SGOS 6.2.x Release Notes

Version: SGOS 6.2.11.2 / BCAAA Version 130
Release Date: 12/10/2012
Document Revision: 12/19/2012
Section A: "SGOS 6.2.x Reference Information" on page 4. If you are a new user to SGOS 6.x, Blue Coat strongly recommends that you read this section in its entirety. It identifies topics such as supported platforms, important upgrade information, and additional requirements specific to SGOS 6.x.
Section B: "SGOS 6.2.11.2, build 99292" on page 9
Section C: "SGOS 6.2.10.7, build 95827" on page 16
Section D: "SGOS 6.2.10.3, build 90684" on page 18
Section E: "SGOS 6.2.10.1, build 88383" on page 20
Section F: "SGOS 6.2.9.1, build 83027" on page 28
Section G: "SGOS 6.2.8.1, build 79699" on page 35
Section H: "SGOS 6.2.7.2, build 79516" on page 42
Section I: "SGOS 6.2.7.1, build 79296" on page 43
Section J: "SGOS 6.2.6.1, build 78274" on page 49
Section K: "SGOS 6.2.5.1, build 76459" on page 57
Section L: "SGOS 6.2.4.1, build 75374" on page 62
Section M: "SGOS 6.2.3.3, build 75373" on page 68
Section N: "SGOS 6.2.3.1, build 72867" on page 69
Section O: "SGOS 6.2.2.1, build 71419" on page 74
Section P: "SGOS 6.2.1.4, build 71203" on page 79
Section Q: "SGOS 6.2.1.3, build 66659" on page 80
Section R: "SGOS 6.2.1.1, build 64600" on page 82
Section S: "Limitations in SGOS 6.2.x" on page 100
Section T: "SGOS 6.x Support Files and Support for Other Products" on page 102
"Licensing Enhancements" on page 80
"GUI Support for Controlling Web Applications" on page 69
If you are using the Blue Coat Authentication and Authorization Agent (BCAAA), SGOS 6.2.x requires BCAAA version 130 (located on the 6.2.x BlueTouch Online download page). Even if you are already running version 130, upgrade to the BCAAA build associated with SGOS 6.2.x, because it contains a security vulnerability fix. You must upgrade to BCAAA version 130 before upgrading to SGOS 6.2.x; do not upgrade SGOS unless you have first installed the compatible BCAAA version. Refer to the following documents for more information:
- The BCAAA Readme, for BCAAA sizing requirements. This Readme is posted with the BCAAA version on the BTO download portal.
- The Blue Coat SGOS 6.2.x Upgrade/Downgrade Guide, for instructions to upgrade or downgrade BCAAA.
Direct upgrade from SGOS 4.x to SGOS 6.2.x is not supported. If you are upgrading to SGOS 6.2.x from SGOS 4.x and the appliance has previously run SGOS 5.x, the 5.x configuration is applied during upgrade. You must restore the SGOS 4.x configuration settings. The Blue Coat SGOS 6.2.x Upgrade Guide contains this procedure, but continue reading these Release Notes for further upgrade information.
For SGOS 6.2.x, the oldest supported JRE is 1.5.0_15. See "Java Runtime Environment (JRE) Information" on page 8.
Product Documentation
Access the SGOS 6.2.x product documentation on BlueTouch Online: https://bto.bluecoat.com/documentation/pubs/view/SGOS 6.2.x
or: Knowledge Base > Product Information > OS > SGOS 6
3. Click Subscribe. You will then receive email messages to let you know when new software releases are available for download. Click the link in the email to view the KB article. The article provides the following information for the new release: the release number, the date the software was posted, highlights of the release, and links to related documentation and training materials.
Support
Frequently asked questions and more information about this release can be found in the Knowledge Base: https://kb.bluecoat.com Direct support questions regarding this release to:
http://www.bluecoat.com/support/contact.html
For questions or comments related directly to these Release Notes, send an e-mail to: documentation.inbox@bluecoat.com
Upgrade Prerequisites
To upgrade to this release, you must first determine if your hardware platform is supported, and whether you can upgrade directly or must upgrade through an interim release. You must also familiarize yourself with potential upgrade/ downgrade issues.
Important: Before upgrading to SGOS 6.2.x, you must resolve all deprecated policy notices. This part of the process is described in the SGOS 6.2.x Upgrade/Downgrade Guide.
Before installing or upgrading to SGOS 6.2.x, perform the following:
1. Determine if SGOS 6.2.x is supported on your hardware platform. See "Supported ProxySG Appliance Platforms" on page 6.
2. Determine your upgrade path. See "Supported Upgrade/Downgrade Paths" on page 6.
3. Understand the BCAAA process. See the BCAAA Readme, which is posted with the BCAAA version on the BTO download portal.
4. Understand how licensing works. See "About SGOS 6.x Licenses" on page 7.
5. Ensure that your browser has the correct JRE installed. See "Java Runtime Environment (JRE) Information" on page 8.
6. (Recommended) Learn about the changes and fixes in the SGOS version you are upgrading to. See "SGOS 6.2.1.3, build 66659" on page 80.
7. (Recommended) Learn about third-party product support. See Section T: "SGOS 6.x Support Files and Support for Other Products" on page 102.
8. When you are ready to upgrade a ProxySG appliance, follow the steps in the Blue Coat SGOS 6.2.x Upgrade Guide.
Supported ProxySG Appliance Platforms

32-bit platforms: SG210 (except for the 210-5) and SG510
64-bit platforms: SG300, SG600, SG810, SG900, SG8100, and SG9000
Virtual appliances: VA-5, VA-10, VA-15, VA-20
Note: The SG210-10 and SG210-25 can run SGOS 6.2 and later, but the SG210-5 is not supported on these SGOS releases. SGOS 6.2 provides new features and capabilities that require more system resources than are available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Contact your sales team for upgrade options.
Existing ProxySG VA customers can directly upgrade from SGOS 5.5 to SGOS 6.2. New ProxySG VA customers must first download and install the SGOS 5.5 Virtual Appliance Package (VAP) and then upgrade to SGOS 6.2.x. For details, refer to the ProxySG VA Initial Configuration Guide: https://bto.bluecoat.com/doc/13286
Figure 1-1: Upgrade Path
Section B: SGOS 6.2.11.2, build 99292

"What's New in 6.2.11.2" on page 9
"Resolved Issues in SGOS 6.2.11.2" on page 9
"Known Issues in SGOS 6.2.11.2" on page 13
Resolved Issues in SGOS 6.2.11.2

Access Logging

Fixed an issue where a configuration restore failed and "delete" and "no default-logging" were displayed; the internal order of the access logs was incorrect. (B#178312; SR 2-486585102)
Authentication
When Domain Controller Querying for SSO was enabled, BCAAA was not querying DCs and the user saw configuration errors. This has been resolved. (B#176748; SR 2-465952782, 2-504085234)

The ProxySG appliance software unexpectedly restarted at 0x810002 in process LDAP Authorization Refresh Worker. This has been fixed. (B#176963; SR 2-474934072)

Fixed an issue where the ProxySG appliance software would restart unexpectedly at 0x810002 in process group PG_POLICY_HTTP, process PDW t=1673788506 for=3081BFBF, when using an LDAP realm under heavy load with instances of authentication failure. (B#179204; SR 2-492494652)

The event log now shows the user name correctly, no longer displaying "unknown user" when authentication fails. (B#180321; SR 2-497140142)
CIFS Proxy
The customer was unable to edit the registry on a remote machine using the CIFS proxy or ADN with CIFS optimization. The request appeared to be fragmented, and the customer saw a STATUS_PIPE_DISCONNECTED error. This has been fixed. (B#176944; SR 2-464532082)

Clients that do not support the NT LM 0.12 dialect are now able to connect to servers through the CIFS proxy. (B#181816; SR 2-505187176)
CLI Consoles
When there are no transactions to view in the Management Console (Maintenance > Service Info > Send info > Send service info > view progress), a page fault, at 0xc3401000 in Process CLI_Worker_2 in con_agent.dll, no longer occurs. (B#178917)
DNS Proxy
Executing the ProxySG appliance command disk decrease-object-limit no longer causes CPU usage to spike to 100%. This occurred when the ProxySG LAN cable was unplugged. (B#181576; SR 2-504246792)
FTP Proxy
Resolved an issue where the ProxySG appliance experienced increasing memory usage when FTP objects were ICAP-scanned and cached. (B#181163)
Hardware Drivers
Running an HTTPS reverse proxy with SSL hardware offload (rather than bypassing the SSL hardware) no longer results in very slow download speeds. (B#180450; SR 2-496109132)
Health Check
(B#175424; SR 2-458582882)

Fixed an issue where the ProxySG appliance would restart due to a watchdog timeout, which might occur when deleting a composite health check. (B#175722)

Health check failures no longer occur when forward hosts are being created. (B#178514)

Fixed a rare issue where the ProxySG appliance hardware restarted at 0x3 in process group PG_HEALTH_CHECKS in process HC_Admin. (B#180035)
HTTP Proxy
Fixed an issue where performing a test on www.yahoo.com (test http get www.yahoo.com) failed with the errors "% Error receiving from localhost HTTP proxy" and "% HTTP get test failed". (B#177206)

When an HTTP link points to a file that has Content-type: video/x-ms-asf but the content served is an XML file, a transformation error no longer prevents users from browsing certain websites through the ProxySG. (B#178036; SR 2-481859203)

Fixed the issue where the ProxySG appliance was returning negative values for the Content-Range header; the problem occurred when a large video file was requested in a reverse proxy. (B#177916; SR 2-482467762)

The ProxySG appliance responded incorrectly when an invalid URL was in the request. It now returns a Request Error instead of an Appliance Error. (B#177942)

In a transparent deployment, the ProxySG appliance no longer presents an error or prevents WMV video playback from megaexthi3.nefficient.com. (B#178121; SR 2-482358602)

The ProxySG appliance now treats URLs starting with encoded forward slashes as relative URLs when transforming HTML pages. The problem appeared after a SAP upgrade, where traffic to SAP servers through the reverse proxy was blocked. (B#178318)

When the OCS sends a response with Set-Cookie and Location headers, the ProxySG appliance now includes the new cookie in the pipelined request. (B#178858; SR 2-485658272)

Fixed the issue in which the ProxySG appliance ignored clientless connection limits when large content prepopulation jobs were run from Director or elsewhere. (B#179755)

The ProxySG appliance no longer performs a page fault restart at 0x5d92e000, in process HTTP CW BF26DEC0, in shared_dll.dll at .text+0xf659. The problem occurred when a character was partially encoded in one message segment and partially in another. (B#180690)

Fixed an issue where the ProxySG appliance repeatedly restarted with a page fault at 0x173811d28, in process group PG_POLICY_HTTP, process HTTP CW 173817B50 in kernel.exe at .text+0xf5360. The issue occurred when the same request was made over the explicit 8080 port with detect protocol enabled. (B#181705; SR 2-508038338)
Fixed an issue where the ProxySG appliance erroneously returned an HTTP 412 Precondition Failed response to the client when the OCS responded with HTTP 401 Unauthorized. This occurred when the ProxySG appliance was configured for cache bypass mode on the client IP. (B#182169; SR 2-512490989)

Configuration archive files containing invalid characters in the file name prefix could not be FTPed to a remote server, though access logs worked correctly. This has been resolved. (B#180728; SR 2-478056164)

Java 1.7 Proxy Services are visible by default on Windows 7 Ultimate SP1 32-bit, and tool tips appear appropriately when the mouse hovers over them. (B#178434)
MAPI Proxy
Page faults due to unresolved internal object integrity no longer occur in EPM and services. (B#178630)

Fixed a watchdog timeout issue where the ProxySG appliance software unexpectedly restarted with a fault at PG_Mapi in process rpc.386/10.227.50.79:50836 in libbinmsg.so at .text+0x15CB. It occurred when the decompression time for a particular attachment exceeded thirty seconds. (B#182129; SR 2-514553240, 2-515079876)
Policy
Fixed incorrect define condition evaluation in the policy processing code, which was due to a missing check of the AFL_Evaluatables tree. (B#179176)

The transformation of relative URLs starting with "../" now performs correctly. (B#181307)
Services
Disabling the SNMP management service via the Management Console no longer causes the ProxySG appliance to reboot. (B#178040, SR 2-484216742)
Sky UI
The Sky user interface no longer throws a "Multiple IP addresses have been configured on this interface" error when a second attempt to change an IP address occurs. (B#178307; SR 2-486823632)
SOCKS Proxy
The SOCKS proxy no longer returns port unreachable, so it is able to connect to a server when the ProxySG appliance LAN interface is connected to a private network, and its WAN interface is connected to a public network with the default gateway in a public network. (B#179660)
Resolved an issue where the ProxySG appliance software restarted when imported certificates contained validity dates in GeneralizedTime format, which prevented an upgrade to 6.3.x releases. (B#177285)

The ProxySG appliance SSL and cryptography features no longer use memory excessively, which had caused the appliance to stop accepting connection requests. (B#179861; SR 2-495561552)
The customer was experiencing errors and slowness and saw a corrupt syncache timer under a large number of SYN retransmissions from the client on the same port; this seemed to occur when a loopback was placed before the ProxySG appliance. This has been fixed. (B#177694; SR 2-475456212)

Tunneled IPv6 6-in-6 packets are now correctly bridged across the ProxySG appliance. (B#178112; SR 2-485738657)

When #(config)tcp-ip tcp-bad-dupack-detect was enabled, the TCP ACK storm condition is now properly detected and handled. (B#179199; SR 2-491313742)

A parsing error in processing RIP configuration CLI commands no longer occurs. (B#179578; SR 2-488950432)

Fixed slow performance while transferring a 30 GB file via FTP when packet re-ordering occurred on the network. (B#180308)

When deleting a keyring after a certificate was entered inline, the ProxySG appliance no longer performs a software restart in process group PG_CLI in process CLI_Worker_4. (B#181850; SR 2-511391192)

Resolved an issue where the ProxySG appliance sent a large quantity of ACKs, leading to high CPU utilization. (B#178614; SR 2-486922932)
Known Issues in SGOS 6.2.11.2

Authentication
When the ProxySG appliance is logged into the wrong domain when using certain authentication realms, Event Logs for failed authentication show "unknown user" instead of the proper user ID. (B#181875)
Workaround: Use an authentication realm other than SiteMinder or IWA in order to see the user name in the Event Log on failed authentication attempts.
If user authentication fails, the ProxySG appliance does not display and log domain usernames. (B#182849; SR 2-521139171)

The ProxySG appliance software restarts unexpectedly in process group PG_POLICY_HTTP, process PDW t=13079893 for=B740506F, when an LDAP realm is configured and the authentication software attempts to evaluate the user= condition for a username in the LDAP domain name. (B#182875; SR 2-429397945, 2-492242202, 2-492756952, 2-496067932, 2-519374059)
Cache Engine
ProxySG appliance refresh statistics do not show accurate values due to an internal calculation error. Workaround: Treat values of <0 as 0, treat values >100% as 100%. (B#182544; SR 2-516217392)
Due to a page fault in the cache lister at linear address 0x38657B01C in process Cache lister, with software exception code 0x810002, the ProxySG appliance restarts unexpectedly. The problem occurs during the listing of cache content. (B#182261; SR 2-515651912, 2-516806712)
Flash Proxy
Flash video stops streaming when the ProxySG appliance is configured in explicit mode with HTTP handoff enabled. (B#181553; SR 2-505803897, 2-507217284, 2-512173702)
Workaround: Disable HTTP handoff.
When the user tries to display the health status of the ProxySG appliance, the Management Console health status link does not open the page. (B#181532; SR 2-494631002)
Workaround: Remove any ampersands in health check names. This may also involve modifying policy conditions that specify host labels containing ampersands, since health checks with the same name are automatically created for these labels.
When running the Management Console in a Firefox browser, the ProxySG does not upload and install a system image. (B#182195; SR 2-458324372)
Workaround: Use a browser other than Firefox, or use an HTTP (insecure) connection with Firefox.
When a corrupted CRL (certificate revocation list) object is encountered, the ProxySG appliance experiences a software restart in process group PG_CFSSL, in process CFSSL Cert Proprietor, in libstdc++_sgos.so. (B#177347; SR 2-478403752)
When Path MTU is disabled, the ProxySG appliance generates IPv6 packets with the invalid length of 1098 bytes (1280 is the required minimum). (B#182728; SR 2-512229382)
URL Filtering
The ProxySG appliance cannot block Web.de Freemail control operations such as Upload/Download Attachment and Send Email. (B#181159; SR 2-505168932)

Section C: SGOS 6.2.10.7, build 95827
SSL Proxy
Fixed an issue where the ProxySG appliance was intercepting SSL traffic under a negative condition and users were unable to browse; a reboot temporarily fixed the issue. (B#176959; SR 2-473535582, 2-476735992, 2-486301042, 2-492238662, 2-493076982)
Authentication
Manual user logout policy was not taking effect when an authentication and a logout action were being processed in the same transaction. This issue has been fixed. (B#179941; SR 2-495512802)
CIFS Proxy
Resolved an issue where the ProxySG appliance software restarted at 0x810002 in Process CIFS::Worker: Connection 27519 (running), when multiple clients were accessing the same directory on the server simultaneously while directory prefetching was enabled. (B#179118; SR 2-492780962, 2-497556942, 2-498260942, 2-504546022, 2-505757992)
HTTP Proxy
Software restart at 0x810002 in Process: HTTP CW 81EE9B50 under the following conditions: there is an SSL connection error upstream, HTTPS intercept on exception is enabled (it is on by default), and the request header size is greater than 8K. The restart does not occur if the ProxySG appliance is not intercepting SSL connections using the HTTPS proxy (by explicitly providing https.forward_proxy gestures in the policy) and intercept on exception is disabled, which can be done using the following policy:

    <ssl-intercept>
        ssl.forward_proxy(no)

(B#178246; SR 2-486396552)
Section D: SGOS 6.2.10.3, build 90684
Authentication
When the ProxySG received RADIUS accounting packets while using Session Monitor, it created high memory pressure. This issue has been fixed. (B#178356, SR# 2-487098719)
Flash Proxy
When opening two players for the same RTMPT live stream, the page no longer fails with process RTMP Live Splitter 1898DEC60. (B#179008)
Hardware Drivers
Fixed the issue in which CPU0 and CPU1 increased and stayed at a high level without a change in traffic or load. (B#177855, SR# 2-480033793)
HTTP Proxy
The ProxySG rebooted in the rare situation when the field content in the HTML meta-tag parser was non-empty but contained only characters that are normally ignored (spaces, single and double quotes), and the area in memory immediately before the buffer happened to also contain one of those characters. This issue has been fixed. (B#178057, SR 2-484593242)

The ProxySG software restarts at 0x4001c in process group PG_HTTP, Process HTTP CW 424E3DB50. (B#177935, SR 2-483378672, 2-485965784, 2-487284992, 2-488878582)
MAPI Proxy
When Microsoft Outlook requests a Policy Handle from the Exchange server without userDN in the DoConnect message, the software no longer restarts at 0x810002 in Process group PG_MAPI in Process rpc.1686/10.227.56.190:1223. (B#178432, SR 2-469130302)
Section E: SGOS 6.2.10.1, build 88383

"What's New in 6.2.10.1" on page 20
"Security Fixes" on page 21
"Resolved Issues in SGOS 6.2.10.1" on page 22
"Known Issues in SGOS 6.2.10.1" on page 26
- The ProxySG must have the MACH5 Edition license.
- The ProxySG must be in-path (not virtually in-path or out-of-path).
- The computer system you are using to remotely configure the appliance must be on the same LAN as the appliance and have a direct network communication path to the ProxySG.
- The computer system must also have a default route whose destination is a router on the other side of the ProxySG. If the computer's connectivity to the Internet goes through the ProxySG, this condition is satisfied.
- If you are not physically at the computer system on the LAN side of the ProxySG, you should have Remote Desktop (or similar functionality) enabled on the computer system.
Use the following procedure to configure the basic network settings on an appliance that you plan to deploy in-path as an acceleration peer.
1. (If applicable) If you are not physically at the computer system on the LAN side of the ProxySG, initiate a Remote Desktop session (or similar functionality) to the computer system that will be used for configuring the ProxySG.
2. On a client PC that is on the same LAN as the ProxySG appliance, open a Web browser.
3. Enter http://proxysg.bluecoat.com:8083. The Welcome screen displays.
4. Click Next. The Security panel appears, with the Console tab selected.
5. Follow the screen prompts to configure the security options for the Console, CLI, and Serial Port.
6. Follow the screen prompts to configure the network settings. With the Web Wizard, you can configure a single interface or a hardware bridge that operates as a network interface.
7. When prompted to confirm your settings, click Configure.
8. Click the displayed link (for example, https://192.12.14.12:8082) to log into the configured appliance.
https://kb.bluecoat.com/index?page=content&id=TFA109
https://kb.bluecoat.com/index?page=content&id=FAQ2197
Security Fixes
The ProxySG is no longer vulnerable to denial-of-service (DoS) attacks via Server Gated Cryptography (SGC) renegotiation. (CVE-2011-4619) (B#174184)
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. This OpenSSL vulnerability has been fixed in SGOS 6.2.10.1. See CVE-2011-4576. (B#174529)

Fixed the OpenSSL ASN1 BIO vulnerability (CVE-2012-2110 and CVE-2012-2131). (B#176490)

The wording on the logout page has been changed to make sure that the administrator is aware that the browser window must be closed in order to fully log out. The new message is: "Please close the browser window to log out." (B#173246)
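The OpenSSL advisories above are the kind of item a vulnerability-management process has to match against version strings reported by systems in the fleet, and pre-3.0 OpenSSL versions carry a letter suffix (0.9.8r, 0.9.8s, ... 0.9.8zh) that a purely numeric comparison cannot handle. The following is an added example and not Blue Coat code: it parses such version strings into sortable tuples and decides whether a build predates the CVE-2011-4576 fix on its branch. The fixed releases 0.9.8s and 1.0.0f are taken from the text above; treating every branch from 1.0.1 onward as already fixed, and the inventory strings fed to triage(), are assumptions for illustration.

```python
import re

# Branches named in the release notes and the first release on each that carries
# the CVE-2011-4576 fix. Branches newer than 1.0.0 (1.0.1 onward) are treated as
# fixed; that is an assumption for illustration, not a statement from the page.
FIXED_IN = {
    (0, 9, 8): "0.9.8s",
    (1, 0, 0): "1.0.0f",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 0.9.8r 8 Feb 2011', '1.0.0e' or '0.9.8zh' into a sortable tuple.

    Pre-3.0 OpenSSL orders patch releases by a letter suffix: 0.9.8 < 0.9.8a < ...
    < 0.9.8z < 0.9.8za < 0.9.8zb. Comparing (len(suffix), suffix) keeps that order
    and lets the numeric part be compared against branch boundaries as integers.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def is_vulnerable_cve_2011_4576(text):
    """True if the reported OpenSSL build predates the fix on its release branch."""
    version = parse_openssl_version(text)
    branch = version[:3]
    if branch in FIXED_IN:
        return version < parse_openssl_version(FIXED_IN[branch])
    # Anything older than 0.9.8 never received the fix; 1.0.1+ shipped with it (assumption).
    return branch < (1, 0, 0)


def triage(version_strings):
    """Map each reported version string to 'vulnerable' or 'fixed'."""
    return {v: ("vulnerable" if is_vulnerable_cve_2011_4576(v) else "fixed")
            for v in version_strings}


if __name__ == "__main__":
    # Constructed inventory strings, not output from any real system.
    inventory = ["OpenSSL 0.9.8r 8 Feb 2011", "OpenSSL 0.9.8s 4 Jan 2012",
                 "OpenSSL 1.0.0e 6 Sep 2011", "OpenSSL 1.0.1c 10 May 2012"]
    for version, status in triage(inventory).items():
        print("%-30s %s" % (version, status))
```

The same tuple comparison applies to the ASN1 BIO fixes (CVE-2012-2110 and CVE-2012-2131) once you substitute their fixed releases into FIXED_IN; the parser does not change.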
Resolved Issues in SGOS 6.2.10.1
Access Logging
Uploads of access logs no longer fail when either encryption or signing are on. (B#175382, SR 2-454418982, 2-461083052)
ADN
After a restart, if ADN is enabled, the Management Console may become unresponsive and the event log may fill up with "Mdf_Writeable_stream_handles - deleting master file" messages due to a rare timing issue. With this fix, when this problem occurs, ADN is disabled and the byte cache is cleared. The health monitoring status changes to Critical. If this occurs, you must reboot the ProxySG appliance. (B#176281, SR 2-468549258)

The Management Console now shows "ADN operationally disabled--reboot required" when ADN has been operationally disabled due to an error, and the health state shows as Critical. Previously, the health state showed as OK in this situation. (B#176901)
Authentication
After issuing the security transparent-proxy-auth meta-refresh enable CLI command, some Flash videos stopped working. This issue has been fixed. (B#173093, SR 2-381785352)

The ProxySG appliance intermittently disconnected from BCAAA after receiving some unexpected link type errors in the event log. This issue has been fixed. (B#177114, SR 2-475881022, 2-476102722, 2-478037922, 2-481457752)
Cache Engine
Running the disk decrease-object-limit or disk increase-object-limit CLI commands while traffic is passing through the system no longer causes the appliance to reboot. (B#165555)

Fixed the intermittent ProxySG appliance restart that sometimes occurred while viewing the cache listing in the advanced URL. (B#172848, SR 2-454002162)
CIFS Proxy
Fixed an issue whereby occasionally the CIFS proxy would fail to detect that a file had been updated locally on the server and would serve a stale version of the file from cache. (B#176496, SR 2-480061458) When processing large CIFS directories (100K+ files), it was possible for the ProxySG to consume a lot of CPU time, eventually causing the ProxySG appliance to reboot. This issue has been fixed. (B#176279, SR 2-467948433)
Due to the way Excel handles shared workbooks, it is possible for the contents of the workbook to have changed without the LastWriteTime for the file being updated. If this happens external to the ProxySG, then, upon next opening the file, the ProxySG has no means to determine that the contents have changed. In previous SGOS versions, the ProxySG either served a stale version from its cache or the file got corrupted. In SGOS 6.2.10.1, when determining whether a cached file is still fresh, the ProxySG now checks LastChangeTime in addition to LastWriteTime and Filesize, ensuring that stale files are not served from the cache. This applies to all files, not just Excel. (B#176424, SR 2-472230152)

Shutting down an active print spooler no longer causes the ProxySG to reboot. (B#177676)
CLI Consoles
If the word "inline" was present anywhere in the policy, the VPM-XML text editor in the Management Console was not populated with the XML policy installed on the ProxySG. This issue has been fixed. (B#176471, SR 2-467934282)

After performing a major upgrade (for example, from SGOS 5.5 to 6.2.10), the SSH host pair key is now displayed in the Management Console and in the #show config output. In addition, previously configured client keys are properly recognized and used during SSH connections. (B#177591, SR 2-478917202)
Diagnostic Tools
Fixed restart with signature: HWE:0x0, SWE:0x810002, PFLA:0x0, Process group: "PG_DIAGS" Process: "Stats Worker - context" in "" at .text+0x0. (B#174609, SR 2-453261857)
Director
Director can now push overlays to SG8100s during heavy network load. (B#176321, SR 2-461230492)
FTP Proxy
Fixed the issue with the connection between the downstream FTP proxy and the upstream FTP proxy timing out before a scan is complete. (B#174718, SR 2-421093162)
HTTP Proxy
The ProxySG now is able to rewrite URLs located in conditional HTML comments, such as:
<!--[if IE 7.0]><img src="http://internal-web-server/ image.jpg"><![endif]-->
(B#168554, SR 2-409713042)
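The conditional-comment case above illustrates why a reverse proxy's URL rewriter cannot treat everything between <!-- and --> as opaque: to Internet Explorer, a downlevel-hidden conditional comment is live markup, so an unrewritten internal hostname inside it is sent to the client and the image fails to load. The following is an added example, not SGOS code: a minimal rewriter that maps internal URL prefixes to external ones in src, href and action attributes, both in normal markup and inside <!--[if ...]> ... <![endif]--> blocks, while leaving ordinary comments untouched. The rewrite_conditional_comments=False path reproduces the pre-fix behaviour for comparison. The internal hostname, the external hostname and the mapping table are constructed for illustration.

```python
import re

# Any <!-- ... --> block (non-greedy; a conditional comment whose body itself
# contains a normal comment would end early, a limitation accepted in this example).
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
# Downlevel-hidden conditional comment: <!--[if IE 7.0]> body <![endif]-->
COND_COMMENT_RE = re.compile(r"^(<!--\[if [^\]]*\]>)(.*)(<!\[endif\]-->)$", re.DOTALL)
# Quoted URL-bearing attributes; unquoted attribute values are out of scope here.
ATTR_URL_RE = re.compile(r"""(\b(?:src|href|action)\s*=\s*)(["'])(.*?)\2""",
                         re.IGNORECASE | re.DOTALL)


def rewrite_urls(html, mapping, rewrite_conditional_comments=True):
    """Rewrite internal URL prefixes to external ones in src/href/action attributes.

    mapping: {internal_prefix: external_prefix}. Ordinary comments are left as they
    are. With rewrite_conditional_comments=True the body of an IE conditional
    comment is rewritten like any other markup, because IE renders it; with False
    it is treated as an opaque comment (the behaviour the release notes describe
    as fixed).
    """
    def rewrite_attr(match):
        prefix, quote, url = match.groups()
        for internal, external in mapping.items():
            if url.startswith(internal):
                url = external + url[len(internal):]
                break
        return prefix + quote + url + quote

    def rewrite_markup(segment):
        return ATTR_URL_RE.sub(rewrite_attr, segment)

    out = []
    pos = 0
    for comment in COMMENT_RE.finditer(html):
        out.append(rewrite_markup(html[pos:comment.start()]))
        cond = COND_COMMENT_RE.match(comment.group(0))
        if cond and rewrite_conditional_comments:
            open_tag, body, close_tag = cond.groups()
            out.append(open_tag + rewrite_markup(body) + close_tag)
        else:
            out.append(comment.group(0))
        pos = comment.end()
    out.append(rewrite_markup(html[pos:]))
    return "".join(out)


# Constructed sample: the internal hostname and the mapping are made up.
MAPPING = {"http://internal-web-server/": "https://www.example.com/"}
SAMPLE_HTML = (
    '<a href="http://internal-web-server/docs/">Docs</a>\n'
    '<!-- href="http://internal-web-server/hidden" is a real comment -->\n'
    '<!--[if IE 7.0]><img src="http://internal-web-server/image.jpg"><![endif]-->\n'
)

if __name__ == "__main__":
    print(rewrite_urls(SAMPLE_HTML, MAPPING))
```

A production rewriter would work on a tokenised HTML stream rather than regular expressions, but the structural point is the same: the decision of what counts as a comment has to match what the client's parser will do, not what the HTML grammar says.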
Fixed the ProxySG restart issue that occurred in the following scenario: the HTTP response had a large number of headers, ICAP response mode scanning was enabled on the ProxySG, the ICAP server returned ICAP_REPLACEMENT_REQUIRED with a modified response with the same large number (> 128) of header fields, and the same object was accessed twice. The restart occurred when the ProxySG tried to serve the object from cache. (B#170748, SR 2-420531855, 2-473964502, 2-478553192)

Fixed the intermittent corruption of cache objects that occurred when doing a multi-block read ahead. (B#174681, SR 2-444437822)

Exception pages now display in explicit deployments where the SSL proxy is set to intercept all traffic. Previously, generic browser error pages displayed. (B#174752)

It is now possible to access HTTPS sites with http.response.apparent_data_type and malware scanning policy in explicit deployments. (B#175814, SR 2-455371601, 2-464087217, 2-465910371, 2-470385027, 2-470957362)

Objects are no longer served from the cache after the Cache-Control: max-age= value expires. (B#176173, SR 2-466163771, 2-481129901)

Note: As part of this fix, the CLI option http strict-expiration serve is always enabled. If you disable the setting, an "ok" displays indicating the configuration is set, but it has no effect.
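The max-age fix and the strict-expiration note above concern a freshness decision that is easy to get subtly wrong: the proxy has to combine the origin's Cache-Control, Expires and Date headers with any upstream Age header and its own residence time before it can say whether an object may be served without revalidation. The following is an added example, not SGOS code: it implements that calculation along the lines of RFC 7234 using POSIX timestamps, and contrasts a strict cache (never serve once the freshness lifetime has elapsed, the behaviour the note describes as always enabled) with a lenient one whose stale_tolerance is an assumed parameter for contrast, not an SGOS setting. The sample headers are constructed.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime


def _http_date(value):
    """Parse an HTTP-date ('Mon, 10 Dec 2012 12:00:00 GMT') into a POSIX timestamp."""
    parsed = parsedate_to_datetime(value)       # raises on unparsable input
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.timestamp()


def _parse_cache_control(value):
    """'max-age=300, must-revalidate' -> {'max-age': '300', 'must-revalidate': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, argument = part.partition("=")
            directives[name.strip().lower()] = argument.strip().strip('"') if argument else None
    return directives


def freshness_lifetime(headers, heuristic_fraction=0.1, heuristic_cap=86400):
    """Seconds the response may be served without revalidation (RFC 7234 section 4.2.1).

    Precedence for a shared cache: s-maxage, then max-age, then Expires minus Date.
    With none of those, a heuristic fraction of the time since Last-Modified is used.
    Returns (lifetime, explicit) so callers can tell an explicit lifetime from a guess.
    """
    h = {name.lower(): value for name, value in headers.items()}
    directives = _parse_cache_control(h.get("cache-control", ""))
    for key in ("s-maxage", "max-age"):
        value = directives.get(key)
        if value is not None and value.isdigit():
            return int(value), True
    if "expires" in h and "date" in h:
        try:
            return max(0, int(_http_date(h["expires"]) - _http_date(h["date"]))), True
        except (TypeError, ValueError):
            return 0, True                      # an invalid Expires means already stale
    if "last-modified" in h and "date" in h:
        since_modified = max(0.0, _http_date(h["date"]) - _http_date(h["last-modified"]))
        return int(min(since_modified * heuristic_fraction, heuristic_cap)), False
    return 0, False


def current_age(headers, stored_at, now):
    """Age in seconds at 'now' of a response stored at 'stored_at' (RFC 7234 4.2.3, simplified).

    Takes the larger of the upstream Age header and the apparent age (stored_at minus
    Date), plus the time resident in this cache. Request latency is ignored here.
    """
    h = {name.lower(): value for name, value in headers.items()}
    age_value = h.get("age", "0")
    age_header = int(age_value) if age_value.isdigit() else 0
    apparent_age = max(0.0, stored_at - _http_date(h["date"])) if "date" in h else 0.0
    return max(age_header, apparent_age) + (now - stored_at)


def may_serve_from_cache(headers, stored_at, now, strict_expiration=True, stale_tolerance=0):
    """Decide whether a cached response can be served without revalidating with the origin.

    strict_expiration=True: never serve once the freshness lifetime has elapsed, the
    behaviour the release notes describe as always enabled from 6.2.10.1.
    strict_expiration=False: a lenient cache that tolerates stale_tolerance seconds of
    staleness (an assumed parameter for contrast, not an SGOS setting).
    """
    lifetime, _explicit = freshness_lifetime(headers)
    age = current_age(headers, stored_at, now)
    if age <= lifetime:
        return True
    return (not strict_expiration) and (age - lifetime) <= stale_tolerance


# Constructed sample response headers; STORED_AT is the moment the cache received them.
SAMPLE_HEADERS = {
    "Date": "Mon, 10 Dec 2012 12:00:00 GMT",
    "Cache-Control": "max-age=300",
    "Last-Modified": "Mon, 03 Dec 2012 12:00:00 GMT",
}
STORED_AT = _http_date(SAMPLE_HEADERS["Date"])

if __name__ == "__main__":
    for elapsed in (200, 301):
        print(elapsed, may_serve_from_cache(SAMPLE_HEADERS, STORED_AT, STORED_AT + elapsed))
```

The heuristic branch is where a proxy most often serves content longer than the origin intended, which is why the function reports whether the lifetime was explicit: a cache that logs that flag can tell an operator which hits were served on a guess.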
When apparent data type was used in policy, EXE files needed to be cached to match the rule to deny. With this fix, EXE files do not need to be cached for the policy to work properly. (B#176800, SR 2-467166795)

Fixed an error condition where the ProxySG incorrectly sent a 503 response to its clients. This happened in a corner case in which an ICAP action (decided while sending a request to the server) was changed due to a policy action on the server response. (B#177214, SR 2-472845982)
MAPI Proxy
Fixed software restart at 0x810002 in Process group: "PG_MAPI" Process: "rpc.13364/10.227.0.5:3164" when a MAPI client sends a MAPI RPC Bind without an authentication header. (B#176430, SR 2-469130302)

Fixed ProxySG restart with software watchdog in PG_MAPI, Process: "rpc.620/10.181.72.47:1926" in "libbinmsg.so" in the case where fragmented RPC messages were causing slow message decompression. (B#176587, SR 2-471551310)

Fixed an issue with intermittent MS Outlook disconnections from Exchange 2010 occurring with file attachments that caused Outlook to generate an RPC fragment on a 4KB boundary. (B#177167, SR 2-471636242)

During certain network outages, Outlook clients could cause the ProxySG to leak memory. This issue has been fixed. (B#177442, SR 2-477532302)
Policy
Policy traces now show authentication information only if it was requested for the current transaction. Formerly, they would share the authentication information from a prior transaction in the session if authentication was not requested for the current transaction. (B#175660, SR 2-453221962)

In a transparent deployment, when "Intercept on exception" was triggered for a request and a custom exception page was to be served, the category variable was not displayed in the exception page to the client; the ProxySG displayed an exception page with "category unavailable". This fix allows the exception page variables $(cs-categories) and $(cs-category) to be displayed properly. (B#174471, SR 2-431555691)
ProxyClient
Previously, when the Client Manager was enabled, the ProxySG was not able to restart after entering restart regular. This issue has been resolved. (B#173781, SR 2-436511661, 2-454263192)

ProxyClient download links now work with clients running Microsoft security patch KB2585542. (B#175910, SR 2-452814412)

The maximum disk space for caching (max-cache-disk-percent) can now be configured on MACH5 Edition; previously, it was configurable only on Proxy Edition. (B#177339, SR 2-478770302)
Proxy Forwarding
If you modified the SOCKS gateway to an invalid host address using the Configuration > Forwarding > Install SOCKS Gateway File > Install SOCKS Gateway file from: [Text Editor] command, the health check did not fail in previous versions because the old host address was probed instead of the new one. This issue has been fixed in SGOS 6.2.10.1: the health check now probes the newly configured host address. (B#177022, SR 2-475408132)
SSL Proxy
In previous versions, SGOS did not forward the Server Name (SNI) TLS extension to the original content server (OCS). A server that hosts several certificates on one address uses SNI to select which certificate to present, so without it the Subject common name in the certificate presented by the OCS sometimes did not match the URL hostname at the client browser, resulting in a hostname mismatch error in the client browser and termination of the connection. This issue has been fixed in SGOS 6.2.10.1. (B#172292, SR 2-432663601)
When both the intermediate and server certificates on an SSL server were expired, and the traffic was being intercepted or tunneled, repeated access to that website sometimes led to the ProxySG restarting at 0x810002 in Process: "SSLW 68AA27180" in "libcrypto.exe.so". This issue has been fixed. (B#176665, SR 2-470226052, 2-471170772, 2-474485002, 2-475763562, 2-476889427, 2-478447861, 2-478875212, 2-478989780, 2-482126228, 2-482877128)
Fixed the memory leak that occurred when OCSP was configured to use the OCSP responder URL from the certificate. (B#177061)
In previous versions, the SSL certificate cache did not remove expired certificates if they were being accessed continually. When an OCS replaced its expired certificate with a new valid one, the ProxySG did not refresh its certificate cache with the new certificate unless the server was not accessed for two hours (the internal cache timeout value). With this fix, the ProxySG compares the cached OCS certificate against the certificate presented by the peer during the initial handshake; if they differ, the ProxySG deletes the cached certificate. (B#172574, SR 2-485700069)
Storage
Fixed software restart at 0x56 in Process group: "PG_IDLER" in Process: "idler 0" in "kernel.exe" due to a reset of the Adaptec chip. It is recommended to make sure that drives are well seated and to check the SCSI cable on the Adaptec card. (B#174082, SR 2-444072642 2-465357702)
Fixed the ProxySG restart that occurred under the following conditions: RIP was enabled, there were RIP routes in the RIP routing table, a host route (with netmask 255.255.255.255) was configured on the ProxySG, and there were many TCP retransmissions on this host route (due to packet loss, latency, etc.). (B#176158, SR 2-473880468)
It is no longer necessary to reboot the ProxySG for a new WCCP mask-value to take effect. (B#176221, SR 2-468349332)
On the SG 9000, the fail-open bridge setting for passthru-0 is now shown in the configuration archive. (B#177075, SR 2-476408302)
When Spanning Tree is involved, software bridge failover to the second bridge took too long to occur. (B#175651, SR 2-447276202)
Authentication
When Domain Controller Querying for SSO is enabled, BCAAA fails to associate IP addresses with user names, and configuration errors are reported to end users.
Workaround: Add the host record for the decommissioned Domain Controller (DC) back into DNS. The corresponding IP address doesn't have to belong to a live system. If BCAAA fails to connect to the IP address, it marks the DC as offline and continues to monitor the other DCs for the domain.
HTTP Proxy
Performing a test against www.yahoo.com (test http get www.yahoo.com) always fails with the errors "% Error receiving from localhost HTTP proxy" and "% HTTP get test failed". This does not occur with other websites. (B#177206, SR 2-482034528) Fixed in SGOS 6.2.11.2.
When an HTTP link points to a file served with Content-type: video/x-ms-asf but the content returned is an XML file, a transformation error prevents users from browsing certain websites through the ProxySG. (B#178036, SR 2-481859203) Fixed in SGOS 6.2.11.2.
The ProxySG reboots in the rare situation when the field content in the HTML meta-tag parser is non-empty but contains only characters that are normally ignored (spaces, single and double quotes), and the area in memory immediately before the buffer happens to also hold one of those characters. (B#178057, SR 2-484593242) Fixed in SGOS 6.2.10.3.
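The meta-tag parser restart described above matches a common C trim-loop defect: a scan that steps backward over ignorable bytes with no lower bound, so a field made up only of spaces and quotes runs off the front of its buffer, and if the byte before the buffer is also ignorable the scan keeps going. The following C is an added illustration of that pattern next to its fix; it is not SGOS code, the release note does not show the real parser, and the function names, the set of ignored characters and the constructed memory image (in which the byte just before the field is a double quote) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes the field parser treats as insignificant (assumed set). */
static bool is_ignored(char c)
{
    return c == ' ' || c == '\'' || c == '"';
}

/* Buggy pattern: strips trailing ignorable bytes by walking backward from
 * the end of the field, but never checks that it is still inside the field.
 * When every byte is ignorable the loop reads buf[-1]; if that byte is also
 * ignorable it keeps going. Returns the trimmed length as a signed value so
 * the underflow is visible (negative = the scan ran off the front). */
ptrdiff_t trim_trailing_buggy(const char *buf, size_t len)
{
    const char *end = buf + len;
    while (is_ignored(end[-1]))      /* missing `end > buf` guard */
        end--;
    return end - buf;
}

/* Fixed: the lower bound is checked before each byte is read. */
ptrdiff_t trim_trailing_fixed(const char *buf, size_t len)
{
    const char *end = buf + len;
    while (end > buf && is_ignored(end[-1]))
        end--;
    return end - buf;
}

/* Constructed memory image: the field is the 5 bytes " ''  " and the byte
 * immediately before it is a double quote, as in the failure case above.
 * Embedding the field inside a larger array keeps the buggy read within an
 * object we own, so the effect can be observed without a real crash. */
static const char memory[] = "x\" ''  ";
#define FIELD     (memory + 2)
#define FIELD_LEN 5

ptrdiff_t demo_buggy(void) { return trim_trailing_buggy(FIELD, FIELD_LEN); }
ptrdiff_t demo_fixed(void) { return trim_trailing_fixed(FIELD, FIELD_LEN); }

int main(void)
{
    printf("buggy trimmed length: %td\n", demo_buggy()); /* -1: read past the start */
    printf("fixed trimmed length: %td\n", demo_fixed()); /* 0 */
    return 0;
}
```

On the appliance the byte before the buffer is whatever the allocator left there, so the same input crashes or not depending on heap layout, which is why the note calls the situation rare.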
Management Console
The latest Java update (version 7) causes issues in the ProxySG Management Console. For example, the services on the Configuration > Services > Proxy Services tab do not display and cannot be edited. (B#178391) Workaround: Do not install the latest Java update, or if you already have installed it, downgrade to an earlier version of Java.
Services
Disabling the SNMP management service via the Management Console sometimes causes the ProxySG to reboot. (B#178040, SR 2-484216742) Fixed in SGOS 6.2.11. Workaround: Disable the service using the CLI.
Sky UI
SkyUI displays the status Device Health: OK when the trial license has expired. (B#177967) Workaround: Use the Advanced Management Console, which displays the correct device health status (Critical) when a trial license is expired.
SNMP
The ProxySG sometimes fails to respond to SNMP GETs during high CPU load in TCP/IP and SNMP. (B#177240, SR 2-477554179)
"Changes in 6.2.9.1" on page 28 "Resolved Issues in SGOS 6.2.9.1" on page 28 "Known Issues in SGOS 6.2.9.1" on page 33
Changes in 6.2.9.1
This section describes changes in the SGOS 6.2.9.1 release.
Policy
Several SSL conditions and actions were available in CPL but not in the Web Access layer of the VPM. (B#174106) The following SSL conditions are now available in the VPM for the Web Access layer:
Destination: Server Certificate (host name and subject)
Source: Client Certificate (common name and subject)
These actions are now available in the VPM for the Web Access layer:
Set Client Certificate Validation
Set Server Certificate Validation
Authentication
In previous versions, the Session Monitor bin was not synchronized between a master and slave after the slave was rebooted. The following errors were reported in the Session Monitor log: "Error parsing incoming bin entry during bin transfer" and "invalid IP address type". (B#175124, SR 2-454888577)
When the LDAP server didn't return the FQDN for a user name, LDAP authentication for that user failed and the user was asked to log in again despite having entered correct credentials. With this fix, the ProxySG verifies that the name returned from the LDAP server contains only valid UTF-8 sequences before adding it to the cache. (B#175145, SR 2-455838132)
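The LDAP fix above amounts to validating the returned name as UTF-8 before it enters the cache. The following C is an added example of that check and is not SGOS code: a strict UTF-8 validator in front of a toy name cache. It goes beyond the text, which does not say which malformed sequences are rejected, by refusing truncated sequences, overlong encodings, UTF-16 surrogates and code points above U+10FFFF. The cache layout, the function names and the sample directory responses are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 check (RFC 3629): rejects stray continuation bytes,
 * truncated sequences, overlong encodings, UTF-16 surrogates and code
 * points above U+10FFFF. Returns true only if every byte is well formed. */
bool utf8_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t need = 0;      /* continuation bytes that must follow */
        uint32_t cp = 0;      /* decoded code point */
        if (b < 0x80) { i++; continue; }            /* ASCII */
        if ((b & 0xE0) == 0xC0) {                   /* 2-byte lead */
            if (b < 0xC2) return false;             /* C0/C1: always overlong */
            need = 1; cp = b & 0x1F;
        } else if ((b & 0xF0) == 0xE0) {            /* 3-byte lead */
            need = 2; cp = b & 0x0F;
        } else if ((b & 0xF8) == 0xF0) {            /* 4-byte lead */
            if (b > 0xF4) return false;             /* beyond U+10FFFF */
            need = 3; cp = b & 0x07;
        } else {
            return false;      /* continuation byte or F8..FF without a lead */
        }
        if (i + need >= len) return false;          /* truncated sequence */
        for (size_t k = 1; k <= need; k++) {
            unsigned char c = buf[i + k];
            if ((c & 0xC0) != 0x80) return false;   /* not a continuation byte */
            cp = (cp << 6) | (c & 0x3F);
        }
        if (need == 2 && cp < 0x800) return false;      /* overlong 3-byte form */
        if (need == 3 && cp < 0x10000) return false;    /* overlong 4-byte form */
        if (cp >= 0xD800 && cp <= 0xDFFF) return false; /* surrogate */
        if (cp > 0x10FFFF) return false;
        i += need + 1;
    }
    return true;
}

/* Toy stand-in for the appliance's user-name cache (assumed layout). */
#define CACHE_SLOTS 8
#define NAME_MAX    64
struct name_cache {
    char   names[CACHE_SLOTS][NAME_MAX];
    size_t count;
};

/* Mirrors the fix: a name from the directory is cached only if it is valid
 * UTF-8. Returns 1 when cached, 0 when rejected or when the cache is full. */
int cache_add_name(struct name_cache *c, const unsigned char *name, size_t len)
{
    if (len == 0 || len >= NAME_MAX || c->count >= CACHE_SLOTS) return 0;
    if (!utf8_valid(name, len)) return 0;
    memcpy(c->names[c->count], name, len);
    c->names[c->count][len] = '\0';
    c->count++;
    return 1;
}

/* Constructed directory responses: "Jörg" encoded as UTF-8, then the same
 * name as a single Latin-1 byte (0xF6), which is not valid UTF-8.
 * Returns how many of the two names were cached. */
size_t demo_cache(void)
{
    struct name_cache cache;
    memset(&cache, 0, sizeof cache);
    cache_add_name(&cache, (const unsigned char *)"J\xc3\xb6rg", 5); /* cached */
    cache_add_name(&cache, (const unsigned char *)"J\xf6rg", 4);     /* rejected */
    return cache.count;
}

int main(void)
{
    printf("names cached: %zu of 2\n", demo_cache());
    return 0;
}
```

Rejecting the entry is the right behaviour for a cache keyed by user name: a non-UTF-8 byte string would otherwise either fail to match the next login or, worse, collide with a different name once it is normalised.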
Cache Engine
If a replicated object is opened but never closed, the multi-instance object scanner no longer blocks indefinitely. This issue could prevent a disk from being re-initialized from the CLI because the scan had not completed. (B#174544)
On a drive that is exhibiting read errors, a read error that occurs while deleting an object in the cache no longer prevents new objects from being created. (B#174581, SR 2-452692675)
Fixed software restart in Process: "CEA Cache Administrator" in "" at .text+0x0 if the connection was closed while processing a multi-range request for a truncated object. (B#161115, SR 2-418627282 2-432308112 2-453628072)
CIFS Proxy
Fixed the issue where folder/file transfers sometimes failed over ADN. This occasionally occurred in an ADN deployment when copying large amounts of data (such as a 1GB file or a folder with several files exceeding 10MB in size) from a Windows XP machine. (B#173997, SR 2-444022491)
Workaround: Limit the number of requests outstanding on the server at any given time by disabling read-ahead on the branch ProxySG. Note that this may only work when copying from the server and not when copying to the server.
Fixed restart in Process "Threshold_Monitor" in "kernel_shim.dll" when the ProxySG was under memory regulation. (B#173759)
CLI Console
The ProxySG no longer restarts when the load threat-protection malwarescanning CLI command is entered without an update-path. (B#175014)
The console agent was unable to parse HTTP GET requests if the header was over 512 bytes; this happened when the URL in the GET request was over 512 bytes. With this fix, the buffer for parsing the URL out of a request was increased from 512 to 2048 bytes. (B#174725, SR 2-453533592)
In SGOS 6.2.8.1 and 6.2.8.2, choosing the Acceleration solution in the Initial Configuration Wizard did not set up a proper acceleration configuration; for instance, Client IP Reflection was disabled and the Resource Overflow action was set to drop. This issue has been fixed in the 6.2.9.1 wizard. (B#175508, SR 2-458338342)
Event Logs
In previous versions, when attack detect was enabled and a denial of service attack occurred, the event log filled up with thousands of messages, potentially overloading the ProxySG unnecessarily. With the fix in SGOS 6.2.9.1, the number of event log messages has been substantially reduced. (B#174895, SR 2-454448962)
Flash Proxy
When rejecting a connection due to a missing Flash license, the RTMP proxy was not closing the socket and the policy session, causing new connections to not be accepted. This issue has been fixed. (B#173843, SR 2-426438922) Workaround: Disable the RTMP service or install the Flash license.
Fixed ProxySG restart in Process "RTMP Live Splitter EC560EC60" in "" at .text+0x0. This only occurred when the following rare sequence of events took place for a given live stream: (B#174196, SR 2-439513592)
The filler client disconnects while all other clients are paused.
A different client, which is currently in the middle of receiving a message larger than one chunk, becomes the filler.
A new client starts playing the stream before a keyframe is reached.
Health Monitoring
The ProxySG now reports the correct health status for composite health checks. (B#174362, SR 2-441645992)
If the ProxySG detects that a disk is failing, it now reports the disk status as a warning; previously it reported the disk status as OK. (B#174715, SR 2-453261930)
HTTP Proxy
When a client request was forwarded over port 8443 (SSL) to an upstream proxy, sometimes the request was not encrypted but an encrypted alert was sent back to the client over port 80; the web browser could not parse the encrypted response. With this fix, the ProxySG will not send plain text to a secure host and will return an error to the client (gateway error for no upstream match). (B#166169, SR 2-386617899, 2-396171932) Workaround: ThreatPulse users may need to also disable the tunnel-onerror feature via the CLI.
URL rewrites now function properly after upgrades from 6.1.1.5; previously, the URL rewrite would fail when the URLs in the server response had uppercase letters and policy tried to rewrite them using rewrite_url_prefix. (B#173778, SR 2-434800392)
The ProxySG now closes the client connection when the server connection cannot be persisted. Previously, when the server wasn't the side that closed the connection, the ProxySG didn't apply the client persistence policy. As a result, the client connection stayed open and then caused the ProxySG to reuse the connection it had just closed with the server. (B#174244, SR 2-441978446)
Users no longer get a 503 Server Unavailable message when accessing their Web access server through the ProxySG. (B#175851, SR 2-462560052)
Fixed the issue in which the transformation of a web page was not performed when rewriting via reverse proxy. (B#174671)
Policy
Upgrading to SGOS 6.2.8 removed the malware scanning policy from the policy configuration, and the Enable malware scanning option could not be selected to regenerate the policy. With the fix in SGOS 6.2.9.1, the malware scanning policy is generated properly after enabling malware scanning. (B#174564)
Response x_header substitutions in a policy are now parsed correctly; the extra period that appeared during parsing is no longer added. (B#174515, SR 2-443216752)
SSL Proxy
In previous versions, when the ProxySG appliance was set to intercept on exception, bad DNS names or unavailable servers did not result in SSL interception. With this fix, the dns_unresolved_hostname exception page is displayed when a domain name cannot be resolved. (B#162625, SR 2-368355072)
When a server returned an expired intermediate CA, the ProxySG returned an expired certificate error even when the updated intermediate was in the browser-trusted CCL. The ProxySG now checks the local certificate store for a newer certificate and sets the error accordingly. (B#173305, SR 2-436738472, 2-438160182) Workaround: Disable server certificate validation with server.certificate.validate(no). This turns off certificate validation for every transaction the rule matches, so restrict the rule to the affected destination rather than applying it globally.
SSL/TLS
After upgrading to SGOS 6.2.8.1, users reported SSL untrusted certificate errors when browsing to a website using a certificate not contained within the ProxySG's local store. (B#175121, SR 2-457241262) In addition to adding a missing Verisign CA, SGOS 6.2.9.1 adds the following intermediate CAs:
VRSN_Class3_International_Server_CA_G3
DigiCert_High_Assurance_CA_3
DigiCert_High_Assurance_EV_Root_CA
Storage
Fixed the issue with write failures to Disk 2 that occurred on disk reinitialization (restore default, factory default) on an ATA drive (SG 510, SG 300, SG 600). (B#174801)
When performing a packet capture in the Management Console, the ProxySG-to-client traffic is now captured when capture filters are set. (B#174194)
When attempting to join the ProxySG to a domain, if the DNS server's SRV response did not contain additional records with the A records for the target hosts, the join domain process failed. The error returned from the ProxySG was: "A bad packet was received from a DNS server. Potentially the requested address does not exist." With this fix, the join domain process no longer fails if the SRV response does not contain additional records. (B#173836)
Fixed the slow memory leak observed when using virtual IPv6 addresses or multicast-related packets on the ProxySG. (B#173727, SR 2-438203128)
Reordered the RFC 1323 TCP options in the SYN packet sent by the ProxySG so that all servers recognize these options. With the option order previously used, a TCP error occurred on some servers. (B#175607, SR 2-462560052)
Fixed ProxySG restarts in process "tcpip_admin" in "libstack.exe.so". (B#172950, SR 2-436822463, 2-443800322, 2-463721122)
The SNMP object ipAddressIfIndex reported the wrong index under certain circumstances, for example if a physical and a virtual interface were assigned the same IP address. Because it does not make sense to report the virtual interfaces via SNMP, they are now skipped as the list of interfaces is traversed. (B#175145, SR 2-428559692)
IPv4 netmasks with more than four octets should not be installed into the ProxySG static route table. With this fix, an error is returned if the netmask is invalid (more than four octets). (B#170404, SR 2-418607571)
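The netmask check above is a plain input-validation problem. The following C is an added example and not SGOS code: a parser for a dotted-decimal IPv4 netmask that rejects anything other than exactly four octets in the range 0..255 and, going beyond the text, also rejects non-contiguous masks such as 255.0.255.0, which a static route table should never accept either. The function names and the constructed inputs are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted-decimal IPv4 netmask. Accepts only exactly four octets,
 * each 0..255, whose set bits are contiguous from the most significant bit.
 * Rejects a fifth octet ("255.255.255.255.0"), a missing octet, an octet
 * above 255, a leading or trailing dot, and masks with holes such as
 * 255.0.255.0. On success stores the mask in host byte order in *out. */
bool parse_netmask(const char *s, uint32_t *out)
{
    uint32_t mask = 0;
    int octets = 0;
    const char *p = s;

    while (*p) {
        if (!isdigit((unsigned char)*p)) return false;   /* empty octet or junk */
        unsigned long v = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned long)(*p - '0');
            p++;
            if (++digits > 3) return false;   /* four or more digits: reject early */
        }
        if (v > 255) return false;
        if (octets == 4) return false;        /* more than four octets */
        mask = (mask << 8) | (uint32_t)v;
        octets++;
        if (*p == '.') {
            p++;
            if (*p == '\0') return false;     /* trailing dot */
        } else if (*p != '\0') {
            return false;                     /* separator other than '.' */
        }
    }
    if (octets != 4) return false;            /* fewer than four octets */

    /* Contiguity: ~mask must look like 0...01...1, i.e. ~mask + 1 has no
     * bit in common with ~mask (0.0.0.0 passes because ~mask + 1 wraps to 0). */
    uint32_t inv = ~mask;
    if (inv & (inv + 1)) return false;

    *out = mask;
    return true;
}

/* Number of leading one bits, e.g. 255.255.255.0 -> 24. */
int netmask_prefix_len(uint32_t mask)
{
    int n = 0;
    while (mask & 0x80000000u) { n++; mask <<= 1; }
    return n;
}

/* Convenience wrapper: prefix length of a valid mask, or -1 when rejected. */
int netmask_check(const char *s)
{
    uint32_t m;
    return parse_netmask(s, &m) ? netmask_prefix_len(m) : -1;
}

int main(void)
{
    /* Constructed inputs: a valid mask, the five-octet form the fix rejects,
     * and a mask with a hole. */
    const char *inputs[] = { "255.255.255.0", "255.255.255.255.0", "255.0.255.0" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int plen = netmask_check(inputs[i]);
        if (plen >= 0)
            printf("%-20s ok  /%d\n", inputs[i], plen);
        else
            printf("%-20s rejected\n", inputs[i]);
    }
    return 0;
}
```

The parser deliberately refuses four-digit octets and trailing dots rather than silently truncating them; a route entry built from a half-parsed mask would match far more or far less traffic than the operator intended.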
URL Filtering
Fixed the SmartFilter issue in which incremental updates were not being performed; instead of the incremental update, the full SmartFilter database was being downloaded. (B#175148, SR 2-457458792, 2-457478602, 2-458639622)
VPM
VPM error checking has been enhanced so that an error message is displayed if you try to create a custom object that has the same name as a factory static object (for example, a URL destination object with the name 'Any'). (B#174424)
Fixed ProxySG restarts in Process "RTSP_WM_Server" when the RTSP Windows Media Server worker tried to read packets from the origin content server and the client worker simultaneously received a PAUSE. This applied to WM-RTSP. (B#163829, SR 2-451802602)
Access Logging
Uploads of access logs fail if only one of encryption or signing is enabled; if both encryption and signing are enabled, uploads do not fail. (B#175382, SR 2-454418982 2-456373117 2-461083052) Fixed in SGOS 6.2.10.1. Workaround: Disable encryption or signing, or enable both.
Authentication
The ProxySG can experience periods of high CPU every 15 minutes when it refreshes its group authorization information from LDAP, and the LDAP requests respond with referrals. (B#175898) Workaround: Use the global catalog when configuring the LDAP authorization realm. The global catalog should have the group information and will prevent referrals.
FTP Proxy
When the FTP client uploads a large file, it can take the ICAP request modification server several minutes to scan the file before the parent proxy gets to upload it to the server. This may cause the connection between the downstream FTP proxy and the upstream FTP proxy to time out before the scan is complete. A solution is to use an FTP client that supports FTP keep-alive: NOOP and PWD commands are forwarded upstream. However, the FTP proxy forwards the TYPE I command used for keep-alive to the upstream proxy only the first time; the command is not forwarded on subsequent attempts, even with a bypass_cache policy. (B#174718, SR 2-421093162) Fixed in SGOS 6.2.10.1.
Sky UI
Newer versions of Firefox (8.0.1, 10.0.2, 11.0) have issues installing the SGOS license via SkyUI over HTTPS-Console (https://sg_IP:8082/sky). Workaround: Install the license over HTTP-Console (http://sg_IP:8081/sky) or use the Advanced Management Console (https://sg_IP:8082/mgmt). (B#175719; SR 2-458324372)
"Changes in 6.2.8.1" on page 35 "Resolved Issues in SGOS 6.2.8.1" on page 35 "Known Issues in SGOS 6.2.8.1" on page 38
Changes in 6.2.8.1
This section describes changes in the SGOS 6.2.8.1 release.
Hardware Drivers
The SSL hardware-bypass CLI configuration is now persistent across ProxySG restarts. (B#173340, SR 2-416143381)
Access Logging
User names in the cs-username field are no longer appended with %00 in the access logs. (B#172052, SR 2-427177992)
ADN
The transparent ADN load balancer bypassed transparent connections from the branch because it could not find a concentrator that supported the address type of the destination address. This issue has been fixed. (B#172690)
Authentication
Fixed ProxySG restarts that sometimes occurred when SSL was configured between the ProxySG and BCAAA and responses from BCAAA were delayed. (B#172056, SR 2-416143381)
Fixed software restart at 0x810002 in Process "policy.reaper.pro" triggered by a timing issue in the nested groups feature in the LDAP realm. (B#173563, SR 2-440092352, SR 2-443407212)
When users were using QuickTime Player with proxy authentication enabled, the ProxySG inadvertently sent the BASIC credentials in the Authorization header upstream to the OCS during the RTSP SETUP exchange. The Authorization header is now stripped between the ProxySG and the OCS. (B#173116)
Fixed software restart at 0x810002 in Process "Session Monitor Bin Worker" that was due to an issue with the management of expired authentication sessions. (B#174519, SR 2-442131282, 2-452465723)
Cache Engine
Invalid block entry messages no longer appear in the Event Log after upgrading to 6.2.x. (B#172764, SR 2-433051365)
CIFS Proxy
When upgrading from SGOS 5.x to 6.x, SMB signing credentials are now displayed with "show config" after restoring a configuration backup. (B#166822, SR 2-400479742)
Microsoft Office sometimes reported issues when attempting to open previously saved files. This write-back issue has been fixed. (B#173956, SR 2-428744542)
CLI Console
After upgrading from SGOS 5.5 to 6.2 MACH5 Edition, the Threat-Protection configuration is no longer generated in the configuration archive/Sysinfo. (B#172844, SR 2-434977362)
Fixed the issue with SSH sessions staying open indefinitely and not being terminable with the kill command; this only occurred when the ProxySG was monitored by a Blue Coat Director. (B#172799, SR 2-431739524)
Fixed the issue in which the SG 9000 Management Console took 10 minutes to start after a software upgrade. (B#161196, SR 2-439446032)
The show advanced-url base64 command now generates valid base64-encoded output. (B#172810)
Flash Proxy
DSCP policy now tags native RTMP traffic and upstream RTMPT connections. (B#173593, SR 2-440358272)
Hardware Drivers
The firmware for the Cavium SSL acceleration card was updated to fix several issues that occurred when SSL acceleration was enabled. These issues included the ProxySG not responding to HTTP/HTTPS requests as well as the management console being unresponsive. (B#174024, SR 2-416143381, SR 2-429745951)
HTTP Proxy
After upgrading to 6.2.6.1, the ProxySG used the _RST suffixes (which indicate a connection reset) for cache-misses in the access log. The values are now mapped to the correct fields in the access log. (B#171947, SR 2-429763822)
Policy
Fixed the problem with high memory usage in HTTP policy evaluation that was caused by clientless sessions. (B#172678)
ProxyClient
The ProxyClient software download is now maintained on the ProxySG after an upgrade and a restart. (B#172703, SR 2-434556102)
SNMP
On SG 810 appliances, the IP address OID was reported as a 64-bit value instead of the 4-byte (32-bit) value the RFC specifies, causing SNMP monitoring to fail. This issue has been fixed. (B#172453)
SSL Proxy
Fixed ProxySG restarts in process "SSLW D3DA5190" that sometimes occurred when performing CRL checks for the certificate. (B#172680, SR 2-420860431)
In previous versions, the ProxySG event log was flooded with SSL handshake and certificate-related errors when a client or the server dropped the connection in the middle of the SSL handshake. These error messages are now logged in the SSL debug log. (B#172055, SR 2-408255562, SR 2-425204852, SR 2-432683182)
Cipher suite configuration changes are now persistent across ProxySG restarts. (B#172208)
Fixed the issue with slow Internet access caused by the ProxySG failing to resolve certain sites when recursion was enabled. This occurred when the DNS server sent a CNAME answer and the CNAME couldn't be resolved by the authoritative server. (B#172015, SR 2-416841112)
Fixed the issue in which the ProxySG sometimes caused timeouts on CIFS sessions when bypassed remote clients were accessing NetApp file servers. (B#172833)
Cache Engine
If a replicated object is opened but never closed, the multi-instance object scanner blocks indefinitely. This issue can prevent a disk from being re-initialized from the CLI because the scan has not completed. (B#174544) Fixed in SGOS 6.2.9.1.
Software restart in process "CEA Cache Administrator" at .text+0x0 if the connection is closed while processing a multi-range request for truncated objects. (B#161115, SR 2-418627282, 2-432308112) Fixed in SGOS 6.2.9.1. To prevent HTTP from accessing truncated objects in a non-sequential fashion on SGOS 6.2.8.1 and higher, set policy to check for a comma in the Range request header (a multi-range request) and bypass the cache in those cases. For example:
<proxy>
    request.header.range.regex="\," bypass_cache(yes)
CIFS Proxy
Restart in Process "Threshold_Monitor" in "kernel_shim.dll" when the ProxySG is under memory regulation. Since CIFS connections are long lived, acceptance regulation may not be effective for already existing connections. (B#173759) Fixed in SGOS 6.2.9.1. Workaround: Disable pre-fetching explicitly.
Health Check
A composite health check (for example, a Forwarding health check set to Composite) sometimes updates its health incorrectly, depending on the order it evaluates the group members. As a result, if you replace the system default health check for forwarding host with a composite check, you may break the health check for that forwarding host. This issue applies to the Management Console, not the CLI. (B#174362, SR 2-441645992) Fixed in SGOS 6.2.9.1
HTTP Proxy
The http.client.persistence(preserve) policy, which is used to prevent TCP port re-use, does not apply when the following conditions are true:
Reflect Client IP is configured
Object caching is enabled
Transparent deployment
Because the server isn't the side that closed the connection, the ProxySG doesn't apply the client persistence policy. As a result, the client connection stays open and then causes the ProxySG to re-use the connection it just closed with the server. (B#174244, SR 2-441978446) Fixed in SGOS 6.2.9.1.
URL rewrite fails to function after upgrade from 6.1.1.5 to 6.2.6.1. (B#173778, SR 2-434800392) Fixed in SGOS 6.2.9.1 Workaround: Use only lowercase in the second argument of rewrite_url_prefix (that is, the server_url_substring part) CPL gesture. For example, change:
rewrite_url_prefix "http://xyz.com/XPath1" "http://abc.com/APath2"
to
rewrite_url_prefix "http://xyz.com/XPath1" "http://abc.com/apath2"
Policy
During SSL intercept on exception, the ProxySG displays an exception page to a user where the category shows as unavailable. For example, if a user tries to go to http://porn.com, the policy denies access and an exception page displays with the web category listed. However, if the user tries to go to https://porn.com, the exception page displays but the URL category shows as unavailable. This happens because a very limited amount of information gets passed from the SSL transaction (where the block policy happens) into the subsequent HTTPS transaction (which is where the exception page gets generated and returned to the user). (B#174471, SR 2-431555691) Fixed in SGOS 6.2.10.1. Workaround: Use the pre-defined exception (content_filter_denied) for the SSL exceptions, and a user-defined exception for HTTP exceptions. In the user-defined version for HTTP, include more informative exception text with the specifically blocked category.
Several SSL conditions and actions are available in CPL but not in the VPM. (B#174106) Fixed in SGOS 6.2.9.1. SSL conditions in the <proxy> layer that aren't yet in the VPM:
server.certificate.hostname
server.certificate.subject
client.certificate.common_name
client.certificate.subject
variants)
When the SSL user-accept policy and the Notify-User policy are both in place for a particular site/URL and that site has an untrusted certificate, the user is presented with the SSL user-accept exception page; when accepted, the same page is shown again rather than moving on to the Notify-User policy. (B#173723)
After upgrading to SGOS 6.2.8, the malware scanning policy is no longer in the policy configuration, nor can the Enable malware scanning option be selected to regenerate the policy. (B#174564) Fixed in SGOS 6.2.9.1. To restore the policy, copy and paste the code found in the following Knowledge Base article: https://kb.bluecoat.com/index?page=content&id=FAQ1977
SSL Proxy
When a reverse proxy is connecting to an HTTPS server behind the ProxySG, that server must use a cipher other than DES-CBC3-MD5 or DES-CBC-MD5. These ciphers are not supported at this time. (B#174510)
When performing a packet capture in the Management Console, the ProxySG-to-client traffic is not captured if capture filters are set. (B#174194) Fixed in SGOS 6.2.9.1. Workaround: Instead of the filter
ip host <name> or ip host <ip>
use
ip host <ip> or ip host <name>
When attempting to join the ProxySG to a domain, if the DNS server's SRV response does not contain additional records with the A records for the target hosts, the join domain process fails. The error returned from the ProxySG is: "A bad packet was received from a DNS server. Potentially the requested address does not exist." (B#173836) Fixed in SGOS 6.2.9.1. Workaround: A general workaround is to use a DNS server that returns additional records in the SRV response. A MAPI-specific workaround is to not use the acceleration feature for encrypted MAPI.
Slow memory leak observed when using virtual IP6 addresses or multicast related packets on the ProxySG. (B#173727, SR 2-438203128) Fixed in SGOS 6.2.9.1
If you create a custom object that has the same name as a factory static object (for example, a URL destination object with the name 'Any'), the policy gets corrupted. Avoid creating VPM conditions or actions with the reserved VPM names, such as Any, Allow, or Deny. If your VPM gets corrupted, you will need to perform a restore-defaults keep-console and re-apply your configuration to the ProxySG. (B#174424) Fixed in SGOS 6.2.4
"Whats New in SGOS 6.2.7.2" on page 42 "Resolved Issues in SGOS 6.2.7.2" on page 42
CLI Console
Fixed an issue where the show advanced-url <URL> base64 CLI command does not generate a valid base64 encoded output. (B#172810)
HTTP Proxy
Fixed an issue where after upgrading to SGOS 6.2.6.1, the ProxySG appliance uses the _RST suffixes (which indicate a connection reset) for cache-misses in the access log. The sc-status field in the access log shows an incorrect value for many access types. (SR 2-429763822, B#171947)
When a connection is transparently intercepted by the ProxySG appliance over bridge interfaces, it sometimes opens a server connection to the OCS to fulfill the clients request. However, the MSS value within the SYN packet of the server connection may not reflect the change of the MTU value on the interface. With the wrong MSS value in the SYN packet, some sites may be inaccessible. (B#173837)
"Changes in 6.2.7.1" on page 43 "Resolved Issues SGOS 6.2.7.1" on page 44 "Known Issues in SGOS 6.2.7.1" on page 47
Changes in 6.2.7.1
This section describes important changes in the SGOS 6.2.7.1 release.
Authentication
ProxySG now supports up to 200 IWA realms; the realm limit for IWA realms has been increased from 40 to 200. Up to 40 realms of all other types continue to be supported. (B#169407)
A regex modifier has been added to the user condition in policy (user.regex=). This allows a case-sensitive regular-expression match against the full user name, which can be used to address the domain\pc-name$ issue, where background services (for example, NCSI) authenticate as domain\pc-name$. (B#172523)
Active Sessions
Fixed the issue in which the errored session statistics in Management console (Statistics > Sessions > Errored Sessions) displayed the Age attribute as zero seconds in the downloading session report. (B#171153, SR 2-421869472)
Cache Engine
Fixed the issue in which changing the refresh bandwidth allocation from the CLI disabled automatic bandwidth management until it was re-enabled or the machine was restarted. (B#167216)
Fixed the issue in which executing the disk decrease-object-limit command caused a software restart in process "RTMP VOD Cacher 6F21A7BB0" at .text+0x0 due to disk I/O errors. (B#172083, SR 2-429660731)
CIFS Proxy
Fixed software restart in process "Cache Administrator" in ce_admin.dll due to an incorrectly constructed URL. (B#168511)
Fixed the issue with the ProxySG not responding to traffic while still being accessible by SSH. (B#170892)
CLI Console
Fixed the issue in which the user was unable to view the ProxySG access log information from the appliance console using the tail-f advanced URL. This caused a memory leak in the ProxySG. (B#171933, SR 2-425271991)
FTP Proxy
Fixed the issue with Proxy-IP authentication. If the IP address has already been authenticated through some other protocol, the FTP proxy serves further requests; otherwise, it rejects all requests. This ensures that the client knows that the FTP proxy does not require proxy credentials. (B#163084)
HTTP Proxy
Fixed the issue with hardware restart in process HTTP Admin in http.dll due to a race condition and timing issues after a memory allocation failure. (B#170995)
Fixed the issue with software restart in process "HTTP CW B904CEC0" in kernel_shim.dll due to an unexpected signal sent to an HTTP client worker waiting for ICAP. (B#171128)
The @import rule allows users to import style rules from other style sheets. In a reverse proxy configuration, @import fields are not rewritten as expected (W3C CSS2). (B#171494, SR 2-222442482)
IPv6
IPv6 DNS servers now appear in the show configuration command output. (B#171041)
Management Console
Fixed the issue in which a policy trace file could not be uploaded using the send service information option. (B#169837)
Fixed the issue in which the physical IP address of the ProxySG appliance failed to display in the Existing IP drop-down list of the Add Failover Group dialog. (B#170676)
MAPI Proxy
Fixed the issue with EMAPI connections being bypassed when the domain is configured to use an alternate UPN suffix. (B#166371)
Fixed the issue in which the ProxySG appliance restarted unexpectedly when keepalive was enabled and the server rejected the Keep Alive request during a throttle condition. (B#171118)
Policy
Fixed the issue in which the ProxySG appliance failed to match the policy request.header.cookie=sslallow action.red(yes) at the CI checkpoint when apparent data type policy was present. (B#160176, SR 2-423013023)
Fixed the issue in which the ProxySG stopped responding due to a memory leak in HTTP policy evaluation and had to be restarted. (B#171056, SR 2-419348172)
Fixed the issue in which authentication-related CPL conditions (for example, user=) were not properly evaluated by the SSL intercept transaction. (B#169702, SR 2-414377182)
In the previous release, if router affinity was turned on for WCCP, the ProxySG appliance could not perform bandwidth management for server outbound traffic. This issue has been fixed: bandwidth management on server outbound traffic works when WCCP GRE and router affinity are turned on. (B#168264)
When the ProxySG appliance is unable to join an MS 2003 AD domain, the "call to Kerberos 5 failed" error message is displayed. This issue has been resolved. (B#169983)
Fixed the issue in which UDP response traffic was sent through the incorrect routing path when a static route was expanded. (B#170926)
Fixed the issue in which RIP advertisements caused the RIP table to constantly flip next default routes. (B#170743)
Fixed the issue in which the ProxySG appliance restarted in process tcpip_protocol_worker_2 when SCPS was enabled. (B#171084, SR 2-421931136, 2-424548675)
Fixed the issue in which ProxySG 9000-30/40 models restarted after 49 days of uptime due to a watchdog timeout. (B#171514, SR 2-422689592, 2-426183411)
Fixed the issue in which high latency and drop probability conditions in the WAN caused a software restart in process tcpip_admin in libstack.exe.so at .text+0x4986de. (B#172099, SR 2-434168372)
Fixed the issue with SGRP failover after upgrade to 6.2.6.1. (B#172133, SR 2-430609812)
Fixed the issue in which the ProxySG appliance restarted when features that lead to the creation of dynamic routes, such as ICMP redirects, were enabled. (B#170910)
VPM
Updated the list of browser versions used when adding a custom user agent in Policy > Add Web Access Layer. (B#169988) The following browser versions were added:
Firefox 4.x, 5.x, 6.x, 7.x
Microsoft Internet Explorer 8.x, 9.x
Opera 10.x, 11.x
Chrome 12 and lower, 13.x, 14.x, 15.x
Safari 4.x, 5.x
iPhone, iPad, iPod, Blackberry, Android, Windows Mobile
Wget 1.x
Fixed the issue in which the appliance was unable to import the request URL category object from 5.5 after upgrade to SGOS 6.2.6.1. (B#172402, SR 2-433429201)
Fixed the issue with the Windows Media advanced statistics URL (/mms/statistics) failing to show correct statistics for Current client bps - live when client throughput was more than 1.8 Gbps. (B#165694)
Access Logging
All user names in the cs-username field are appended with %00 in the access logs. (B#172052, SR 2-427177992) Fixed in SGOS 6.2.8.1
Authentication
The Management Console stops responding while viewing authentication realms if more than 40 realms of a particular type are created. Condition: This happens if more than 40 realms of the same type are created. Workaround: If you create more than 40 realms of a given type, you must manage the authentication realms with the CLI. (B#171831)
Cache Engine
Running the disk decrease-object-limit or disk increase-object-limit CLI commands while traffic is passing through the system causes the appliance to reboot; these commands should be executed on an idle system only. (B#165555) Fixed in SGOS 6.2.10.1
Software restart in process "CEA Cache Administrator" at .text+0x0 if the connection is closed while processing a multi-range request for a truncated object. (B#161115, SR 2-418627282, 2-432308112) Fixed in SGOS 6.2.9.1
CLI Consoles
The show advanced-url base64 command does not generate a valid base64 encoded output. (B#172810) Fixed in SGOS 6.2.8.1
Flash Proxy
RTMP VOD plays for 1-1.5 minutes and then stops playing. Workaround: Use TCP tunneling for the streaming video/live broadcast.
HTTP Proxy
Some requests are sent over port 8443 without being encrypted. (B#166169) Fixed in SGOS 6.2.9.1
With upgrade to 6.2.6.1, the ProxySG appliance uses the _RST suffixes (which indicate a connection reset) for cache misses in the access log. (B#171947) Fixed in SGOS 6.2.8.1
SSL Proxy
The ProxySG appliance event log is flooded with SSL handshake and certificate related errors. (B#172055, SR 2-408255562, 2-425204852) Fixed in SGOS 6.2.8.1
When the ProxySG appliance is set to intercept on exception, bad DNS names or unavailable servers do not result in SSL interception. (B#162625, SR 2-368355072) Fixed in SGOS 6.2.9.1
"Whats New in SGOS 6.2.6.1" on page 49 "Resolved Issues SGOS 6.2.6.1" on page 50 "Known Issues in SGOS 6.2.6.1" on page 56
Performance Updates
This release has optimizations to ProxySG 9000-20B performance in trial mode and when ADN is enabled.
They are replaced starting in SGOS 6.2.6 by the following commands, also in caching configuration mode:
#(config caching) refresh bandwidth {automatic | kbps}
#(config caching) no refresh
In addition, refresh bandwidth is now disabled by default. For more information, see the SGOS 6.2 Feature Change Reference.
This command enables/disables interface muting when a bridge loop is detected. Muting is enabled by default.
Active Sessions
The Active Sessions report failed to display active connections with a user-defined exception page under the following three conditions: (1) exception summaries containing characters such as < or >; (2) there are active connections for which the user has been shown the exception page with condition (1); and (3) the Active Sessions proxied connections are accessed using the Management Console or Sky UI. As a workaround, you can use the /AS/ProxiedConnections advanced URL. (B#170470, SR 2-418665157)
ADN
IPv6 addresses, if configured for the ADN Primary Manager IP, Backup Manager IP, and External VIP, are now displayed in the show configuration output. (B#167611, SR 2-405592881)
ADN is now able to retrieve device IDs when IPv6 addresses are used for ADN managers. (B#167610, SR 2-403799863)
ADN peers are now listed in the Management Console on the Statistics > ADN History tab on the branch ProxySG appliances. (B#166805, SR 2-387414632)
Authentication
Fixed software restart in process "LDAP Authorization Refresh Worker" when an LDAP realm is being removed while its authorization is being actively computed. (B#167445, SR 2-405127884, 2-422047692)
CIFS Proxy
When Remote Storage Optimization is disabled, the CIFS proxy no longer generates a large number of SMB Trans2 Find_First2 requests, which created high CPU utilization on Windows servers. As part of this fix, the behavior of the CIFS proxy was changed so that it does not attempt to prefetch directories when the directory cache time is set to 0. (B#166765)
Flash Proxy
In previous versions, Flash streams with a changing chunk size failed to load through the RTMP proxy. These Flash videos were reachable via direct Internet access, but through the proxy they returned netstream.play.streamnotfound and users could not view the video. This issue has been fixed. (B#169637, SR 2-412423002)
FTP Proxy
While going through the FTP Proxy, users no longer get denied access when trying to access an FTP server that requires a lengthy (for example, 100-character) password. (B#168074, SR 2-406735244)
The ProxySG appliance is now able to process extended passive FTP commands (such as EPSV, EPRT, PORT) with the default settings in transparent deployments. (B#165258, SR 2-393744502)
Fixed software restart in Process "FTP CW 75EED6A70" due to the server sending only a single-line response to the MLST command. (B#166756)
HTTP Proxy
Fixed the issue with Internet slowness that sometimes occurred when the bandwidth class of one OCS was applied to another OCS across transactions on a persistent connection. This slowness was observed after upgrading from SGOS version 5.4 to 6.x. (B#166764)
When two consecutive requests on the same persistent connection were resolved to different HTTPS servers using a rewrite rule, the handshake to the second server failed with SSL Certificate Hostname Mismatch (ssl_domain_invalid). This issue has been resolved. (B#167021)
In previous versions, when the HTTP client didn't specify gzip, the ProxySG returned the uncompressed object to the client but included a chunked response with chunk size 0, causing the client to RST the connection improperly. This situation no longer causes an improper reset of the connection. (B#169330)
When the request header had a Content-Length over 2 GB, the ProxySG did not forward the HTTP 201 response on large file transfers. This problem has been fixed. (B#170562)
ICAP
After an ICAP service is deleted, the ICAP statistics page no longer includes data for the deleted service. (B#168240)
IM Proxy
The im.alert() policy action can now be compiled and installed without errors. (B#170346, SR 2-418440241)
IPv6
IPv6 SGRP now works correctly when both master and slave are up during switch-over. (B#167345, SR 2-382345972)
Kernel
Fixed ProxySG appliance restarts due to a page fault at 0x483fff020 in process group "PG_OBJECT_STORE" in Process: "CEA Cache Administrator." This restart was caused by a rare internal kernel error that only happened on systems that were low on linear address space. (B#160239, SR 2-394047362, 2-404590912, 2-414166414, 2-414205452)
Management Console
In the Statistics > Resources tabs, some numbers had an extra ".0" appended to them in non-US locales. This issue has been fixed. (B#167430, SR 2-399044472)
When configuring encrypted MAPI, the Windows Domain password no longer displays in the clear in the error message if an error is encountered. (B#165412, SR 2-39481793)
The Management Console's Configuration > Network > Advanced > VIPs > New command now accepts IPv6 virtual IP addresses. (B#165010, SR 2-394068609)
The Management Console no longer becomes unresponsive when importing a configuration file archive that generates errors. (B#165872)
Fixed compatibility issues that occurred when the Management Console was run in Internet Explorer with Java 6u27. With this fix, buttons in the Management Console that open a new browser window or tab now work properly. (B#168879)
MAPI Proxy
In cases where an intercepted message fragment length was more than 8192 bytes, the MAPI Proxy dropped the connection, preventing the user from retrieving messages in Outlook 2003. This issue has been resolved. (B#168397, SR 2-398068482)
The ProxySG no longer restarts when running attachment upload protocol optimization in batching-only mode. This sometimes happened over userless connections when the proxy had not identified the user. (B#168292)
Fixed the issue with Outlook cache mode data not syncing with Exchange that occurred when the Exchange server rejected a client request during attachment upload protocol optimization, due to overload. (B#168326)
Previously, server-client throttling was not supported during attachment download optimization, and users sometimes experienced Outlook reconnects or a software restart of the ProxySG. This issue has been fixed. (B#169343)
Large attachments no longer get corrupted when cache mode and batching are both enabled. (B#170086)
Policy
Fixed rare restart in Process "PDW t=61 for=400265" when doing LDAP authentication. (B#162206, SR 2-408122422)
The ProxySG no longer stops caching large objects (greater than 1 MB) after setting the max-cache-size to 4096 MB. (B#166107)
Fixed the issue with URL rewrites for ports policy not firing with certain policy conditions: dynamic_bypass, request.filter_service, request.icap_service, request.icap_service.secure_connection, bypass_cache, check_authorization, im.strip_attachments, dns.impute, im.block_encryption, im.reflect, server.authenticate.basic, deny.unauthorized, socks.accelerate, and URL rewrite logic. (B#168561)
ProxyClient Manager
In previous versions, an archived configuration from a Mach5 licensed system sometimes contained commands that prevented the configuration from being reloaded onto the ProxySG. This could occur on a ProxySG with a MACH5 license and where a user-defined location had been created using the proxyclient locations configuration command. This is no longer an issue. (B#168198, SR 2-397650476)
Real Media
Any media player that did not identify itself via the user-agent header was rejected by the ProxySG; as a consequence, streaming with the ffmpeg player on Linux didn't work due to the lack of a user agent. The RTSP log message is 'No license for vendor 0'. After the fix, any player that does not transmit a user-agent header is enabled and communicates with the ProxySG exactly the same way a QuickTime player would. (B#169278, SR 2-413270982)
Fixed the ProxySG restart that sometimes occurred when multiple users played cacheable Real Media audio/video continuously for more than four hours, frequently pausing and playing. (B#167099)
SNMP
The ProxySG MIB files have been updated so that they are compliant with the RFC regarding capitalization. You will need to download the latest MIB for SGOS 6.2 to see these changes. (B#167441) Fixed in SGOS 6.2.6.1
SSL Proxy
The ProxySG appliance no longer restarts when a race condition occurs as two users access the same website. (B#167414, SR 2-392837381, 2-408244442, 2-408427372)
The Watchdog timer does not expire while generating 2K keys. (B#166077)
When the ProxySG appliance was inline between the MPLS router and a Checkpoint firewall, the VRRP multicast traffic between the Checkpoint firewalls did not work because VRRPE packets caused a bridge loop, resulting in interface muting. Checkpoint firewalls can now establish VRRP. (B#169568, SR 2-410619992)
Fixed restart in process tcpip_admin due to an HTTP client trying to access a closed reference to a server socket. (B#168313, SR 2-408146882)
Fixed page fault in process tcpip_admin during a read timeout on a BDC connection. (B#163279, SR 2-386312064, 2-397072292)
The ProxySG reported Bridge_Looped detected and muted one of the bridge interfaces, causing a network outage. This fix adds a new bridge CLI command:
#(config bridge bridgename) mute-on-loop {enable | disable}
Mute-on-loop is enabled by default. Information about detecting a bridge loop appears in the event log. (B#165582)
Validity checking was added to prevent an invalid netmask from being installed into the static route table with the inline static-route-table CLI command. (B#166768)
Fixed the issue in which IPv6 DNS queries were still sent after setting IPv4-only policy. (B#166802)
When the ProxySG was configured with an NTP server that belonged to an NTP server pool, where one NTP domain could have multiple IP addresses, the following NTP error was logged even though the NTP server was reachable from the ProxySG: NTP: Response received from wrong NTP Server. This error no longer appears in this situation. (B#167010)
Fixed software restart in Process "libnet_admin" when a DNS resolution fails with a name error. (B#167718)
Fixed the issue in which the interface-based host route used by WCCP for an off-net home router IP would be permanently marked as down if ARP resolution for that IP was not successful after several attempts. (B#167824)
Client traffic no longer gets blocked when the IP address of an interface that connects to the access logging network is changed. (B#170197)
URL Filtering
Fixed the issue with a ProxySG restart when two or more workers had just been categorized using BCWF and an attempt was made to release a lock. (B#169429, SR 2-413284582)
Updated the SmartFilter look-up to allow look-ups of URLs in the .xxx domain. (B#167628)
VPM
Improved the usability of the Select All functionality in the URL Application Name and URL Operation VPM object dialogs. When you filter the list of applications or operations and choose Select All, only the items on the filtered list are selected, as one would expect. (B#165731, SR 2-390798162)
Fixed the issue with media streams failing to play via the Microsoft Silverlight plug-in. (B#168114)
Windows Media live streaming sessions no longer get blocked when Retry_play is issued to the server. (B#169212)
Active Sessions
The errored session statistics displayed in the Management Console (Statistics > Sessions > Errored Sessions) have an Age value that is always set to zero. (B#171153, SR 2-421869472) Fixed in SGOS 6.2.7.1
CIFS Proxy
Using a Windows 2008 server that doesn't have SMB signing enabled and uses Access Based Enumeration permissions may cause issues with the CIFS directory caching. (B#166062, SR 2-388049254)
Management Console
The physical IP address of the ProxySG does not show up in the Existing IP drop-down list of the Add Failover Group dialog. The workaround is to use the CLI to add the physical IP address of the ProxySG to a failover group. (B#170676, SR 2-417719352) Fixed in SGOS 6.2.7.1
Windows Scaling works differently for SGOS 5.3.3.1 and 6.2.4.1 when using RFC 1323. (B#170918, SR 2-417925602)
If router affinity is turned on for WCCP, the ProxySG cannot perform bandwidth management (BWM) for server outbound traffic. BWM fails only when the ProxySG is configured with WCCP and Router Affinity together, without any prior WCCP configuration. (B#168264, SR 2-402456763) Fixed in SGOS 6.2.7.1
The ProxySG may restart in Process "tcpip_protocol_worker_2" when SCPS is enabled. (B#171084, SR 2-421931136) Fixed in SGOS 6.2.7.1
"Whats New in SGOS 6.2.5.1" on page 57 "Resolved Issues SGOS 6.2.5.1" on page 57 "Known Issues in SGOS 6.2.5.1" on page 59
Access Logging
A memory leak in access logging caused access log upload with FTP to fail after some time. (B#167045, SR 2-402757283)
Cache Engine
No core was produced when a no valid master disk error occurred. (B#164670, SR 392495372)
Software restart at 0x810002 in Process group: "PG_OBJECT_STORE" in Process: "CEA Cache Administrator" because of erroneous object access.
Problem when searching for the largest objects on disk when the hard drive was full. (B#168260, SR 2-408757009)
CIFS Proxy
"CIFS::Worker: Connection 27119 (running)" returned from server because of negative filename length. (B#166819, SR#2-394446672)
CLI Consoles
SSH Host and client keys were not retained when upgrading from SGOS 5.5.x to SGOS 6.x. This caused proxies to become disconnected from Director. The only way to reconnect the proxy to Director was to re-add it to Director. (B#162779)
Flash Proxy
Restart in Process: "RTMP::Admin" when simultaneous RTMP connections were open to the same video. (B#167353, SR 2-396998207)
Adobe stream failed to load through the RTMP proxy. Adobe Connect sends play requests (for non-audio/non-video streams) with the parameter Reset=2 or 3, and the application broke if the server did not accept that parameter value. Previously, only true and false values were supported. Values 2 and 3 are now supported (which add the additional bit ignore timestamps). (B#167409)
HTTP Proxy
Client Worker counts increased when form-based authentication is enabled. An infinite loop caused large CE objects to be created, resulting in disk space starvation. (B#167481, SR 2-402015388)
ICAP
When using ProxyAV with Response Modification and a client sent a POST to the ProxySG appliance with the header "Expect: 100-Continue", the appliance returned a 100, and the client sent the XML-based POST data. When the ProxySG appliance forwarded the request to the OCS and received a 200 OK response, the appliance immediately returned to the client a 503 ICAP error. (B#164753, SR 2-386873622, 2-402187602, 2-404986482)
IM Proxy
MSN IM: Software restart at 0x810002 in Process: "MSN IM Worker 120D9D020" with MSN version 7.0 and 7.5. (B#164443, SR 2-388366622)
MAPI Proxy
A memory leak in EP Mapper caused memory pressure on the ProxySG appliance. (B#166551, SR 2-3858734, 2-400023611)
Editing a restricted intercept list caused the setting to switch to Use proxy when enabled. (B#166135, SR 2-39077617)
Policy
when the referrer header length was more than 64K. (B#165837, SR 2-397078152, 403558171)
A software restart in Process "tcpip_admin" because of a fragmented SYN packet with the TCP option (or part of it) in the second fragment. (B#166596)
When the TCP/IP window size is large (4m), CPU usage for TCP/IP in an ADN deployment was not optimal. (B#166780, SR 2-400343947)
SNMP did not work if the response passed through bridge ports, because of the dynamic rules created while bypassing the redirect packet. (B#167429)
Software restart at 0x230000 in Process "RTSP_WM_Dispatcher", specific to the implementation of Windows Media Server, where the server returned the whole file instead of metadata for a DESCRIBE WM-HTTP request and there is policy to deny streaming content. (B#166185, SR 2-398722742)
SSL
SSL Proxy: Restart in Process "HTTP CW 51D71B50" in "kernel.exe" under stress conditions with SSL Proxy interception turned on. (B#161392, SR 2378858702, 2-379294372, 2-388001572, 2-393606452, 2393846926, 2-406191482)
ADN
ADN was unable to retrieve device IDs when IPv6 addresses are used for ADN managers. (B#167610, SR 2-403799863) Fixed in SGOS 6.2.6.1
IPv6 configurations for ADN Primary Manager IP, Backup Manager IP and External VIP do not display in show configuration output. (B#167611, SR 2-405592881) Fixed in SGOS 6.2.6.1
Reduction of the amount of memory reserved for ADN management for 210, 300-5/10, 810-5 and 9000-10 platforms is needed to reduce the risk of memory regulation. (B#165749)
Authentication
ProxySG appliance restarts at 0x810002 in Process: "LDAP Authorization Refresh Worker" when an LDAP realm is being removed while its authorization is actively computed. (B#167445, SR 2-405127884) Fixed in SGOS 6.2.6.1
Client Manager
Archived configuration from a Mach5 licensed system might contain commands that prevent the configuration from being reloaded onto the ProxySG appliance. This can occur on an appliance with a MACH5 license and where a user-defined location has been created using the proxy-client locations configuration command. (B#168198, SR 2-397650476) Fixed in SGOS 6.2.6.1
FTP Proxy
In a transparent deployment the ProxySG appliance fails to process extended passive FTP commands (EPSV, EPRT, PORT, and so on) with default settings. The ftp.match_client_data_ip(yes) policy rule is the default. EPSV works in an explicit configuration. (B#165258, SR 2-393744502) Fixed in SGOS 6.2.6.1
While going through the FTP Proxy, the user is denied access when trying to access an FTP server that requires a 100-character password. (B#168074, SR 2406735244) Fixed in SGOS 6.2.6.1
Kernel
ProxySG appliance restarts because of a page fault at 0x483fff020 in process group "PG_OBJECT_STORE" in Process: "CEA Cache Administrator", caused by a rare internal kernel error that only happens on 32-bit systems that are low on linear address space. (B#160239, SR 2-39047362) Fixed in SGOS 6.2.6.1
MC Legacy
Management Console does not accept virtual IPv6 addresses, but the CLI works fine. (B#165010, SR 2-394068609) Fixed in SGOS 6.2.6.1
When configuring encrypted MAPI, if an error is encountered the Windows Domain password displays in the clear in the error message. (B#165412, SR 2-39481793) Fixed in SGOS 6.2.6.1
Serviceability
Boot: There are no warnings on image load and information to sysinfo indicating the platform version of code loaded on the system. (B#165672, SR# 2-371493702)
SNMP
MIB files are not compliant with the RFC regarding capitalization. (B#167441) Fixed in SGOS 6.2.6.1
SSL
The ProxySG appliance occasionally restarts due to a race condition occurring when two users access the same website and one is tunneled and the other is intercepted. (B#167414, SR 2-392837381, 2-408427372) Fixed in SGOS 6.2.6.1
High memory consumption causing random client application failures (leaks seem to be in SSL) on SGOS 6.2.3.1. (B#166599, SR 2-396278512, 2407786582)
Invalid netmask is allowed to be installed into the static route table with the inline static-route-add command. (B#166768) Fixed in SGOS 6.2.6.1
ProxySG appliance restarts when receiving and handling fragmented and bad TCP checksum packets. (B#166770)
IPv6 DNS queries are still sent after setting IPv4-only policy. (B#166802) Fixed in SGOS 6.2.6.1
URL Filtering
SmartFilter not matching domains with the .xxx (dot triple-X) domain. (B#167628) Fixed in SGOS 6.2.6.1
VPM
The URL Application Name (or Operation) VPM object dialog Select All functionality is not intuitive. The CPL generates as expected, but the VPM displays all applications as active. It is not possible to know what was configured or intended. (B#165731) Fixed in SGOS 6.2.6.1
"Whats New in SGOS 6.2.4.1" on page 62 "Resolved Issues in SGOS 6.2.4.1" on page 63 "Known Issues in SGOS 6.2.4.1" on page 66
For more information, see the following chapters in the SGOS 6.2 Administration Guide: Using the ProxySG in an IPv6 Environment and Configuring an Application Delivery Network.
ADN
Fixed the memory leak that occurred when the SSL connection between ProxySG peers failed to establish. (B#164935, SR 2-391422482, 2-395907512)
Zip files no longer become corrupted when transferred over PASV FTP using the FTP STOR command through transparent ProxySG appliances using ADN. (B#164449, SR 2-382926552)
Authentication
Previously, domain controllers were not discovered if the Computer Browser service was disabled on Windows 2008 machines. The code in SGOS 6.2.4 has been changed so that domain controllers can be discovered regardless of the state of the Computer Browser service. (B#163269)
It is no longer necessary to reboot the ProxySG appliance or manually refresh the realm in order for the ProxySG to detect the addition of a nested group to an LDAP realm. (B#163827)
Cache Engine
If a clear cache operation was executed after installing a 6.x release, an issue present in 6.2.2.x and 6.2.3.1 could result in a loss of system and security files, causing lost configuration and connectivity issues. After upgrading, you should back up your configuration and restore the factory defaults; this re-creates any missing system files. If you are running a multi-disk system, you will be upgraded to the new disk layout. If you wish to allow downgrades to pre-6.2 builds, run the disk decrease-object-limit CLI command to convert to a disk layout that is compatible with downgrades. You should also delete the affected systems from the appliance to prevent running them by accident; use the installed-systems configuration command in the CLI to delete the system(s) with the issue. (B#163986, SR 2-388522713, SR 2-389372596, SR 2-389606862, SR 2394963012)
Fixed software restart at 0x48019 in Process group: "PG_OBJECT_STORE" and Process: "CEA Cache Administrator" due to an inconsistent state. (B#162893, SR 2-391572872, 2-394743542, 2-396401062)
CIFS Proxy
If a server disconnected before the client, the CIFS connection was sometimes orphaned. This issue has been fixed in SGOS 6.2.4. (B#160978)
Content Filtering
Fixed the issue where the ProxySG was unresponsive due to a Health Check watchdog registry deadlock while reading the internal configuration. (B#159889, SR 2-381973472, 2-382371833)
Optimized look-ups in the Websense Real Time Security Updates database. (B#165001)
Flash Proxy
Fixed the restart issue related to having multiple streams in a connection. (B#162336, SR 2-385747192)
HTTP Proxy
Fixed restart in Process: "HTTP RW 6E2CA3B50" in "libstack.exe.so" that occasionally occurred when the ProxySG could not successfully establish and open a connection with the peer. (B#163875, SR 2-381194172, 2-394953142)
Fixed intermittent issue where the ProxySG returned a 403 Policy denied exception when a redirect response was misinterpreted as a policy denied error. (B#164656)
Fixed the issue where the response.header.Location and Content-Location were incorrectly rewritten due to a URL rewrite policy error when the pattern in the policy and the matched sub-string in the URL differed in the way special characters were represented. (B#164661)
Fixed restart at 0x810002 in Process "HTTP CW 43C5FBB50" in "kernel.exe" due to a wrong boundary header value used during parsing. (B#164878, SR 2-390848905)
Policy evaluation for CPL with http.response.code statements sometimes wrongly matched the ProxySG appliance response to the client rather than the OCS response code. This issue has been fixed. (B#164907)
IPv6
The ProxySG now consistently chooses the correct source IPv6 address for outbound connections. (B#165023, SR 2-379687987)
Management Console
The default URL for the malware scanning policy update is now shown in the Management Console (Configuration > Threat Protection > Malware Scanning > Update malware scanning policy). (B#158970)
Attack detection now triggers correctly on client connection limit; the event log will now show connection denied to client due to connection limit events. (B#164518)
Policy
Fixed issue with Skype control policy not allowing a detect_protocol() action based on user information. (B#164364, SR 2-390041632)
When trying to access a URL where the domain could not be resolved, a policy that contained the condition url.host.is_private=yes would match even if the condition was irrelevant. This issue has been fixed. (B#164908)
It is no longer necessary to reboot the ProxySG after hostname updates when using SNMP. (B#163729)
SSL
Previously, you were allowed to create two CCLs with the same name as long as the upper/lower case was different, but you weren't able to delete them unless both CCLs were empty. A fix was implemented that allows you to delete these CCLs. (B#162224)
Storage
The Cache Engine now recognizes faulty disks. With this fix, the system attempts to recover the disk and marks it as bad if the recovery fails. (B#163797)
The 10GB interface did not report the correct link status in the Management Console or CLI when there was a link propagation failure. (B#161454)
When an external user connected directly to the transparent tunnel listener using the destination IP of the ProxySG, there was high CPU activity on the ProxySG. This issue has been fixed. (B#163796, SR 2-374134252, 2-387634822, 2-389634312)
VLANs now function correctly with the Intel 10GB fiber card on the SG9000. (B#163993)
Bypassed one-way connections that go idle for extended periods are no longer dropped when reused. (B#164411, SR 2-381203882)
Changed the distribution algorithm used for WCCP mask assignment so that it more evenly distributes the remainder across the caches. (B#164475)
Fixed issue with improperly closed TCP sessions between the base level proxies and the upstream gateway proxies. The ProxySG was sending TCP retransmissions for non-acknowledged packets even after it had finished the connection. (B#164488)
Increased the maximum allowed size of the WCCP configuration so that WCCP settings don't get lost after reboot. (B#164904)
Comments are now saved in the VPM Layer Guard without having to click back into a field within the layer guard. (B#163747)
The VPM no longer generates incorrect policy that blocks an entire category if a category is selected but not some of its sub-categories. (B#163851)
Cache Engine
Running the disk decrease-object-limit or disk increase-object-limit CLI commands while traffic is passing through the system causes the appliance to reboot; this command should be executed on an idle system only. (B#165555)
Content Filtering
You cannot currently create policy for Mobile Gmail operations (such as Upload Attachment). (B#165727, SR 2-390168522)
FTP Proxy
The ProxySG fails to process extended passive FTP commands (EPSV, EPRT, PORT, and so forth). (B#165258, SR 2-393744502) Fixed in SGOS 6.2.6.1
ICAP
When using the ProxyAV with response modification and a client sends a POST to the ProxySG with the header Expect: 100-Continue, the ProxySG returns the 100, and the client sends the XML-based POST data. When the ProxySG then forwards the request to the OCS and receives a 200 OK response, the appliance immediately returns the client a 503 ICAP error. (B#164753, SR 2-386873622) Fixed in SGOS 6.2.5.1
Management Console
The Management Console's Configuration > Network > Advanced > VIPs > New command does not accept IPv6 virtual IP addresses. The workaround is to use the (config) virtual-ip address CLI command. (B#165010, SR 2-394068609) Fixed in SGOS 6.2.6.1
Editing a restricted intercept list causes the "Restrict interception to clients and servers listed below" setting to switch to "Use proxy service rules for interception". After editing the list, you will need to re-select the "Restrict interception to clients and servers listed below" option. (B#166135, SR 2-390779617) Fixed in SGOS 6.2.5.1
Certain commands (server subnets, Internet gateways, VLANs) do not accept a slash in the IP Address field, so you cannot enter a subnet in CIDR notation (for example, 10.10.10.0/24). Because of this limitation, you will need to define a subnet by entering the IP address and the subnet mask/prefix length in separate fields (IP Address: 10.10.10.0, Subnet Mask: 255.255.255.0). (B#164612)
When a read-only user is logged into the Management Console, the Configuration > SSL > Keyrings screen is unresponsive in Firefox and Internet Explorer. (B#164390)
Security
If an error is encountered when configuring encrypted MAPI, the error message displays the Windows Domain password in the clear. (B#165412) Fixed in SGOS 6.2.6.1
When failover is configured between two ProxySG appliances, the group is not formed when the secret key is more than 32 characters; both appliances become the master. (B#165649)
Request URL Application destination object: When the list of web applications is filtered (for example, by Upload Attachment), the Select All option actually selects all applications (not just the filtered applications). Workaround: change the filter to All before clicking OK; you will then see the entire list of applications, with only the filtered items selected.
Windows Media
Windows Media advanced statistics URL for /mms/statistics does not show the correct statistics for 'Current client bps - live' when client throughput is more than 1.8Gbps. (B#165694) Fixed in SGOS 6.2.7.1
ADN
Fixed the memory leak that occurred when the SSL connection between ProxySG peers failed to establish. (B#164935, SR 2-391422482, 2-395907512)
Cache Engine
If a clear cache operation was executed after installing a 6.x release, an issue present in 6.2.2.x and 6.2.3.1 could result in a loss of system and security files, causing lost configuration and connectivity issues. After upgrading, you should back up your configuration and restore to the factory defaults. This will re-create any missing system files. If you are running a multi-disk system, you will be upgraded to the new disk layout. If you wish to allow downgrades to pre-6.2 builds, you need to run the disk decrease-object-limit command on the CLI to convert to a compatible disk layout that allows for downgrades. You should delete the affected systems from the appliance to prevent running them by accident. Use the installed-systems configuration command in the CLI to delete the system(s) with the issue. (B#163986, SR 2-388522713, SR 2-389372596, SR 2-389606862, SR 2-394963012)
"What's New in SGOS 6.2.3.1" on page 69 "Resolved Issues in SGOS 6.2.3.1" on page 70 "Known Issues in SGOS 6.2.3.1" on page 72
Request URL Application - This option enables you to create a rule that specifies an action for a Web application. Request URL Operation - This option enables you to create a rule that allows or denies the user the ability to perform the defined operation. For example, block users from uploading attachments.
For more information on this feature, see Chapter 3: The Visual Policy Manager, VPM Reference Guide.
Added support for the Seagate 500GB HDD SST500NM0001 for the ProxySG 9000-5/10/20 and ProxySG 900-10 appliances.
Added support for the Seagate 1TB HDD ST1000NM0001 and Toshiba MK1001TRKB for the ProxySG 900-10B/20/30/45 and ProxySG 9000-20B/30/40 appliances.
Access Logging
Fixed the issue that caused the ProxySG appliance to be unresponsive when uploading access logs using Active FTP. Periodic uploads will now occur as scheduled. (B#161300)
ADN
Fixed the issue that caused the ADN Translucent (port preserving) connection failure during connection setup. (B#162356)
Authentication
Fixed the SSO authorization failure that was caused by a failure to initialize SSO when an "ignoreuser" was configured in the SSO.ini file under [SSOServiceUser] using the LDAP DN cn=ignoreuser,ou=division,ou=location,o=company. (B#161215)
Cache Engine
Fixed the obsolete data block issue that caused a software restart at 0x40060 in Process: CEA Cache Administrator. (B#159797)
CIFS Proxy
Fixed the issue where MS Word 2003, 2007, and 2010 files could not be saved using CIFS, when ADN was enabled. (B#161304)
CLI Console
Fixed the issue with the on-screen display of the enable password when the tab and backspace keys were used after entering the password. (B#161749)
Flash Proxy
Fixed page fault in process group: PG_POLICY_RTMP in Process: RTMP::Worker DE5F0BE0 while compiling a huge policy. (B#160361)
Hardware Driver
Fixed the hardware watchdog restart in process CAG_Maintenance in ata.dll that occurred occasionally when the ProxySG appliance was restarted after an upgrade. (B#161163)
Health Checks
The health of a composite health check is no longer affected by a change in the health state of a host that is not a member of the composite group. (B#161312)
HTTP Proxy
Fixed the page fault in process PDW in http.dll when evaluating a policy with a raw-header regex pattern match for a request exceeding 2^16 bytes. (B#162074)
Fixed the incorrect rewriting of chunk-encoded JavaScript substrings. JavaScript substrings with chunk encoding are now rewritten correctly. (B#161231)
Kernel
Fixed the issue with false watchdog trigger after the Real Time Clock (RTC) is updated with the current time. (B#161271)
MAPI Proxy
Fixed the restart issue in the keep-alive logic when the ProxySG appliance downgraded to the batching-only mode, where keep-alive is not supported. (B#161116, SR 2-374193623)
URL Filtering
Fixed the issue with memory fragmentation that caused allocation failures when using SmartFilter. (B#161327)
Fixed the issue where the VPM IPv6 subnet evaluation for the url.address= policy did not permit certain valid IPv6 network addresses. (SR 2-371139652; B#159993)
Windows Media
Fixed the memory regulation issue that caused the ProxySG appliance to restart. (B#161785)
ADN
The SG9000-5 and SG8100-5 report high memory usage when running SGOS 6.2.x. (B#163709)
Authentication
The ProxySG appliance does not detect the addition of a nested group to an LDAP realm until the ProxySG is rebooted or the realm is manually refreshed. Workaround: To refresh the authorization, open the following URL: https://<ProxySG_IPaddress>:8082/Auth/User-Logins/Refreshauthorization/ and select the realm on which a refresh is needed. (B#163827) Fixed in SGOS 6.2.4.1
WinSSO DC query fails on Windows 2008 machines due to a disabled Computer Browser service. (B#163269) Fixed in SGOS 6.2.4.1
CLI Console
Rare connectivity issues may occur after an upgrade to 6.2.2.1 and a downgrade to 6.1.x or 5.5.x. Workaround: After the downgrade, if you are unable to access the ProxySG appliance via the Management Console (HTTP and HTTPS), Telnet, or SSH, you must reset the appliance to factory defaults. (B#163986) Fixed in SGOS 6.2.3.3
MAPI Proxy
When intercepting Outlook 2007 MAPI traffic in standalone mode, when a connection is closed, the closed connection is treated as an error and recorded as a MAPI 2007 error in the list of errored MAPI sessions. (B#163064)
Hostname updates are not reflected via SNMP until you reboot the ProxySG appliance. (B#163729) Fixed in SGOS 6.2.4.1
SSL Proxy
If SSL Intercept policy is enabled on the ProxySG appliance and there are malfunctioning servers where the OCS does not send the certificate during the SSL handshake, the event logs are flooded with "Failed to get the peer certificate" messages. (B#163272, SR 2-408255562)
VLAN functionality does not work with Intel 10GB fiber card on the SG9000. (B#163993) Fixed in SGOS 6.2.4.1
To save the comment in the VPM Layer Guard, you must click back into a field within the layer guard. (B#163747) Fixed in SGOS 6.2.4.1
"What's New in SGOS 6.2.2.1" on page 74 "Resolved Issues in SGOS 6.2.2.1" on page 75 "Known Issues in SGOS 6.2.2.1" on page 78
The following table explains the transparent tunnel modes for various combinations of SGOS at the branch and the core.

                    Branch 5.4.x                  Branch 5.5.x, 6.1.1, 6.1.2, 6.1.3, 6.2.1
5.4 Concentrator    Regular transparent tunnel    Traffic cannot be accelerated (see note)
5.5 Concentrator    Regular transparent tunnel    Fast transparent tunnel
6.x Concentrator    Regular transparent tunnel    Fast transparent tunnel

Note: With a 5.4 Concentrator, a regular transparent tunnel is formed when connect-transparent enable regular is used on the branch appliance.

connect-transparent enable: allows transparent tunnel initiation and enables fast transparent tunnel initiation.
connect-transparent enable regular: enables regular transparent tunnel initiation.
OCSP response validation error was fixed in SGOS 6.2.2.1. The ProxySG incorrectly returned an error when validating the certificate chain for the OCSP responder; the error was that the OCSP responder's certificate could not be validated. The workaround was to explicitly import and trust the certificate of the CA that signed the OCSP responder's certificate. The explicit trust is no longer needed if the CA that signed the OCSP responder's certificate is a CA in the certificate chain for the server certificate being validated. (B#158111)
Sensitive information in ProxySG core files was fixed in SGOS 6.2.2.1. See Security Advisory SA56. (https://kb.bluecoat.com/index?page=content&id=SA56) (B#159036)
ADN
The incorrect setting of send and receive buffers for ADN sockets led to TCP window advertisements even though there was no window update. This issue, now fixed in SGOS 6.2.2.1, manifested in the form of duplicate acknowledgements. (B#158229)
Fixed software restart at 0x810002 in Process: "bdc.rtg.ma.BE5B7A10" in Process group: "PG_BDC_ROUTING" due to a heap corruption issue. (SR 2-376638652; B#160638)
Advanced URL
The Advanced URL statistics page for Core Images is fixed to correctly display Customer release instead of Internal customer release. (B#159739)
Authentication
Users can now be logged out by providing only the IP address, without the user name. (B#158211)
When a user group contained more than 1500 users, the group policy did not match for the users in the group due to an LDAP compare failure. (B#158246)
The ProxySG no longer restarts when BCAAA doesn't respond to requests in time. (B#158684)
The BCAAA SiteMinder Agent no longer inserts the ? character instead of the & symbol when appending variables at the end of URLs. (B#159026)
Fixed an intermittent login issue with SiteMinder v6.0 SP5 where the user was sent back to the login page after entering the username and password. This issue only affected those who had disabled the Session max timeout setting on the SiteMinder server. Both SGOS and BCAAA have to be updated in order for the ProxySG to correctly handle this setting. (B#159530)
Cache Engine
Fixed the issue with high object store CPU utilization when deleting an object that was currently in use. (SR 2-375692482; B#160479)
CLI Console
The ProxySG no longer restarts due to a missing SSH configuration file that is created upon system initialization. This sometimes happened when two Directors were used to make configuration changes to the ProxySG at the same time. (B#158682)
Content Filtering
Websense URL filter database downloads now complete even when system memory is fragmented. (B#159114)
The keep-alive session is terminated after a time interval for service ticket expiration time. (B#158350)
Flash Proxy
The Blue Coat Director now properly represents the live traffic statistics for the Flash protocol. The Statistics > Protocol details > Streaming history > Current Streaming Data value for the Flash protocol no longer displays as zero. (B#161174; SR 2-377797322)
HTTP Proxy
Fixed the issue with IE8 on Windows 7, where cached objects were incorrectly flagged as requiring authentication when using Kerberos connection-based authentication. (B#159128)
Management Console
The Management Console now shows the correct total streaming statistics for Windows Media. (B#158903)
SSL Proxy
ProxySG is configured to use OCSP to verify revocation status of certificates and has a CRL imported. If ProxySG received an OCSP response from a server that did not include a signing certificate, it could cause the ProxySG to reboot. This issue has been fixed in SGOS 6.2.2.1. (SR 2-369460521, B#158889)
Fixed high interface and CPU utilization that was due to a forwarding loop in a TCP connection-forwarding configuration where there was either active FTP proxy or Endpoint-Mapper configuration and the same configuration installed on two or more ProxySG appliances that are active members of the same cluster group. With the fix, wildcard listeners within the cluster are no longer announced, hence, TCP connection forwarding will not work for the Active FTP data listener or Endpoint-Mapper. (B#160563)
VPM
Installing large VPM-XML no longer causes the VPM Java applet to consume excessive memory and stall the policy installation. (B#159237)
Fixed an issue in which the ProxySG stopped processing traffic due to improper memory handling, which required a restart of the device. (B#158293)
Fixed ProxySG restarts in Process "RTSP_Server" when the RTSP Server worker tried to read packets from the OCS while the Client worker simultaneously received a PAUSE. This applied to RTSP over HTTP. (B#159154)
CLI Console
When you enter the show config command, a system restart is triggered if the accelerated PAC files contain invalid UTF8 characters. (B#161169)
DNS Proxy
When you configure a DNS server using an IPv6 link-local address, the ProxySG does not respond to DNS requests. (B#158905)
MAPI Proxy
Restart at 0x810002 in Process: "rpc.658/192.168.0.165:2475" in Keep-Alive logic when the proxy is downgraded to the batching only mode where KeepAlive is not supported. Outlook 2003 and 2000 do not have this behavior because they do not send multiple outstanding RPC Requests simultaneously. (B#161116; SR 2-374193623) Fixed in SGOS 6.2.3.1
Having both trust-destination-mac and return-to-sender outbound enabled creates a routing issue that causes HTTP traffic to fail. The current workaround is to disable RTS outbound or to disable trust-destination-mac on the bridge. (B#158573)
VPM
The VPM IPv6 subnet evaluation for the url.address= policy does not permit certain valid IPv6 network addresses. The workaround is to create via local policy. (B#159993, SR 2-371139652) Fixed in SGOS 6.2.3.1
"What's New in 6.2.1.3" on page 80 "Resolved Issues in 6.2.1.3" on page 81 "Known Issues in SGOS 6.2.1.3" on page 81
Licensing Enhancements
For SG 300, SG 600, SG 900, and SG 9000 systems, license limits for concurrent users when ADN is enabled have been raised to equal the limits when ADN is not enabled. The one exception is the 300-5 model, which still maintains limits of 30 (without ADN) and 10 (with ADN). For WAN optimization deployments, Blue Coat recommends purchasing a ProxySG model based on the maximum number of client connections it needs to support, not the maximum number of users, since the connection limit is likely to be reached first; your channel partner SE or local Blue Coat SE can assist you with WAN optimization connection counts and sizing for your specific needs.
Beginning May 21, Blue Coat is granting software SSL licenses for all SG 300, SG 600, SG 900, and SG 9000 systems, including systems previously sold. These licenses will be available to customers the next time their appliances connect with the Blue Coat licensing server. Rollout is scheduled to begin May 21, 2011 and will automatically take effect over the course of the following 30 days for most installed appliances. Customers wishing to enable this capability sooner can receive the updated licenses by directing their appliance to contact the licensing server any time after May 21.
SG 900/9000 no longer restarts when trying to re-allocate a host route for an IPv6 gateway route. (B#158846)
CLI Console
On multi-processor systems, the output of a CLI command sent through an SSH connection to the ProxySG no longer causes the SSH connection to hang. (B#158738, SR 2-370506110)
Content Filtering
Fixed the issue in which the ProxySG entered a state where it stopped the incremental updating of its local BCWF database. While the ProxySG was in this state, the application filtering information was unavailable. (B#159010)
CIFS Proxy
Fixed the software restart at 0x30000 in Process: "CIFS::Worker: Connection 9 (running)" when the OCS doesn't support the "NT LM 0.12" dialect. (B#159259, SR 2-371491907)
Active Session
Fixed the software restart at 0x11 in Process in "kernel.exe" at .text+0x24a89. Watchdog occurring while services admin is calling the active session module. (B#159313, SR 2-371805601, 2-371854318)
"New WebGuide Available" "New Features in SGOS 6.2.1.1" "Resolved Issues in SGOS 6.2.1.1" on page 88 "Security Advisories" on page 92 "Known Issues in SGOS 6.2.1.1" on page 93 "Deprecations" on page 98
An SSL license is required for secure ADN on the Branch and the Concentrator peers. The following table illustrates which versions of Microsoft Outlook and Exchange are supported by a particular version of MAPI.
                  Outlook 2003   Outlook 2007*   Outlook 2010*
Exchange 2003     MAPI 2003      MAPI 2003       MAPI 2003
Exchange 2007     MAPI 2003      MAPI 2007       MAPI 2007
Exchange 2010*    MAPI 2003      MAPI 2007       MAPI 2010
Application Filtering
With the new application filtering policy, you can filter content by Web application and/or specific operations or actions done within those applications. For example, you can create policy to allow users to post comments and chat in Facebook, but block uploading of pictures and videos. The two CPL conditions that allow you to create application filtering policy are:
url.application.name=NAME
url.application.operation=OPERATION
where NAME is the exact spelling, spacing, and punctuation listed in the view applications CLI output, and OPERATION is the exact specification listed in the view operations output. Note that the application names and operations are NOT case sensitive. These conditions are not currently available in the VPM, so you will need to use CPL to update your existing policy file with the application filtering conditions you want to implement. This feature requires that you have a valid Blue Coat Web Filter (BCWF) license, which is available for no additional charge to current BCWF customers.
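As an added example of these two conditions in use (this policy is not taken from the release notes or from Blue Coat's documentation), the following CPL implements the Facebook case described above: uploads of pictures and videos are denied while the rest of the application, including commenting and chat, is still allowed. The application name "Facebook" and the operation names "Upload Pictures" and "Upload Videos" are assumptions; replace them with whatever view applications and view operations print on your appliance, since a misspelled name simply never matches and the deny silently does nothing.

```cpl
; Added example policy (not part of the release notes). The quoted application and
; operation names are assumptions and must match the "view applications" and
; "view operations" CLI output exactly (spacing and punctuation; case does not matter).

; Group the operations to block so the rule list stays readable and auditable.
define condition facebook_media_upload
    url.application.name="Facebook" url.application.operation="Upload Pictures"
    url.application.name="Facebook" url.application.operation="Upload Videos"
end

<Proxy>
    ; Within a layer the first matching rule wins, so the deny must precede the allow.
    condition=facebook_media_upload deny
    ; Everything else in Facebook (browsing, commenting, chat) falls through to allow.
    url.application.name="Facebook" allow
```

Two things to check before relying on this policy: the operation can only be recognized on requests the appliance actually decodes, so for HTTPS destinations the SSL proxy must intercept the connection (a tunneled HTTPS connection will never match url.application.operation); and any later layer that allows the same traffic overrides this deny, so confirm with an actual upload attempt and the access log that the deny is what takes effect.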
You can also click the help icon on any of the reports or panels.
kb.bluecoat.com/index?page=content&id=FAQ1429.
Report Changes
SGOS 6.2 adds granularity to the Traffic Mix report. On the ADN concentrator, the Traffic Mix report previously combined all the inbound ADN traffic into the InboundADN service or the InboundADN proxy bucket. For traffic generated in 6.2, the inbound ADN traffic is now categorized into the various granular service or proxy buckets, but for traffic generated on prior releases, the inbound ADN traffic is not categorized. Thus, the Traffic Mix report now shows inbound ADN traffic broken down into specific categories of traffic. In addition, the ProxySG is able to store certain report data in five-second increments over the last five minutes and in 15-minute increments over the last 24 hours; this data provides increased granularity in reports. (Note that the Advanced Management Console does not currently offer reports that graph the last five minutes; these reports are available in the Blue Coat Sky UI.) As a consequence of this change, the fine-grained trend data described above is not available for Traffic History reports for the period before the upgrade to SGOS 6.2. If you view the Traffic History report for the last day, there will be no data points for the time before the upgrade.
With the introduction of the smtp subcommands, the following event-log CLI commands are deprecated:
#(config event-log) mail smtp-gateway {domain_name | ip_address}
#(config event-log) mail from from_address
#(config event-log) mail no smtp-gateway
Access Logging
Fixed an internal issue in which the created FTP file name was not unique. (B#152506)
Authentication
LDAP authentication no longer fails with the error Could not determine full user name. (B#154899, SR 2-352888122)
Caching
Fixed the issue with stale client connections that sometimes occurred when multiple concurrent connections requested an object larger than 500KB whose response header did not contain content-length information and was not chunk-encoded. (B#145695, SR 2-317195422)
A single cache object can now be deleted via the advanced URL. (B#151629, SR 2-341552592)
CLI Console
Fixed the Exception: 0x40006 (CEA_OUT_OF_FREE_CACHE_BLOCKS) in Process "CEA Cache Administrator" in "" at .text+0x0. (B#149084, SR 2-330536732)
The ProxySG appliance no longer closes the SSH session towards Director during the course of a session. (B#148892, SRs 2-329586429, 2-330623511, 2-330669152, 2-330816212)
Fixed the issue in which Web management console requests that required very large responses caused the appliance to run out of memory and restart. (B#149084, SR 2-330536732)
DNS Proxy
The links to view and delete DNS entries in the MC now work properly. (B#145809)
Event Logging
Taking a disk offline that has the main copy of the event log no longer results in an empty log. (B#141593)
Flash Proxy
When available bandwidth between the ProxySG appliance and the OCS was insufficient, the playback experience for live streams was suboptimal. This issue has been fixed. (B#153929, SR 2-345163102)
Video no longer stutters when viewing live news and other channels on www.rtve.es. (B#153921, SR 2-346602532)
Fixed the issue in which a worker client connection might leak if the connection closed abruptly without finishing the initial handshake. (B#143303)
The Configuration > Access Logging > General > Default Logging tab no longer displays none for Flash streaming. (B#143817)
When playing audio-only live streams using version 10.1 of the Adobe Flash plugin, users no longer experience missing audio after a certain sequence of play/pause operations. (B#144180)
When Flash Media Server is configured to use the AutoCloseIdleClients option, it no longer times out client connections accessing a live stream that is being split at the ProxySG. (B#141802)
In a proxy chaining scenario, pausing a live stream no longer hangs the Flash application on the client end. When communicating with the Flash Media Server over HTTP/1.0 or non-persistent connections, the Flash player no longer hangs. (B#152042)
HTTP Proxy
Fixed the issue in which denied requests appeared in the access log as TCP_ERR_MISS if a policy was defined to check response headers. (B#152503)
YouTube videos can now be downloaded on an iPhone routed through a proxy. (B#150742, SR 2-337673439)
Fixed the HTTP performance issue on the SG 9000-20. (B#151062, SR 2-339570243)
The client worker no longer enters tunnel-on-error mode when both the client worker and the server worker access the server socket. (B#150226, SRs 2-336369312, 2-338831809)
Internet Explorer 6 clients are now able to use Siebel 8 while proxied through the ProxySG appliance. (B#145241)
When the ProxySG appliance has URL rewrite policy to rewrite request.header.Referer and request.header.Location, it no longer sends the zero-length terminating chunk twice when the response is chunk-encoded. (B#144623, SR 2-291847282)
The ProxySG appliance now serves the cached copy when the client sends a request with a non-standard Accept-Encoding value, such as x-gzip, and the object is already cached. (B#144684, SR 2-318001457)
IPv6
Fixed the issue that occurred when the local category database contained an IPv4 address, and the DNS lookup from the ProxySG appliance was always IPv4-only, regardless of the policy setting. (B#145286, SR 2-307821662)
Kernel
Fixed the issue with 64-bit platforms hanging while running Windows Media Streaming for video on-demand traffic. (B#152141)
When the server sends a compressed object and the ICAP server decides that the object needs to be replaced, the ProxySG appliance now sends a complete response to the client. (B#145318, SR 2-317171186)
Management Console
The advanced URL links in the Management Console now display in Firefox. (B#152185)
The Proxied/Errored Sessions on the Active Sessions tab now sort correctly. (B#143988)
The Configuration > Network > Adapters > Configure page now properly displays the link speed when a 10GB interface is installed in the ProxySG appliance. (B#145212)
Networking
The show attack-detection view connection command now shows the connection count. (B#152374)
For all intercepted inbound connections in a serial in-line failover configuration, the ProxySG now always replies to the client's MAC address and not the router's. (B#152461)
The ProxySG appliance no longer restarts while handling fragmented packets and packets with bad TCP checksums. (B#155873, SR 2-356001812, 2-357640952)
A memory leak on the concentrator with HTTP over ADN traffic no longer causes the ProxySG appliance to restart. (B#151619, SR 2-355195770)
Installing a static route or RIP route that overlaps with the interface route on the ProxySG appliance no longer causes pings to hosts on the same subnet, or to hosts reached through the gateway route, to fail. (B#144441)
The ProxySG no longer restarts if bandwidth management is disabled while the system is under heavy load. (B#144958, SR 2-302190883)
Fixed issues with bypass configuration. The setting to trigger on connect-error now works properly, and SGOS adds addresses to the dynamic bypass list. (B#145125)
The show configuration command now lists the mode for a failover group. (B#145609)
TCP connections for misbehaving servers that do not properly close the connection no longer leave the connection open for an extended period of time. (B#145817, SR 2-320946712)
Advertisements addressed to one SGRP group are no longer processed by other groups. With this fix, the backup ProxySG appliance no longer becomes the master when it isn't actually needed. (B#144800, SR 2-301696882)
Platform-Specific
SG9000
There is no longer a delay with the SG9000 front panel display during initial configuration. (B#137016)
Fixed the configuration issue with 10GB interfaces: the CLI, Management Console, and Sky UI no longer allow the speed of these interfaces to be adjusted. (B#145218)
Policy
Authentication policy that checks the user or realm now works reliably when ICAP is set to trickle mode. (B#148991, SR 2-327392552)
Security
BCAAA stack overflow vulnerability fixed. See Security Advisory SA55. (https://kb.bluecoat.com/index?page=content&id=SA55) Note: Because BCAAA for SGOS 6.2.x contains a security vulnerability fix, be sure to upgrade BCAAA even if you are already running version 130.
If the ProxySG appliance is not connected to the network, the restore-defaults factory-defaults operation no longer deletes the appliance factory certificate. (B#144621)
SNMP
Values for the ipNetToNetAddress entries of the ipNetTo table are now reported in the correct order, when snmpwalk or snmpget commands are run. (B#152232)
SSL Proxy
Using Windows 7 and IE 8 with TLS 1.2, the FIN is now sent back to the client; previously, the ProxySG appliance reset the user connections and the OCS connection after getting the FIN from the OCS with TLS 1.2, resulting in a "page cannot be displayed" error message on users' screens. (B#148147, SR 2-334052225)
Streaming
In a proxy chaining deployment, there are no dangling connections after playing a VOD stream until the end of the stream through RTSP. (B#145118)
Updated Timezones.tar with the latest DST changes for Sao Paulo, Brazil. (B#155961, SR 2-355283652)
Fixed the issue in which invalid ciphers were displayed in the "Add Client Negotiated Cipher Object" window. (B#150306, SR 2-336439452)
When rules are moved up and down, text in the Comments column is no longer deleted. (B#139384)
WCCP
Applying server side bandwidth management policy now functions correctly in WCCP deployments. (B#142616)
Security Advisories
To see if there are any Security Advisories that apply to the version of SGOS you are running, go to: https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS New advisories are published as security vulnerabilities are discovered and fixed.
ADN
A Branch peer running a release prior to SGOS 5.5.4 will not be able to form transparent tunnels with a Concentrator peer running 6.2 (or above). The Branch peer must be running SGOS 5.5.4 or higher.
Advanced URL
The Advanced URL statistics page for Core Images shows Internal customer release instead of Customer release. (B#159739) Fixed in SGOS 6.2.2.1
Authentication
The ProxySG resets when BCAAA does not respond to requests in time. (SR 2-360160382; B#156674; fixed as B#158684 in SGOS 6.2.2.1)
BCAAA installs an expired CA Cert PEM. (B#148682)
Users cannot be logged out by using the user-logins logout URL without providing the user name. (SR 2-355213592; B#155631) Fixed in SGOS 6.2.2.1
CIFS
The show cifs CLI command does not work if the URL contains spaces, even when the URL is enclosed in quotation marks. The workaround is to replace any spaces with %20. (B#155626)
Content Filtering
If the view applications CLI command does not display a list of the supported application names, it's possible that your ProxySG has entered a state where it has stopped the incremental updating of its local BCWF database. While the ProxySG is in this state, the application filtering information is unavailable. The regular content categorization is still functional but is using a database that is not up-to-the-minute current. (B#159010) Fixed in SGOS 6.2.1.3
To restore the regular update cycle and the application filtering functionality, enter the following commands in the CLI:
#(config content-filter) provider bluecoat disable
#(config bluecoat) purge
#(config content-filter) provider bluecoat enable
#(config bluecoat) download get-now
Since application name and operation were introduced into the bcreportermain_v1 log format with the Prowl release, use of that format by an access log may now cause CPU usage to increase by up to 5%. If this is undesirable, create a custom access log format that excludes these new fields. (B#157661)
Encrypted MAPI
Encrypted MAPI acceleration on the ProxySG has the following limitations:
Encrypted and plain MAPI traffic may be bypassed if 64-bit Exchange enterprise and Outlook clients are used. (B#156424)
Outlook users must belong to the same domain as the Exchange server and the ProxySG. Multi-domain support is not available in this release. (B#158870)
Outlook establishes NTLM connections with Exchange Server over Load Balanced Client Access Array solutions. NTLM connections are tunneled by the ProxySG appliance. Workaround: enable Kerberos support for Load Balanced solutions. (B#155098)
Flash Proxy
Dynamic streaming (play2) may cause video playback to stop in heavily bandwidth-constrained environments when a hierarchy of ProxySG appliances is caching the video. (B#156892, B#156896)
For Flash video clients that use pauses while seeking, such as Yahoo video, a ProxySG may not be able to cache content or play content from cache after a seek. (B#156268)
For some Flash client/server application combinations, playback may freeze after doing a seek. To solve this problem, simply perform another seek and playback should resume. (B#157785)
Some video files, when streamed from Flash Media Server 4, may not finish correctly and the player may remain in a continuous buffering state after the video ends. If the video is part of a playlist, the next video might not start playing; if this happens, you can manually play the next video. (B#158720)
Advanced functionality, such as stream publishing, may not work optimally through the ProxySG.
HTTP Proxy
There is an issue downloading some YouTube objects through the ProxySG appliance onto an iPhone. The workaround for this issue is to disable client side persistence. (B#155291)
When writing a policy to block a host found in an HTTP request and using the setting Trust Destination IP, some requests may not be blocked. A workaround is to use the resolved IP address for the host you want to block. (B#154935)
When using WebFTP through the ProxySG appliance in a transparent setup with reflect client IP, FTP communications in active mode will not complete. Workaround: Use passive mode or disable reflect client IP. (B#145300)
When accessing the advanced URL for the HTTP debug log and trying to delete an ICAP service, sometimes the service is not deleted. Please retry after the debug log has been downloaded fully from the browser. (B#147373)
When the Clientless Limits feature is enabled and many clientless requests are in a deferred status, disabling the limit configuration might cause the ProxySG appliance to restart. To prevent this, do not disable the limits when more than one thousand requests are deferred. (B#143016)
ICAP
With ICAP and Patience pages both configured and downloading a file, the Save As dialog is not prompted with IE-8.0.6001.18702 and IE 7.0.5730.13. Blue Coat recommends using trickling. (B#151088)
IPv6
In an IPv6-only network (no IPv4 connections to the ProxySG appliance) with RCIP disabled, the ProxySG appliance requires the server_url.dns_lookup prefer-ipv6 policy to successfully resolve IPv6 DNS requests. (B#143668)
DSCP over IPv6 is not yet supported. (B#143787)
Management Console
The Management Console (Statistics > Protocol Details > Streaming History) is not showing the correct values for Windows Media total streaming statistics. To get the accurate statistics, use the following advanced URL:
https://<ProxySG-IP>:8082/MMS/statistics
The default URL for the malware scanning policy update is not shown in the Management Console (Configuration > Threat Protection > Malware Scanning > Update malware scanning policy). You will need to type in the URL manually (https://bto.bluecoat.com/download/modules/security/SGv6/threatprotection.tar.gz) and perform the update by clicking the Install button. Alternatively, you can update policy with the threat-protection CLI command. See the SGOS 6.2 Command Line Interface Reference for details on using this command. (B#158970) Fixed in SGOS 6.2.4.1
MAPI Proxy
Endpoint Mapper does not restrict source IP for secondary MAPI connection interception. Workaround: add the IP address to the static bypass list. (B#154100)
Encrypted MAPI connections are bypassed when Outlook generates the user name in User Principal Name format (username@domain). This issue does not occur when the user name is specified in "Down-Level Logon Name" format (domainname\username). (B#157163)
Domain controllers have group policies that define the Kerberos service ticket lifetime. To decrypt/encrypt MAPI traffic, the MAPI proxy negotiates a Kerberos security context that expires after the service ticket lifetime is reached; the core ProxySG resets encrypted MAPI connections once this ticket lifetime is reached. (B#158350) Fixed in SGOS 6.2.2.1
Platform-Specific
SG210-5
The SG210-5 is not supported on SGOS 6.2 or higher because this release provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.
When installing a new license on a ProxySG 300 in trial mode to increase the limits for HTTP connections, the ProxySG appliance must be restarted before the new limits take effect. (B#153815)
SG9000
If an onboard nVidia network interface on the SG9000 platform is configured to auto-negotiate and the device it is connected to is set to 100/full, there is a possibility that the interface will lock up. Once the NIC gets into this state, a power cycle is required to get the NIC back to a functional state. This is a hardware issue that nVidia has documented. To resolve this issue, reconfigure the ProxySG's NIC and the external device's NIC to auto-negotiate or to matching speed/duplex settings. Note that this is the recommended configuration for Gigabit interfaces. (B#144158, SR 2-313781541)
ProxySG VA
Under rare circumstances, the ProxySG VA can issue spurious Watchdog exceptions. There is no unique signature to this failure; the appliance will fail with HWE 0x11 and SWE 0x02. This failure usually occurs after the product has experienced a period of load, followed by a sustained idle period. (B#157534)
Policy
The ProxySG fails to match the policy request.header.cookie="sslallow" action.red(yes) at CI checkpoint when apparent data type policy is present. (B#160176) Fixed in SGOS 6.2.7.1
The workaround is to add a force_exception(policy_redirect, , ) action after the action.red(yes) action. This is only required when a policy condition depends on a server response, for example when high performance malware scanning is enabled. For example:
<proxy>
condition=sslallow request.header.cookie="sslallow" action.rewtohttps(yes)
request.header.cookie="sslallow" action.red(yes) force_exception(policy_redirect,"","")
Services
During high load, a watchdog timeout may be encountered in services admin due to internal locking issues. (B#158567)
In a software bridge with two interfaces attached and Propagate Failure enabled, when one of the interfaces goes down, the other interface also goes down, as seen on the device LEDs. (They do not glow for either interface.) However, the Management Console and the show bridge config CLI output show that the link is connected, even though it is not. In addition, when the CLI is reporting this misinformation, event logs will also be generated in the following format:
2011-04-22 20:55:14-00:00UTC "Interface Health Check: Interface 1:2 is up." 0 30209:1 event_logger.cpp:31
This issue is seen only on the Broadcom NICs (integrated or option). (B#154604)
An extraordinarily large connection forwarding table might cause the ProxySG appliance to stop responding to Management Console requests. (B#144396)
For very high bandwidth-delay links using the SCPS feature, it may be necessary to manually set the ADN window size to maximize throughput. Consider manually increasing the ADN window size with satellite links that have more than 14 Mbps of available bandwidth. Note that the ProxySG needs to be restarted for the window size setting to take effect. (B#153174)
On the ProxySG 9000-20, CPU3 runs at 100% due to IP fragmentation. (B#151889) Workaround: See Knowledge Base solution 3790 (https://kb.bluecoat.com/index?page=content&id=KB3790).
Link propagation on the optional Intel fiber card: one of the interfaces remains down while the other interface fluctuates between up and down states; this is triggered when link propagation is enabled on the fiber card and one interface that is part of the bridge loses link and the other does not. (B#150676)
After executing a "restore-defaults keep-console," the bridge settings are not preserved on the ProxySG 300, 600, and 9000 platforms. (B#158649)
When Bypass Keep-Alive is enabled, only the bypassed connections that are received after it is enabled apply; pre-existing connections continue to exist without sending keep-alive. (B#144923)
SOCKS Proxy
SOCKS services are unavailable on MACH5 licensed ProxySG appliance deployments. (B#152664)
SSL Proxy
The certificate revocation list (CRL) from Comodo (http://crl.comodo.net/UTN-USERFirst-Hardware.crl) can cause the ProxySG to reset when doing certificate verification; Blue Coat recommends that this CRL not be loaded into the ProxySG. (B#158889) Fixed in SGOS 6.2.2.1
Virtual Appliance
When the ProxySG VA is under a heavy load and has high RAM usage, the memory alarm might trigger in vCenter Server. Since the ProxySG VA has its own health monitoring system for memory state, you might want to disable the memory alarm in vCenter. (B#147090)
Installing large VPM-XML causes the VPM Java applet to consume excessive memory and stalls the policy installation. (B#157623) Fixed in SGOS 6.2.2.1
The ProxySG appliance fails to play video files with more than 200 KB SDP header. (B#152909)
Explicit/SOCKS connection through the ProxySG appliance with Yahoo 8.1 clients: file transfers are successful, but no statistics reflect them. (B#141470)
Deprecations
The following CPL properties and CLI commands have been deprecated.
CPL Properties
In the ftp.server_data( ) CPL property, the port and pasv arguments have been deprecated. If you install existing policy with these arguments, they will automatically get converted to active and passive.
CLI Commands
event-log
The following event-log CLI commands are deprecated:
#(config event-log) mail smtp-gateway {domain_name | ip_address}
#(config event-log) mail from from_address
#(config event-log) mail no smtp-gateway
proxy-processing
The proxy processing feature was deprecated starting with SGOS v5.5. In SGOS v6.1.2, the Proxy Processing tab was removed from the Management Console, but the feature can still be configured via the CLI. Since proxy processing will be completely removed from an SGOS release in the future, Blue Coat recommends that you discontinue using this feature and deploy a separate secure web gateway to handle proxy processing. The following CLI command is deprecated:
# (config adn tunnel) proxy-processing http {enable | disable}
ADN
With the ADN manager protocol update in SGOS 6.2.4.1, ADN managers will close connection attempts by the peers if the peers are upgraded but the manager isn't. Blue Coat recommends that ADN managers be upgraded first, before upgrading the peers. (B#167402, SR 2-402108182)
Authentication
Non-domain users in an IWA-LDAP-Windows SSO sequence realm don't get authentication pop-ups. (B#174991, SR 2-437068912) Workaround: Enable Basic authentication for the IWA realm and delete LDAP from the realm sequence.
CIFS Proxy
The CIFS pre-population feature cannot pre-populate from DFS shares. (B#165190)
Content Filtering
Director
Director might become unresponsive when executing a profile or restoring a backup on a ProxySG appliance. Director must be rebooted when this issue occurs.
Flash Proxy
There may be problems playing FMS (version 3.0.x) videos that have been cached. (B#158954) Workaround: Use bypass_cache(yes) policy to prevent caching these videos.
FTP Proxy
Proxy authentication passwords must contain English characters only. Non-English characters (such as ) will not work. (B#173790, SR 2-428941914)
HTTP Proxy
Header injection fails for CONNECT requests when protocol detection is enabled. (B#170647, SR 2-415698995)
URL rewrites fail to rewrite text if a script tag appears in a quoted text string in a write command. (B#168369, SR 2-405580852)
IM Proxy
When a firewall in front of the ProxySG is blocking port 5050, the ProxySG is not able to tunnel Yahoo IM version 11, an unsupported version; login will fail. The ProxySG is able to tunnel Yahoo 10, also an unsupported version. (B#173825) Workaround: To use Yahoo 11, remove the policy that tunnels unsupported versions:
<Proxy>
im.user_agent.supported=no im.tunnel(yes)
Management Console
After you apply changes and see the message "Changes were committed to the SG successfully", it actually takes the ProxySG about 30 seconds to process the changes. Do not restart the ProxySG during this processing time or you may lose the changes you made.
Licensing
The product description in the licensing component may show as SGOS 5.x even after upgrading to 6.x; SGOS 5.x reflects the version that the system was manufactured with. (B#145068)
SNMP
Avoid snmpwalk commands during periods of heavy load on the ProxySG. (B#175222)
SSL/TLS
Due to security reasons, MD2 support for certificate verification has been removed from openssl by default (starting with version 0.9.8m). (B#159333) Workaround: Disable protocol detection from a specific website <web_addr>:
if url=<web_addr> detect_protocol(no)
When multiple network IP addresses are configured on the same interface, the ProxySG uses the wrong IP address when connecting to an external device. To avoid this issue, Blue Coat recommends that customers requiring multiple IP support should use a unique interface for each subnet. (B#158585)
Section T: SGOS 6.x Support Files and Support for Other Products
This section lists third-party products that interact with the ProxySG appliance.
Support Files
This section provides links to files and documents referenced in the ProxySG appliance documentation set.
https://bto.bluecoat.com/doc/13282
http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-0.xsd
http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-1.xsd
Microsoft Windows 2000 Pro (SP4 or later)
Windows XP (SP2 or later)
Windows Vista
Windows 7
Supported browsers means the browsers on which Blue Coat tested SGOS 6.2. Other browsers might work, but are not guaranteed by Blue Coat.
Notes
On the Java download page, Java naming conventions refer to JRE 5.0 and JRE 1.5 interchangeably. JRE 5.0 is the new name for JRE 1.5.
Blue Coat recommends that you use Internet Explorer to download JRE because it downloads the correct version of JRE. Firefox attempts to install the latest JRE, which might not be compatible with the Management Console.
When you start the ProxySG appliance Management Console for the first time after upgrading to SGOS 5.4 or later and your currently installed JRE is earlier than 1.5.0_15, your Web browser attempts to download a more current JRE. You might experience a problem downloading the latest supported JRE through the Management Console if:
The browser does not support automatic download.
The automatic download hangs.
The Java Installer displays an error: HTTP Status Code=302 followed by a popup that Java 1.5.x cannot be downloaded.
If you experience any of these issues, enter the following URL to get to the Java download page (if the automatic download hangs, first terminate the download):
http://www.oracle.com/technetwork/java/index-jsp-141438.html
Network delays and/or slow processor speeds might affect JRE performance, slowing the display of Management Console menu selections and options.
Enable the auto-detect encoding feature on your browser so that it uses the encoding specified in the console URLs. The browser does not use the auto-detect encoding feature by default. If auto-detect encoding is not enabled, the browser ignores the charset header and uses the native OS language encoding for its display.
If your system is running JRE 1.6_05, the VPM Help system does not display or function correctly.
If you upgrade JRE from a lower version, clear the browser private data.
Reporter
This release is compatible with the following Blue Coat Reporter releases:
ProxyClient
ProxyClient versions 3.1.x, 3.2.x, and 3.3.x are compatible with SGOS 6.2. To download the latest version, refer to the Blue Coat ProxyClient Release Notes.
Anti-Malware
The Blue Coat ProxySG appliance with ProxyAV integration is a high-performance Web anti-malware solution. For more information, refer to the Blue Coat Web site. This release is compatible with Blue Coat AVOS 3.x. SGOS 6.2.x works with the following third-party implementations of ICAP:
Symantec AntiVirus Scan Engine (SAVSE) 4.3, version 4.3.0.15; ICAP 1.0
WebWasher 5.3, build 1953; ICAP 1.0
Instant Messaging
This section details the Instant Messaging proxy support for English language versions. While some versions of AIM and Windows Live Messenger (WLM) are not officially supported, they work in most situations. Video and audio are not supported with any of the Instant Message protocols: MSN, Yahoo, AIM, and WLM.
Table 1-1. IM Client Compatibility Matrix
Client Version | SGOS 6.x Support | Comments
AIM 6.5 | Limited | This version was not officially tested, but full proxy support should work. See "Partially Supported IM Protocol Versions" below.
AIM 6.8 | Yes | AIM 6.8 is supported in explicit SOCKSv5 and HTTP/HTTPS proxy configurations only. For AIM 6.8 support, you must purchase and import a CA signed SSL certificate on the ProxySG appliance.
AIM 6.9 | Limited |
Windows Messenger 4.x | Yes |
Windows Messenger 5.x | Yes |
MSN Messenger 7.0 | Yes |
MSN Messenger 7.5 | Yes |
WLM 8.0 | Yes | Name changed from MSN to Windows Live Messenger (WLM); Microsoft deprecated this version in favor of WLM 8.1.
WLM 8.1 | Yes |
Remaining comments from the table (row assignment not recoverable from this copy):
In 2007, Microsoft rendered as obsolete all versions previous to 8.1 because of a security issue. Beginning November 9th, 2009, clients are required to upgrade.
In 6.x, WLM 2009 is tunneled. This version is also known as version 14.0. Beginning November 9th, 2009, Messenger 2009 (version 14) users must upgrade their clients. Users who have already installed the latest version, which was released Aug 18th 2009 (Build: 14.0.8089.726), are not required to upgrade.
This is the last version that supports Windows 98 and Windows ME.
This version was not officially tested, but full proxy support should work. (4.0-XP, 4.7-XP+SP2)
In 6.x, Yahoo 9 and 10 are tunneled. Yahoo 11 is not supported in tunneling mode.
AIM 6.x
If a SOCKS proxy is configured in the client's Internet Explorer (IE) settings:
SOCKS proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally.
SOCKS proxy with detect protocol enabled on the ProxySG appliance: The client can log in and chat with a thirty-second delay.
HTTP proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally.
HTTP proxy with detect protocol enabled on the ProxySG appliance: The client login fails after about 30 seconds with the message "Connection lost".
Transparent deployment:
AIM 6.1 cannot log in if an SSL service is configured on port 443.
AIM can log in, with a 30-second delay, if a TCP tunnel service is configured on port 443 with protocol detection enabled.
AIM can log in if the SSL forward proxy is also enabled and the ProxySG appliance's certificate is installed as the root certificate on the client's IE browser.
The client can log in and chat unless the SSL connection is intercepted by the SSL forward proxy. Supported deployments, if the SSL connection is not intercepted by the SSL forward proxy, include transparent/TCP tunnel on port 443, transparent/SSL proxy on port 443, and HTTP proxy or SOCKS proxy.
AIM 6.5
To deny login for AIM 6.0, 6.1 clients, and for transparent proxy deployments of AIM 6.5 and 6.8 clients, the following policy can be used:
Policy
Ask.com has changed its SafeSearch mechanism from a cookie-based one to a query-string based mechanism. If you are using the SafeSearch policy in your network, to ensure that undesirable mature content is blocked, please update the SafeSearch policy as shown below (B#141182): Replace
; === SafeSearch for Ask ===
;
; === BC_SafeSearch_Ask Domains/Hostnames ===
define condition BC_SafeSearch_Ask_Domains
    url.domain=ask.com url.host=!wzus.ask.com url.host=!mystuff.ask.com
    url.domain=ask.co.uk url.host=!wzus.ask.com url.host=!mystuff.ask.com
end
;
; === BC_SafeSearch_Ask Rules ===
<proxy BC_SafeSearch_Ask_cookies>
    condition=BC_SafeSearch_Ask_Domains request.header.cookie="adt=|adlt=" action.BC_SafeSearch_Ask_Cookie_Rewrite(yes) action.BC_SafeSearch_Ask_Cookie_Addition(yes)
;
; === BC_SafeSearch_Ask Defines ===
define action BC_SafeSearch_Ask_Cookie_Addition
    append(request.header.cookie, "gset:adlt=0")
end
define action BC_SafeSearch_Ask_Cookie_Rewrite
#if release.version=5.4..
    rewrite(request.header.cookie, "(.*)adt=(.*)", "$(1)adt=0$(2)")
#endif
    rewrite(request.header.cookie, "(.*)adlt=(.*)", "$(1)adlt=0$(2)")
end
;
With
; === SafeSearch for Ask ===
;
; === BC_SafeSearch_Ask Domains/Hostnames ===
define condition BC_SafeSearch_Ask_Domains
    url.domain=ask.com url.host=!wzus.ask.com url.host=!mystuff.ask.com
    url.domain=ask.co.uk url.host=!wzus.ask.com url.host=!mystuff.ask.com
end
;
; === BC_SafeSearch_Ask Rules ===
<proxy BC_SafeSearch_Ask_cookies>
    condition=BC_SafeSearch_Ask_Domains url.query.regex="adt=" action.BC_SafeSearch_Ask_Query_Rewrite(yes)
;
; === BC_SafeSearch_Ask Defines ===
define action BC_SafeSearch_Ask_Query_Rewrite
    rewrite(url, "(.*)adt=(.*)", "$(1)adt=0$(2)")
end
;
;
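To see what the replacement (query-string) rule does to a request before installing it, here is an added Python re-implementation of that rule; it is an example written for these notes, not Blue Coat policy code. It assumes that CPL url.domain=X matches host X and its subdomains, that url.host=!Y excludes host Y, and that the rewrite's $(n) back-references behave like Python's \g<n>.

```python
import re
from urllib.parse import urlsplit

# Mirrors the BC_SafeSearch_Ask_Domains condition from the policy above.
# Assumption: url.domain=X matches X and any subdomain; url.host=!Y excludes Y.
ASK_DOMAINS = ("ask.com", "ask.co.uk")
EXCLUDED_HOSTS = ("wzus.ask.com", "mystuff.ask.com")

# The CPL rewrite "(.*)adt=(.*)" -> "$(1)adt=0$(2)", with $(n) written as \g<n>.
ADT_REWRITE_RE = re.compile(r"(.*)adt=(.*)")
ADT_REPLACEMENT = r"\g<1>adt=0\g<2>"


def matches_ask_domains(host: str) -> bool:
    """True when the request host is covered by BC_SafeSearch_Ask_Domains."""
    host = host.lower().rstrip(".")
    if host in EXCLUDED_HOSTS:
        return False
    return any(host == d or host.endswith("." + d) for d in ASK_DOMAINS)


def rewrite_query(url: str) -> str:
    """Apply the rule: condition=BC_SafeSearch_Ask_Domains url.query.regex="adt="
    -> rewrite(url, "(.*)adt=(.*)", "$(1)adt=0$(2)"). Returns the URL unchanged
    when either part of the condition is not met, so the rule does not fire."""
    parts = urlsplit(url)
    if not matches_ask_domains(parts.hostname or ""):
        return url
    if "adt=" not in parts.query:        # url.query.regex="adt=" did not match
        return url
    # The greedy leading (.*) anchors on the LAST "adt=" in the URL, and the
    # second group keeps whatever followed it, so "adt=1" becomes "adt=01":
    # the rewrite inserts a 0 in front of the existing value rather than replacing it.
    return ADT_REWRITE_RE.sub(ADT_REPLACEMENT, url)


if __name__ == "__main__":
    # Constructed sample requests, not taken from any log.
    for sample in ("http://www.ask.com/web?q=test&adt=1",
                   "http://www.ask.com/web?q=test",
                   "http://wzus.ask.com/web?adt=1"):
        print(sample, "->", rewrite_query(sample))
```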
RSA SecurID
SGOS 6.2.x supports RSA 6.0 with SecurID.
SOCKS
SGOS 6.2.x supports SOCKS v5, authentication protocol v1.
Streaming
Streaming support is limited to the following players and servers:
The ProxySG appliance supports the following versions and formats:
Windows Media Player 7-12
Windows Media Server 9
Microsoft Silverlight
Important: SGOS 6.x does not support older Windows Servers that do not support WM-HTTP when NTLM authentication is enabled.
Newer Windows Clients, such as 11.x, do not support the MMS protocol. Silverlight is supported in SGOS 6.x; however, it must use WM-HTTP streaming protocol for streaming Windows content. WM-HTTP is also known as MS-WMSP.
The ProxySG appliance supports the following Real Players and Servers:
RealOne Player, version 2
RealPlayer 8 and 10
RealServer 8 through 10
Helix Universal Server
Helix Player 11
The ProxySG appliance supports the following versions and servers, but in pass-through mode only:
QuickTime Players v7.x, 6.x, and 5.x
Darwin Streaming Server 4.1.x and 3.x
Application: Adobe Flash plugin; Adobe Flash Server; Internet Explorer or Firefox (FF 3.x)
WCCP
SGOS 6.2.x was tested with several releases of Cisco IOS: 12.0.7, 12.1.6E, 12.2.18. For a list of Cisco platforms that support L2 packet return, go to www.cisco.com.
Copyright 1999-2012 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, ProxyOne, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY BLUE COAT) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Americas: Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA 94085
Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland