Contact Information
Blue Coat Systems Inc.
650 Almanor Avenue, Sunnyvale, California 94085
info@bluecoat.com
support@bluecoat.com
North America (USA) Toll Free: 1.866.362.2628 (866.36.BCOAT)
North America Direct (USA): 1.408.220.2270
Asia Pacific Rim (Japan): 81.3.5425.8492
Europe, Middle East, and Africa (United Kingdom): +44 (0) 1276 854
www.bluecoat.com
Copyright 1999-2005 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. The Software may not be modified, reproduced (except to the extent specifically allowed by local law), removed from the product on which it was installed, reverse engineered, decompiled, disassembled, or have its source code extracted. In addition to the above restrictions, the Software, or any part thereof, may not be (i) published, distributed, rented, leased, sold, sublicensed, assigned or otherwise transferred, (ii) used for competitive analysis or used to create derivative works thereof,(iii) used for application development, or translated (iv) used to publish or distribute the results of any benchmark tests run on the Software without the express written permission of Blue Coat Systems, Inc., or (v) removed or obscured of any Blue Coat Systems, Inc. or licensor copyrights, trademarks or other proprietary notices or legends from any portion of the Software or any associated documentation. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. Blue Coat Systems, Inc. specifications and documentation are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. ProxySG, ProxyAV, CacheOS, SGOS, are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, WinProxy, AccessNow, Ositis, Powering Internet Management, and The Ultimate Internet Sharing Solution are registered trademarks of Blue Coat Systems, Inc. 
All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The Software and all related technical information, documents and materials are subject to export controls under the U.S. Export Administration Regulations and the export regulations of other countries.
Document Number: 231-02764
Document Revision: 1.00, 01/28/2005
Contents

Chapter 1: Introduction
    The Importance of Web Scanning, p. 5
    New Features and Enhancements, p. 5
    Supported Platforms, p. 5
        Hardware, p. 5
        Software, p. 5
        Supported Browsers, p. 6
    Upgrade Issues, p. 6
    Organization of This Document, p. 6
    ProxyAV Documentation Suite, p. 6
Chapter 2: Basic Network and Access Information
    Section A: Specifying the Usernames and Passwords
        Specifying the Administration Username and Password, p. 8
        Specifying a Read-Only Username and Password, p. 8
    Section B: Configuring Network Access
        Specifying the Appliance Identification Information, p. 9
            Specifying the ProxyAV Name, p. 9
            Specifying the ProxyAV Time, p. 9
        Specifying the Default Gateway, p. 9
        Specifying the ProxyAV Address, p. 10
        Specifying Client Access, p. 10
        Configuring Management Console Access, p. 11
            Enabling HTTP Access, p. 11
            Enabling HTTPS Access, p. 11
            Disabling Console Access, p. 11
        Generating Keyrings and Certificates, p. 12
    Section C: Configuring Network Routing
        Specifying the DNS Servers, p. 14
        Specifying an Upstream Proxy Server, p. 14
        Adding Routes, p. 14
        Adding ARPs, p. 15
        Specifying Link Speed, p. 15
Chapter 3: Configuring Anti-virus Scanning
    Section A: Introduction to Anti-virus Protection
        Introduction, p. 18
        File Terminology, p. 18
    Section B: Managing Anti-virus Subscriptions
        Registering the ProxyAV, p. 20
        Selecting an Anti-virus Vendor, p. 20
        Managing Pattern Files and Scan Engines, p. 20
        Updating Scan Engines and Pattern Files, p. 20
            Specifying a Time Interval, p. 20
            Specifying Pattern File and Engine Update Locations, p. 21
            Forcing an Update, p. 21
    Section C: ICAP
        Configuring the ProxyAV ICAP Service, p. 22
        About Maximum ICAP Connections, p. 22
    Section D: Configuring Anti-virus Parameters
        Determining Which File Types to Scan, p. 24
            ProxySG Policies, p. 24
            ProxyAV Policies, p. 25
        Configuring Scanning Behavior, p. 26
            Enabling Heuristic Parameters, p. 26
            Specifying the Anti-virus File Scanning Timeout Value, p. 26
            Specifying the Limits of Scannable Files, p. 27
            Specifying an Action Upon Content Scan Error, p. 27
        Viewing Anti-virus Status, p. 28
    Section E: Configuring Notification Alerts
        Configuring Alert Notification Information, p. 29
        Customizing Messages, p. 29
Chapter 4: Logging
    Configuring Logging, p. 31
    Configuring CSV Logging, p. 32
    Viewing Log Files, p. 32
Chapter 5: Maintenance and Troubleshooting
    Section A: Managing Configuration Files
    Section B: Troubleshooting
        Debugging ICAP Communication Errors, p. 35
        Preventing a ProxyAV Pattern File Update Failure, p. 35
        Pinging, p. 36
        Retaining Troubleshooting Log Files, p. 36
        Troubleshooting Services, p. 37
        Troubleshooting Utilities, p. 37
            Reload Drivers, p. 37
            Soft Reboot, p. 37
            Diagnostics, p. 37
            DNS Cache, p. 37
        Resetting the ProxyAV 2000-E Appliance, p. 38
        Resetting the ProxyAV 400-E Appliance, p. 38
            Restore the Factory Defaults, p. 38
            Reset the Appliance, p. 38
Chapter 6: Example Scenarios
    Section A: Scenario 1: Basic Anti-virus Deployment
        The Task, p. 42
        ProxySG Configuration, p. 42
            Configure an ICAP Service, p. 42
            Create a Patience Page, p. 43
        ProxyAV Configuration, p. 44
        Visual Policy Manager: Create Policy, p. 45
Appendix A: Upgrading the ProxyAV
    Section A: Upgrade Procedure
        About Firmware Updating, p. 48
        Upgrading to ProxyAV 2.2.x, p. 48
        Restricting Administrator ProxyAV Access to HTTPS, p. 49
    Section B: Upgrade Issues
        Management IP, p. 51
            Upgrade Behavior, p. 51
            Downgrade Behavior, p. 51
            Legacy Procedure: Specifying the Management IP Address, p. 51
Appendix B: Deploying the ProxyAV
    The Challenges of Web Scanning Integration, p. 53
    The Blue Coat ProxyAV Solution, p. 55
    Determining Network Location, p. 55
    Deployment Diagram 1: ProxyAV With a Crossover Cable, p. 56
    Deployment Diagram 2: ProxyAV With a Switch, p. 57
    Deployment Phases, p. 57
Chapter 1: Introduction
Supported Platforms
This section contains the ProxyAV hardware and software requirements.
Hardware
The ProxyAV integrates only with the Blue Coat ProxySG. ProxyAV 2.2.x is supported on the Blue Coat 400-E and 2000-E appliances.
Software
To use the enhanced policy features in ProxyAV 2.2.x, the ProxySG must be running SGOS 3.2.4.x or later; previously supported SGOS versions remain valid with this release, without those features.
Supported Browsers
ProxyAV 2.2.x supports Microsoft Internet Explorer, version 5.x and Netscape Communicator, version 6.x. Other browsers might be compatible, but have not been tested as of the printing of this document.
Upgrade Issues
If you are updating from a previous ProxyAV release to this release, Blue Coat strongly recommends reading Appendix A: "Upgrading the ProxyAV" on page 47 before performing the upgrade.
Chapter 2: Basic Network and Access Information
The Activating Your Software Key pamphlet, packed with the software bundle in your ProxyAV shipment, describes how to perform first-time configuration steps, including the administrator name and password, appliance network configuration, and AV subscription information. This chapter assumes the ProxyAV is configured according to the steps in the pamphlet. If necessary, use the procedures in this chapter to alter the default configuration. This chapter contains the following sections:
Section A: Specifying the Usernames and Passwords (page 8) describes how to configure access credentials.
Section B: Configuring Network Access (page 9) describes how to configure ProxyAV IP addresses and secure Management Console access.
Section C: Configuring Network Routing (page 14) describes how to configure routes, including upstream proxy access.
In the Session timeout field, enter the number of elapsed minutes before the administrator is required to enter access credentials again. Click Save Changes.
For each IP address and subnet entered in the client access table, select one of the following:
Restrict: This IP address and subnet is denied administrative access.
Allow ICAP access: Hosts in this IP address and subnet may connect as ICAP clients.
Allow admin & ICAP access: This IP address and subnet is allowed both administrative and ICAP access.
When there are no entries in the table (or all entries are set to Restrict), no remote administrative or ICAP access is allowed; the table is deny-by-default. To reach the ProxyAV for remote administration, set your browser to use a proxy for HTTP or HTTPS connections, then enter the URL http://interface_IP:port or https://interface_IP:port. For example, https://10.0.0.2:8082.
When HTTPS is enabled, you must enter the URL format: https://interface_IP:port to access the ProxyAV Management Console. For example, https://10.0.0.2:8082.
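Anyone filling in the access table above wants to know how it behaves in the edge cases: an empty table, an all-Restrict table, an ICAP-only entry being used for administration, and overlapping entries. The following is an added example written for this page, not ProxyAV code: an evaluator with the same three modes plus a short audit of entries a reviewer would question before saving. Because the page does not state how overlapping entries are resolved, the example assumes that the most specific subnet wins; the function names and the sample addresses are the example's own.

```python
import ipaddress

# Modes as labelled in the ProxyAV client access table.
RESTRICT = "Restrict"
ALLOW_ICAP = "Allow ICAP access"
ALLOW_ADMIN_ICAP = "Allow admin & ICAP access"
MODES = (RESTRICT, ALLOW_ICAP, ALLOW_ADMIN_ICAP)


def build_table(entries):
    """entries: iterable of (ip, subnet_mask, mode) as typed into the console."""
    table = []
    for ip, mask, mode in entries:
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        # strict=False lets a host address plus its mask describe the subnet.
        table.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), mode))
    return table


def is_allowed(table, client_ip, kind):
    """kind is 'admin' or 'icap'. No matching entry means no access (default deny).
    Precedence among overlapping entries is this example's assumption: the longest
    prefix decides, so a narrow Restrict entry can carve a host out of a broad allow."""
    if kind not in ("admin", "icap"):
        raise ValueError(kind)
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, mode) for net, mode in table if ip in net]
    if not matches:
        return False
    _, mode = max(matches, key=lambda entry: entry[0].prefixlen)
    if mode == RESTRICT:
        return False
    if kind == "icap":
        return True                       # both allow modes permit ICAP
    return mode == ALLOW_ADMIN_ICAP       # admin needs the broader mode


def audit_table(table):
    """Findings a reviewer would raise before saving the table."""
    findings = []
    allowing = [(net, mode) for net, mode in table if mode != RESTRICT]
    if not allowing:
        findings.append("no allow entries: remote admin and ICAP access are both off")
    for net, mode in allowing:
        if net.prefixlen == 0:
            findings.append(f"{net} {mode}: matches every address")
        elif mode == ALLOW_ADMIN_ICAP and net.num_addresses > 1:
            findings.append(f"{net} {mode}: admin access granted to a whole subnet, "
                            "not a single management host")
    return findings


if __name__ == "__main__":
    # Constructed sample: the ProxySG's subnet gets ICAP only, one management
    # host gets admin, and a single address in the ICAP subnet is carved out.
    table = build_table([
        ("10.0.0.0", "255.255.255.0", ALLOW_ICAP),
        ("192.168.100.10", "255.255.255.255", ALLOW_ADMIN_ICAP),
        ("10.0.0.99", "255.255.255.255", RESTRICT),
    ])
    for ip, kind in [("10.0.0.2", "icap"), ("10.0.0.2", "admin"), ("10.0.0.99", "icap"),
                     ("192.168.100.10", "admin"), ("172.16.0.1", "icap")]:
        verdict = "allow" if is_allowed(table, ip, kind) else "deny"
        print(f"{ip:16} {kind:5} -> {verdict}")
    for finding in audit_table(table):
        print("audit:", finding)
```

The audit is the part worth keeping in a real change process: an "Allow admin & ICAP access" entry covering a whole subnet (or 0.0.0.0/0.0.0.0) exposes the Management Console to every host on it, whereas the ICAP side only ever needs the ProxySG's address.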
To generate a new keyring and certificate, and configure the ProxyAV to use them:
1. Select Advanced > SSL Keyrings; the SSL Keyrings page appears.
2. Click Create; a new SSL Keyring page displays.
3. In the Keyring Name field, enter a name that identifies this keyring.
4. Optionally select Show Keyring, which makes the contents of the keyring viewable and exportable. Leave it cleared unless you need to export the private key: a viewable keyring can be copied by anyone with Management Console access.
5. Perform one of the following:
   Select Create new and enter the keyring strength in the bit keyring field. A length of 1024 bits is the maximum (and the default). Longer keypairs, up to that maximum, provide better security at a slight performance cost on the ProxyAV. (By current standards 1024-bit RSA is considered too weak for new deployments; the ceiling is a limitation of this firmware release.) Be aware that the maximum key length allowed for international export might differ from the default; for deployments reaching outside of the United States, determine the maximum key length allowed for export. Click OK. The keyring, containing a keypair, is created with the name you chose. It does not yet have a certificate associated with it.
   Select Import keyring. In the Keyring field, paste an existing keypair. The certificate associated with this keypair must be imported separately. If the keypair being imported has been encrypted with a password, select Keyring Password and enter the password in the field. Click OK.
6. The ProxyAV ships with a certificate associated with a default keyring. You can add three kinds of SSL certificates:
   To create a self-signed certificate:
   a. Select Advanced > SSL Certificates; the SSL Certificates page appears.
   b. From the Keyring drop-down list, select the newly-created keyring.
   c. Click Create; a new SSL Certificates page displays.
longer valid. Click OK. After the process is complete, this keyring and certificate can be selected from the Network page for HTTPS encryption.
To use the new keyring for Management Console HTTPS access:
1. Select Network.
2. Under Management Console Access, from the Keyring drop-down list, select the newly-created keyring. You can also select an SSL version; choose the newest version that your administrative browsers support, because older SSL versions have known weaknesses.
3. Click Save Changes.
   No Proxy (the default): This ProxyAV is not proxied and receives updates directly.
   HTTP Proxy: Sends this ProxyAV's update requests through the defined HTTP proxy server.
   SOCKS Proxy: Sends this ProxyAV's update requests through the defined SOCKS proxy server.
4. In the IP field, enter the IP address of the HTTP or SOCKS proxy server.
5. In the Port field, enter the port number, if necessary.
6. (Optional; applies only to HTTP Proxy) Select Enable Proxy Authorization and specify a user name and password in the appropriate fields.
7. Click Save Changes.
Adding Routes
You can add additional routes for deployments where the ProxyAV default route is not sufficient. A typical requirement for this is when the SMTP or DNS servers to be used by the ProxyAV are located on an internal network.
Added routes do not affect traffic that passes through the ProxyAV; they are used only for connections on which the ProxyAV itself is the client, such as pattern and engine file updates, checks for new ProxyAV firmware, and alert delivery.
To add a route to the table:
1. From the Management Console, select Advanced > Route Table.
2. Click Add; the Route entry page appears.
3. In the Destination field, enter the destination address to be used in routing.
4. In the Mask field, enter the subnet mask.
5. In the Gateway field, enter the gateway address.
6. Click Save Changes.
7. Repeat as required.
Adding ARPs
Certain firewall configurations require the use of static forwarding tables. Failover configurations use virtual IP (VIP) addresses and virtual MAC (VMAC) addresses. When a client sends an ARP (Address Resolution Protocol) request to the firewall VIP, the firewall replies with a VMAC (which can be an Ethernet multicast address); however, when the firewall sends a packet, it uses a physical MAC address, not the VMAC. The solution is to create a static forwarding table entry that defines the next-hop gateway. You can add static ARPs or clear the dynamic and static ARPs.
To add an ARP entry to the table:
1. From the Management Console, select Advanced > ARP Table.
2. At the bottom of the table, enter an IP address in the first field.
3. Enter a MAC address.
4. From the drop-down list, select an interface.
5. Click Add.
2. Select an option from the drop-down lists: Auto, 10 Mbit/Half, 10 Mbit/Full, 100 Mbit/Half, or 100 Mbit/Full.
3. Click Save Changes.
The Ethernet media link speed feature contains a failsafe so that users do not accidentally lock themselves out of the Management Console by entering an incompatible duplex setting. After selecting a speed/duplex setting and clicking Save Changes, the page refreshes and a new button appears: Confirm Media Type Changes. If you do not click this button within two minutes, the ProxyAV reverts to the previous setting.
Chapter 3: Configuring Anti-virus Scanning
This chapter provides basic anti-virus (AV) information and describes how to integrate and configure the ProxySG and ProxyAV virus protection solution. This chapter contains the following sections:
Section A: "Introduction to Anti-virus Protection" (page 18) provides basic AV information and terms.
Section B: "Managing Anti-virus Subscriptions" (page 20) describes how to assign your AV vendor and specify pattern file and scan engine update behavior.
Section C: "ICAP" (page 22) describes how to configure the ProxyAV ICAP service used by the ProxySG.
Section D: "Configuring Anti-virus Parameters" (page 24) describes how to configure ProxyAV AV scanning behavior.
Section E: "Configuring Notification Alerts" (page 29) describes how to configure the ProxyAV to send alert messages.
Introduction
Blue Coat's AV capabilities are implemented using ICAP as the communication mechanism between the Blue Coat ProxySG and the ProxyAV. The policy definition for content scanning is fully integrated into the Blue Coat policy framework and is defined using either the Blue Coat Visual Policy Manager (VPM) or the Blue Coat Content Policy Language (CPL). Virus-free content is cached, giving a scan-once, serve-many benefit when scanning cacheable Web objects.
File Terminology
This section describes file types as they pertain to AV scanning, together with configuration tips. Blue Coat recommends understanding these descriptions and tips before configuring your ProxySG/ProxyAV solution.
Simple File: A file type that is not an archive or container of other files.
Archive File: A file type that contains additional files inside itself. Archives can be nested to multiple levels.
Compressed File: A simple or archive file can be in compressed or decompressed format. Compression reduces the file size from its original size; when decompressed, the file expands back to its original size.
Original File Size: The size of the file sent to the ProxyAV from the ProxySG for scanning. This can be an archive or a simple file. If the file is compressed, the real size is not known until it is decompressed.
Decompressed File Size: For a simple file, the actual file size after decompressing; for an archive file, the total size of all the files it contains.
Maximum Individual File Size: A ProxyAV setting that regulates the upper limit on the size of a file that can be passed to an AV engine. The check is applied to the original file size, independent of archive or compressed status. This limit can be pre-empted by the ProxyAV File Scanning Timeout option: if the maximum file size is large but the file scanning timeout is small, the operation can time out before the size limit is reached.
File Size Within Archive: It is common for AV engine vendors to have specific rules for decompressed file size limits on individual files in an archive. The AV engine sets the preset value, which is currently equal to the maximum file size, but you can specify the limit on the ProxyAV.
Total Size of All Files Within An Archive: It is common for AV engine vendors to have specific rules for the total decompressed file size limit for all files in an archive. For Sophos, this is indirectly manageable, and the value is larger than the Maximum File Size. More dynamic control before invoking AV vendor calls is planned for a future release.
File Scanning Timeout: On the ProxyAV, the maximum time allowed for scanning a file; when the timeout value is reached, scanning stops. The clock starts when the AV engine receives the file.
Connection Timeout: On the ProxySG, the time the ProxySG waits for a response from the ProxyAV after it finishes sending the file for scanning. If the ProxyAV does not complete the scanning operation within this time, the ProxySG declares the scanning operation failed. In practice, keep the ProxySG Connection Timeout longer than the ProxyAV File Scanning Timeout, so that a scan that runs too long is reported (and logged) by the ProxyAV rather than surfacing first on the ProxySG as a generic ICAP failure.
Maximum Archive Depth: The maximum number of nested archives that are opened. For example, if the depth level is 3, the AV engine scans files that are part of a three-deep nested zip file (zipped files in a zipped file in a zip file). Depending on the vendor, the depth is usually in the 16 to 20 range. More dynamic control is planned for a future release.
Maximum Archive Layers: The maximum number of archive layers. For example, if the depth level is 3, the AV engine scans files that are part of a three-deep nested zip file (zipped files in a zipped file in a zip file). Depending on the vendor, the default depth is usually in the 16 to 20 range. More dynamic control is planned for a future release.
File Extension: Original files can be distinguished by the file extension following the file name. The ProxySG can prevent files with a specific extension from being passed to the ProxyAV.
File Extension Within Archive: It is common for AV engine vendors to have specific rules for file extensions within archives (for example, rules to exclude certain extensions from scanning).
To specify a time interval:
1. From the Management Console, select Antivirus.
2. Click the Update Settings link; the Update Settings page is displayed.
3. In the Update Frequency field, enter a value in minutes (the default is 30).
4. Click Save Changes.
Forcing an Update
You can manually invoke a pattern file and scan engine new-version query and update. To force an update:
1. Select Antivirus. The table at the top of the page displays your current AV vendor, the scan engine and pattern file versions, and the number of days remaining in the subscription.
2. In the Action column, select Force update and click Update. The latest engine and pattern files are downloaded and installed, regardless of whether the most current versions are already installed.
Section C: ICAP
This section describes how to configure the ProxyAV ICAP service for AV scanning.
The ProxyAV ICAP service is configured, and can communicate with a ProxySG that is configured to communicate with this ProxyAV. The next section discusses how to configure file scanning parameters.
ProxyAV 2000-E:
The default values are only returned to the ProxySG when it senses the ProxyAV's settings. If you require a larger value, you must edit the ICAP service on the ProxySG. In most deployments, 100 ICAP connections are more than adequate, because the ProxySG can multiplex many requests over them. The value might need increasing in deployments with many slow or long-running scans that keep all 100 connections busy, so that new requests queue while waiting for a freed connection.
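The ICAP OPTIONS exchange is how an ICAP client learns a service's advertised limits, and an advertised Max-Connections value is the kind of default the paragraph above says is handed to the ProxySG when it senses settings. The following is an added example written for this page, not ProxySG or ProxyAV code: it builds a minimal OPTIONS request, parses a constructed response (the service name avscan, the ISTag and the other header values are sample data, not captured from an appliance), and applies Little's law to decide whether a configured pool of connections can carry a given scan load, which is the sizing question the paragraph raises. That the ProxySG's sensing uses exactly this exchange is an assumption; the message format follows RFC 3507.

```python
import math

# Constructed ICAP/1.0 OPTIONS response of the kind an AV service returns
# (RFC 3507 section 4.10). Header values are sample data, not from a ProxyAV;
# 100 is the "in most deployments" figure from the text.
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"Service: sample-av-service\r\n"
    b'ISTag: "sample-istag-0001"\r\n'
    b"Max-Connections: 100\r\n"
    b"Options-TTL: 3600\r\n"
    b"Preview: 1024\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def build_options_request(host, service, port=1344):
    """OPTIONS request an ICAP client sends to learn a service's limits.
    1344 is the IANA-registered ICAP port; 'service' is the URI path."""
    lines = [
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0",
        f"Host: {host}",
        "Encapsulated: null-body=0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_options_response(raw):
    """Return the advertised limits. Max-Connections is optional in RFC 3507,
    so a missing header is reported as None rather than guessed."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or parts[1] != "200":
        raise ValueError(f"unexpected ICAP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()

    def integer(name):
        return int(headers[name]) if name in headers else None

    return {
        "methods": [m.strip() for m in headers.get("methods", "").split(",") if m.strip()],
        "max_connections": integer("max-connections"),
        "preview": integer("preview"),
        "options_ttl": integer("options-ttl"),
        "istag": headers.get("istag"),
    }


def required_connections(requests_per_second, mean_scan_seconds, headroom=1.5):
    """Little's law: scans in flight = arrival rate x time per scan. The headroom
    factor (an assumed 50%) covers bursts and the slow, long-running scans the
    text warns about."""
    return math.ceil(requests_per_second * mean_scan_seconds * headroom)


def pool_is_sufficient(configured_max, requests_per_second, mean_scan_seconds):
    """True if the connection limit configured on the ICAP client side can
    carry the expected load without requests queueing for a free connection."""
    return configured_max >= required_connections(requests_per_second, mean_scan_seconds)


if __name__ == "__main__":
    print(build_options_request("10.0.0.2", "avscan").decode())  # avscan is a placeholder name
    limits = parse_options_response(SAMPLE_OPTIONS_RESPONSE)
    print(limits)
    # 40 req/s with 2 s mean scans already needs 120 connections, above the 100 default.
    print("100 connections enough at 40 req/s, 2 s scans:",
          pool_is_sufficient(limits["max_connections"], 40, 2.0))
```

The sizing function is the practical part: measure the mean scan duration from the ProxyAV's logs under real traffic and multiply by the request rate the ProxySG sends it; if the product approaches the configured connection limit, raise the limit on the ProxySG ICAP service rather than waiting for queued requests to hit the Connection Timeout.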
At the time of this printing, the following MIME types are deemed low risk to contain harmful content: audio, pdf, multipart, x-director, and video. That assessment reflects the threat landscape when the document was written; PDF in particular has since become a routine malware carrier, so re-evaluate the list before excluding any of these types from scanning.
Note: Blue Coat recommends scanning image files, but there might be a noticeable performance latency impact.
ProxySG Policies
To improve performance, you can instruct the ProxySG to exclude these types from scanning.
CPL Example: Excluding File Types
This policy excludes the Real Media file type, which is at very low risk of containing harmful content, from being scanned:

    define condition FileExtension_lowrisk
        url.extension = rm
    end condition FileExtension_lowrisk

    <Cache>
        condition=!FileExtension_lowrisk response.icap_service(icap, fail_closed)
VPM Example: Excluding File Types
In the Destination column, a File Extension object is created that contains the Real Media file type; the object is then negated (notice the negation symbol):
Figure 3-1: A Web Content Layer with a rule to negate the low-risk file extension.
CPL Example: Including File Types
This policy specifies that HTML and Zip file types are scanned:

    define condition FileExtension_highrisk
        url.extension=html
        url.extension=zip
    end condition FileExtension_highrisk

    <Cache>
        condition=FileExtension_highrisk response.icap_service(icap, fail_closed)

With an include-list policy such as this, a response whose extension is not in the list matches no rule and is served unscanned unless another rule or layer scans it; the exclude-list form above is the safer default because it scans everything not explicitly excused. Remember too that the extension is part of the URL chosen by the server, not a property of the content. In both examples, fail_closed withholds the response when the ICAP service cannot be reached; fail_open would serve it unscanned instead.
VPM Example: Including File Types Another rule is added. In the Destination column, a File Extension object is created, which contains the HTML and Zip file types:
Figure 3-2: Subsequent rule with the high-risk file types added.
ProxyAV Policies
On the ProxyAV, you can specify file types that are blocked (neither scanned nor served to the client; deny) or served to the client unscanned (allow). To specify blocked or passed-through file types:
1. From the Management Console, select Antivirus.
2. Click Scanning Behavior.
3. Under File Extensions, enter file types as appropriate:
Drop files having extensions: Any file types with these extensions are blocked and not served to the client.
Don't scan files having extensions: Any file types with these extensions are passed through unscanned to the client. When considering this option, Blue Coat advises that viruses and other malicious code can be embedded in many file types, including image formats.
Additionally, you can specify whether to block or pass through a file upon scanning timeout by selecting Timeout under Block file if an error occurs during antivirus scan. See "Specifying an Action Upon Content Scan Error" on page 27. To specify a timeout value:
1. From the Management Console, select Antivirus.
2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.
3. Under Files Scanning Timeout, enter the amount of time the ProxyAV is to scan a file.
4. Click Save Changes.
The default is 800 seconds; the minimum is ten seconds; the maximum is 3600 seconds (60 minutes).
ProxyAV 400-E: 750 MB. ProxyAV 2000-E1: 750 MB. ProxyAV 2000-E3: 900 MB.
Maximum total uncompressed size: An uncompressed file or archive cannot exceed the specified size.
maximum is 20 to 100, depending on anti-virus vendor.
If any of these limits is exceeded, the object is not scanned.
Loggable Errors
Current ProxySG versions do not log the reason for file scanning failures; the ProxySG just sends an ICAP communication error to the client (applies to SGOS 3.2.4 and above). The ProxyAV, however, logs these errors in the Alertlogfile.log file, which is accessible from the Log File screen (see Chapter 4: Logging on page 31). All file-scanning failures are logged in this log. The following errors are logged in the Alertlogfile.log file for file scanning failures caused by file size limits:
If the file is larger than the specified maximum size, you receive a file too big alert.
If the unpacked file is larger than the specified maximum size, you receive an unpacked file too big alert (this alert was previously out of space).
If the appliance is out of temporary space, you receive an insufficient temporary storage space alert (this was previously out of space).
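Because the ProxySG side only reports a generic ICAP communication error, the ProxyAV alert log is where an administrator finds out which size limit was actually hit. The following Python script is an added example, not Blue Coat code: it recognizes the three size-limit alert phrases documented above and returns the newest matching entries (the appliance writes the latest entries at the bottom of the file). Only the alert phrases come from the documentation; the line layout, client addresses and URLs are constructed, and LINE_RE would need adjusting to the appliance's real log format.

```python
"""Triage size-limit alerts in a ProxyAV Alertlogfile.log-style log.

Added example, not Blue Coat code. Only the three alert phrases come from the
documentation; the line layout and the sample entries below are constructed.
"""
import re
from typing import Dict, List, Optional

# Documented alert phrases, mapped to the Scanning Behavior limit that was hit.
SIZE_LIMIT_ALERTS = {
    "file too big": "maximum file size",
    "unpacked file too big": "maximum total uncompressed size",
    "insufficient temporary storage space": "appliance temporary storage",
}

# Assumed layout: "<date> <time> <client IP> <URL> <message>". The real
# appliance format may differ; adjust LINE_RE to match your log.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<url>\S+) (?P<msg>.*)$")

# Constructed sample log; newest entries are at the bottom, as on the appliance.
SAMPLE_ALERT_LOG = """\
2005-03-01 09:12:44 10.0.0.50 http://example.test/big.iso file too big
2005-03-01 09:13:02 10.0.0.51 http://example.test/archive.zip unpacked file too big
2005-03-01 09:13:10 10.0.0.52 http://example.test/doc.pdf virus found: sample-signature
2005-03-01 09:14:30 10.0.0.53 http://example.test/pack.tar.gz insufficient temporary storage space
"""


def classify_alert(line: str) -> Optional[str]:
    """Return the exceeded limit for a size-limit alert line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg").lower()
    # Longest phrase first, so "unpacked file too big" is not reported as the
    # plain "file too big" case.
    for phrase in sorted(SIZE_LIMIT_ALERTS, key=len, reverse=True):
        if phrase in msg:
            return SIZE_LIMIT_ALERTS[phrase]
    return None


def size_limit_failures(log_text: str, latest: int = 10) -> List[Dict[str, str]]:
    """Return the most recent size-limit failures, oldest first."""
    found = []
    for line in log_text.splitlines():
        limit = classify_alert(line)
        if limit is None:
            continue
        m = LINE_RE.match(line.strip())
        found.append({"ts": m.group("ts"), "client": m.group("client"),
                      "url": m.group("url"), "limit": limit})
    return found[-latest:]


if __name__ == "__main__":
    for entry in size_limit_failures(SAMPLE_ALERT_LOG):
        print(f"{entry['ts']} {entry['client']} {entry['url']}: {entry['limit']} exceeded")
```

A run over the constructed log reports three size-limit failures and skips the virus-detection entry, which is a different event class. Repeated "maximum total uncompressed size" hits for one URL are the signal that the Scanning Behavior limits, rather than the content, are blocking the download.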
You can specify what action the ProxyAV takes when a timeout or other error occurs during a content scan. If enabled, the file is blocked (the default). If no options are selected, the file being scanned when the error occurs is passed on to the client unscanned.
To specify an action upon error:
1. From the Management Console, select Antivirus.
2. Click the Scanning Behavior link; the Scanning Behavior page is displayed.
3. Under Policies For Antivirus Exceptions, select one or more options:
File Scanning Timeout: The time required to scan the file exceeds the specified or appliance limit.
Decode/decompress (unsupported compression method, corrupted compression file): An error occurred during decoding or during decompression of a compressed file. For example, the file is corrupted or the method used to decompress the file is unsupported. (Does not apply to Panda.)
Password protected compressed file: A compressed file that requires a password to access. (Does
Maximum total uncompressed size exceeded: An uncompressed file size exceeds the specified or appliance limit.
4. By default, the ProxyAV sends all alerts through e-mail. To also keep a log file of events, select Enable alerts logging to file. (See Chapter 4: Logging on page 31.)
5. Click Save Changes.
Customizing Messages
Each alert contains information about the event that triggered it. Because different events can trigger an alert, there can be many different alert forms. In the Advanced>Messages table, you can specify what information is in each type of alert. The first three columns (Protocol, Event, and Command Type) define each type of event. The Alert column defines what information is included in the alert that is logged or sent through e-mail to the administrator. The Substitute column defines what text is substituted for the original data and sent to the client. Each virus and error message type has a default message. Click Modify in the Alert or Substitute column to go to a page where you can customize the messages using autotext keywords. The following keywords can be used:
%CLIENT: The client IP address.
%ACTION: What action was performed (file passed/dropped).
%URL: The URL from which the file was downloaded.
%FILE: The original file as received from the ProxySG, or a file embedded into an HTML object (an object can contain several files); the file name can be changed using the Content-Disposition: HTTP header tag.
%SUBFILE: A file within an archive file that contains a problem or virus.
%VIRUS: The virus name.
%REASON: Why the event occurred. For example, why can't the file be scanned?
%MACHINENAME: The name of the ProxyAV appliance.
%MACHINEIP: The ProxyAV appliance IP address.
%PROTOCOL: The scanned protocol.
%APPNAME: The application name (ProxyAV).
%APPWEB: The application vendor Web address.
%APPVERSION: The application version.
%AVVENDOR: The anti-virus vendor.
%AVENGINEVERS: The anti-virus engine version.
%AVPATTERNVERS: The anti-virus pattern version.
%AVPATTERNDATE: The anti-virus pattern date.
%TIMESTAMP: The time the event occurred.
%ADMINMAIL: The administrator mail address.
The % character always precedes the tag name. Capitalization is also important; do not use lowercase variable names.
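The keyword rules above (a % prefix, upper-case names only) are easy to get wrong when editing a message template, and a mistyped token ends up verbatim in an alert or in the substitute page served to the client. The following Python function is an added example, not Blue Coat code: it substitutes only the documented upper-case keywords and reports any %token it could not resolve, so a bad template is caught before it is saved. The template and the sample values are constructed.

```python
"""Expand ProxyAV-style autotext keywords in an alert or substitute message.

Added example, not Blue Coat code. It applies the documented rules (a '%'
prefix and upper-case keyword names only); the template and values below are
constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Keywords listed in the Advanced>Messages documentation.
KEYWORDS = (
    "CLIENT", "ACTION", "URL", "FILE", "SUBFILE", "VIRUS", "REASON",
    "MACHINENAME", "MACHINEIP", "PROTOCOL", "APPNAME", "APPWEB",
    "APPVERSION", "AVVENDOR", "AVENGINEVERS", "AVPATTERNVERS",
    "AVPATTERNDATE", "TIMESTAMP", "ADMINMAIL",
)

# Case-sensitive on purpose (no IGNORECASE), so %client is not a keyword.
# Longest names first so that no keyword is cut short by a shorter alternative.
KEYWORD_RE = re.compile("%(" + "|".join(sorted(KEYWORDS, key=len, reverse=True)) + ")")


def render_message(template: str, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (rendered text, %tokens in the template that were not resolved).

    Unresolved tokens usually mean a lower-case or mistyped keyword, or a
    keyword for which this event supplies no value; reporting them keeps
    placeholder text out of alerts and client-facing substitute pages.
    """
    def replace(match):
        # Documented keywords without a supplied value are left as written.
        return values.get(match.group(1), match.group(0))

    rendered = KEYWORD_RE.sub(replace, template)
    leftovers = [tok for tok in re.findall(r"%[A-Za-z]+", template)
                 if tok[1:] not in KEYWORDS or tok[1:] not in values]
    return rendered, leftovers


# Constructed sample data for a virus-detected alert.
ALERT_TEMPLATE = ("Virus %VIRUS found in %FILE (%SUBFILE) requested by %CLIENT "
                  "from %URL at %TIMESTAMP on %MACHINENAME; action: %ACTION")
SAMPLE_VALUES = {
    "VIRUS": "Sample-Signature", "FILE": "report.zip", "SUBFILE": "setup.exe",
    "CLIENT": "10.0.0.50", "URL": "http://example.test/report.zip",
    "TIMESTAMP": "2005-03-01 09:12:44", "MACHINENAME": "proxyav-1",
    "ACTION": "dropped",
}

if __name__ == "__main__":
    text, leftovers = render_message(ALERT_TEMPLATE, SAMPLE_VALUES)
    print(text)
    print("unresolved:", leftovers)
```

With the constructed values every token resolves and the unresolved list is empty; a template containing %client (lower case) renders with that token untouched and reports it, which is exactly the mistake the capitalization rule above warns about.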
Exception Pages
For each different X-Error-Code header, it is possible to create separate exception pages on the ProxySG. This requires creating policy on the ProxySG.
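To show what the ProxySG policy has to work with, here is an added Python example (not Blue Coat or ProxySG code) that parses an ICAP/1.0 response header block (RFC 3507 framing), extracts the X-Error-Code header, and maps it to an exception page name. The X-Error-Code values and the page names are constructed placeholders; the appliance's real codes are not listed on this page. A 2xx response is treated as a successful scan that needs no exception page, and a failure without a recognized code falls back to a generic page rather than being passed through.

```python
"""Read the X-Error-Code header from an ICAP response and choose an
exception page for it.

Added example, not Blue Coat or ProxySG code. The responses below follow the
ICAP/1.0 framing (RFC 3507); the X-Error-Code values and page names are
constructed placeholders, not the appliance's real codes.
"""
from typing import Dict, Optional, Tuple

# Constructed mapping: error code -> exception page to return to the client.
EXCEPTION_PAGE_FOR_CODE = {
    "placeholder_scan_timeout": "icap_timeout_page",
    "placeholder_file_too_big": "icap_size_limit_page",
}
DEFAULT_EXCEPTION_PAGE = "icap_error_page"

# Constructed ICAP error response carrying an X-Error-Code header.
SAMPLE_ERROR_RESPONSE = (
    b"ICAP/1.0 500 Internal Server Error\r\n"
    b"ISTag: \"constructed-istag\"\r\n"
    b"X-Error-Code: placeholder_scan_timeout\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

# Constructed "nothing to modify" response: the scan passed.
SAMPLE_CLEAN_RESPONSE = (
    b"ICAP/1.0 204 No Content\r\n"
    b"ISTag: \"constructed-istag\"\r\n"
    b"\r\n"
)


def parse_icap_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from an ICAP response header block.

    Header names are folded to lower case because they are case-insensitive.
    Raises ValueError if the block is incomplete or not ICAP/1.0.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or not parts[1].isdigit():
        raise ValueError("malformed ICAP status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def error_code(raw: bytes) -> Optional[str]:
    """Return the X-Error-Code value, or None if the header is absent."""
    return parse_icap_headers(raw)[1].get("x-error-code")


def exception_page_for(raw: bytes) -> Optional[str]:
    """Return the exception page to serve, or None when the scan succeeded.

    Unknown or missing codes fall back to a generic page so that a scan
    failure is never silently passed through to the client.
    """
    status, headers = parse_icap_headers(raw)
    if 200 <= status < 300:
        return None
    code = headers.get("x-error-code")
    return EXCEPTION_PAGE_FOR_CODE.get(code, DEFAULT_EXCEPTION_PAGE)


if __name__ == "__main__":
    print("error code:", error_code(SAMPLE_ERROR_RESPONSE))
    print("page:", exception_page_for(SAMPLE_ERROR_RESPONSE))
    print("clean scan page:", exception_page_for(SAMPLE_CLEAN_RESPONSE))
```

On the ProxySG this mapping would be expressed in policy rather than in a script; the point of the example is the contract: one exception page per distinct X-Error-Code value, plus a default for codes the policy does not name.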
Chapter 4: Logging
Configuring Logging
This option allows you to forward detailed logging information to any system on your network. The ProxyAV includes an application for receiving logs, or you may use your own syslog application. The Blue Coat log receiver is called ConnLog.exe and can be downloaded from the Log Files page by clicking Get log receiver application (ConnLog.exe) or Get Windows based log receiver application (ConnLogXP.exe). The logs are in plain text format and can be imported into most log analyzer applications.
ConnLog.exe writes a new log file for each day into the current directory. By default, it listens for a connection from the ProxyAV on port 8001. Run ConnLog.exe from a command line to change this listening port; the ConnLog.exe /? command displays usage information.
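For environments without ConnLog.exe, the following Python script is an added example (not Blue Coat's ConnLog.exe) of a receiver with the same shape: it listens on TCP port 8001 by default and appends each received line to one file per day in the working directory. The file-name scheme, the allow-list restricting connections to the ProxyAV's address, and the stripping of control characters from received lines are this example's own assumptions; the ProxyAV address 10.0.0.2 and the sample entries are constructed.

```python
"""A minimal stand-in for a ConnLog-style TCP log receiver.

Added example, not Blue Coat's ConnLog.exe. Like ConnLog it listens on TCP
port 8001 by default and writes one file per day in the working directory;
the file-name scheme, the sender allow-list and the control-character
stripping are this example's own assumptions.
"""
import argparse
import datetime as dt
import os
import socketserver
import tempfile
from typing import List, Optional

DEFAULT_PORT = 8001               # ConnLog's documented default
ALLOWED_SENDERS = {"10.0.0.2"}    # constructed: the ProxyAV's address


def log_path_for(day_iso: str, directory: str = ".") -> str:
    """Per-day file name, e.g. ./proxyav-2005-03-01.log (scheme assumed)."""
    return os.path.join(directory, f"proxyav-{day_iso}.log")


def sanitize(line: str) -> str:
    """Drop CR/LF and other control characters from a received line so a
    crafted entry cannot forge extra records or inject terminal escapes."""
    return "".join(ch for ch in line if ch == "\t" or ch >= " ")


def store_line(line: str, directory: str = ".", day_iso: Optional[str] = None) -> str:
    """Append one sanitized line to that day's file; return the path written."""
    day_iso = day_iso or dt.date.today().isoformat()
    path = log_path_for(day_iso, directory)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(sanitize(line) + "\n")
    return path


def read_lines(path: str) -> List[str]:
    """Read back a log file as a list of lines (helper for checking results)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()


def write_sample_log(directory: Optional[str] = None) -> str:
    """Store a few constructed entries in a temp dir and return the file path."""
    directory = directory or tempfile.mkdtemp(prefix="proxyav-log-")
    constructed = [
        "2005-03-01 09:12:44 10.0.0.50 GET http://example.test/a.html 200",
        # embedded CR/LF: an attempt to forge a second record in one line
        "2005-03-01 09:12:45 10.0.0.50 GET http://example.test/b.zip\r\nforged line",
    ]
    path = log_path_for("2005-03-01", directory)
    for entry in constructed:
        store_line(entry, directory, day_iso="2005-03-01")
    return path


class LogHandler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        if self.client_address[0] not in ALLOWED_SENDERS:
            return                      # ignore unexpected senders
        for raw in self.rfile:          # one log record per line
            store_line(raw.decode("utf-8", errors="replace").rstrip("\r\n"),
                       self.server.log_dir)


class LogServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address, log_dir: str):
        super().__init__(address, LogHandler)
        self.log_dir = log_dir


def main() -> None:
    parser = argparse.ArgumentParser(description="Receive ProxyAV log lines over TCP")
    parser.add_argument("--port", type=int, default=DEFAULT_PORT)
    parser.add_argument("--dir", default=".")
    args = parser.parse_args()
    with LogServer(("0.0.0.0", args.port), args.dir) as server:
        server.serve_forever()


if __name__ == "__main__":
    main()
```

Run it with --port to change the listening port, as with ConnLog.exe. The sender allow-list matters because the receiver accepts plain text from the network: without it, any host could append records to the log that an analyzer would later treat as the ProxyAV's own.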
Note:
If configured, the ProxySG logs provide complete information, including ICAP results and virus information. The ProxyAV logging capability is useful for troubleshooting.
To define where logs are sent:
1. From the Management Console, select Log Files.
2. Under Logging, select Enable sending logging information to remote computer.
3. In the Address field, enter the IP address of the destination server.
4. Select the protocol: TCP/IP or UDP.
5. Select the logging format:
ProxyAV Classic: The Blue Coat logging format.
MS Proxy 2.0: Microsoft Proxy logging format.
ISA W3C: Extended log file format.
User Defined: A log format you specify using the format string.
6. If you selected User Defined format, you can select Include W3C headers to include them.
7. If you selected User Defined, you can specify the Delimiter format: Comma or Space.
8. The Format String field displays the default logging tokens, based on the selected log format, that define what detailed information appears in the logs. If you selected User Defined format, you can modify this as required. To display a list of valid tokens, click Token list.
9. Click Save Changes.
Chapter 5:
This chapter describes the features used to maintain and troubleshoot the ProxyAV appliance. It contains the following sections:
Section A: Managing Configuration Files on page 34: Describes how to save and load the ProxyAV configuration files.
Section B: Troubleshooting on page 35: Provides help to solve basic problems that might arise on the ProxyAV.
To load a configuration file:
1. If you know the location of the configuration file, enter the path in the field, or click Browse and navigate to the file location.
2. (Optional) Select Overwrite current IP configuration with the IP settings from uploaded file to use the IP definitions of the saved file.
3. Click Upload and Apply.
Section B: Troubleshooting
This section describes the ProxyAV utilities provided to aid with local troubleshooting.
Important: When you open Alertlogfile.log using the option View log file in browser, the complete file might not be displayed, as the file is often too big to be displayed on the browser. Use a text editor to open the log file directly to see all the error messages. The latest error messages are logged at the bottom of the file.
VPM:
1. Select Policy>Add Web Access Layer.
2. Right-click the Source column; click Set.
3. Click New; select Request Header.
4. In the Header Name drop-down list, select User-Agent.
5. In the Header Regex field, enter ProxyAV.
6. Click OK; click OK to add the object to the rule.
7. Select Policy>Add Web Content Layer.
8. Right-click the Action column; click Set.
9. Click New; select ICAP Response Service.
10. In the Use ICAP Response Service drop-down list, select the ICAP service.
11. Click OK; click OK to add the object to the rule.
12. Install the policy.
Pinging
Ping a server to verify its state. To ping a server:
1. From the Management Console, select Advanced; click the Ping Utility link.
2. In the IP Address field, enter the IP address of the server to be pinged.
3. Click Ping.
To retain log files:
1. From the Management Console, select Advanced; click the Troubleshooting link.
2. Select Enable Keeping Troubleshooting Logs.
3. Click Save Changes.
Troubleshooting Services
The following options allow you to specify additional ProxyAV communication services that can assist administrators or Blue Coat Technical Support to diagnose difficulties. To access these options, from the Management Console, select Advanced; click the Additional Services link.
Enable sending Troubleshooting Information files: Allows files containing troubleshooting information
appliance.
Enable ping to Interface IP: Allows you to ping the interface IP address of this ProxyAV appliance.
If you invoke any of these options, you must click Save Changes.
Troubleshooting Utilities
These options are designed to help you resolve technical troubles with a ProxyAV appliance. To access these options, from the Management Console, select Utilities.
Reload Drivers
The ProxyAV reloads its drivers. This is similar to rebooting the appliance, but is faster. Use this option if you perform a configuration change that does not appear to be in effect.
Soft Reboot
This is the equivalent of resetting a computer. It physically reboots the machine. A new entry in the boot.log occurs.
Diagnostics
These diagnostics create relatively large and detailed log files that provide information for troubleshooting certain network configurations. A Blue Coat Technical Support representative might ask you to invoke these internal diagnostics. This additional logging activity affects system performance; therefore, Blue Coat does not recommend using this option except at the request of Blue Coat Technical Support.
DNS Cache
These options allow you to view and clear the contents of the DNS cache.
Button 1: Restores the factory defaults. Only use this option in scenarios where you can no longer manage your ProxyAV, for example, if your configuration changes have caused the ProxyAV to become unstable or you have lost a password. To restore, the appliance must be fully up, which is verified by the lit System LED on the front. Press and hold this button for five seconds. The system default settings are restored (the default settings are defined by the software build) and the appliance reboots.
Button 2: Resets the power. Only attempt a power reset if the power switch does not power on the appliance.
To reset the appliance:
1. Unplug the power cord; plug it back in.
2. While the appliance is booting, press and hold the up arrow until the menu appears.
3. Use the arrow buttons to navigate the menu. Press the enter button to select a menu option (you have two minutes to make a selection):
Restore boot?: Forces the ProxyAV 400-E to boot using an archived system image. If the appliance does not boot upon power-up, Blue Coat recommends invoking this option first.
Cancel: Exits the reboot menu; the ProxyAV 400-E continues to boot.
Chapter 6: Example Scenarios
This chapter provides example configurations for common ProxyAV deployments, and contains the following sections:
"Section A: Scenario 1: Basic Anti-virus Deployment" on page 42: Provides examples for a simple AV deployment.
The External Services chapter of the Blue Coat ProxySG Configuration and Management Guide contains more examples of content scanning policies.
The Task
Deploy ProxyAV as ICAP server to scan for viruses and display a patience page with a customized message if the scan takes longer than five seconds.
Example Data
This scenario uses the following sample data:
ProxyAV IP address: 10.0.0.2
ProxySG IP address: 10.1.1.1
ProxySG Configuration
Configure the ProxySG to communicate as an ICAP client with the ProxyAV and process content scanning.
receives a page informing them to wait while a scan is performed. The next section covers creating a Patience Page. Note: Patience pages display regardless of any pop-up blocking policy that is in effect.
c. Notify administrator: Virus detected option: Select this option. An email is sent to the administrator if the ICAP scan detects a virus. The notification is also sent to the Event Log and the Event Log email list.
d. Method supported option: Select response modification. The ProxyAV scans the responses before they are allowed to reach the client.
e. Deselect the preview option.
Customize the Patience Page
1. Select Configuration>External Services>ICAP>ICAP Patience Page.
2. Click Summary; the Customize Patience Summary dialog appears.
3. Create a message: For security concerns, your request is currently being scanned for viruses, which might cause a slight delay. Please be patient.
ProxyAV Configuration
Configure the ProxyAV to communicate with the ProxySG and serve as the ICAP server. To configure ICAP from the ProxyAV Management Console:
1. Select ICAP Settings; the ICAP Server Settings page appears.
2. Select ICAP Server enabled.
3. Click Save Changes.
4. Click the Permitted clients link.
a. In the Client Access List table, click Add; the Administration and ICAP server Access List Entry page appears.
b. IP address field: enter 10.1.1.1 (the ProxySG IP address).
c. Select Allow ICAP access.
c. Click OK.
d. With the Corporate_ICAP object highlighted, click OK to add the object to the rule.
5. In the VPM, select Policy>Add Web Access Layer; the Add New Layer dialog appears.
6. Name the layer: Patience Page: Corporate ICAP; click OK.
7. In the Action column, right-click and click Set; the Set Action dialog appears.
8. Click New; select Return ICAP Patience Page; the Add ICAP Patience Page Object dialog appears.
a. Name the object: ICAP_Patience.
b. In the Return a patience page after field, enter 5. After five seconds during a scan, the patience page with the message customized in the "Create a Patience Page" section is displayed to the user.
c. Click OK.
d. With the Corporate_ICAP_Patience object highlighted, click OK to add the object to the rule.
This appendix describes how to upgrade the ProxyAV to a new release and describes behavior changes attributed to upgrading or downgrading between ProxyAV releases. This appendix contains the following sections:
Section A: Upgrade Procedure on page 48: Provides procedures to upgrade the ProxyAV firmware and restrict administrator access to allow only HTTPS.
Section B: Upgrade Issues on page 51: Describes the features impacted by upgrading to current ProxyAV releases.
which could block network traffic for up to three minutes, updates do not occur unless the administrator initiates the update. This allows the update to be performed at the most convenient time. When the update starts, the ProxyAV downloads the update from Blue Coat. These updates are typically one to five MB in size, and might take a few minutes to download, depending on your Internet connection. The updates to software, firmware, or both are then performed, and the ProxyAV resets itself. Depending on the update, the reset might be just a reload of drivers or it could be a full restart of the machine. The entire process can take anywhere from 30 seconds to 3 minutes, excluding the download time. Note: This update applies to the base ProxyAV OS only. The ProxyAV continues to check for updated site filtering and AV engine and pattern files at the interval specified in the Update frequency field on the Antivirus>Update Settings page.
HTTPS: Enabled by default. The ProxyAV is accessible on port 8082 through the Interface IP; however, you can only access the Management Console if, before upgrading, you specified an IP address for Admin and ICAP access. If you did not, you can create a rule before upgrading to permit access from an administrator client (refer to "Specifying Client Access" on page 10). If you elect not to do this now, the next section provides a post-upgrade procedure to limit Management Console access to HTTPS, which includes accessing the ProxyAV through the Management IP, adding an administrator client, and removing the Management IP.
HTTP: Disabled by default. The ProxyAV is not accessible on port 8081 through the Interface IP until this option is enabled (see "Enabling HTTP Access" on page 11).
To upgrade the ProxyAV:
1. In the Management Console, select Firmware Update. This page provides the status of your current build. If a new ProxyAV 2.2.x update is available, the Update Now button is enabled.
2. Click Update Now. A splash screen displays as the ProxyAV prepares to download the build. The Management Console then returns to the Home page. Statistics under Current Downloads track the progress of the build. As the new OS installs, the ProxyAV temporarily cannot accept clicks on any option. When the installation completes, the Management Console refreshes itself and is ready for configuration.
To limit the ProxyAV to encrypted access: Note: If you have a permitted Admin and ICAP client and do not require additional clients, skip Steps 1 and 2.
1. Select Network. Under the Management Console Access field, notice that HTTPS is enabled on port 8082 (a default keyring has also been created).
2. If you do not currently have a permitted administrator client, or want to add a new one, click Add under Administration and ICAP Server Access List. The Administration and ICAP Server Access List Entry screen appears.
a. In the IP address field, enter an IP address to be granted administrator access.
b. In the Mask field, enter the IP subnet.
c. Select Allowed admin and ICAP access.
d. Click Save Changes.
3. In the URL field of the browser, enter the new URL to access the ProxyAV through HTTPS:
https://proxyav_IP_address:8082
4. Now that secure access is granted through the designated IP address, hide the Management IP option from the Management Console.
a. In the Management Console, select Advanced>Additional Services.
b. Deselect Enable Management IP.
c. Click Save Changes.
d. In the Management Console, select Network. Notice the Management IP option is now hidden.
Should you elect to continue using the Management IP feature, "Section B: Upgrade Issues", "Management IP" on page 51 discusses upgrading and downgrading behavior and provides the legacy procedure to configure the Management IP.
Management IP
Before ProxyAV 2.2.x, the Management IP was used to administer the appliance. ProxyAV 2.2.x allows the use of the HTTPS protocol, which provides encrypted access.
Upgrade Behavior
The Management IP is still visible and usable; however, for elevated security, Blue Coat recommends hiding this feature and employing HTTPS access (see "Restricting Administrator ProxyAV Access to HTTPS" on page 49).
Downgrade Behavior
If you hid this feature after upgrading ProxyAV to 2.2.x and then downgrade to a previous version, the Management IP is visible according to the legacy configuration.
Use the following addresses with care, as they are used as default Management IP addresses by various Blue Coat products:
1.1.1.5, 1.1.1.7, 1.1.1.9, 1.1.1.11, ...
Before using these addresses, verify the IP and Management IP addresses of other Blue Coat products on your network and confirm there is no conflict.
To specify or change the Management IP address:
1. In the Management Console, select Network.
2. Under Global Settings, in the Management IP field, enter the IP address used to administer this appliance.
3. Click Save Changes.
This Appendix provides high-level information about the deployment of an AV solution into your network.
Deployment 2: The virus filter resides between the proxy and the Intranet.
These two deployments present the following issues:
Deployment 1: A lag time between the presence of a virus and the availability of the pattern file used to purge the virus allows a single threat to get cached and thus easily spread through the entire network.
Deployment 2: All viruses are intercepted before they can be cached; however, as the virus filter is repeatedly bombarded, denial of service is likely to occur.
Both of these deployments might require the constant clearing of the cache, which negates any gains attained by bandwidth management provided by the proxy.
This provides three benefits: Outbreaks are smaller; Containment is faster; and, Performance gain is attained by not scanning unchanged objects.
The ProxyAV scanning engines allow you to select an AV vendor that is preferred by your enterprise or satisfies your particular requirements. These industry-standard vendors include McAfee, Sophos, and Panda.
Deployment Phases
The following phases are involved in deploying a ProxyAV appliance with a ProxySG to create an integrated Web scanning service:
1. Configure the ProxySG for ICAP scanning, including specifying the IP address of the ProxyAV as the ICAP service URL.
2. Configure the ProxyAV Web scanning services and features.
3. Define and install Web scanning policies as required in your enterprise. This is accomplished through the Visual Policy Manager (VPM) or by creating Blue Coat Content Policy Language (CPL).