

This page displays the current Blue Coat ProxyAV content scanning and network statistics.

Displays the current Internet Content Adaptation Protocol (ICAP) statistics.

Blue Coat ProxyAV Appliance

Displays the hardware serial number and the Health Status for this ProxyAV. Click the health status link to display more health details in the On Board Diagnostics table. Note: For 2000-E models, displays N/A.

Connection Statistics
Displays the network traffic statistics and ProxyAV MAC addresses. Information is segregated by Terabytes (TB), Gigabytes (GB), Megabytes (MB), Kilobytes (KB), and Bytes. Also gives the number of traffic processed per second. Click Reset Counters to reset data to 0.

Current Downloads
Displays current ProxyAV download activity.

This page allows you to specify basic network configurations on the ProxyAV.

Global Settings
Enter a new name or change the existing name of the ProxyAV. If you have more than one ProxyAV on your network, consider using names that can help you distinguish between machines.

Proxy Servers for Updates (link)

Click this link to identify any proxy servers in your deployment so the ProxyAV can receive pattern file and scan engine updates and firmware update information.

Settings for Interface 0

Specifies the network gateway address and the IP address and subnet mask of the first interface (the one connected to the network). Note: If a different IP network gateway address is entered from the front panel of the ProxyAV (on supporting models), this value is changed accordingly. The label of the first interface on the rear of the ProxyAV varies by Blue Coat model number:

Blue Coat AV 400-E: 0
Blue Coat AV 510/810: 0
2000-E: 1

If you are only using one connection to the ProxyAV, you must use Interface 0.

Settings for Interface 1

Connection to the second interface is optional. It can be used for either a secondary management connection, a redundant ICAP connection, or both. The IP address for Interface 1 must be different than the IP address specified for Interface 0 (forwarding between interfaces is not supported) and Interface 1 must be configured on a different subnet than Interface 0. Select Enabled to activate the IP address and Subnet Mask fields.

DNS Search Order

Enter the DNS server IP addresses that you normally use when configuring your client systems.

Management Console Access

Specifies what protocol the ProxyAV Management Console uses for administrative access. By default (new installation or upgrade), the HTTPS protocol on port 8082 is enabled. You can also enable non-encrypted HTTP access (the default port is 8081).

Enabling HTTP Access

By enabling HTTP access, the administrator can access the Management Console without a secure connection. You can specify a different port number.

Enabling HTTPS Access

By enabling HTTPS access, the access to the Management Console is secure and might require a username and password if the ProxyAV is configured to request credentials. You can specify a different port number. When HTTPS is enabled, you must enter the URL format https://interface_IP:port to access the ProxyAV Management Console. For example,

Keyring and SSL versions

An SSL encryption keyring is created and used by default. SSL is the standard protocol for secure communication over the network. Select a Keyring and SSL version from the drop-down lists, and click Save Changes. Note: To create another keyring or certificate, select Advanced > SSL Keyrings or Advanced > SSL Certificates, then click the Help icon for detailed instructions.

Ciphers list for HTTPS administration (link)

Click this link to display the Ciphers list if you have enabled HTTPS access to the Management Console.

Ciphers List
You can select the SSL ciphers to allow for HTTPS Web interface access. However, it is important to verify your browser settings before changing the cipher configuration, and to be very cautious about making changes. For example, disabling any high ciphers could lead to losing access to the HTTPS Management Console. IMPORTANT: Before you enable or disable SSL ciphers for HTTPS access, be sure to configure the ProxyAV to be accessed through HTTP. Doing so ensures that you will not lose access to the ProxyAV while making changes to the SSL ciphers for HTTPS. If you disable or enable any of the ciphers in the list, click Save Changes, and be sure to switch from HTTP access back to HTTPS access when you are finished with the SSL cipher configuration.

Administration and ICAP Server Access List

This table displays the currently defined IP addresses (and interfaces) that are allowed administrative remote access to the ProxyAV interface IP addresses or ICAP clients. When there are no entries in the table (or all entries are set to restricted), administration or ICAP access is not allowed. For security reasons, Blue Coat recommends keeping this list limited and specific. To add IP addresses to this list, click Add.

Administration and ICAP Server Access List Entry

For security reasons, Blue Coat recommends keeping this list limited and specific.

1. In the IP Address field, enter the IP address of a client or subnet that is or is not allowed administrative, ICAP, or SNMP access to the ProxyAV.

2. In the Mask field, enter a subnet address.

3. From the Interface drop-down list, specify whether this IP address has access to one or both ProxyAV interfaces.

4. Select a Status:
   Allowed Admin Access: This IP address and subnet is allowed administrative access.
   Allowed ICAP Access: This IP address and subnet is allowed to be an ICAP client.
   Allowed SNMP Access: This IP address and subnet is allowed SNMP access.

Click Save Changes.


Proxy Servers for Updates

If your deployment requires one or more servers that proxy to the Internet, they must be identified to allow the ProxyAV to receive pattern file and scan engine updates and firmware update information. To add a server:

1. Click Add. The Proxy Server page displays, which contains fields for adding

2. Select one of the following:
   HTTP Proxy: Proxy this AV appliance through the defined HTTP proxy server.
   SOCKS Proxy: Proxy this AV appliance through the defined SOCKS proxy server.

3. In the Host field, enter the IP address or host name of the HTTP or SOCKS proxy server.

4. In the Port field, enter the port number.

5. (Optional) This only applies to HTTP Proxy: Select Enable Proxy Authorization and enter a username and password in the appropriate fields.

6. Click Add.

7. Repeat the procedure to add more servers, if required.

Change Administration Password

The ProxyAV allows you to create two different usernames and passwords for access to the Management Console: one for full administrative access and one for read-only access. After a password is set here, users cannot access the configuration Web pages without it. To change the password for a read-only administrative user:

1. Click the Change Read-Only User Data link.

2. In the New Password field, enter the administrator password; repeat for the Verify New Password field. The maximum number of characters is 16.

3. Click Save Changes.

To change the password for a full-access administrative user:

1. Select Require Authentication.

2. In the Username field, enter the administrator user name.

3. In the New Password field, enter the administrator password; repeat for the Verify New Password field. The maximum number of characters is 16.

4. In the Session timeout field, enter the number of minutes before re-entering of the credentials is required.

5. Click Save Changes.

This page enables you to view the status of your antivirus vendor license, register the ProxyAV automatically or through the Blue Coat Licensing Portal (BCLP), and update your antivirus license key automatically or retrieve a license key from the BCLP.

Licensed Components
This table displays the AV vendor currently licensed on your ProxyAV, the active status, the expiration date, and the number of days left on your current license.

General License Information

This section displays the hardware serial number (for ProxyAV models 400E, 510, and 810) or MAC address (for ProxyAV model 2000) and the date and time the license key file was generated.

License Administration
This section allows you to automatically register a ProxyAV vendor license or retrieve an AV vendor license key file manually using the BCLP.

To register a ProxyAV vendor license automatically: Click Register appliance automatically (recommended).

To retrieve an AV vendor license from the BCLP:

1. Click Activate/Manage to display the BCLP Web page.

2. Enter your WebPower credentials and click Login.

3. Enter the Activation Code or Subscription number from the e-mail received from Blue Coat, or click Retrieve a license file for your appliance. To retrieve a license file, enter your hardware serial number (for ProxyAV models 400E, 510, and 810) or MAC address (for ProxyAV model 2000), and click Submit.

4. Click Download License File. The File Download dialog displays.

5. Click Save to save the license file to your computer.

License Key Automatic Installation

If this ProxyAV is configured to have access to the outside network, click Update to retrieve the license key. To allow automatic license-key updates, select Use Auto-Update, then click Save Changes.

License Key Manual Installation

Use this field if the ProxyAV is configured for a closed network (see Advanced > Closed Network Setup), which means that it cannot connect to the outside Internet for updates. Paste the license file contents into this field and click Save Changes.

Save Changes
If you make any changes on this page, you must click Save Changes to activate the changes.

ProxyAV Automatic Registration

This page allows you to register an antivirus license at initial startup or later. Blue Coat recommends registering the antivirus license at initial startup if it is a fresh box that meets the following prerequisites:

There is no previous subscription number or license key file on the appliance.
You have not previously declined the End-User License Agreement (EULA).

Note: To register an antivirus license after initial startup, select Licenses in the Management Console and click Register appliance automatically (recommended).

To register an antivirus license automatically:

1. In the ProxyAV Automatic Registration page, enter your WebPower credentials and your Activation Code or Subscription Number (from an e-mail you received from Blue Coat).

2. Click Register ProxyAV. If you entered an activation code, the EULA displays. Select Accept. If you entered a subscription number, the EULA does not display.

3. Click Continue. The registration status displays on the ProxyAV Automatic Registration page. If you receive an error, check to be sure that you have entered the correct WebPower credentials and activation code or subscription number.

Antivirus Settings
This page allows you to view AV information and display pages to configure scanning behavior.

The table at the top of this page displays information about the current antivirus vendor. The Days Remaining column displays the current length of your license to use the software. If the license has expired, that date displays, as well as the date on which the grace period expires. The ProxyAV checks for new engines and pattern files once every 30 minutes. Selecting Force Update forces the ProxyAV to download and install the latest file versions, regardless of the file versions currently residing on the ProxyAV.

Scanning Behavior (link)

Click this link to display the Scanning Behavior page and set parameters and options for antivirus scanning.

Update Settings (link)

Click this link to display the Update Settings page to configure the duration between AV updates.

Scanning Behavior
Using the options on this page, you can set parameters and options for antivirus scanning.

Heuristic Parameters
When the Heuristic Parameters option is enabled, the ProxyAV learns about traffic patterns on your network and adjusts accordingly to increase performance. After an initial learning period, the ProxyAV should be able to accelerate about 15% to 30% of the network's traffic. The learning process restarts whenever a new virus pattern file or an updated scanning engine is downloaded.

Extended Options
This field is dynamic, based on which AV engine you are using:

Detect Spyware/Detect Adware (Kaspersky AV engine only)
Detect Potentially Unwanted Programs (McAfee AV engine only)
Detect Spyware (Panda AV engine only)
Detect Potentially Unwanted Programs (Sophos AV engine only)

Enabled: Scanning stops after the first instance of a virus or spyware. For Kaspersky, Detect Adware is enabled by default. It can be deselected, but it cannot be selected without selecting Detect Spyware.
Disabled: Scanning stops only after the first instance of a virus, not spyware.

File scanning timeout

Some files, while not viruses themselves, are designed to disable a virus scanner. While these files cannot disable a ProxyAV, they can use up system resources and slow down overall throughput. Defining a timeout value allows the ProxyAV to reclaim those resources. The default is 800 seconds; the minimum is ten seconds; the maximum is 3600 seconds (60 minutes).

Policies for file types (link)

Click this link to display the Policies for file types page to set scanning behavior based on the apparent file types (Kaspersky or Sophos) and extensions.

File size/count limitations

Imposes limits on the file sizes and numbers allowed to be scanned.

Maximum individual file size: An individual file size cannot exceed the specified size (MB). This limitation also applies to each file within an archive. Dependent upon RAM and disk size of different ProxyAV platforms, the Maximum Individual File size that can be scanned is as follows: ProxyAV 400-E and AV510: 768 MB; AV810: 2GB; ProxyAV 2000-E: 2 GB.
Maximum total uncompressed size: An uncompressed file or archive cannot exceed the specified size (MB). The maximum is: ProxyAV 400-E and AV510: 3000 MB; AV810: 4GB; 2000-E: 4GB.
Maximum total number of files in archive: An archive cannot contain more than the specified number of files. The maximum is 100,000.
Maximum archive layers: An archive cannot contain more than the specified number of layers. The maximum is: Panda: 30; McAfee: 300; All others: 100.

If any of these options are exceeded, the object is not scanned. For more information about files and archives, refer to the Blue Coat ProxyAV Appliance Configuration and Management Guide.

Policies for Antivirus exceptions

This section defines how the ProxyAV behaves when a timeout or other scanning error occurs. If Block is selected for an error type, the file is dropped. If Serve is selected, the file is passed on to the client, unscanned. The default for all options is Block.
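The following added example (not Blue Coat code) models the four file size/count limits for ZIP archives and applies a Block or Serve choice when one of them is exceeded. The layer-counting rule, the use of the Block/Serve setting for limit violations, and all function names are assumptions; the sample archives are constructed in memory.

```python
import io
import zipfile
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass
class Limits:
    # Defaults are the maximums the page lists for the ProxyAV 400-E and AV510.
    max_file_bytes: int = 768 * MB
    max_total_bytes: int = 3000 * MB
    max_files: int = 100_000
    max_layers: int = 100


class LimitExceeded(Exception):
    """Raised with the name of the first limit that was exceeded."""


def _walk(data, limits, layer, totals):
    # Assumption: the outermost archive counts as layer 1.
    if layer > limits.max_layers:
        raise LimitExceeded("archive layers")
    totals["layers"] = max(totals["layers"], layer)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            totals["files"] += 1
            if totals["files"] > limits.max_files:
                raise LimitExceeded("number of files")
            # Check the declared size before inflating anything, so a highly
            # compressed member is rejected without being expanded.
            if info.file_size > limits.max_file_bytes:
                raise LimitExceeded("individual file size")
            # A nested archive counts toward the total, as do its members.
            totals["bytes"] += info.file_size
            if totals["bytes"] > limits.max_total_bytes:
                raise LimitExceeded("total uncompressed size")
            body = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):
                _walk(body, limits, layer + 1, totals)


def decide(data, limits, on_error="Block"):
    """Return (verdict, reason); on_error is 'Block' or 'Serve', as on the page."""
    failed = "blocked" if on_error == "Block" else "served unscanned"
    totals = {"files": 0, "bytes": 0, "layers": 0}
    try:
        _walk(data, limits, 1, totals)
    except LimitExceeded as exc:
        return failed, f"limit exceeded: {exc}"
    except zipfile.BadZipFile:
        return failed, "unreadable archive"
    return "scan", f"{totals['files']} files, {totals['layers']} layer(s)"


def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def nested(depth):
    """Constructed sample: a text file wrapped in `depth` archive layers."""
    data = make_zip({"payload.txt": b"A" * 1000})
    for _ in range(depth - 1):
        data = make_zip({"inner.zip": data})
    return data


if __name__ == "__main__":
    # Deliberately small limits so the constructed samples trip them quickly.
    small = Limits(max_file_bytes=1 * MB, max_total_bytes=4 * MB,
                   max_files=10, max_layers=3)
    print(decide(make_zip({"a.txt": b"hello"}), small))
    print(decide(nested(4), small))
    print(decide(make_zip({"zeros.bin": b"\0" * (5 * MB)}), small, on_error="Serve"))
```

With Serve selected, the last sample (5 MB of zeros that compresses to a few kilobytes) reaches the client unscanned, which is why the default of Block is the safer setting for these cases.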

Save Changes

You must click Save Changes to enable the changes made on this page.

Policies for file types

The settings on this page allow you to determine scanning behavior based on the apparent file types (Kaspersky or Sophos) and extensions.

Apparent Data Types (Kaspersky or Sophos)

This feature is only available if you have selected either the Kaspersky or Sophos AV engine. These options allow you to determine what is blocked, scanned, and served unscanned, based on file contents. The ProxyAV is able to identify various file types, including graphics (such as JPG and GIF files), documents, archives, executables, encodings, media, macros, and other file types.

Furthermore, the ProxyAV recognizes all files within an archived or compound Microsoft file. If any individual files in these compound files are specified to be blocked, the entire compound file is blocked. For example, a zip file contains Word files and JPG files. By policy, Word files are allowed, but JPG files are to be blocked. Therefore, the entire zip file is blocked.

To specify apparent data types and policy for each type:

1. Select Enabled.

2. (Optional) Depending on whether you are using Kaspersky or Sophos, do one of the following:
   a. (Kaspersky only) Select True type of ... container to enable recognition of individual files in compound files. If this option is enabled, when an unknown file is detected within a container, the unknown policy is applied to the entire container file. If this option is disabled, then unknown files within containers are scanned.
   b. (Sophos only) Select Detect weak types to enable recognition of file types that otherwise might be difficult for the ProxyAV to identify with 100 percent confidence.

Specify policy for each file type:
   Don't scan: The file is served back to the ProxySG without AV scanning occurring.
   Block: No scanning occurs and the ProxyAV returns a response to the ProxySG that the file was blocked (code type: file_type_blocked).
   Scan: The ProxyAV scans the object for malicious content and returns the content or modified response to the ProxySG.

Click Save Changes.

Note: The Unknown file type applies to all files not recognizable by the ProxyAV.

File extensions
Specifies scanning behavior based on file name extension. These options can increase performance, but also increase security risks.

Drop files having extensions: Any file types with these extensions are blocked and not served to the client.
Don't scan files having extensions: Any file types with these extensions are passed through unscanned to the client. If you enable this option, consider the Blue Coat advisory that viruses and other malicious code can be embedded in many file types, including image formats.

Click Save Changes to commit your changes to the ProxyAV.
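An added illustration (not ProxyAV code) of why extension rules carry more risk than apparent data types: the same file is judged once by its name and once by its leading bytes, and the compound-file rule from the Apparent Data Types section is applied to a zip. The signature table, the policy values, and the container precedence Block > Scan > Don't scan are assumptions; the sample files are constructed header bytes only.

```python
import io
import zipfile

# Leading bytes for a few well-known formats (a small subset chosen for the example).
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF8", "gif"),
    (b"\xd0\xcf\x11\xe0", "document"),   # OLE2 container, e.g. a legacy Word file
    (b"MZ", "executable"),
    (b"PK\x03\x04", "archive"),
]
RANK = {"Don't scan": 0, "Scan": 1, "Block": 2}


def apparent_type(data):
    """Classify by content; anything unrecognized is 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def by_extension(name, dont_scan_ext, drop_ext):
    """Model of the 'File extensions' options: only the name is consulted."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in drop_ext:
        return "Block"
    if ext in dont_scan_ext:
        return "Don't scan"
    return "Scan"


def by_apparent_type(data, policy):
    """Model of 'Apparent Data Types': a container takes the strictest
    verdict of any member (assumed precedence: Block > Scan > Don't scan).
    Size and layer limits are left out to keep the example short."""
    kind = apparent_type(data)
    verdict = policy[kind]
    if kind != "archive":
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [zf.read(i) for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return policy["unknown"]
    for body in members:
        inner = by_apparent_type(body, policy)
        if RANK[inner] > RANK[verdict]:
            verdict = inner
    return verdict


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: header bytes followed by padding, not real files.
JPG = b"\xff\xd8\xff\xe0" + b"\0" * 16
DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 16
MZ_HEADER = b"MZ" + b"\0" * 62

# Images pass unscanned for speed; everything else is scanned.
FAST_IMAGES = {"jpg": "Don't scan", "gif": "Don't scan", "document": "Scan",
               "executable": "Scan", "archive": "Scan", "unknown": "Scan"}
# The page's own example: Word files allowed (scanned), JPG files blocked.
BLOCK_JPG = dict(FAST_IMAGES, jpg="Block")

if __name__ == "__main__":
    # A file named like an image whose content is an executable header.
    print(by_extension("holiday.jpg", {"jpg", "gif"}, {"exe"}))   # name only
    print(by_apparent_type(MZ_HEADER, FAST_IMAGES))               # content
    print(by_apparent_type(make_zip({"report.doc": DOC, "photo.jpg": JPG}), BLOCK_JPG))
```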

Update Settings
This page configures the duration between AV updates, and where to look for them. In the Update frequency field, specify the number of minutes of the interval between updates.

Update location
To get the update from a location other than the default, enter a URL in the Custom field. Note: If an https:// URL is entered, the update uses HTTPS for downloads. When using the default update URLs, the AV update occurs over HTTPS or HTTP, depending on whether Enable Client/Server HTTPs Connection is selected on the Advanced/SSL client page.

Save Changes
You must click Save Changes to enable the changes made on this page.

ICAP Server Settings

As the ProxyAV uses its own antivirus scanning interface, deploying the ProxyAV as an ICAP server is independent of the selected antivirus vendor; the only impact is how each vendor processes errors.

Note: Currently, the ProxyAV only supports the Blue Coat ProxySG as an ICAP client. To configure and use secure ICAP, you must be running SGOS 5.3 with a valid SSL license. You must also configure both the ProxySG and ProxyAV to use secure ICAP.

To change ICAP settings:

1. Select plain, secure, or both plain and secure ICAP.
   Select plain ICAP if your ICAP client (ProxySG) supports only plain ICAP and is configured for plain ICAP.
   Select secure ICAP if your ICAP client (ProxySG) supports and is configured for secure ICAP.
   Select both plain and secure ICAP if your ICAP client (ProxySG) supports and is configured for both plain and secure ICAP.

2. Set the port(s) to connect to the ICAP server. For plain ICAP, the default port is 1344. For secure ICAP, the default port is 11344.

3. If you enabled secure ICAP, select the SSL keyring to use from the Keyring drop-down list. To create or import new keyrings, select Advanced > SSL Keyrings.

4. In the Antivirus service name field, enter the name of the ICAP service performing the scanning.

5. Click Save Changes.

Default Settings

Click this to revert any custom changes back to the default settings.

This page allows you to enable e-mail alerts, logging, and SNMP traps for various events on the ProxyAV.

E-mail: Sends an e-mail to the administrator. To configure e-mail alerts, click Alerts Settings.
Logging: Creates an entry in the AlertLogFile.log file.
SNMP Trap: Sends a trap to the SNMP manager. To configure SNMP traps, select Advanced > SNMP Settings.

Note: If all of the alert settings are disabled, one entry is still written to the InternalInfo.log file for each state change.

For each event type in the following list, select the alert options in the table:

Virus is found: A virus was found in an ICAP session.
File was passed through without being scanned: Several settings on the Antivirus page enable the administrator to allow files to pass through ProxyAV unscanned. For example, there is an antivirus file scanning timeout.
File was blocked (exclude virus case): A file is blocked for any reason other than a virus infection. For example, the administrator decides to block password protected compressed files.
Failed to connect for update: The ProxyAV looks for new AV updates once every 30 minutes. This fails if the ProxyAV does not have access to the Internet or if the file servers are down or unreachable.
Successful update: The ProxyAV checks for AV updates once per 30 minutes. These files are updated regularly. Enable this alert to find out when a new pattern file has been downloaded.
Subscription Expiring: Your license to use AV software on the ProxyAV requires annual renewals. The ProxyAV reminds you when the end of the subscription period is getting near.
On Board Diagnostics: If the state of a monitored ProxyAV appliance metric changes, and that metric is selected to trigger an alert or SNMP trap, an alert or SNMP trap is sent.
Intelligent Connection Traffic Monitoring (ICTM): If the maximum specified concurrent slow connection warning or critical thresholds are reached, an alert is sent.

Click Save Changes to enable the changes made on this page.

Alerts Settings
The options on this page allow you to configure:

Sender e-mail address: The source mail address to use for alert e-mails. For example:
Recipient e-mail address: Defines who the ProxyAV alerts when an event occurs. Send alerts to multiple addresses by using a comma separated list; for example:,, If this field does not contain a recipient address, the ProxyAV neither attempts to send an e-mail nor makes an entry in the AlertErrors.log.
SMTP server address: Messages are sent to the address listed above through the SMTP server listed here.
SMTP Authorization (POP-Before-SMTP) Enabled: The ProxyAV uses POP before SMTP to authenticate; therefore, your username and password are submitted to the mail server on port 110 before sending the alert.

You must click Save Changes to enable the changes made on this page.

Log Files
The options on this page allow you to configure ProxyAV logging options.

This option allows you to forward detailed connection log (connections between the Management Console and the file scans) information to any system on your network. The ProxyAV includes an application for receiving logs called ConnLog.exe and can be downloaded by clicking Get log receiver application or Get Windows based log receiver application.

Note: This is not syslog-type information. The logs are in plain text format and can be imported into most log analyzer applications.

ConnLog.exe writes a new log file for each day into the current directory. By default, it listens for a connection from the ProxyAV on port 8001. Run ConnLog.exe from a command line to change this listening port. The ConnLog.exe /? command displays usage information.

To define where logs are sent:

1. Select Enable sending logging information to remote computer.

2. In the Address field, enter the IP address of the destination server.

3. Select the protocol: TCP/IP or UDP.

4. Select the logging format:
   ProxyAV Classic: The Blue Coat logging format.
   MS Proxy 2.0: Microsoft Proxy logging format.
   ISA W3C: Extended log file format.
   User Defined: A log format you specify using the format string.

5. If you selected User Defined format, you can select Include W3C headers to include them.

6. If you selected User Defined, you can specify the Delimiter format, Comma or Space.

7. The Format String field displays the default logging tokens, based on the selected log format, that define what detailed information appears in the logs. If you selected User Defined format, you can modify this as required. To display a list of valid tokens, click Token list.

8. Click Save Changes.

CSV Logging

This option allows the ProxyAV to log viruses in CSV format. To configure CSV logging:

1. Select Enable logging of viruses to CSV format.

2. Select to create a new file every Hour, Day, Month, or Week.

3. In the Field delimiter field, enter what symbol is used to separate log entries.

4. Click Save Changes.

Log Files
This table allows you to view the generated log files. The first column link saves a text file to a specified location. Click the link in the second column to display the log file in a Web browser. Note: You can download all the logs as a single zip file; see the Advanced > Troubleshooting page.

AdminInfo.log: Logs all admin actions, such as access times and changes made. This information assists in detecting the current state of the ProxyAV and in efficiently troubleshooting any issues. Note: When the AdminInfo.log file size reaches 100 Kb, the file is renamed to AdminInfo.log~ and a new AdminInfo.log file is created. If a previous AdminInfo.log~ file exists, it is deleted.
AlertErrors.log: This file is a log of alert errors. When the ProxyAV cannot send alerts to the administrator(s) designated in the Alerts page, the event is logged here. The most common entry to this log is an inaccessible SMTP server.
AlertLogFile.log: This log is different from the AlertErrors.log in that it includes all alerts, not just those that could not be sent to the administrator by e-mail. Note: When the AlertLogFile.log reaches 1 MB, it is renamed to AlertLogFile_YYYY_MM_DD_N.log and the AlertLogFile log starts over. When the total of AlertLogFile log files reaches 35 MB, the ProxyAV begins deleting the oldest alert logs.
virus-log-date.csv: Log files generated by virus logging in CSV format.
boot.log: Records all reboots of the machine. Using this information, Blue Coat Technical Support can assist you with troubleshooting.
diagnosticS.log: Debug information: thread counts for AV scanning; number of active threads, and scanning queue length.
diagnosticSprev.log: When the diagnosticS.log grows to more than 3MB, it is renamed to diagnosticSprev.log.
diagnosticT.log: Periodic dumps of internal information. Blue Coat might request the contents for diagnosing any issue.
diagnosticTprev.log: When the diagnosticT.log grows to more than 3MB, it is renamed to diagnosticTprev.log.

When a diagnostic log file reaches 3 MB or an internal log reaches 100 KB, it is copied to a backup file (overwriting it) and starts over. The packet log can run until the free space on the disk drops below 20 MB.

This page provides advanced configuration options.

Route Table

This page allows you to enter additional routes for deployments where the ProxyAV default route (see Network) is not sufficient. A typical use for the Route Table is when the SMTP or DNS servers to be used by the ProxyAV are located on an internal network. Routes entered here do not affect traffic that is scanned by the ProxyAV; they are only used for connections where the ProxyAV is the client. These include updates of pattern and engine files, checking for updates to ProxyAV firmware, and sending alerts. To add a route to the table:

1. Click Add; the Route entry page appears.

2. In the Destination field, enter an IP address to be used in routing.

3. In the Mask field, enter a subnet value.

4. In the Gateway field, enter a gateway value.

5. Click Save Changes.

6. Repeat as required.

ARP Table
This page allows you to enter static ARPs or clear the dynamic and static ARPs. To add an ARP value to the table:

1. At the bottom of the table, enter an IP address in the first field.

2. Enter a MAC address.

3. From the drop-down list, select an interface.

4. Click Add.

Each alert contains information about the event that triggered it. Because different events can trigger an alert, there can be many different alert forms. In the Customize Messages table, you can specify what information is in each type of alert. The first three columns (Protocol, Event, and Command Type) define each type of event. The Alert column defines what information is included in the alert that is logged or sent through email to the administrator. The Substitute column defines what text is substituted for the original data. For example, for HTTP downloads, the ProxyAV replaces the entire infected file with the substitute text. Autotext keywords can be used in the Alert and Substitute messages to get contextual information about the event into the messages:

1. Click Modify to call the Message screen. The first few fields provide information about the event.

2. Under State, the default is to use the default message. Click Custom to alter or annotate the message and character set.

   The following keywords may be used:
   %CLIENT: The client IP address.
   %ACTION: The action that was performed (file passed/dropped).
   %URL: The URL from which the file was downloaded.
   %VIRUS: The virus or potentially unwanted software (PUS) name.
   %REASON: Why the event occurred. For example, why was the file scanned?
   %MACHINENAME: The name of the ProxyAV.
   %MACHINEIP: The ProxyAV IP address.
   %HWSERIALNUMBER: The ProxyAV serial number.
   %PROTOCOL: The scanned protocol.
   %APPNAME: The application name (ProxyAV).
   %APPWEB: The application vendor Web address.
   %APPVERSION: The application version.
   %AVVENDOR: The AV vendor.
   %AVENGINEVERS: The AV engine version.
   %AVPATTERNVERS: The AV pattern version.
   %AVPATTERNDATE: The AV pattern date.
   %TIMESTAMP: The time the event occurred.
   %ADMINMAIL: The administrator mail address.

   The % character always precedes the tag name. Capitalization is also important; do not use lowercase variable names.

3. Click Save Changes.

On Board Diagnostics
The ProxyAV monitors its vital system components and displays the current status for each component. The metrics vary slightly for each model, as follows:

AV510 and AV810: CPU, memory, hardware, and network metrics are available.
AV400 and AV2000: CPU, memory, and network metrics are available.

The table includes the following information:

Alert Enabled: Depending on the type of alerts you have enabled, sends an email alert or creates a log entry when there are changes in the metric's state. Clear a check box to prevent an alert from being sent for that metric.
SNMP Traps Enabled: When selected, SNMP traps are enabled for CPU, memory, and network interfaces. However, SNMP traps will only be sent when the current state changes from OK or Warning to Critical.

Important: If alerts are not enabled, the check boxes in the On Board Diagnostics table are not available. To enable SNMP Traps, E-mail, and Logging alerts for On Board Diagnostics, select Alerts, then select the appropriate check boxes.

The current state, unit, numerical value, and state change interval for each metric is provided, as well as the acceptable upper and lower critical and non-critical values. The state indicates the severity of the metric as a health issue:

OK: The monitored system or device is behaving normally.
WARNING: The monitored system or device is outside typical operating parameters and might require attention.
CRITICAL: The monitored system or device is either failing or is far outside normal parameters and requires immediate attention.

Note: You can configure the state change interval, upper critical, and upper non-critical values for CPU, memory, and network interfaces. The default values display in the table. Click Save Changes to save any changes you make to the options in this table.

Date/Time Settings
Specifies the clock of the ProxyAV. Enter the current date and time values. Select a time zone from the Time Zone Information drop-down list. Click Save Changes.

Network Time Protocol

Adjusts the ProxyAV clock to synchronize with a configured time server or servers on specified intervals. To configure NTP:

1. Enter the hostname of the time server and click Add.
2. If entering more than one server, repeat Step 1.
3. Promote or demote servers, if required.
4. Select Enable.
5. In the Query Interval field, enter the duration between synchronization checks. The default is 60 minutes.
6. Click Save Settings.

Ping Utility
This option allows you to send pings to verify status.

This option allows you to do the following:

Configure the ProxyAV to save log files containing information that might assist Blue Coat Customer Support should the ProxyAV experience difficulties.
Download log files in a zip file format.
Upload log files to the Blue Coat Support server that are related to a service request (SR) number. To receive an SR number, contact Blue Coat Customer Support.

Note: If outgoing ProxyAV connections go through the ProxySG, make sure that SSL intercept is not enabled for If SSL intercept is enabled, it can cause the upload of log files to fail. If you are using a proxy server, be sure to configure it at Network > Proxy Servers for Updates.

To save log files:

1. Select the Enable Keeping Troubleshooting Information Files check box.
2. Click Save Changes.

To download log files:

1. Click the link to download troubleshooting files (log files). The File Download dialog displays, prompting you to open or save the zip file.
2. Click Save. The Save As dialog box displays.
3. Navigate to the location where you want to save the zip file and click Save.

To upload log files to the Blue Coat Support server:

1. Enter the SR number in the Service Request Number field.
2. Click Send. The ProxyAV initiates the upload of the file to the Blue Coat Support server. The Send Service Information dialog displays the SR number and the upload status.
3. To stop the upload, click Cancel.
4. If the ProxyAV cannot connect to, the status prompts you that there was a problem connecting to the remote host. To attempt the upload again, click Send.

Note: If the transfer continues to fail, verify that the SR number is valid and has not previously been resolved.

Additional Services
These options allow you to specify additional ProxyAV communication services that can assist administrators or Blue Coat Technical Support to diagnose difficulties.

Enable sending Troubleshooting Information files: Allows files containing troubleshooting information to be sent by e-mail or HTTPS upload to Blue Coat Technical Support.
Enable tech support remote access: Allows Blue Coat Technical Support to access this ProxyAV.
Enable ping to Interface IP: Allows you to ping the interface IP address of this ProxyAV.
Enable advanced DNS: Enables use of the emergency list of DNS servers and recursive DNS.
Enable connectivity test: Periodically tests connectivity to Blue Coat servers on the Internet; displays a warning on the main page if connectivity is lost.

Click Save Changes if you make any changes to these options.

SSL Keyrings
Note: If you are logged in to the ProxyAV Management Console through HTTP, not HTTPS, you cannot configure these options.

A keyring holds a key pair and a certificate. When a keyring is created, it only contains a key pair. You can associate a certificate with this keyring. With multiple certificates, you can configure multiple keyrings and associate the certificates and the keyrings.

The ProxyAV ships with a default keyring already created. The default keyring contains a certificate and an automatically-generated key pair. Because the default keyring is self-signed, you can create other keyrings signed by a well-known Certificate Signing Authority (CSA).

This page allows you to generate new keyrings. To create a new keyring:

1. Click Create; the SSL Keyrings page appears.
2. In the Keyring name field, enter a name.
3. Selecting Show keyring allows the keys, and everything in the keys, to be viewed and exported.
4. Perform one of the following:

Select Create new and enter the keyring strength in the bit keyring field. A length of 1024 bits is the maximum (and default). Longer key pairs provide better security, but with a slight performance expense on the ProxyAV. Be aware that the maximum key length allowed for international export might be different than the default. For deployments reaching outside of the United States, determine the maximum key length allowed for export. Click OK. The keyring, containing a keypair, is created with the name you chose. It does not have a certificate associated with it yet.

Select Import keyring. In the Keyring field, paste in an already existing keypair. The certificate associated with this keypair must be imported separately. If the keypair that is being imported has been encrypted with a password, select Keyring Password and enter the password into the field. Click OK.

SSL Certificates
Note: If you are logged into the ProxyAV Management Console through HTTP, not HTTPS, you cannot configure these options.

The ProxyAV ships with a certificate associated with a default keyring. The certificate, self-signed and associated with the default keyring, can be reused in other keyrings meant for internal use. You can add three kinds of SSL certificates:

A self-signed certificate
A certificate signed by a CA
An external certificate

To create a self-signed certificate:

1. From the Keyring drop-down list, select a keyring.
2. Click Create; the SSL Certificates page displays.
3. Fill in the fields as appropriate:

State/Province: Enter the state or province where the machine is located.
Country Code: Enter the two-character ISO code of the country.
City/Locality: Enter the city.
Organization: Enter the name of the company.
Unit: Enter the name of the group that will be managing the machine.
Common Name: A common name should be the one that contains the URL with which the client accesses that particular origin server.
E-mail Address: The e-mail address you enter must be 40 characters or less. A longer e-mail address will generate an error.
Not valid after: From the drop-down lists, select a date after which the certificate is no longer valid.

Click OK. After the process is complete, this keypair and certificate can be selected from the Network page for HTTPS encryption.


SSL Client
Select Enable Client/Server HTTPS Connection to enable default AV downloads using HTTPS.

Note: The custom AV update location on the Anti-virus > Update settings page operates independently of this option. You can enter a custom https:// location URL there, yet not select to enable HTTPS connections here.

To configure the SSL client:

1. Select a Keyring: the default or one that you already created on the Network page.
2. Select an SSL version.
3. By default, all cipher types and strengths are selected. De-select any if required.
4. Click Save Changes.

CA Certificates
Imports a Certificate Authority certificate to be used for server authentication. Select a certificate and click Import. Select a certificate and click View to examine the certificate details.

Ethernet Adapter Media Type

By default, the ProxyAV automatically detects the link settings. This option allows you to manually specify the Ethernet media adapter type for each interface. The Current Media State field displays the current configuration (or if a cable is not connected). To change the configuration, select an option from the drop-down lists and click Save Changes. Note: For AV 400-E appliances, 10 Mbit/Half and 10 Mbit/Full are not valid selections, and do not appear in the drop-down list. AV 510 appliances have a selection for 1000Mbit/full. For AV 810 and 2000E appliances, this must be set to Auto to autosense Gbit.

History Statistics
Displays various resource usage, connections, and object statistics in three grades: every minute for the last 60 minutes; every hour during the last 24 hours; and every day for the last 30 days. Click a button to change the view:

CPU Usage: Displays the percentage of CPU resource consumed, on average for the interval.
Memory Usage: Displays the highest level of memory percentage used during the interval.
ICAP Objects: The number of ICAP objects received during the interval.
Connections: The maximum number of concurrent connections made during the interval.
ICAP Bytes: The total size in bytes of ICAP objects received during the interval.

Detailed Statistics
Displays detailed statistics of current transactions.

Requests History: Click this link to view the Requests History page, which displays the results of past anti-virus scans.
Concurrent connections: Displays the current number of connections to the ProxyAV.
Total objects being processed: Displays the number of objects the ProxyAV is currently scanning.

A table provides detailed statistics of the objects currently being scanned:

The path and name of the object being scanned.
The current state of the transaction: Receiving, Queued, Scanning, or Replying.
The IP address of the ProxySG that sent the request.
The number of bytes received for scanning.
The total time spent processing the object (including the receiving time).
The mode used for scanning: Plain or Secure ICAP.

For example:

Receiving, 111 bytes, 14 ms, Plain
http://banners.advertise/adview.php?what=welcome
Scanning, 21,631,234 bytes, 30 ms, Secure

Requests History
These options allow you to set the number of past requests to view and refresh the list of requests.

Number of requests: This number determines the number of requests that display in the list. Enter a number from zero to 1,000. When the number is set to zero, request logging is disabled. The default number of requests is 50. Click Save Changes to commit your changes to the ProxyAV.

List of requests: Requests are listed in reverse chronological order. The list includes the following information for each request:

Timestamp: Date and time the request was processed.
ProxySG IP: IP address of the ProxySG that generated the request.
Size: Total size (in bytes) of the requested object.
Result: Scan result of Clean, Virus, or Error.
Time taken: Total time (in ms) it took for the ProxyAV to process the request.
Mode: Corresponding ICAP service mode (Plain or Secure).

Click Refresh Now to obtain the most current data about processed requests.

These options allow you to configure SNMP information, which allows for integration with network management tools. MIB II and AV MIB are supported, and SNMPv2 and SNMPv3 are both supported. To configure SNMP options:

1. Select Enable SNMP.
2. In the sysLocation field, enter a string that describes the physical location of the system. For example: 1stFloorLab.
3. In the sysContact field, enter a string that describes the contact person responsible for maintaining this appliance. For example: LabTechNigel.
4. Specify the Trap Community in the Trap Community field, and enter it again in the Verify Trap Community field.
5. Select an Interface for SNMP from the drop-down list.
6. In the Send Traps To fields, enter up to three IP addresses that receive the traps.
7. Select Enable Authorization Traps to allow the ProxyAV to send traps when SNMP authentication failures occur.
8. Select SNMPv2 or SNMPv3:
For SNMPv2: Enter the read community name and verification.
For SNMPv3: Specify the settings for a read-only user.
9. Click Save Changes.

Note: You must also allow SNMP access for your SNMP clients; see Network > Administration and ICAP Access List.

Downloading MIBs
A Management Information Base (MIB) is a document (written in the ASN.1 data description language) that contains descriptions of managed objects. SNMP uses a specified set of commands and queries, and the MIBs contain information on these commands and the target objects.

To download the MIB files:

Click Download MIBs here. The Opening dialog displays.
To open the zip file, click Open.
To save the zip file to your hard drive, select Save and navigate to the location on your hard drive to save the file.

Note: Depending on your Web browser, the procedure to open or save the zip file might vary slightly.

Intelligent Connection Traffic Monitoring (ICTM)

These options enable the ProxyAV to drop download connections that are taking longer than a normal time frame to complete. This keeps resources available to download other objects. These slow downloads might be suspected infinite stream connections, such as a stock ticker. As this type of download never ends, excessive Blue Coat ProxySG and ProxyAV resources are consumed.

When Intelligent Connection Traffic Monitoring (ICTM) is enabled, the ProxyAV checks for slow downloads. If the warning threshold is reached, the ProxyAV notifies the administrator of the dropped URLs (through an e-mail or SNMP trap, if the option is selected), which allows for the creation of Blue Coat ProxySG policy to ignore these URLs. If the critical threshold is reached, the ProxyAV terminates the oldest, slowest connections so that the number of slow connections stays below the threshold.

To configure ICTM:

1. Select Enable Intelligent Connection Traffic Monitoring (ICTM).
2. Specify how many seconds a connection lasts before it is determined to be a slow download. The minimum is 30 seconds. Blue Coat recommends the default of 60 seconds. The larger the value, the more resources are wasted on suspected infinite stream URLs. Conversely, lower values might tag the downloads of large objects as slow, thus targeting them for termination before the download is complete.
3. Specify the warning threshold:
a. Specify how many concurrent connections that have exceeded the duration specified in Step 2 before a warning message is sent. The allowed maximum is the maximum number of ICAP connections allowed by the ProxyAV platform.

Note: By default, an e-mail warning is sent if this threshold is reached. The e-mail is sent to recipients specified on the Alerts > Alerts Settings page. If you disable this option, no warning is sent and nothing is logged in the AlertLog file.

b. Specify the interval, in minutes, that the ProxyAV repeats the warning messages if the threshold remains breached.
4. Specify the critical threshold. If the number of concurrent slow connections reaches this threshold, the ProxyAV drops enough of these connections (beginning with the oldest connections) to maintain a level below the critical threshold. Oldest connections are dropped first. Keep this value more than the warning threshold (Step 3). Just as for the warning threshold (Step 3b), you can select to send an alert to administrators for each connection that is dropped. See the table below for how default values are calculated.
5. Click Save Changes.


Default Threshold Calculations

Warning threshold (Step 3): 70% of the recommended maximum ICAP connections.
400-E and SG 510: 35
2000-E and SG 810: 70

Critical threshold (Step 4): 90% of the recommended maximum ICAP connections.
400-E and SG 510: 45
2000-E and SG 810: 90
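The warning and critical behaviour from the ICTM steps, together with the default calculations above, modelled as an added Python example (not Blue Coat code). The recommended maximums of 50 and 100 connections are inferred from the 35/45 and 70/90 defaults, and all connection data and URLs are constructed.

```python
from dataclasses import dataclass

# Assumption: recommended maximum ICAP connections, inferred from the page's
# defaults (35 is 70% of 50, 70 is 70% of 100). Not stated on the page itself.
ASSUMED_MAX_ICAP = {"400-E and SG 510": 50, "2000-E and SG 810": 100}


def default_thresholds(max_icap):
    """Return (warning, critical): 70% and 90% of the recommended maximum."""
    return max_icap * 70 // 100, max_icap * 90 // 100


@dataclass(frozen=True)
class Connection:
    url: str
    started: int  # seconds on an arbitrary clock


def evaluate(connections, now, slow_after=60, warning=35, critical=45):
    """Model one ICTM check.

    Returns (state, slow_urls, dropped_urls); state is OK, WARNING or CRITICAL.
    """
    if slow_after < 30:
        raise ValueError("minimum slow-download duration is 30 seconds")
    if critical <= warning:
        raise ValueError("critical threshold must be more than the warning threshold")
    # A connection is slow once it has exceeded the configured duration.
    slow = sorted((c for c in connections if now - c.started > slow_after),
                  key=lambda c: c.started)  # oldest first
    state, dropped = "OK", []
    if len(slow) >= critical:
        state = "CRITICAL"
        # Drop the oldest connections until the count is below the threshold.
        dropped = slow[:len(slow) - (critical - 1)]
    elif len(slow) >= warning:
        state = "WARNING"
    return state, [c.url for c in slow], [c.url for c in dropped]


def constructed_sample():
    """Constructed data: 44 endless streams, one large download, 10 new requests."""
    streams = [Connection(f"http://ticker.example/stream{i}", i) for i in range(44)]
    big = [Connection("http://mirror.example/image.iso", 100)]
    fresh = [Connection(f"http://www.example/page{i}", 160) for i in range(10)]
    return streams + big + fresh


if __name__ == "__main__":
    warning, critical = default_thresholds(ASSUMED_MAX_ICAP["400-E and SG 510"])
    for slow_after in (60, 90):
        state, slow, dropped = evaluate(constructed_sample(), 170,
                                        slow_after, warning, critical)
        print(f"slow_after={slow_after}s state={state} "
              f"slow={len(slow)} dropped={dropped}")
```

With the 60-second default, the legitimate 70-second image download counts as slow and pushes the total to the critical threshold; at 90 seconds it does not, which is the trade-off Step 2 describes.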

Closed Network Setup

This page allows you to ensure the ProxyAV receives critical updates when connection to the Internet is not possible or allowable. Some options on this page redirect you to other settings in the ProxyAV Management Console.

Firmware update: After obtaining the firmware update and locating it on an internal server, enter the location on the Firmware Update page and select Direct update.
Antivirus update: Specify a custom location (internal server) that contains the latest AV update file. Click the set URL link to go to the Update Settings page.
Automatic license update: This is a status field. When Closed Network is enabled, this feature is disabled because no outside Internet connection is permitted. You must manually update any license changes (from the Licensing page).
Send troubleshooting information files: This is a status field. When Closed Network is enabled, this feature is disabled because no outside Internet connection is permitted.
Connectivity test: This is a status field. When Closed Network is enabled, this feature is disabled because no outside Internet connection is permitted.
Advanced DNS: This is a status field. When Closed Network is enabled, this feature is disabled because no outside Internet connection is permitted.
NTP: You can configure the ProxyAV to use internal NTP servers. Click Configure to go to the Network Time Protocol page.

After you click Closed Network, all of the settings display as Disabled, except for Antivirus update. To exit Closed Network status, you must manually set each feature on its respective Management Console page and click Save Changes.


These options are designed to help you resolve technical troubles with a ProxyAV.

Reload AV Engines
The ProxyAV reloads its current AV engine by stopping and restarting it. This is similar to rebooting the appliance, but is faster, because it reloads only the AV engine. Reloading the AV engine temporarily interrupts the TCP/IP traffic until the reload is complete.

Reload Drivers
The ProxyAV reloads its drivers. This is similar to rebooting the ProxyAV, but is faster. Use this option if you perform a configuration change that does not appear to be in effect. Reloading the drivers temporarily interrupts the TCP/IP traffic until the reload is complete.

Soft Reboot
This is the equivalent of resetting a computer. It physically reboots the machine. A new entry in the boot.log occurs. Performing a soft reboot temporarily interrupts the TCP/IP traffic until the reboot is complete.

These diagnostics create relatively large and detailed log files that provide information for troubleshooting certain network configurations. A Blue Coat Technical Support representative might ask you to invoke these internal diagnostics. This additional logging activity affects system performance; therefore, Blue Coat does not recommend using this option except at the request of Blue Coat Technical Support.

DNS Cache
These options allow you to view and clear the contents of the DNS cache.

Configuration Management
These options enable you to manage the ProxyAV configuration files.

Save Configuration: Saves the current ProxyAV configurations to a file.
Load Configuration: Loads ProxyAV configurations saved to a local file. Click Browse to navigate to the file. (Optional) Select Overwrite current IP configuration with the IP settings from uploaded file to use the IP definitions of the saved file. Click Upload and Apply.

Firmware Updates
The firmware updates represent changes to the functionality of the ProxyAV and can include new features, changes to the user interface, and optimizations for speed and reliability. You can manage update behavior:

Disable Firmware updates: The ProxyAV does not check for the latest update package and you cannot perform a manual update without first deselecting this option.
Check, but don't retrieve updates: The default. Once every four hours, the ProxyAV checks for package updates. If a newer software version is identified on the server, the information changes, but no update occurs. You must invoke the update manually (see below).
Check and retrieve update: At the specified interval, the ProxyAV checks for package updates. If a new software version is identified on the server, it is downloaded to the ProxyAV, but not installed. To install the update, click Update Now.
Direct update: If your network topology requires that the ProxyAV cannot be connected to the Internet, select this option and enter the URL (http://) of your internal server that serves as the repository for software updates.

Under Update Location, you can select Use Default for the default Blue Coat location, or enter a URL in the field (Default must be deselected).

The ProxyAV checks periodically (several times per day) for these updates. If one is available, the Update Now button becomes active. Because these updates might require a restart of the machine, which could block network traffic for up to three minutes, updates do not occur unless the administrator initiates the update. This allows the update to be performed at the most convenient time.

These updates are typically one to five MB in size, and might take a few minutes to download, depending on your Internet connection. The updates to software, firmware, or both are then performed, and the ProxyAV resets itself. Depending on the update, the reset might be just a reload of drivers or it could be a full restart of the machine. The entire process can take anywhere from 30 seconds to 3 minutes, excluding the download time.

Note: The ProxyAV continues to check for updated anti-virus engine and pattern files at the interval specified in the Update frequency field on the Antivirus > Update Settings page.

This page displays the contact information for Blue Coat Technical Support.

Copyright 1999-2008 Blue Coat Systems, Inc. All rights reserved worldwide.