Blue Coat® Systems ProxyAV™

Configuration and Management Guide 2.2.x

Blue Coat ProxyAV Configuration and Management Guide

Contact Information

Blue Coat Systems Inc.
650 Almanor Avenue
Sunnyvale, California 94085

North America (USA) Toll Free: 1.866.362.2628 (866.36.BCOAT)
North America Direct (USA): 1.408.220.2270
Asia Pacific Rim (Japan): 81.3.5425.8492
Europe, Middle East, and Africa (United Kingdom): +44 (0) 1276 854 101

www.bluecoat.com

Copyright© 1999-2005 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. The Software may not be modified, reproduced (except to the extent specifically allowed by local law), removed from the product on which it was installed, reverse engineered, decompiled, disassembled, or have its source code extracted. In addition to the above restrictions, the Software, or any part thereof, may not be (i) published, distributed, rented, leased, sold, sublicensed, assigned or otherwise transferred, (ii) used for competitive analysis or used to create derivative works thereof,(iii) used for application development, or translated (iv) used to publish or distribute the results of any benchmark tests run on the Software without the express written permission of Blue Coat Systems, Inc., or (v) removed or obscured of any Blue Coat Systems, Inc. or licensor copyrights, trademarks or other proprietary notices or legends from any portion of the Software or any associated documentation. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. Blue Coat Systems, Inc. specifications and documentation are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. ProxySG™, ProxyAV™, CacheOS™, SGOS™, are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, and The Ultimate Internet Sharing Solution® are registered trademarks of Blue Coat Systems, Inc. 
All other trademarks contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The Software and all related technical information, documents and materials are subject to export controls under the U.S. Export Administration Regulations and the export regulations of other countries.

Document Number: 231-02764

Document Revision: 1.00—01/28/2005

Contents

Chapter 1: Introduction
    The Importance of Web Scanning
    New Features and Enhancements
    Supported Platforms
        Hardware
        Software
        Supported Browsers
    Upgrade Issues
    Organization of This Document
    ProxyAV Documentation Suite

Chapter 2: Basic Network and Access Information
    Section A: Specifying the Usernames and Passwords
        Specifying the Administration Username and Password
        Specifying a Read-Only Username and Password
    Section B: Configuring Network Access
        Specifying the Appliance Identification Information
            Specifying the ProxyAV Name
            Specifying the ProxyAV Time
        Specifying the Default Gateway
        Specifying the ProxyAV Address
        Specifying Client Access
        Configuring Management Console Access
            Enabling HTTP Access
            Enabling HTTPS Access
            Disabling Console Access
        Generating Keyrings and Certificates
    Section C: Configuring Network Routing
        Specifying the DNS Servers
        Specifying an Upstream Proxy Server
        Adding Routes
        Adding ARPs
        Specifying Link Speed

Chapter 3: Configuring Anti-virus Scanning
    Section A: Introduction to Anti-virus Protection
        Introduction
        File Terminology
    Section B: Managing Anti-virus Subscriptions
        Registering the ProxyAV
        Selecting an Anti-virus Vendor
        Managing Pattern Files and Scan Engines
        Updating Scan Engines and Pattern Files
            Specifying a Time Interval
            Specifying Pattern File and Engine Update Locations
            Forcing an Update
    Section C: ICAP
        Configuring the ProxyAV ICAP Service
        About Maximum ICAP Connections
    Section D: Configuring Anti-virus Parameters
        Determining Which File Types to Scan
            ProxySG Policies
            ProxyAV Policies
        Configuring Scanning Behavior
        Enabling Heuristic Parameters
        Specifying the Anti-virus File Scanning Timeout Value
        Specifying the Limits of Scannable Files
        Specifying an Action Upon Content Scan Error
        Viewing Anti-virus Status
    Section E: Configuring Notification Alerts
        Configuring Alert Notification Information
        Customizing Messages

Chapter 4: Logging
    Configuring Logging
    Configuring CSV Logging
    Viewing Log Files

Chapter 5: Maintenance and Troubleshooting
    Section A: Managing Configuration Files
    Section B: Troubleshooting
        Debugging ICAP Communication Errors
        Preventing a ProxyAV Pattern File Update Failure
        Pinging
        Retaining Troubleshooting Log Files
        Troubleshooting Services
        Troubleshooting Utilities
            Reload Drivers
            Soft Reboot
            Diagnostics
            DNS Cache
        Resetting the ProxyAV 2000-E Appliance
        Resetting the ProxyAV 400-E Appliance
        Restore the Factory Defaults
        Reset the Appliance

Chapter 6: Example Scenarios
    Section A: Scenario 1—Basic Anti-virus Deployment
        The Task
        ProxySG Configuration
            Configure an ICAP Service
            Create a Patience Page
        ProxyAV Configuration
        Visual Policy Manager: Create Policy

Appendix A: Upgrading the ProxyAV
    Section A: Upgrade Procedure
        About Firmware Updating
        Upgrading to ProxyAV 2.2.x
        Restricting Administrator ProxyAV Access to HTTPS
    Section B: Upgrade Issues
        Management IP
            Upgrade Behavior
            Downgrade Behavior
            Legacy Procedure: Specifying the Management IP Address

Appendix B: Deploying the ProxyAV
    The Challenges of Web Scanning Integration
    The Blue Coat ProxyAV Solution
    Determining Network Location
    Deployment Diagram 1—ProxyAV With a Crossover Cable
    Deployment Diagram 2—ProxyAV With a Switch
    Deployment Phases

Chapter 1: Introduction

The Importance of Web Scanning

The Blue Coat® Systems ProxySG™ with ProxyAV™ integration is a high-performance Web anti-virus (AV) solution. For most enterprises, Web applications and traffic are mission-critical, representing 90% of the total Internet traffic. The umbrella of Web traffic includes: HTTP, FTP, IM, peer-to-peer (P2P), and streaming. While most users are aware that opening unsolicited e-mail attachments can propagate the spread of a virus, Web-based threats, such as the Code Red and NIMDA viruses, do not require user propagation. As these threats continue to rise, it is vital to dedicate more attention to securing Web traffic, with the goal to prevent viruses from entering the network, not just cleaning up infections after they enter.

By deploying the ProxySG/ProxyAV solution, you gain performance and scalability (up to 250+ Mbps HTTP throughput), along with Web content control.

New Features and Enhancements

The following features are new to this version of ProxyAV:

• HTTPS secure Management Console access—Provides greater security by only allowing authorized administrators to access the ProxyAV.

• Improved scanning behavior policy.

• Improved integration with the ProxySG.

Supported Platforms

This section contains the ProxyAV hardware and software requirements.

Hardware

• The ProxyAV only supports the Blue Coat ProxySG.

• ProxyAV 2.2.x is supported on the Blue Coat 400-E and 2000-E appliances.

Software

To employ the enhanced policy features in ProxyAV 2.2.x, the ProxySG must be running the SGOS 3.2.4.x or later operating systems; however, previously supported SGOS versions are still valid with this release.

Supported Browsers

ProxyAV 2.2.x supports Microsoft Internet Explorer, version 5.x and Netscape Communicator, version 6.x. Other browsers might be compatible, but have not been tested as of the printing of this document.

Upgrade Issues

If you are updating from a previous ProxyAV release to this release, Blue Coat strongly recommends reading Appendix A: "Upgrading the ProxyAV" on page 47 before performing the upgrade.

Organization of This Document

This Configuration and Management Guide is divided into the following chapters:

Table 1.1: Document Contents

Chapter 1: “Introduction” on page 5
    Introduces the ProxyAV and this document.

Chapter 2: “Basic Network and Access Information” on page 7
    Describes how to specify interface IP addresses and configure the ProxyAV on the network.

Chapter 3: “Configuring Anti-virus Scanning” on page 17
    Describes how to configure the ProxyAV to communicate with the ProxySG and how to configure the ProxyAV anti-virus content scanning features.

Chapter 4: “Logging” on page 31
    Describes how to configure how the ProxyAV logs information for performance and results analysis.

Chapter 5: “Maintenance and Troubleshooting” on page 33
    Describes how to perform simple tasks to maintain the ProxyAV and troubleshoot the appliance locally.

Chapter 6: “Example Scenarios” on page 41
    Provides example configurations.

Appendix A: "Upgrading the ProxyAV" on page 47
    Describes behaviors associated with upgrading to this version of the OS.

Appendix B: "Deploying the ProxyAV" on page 53
    Provides diagrams and information about the AV solution and the location of the ProxyAV on the network.

ProxyAV Documentation Suite

The complete suite of ProxyAV documentation includes the following:

• Blue Coat Systems 2000-E Series Installation Guide (online only).

• Blue Coat Systems 2000-E Series Quick Start Guide

• Blue Coat Systems ProxyAV 400 Series Installation and Quick Start Guide.

• Activating Your Software License Key

• Online Help

• This Configuration and Management Guide.

Chapter 2: Basic Network and Access Information

The Activating Your Software Key pamphlet, packed with the software bundle in your ProxyAV shipment, describes how to perform first-time configuration steps, including administrator name and password, appliance network configurations, and AV subscription information. This chapter assumes the ProxyAV is configured according to steps in the pamphlet. If necessary, use the procedures provided in this chapter to alter the default configurations.

This chapter contains the following sections:

• Section A: “Specifying the Usernames and Passwords” on page 8—Describes how to configure access credentials.

• Section B: “Configuring Network Access” on page 9—Describes how to configure ProxyAV IP addresses and secure Management Console access.

• Section C: “Configuring Network Routing” on page 14—Describes how to configure routes, including upstream proxy access.

Section A: Specifying the Usernames and Passwords

Specifying an administration username and password prevents unauthorized access to the ProxyAV Management Console. You can specify two accounts: one for administrative access and one for read-only access.

Specifying the Administration Username and Password

Once an administration username and password are defined, the authentication credential check is enforced and no user can access the Management Console without entering the proper information.

Important: If you do not specify this information, any user can access the Management Console. No credential prompt occurs.

To specify an administration username and password:

1. In the Management Console, select Change Password.

2. Select Require Authentication.

3. In the Username field, enter the administrator user name.

4. In the New Password field:

a. Enter the administrator password. The maximum number of characters is 14.

b. Repeat the entry in the Verify New Password field.

5. In the Session timeout field, enter the number of elapsed minutes before the administrator is required to enter access credentials again.

6. Click Save Changes.

Specifying a Read-Only Username and Password

You can specify a separate username and password that allows other users to view the ProxyAV Management Console, yet not have the ability to change any configurations.

To specify a read-only username and password:

1. In the Management Console, select Change Password.

2. Click Change Read-Only User data.

3. Specify the username and password information.

4. Click Save Changes.

Section B: Configuring Network Access

The network configurations in this section identify the ProxyAV to the network.

Specifying the Appliance Identification Information

This section describes how to specify the appliance name and current time.

Specifying the ProxyAV Name

This option is not required, but if you have multiple ProxyAV appliances installed, giving each one a unique and relevant name makes it easy to identify each appliance's configured purpose.

To specify or change the appliance name:

1. In the Management Console, select Network.

2. Under Global Settings, in the Appliance Name field, enter a name.

3. Click Save Changes.

Specifying the ProxyAV Time

This option allows you to set the internal ProxyAV clock. Setting the correct local time ensures reliable diagnostic information, such as accurate timestamps in logs.

To set the internal clock:

1. From the Management Console, select Advanced>Set Time.

2. In the respective fields, enter the current hour, minutes, and seconds.

3. Click Save Changes.

Specifying the Default Gateway

This option specifies the network default gateway address.

To specify or change the default gateway address:

1. In the Management Console, select Network.

2. Under Global Settings, in the Default Gateway field, enter the gateway address.

3. Click Save Changes.

Note: If a different IP address is entered from the front panel of the appliance (on supported models), this value is changed accordingly.

Specifying the ProxyAV Address

The ProxyAV connects to the ProxySG or a switch through a network cable that is attached to Interface 0 for ProxyAV 400-E appliances or Interface 1 for ProxyAV 2000-E appliances. Your ProxyAV model dictates which interface number appears on the Network page of the Management Console.

To specify or change the Interface IP address:

1. In the Management Console, select Network.

2. Under Settings for Interface #, in the IP Address field, enter the IP address of the Interface.

3. In the Subnet Mask field, enter the subnet mask.

4. Click Save Changes.

Specifying Client Access

The Client Access List displays the currently defined IP addresses allowed administrative remote access to both the ProxyAV interface IP addresses and ICAP clients. When remote access is enabled, you can access the interface from outside your local network. This feature also allows you to deny access to subnets or untrusted hosts while allowing access from others on the LAN, or to allow selected subnets, such as your ProxySG clients, and deny other clients from the subnets dedicated for ICAP communications. For security reasons, Blue Coat recommends keeping this list limited and specific.

To configure remote access:

1. In the Management Console, select Network.

2. Under Client Access List, click Add; the Administration and ICAP Server Access Entry page appears.

3. In the IP Address field, enter the IP address of a client or subnet that will or will not be allowed administrative access to the ProxyAV.

4. In the Mask field, enter a subnet address.

5. Select a Status:

❥ Restrict: This IP address and subnet is denied administrative access.

❥ Allow ICAP access: This option allows clients to be ICAP clients.

❥ Allow admin & ICAP access: This IP address and subnet is allowed administrative and ICAP server access.

6. Click Save Changes.

When there are no entries in the table (or all entries are set to restricted), remote or ICAP access is not allowed.
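The following is an added example, not part of the Blue Coat guide or the appliance software: a Python review script for a Client Access List copied by hand from the Network page. The row format, the function names, the /24 breadth threshold and the sample addresses are assumptions made for illustration; the three status labels and the rule that an empty or all-Restrict list allows no remote or ICAP access come from the text above.

```python
import ipaddress

# Status labels from the Administration and ICAP Server Access Entry page.
RESTRICT = "Restrict"
ICAP = "Allow ICAP access"
ADMIN_ICAP = "Allow admin & ICAP access"

# Assumption (not from the guide): an admin grant wider than a /24 needs review.
MIN_ADMIN_PREFIX = 24


def parse_entry(ip, mask, status):
    """Convert one (IP Address, Mask, Status) row into (network, status)."""
    if status not in (RESTRICT, ICAP, ADMIN_ICAP):
        raise ValueError(f"unknown status {status!r}")
    # strict=False tolerates a host address entered with a subnet mask.
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False), status


def review(rows, proxysg_hosts):
    """Return a list of findings for a hand-transcribed Client Access List.

    rows          -- iterable of (ip, mask, status) tuples
    proxysg_hosts -- addresses of the ProxySG appliances that must reach ICAP
    """
    entries = [parse_entry(*row) for row in rows]
    allowed = [(net, st) for net, st in entries if st != RESTRICT]
    restricted = [net for net, st in entries if st == RESTRICT]
    findings = []

    # Stated in the guide: no entries, or only Restrict entries, means no
    # remote administration and no ICAP access at all.
    if not allowed:
        findings.append("no Allow entries: remote admin and ICAP access are off")

    for net, status in allowed:
        # "Limited and specific": flag wide administrative grants.
        if status == ADMIN_ICAP and net.prefixlen < MIN_ADMIN_PREFIX:
            findings.append(
                f"{net}: admin access open to {net.num_addresses} addresses")
        # The guide does not say which entry wins when ranges overlap, so an
        # Allow range that intersects a Restrict range is reported, not resolved.
        for r_net in restricted:
            if net.overlaps(r_net):
                findings.append(
                    f"{net} ({status}) overlaps Restrict entry {r_net}: "
                    "verify the effective result on the appliance")

    for host in proxysg_hosts:
        addr = ipaddress.ip_address(host)
        statuses = {st for net, st in allowed if addr in net}
        if not statuses:
            findings.append(f"ProxySG {host}: no entry grants ICAP access")
        elif ICAP not in statuses:
            # Covered only by admin-capable entries: more access than an
            # ICAP client needs.
            findings.append(
                f"ProxySG {host}: reachable only through an admin & ICAP entry")
    return findings


# Constructed sample list; none of these addresses come from the guide.
SAMPLE_ROWS = [
    ("10.0.0.25", "255.255.255.255", ADMIN_ICAP),   # one admin workstation
    ("10.0.0.0", "255.255.0.0", ADMIN_ICAP),        # whole /16 as admins
    ("10.0.5.0", "255.255.255.0", RESTRICT),        # carve-out inside the /16
    ("192.168.10.2", "255.255.255.255", ICAP),      # dedicated ICAP link
]
SAMPLE_PROXYSG = ["192.168.10.2", "10.0.7.1", "172.16.0.9"]

if __name__ == "__main__":
    for line in review(SAMPLE_ROWS, SAMPLE_PROXYSG):
        print(line)
```
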

To access the ProxyAV for remote administrative access, set your browser to use a proxy for HTTP or HTTPS connections. Enter the URL: http://interface_IP:port or https://interface_IP:port. For example, https://10.0.0.2:8082.

Configuring Management Console Access

You can specify which protocols (HTTP and HTTPS) can be used to access the ProxyAV Management Console.

Note: Upon a new installation or upgrade to this release, the HTTPS protocol on port 8082 is enabled; HTTP is disabled.

Enabling HTTP Access

By enabling HTTP access, the administrator can access the Management Console without a secure connection. You can specify a different port number.

To enable HTTP access:

1. In the Management Console, select Network.

2. Under Management Console Access, select Enable HTTP Administration.

3. (Optional) Enter a different port number from the default.

4. Click Save Changes.

Enabling HTTPS Access

With HTTPS, the connection to the Management Console is encrypted.

To configure HTTPS access:

1. In the Management Console, select Network.

2. Under Management Console Access, select Enable HTTPS Administration.

3. (Optional) Enter a different port number from the default.

4. Click Save Changes.

When HTTPS is enabled, you must enter the URL format: https://interface_IP:port to access the ProxyAV Management Console. For example, https://10.0.0.2:8082.

Disabling Console Access

To prevent an administrator from accidentally rendering the ProxyAV inaccessible, once an access protocol is enabled, it cannot be disabled unless another protocol is active. For example, if HTTPS is enabled, you cannot deselect it if HTTP is not enabled (and saved).

Note: For versions of ProxyAV 2.2.x that were upgraded from 2.1.x, this Management IP is included in this functionality. Refer to Appendix A: "Upgrading the ProxyAV", "Management IP" on page 51 for more information about this feature.

Generating Keyrings and Certificates

A default SSL keyring and signing certificate exists upon initial booting of the ProxyAV. You can generate new keyrings and certificates if the Management Console is in HTTPS mode.

Note: The Blue Coat Systems ProxySG Configuration and Management Guide provides detailed information about SSL, Keyrings, and Certificates. Refer to that document for conceptual information regarding these topics.

To generate a new keyring and certificate, and specify the ProxyAV to use them:

1. Select Advanced>SSL Keyrings; the SSL Keyrings page appears.

2. Click Create; a new SSL Keyring page displays.

3. In the Keyring Name field, enter a name that identifies this keyring.

4. By selecting Show Keyring, the contents of the keyring are viewable and exportable.

5. Perform one of the following:

❥ Select Create new and enter the keyring strength in the bit keyring field. A length of 1024 bits is the maximum (and default). Longer keypairs provide better security, but with a slight performance expense on the ProxyAV. Be aware that the maximum key length allowed for international export might be different than the default. For deployments reaching outside of the United States, determine the maximum key length allowed for export. Click OK. The keyring, containing a keypair, is created with the name you chose. It does not have a certificate associated with it yet.

❥ Select Import keyring. In the Keyring field, paste in an already existing keypair. The certificate associated with this keypair must be imported separately. If the keypair that is being imported has been encrypted with a password, select Keyring Password and enter the password into the field. Click OK.

6. The ProxyAV ships with a certificate associated with a default keyring.

You can add three kinds of SSL certificates:

❥ A self-signed certificate.

❥ A certificate signed by a Certificate Authority.

❥ An external certificate.

To create a self-signed certificate:

a. Select Advanced>SSL Certificates; the SSL Certificates page appears.

b. From the Keyring drop-down list, select the newly-created keyring.

c. Click Create; a new SSL Certificates page displays.

d. Fill in the fields as appropriate:

• State/Province—Enter the state or province where the machine is located.

• Country Code—Enter the two-character ISO code of the country.

• City/Locality—Enter the city.

• Organization—Enter the name of the company.

• Unit—Enter the name of the group that will be managing the machine.

• Common Name—A common name should be the one that contains the URL with which the client accesses that particular origin server.

• E-mail Address—The email address you enter must be 40 characters or less.

• Not valid after—From the drop-down lists, select a date after which the certificate is no longer valid.

e. Click OK. After the process is complete, this keyring and certificate can be selected from the Network page for HTTPS encryption.

7. Select Network.

8. Under Management Console Access, from the Keyring drop-down list, select the newly-created keyring. You can also select an SSL version.

9. Click Save Changes.

Section C: Configuring Network Routing

This section describes how to configure network traffic flow.

Specifying the DNS Servers

The ProxyAV ships with three default DNS server settings. These addresses are for the DNS servers of several large ISPs, and should work upon startup (if the appliance has Internet access). You can replace these servers with the DNS server IP addresses that you normally use when configuring your client systems.

To specify or change the DNS search order:

1. In the Management Console, select Network.

2. Under DNS Search Order, specify the IP addresses for the primary, secondary, and tertiary DNS servers.

3. Click Save Changes.

Specifying an Upstream Proxy Server

If your deployment uses an explicit upstream proxy to the Internet, that server must be identified to allow the ProxyAV to retrieve pattern file and scan engine updates and firmware update information.

To specify a proxy server for outside access:

1. In the Management Console, select Network.

2. Click Proxy Server for Updates (link); the Proxy Server and Remote Update page appears.

3. Select one of the following:

❥ No Proxy: (The default) This ProxyAV is not proxied and can directly receive updates.

❥ HTTP Proxy: Proxies this ProxyAV through the defined HTTP proxy server.

❥ SOCKS Proxy: Proxies this ProxyAV through the defined SOCKS proxy server.

4. In the IP field, enter the IP address of the HTTP or SOCKS proxy server.

5. In the Port field, enter the port number, if necessary.

6. (Optional; only applies to HTTP Proxy) Select Enable Proxy Authorization and specify a user name and password in the appropriate fields.

7. Click Save Changes.

Adding Routes

You can add additional routes for deployments where the ProxyAV default route is not sufficient. A typical requirement for this is when the SMTP or DNS servers to be used by the ProxyAV are located on an internal network.

Added routes do not affect traffic that passes through the ProxyAV; they are only used for connections where the ProxyAV is the client. These include updates of pattern and engine files, searching for updates to ProxyAV firmware, and sending alerts.

To add a route to the table:

1. From the Management Console, select Advanced>Route Table.

2. Click Add; the Route entry page appears.

3. In the Destination field, enter an IP address to be used in routing.

4. In the Mask field, enter a subnet value.

5. In the Gateway field, enter a gateway value.

6. Click Save Changes.

7. Repeat as required.

Adding ARPs

Certain firewall configurations require the use of static forwarding tables. Failover configurations use virtual IP (VIP) addresses and virtual MAC (VMAC) addresses. When a client sends an ARP (Address Resolution Protocol) request to the firewall VIP, the firewall replies with a VMAC (which can be an Ethernet multicast address); however, when the firewall sends a packet, it uses a physical MAC address, not the VMAC.

The solution is to create a static forwarding table that defines the next hop gateway.

You can add static ARPs or clear the dynamic and static ARPs.

To add an ARP value to the table:

1. From the Management Console, select Advanced>ARP Table.

2. At the bottom of the table, enter an IP address in the first field.

3. Enter a MAC address.

4. From the drop-down list, select an interface.

5. Click Add.

Specifying Link Speed

By default, the ProxyAV automatically detects the link settings. The following procedure allows you to change it.

To specify the link speed:

1. From the Management Console, select Advanced>Ethernet Adapter Media Type.

The Current Media State field displays the current configuration for the interface. If a cable is not connected, this is stated.

2. Select an option from the drop-down lists: Auto, 10 Mbit/Half, 10 Mbit/Full, 100 Mbit/Half, or 100 Mbit/Full.

3. Click Save Changes.

Note: The Ethernet media link speed feature contains a failsafe so that users do not accidentally lock themselves out of the Management Console by entering an incompatible duplex setting. After selecting a speed/duplex setting and clicking Save Changes, the page refreshes and a new button appears: Confirm Media Type Changes. If you do not click this button, the ProxyAV reverts to the previous setting after two minutes.

Chapter 3: Configuring Anti-virus Scanning

This chapter provides basic anti-virus (AV) information, and describes how to integrate and configure the ProxySG and ProxyAV virus protection solution.

This chapter contains the following sections:

• Section A: "Introduction to Anti-virus Protection"—Provides basic AV information and terms.

• Section B: "Managing Anti-virus Subscriptions"—Describes how to assign your AV vendor and specify pattern file and scan engine update behavior.

• Section C: "ICAP"—Describes how to configure the ProxyAV ICAP service used by the ProxySG.

• Section D: "Configuring Anti-virus Parameters"—Describes how to configure ProxyAV AV scanning behavior.

• Section E: "Configuring Notification Alerts"—Describes how to configure the ProxyAV to send alert messages.

Section A: Introduction to Anti-virus Protection

This section provides basic information and terminology concerning anti-virus (AV) scanning. For a discussion about deploying the ProxySG/ProxyAV integration, see Appendix B: "Deploying the ProxyAV" on page 53.

Introduction

The total Blue Coat AV capabilities are implemented using ICAP as the communication mechanism between the Blue Coat ProxySG and the ProxyAV. The policy definition for content scanning is fully integrated into the Blue Coat policy framework and defined using either the Blue Coat Visual Policy Manager (VPM) or the Blue Coat Content Policy Language (CPL).

Virus-free content is cached for a scan-once, serve-many benefit when scanning cacheable Web objects.

File Terminology

This section provides descriptions of file types as they pertain to AV scanning; along with the descriptions are configuration tips. Blue Coat recommends understanding these descriptions and tips before configuring your ProxySG/ProxyAV solution.

• Simple File—A file type that is not an archive or container of other files.

• Archive File—A file type that contains additional files inside itself. This characteristic can be nested to multiple levels.

• Compressed File—A simple or archive file can be in compressed or decompressed format. A compressed format reduces the file size from its original size. When decompressed, the file size expands to its original size.

• Original File Size—The size of the file sent to the ProxyAV from the ProxySG for scanning. This can be an archive or a simple file. If the file is compressed, the real size is not known until it is decompressed.

• Decompressed File Size—For a simple file, the actual file size after decompressing. Or the total of all files if the original file is an archive file.

• Maximum Individual File Size—A settings parameter defined by the ProxyAV to regulate the upper limit file size that can be passed to an AV engine. The file size check is applied to the original file size, independent of archive or compressed status. The upper limit for a file size can be negated by the ProxyAV File Scanning Timeout option. If the maximum file size is a large value, but the file scanning value is small, the operation can timeout before the size limit is reached.

• File Size Within Archive—It is common for AV engine vendors to have specific rules for specific decompressed file size limits for individual files in an archive. The AV engine sets the preset value, which is currently set to be equal to the maximum file size, but you can specify the limit on the ProxyAV.

• Total Size of All Files Within An Archive—It is common for AV engine vendors to have specific rules for the total decompressed file size limit for all files in an archive. For Sophos, this is indirectly manageable, and the value is larger than the Maximum File Size. More dynamic control before invoking AV vendor calls is planned for a future release.

• File Scanning Timeout—On the ProxyAV, the maximum time allowed for scanning a file; when the timeout value is reached, scanning stops. The time starts when the AV engine receives the file.

• Connection Timeout—On the ProxySG, the time ProxySG waits for a response from the ProxyAV after it finishes sending the file for scanning. If the ProxyAV does not complete the scanning operation within this time the ProxySG declares the scanning operation as failed.

• Maximum Archive Depth—The maximum number of nested archives. For example, if the depth level is 3, the AV engine scans files that are part of a three-embedded zipped file (zipped files in a zipped file in a zip file). Depending on the vendor, the depth is usually in the 16 to 20 range. More dynamic control is planned for a future release.

• Maximum Archive Layers—The maximum number of archive layers. For example, if the depth level is 3, the AV engine scans files that are part of a three-embedded zipped file (zipped files in a zipped file in a zip file). Depending on the vendor, the default depth is usually in the 16 to 20 range. More dynamic control is planned for a future release.

• File Extension—The original files can be distinguished by the file extension following the file name. The ProxySG can prevent the passing of a specific file extension to the ProxyAV.

• File Extension Within Archive—It is common for AV engine vendors to have specific rules for specific file extensions within archives (for example, rules to exclude scanning certain types of file extensions).

Section B: Managing Anti-virus Subscriptions

This section describes how to manage your AV subscriptions, which are obtained from Blue Coat.

The ProxyAV ships with at least one license for anti-virus scanning. Licenses can be obtained for each vendor for varying time periods.

Registering the ProxyAV

Anti-virus scanning services cannot start without a serial number entered and saved. This step is part of the initial system configuration, as detailed in the ProxyAV Software: Activating Your Software License Key pamphlet shipped with the ProxyAV. The appliance’s serial number, located on a sticker on the software CD, must be entered manually.

Selecting an Anti-virus Vendor

The Serial Number and AV Vendor represent your subscription to use the AV engine and pattern files from a particular vendor.

To enter subscription information:

1. From the Management Console, select Subscriptions.

2. Select your AV vendor.

3. Enter a new number to start or extend your subscription. Include the dashes when you enter the number.

4. Click Save Changes.

Typically, ProxyAVs are sold with a one-year antivirus subscription.

Managing Pattern Files and Scan Engines

This section concerns pattern file and scan engine update behavior.

AV vendors constantly update their pattern files and scanning engines. On the ProxyAV, there are two methods by which you can obtain updates from your AV vendor: manually force an update and update at a time interval. By default, the ProxyAV checks for new versions every 30 minutes; this value can be changed.

Updating Scan Engines and Pattern Files

This section describes how to configure when and where the ProxyAV obtains pattern and engine updates.

Specifying a Time Interval

This option allows you to determine how often the ProxyAV contacts the server that provides pattern or engines updates.

To specify a time interval:

1. From the Management Console, select Antivirus.

2. Click the Update Settings link; the Update Settings page is displayed.

3. In the Update Frequency field, enter a value in minutes (the default is 30).

4. Click Save Changes.

Specifying Pattern File and Engine Update Locations

By default, the ProxyAV checks for updates at the default vendor location. You can specify an alternate location to retrieve pattern file or engine updates.

To specify an alternate location for updates:

1. From the Management Console, select Antivirus.

2. Click the Update Settings link; the Update Settings page is displayed.

3. Under Pattern or Engine Update Location, select Custom.

4. In the field, enter the location of the update information. For example:

http://www.company.com/pattern_file_pointer

5. Click Save Changes.

Forcing an Update

You can manually invoke a pattern file and scan engine new-version query and update.

To force an update:

1. Select Antivirus. The table at the top of the page displays your current AV vendor, the scan engine and pattern file versions, and the number of days remaining in the subscription.

2. In the Action column, select Force update and click Update. The latest engine and pattern files are downloaded and installed, regardless of whether the most current versions are already installed.

Section C: ICAP

This chapter describes how to configure the ProxyAV ICAP service for AV scanning.

Configuring the ProxyAV ICAP Service

The ICAP service communicates with the ProxySG, which also has a configured ICAP service.

To configure the ICAP service:

1. In the Management Console, select ICAP Settings.

2. (Prerequisite) If the IP address of the ProxySG has not been added to the allowed list, this must be done. Click Permitted clients to go to the Management Console Network page. Add the IP address to the Client Access List. See "Specifying Client Access" on page 10.

3. Select ICAP Server enabled.

4. In the ICAP server port field, enter the port number used to connect to the ICAP server. The default is 1344.

5. In the Options TTL field, enter the number of seconds the OPTIONS response remains valid. If Do not include is selected, the options-ttl tag is not included in the response to the client.

6. (Optional) In the Antivirus service name field, specify the name of the ICAP service performing the scanning. See the example on the page.

7. Select Allow X-Include to include the X-Include tag (support of original source and original destination tags) in the OPTIONS response to the ICAP client (the ProxySG); thus, the ICAP client is informed that these tags are supported. The X-Include tag itself does not contain a source or destination. The value of this tag will be X-Server-IP, X-Client-IP.

8. Under Include extension headers in response, the default option is X-Virus-ID, which includes the known virus identification. Select X-Infection-Found or X-Violations-Found if your deployment warrants their use.

The ProxyAV ICAP service is configured, and can communicate with a ProxySG that is configured to communicate with this ProxyAV. The next section discusses how to configure file scanning parameters.

About Maximum ICAP Connections

Dependent upon the ProxyAV platform, the default and allowable maximum number of simultaneous ICAP connections varies:

• ProxyAV 400-E:

❐ Default: 50

❐ Maximum: 800

• ProxyAV 2000-E:

❐ Default: 100

❐ Maximum: 1100

The default values are only used to return a value to the ProxySG when it senses settings. If you require a larger value, you must edit the ICAP service on the ProxySG.

In most deployments, 100 ICAP connections are more than adequate, as the ProxySG can multiplex many requests over the 100 ICAP connections. The deployments where this value might require increasing are if there are many slow or long-running connections that cause all 100 ICAP connections to become busy, causing many requests to queue up waiting for a freed connection.

Section D: Configuring Anti-virus Parameters

This section describes how to configure the ProxyAV virus scanning capabilities.

Determining Which File Types to Scan

As the delivery of viruses and malicious code is ever-evolving, Blue Coat recommends scanning all file types. However, the ProxySG/ProxyAV integrated solution allows you to determine which file types are scanned, or more appropriately, not scanned. By default, the ProxySG forwards all file types for scanning, but you can create policy that includes or excludes specific file types.

Blue Coat recommends scanning all file types to attain maximum security against harmful content. The following file types are known to harbor viruses:

"";ARJ;BAT;BIN;BMP;BOO;CAB;CHM;CLA;CLASS;COM;CSC;DAT;DLL;DOC;DOT;DRV;
EML;EXE;GIF;GZ;HLP;HTA;HTM;HTML;INI;JAR;JPG;JPEG;JS;JSE;LNK;LZH;MDB;MPD;MPP;
MPT;MSG;MSO;NWS;OCX;OFT;OVL;PDF;PHP;PIF;PL;POT;PPS;PPT;PRC;RAR;REG;
RTF;SCR;SHS;SYS;TAR;TIF;VBE;VBS;VSD;VSS;VST;VXD;WML;WSF;XLA;XLS;
XLT;XML;Z;ZIP;{*;

At the time of this printing, the following MIME file types are deemed low risk to contain harmful content:

audio; pdf multipart; x director video

Note: Blue Coat recommends scanning image files, but there might be a noticeable performance latency impact.

ProxySG Policies

To increase performance, you might opt to instruct the ProxySG to exclude these types from scanning.

CPL Example: Excluding File Types

This policy excludes the Real Media file type, which is at very low risk to contain harmful content, from being scanned.

define condition FileExtension_lowrisk
    url.extension=rm
end condition FileExtension_lowrisk

<Cache>
condition=!FileExtension_lowrisk response.icap_service(icap, fail_closed)

VPM Example: Excluding File Types

In the Destination column, a File Extension object is created, which contains the Real Media file type; the object is then negated (notice the symbol):

Figure 3-1: A Web Content Layer with a rule to negate the low-risk file extension.

CPL Example: Including File Types

This policy specifies that HTML and Zip file types are scanned:

define condition FileExtension_highrisk
    url.extension=html
    url.extension=zip
end condition FileExtension_highrisk

<Cache>
condition=FileExtension_highrisk response.icap_service(icap, fail_closed)

VPM Example: Including File Types

Another rule is added. In the Destination column, a File Extension object is created, which contains the HTML and Zip file types:

Figure 3-2: Subsequent rule with the high-risk file types added.

ProxyAV Policies

On the ProxyAV, you can specify file types that are blocked—neither scanned, nor served to the client (deny)—or served to the client unscanned (allow).

To specify blocked or passed-through file types:

1. From the Management Console, select Antivirus.

2. Click Scanning Behavior.

3. Under File Extensions, enter file types as appropriate:

❐ Drop files having extensions—Any file types with these extensions are blocked and not served to the client.

❐ Don’t scan files having extensions—Any file types with these extensions are passed through unscanned to the client. When considering this option, Blue Coat advises that viruses and other malicious code can be embedded in many file types, including image formats.

Configuring Scanning Behavior

The scanning behavior features allow you to define the parameters and actions the ProxyAV follows when performing AV scans.

Enabling Heuristic Parameters

When Heuristic Parameters is enabled, the ProxyAV learns about traffic patterns on your network and adjusts accordingly to increase performance. After an initial learning period, the ProxyAV should be able to accelerate network traffic by approximately 15% to 30%. The learning process restarts whenever a new virus pattern file or an updated scanning engine is downloaded.

To enable Heuristic Parameters:

1. From the Management Console, select Antivirus.

2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.

3. Under Heuristic Parameters, select Enabled.

4. Click Save Changes.

Specifying the Anti-virus File Scanning Timeout Value

Some files, while not viruses themselves, are designed to disable a virus scanner. While these files cannot disable a ProxyAV, they can use up system resources and slow down overall throughput. Defining a timeout value allows the ProxyAV to reclaim those resources.

There are two ICAP Timeout values: a ProxySG Connection Timeout and a ProxyAV File Scanning Timeout.

• The ProxySG Connection Timeout is the duration the ProxySG waits for a response from the ProxyAV after it completes sending the data to the ProxyAV. When the timeout interval is reached, the ProxySG closes the connection with ProxyAV. The default value for the ProxySG Connection Timeout is 70 seconds. This setting protects against TCP connection issues.

• The ProxyAV File Scanning Timeout is the maximum time allowed to scan a file. When the timeout value is reached, the ProxyAV stops scanning the file and sends the ProxySG a 500 - ICAP Communication error. It also logs the reason for the file scanning failure in the Alertslog.log file. This value is specified on the Antivirus>Scanning Behavior page.

Additionally, you can specify whether to block or pass-through a file upon scanning timeout by selecting Timeout under Block file if an error occurs during antivirus scan. See "Specifying an Action Upon Content Scan Error" on page 27.

To specify a timeout value:

1. From the Management Console, select Antivirus.

2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.

3. Under Files Scanning Timeout, enter the amount of time the ProxyAV is to scan a file.

4. Click Save Changes.

The default is 800 seconds; the minimum is ten seconds; the maximum is 3600 seconds (60 minutes).

Specifying the Limits of Scannable Files

These settings impose limits on the size and number of files allowed to be scanned.

• Maximum individual file size—An individual file size cannot exceed the specified size (MB). Dependent upon hardware limits of different ProxyAV platforms, the Maximum Individual File Size that can be scanned is as follows:

❐ ProxyAV 400-E: 750 MB.

❐ ProxyAV 2000-E1: 750 MB.

❐ ProxyAV 2000-E3: 900 MB.

• Maximum total uncompressed size—An uncompressed file or archive cannot exceed the specified size (MB). The maximum is 3000 MB.

• Maximum total number of files in archive—An archive cannot contain more than the specified number of files. The maximum is 100,000.

• Maximum archive layers—The number of layers in the archive that are unpacked for scanning. The maximum is 20 to 100, depending on anti-virus vendor.

If any of these options are exceeded, the object is not scanned.
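
How these limits interact is easiest to see on a concrete archive. The following Python is an added example, not the ProxyAV's implementation: it models the checks for ZIP archives only and reports the first limit an object exceeds, rejecting on the declared size before anything is inflated. The label "Maximum archive layers exceeded" and the counting rule (only files that are not themselves archives count toward the totals) are assumptions of this model; the sample archives in the usage section are constructed.

```python
import io
import zipfile
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass
class Limits:
    # Defaults are the maxima the guide lists; 20 layers is the low end of
    # its "20 to 100, depending on anti-virus vendor" range.
    max_individual: int = 750 * MB
    max_total: int = 3000 * MB
    max_files: int = 100_000
    max_layers: int = 20


class LimitExceeded(Exception):
    """Carries the label of the first limit that was hit."""


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def check_object(data: bytes, limits: Limits):
    """Return the label of the first limit exceeded, or None if within limits."""
    # The individual-size check uses the original size, archive or not.
    if len(data) > limits.max_individual:
        return "Maximum individual size exceeded"
    state = {"total": 0, "files": 0}
    try:
        _walk(data, 1, limits, state)
    except LimitExceeded as exc:
        return str(exc)
    except zipfile.BadZipFile:
        return "Decode/decompress"
    return None


def _walk(data, layer, limits, state):
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Simple file: counts once and adds its size to the running total.
        state["files"] += 1
        state["total"] += len(data)
        if state["files"] > limits.max_files:
            raise LimitExceeded("Maximum total number of files in archive exceeded")
        if state["total"] > limits.max_total:
            raise LimitExceeded("Maximum total uncompressed size exceeded")
        return
    if layer > limits.max_layers:
        raise LimitExceeded("Maximum archive layers exceeded")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # bit 0 marks an encrypted member
                raise LimitExceeded("Password protected compressed file")
            remaining = limits.max_total - state["total"]
            # Reject on the declared size before inflating anything ...
            if info.file_size > remaining:
                raise LimitExceeded("Maximum total uncompressed size exceeded")
            # ... and bound the read as well, in case the header is wrong.
            with zf.open(info) as fh:
                member = fh.read(remaining + 1)
            if len(member) > remaining:
                raise LimitExceeded("Maximum total uncompressed size exceeded")
            _walk(member, layer + 1, limits, state)


if __name__ == "__main__":
    small = Limits(max_individual=10_000, max_total=5_000, max_files=3, max_layers=2)
    # 20,000 zero bytes deflate to a few hundred bytes of archive.
    print(check_object(make_zip({"zeros.bin": b"\0" * 20_000}), small))
    nested = make_zip({"l2.zip": make_zip({"l3.zip": make_zip({"x": b"x"})})})
    print(check_object(nested, small))
```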

Loggable Errors

Current ProxySG versions do not log the reason for file scanning failures; they just send an ICAP communication error to the client (applies to SGOS 3.2.4 and above).

The ProxyAV, however, logs these errors in the file, which is accessible from the Log File screen (See Chapter 4: “Logging” on page 31). All file-scanning failures are logged in this log.

The following are the errors logged in the Alertlogfile.log file for different file scanning failures because of file size limits:

• If the file is larger than the specified maximum size, you receive a file too big alert.

• If the unpacked file is larger than the specified maximum size, you receive an unpacked file too big alert (this alert was previously out of space).

• If the appliance is out of temporary space, you receive an insufficient temporary storage space alert (this was previously out of space).

Specifying an Action Upon Content Scan Error

If the ProxyAV experiences an error, or exception, during a content scan of a file, scanning immediately stops. If the file has several potential exceptions, the first error encountered is the one of record.

Note: For certain exceptions, Sophos might continue to scan.

You can specify what action the ProxyAV takes when a timeout or other error occurs during a content scan. If enabled, the file is blocked (the default). If no options are selected, the file undergoing scanning when the error occurs is passed on to the client, unscanned.

To specify an action upon error:

1. From the Management Console, select Antivirus.

2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.

3. Under Policies For Antivirus Exceptions, select one or more options:

❐ File Scanning Timeout—The time required to scan the file exceeds the specified or appliance limit.

❐ Decode/decompress (unsupported compression method, corrupted compression file)—An error occurred during decoding or during decompression of a compressed file. For example, a corrupted file or a method used to decompress the file is unsupported. (Does not apply to Panda.)

❐ Password protected compressed file—A compressed file that requires a password to access. (Does not apply to Panda.)

❐ Out of temporary storage space—The ProxyAV buffer capacity for files to be scanned is full.

❐ Maximum individual size exceeded—A file size exceeds the specified or maximum appliance limit.

❐ Maximum total uncompressed size exceeded—An uncompressed file size exceeds the specified or maximum appliance limit.

❐ Maximum total number of files in archive exceeded—An archive contains more files than the specified or maximum appliance limit.

❐ Other errors—Any miscellaneous error that causes irregular behavior.

4. Click Save Changes.

Viewing Anti-virus Status

The table on the Antivirus page in the Management Console provides the current status of the AV engine currently employed by the ProxyAV.

In the table, Days Remaining is the current length of your license to use the software. You can extend this period by entering a new serial number on the Management Console Subscriptions page. The ProxyAV checks for new engines and pattern files once per hour (unless specified elsewhere).

If you click Update, the ProxyAV checks if newer files than the ones currently installed exist. If new versions do exist, they are downloaded and installed.

Selecting Force Update and clicking Update forces the ProxyAV to download and install the latest file versions, regardless of the file versions currently residing on the ProxyAV.

Section E: Configuring Notification Alerts

This section describes how to configure alerts that are sent to administrators upon detection and action upon a virus.

Configuring Alert Notification Information

This section describes how to specify recipients of alerts and authentication.

To configure alert notification information:

1. From the Management Console, select Alerts.

2. In the Sender e-mail address field, specify the source e-mail address (the address that identifies to the reader which appliance is sending the notification). For example: [email protected].

3. In the Recipient e-mail address field, specify who the ProxyAV alerts when an event occurs. Send alerts to multiple addresses by using a comma separated list; for example: [email protected],[email protected],[email protected]. If this field does not contain a recipient address, the ProxyAV neither attempts to send an email nor makes an entry in the AlertErrors.log.

4. In the SMTP server address field, enter the server IP address or name (example: mail.company.com).

5. Some SMTP servers require authentication. If yours does:

a. Select SMTP Authorization Enabled.

b. Enter 110 as the port number.

The ProxyAV uses POP before SMTP to authenticate; therefore, your username and password are submitted to the mail server on port 110 before sending the alert.

c. Enter a valid username and password twice.

6. By default, the ProxyAV sends all alerts through e-mail. To also keep a log file of events, select Enable alerts logging to file. (See Chapter 4: “Logging” on page 31.)

7. Click Save Changes.

Customizing Messages

Each alert contains information about the event that triggered it. Because different events can trigger an alert, there can be many different alert forms. In the Advanced>Messages table, you can specify what information is in each type of alert. The first three columns—Protocol, Event, and Command Type—define each type of event.

The Alert column defines what information is included in the alert that is logged or sent through e-mail to the administrator.

The Substitute column defines what text is substituted and sent to the client for the original data.

Each virus and error message type has a default message. Click Modify in the Alert or Substitute column to go to a page where you can customize the messages using autotext keywords.

The following keywords can be used:

• %CLIENT—The client IP address.

• %ACTION—What action was performed (file passed/dropped).

• %URL—The URL where the file was downloaded from.

• %FILE—The original file as received from the ProxySG, or a file embedded in an HTML object (an HTML object can contain several files); the file name can be changed using the Content-Disposition: HTTP header tag.

• %SUBFILE—A file within an archive file that contains a problem or virus.

• %VIRUS—The virus name.

• %REASON—Why the event occurred. For example, why can't the file be scanned?

• %MACHINENAME—The name of the ProxyAV appliance.

• %MACHINEIP—The ProxyAV appliance IP address.

• %PROTOCOL—The scanned protocol.

• %APPNAME—The application name (ProxyAV).

• %APPWEB—The application vendor Web address.

• %APPVERSION—The application version.

• %AVVENDOR—The anti-virus vendor.

• %AVENGINEVERS—The anti-virus engine version.

• %AVPATTERNVERS—The anti-virus pattern version.

• %AVPATTERNDATE—The anti-virus pattern date.

• %TIMESTAMP—The time the event occurred.

• %ADMINMAIL—The administrator mail address.

The % character always precedes the tag name. Capitalization is also important; do not use lowercase variable names.

Exception Pages

For each different X-Error-Code header, it is possible to create separate exception pages on the ProxySG. This requires creating policy on the ProxySG.

Chapter 4: Logging

This chapter describes how to configure ProxyAV logging options.

Configuring Logging

This option allows you to forward detailed logging information to any system on your network. The ProxyAV includes an application for receiving logs, or you may use your own syslog application. The Blue Coat log receiver is called ConnLog.exe and can be downloaded from the Log Files page by clicking Get log receiver application (ConnLog.exe) or Get Windows based log receiver application (ConnLogXP.exe).

The logs are in plain text format and can be imported into most log analyzer applications. ConnLog.exe writes a new log file for each day into the current directory. By default, it listens for a connection from the ProxyAV on port 8001. Run the .exe file from a command line to change this listening port. The .exe /? command displays usage information.

Note: If configured, the ProxySG logs provide complete information, including ICAP results and virus information. The ProxyAV logging capability is useful for troubleshooting.

To define where logs are sent:

1. From the Management Console, select Log Files.

2. Under Logging, select Enable sending logging information to remote computer.

3. In the Address field, enter the IP address of the destination server.

4. Select the protocol: TCP/IP or UDP.

5. Select the logging format:

❥ ProxyAV Classic: The Blue Coat logging format.

❥ MS Proxy 2.0: Microsoft Proxy logging format.

❥ ISA W3C: Extended log file format.

❥ User Defined: A log format you specify using the format string.

6. If you selected User Defined format, you can select Include W3C headers to include them.

7. If you selected User Defined, you can specify the Delimiter format, Comma, or Space.

8. The Format String field displays the default logging tokens, based on the selected log format, that define what detailed information appears in the logs. If you selected User Defined format, you can modify this as required. To display a list of valid tokens, click Token list.

9. Click Save Changes.
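For sites that use their own receiver instead of ConnLog.exe, the following TCP receiver is an added example, not Blue Coat code. It assumes the appliance sends newline-terminated plain-text records over TCP to port 8001; the file naming, the source allow-list (10.0.0.2 is the sample ProxyAV address used in this guide's scenario) and the control-character filtering are this example's own choices.

```python
import datetime
import os
import socketserver


class DailyLogWriter:
    """Appends records to <directory>/proxyav-YYYY-MM-DD.log, one file per day."""

    def __init__(self, directory="."):
        self.directory = directory

    def path_for(self, when):
        return os.path.join(self.directory,
                            "proxyav-%s.log" % when.strftime("%Y-%m-%d"))

    def write(self, line, when=None):
        when = when or datetime.datetime.now()
        with open(self.path_for(when), "a", encoding="utf-8") as handle:
            handle.write(line + "\n")


def clean(raw):
    """Decode one record and replace control characters, so a URL or file
    name carried in the log cannot inject terminal escapes or extra lines."""
    text = raw.decode("utf-8", errors="replace")
    return "".join(ch if ch.isprintable() or ch == "\t" else "?" for ch in text)


class LineAssembler:
    """Rebuilds newline-terminated records from arbitrary TCP chunks."""

    MAX_LINE = 8192  # cap on an unterminated record held in memory

    def __init__(self):
        self.buffer = b""

    def feed(self, chunk):
        self.buffer += chunk
        lines = []
        while b"\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\n", 1)
            lines.append(clean(line.rstrip(b"\r")))
        if len(self.buffer) > self.MAX_LINE:
            lines.append(clean(self.buffer))  # flush the overlong record
            self.buffer = b""
        return lines


def make_handler(writer, allowed_sources):
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            # Accept log connections from the appliance only.
            if self.client_address[0] not in allowed_sources:
                return
            assembler = LineAssembler()
            while True:
                chunk = self.request.recv(4096)
                if not chunk:
                    break
                for line in assembler.feed(chunk):
                    writer.write(line)
    return Handler


def serve(bind="0.0.0.0", port=8001, allowed_sources=("10.0.0.2",), directory="."):
    handler = make_handler(DailyLogWriter(directory), set(allowed_sources))
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer((bind, port), handler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```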

Configuring CSV Logging

This option allows the ProxyAV to log viruses in CSV format.

To configure CSV logging:

1. From the Management Console, select Log Files.

2. Under CSV Logging, select Enable logging of viruses to CSV format.

3. Select to create a new file every Hour, Day, Month, or Week.

4. In the Field delimiter field, enter what symbol is used to separate log entries.

5. Click Save Changes.

Viewing Log Files

The Log Files table at the bottom of the Management Console Log Files page allows you to view the generated log files.

• AlertsErrors: This file is a log of alert errors. When the ProxyAV cannot send alerts to the administrator(s) designated in the Alerts page, the event is logged here. The most common entry to this log is an inaccessible SMTP server.

• AlertLogFile.log: If Enable alerts logging to file is enabled on the Alerts page, all events are logged here. This log is different from the AlertErrors.log in that it includes all alerts, not just those that could not be sent to the administrator by e-mail.

• virus-log-date.csv: Log files generated by virus logging in CSV format.

• boot.log: Records all reboots of the machine. Using this information, Blue Coat Technical Support can assist you with troubleshooting.

Chapter 5: Maintenance and Troubleshooting

This chapter describes the features used to maintain and troubleshoot the ProxyAV appliance. This chapter contains the following sections:

• Section A: “Managing Configuration Files” on page 34—Describes how to save and load the ProxyAV configuration files.

• Section B: “Troubleshooting” on page 35—Provides help to solve basic problems that might arise on the ProxyAV.

Section A: Managing Configuration Files

This feature allows you to manage the ProxyAV configuration files. You can save the current ProxyAV configuration to a file and load a ProxyAV configuration from a local file.

To save a configuration file:

1. In the Management Console, select Utilities.

2. Save the configuration file:

a. In the Save Configuration line, click the link. A File Download dialog appears.

b. Click Save. A Save As dialog appears.

c. Navigate to where you want to save the file.

d. (Optional) Name the file.

e. Click Save.

To load a configuration file:

1. If you know the location of the configuration file, enter the path in the field ~or~ click Browse and navigate to the file location.

2. (Optional) Select Overwrite current IP configuration with the IP settings from uploaded file to use the IP definitions of the saved file.

3. Click Upload and Apply.

Section B: Troubleshooting

This section describes the ProxyAV utilities provided to aid with local troubleshooting.

Debugging ICAP Communication Errors

If you receive a 500-ICAP Communication Error response, perform the following to diagnose the issue:

• Examine the error response. The page contains the description of the error and additional details from the anti-virus engine.

• Examine the ProxySG event log messages. If the ProxySG is not able to establish a connection with ProxyAV, it logs the following message: Cannot establish connection to service.

• Examine the ProxyAV Alertlogfile.log for the failure reasons. All file-scanning failures, such as timeout, file too big, and decompression errors, are logged here.

Important: When you open Alertlogfile.log using the option View log file in browser, the complete file might not be displayed, as the file is often too big to be displayed on the browser. Use a text editor to open the log file directly to see all the error messages. The latest error messages are logged at the bottom of the file.

Preventing a ProxyAV Pattern File Update Failure

If the ProxyAV is proxied through the ProxySG, an error occurs if the ProxySG is serving patience pages during pattern file updates (this does not occur if the ProxyAV has direct Internet access). The reason is that the ProxySG views the ProxyAV as a client during these updates. The following policy instructs the ProxySG to disable patience pages when the user-agent is the ProxyAV:

CPL:

inline policy local eof
<Cache>
response.icap_service(respav)
<Proxy>
request.header.User-Agent="ProxyAV" patience_page(no)
eof

VPM:

1. Select Policy>Add Web Access Layer.

2. Right-click the Source column; click Set.

3. Click New; select Request Header.

4. In the Header Name drop-down list, select User-Agent.

5. In the Header Regex field, enter ProxyAV.

6. Click OK; click OK to add the object to the rule.

7. Select Policy>Add Web Content Layer.

8. Right-click the Action column; click Set.

9. Click New; select ICAP Response Service.

10. In the Use ICAP Response Service drop-down list, select the ICAP service.

11. Click OK; click OK to add the object to the rule.

12. Install the policy.

Pinging

Ping a server to verify its state.

To ping a server:

1. From the Management Console, select Advanced; click the Ping Utility link.

2. In the IP Address field, enter the IP address of the server to be pinged.

3. Click Ping.

Retaining Troubleshooting Log Files

You can configure the ProxyAV to retain log files containing information that might assist Blue Coat Technical Support should the ProxyAV experience difficulties. If enabled, the ProxyAV saves these log files, which are accessible from a table.

To retain log files:

1. From the Management Console, select Advanced; click the Troubleshooting link.

2. Select Enable Keeping Troubleshooting Logs.

3. Click Save Changes.

Troubleshooting Services

The following options allow you to specify additional ProxyAV communication services that can assist administrators or Blue Coat Technical Support to diagnose difficulties. To access these options, from the Management Console, select Advanced; click the Additional Services link.

• Enable sending Troubleshooting Information files: Allows files containing troubleshooting information to be sent by e-mail to Blue Coat Technical Support.

• Enable tech support remote access: Allows Blue Coat Technical Support to access this ProxyAV appliance.

• Enable ping to Interface IP: Allows you to ping the interface IP address of this ProxyAV appliance.

If you invoke any of these options, you must click Save Changes.

Troubleshooting Utilities

These options are designed to help you resolve technical troubles with a ProxyAV appliance. To access these options, from the Management Console, select Utilities.

Reload Drivers

The ProxyAV reloads its drivers. This is similar to rebooting the appliance, but is faster. Use this option if you perform a configuration change that does not appear to be in effect.

Soft Reboot

This is the equivalent of resetting a computer. It physically reboots the machine. A new entry in the boot.log occurs.

Diagnostics

These diagnostics create relatively large and detailed log files that provide information for troubleshooting certain network configurations. A Blue Coat Technical Support representative might ask you to invoke these internal diagnostics. This additional logging activity affects system performance; therefore, Blue Coat does not recommend using this option except at the request of Blue Coat Technical Support.

DNS Cache

These options allow you to view and clear the contents of the DNS cache.

Resetting the ProxyAV 2000-E Appliance

The rear of the appliance has two red, recessed buttons.

• Button 1—Restores the factory defaults. Only use this option in scenarios where you can no longer manage your ProxyAV. For example, your configuration changes have caused the ProxyAV to become unstable or you lost a password. To restore, the appliance must be fully up, which is verified by the lit System LED on the front. Press and hold this button for five seconds. The system default settings are restored (the default settings are defined by the software build) and the appliance reboots.

• Button 2—Resets the power. Only attempt a power reset if the power switch does not power on the appliance.

Resetting the ProxyAV 400-E Appliance

This section describes how to restore default settings and how to reset the appliance.

Restore the Factory Defaults

Only use this option in scenarios where you can no longer manage your ProxyAV. For example, your configuration changes have caused the ProxyAV to become unstable or you lost a password. To restore, the appliance must be fully up, which is verified by the LCD on the front.

To restore the default settings:

1. Press the Enter button to change to Configure mode.

2. Press the up or down arrow to cycle to Restore factory defaults.

3. Press the Enter button to initiate the restoration.

Reset the Appliance

If you experience difficulty booting the ProxyAV 400-E, you can attempt a reset.

To reset the appliance:

1. Unplug the power cord, then plug it back in.

2. While the appliance is booting, press and hold the up arrow until the menu appears. Use the arrow buttons to navigate the menu.

3. Press the enter button to select a menu option (you have two minutes to make a selection):

❐ Restore boot?—Forces the ProxyAV 400-E to boot using an archived system image. If the appliance does not boot upon power-up, Blue Coat recommends invoking this option first.

❐ Cancel—Exits the reboot menu; the ProxyAV 400-E continues to boot.

During the process, the LCD displays Restoring....

Chapter 6: Example Scenarios

This chapter provides example configurations for common ProxyAV deployments, and contains the following sections:

• "Section A: Scenario 1—Basic Anti-virus Deployment" on page 42—Provides examples for a simple AV deployment.

• Need a more complex example (multiple AVs)?—Don’t know if I can get to this before GA...can update online PDF later.

Note: The External Services chapter of the Blue Coat ProxySG Configuration and Management Guide contains more examples of content scanning policies.

Section A: Scenario 1—Basic Anti-virus Deployment

The following scenario describes how to configure the ProxySG and ProxyAV appliances to scan for viruses on content responses and display a patience page during scans.

The Task

Deploy ProxyAV as ICAP server to scan for viruses and display a patience page with a customized message if the scan takes longer than five seconds.

Example Data

This scenario uses the following sample data:

• ProxyAV IP address: 10.0.0.2

• ProxySG IP address: 10.1.1.1

ProxySG Configuration

Configure the ProxySG to communicate as an ICAP client with the ProxyAV and process content scanning.

Configure an ICAP Service

An ICAP service must be created on the ProxySG. This service identifies the ProxyAV as the ICAP server.

Create and Configure an ICAP Service through the ProxySG Management Console:

1. Select Configuration>External Services>ICAP Services.

2. Click New; the Add List Item dialog appears.

3. In the ICAP service name field, enter virusscan1; click OK.

4. Highlight virusscan1 and click Edit; the Edit ICAP Service dialog appears.

5. Enter or select the following information:

a. Service URL field: enter the location of the ProxyAV: icap://10.0.0.2/avscan.

The default port number is 1344.

b. Patience page delay (seconds) field: select Enable. After ten seconds of the content scan, the user receives a page informing them to wait while a scan is performed. The next section covers creating a Patience Page.

Note: Patience pages display regardless of any pop-up blocking policy that is in effect.

c. Notify administrator: Virus detected option: Select this option. An email is sent to the administrator if the ICAP scan detects a virus. The notification is also sent to the Event Log and the Event Log email list.

d. Method supported option: Select response modification. The ProxyAV scans the responses before they are allowed to reach the client.

e. Deselect the preview option.

Figure 6-3: The ProxySG ICAP service.

6. Click OK; click Apply.

Create a Patience Page

Customize the patience page that is displayed when HTTP clients experience delays as Web content is scanned.

Customize the Patience Page

1. Select Configuration>External Services>ICAP>ICAP Patience Page.

2. Click Summary; the Customize Patience Summary dialog appears.

3. Create a message: For security concerns, your request is currently being scanned for viruses, which might cause a slight delay. Please be patient.

4. Click OK; click Apply.

ProxyAV Configuration

Configure the ProxyAV to communicate with the ProxySG and serve as the ICAP server.

To configure ICAP from the ProxyAV Management Console:

1. Select ICAP Settings; the ICAP Server Settings page appears.

2. Select ICAP Server enabled.

3. Click Save Changes.

4. Click the Permitted clients link.

a. In the Client Access List table, click Add; the Administration and ICAP server Access List Entry page appears.

b. IP address field: enter 10.1.1.1 (the ProxySG IP address).

c. Select Allow ICAP access.

d. Click Save Changes.
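Once both appliances are configured, the ICAP service can be checked with an OPTIONS request as defined in RFC 3507. The following is an added example, not part of the original guide: it builds the request for the scenario's service URL and verifies that the reply advertises response modification (RESPMOD); both sample replies are constructed, and the function names are this example's own.

```python
import socket
from urllib.parse import urlsplit

ICAP_DEFAULT_PORT = 1344


def build_options_request(service_url):
    """Return (host, port, request_bytes) for an ICAP OPTIONS request."""
    url = urlsplit(service_url)
    if url.scheme != "icap" or not url.hostname:
        raise ValueError("expected icap://host[:port]/service")
    port = url.port or ICAP_DEFAULT_PORT
    request = (
        "OPTIONS icap://%s:%d%s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "Encapsulated: null-body=0\r\n"   # the request carries no body
        "\r\n" % (url.hostname, port, url.path, url.hostname)
    )
    return url.hostname, port, request.encode("ascii")


def parse_icap_head(raw):
    """Parse the ICAP status line and headers; header names are lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers}


def check_respmod_service(info):
    """Return a list of problems; an empty list means the service looks usable."""
    problems = []
    if info["status"] != 200:
        problems.append("OPTIONS returned %d %s" % (info["status"], info["reason"]))
    methods = {m.strip().upper()
               for m in info["headers"].get("methods", "").split(",") if m.strip()}
    if "RESPMOD" not in methods:
        problems.append("RESPMOD not advertised (Methods: %s)"
                        % (", ".join(sorted(methods)) or "none"))
    # RFC 3507 requires an ISTag header in an OPTIONS response.
    if "istag" not in info["headers"]:
        problems.append("no ISTag header in the OPTIONS response")
    return problems


def probe(service_url, timeout=5.0):
    """Send the OPTIONS request to a live service and parse the reply."""
    host, port, request = build_options_request(service_url)
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(request)
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_icap_head(data)


# Constructed replies, not captured from a real appliance.
SAMPLE_OK = (b'ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\n'
             b'ISTag: "constructed-tag-01"\r\nOptions-TTL: 3600\r\n'
             b'Encapsulated: null-body=0\r\n\r\n')
SAMPLE_REQMOD_ONLY = (b'ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n'
                      b'Encapsulated: null-body=0\r\n\r\n')

if __name__ == "__main__":
    print(check_respmod_service(parse_icap_head(SAMPLE_OK)))
    print(check_respmod_service(parse_icap_head(SAMPLE_REQMOD_ONLY)))
```

Run `probe("icap://10.0.0.2/avscan")` from an address that is on the ProxyAV Permitted clients list with ICAP access.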

Visual Policy Manager: Create Policy

Now that the ProxySG and ProxyAV are configured, you must create a policy to instruct the AV services what actions to perform. This section demonstrates using the Visual Policy Manager (VPM) to create a policy that assigns the created ICAP service and returns a patience page to the client when a scan takes longer than five seconds.

Use the VPM to create policy:

1. In the VPM, select Policy>Add Web Content Layer; the Add New Layer dialog appears.

2. Name the layer: Virus Scan: Corporate; click OK.

3. In the Action column, right-click and click Set; the Set Action dialog appears.

4. Click New; select Set ICAP Response Service; the Add ICAP Response Service Object dialog appears.

a. Name the object: Corporate_ICAP.

b. In the Use ICAP response service drop-down list, select virusscan1.

c. Click OK.

d. With the Corporate_ICAP object highlighted, click OK to add the object to the rule.

5. In the VPM, select Policy>Add Web Access Layer; the Add New Layer dialog appears.

6. Name the layer: Patience Page: Corporate ICAP; click OK.

7. In the Action column, right-click and click Set; the Set Action dialog appears.

8. Click New; select Return ICAP Patience Page; the Add ICAP Patience Page Object dialog appears.

a. Name the object: ICAP_Patience.

b. In the Return a patience page after field, enter 5. After five seconds during a scan, the patience page with the message customized in the "Create a Patience Page" section is displayed to the user.

c. Click OK.

d. With the Corporate_ICAP_Patience object highlighted, click OK to add the object to the rule.

9. Click Install Policy.

Appendix A: Upgrading the ProxyAV

This appendix describes how to upgrade the ProxyAV to a new release and describes behavior changes attributed to upgrading or downgrading of different ProxyAV releases.

This appendix contains the following sections:

• Section A: “Upgrade Procedure” on page 48—Provides procedures to upgrade the ProxyAV firmware and restrict administrator access to only allow HTTPS.

• Section B: “Upgrade Issues” on page 51—Describes the features impacted by upgrading to current ProxyAV releases.

Section A: Upgrade Procedure

This section describes how to upgrade the ProxyAV from previous versions.

About Firmware Updating

Firmware updates can present changes to the functionality of the ProxyAV, and can include new features, changes to the user interface, and optimizations for speed and reliability.

The ProxyAV periodically checks (several times per day) for these updates. If one is available, the Update Now button becomes active. Because these updates might require a restart of the machine, which could block network traffic for up to three minutes, updates do not occur unless the administrator initiates the update. This allows the update to be performed at the most convenient time.

When the update starts, the ProxyAV downloads the update from Blue Coat. These updates are typically one to five MB in size, and might take a few minutes to download, depending on your Internet connection. The updates to software, firmware, or both are then performed, and the ProxyAV resets itself. Depending on the update, the reset might be just a reload of drivers or it could be a full restart of the machine. The entire process can take anywhere from 30 seconds to 3 minutes, excluding the download time.

Note: This update applies to the base ProxyAV OS only. The ProxyAV continues to check for updated site filtering and AV engine and pattern files at the interval specified in the Update frequency field on the Antivirus>Update Settings page.

Upgrading to ProxyAV 2.2.x

This section describes how to update the ProxyAV software and describes the ProxyAV status upon upgrading.

Status Upon Upgrading

Before upgrading, read this section to understand the status of the ProxyAV appliance when the upgrade completes:

• The client access list is carried over.

• The Management IP remains visible and allowable as an access method (through port 80).

Important: If you use the default Management IP (1.1.1.5) to access the ProxyAV, you must specify a different Management IP before upgrading (Network>Global Settings). The 1.1.1.5 Management IP is not accessible following an upgrade. If you do not change the Management IP before upgrading, you will be required to reset the ProxyAV to factory defaults.

• HTTPS—Enabled by default. The ProxyAV is accessible on port 8082 through the Interface IP; however, you can only access the Management Console if, before upgrading, you specified an IP address for Admin and ICAP access. If you did not, you can create a rule before upgrading to permit access from an administrator client (refer to "Specifying Client Access" on page 10). If you elect not to do this now, the next section provides a post-upgrade procedure to limit Management Console access to HTTPS, which includes accessing the ProxyAV through the Management IP, adding an administrator client, and removing the Management IP.

• HTTP—Disabled by default. The ProxyAV is not accessible on port 8081 through the Interface IP until this option is enabled (see "Enabling HTTP Access" on page 11).

To upgrade the ProxyAV:

1. In the Management Console, select Firmware Update. This page provides the status of your current build. If a new ProxyAV 2.2.x update is available, the Update Now button is enabled.

2. Click Update Now.

A splash screen displays as the ProxyAV prepares to download the build. The Management Console then returns to the Home page. Statistics under Current Downloads track the progress of the build. As the new OS installs, the ProxyAV is temporarily unable to accept the clicking of any option. When the installation completes, the Management Console refreshes itself and is ready for configuration.

Restricting Administrator ProxyAV Access to HTTPS

To provide the maximum security, Blue Coat recommends limiting the ProxyAV access to an extremely exclusive and trusted IP address and subnet list (separate from the IP address used for ICAP access), then removing the Management IP feature from the Management Console.

Important: Even if you create an access list of one IP address (not 0.0.0.0), your ProxyAV is accessible by anyone if you do not remove the Management IP option.

To limit the ProxyAV to encrypted access:

Note: If you have a permitted Admin and ICAP client and do not require additional clients, skip Steps 1 and 2.

1. Select Network.

Under the Management Console Access field, notice that HTTPS is enabled on port 8082 (a default keyring has also been created).

2. If you do not currently have a permitted administrator client, or want to add a new one, click Add under Administration and ICAP Server Access List. The Administration and ICAP Server Access List Entry screen appears.

a. In the IP address field, enter an IP address to be granted administrator access.

b. In the Mask field, enter the IP subnet.

c. Select Allowed admin and ICAP access.

d. Click Save Changes.

3. In the URL field of the browser, enter the new URL to access the ProxyAV through HTTPS:

https://proxyav_IP_address:8082

4. Now that secure access is granted through the designated IP address, hide the Management IP option from the Management Console.

a. In the Management Console, select Advanced>Additional Services.

b. Deselect Enable Management IP.

c. Click Save Changes.

d. In the Management Console, select Network. Notice the Management IP option is now hidden.

Should you elect to continue using the Management IP feature, "Section B: Upgrade Issues", "Management IP" on page 51 discusses upgrading and downgrading behavior and provides the legacy procedure to configure the Management IP.
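The access rules in this section can be reviewed across several appliances with a short script. The following is an added example, not part of the original guide; the `settings` dictionary is a hypothetical record of what the Management Console shows (the ProxyAV does not export this format), and the sample values are constructed.

```python
import ipaddress


def audit_console_access(settings):
    """Return findings for one appliance's console-access settings.

    settings is a hypothetical dict transcribed from the Management Console:
      management_ip_enabled  Advanced>Additional Services, Enable Management IP
      http_enabled           HTTP console access (port 8081)
      icap_clients           addresses of the ICAP clients (the ProxySG)
      access_list            entries with "ip", "mask" and "admin" (True when
                             the entry grants admin and ICAP access)
    """
    findings = []
    if settings["management_ip_enabled"]:
        findings.append("Management IP enabled: console is accessible by "
                        "anyone, whatever the access list says")
    if settings["http_enabled"]:
        findings.append("HTTP access on port 8081 enabled: use HTTPS "
                        "on port 8082 only")

    icap_clients = [ipaddress.ip_address(a) for a in settings["icap_clients"]]
    admin_entries = 0
    for entry in settings["access_list"]:
        if not entry["admin"]:
            continue
        admin_entries += 1
        network = ipaddress.ip_network(
            "%s/%s" % (entry["ip"], entry["mask"]), strict=False)
        if network.prefixlen == 0:
            findings.append("admin entry 0.0.0.0 admits every address")
            continue
        # The admin list should be separate from the ICAP client address.
        for client in icap_clients:
            if client in network:
                findings.append("admin entry %s also covers ICAP client %s"
                                % (network, client))
    if admin_entries == 0:
        findings.append("no admin entry: the HTTPS console is unreachable "
                        "once the Management IP is removed")
    return findings


# Constructed sample: state right after the upgrade, then after this procedure.
AFTER_UPGRADE = {
    "management_ip_enabled": True,
    "http_enabled": False,
    "icap_clients": ["10.1.1.1"],
    "access_list": [
        {"ip": "10.1.1.1", "mask": "255.255.255.255", "admin": True},
    ],
}
AFTER_PROCEDURE = {
    "management_ip_enabled": False,
    "http_enabled": False,
    "icap_clients": ["10.1.1.1"],
    "access_list": [
        {"ip": "10.1.1.1", "mask": "255.255.255.255", "admin": False},
        {"ip": "10.1.2.25", "mask": "255.255.255.255", "admin": True},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("after upgrade", AFTER_UPGRADE),
                      ("after procedure", AFTER_PROCEDURE)):
        print(name, audit_console_access(cfg))
```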

Section B: Upgrade Issues

This section describes feature behavior changes attributed to updating to a new or previous ProxyAV release.

Management IP

Before ProxyAV 2.2.x, the Management IP was used to administer the appliance. ProxyAV 2.2.x allows the use of the HTTPS protocol, which provides encrypted access.

Upgrade Behavior

The Management IP is still visible and usable; however, for elevated security, Blue Coat recommends hiding this feature and employing HTTPS access (see "Restricting Administrator ProxyAV Access to HTTPS" on page 49).

Downgrade Behavior

If you hid this feature after upgrading the ProxyAV to 2.2.x and you downgrade to a previous version, the Management IP is visible according to legacy configuration.

Legacy Procedure: Specifying the Management IP Address

The information in this section is the legacy procedure, provided should you elect to maintain the use of this feature.

The Management IP address is an address used to administer this ProxyAV appliance. This is a special IP address used for ordinary (non-remote) access to the ProxyAV. It does not require any relation to your local network addresses. The default value of 1.1.1.5 does not need to be changed unless you have multiple Blue Coat appliances on your network or the default address happens to be within your local range and is in use by another device.

If you have multiple boxes—either single boxes at different locations or load-balanced boxes—change the Management IP to a unique address before installing the machine on your network, or administrative access will be erratic. There is no check within the units for duplicate Management IP addresses; you must keep track of this yourself.

Do not use the following IP addresses:

• The same IP address as the appliance IP address.

• 1.1.1.254, 1.1.0.2, or 1.1.0.6.

Use the following addresses with care, as these IP addresses are used as default Management IP addresses by various Blue Coat products:

1.1.1.5, 1.1.1.7, 1.1.1.9, 1.1.1.11, ...

Before using these addresses, verify the IP and Management IP addresses of other Blue Coat products on your network and confirm there is no conflict.

To specify or change the Management IP address:

1. In the Management Console, select Network.

2. Under Global Settings, in the Management IP field, enter the IP address used to administer this appliance.

3. Click Save Changes.

Appendix B: Deploying the ProxyAV

This Appendix provides high-level information about the deployment of an AV solution into your network.

The Challenges of Web Scanning Integration

A Web AV solution must accomplish its task without impacting productivity. Previously, because of the number of users and high Web traffic, AV scanning of Web traffic was impractical because of the unacceptable increase in latency.

Most enterprises are configured to provide some level of infrastructure security by the way of firewalls and authentication directories. Furthermore, products, such as the Blue Coat ProxySG appliances, are employed to provide proxy and caching services, which regulate Web usage and increase network performance and bandwidth gain.

The following diagram presents a non-integrated AV scanning solution:

Figure 8-1: Non-integrated Web AV deployments. Deployment 1: the virus filter resides before the proxy. Deployment 2: the virus filter resides between the proxy and the Intranet.

These two deployments present the following issues:

• Deployment 1—A lag time between the presence of a virus and the availability of the pattern file used to purge the virus allows a single threat to get cached and thus easily spread through the entire network.

• Deployment 2—All viruses are intercepted before they can be cached; however, as the virus filter is repeatedly bombarded, denial of service is likely to occur.

Both of these deployments might require the constant clearing of the cache, which negates any gains attained by bandwidth management provided by the proxy.

The Blue Coat ProxyAV Solution

While the Blue Coat ProxySG product provides flexible and granular control of Web traffic and access, the ProxyAV appliance provides high-performance AV scanning of both cached and non-cached content. The ProxySG and the ProxyAV share underlying Blue Coat processes, which allows for easy deployment and integration. Once integrated, this solution allows for the scanning and purging of harmful viruses and other malicious code without compromising the network control, bandwidth gains, or security attained from the proxy.

If an AV scanner must scan all cached and uncached content, performance suffers. The ProxyAV deployment provides a scan-once, serve-many benefit when scanning cacheable objects:

• Cached objects are time-stamped and compared against an AV signature database to verify no further scanning is required.

• Non-cacheable objects are fingerprinted against the current AV signature database; these objects are not scanned again unless either the object or AV database changes.

This provides three benefits:

• Outbreaks are smaller;

• Containment is faster; and,

• Performance gain is attained by not scanning unchanged objects.

The ProxyAV scanning engines allow you to select an AV vendor that is preferred by your enterprise or satisfies your particular requirements. These industry-standard vendors include McAfee, Sophos, and Panda.

Determining Network Location

The ProxyAV appliance must reside on the same network segment as the ProxySG appliance and the PC used to administer the ProxyAV.

Note: If the ProxyAV (2000-E) is connected to a Cisco router, you must use a cross-over cable if the Ethernet Media Link Speed is set to anything but Auto Negotiate. Although a patch cable works with Auto Negotiating, Blue Coat recommends using a cross-over cable if the ProxyAV is connected to a Cisco router to avoid conflicts with the differing behavior. If you are using a Cisco switch, a patch cable can be used.

Deployment Diagram 1—ProxyAV With a Crossover Cable

The following diagram illustrates a single ProxyAV attached to a ProxySG using a direct connection.

Figure 8-2: A single ProxyAV deployed with a crossover cable.

Deployment Diagram 2—ProxyAV With a Switch

The following diagram illustrates multiple ProxyAV appliances attached to a ProxySG through an L2 switch.

Figure 8-3: Multiple ProxyAV appliances deployed through a switch.

Deployment Phases

The following phases are involved to deploy a ProxyAV appliance with a ProxySG to create an integrated Web scanning service:

1. Configure the ProxySG for ICAP scanning, including specifying the IP address of the ProxyAV as the ICAP service URL.

2. Configure the ProxyAV Web scanning services and features.

3. Define and install Web scanning policies as required in your enterprise. This is accomplished through the Visual Policy Manager (VPM) or by creating Blue Coat Content Policy Language (CPL).
