
Blue Coat Systems ProxyAV

Configuration and Management Guide 2.2.x

Blue Coat ProxyAV Configuration and Management Guide

Contact Information
Blue Coat Systems Inc.
650 Almanor Avenue
Sunnyvale, California 94085
info@bluecoat.com 101 support@bluecoat.com
North America (USA) Toll Free: 1.866.362.2628 (866.36.BCOAT)
North America Direct (USA): 1.408.220.2270
Asia Pacific Rim (Japan): 81.3.5425.8492
Europe, Middle East, and Africa (United Kingdom): +44 (0) 1276 854
www.bluecoat.com

Copyright 1999-2005 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. The Software may not be modified, reproduced (except to the extent specifically allowed by local law), removed from the product on which it was installed, reverse engineered, decompiled, disassembled, or have its source code extracted. In addition to the above restrictions, the Software, or any part thereof, may not be (i) published, distributed, rented, leased, sold, sublicensed, assigned or otherwise transferred, (ii) used for competitive analysis or used to create derivative works thereof, (iii) used for application development, or translated, (iv) used to publish or distribute the results of any benchmark tests run on the Software without the express written permission of Blue Coat Systems, Inc., or (v) removed or obscured of any Blue Coat Systems, Inc. or licensor copyrights, trademarks or other proprietary notices or legends from any portion of the Software or any associated documentation. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. Blue Coat Systems, Inc. specifications and documentation are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Blue Coat Systems, Inc. assumes no responsibility for its use. ProxySG, ProxyAV, CacheOS, and SGOS are trademarks of Blue Coat Systems, Inc., and CacheFlow, Blue Coat, Accelerating The Internet, WinProxy, AccessNow, Ositis, Powering Internet Management, and The Ultimate Internet Sharing Solution are registered trademarks of Blue Coat Systems, Inc.
All other trademarks contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The Software and all related technical information, documents and materials are subject to export controls under the U.S. Export Administration Regulations and the export regulations of other countries.

Document Number: 231-02764
Document Revision: 1.0 01/28/2005


Contents
Chapter 1: Introduction
  The Importance of Web Scanning ..... 5
  New Features and Enhancements ..... 5
  Supported Platforms ..... 5
    Hardware ..... 5
    Software ..... 5
    Supported Browsers ..... 6
  Upgrade Issues ..... 6
  Organization of This Document ..... 6
  ProxyAV Documentation Suite ..... 6

Chapter 2: Basic Network and Access Information
  Section A: Specifying the Usernames and Passwords
    Specifying the Administration Username and Password ..... 8
    Specifying a Read-Only Username and Password ..... 8
  Section B: Configuring Network Access
    Specifying the Appliance Identification Information ..... 9
      Specifying the ProxyAV Name ..... 9
      Specifying the ProxyAV Time ..... 9
    Specifying the Default Gateway ..... 9
    Specifying the ProxyAV Address ..... 10
    Specifying Client Access ..... 10
    Configuring Management Console Access ..... 11
      Enabling HTTP Access ..... 11
      Enabling HTTPS Access ..... 11
      Disabling Console Access ..... 11
    Generating Keyrings and Certificates ..... 12
  Section C: Configuring Network Routing
    Specifying the DNS Servers ..... 14
    Specifying an Upstream Proxy Server ..... 14
    Adding Routes ..... 14
    Adding ARPs ..... 15
    Specifying Link Speed ..... 15

Chapter 3: Configuring Anti-virus Scanning
  Section A: Introduction to Anti-virus Protection
    Introduction ..... 18
    File Terminology ..... 18
  Section B: Managing Anti-virus Subscriptions
    Registering the ProxyAV ..... 20
    Selecting an Anti-virus Vendor ..... 20
    Managing Pattern Files and Scan Engines ..... 20
    Updating Scan Engines and Pattern Files ..... 20
      Specifying a Time Interval ..... 20
      Specifying Pattern File and Engine Update Locations ..... 21
      Forcing an Update ..... 21
  Section C: ICAP
    Configuring the ProxyAV ICAP Service ..... 22
    About Maximum ICAP Connections ..... 22
  Section D: Configuring Anti-virus Parameters
    Determining Which File Types to Scan ..... 24
      ProxySG Policies ..... 24
      ProxyAV Policies ..... 25
    Configuring Scanning Behavior ..... 26
      Enabling Heuristic Parameters ..... 26
      Specifying the Anti-virus File Scanning Timeout Value ..... 26
      Specifying the Limits of Scannable Files ..... 27
      Specifying an Action Upon Content Scan Error ..... 27
    Viewing Anti-virus Status ..... 28
  Section E: Configuring Notification Alerts
    Configuring Alert Notification Information ..... 29
    Customizing Messages ..... 29

Chapter 4: Logging
  Configuring Logging ..... 31
  Configuring CSV Logging ..... 32
  Viewing Log Files ..... 32

Chapter 5: Maintenance and Troubleshooting
  Section A: Managing Configuration Files
  Section B: Troubleshooting
    Debugging ICAP Communication Errors ..... 35
    Preventing a ProxyAV Pattern File Update Failure ..... 35
    Pinging ..... 36
    Retaining Troubleshooting Log Files ..... 36
    Troubleshooting Services ..... 37
    Troubleshooting Utilities ..... 37
      Reload Drivers ..... 37
      Soft Reboot ..... 37
      Diagnostics ..... 37
      DNS Cache ..... 37
    Resetting the ProxyAV 2000-E Appliance ..... 38
    Resetting the ProxyAV 400-E Appliance ..... 38
      Restore the Factory Defaults ..... 38
      Reset the Appliance ..... 38

Chapter 6: Example Scenarios
  Section A: Scenario 1: Basic Anti-virus Deployment
    The Task ..... 42
    ProxySG Configuration ..... 42
      Configure an ICAP Service ..... 42
      Create a Patience Page ..... 43
    ProxyAV Configuration ..... 44
    Visual Policy Manager: Create Policy ..... 45

Appendix A: Upgrading the ProxyAV
  Section A: Upgrade Procedure
    About Firmware Updating ..... 48
    Upgrading to ProxyAV 2.2.x ..... 48
    Restricting Administrator ProxyAV Access to HTTPS ..... 49
  Section B: Upgrade Issues
    Management IP ..... 51
      Upgrade Behavior ..... 51
      Downgrade Behavior ..... 51
      Legacy Procedure: Specifying the Management IP Address ..... 51

Appendix B: Deploying the ProxyAV
  The Challenges of Web Scanning Integration ..... 53
  The Blue Coat ProxyAV Solution ..... 55
  Determining Network Location ..... 55
  Deployment Diagram 1: ProxyAV With a Crossover Cable ..... 56
  Deployment Diagram 2: ProxyAV With a Switch ..... 57
  Deployment Phases ..... 57


Chapter 1: Introduction

The Importance of Web Scanning


The Blue Coat Systems ProxySG with ProxyAV integration is a high-performance Web anti-virus (AV) solution. For most enterprises, Web applications and traffic are mission-critical, representing 90% of the total Internet traffic. The umbrella of Web traffic includes HTTP, FTP, IM, peer-to-peer (P2P), and streaming. While most users are aware that opening unsolicited e-mail attachments can propagate the spread of a virus, Web-based threats, such as the Code Red and NIMDA viruses, do not require user propagation. As these threats continue to rise, it is vital to dedicate more attention to securing Web traffic, with the goal of preventing viruses from entering the network, not just cleaning up infections after they enter. By deploying the ProxySG/ProxyAV solution, you gain performance and scalability (up to 250+ Mbps HTTP throughput), along with Web content control.

New Features and Enhancements


The following features are new to this version of ProxyAV:
- HTTPS secure Management Console access: Provides greater security by only allowing authorized administrators to access the ProxyAV.
- Improved scanning behavior policy.
- Improved integration with the ProxySG.

Supported Platforms
This section contains the ProxyAV hardware and software requirements.

Hardware
The ProxyAV only supports the Blue Coat ProxySG. ProxyAV 2.2.x is supported on the Blue Coat 400-E and 2000-E appliances.

Software
To employ the enhanced policy features in ProxyAV 2.2.x, the ProxySG must be running the SGOS 3.2.4.x or later operating systems; however, previously supported SGOS versions are still valid with this release.

Supported Browsers
ProxyAV 2.2.x supports Microsoft Internet Explorer, version 5.x and Netscape Communicator, version 6.x. Other browsers might be compatible, but have not been tested as of the printing of this document.

Upgrade Issues
If you are updating from a previous ProxyAV release to this release, Blue Coat strongly recommends reading Appendix A: "Upgrading the ProxyAV" on page 47 before performing the upgrade.

Organization of This Document


This Configuration and Management Guide is divided into the following chapters:

Table 1.1: Document Contents
Chapter 1: Introduction (page 5): Introduces the ProxyAV and this document.
Chapter 2: Basic Network and Access Information (page 7): Describes how to specify interface IP addresses and configure the ProxyAV on the network.
Chapter 3: Configuring Anti-virus Scanning (page 17): Describes how to configure the ProxyAV to communicate with the ProxySG and how to configure the ProxyAV anti-virus content scanning features.
Chapter 4: Logging (page 31): Describes how to configure how the ProxyAV logs information for performance and results analysis.
Chapter 5: Maintenance and Troubleshooting (page 33): Describes how to perform simple tasks to maintain the ProxyAV and troubleshoot the appliance locally.
Chapter 6: Example Scenarios (page 41): Provides example configurations.
Appendix A: "Upgrading the ProxyAV" (page 47): Describes behaviors associated with upgrading to this version of the OS.
Appendix B: "Deploying the ProxyAV" (page 53): Provides diagrams and information about the AV solution and the location of the ProxyAV on the network.

ProxyAV Documentation Suite


The complete suite of ProxyAV documentation includes the following:
- Blue Coat Systems 2000-E Series Installation Guide (online only).
- Blue Coat Systems 2000-E Series Quick Start Guide.
- Blue Coat Systems ProxyAV 400 Series Installation and Quick Start Guide.
- Activating Your Software License Key.
- Online Help.
- This Configuration and Management Guide.

Chapter 2: Basic Network and Access Information

The Activating Your Software Key pamphlet, packed with the software bundle in your ProxyAV shipment, describes how to perform first-time configuration steps, including administrator name and password, appliance network configurations, and AV subscription information. This chapter assumes the ProxyAV is configured according to steps in the pamphlet. If necessary, use the procedures provided in this chapter to alter the default configurations.

This chapter contains the following sections:
- Section A: Specifying the Usernames and Passwords on page 8: Describes how to configure access credentials.
- Section B: Configuring Network Access on page 9: Describes how to configure ProxyAV IP addresses and secure Management Console access.
- Section C: Configuring Network Routing on page 14: Describes how to configure routes, including upstream proxy access.

Section A: Specifying the Usernames and Passwords


Specifying an administration username and password prevents unauthorized access to the ProxyAV Management Console. You can specify two accounts: one for administrative access and one for read-only access.

Specifying the Administration Username and Password


Once an administration username and password is defined, the authentication credential check is enforced and no user can access the Management Console without entering the proper information.

Important: If you do not specify this information, any user can access the Management Console. No credential prompt occurs.

To specify an administration username and password:
1. In the Management Console, select Change Password.
2. Select Require Authentication.
3. In the Username field, enter the administrator user name.
4. In the New Password field:
   a. Enter the administrator password. The maximum number of characters is 14.
   b. Repeat the entry in the Verify New Password field.
5. In the Session timeout field, enter the number of elapsed minutes before the administrator is required to enter access credentials again.
6. Click Save Changes.

Specifying a Read-Only Username and Password


You can specify a separate username and password that allows other users to view the ProxyAV Management Console, yet not have the ability to change any configurations.

To specify a read-only username and password:
1. In the Management Console, select Change Password.
2. Click Change Read-Only User data.
3. Specify the username and password information.
4. Click Save Changes.

Section B: Configuring Network Access


The network configurations in this section identify the ProxyAV to the network.

Specifying the Appliance Identification Information


This section describes how to specify the appliance name and current time.

Specifying the ProxyAV Name


This option is not required, but if you have multiple ProxyAV appliances installed, giving each one a unique and relevant name easily reminds you of each ProxyAV appliance's configured purpose.

To specify or change the appliance name:
1. In the Management Console, select Network.
2. Under Global Settings, in the Appliance Name field, enter a name.
3. Click Save Changes.

Specifying the ProxyAV Time


This option allows you to set the internal ProxyAV clock. Setting the correct local time ensures reliable diagnostic information, such as accurate timestamps in logs.

To set the internal clock:
1. From the Management Console, select Advanced>Set Time.
2. In the respective fields, enter the current hour, minutes, and seconds.
3. Click Save Changes.

Specifying the Default Gateway


This option specifies the network default gateway address.

To specify or change the default gateway address:
1. In the Management Console, select Network.
2. Under Global Settings, in the Default Gateway field, enter the gateway address.
3. Click Save Changes.

Note: If a different IP address is entered from the front panel of the appliance (on supported models), this value is changed accordingly.


Specifying the ProxyAV Address


The ProxyAV connects to the ProxySG or a switch through a network cable that is attached to Interface 0 for ProxyAV 400-E appliances or Interface 1 for ProxyAV 2000-E appliances. Your ProxyAV model dictates which interface number appears on the Network page of the Management Console.

To specify or change the Interface IP address:
1. In the Management Console, select Network.
2. Under Settings for Interface #, in the IP Address field, enter the IP address of the Interface.
3. In the Subnet Mask field, enter the subnet mask.
4. Click Save Changes.

Specifying Client Access


The Client Access List displays the currently defined IP addresses allowed administrative remote access to both the ProxyAV interface IP addresses and ICAP clients. When remote access is enabled, you can access the interface from outside your local network. This feature also allows you to deny access to subnets or untrusted hosts while allowing access from others on the LAN, or to allow selected subnets, such as your ProxySG clients, and deny other clients from the subnets dedicated for ICAP communications. For security reasons, Blue Coat recommends keeping this list limited and specific.

To configure remote access:
1. In the Management Console, select Network.
2. Under Client Access List, click Add; the Administration and ICAP Server Access Entry page appears.
3. In the IP Address field, enter the IP address of a client or subnet that will or will not be allowed administrative access to the ProxyAV.
4. In the Mask field, enter a subnet address.
5. Select a Status:
   - Restrict: This IP address and subnet is denied administrative access.
   - Allow ICAP access: This option allows clients to be ICAP clients.
   - Allow admin & ICAP access: This IP address and subnet is allowed administrative and ICAP server access.
6. Click Save Changes.

When there are no entries in the table (or all entries are set to restricted), remote or ICAP access is not allowed. To access the ProxyAV for remote administrative access, set your browser to use a proxy for HTTP or HTTPS connections. Enter the URL: http://interface_IP:port or https://interface_IP:port. For example, https://10.0.0.2:8082.


Configuring Management Console Access


You can specify which protocols (HTTP and HTTPS) can be used to access the ProxyAV Management Console.

Note: Upon a new installation or upgrade to this release, the HTTPS protocol on port 8082 is enabled; HTTP is disabled.

Enabling HTTP Access


By enabling HTTP access, the administrator can access the Management Console without a secure connection. You can specify a different port number.

To enable HTTP access:
1. In the Management Console, select Network.
2. Under Management Console Access, select Enable HTTP Administration.
3. (Optional) Enter a different port number from the default.
4. Click Save Changes.

Enabling HTTPS Access


With HTTPS, the connection to the Management Console is encrypted.

To configure HTTPS access:
1. In the Management Console, select Network.
2. Under Management Console Access, select Enable HTTPS Administration.
3. (Optional) Enter a different port number from the default.
4. Click Save Changes.

When HTTPS is enabled, you must enter the URL format: https://interface_IP:port to access the ProxyAV Management Console. For example, https://10.0.0.2:8082.

Disabling Console Access


To prevent an administrator from accidentally rendering the ProxyAV inaccessible, once an access protocol is enabled, it cannot be disabled unless another protocol is active. For example, if HTTPS is enabled, you cannot deselect it if HTTP is not enabled (and saved).

Note: For versions of ProxyAV 2.2.x that were upgraded from 2.1.x, the Management IP is included in this functionality. Refer to Appendix A: "Upgrading the ProxyAV", "Management IP" on page 51 for more information about this feature.
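The Client Access List semantics above ("Specifying Client Access") and the console-protocol lockout rule in this section can be checked against a small model before committing a change on the appliance. The following is an added example written for this guide, not Blue Coat code: it encodes the three Status values, the rule that an empty or all-Restrict table denies remote and ICAP access, the default of HTTPS on port 8082 with HTTP off, and the rule that a protocol cannot be disabled while the other is off. Two points the guide does not state are assumptions here: the most specific (longest mask) matching entry decides, and when equally specific entries conflict, Restrict wins. All addresses are constructed placeholders.

```python
"""Model of the ProxyAV Management Console access rules as the guide describes them.

Added illustration only (not Blue Coat code). Sample data is constructed.
Assumptions beyond the guide's text: the most specific (longest-mask) matching
entry decides, and when equally specific entries conflict, Restrict wins.
"""
import ipaddress
from dataclasses import dataclass

# The three Status values offered on the Administration and ICAP Server Access Entry page.
RESTRICT = "Restrict"
ALLOW_ICAP = "Allow ICAP access"
ALLOW_ADMIN_ICAP = "Allow admin & ICAP access"


@dataclass
class AccessEntry:
    ip_address: str   # IP Address field (host or subnet)
    mask: str         # Mask field (dotted subnet mask)
    status: str       # one of the three Status values above

    def network(self):
        # strict=False so a host address with a shorter mask still maps to its subnet
        return ipaddress.ip_network(f"{self.ip_address}/{self.mask}", strict=False)


def access_allowed(entries, client_ip, service):
    """Return True if client_ip may use `service` ("admin" or "icap").

    With no entries, or no entry covering the client, access is denied, which is
    the behaviour the guide states for an empty or all-Restrict table.
    """
    if service not in ("admin", "icap"):
        raise ValueError("service must be 'admin' or 'icap'")
    client = ipaddress.ip_address(client_ip)
    matches = [e for e in entries if client in e.network()]
    if not matches:
        return False
    # Assumption: most specific entry wins; a Restrict among equally specific entries wins.
    best_len = max(e.network().prefixlen for e in matches)
    best = [e for e in matches if e.network().prefixlen == best_len]
    if any(e.status == RESTRICT for e in best):
        return False
    statuses = {e.status for e in best}
    if service == "icap":
        return bool(statuses & {ALLOW_ICAP, ALLOW_ADMIN_ICAP})
    return ALLOW_ADMIN_ICAP in statuses


class ConsoleAccess:
    """Management Console protocol switches with the guide's safety rule:
    a protocol cannot be disabled unless the other one is enabled (and saved)."""

    HTTPS_DEFAULT_PORT = 8082  # the port the guide gives for HTTPS after install/upgrade

    def __init__(self):
        # Default after a new install or upgrade per the guide: HTTPS on, HTTP off.
        self.enabled = {"http": False, "https": True}

    def set_protocol(self, proto, enabled):
        """Apply the change and return True, or return False if it would lock out the console."""
        if proto not in self.enabled:
            raise ValueError("proto must be 'http' or 'https'")
        other = "https" if proto == "http" else "http"
        if not enabled and not self.enabled[other]:
            return False  # refused: no other console protocol is active
        self.enabled[proto] = enabled
        return True

    def console_url(self, interface_ip, port=HTTPS_DEFAULT_PORT):
        """URL format the guide gives for console access, e.g. https://10.0.0.2:8082."""
        scheme = "https" if self.enabled["https"] else "http"
        return f"{scheme}://{interface_ip}:{port}"


# Constructed sample Client Access List (placeholder addresses, not a real deployment).
SAMPLE_ACL = [
    AccessEntry("10.0.0.0", "255.255.255.0", ALLOW_ADMIN_ICAP),   # admin workstation subnet
    AccessEntry("10.0.1.0", "255.255.255.0", ALLOW_ICAP),         # ProxySG ICAP client subnet
    AccessEntry("10.0.1.200", "255.255.255.255", RESTRICT),       # untrusted host inside that subnet
]

if __name__ == "__main__":
    for ip, svc in [("10.0.0.5", "admin"), ("10.0.1.5", "admin"), ("10.0.1.5", "icap"),
                    ("10.0.1.200", "icap"), ("192.168.1.1", "icap")]:
        verdict = "allow" if access_allowed(SAMPLE_ACL, ip, svc) else "deny"
        print(f"{ip:>14} {svc:5} -> {verdict}")
    console = ConsoleAccess()
    print("disable HTTPS while HTTP is off:", console.set_protocol("https", False))
    console.set_protocol("http", True)
    print("disable HTTPS while HTTP is on: ", console.set_protocol("https", False))
```

Running the module prints the decision for each sample client and shows the lockout refusal; the host-specific Restrict entry overrides the subnet-wide ICAP allow, which is the "deny untrusted hosts inside an allowed subnet" pattern the guide describes.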


Generating Keyrings and Certificates


A default SSL keyring and signing certificate exists upon initial booting of the ProxyAV. You can generate new keyrings and certificates if the Management Console is in HTTPS mode.

Note: The Blue Coat Systems ProxySG Configuration and Management Guide provides detailed information about SSL, Keyrings, and Certificates. Refer to that document for conceptual information regarding these topics.

To generate a new keyring and certificate, and specify the ProxyAV to use them:
1. Select Advanced>SSL Keyrings; the SSL Keyrings page appears.
2. Click Create; a new SSL Keyring page displays.
3. In the Keyring Name field, enter a name that identifies this keyring.
4. By selecting Show Keyring, the contents of the keyring are viewable and exportable.
5. Perform one of the following:
   - Select Create new and enter the keyring strength in the bit keyring field. A length of 1024 bits is the maximum (and default). Longer keypairs provide better security, but with a slight performance expense on the ProxyAV. Be aware that the maximum key length allowed for international export might be different than the default. For deployments reaching outside of the United States, determine the maximum key length allowed for export. Click OK. The keyring, containing a keypair, is created with the name you chose. It does not have a certificate associated with it yet.
   - Select Import keyring. In the Keyring field, paste in an already existing keypair. The certificate associated with this keypair must be imported separately. If the keypair that is being imported has been encrypted with a password, select Keyring Password and enter the password into the field. Click OK.
6. The ProxyAV ships with a certificate associated with a default keyring. You can add three kinds of SSL certificates:
   - A self-signed certificate.
   - A certificate signed by a Certificate Authority.
   - An external certificate.
   To create a self-signed certificate:
   a. Select Advanced>SSL Certificates; the SSL Certificates page appears.
   b. From the Keyring drop-down list, select the newly-created keyring.
   c. Click Create; a new SSL Certificates page displays.
   d. Fill in the fields as appropriate:
      - State/Province: Enter the state or province where the machine is located.
      - Country Code: Enter the two-character ISO code of the country.
      - City/Locality: Enter the city.
      - Organization: Enter the name of the company.
      - Unit: Enter the name of the group that will be managing the machine.
      - Common Name: A common name should be the one that contains the URL with which the client accesses that particular origin server.
      - E-mail Address: The email address you enter must be 40 characters or less.
      - Not valid after: From the drop-down lists, select a date after which the certificate is no longer valid.
   e. Click OK. After the process is complete, this keyring and certificate can be selected from the Network page for HTTPS encryption.
7. Select Network.
8. Under Management Console Access, from the Keyring drop-down list, select the newly-created keyring. You can also select an SSL version.
9. Click Save Changes.

Section C: Configuring Network Routing

This section describes how to configure network traffic flow.

Specifying the DNS Servers


The ProxyAV ships with three default DNS server settings. These addresses are for the DNS servers of several large ISPs, and should work upon startup (if the appliance has Internet access). You can replace these servers with the DNS server IP addresses that you normally use when configuring your client systems.

To specify or change the DNS search order:

1. In the Management Console, select Network.
2. Under DNS Search Order, specify the IP addresses for the primary, secondary, and tertiary DNS servers.
3. Click Save Changes.

Specifying an Upstream Proxy Server


If your deployment uses an explicit upstream proxy to the Internet, that server must be identified to allow the ProxyAV to retrieve pattern file and scan engine updates and firmware update information.

To specify a proxy server for outside access:

1. In the Management Console, select Network.
2. Click Proxy Server for Updates (link); the Proxy Server and Remote Update page appears.
3. Select one of the following:

   No Proxy: (The default) This ProxyAV is not proxied and can directly receive updates.
   HTTP Proxy: Proxies this ProxyAV through the defined HTTP proxy server.
   SOCKS Proxy: Proxies this ProxyAV through the defined SOCKS proxy server.

4. In the IP field, enter the IP address of the HTTP or SOCKS proxy server.
5. In the Port field, enter the port number, if necessary.
6. (Optional; only applies to HTTP Proxy) Select Enable Proxy Authorization and specify a user name and password in the appropriate fields.
7. Click Save Changes.

Adding Routes
You can add additional routes for deployments where the ProxyAV default route is not sufficient. A typical requirement for this is when the SMTP or DNS servers to be used by the ProxyAV are located on an internal network.

Added routes do not affect traffic that passes through the ProxyAV; they are only used for connections where the ProxyAV is the client. These include updates of pattern and engine files, searching for updates to ProxyAV firmware, and sending alerts.

To add a route to the table:

1. From the Management Console, select Advanced>Route Table.
2. Click Add; the Route entry page appears.
3. In the Destination field, enter an IP address to be used in routing.
4. In the Mask field, enter a subnet value.
5. In the Gateway field, enter a gateway value.
6. Click Save Changes.
7. Repeat as required.
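As an added illustration, not ProxyAV code, the following Python script shows how a small route table like the one built in the steps above resolves the next hop for a connection the ProxyAV itself originates (a DNS query, an update fetch, an alert e-mail). The destination, mask and gateway values are constructed for the example; the most specific matching entry wins and the default route catches everything else.

```python
import ipaddress

# Constructed example values: a default gateway plus two routes entered on
# Advanced>Route Table as (Destination, Mask, Gateway). Not appliance defaults.
DEFAULT_GATEWAY = "192.0.2.1"
ROUTES = [
    ("10.10.0.0", "255.255.0.0", "192.0.2.254"),    # internal network holding the DNS servers
    ("10.10.5.0", "255.255.255.0", "192.0.2.253"),  # more specific: the SMTP server subnet
]


def build_table(routes, default_gateway):
    """Turn (destination, mask, gateway) rows into networks, most specific first."""
    table = []
    for destination, mask, gateway in routes:
        network = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        table.append((network, gateway))
    table.append((ipaddress.ip_network("0.0.0.0/0"), default_gateway))
    # Longest prefix wins, so order by prefix length descending.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def next_hop(table, destination_ip):
    """Gateway used for a connection the ProxyAV originates to destination_ip."""
    address = ipaddress.ip_address(destination_ip)
    for network, gateway in table:
        if address in network:
            return gateway
    raise ValueError(f"no route to {destination_ip}")  # unreachable while a default route exists


if __name__ == "__main__":
    table = build_table(ROUTES, DEFAULT_GATEWAY)
    for host in ("10.10.5.20", "10.10.9.1", "198.51.100.7"):
        print(host, "->", next_hop(table, host))
```

Because these routes only apply to ProxyAV-originated connections, checking the hop for your SMTP and DNS server addresses this way is a quick sanity test that the entries cover the hosts that alerts and updates depend on.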

Adding ARPs
Certain firewall configurations require the use of static forwarding tables. Failover configurations use virtual IP (VIP) addresses and virtual MAC (VMAC) addresses. When a client sends an ARP (Address Resolution Protocol) request to the firewall VIP, the firewall replies with a VMAC (which can be an Ethernet multicast address); however, when the firewall sends a packet, it uses a physical MAC address, not the VMAC. The solution is to create a static forwarding table that defines the next hop gateway. You can add static ARPs or clear the dynamic and static ARPs.

To add an ARP value to the table:

1. From the Management Console, select Advanced>ARP Table.
2. At the bottom of the table, enter an IP address in the first field.
3. Enter a MAC address.
4. From the drop-down list, select an interface.
5. Click Add.

Specifying Link Speed


By default, the ProxyAV automatically detects the link settings. The following procedure allows you to change them.

To specify the link speed:

1. From the Management Console, select Advanced>Ethernet Adapter Media Type. The Current Media State field displays the current configuration for the interface. If a cable is not connected, this is stated.
2. Select an option from the drop-down lists: Auto, 10 Mbit/Half, 10 Mbit/Full, 100 Mbit/Half, or 100 Mbit/Full.
3. Click Save Changes.

Note: The Ethernet media link speed feature contains a failsafe so that users do not accidentally lock themselves out of the Management Console by entering an incompatible duplex setting. After selecting a speed/duplex setting and clicking Save Changes, the page refreshes and a new button appears: Confirm Media Type Changes. If you do not click this button, the ProxyAV reverts to the previous setting after two minutes.

Chapter 3: Configuring Anti-virus Scanning

This chapter provides basic anti-virus (AV) information, and describes how to integrate and configure the ProxySG and ProxyAV virus protection solution. This chapter contains the following sections:

Section A: "Introduction to Anti-virus Protection" on page 18: Provides basic AV information and terms.
Section B: "Managing Anti-virus Subscriptions" on page 20: Describes how to assign your AV vendor and specify pattern file and scan engine update behavior.
Section C: "ICAP" on page 22: Describes how to configure the ProxyAV ICAP service used by the ProxySG.
Section D: "Configuring Anti-virus Parameters" on page 24: Describes how to configure ProxyAV AV scanning behavior.
Section E: "Configuring Notification Alerts" on page 29: Describes how to configure the ProxyAV to send alert messages.

Section A: Introduction to Anti-virus Protection


This section provides basic information and terminology concerning anti-virus (AV) scanning. For a discussion about deploying the ProxySG/ProxyAV integration, see Appendix B: "Deploying the ProxyAV" on page 53.

Introduction
The total Blue Coat AV capabilities are implemented using ICAP as the communication mechanism between the Blue Coat ProxySG and the ProxyAV. The policy definition for content scanning is fully integrated into the Blue Coat policy framework and defined using either the Blue Coat Visual Policy Manager (VPM) or the Blue Coat Content Policy Language (CPL). Virus-free content is cached, giving a scan-once, serve-many benefit when scanning cacheable Web objects.

File Terminology
This section provides descriptions of file types as they pertain to AV scanning; along with the descriptions are configuration tips. Blue Coat recommends understanding these descriptions and tips before configuring your ProxySG/ProxyAV solution.

Simple File: A file type that is not an archive or container of other files.
Archive File: A file type that contains additional files inside itself. This characteristic can be nested to multiple levels.
Compressed File: A simple or archive file can be in compressed or decompressed format. A compressed format reduces the file size from its original size. When decompressed, the file size expands to its original size.
Original File Size: The size of the file sent to the ProxyAV from the ProxySG for scanning. This can be an archive or a simple file. If the file is compressed, the real size is not known until it is decompressed.
Decompressed File Size: For a simple file, the actual file size after decompressing; for an archive file, the total of all the files it contains.
Maximum Individual File Size: A settings parameter defined by the ProxyAV to regulate the upper limit file size that can be passed to an AV engine. The file size check is applied to the original file size, independent of archive or compressed status. The upper limit for a file size can be negated by the ProxyAV File Scanning Timeout option: if the maximum file size is a large value but the file scanning timeout is small, the operation can time out before the size limit is reached.
File Size Within Archive: It is common for AV engine vendors to have specific rules for decompressed file size limits for individual files in an archive. The AV engine sets the preset value, which is currently equal to the maximum file size, but you can specify the limit on the ProxyAV.
Total Size of All Files Within An Archive: It is common for AV engine vendors to have specific rules for the total decompressed file size limit for all files in an archive. For Sophos, this is indirectly manageable, and the value is larger than the Maximum File Size. More dynamic control before invoking AV vendor calls is planned for a future release.
File Scanning Timeout: On the ProxyAV, the maximum time allowed for scanning a file; when the timeout value is reached, scanning stops. The time starts when the AV engine receives the file.
Connection Timeout: On the ProxySG, the time the ProxySG waits for a response from the ProxyAV after it finishes sending the file for scanning. If the ProxyAV does not complete the scanning operation within this time, the ProxySG declares the scanning operation failed.
Maximum Archive Depth: The maximum number of nested archive levels. For example, if the depth level is 3, the AV engine scans files that are part of a three-level zipped file (zipped files in a zipped file in a zip file). Depending on the vendor, the depth is usually in the 16 to 20 range. More dynamic control is planned for a future release.
Maximum Archive Layers: The maximum number of archive layers. For example, if the depth level is 3, the AV engine scans files that are part of a three-level zipped file (zipped files in a zipped file in a zip file). Depending on the vendor, the default depth is usually in the 16 to 20 range. More dynamic control is planned for a future release.
File Extension: The original files can be distinguished by the file extension following the file name. The ProxySG can prevent the passing of a specific file extension to the ProxyAV.
File Extension Within Archive: It is common for AV engine vendors to have specific rules for specific file extensions within archives (for example, rules to exclude scanning certain types of file extensions).


Section B: Managing Anti-virus Subscriptions


This section describes how to manage your AV subscriptions, which are obtained from Blue Coat. The ProxyAV ships with at least one license for anti-virus scanning. Licenses can be obtained for each vendor for varying time periods.

Registering the ProxyAV


Anti-virus scanning services cannot start without a serial number entered and saved. This step is part of the initial system configuration, as detailed in the ProxyAV Software: Activating Your Software License Key pamphlet shipped with the ProxyAV. The appliance's serial number, located on a sticker on the software CD, must be entered manually.

Selecting an Anti-virus Vendor


The Serial Number and AV Vendor represent your subscription to use the AV engine and pattern files from a particular vendor.

To enter subscription information:

1. From the Management Console, select Subscriptions.
2. Select your AV vendor.
3. Enter a new number to start or extend your subscription. Include the dashes when you enter the number.
4. Click Save Changes.

Typically, ProxyAVs are sold with a one-year antivirus subscription.

Managing Pattern Files and Scan Engines


This section concerns pattern file and scan engine update behavior. AV vendors constantly update their pattern files and scanning engines. On the ProxyAV, there are two methods by which you can obtain updates from your AV vendor: manually force an update and update at a time interval. By default, the ProxyAV checks for new versions every 30 minutes; this value can be changed.

Updating Scan Engines and Pattern Files


This section describes how to configure when and where the ProxyAV obtains pattern and engine updates.

Specifying a Time Interval


This option allows you to determine how often the ProxyAV contacts the server that provides pattern or engine updates.

To specify a time interval:

1. From the Management Console, select Antivirus.
2. Click the Update Settings link; the Update Settings page is displayed.
3. In the Update Frequency field, enter a value in minutes (the default is 30).
4. Click Save Changes.

Specifying Pattern File and Engine Update Locations


By default, the ProxyAV checks for updates at the default vendor location. You can specify an alternate location to retrieve pattern file or engine updates.

To specify an alternate location for updates:

1. From the Management Console, select Antivirus.
2. Click the Update Settings link; the Update Settings page is displayed.
3. Under Pattern or Engine Update Location, select Custom.
4. In the field, enter the location of the update information. For example:
   http://www.company.com/pattern_file_pointer
5. Click Save Changes.

Forcing an Update
You can manually invoke a pattern file and scan engine new-version query and update.

To force an update:

1. Select Antivirus. The table at the top of the page displays your current AV vendor, the scan engine and pattern file versions, and the number of days remaining in the subscription.
2. In the Action column, select Force update and click Update. The latest engine and pattern files are downloaded and installed, regardless of whether the most current versions are already installed.

Section C: ICAP
This section describes how to configure the ProxyAV ICAP service for AV scanning.

Configuring the ProxyAV ICAP Service


The ICAP service communicates with the ProxySG, which also has a configured ICAP service.

To configure the ICAP service:

1. In the Management Console, select ICAP Settings.
2. (Prerequisite) If the IP address of the ProxySG has not been added to the allowed list, this must be done. Click Permitted clients to go to the Management Console Network page. Add the IP address to the Client Access List. See "Specifying Client Access" on page 10.
3. Select ICAP Server enabled.
4. In the ICAP server port field, enter the port number used to connect to the ICAP server. The default is 1344.
5. In the Options TTL field, enter the number of seconds the OPTIONS response remains valid. If Do not include is selected, the options-ttl tag is not included in the response to the client.
6. (Optional) In the Antivirus service name field, specify the name of the ICAP service performing the scanning. See the example on the page.
7. Select Allow X-Include to include the X-Include tag (support of original source and original destination tags) in the OPTIONS response to the ICAP client (the ProxySG); thus, the ICAP client is informed that these tags are supported. The X-Include tag itself does not contain a source or destination. The value of this tag will be X-Server-IP, X-Client-IP.
8. Under Include extension headers in response, the default option is X-Virus-ID, which includes the known virus identification. Select X-Infection-Found or X-Violations-Found if your deployment warrants their use.

The ProxyAV ICAP service is configured, and can communicate with a ProxySG that is configured to communicate with this ProxyAV. The next section discusses how to configure file scanning parameters.
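An added example, not ProxyAV or ProxySG code, of both sides of the OPTIONS exchange that steps 5 through 8 configure. The service name, ISTag and TTL are constructed values; the Options-TTL, X-Include and extension-header behaviour follows the descriptions above, and the X-Infection-Found and X-Violations-Found layouts follow the draft-stecher ICAP extension headers those names come from. The parser shows what an ICAP client keeps from the reply, including when the TTL is omitted.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IcapServiceConfig:
    """Mirrors the ICAP Settings fields above; values are constructed, not read from a unit."""
    port: int = 1344
    service_name: str = "avscan"                 # assumed Antivirus service name
    options_ttl: Optional[int] = 3600            # None models the "Do not include" choice
    allow_x_include: bool = True
    extension_headers: tuple = ("X-Virus-ID",)   # X-Infection-Found / X-Violations-Found are optional


def build_options_response(cfg: IcapServiceConfig) -> str:
    """Server side: the OPTIONS reply a RESPMOD scanning service returns."""
    lines = [
        "ICAP/1.0 200 OK",
        "Methods: RESPMOD",
        f"Service: example-av/{cfg.service_name}",
        'ISTag: "example-istag-0001"',   # constructed; a real ISTag changes with each pattern update
        "Encapsulated: null-body=0",
        "Allow: 204",
    ]
    if cfg.options_ttl is not None:
        lines.append(f"Options-TTL: {cfg.options_ttl}")
    if cfg.allow_x_include:
        # Advertises that the client may send these headers; the tag itself names no address.
        lines.append("X-Include: X-Server-IP, X-Client-IP")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_options_response(raw: str, now: float) -> Dict:
    """Client side: what an ICAP client such as the ProxySG records from the OPTIONS reply."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    if not status.startswith("ICAP/1.0 200"):
        raise ValueError(f"unexpected OPTIONS status: {status}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "methods" not in headers:
        raise ValueError("OPTIONS reply lacks the mandatory Methods header")
    ttl = headers.get("options-ttl")
    x_include = [h.strip() for h in headers.get("x-include", "").split(",") if h.strip()]
    return {
        "methods": [m.strip() for m in headers["methods"].split(",")],
        "istag": headers.get("istag"),
        "x_include": x_include,
        # Without Options-TTL the reply never expires by itself; the client re-polls on its own schedule.
        "expires": None if ttl is None else now + int(ttl),
    }


def virus_found_headers(cfg: IcapServiceConfig, threat: str, filename: str) -> List[str]:
    """Extension headers added to a RESPMOD reply when a threat is found (draft-stecher-icap-subid layout)."""
    out = []
    if "X-Virus-ID" in cfg.extension_headers:
        out.append(f"X-Virus-ID: {threat}")
    if "X-Infection-Found" in cfg.extension_headers:
        # Type=0 means virus, Resolution=2 means the object was blocked
        out.append(f"X-Infection-Found: Type=0; Resolution=2; Threat={threat};")
    if "X-Violations-Found" in cfg.extension_headers:
        out.append(f"X-Violations-Found: 1\r\n\t{filename}\r\n\t{threat}\r\n\t0\r\n\t2")
    return out


if __name__ == "__main__":
    cfg = IcapServiceConfig()
    reply = build_options_response(cfg)
    print(reply)
    print(parse_options_response(reply, time.time()))
```

The TTL check is the part worth keeping in mind operationally: a client that caches an OPTIONS reply with no Options-TTL will not notice a changed ISTag or service name until it polls again, so "Do not include" trades fewer OPTIONS round trips for slower propagation of such changes.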

About Maximum ICAP Connections


Dependent upon the ProxyAV platform, the default and allowable maximum number of simultaneous ICAP connections varies:

ProxyAV 400-E: Default: 50; Maximum: 800
ProxyAV 2000-E: Default: 100; Maximum: 1100

The default values are only used to return a value to the ProxySG when it senses settings. If you require a larger value, you must edit the ICAP service on the ProxySG. In most deployments, 100 ICAP connections are more than adequate, as the ProxySG can multiplex many requests over the 100 ICAP connections. The deployments where this value might require increasing are those with many slow or long-running connections that cause all 100 ICAP connections to become busy, so that many requests queue up waiting for a freed connection.

Section D: Configuring Anti-virus Parameters


This section describes how to configure the ProxyAV virus scanning capabilities.

Determining Which File Types to Scan


As the delivery of viruses and malicious code is ever-evolving, Blue Coat recommends scanning all file types. However, the ProxySG/ProxyAV integrated solution allows you to determine which file types are scanned, or more appropriately, not scanned. By default, the ProxySG forwards all file types for scanning, but you can create policy that includes or excludes specific file types. Blue Coat recommends scanning all file types to attain maximum security against harmful content. The following file types are known to harbor viruses:

"";ARJ;BAT;BIN;BMP;BOO;CAB;CHM;CLA;CLASS;COM;CSC;DAT;DLL;DOC;DOT;DRV;EML;EXE;GIF;GZ;HLP;HTA;HTM;HTML;INI;JAR;JPG;JPEG;JS;JSE;LNK;LZH;MDB;MPD;MPP;MPT;MSG;MSO;NWS;OCX;OFT;OVL;PDF;PHP;PIF;PL;POT;PPS;PPT;PRC;RAR;REG;RTF;SCR;SHS;SYS;TAR;TIF;VBE;VBS;VSD;VSS;VST;VXD;WML;WSF;XLA;XLS;XLT;XML;Z;ZIP;{*;

At the time of this printing, the following MIME file types are deemed low risk to contain harmful content:

audio; pdf; multipart; x-director; video

Note: Blue Coat recommends scanning image files, but there might be a noticeable performance latency impact.

ProxySG Policies
To achieve a performance increase, you might opt to instruct the ProxySG to exclude these types from scanning.

CPL Example: Excluding File Types

This policy excludes the Real Media file type, which is at very low risk to contain harmful content, from being scanned.

   define condition FileExtension_lowrisk
      url.extension = rm
   end condition FileExtension_lowrisk

   <Cache>
      condition= ! FileExtension_lowrisk response.icap_service(icap,fail_closed)

VPM Example: Excluding File Types

In the Destination column, a File Extension object is created, which contains the Real Media file type; the object is then negated (notice the negation symbol):

Figure 3-1: A Web Content Layer with a rule to negate the low-risk file extension.

CPL Example: Including File Types

This policy specifies that HTML and Zip file types are scanned:

   define condition FileExtension_highrisk
      url.extension=html
      url.extension=zip
   end condition FileExtension_highrisk

   <Cache>
      condition=FileExtension_highrisk response.icap_service(icap,fail_closed)

VPM Example: Including File Types

Another rule is added. In the Destination column, a File Extension object is created, which contains the HTML and Zip file types:

Figure 3-2: Subsequent rule with the high-risk file types added.

ProxyAV Policies
On the ProxyAV, you can specify file types that are blocked (neither scanned nor served to the client; deny) or served to the client unscanned (allow).

To specify blocked or passed-through file types:

1. From the Management Console, select Antivirus.
2. Click Scanning Behavior.
3. Under File Extensions, enter file types as appropriate:

   Drop files having extensions: Any file types with these extensions are blocked and not served to the client.
   Don't scan files having extensions: Any file types with these extensions are passed through unscanned to the client. When considering this option, Blue Coat advises that viruses and other malicious code can be embedded in many file types, including image formats.
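A constructed Python example of the decision the two File Extensions lists drive; it is written for this page and is not ProxyAV code. The extension lists are placeholders. The extension is taken from a Content-Disposition filename when one is present (the %FILE keyword in Section E notes that this header can rename the file), otherwise from the URL path. Since both are chosen by the origin server, the example also shows why the guide recommends scanning everything rather than trusting extensions.

```python
import os
import re
from urllib.parse import urlparse

# Constructed lists standing in for the two File Extensions fields on the
# Scanning Behavior page. Real deployments fill these from their own policy.
DROP_EXTENSIONS = {"scr", "pif", "vbs"}        # "Drop files having extensions"
DONT_SCAN_EXTENSIONS = {"rm", "mp3"}           # "Don't scan files having extensions"

_FILENAME_RE = re.compile(r'filename\*?=\s*"?([^";]+)"?', re.IGNORECASE)


def extension_of(url: str, content_disposition: str = None) -> str:
    """Lower-case extension of the object, preferring a Content-Disposition filename over the URL path."""
    name = None
    if content_disposition:
        match = _FILENAME_RE.search(content_disposition)
        if match:
            name = match.group(1)
    if name is None:
        name = os.path.basename(urlparse(url).path)
    return os.path.splitext(name)[1].lstrip(".").lower()


def decide(url: str, content_disposition: str = None) -> str:
    """Return "deny", "allow-unscanned" or "scan" for one object, as the two lists direct."""
    ext = extension_of(url, content_disposition)
    if ext in DROP_EXTENSIONS:
        return "deny"
    if ext in DONT_SCAN_EXTENSIONS:
        return "allow-unscanned"
    # Anything else, including an empty extension (listed above as a known carrier), is scanned.
    return "scan"


if __name__ == "__main__":
    print(decide("http://example.com/media/clip.rm"))
    print(decide("http://example.com/dl?id=7", 'attachment; filename="invoice.pif"'))
```

The second call in the usage block is the case to notice: the URL alone (/dl) has no extension, and only the server-supplied Content-Disposition makes the object look like a .pif file. A server can just as easily rename a risky payload to an extension on the "Don't scan" list, so that list should stay short.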

Configuring Scanning Behavior


The scanning behavior features allow you to define the parameters and actions the ProxyAV follows when performing AV scans.

Enabling Heuristic Parameters


When Heuristic Parameters is enabled, the ProxyAV learns about traffic patterns on your network and adjusts accordingly to increase performance. After an initial learning period, the ProxyAV should be able to accelerate network traffic by approximately 15% to 30%. The learning process restarts whenever a new virus pattern file or an updated scanning engine is downloaded.

To enable Heuristic Parameters:

1. From the Management Console, select Antivirus.
2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.
3. Under Heuristic Parameters, select Enabled.
4. Click Save Changes.

Specifying the Anti-virus File Scanning Timeout Value


Some files, while not viruses themselves, are designed to disable a virus scanner. While these files cannot disable a ProxyAV, they can use up system resources and slow down overall throughput. Defining a timeout value allows the ProxyAV to reclaim those resources. There are two ICAP timeout values: a ProxySG Connection Timeout and a ProxyAV File Scanning Timeout. The ProxySG Connection Timeout is the duration the ProxySG waits for a response from the ProxyAV after it completes sending the data to the ProxyAV. When the timeout interval is reached, the ProxySG closes the connection with the ProxyAV. The default value for the ProxySG Connection Timeout is 70 seconds. This setting protects against TCP connection issues. The ProxyAV File Scanning Timeout is the maximum time allowed to scan a file. When the timeout value is reached, the ProxyAV stops scanning the file and sends the ProxySG a 500 - ICAP Communication error. It also logs the reason for the file scanning failure in the Alertslog.log file. This value is specified on the Antivirus>Scanning Behavior page.

Additionally, you can specify whether to block or pass through a file upon scanning timeout by selecting Timeout under Block file if an error occurs during antivirus scan. See "Specifying an Action Upon Content Scan Error" on page 27.

To specify a timeout value:

1. From the Management Console, select Antivirus.
2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.
3. Under File Scanning Timeout, enter the amount of time the ProxyAV is to scan a file.
4. Click Save Changes.

The default is 800 seconds; the minimum is ten seconds; the maximum is 3600 seconds (60 minutes).

Specifying the Limits of Scannable Files


Imposes limits on the file sizes and numbers allowed to be scanned.

Maximum individual file size: An individual file size cannot exceed the specified size (MB). Dependent upon hardware limits of different ProxyAV platforms, the Maximum Individual File Size that can be scanned is as follows:

   ProxyAV 400-E: 750 MB.
   ProxyAV 2000-E1: 750 MB.
   ProxyAV 2000-E3: 900 MB.

Maximum total uncompressed size: An uncompressed file or archive cannot exceed the specified size (MB). The maximum is 3000 MB.
Maximum total number of files in archive: An archive cannot contain more than the specified number of files. The maximum is 100,000.
Maximum archive layers: The number of layers in the archive that are unpacked for scanning. The maximum is 20 to 100, depending on anti-virus vendor.

If any of these options are exceeded, the object is not scanned.

Loggable Errors
Current ProxySG versions do not log the reason for file scanning failures; the ProxySG just sends an ICAP communication error to the client (applies to SGOS 3.2.4 and above). The ProxyAV, however, logs these errors in the Alertlogfile.log file, which is accessible from the Log File screen (see Chapter 4: Logging on page 31). All file-scanning failures are logged in this log. The following are the errors logged in the Alertlogfile.log file for different file scanning failures because of file size limits:

   If the file is larger than the specified maximum size, you receive a file too big alert.
   If the unpacked file is larger than the specified maximum size, you receive an unpacked file too big alert (this alert was previously out of space).
   If the appliance is out of temporary space, you receive an insufficient temporary storage space alert (this was previously out of space).
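The size, count and layer limits above, together with the file terminology in Section A and the alerts in this list, as an added Python example that is not appliance code. It unpacks nested zip archives and reports which limit was hit first, checking the individual limit on the object as received (the original file size) and the total limit on what actually inflates rather than on the sizes claimed in the archive headers. The alert wording comes from this page where the page gives it and is a constructed label otherwise; the limit values, the nest_zip and flat_zip helpers and their inputs are constructed. File Scanning Timeout is not modelled.

```python
import io
import zipfile
from dataclasses import dataclass

MB = 1024 * 1024

# Alert wording follows the Loggable Errors list above; the last two labels are
# constructed for this example and are not quoted ProxyAV alert text.
FILE_TOO_BIG = "file too big"
UNPACKED_TOO_BIG = "unpacked file too big"
TOO_MANY_FILES = "too many files in archive"
TOO_MANY_LAYERS = "archive layers exceeded"


@dataclass
class ScanLimits:
    max_individual_bytes: int    # Maximum individual file size (checked on the original, as received)
    max_total_uncompressed: int  # Maximum total uncompressed size
    max_files_in_archive: int    # Maximum total number of files in archive
    max_archive_layers: int      # Maximum archive layers


class LimitExceeded(Exception):
    def __init__(self, alert: str):
        super().__init__(alert)
        self.alert = alert


def _walk(data: bytes, limits: ScanLimits, layer: int, state: dict) -> None:
    """Unpack nested zips depth-first, counting members and real uncompressed bytes."""
    if layer > limits.max_archive_layers:
        raise LimitExceeded(TOO_MANY_LAYERS)
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            state["files"] += 1
            if state["files"] > limits.max_files_in_archive:
                raise LimitExceeded(TOO_MANY_FILES)
            member = archive.read(info.filename)   # measure what actually inflates, not the header's claim
            state["bytes"] += len(member)
            if state["bytes"] > limits.max_total_uncompressed:
                raise LimitExceeded(UNPACKED_TOO_BIG)
            if zipfile.is_zipfile(io.BytesIO(member)):
                _walk(member, limits, layer + 1, state)


def check_object(data: bytes, limits: ScanLimits):
    """Return ("scan", None) when within limits, otherwise ("blocked", alert_text)."""
    if len(data) > limits.max_individual_bytes:
        return "blocked", FILE_TOO_BIG
    state = {"files": 0, "bytes": 0}
    try:
        if zipfile.is_zipfile(io.BytesIO(data)):
            _walk(data, limits, 1, state)
    except LimitExceeded as exc:
        return "blocked", exc.alert
    return "scan", None


def nest_zip(payload: bytes, name: str, layers: int) -> bytes:
    """Constructed input: wrap payload in `layers` zip archives, one inside the next."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
            archive.writestr(name if i == 0 else f"layer{i}.zip", data)
        data = buf.getvalue()
    return data


def flat_zip(count: int) -> bytes:
    """Constructed input: one archive holding `count` one-byte files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for i in range(count):
            archive.writestr(f"f{i}.txt", b"x")
    return buf.getvalue()


if __name__ == "__main__":
    limits = ScanLimits(10 * MB, 1 * MB, 10, 2)
    print(check_object(nest_zip(b"\0" * (2 * MB), "big.bin", 1), limits))   # unpacked file too big
    print(check_object(nest_zip(b"x" * 100, "a.txt", 3), limits))           # archive layers exceeded
```

The 2 MB file of zeros compresses to a few kilobytes, so it passes the individual-size check on the original and is caught only by the uncompressed total; that is the difference between Original File Size and Decompressed File Size from Section A, and the reason the total limit is enforced while inflating rather than up front.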

Specifying an Action Upon Content Scan Error


If the ProxyAV experiences an error, or exception, during a content scan of a file, scanning immediately stops. If the file has several potential exceptions, the first error encountered is the one of record. Note: For certain exceptions, Sophos might continue to scan.

You can specify what action the ProxyAV takes when a timeout or other error occurs during a content scan. If enabled, the file is blocked (the default). If no options are selected, the file undergoing scanning when the error occurs is passed on to the client, unscanned.

To specify an action upon error:

1. From the Management Console, select Antivirus.
2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.
3. Under Policies For Antivirus Exceptions, select one or more options:

   File Scanning Timeout: The time required to scan the file exceeds the specified or appliance limit.
   Decode/decompress (unsupported compression method, corrupted compression file): An error occurred during decoding or during decompression of a compressed file. For example, the file is corrupted or the method used to decompress the file is unsupported. (Does not apply to Panda.)
   Password protected compressed file: A compressed file that requires a password to access. (Does not apply to Panda.)
   Out of temporary storage space: The ProxyAV buffer capacity for files to be scanned is full.
   Maximum individual size exceeded: A file size exceeds the specified or maximum appliance limit.
   Maximum total uncompressed size exceeded: An uncompressed file size exceeds the specified or maximum appliance limit.
   Maximum total number of files in archive exceeded: An archive contains more files than the specified or maximum appliance limit.
   Other errors: Any miscellaneous error that causes irregular behavior.

4. Click Save Changes.

Viewing Anti-virus Status


The table on the Antivirus page in the Management Console provides the current status of the AV engine currently employed by the ProxyAV. In the table, Days Remaining is the current length of your license to use the software. You can extend this period by entering a new serial number on the Management Console Subscriptions page. The ProxyAV checks for new engines and pattern files once per hour (unless specified elsewhere). If you click Update, the ProxyAV checks if newer files than the ones currently installed exist. If new versions do exist, they are downloaded and installed. Selecting Force Update and clicking Update forces the ProxyAV to download and install the latest file versions, regardless of the file versions currently residing on the ProxyAV.

Section E: Configuring Notification Alerts


This section describes how to configure alerts that are sent to administrators when a virus is detected and acted upon.

Configuring Alert Notification Information


This section describes how to specify recipients of alerts and authentication.

To configure alert notification information:

1. From the Management Console, select Alerts.
2. In the Sender e-mail address field, specify the source e-mail address (the address that identifies to the reader which appliance is sending the notification). For example: ProxyAV_123@company.com.
3. In the Recipient e-mail address field, specify who the ProxyAV alerts when an event occurs. Send alerts to multiple addresses by using a comma-separated list; for example: user1@company.com,user2@company.com,consultant@otherco.com. If this field does not contain a recipient address, the ProxyAV neither attempts to send an e-mail nor makes an entry in the AlertErrors.log.
4. In the SMTP server address field, enter the server IP address or name (example: mail.company.com).
5. Some SMTP servers require authentication. If yours does:
   a. Select SMTP Authorization Enabled.
   b. Enter 110 as the port number. The ProxyAV uses POP before SMTP to authenticate; therefore, your username and password are submitted to the mail server on port 110 before sending the alert.
   c. Enter a valid username and password twice.
6. By default, the ProxyAV sends all alerts through e-mail. To also keep a log file of events, select Enable alerts logging to file. (See Chapter 4: Logging on page 31.)
7. Click Save Changes.

Customizing Messages
Each alert contains information about the event that triggered it. Because different events can trigger an alert, there can be many different alert forms. In the Advanced>Messages table, you can specify what information is in each type of alert. The first three columns (Protocol, Event, and Command Type) define each type of event. The Alert column defines what information is included in the alert that is logged or sent through e-mail to the administrator. The Substitute column defines what text is substituted and sent to the client in place of the original data. Each virus and error message type has a default message. Click Modify in the Alert or Substitute column to go to a page where you can customize the messages using autotext keywords. The following keywords can be used:

%CLIENT: The client IP address.
%ACTION: What action was performed (file passed/dropped).
%URL: The URL the file was downloaded from.
%FILE: The original file as received from the ProxySG, or a file embedded in an HTML object (an HTML object can contain several files); the file name can be changed using the Content-Disposition: HTTP header tag.
%SUBFILE: A file within an archive file that contains a problem or virus.
%VIRUS: The virus name.
%REASON: Why the event occurred. For example, why can't the file be scanned?
%MACHINENAME: The name of the ProxyAV appliance.
%MACHINEIP: The ProxyAV appliance IP address.
%PROTOCOL: The scanned protocol.
%APPNAME: The application name (ProxyAV).
%APPWEB: The application vendor Web address.
%APPVERSION: The application version.
%AVVENDOR: The anti-virus vendor.
%AVENGINEVERS: The anti-virus engine version.
%AVPATTERNVERS: The anti-virus pattern version.
%AVPATTERNDATE: The anti-virus pattern date.
%TIMESTAMP: The time the event occurred.
%ADMINMAIL: The administrator mail address.

The % character always precedes the tag name. Capitalization is also important; do not use lowercase variable names.
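An added example, not ProxyAV code, of expanding the autotext keywords into an alert or substitute message. Only the uppercase keywords listed above are replaced, so a lowercase or unknown %token is left literally in place, as the capitalization note above requires; a listed keyword the event carries no value for expands to nothing. The event values are constructed.

```python
import re

# All autotext keywords listed above. They are matched as a single alternation,
# longest first, so only listed names expand (%URLS expands %URL and keeps the S).
KEYWORDS = (
    "CLIENT", "ACTION", "URL", "FILE", "SUBFILE", "VIRUS", "REASON",
    "MACHINENAME", "MACHINEIP", "PROTOCOL", "APPNAME", "APPWEB", "APPVERSION",
    "AVVENDOR", "AVENGINEVERS", "AVPATTERNVERS", "AVPATTERNDATE",
    "TIMESTAMP", "ADMINMAIL",
)
_TOKEN_RE = re.compile("%(" + "|".join(sorted(KEYWORDS, key=len, reverse=True)) + ")")


def render_message(template: str, event: dict) -> str:
    """Expand %KEYWORD tokens from event; keywords are case-sensitive, so %client stays literal."""
    def replace(match):
        return str(event.get(match.group(1), ""))   # keyword with no value in this event -> empty
    return _TOKEN_RE.sub(replace, template)


# Constructed event, not captured appliance output.
SAMPLE_EVENT = {
    "TIMESTAMP": "2005-06-01 12:00:01",
    "MACHINENAME": "proxyav-example",
    "CLIENT": "10.0.0.5",
    "URL": "http://example.com/downloads/eicar.com",
    "FILE": "eicar.com",
    "VIRUS": "EICAR-Test-File",
    "ACTION": "dropped",
}

if __name__ == "__main__":
    template = "%TIMESTAMP %MACHINENAME: %VIRUS in %FILE (%URL) for %CLIENT, file %ACTION"
    print(render_message(template, SAMPLE_EVENT))
```

When writing a Substitute message (the text that goes to the client in place of the blocked object), remember that %URL and %FILE are attacker-influenced strings from the request; keep internal values such as %MACHINEIP and %ADMINMAIL for the Alert message that goes to administrators.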

Exception Pages
For each different X-Error-Code header, it is possible to create separate exception pages on the ProxySG. This requires creating policy on the ProxySG.

Chapter 4: Logging

This chapter describes how to configure ProxyAV logging options.

Configuring Logging
This option allows you to forward detailed logging information to any system on your network. The ProxyAV includes an application for receiving logs, or you may use your own syslog application. The Blue Coat log receiver is called ConnLog.exe and can be downloaded from the Log Files page by clicking Get log receiver application (ConnLog.exe) or Get Windows based log receiver application (ConnLogXP.exe). The logs are in plain text format and can be imported into most log analyzer applications.
ConnLog.exe writes a new log file for each day into the current directory. By default, it listens for a connection from the ProxyAV on port 8001. Run the .exe file from a command line to change this listening port. The .exe /? command displays usage information.

Note: If configured, the ProxySG logs provide complete information, including ICAP results and virus information. The ProxyAV logging capability is useful for troubleshooting.

To define where logs are sent:

1. From the Management Console, select Log Files.
2. Under Logging, select Enable sending logging information to remote computer.
3. In the Address field, enter the IP address of the destination server.
4. Select the protocol: TCP/IP or UDP.
5. Select the logging format:

   ProxyAV Classic: The Blue Coat logging format.
   MS Proxy 2.0: Microsoft Proxy logging format.
   ISA W3C: Extended log file format.
   User Defined: A log format you specify using the format string.

6. If you selected User Defined format, you can select Include W3C headers to include them.
7. If you selected User Defined, you can specify the Delimiter format, Comma or Space.
8. The Format String field displays the default logging tokens, based on the selected log format, that define what detailed information appears in the logs. If you selected User Defined format, you can modify this as required. To display a list of valid tokens, click Token list.
9. Click Save Changes.

Configuring CSV Logging

This option allows the ProxyAV to log viruses in CSV format.
To configure CSV logging:
1. From the Management Console, select Log Files.
2. Under CSV Logging, select Enable logging of viruses to CSV format.
3. Select to create a new file every Hour, Day, Week, or Month.
4. In the Field delimiter field, enter the symbol used to separate the fields within each log entry.
5. Click Save Changes.
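As an added example (not Blue Coat's ConnLog.exe and not code from this guide), the following Python receiver accepts the remote logging feed described above on port 8001 over TCP or UDP, keeps one file per day as ConnLog.exe does, and parses both a User Defined feed with W3C headers and a delimiter-separated virus CSV log. The tokens in its sample feed (date, time, c-ip, cs-uri, sc-status, x-virus-name) are constructed for illustration; substitute the tokens shown by the Token list button.

```python
"""Receiver and parser for the ProxyAV remote logging feed and virus CSV logs.

Added example, not Blue Coat's ConnLog.exe and not code from this guide. The
tokens in SAMPLE_FEED (date, time, c-ip, cs-uri, sc-status, x-virus-name) are
constructed for illustration; the appliance's real tokens are listed by the
Token list button on the Log Files page.
"""
import csv
import datetime
import os
import shlex
import socket
from collections import Counter

# Constructed sample of a User Defined feed with W3C headers and a space delimiter.
SAMPLE_FEED = """#Software: ProxyAV
#Version: 1.0
#Fields: date time c-ip cs-uri sc-status x-virus-name
2005-06-01 10:15:02 10.1.1.1 http://example.test/setup.exe 403 "EICAR-Test-File"
2005-06-01 10:15:05 10.1.1.1 http://example.test/index.html 200 -
2005-06-01 10:16:40 10.1.1.1 http://example.test/eicar.zip 403 "EICAR-Test-File"
"""


def split_fields(line, delimiter):
    """Space-delimited W3C records quote values containing spaces; any other
    delimiter (Comma, or the symbol set for CSV logging) is handled by csv."""
    if delimiter.isspace():
        return shlex.split(line)
    return next(csv.reader([line], delimiter=delimiter))


def parse_log(text, delimiter=" "):
    """Return one dict per record. A '#Fields:' header names the columns; without
    one (Include W3C headers off, or a CSV virus log) columns are keyed by position."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = split_fields(line, delimiter)
        if fields is None:
            records.append({str(i): v for i, v in enumerate(values)})
        elif len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        else:
            records.append(dict(zip(fields, values)))
    return records


def virus_summary(records, name_field="x-virus-name"):
    """Count detections by virus name; '-' is the W3C placeholder for 'none'."""
    return Counter(r[name_field] for r in records if r.get(name_field, "-") != "-")


def daily_log_path(day_iso, directory="."):
    """One file per day in the chosen directory, as ConnLog.exe does."""
    return os.path.join(directory, f"proxyav-{day_iso}.log")


def receive(appliance_ip, port=8001, proto="udp", directory="."):
    """Append the appliance's feed to today's file. The feed is sent in clear text
    and, over UDP, unauthenticated, so only the appliance's own address is accepted
    and the receiver belongs on the same trusted segment as the ProxyAV."""
    def append(data):
        with open(daily_log_path(datetime.date.today().isoformat(), directory), "ab") as fh:
            fh.write(data)

    if proto == "udp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("", port))
        while True:
            data, (peer_ip, _) = sock.recvfrom(65535)
            if peer_ip == appliance_ip:
                append(data)
    else:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("", port))
        srv.listen(1)
        while True:
            conn, (peer_ip, _) = srv.accept()
            with conn:
                if peer_ip != appliance_ip:
                    continue  # drop anything that is not the ProxyAV
                for line in conn.makefile("rb"):
                    append(line)


if __name__ == "__main__":
    for name, hits in virus_summary(parse_log(SAMPLE_FEED)).items():
        print(f"{name}: {hits} detection(s)")
    # Live feed instead: receive("10.0.0.2", port=8001, proto="tcp")
```

Run it as-is to see the summary of the constructed feed; to replace ConnLog.exe, call receive() with the ProxyAV's address and the protocol selected in step 4, and point the Address field of the Log Files page at the host running it.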

Viewing Log Files

The Log Files table at the bottom of the Management Console Log Files page allows you to view the generated log files.
- AlertErrors.log: A log of alert errors. When the ProxyAV cannot send alerts to the administrator(s) designated in the Alerts page, the event is logged here. The most common entry in this log is an inaccessible SMTP server.
- AlertLogFile.log: If Enable alerts logging to file is enabled on the Alerts page, all events are logged here. This log differs from AlertErrors.log in that it includes all alerts, not just those that could not be sent to the administrator by e-mail.
- virus-log-date.csv: Log files generated by virus logging in CSV format.
- boot.log: Records all reboots of the machine. Using this information, Blue Coat Technical Support can assist you with troubleshooting.

Chapter 5: Maintenance and Troubleshooting

This chapter describes the features used to maintain and troubleshoot the ProxyAV appliance. It contains the following sections:
- Section A: Managing Configuration Files: Describes how to save and load the ProxyAV configuration files.
- Section B: Troubleshooting: Provides help to solve basic problems that might arise on the ProxyAV.

Section A: Managing Configuration Files


This feature allows you to manage the ProxyAV configuration files. You can save the current ProxyAV configuration to a file and load a ProxyAV configuration from a local file.
To save a configuration file:
1. In the Management Console, select Utilities.
2. Save the configuration file:
   a. In the Save Configuration line, click the link. A File Download dialog appears.
   b. Click Save. A Save As dialog appears.
   c. Navigate to where you want to save the file.
   d. (Optional) Name the file.
   e. Click Save.

To load a configuration file:
1. If you know the location of the configuration file, enter the path in the field, or click Browse and navigate to the file location.
2. (Optional) Select Overwrite current IP configuration with the IP settings from uploaded file to use the IP definitions of the saved file.
3. Click Upload and Apply.

Section B: Troubleshooting
This section describes the ProxyAV utilities provided to aid with local troubleshooting.

Debugging ICAP Communication Errors


If you receive a 500-ICAP Communication Error response, perform the following to diagnose the issue:
- Examine the error response. The page contains the description of the error and additional details from the anti-virus engine.
- Examine the ProxySG event log messages. If the ProxySG is not able to establish a connection with the ProxyAV, it logs the following message: Cannot establish connection to service.
- Examine the ProxyAV Alertlogfile.log for the failure reasons. All file-scanning failures, such as timeout, file too big, and decompression errors, are logged here.

Important: When you open Alertlogfile.log using the option View log file in browser, the complete file might not be displayed, as the file is often too big to be displayed in the browser. Use a text editor to open the log file directly to see all the error messages. The latest error messages are logged at the bottom of the file.

Preventing a ProxyAV Pattern File Update Failure


If the ProxyAV reaches the Internet through the ProxySG, pattern file updates fail while the ProxySG is serving patience pages: the ProxySG views the ProxyAV as an ordinary client during these updates and may answer the update request with a patience page instead of the pattern file (this does not occur if the ProxyAV has direct Internet access). The following policy instructs the ProxySG to disable patience pages when the User-Agent is the ProxyAV (respav is the name of the ICAP service in this example):
CPL:
    inline policy local eof
    <Cache>
      response.icap_service(respav)
    <Proxy>
      request.header.User-Agent="ProxyAV" patience_page(no)
    eof

VPM:
1. Select Policy>Add Web Access Layer.
2. Right-click the Source column; click Set.
3. Click New; select Request Header.
4. In the Header Name drop-down list, select User-Agent.
5. In the Header Regex field, enter ProxyAV.
6. Click OK; click OK to add the object to the rule.
7. Select Policy>Add Web Content Layer.
8. Right-click the Action column; click Set.
9. Click New; select ICAP Response Service.
10. In the Use ICAP Response Service drop-down list, select the ICAP service.
11. Click OK; click OK to add the object to the rule.
12. Install the policy.

Pinging
Ping a server to verify its state.
To ping a server:
1. From the Management Console, select Advanced; click the Ping Utility link.
2. In the IP Address field, enter the IP address of the server to be pinged.
3. Click Ping.

Retaining Troubleshooting Log Files


You can configure the ProxyAV to retain log files containing information that might assist Blue Coat Technical Support should the ProxyAV experience difficulties. If enabled, the ProxyAV saves these log files, which are accessible from a table.

To retain log files:
1. From the Management Console, select Advanced; click the Troubleshooting link.
2. Select Enable Keeping Troubleshooting Logs.
3. Click Save Changes.

Troubleshooting Services
The following options allow you to specify additional ProxyAV communication services that can assist administrators or Blue Coat Technical Support to diagnose difficulties. To access these options, from the Management Console, select Advanced; click the Additional Services link.
- Enable sending Troubleshooting Information files: Allows files containing troubleshooting information to be sent by e-mail to Blue Coat Technical Support.
- Enable tech support remote access: Allows Blue Coat Technical Support to access this ProxyAV appliance. Because this opens an inbound path to the appliance, enable it only for the duration of a support case and clear it again when the case is closed.
- Enable ping to Interface IP: Allows you to ping the interface IP address of this ProxyAV appliance.
If you change any of these options, you must click Save Changes.

Troubleshooting Utilities
These options are designed to help you resolve technical troubles with a ProxyAV appliance. To access these options, from the Management Console, select Utilities.

Reload Drivers
The ProxyAV reloads its drivers. This is similar to rebooting the appliance, but is faster. Use this option if you perform a configuration change that does not appear to be in effect.

Soft Reboot
This is the equivalent of resetting a computer. It physically reboots the machine. A new entry in the boot.log occurs.

Diagnostics
These diagnostics create relatively large and detailed log files that provide information for troubleshooting certain network configurations. A Blue Coat Technical Support representative might ask you to invoke these internal diagnostics. This additional logging activity affects system performance; therefore, Blue Coat does not recommend using this option except at the request of Blue Coat Technical Support.

DNS Cache
These options allow you to view and clear the contents of the DNS cache.

Resetting the ProxyAV 2000-E Appliance

The rear of the appliance has two red, recessed buttons, Button 1 and Button 2.
- Button 1: Restores the factory defaults. Only use this option in scenarios where you can no longer manage your ProxyAV, for example when your configuration changes have caused the ProxyAV to become unstable or you have lost a password. To restore, the appliance must be fully up, which is verified by the lit System LED on the front. Press and hold this button for five seconds. The system default settings are restored (the default settings are defined by the software build) and the appliance reboots.
- Button 2: Resets the power. Only attempt a power reset if the power switch does not power on the appliance.

Resetting the ProxyAV 400-E Appliance


This section describes how to restore default settings and how to reset the appliance.

Restore the Factory Defaults


Only use this option in scenarios where you can no longer manage your ProxyAV, for example when your configuration changes have caused the ProxyAV to become unstable or you have lost a password. To restore, the appliance must be fully up, which is verified by the LCD on the front.
To restore the default settings:
1. Press the Enter button to change to Configure mode.
2. Press the up or down arrow to cycle to Restore factory defaults.
3. Press the Enter button to initiate the restoration.

Reset the Appliance


If you experience difficulty booting the ProxyAV 400-E, you can attempt a reset.

To reset the appliance:
1. Unplug the power cord; plug it back in.
2. While the appliance is booting, press and hold the up arrow until the menu appears.
3. Use the arrow buttons to navigate the menu. Press the Enter button to select a menu option (you have two minutes to make a selection):
   - Restore boot?: Forces the ProxyAV 400-E to boot using an archived system image. If the appliance does not boot upon power-up, Blue Coat recommends invoking this option first.
   - Cancel: Exits the reboot menu; the ProxyAV 400-E continues to boot.
During the process, the LCD displays Restoring....

Chapter 6: Example Scenarios

This chapter provides example configurations for common ProxyAV deployments, and contains the following section:
- Section A: Scenario 1: Basic Anti-virus Deployment: Provides examples for a simple AV deployment.

Note: The External Services chapter of the Blue Coat ProxySG Configuration and Management Guide contains more examples of content scanning policies.

Section A: Scenario 1: Basic Anti-virus Deployment


The following scenario describes how to configure the ProxySG and ProxyAV appliances to scan for viruses on content responses and display a patience page during scans.

The Task
Deploy ProxyAV as ICAP server to scan for viruses and display a patience page with a customized message if the scan takes longer than five seconds.

Example Data
This scenario uses the following sample data:
- ProxyAV IP address: 10.0.0.2
- ProxySG IP address: 10.1.1.1

ProxySG Configuration
Configure the ProxySG to communicate as an ICAP client with the ProxyAV and process content scanning.

Configure an ICAP Service


An ICAP service must be created on the ProxySG. This service identifies the ProxyAV as the ICAP server.
Create and configure an ICAP service through the ProxySG Management Console:
1. Select Configuration>External Services>ICAP Services.
2. Click New; the Add List Item dialog appears.
3. In the ICAP service name field, enter virusscan1; click OK.
4. Highlight virusscan1 and click Edit; the Edit ICAP Service dialog appears.
5. Enter or select the following information:
   a. Service URL field: enter the location of the ProxyAV: icap://10.0.0.2/avscan. The default port number is 1344.
   b. Patience page delay (seconds) field: select Enable and enter the delay (this scenario originally uses ten seconds here). Once a content scan has run for that long, the user receives a page informing them to wait while a scan is performed. This value is the service-level default; the VPM rule created later in "Visual Policy Manager: Create Policy" sets five seconds for this scenario and takes precedence over it. The next section covers creating a Patience Page.
      Note: Patience pages display regardless of any pop-up blocking policy that is in effect.
   c. Notify administrator: Virus detected option: Select this option. An e-mail is sent to the administrator if the ICAP scan detects a virus. The notification is also sent to the Event Log and the Event Log e-mail list.
   d. Method supported option: Select response modification. The ProxyAV scans the responses before they are allowed to reach the client.
   e. Deselect the preview option.
   Figure 6-3: The ProxySG ICAP service.
6. Click OK; click Apply.
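The exchange that this service configuration sets up, and a way to exercise it directly when the 500-ICAP Communication Error described in "Debugging ICAP Communication Errors" appears, as an added example that is neither Blue Coat nor ProxySG code: the client opens TCP port 1344, sends a RESPMOD request for icap://10.0.0.2/avscan with the HTTP response encapsulated (no Preview header, matching step 5e), and receives either 204 (clean, unmodified) or 200 with a replacement response. The sample reply and its X-Virus-ID header are constructed; that header is a common AV ICAP extension assumed here, not one confirmed for the ProxyAV.

```python
"""ICAP client probe for the ProxyAV RESPMOD service (RFC 3507).

Added example, not Blue Coat or ProxySG code. build_respmod() produces what an
ICAP client such as the ProxySG sends when it hands a response to
icap://10.0.0.2/avscan; the other functions interpret the reply. SAMPLE_REPLY is
constructed; its X-Virus-ID header is a common AV ICAP extension assumed here,
not a header confirmed for the ProxyAV.
"""
import socket


def build_options(host, service):
    """OPTIONS is the cheapest liveness check: nothing is encapsulated."""
    return (f"OPTIONS icap://{host}/{service} ICAP/1.0\r\nHost: {host}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode()


def build_respmod(host, service, req_hdr, res_hdr, body, allow_204=True):
    """Wrap an HTTP response in a RESPMOD request: Encapsulated carries the byte
    offset of each section in the ICAP body, and the HTTP body is chunked."""
    req = req_hdr.rstrip(b"\r\n") + b"\r\n\r\n"
    res = res_hdr.rstrip(b"\r\n") + b"\r\n\r\n"
    chunked = (b"%x\r\n%s\r\n" % (len(body), body) if body else b"") + b"0\r\n\r\n"
    head = (f"RESPMOD icap://{host}/{service} ICAP/1.0\r\nHost: {host}\r\n"
            + ("Allow: 204\r\n" if allow_204 else "")  # clean objects may return unmodified
            + f"Encapsulated: req-hdr=0, res-hdr={len(req)}, "
              f"res-body={len(req) + len(res)}\r\n\r\n").encode()
    return head + req + res + chunked


def parse_reply(data):
    """Return (ICAP status code, headers keyed in lower case, encapsulated bytes)."""
    head, _, payload = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split(" ", 2)[1]), headers, payload


def encapsulated_sections(headers, payload):
    """Slice the payload into the sections named by the Encapsulated header."""
    items = [(n, int(o)) for n, _, o in
             (p.strip().partition("=") for p in headers.get("encapsulated", "").split(","))
             if n and n != "null-body"]
    return {name: payload[off:(items[i + 1][1] if i + 1 < len(items) else len(payload))]
            for i, (name, off) in enumerate(items)}


def decode_chunked(data):
    """Undo HTTP chunked encoding on an encapsulated body."""
    out, pos = b"", 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2


def verdict(code, headers):
    """Map the ICAP status onto what the ProxySG will do with the response."""
    if code == 204:
        return "clean: original response served unmodified"
    if code == 200:
        return "modified: " + headers.get("x-virus-id", "scanner replaced the response")
    return f"ICAP status {code}: check the Service URL path and Alertlogfile.log on the ProxyAV"


def read_reply(sock):
    """Read one complete ICAP message; ICAP connections stay open, so do not wait for a close."""
    reply = b""
    while chunk := sock.recv(65536):
        reply += chunk
        if b"\r\n\r\n" in reply:
            code, headers, payload = parse_reply(reply)
            if (code != 200 or "null-body" in headers.get("encapsulated", "")
                    or payload.endswith(b"0\r\n\r\n")):
                break
    return reply


def probe(host, service, port=1344, timeout=10.0):
    """Send OPTIONS, then a RESPMOD of a harmless page; return both verdicts."""
    results = []
    for msg in (build_options(host, service),
                build_respmod(host, service, b"GET /probe HTTP/1.1\r\nHost: example.test",
                              b"HTTP/1.1 200 OK\r\nContent-Type: text/html", b"<html>ok</html>")):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(msg)
            code, headers, _ = parse_reply(read_reply(sock))
        results.append(verdict(code, headers))
    return results


# Constructed reply: the scanner rewrote an infected download into a 403 block page.
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"AV-PATTERN-1\"\r\n"
                b"Encapsulated: res-hdr=0, res-body=51\r\nX-Virus-ID: EICAR-Test-File\r\n\r\n"
                b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                b"1a\r\n<html>virus blocked</html>\r\n0\r\n\r\n")

if __name__ == "__main__":
    code, headers, payload = parse_reply(SAMPLE_REPLY)
    print(verdict(code, headers), decode_chunked(encapsulated_sections(headers, payload)["res-body"]))
    # Live check against the scenario's appliance: print(probe("10.0.0.2", "avscan"))
```

Run probe("10.0.0.2", "avscan") from a host that is on the ProxyAV's permitted client list for ICAP; a refused connection or a timeout corresponds to the ProxySG's "Cannot establish connection to service" event, while a 404 points at a wrong path in the Service URL.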

Create a Patience Page


Customize the patience page that is displayed when HTTP clients experience delays as Web content is scanned.
To customize the patience page:
1. Select Configuration>External Services>ICAP>ICAP Patience Page.
2. Click Summary; the Customize Patience Summary dialog appears.
3. Create a message, for example: For security concerns, your request is currently being scanned for viruses, which might cause a slight delay. Please be patient.
4. Click OK; click Apply.

ProxyAV Configuration
Configure the ProxyAV to communicate with the ProxySG and serve as the ICAP server.
To configure ICAP from the ProxyAV Management Console:
1. Select ICAP Settings; the ICAP Server Settings page appears.
2. Select ICAP Server enabled.
3. Click Save Changes.
4. Click the Permitted clients link.
   a. In the Client Access List table, click Add; the Administration and ICAP server Access List Entry page appears.
   b. IP address field: enter 10.1.1.1 (the ProxySG IP address).
   c. Select Allow ICAP access.
   d. Click Save Changes.

Visual Policy Manager: Create Policy

Now that the ProxySG and ProxyAV are configured, you must create a policy to instruct the AV services what actions to perform. This section demonstrates using the Visual Policy Manager (VPM) to create a policy that assigns the created ICAP service and returns a patience page to the client when a scan takes longer than five seconds.
Use the VPM to create policy:
1. In the VPM, select Policy>Add Web Content Layer; the Add New Layer dialog appears.
2. Name the layer: Virus Scan: Corporate; click OK.
3. In the Action column, right-click and click Set; the Set Action dialog appears.
4. Click New; select Set ICAP Response Service; the Add ICAP Response Service Object dialog appears.
   a. Name the object: Corporate_ICAP.
   b. In the Use ICAP response service drop-down list, select virusscan1.
   c. Click OK.
   d. With the Corporate_ICAP object highlighted, click OK to add the object to the rule.
5. In the VPM, select Policy>Add Web Access Layer; the Add New Layer dialog appears.
6. Name the layer: Patience Page: Corporate ICAP; click OK.
7. In the Action column, right-click and click Set; the Set Action dialog appears.
8. Click New; select Return ICAP Patience Page; the Add ICAP Patience Page Object dialog appears.
   a. Name the object: ICAP_Patience.
   b. In the Return a patience page after field, enter 5. After five seconds during a scan, the patience page with the message customized in the "Create a Patience Page" section is displayed to the user.
   c. Click OK.
   d. With the ICAP_Patience object highlighted, click OK to add the object to the rule.
9. Click Install Policy.

Appendix A: Upgrading the ProxyAV

This appendix describes how to upgrade the ProxyAV to a new release and describes behavior changes attributed to upgrading or downgrading of different ProxyAV releases. This appendix contains the following sections:
- Section A: Upgrade Procedure: Provides procedures to upgrade the ProxyAV firmware and restrict administrator access to only allow HTTPS.
- Section B: Upgrade Issues: Describes the features impacted by upgrading to current ProxyAV releases.


Section A: Upgrade Procedure


This section describes how to upgrade the ProxyAV from previous versions.

About Firmware Updating


Firmware updates can present changes to the functionality of the ProxyAV, and can include new features, changes to the user interface, and optimizations for speed and reliability. The ProxyAV periodically checks (several times per day) for these updates. If one is available, the Update Now button becomes active. Because these updates might require a restart of the machine, which could block network traffic for up to three minutes, updates do not occur unless the administrator initiates the update. This allows the update to be performed at the most convenient time. When the update starts, the ProxyAV downloads the update from Blue Coat. These updates are typically one to five MB in size, and might take a few minutes to download, depending on your Internet connection. The updates to software, firmware, or both are then performed, and the ProxyAV resets itself. Depending on the update, the reset might be just a reload of drivers or it could be a full restart of the machine. The entire process can take anywhere from 30 seconds to 3 minutes, excluding the download time.
Note: This update applies to the base ProxyAV OS only. The ProxyAV continues to check for updated site filtering and AV engine and pattern files at the interval specified in the Update frequency field on the Antivirus>Update Settings page.

Upgrading to ProxyAV 2.2.x


This section describes how to update the ProxyAV software and describes the ProxyAV status upon upgrading.

Status Upon Upgrading


Before upgrading, read this section to understand the status of the ProxyAV appliance when the upgrade completes:
- The client access list is carried over.
- The Management IP remains visible and allowable as an access method (through port 80).
  Important: If you use the default Management IP (1.1.1.5) to access the ProxyAV, you must specify a different Management IP before upgrading (Network>Global Settings). The 1.1.1.5 Management IP is not accessible following an upgrade. If you do not change the Management IP before upgrading, you will be required to reset the ProxyAV to factory defaults.
- HTTPS: Enabled by default. The ProxyAV is accessible on port 8082 through the Interface IP; however, you can only access the Management Console if, before upgrading, you specified an IP address for Admin and ICAP access. If you did not, you can create a rule before upgrading to permit access from an administrator client (refer to "Specifying Client Access"). If you elect not to do this now, the next section provides a post-upgrade procedure to limit Management Console access to HTTPS, which includes accessing the ProxyAV through the Management IP, adding an administrator client, and removing the Management IP.
- HTTP: Disabled by default. The ProxyAV is not accessible on port 8081 through the Interface IP until this option is enabled (see "Enabling HTTP Access").

To upgrade the ProxyAV:
1. In the Management Console, select Firmware Update. This page provides the status of your current build. If a new ProxyAV 2.2.x update is available, the Update Now button is enabled.
2. Click Update Now. A splash screen displays as the ProxyAV prepares to download the build. The Management Console then returns to the Home page. Statistics under Current Downloads track the progress of the build. As the new OS installs, the ProxyAV is temporarily unable to accept the clicking of any option. When the installation completes, the Management Console refreshes itself and is ready for configuration.

Restricting Administrator ProxyAV Access to HTTPS


To provide the maximum security, Blue Coat recommends limiting the ProxyAV access to an extremely exclusive and trusted IP address and subnet list (separate from the IP address used for ICAP access), then removing the Management IP feature from the Management Console. Important: Even if you create an access list of one IP address (not 0.0.0.0), your ProxyAV is accessible by anyone if you do not remove the Management IP option.

To limit the ProxyAV to encrypted access:
Note: If you have a permitted Admin and ICAP client and do not require additional clients, skip Steps 1 and 2.
1. Select Network. Under the Management Console Access field, notice that HTTPS is enabled on port 8082 (a default keyring has also been created).
2. If you do not currently have a permitted administrator client, or want to add a new one, click Add under Administration and ICAP Server Access List. The Administration and ICAP Server Access List Entry screen appears.
   a. In the IP address field, enter an IP address to be granted administrator access.
   b. In the Mask field, enter the IP subnet mask.
   c. Select Allowed admin and ICAP access.
   d. Click Save Changes.
3. In the URL field of the browser, enter the new URL to access the ProxyAV through HTTPS:
   https://proxyav_IP_address:8082
   If the browser warns about the certificate presented by the default keyring, verify the certificate before accepting it rather than clicking through the warning.
4. Now that secure access is granted through the designated IP address, hide the Management IP option from the Management Console.
   a. In the Management Console, select Advanced>Additional Services.
   b. Deselect Enable Management IP.
   c. Click Save Changes.
   d. In the Management Console, select Network. Notice the Management IP option is now hidden.
Should you elect to continue using the Management IP feature, "Section B: Upgrade Issues", "Management IP" discusses upgrading and downgrading behavior and provides the legacy procedure to configure the Management IP.
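To check the result of this procedure and of the Permitted clients step in Scenario 1 without clicking through the console, the following added example (not Blue Coat code) models the Administration and ICAP Server Access List entries and the Enable Management IP switch, evaluates who can reach ICAP and the console, and reports the weak settings this section warns about. Its addresses are the scenario's 10.1.1.1 (ProxySG) and a constructed administrator host, 10.0.0.50.

```python
"""Evaluate and audit the ProxyAV Administration and ICAP Server Access List.

Added example, not Blue Coat code. It models the entries from the Permitted
clients page (IP address, mask, and either "Allow ICAP access" or "Allowed admin
and ICAP access") together with the Enable Management IP switch from
Advanced>Additional Services, and reports the weak settings this section warns
about. The addresses are the scenario's 10.1.1.1 (ProxySG) and a constructed
administrator host, 10.0.0.50.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEntry:
    address: str
    mask: str
    level: str  # "icap" = Allow ICAP access; "admin" = Allowed admin and ICAP access

    @property
    def network(self):
        # strict=False keeps host entries such as 10.1.1.1/255.255.255.255 valid
        return ipaddress.ip_network(f"{self.address}/{self.mask}", strict=False)


def permitted(entries, source_ip, service):
    """service is 'admin' or 'icap'; an admin entry implies ICAP access as well."""
    src = ipaddress.ip_address(source_ip)
    return any(src in e.network and (e.level == "admin" or service == "icap")
               for e in entries)


def audit(entries, management_ip_enabled, icap_client_ip):
    """Return findings about the administrative surface; an empty list is the goal."""
    findings = []
    if management_ip_enabled:
        findings.append("Management IP still enabled: the console stays reachable over "
                        "plain HTTP regardless of the access list; deselect Enable "
                        "Management IP and use HTTPS on port 8082")
    for e in entries:
        if e.level == "admin" and e.network.num_addresses > 1:
            findings.append(f"{e.network}: admin access granted to {e.network.num_addresses} "
                            "addresses; restrict admin entries to single trusted hosts")
    if permitted(entries, icap_client_ip, "admin"):
        findings.append(f"{icap_client_ip}: the ICAP client can also reach the console; "
                        "give the ProxySG an ICAP-only entry")
    return findings


# Weak: a catch-all admin entry (0.0.0.0) with the legacy Management IP left on.
WEAK = ([AccessEntry("0.0.0.0", "0.0.0.0", "admin")], True)
# Hardened: ProxySG limited to ICAP, one administrator host, Management IP hidden.
HARDENED = ([AccessEntry("10.1.1.1", "255.255.255.255", "icap"),
             AccessEntry("10.0.0.50", "255.255.255.255", "admin")], False)

if __name__ == "__main__":
    for label, (entries, mgmt) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(entries, mgmt, "10.1.1.1") or ["no findings"])
```

Transcribe your own list into AccessEntry values and run audit() with the ProxySG's address; the hardened set above is the configuration this section arrives at, with the ICAP client and the administrator on separate entries.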

Section B: Upgrade Issues


This section describes feature behavior changes attributed to updating to a new or previous ProxyAV release.

Management IP
Before ProxyAV 2.2.x, the Management IP was used to administer the appliance. ProxyAV 2.2.x allows the use of the HTTPS protocol, which provides encrypted access.

Upgrade Behavior
The Management IP is still visible and usable; however, for elevated security, Blue Coat recommends hiding this feature and employing HTTPS access (see "Restricting Administrator ProxyAV Access to HTTPS" on page 49).

Downgrade Behavior
If you hid this feature after upgrading to ProxyAV 2.2.x and you then downgrade to a previous version, the Management IP is visible again according to the legacy configuration.

Legacy Procedure: Specifying the Management IP Address


The information in this section is the legacy procedure, provided should you elect to maintain the use of this feature.
The Management IP address is an address used to administer this ProxyAV appliance. This is a special IP address used for ordinary (non-remote) access to the ProxyAV. It does not require any relation to your local network addresses. The default value of 1.1.1.5 does not need to be changed unless you have multiple Blue Coat appliances on your network or the default address happens to be within your local range and is in use by another device. If you have multiple boxes, either single boxes at different locations or load-balanced boxes, change the Management IP to a unique address before installing the machine on your network, or administrative access will be erratic. There is no check within the units for duplicate Management IP addresses; you must keep track of this yourself.
Do not use the following IP addresses:
- The same IP address as the appliance IP address.
- 1.1.1.254, 1.1.0.2, or 1.1.0.6.
Use the following addresses with care, as they are used as default Management IP addresses by various Blue Coat products:
- 1.1.1.5, 1.1.1.7, 1.1.1.9, 1.1.1.11, ...
Before using any of these addresses, verify the IP and Management IP addresses of the other Blue Coat products on your network and confirm there is no conflict.


To specify or change the Management IP address:
1. In the Management Console, select Network.
2. Under Global Settings, in the Management IP field, enter the IP address used to administer this appliance.
3. Click Save Changes.


Appendix B: Deploying the ProxyAV

This Appendix provides high-level information about the deployment of an AV solution into your network.

The Challenges of Web Scanning Integration


A Web AV solution must accomplish its task without impacting productivity. Previously, because of the number of users and high Web traffic, AV scanning of Web traffic was impractical because of the unacceptable increase in latency. Most enterprises are configured to provide some level of infrastructure security by the way of firewalls and authentication directories. Furthermore, products, such as the Blue Coat ProxySG appliances, are employed to provide proxy and caching services, which regulate Web usage and increase network performance and bandwidth gain.

The following diagram presents two non-integrated AV scanning solutions:
- Deployment 1: The virus filter resides before the proxy.
- Deployment 2: The virus filter resides between the proxy and the Intranet.
Figure 8-1: Non-integrated Web AV deployments

These two deployments present the following issues:
- Deployment 1: A lag time between the presence of a virus and the availability of the pattern file used to purge the virus allows a single threat to get cached and thus easily spread through the entire network.
- Deployment 2: All viruses are intercepted before they can be cached; however, as the virus filter is repeatedly bombarded, denial of service is likely to occur.
Both of these deployments might require the constant clearing of the cache, which negates any gains attained by bandwidth management provided by the proxy.

The Blue Coat ProxyAV Solution


While the Blue Coat ProxySG product provides flexible and granular control of Web traffic and access, the ProxyAV appliance provides high-performance AV scanning of both cached and non-cached content. The ProxySG and the ProxyAV share underlying Blue Coat processes, which allows for easy deployment and integration. Once integrated, this solution allows for the scanning and purging of harmful viruses and other malicious code without compromising the network control, bandwidth gains, or security attained from the proxy. If an AV scanner must scan all cached and uncached content, performance suffers. The ProxyAV deployment provides a scan one, serve many benefit when scanning cacheable objects: Cached objects are time-stamped and compared against an AV signature database to verify no further scanning is required. Non-cacheable objects are fingerprinted against the current AV signature database; these objects are not scanned again unless either the object or AV database changes.

This provides three benefits: outbreaks are smaller, containment is faster, and performance is gained by not scanning unchanged objects.

The ProxyAV scanning engines allow you to select an AV vendor that is preferred by your enterprise or satisfies your particular requirements. These industry-standard vendors include McAfee, Sophos, and Panda.

Determining Network Location


The ProxyAV appliance must reside on the same network segment as the ProxySG appliance and the PC used to administer the ProxyAV. Note: If the ProxyAV (2000-E) is connected to a Cisco router, you must use a cross-over cable if the Ethernet Media Link Speed is set to anything but Auto Negotiate. Although a patch cable works with Auto Negotiating, Blue Coat recommends using a cross-over cable if the ProxyAV is connected to a Cisco router to avoid conflicts with the differing behavior. If you are using a Cisco switch, a patch cable can be used.

Deployment Diagram 1: ProxyAV With a Crossover Cable

The following diagram illustrates a single ProxyAV attached to a ProxySG using a direct connection.
Figure 8-2: A single ProxyAV deployed with a crossover cable (ProxySG connected directly to the ProxyAV).

Deployment Diagram 2: ProxyAV With a Switch

The following diagram illustrates multiple ProxyAV appliances attached to a ProxySG through an L2 switch.
Figure 8-3: Multiple ProxyAV appliances deployed through a switch (one ProxySG connected to three ProxyAV appliances).

Deployment Phases
The following phases are involved in deploying a ProxyAV appliance with a ProxySG to create an integrated Web scanning service:
1. Configure the ProxySG for ICAP scanning, including specifying the IP address of the ProxyAV as the ICAP service URL.
2. Configure the ProxyAV Web scanning services and features.
3. Define and install Web scanning policies as required in your enterprise. This is accomplished through the Visual Policy Manager (VPM) or by creating Blue Coat Content Policy Language (CPL).