SGOS_RelNotes_6.2.4.1

1

Blue Coat SGOS 6.2.x Release Notes

Version: SGOS 6.2.4.1BCAAA Version 130Release Date: 9/2/2011Document Revision: 12/20/2011

Release Note DirectoryThese release notes present information by each release in the SGOS 6.2.x software line. Each section provides feature descriptions, fixes and known issues.

❐ Section A: "SGOS 6.2.x Reference Information" on page 3—If you are a new user to SGOS 6.x, Blue Coat strongly recommends that you read this section in its entirety. The section identifies topics such as supported platforms, important upgrade information, BCAAA details, and additional requirements specific to SGOS 6.x version information.

❐ Section B: "SGOS 6.2.4.1, build 75374" on page 11

❐ Section C: "SGOS 6.2.3.3, build 75373" on page 18

❐ Section D: "SGOS 6.2.3.1, build 72867" on page 19

❐ Section E: "SGOS 6.2.2.1, build 71419" on page 23

❐ Section F: "SGOS 6.2.1.4, build 71203" on page 28

❐ Section G: "SGOS 6.2.1.3, build 66659" on page 29

❐ Section H: "SGOS 6.2.1.1, build 64600" on page 31

❐ Section I: "Limitations in SGOS 6.2.x" on page 49

❐ Section J: "SGOS 6.x — Support Files and Support for Other Products" on page 50


2

SGOS 6.2.x Feature MatrixThe following table lists the features introduced in the SGOS 6.2.x release line, with cross-reference links to feature descriptions.

Component Feature Introduced

Access Logs "Changes to Access Log Formats" on page 36 6.2.1.1

ADN "ADN Last Peer Detection" on page 33 6.2.1.1

"Change in Default Setting for Adaptive Compression" on page 34

6.2.1.1

"Adaptive Byte Caching" on page 35 6.2.1.1

"Separate Controls for Client IP Reflection on ADN Concentrators" on page 35

6.2.1.1

"Configure Transparent Tunnel Mode" on page 23

6.2.2.1

"IPv6 Support for ADN" on page 11 6.2.4.1

Content Filtering

"Application Filtering" on page 32 6.2.1.1

Event Logs "SMTP Server Configuration" on page 36 6.2.1.1

Hardware "Increased Object Store Capacity" on page 34 6.2.1.1

Proxies:Flash

"Caching of Flash Video-on-Demand Content" on page 32

6.2.1.1

Proxies: MAPI

"Acceleration of Encrypted MAPI" on page 31 6.2.1.1

Reporting "Report Changes" on page 35 6.2.1.1

Services "Separate Controls for Enabling Byte Caching and Compression" on page 34

6.2.1.1

Sky UI "New Acceleration Reports in Blue Coat Sky" on page 33

6.2.1.1

Licensing "Licensing Enhancements" on page 29 6.2.1.3

VPM "GUI Support for Controlling Web Applications" on page 19

6.2.3.1


3

Section A: SGOS 6.2.x Reference Information

This section applies to all SGOS 6.2.x releases.

Important Notes About SGOS 6.2.xBefore beginning the upgrade process, you must read the following information:

❐ If you are using the Blue Coat Authentication and Authorization Agent

(BCAAA), SGOS 6.2.x requires BCAAA version 130 (located on the 6.2.x BlueTouch Online download page). Even if you are already running version 130, be sure to upgrade to the BCAAA version associated with SGOS 6.2.x because it contains a security vulnerability fix. You must upgrade to BCAAA

version 130 before upgrading to SGOS 6.2.x. Do not upgrade SGOS unless you have first installed the compatible BCAAA version.

❐ The Blue Coat SGOS 6.2.x Upgrade/Downgrade Guide provides the specific instructions to upgrade or downgrade BCAAA. For more information, see "About the BCAAA Upgrade/Downgrade Process" on page 8.

❐ Direct upgrade from SGOS 4.x to SGOS 6.2.x is not supported. If you are

upgrading to SGOS 6.2.x from SGOS 4.x and the appliance has previously run SGOS 5.x, the 5.x configuration is applied during upgrade. You must restore

the SGOS 4.x configuration settings. The Blue Coat SGOS 6.2.x Upgrade Guide contains this procedure, but continue reading these Release Notes for further upgrade information.

❐ For SGOS 6.2.x, the oldest supported JRE is 1.5.0_15. See "Java Runtime Environment (JRE) Information" on page 9.

To proceed with the upgrade, go to "About Upgrading to this Release" on page 4.

Product DocumentationAccess the SGOS 6.2.x product documentation on BlueTouch Online:

https://bto.bluecoat.com/documentation/pubs/view/SGOS 6.2.x

Automatic Notification of New Software ReleasesTo be automatically notified when new ProxySG software releases are available, you can subscribe to the ProxySG and/or SGOS 6 product information channel in the Knowledge Base:

1. Log in to BTO.

2. Go to: Knowledge Base > Product Information > Products > ProxySG

or: Knowledge Base > Product Information > OS > SGOS 6

3. Click Subscribe.

https://bto.bluecoat.com/documentation/pubs/view/SGOS 6.2.x


4

You will then receive email messages to let you know when new software releases are available for download. Click the link in the email to view the KB article. The article will provide you with the following types of information for the new release: the release number, the date the software was posted, highlights of the release, and links to related documentation and training materials.

SupportFrequently asked questions and more information about this release can be found in the Knowledge Base:

https://kb.bluecoat.com

Direct support questions regarding this release to: http://www.bluecoat.com/support/contact.html

For questions or comments related directly to these Release Notes, send an e-mail to: [email protected]

About Upgrading to this ReleaseAfter verifying the prerequisites stated in the following sections, read and follow the SGOS 6.2.x Upgrade/Downgrade Guide (https://bto.bluecoat.com/doc/16295). This document provides the process steps required for upgrading to this release, including BCAAA upgrade procedures. Blue Coat also recommends reading the SGOS 6.2.x Feature Change Reference for an explanation of how new features are affected by the upgrade or downgrade process.

Upgrade PrerequisitesTo upgrade to this release, you must first determine if your hardware platform is supported, and whether you can upgrade directly or must upgrade through an interim release. You must also familiarize yourself with potential upgrade/downgrade issues.

Before installing or upgrading to SGOS 6.2.x, perform the following:

1. Determine if SGOS 6.2.x is supported on your hardware platform. See "Supported ProxySG Appliance Platforms" on page 5.

2. Determine your upgrade path. See "Supported Upgrade/Downgrade Paths" on page 5.

3. Understand the BCAAA process. "Upgrading or Downgrading the BCAAA Authentication Service" on page 6.

Important: Schedule your upgrade during off-peak hours. If you have ADN configured, upgrade the ADN Managers—Primary manager and Backup Manager—before upgrading the ADN nodes.

Important: Before upgrading to SGOS 6.2.x, you must resolve all deprecated policy notices. This is part of the process is described in the SGOS 6.2.x Upgrade/Downgrade Guide.

https://bto.bluecoat.com/doc/16295

http://www.bluecoat.com/support/contact.html

https://kb.bluecoat.com


5

4. Understand how licensing works. See "About SGOS 6.x Licenses" on page 9

5. Ensure that your browser has the correct JRE installed. See "Java Runtime Environment (JRE) Information" on page 9.

6. Recommended—Learn about the changes and fixes in the SGOS version you are upgrading to. See "SGOS 6.2.1.1, build 64600" on page 31.

7. Recommended—Learn about third-party product support. See Section J: "SGOS 6.x — Support Files and Support for Other Products" on page 50.

8. When you are ready to upgrade a ProxySG appliance, follow the steps in the Blue Coat SGOS 6.2.x Upgrade Guide.

Supported ProxySG Appliance PlatformsThe following ProxySG appliance platforms can be upgraded to SGOS 6.2.x:

❐ 32-bit platforms: SG210 (except for 210-5) and SG510

❐ 64-bit platforms: SG300, SG600, SG810, SG900, SG8100, and SG9000

❐ Virtual appliances: VA-5, VA-10, VA-15, VA-20

Note: The SG210-10 and SG210-25 can run SGOS 6.2 and later, but the SG210-5 is not supported on these SGOS releases. SGOS 6.2 provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.

Supported Upgrade/Downgrade PathsBefore upgrading to SGOS 6.2.x, the ProxySG appliance must be running:

SGOS 5.4.6.1 or higher



ProxySG VA Upgrade Path❐ Existing ProxySG VA customers can directly upgrade from SGOS 5.5 to

SGOS 6.2.

❐ New ProxySG VA customers must first download and install the SGOS 5.5 Virtual Appliance Package (VAP) and then upgrade to SGOS 6.2.x. For details, refer to the ProxySG VA Initial Configuration Guide:https://bto.bluecoat.com/doc/13286

https://bto.bluecoat.com/doc/13286


6

Figure 1–1 Upgrade Path

Upgrading or Downgrading the BCAAA Authentication ServiceThis section describes the supported BCAAA version and upgrade/downgrade requirements.

Required SGOS 6.2.x BCAAA VersionSGOS 6.2.x requires BCAAA version 130 (if you use the BCAAA service). Even if you are already running version 130, be sure to upgrade to the BCAAA version associated with SGOS 6.2.x because it contains a security vulnerability fix. Note that the BCAAA version number is not indicative of code changes within BCAAA, and only reflects changes to the actual protocol itself.

The following list describes the platforms that BCAAA can run on to support the specified authentication method (these are not supported directory services):

❐ Integrated Windows Authentication:

• Windows® Server 2008 (32-bit and 64-bit)


7

• Windows® Server 2008 R2 (64-bit)


• Windows® 2000 Server

❐ Oracle COREid version 6.5 and 7.0:

• Windows Server 2008 (32-bit and 64-bit)


• Windows Server 2000 (32-bit)

• Windows Server 2008 R2 (32-bit and 64-bit)

❐ CA eTrust SiteMinder version 5.5 and 6.0:




• Windows Server 2008 R2 (32-bit and 64-bit)

• Solaris 5.8 or 5.9

❐ Windows SSO:





❐ Novell SSO:





BCAAA can run on any hardware as long as the BCAAA sizing requirements are met. When running on a virtual machine, BCAAA has been tested and certified on VMware ESX Server v3.5.

The only supported directory service operating systems for the preceding authentication methods are:

❐ Windows Server 2000


❐ Windows Server 2003 R2


❐ Windows Server 2008 R2

❐ Solaris 5.8 and 5.9 (SiteMinder and COREid only)


8

Note: The BCAAA service cannot be installed on Windows NT or on Windows Vista.

About the BCAAA Upgrade/Downgrade ProcessBefore upgrading to or downgrading from a release you must first install the BCAAA version required for the release you are migrating to. This procedure is described in the SGOS 6.2.x Upgrade Guide.

Using Multiple Versions of the BCAAA ServiceAccessing ProxySG appliances running different versions of SGOS requires multiple version of the BCAAA service to be installed on your computer.

To ensure compatibility between the supported BCAAA version and SGOS version installed on the ProxySG appliance, refer to the following table.

Install the lowest version of the BCAAA service first and the highest version of BCAAA last, allowing each version to uninstall the previous version. This process leaves behind the bcaaa.ini and bcaaa-nn.exe files for the lower version.

Notes❐ Only one listening port is used, no matter how many versions you have

installed. The BCAAA service hands off the connection to the appropriate BCAAA version.

WARNING: If you do not install the compatible BCAAA version before upgrading or downgrading, authentication fails and you will not be able to reach the BCAAA server to download a compatible version.

SGOS Version Supported BCAAA Version

SGOS 4.3.x 120

SGOS 5.1.1.x, SGOS 5.1.2, SGOS 5.1.3, SGOS 5.1.4

110

SGOS 5.2.x, SGOS 5.3.x

120

SGOS 5.4.x, SGOS 5.5.x, SGOS 6.1.x, 6.2.x

130SGOS 5.4.2 and later included a release of BCAAA 130 that added support for Windows Server 2008. The initial version of BCAAA 130 (which shipped with SGOS 5.4.1.x) did not support Windows Server 2008.


9

❐ Installation instructions for BCAAA are located in Blue Coat SGOS 6.2 Administration Guide, BCAAA chapter. This document is accessible through your BlueTouch Online account at https://support.bluecoat.com/documentation/pubs/view/SGOS 6.2.x

For information on support for other products, see "Support for Other Products" on page 50.

BCAAA Disk Space RequirementsThe BCAAA files on Windows require less than 10MB of disk space. However, additional space might be required, depending on the features that have been enabled.

If using Windows SSO with Domain Controller QueryAdd 256 bytes for each concurrent login. For example, if 1000 users will be concurrently logged in to the Windows domain during peak hours, then this feature requires 256k (256 bytes record * 1000 concurrently logged in users).

If using Novell SSOAdd 256 to 512 bytes for each user concurrently logged in to Novell eDirectory. You only need to count users that are in containers that are monitored by a Novell SSO realm.

For Novell SSO, the record length is dependent on the length of each user’s distinguished name in eDirectory. Users with long distinguished names require extra storage. Because distinguished names have a maximum length of 256 bytes in eDirectory, an individual Novell SSO record will not be larger than 512 bytes.

About SGOS 6.x LicensesBy default, automatic license check is enabled (the Use Auto-Update option is selected on the Maintenance > Licensing > Install tab). This means that the ProxySG appliance automatically checks for license updates upon reboot or once daily for a month before the currently installed license expires. To verify the current ProxySG appliance/SGOS license, navigate to the Maintenance > Licensing > View tab and review the Licensed Components area.

Java Runtime Environment (JRE) InformationTo run the SGOS 6.2.x Management Console, you must install the Oracle Java JRE version 1.5.0_15 or later, including 1.6 (except for 1.6_05, which causes VPM on-line help problems).

JRE 1.4.x is no longer supported. For SGOS 6.2.x, the earliest supported JRE is 1.5.0_15.

Important: Upgrading to a SGOS 6.x license from a previous SGOS version is an important step (that also has prerequisite steps) in the software upgrade process. Refer to the Blue Coat SGOS 6.x Upgrade Guide for the Blue Coat-verified procedure.

https://support.bluecoat.com/documentation/pubs/view/SGOS 6.2.x

https://support.bluecoat.com/documentation/pubs/view/SGOS 6.2.x

http://java.com/en/download/manual.jsp


10

For additional details about downloading JRE, see "Supported JRE Versions" on page 51.


11

Section B: SGOS 6.2.4.1, build 75374


Release Date: 9/2/2011, build 75374 BCAAA Version: 130JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05)Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.x

SGOS 6.2.4.1 Contents See the following sections for information on this release.

❐ "What’s New in SGOS 6.2.4.1" on page 11

❐ "Resolved Issues in SGOS 6.2.4.1" on page 12

❐ "Known Issues in SGOS 6.2.4.1" on page 15

What’s New in SGOS 6.2.4.1SGOS 6.2.4.1 introduces the following new features.

IPv6 Support for ADNSGOS 6.2.4.1 expands the ProxySG support for IPv6 to include ADN. Blue Coat’s WAN optimization solution now works in an IPv4, IPv6, or combination IPv4/IPv6 Application Delivery Network (ADN). IPv6 is supported on the following types of ADN deployments:

• Open, unmanaged ADN

• Managed ADN

• Transparent deployments

• Explicit deployments

• Transparent load balancing

• Explicit load balancing

For more information, see the following chapters in the SGOS 6.2 Administration Guide: “Using the ProxySG in an IPv6 Environment” and “Configuring an Application Delivery Network.”

Change to Initial Configuration WizardWhen the Acceleration option is selected during the Initial Configuration Wizard, the following values are now applied:

reflect-client-ip peer-sg: allow (this was use-local-ip in earlier 6.2 versions)reflect-client-ip proxy-client: use-local-ip (no change)


12


Resolved Issues in SGOS 6.2.4.1The following issues, reported in previous SGOS 6.2.x versions, have been fixed in SGOS 6.2.4.1.

ADN❐ Fixed the memory leak that occurred when the SSL connection between

ProxySG peers failed to establish. (B#164935, SR 2-391422482, 2-395907512)

❐ Zip files no longer become corrupted when transferred over PASV FTP using FTP stor command through transparent ProxySG appliances using ADN. (B#164449, SR 2-382926552)

Authentication❐ Previously, domain controllers were not discovered if the Computer Browser

service was disabled on Windows 2008 machines. The code in SGOS 6.2.4 has been changed so that domain controllers can be discovered regardless of the state of the Computer Browser service. (B#163269)

❐ It is no longer necessary to reboot the ProxySG appliance or manually refresh the realm in order for the ProxySG to detect the addition of a nested group to an LDAP realm. (B#163827)

Cache Engine❐ If a clear cache operation was executed after installing a 6.x release, an issue

present in 6.2.2.x and 6.2.3.1 could result in a loss of system and security files, causing lost configuration and connectivity issues. After upgrading, you should back up your configuration and restore to the factory defaults. This will re-create any missing system files.

If you are running with a multi-disk system, you will be upgraded to the new disk layout.

If you wish to allow downgrades to pre-6.2 builds, you need to run the disk decrease-object-limit command on the CLI to convert to a compatible disk layout to allow for downgrades. You should delete the affected systems from your system to prevent running them by accident. View the installed-systems configuration command in the CLI to delete the system(s) with the issue. (B#163986, SR 2-388522713, SR 2-389372596, SR 2-389606862, SR 2-394963012)

❐ Fixed software restart at 0x48019 in Process group: "PG_OBJECT_STORE" and Process: "CEA Cache Administrator" due to an inconsistent state. (B#162893, SR 2-391572872, 2-394743542, 2-396401062)

CIFS Proxy❐ If a server disconnected before the client, the CIFS connection was sometimes

orphaned. This issue has been fixed in SGOS 6.2.4. (B#160978)


13


Content Filtering❐ Fixed the issue where the ProxySG was unresponsive due to a Health Check

watchdog registry deadlock while reading the internal configuration. (B#159889, SR 2-381973472, 2-382371833)

❐ Optimized look-ups in the Websense Real Time Security Updates database. (B#165001)

Flash Proxy❐ Fixed the restart issue related to having multiple streams in a connection.

(B#162336, SR 2-385747192)

HTTP Proxy❐ Fixed restart in Process: "HTTP RW 6E2CA3B50" in "libstack.exe.so" that

occasionally occurred when the ProxySG could not successfully establish and open a connection with the peer. (B#163875, SR 2-381194172, 2-394953142)

❐ Fixed intermittent issue where the ProxySG returned a 403-Policy denied exception when a redirect response was misinterpreted as a “policy denied” error. (B#164656)

❐ Fixed the issue where the response.header.Location and Content-Location were incorrectly rewritten due to a URL rewrite policy error when the pattern in the policy and the matched sub-string in the URL are different in the way special characters are represented. (B#164661)

❐ Fixed restart at 0x810002 in Process "HTTP CW 43C5FBB50" in "kernel.exe" due to a wrong boundary header value used during parsing. (B#164878, SR 2-390848905)

❐ Policy evaluation for CPL with http.response.code statements sometimes wrongly matched with the ProxySG appliance response to the client rather than with the OCS response code. This issue has been fixed. (B#164907)

IPv6❐ The ProxySG now consistently chooses the correct source IPv6 address for

outbound connections. (B#165023, SR 2-379687987)

Management Console❐ The default URL for the malware scanning policy update is now shown in the

Management Console (Configuration > Threat Protection > Malware Scanning > Update malware scanning policy). (B#158970)


14


Net Security/Attack Detection❐ Attack detection now triggers correctly on client connection limit; the event

log will now show “connection denied to client due to connection limit” events. (B#164518)

Policy❐ Fixed issue with Skype control policy not allowing a detect_protocol() action

based on user information. (B#164364, SR 2-390041632)

❐ When trying to access a URL where the domain could not be resolved, a policy that contained the condition url.host.is_private=yes would match even if the condition was irrelevant. This issue has been fixed. (B#164908)

Simple Network Management Protocol (SNMP)❐ It is no longer necessary to reboot the ProxySG after hostname updates when

using SNMP. (B#163729)

SSL❐ Previously, you were allowed to create two CCLs with the same name as long

as the upper/lower case was different, but you weren’t able to delete them unless both the CCLs were empty. A fix was implemented that allows you to delete these CCLs. (B#162224)

SSL Proxy❐ If ssl-intercept policy was enabled on the ProxySG, the event logs were

flooded with “Failed to get the peer certificate” messages whenever the OCS didn’t send the certificate during the SSL handshake. These messages no longer appear in the event logs. (B#163272)

Storage❐ The Cache Engine now recognizes faulty disks. With this fix, the system

attempts to recover the disk and marks it as bad if the recovery fails. (B#163797)

TCP/IP and General Networking❐ The 10GB interface did not report the correct link status in the Management

Console or CLI when there was a link propagation failure. (B#161454)

❐ When an external user connected directly to the transparent tunnel listener using the destination IP of the ProxySG, there was high CPU activity on the ProxySG. This issue has been fixed. (B#163796, SR 2-374134252, 2-387634822, 2-389634312)


15


❐ VLANs now function correctly with the Intel 10GB fiber card on the SG9000. (B#163993)

❐ Bypassed one-way connections that go idle for extended periods are no longer dropped when reused. (B#164411, SR 2-381203882)

❐ Changed the distribution algorithm used for WCCP mask assignment so that it more evenly distributes the remainder across the caches. (B#164475)

❐ Fixed issue with improperly closed TCP sessions between the base level proxies and the upstream gateway proxies. The ProxySG was sending TCP retransmissions for non-acknowledged packets even after it had finished the connection. (B#164488)

❐ Increased the maximum allowed size of WCCP configuration so that WCCP settings don’t get lost after reboot. (B#164904)

Visual Policy Manager (VPM)❐ Comments are now saved in the VPM Layer Guard without having to click

back into a field within the layer guard. (B#163747)

❐ The VPM no longer generates incorrect policy that blocks an entire category if a category is selected but not some of its sub-categories. (B#163851)

Known Issues in SGOS 6.2.4.1The list of known issues for this release are listed below. Also see Known Issues for other SGOS 6.2.x releases later in this document (1-21, 1-27, and 1-42).

Cache Engine❐ Running the disk decrease-object-limit or decrease-object-limit CLI

commands while traffic is passing through the system causes the appliance to reboot; this command should be executed on an idle system only. (B#165555)

Content Filtering❐ You cannot currently create policy for Mobile Gmail operations (such as

Upload Attachment). (B#165727, SR 2-390168522)

DNS Proxy❐ When a DNS server is configured with an IPv6 link-local address, the

ProxySG does not respond to the DNS requests. (B#158905)

FTP Proxy❐ The ProxySG fails to process extended passive FTP commands (EPSV, EPRT,

PORT, and so forth). (B#165258, SR 2-393744502)


16


ICAP❐ When using the ProxyAV with response modification and a client sends a

POST to the ProxySG with the header “Expect: 100-Continue,” the ProxySG returns the 100, and the client sends the XML-based POST data. When the ProxySG then forwards the request to the OCS and receives a 200 OK response, the appliance immediately returns the client a 503 ICAP error. (B#164753, SR 2-386873622)

Management Console❐ The Management Console’s Configuration > Network > Advanced > VIPs > New

command does not accept IPv6 virtual IP addresses. The workaround is to use the (config)virtual-ip address CLI command. (B#165010, SR 2-394068609)

❐ Editing a restricted intercept list causes the Restrict interception to clients and servers listed below setting to switch to Use proxy service rules for interception. After editing the list, you will need to re-select the Restrict interception to clients and servers listed below option. (B#166135, SR 2-390779617)

❐ Certain commands (server subnets, Internet gateways, VLANs) do not accept a slash in the IP Address field, so you cannot enter a subnet with CIDR notation (for example, 10.10.10.0/24). Because of this limitation, you will need to define a subnet by entering the IP address and subnet mask/prefix length in separate fields (IP Address: 10.10.10.0, Subnet Mask: 255.255.255.0). (B#164612)

❐ When a read-only user is logged into the Management Console, the Configuration > SSL > Keyrings screen is unresponsive in Firefox and Internet Explorer. (B#164390)

Security❐ If an error is encountered when configuring encrypted MAPI, the error

message displays the Windows Domain password in the clear. (B#165412)

TCP and General Networking❐ When failover is configured between two ProxySG appliances, the group is

not formed when the secret key is more than 32 characters; both the appliances become the master. (B#165649)

Visual Policy Manager (VPM)❐ Request URL Application destination object: When the list of web applications is

filtered (for example, by Upload Attachment), the Select All option actually selects all applications (not just the filtered applications). Workaround: change the filter to All before clicking OK; you will then see the entire list of applications, with only the filtered items selected.


17


Windows Media❐ Windows Media advanced statistics URL for /mms/statistics does not show

the correct statistics for 'Current client bps - live' when client throughput is more than 1.8Gbps. (B#165694)


18

Section C: SGOS 6.2.3.3, build 75373

Section C: SGOS 6.2.3.3, build 75373

Release Date: 9/2/2011, build 75373BCAAA Version: 130JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05)Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.x




ADNFixed the memory leak that occurred when the SSL connection between ProxySG peers failed to establish. (B#164935, SR 2-391422482, 2-395907512)

Cache EngineIf a clear cache operation was executed after installing a 6.x release, an issue present in 6.2.2.x and 6.2.3.1 could result in a loss of system and security files, causing lost configuration and connectivity issues. After upgrading, you should back up your configuration and restore to the factory defaults. This will re-create any missing system files.

If you are running with a multi-disk system, you will be upgraded to the new disk layout.

If you wish to allow downgrades to pre-6.2 builds, you need to run the disk decrease-object-limit command on the CLI to convert to a compatible disk layout to allow for downgrades. You should delete the affected systems from your system to prevent running them by accident. View the installed-systems configuration command in the CLI to delete the system(s) with the issue. (B#163986, SR 2-388522713, SR 2-389372596, SR 2-389606862, SR 2-394963012)

TCP/IP and General NetworkingWhen an external user connected directly to the transparent tunnel listener using the destination IP of the ProxySG, there was high CPU activity on the ProxySG. This issue has been fixed. (B#163796, SR 2-374134252, 2-387634822, 2-389634312)


19

Section D: SGOS 6.2.3.1, build 72867


Release Date: 7/22/2011, build 72867BCAAA Version: 130JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05)Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.x






GUI Support for Controlling Web ApplicationsSGOS 6.2.3.1 adds VPM support to allow more granular control over Web applications and operations. The Web Access layer of the Visual Policy Manager (VPM) includes support for blocking URLs belonging to specific Web applications such as Facebook. It also allows you to restrict certain operations such as blocking file uploads for an application. The following new objects have been added to the Web Access layer in the VPM:

❐ Request URL Application - This option enables you to create a rule that specifies an action for a Web application.

❐ Request URL Operation - This option enables you to create a rule that allows or denies the user the ability to perform the defined operation. For example, block users from uploading attachments.

For More Information❐ For more information on this feature, see Chapter 3: The Visual Policy Manager,

VPM Reference Guide.

Support for New Hardware Components❐ Added support for the Seagate 500GB HDD SST500NM0001 for the ProxySG

9000-5/10/20 and ProxySG 900-10 appliances.

❐ Added support for the Seagate 1TB HDD ST1000NM0001 and Toshiba MK1001TRKB for the ProxySG 900-10B/20/30/45 and ProxySG 9000-20B/30/40 appliances.


20



Access Logging❐ Fixed the issue that caused the ProxySG appliance to be unresponsive when

uploading access logs using Active FTP. Periodic uploads will now occur as scheduled. (B#161300)

ADN❐ Fixed the issue that caused the ADN Translucent (port preserving) connection

failure during connection setup. (B#162356)

Authentication❐ Fixed the issue with SSO authorization failure that was caused due to a failure

in initializing SSO when configuring an "ignoreuser" in SSO.ini file under [SSOServiceUser] using the LDAP FQDN: cn=ignoreuser,ou=division,ou=location,o=company (B#161215)

Cache Engine❐ Fixed the obsolete data block issue that caused a software restart at 0x40060 in

Process: CEA Cache Administrator. (B#159797)

CIFS Proxy❐ Fixed the issue where MS Word 2003, 2007, and 2010 files could not be saved

using CIFS, when ADN was enabled. (B#161304)

CLI Console❐ Fixed the issue with the on-screen display of the enable password when the

tab and backspace keys were used after entering the password. (B#161749)

Flash Proxy❐ Fixed page fault in process group: PG_POLICY_RTMP in Process: RTMP::Worker

DE5F0BE0 while compiling a huge policy. (B#160361)

Hardware Driver❐ Fixed the hardware watchdog restart in process CAG_Maintenance in ata.dll

that occurred occasionally when the ProxySG appliance was restarted after an upgrade. (B#161163)


21

Health Checks❐ The health of a composite health check is no longer affected by a change in the

health state of a host that is not a member of the composite group. (B#161312)

HTTP Proxy❐ Fixed the issue with the page fault in process PDW in http.dll when

evaluating a policy for raw-header regex pattern match, for a request exceeding 2^16 bytes. (B#162074)

❐ Fixed the issue with incorrect rewriting of chunked-encoded Javascript substrings. Now the Javascript substrings with chunk encoding will be written correctly. (B#161231)

Kernel❐ Fixed the issue with false watchdog trigger after the Real Time Clock (RTC) is

updated with the current time. (B#161271)

MAPI Proxy❐ Fixed the restart issue in the keep-alive logic when the ProxySG appliance

downgraded to the batching-only mode, where keep-alive is not supported. (B#161116, SR 2-374193623)

URL Filtering❐ Fixed the issue with memory fragmentation that caused allocation failures

when using SmartFilter. (B#161327)

Visual Policy Manager (VPM)❐ Fixed the issue where the VPM IPv6 subnet evaluation for the url.address=

policy did not permit certain valid IPv6 network addresses. (SR 2-371139652; B#159993)

Windows Media❐ Fixed the memory regulation issue that caused the ProxySG appliance to

restart. (B#161785)

Known Issues in SGOS 6.2.3.1 The list of known issues for this release are listed below. Also see issues listed in "Known Issues in SGOS 6.2.2.1" on page 27 and "Known Issues in SGOS 6.2.1.1" on page 42.

ADN❐ The SG9000-5 and SG8100-5 report high memory usage when running SGOS

6.2.x. (B#163709)


22

Authentication❐ The ProxySG appliance does not detect the addition of a nested group to an

LDAP realm, until the ProxySG is rebooted or the realm is manually refreshed. Workaround: To refresh the authorization, click the following link: https://<ProxySG_IPaddress>:8082/Auth/User-Logins/Refresh-authorization/ and select the realm on which a refresh is needed. (B#163827) Fixed in SGOS 6.2.4.1

❐ WinSSO DC query fails on Windows 2008 machines due to a disabled computer browser service. (B#163269)

CLI Console❐ Rare connectivity issues may occur after an upgrade to 6.2.2.1 and downgrade

to 6.1.x or 5.5.x. Workaround: After the downgrade, if you are unable to access the ProxySG appliance Management Console (HTTP and HTTPS) or Telnet, SSH, you must reset the appliance to factory defaults. (B#163986) Fixed in SGOS 6.2.3.3

MAPI Proxy❐ When intercepting Outlook 2007 MAPI traffic in standalone mode, when a

connection is closed, the closed connection is treated as an error and recorded as a MAPI 2007 error in the list of errored MAPI sessions. (B#163064)

Simple Network Management Protocol (SNMP)❐ Hostname updates are not reflected via SNMP until you reboot the ProxySG

appliance. (B#163729) Fixed in SGOS 6.2.4.1

SSL Proxy❐ If the SSL-Intercept policy is enabled on the ProxySG appliance, in case of

malfunctioning servers where the OCS does not send the certificate during an SSL handshake, the event log is flooded with Failed to get the peer certificate logs. (B#163272)

TCP/IP and General Networking❐ VLAN functionality does not work with Intel 10GB fiber card on the SG9000.

(B#163993) Fixed in SGOS 6.2.4.1

Visual Policy Manager (VPM)❐ To save the comment in the VPM Layer Guard, you must click back into a field

within the layer guard. (B#163747) Fixed in SGOS 6.2.4.1


23

Section E: SGOS 6.2.2.1, build 71419

Release Date: 6/15/2011, build 71419BCAAA Version: 130JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05)Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.1.x, 3.2.x, and 3.3.x

SGOS 6.2.2.1 ContentsSee the following sections for information on this release.





Configure Transparent Tunnel ModeSGOS 6.2.2.1 includes a new CLI command that allows acceleration of traffic between a concentrator running SGOS 5.4 and a branch peer running 6.2.2.1. Without this configuration, the traffic would not be accelerated because a concentrator running SGOS 5.4 is not able to accelerate fast transparent tunnel (FTT) mode connections from a ProxySG branch appliance running 5.5 or later. With the new CLI command available in SGOS 6.2.2, traffic between a branch appliance running SGOS 6.2.2.1 and a concentrator running SGOS 5.4 can be accelerated; you just need to enable regular transparent tunnel mode on the 6.2.2.1 appliance.

Note: SGOS 6.1.4.1 also includes support for this feature.

The following table explains the transparent tunnel modes for various combinations of SGOS at the branch and the core.

Branch SGOS

5.4 Concentrator 5.5 Concentrator 6.x Concentrator

5.4.x Regular transparent tunnel Regular transparent tunnel

Regular transparent tunnel

5.5.x6.1.16.1.26.1.36.2.1

Traffic cannot be accelerated Fast transparent tunnel Fast transparent tunnel


24

To control the mode, the CLI connect-transparent is extended as follows:

❐ connect-transparent enable - allows transparent tunnel initiation, and defaults to fast mode.

❐ connect-transparent enable fast - enables fast transparent tunnel initiation.

❐ connect-transparent enable regular - enables regular transparent tunnel initiation.

The above setting is persisted, even after a reboot.

Resolved Issues in SGOS 6.2.2.1This release incorporates the bug fixes from the previous SGOS 6.2.1.x releases.

The following issues, reported in previous SGOS versions, have been fixed in SGOS 6.2.2.1.

Security Advisory Issues Fixed❐ OCSP response validation error was fixed in SGOS 6.2.2.1. The ProxySG

incorrectly returned an error when validating the certificate chain for the OCSP responder; the error was that the OCSP responder’s certificate could not be validated. The workaround was to explicitly import and trust the certificate of the CA that signed the OCSP responder’s certificate. The explicit trust is no longer needed if the CA that signed the OCSP responder’s certificate is a CA in the certificate chain for the server certificate being validated. (B# 158111).

❐ Sensitive information in ProxySG core files was fixed in SGOS 6.2.2.1. See Security Advisory SA56. (https://kb.bluecoat.com/index?page=content&id=SA56) (B#159036).

ADN❐ The incorrect setting of send and receive buffers for ADN sockets led to TCP

window advertisements, though there was no window update. This issue, now fixed in SGOS 6.2.2.1, manifested in the form of duplicate acknowledgements. (B#158229)

❐ Fixed software restart at 0x810002 in Process: "bdc.rtg.ma.BE5B7A10" in Process group: "PG_BDC_ROUTING" due to a heap corruption issue. (SR 2-376638652; B#160638)

6.1.46.2.2

Regular transparent tunnel when connect-transparent enable regular is used on branch appliance

Fast transparent tunnel Fast transparent tunnel

Branch SGOS

5.4 Concentrator 5.5 Concentrator 6.x Concentrator

https://kb.bluecoat.com/index?page=content&id=SA56



25

Advanced URL❐ The Advanced URL statistics page for Core Images is fixed to correctly

display “Customer release” instead of “Internal customer release.” (B#159739)

Authentication❐ Users can now be logged out by only providing the IP address without the

user name. (B#158211)

❐ When a user group contained more than 1500 users, the group policy did not match for the users in the group due to an LDAP compare failure. (B#158246)

❐ The ProxySG no longer restarts when BCAAA doesn’t respond to requests in time. (B#158684)

❐ The BCAAA Siteminder Agent no longer inserts the ? character instead of the & symbol when appending variables at the end of URLs. (B#159026)

❐ Fixed intermittent login issue with SiteMinder v6.0 SP5 where the user was sent back to the login page after entering the username and password. This issue only affected those who had disabled the Session max timeout setting on the SiteMinder server. Both SGOS and BCAAA have to be updated in order for the ProxySG to correctly handle this setting. (B#159530)

Cache Engine❐ Fixed the issue with high object store CPU utilization when deleting an object

that was currently in use. (SR 2-375692482; B#160479)

CLI Console❐ The ProxySG no longer restarts due to a missing SSH configuration file that is

created upon system initialization. This sometimes happened when two Directors were used to make configuration changes to the ProxySG at the same time. (B#158682)

Content Filtering❐ Websense URL filter database downloads now complete even when system

memory is fragmented. (B#159114)

Encrypted MAPI Proxy❐ The keep-alive session is terminated after a time interval for service ticket

expiration time. (B#158350)


26

Flash Proxy❐ The Blue Coat Director now properly represents the live traffic statistics for

the Flash protocol. The Statistics > Protocol details > Streaming history > Current Streaming Data for the Flash protocol does not display as zero. (B#161174; SR 2-377797322)

HTTP Proxy❐ Fixed the issue with IE8 on Windows 7, where cached objects were incorrectly

flagged as requiring authentication when using Keberos connection-based authentication. (B#159128)

Management Console❐ The Management Console now shows the correct total streaming statistics for

Windows Media. (B#158903)

SSL Proxy❐ ProxySG is configured to use OCSP to verify revocation status of certificates

and has a CRL imported. If ProxySG received an OCSP response from a server that did not include a signing certificate, it could cause the ProxySG to reboot. This issue has been fixed in SGOS 6.2.2.1. (SR 2-369460521, B#158889)

TCP/IP and General Networking❐ Fixed high interface and CPU utilization that was due to a forwarding loop in

a TCP connection-forwarding configuration where there was either active FTP proxy or Endpoint-Mapper configuration and the same configuration installed on two or more ProxySG appliances that are active members of the same cluster group. With the fix, wildcard listeners within the cluster are no longer announced, hence, TCP connection forwarding will not work for the Active FTP data listener or Endpoint-Mapper. (B#160563)

VPM❐ Installing large VPM-XML no longer causes the VPM Java applet to consume

excessive memory and stall the policy installation. (B#159237)

Windows Media Proxy❐ Fixed an issue in which the ProxySG stopped processing traffic due to

improper memory handling which required a restart of the device. (B#158293)

❐ Fixed ProxySG restarts in Process "RTSP_Server" when the RTSP Server worker tried to read packets from OCS while Client worker simultaneously received a PAUSE. This applied to RTSP over HTTP. (B#159154)


27

Known Issues in SGOS 6.2.2.1 Also see issues listed in "Known Issues in SGOS 6.2.1.1" on page 42. The known that have been fixed from the list above have been annotated with the version in which the issue was fixed.

CLI Console❐ When you enter the show config command, a system restart is triggered if the

accelerated PAC files contain invalid UTF8 characters. (B#161169)

DNS Proxy❐ When you configure a DNS server using IPv6 link-local address, the ProxySG

does not respond to DNS requests. (B#158905)

Flash Proxy❐ Some video files, when streamed from Flash Media Server 4, may not finish

correctly and the player may remain in a continuous buffering state after the video ends. For example, the player displays a spinning wheel on top of the video instead of a play button. If the application has a play list, the next video will not start playing automatically; the user will have to start the next video manually. (B#158720)

❐ There may be problems caching certain video files delivered via Flash Media Server 3.0. The workaround is to use bypass_cache(yes) policy to prevent caching these videos. (B#158954)

MAPI Proxy❐ Restart at 0x810002 in Process: "rpc.658/192.168.0.165:2475" in Keep-Alive

logic when the proxy is downgraded to the batching only mode where Keep-Alive is not supported. Outlook 2003 and 2000 do not have this behavior because they do not send multiple outstanding RPC Requests simultaneously. (B#161116; SR 2-374193623) Fixed in SGOS 6.2.3.1

TCP/IP and General Networking❐ Having both trust-destination-mac and return-to-sender outbound enabled

creates a routing issue that causes HTTP traffic to fail. The current workaround is to disable RTS outbound or to disable trust-destination-mac on the bridge. (B#158573)

VPM❐ The VPM IPv6 subnet evaluation for the url.address= policy does not permit

certain valid IPv6 network addresses. The workaround is to create via local policy. (B#159993, SR 2-371139652) Fixed in SGOS 6.2.3.1


28

Section F: SGOS 6.2.1.4, build 71203


Resolved Issue in SGOS 6.2.1.4Fixed an HDD RMA issue in SG 300/600/900/9000. Without the fix, the ProxySG ignores newly inserted ”unformatted” drives. Blue Coat recommends that customers of these models, running a 6.2.1 release below 6.2.1.4, upgrade to SGOS 6.2.1.4 so they will not encounter this issue if it’s necessary to replace a drive. Make sure to power off your system after the upgrade to 6.2.1.4, prior to inserting the new drive (900 or 9000), or do a “restart regular.” (B#167094)


29

Section G: SGOS 6.2.1.3, build 66659



❐ "What’s New in 6.2.1.3" on page 29

❐ "Resolved Issues in 6.2.1.3" on page 30


What’s New in 6.2.1.3

Support for New ProxySG PlatformsSGOS 6.2.1.3 and higher versions include support for the SG 900 and the newest SG 9000 models: the SG 9000-30 and SG 9000-40. Note that all multi-disk appliances that are manufactured with SGOS 6.2 have increased object limits enabled by default. See "Increased Object Store Capacity" on page 34 for details.WARNING! If you fail to use the disk decrease-object-limit command before downgrading to a pre-6.2 release, all data and settings will be lost after the downgrade. For more infromation read FAQ 1429, click on the link: https://kb.bluecoat.com/index?page=content&id=FAQ1429.

Licensing Enhancements❐ For SG 300, SG 600, SG 900, and SG 9000 systems, license limits for concurrent

users when ADN is enabled have been raised to equal the limits when ADN is not enabled. The one exception is the 300-5 model, which still maintains limits of 30 (without ADN) and 10 (with ADN).

For WAN optimization deployments, Blue Coat recommends purchasing a ProxySG model based on the maximum number of client connections it needs to support, not the maximum number of users, since the connection limit is likely to be reached first; your channel partner SE or local Blue Coat SE can assist you with WAN optimization connection counts and sizing for your specific needs.


30

❐ Beginning May 21, Blue Coat is granting software SSL licenses for all SG 300, SG 600, SG 900, and SG 9000 systems, including systems previously sold. These licenses will be available to customers the next time their appliances connect with the Blue Coat licensing server. Rollout is scheduled to begin May 21, 2011 and will automatically take effect over the course of the following 30 days for most installed appliances. Customers wishing to enable this capability sooner can receive the updated licenses by directing their appliance to contact the licensing server any time after May 21.

Resolved Issues in 6.2.1.3This release incorporates the bug fixes from SGOS 6.2.1.1.


TCP/IP and General Networking❐ SG 900/9000 no longer restarts when trying to re-allocate a host route for an

IPv6 gateway route. (B#158846)

CLI Console❐ On multi-processor systems, the output of a CLI command sent through an

SSH connection to the ProxySG no longer causes the SSH connection to hang. (B#158738, SR 2-370506110)

Content Filtering❐ Fixed the issue in which the ProxySG entered a state where it stopped the

incremental updating of its local BCWF database. While the ProxySG was in this state, the application filtering information was unavailable. (B#159010)

CIFS Proxy❐ Fixed the software restart at 0x30000 in Process: "CIFS::Worker: Connection 9

(running)" when the OCS doesn't support the "NT LM 0.12" dialect. (B#159259, SR 2-371491907)

Active Session❐ Fixed the software restart at 0x11 in Process in "kernel.exe" at .text+0x24a89.

Watchdog occurring while services admin is calling the active session module. (B#159313, SR 2-371805601, 2-371854318)

Known Issues in SGOS 6.2.1.3See issues listed in "Known Issues in SGOS 6.2.1.1" on page 42.


31

Section H: SGOS 6.2.1.1, build 64600



❐ "New “WebGuide” Available"

❐ "New Features in SGOS 6.2.1.1"


❐ "Security Advisories" on page 41


❐ "Deprecations" on page 47

New “WebGuide” AvailableDebuting with SGOS 6.2 is the new Acceleration WebGuide. This WebGuide, posted on BTO, is the one-stop resource for acceleration documentation. It contains conceptual information related to WAN optimization, explains how to deploy ProxySG appliances in an application delivery network, and provides solutions on how to use the proxies to achieve different goals: accelerating applications, improving the quality of streaming media, reducing bandwidth usage, and optimizing users’ Web experience.

To view the WebGuide in your browser, click the following link:

https://bto.bluecoat.com/sgos/ProxySG/Acceleration_WebGuide/Acceleration_WebGuide.htm

New Features in SGOS 6.2.1.1SGOS 6.2.1.1 introduces the following new features.

Acceleration of Encrypted MAPIThis feature provides the ability to transparently accelerate encrypted MAPI traffic between the Outlook client and the Exchange server. The ability to decrypt and encrypt MAPI is transparent to the user, with no knowledge of the user's password.

Enabling optimization of the encrypted MAPI protocol requires that you perform a series of tasks on the Domain Controller, the branch ProxySG appliance, and the Concentrator. If these tasks are not performed, the ProxySG appliance tunnels MAPI traffic without optimization.

https://bto.bluecoat.com/sgos/ProxySG/Acceleration_WebGuide/Acceleration_WebGuide.htm


32

An SSL license is required for secure ADN on the Branch and the Concentrator peers.

The following table illustrates which versions of Microsoft Outlook and Exchange are supported by a particular version of MAPI.

For More InformationFor feature requirements, limitations, and configuration steps, see Blue Coat SGOS 6.2 Administration Guide, Accelerating the Microsoft Outlook Application chapter.

You can also display the Configuration > Proxy Settings > MAPI Proxy tab and click Help.

Caching of Flash Video-on-Demand ContentThis feature implements the caching of video-on-demand (VOD) content delivered over Real Time Messaging Protocol (RTMP). As Flash clients stream pre-recorded content from the origin content server (OCS) through the ProxySG, the content is cached on the appliance. After content gets cached on the ProxySG, subsequent requests for the cached portions are served from the appliance; uncached portions are fetched from the OCS. By caching pre-recorded video files and playing subsequent requests from the cache, the ProxySG’s Flash proxy can save significant bandwidth.

Flash VOD caching requires the Flash streaming proxy license; this is the same license used for Flash splitting.

For More InformationFor feature requirements and configuration steps, see Blue Coat SGOS 6.2 Administration Guide, Managing Streaming Media chapter.

You can also display the Configuration > Proxy Settings > Streaming Proxies > Flash tab and click Help.

Application FilteringWith the new application filtering policy, you can filter content by Web application and/or specific operations or actions done within those applications. For example, you can create policy to allow users to post comments and chat in Facebook, but block uploading of pictures and videos.

The two CPL conditions that allow you to create application filtering policy are:url.application.name=NAME

url.application.operation=OPERATION

Exchange 2003 Exchange 2007 Exchange 2010*

Outlook 2003 MAPI 2003 MAPI 2003 MAPI 2003

Outlook 2007* MAPI 2003 MAPI 2007 MAPI 2007

Outlook 2010* MAPI 2003 MAPI 2007 MAPI 2010

*MAPI encryption enabled by default


33

where NAME is the exact spelling, spacing, and punctuation listed in the view applications CLI output, and OPERATION is the exact specification listed in the view operations output. Note that the application names and operations are NOT case sensitive.

These conditions are not currently available in the VPM, so you will need to use CPL to update your existing policy file with the application filtering conditions you want to implement.

This feature requires that you have a valid Blue Coat Web Filter (BCWF) license, which is available for no additional charge to current BCWF customers.

For More InformationFor several examples on creating policy for application filtering, see Blue Coat SGOS 6.2 Administration Guide, Filtering Web Content chapter.

ADN Last Peer DetectionIn transparent ADN deployments where branch office traffic goes through multiple concentrators on its way to and from an origin content server (OCS), you will want to ensure that the ADN tunnel extends across the entire path, allowing the ADN traffic to be optimized from end to end. To achieve this benefit, you enable the last peer detection feature on the intermediate concentrators. This feature sends out probes to locate the last qualified peer—the upstream concentrator that is closest to the connection’s destination address; this ProxySG must have a valid SSL license when securing ADN. An ADN tunnel is formed between the branch ProxySG and the last peer enroute to the OCS. If there is a concentrator in the path that does not support last peer detection or has it disabled, the transparent tunnel is formed with that concentrator.

Without this feature, the ADN tunnel ends at the first qualified concentrator in the path. The traffic is optimized over this partial segment of the path to the origin content server (OCS). Traffic is not optimized over the rest of the path to the OCS.

For More InformationFor supported ADN deployments, limitations, and configuration steps, see Blue Coat SGOS 6.2 Administration Guide, Configuring an Application Delivery Network chapter.

You can also display the Configuration > ADN > Tunneling > Connection tab and click Help.

New Acceleration Reports in Blue Coat SkyThe Blue Coat Sky user interface offers five new acceleration reports, as well as additional panels for proxy configuration. You can print these reports using the new Print Preview feature. In addition, you can export the report data to comma separated values (CSV) format to analyze it in Microsoft Excel or in other applications capable of importing CSV.

For More InformationSee the Blue Coat Sky v6.2.x Release Notes.


34

You can also click the help icon in Blue Coat Sky for context-sensitive help on any of the reports or panels.

Increased Object Store CapacityAll multi-disk systems that are manufactured with SGOS 6.2 have an increased object capacity; you can get this extra capacity on other multi-disk systems by initiating the disk increase-object-limit command after upgrading to 6.2. The disks are re-initialized in a format that is not compatible with SGOS releases prior to 6.2.

If your disks have the increased object capacity, you must use the disk decrease-object-limit command before downgrading to a pre-6.2 release. This command preserves the configuration, registry settings, policy, licensing files, and the appliance birth certificate; it does not retain cache contents, access logs, event log, and sysinfo snapshots. Pre-6.2 images that are incompatible due to the increased object store limit will be marked as such, and will not be automatically selected for boot, unless the disk capacity has been downgraded beforehand. Incompatible images may be manually selected with the "force" option at boot; however, this will result in all data and settings being lost.WARNING! If you fail to use the disk decrease-object-limit command before downgrading to a pre-6.2 release, all data and settings will be lost after the downgrade. For more information read FAQ 1429, click on the link: https://kb.bluecoat.com/index?page=content&id=FAQ1429.

Separate Controls for Enabling Byte Caching and CompressionFor each service, you can now independently control whether byte caching and compression are enabled. Previously, there were a single optimization setting that enabled both features. In cases where byte caching may not provide significant bandwidth gain for an ADN deployment, you can turn off the Enable byte caching option and just use compression (or vice versa). If you know the traffic for this proxy is already compressed or encrypted, you can conserve resources by clearing the Enable byte caching and Enable compression options. These options are available when editing a proxy service (Configuration > Services > Proxy Services > Edit Service).

In the command-line interface, the adn-optimize CLI command has been replaced by the adn-byte-cache and adn-compress commands.

For More InformationFor upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference.

For CLI syntax, see the SGOS 6.2 Command Line Interface Reference.

Change in Default Setting for Adaptive CompressionAll ProxySG platforms that are manufactured or remanufactured with the SGOS 6.2 release have adaptive compression enabled by default. In the case of an upgrade to SGOS 6.2, the setting matches the configuration before the upgrade. For example, if adaptive compression was disabled in SGOS 6.1, it will be disabled after upgrading to SGOS 6.2.


35


Adaptive Byte CachingStarting in SGOS 6.2, ADN uses an adaptive byte caching mechanism that automatically adjusts byte caching to the amount of disk I/O latency the ProxySG is experiencing. As a ProxySG handles increasing traffic loads, disk I/O can increase. In these situations, ADN evaluates the efficacy of byte caching and adaptively throttles disk reads and writes to the byte cache in order to maximize throughput.

Separate Controls for Client IP Reflection on ADN ConcentratorsSGOS 6.2 offers independent controls for configuring how the Concentrator peer handles client IP reflection requests from ProxySG peers versus ProxyClient peers. For example, you can have the Concentrator reject client IP reflection requests from ProxyClient peers but allow them from ProxySG peers. In previous releases, when the Concentrator was configured to deny reflect client IP requests from branch peers, there was a special hard-coded override that always used the Concentrator’s local IP address for ProxyClient tunnel connections; if reflect client IP was set to allow, then the client IP would be reflected.


Report ChangesSGOS 6.2 adds granularity to the Traffic Mix report. On the ADN concentrator, the Traffic Mix report previously combined all the inbound ADN traffic into the InboundADN service or the InboundADN proxy bucket. For traffic generated in 6.2, the inbound ADN is now categorized into the various granular service or proxy buckets, but for traffic generated on prior releases, the inbound ADN is not categorized. Thus, the Traffic Mix report now shows inbound ADN traffic broken down into specific categories of traffic.

In addition, the ProxySG is able to store certain report data in five-second increments over the last five minutes and 15-minute increments over the last 24 hours; this data provides increased granularity in reports. (Note that the Advanced Management Console does not currently offer reports that graph the last five minutes—these reports are available in the Blue Coat Sky UI.)

As a consequence of this change, the above fine granular trend data is not available before the upgrade to SGOS 6.2 for Traffic History reports. If you view the Traffic History report for the last day, there will be no data points for the time before the upgrade.


36

Changes to Access Log FormatsA new streaming log format is introduced in SGOS 6.2, bcreporterstreaming_v1; this format is the default on new systems. The legacy streaming log format, streaming, is used on upgrades to SGOS 6.2.

The existing bcreportermain_v1 format contains new fields to support the application filtering feature.

For More InformationFor a list of the fields in each of these formats, see Blue Coat SGOS 6.2 Administration Guide, Creating Custom Access Log Formats chapter.

For upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference.

SMTP Server ConfigurationNew CLI commands are available for configuring the SMTP server that the ProxySG uses for emailing notifications. In addition, the server port is now user-configurable; previously, it was hard-coded to port 25.#(config smtp) server {domainname | ip-address} [port]#(config smtp) from from-address#(config smtp) view

# show smtp

With the introduction of the smtp subcommands, the following event-log CLI commands are deprecated:#(config event-log) mail smtp-gateway {domain_name | ip_address}#(config event-log) mail from from_address#(config event-log) mail no smtp-gateway

For More InformationSee "Deprecations" on page 47.

For CLI syntax, see the SGOS 6.2 Command Line Interface Reference.

For upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference.

Security Enhancement / Behavior ChangeSGOS 6.2 introduces a change in behavior with regard to the re-activation of a user account after it has been locked out due to excessive failed authentication attempts. Starting in 6.2, the lockout period is reset on each failed authentication attempt in the local ream; accounts are re-enabled according to the following calculation: time_of_last_failed_login_attempt + lockout_duration. In previous SGOS versions, accounts were re-enabled at time_account_was_locked_out + lockout_duration. This security enhancement potentially lengthens the length of time a user is locked out. The default value of the lockout duration can be changed with the lockout_duration CLI command. (B#150228)


37

Resolved Issues in SGOS 6.2.1.1This release incorporates the bug fixes from SGOS 6.1.3, 5.5.4.1, and 5.4.6.1.


Access Logging❐ Fixed internal issue where created FTP file name is not unique. (B#152506)

Authentication❐ LDAP authentication no longer fails with the error “Could not determine full

user name.” (B#154899, SR 2-352888122)

Caching❐ Fixed the issue with stale client connections that sometimes occurred when

multiple concurrent connections requested an object larger than 500KB whose response header did not contain content-length information, and was not chunked-encoded. (B#145695, SR 2-317195422)

❐ A single cache object can now be deleted via advanced URL. (B#151629, SR 2-341552592)

CLI Console❐ Fixed the Exception: 0x40006 (CEA_OUT_OF_FREE_CACHE_BLOCKS) in

Process "CEA Cache Administrator" in "" at .text+0x0. (B#149084, SR 2-330536732)

❐ The ProxySG appliance no longer closes the SSH session towards Director during the course of a session. (B#148892, SRs 2-329586429, 2-330623511, 2-330669152, 2-330816212)

❐ Fixed the issue in which Web management console requests that required very large responses caused the appliance to run out of memory and restart. (B#149084, SR 2-330536732)

DNS Proxy❐ The links to view and delete DNS entries in the MC now work properly.

(B#145809)

Event Logging❐ Taking a disk offline that has the main copy of the event log no longer results

in an empty log. (B#141593)

http://ice.bluecoat.com/cachezilla/show_bug.cgi?id=149084



https://ice.bluecoat.com/cachezilla/siebelview.cgi?ri=2-5GSJRW


38

Flash Proxy❐ When available bandwidth between the ProxySG appliance and OCS was

insufficient, the playback experience for live streams was suboptimal. This issue has been fixed. (B#153929, SR 2-345163102)

❐ Video no longer stutters when viewing live news and other channels on www.rtve.es. (B#153921, SR 2-346602532)

❐ Fixed the issue in which a worker client connection might leak if the connection closed abruptly without finishing the initial handshake. (B#143303)

❐ The Configuration > Access Logging > General > Default Logging tab no longer displays none for Flash streaming. (B#143817)

❐ When playing audio-only live streams using version 10.1 of the Adobe Flash plugin, users no longer experience missing audio after a certain sequence of play/pause operations. (B#144180)

❐ When Flash Media Server is configured to use the AutoCloseIdleClients option, it no longer times out client connections accessing a live stream that is being split at the ProxySG. (B#141802)

❐ In a proxy chaining scenario, pausing a live stream no longer hangs the Flash application on the client end.

❐ When communicating with the Flash Media Server, if using HTTP/1.0 or non-persistent connections, the Flash player no longer hangs. (B#152042)

HTTP Proxy❐ Fixed the issue in which denied requests appeared in the access log as

TCP_ERR_MISS if a policy was defined to check response headers. (B#152503)

❐ YouTube videos can now be downloaded on an iPhone routed through a proxy. (B#150742, SR 2-337673439)

❐ Fixed the HTTP performance issue on the SG 9000-20. (B#151062, SR 2-339570243)

❐ The client worker no longer enters tunnel-on-error mode when both the client worker and server worker access the server socket. (B#150226, SRs 2-336369312, 2-338831809)

❐ Internet Explore 6 clients are now able to use Siebel 8 while proxied through the ProxySG appliance. (B#145241)

❐ When the ProxySG appliance has URL rewrite policy to rewrite request.header.Referer and request.header.Location, it no longer sends a Zero-chunk block twice when the response is chunk encoded data. (B#144623, SR 2-291847282)

❐ The ProxySG appliance now serves the cached copy when the client sends a request for a non-standard accept-encoding, such as x-gzip, and the object is already cached. (B#144684, SR 2-318001457)




39

IPv6❐ Fixed the issue that occurred when the local category database contained an

IPv4 address, and the DNS lookup from the ProxySG appliance was always IPv4-only, regardless of the policy setting. (B#145286, SR 2-307821662)

Kernel❐ Fixed the issue with 64-bit platforms hanging while running Windows Media

Streaming for video on-demand traffic. (B#152141)

Malware Scanning (ICAP)❐ When the server sends a compressed object and the ICAP server decides that

the object needs to be replaced, the ProxySG appliance now sends a complete response to the client. (B#145318, SR 2-317171186)

Management Console❐ The advanced URL links in the Management Console now display in Firefox.

(B#152185)

❐ The Proxied/Errored Sessions on the Active Sessions tab now sort correctly. (B#143988)

❐ The Configuration > Network > Adapters > Configure page now properly displays the link speed when a 10GB is installed in the ProxySG appliance. (B#145212)

Networking❐ The show attack-detection view connection now shows the connection

count. (B#152374)

❐ For all intercepted inbound connections in a serial in-line failover configuration, the ProxySG now always replies to the client's MAC address and not the router's. (B#152461)

❐ The ProxySG appliance no longer restarts while handling fragmented and bad TCP checksum packets. (B#155873, SR 2-356001812, 2-357640952)

❐ A memory leak on the concentrator with HTTP over ADN traffic no longer causes the ProxySG appliance to restart. (B#151619, SR 2-355195770)

❐ Installing a static route or RIP route that overlaps with the interface route on the ProxySG appliance no longer cause pings to hosts on the same subnet or hosts through gateway route to fail. (B#144441)

❐ The ProxySG no longer restarts if bandwidth management was disabled while the system was under heavy load. (B#144958, SR 2-302190883)

❐ Fixed issues with bypass configuration. Setting to trigger on connect-error now works properly, and SGOS adds addresses to the dynamic bypass list. (B#145125)


40

❐ The show configuration command now lists the mode for a failover group. (B#145609)

❐ TCP connections for misbehaving servers that do not properly close the connection no longer leave the connection open for an extended period of time. (B#145817, SR 2-320946712)

❐ Advertisements addressed to one SGRP group are not processed by other groups. With this fix, the backup ProxySG appliance no longer becomes the master when it isn’t actually needed. (B#144800, SR 2-301696882)

Platform-Specific

SG9000❐ There is no longer a delay with the SG9000 front panel display during initial

configuration. (B#137016)

❐ Fixed the configuration issue with 10GB interfaces; the CLI, Management Console, and Sky UI do not allow the speed of these interfaces to be adjusted. (B#145218)

Policy❐ Authentication policy checking user or realm now work reliability when ICAP

is set to trickle mode. (B#148991, SR 2-327392552)

Security❐ BCAAA stack overflow vulnerability fixed. See Security Advisory SA55.

(https://kb.bluecoat.com/index?page=content&id=SA55)

Note: Because BCAAA for SGOS 6.2.x contains a security vulnerability fix, be sure to upgrade BCAAA even if you are already running version 130.

❐ If the ProxySG appliance is not connected to the network, the restore-defaults factory-defaults operation no longer deletes the appliance factory certificate. (B#144621)

SNMP❐ Values for the ipNetToNetAddress entries of the ipNetTo table are now

reported in the correct order, when snmpwalk or snmpget commands are run. (B#152232)



41

SSL Proxy❐ Using Windows 7 and IE 8 with TLS1.2, the FIN is sent back to the client;

previously, the ProxySG appliance reset user connections and the OCS connection after getting the FIN from the OCS with TLS 1.2, resulting in a “page cannot display error message” on user’s screens. (B#148147, SR 2-334052225)

Streaming❐ In a proxy chaining deployment, there are no dangling connections after

playing a VOD stream until the end of the stream through RTSP. (B#145118)

Timezones and NTP❐ Updated Timezons.tar with the latest changes in DST for Sao Paulo, Brazil.

(B#155961, SR 2-355283652)

Visual Policy Manager (VPM)❐ Fixed the issue in which invalid ciphers displayed in the "Add Client

Negotiated Cipher Object" window. (B#150306, SR 2-336439452)

❐ When rules are moved up and down, text in the Comments column is no longer deleted. (B#139384)

WCCP❐ Applying server side bandwidth management policy now functions correctly

in WCCP deployments. (B#142616)

Security AdvisoriesTo see if there are any Security Advisories that apply to the version of SGOS you are running, go to:

https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS

New advisories are published as security vulnerabilities are discovered and fixed.

https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS


42

Known Issues in SGOS 6.2.1.1At the time of production, Blue Coat knows of the following issues.

ADN❐ A Branch peer running a release prior to SGOS 5.5.4 will not be able to form

transparent tunnels with a Concentrator peer running 6.2 (or above). The Branch peer must be running SGOS 5.5.4 or higher.

Advanced URL❐ The Advanced URL statistics page for Core Images shows “Internal

customer release” instead of “Customer release.” (B#159739) Fixed in SGOS 6.2.2.1

Authentication❐ The ProxySG resets when BCAAA does not respond to requests in time.

(SR 2-360160382; B#156674; fixed as B#158684 in 6.2.2.1)

❐ BCAAA installs an expired CA Cert PEM. (B#148682)

❐ Users cannot be logged out by using the user-logins logout URL without providing the user name. (SR 2-355213592; B#155631) Fixed in SGOS 6.2.2.1

CIFS❐ The show cifs CLI command does not work if the URL contains spaces, even

when the URL is enclosed in quotation marks. The workaround is to replace any spaces with %20. (B#155626)

Content Filtering❐ If the view applications CLI command does not display a list of the

supported application names, it’s possible that your ProxySG has entered a state where it has stopped the incremental updating of its local BCWF database. While the ProxySG is in this state, the application filtering information is unavailable. The regular content categorization is still functional but is using a database that is not up-to-the-minute current. (B#159010) Fixed in SGOS 6.2.1.3

To restore the regular update cycle and the application filtering functionality, enter the following commands in the CLI:

#(config content-filter)provider bluecoat disable

#(config bluecoat)purge

#(config content-filter)provider bluecoat enable

#(config bluecoat)download get-now


43

❐ Since application name and operation were introduced into the bcreportermain_v1 log format with the Prowl release, use of that format by an access log may now cause CPU usage to increase by up to 5%. If this is undesirable, create a custom access log format that excludes these new fields. (B#157661)

Encrypted MAPIEncrypted MAPI acceleration on the ProxySG has the following limitations:

❐ Encrypted and plain MAPI traffic may be bypassed if 64-bit Exchange enterprise and Outlook clients are used. (B#156424)

❐ Outlook users must belong to the same domain as the Exchange server and the ProxySG. Multi-domain support is not available in this release. (B#158870)

❐ Outlook establishes NTLM connections with Exchange Server over Load Balanced Client Access Array solutions. NTLM connections are tunneled by the ProxySG appliance. Workaround: enable Kerberos support for Load Balanced solutions. (B#155098)

Flash Proxy❐ Dynamic streaming (play2) may cause video playback to stop in heavily

bandwidth-constrained environments when a hierarchy of ProxySG appliances are caching the video. (B#156892, #156896)

❐ For Flash video clients that use pauses while seeking, such as Yahoo video, a ProxySG may not be able to cache content or play content from cache after a seek. (B#156268)

❐ For some Flash client/server application combinations, playback may freeze after doing a seek. To solve this problem, simply perform another seek and playback should resume. (B#157785)

❐ Some video files, when streamed from Flash Media Server 4, may not finish correctly and the player may remain in a continuous buffering state after the video ends. If the video is part of a playlist, the next video might not start playing; if this happens, you can manually play the next video. (B#158720)

❐ Advanced functionality, such as stream publishing, may not work optimally through the ProxySG.

❐ The ProxySG may have problems caching certain video files delivered via FMS version 3.0.x. The workaround is to use bypass_cache(yes) policy to prevent caching these videos. (B#158954)

HTTP Proxy❐ There is an issue downloading some YouTube objects via the ProxySG onto an

iPhone. The workaround for this issue is to disable client side persistence. (B#155291)


44

❐ When writing a policy to block a host found in an HTTP request and using the setting Trust Destination IP, some requests may not be blocked. A workaround is to use the resolved IP address for the host you want to block. (B#154935)

❐ Software restart in Process "HTTP Waiting Room" in "http.dll" at .text+0x93df7. (SR 2-358661832, 2-360499632; B#156140)

❐ When using WebFTP through the ProxySG appliance using a transparent setup with reflect client IP, FTP communications in active mode will not complete. Workaround: Use passive mode or disable reflect client IP. (B#145300)

❐ When accessing the advanced URL for the HTTP debug log and trying to delete an ICAP service, sometimes the service is not deleted. Please retry after the debug log has been downloaded fully from the browser. (B#147373)

❐ When the Clientless Limits feature is enabled and many clientless requests are in a deferred status, disabling the limit configuration might cause the ProxySG appliance to restart. To prevent, do not disable the limits when more than one thousand request are deferred. (B#143016)

ICAP❐ With ICAP and Patience pages both configured and downloading a file, the

Save As dialog is not prompted with IE-8.0.6001.18702 and IE 7.0.5730.13. Blue Coat recommends using trickling. (B#151088)

IPv6❐ In an IPv6-only network (no IPv4 connections to the ProxySG appliance) with

RCIP disabled, the ProxySG appliance requires the server_url.dns_lookup prefer-ipv6 policy to successfully resolve IPv6 DNS requests. (B#143668)

❐ DSCP over IPv6 is not yet supported. (B#143787)

Management Console❐ The Management Console (Statistics > Protocol Details > Streaming History) is not

showing the correct values for Windows Media total streaming statistics. To get the accurate statistics, use the following advanced URL: https://<ProxySG-IP>:8082/MMS/statistics(B#158903) Fixed in SGOS 6.2.2.1

❐ The default URL for the malware scanning policy update is not shown in the Management Console (Configuration > Threat Protection > Malware Scanning > Update malware scanning policy). You will need to type in the URL manually (https://bto.bluecoat.com/download/modules/security/SGv6/threatprotection.tar.gz) and perform the update by clicking the Install button. Alternatively, you can update policy with the threat-protection CLI command. See the SGOS 6.2 Command Line Interface Reference for details on using this command. (B#158970) Fixed in SGOS 6.2.4.1


45

MAPI Proxy❐ Endpoint Mapper does not restrict source IP for secondary MAPI connection

interception. Workaround: add the IP address to the static bypass list. (B#154100)

❐ Encrypted MAPI connections are bypassed when Outlook generates the user name in User Principal Name format (username@domain). This issue does not occur when the user name is specified in "Down-Level Logon Name" format (domainname\username). (B#157163)

❐ Domain controllers have group policies that define the Kerberos service ticket lifetime. To decrypt/encrypt MAPI traffic, the MAPI proxy negotiates the Kerberos security context that expires after the service ticket lifetime is reached; the core ProxySG resets encrypted MAPI connections once this ticket lifetime is reached. (B#158350) Fixed in SGOS 6.2.2.1

Platform-Specific

SG210-5❐ The SG210-5 is not supported on SGOS 6.2 or higher because this release

provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.

SG300 in trial mode❐ When installing a new license on a ProxySG 300 in trial mode to increase the

limits for HTTP connections, the ProxySG appliance must be restarted before the new limits take effect. (B#153815)

SG9000❐ If an onboard nVidia network interface on the SG9000 platform is configured

to auto-negotiate and the device it is connected to is set to 100/full, there is a possibility that the interface will lock up. Once the NIC gets into this state, a power cycle is required to get the NIC back to a functional state. This is a hardware issue nVidia has documented. To resolve this issue, reconfigure the ProxySG’s NIC and the external device’s NIC to auto-negotiate or to matching speed/duplex settings. Note that this is the recommended configuration for Gigabit interfaces. (B#144158, SR 2-313781541)

ProxySG VA❐ Under rare circumstances, the ProxySG VA can issue spurious Watchdogs

exceptions. There is no unique signature to this failure – the appliance will fail with HWE 0x11 and SWE 0x02. This failure usually occurs after the product has experienced a period of load, followed by a sustained idle period. (B#157534)


46

Policy The ProxySG fails to match the policy request.header.cookie="sslallow" action.red(yes) at CI checkpoint when apparent data type policy is present. (B#160176)

The workaround is to add a force_exception(policy_redirect, “”, “”) action after the action.red(yes) action. This is only required when a policy condition depends on a server response, for example when high performance malware scanning is enabled.

For example:<proxy>

condition=sslallow request.header.cookie="sslallow" action.rewtohttps(yes)request.header.cookie="sslallow" action.red(yes) force_exception(policy_redirect,"","")

Services❐ During high load, a watchdog timeout may be encountered in services admin

due to internal locking issues. (B#158567)

TCP/IP and General Networking❐ In a software bridge with two interfaces attached and Propagate Failure

enabled, when one of the interfaces goes down, the other interface also goes down—as seen on the device LEDs. (They do not glow for either interface.) However, the Management Console and the show bridge config CLI output show that the link is connected, even though it is not. In addition, when the CLI is reporting this misinformation, event logs will also be generated in the following format:

2011-04-22 20:55:14-00:00UTC "Interface Health Check: Interface 1:2 is up." 0 30209:1 event_logger.cpp:31

This issue is seen only on the Broadcom NICs (integrated or option). (B#154604)

❐ An extraordinarily large connection forwarding table might cause the ProxySG appliance to stop responding to management console requests. (B#144396).

❐ For very high bandwidth-delay links using the SCPS feature, it may be necessary to manually set the ADN window size to maximize throughput. Consider manually increasing the ADN window size with satellite links that have more than 14 Mbps of available bandwidth. Note that the ProxySG needs to be restarted for the window size setting to take effect. (B#153174)

❐ On the ProxySG 9000-20, CPU3 runs at 100% due to IP fragmentation. (B#151889)Workaround: See Knowledge Base solution 3790 (https://kb.bluecoat.com/index?page=content&id=KB3790).



47

❐ Link propagation on the optional Intel fiber card: One of the interface remains down while the other interface fluctuates between up and down states; this is triggered when link propagation is enabled on the fiber card and one interface that is part of the bridge losses link and the other does not. (B#150676)

❐ After executing a "restore-defaults keep-console," the bridge settings are not preserved on the ProxySG 300, 600, and 9000 platforms. (B#158649)

❐ When Bypass Keep-Alive is enabled, only the bypassed connections that are received after it is enabled apply; pre-existing connections continue to exist without sending keep-alive. (B#144923)

SOCKS Proxy❐ SOCKS services are unavailable on MACH5 licensed ProxySG appliance

deployments. (B#152664)

SSL Proxy❐ The certificate revocation list (CRL) from Comodo (http://crl.comodo.net/

UTN-USERFirst-Hardware.crl) can cause the ProxySG to reset when doing certificate verification; Blue Coat recommends that this CRL not be loaded into the ProxySG. (B#158889)

Virtual Appliance❐ When the ProxySG VA is under a heavy load and has high RAM usage, the

memory alarm might trigger in vCenter Server. Since the ProxySG VA has its own health monitoring system for memory state, you might want to disable the memory alarm in vCenter. (B#147090)

Visual Policy Manager (VPM)❐ Installing large VPM-XML causes the VPM Java applet to consume excessive

memory and stalls the policy installation. (B#157623) Fixed in SGOS 6.2.2.1

Windows Media Proxy❐ The ProxySG appliance fails to play video files with more than 200 KB SDP

header. (B#152909)

Yahoo Instant Messaging❐ Explicit/SOCKS connection through the ProxySG appliance with Yahoo 8.1

clients: file transfer are successful but no statistics representing as such. (B#141470)

DeprecationsThe following CPL properties and CLI commands have been deprecated.


48

CPL PropertiesIn the ftp.server_data( ) CPL property, the port and pasv arguments have been deprecated. If you install existing policy with these arguments, they will automatically get converted to active and passive.

CLI Commands

event-logThe following event-log CLI commands are deprecated:#(config event-log) mail smtp-gateway {domain_name | ip_address}#(config event-log) mail from from_address#(config event-log) mail no smtp-gateway

proxy-processingThe proxy processing feature was deprecated starting with SGOS v5.5. In SGOS v6.1.2, the Proxy Processing tab was removed from the Management Console, but the feature can still be configured via the CLI. Since proxy processing will be completely removed from an SGOS release in the future, Blue Coat recommends that you discontinue using this feature and deploy a separate secure web gateway to handle proxy processing.

The following CLI command is deprecated:# (config adn tunnel) proxy-processing http {enable | disable}


49

Section I: Limitations in SGOS 6.2.xThese issues are known by Blue Coat but are not fixable because of the interaction with third-party products, works as designed but might cause an issue, or other reason.

Director❐ Director might become unresponsive when executing a profile or restoring a

backup on a ProxySG appliance. Director must be rebooted when this issue occurs.

Management Console❐ The default Active Session list requests limit is 5,000.

❐ After you apply changes and see the message Changes were committed to the SG successfully, it actually takes the ProxySG about 30 seconds to process the changes. Do not restart the ProxySG during this processing time or you may lose the changes you made.

Licensing❐ The product description in the licensing component may show as SGOS 5.x

even after upgrading to 6.x; SGOS 5.x reflects the version that the system was manufactured with. (B#145068)

SSL/TLSDue to security reasons, MD2 support for certificate verification has been removed from openssl by default (starting with version 0.9.8m). As a workaround, disable protocol detection from a specific website <web_addr>:

if url=<web_addr> detect_protocol(no) ((B#159333)

TCP/IP and General Networking❐ When multiple network IP addresses are configured on the same interface, the

ProxySG uses the wrong IP address when connecting to an external device. To avoid this issue, Blue Coat recommends that customers requiring multiple IP support should use a unique interface for each subnet. (B#158585)


50

Section J: SGOS 6.x — Support Files and Support for Other ProductsThis section lists third-party products that interact with the ProxySG appliance.

Support FilesThis section provides links to files and documents referenced in the ProxySG appliance documentation set.

.htpasswd File (Perl Script)This file is used during Local Realm (Authentication) configuration.❐ https://bto.bluecoat.com/doc/13282

XML Schemas for SOAPThese schemas are used in authentication and authorization responses and requests.❐ http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-0.xsd

❐ http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-1.xsd

Support for Other ProductsThis section provides the required versions of other products that interact with the ProxySG appliance.

Supported Clients and BrowsersThe following are the combinations of OS, browser, and Oracle Java Runtime Environment (JRE) versions supported for the Web-based Management Console (MC) and the Visual Policy Manager (VPM).

Supported Operating SystemsThe supported operating systems for the Management Console and VPM are as follows:

❐ Microsoft Windows™ 2000 Pro (SP4 or later)

❐ Windows XP (SP2 or later)

❐ Windows Vista

Supported Browser VersionsThe supported browser versions for the MC and VPM are as follows:

• Windows: Internet Explorer (IE) 8, IE 7, Firefox 3.6, Firefox 3.5.

• Apple Mac OSes: Safari 4, Safari 3, Firefox 3.6, Firefox 3.5

• Linux: Firefox 3.6, Firefox 3.5

Supported browsers means the browsers on which Blue Coat tested SGOS 6.2. Other browsers might work, but are not guaranteed by Blue Coat.


51

Supported JRE VersionsSupported Java JRE versions:

• 1.5.0_15 and later

• 1.6 (except 1.6_05, which causes VPM Help problems)

Notes ❐ On the Java download page, Java naming conventions refer to JRE 5.0 and JRE

1.5 interchangeably. JRE 5.0 is the new name for JRE 1.5.

❐ Blue Coat recommends that you use Internet Explorer to download JRE because it downloads the correct version of JRE. Firefox attempts to install the latest JRE, which might not be compatible with the Management Console.

❐ When you start the ProxySG appliance Management Console for the first time after upgrading to SGOS 5.4 or later and your currently installed JRE is earlier than 1.5.0_15, your Web browser attempts to download a more current JRE.

❐ You might experience a problem downloading the latest supported JRE through the Management Console if:

• The browser does not support automatic download.

• The automatic download hangs.

• The Java Installer displays an error: HTTP Status Code=302 followed by a popup that Java 1.5.x cannot be downloaded.

If you experience any of these issues, enter the following URL to get to the Java download page (if the automatic download hangs, first terminate the download):

http://www.oracle.com/technetwork/java/index-jsp-141438.html

❐ Network delays and/or slow processor speeds might affect JRE performance, slowing the display of Management Console menu selections and options.

❐ Enable the auto-detect encoding feature on your browser so that it uses the encoding specified in the console URLs. The browser does not use the auto-detect encoding feature by default. If auto-detect encoding is not enabled, the browser ignores the charset header and uses the native OS language encoding for its display.

❐ If your system is running JRE 1.6_05, the VPM Help system does not display or function correctly.

❐ If you upgrade JRE from a lower version, clear the browser private data.


52

Blue Coat Director, Reporter, and ProxyClient

DirectorSGOS 6.2.x is compatible with SGME 5.x. If you are using Blue Coat Director to manage your ProxySG appliances, use overlays to fine-tune configuration specifics after upgrade. Do not push a device profile created in an earlier SGOS version to a ProxySG appliance that has been upgraded. For more information on profiles and overlays, refer to the Director documentation.

Consult the following table before attempting to manage ProxySG appliance appliances:

ReporterThis release is compatible with the following Blue Coat Reporter releases:

❐ Reporter 8.x

❐ Reporter 9.x

ProxyClientProxyClient versions 3.1.x, 3.2.x, and 3.3.x are compatible with SGOS 6.2. To download the latest version, refer to the Blue Coat ProxyClient Release Notes.

Anti-MalwareThe Blue Coat ProxySG appliance with ProxyAV™ integration is a high-performance Web anti-malware solution. For more information, refer to the Blue Coat Web site.

This release is compatible with Blue Coat AVOS 3.x.

SGOS 6.2.x works with the following third-party implementations of ICAP:

Director Version Manages SGOS versions....

6.x and 5.5.x SGOS 6.1.x and 6.2.xSGOS 5.3.x, SGOS 5.4.x, and SGOS 5.5.xSGOS 4.3.x

5.4.2.x

5.4.2.5

SGOS 5.3.x and SGOS 5.4.xSGOS 4.3.xException: DIrector V 5.4.2.5 manages SGOS 5.5.1.1 in addition to the above versions.

5.4.1.x SGOS 5.4.x, SGOS 5.3.x, SGOS 5.2.x, SGOS 5.1.xSGOS 4.2.9 and later, including 4.3.xLimitation: You can use VPM in SGME 5.2.x and later to push policy to devices running SGOS 4.2.x, where x > 9 or SGOS 5.2.2.x or later only. If a device runs SGOS 4.2.9 or earlier or 5.2.1 or earlier, use the SGOS Management Console on each device to change policy on the device.


53

❐ Symantec AntiVirus Scan Engine (SAVSE) 4.3, version 4.3.0.15; ICAP 1.0

❐ WebWasher 5.3, build 1953; ICAP 1.0

Instant MessagingThis section details the Instant Messaging proxy support for English language versions. While some versions of AIM and Windows Live Messenger (WLM) are not officially supported, they work in most situations.

Video and audio are not supported with any of the Instant Message protocols: MSN, Yahoo, AIM, and WLM.

English Language Versions Supported

Table 1-1. IM Client Compatibility Matrix

Client Version SGOS 6.x Support

Comments

AIM 6.5 Limited This version was not officially tested, but full proxy support should work. See "Partially Supported IM Protocol Versions" below.

AIM 6.8 Yes AIM 6.8 is supported in explicit SOCKSv5 and HTTP/HTTPS proxy configurations only. For AIM 6.8 support, you must purchase and import a CA signed SSL certificate on the ProxySG appliance.

AIM 6.9 Limited This version was not officially tested, but full proxy support should work.

Windows Messenger 4.x

Yes (4.0-XP, 4.7-XP+SP2)

Windows Messenger 5.x

Yes

MSN Messenger 7.0 Yes This is the last version that supports Windows 98 and Windows ME.

MSN Messenger 7.5 Yes

WLM 8.0 Yes Name changed from MSN to Windows Live Messenger (WLM); Microsoft deprecated this version in favor of WLM 8.1.

WLM 8.1 Yes In 2007, Microsoft rendered as obsolete all versions previous to 8.1 because of a security issue.

WLM 8.5 Yes Beginning November 9th, 2009, clients are required to upgrade.


54

Partially Supported IM Protocol Versions

AIMThe ProxySG appliance does not recognize transparent AIM 6.x as AIM (IM) traffic. In some ProxySG appliance configurations, however, client login and chat do succeed.

❐ AIM 6.x

• If a SOCKS proxy is configured in the client's Internet Explorer (IE) settings:

• SOCKS proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally.

• SOCKS proxy with detect protocol enabled on the ProxySG appliance: The client can log in and chat with a thirty-second delay.

• If an HTTP/Secure proxy is configured in the client PC's IE settings:

• HTTP proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally

• HTTP proxy with detect protocol enabled on the ProxySG appliance: The client login fails after about 30 seconds with the message Connection lost.

• Transparent deployment: AIM 6.1 cannot log in if an SSL service is configured on port 443. AIM can log in, with a 30-second delay, if a TCP tunnel service is configured on port 443 with protocol detection enabled. AIM can log in if the SSL forward proxy is also enabled and the ProxySG appliance appliance's certificate is installed as the root certificate on the client's IE browser.

❐ AIM 6.5

WLM 2009 Yes In 6.x, WLM 2009 is tunneled. This version is also known as version 14.0. Beginning November 9th, 2009, Messenger 2009 (version 14) users must upgrade their clients. Users who have already installed the latest version, which was released Aug 18th 2009 (Build: 14.0.8089.726), are not required to upgrade.

Yahoo 5.5, 5.6 N/A In April 2008, Yahoo! retired these client releases.

Yahoo 8.0, 8.1 Yes

Yahoo 9.0 Yes In 6.x, Yahoo 9.0 is tunneled.

Table 1-1. IM Client Compatibility Matrix

Client Version SGOS 6.x Support

Comments


55

• The client can log in and chat unless the SSL connection is intercepted by the SSL forward proxy. Supported deployments, if the SSL connection is not intercepted by the SSL forward proxy include transparent/TCP tunnel on port 443, transparent/SSL proxy on port 443, and HTTP proxy or SOCKS proxy.

To deny login for AIM 6.0, 6.1 clients, and for transparent proxy deployments of AIM 6.5 and 6.8 clients, the following policy can be used:

<Proxy>DENY url.host=kdc.uas.aol.com

Peer-to Peer (P2P)SGOS 6.2.x supports the following P2P protocols:

❐ BitTorrent, with the exception of encrypted BitTorrent

❐ GNUtella

❐ eDonkey

Policy❐ Ask.com has changed its SafeSearch mechanism from a cookie-based one to a

query-string based mechanism. If you are using the SafeSearch policy in your network, to ensure that undesirable mature content is blocked, please update the SafeSearch policy as shown below (B#141182):

Replace

; === SafeSearch for Ask ===

;

; === BC_SafeSearch_Ask Domains/Hostnames ===

define condition BC_SafeSearch_Ask_Domains

url.domain=ask.com url.host=!wzus.ask.com

url.host=!mystuff.ask.com

url.domain=ask.co.uk url.host=!wzus.ask.com


end

;

; === BC_SafeSearch_Ask Rules ===

<proxy BC_SafeSearch_Ask_cookies>

condition=BC_SafeSearch_Ask_Domains

request.header.cookie="adt=|adlt="

action.BC_SafeSearch_Ask_Cookie_Rewrite(yes)

action.BC_SafeSearch_Ask_Cookie_Addition(yes)

;

; === BC_SafeSearch_Ask Defines ===

define action BC_SafeSearch_Ask_Cookie_Addition

append(request.header.cookie, "gset:adlt=0")

end


56

define action BC_SafeSearch_Ask_Cookie_Rewrite

#if release.version=5.4..

rewrite(request.header.cookie, "(.*)adt=(.*)", "$(1)adt=0$(2)")

#endif

rewrite(request.header.cookie, "(.*)adlt=(.*)",

"$(1)adlt=0$(2)")

end

;

With

; === SafeSearch for Ask ===

;

; === BC_SafeSearch_Ask Domains/Hostnames ===

define condition BC_SafeSearch_Ask_Domains

url.domain=ask.com url.host=!wzus.ask.com


url.domain=ask.co.uk url.host=!wzus.ask.com


end

;

; === BC_SafeSearch_Ask Rules ===


94

<proxy BC_SafeSearch_Ask_cookies>

condition=BC_SafeSearch_Ask_Domains

url.query.regex="adt="

action.BC_SafeSearch_Ask_Query_Rewrite(yes)

;

; === BC_SafeSearch_Ask Defines ===

define action BC_SafeSearch_Ask_Query_Rewrite

rewrite(url, "(.*)adt=(.*)", "$(1)adt=0$(2)")

end

;

;

RSA SecurIDSGOS 6.2.x supports RSA 6.0 with SecurID.

SOCKSSGOS 6.2.x supports SOCKS v5, authentication protocol v1.

StreamingStreaming support is limited to the following players and servers:

❐ The ProxySG appliance supports the following versions and formats:

• Windows Media Player 7-12


57

• Windows Media Server 9

• Microsoft Silverlight

❐ The ProxySG appliance supports the following Real Players and Servers:

• RealOne Player, version 2

• RealPlayer 8 and 10

• RealServer 8 through 10

• Helix Universal Server

• Helix Player 11

❐ The ProxySG appliance supports the following versions and servers, but in pass-through mode only:

• QuickTime Players v7.x, 6.x, and 5.x

• Darwin Streaming Server 4.1.x and 3.x

Flash Proxy (RTMP) SupportFlash streaming proxy is compatible with current versions of Flash Server, client plugins, and browsers. Blue Coat recommends using the application versions listed in the table below for full functionality.

WCCPSGOS 6.2.x was tested with several releases of Cisco IOS: 12.0.7, 12.1.6E, 12.2.18. For a list of Cisco platforms that support L2 packet return, go to www.cisco.com.

Important: SGOS 6.x does not support older Windows Servers that do not support WM-HTTP when NTLM authentication is enabled.

Newer Windows Clients, such as 11.x, do not support the MMS protocol.

Silverlight is supported in SGOS 6.x; however, it must use WM-HTTP streaming protocol for streaming Windows content. WM-HTTP is also known as MS-WMSP.

Table 1–1 Supported Applications

Application Version Operating System

Adobe Flash plugin 10.x Windows XP

Adobe Flash Server 3.x, 3.5.x Windows 2003 Server

Internet ExplorerorFirefox

IE 7.x, 8.x

FF 3.xN/A


58

Copyright© 1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, ProxyOne™, CacheOS™, SGOS™, SG™, Spyware Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®, PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY “BLUE COAT”) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

America’s: Rest of the World:

Blue Coat Systems, Inc. Blue Coat Systems International SARL410 N. Mary Ave. 3a Route des ArsenauxSunnyvale, CA 94085 1700 Fribourg, Switzerland

Documents

SGOS_RelNotes_6.2.4.1