You are on page 1of 48

Blue Coat SGOS 6.2.

x Release Notes

Version: SGOS 6.2.2.1 BCAAA Version 130 Release Date: 6/15/2011 Document Revision: 2.0 on 6/15/2011

Release Note Directory


These release notes present information by each release in the SGOS 6.2.x software line. Each section provides feature descriptions, fixes and known issues.

Section A: "SGOS 6.2.x Reference Information" on page 3If you are a new user to SGOS 6.x, Blue Coat strongly recommends that you read this section in its entirety. The section identifies topics such as supported platforms, important upgrade information, BCAAA details, and additional requirements specific to SGOS 6.x version information. Section B: "SGOS 6.2.2.1, build 71419" on page 11 Section C: "SGOS 6.2.1.4, build 71203" on page 17 Section D: "SGOS 6.2.1.3, build 66659" on page 18 Section E: "SGOS 6.2.1.1, build 64600" on page 20 Section F: "Limitations in SGOS 6.2.x" on page 38 Section G: "SGOS 6.x Support Files and Support for Other Products" on page 39

Blue Coat SGOS 6.2.x Release Notes

SGOS 6.2.x Feature Matrix


The following table lists the features introduced in the SGOS 6.2.x release line, with cross-reference links to feature descriptions.
Component Access Logs ADN Feature "Changes to Access Log Formats" on page 25 "ADN Last Peer Detection" on page 22 "Change in Default Setting for Adaptive Compression" on page 23 "Adaptive Byte Caching" on page 24 "Separate Controls for Client IP Reflection on ADN Concentrators" on page 24 "Configure Transparent Tunnel Mode" on page 11 Content Filtering Event Logs Hardware Proxies: Flash Proxies: MAPI Reporting Services Sky UI Licensing "Application Filtering" on page 21 "SMTP Server Configuration" on page 25 "Increased Object Store Capacity" on page 23 "Caching of Flash Video-on-Demand Content" on page 21 "Acceleration of Encrypted MAPI" on page 20 "Report Changes" on page 24 "Separate Controls for Enabling Byte Caching and Compression" on page 23 "New Acceleration Reports in Blue Coat Sky" on page 22 Introduced 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.2.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.1 6.2.1.3

"Licensing Enhancements" on page 18

Blue Coat SGOS 6.2.x Release Notes

Section A: SGOS 6.2.x Reference Information


This section applies to all SGOS 6.2.x releases.

Important Notes About SGOS 6.2.x


Before beginning the upgrade process, you must read the following information:

If you are using the Blue Coat Authentication and Authorization Agent (BCAAA), SGOS 6.2.x requires BCAAA version 130 (located on the 6.2.x BlueTouch Online download page). Even if you are already running version 130, be sure to upgrade to the BCAAA version associated with SGOS 6.2.x because it contains a security vulnerability fix. You must upgrade to BCAAA version 130 before upgrading to SGOS 6.2.x. Do not upgrade SGOS unless you have first installed the compatible BCAAA version.

The Blue Coat SGOS 6.2.x Upgrade/Downgrade Guide provides the specific instructions to upgrade or downgrade BCAAA. For more information, see "About the BCAAA Upgrade/Downgrade Process" on page 8. Direct upgrade from SGOS 4.x to SGOS 6.2.x is not supported. If you are upgrading to SGOS 6.2.x from SGOS 4.x and the appliance has previously run SGOS 5.x, the 5.x configuration is applied during upgrade. You must restore the SGOS 4.x configuration settings. The Blue Coat SGOS 6.2.x Upgrade Guide contains this procedure, but continue reading these Release Notes for further upgrade information.

For SGOS 6.2.x, the oldest supported JRE is 1.5.0_15. See "Java Runtime Environment (JRE) Information" on page 9.

To proceed with the upgrade, go to "About Upgrading to this Release" on page 4.

Product Documentation
Access the SGOS 6.2.x product documentation on BlueTouch Online: https://bto.bluecoat.com/documentation/pubs/view/SGOS 6.2.x

Automatic Notification of New Software Releases


To be automatically notified when new ProxySG software releases are available, you can subscribe to the ProxySG and/or SGOS 6 product information channel in the Knowledge Base: 1. Log in to BTO. 2. Go to: Knowledge Base > Product Information > Products > ProxySG or: Knowledge Base > Product Information > OS > SGOS 6 3. Click Subscribe.

Blue Coat SGOS 6.2.x Release Notes

You will then receive email messages to let you know when new software releases are available for download. Click the link in the email to view the KB article. The article will provide you with the following types of information for the new release: the release number, the date the software was posted, highlights of the release, and links to related documentation and training materials.

Support
Frequently asked questions and more information about this release can be found in the Knowledge Base: https://kb.bluecoat.com Direct support questions regarding this release to:
http://www.bluecoat.com/support/contact.html

For questions or comments related directly to these Release Notes, send an e-mail to: documentation.inbox@bluecoat.com

About Upgrading to this Release


After verifying the prerequisites stated in the following sections, read and follow the SGOS 6.2.x Upgrade/Downgrade Guide (https://bto.bluecoat.com/doc/16295). This document provides the process steps required for upgrading to this release, including BCAAA upgrade procedures. Blue Coat also recommends reading the SGOS 6.2.x Feature Change Reference for an explanation of how new features are affected by the upgrade or downgrade process.
Important:

Schedule your upgrade during off-peak hours. If you have ADN configured, upgrade the ADN ManagersPrimary manager and Backup Managerbefore upgrading the ADN nodes.

Upgrade Prerequisites
To upgrade to this release, you must first determine if your hardware platform is supported, and whether you can upgrade directly or must upgrade through an interim release. You must also familiarize yourself with potential upgrade/ downgrade issues.
Important: Before upgrading to SGOS 6.2.x, you must resolve all deprecated policy notices. This is part of the process is described in the SGOS 6.2.x Upgrade/ Downgrade Guide.

Before installing or upgrading to SGOS 6.2.x, perform the following: 1. Determine if SGOS 6.2.x is supported on your hardware platform. See "Supported ProxySG Appliance Platforms" on page 5. 2. Determine your upgrade path. See "Supported Upgrade/Downgrade Paths" on page 5. 3. Understand the BCAAA process. "Upgrading or Downgrading the BCAAA Authentication Service" on page 6.

Blue Coat SGOS 6.2.x Release Notes

4. Understand how licensing works. See "About SGOS 6.x Licenses" on page 9 5. Ensure that your browser has the correct JRE installed. See "Java Runtime Environment (JRE) Information" on page 9. 6. RecommendedLearn about the changes and fixes in the SGOS version you are upgrading to. See "SGOS 6.2.1.1, build 64600" on page 20. 7. RecommendedLearn about third-party product support. See Section G: "SGOS 6.x Support Files and Support for Other Products" on page 39. 8. When you are ready to upgrade a ProxySG appliance, follow the steps in the Blue Coat SGOS 6.2.x Upgrade Guide.

Supported ProxySG Appliance Platforms


The following ProxySG appliance platforms can be upgraded to SGOS 6.2.x:

32-bit platforms: SG210 (except for 210-5) and SG510 64-bit platforms: SG300, SG600, SG810, SG900, SG8100, and SG9000 Virtual appliances: VA-5, VA-10, VA-15, VA-20

Note: The SG210-10 and SG210-25 can run SGOS 6.2 and later, but the SG210-5 is not supported on these SGOS releases. SGOS 6.2 provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.

Supported Upgrade/Downgrade Paths


Before upgrading to SGOS 6.2.x, the ProxySG appliance must be running: SGOS 5.4.6.1 or higher SGOS 5.5.4.1 or higher SGOS 6.1.2.1 or higher

ProxySG VA Upgrade Path

Existing ProxySG VA customers can directly upgrade from SGOS 5.5 to SGOS 6.2. New ProxySG VA customers must first download and install the SGOS 5.5 Virtual Appliance Package (VAP) and then upgrade to SGOS 6.2.x. For details, refer to the ProxySG V Initial Configuration Guide: A https://bto.bluecoat.com/doc/13286

Blue Coat SGOS 6.2.x Release Notes

Figure 11

Upgrade Path

Upgrading or Downgrading the BCAAA Authentication Service


This section describes the supported BCAAA version and upgrade/downgrade requirements.

Required SGOS 6.2.x BCAAA Version


SGOS 6.2.x requires BCAAA version 130 (if you use the BCAAA service). Even if you are already running version 130, be sure to upgrade to the BCAAA version associated with SGOS 6.2.x because it contains a security vulnerability fix. Note that the BCAAA version number is not indicative of code changes within BCAAA, and only reflects changes to the actual protocol itself. The following list describes the platforms that BCAAA can run on to support the specified authentication method (these are not supported directory services):

Integrated Windows Authentication: Windows Server 2008 (32-bit and 64-bit)

Blue Coat SGOS 6.2.x Release Notes

Windows Server 2008 R2 (64-bit) Windows Server 2003 (32-bit and 64-bit) Windows 2000 Server Windows Server 2008 (32-bit and 64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit) Windows Server 2008 (32-bit and 64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit) Solaris 5.8 or 5.9 Windows Server 2008 (32-bit and 64-bit) Windows Server 2008 R2 (64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit) Windows Server 2008 (32-bit and 64-bit) Windows Server 2008 R2 (64-bit) Windows Server 2003 (32-bit and 64-bit) Windows Server 2000 (32-bit)

Oracle COREid version 6.5 and 7.0:

CA eTrust SiteMinder version 5.5 and 6.0:

Windows SSO:

Novell SSO:

BCAAA can run on any hardware as long as the BCAAA sizing requirements are met. When running on a virtual machine, BCAAA has been tested and certified on VMware ESX Server v3.5. The only supported directory service operating systems for the preceding authentication methods are:

Windows Server 2000 Windows Server 2003 Windows Server 2003 R2 Windows Server 2008 Windows Server 2008 R2 Solaris 5.8 and 5.9 (SiteMinder and COREid only)

Blue Coat SGOS 6.2.x Release Notes

Note:

The BCAAA service cannot be installed on Windows NT or on Windows

Vista.

About the BCAAA Upgrade/Downgrade Process


Before upgrading to or downgrading from a release you must first install the BCAAA version required for the release you are migrating to. This procedure is described in the SGOS 6.2.x Upgrade Guide.
WARNING: If you do not install the compatible BCAAA version before upgrading or downgrading, authentication fails and you will not be able to reach the BCAAA server to download a compatible version.

Using Multiple Versions of the BCAAA Service


Accessing ProxySG appliances running different versions of SGOS requires multiple version of the BCAAA service to be installed on your computer. To ensure compatibility between the supported BCAAA version and SGOS version installed on the ProxySG appliance, refer to the following table.
SGOS Version SGOS 4.3.x SGOS 5.1.1.x, SGOS 5.1.2, SGOS 5.1.3, SGOS 5.1.4 SGOS 5.2.x, SGOS 5.3.x SGOS 5.4.x, SGOS 5.5.x, SGOS 6.1.x, 6.2.x Supported BCAAA Version 120 110

120

130 SGOS 5.4.2 and later included a release of BCAAA 130 that added support for Windows Server 2008. The initial version of BCAAA 130 (which shipped with SGOS 5.4.1.x) did not support Windows Server 2008.

Install the lowest version of the BCAAA service first and the highest version of BCAAA last, allowing each version to uninstall the previous version. This process leaves behind the bcaaa.ini and bcaaa-nn.exe files for the lower version.

Notes

Only one listening port is used, no matter how many versions you have installed. The BCAAA service hands off the connection to the appropriate BCAAA version.

Blue Coat SGOS 6.2.x Release Notes

Installation instructions for BCAAA are located in Blue Coat SGOS 6.2 Administration Guide, BCAAA chapter. This document is accessible through your BlueTouch Online account at https://support.bluecoat.com/ documentation/pubs/view/SGOS 6.2.x

For information on support for other products, see "Support for Other Products" on page 39.

BCAAA Disk Space Requirements


The BCAAA files on Windows require less than 10MB of disk space. However, additional space might be required, depending on the features that have been enabled.

If using Windows SSO with Domain Controller Query


Add 256 bytes for each concurrent login. For example, if 1000 users will be concurrently logged in to the Windows domain during peak hours, then this feature requires 256k (256 bytes record * 1000 concurrently logged in users).

If using Novell SSO


Add 256 to 512 bytes for each user concurrently logged in to Novell eDirectory. You only need to count users that are in containers that are monitored by a Novell SSO realm. For Novell SSO, the record length is dependent on the length of each users distinguished name in eDirectory. Users with long distinguished names require extra storage. Because distinguished names have a maximum length of 256 bytes in eDirectory, an individual Novell SSO record will not be larger than 512 bytes.

About SGOS 6.x Licenses


By default, automatic license check is enabled (the Use Auto-Update option is selected on the Maintenance > Licensing > Install tab). This means that the ProxySG appliance automatically checks for license updates upon reboot or once daily for a month before the currently installed license expires. To verify the current ProxySG appliance/SGOS license, navigate to the Maintenance > Licensing > View tab and review the Licensed Components area.
Important:

Upgrading to a SGOS 6.x license from a previous SGOS version is an important step (that also has prerequisite steps) in the software upgrade process. Refer to the Blue Coat SGOS 6.x Upgrade Guide for the Blue Coat-verified procedure.

Java Runtime Environment (JRE) Information


To run the SGOS 6.2.x Management Console, you must install the Oracle Java JRE version 1.5.0_15 or later, including 1.6 (except for 1.6_05, which causes VPM online help problems). JRE 1.4.x is no longer supported. For SGOS 6.2.x, the earliest supported JRE is 1.5.0_15.

Blue Coat SGOS 6.2.x Release Notes

For additional details about downloading JRE, see "Supported JRE Versions" on page 40.

10

Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419

Section B: SGOS 6.2.2.1, build 71419


Release Date: 6/15/2011, build 71419 BCAAA Version: 130 JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05) Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.1.x, 3.2.x, and 3.3.x

SGOS 6.2.2.1 Contents


See the following sections for information on this release.

"Whats New in SGOS 6.2.2.1" on page 11 "Resolved Issues in SGOS 6.2.2.1" on page 12 "Known Issues in SGOS 6.2.2.1" on page 15

Whats New in SGOS 6.2.2.1


SGOS 6.2.2.1 introduces the following new features.

Configure Transparent Tunnel Mode


SGOS 6.2.2.1 includes a new CLI command that allows acceleration of traffic between a concentrator running SGOS 5.4 and a branch peer running 6.2.2.1. Without this configuration, the traffic would not be accelerated because a concentrator running SGOS 5.4 is not able to accelerate fast transparent tunnel (FTT) mode connections from a ProxySG branch appliance running 5.5 or later. With the new CLI command available in SGOS 6.2.2, traffic between a branch appliance running SGOS 6.2.2.1 and a concentrator running SGOS 5.4 can be accelerated; you just need to enable regular transparent tunnel mode on the 6.2.2.1 appliance.
Note:

SGOS 6.1.4.1 also includes support for this feature.

The following table explains the transparent tunnel modes for various combinations of SGOS at the branch and the core.
Branch SGOS 5.4.x 5.5.x 6.1.1 6.1.2 6.1.3 6.2.1 5.4 Concentrator Regular transparent tunnel Traffic cannot be accelerated 5.5 Concentrator Regular transparent tunnel Fast transparent tunnel 6.x Concentrator Regular transparent tunnel Fast transparent tunnel

11

Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419 Branch SGOS 6.1.4 6.2.2 5.4 Concentrator Regular transparent tunnel when connect-transparent enable regular is used on branch appliance 5.5 Concentrator Fast transparent tunnel 6.x Concentrator Fast transparent tunnel

To control the mode, the CLI connect-transparent is extended as follows:

connect-transparent enable

- allows transparent tunnel initiation, and - enables fast transparent tunnel initiation. - enables regular transparent tunnel

defaults to fast mode.


connect-transparent enable fast

connect-transparent enable regular

initiation. The above setting is persisted, even after a reboot.

Resolved Issues in SGOS 6.2.2.1


This release incorporates the bug fixes from the previous SGOS 6.2.1.x releases. The following issues, reported in previous SGOS versions, have been fixed in SGOS 6.2.2.1.

Security Advisory Issues Fixed

OCSP response validation error was fixed in SGOs 6.2.2.1. The ProxySG incorrectly returned an error when validating the certificate chain for the OCSP responder; the error was that the OCSP responders certificate could not be validated. The workaround was to explicitly import and trust the certificate of the CA that signed the OCSP responders certificate. The explicit trust is no longer needed if the CA that signed the OCSP responders certificate is a CA in the certificate chain for the server certificate being validated. (B# 158111). Sensitive information in ProxySG core files was fixed in SGOS 6.2.2.1. See Security Advisory SA56. (https://kb.bluecoat.com/ index?page=content&id=SA56) (B#159036).

ADN

The incorrect setting of send and receive buffers for ADN sockets led to TCP window advertisements, though there was no window update. This issue, now fixed in SGOS 6.2.2.1, manifested in the form of duplicate acknowledgements. (B#158229) Fixed software restart at 0x810002 in Process: "bdc.rtg.ma.BE5B7A10" in Process group: "PG_BDC_ROUTING" due to a heap corruption issue. (SR 2-376638652; B#160638)

12

Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419

Advanced URL

The Advanced URL statistics page for Core Images is fixed to correctly display Customer release instead of Internal customer release. (B#159739)

Authentication

Users can now be logged out by only providing the IP address without the user name. (B#158211) When a user group contained more than 1500 users, the group policy did not match for the users in the group due to an LDAP compare failure. (B#158246) The ProxySG no longer restarts when BCAAA doesnt respond to requests in time. (B#158684) The BCAAA Siteminder Agent no longer inserts the ? character instead of the & symbol when appending variables at the end of URLs. (B#159026) Fixed intermittent login issue with SiteMinder v6.0 SP5 where the user was sent back to the login page after entering the username and password. This issue only affected those who had disabled the Session max timeout setting on the SiteMinder server. Both SGOS and BCAAA have to be updated in order for the ProxySG to correctly handle this setting. (B#159530)

Cache Engine

Fixed the issue with high object store CPU utilization when deleting an object that was currently in use. (SR 2-375692482; B#160479)

CLI Console

The ProxySG no longer restarts due to a missing SSH configuration file that is created upon system initialization. This sometimes happened when two Directors were used to make configuration changes to the ProxySG at the same time. (B#158682)

Content Filtering

Websense URL filter database downloads now complete even when system memory is fragmented. (B#159114)

Encrypted MAPI Proxy

The keep-alive session is terminated after a time interval for service ticket expiration time. (B#158350)

13

Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419

Flash Proxy

The Blue Coat Director now properly represents the live traffic statistics for the Flash protocol. The Statistics > Protocol details > Streaming history > Current Streaming Data for the Flash protocol does not display as zero. (B#161174; SR 2377797322)

HTTP Proxy

Fixed the issue with IE8 on Windows 7, where cached objects were incorrectly flagged as requiring authentication when using Keberos connection-based authentication. (B#159128)

Management Console

The Management Console now shows the correct total streaming statistics for Windows Media. (B#158903)

SSL Proxy

ProxySG is configured to use OCSP to verify revocation status of certificates and has a CRL imported. If ProxySG received an OCSP response from a server that did not include a signing certificate, it could cause the ProxySG to reboot. This issue has been fixed in SGOS 6.2.2.1. (SR 2-369460521, B#158889)

TCP/IP and General Networking

Fixed high interface and CPU utilization that was due to a forwarding loop in a TCP connection-forwarding configuration where there was either active FTP proxy or Endpoint-Mapper configuration and the same configuration installed on two or more ProxySG appliances that are active members of the same cluster group. With the fix, wildcard listeners within the cluster are no longer announced, hence, TCP connection forwarding will not work for the Active FTP data listener or Endpoint-Mapper. (B#160563)

VPM

Installing large VPM-XML no longer causes the VPM Java applet to consume excessive memory and stall the policy installation. (B#159237)

Windows Media Proxy

Fixed an issue in which the ProxySG stopped processing traffic due to improper memory handling which required a restart of the device. (B#158293) Fixed ProxySG restarts in Process "RTSP_Server" when the RTSP Server worker tried to read packets from OCS while Client worker simultaneously received a PAUSE. This applied to RTSP over HTTP. (B#159154)

14

Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419

Known Issues in SGOS 6.2.2.1


Also see issues listed in "Known Issues in SGOS 6.2.1.x" on page 31. The known that have been fixed from the list above have been annotated with the version in which the issue was fixed.

CLI Console

When you enter the show config command, a system restart is triggered if the accelerated PAC files contain invalid UTF8 characters. (B#161169)

DNS Proxy

When you configure a DNS server using IPv6 link-local address, the ProxySG does not respond to DNS requests. (B#158905)

Flash Proxy

Some video files, when streamed from Flash Media Server 4, may not finish correctly and the player may remain in a continuous buffering state after the video ends. For example, the player displays a spinning wheel on top of the video instead of a play button. If the application has a play list, the next video will not start playing automatically; the user will have to start the next video manually. (B#158720) There may be problems caching certain video files delivered via Flash Media Server 3.0. The workaround is to use bypass_cache(yes) policy to prevent caching these videos. (B#158954)

MAPI Proxy

Restart at 0x810002 in Process: "rpc.658/192.168.0.165:2475" in Keep-Alive logic when the proxy is downgraded to the batching only mode where KeepAlive is not supported. Outlook 2003 and 2000 do not have this behavior because they do not send multiple outstanding RPC Requests simultaneously. (B#161116; SR 2-374193623)

Policy
The ProxySG fails to match the policy request.header.cookie="sslallow" at CI checkpoint when apparent data type policy is present. (B#160176)
action.red(yes)

The workaround is to add a force_exception(policy_redirect, , ) action after the action.red(yes) action. This is only required when a policy condition depends on a server response, for example when high performance malware scanning is enabled. For example:
<proxy> condition=sslallow request.header.cookie="sslallow" action.rewtohttps(yes)

15

Blue Coat SGOS 6.2.x Release Notes Section B: SGOS 6.2.2.1, build 71419
request.header.cookie="sslallow" action.red(yes) force_exception(policy_redirect,"","")

TCP/IP and General Networking

Having both trust-destination-mac and return-to-sender outbound enabled creates a routing issue that causes HTTP traffic to fail. The current workaround is to disable RTS outbound or to disable trust-destination-mac on the bridge. (B#158573)

VPM

The VPM IPv6 subnet evaluation for the url.address= policy does not permit certain valid IPv6 network addresses. The workaround is to create via local policy. (B#159993, SR 2-371139652)

16

Blue Coat SGOS 6.2.x Release Notes Section C: SGOS 6.2.1.4, build 71203

Section C: SGOS 6.2.1.4, build 71203


Release Date: 6/10/2011, build 71203 BCAAA Version: 130 JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05) Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.1.x, 3.2.x, and 3.3.x

Resolved Issue in SGOS 6.2.1.4


Fixed an HDD RMA issue in SG 300/600/900/9000. Without the fix, the ProxySG ignores newly inserted unformatted drives. Blue Coat recommends that customers of these models, running a 6.2.1 release below 6.2.1.4, upgrade to SGOS 6.2.1.4 so they will not encounter this issue if its necessary to replace a drive. Make sure to power off your system after the upgrade to 6.2.1.4, prior to inserting the new drive (900 or 9000), or do a restart regular. (B#167094)

17

Blue Coat SGOS 6.2.x Release Notes Section D: SGOS 6.2.1.3, build 66659

Section D: SGOS 6.2.1.3, build 66659


Release Date: 5/12/2011, build 66659 BCAAA Version: 130 JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05) Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.1.x, 3.2.x, and 3.3.x

SGOS 6.2.1.3 Contents


See the following sections for information on this release.

"Whats New in 6.2.1.3" on page 18 "Resolved Issues in 6.2.1.3" on page 19 "Known Issues in SGOS 6.2.1.3" on page 19

Whats New in 6.2.1.3 Support for New ProxySG Platforms


SGOS 6.2.1.3 and higher versions include support for the SG 900 and the newest SG 9000 models: the SG 9000-30 and SG 9000-40. Note that all multi-disk appliances that are manufactured with SGOS 6.2 have increased object limits enabled by default. See "Increased Object Store Capacity" on page 23 for details.
WARNING! If you fail to use the disk decrease-object-limit command before downgrading to a pre-6.2 release, all data and settings will be lost after the downgrade.

Licensing Enhancements

For SG 300, SG 600, SG 900, and SG 9000 systems, license limits for concurrent users when ADN is enabled have been raised to equal the limits when ADN is not enabled. The one exception is the 300-5 model, which still maintains limits of 30 (without ADN) and 10 (with ADN). For WAN optimization deployments, Blue Coat recommends purchasing a ProxySG model based on the maximum number of client connections it needs to support, not the maximum number of users, since the connection limit is likely to be reached first; your channel partner SE or local Blue Coat SE can assist you with WAN optimization connection counts and sizing for your specific needs.

18

Blue Coat SGOS 6.2.x Release Notes Section D: SGOS 6.2.1.3, build 66659

Beginning May 21, Blue Coat is granting software SSL licenses for all SG 300, SG 600, SG 900, and SG 9000 systems, including systems previously sold. These licenses will be available to customers the next time their appliances connect with the Blue Coat licensing server. Rollout is scheduled to begin May 21, 2011 and will automatically take effect over the course of the following 30 days for most installed appliances. Customers wishing to enable this capability sooner can receive the updated licenses by directing their appliance to contact the licensing server any time after May 21.

Resolved Issues in 6.2.1.3


This release incorporates the bug fixes from SGOS 6.2.1.1. The following issues, reported in previous SGOS versions, have been fixed in SGOS 6.2.1.3.

TCP/IP and General Networking

SG 900/9000 no longer restarts when trying to re-allocate a host route for an IPv6 gateway route. (B#158846)

CLI Console

On multi-processor systems, the output of a CLI command sent through an SSH connection to the ProxySG no longer causes the SSH connection to hang. (B#158738, SR 2-370506110)

Content Filtering

Fixed the issue in which the ProxySG entered a state where it stopped the incremental updating of its local BCWF database. While the ProxySG was in this state, the application filtering information was unavailable. (B#159010)

CIFS Proxy

Fixed the software restart at 0x30000 in Process: "CIFS::Worker: Connection 9 (running)" when the OCS doesn't support the "NT LM 0.12" dialect. (B#159259, SR 2-371491907)

Active Session

Fixed the software restart at 0x11 in Process in "kernel.exe" at .text+0x24a89. Watchdog occurring while services admin is calling the active session module. (B#159313, SR 2-371805601, 2-371854318)

Known Issues in SGOS 6.2.1.3


See issues listed in "Known Issues in SGOS 6.2.1.x" on page 31.

19

Blue Coat SGOS 6.2.x Release Notes Section E: SGOS 6.2.1.1, build 64600

Section E: SGOS 6.2.1.1, build 64600


Release Date: 4/28/2011, build 64600 BCAAA Version: 130 JRE Version: 1.5.0_15 and later, 1.6 (except 1.6_05) Compatible with: SGME 5.5.x, Reporter 8.x and 9.x, ProxyAV 3.x, and ProxyClient 3.1.x, 3.2.x, and 3.3.x

SGOS 6.2.1.1 Contents


See the following sections for information on this release.

"New WebGuide Available" "New Features in SGOS 6.2.1.1" "Resolved Issues in SGOS 6.2.1.1" on page 26 "Security Advisories" on page 30 "Known Issues in SGOS 6.2.1.x" on page 31 "Deprecations" on page 36

New WebGuide Available


Debuting with SGOS 6.2 is the new Acceleration WebGuide. This WebGuide, posted on BTO, is the one-stop resource for acceleration documentation. It contains conceptual information related to WAN optimization, explains how to deploy ProxySG appliances in an application delivery network, and provides solutions on how to use the proxies to achieve different goals: accelerating applications, improving the quality of streaming media, reducing bandwidth usage, and optimizing users Web experience. To view the WebGuide in your browser, click the following link: https://bto.bluecoat.com/sgos/ProxySG/Acceleration_WebGuide/ Acceleration_WebGuide.htm

New Features in SGOS 6.2.1.1


SGOS 6.2.1.1 introduces the following new features.

Acceleration of Encrypted MAPI


This feature provides the ability to transparently accelerate encrypted MAPI traffic between the Outlook client and the Exchange server. The ability to decrypt and encrypt MAPI is transparent to the user, with no knowledge of the user's password. Enabling optimization of the encrypted MAPI protocol requires that you perform a series of tasks on the Domain Controller, the branch ProxySG appliance, and the Concentrator. If these tasks are not performed, the ProxySG appliance tunnels MAPI traffic without optimization.

20

Blue Coat SGOS 6.2.x Release Notes

An SSL license is required for secure ADN on the Branch and the Concentrator peers. The following table illustrates which versions of Microsoft Outlook and Exchange are supported by a particular version of MAPI.
Exchange 2003 Outlook 2003 Outlook 2007* Outlook 2010* MAPI 2003 MAPI 2003 MAPI 2003 Exchange 2007 MAPI 2003 MAPI 2007 MAPI 2007 Exchange 2010* MAPI 2003 MAPI 2007 MAPI 2010

*MAPI encryption enabled by default

For More Information


For feature requirements, limitations, and configuration steps, see Blue Coat SGOS 6.2 Administration Guide, Accelerating the Microsoft Outlook Application chapter. You can also display the Configuration > Proxy Settings > MAPI Proxy tab and click Help.

Caching of Flash Video-on-Demand Content


This feature implements the caching of video-on-demand (VOD) content delivered over Real Time Messaging Protocol (RTMP). As Flash clients stream pre-recorded content from the origin content server (OCS) through the ProxySG, the content is cached on the appliance. After content gets cached on the ProxySG, subsequent requests for the cached portions are served from the appliance; uncached portions are fetched from the OCS. By caching pre-recorded video files and playing subsequent requests from the cache, the ProxySGs Flash proxy can save significant bandwidth. Flash VOD caching requires the Flash streaming proxy license; this is the same license used for Flash splitting.

For More Information


For feature requirements and configuration steps, see Blue Coat SGOS 6.2 Administration Guide, Managing Streaming Media chapter. You can also display the Configuration > Proxy Settings > Streaming Proxies > Flash tab and click Help.

Application Filtering
With the new application filtering policy, you can filter content by Web application and/or specific operations or actions done within those applications. For example, you can create policy to allow users to post comments and chat in Facebook, but block uploading of pictures and videos. The two CPL conditions that allow you to create application filtering policy are:
url.application.name=NAME url.application.operation=OPERATION

21

Blue Coat SGOS 6.2.x Release Notes

where NAME is the exact spelling, spacing, and punctuation listed in the view applications CLI output, and OPERATION is the exact specification listed in the view operations output. Note that the application names and operations are NOT case sensitive. These conditions are not currently available in the VPM, so you will need to use CPL to update your existing policy file with the application filtering conditions you want to implement. This feature requires that you have a valid Blue Coat Web Filter (BCWF) license, which is available for no additional charge to current BCWF customers.

For More Information


For several examples on creating policy for application filtering, see Blue Coat SGOS 6.2 Administration Guide, Filtering Web Content chapter.

ADN Last Peer Detection


In transparent ADN deployments where branch office traffic goes through multiple concentrators on its way to and from an origin content server (OCS), you will want to ensure that the ADN tunnel extends across the entire path, allowing the ADN traffic to be optimized from end to end. To achieve this benefit, you enable the last peer detection feature on the intermediate concentrators. This feature sends out probes to locate the last qualified peerthe upstream concentrator that is closest to the connections destination address; this ProxySG must have a valid SSL license when securing ADN. An ADN tunnel is formed between the branch ProxySG and the last peer enroute to the OCS. If there is a concentrator in the path that does not support last peer detection or has it disabled, the transparent tunnel is formed with that concentrator. Without this feature, the ADN tunnel ends at the first qualified concentrator in the path. The traffic is optimized over this partial segment of the path to the origin content server (OCS). Traffic is not optimized over the rest of the path to the OCS.

For More Information


For supported ADN deployments, limitations, and configuration steps, see Blue Coat SGOS 6.2 Administration Guide, Configuring an Application Delivery Network chapter. You can also display the Configuration > ADN > Tunneling > Connection tab and click Help.

New Acceleration Reports in Blue Coat Sky


The Blue Coat Sky user interface offers five new acceleration reports, as well as additional panels for proxy configuration. You can print these reports using the new Print Preview feature. In addition, you can export the report data to comma separated values (CSV) format to analyze it in Microsoft Excel or in other applications capable of importing CSV.

For More Information


See the Blue Coat Sky v6.2.x Release Notes.

22

Blue Coat SGOS 6.2.x Release Notes

You can also click the help icon any of the reports or panels.

in Blue Coat Sky for context-sensitive help on

Increased Object Store Capacity


All multi-disk systems that are manufactured with SGOS 6.2 have an increased object capacity; you can get this extra capacity on other multi-disk systems by initiating the disk increase-object-limit command after upgrading to 6.2. The disks are re-initialized in a format that is not compatible with SGOS releases prior to 6.2. If your disks have the increased object capacity, you must use the disk decreaseobject-limit command before downgrading to a pre-6.2 release. This command preserves the configuration, registry settings, policy, licensing files, and the appliance birth certificate; it does not retain cache contents, access logs, event log, and sysinfo snapshots. Pre-6.2 images that are incompatible due to the increased object store limit will be marked as such, and will not be automatically selected for boot, unless the disk capacity has been downgraded beforehand. Incompatible images may be manually selected with the "force" option at boot; however, this will result in all data and settings being lost.
WARNING! If you fail to use the disk decrease-object-limit command before downgrading to a pre-6.2 release, all data and settings will be lost after the downgrade.

Separate Controls for Enabling Byte Caching and Compression


For each service, you can now independently control whether byte caching and compression are enabled. Previously, there were a single optimization setting that enabled both features. In cases where byte caching may not provide significant bandwidth gain for an ADN deployment, you can turn off the Enable byte caching option and just use compression (or vice versa). If you know the traffic for this proxy is already compressed or encrypted, you can conserve resources by clearing the Enable byte caching and Enable compression options. These options are available when editing a proxy service (Configuration > Services > Proxy Services > Edit Service). In the command-line interface, the adn-optimize CLI command has been replaced by the adn-byte-cache and adn-compress commands.

For More Information


For upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference. For CLI syntax, see the SGOS 6.2 Command Line Interface Reference.

Change in Default Setting for Adaptive Compression


All new 64-bit ProxySG platforms that are manufactured or remanufactured with the SGOS 6.2 release have adaptive compression enabled by default. In the case of an upgrade to SGOS 6.2, the setting matches the configuration before the upgrade. For example, if adaptive compression was disabled in SGOS 6.1, it will be disabled after upgrading to SGOS 6.2.

23

Blue Coat SGOS 6.2.x Release Notes

For More Information


For upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference.

Adaptive Byte Caching


Starting in SGOS 6.2, ADN uses an adaptive byte caching mechanism that automatically adjusts byte caching to the amount of disk I/O latency the ProxySG is experiencing. As a ProxySG handles increasing traffic loads, disk I/O can increase. In these situations, ADN evaluates the efficacy of byte caching and adaptively throttles disk reads and writes to the byte cache in order to maximize throughput.

Separate Controls for Client IP Reflection on ADN Concentrators


SGOS 6.2 offers independent controls for configuring how the Concentrator peer handles client IP reflection requests from ProxySG peers versus ProxyClient peers. For example, you can have the Concentrator reject client IP reflection requests from ProxyClient peers but allow them from ProxySG peers. In previous releases, when the Concentrator was configured to deny reflect client IP requests from branch peers, there was a special hard-coded override that always used the Concentrators local IP address for ProxyClient tunnel connections; if reflect client IP was set to allow, then the client IP would be reflected.

For More Information


For upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference.

Report Changes
SGOS 6.2 adds granularity to the Traffic Mix report. On the ADN concentrator, the Traffic Mix report previously combined all the inbound ADN traffic into the InboundADN service or the InboundADN proxy bucket. For traffic generated in 6.2, the inbound ADN is now categorized into the various granular service or proxy buckets, but for traffic generated on prior releases, the inbound ADN is not categorized. Thus, the Traffic Mix report now shows inbound ADN traffic broken down into specific categories of traffic. In addition, the ProxySG is able to store certain report data in five-second increments over the last five minutes and 15-minute increments over the last 24 hours; this data provides increased granularity in reports. (Note that the Advanced Management Console does not currently offer reports that graph the last five minutesthese reports are available in the Blue Coat Sky UI.) As a consequence of this change, the above fine granular trend data is not available before the upgrade to SGOS 6.2 for Traffic History reports. If you view the Traffic History report for the last day, there will be no data points for the time before the upgrade.

24

Blue Coat SGOS 6.2.x Release Notes

Changes to Access Log Formats


A new streaming log format is introduced in SGOS 6.2, bcreporterstreaming_v1; this format is the default on new systems. The legacy streaming log format, streaming, is used on upgrades to SGOS 6.2. The existing bcreportermain_v1 format contains new fields to support the application filtering feature.

For More Information


For a list of the fields in each of these formats, see Blue Coat SGOS 6.2 Administration Guide, Creating Custom Access Log Formats chapter. For upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference.

SMTP Server Configuration


New CLI commands are available for configuring the SMTP server that the ProxySG uses for emailing notifications. In addition, the server port is now userconfigurable; previously, it was hard-coded to port 25.
#(config smtp) server {domainname | ip-address} [port] #(config smtp) from from-address #(config smtp) view # show smtp

With the introduction of the smtp subcommands, the following event-log CLI commands are deprecated:
#(config event-log) mail smtp-gateway {domain_name | ip_address} #(config event-log) mail from from_address #(config event-log) mail no smtp-gateway

For More Information


See "Deprecations" on page 36. For CLI syntax, see the SGOS 6.2 Command Line Interface Reference. For upgrading and downgrading impacts related to this feature, see the SGOS 6.2.x Upgrade/Downgrade Feature Change Reference.

Security Enhancement / Behavior Change


SGOS 6.2 introduces a change in behavior with regard to the re-activation of a user account after it has been locked out due to excessive failed authentication attempts. Starting in 6.2, the lockout period is reset on each failed authentication attempt in the local ream; accounts are re-enabled according to the following calculation: time_of_last_failed_login_attempt + lockout_duration. In previous SGOS versions, accounts were re-enabled at time_account_was_locked_out + lockout_duration. This security enhancement potentially lengthens the length of time a user is locked out. The default value of the lockout duration can be changed with the lockout_duration CLI command. (B#150228)

25

Blue Coat SGOS 6.2.x Release Notes

Resolved Issues in SGOS 6.2.1.1


This release incorporates the bug fixes from SGOS 6.1.3, 5.5.4.1, and 5.4.6.1. The following issues, reported in previous SGOS versions, have been fixed in SGOS 6.2.1.1.

Access Logging

Fixed internal issue where created FTP file name is not unique. (B#152506)

Authentication

LDAP authentication no longer fails with the error Could not determine full user name. (B#154899, SR 2-352888122)

Caching

Fixed the issue with stale client connections that sometimes occurred when multiple concurrent connections requested an object larger than 500KB whose response header did not contain content-length information, and was not chunked-encoded. (B#145695, SR 2-317195422) A single cache object can now be deleted via advanced URL. (B#151629, SR 2341552592)

CLI Console

Fixed the Exception: 0x40006 (CEA_OUT_OF_FREE_CACHE_BLOCKS) in Process "CEA Cache Administrator" in "" at .text+0x0. (B#149084, SR 2-330536732) The ProxySG appliance no longer closes the SSH session towards Director during the course of a session. (B#148892, SRs 2-329586429, 2-330623511, 2330669152, 2-330816212) Fixed the issue in which Web management console requests that required very large responses caused the appliance to run out of memory and restart. (B#149084, SR 2-330536732)

DNS Proxy

The links to view and delete DNS entries in the MC now work properly. (B#145809)

Event Logging

Taking a disk offline that has the main copy of the event log no longer results in an empty log. (B#141593)

26

Blue Coat SGOS 6.2.x Release Notes

Flash Proxy

When available bandwidth between the ProxySG appliance and OCS was insufficient, the playback experience for live streams was suboptimal. This issue has been fixed. (B#153929, SR 2-345163102) Video no longer stutters when viewing live news and other channels on www.rtve.es. (B#153921, SR 2-346602532) Fixed the issue in which a worker client connection might leak if the connection closed abruptly without finishing the initial handshake. (B#143303) The Configuration > Access Logging > General > Default Logging tab no longer displays none for Flash streaming. (B#143817) When playing audio-only live streams using version 10.1 of the Adobe Flash plugin, users no longer experience missing audio after a certain sequence of play/pause operations. (B#144180) When Flash Media Server is configured to use the AutoCloseIdleClients option, it no longer times out client connections accessing a live stream that is being split at the ProxySG. (B#141802) In a proxy chaining scenario, pausing a live stream no longer hangs the Flash application on the client end. When communicating with the Flash Media Server, if using HTTP/1.0 or nonpersistent connections, the Flash player no longer hangs. (B#152042)

HTTP Proxy

Fixed the issue in which denied requests appeared in the access log as TCP_ERR_MISS if a policy was defined to check response headers. (B#152503) YouTube videos can now be downloaded on an iPhone routed through a proxy. (B#150742, SR 2-337673439) Fixed the HTTP performance issue on the SG 9000-20. (B#151062, SR 2-339570243) The client worker no longer enters tunnel-on-error mode when both the client worker and server worker access the server socket. (B#150226, SRs 2-336369312, 2-338831809) Internet Explore 6 clients are now able to use Siebel 8 while proxied through the ProxySG appliance. (B#145241) When the ProxySG appliance has URL rewrite policy to rewrite request.header.Referer and request.header.Location, it no longer sends a Zero-chunk block twice when the response is chunk encoded data. (B#144623, SR 2-291847282) The ProxySG appliance now serves the cached copy when the client sends a request for a non-standard accept-encoding, such as x-gzip, and the object is already cached. (B#144684, SR 2-318001457)

27

Blue Coat SGOS 6.2.x Release Notes

IPv6

Fixed the issue that occurred when the local category database contained an IPv4 address, and the DNS lookup from the ProxySG appliance was always IPv4-only, regardless of the policy setting. (B#145286, SR 2-307821662)

Kernel

Fixed the issue with 64-bit platforms hanging while running Windows Media Streaming for video on-demand traffic. (B#152141)

Malware Scanning (ICAP)

When the server sends a compressed object and the ICAP server decides that the object needs to be replaced, the ProxySG appliance now sends a complete response to the client. (B#145318, SR 2-317171186)

Management Console

The advanced URL links in the Management Console now display in Firefox. (B#152185) The Proxied/Errored Sessions on the Active Sessions tab now sort correctly. (B#143988) The Configuration > Network > Adapters > Configure page now properly displays the link speed when a 10GB is installed in the ProxySG appliance. (B#145212)

Networking

The show attack-detection view connection now shows the connection count. (B#152374) For all intercepted inbound connections in a serial in-line failover configuration, the ProxySG now always replies to the client's MAC address and not the router's. (B#152461) The ProxySG appliance no longer restarts while handling fragmented and bad TCP checksum packets. (B#155873, SR 2-356001812, 2-357640952) A memory leak on the concentrator with HTTP over ADN traffic no longer causes the ProxySG appliance to restart. (B#151619, SR 2-355195770) Installing a static route or RIP route that overlaps with the interface route on the ProxySG appliance no longer cause pings to hosts on the same subnet or hosts through gateway route to fail. (B#144441) The ProxySG no longer restarts if bandwidth management was disabled while the system was under heavy load. (B#144958, SR 2-302190883) Fixed issues with bypass configuration. Setting to trigger on connect-error now works properly, and SGOS adds addresses to the dynamic bypass list. (B#145125)

28

Blue Coat SGOS 6.2.x Release Notes

The show configuration command now lists the mode for a failover group. (B#145609) TCP connections for misbehaving servers that do not properly close the connection no longer leave the connection open for an extended period of time. (B#145817, SR 2-320946712) Advertisements addressed to one SGRP group are not processed by other groups. With this fix, the backup ProxySG appliance no longer becomes the master when it isnt actually needed. (B#144800, SR 2-301696882)

Platform-Specific
SG9000

There is no longer a delay with the SG9000 front panel display during initial configuration. (B#137016) Fixed the configuration issue with 10GB interfaces; the CLI, Management Console, and Sky UI do not allow the speed of these interfaces to be adjusted. (B#145218)

Policy

Authentication policy checking user or realm now work reliability when ICAP is set to trickle mode. (B#148991, SR 2-327392552)

Security

BCAAA stack overflow vulnerability fixed. See Security Advisory SA55. (https://kb.bluecoat.com/index?page=content&id=SA55) Note: Because BCAAA for SGOS 6.2.x contains a security vulnerability fix, be sure to upgrade BCAAA even if you are already running version 130.

If the ProxySG appliance is not connected to the network, the restoredefaults factory-defaults operation no longer deletes the appliance factory certificate. (B#144621)

SNMP

Values for the ipNetToNetAddress entries of the ipNetTo table are now reported in the correct order, when snmpwalk or snmpget commands are run. (B#152232)

29

Blue Coat SGOS 6.2.x Release Notes

SSL Proxy

Using Windows 7 and IE 8 with TLS1.2, the FIN is sent back to the client; previously, the ProxySG appliance reset user connections and the OCS connection after getting the FIN from the OCS with TLS 1.2, resulting in a page cannot display error message on users screens. (B#148147, SR 2-334052225)

Streaming

In a proxy chaining deployment, there are no dangling connections after playing a VOD stream until the end of the stream through RTSP. (B#145118)

Timezones and NTP

Updated Timezons.tar with the latest changes in DST for Sao Paulo, Brazil. (B#155961, SR 2-355283652)

Visual Policy Manager (VPM)

Fixed the issue in which invalid ciphers displayed in the "Add Client Negotiated Cipher Object" window. (B#150306, SR 2-336439452) When rules are moved up and down, text in the Comments column is no longer deleted. (B#139384)

WCCP

Applying server side bandwidth management policy now functions correctly in WCCP deployments. (B#142616)

Security Advisories
To see if there are any Security Advisories that apply to the version of SGOS you are running, go to: https://kb.bluecoat.com/index?page=content&channel=SECURITY_ALERTS New advisories are published as security vulnerabilities are discovered and fixed.

30

Blue Coat SGOS 6.2.x Release Notes

Known Issues in SGOS 6.2.1.x


At the time of production, Blue Coat knows of the following issues.

ADN

A Branch peer running a release prior to SGOS 5.5.4 will not be able to form transparent tunnels with a Concentrator peer running 6.2 (or above). The Branch peer must be running SGOS 5.5.4 or higher.

Advanced URL

The Advanced URL statistics page for Core Images shows Internal customer release instead of Customer release. (B#159739; fixed in 6.2.2.1)

Authentication

The ProxySG resets when BCAAA does not respond to requests in time. (SR 2-360160382; B#156674; fixed as B#158684 in 6.2.2.1) BCAAA installs an expired CA Cert PEM. (B#148682) Users cannot be logged out by using the user-logins logout URL without providing the user name. (SR 2-355213592; B#155631; fixed in 6.2.2.1)

CIFS

The show cifs CLI command does not work if the URL contains spaces, even when the URL is enclosed in quotation marks. The workaround is to replace any spaces with %20. (B#155626)

Content Filtering

If the view applications CLI command does not display a list of the supported application names, its possible that your ProxySG has entered a state where it has stopped the incremental updating of its local BCWF database. While the ProxySG is in this state, the application filtering information is unavailable. The regular content categorization is still functional but is using a database that is not up-to-the-minute current. (B#159010fixed in SGOS 6.2.1.3) To restore the regular update cycle and the application filtering functionality, enter the following commands in the CLI:
#(config content-filter)provider bluecoat disable #(config bluecoat)purge #(config content-filter)provider bluecoat enable #(config bluecoat)download get-now

31

Blue Coat SGOS 6.2.x Release Notes

Since application name and operation were introduced into the bcreportermain_v1 log format with the Prowl release, use of that format by an access log may now cause CPU usage to increase by up to 5%. If this is undesirable, create a custom access log format that excludes these new fields. (B#157661)

Encrypted MAPI
Encrypted MAPI acceleration on the ProxySG has the following limitations:

Encrypted and plain MAPI traffic may be bypassed if 64-bit Exchange enterprise and Outlook clients are used. (B#156424) Outlook users must belong to the same domain as the Exchange server and the ProxySG. Multi-domain support is not available in this release. (B#158870) Outlook establishes NTLM connections with Exchange Server over Load Balanced Client Access Array solutions. NTLM connections are tunneled by the ProxySG appliance. Workaround: enable Kerberos support for Load Balanced solutions. (B#155098)

Flash Proxy

Dynamic streaming (play2) may cause video playback to stop in heavily bandwidth-constrained environments when a hierarchy of ProxySG appliances are caching the video. (B#156892, #156896) For Flash video clients that use pauses while seeking, such as Yahoo video, a ProxySG may not be able to cache content or play content from cache after a seek. (B#156268) For some Flash client/server application combinations, playback may freeze after doing a seek. To solve this problem, simply perform another seek and playback should resume. (B#157785) Some video files, when streamed from Flash Media Server 4, may not finish correctly and the player may remain in a continuous buffering state after the video ends. If the video is part of a playlist, the next video might not start playing; if this happens, you can manually play the next video. (B#158720) Advanced functionality, such as stream publishing, may not work optimally through the ProxySG. The ProxySG may have problems caching certain video files delivered via FMS version 3.0.x. The workaround is to use bypass_cache(yes) policy to prevent caching these videos. (B#158954)

HTTP Proxy

There is an issue downloading some YouTube objects via the ProxySG onto an iPhone. The workaround for this issue is to disable client side persistence. (B#155291)

32

Blue Coat SGOS 6.2.x Release Notes

When writing a policy to block a host found in an HTTP request and using the setting Trust Destination IP, some requests may not be blocked. A workaround is to use the resolved IP address for the host you want to block. (B#154935) Software restart in Process "HTTP Waiting Room" in "http.dll" at .text+0x93df7. (SR 2-358661832, 2-360499632; B#156140) When using WebFTP through the ProxySG appliance using a transparent setup with reflect client IP, FTP communications in active mode will not complete. Workaround: Use passive mode or disable reflect client IP. (B#145300) When accessing the advanced URL for the HTTP debug log and trying to delete an ICAP service, sometimes the service is not deleted. Please retry after the debug log has been downloaded fully from the browser. (B#147373) When the Clientless Limits feature is enabled and many clientless requests are in a deferred status, disabling the limit configuration might cause the ProxySG appliance to restart. To prevent, do not disable the limits when more than one thousand request are deferred. (B#143016)

ICAP

With ICAP and Patience pages both configured and downloading a file, the Save As dialog is not prompted with IE-8.0.6001.18702 and IE 7.0.5730.13. Blue Coat recommends using trickling. (B#151088)

IPv6

In an IPv6-only network (no IPv4 connections to the ProxySG appliance) with RCIP disabled, the ProxySG appliance requires the server_url.dns_lookup prefer-ipv6 policy to successfully resolve IPv6 DNS requests. (B#143668) DSCP over IPv6 is not yet supported. (B#143787)

Management Console

The Management Console (Statistics > Protocol Details > Streaming History) is not showing the correct values for Windows Media total streaming statistics. To get the accurate statistics, use the following advanced URL:
https://<ProxySG-IP>:8082/MMS/statistics

(B#158903; fixed in SGOS 6.2.2.1)

The default URL for the malware scanning policy update is not shown in the Management Console (Configuration > Threat Protection > Malware Scanning > Update malware scanning policy). You will need to type in the URL manually (https://bto.bluecoat.com/download/modules/security/SGv6/ threatprotection.tar.gz) and perform the update by clicking the Install button. Alternatively, you can update policy with the threat-protection CLI command. See the SGOS 6.2 Command Line Interface Reference for details on using this command. (B#158970)

33

Blue Coat SGOS 6.2.x Release Notes

MAPI Proxy

Endpoint Mapper does not restrict source IP for secondary MAPI connection interception. Workaround: add the IP address to the static bypass list. (B#154100) Encrypted MAPI connections are bypassed when Outlook generates the user name in User Principal Name format (username@domain). This issue does not occur when the user name is specified in "Down-Level Logon Name" format (domainname\username). (B#157163) Domain controllers have group policies that define the Kerberos service ticket lifetime. To decrypt/encrypt MAPI traffic, the MAPI proxy negotiates the Kerberos security context that expires after the service ticket lifetime is reached; the core ProxySG resets encrypted MAPI connections once this ticket lifetime is reached. (B#158350; fixed in SGOS 6.2.2.1)

Platform-Specific
SG210-5

The SG210-5 is not supported on SGOS 6.2 or higher because this release provides new features and capabilities that require more system resources than available on the SG210-5. The SG210-5 continues to be supported on the SGOS 6.1.x releases. Please contact your sales teams for upgrade options.

SG300 in trial mode

When installing a new license on a ProxySG 300 in trial mode to increase the limits for HTTP connections, the ProxySG appliance must be restarted before the new limits take effect. (B#153815)

SG9000

If an onboard nVidia network interface on the SG9000 platform is configured to auto-negotiate and the device it is connected to is set to 100/full, there is a possibility that the interface will lock up. Once the NIC gets into this state, a power cycle is required to get the NIC back to a functional state. This is a hardware issue nVidia has documented. To resolve this issue, reconfigure the ProxySGs NIC and the external devices NIC to auto-negotiate or to matching speed/duplex settings. Note that this is the recommended configuration for Gigabit interfaces. (B#144158, SR 2-313781541)

ProxySG VA

Under rare circumstances, the ProxySG VA can issue spurious Watchdogs exceptions. There is no unique signature to this failure the appliance will fail with HWE 0x11 and SWE 0x02. This failure usually occurs after the product has experienced a period of load, followed by a sustained idle period. (B#157534)

34

Blue Coat SGOS 6.2.x Release Notes

Services

During high load, a watchdog timeout may be encountered in services admin due to internal locking issues. (B#158567)

TCP/IP and General Networking

In a software bridge with two interfaces attached and Propagate Failure enabled, when one of the interfaces goes down, the other interface also goes downas seen on the device LEDs. (They do not glow for either interface.) However, the Management Console and the show bridge config CLI output show that the link is connected, even though it is not. In addition, when the CLI is reporting this misinformation, event logs will also be generated in the following format:
2011-04-22 20:55:14-00:00UTC "Interface Health Check: Interface 1:2 is up." 0 30209:1 event_logger.cpp:31

This issue is seen only on the Broadcom NICs (integrated or option). (B#154604)

An extraordinarily large connection forwarding table might cause the ProxySG appliance to stop responding to management console requests. (B#144396). For very high bandwidth-delay links using the SCPS feature, it may be necessary to manually set the ADN window size to maximize throughput. Consider manually increasing the ADN window size with satellite links that have more than 14 Mbps of available bandwidth. Note that the ProxySG needs to be restarted for the window size setting to take effect. (B#153174) On the ProxySG 9000-20, CPU3 runs at 100% due to IP fragmentation. (B#151889) Workaround: See Knowledge Base solution 3790 (https://kb.bluecoat.com/ index?page=content&id=KB3790). Link propagation on the optional Intel fiber card: One of the interface remains down while the other interface fluctuates between up and down states; this is triggered when link propagation is enabled on the fiber card and one interface that is part of the bridge losses link and the other does not. (B#150676) After executing a "restore-defaults keep-console," the bridge settings are not preserved on the ProxySG 300, 600, and 9000 platforms. (B#158649) When Bypass Keep-Alive is enabled, only the bypassed connections that are received after it is enabled apply; pre-existing connections continue to exist without sending keep-alive. (B#144923)

SOCKS Proxy

SOCKS services are unavailable on MACH5 licensed ProxySG appliance deployments. (B#152664)

35

Blue Coat SGOS 6.2.x Release Notes

SSL Proxy

The certificate revocation list (CRL) from Comodo (http://crl.comodo.net/ UTN-USERFirst-Hardware.crl) can cause the ProxySG to reset when doing certificate verification; Blue Coat recommends that this CRL not be loaded into the ProxySG. (B#158889)

Virtual Appliance

When the ProxySG VA is under a heavy load and has high RAM usage, the memory alarm might trigger in vCenter Server. Since the ProxySG VA has its own health monitoring system for memory state, you might want to disable the memory alarm in vCenter. (B#147090)

Visual Policy Manager (VPM)

Installing large VPM-XML causes the VPM Java applet to consume excessive memory and stalls the policy installation. (B#157623; fixed in SGOS 6.2.2.1)

Windows Media Proxy

The ProxySG appliance fails to play video files with more than 200 KB SDP header. (B#152909)

Yahoo Instant Messaging

Explicit/SOCKS connection through the ProxySG appliance with Yahoo 8.1 clients: file transfer are successful but no statistics representing as such. (B#141470)

Deprecations
The following CPL properties and CLI commands have been deprecated.

CPL Properties
In the ftp.server_data( ) CPL property, the port and pasv arguments have been deprecated. If you install existing policy with these arguments, they will automatically get converted to active and passive.

CLI Commands
event-log
The following event-log CLI commands are deprecated:
#(config event-log) mail smtp-gateway {domain_name | ip_address} #(config event-log) mail from from_address #(config event-log) mail no smtp-gateway

36

Blue Coat SGOS 6.2.x Release Notes

proxy-processing
The proxy processing feature was deprecated starting with SGOS v5.5. In SGOS v6.1.2, the Proxy Processing tab was removed from the Management Console, but the feature can still be configured via the CLI. Since proxy processing will be completely removed from an SGOS release in the future, Blue Coat recommends that you discontinue using this feature and deploy a separate secure web gateway to handle proxy processing. The following CLI command is deprecated:
# (config adn tunnel) proxy-processing http {enable | disable}

37

Blue Coat SGOS 6.2.x Release Notes

Section F: Limitations in SGOS 6.2.x


These issues are known by Blue Coat but are not fixable because of the interaction with third-party products, works as designed but might cause an issue, or other reason.

Director

Director might become unresponsive when executing a profile or restoring a backup on a ProxySG appliance. Director must be rebooted when this issue occurs.

Management Console

The default Active Session list requests limit is 5,000.


successfully, it

After you apply changes and see the message Changes were committed to the SG actually takes the ProxySG about 30 seconds to process the changes. Do not restart the ProxySG during this processing time or you may lose the changes you made.

Licensing

The product description in the licensing component may show as SGOS 5.x even after upgrading to 6.x; SGOS 5.x reflects the version that the system was manufactured with. (B#145068)

SSL/TLS
Due to security reasons, MD2 support for certificate verification has been removed from openssl by default (starting with version 0.9.8m). As a workaround, disable protocol detection from a specific website <web_addr>:
if url=<web_addr> detect_protocol(no) ((B#159333)

TCP/IP and General Networking

When multiple network IP addresses are configured on the same interface, the ProxySG uses the wrong IP address when connecting to an external device. To avoid this issue, Blue Coat recommends that customers requiring multiple IP support should use a unique interface for each subnet. (B#158585)

38

Blue Coat SGOS 6.2.x Release Notes

Section G: SGOS 6.x Support Files and Support for Other Products
This section lists third-party products that interact with the ProxySG appliance.

Support Files
This section provides links to files and documents referenced in the ProxySG appliance documentation set.

.htpasswd File (Perl Script)


This file is used during Local Realm (Authentication) configuration.

https://bto.bluecoat.com/doc/13282

XML Schemas for SOAP


These schemas are used in authentication and authorization responses and requests.

http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-0.xsd http://www.bluecoat.com/xmlns/xml-realm/1.0/xml-realm-1-1.xsd

Support for Other Products


This section provides the required versions of other products that interact with the ProxySG appliance.

Supported Clients and Browsers


The following are the combinations of OS, browser, and Oracle Java Runtime Environment (JRE) versions supported for the Web-based Management Console (MC) and the Visual Policy Manager (VPM).

Supported Operating Systems


The supported operating systems for the Management Console and VPM are as follows:

Microsoft Windows 2000 Pro (SP4 or later) Windows XP (SP2 or later) Windows Vista

Supported Browser Versions


The supported browser versions for the MC and VPM are as follows: Windows: Internet Explorer (IE) 8, IE 7, Firefox 3.6, Firefox 3.5. Apple Mac OSes: Safari 4, Safari 3, Firefox 3.6, Firefox 3.5 Linux: Firefox 3.6, Firefox 3.5

Supported browsers means the browsers on which Blue Coat tested SGOS 6.2. Other browsers might work, but are not guaranteed by Blue Coat.

39

Blue Coat SGOS 6.2.x Release Notes

Supported JRE Versions


Supported Java JRE versions: 1.5.0_15 and later 1.6 (except 1.6_05, which causes VPM Help problems)

Notes

On the Java download page, Java naming conventions refer to JRE 5.0 and JRE 1.5 interchangeably. JRE 5.0 is the new name for JRE 1.5. Blue Coat recommends that you use Internet Explorer to download JRE because it downloads the correct version of JRE. Firefox attempts to install the latest JRE, which might not be compatible with the Management Console. When you start the ProxySG appliance Management Console for the first time after upgrading to SGOS 5.4 or later and your currently installed JRE is earlier than 1.5.0_15, your Web browser attempts to download a more current JRE. You might experience a problem downloading the latest supported JRE through the Management Console if: The browser does not support automatic download. The automatic download hangs. The Java Installer displays an error: HTTP Status Code=302 followed by a popup that Java 1.5.x cannot be downloaded.

If you experience any of these issues, enter the following URL to get to the Java download page (if the automatic download hangs, first terminate the download):
http://www.oracle.com/technetwork/java/index-jsp-141438.html

Network delays and/or slow processor speeds might affect JRE performance, slowing the display of Management Console menu selections and options. Enable the auto-detect encoding feature on your browser so that it uses the encoding specified in the console URLs. The browser does not use the autodetect encoding feature by default. If auto-detect encoding is not enabled, the browser ignores the charset header and uses the native OS language encoding for its display. If your system is running JRE 1.6_05, the VPM Help system does not display or function correctly. If you upgrade JRE from a lower version, clear the browser private data.

40

Blue Coat SGOS 6.2.x Release Notes

Blue Coat Director, Reporter, and ProxyClient


Director
SGOS 6.2.x is compatible with SGME 5.x. If you are using Blue Coat Director to manage your ProxySG appliances, use overlays to fine-tune configuration specifics after upgrade. Do not push a device profile created in an earlier SGOS version to a ProxySG appliance that has been upgraded. For more information on profiles and overlays, refer to the Director documentation. Consult the following table before attempting to manage ProxySG appliance appliances:
SGME version SGME 5.5.x Manages SGOS versions.... SGOS 6.1.x and 6.2.x SGOS 5.3.x, SGOS 5.4.x, and SGOS 5.5.x SGOS 4.3.x SGME 5.4.2.5 SGOS 5.3.x, SGOS 5.4.x, and SGOS 5.5.1.1 SGOS 4.3.x SGME 5.4.2.x SGME 5.4.1.x SGME 5.3.x SGOS 5.3.x and SGOS 5.4.x SGOS 4.3.x SGOS 5.4.x and all SGOS versions supported by SGME 5.3.x SGOS 5.3.x, SGOS 5.2.x, SGOS 5.1.x SGOS 4.2.9 and later, including 4.3.x Limitation: You can use VPM in SGME 5.2.x and later to push policy to devices running SGOS 4.2.x, where x > 9 or SGOS 5.2.2.x or later only. If a device runs SGOS 4.2.9 or earlier or 5.2.1 or earlier, use the SGOS Management Console on each device to change policy on the device. SGME 5.2.1.x, 5.2.2.x SGOS 5.2.x, SGOS 5.1.x SGOS 4.2.9 and later, including 4.3.x Limitation: You can use VPM in SGME 5.2.x and later to push policy to devices running SGOS 4.2.x, where x > 9 or SGOS 5.2.2.x or later only. If a device runs SGOS 4.2.9 or earlier or 5.2.1 or earlier, use the SGOS Management Console on each device to change policy on the device. SGME 5.1.4.x SGOS 5.1.x SGOS 4.2.9 and later, including 4.3.x SGME 5.1.4.x supports SGOS 4.2.9 and later, but the SGME 5.1.4 Management Console does not have the Content tab page.

41

Blue Coat SGOS 6.2.x Release Notes

Reporter
This release is compatible with the following Blue Coat Reporter releases:

Reporter 8.x Reporter 9.x

ProxyClient
ProxyClient versions 3.1.x, 3.2.x, and 3.3.x are compatible with SGOS 6.2. To download the latest version, refer to the Blue Coat ProxyClient Release Notes.

Anti-Malware
The Blue Coat ProxySG appliance with ProxyAV integration is a highperformance Web anti-malware solution. For more information, refer to the Blue Coat Web site. This release is compatible with Blue Coat AVOS 3.x. SGOS 6.2.x works with the following third-party implementations of ICAP:

Symantec AntiVirus Scan Engine (SAVSE) 4.3, version 4.3.0.15; ICAP 1.0 WebWasher 5.3, build 1953; ICAP 1.0

Instant Messaging
This section details the Instant Messaging proxy support for English language versions. While some versions of AIM and Windows Live Messenger (WLM) are not officially supported, they work in most situations. Video and audio are not supported with any of the Instant Message protocols: MSN, Yahoo, AIM, and WLM.

English Language Versions Supported


Table 1-1. IM Client Compatibility Matrix Client Version SGOS 6.x Support Comments

AIM 6.5

Limited

This version was not officially tested, but full proxy support should work. See "Partially Supported IM Protocol Versions" below. AIM 6.8 is supported in explicit SOCKSv5

AIM 6.8

Yes

and HTTP/HTTPS proxy configurations only. For AIM 6.8 support, you must purchase and import a CA signed SSL certificate on the ProxySG appliance.
AIM 6.9 Windows Messenger 4.x Limited Yes This version was not officially tested, but full proxy support should work. (4.0-XP, 4.7-XP+SP2)

42

Blue Coat SGOS 6.2.x Release Notes

Table 1-1. IM Client Compatibility Matrix Client Version SGOS 6.x Support Comments

Windows Messenger 5.x MSN Messenger 7.0 MSN Messenger 7.5 WLM 8.0

Yes Yes Yes Yes Name changed from MSN to Windows Live Messenger (WLM); Microsoft deprecated this version in favor of WLM 8.1. In 2007, Microsoft rendered as obsolete all versions previous to 8.1 because of a security issue. Beginning November 9th, 2009, clients are required to upgrade. In 6.x, WLM 2009 is tunneled. This version is also known as version 14.0. Beginning November 9th, 2009, Messenger 2009 (version 14) users must upgrade their clients. Users who have already installed the latest version, which was released Aug 18th 2009 (Build: 14.0.8089.726), are not required to upgrade. In April 2008, Yahoo! retired these client releases. This is the last version that supports Windows 98 and Windows ME.

WLM 8.1

Yes

WLM 8.5 WLM 2009

Yes Yes

Yahoo 5.5, 5.6 Yahoo 8.0, 8.1 Yahoo 9.0

N/A Yes Yes

In 6.x, Yahoo 9.0 is tunneled.

Partially Supported IM Protocol Versions AIM


The ProxySG appliance does not recognize transparent AIM 6.x as AIM (IM) traffic. In some ProxySG appliance configurations, however, client login and chat do succeed.

AIM 6.x If a SOCKS proxy is configured in the client's Internet Explorer (IE) settings: SOCKS proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally. SOCKS proxy with detect protocol enabled on the ProxySG appliance: The client can log in and chat with a thirty-second delay.

If an HTTP/Secure proxy is configured in the client PC's IE settings:

43

Blue Coat SGOS 6.2.x Release Notes

HTTP proxy with detect protocol disabled on the ProxySG appliance: The client can log in and chat normally HTTP proxy with detect protocol enabled on the ProxySG appliance: The client login fails after about 30 seconds with the message Connection lost.

Transparent deployment: AIM 6.1 cannot log in if an SSL service is configured on port 443. AIM can log in, with a 30-second delay, if a TCP tunnel service is configured on port 443 with protocol detection enabled. AIM can log in if the SSL forward proxy is also enabled and the ProxySG appliance appliance's certificate is installed as the root certificate on the client's IE browser. The client can log in and chat unless the SSL connection is intercepted by the SSL forward proxy. Supported deployments, if the SSL connection is not intercepted by the SSL forward proxy include transparent/TCP tunnel on port 443, transparent/SSL proxy on port 443, and HTTP proxy or SOCKS proxy.

AIM 6.5

To deny login for AIM 6.0, 6.1 clients, and for transparent proxy deployments of AIM 6.5 and 6.8 clients, the following policy can be used:
<Proxy> DENY url.host=kdc.uas.aol.com

Peer-to Peer (P2P)


SGOS 6.2.x supports the following P2P protocols:

BitTorrent, with the exception of encrypted BitTorrent GNUtella eDonkey

Policy

Ask.com has changed its SafeSearch mechanism from a cookie-based one to a query-string based mechanism. If you are using the SafeSearch policy in your network, to ensure that undesirable mature content is blocked, please update the SafeSearch policy as shown below (B#141182): Replace
; === SafeSearch for Ask === ; ; === BC_SafeSearch_Ask Domains/Hostnames === define condition BC_SafeSearch_Ask_Domains url.domain=ask.com url.host=!wzus.ask.com url.host=!mystuff.ask.com url.domain=ask.co.uk url.host=!wzus.ask.com url.host=!mystuff.ask.com end

44

Blue Coat SGOS 6.2.x Release Notes

; ; === BC_SafeSearch_Ask Rules === <proxy BC_SafeSearch_Ask_cookies> condition=BC_SafeSearch_Ask_Domains request.header.cookie="adt=|adlt=" action.BC_SafeSearch_Ask_Cookie_Rewrite(yes) action.BC_SafeSearch_Ask_Cookie_Addition(yes) ; ; === BC_SafeSearch_Ask Defines === define action BC_SafeSearch_Ask_Cookie_Addition append(request.header.cookie, "gset:adlt=0") end define action BC_SafeSearch_Ask_Cookie_Rewrite #if release.version=5.4.. rewrite(request.header.cookie, "(.*)adt=(.*)", "$(1)adt=0$(2)") #endif rewrite(request.header.cookie, "(.*)adlt=(.*)", "$(1)adlt=0$(2)") end ; With ; === SafeSearch for Ask === ; ; === BC_SafeSearch_Ask Domains/Hostnames === define condition BC_SafeSearch_Ask_Domains url.domain=ask.com url.host=!wzus.ask.com url.host=!mystuff.ask.com url.domain=ask.co.uk url.host=!wzus.ask.com url.host=!mystuff.ask.com end ; ; === BC_SafeSearch_Ask Rules === Blue Coat SGOS 5.4.x Release Notes 94 <proxy BC_SafeSearch_Ask_cookies> condition=BC_SafeSearch_Ask_Domains url.query.regex="adt=" action.BC_SafeSearch_Ask_Query_Rewrite(yes) ; ; === BC_SafeSearch_Ask Defines === define action BC_SafeSearch_Ask_Query_Rewrite rewrite(url, "(.*)adt=(.*)", "$(1)adt=0$(2)") end ; ;

45

Blue Coat SGOS 6.2.x Release Notes

RSA SecurID
SGOS 6.2.x supports RSA 6.0 with SecurID.

SOCKS
SGOS 6.2.x supports SOCKS v5, authentication protocol v1.

Streaming
Streaming support is limited to the following players and servers:

The ProxySG appliance supports the following versions and formats: Windows Media Player 7-12 Windows Media Server 9 Microsoft Silverlight

Important:

SGOS 6.x does not support older Windows Servers that do not support WM-HTTP when NTLM authentication is enabled. Newer Windows Clients, such as 11.x, do not support the MMS protocol. Silverlight is supported in SGOS 6.x; however, it must use WM-HTTP streaming protocol for streaming Windows content. WM-HTTP is also known as MS-WMSP.

The ProxySG appliance supports the following Real Players and Servers: RealOne Player, version 2 RealPlayer 8 and 10 RealServer 8 through 10 Helix Universal Server Helix Player 11

The ProxySG appliance supports the following versions and servers, but in pass-through mode only: QuickTime Players v7.x, 6.x, and 5.x Darwin Streaming Server 4.1.x and 3.x

Flash Proxy (RTMP) Support


Flash streaming proxy is compatible with current versions of Flash Server, client plugins, and browsers. Blue Coat recommends using the application versions listed in the table below for full functionality.
Table 11 Supported Applications

Application Adobe Flash plugin

Version 10.x

Operating System Windows XP

46

Blue Coat SGOS 6.2.x Release Notes

Table 11 Supported Applications

Application Adobe Flash Server Internet Explorer or Firefox

Version 3.x, 3.5.x IE 7.x, 8.x

Operating System Windows 2003 Server N/A

FF 3.x

WCCP
SGOS 6.2.x was tested with several releases of Cisco IOS: 12.0.7, 12.1.6E, 12.2.18. For a list of Cisco platforms that support L2 packet return, go to www.cisco.com.

47

Blue Coat SGOS 6.2.x Release Notes

Copyright 1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, ProxyOne, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY BLUE COAT) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Americas: Blue Coat Systems, Inc. 410 N. Mary Ave. Sunnyvale, CA 94085

Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland

48