Blue Coat® Systems ProxySG™ SGOS 4.x Upgrade Guide
Blue Coat SGOS 4.x Upgrade Guide

Contact Information
Blue Coat Systems Inc.
650 Almanor Avenue
Sunnyvale, California 94085
North America (USA) Toll Free: 1.866.362.2628 (866.36.BCOAT)
North America Direct (USA): 1.408.220.2270
Asia Pacific Rim (Japan): 81.3.5425.8492
Europe, Middle East, and Africa (United Kingdom): +44 (0) 1276 854 101
bcs.info@bluecoat.com
support@bluecoat.com
www.bluecoat.com
Copyright© 1999-2005 Blue Coat Systems, Inc. All rights reserved worldwide.
Contents
Contact Information
Chapter 1: Upgrading—Overview
    Changes Between SGOS 3.x and SGOS 4.x
    About the Document Organization
    Related Blue Coat Documentation
Chapter 1: Upgrading—Overview
Blue Coat® strongly recommends that you read this document before attempting to upgrade to SGOS 4.x from a previous ProxySG operating system. Existing features and policies might not behave as they did in previous versions, and upgrading to this version might require additional configuration tuning. SGOS 4.x provides a higher level of security for the network, so when you downgrade to a previous version, not all configurations and policies are retained.

Changes Between SGOS 3.x and SGOS 4.x
Related Blue Coat Documentation
• Blue Coat ProxySG Configuration and Management Guide
• Blue Coat ProxySG Content Policy Language Guide
• Blue Coat ProxySG Command Line Interface Reference

Document Conventions
The following section lists the typographical and Command Line Interface (CLI) syntax conventions used in this manual.

Table 1.2: Typographic Conventions
Convention    Definition
Italics       The first use of a new or Blue Coat-proprietary term.
Chapter 2: Upgrade Behavior, General

General Upgrading
When you upgrade to SGOS 4.x from SGOS 3.2.4 or higher, the ProxySG saves a copy of the original configuration. That saved copy is not modified by any configuration you do after the upgrade. If you downgrade to the previous SGOS version, the saved configuration is used and the ProxySG is restored to that state; changes made under SGOS 4.x, including policy corrections, are therefore not present after the downgrade.
Summary of Changes to the Upgrade Process
• The upgrade path must include a release that shows all possible deprecation warnings, so that they can be corrected before the upgrade and policy compilation does not fail afterwards. Migrating through SGOS 3.2.4 or later satisfies this requirement.
Redoing an Upgrade from SGOS 3.2.4
When the first SGOS 4.x upgrade occurs, all compatible configuration is converted. This conversion happens only once. If you later downgrade to a pre-SGOS 4.x version by selecting an earlier image on the system, make configuration changes there, and then re-install SGOS 4.x, those later SGOS 3.2.4 changes are not propagated to SGOS 4.x.
Changing Between SGOS 4.x Versions
When you move from one SGOS 4.x release to another, the system keeps all settings. Changes made after an upgrade remain available after a subsequent downgrade as long as the setting is relevant to the downgraded release.
Note: When upgrading or downgrading between SGOS 4.x versions, copies of version-specific configurations are not retained.
Table 2.2: Licensable Components (continued)
Type       Component                           Description
Included   Websense Offbox Content Filtering   For Websense off-box support only.
Included   ICAP Services                       External virus and content scanning with ICAP servers.
Included   Bandwidth Management                Allows you to classify, control, and, if required, limit the amount of bandwidth used by different classes of network traffic flowing into or out of the ProxySG.
Hardware Supported
SGOS 4.x drops support for the ProxySG Series 600 and 700 systems. Users with these systems must either upgrade their hardware or stay on SGOS 3.x.
Chapter 3: Feature-Specific Upgrade Behavior
This chapter provides critical information about how specific features are affected by upgrading to SGOS 4.x (and, where relevant, by downgrading from it), and lists the actions administrators must or should take as a result. This chapter contains the following sections:
• "Access Logging"—Discusses the new global enable/disable switch, the Peer-to-Peer (P2P) format and log, and the new substitutions.
Global Enable/Disable Switch
In SGOS 4.x you can enable or disable access logging globally, through either the Management Console (Access Logging > General > Global Settings) or the CLI. When logging is globally disabled, that setting overrides both policy and the per-log configuration: nothing is logged, even if policy asks for it. When logging is globally enabled, policy settings override the access logging configuration.
Peer-to-Peer
The ProxySG recognizes peer-to-peer (P2P) activity relating to P2P file sharing applications. By constructing policy, you can control, block, and log P2P activity and limit the bandwidth consumed by P2P traffic.
Upgrade Behavior
• A new default format and a log called p2p are created.
• The default p2p format is associated with the p2p log.
• If a format called p2p already exists, the existing format is renamed to p2p_user.
Table 3.2: New Substitutions (continued)
ELFF: x-exception-category-review-message
CPL: $(exception.category_review_message)
Description: An HTML-formatted message suitable for inclusion in an exception page. The value is empty if the selected content filter provider does not support review messages, if the provider was not consulted for categorization, or if categorization failed because of an error.

ELFF: x-p2p-client-type
CPL: $(p2p.
Authentication
Two new realm types, policy substitution and Oblix COREid, have been added in SGOS 4.x.
• COREid Realm—The ProxySG can be configured to consult an Oblix COREid (formerly Oblix NetPoint) Access Server for authentication and session management decisions. This requires that a COREid realm be configured on the ProxySG and that policy be written to use that realm for authentication.
Upgrade Behavior
Because bandwidth management (BWM) is a new feature, upgrade issues are limited to pre-existing bandwidth configuration that is now subsumed into the BWM configuration. BWM does not replace the older bandwidth-limiting features in Streaming (max streaming, max Real, and max MMS); it complements them. BWM does replace the bandwidth-limiting configuration in Access Logging.
On an upgrade, cached HTTP objects remain usable. On a downgrade, cached HTTP objects fetched after the upgrade are re-fetched.
Documentation References
• Chapter 6, “Configuring Proxies,” in the Blue Coat ProxySG Configuration and Management Guide
• The Blue Coat Content Policy Language Guide

Content Filtering
• Cerberian content filtering has been renamed Blue Coat Web Filter (BCWF). No upgrade issues exist.
Endpoint Mapper and SOCKS Compression
The Endpoint Mapper proxy accelerates Microsoft RPC traffic between branch and main offices by automatically creating TCP tunnels to the ports on which RPC services are running. The Endpoint Mapper proxy can be used in both explicit and transparent mode. Using SOCKS compression for TCP/IP tunnels reduces bandwidth consumption and improves latency. No configuration is required on the main office ProxySG to support SOCKS compression.
• SGOS#(config external-services) view http icap-patience details
• SGOS#(config external-services) view http icap-patience header
• SGOS#(config external-services) view http icap-patience help
• SGOS#(config external-services) view http icap-patience summary
Documentation References
Chapter 11, “External Services,” in the Blue Coat ProxySG Configuration and Management Guide

Policy
In SGOS 4.
• user=
• user.domain=
• user.x509.issuer=
• user.x509.serialNumber=
• user.x509.subject=
The authenticated= condition can be used to test whether user information is available at all. Forward layer rules containing any of the other new authentication conditions fail to match if there is no associated user, regardless of the value specified in the test; a negated test such as user=!admin therefore does not match an unauthenticated request either. Two new named definitions have been added: define policy and define string.
CPL syntax that was deprecated in SGOS 3.x has been abandoned in SGOS 4.x. Policy that includes abandoned syntax must be corrected before you attempt to upgrade the system, because it no longer compiles. The standard upgrade path and process are designed to ensure the integrity of policy and the security of your network. Blue Coat strongly recommends that you follow the approved upgrade path and correct every policy deprecation warning before upgrading to SGOS 4.x.
Table 3.8: Abandoned Policy Conditions (continued)
Abandoned Syntax                    Replacement Syntax
protocol=                           url.scheme=
proxy_address=                      proxy.address=
proxy_card=                         proxy.card=
proxy_port=                         proxy.port=
release_id=                         release.id=
release_version=                    release.version=
request_header.<name>=              request.header.<name>=
request_header_address.<name>=      request.header.<name>.address=
request_x_header.<name>=            request.x_header.<name>=
request_x_header_address.<name>=    request.x_header.<name>.address=
response_header.
Table 3.9: Abandoned Policy Properties (continued)
Abandoned Syntax            Replacement Syntax
prefetch()                  pipeline()
proxy_authentication()      authenticate()
reflect_vip()               reflect_ip()
service()                   allow or deny
trace_destination()         trace.destination()
trace_level()               trace.level()
trace_request()             trace.request()
trace_rules()               trace.rules()

Table 3.10: Abandoned Policy Actions
Abandoned Syntax            Replacement Syntax
replace()                   rewrite()
virus_check()               response.icap_service() (a property)
Table 3.11: Abandoned Substitution Tokens
Abandoned CPL                        Current CPL
request_header.Content-Language      request.header.Content-Language
request_header.Content-Length        request.header.Content-Length
request_header.Content-Location      request.header.Content-Location
request_header.Content-MD5           request.header.Content-MD5
request_header.Content-Range         request.header.Content-Range
request_header.Content-Type          request.header.Content-Type
request_header.
Table 3.11: Abandoned Substitution Tokens (continued)
Abandoned CPL                            Current CPL
request_header.User-Agent                request.header.User-Agent
request_header.Vary                      request.header.Vary
request_header.Via                       request.header.Via
request_header.WWW-Authenticate          request.header.WWW-Authenticate
request_header.Warning                   request.header.Warning
request_header.X-BlueCoat-Error          request.header.X-BlueCoat-Error
request_header.X-BlueCoat-MC-Client-Ip   request.header.X-BlueCoat-MC-Client-Ip
Table 3.11: Abandoned Substitution Tokens (continued)
Abandoned CPL                          Current CPL
response_header.Proxy-Authenticate     response.header.Proxy-Authenticate
response_header.Proxy-Authorization    response.header.Proxy-Authorization
response_header.Proxy-Connection       response.header.Proxy-Connection
response_header.Range                  response.header.Range
response_header.Referer                response.header.Referer
response_header.Refresh                response.header.Refresh
response_header.
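The guide tells you to correct abandoned syntax before the upgrade but gives no tooling for it. The following Python script is an added example, not part of the guide and not Blue Coat code: it scans a CPL policy, applies the one-to-one renames from Tables 3.8, 3.9 and 3.10 and the header-token patterns behind Table 3.11, and flags service() and virus_check(), which have no mechanical replacement (one becomes allow or deny, the other becomes a response.icap_service() property that needs an ICAP service name). The sample policy is constructed for the example, and the rename tables contain only the rows visible on this page; extend them from the full tables in the guide before relying on the output.

```python
"""Pre-upgrade CPL migration check for the abandoned syntax in Tables 3.8-3.11.

Added example, not Blue Coat code. The CPL sample below is constructed; the
rename tables hold only the rows visible on the page and must be extended
from the full guide before the output is trusted.
"""
import re
from typing import Dict, List, Tuple

# One-to-one renames from Tables 3.8 (conditions), 3.9 (properties) and
# 3.10 (actions). Keys are matched only at the start of a CPL token.
SIMPLE_RENAMES: Dict[str, str] = {
    "protocol=": "url.scheme=",
    "proxy_address=": "proxy.address=",
    "proxy_card=": "proxy.card=",
    "proxy_port=": "proxy.port=",
    "release_id=": "release.id=",
    "release_version=": "release.version=",
    "prefetch(": "pipeline(",
    "proxy_authentication(": "authenticate(",
    "reflect_vip(": "reflect_ip(",
    "trace_destination(": "trace.destination(",
    "trace_level(": "trace.level(",
    "trace_request(": "trace.request(",
    "trace_rules(": "trace.rules(",
    "replace(": "rewrite(",
}

# Header forms carry a header name; the "_address" variants move "address"
# after the name. These match both conditions (request_header.X=...) and
# substitution tokens ($(request_header.X)). Most specific prefixes first.
HEADER_RENAMES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(?<![\w.])request_header_address\.([A-Za-z0-9-]+)"), r"request.header.\1.address"),
    (re.compile(r"(?<![\w.])request_x_header_address\.([A-Za-z0-9-]+)"), r"request.x_header.\1.address"),
    (re.compile(r"(?<![\w.])request_header\.([A-Za-z0-9-]+)"), r"request.header.\1"),
    (re.compile(r"(?<![\w.])request_x_header\.([A-Za-z0-9-]+)"), r"request.x_header.\1"),
    (re.compile(r"(?<![\w.])response_header\.([A-Za-z0-9-]+)"), r"response.header.\1"),
]

# Abandoned syntax with no mechanical replacement: a person has to decide.
MANUAL_REVIEW: Dict[str, str] = {
    "service(": "service() is abandoned; replace with allow or deny (Table 3.9)",
    "virus_check(": "virus_check() is abandoned; set the response.icap_service() "
                    "property with an ICAP service name instead (Table 3.10)",
}


def _token(old: str):
    """Match OLD only where it starts a token, so that e.g. the new
    response.icap_service( never re-triggers the service( check."""
    return re.compile(r"(?<![\w.])" + re.escape(old))


def migrate_policy(cpl: str) -> Tuple[str, List[str]]:
    """Return (rewritten policy, findings). Each finding is one string;
    those prefixed MANUAL mark lines that still need a human."""
    out: List[str] = []
    findings: List[str] = []
    for n, line in enumerate(cpl.splitlines(), 1):
        code, semi, comment = line.partition(";")  # CPL comments start with ';'
        for old, new in SIMPLE_RENAMES.items():
            code, hits = _token(old).subn(new, code)
            if hits:
                findings.append(f"line {n}: {old} -> {new}")
        for pat, new in HEADER_RENAMES:
            code, hits = pat.subn(new, code)
            if hits:
                findings.append(f"line {n}: header syntax rewritten ({hits} token(s))")
        for old, msg in MANUAL_REVIEW.items():
            if _token(old).search(code):
                findings.append(f"line {n}: MANUAL: {msg}")
        out.append(code + semi + comment)
    return "\n".join(out), findings


def still_abandoned(findings: List[str]) -> bool:
    """True if the policy cannot be loaded on SGOS 4.x without manual edits."""
    return any("MANUAL" in f for f in findings)


# Constructed sample policy (not from the guide) exercising each table.
SAMPLE_POLICY = """\
; constructed sample, pre-upgrade SGOS 3.x syntax
<Proxy>
    protocol=ftp deny
    proxy_port=8080 request_header.User-Agent="Mozilla" trace_level(1)
    request_header_address.X-Forwarded-For=10.0.0.0/8 proxy_authentication(corp_realm)
    url.domain=example.com virus_check(yes)
    service(no)
<Cache>
    prefetch(yes)
"""

if __name__ == "__main__":
    migrated, notes = migrate_policy(SAMPLE_POLICY)
    print(migrated)
    print("\n".join(notes))
    print("manual work needed:", still_abandoned(notes))
```

Run it against the exported policy before installing the SGOS 4.x image and only proceed once still_abandoned() is false; the negative lookbehind in the token regex is what keeps already-migrated names such as response.icap_service() from being reported a second time.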
• HTML Notification
    ❐ notify
    ❐ notify_missing_cookie
• Compression
    ❐ transformation_error
    ❐ unsupported_encoding
    ❐ invalid_response
• ICAP
    ❐ icap_error (should be used in place of the existing icap_communications_error exception page)
On a downgrade to SGOS 3.2.4, the ProxySG reverts to the SGOS 3.x policy that was in use the last time SGOS 3.x was running.
On an upgrade, objects that cannot be named by the user are automatically renamed so that the object name starts with an underscore character.
Documentation Reference
Chapter 14, “VPM,” in the Blue Coat ProxySG Configuration and Management Guide

Securing the Serial Port
Once the secure serial port is enabled (recommended):
• The Setup Console password is required to access the Setup Console.
SGOS#(config ssl) import keyring show|no-show keyring_id
SGOS#(config ssl) import certificate keyring_id
SGOS#(config ssl) import signing-request keyring_id
SGOS#(config ssl) import ca-certificate keyring_id
SGOS#(config ssl) import external-certificate keyring_id
Documentation References
Chapter 7, “Using Secure Services,” in the Blue Coat ProxySG Configuration and Management Guide
Chapter 21, “Maintenance,” in the Blue Coat ProxySG Configuration and Management Guide
Index
A
access logging
    default logs, protocols
    global enable/disable switch, CLI commands
    global enable/disable switch, overview
    new features in
    P2P log, format
    P2P upgrade behavior
    substitutions, new
authentication
    BCAAA, installing
    COREid realm, added
    Policy Substitution realm, added
    upgrade behavior
D
definition syntax, abandoned
document conventions
downgrading
    CacheOS 4.x
    SGOS 2.x
    to SGOS 3.2.
substitutions
    abandoned
    additional
substitution syntax, abandoned
U
upgrading
    changes between SGOS 3.2.3 and SGOS 4.