the Data Collector in Blue Coat Mode again, but do not select Automatically upload data directly to Blue Coat.

Using the ProxyClient VPN Whitelist Utility

This section discusses how to use CardList.exe, a utility that assists you in making certain that VPN adapters are recognized by the ProxyClient as Virtual NICs for location awareness purposes. For more information about location awareness, see "About ProxyClient Location Awareness" on page 13.

Because certain software does not flag a Virtual NIC as a “virtual device,” these adapters are seen by the ProxyClient as physical adapters.

To resolve this potential issue, when you install the ProxyClient, the following registry key is created:

HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\Proxy Client\VPN Whitelist

On Windows 7 (64bit), the registry key is located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client\VPN Whitelist

You must edit the registry key to include values that enable the ProxyClient to recognize the VPN adapter for location awareness purposes. The CardList.exe utility identifies these values.

CardList.exe outputs the following types of values:

❐ MAC address

❐ IP address

❐ Comment

Choose an output from CardList.exe that is common among multiple users' computers. When it is available, use the MAC address; avoid using the IP address because it is likely to be different on different computers. Examples follow.

To use CardList.exe:

1. Log in as an administrator to a computer with a VPN adapter that is not recognized by the ProxyClient.

2. Download CardList.exe to that computer.

CardList.exe is attached to KB article 2945.

For more information about the Blue Coat Knowledge Base, see "Blue Coat Knowledge Base" on page 9.

3. Connect to the VPN network.

4. Double-click CardList.exe.

• Following is example output from Windows Vista and Windows 7:

Card List Tool

-----------------------------------------------------------------

This tool lists out all of the network cards that are considered when comparing against the "VPN Whitelist" registry key. Under each card is a list of the strings that can be used to match it. (Only complete strings are matched.) The order of the strings is: MAC address (if one exists), IP address, and description. Please note that these strings may be different between different machines and different OS versions.

-----------------------------------------------------------------

[List of identifiers for adapter "{8A9E4847-A044-46FE-8E92-99EEE0C0B7AF}"]

192.168.192.124

click to connect to network access using firepass 1200

[List of identifiers for adapter "{3D4E88D4-6A70-11DB-B1BA-806E6F6E6963}"]

127.0.0.1

software loopback interface 1

Press any key to continue...

Note that in the preceding example, the VPN adapter's MAC address is not output by CardList.exe but the IP address is (192.168.192.124).

• Following is example output from Windows XP:

Card List Tool

-----------------------------------------------------------------

This tool lists out all of the network cards that are considered when comparing against the "VPN Whitelist" registry key. Under each card is a list of the strings that can be used to match it. (Only complete strings are matched.) The order of the strings is: MAC address (if one exists), IP address, and description. Please note that these strings may be different between different machines and different OS versions.

------------------------------------------------------------------

[List of identifiers for adapter "{DE548E90-ED21-4DCE-A7B4-6D53318BA85E}"]

00-53-45-00-00-00

192.168.192.125

wan (ppp/slip) interface

[List of identifiers for adapter "MS TCP Loopback interface"]

127.0.0.1

ms tcp loopback interface

Press any key to continue...

In the preceding example, both the MAC address (00-53-45-00-00-00) and the IP address (192.168.192.125) are output by CardList.exe.

5. Start a registry editor utility like regedit.

6. Locate the HKEY_LOCAL_MACHINE\Software\Blue Coat Systems\Proxy Client\VPN Whitelist registry key.

On Windows 7 (64bit), the registry key is located at: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client

7. Edit the existing REG_SZ (string) registry value so that it contains one or more of the following values (using a comma to separate multiple values):

• Virtual NIC IP address

• MAC address

• Any other string output by the utility; in the example, click to connect to network access using firepass 1200. Note that you can enter a portion of the string; you do not have to enter the entire string.

For example:

00-53-45-00-00-00,click to connect to network access using firepass 1200

8. Save your changes to the registry and reboot the computer.

When the computer reboots, the ProxyClient recognizes the Virtual NIC.
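The selection rule above (prefer the MAC address, avoid the IP address, use strings that cover several computers) can be applied mechanically once CardList.exe output has been collected from a few machines. The following Python is an added example, not part of the Blue Coat guide or its tooling: the function names, the greedy selection, and the VPN address pool 192.168.192.0/24 (chosen to cover the two example addresses) are assumptions.

```python
import ipaddress
import re

HEADER = re.compile(r'^\[List of identifiers for adapter "(.+)"\]$')
MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
# Trimmed copies of the guide's two example outputs; the /24 pool used below is assumed.
VISTA_SAMPLE = """Card List Tool
[List of identifiers for adapter "{8A9E4847-A044-46FE-8E92-99EEE0C0B7AF}"]
192.168.192.124
click to connect to network access using firepass 1200
[List of identifiers for adapter "{3D4E88D4-6A70-11DB-B1BA-806E6F6E6963}"]
127.0.0.1
software loopback interface 1
"""
XP_SAMPLE = """[List of identifiers for adapter "{DE548E90-ED21-4DCE-A7B4-6D53318BA85E}"]
00-53-45-00-00-00
192.168.192.125
wan (ppp/slip) interface
[List of identifiers for adapter "MS TCP Loopback interface"]
127.0.0.1
ms tcp loopback interface
Press any key to continue...
"""


def classify(value):
    """Return 'mac', 'ip' or 'description' for one identifier line."""
    if MAC.match(value):
        return "mac"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "description"


def parse_cardlist(text):
    """Map adapter name -> [(kind, value), ...] for one CardList.exe run."""
    adapters, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = adapters.setdefault(header.group(1), [])
        elif current is not None and line and not line.startswith("Press any key"):
            current.append((classify(line), line))
    return adapters


def vpn_identifiers(text, vpn_pool):
    """Non-IP identifiers of every adapter holding an address in vpn_pool."""
    pool = ipaddress.ip_network(vpn_pool)
    found = []
    for idents in parse_cardlist(text).values():
        if any(k == "ip" and ipaddress.ip_address(v) in pool for k, v in idents):
            # The registry value is comma-separated: skip strings containing a comma.
            found += [(k, v) for k, v in idents if k != "ip" and "," not in v]
    return found


def choose_whitelist(outputs, vpn_pool):
    """Greedy cover over {machine: CardList text}; returns (value, needs_review)."""
    per_machine = {m: vpn_identifiers(t, vpn_pool) for m, t in outputs.items()}
    uncovered = {m for m, idents in per_machine.items() if idents}
    needs_review = sorted(set(per_machine) - uncovered)  # no usable non-IP string
    chosen = []
    while uncovered:
        coverage = {}
        for machine in uncovered:
            for ident in per_machine[machine]:
                coverage.setdefault(ident, set()).add(machine)
        # Most machines first; on a tie prefer a MAC address, then sort by text.
        best = min(coverage, key=lambda i: (-len(coverage[i]), i[0] != "mac", i[1]))
        chosen.append(best)
        uncovered -= coverage[best]
    return ",".join(value for _, value in chosen), needs_review


if __name__ == "__main__":
    print(choose_whitelist({"vista": VISTA_SAMPLE, "xp": XP_SAMPLE}, "192.168.192.0/24"))
```

For the two example outputs this produces the same string as the example value in step 7. Machines returned in the second element have only an IP address (or a string containing a comma) to match on and need a manual decision.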

Client Manager Logging

The Client Manager logs success or failure events related to users downloading the ProxyClient software and configuration. Each log should include timestamp, HTTP GET string (including the HTTP return code), and client machine name.

To obtain Client Manager logs:

Enter the following URL in your browser’s address field:

https://host:port/proxyclient/log

where host is the fully qualified host name or IP address of the Client Manager, and port is the ProxySG appliance’s listen port.

Using the ProxyClient VPN Whitelist Utility

This section discusses how to use VPN whitelisting, a feature that makes certain that VPN adapters are recognized by the ProxyClient as Virtual NICs for location awareness purposes. For more information about location awareness, see "About ProxyClient Location Awareness" on page 13. Because certain software does not flag a Virtual NIC as a “virtual device,” these adapters are seen by the ProxyClient as physical adapters.

To resolve this potential issue, when you install the ProxyClient, a plist entry "VPN Whitelist" is created in: /Library/Preferences/com.bluecoat.proxyclient.plist

You must edit the plist entry to include values that enable the ProxyClient to recognize the VPN adapter for location awareness purposes. The value can be any one of the following:

❐ Virtual NIC IP address

❐ MAC address

❐ Adapter name

Appendix A: About the ProxyClient System Footprint

This chapter lists the files, folders, and registry keys created by the ProxyClient application. This chapter divides the information into the following sections:

❐ "Installation" on page 243

• "Folders" on page 243

• "Files" on page 244

• "Setup MSI" on page 244

• "Installed Files" on page 244

• "Shortcuts" on page 246

❐ "During Runtime" on page 247

• "Logging and Support" on page 247

• "Web Filter Files" on page 248

• "Data Collector" on page 248

❐ "Removal" on page 248

Installation

This section lists all of the folders and files affected by installation.

Folders

Installation affects the following folders.

Table A–1 Folders affected by installation

| Name Used in the Document | Default Path | Notes |
|---|---|---|
| Temp | %temp% | This is the user's temporary directory. |
| | $TMPDIR | |
| Installation Location | %SystemDrive%\Documents and Settings\All Users\Application Data\Blue Coat Systems\ProxyClient\support | ProxyClient service and other related files are installed here |
| | Windows 7 (64bit): %SystemDrive%\ProgramData\Blue Coat Systems\ProxyClient\support | |
| | /opt/.bluecoatsystems/proxyclient | |
| Application Location | /Applications/Blue\ Coat/Proxyclient/ | The Tray Icon Application and the DataCollector tool are installed here. |
| Application Support | /Library/Application\ Support/Blue\ Coat\ Systems/proxyclient/support | Diagnostic data is stored here |
| plist files Directory | | Plist entries are located in this directory |

Files

Installation affects the following files.

Table A–2 Files affected by installation

| File Name | Location |
|---|---|
| ProxyClientSetup.msi | %TEMP% |
| .pkg | Temp |
| InstallSupport.log, proxyclientsetup_msi.log | Support folder |

Setup MSI

The user can download the setup executable to any location on the system (disk). This executable creates a .pkg file in the Temp directory, which proceeds with the actual installation.

Setup pkg

This is created either by setup bsx in the Temp directory during installation or by extracting it to a location specified by the user (usually Administrator). This file initiates installation.

Installed Files

The MSI installs the majority of the ProxyClient files to the installation target. Table A–4 lists the files for a 32bit Windows platform, and Table A–5 lists the files installed on a 64bit Windows 7 platform.

List of installed files in the Application location:

Other files created during installation:

Table A–4 List of installed files on a 32bit platform.

| File Name | Description |
|---|---|
| ProxyClient | Shortcut for the ProxyClient application |
| ProxyClientSvc.exe | ProxyClient service executable |
| ProxyClientUI.exe | ProxyClient tray icon executable |
| ProxyClient32.dll, Easyhook32.lib | ProxyClient acceleration/web filtering library |
| ProxyClientDC.exe | ProxyClient Data Collector utility |
| SGClientEula.html | End User License Agreement |
| Chartdir.dll | User interface support library |
| SGCustomAction.dll | Installation support library |
| Bridge.pyc | User interface support file |
| StringTable.pyc | User interface support file |
| ProxyClientConfig.xml | ProxyClient configuration and policy file (downloaded from Client Manager) |
| ProxyClientFlt32.sys | Acceleration driver |
| ProxyClientWebFilter32.sys | Web filter driver |
| License.txt, Readme.txt | Required by the Easyhook library. |

Table A–5 List of installed files on a 64bit platform.

| File Name | Description |
|---|---|
| ProxyClient | Shortcut for the ProxyClient application |
| ProxyClientSvc.exe | ProxyClient service executable |
| ProxyClientUI.exe | ProxyClient tray icon executable |
| ProxyClient64.dll, Easyhook64.lib | ProxyClient acceleration/web filtering library |
| ProxyClientDC.exe | ProxyClient Data Collector utility |
| SGClientEula.html | End User License Agreement |
| Chartdir.dll | User interface support library |
| SGCustomAction.dll | Installation support library |
| Bridge.pyc | User interface support file |
| StringTable.pyc | User interface support file |
| ProxyClientConfig.xml | ProxyClient configuration and policy file (downloaded from Client Manager) |
| ProxyClientFlt64.sys | Acceleration driver |
| ProxyClientWebFilter64.sys | Web filter driver |
| License.txt, Readme.txt | Required by the Easyhook library. |
| Inject64.exe | Injects a 64bit process with the 32bit ProxyClient service. |

Table A–6 Other files created during installation

| File Name | Location | Description |
|---|---|---|
| com.bluecoat.proxyclientservice.plist | /Library/LaunchDaemons/ | Service launch daemon |
| proxyclientwebfilter.kext | /System/Library/Extensions/ | Webfilter driver |
| com.bluecoat.proxyclient.plist, com.bluecoat.proxyclient.config.plist, com.bluecoat.proxyclient.datacollector.plist, com.bluecoat.proxyclient.internal.plist | Plist files directory | ProxyClient configuration plist files |
| Proxyclientlog.etl | Support Directory | ProxyClient admin log |
| Proxyclientdebug.etl | Support Directory | ProxyClient debug log |

Additionally, several user interface files are written to the include and webroot folders under the installation target. The total size of the installed files (not including the initial configuration file) is approximately 15 MB. The size of the configuration file varies from 2 KB to several MB.

Shortcuts

The MSI also creates a shortcut in the Start menu. The shortcut is called ProxyClient, and is in the Blue Coat ProxyClient folder. No shortcuts are created on the desktop.

Table A–7 lists some of the registry keys used by the ProxyClient. In the table, the following abbreviations are used:

❐ HKCR means HKEY_CLASSES_ROOT

❐ HKCU means HKEY_CURRENT_USER

❐ HKLM means HKEY_LOCAL_MACHINE

During Runtime

As the ProxyClient runs, it creates additional files depending on what functionality is enabled. When the service runs, an encrypted folder is created under the Windows user folder for the LocalService account. This provides a more secure environment for storing sensitive data.

Logging and Support

In the Support folder, if tracing is enabled a file named proxyclientdebug.etl is created. Additionally, if the service crashes for any reason, a memory dump file is generated in the Support folder.

Table A–7 List of registry keys

| Path | Purpose |
|---|---|
| HKCR\AppID\{5CDD0A2B-2C5C-4313-83EF-A3F4A4551918} | Key: Contains data required by the service |
| HKLM\Software\Blue Coat Systems\Proxy Client\ | Key: Software settings for ProxyClient. Keys under this node are discussed in Table 11–4, "ProxyClient registry settings" on page 227. |
| Windows 7 (64bit): HKLM\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client | |
| HKLM\Software\Blue Coat Systems\Proxy Client\config | Table 11–5, "ProxyClient registry settings (config subnode)" on page 229 |
| Windows 7 (64bit): HKLM\SOFTWARE\Wow6432Node\Blue Coat Systems\Proxy Client\config | |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Value: Start tray icon on log-in |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\ProxyClient Service | Key: Diagnostic settings |
| HKLM\System\CurrentControlSet\Services\(proxyclientflt, ProxyClientSvc, proxyclientwebfilter, WebFilter) | Sub-keys (in parentheses) created for acceleration and web filter drivers |
| HKLM\System\CurrentControlSet\Control\SafeBoot\Network\proxyclientsvc | Key: Start ProxyClient when booting in Safe Mode |

Note: Trace files and memory dumps must be sent to Blue Coat Support for interpretation.

❐ Windows XP

%SystemDrive%\Documents and Settings\LocalService\Local Settings\Application Data\Blue Coat\Blue Coat ProxyClient

❐ Windows Vista

%SystemDrive%\Windows\system32\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

❐ Windows 7 (64bit)

%SystemDrive%\Windows\SysWOW64\config\systemprofile\AppData\Local\Blue Coat\Blue Coat ProxyClient

To change the location of the cache directory, see one of the following sections:

❐ To set the cache directory when you install the ProxyClient software, see "Parameters for Silent Installations" on page 183.

Web Filter Files

When Web filtering is enabled, activity is written to an encrypted log file. The log files are periodically uploaded, and the extent of the data to be logged is determined by the administrator.

Data Collector

The Data Collector utility, which is installed with the ProxyClient, creates a subfolder of Temp as a repository for the collected data. The contents of the Support folder are copied here, and several new files are created. The specifics of the folder's contents are discussed in other documents about the Data Collector.

Removal

When the ProxyClient is removed from a user's system, all installed software, drivers and supported files are removed.

Contents Left Behind

No files that were created in the Temp folder are removed. There is currently no mechanism to track all of the files that are created there. However, these files are safe for removal at any time.

Immediately following the removal of the ProxyClient (but before rebooting), it might appear that some files created by the software or the installation process have not yet been removed. This is because the files are still in use by other system processes.

When this happens, the removal process marks the files for removal upon reboot. Mac automatically removes them the next time that the system is restarted. Windows automatically removes them the next time that the system is restarted.

Note: The Data Collector is a troubleshooting utility. For more details, see "Instructing Users to Run the ProxyClient Data Collector" on page 234.