Blue Coat® Systems Integration Guide
Integrating the ProxySG and ProxyAV Appliances
For SGOS 5.4 and AVOS 3.2

Contact Information
Americas: Blue Coat Systems Inc., 420 North Mary Ave, Sunnyvale, CA 94085-4121
Rest of the World: Blue Coat Systems International SARL, 3a Route des Arsenaux, 1700 Fribourg, Switzerland
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: [email protected]

Copyright© 1999-2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®, PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.

BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY "BLUE COAT") DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document Number: 231-03045
Document Revision: 5/2009 Rev. A
Table of Contents

Chapter 1: Introduction
    Stated Purpose
    Audience
    Supported Blue Coat Devices and Operating Systems
        Hardware Platforms
        Software Versions
    Chapter Reference
Chapter 2: Benefits of the Blue Coat Anti-Malware Solution
    About Web Malware
        Types of Malware
    The Blue Coat Anti-Malware Solution
        Malware Scanning Engines
        ICAP
        Response and Request Services
        Web Malware Data Flow
Chapter 3: Deployment
    ProxySG/ProxyAV With Direct Internet Access
    ProxySG/ProxyAV in a Closed Network
    Basic Deployment: One ProxySG to One ProxyAV
    Redundant Appliance Topologies
    Deployment Guidelines
    Deployment Workflow
        Configuring and Installing the ProxySG
        Configuring and Installing the ProxyAV
Chapter 4: Configuring the ProxySG and ProxyAV Appliances
    About the Tasks
    Task 1: Prepare the ProxyAV
    Task 2: Create the ICAP Service
    Task 3: Create Malware Scanning Policy
        Configuring ProxyAV Scanning Settings and Policies
        Configuring ProxySG Policy
    Task 4: Test the Anti-Malware Policy
Chapter 5: Monitoring ICAP Scanning
    Displaying ICAP Graphs and Statistics on the ProxySG
        Displaying ICAP Graphs on the ProxySG
        Displaying ICAP Statistical Data
    Monitoring ICAP-Enabled Sessions on the ProxySG
        Displaying Active ICAP-Enabled Sessions
    Viewing Statistics on the ProxyAV
    Creating Anti-Malware Reports in Blue Coat Reporter
Chapter 6: Additional Configuration
    Improving the User Experience
        About Data Trickling
        About Patience Pages
        Configuring ICAP Feedback
    Avoiding Network Outages due to Infinite Streaming Issues
    Getting Notified about Detected Viruses
        Selecting Alert Types
        Viewing the Alert Log
    Implementing Response and Request (Two-Way) ICAP
        Task 1: Define the ICAP Services
        Task 2: Create an ICAP Response Policy
        Task 3: Create an ICAP Request Policy
    Creating User-Based ICAP Policy
        Task 1: Create the ICAP Response Service
        Task 2: Create a Virus Scanning Rule (Web Content Layer)
        Task 3: Enable Web Authentication
        Task 4: Create Authorization Rules
Chapter 7: Load Balancing Between Multiple ProxyAV Appliances
    About Service Groups
        Load Balancing
        Weighting
    Creating an ICAP Service Group
    Creating Load Balancing Policy
Chapter 8: Configuring ProxyAV Failover
    About ProxyAV Failover
    Creating ProxyAV Failover Policy
Chapter 9: Configuration Best Practices
    Conserving Scanning Resources
        Solution A: No-Scan Policy
        Solution B: Scan-Until-Error Policy
    Determining Which File Types to Scan
        VPM Example: Including File Types
        VPM Example: Excluding File Types
        CPL Example: Including File Types
        CPL Example: Excluding File Types
    Best Practices for PDF Documents
    Avoiding Processing of Cancelled Connections
Chapter 10: Troubleshooting
    The ProxyAV isn't Scanning Web Traffic
    Users Can't Access Any Web Sites
    ProxySG Runs Out of Memory During Heavy Traffic Load
    Scans are Taking Too Long
    My ProxyAV isn't Getting Virus Updates

1 Introduction

Stated Purpose

This document provides conceptual information about malware threats, deployment guidelines and workflows, configuration steps for getting the ProxyAV and ProxySG to communicate with one another, and best practices to consider when deploying the integrated Blue Coat malware solution. This solution involves the deployment of Blue Coat ProxyAV appliances in the network to perform malware content scanning on Web responses and/or requests sent through ProxySG appliances.

This integration guide supplements existing product-specific guides. ProxySG and ProxyAV customers deploying an anti-malware solution will benefit from having configuration information in a single document. For details and instructions on each product, use the context-sensitive online help or refer to the following guides:
• Blue Coat ProxyAV Configuration and Management Guide (version 3.2)
• Blue Coat ProxySG Configuration and Management Suite (version 5.4)
• The product's installation or quick start guide

You can download these manuals from BlueTouch Online at: https://support.bluecoat.com/documentation

Audience

The intended audience for this document is current and potential customers seeking to understand the Blue Coat malware solution. This document assumes you are knowledgeable with basic network concepts and terminology. Basic familiarity with Blue Coat products is also recommended but not a prerequisite.

Supported Blue Coat Devices and Operating Systems

As of the production of this document, the integration guide covers the following Blue Coat products and software releases.

Hardware Platforms

ProxySG models: SG200-x (except 200-A), SG210, SG510, SG810, SG800-x, SG8000-x, SG8100
ProxyAV models: AV210, AV400-E, AV510, AV810, AV2000-E

Software Versions

This guide assumes the latest software versions are installed on the ProxySG (SGOS 5.4) and ProxyAV (AVOS 3.2). Some of the features (such as ICAP monitoring on the ProxySG) are not available in earlier versions. If a concept or feature is not compatible with a specific AVOS or SGOS release, it is so noted in the document. If you are consulting this document and your software is more current than the versions listed above, review the release notes for that release to learn about any new features not yet implemented in this document.

Chapter Reference

This document is structured to be read in its entirety before implementing the AV solution. Deployments not requiring redundancy can skip chapters 7 and 8.

This document contains the following chapters:
Chapter 1: Introduction
Chapter 2: Benefits of the Blue Coat Anti-Malware Solution
Chapter 3: Deployment
Chapter 4: Configuring the ProxySG and ProxyAV Appliances
Chapter 5: Monitoring ICAP Scanning
Chapter 6: Additional Configuration
Chapter 7: Load Balancing Between Multiple ProxyAV Appliances
Chapter 8: Configuring ProxyAV Failover
Chapter 9: Configuration Best Practices
Chapter 10: Troubleshooting

2 Benefits of the Blue Coat Anti-Malware Solution

This chapter includes conceptual information about malware and describes benefits of using the integrated Blue Coat anti-malware solution. It includes the following topics:
❐ About Web Malware—on page 2-2
❐ The Blue Coat Anti-Malware Solution—on page 2-4

About Web Malware

Although the AV in ProxyAV is an acronym for anti-virus, the ProxyAV does a lot more than scan for viruses. By detecting and blocking viruses, worms, trojans, and spyware, the ProxyAV secures rogue channels that threaten the enterprise network. These nefarious techniques use Web and secure Web access because they are typically permitted for legitimate business purposes.

How big of a problem is malware? In the last year alone, malware has increased fivefold. Malicious Web outbreaks cost enterprises millions of dollars per year in terms of repairing networks and lost productivity. A recent Google study on the prevalence of Web-based malware found 10 percent of the URLs examined successfully launched automatic installation of malware binaries, with 90 percent coming from trusted sites. The majority of malware comes from two vectors: hidden downloads in popular and trusted Web sites, often piggybacking on a user's trust of a known domain, and malware distribution through social networking, Web mail, peer-to-peer (P2P), and so on. Hackers are constantly creating new attacks.

When the ProxyAV is integrated with the ProxySG, you have two appliances that have been designed, tested, and manufactured for compatibility. You have the ProxyAV with its malware threat detection and the ProxySG with its extensive Web content controls. These appliances offer advanced malware detection at the gateway. In addition, the Blue Coat solution provides a layered malware defense.

Types of Malware

Malware is defined as software designed to infiltrate or damage a computer system without the owner's informed consent. It can be delivered via visits to a Web site, Web e-mail, peer-to-peer (P2P), or e-mail with attachments, and it can be downloaded from Web pages without a user's knowledge. The following table lists common types of malware.

Malware | Description
Adware | Software that automatically displays advertisements on a computer
Backdoor | A method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected
Downloader | A program that downloads and installs malicious software
MMC | Mobile malicious code. Software obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without the user's explicit installation. Examples of MMC include scripts, Java applets, ActiveX, Shockwave movies, Flash animations, and macros embedded within Microsoft Office documents.
Ransomware | Software that encrypts data in an unreadable format and then demands payment in exchange for the decryption key (the ransom)
Rootkit | A program designed to take fundamental control of a computer system, without authorization of the system's owners and legitimate managers. Root comes from the UNIX term "root" access, which is equivalent to administrator access in Windows.
Spyware | Computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's consent
Trojan horse | Software that appears to perform a desirable function but in fact performs undisclosed malicious functions. A computer worm or virus may be a Trojan horse.
Virus | A computer program that attaches itself to an existing program and can copy itself and infect a computer without a user's permission or knowledge
Worm | A self-replicating computer program that uses a network to send copies of itself to other nodes, without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.

The Blue Coat Anti-Malware Solution

The Blue Coat ProxySG and ProxyAV appliance solution leverages the benefit of a proxy/cache device integrated with a powerful scanning server that analyzes Web content for viruses, malware, and spyware before it is cached, thus preventing penetration into the network. The Blue Coat anti-malware solution is designed to prevent malicious code penetration with negligible network performance impact. Blue Coat achieves this with the ProxyAV software, which is designed for performance and security, combined with the power of the ProxySG proxy. Each appliance contains industry-leading technology that communicates together to form a cohesive integration.

All ProxySG and ProxyAV appliances are available in different capacities. With a proxy appliance architecture, scalability from a few dozen users to multiple thousands of users is attainable. Blue Coat provides sizing information to assist you with determining the correct combination of appliances to deploy.

Figure 2-1 ProxySG integrated with a ProxyAV (firewall, ProxySG, ProxyAV).

The ProxyAV appliance is designed to work specifically with the ProxySG proxy architecture. If an AV scanner must scan all cached and uncached content, performance suffers. The Blue Coat AV deployment provides a scan-once, serve-many benefit when scanning:
• Once an object is cached, it doesn't need to be scanned again until either the object contents change or the AV database changes. The AV database is a pattern file that allows anti-virus software to identify viruses. Whenever the database changes, the ProxyAV needs to rescan any requested objects that are in the cache, because the new database might know about viruses that the old database didn't.
• For a non-cacheable object, the ProxyAV scans the object and creates a fingerprint — a secure hash of the file's contents. The ProxyAV compares the file's fingerprint against a database of fingerprints that is constructed as a result of scanning objects. The object will not be scanned again unless either its fingerprint changes (indicating the content has changed) or the AV database changes. The ProxyAV retains a fingerprint and only resets it when there is a definition update; therefore, a cache timeout is not used to resend files.

The ProxyAV's scanning methods and capabilities provide three main benefits:
• Outbreaks are smaller.
• Containment is faster.
• Performance gain is attained by not scanning unchanged objects. Only a solution that understands Web scanning can implement this.

The integration of the ProxyAV with the ProxySG allows you to manage inbound (response) and outbound (request) communications. The power of the proxies allows you to implement malware scanning processes as follows:
• By customizing ProxySG policy, you determine what application protocols are allowed in your enterprise, then create policy that determines what type of content is sent for malware scanning. For example, you might decide GIF files represent a lower risk and instruct the ProxySG not to send them to the ProxyAV.
• Processing performance is optimized through different configuration options. You can set small and large object thresholds to differentiate between smaller, common Web objects and larger objects, such as content streams.
• Policy configured on both the ProxySG and ProxyAV allows you to determine what happens when an exception (error) occurs. You can allow content to continue to the client or deny the content.
• The final piece includes the user experience. The ProxySG allows you to display patience pages with custom messages to users when content scans exceed a customizable time limit. Furthermore, users are aware of exactly what is occurring on their desktops, thus reducing the number of IT help desk tickets.

Malware Scanning Engines

The ProxyAV supports the leading malware scanning engines, including:
• Kaspersky
• Sophos
• McAfee
• Panda

Blue Coat provides licenses from the above vendors, and you select one vendor for your malware scanning. When your vendor engine license is about to expire, Blue Coat provides the option to renew it or obtain an engine license from a different vendor.

ICAP

Blue Coat's ProxySG and ProxyAV appliances communicate using the Internet Content Adaptation Protocol (ICAP). The ProxySG is the ICAP client, and the ProxyAV is the ICAP server. As the ICAP client, the ProxySG delivers to the ICAP server the Web content that needs to be scanned. As the ICAP server, the ProxyAV provides content scanning, filtering, and repair service for Internet-based malicious code. The Blue Coat solution uses an enhanced ICAP+ version that offers improved performance, reliability, integrated reporting, data trickling, and detailed error/exception handling and reporting.

You can scan your data using plain ICAP, secure ICAP, or both. Plain ICAP is useful for scanning non-confidential data (HTTP). Secure ICAP sends data that may be confidential (HTTPS) through a secure data channel, so that decrypted HTTPS content is not exposed on the path between the ProxySG and the ProxyAV. Secure ICAP is available beginning with SGOS 5.3 and AVOS 3.2.

Response and Request Services

Two types of ICAP services are available: response and request. The ProxySG refers to these ICAP services as RESPMOD (response modification) and REQMOD (request modification). Most Web malware deployments involve the use of a response service. The response component refers to the client-requested information that is pending entrance to the cache and thus the network; that is, the response contains Web objects from the origin content server. Before this content is allowed into the network, the ProxyAV scans it for malicious code.

A request service is typically used to scan documents and Web mail attachments before users post them to servers (such as Gmail and Hotmail servers), thus preventing users from propagating malicious content they might unknowingly have on their desktops.

Web Malware Data Flow

Through configuration options and policy, you control and track (log) the various aspects of Web malware scanning, including the types of files scanned or ignored, exceptions for groups or protocols, the type of user feedback messages, and more. The following diagram illustrates, at a high level, the data flow in the Blue Coat Web anti-malware solution.

Figure 2-2 Basic Web malware data flow.

To eliminate threats to the network and to maintain caching performance, the ProxySG sends objects to the ProxyAV for checking and saves the scanned objects in its object store. With subsequent content requests, the appliance serves the scanned object rather than rescanning the same object for each request. If the content is verified as clean (and is also allowable by corporate policy), the client receives the Web objects that comprise the Web page. If malware scanning detects malicious content, the response is quarantined, the objects are not cached, the event is logged, and the client receives a message indicating that a virus was found.

3 Deployment

This chapter illustrates several deployment topologies for incorporating one or more ProxySG and ProxyAV appliances in your network. It also includes high-level guidelines and workflows for physically installing the appliances into your network. It includes the following topics:
❐ ProxySG/ProxyAV With Direct Internet Access—on page 3-2
❐ ProxySG/ProxyAV in a Closed Network—on page 3-3
❐ Redundant Appliance Topologies—on page 3-5
❐ Deployment Guidelines—on page 3-7
❐ Deployment Workflow—on page 3-8

ProxySG/ProxyAV With Direct Internet Access

In most enterprises, the ProxySG and ProxyAV are deployed with direct access to the Internet. The following diagram illustrates the ProxySG with ProxyAV architecture. The admin PC is used to perform configuration and policy changes on any Blue Coat appliance.

Figure 3-1 Blue Coat appliances deployed with direct Internet access for updates.

You can deploy the appliances in different combinations: one ProxySG to one ProxyAV, multiple ProxySG appliances to one ProxyAV, one ProxySG to multiple ProxyAV appliances, or multiple ProxySG appliances to multiple ProxyAV appliances. The ProxySG has the capability to load balance Web scanning between multiple ProxyAV appliances or to designate a sequence of ProxyAV appliances as failover devices should the primary ProxyAV go offline. Work with a Blue Coat sales engineer to determine the appropriate sizing for your enterprise.

ProxySG/ProxyAV in a Closed Network

For heightened security, some network architectures (particularly in government or military environments) prevent devices from having direct Internet access. The following diagram illustrates a closed network topography.

Figure 3-2 Blue Coat appliances deployed in a closed network.

Legend:
1: Retrieve the latest AV appliance firmware update file.
2: Retrieve the latest AV vendor pattern files.
3: Copy the files to an internal server connected to the AV appliance. Use a script to prepare the files (remove absolute links, for example).
4: Configure the AV appliance to retrieve the update files from the server (HTTP/URL).

Basic Deployment: One ProxySG to One ProxyAV

This basic deployment has one ProxySG and one ProxyAV and is suitable for a small enterprise or network segment.

Figure 3-3 One ProxySG to one ProxyAV.

This basic deployment is the easiest type of topology to configure and, because it doesn't require redundant appliances to be purchased, is the least expensive to deploy. However, due to its lack of redundancy, the basic deployment has the following limitations:
• No Web malware scanning if the ProxyAV goes down. Depending on the policy you implement on the ProxySG, when the ProxyAV fails, users either receive unscanned content or notices that the content cannot be delivered.
• No load balancing for ICAP scanning if the ProxyAV gets overwhelmed with ICAP requests.
• No failover if the ProxySG goes down.
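The scan-once, serve-many behaviour described in Chapter 2 (fingerprint the object, keep the verdict until the contents or the AV database change, never expire it on a timer) is easy to get subtly wrong, so here it is as an added example in Python. This is not Blue Coat code: the "engine" is a stand-in that matches byte patterns, the two definition versions are constructed, and the only real pattern is the EICAR anti-virus test string.

```python
"""Scan-once, serve-many verdict cache keyed on a content fingerprint and the
AV definition version, as described in Chapter 2.  Added example, not Blue
Coat code: the 'engine' below is a stand-in that only matches byte patterns."""
import hashlib
from dataclasses import dataclass, field

# The EICAR anti-virus test string (a real, harmless industry test pattern).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed stand-in for vendor pattern files: version 2 knows one more
# pattern than version 1, which is why a definition update forces rescans.
DEFINITIONS = {
    1: [EICAR],
    2: [EICAR, b"CONSTRUCTED-SAMPLE-PATTERN"],
}


def fingerprint(content: bytes) -> str:
    """Secure hash of the file contents; changed content means a new fingerprint."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class ScanCache:
    """Verdict store that persists until the definitions change (no TTL)."""
    definitions: int
    verdicts: dict = field(default_factory=dict)  # fingerprint -> "clean"/"infected"
    scans: int = 0                                # how many real scans were needed

    def update_definitions(self, version: int) -> None:
        """A new pattern file may know threats the old one did not, so every
        retained fingerprint is dropped and objects are rescanned on demand."""
        if version != self.definitions:
            self.definitions = version
            self.verdicts.clear()

    def check(self, content: bytes) -> tuple:
        """Return (verdict, scanned); scanned is False when served from the cache."""
        fp = fingerprint(content)
        if fp in self.verdicts:
            return self.verdicts[fp], False
        self.scans += 1
        patterns = DEFINITIONS[self.definitions]
        verdict = "infected" if any(p in content for p in patterns) else "clean"
        self.verdicts[fp] = verdict
        return verdict, True


def demo() -> list:
    """Walk through the three cases in the text: repeat request, changed
    content, and a definition update.  Returns the (verdict, scanned) trace."""
    cache = ScanCache(definitions=1)
    page = b"<html><body>quarterly report</body></html>"   # constructed clean object
    sample = b"<html>CONSTRUCTED-SAMPLE-PATTERN</html>"     # unknown to definitions v1
    trace = [
        cache.check(page),          # first request: scanned
        cache.check(page),          # same fingerprint: served without rescanning
        cache.check(page + b"\n"),  # one byte changed: new fingerprint, rescanned
        cache.check(sample),        # v1 patterns do not match: clean
    ]
    cache.update_definitions(2)
    trace.append(cache.check(sample))  # rescanned with v2 patterns: now infected
    trace.append(cache.check(page))    # the clean object is also rescanned once
    trace.append(cache.check(EICAR))   # the test string is caught by either version
    return trace
```

The fourth and fifth entries of the trace are the case the guide warns about: an object that was clean under the old pattern file is reported clean from the cache until the definitions change, at which point the fingerprint store is reset rather than aged out.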
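The ICAP and Response and Request Services sections describe the ProxySG as ICAP client and the ProxyAV as ICAP server, but not what actually crosses the wire. The following added example (not Blue Coat code) builds one RESPMOD exchange in plain RFC 3507 ICAP, not the ICAP+ extensions the guide mentions: the client side wraps an origin-server response in a RESPMOD request, the server side parses the Encapsulated offsets and chunked body, and replies 204 for clean content or 200 with a replacement response that the client then serves as the "virus found" message. The service URI, host name, block page and the single-pattern scanner are assumptions.

```python
"""One ICAP RESPMOD exchange as defined in RFC 3507: the ProxySG role wraps
an origin-server response in a RESPMOD request, the ProxyAV role scans the
encapsulated body and answers 204 (clean, unmodified) or 200 with a
replacement response.  Added example, not Blue Coat code; it speaks plain
RFC 3507 ICAP, not the ICAP+ extensions the guide mentions.  Service URI,
host names and the block page are assumptions."""

ICAP_URI = "icap://proxyav.example.net:1344/avscan"  # assumed service; 1344 is the ICAP default port
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BLOCK_PAGE = b"<html><body>The requested content contains a virus and was blocked.</body></html>"


def chunked(body: bytes) -> bytes:
    """ICAP encapsulated bodies are always chunked (RFC 3507 section 4.4.1)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"


def dechunk(data: bytes) -> bytes:
    out = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)      # ignore chunk extensions such as ieof
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]                        # skip chunk data and its CRLF


def parse_icap(message: bytes) -> tuple:
    """Split an ICAP request or response into (start line, headers, encapsulated bytes)."""
    head, _, rest = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def encapsulated_parts(headers: dict, rest: bytes) -> dict:
    """Slice the encapsulated section using the byte offsets in the
    Encapsulated header; each entity runs to the start of the next one."""
    entries = []
    for item in headers[b"encapsulated"].split(b","):
        name, _, offset = item.strip().partition(b"=")
        entries.append((name.decode(), int(offset)))
    parts = {}
    for i, (name, start) in enumerate(entries):
        end = entries[i + 1][1] if i + 1 < len(entries) else len(rest)
        parts[name] = rest[start:end]
    return parts


def build_respmod(req_hdr: bytes, res_hdr: bytes, res_body: bytes) -> bytes:
    """ICAP client side (the ProxySG's role).  Allow: 204 tells the server it
    may answer without sending the unchanged object back."""
    enc = "req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    head = ("RESPMOD %s ICAP/1.0\r\nHost: proxyav.example.net\r\nAllow: 204\r\n"
            "Encapsulated: %s\r\n\r\n" % (ICAP_URI, enc)).encode()
    return head + req_hdr + res_hdr + chunked(res_body)


def icap_server_respmod(request: bytes, pattern: bytes = EICAR) -> bytes:
    """ICAP server side (the ProxyAV's role) with a stand-in scanner that only
    matches one byte pattern; the protocol handling is the point here."""
    start, headers, rest = parse_icap(request)
    if not start.startswith(b"RESPMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n"
    body = dechunk(encapsulated_parts(headers, rest)["res-body"])
    if pattern not in body:
        return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
    new_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
               b"Content-Length: %d\r\n\r\n" % len(BLOCK_PAGE))
    enc = b"res-hdr=0, res-body=%d" % len(new_hdr)
    return b"ICAP/1.0 200 OK\r\nEncapsulated: " + enc + b"\r\n\r\n" + new_hdr + chunked(BLOCK_PAGE)


def icap_client_outcome(response: bytes, res_hdr: bytes, res_body: bytes) -> tuple:
    """What the ICAP client serves to the browser: the original response on
    204, the server's replacement (the virus-found message) on 200."""
    start, headers, rest = parse_icap(response)
    status = int(start.split()[1])
    if status == 204:
        return "clean", res_hdr, res_body
    if status != 200:
        raise RuntimeError("ICAP error %d" % status)  # ProxySG policy decides: fail open or closed
    parts = encapsulated_parts(headers, rest)
    return "blocked", parts["res-hdr"], dechunk(parts["res-body"])
```

A REQMOD exchange has the same shape with `req-hdr` and `req-body` entities and no response headers, which is why the guide can treat request scanning of uploads as a second service on the same server. The `RuntimeError` branch is where the ProxySG's exception policy (allow the content through or deny it) would be applied.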
Redundant Appliance Topologies

Larger enterprises may require redundancy in the network: multiple ProxySG and/or multiple ProxyAV appliances. Redundant appliances address the limitations of the single-ProxyAV/single-ProxySG deployment. The most common type of redundant topology in a Blue Coat integrated deployment is multiple ProxyAV appliances with a single ProxySG. The ProxySG can load balance Web scanning between multiple ProxyAV appliances or designate a sequence of ProxyAV appliances as failover devices should the primary ProxyAV go offline.

Figure 3-4 One ProxySG to multiple ProxyAV appliances.

For configuration details, see:
❐ Chapter 7: Load Balancing Between Multiple ProxyAV Appliances
❐ Chapter 8: Configuring ProxyAV Failover

Similarly, secondary ProxySG appliances can be configured as failover devices should the primary ProxySG go down, or they can provide further proxy support in the network. Enterprises that need ProxySG failover, without redundant ProxyAV appliances, might use the following type of topology.

Figure 3-5 Multiple ProxySG appliances to one ProxyAV.

For information on configuring failover on the ProxySG, refer to the ProxySG Configuration and Management Suite (Volume 1: Getting Started and Volume 5: Advanced Networking).

Enterprises with hundreds to thousands of users require the processing power of multiple ProxySG and ProxyAV devices, working together to provide efficient scanning power plus failover capability.

Figure 3-6 Multiple ProxySG appliances to multiple ProxyAV appliances.

Deployment Guidelines

When planning the installation of your Blue Coat appliances, consider the following deployment guidelines:
• Blue Coat recommends that all ProxySG appliances reside on the same subnet as the ProxyAV appliances they are clients to. This includes multiple ProxySG appliances sharing multiple ProxyAV appliances. Make sure to keep the ProxyAV physically and logically close to the ProxySG. Although you can put the ProxyAV in California and the ProxySG in New York, performance will suffer. It is recommended that the ProxyAV be on the next-hop VLAN, but this is not required.
• The ProxyAV must have access to the Internet for system and pattern file updates. In a closed network, you need to download these files from a system that has Internet access and then copy them to an internal server connected to the AV appliance; the ProxyAV must then be configured to retrieve the update files from this server. See "ProxySG/ProxyAV in a Closed Network" on page 3-3.
• The ProxyAV can use the ProxySG as a proxy for downloading pattern file and firmware updates.
• The ProxySG can be deployed in explicit or transparent mode. In explicit mode, each client Web browser is explicitly configured to use the ProxySG as a proxy server. In transparent mode, the client Web browser does not know the traffic is being processed by a machine other than the origin content server. Transparent proxy requires that you use a bridge, a Layer-4 switch, or Web Cache Communication Protocol (WCCP) to redirect traffic to the ProxySG.

Deployment Workflow

Before installing the ProxyAV, you should install the ProxySG in the network and verify that it is functioning properly as a secure Web gateway. Once you have done tests to determine that the ProxySG is performing as expected, you can proceed with the ProxyAV installation and configuration.

Configuring and Installing the ProxySG

The following procedure provides high-level steps for performing the initial configuration and physical installation of the ProxySG. Novice ProxySG users may need to refer to the ProxySG Quick Start Guide for specific steps.

Step 1 With a serial console connection, run the initial setup wizard to configure the ProxySG with basic network settings. See the ProxySG Quick Start Guide for specific steps.

Step 2 Rack mount the ProxySG and connect the appliance to the network.

Step 3 Register and license the ProxySG. Your ProxySG ships with a temporary (60-day) license; you can register your appliance at any time during that period. To register and license your ProxySG:
a. Open a Web browser and navigate to: https://support.bluecoat.com/licensing
b. Enter your BlueTouch Online credentials.
c. Follow the instructions to register your appliance and download a license.

Step 4 Log in to the ProxySG Management Console.
a. Open a Web browser.
b. Enter the IP address you assigned to the ProxySG followed by port number 8082. For example: https://<ProxySG-IP-address>:8082

Step 5 Verify a successful configuration. In the Management Console:
a. Select Statistics > Summary > Efficiency.
b. Click the Device tab and make sure the ProxySG health status is green (OK).
c. Verify that each configured interface is up.
d. Verify connectivity to the DNS server and other external devices.

Step 6 If necessary, upgrade to SGOS 5.4. This Integration Guide assumes the ProxySG is running SGOS 5.4.
a. Select Maintenance > Upgrade.
b. See Volume 9: Managing the Blue Coat ProxySG Appliance, Chapter 3: Maintaining the ProxySG, for the upgrade procedure.

Step 7 Verify that the ProxySG is seeing network traffic.
a. Select Configuration > Services > Proxy Services and set the service for the traffic you want to scan to intercept.
b. Add a rule in the Web Access layer to allow this traffic, and install the policy.
c. Make sure there are clients running traffic.
d. Select Statistics > Sessions > Active Sessions. The Proxied Sessions table should list the active sessions of current traffic.
For details. refer to the ProxySG Configuration and Management Suite. Note: The browser must be explicitly or transparently redirected to the ProxySG appliance. Open the Visual Policy Manager (Configuration > Policy > Visual Policy Manager > Launch) and create a Web access layer that allows the Explicit HTTP service name.Deployment Deployment Workflow Configure and Install the ProxySG Step 6 Set the Explicit HTTP proxy service a. c. Step 8 If necessary. Click Show. Select Firmware Update.2. e.2. d. Click Register. disk drive(s). upgrade to AVOS 3. Step 5 If necessary. Open a Web browser. Use a serial console connection or the buttons on the ProxyAV front panel. insert the See the ProxyAV Quick Start Guide for specific steps. Console.2. Enter your activation code from the e-mail received from Blue Coat. Enter your WebPower (or BlueTouch Online) credentials. Step 2 Configure the ProxyAV with basic network settings. For example: https://192. 3 . Step 3 Log in to the ProxyAV Management a. you can configure them to work together. This Integration Guide assumes the ProxyAV is running AVOS 3.0. Click Register ProxyAV. b. Enter the IP address you assigned to the ProxyAV followed by port number 8082. Now that the two Blue Coat appliances are installed on the same subnet. c.Deployment Workflow Deployment Configuring and Installing the ProxyAV The following procedure provides high-level steps for performing the initial configuration and physical installation of the ProxyAV.3:8082 Select Licensing. Proceed to the next chapter. The ProxyAV installation should be done after the ProxySG installation. a. Configure and Install the ProxyAV Step 1 Rack mount the ProxyAV.10 Integrating the ProxySG and ProxyAV Appliances . Step 4 Activate the license on the appliance. and power on the ProxyAV. connect the appliance to the network. a. b. 
4 Configuring the ProxySG and ProxyAV Appliances

This chapter provides the configuration steps required to integrate the ProxySG and ProxyAV to perform Web malware scanning. It includes the following topics:
❐ About the Tasks—on page 4-2
❐ Task 1: Prepare the ProxyAV—on page 4-3
❐ Task 2: Create the ICAP Service—on page 4-4
❐ Task 3: Create Malware Scanning Policy—on page 4-8
❐ Task 4: Test the Anti-Malware Policy—on page 4-14

About the Tasks

As described in Chapter 2, there are two types of anti-malware scanning services: response and request. Response services scan Web content requested by clients (users). The most common deployment is scanning incoming data and downloads (responses to users’ requests), which requires a response service. The tasks in this section describe this deployment.

Implementing the Blue Coat Web anti-malware scanning solution requires the following tasks:

Task 1: On the ProxyAV, specify the ICAP service name and configure secure ICAP (if desired). See “Task 1: Prepare the ProxyAV” on page 4-3.
Task 2: On the ProxySG, create an ICAP response service to communicate with the ProxyAV. See “Task 2: Create the ICAP Service” on page 4-4.
Task 3: On the ProxyAV, configure scan settings. On the ProxySG, create policy for the ICAP service. See “Task 3: Create Malware Scanning Policy” on page 4-8.
Task 4: Make sure the policies are working correctly. See “Task 4: Test the Anti-Malware Policy” on page 4-14.

Task 1: Prepare the ProxyAV

The following steps prepare the ProxyAV for communication with the ProxySG. Note that the default settings work fine in most situations.

Prepare the ProxyAV

Step 1 Log in to the ProxyAV Management Console.

Step 2 Name the ICAP service.
a. Select ICAP Settings.
b. In the Antivirus Service Name field, enter a name that identifies the service. In most deployments, you will use this name to help identify the ProxyAV when configuring the ProxySG.
c. Click Save Changes.

Step 3 (Optional) Use a secure ICAP connection between the ProxyAV and the ProxySG. This is a two-step process that requires a configuration selection on the ProxySG, which is performed during Task 2. Note: This feature requires AVOS 3.x and SGOS 5.x and later releases.
a. Select ICAP Settings.
b. In the ICAP Server Ports area, select secure.
c. Accept the default keyring or select a keyring you have created. Note: To create a keyring, go to Advanced > SSL Keyrings on the ProxySG.
d. In most deployments, the default secure port (11344) is acceptable. If you change the port, you must specify the same port during the ProxySG configuration in Task 2.

Step 4 Save the settings. Click Save Changes.

Task 2: Create the ICAP Service

The ProxySG must be configured to communicate with the ProxyAV as an ICAP client. Once this is configured, the ProxySG forwards the first portion of the Web object to the ProxyAV to determine if malicious code is present, before caching and serving a response from the origin content server.

Create the ProxySG ICAP Service

Step 1 Log in to the ProxySG Management Console.

Step 2 Create a new ICAP service.
a. Select Configuration > External Services > ICAP > ICAP Services.
b. Click New.
c. Assign a descriptive name to the service.
d. Click OK. The new ICAP object displays in the services list.

Step 3 Edit the new service.
a. Highlight the new ICAP service name.
b. Click Edit. The Edit ICAP Service dialog displays.

Step 4 Configure the service communication options.
a. In the Service URL field, enter the URL of the ProxyAV. The URL includes the scheme, the ProxyAV’s hostname or IP address, and the ICAP service name. For example: icap://10.10.10.10/avscan
b. Maximum number of connections specifies the maximum possible connections at any given time that can occur between the ProxySG and the ProxyAV. The range is 1 to 65535. Do not change this value—use the Sense settings button to get the correct value that your platform supports.
c. In the Connection timeout field, enter the number of seconds the ProxySG waits for replies from the ProxyAV. The default timeout is 70 seconds, but you will likely want it set to a higher value because large (several hundred MB) archives can easily take more than 70 seconds. If the ProxyAV gets a large file that takes more than the configured timeout to scan, the ProxySG will close the connection and the user will not get the file. The value you enter for the timeout is related to the maximum file size configured on the ProxyAV: larger file sizes require longer to scan, so the connection timeout should be higher. If you allow only 100 MB file sizes, 70 seconds would be a sufficient timeout value. But if you allow 2 GB files, a timeout value of 70 would be too low.
d. Select Notify administrator when virus detected to send an e-mail to the administrator if the ICAP scan detects a virus. The notification is also sent to the Event Log and the Event Log e-mail list. Note that the ProxyAV also has settings for notifying administrators when a virus is detected; this configuration is explained in "Getting Notified about Detected Viruses" on page 6-7.
e. Select Use vendor’s “virus found” page to display the default vendor error exception page to the client instead of the ProxySG exception page.
f. Select Defer scanning at threshold to set the threshold at which the ProxySG defers the oldest ICAP connection that has not yet received a full object. By default, the deferred scanning threshold is disabled when an ICAP service is created. When enabled, the defer scanning threshold defaults to 80 percent. For more information about scanning deferral, see "Avoiding Network Outages due to Infinite Streaming Issues" on page 6-5.

Step 5 Configure service ports for plain ICAP (Step 5a) and/or secure ICAP (Step 5b). You can enable one or both types of ICAP connections at the same time. Use plain ICAP when you are scanning plain data (HTTP). Use secure ICAP if you are scanning sensitive or confidential data (HTTPS). In this case, if the HTTPS proxy is enabled on the ProxySG, the data is decrypted first on the ProxySG and then sent to the ICAP server.

Step 5a Configure service ports for plain ICAP.
a. Select This service supports plain ICAP connections.
b. In the Plain ICAP port field, enter a port number, and select enabled. The default port is 1344.

Step 5b Configure service ports for secure ICAP.
a. Select This service supports secure ICAP connections to use secure ICAP.
b. In the Secure ICAP port field, enter a port number, and select enabled. The default port is 11344.
c. Make sure that you select a valid SSL profile for secure ICAP in the SSL Device Profile field. This associates an SSL device profile with the secure ICAP service.

Step 6 Select the ICAP method. Select response modification.

Step 7 Determine whether you need to use the preview feature. The ProxyAV reads the object up to the specified byte total, and then either continues with the transaction (that is, receives the remainder of the object for scanning) or opts out of the transaction.
• If you are using file scanning policies based on file extensions on the ProxyAV, enter 0 in the Preview size (bytes) field. With a 0 bytes preview size, only response headers are sent to the ProxyAV; more object data is only sent if requested by the ProxyAV.
• If you have enabled the Kaspersky Apparent Data Types feature on the ProxyAV, enter a value (512 is recommended) in the Preview size (bytes) field.
• Unselect enabled if the above two situations don’t apply to you. In this case, do not use the preview option.

Step 8 Determine the maximum number of connections that your ProxySG/ProxyAV can support.
a. Click Sense settings.
b. Click OK to confirm. If the Sense settings command was able to retrieve the settings from the ProxyAV, a message confirming this displays.
c. Click OK.
d. Click OK to confirm your changes.

Step 9 Refresh your browser to see the maximum number of connections that were “sensed.”
a. Click your browser’s refresh button.
b. Edit the response service you created and look at the value that was entered for Maximum number of connections.

At this point, the ProxyAV and ProxySG are configured to communicate with one another. To verify that the two appliances are communicating, look at the ICAP service health check on the ProxySG.

Verify Communication Between the ProxySG and ProxyAV

Step 1 Log in to the ProxySG Management Console.

Step 2 Check the status of the ICAP service.
a. Select Statistics > Health Checks.
b. For the icap.response service, look at the State. If the appliances are communicating, the State shows the health check passing; if the appliances aren’t communicating, the State shows the health check failing.

If the ICAP health check failed:
• Go through Tasks 1 and 2 again and verify that you have followed the configuration steps properly.
• Verify that the ProxySG and ProxyAV have the same ICAP service ports. On the ProxySG, go to Configuration > External Services > ICAP > Edit. On the ProxyAV, go to ICAP Settings.
• Make sure the ProxyAV has a valid license.
• Make sure the ProxySG and ProxyAV are on the same subnet.
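The service URL, port and preview settings configured in Task 2 are easier to reason about when you see the ICAP messages they produce. The following Python is an added example written for this guide; it is not Blue Coat code and describes no ProxySG or ProxyAV internal API. It builds an RFC 3507 RESPMOD request the way an ICAP client such as the ProxySG would, with the Preview size deciding how much of the object goes out before the scanner answers, and classifies the reply (204 unmodified, 200 modified or blocked page, 100 send the rest). The HTTP headers, body, ISTag value, host www.example.test and the two ICAP replies are constructed samples.

```python
"""ICAP RESPMOD on the wire: request builder and reply classifier (RFC 3507).
Added example for this guide; constructed sample data, not appliance output."""
from typing import Optional
from urllib.parse import urlsplit

CRLF = b"\r\n"
DEFAULT_PLAIN_PORT = 1344  # plain ICAP default; secure ICAP (11344, TLS) is not modelled


def build_respmod(service_url: str, req_hdr: bytes, res_hdr: bytes,
                  body: bytes, preview: Optional[int]) -> bytes:
    """Build the RESPMOD request an ICAP client sends for one HTTP response.

    preview=None : preview disabled, the whole body is sent chunked.
    preview=0    : headers only; the body follows only after "100 Continue".
    preview=N    : the first N body bytes are sent; "0; ieof" marks a body
                   that fit entirely inside the preview window.
    req_hdr/res_hdr must each end with a blank line (CRLF CRLF).
    """
    parts = urlsplit(service_url)
    if parts.scheme != "icap" or not parts.hostname:
        raise ValueError("service URL must look like icap://host[:port]/service")
    port = parts.port or DEFAULT_PLAIN_PORT
    # Encapsulated gives the byte offset of each section within the message body.
    encapsulated = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
                    f"res-body={len(req_hdr) + len(res_hdr)}")
    lines = [f"RESPMOD {service_url} ICAP/1.0",
             f"Host: {parts.hostname}:{port}",
             "Allow: 204",                # we accept "204 No Content" = unmodified
             f"Encapsulated: {encapsulated}"]
    if preview is not None:
        lines.append(f"Preview: {preview}")
    head = CRLF.join(line.encode() for line in lines) + CRLF + CRLF

    if preview is None:
        chunk, terminator = body, b"0" + CRLF + CRLF
    else:
        chunk = body[:preview]
        fits = len(body) <= preview
        terminator = (b"0; ieof" if fits else b"0") + CRLF + CRLF
    chunked = (f"{len(chunk):x}".encode() + CRLF + chunk + CRLF) if chunk else b""
    return head + req_hdr + res_hdr + chunked + terminator


def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP reply into status code, headers and encapsulated payload."""
    head, _, payload = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    version, code, *_ = status_line.decode("ascii").split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(code), "headers": headers, "payload": payload}


def classify(reply: dict) -> str:
    """What the ICAP client does next, keyed on the reply status."""
    return {100: "send-remaining-body",   # preview was not enough, continue
            204: "serve-original",        # clean, object unmodified
            200: "serve-modified"         # e.g. the vendor's virus-found page
            }.get(reply["status"], "error")


# --- constructed sample data (not captured from real appliances) ---
REQ_HDR = b"GET /download/sample.bin HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
RES_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: 68\r\n\r\n")
BODY = b"\x00" * 68
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "pattern-2009-03-12"\r\n\r\n'
BLOCKED_REPLY = (b'ICAP/1.0 200 OK\r\nISTag: "pattern-2009-03-12"\r\n'
                 b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
                 b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
                 b"14\r\n<h1>Virus found</h1>\r\n0\r\n\r\n")


def demo() -> dict:
    """Show how the preview setting changes the first message on the wire."""
    url = "icap://10.10.10.10/avscan"
    return {
        "preview_off": build_respmod(url, REQ_HDR, RES_HDR, BODY, None),
        "preview_0": build_respmod(url, REQ_HDR, RES_HDR, BODY, 0),
        "preview_512": build_respmod(url, REQ_HDR, RES_HDR, BODY, 512),
        "clean": classify(parse_icap_response(CLEAN_REPLY)),
        "blocked": classify(parse_icap_response(BLOCKED_REPLY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value if isinstance(value, str) else value[:160])
```

Running it shows that with a preview size of 0 only the HTTP headers leave the proxy, which is what the extension-based ProxyAV policy in Step 7 needs, while a 512-byte preview carries enough of the object for a content-based decision. The connection timeout in Step 4 bounds how long the client waits for the 204 or 200 reply after the whole body has been sent, which is why it has to grow with the maximum file size allowed on the ProxyAV.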
Task 3: Create Malware Scanning Policy

Although the ProxySG and ProxyAV can now communicate with each other, the ProxySG does not yet know what traffic to send to the ProxyAV. Use the Visual Policy Manager (VPM) tool to define the scanning policy; advanced users can use Content Policy Language (CPL). By the term policy, Blue Coat means any configuration—either on the ProxySG or the ProxyAV—that impacts malware scanning. Implementing policy involves configurations on both Management Consoles:
• ProxyAV Management Console: Determine maximum scannable file sizes, ignore files with specified file extensions, and determine what is sent to the ProxySG, including results, when exceptions occur.
• ProxySG Management Console: In most enterprise deployments, the default is to scan all Web sites and objects, and to create exception rules for specific groups or content types and locations as required.

Before you begin implementing policy, create a plan that answers the following questions:
• What sites are not to be scanned (for example: intranet sites)?
• What objects are not to be scanned (for example: GIF files)?
• What policy is implemented if the ProxyAV becomes unavailable (for example: deny or allow all requests not scanned)?
• What message is displayed when a virus is found?
• What policy is implemented when the object could not be scanned (for example, password protected files cannot be scanned)?
• Is this policy specific to users or groups of users?

Configuring ProxyAV Scanning Settings and Policies

The ProxyAV Management Console provides several options that allow you to set scanning thresholds and determine what happens when an exception—or event outside a normal scan process—occurs.

Configure Scanning Settings on the ProxyAV

Step 1 Log in to the ProxyAV Management Console.

Step 2 Display the Scanning Behavior page.
a. Select Antivirus.
b. Click the Scanning Behavior link.

Step 3 Enable heuristic parameters. When the Heuristic Parameters option is enabled, the AV appliance learns about traffic patterns on your network and adjusts accordingly to increase performance. After an initial learning period, the ProxyAV should be able to accelerate about 15 to 30 percent of the network’s traffic. The learning process restarts whenever a new virus pattern file or an updated scanning engine is downloaded. Because of the benefits it offers, Blue Coat recommends that you leave Heuristic Parameters at its default setting (enabled).

Step 4 Enable/disable extended options. The option names in the Extended options section vary according to the AV vendor engine you are using. Most options are associated with spyware/malware. For Kaspersky, Detect Adware is enabled by default. It can be deselected, but it cannot be selected without selecting Detect Spyware. Regardless of the option name, the behavior is as follows:
Enabled: Scanning stops after the first instance of a virus or spyware.
Disabled: Scanning stops only after the first instance of a virus, not spyware.

Step 5 Define a file scanning timeout value. Some files, while not viruses themselves, are designed to disable a virus scanner. Although these files cannot disable a ProxyAV, they can use up system resources and slow down overall throughput. Defining a timeout value allows the ProxyAV to reclaim those resources. Blue Coat recommends that you use the default value (800 seconds). If long scans are a problem, implement the best practices for conserving scanning resources discussed in Chapter 9, “Configuration Best Practices.”
Step 6 Impose limits on the file sizes and numbers allowed to be scanned. The ProxyAV scans objects unless the file exceeds any of the following limitations:
• Maximum individual file size: An individual file size cannot exceed the specified size. This limitation also applies to each file within an archive. Dependent upon the RAM and disk size of the different AV appliance platforms, the maximum individual file size that can be scanned is as follows:
– Blue Coat AV210: 768 MB
– Blue Coat AV510: 768 MB
– Blue Coat AV810: 2 GB
• Maximum total uncompressed size: An uncompressed file or archive cannot exceed the specified size. The maximum is:
– Blue Coat AV210: 3 GB
– Blue Coat AV510: 3 GB
– Blue Coat AV810: 4 GB
• Maximum total number of files in archive: An archive cannot contain more than the specified number of files. The maximum is 100,000.
• Maximum archive layers: An archive cannot contain more than the specified number of layers. The maximum number of layers for each AV engine is:
– Panda: 30
– McAfee: 300
– All others: 100

Step 7 Define how the ProxyAV behaves when a timeout or other scanning error occurs. Policies for Antivirus exceptions:
• If Block is selected for an error type, the file is dropped.
• If Serve is selected, the file is passed on to the client, unscanned. This is the default for all options.

Step 8 Save the settings. Click Save Changes.

Configuring Policies for File Types

The AV appliance is able to identify various file types, including graphics (such as JPG and GIF files), Microsoft application files, Adobe PDF files, and archive files, based on file contents. The Apparent Data Types feature allows you to determine what is blocked, scanned, and served unscanned. For example, even if an EXE file is renamed with an “innocent” file extension (such as JPG), the ProxyAV will inspect the file contents, determine that the file is actually an executable file, and apply the appropriate policy for EXE files.

Configure Scanning Behavior Based on File Contents

Step 1 Enable inspection of file contents. This option is available only if you have selected the Kaspersky or Sophos AV engine.
a. On the Scanning Behavior page, click the Policies for file types link. The Policies For File Types page displays. The Apparent Data Types option is at the top.
b. Select Enabled.

Step 2 Enable other options.
• (Kaspersky only) Select True type of container to enable recognition of individual files in compound files. When this feature is enabled, the AV appliance recognizes all files within an archived or compound Microsoft file. If any individual files in these compound files are specified to be blocked, the entire compound file is blocked. For example, a ZIP file contains Word files and JPG files; by policy, Word files are allowed, but JPG files are to be blocked. Therefore, the entire ZIP file is blocked. Furthermore, when an unknown file is detected within a container: if this option is enabled, unknown files within containers are scanned; if this option is disabled, the unknown policy is applied to the entire container file.
• (Sophos only) Select Detect weak types to enable recognition of file types that otherwise might be difficult for the ProxyAV to identify with 100 percent confidence.

Step 3 Specify policy for each file type. For each file type, select one of the following:
• Don’t scan: The file is served back to the ProxySG without malware scanning.
• Scan: The ProxyAV scans the object for malicious content and returns the content or a modified response to the ProxySG.
• Block: No scanning occurs and the ProxyAV returns a response to the ProxySG that the file was blocked (code type: file_type_blocked).

Step 4 Save the settings. Click Save Changes.

Configuring Scanning Behavior Based on File Extensions

To accelerate the scanning process, you can specify scanning behavior based on file name extension. You can block certain file extensions (ones that are notorious for containing viruses) or choose to never scan certain file types (low-risk ones that are unlikely to contain viruses). Although you can configure file extension scanning policy on either appliance, it is preferable to configure this type of policy on the ProxySG. That way, the ProxySG doesn’t waste resources sending files to the ProxyAV that you don’t want scanned. If you configure the file extension policy on the ProxyAV, the ProxySG will send all file types to the ProxyAV, and the ProxyAV policy determines which files to scan; this method isn’t as efficient. For instructions on configuring file extension policy on the ProxySG, see Chapter 9, “Configuration Best Practices.”

Note: Although file extension scanning policy can increase performance, it can present security risks. Unlike the Apparent Data Type feature, the File Extensions feature does not inspect the file contents, so it is possible to disguise an EXE virus with an apparently innocuous file extension (such as TIF).

The procedure below explains how to configure scanning behavior based on file extensions.

Configure Scanning Behavior Based on File Extensions

Step 1 Indicate which file extensions to block and not serve to the client.
a. On the Scanning Behavior page, click the Policies for file types link. The Policies For File Types page displays.
b. Locate the File extensions section.
c. In the Block files having extensions field, enter each file extension that should be blocked, separated by semicolons. For example: .exe;.vbs

Step 2 Indicate which file extensions needn’t be scanned because they are unlikely to contain viruses. In the Don’t scan files having extensions field, enter each file extension that you don’t want to be scanned, separated by semicolons. For example: .gif;.tif. These file types will be served to the client without any attempt at scanning.

Step 3 Save the settings. Click Save Changes.

Configuring ProxySG Policy

Use the Visual Policy Manager (VPM) to configure policy on the ProxySG.

Configure the ICAP Response Policy

Step 1 Log in to the ProxySG Management Console.

Step 2 Launch the VPM.
a. Select Configuration > Policy > Visual Policy Manager.
b. Click Launch. The VPM appears in a new window.

Step 3 Create a Web content layer.
a. Select Policy > Web Content Layer.
b. Assign a descriptive name to the layer (for example, AVresponse).
c. Click OK.

Step 4 Create an action for the rule.
a. Right-click the Action column.
b. Select Set. The Set Action Object dialog displays.
c. Click New.
d. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 5 Configure the response service object.
a. Select Use ICAP response service.
b. In the Available Services list, select the response service (created in Task 2) and click Add.
c. Select Deny the client request. This option doesn’t serve Web content when an error occurs during processing (for example, if the ProxyAV is down and scanning cannot be completed). The alternative (Continue without further ICAP response processing) is less secure, but it doesn’t block network access if the ICAP server goes down.
d. Click OK; click OK again to add the object.

Step 6 Install the policy.
a. Click Install Policy.
b. Close the VPM window.
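To make the difference between the two ProxyAV policy mechanisms concrete, here is an added Python example written for this guide; it is not ProxyAV code and does not reproduce any vendor engine. It classifies an object by its leading bytes (the public file signatures of EXE, PDF, GIF, JPG, TIF, ZIP and OLE2 Office documents), applies a per-type policy the way the Policies For File Types page would, applies a file-extension policy the way the File Extensions fields would, and, for ZIP archives, applies the True type of container rule that one blocked member blocks the whole archive. The policy tables and sample objects are constructed; the executable-looking sample is only a header followed by zero padding.

```python
"""Extension-based vs content-based (Apparent Data Types) file policy.
Added example for this guide; policy tables and sample objects are constructed."""
import io
import os
import zipfile

# Well-known leading byte signatures ("magic") used to derive the apparent type.
MAGIC = [
    (b"MZ", "EXE"),                                     # DOS/PE executable
    (b"%PDF-", "PDF"),
    (b"GIF87a", "GIF"), (b"GIF89a", "GIF"),
    (b"\xff\xd8\xff", "JPG"),
    (b"II*\x00", "TIF"), (b"MM\x00*", "TIF"),
    (b"PK\x03\x04", "ZIP"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "MSOFFICE"),  # OLE2 compound document
]

# File-extension policy, as typed into the two File extensions fields (constructed).
EXT_BLOCK = {".exe", ".vbs"}        # "Block files having extensions"
EXT_DONT_SCAN = {".gif", ".tif"}    # "Don't scan files having extensions"

# Per-type policy, as chosen on the Policies For File Types page (constructed).
TYPE_POLICY = {"EXE": "block", "GIF": "dont_scan", "TIF": "dont_scan",
               "JPG": "scan", "PDF": "scan", "ZIP": "scan",
               "MSOFFICE": "scan", "UNKNOWN": "scan"}


def apparent_type(data: bytes) -> str:
    """Classify by the first bytes of the object, ignoring its name."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "UNKNOWN"


def extension_policy(filename: str) -> str:
    """The File Extensions rule: looks only at the name, never at the content."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXT_BLOCK:
        return "block"
    if ext in EXT_DONT_SCAN:
        return "dont_scan"
    return "scan"


def content_policy(data: bytes) -> str:
    """The Apparent Data Types rule: policy follows the real type."""
    return TYPE_POLICY[apparent_type(data)]


def container_policy(data: bytes) -> str:
    """'True type of container' behaviour for ZIP archives: every member is
    classified by content and one blocked member blocks the whole archive.
    (Other container formats and the unknown-member option are not modelled.)"""
    if apparent_type(data) != "ZIP":
        return content_policy(data)
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        decisions = {content_policy(archive.read(info)) for info in archive.infolist()}
    return "block" if "block" in decisions else "scan"


def decide(filename: str, data: bytes) -> dict:
    """Side-by-side verdicts for one object."""
    return {"apparent_type": apparent_type(data),
            "by_extension": extension_policy(filename),
            "by_content": container_policy(data)}


# --- constructed sample objects ---
def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buf.getvalue()


REAL_TIFF = b"II*\x00" + b"\x00" * 60
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60             # executable header, zero padding
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
MIXED_ZIP = make_zip({"report.doc": OLE_DOC, "notes.txt": RENAMED_EXE})
CLEAN_ZIP = make_zip({"report.doc": OLE_DOC, "logo.gif": b"GIF89a" + b"\x00" * 16})

if __name__ == "__main__":
    for name, data in [("scan.tif", REAL_TIFF), ("photo.tif", RENAMED_EXE),
                       ("bundle.zip", MIXED_ZIP), ("clean.zip", CLEAN_ZIP)]:
        print(name, decide(name, data))
```

The second sample object is the case the note above warns about: the extension rule lets "photo.tif" through unscanned, while the content rule sees the executable header and blocks it. The archive case shows why the guide's ZIP example is blocked as a whole once one member falls under a block policy.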
Task 4: Test the Anti-Malware Policy

Before proceeding with further configuration, test the basic deployment to verify the ProxyAV is scanning content, detecting viruses, and preventing intrusion.

Test the Policies

Step 1 Log in to the ProxyAV Management Console.

Step 2 The ProxyAV home page displays statistics about the number of files scanned and the number of viruses caught. If the home page is not already displayed, click Home.

Step 3 Confirm that the ProxyAV is scanning files.
a. Make sure there are clients running traffic. (The browser must be explicitly or transparently redirected to the ProxySG appliance.)
b. Look at the top of the ProxyAV home page: the Files Scanned value should increment as clients make Web requests.

Step 4 Verify that the ProxyAV is configured to log ICAP requests. (You will check the log history later to make sure the test worked.)
a. Select Advanced > Detailed stats > Requests history.
b. Make sure that the Collect last ___ requests field contains a value greater than 0 (zero).
c. Click Save Changes.

Step 5 Log in to the ProxySG Management Console.

Step 6 Prepare the ProxySG for test validation by enabling access logging, so that log entries can be viewed during testing.
a. Select Configuration > Access Logging > General > Default Logging.
b. Enable the Enable Access Logging checkbox.
c. Click Apply.

Step 7 Display the log.
a. Select Statistics > Access Logging > Log Tail.
b. Click Start Tail.

Step 8 Request an “infected” test file. Note: The file is not actually infected but has a virus signature that identifies it as infected for testing purposes.
a. Open a browser that is either explicitly or transparently redirected to the ProxySG.
b. Go to http://www.eicar.org.
c. Click the Anti-Malware Testfile link.
d. Read the information about the test files, and select one of the files to download (such as eicar.com).

Step 9 Confirm that you were not provided with the “infected” file. A page should display indicating that the ProxyAV has detected a virus in the file and that the file has been dropped.

Step 10 Check the ProxySG access log.
a. Go to the ProxySG’s Access Log Tail window.
b. Verify that the access log entry for the eicar file contains an entry for virus detection. For example:
2009-03-12 17:39:51 382 10.9.16.75 - - virus_detected PROXIED "none" http://www.eicar.org/anti_virus_test_file.htm 200 TCP_DENIED GET text/html;%20charset=%220%22 http www.eicar.org 80 /download/eicar.com.txt - txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" 10.9.16.76 1000 383 "EICAR test file"

Step 11 Check the ProxyAV ICAP request history.
a. Go to the ProxyAV browser window.
b. Select Advanced > Detailed stats > Requests history.
c. Click Refresh Now.
d. Locate the request for the eicar file.
e. Verify that the Result field contains VIRUS.

Step 12 Request the same “infected” test file, and verify that the ProxySG doesn’t send a previously-scanned object to the ProxyAV, since the response for the object is now in the ProxySG’s cache.
a. Request the same “infected” test file.
b. Go to the ProxyAV Requests History window.
c. Click Refresh Now and verify that there is NOT a second request for the eicar file. (Since the response for the object was served from the ProxySG cache, it should not have been sent to the ProxyAV for scanning.)
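For sites that ship the access log to a SIEM or check it by script rather than in the Log Tail window, the following Python is an added example written for this guide (not Blue Coat code) that parses lines in this format and pulls out the virus detections. It assumes the field order of the SGOS main access log format listed in FIELDS, which matches the entry in Step 10; confirm it against the #Fields header of your own log before relying on the positions. The two sample lines are constructed: the first mirrors the EICAR entry above, the second is a clean cached request to the placeholder host www.example.test.

```python
"""Find virus_detected entries in ProxySG access log lines (ELFF "main" format).
Added example for this guide; the sample lines are constructed."""
import shlex
from typing import Iterable, Optional

# Assumed field order: the SGOS "main" access log format. Verify against the
# "#Fields:" header of your own log before relying on these positions.
FIELDS = ["date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
          "x-exception-id", "sc-filter-result", "cs-categories", "cs(Referer)",
          "sc-status", "s-action", "cs-method", "rs(Content-Type)",
          "cs-uri-scheme", "cs-host", "cs-uri-port", "cs-uri-path",
          "cs-uri-query", "cs-uri-extension", "cs(User-Agent)", "s-ip",
          "sc-bytes", "cs-bytes", "x-virus-id"]


def parse_line(line: str) -> Optional[dict]:
    """Return a field dict for one log line, or None for comment/blank lines.

    ELFF separates fields with spaces, double-quotes fields that may contain
    spaces, and writes "-" for an empty value (mapped to None here).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)            # honours the double-quoted fields
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    return {name: (None if tok == "-" else tok) for name, tok in zip(FIELDS, tokens)}


def virus_events(lines: Iterable[str]) -> list:
    """Pick out the entries where the ICAP scan reported a virus."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Either the exception id or the virus id field marks a detection.
        if rec["x-exception-id"] == "virus_detected" or rec["x-virus-id"]:
            hits.append({"time": f'{rec["date"]} {rec["time"]}',
                         "client": rec["c-ip"],
                         "url": f'{rec["cs-uri-scheme"]}://{rec["cs-host"]}{rec["cs-uri-path"]}',
                         "action": rec["s-action"],
                         "virus": rec["x-virus-id"]})
    return hits


# Constructed sample lines: the first mirrors the EICAR entry shown in Step 10,
# the second is a clean request that the ProxySG served from its cache.
SAMPLE_LOG = """\
#Remark: constructed sample for the demo
2009-03-12 17:39:51 382 10.9.16.75 - - virus_detected PROXIED "none" http://www.eicar.org/anti_virus_test_file.htm 200 TCP_DENIED GET text/html;%20charset=%220%22 http www.eicar.org 80 /download/eicar.com.txt - txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" 10.9.16.76 1000 383 "EICAR test file"
2009-03-12 17:40:02 15 10.9.16.75 - - - OBSERVED "none" - 200 TCP_HIT GET image/gif http www.example.test 80 /logo.gif - gif "Mozilla/4.0" 10.9.16.76 2048 312 -
"""

if __name__ == "__main__":
    for hit in virus_events(SAMPLE_LOG.splitlines()):
        print(hit)
```

The field-count check matters in practice: if the log format on the ProxySG is customised, every position shifts and a silent parser would attribute the wrong values to x-exception-id and x-virus-id.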
It includes the following topics: ❐ ❐ ❐ ❐ Displaying ICAP Graphs and Statistics on the ProxySG—on page 5-2 Monitoring ICAP-Enabled Sessions on the ProxySG—on page 5-5 Viewing Statistics on the ProxyAV—on page 5-8 Creating Anti-Malware Reports in Blue Coat Reporter—on page 5-10 Integrating the ProxySG and ProxyAV Appliances 5-1 Displaying ICAP Graphs and Statistics on the ProxySG Monitoring ICAP Scanning Displaying ICAP Graphs and Statistics on the ProxySG On the ProxySG, you can display a variety of ICAP statistics in bar chart form as well as in a statistical table. Table 5-1 defines the ICAP statistics that the ProxySG tracks for each ICAP service and service group. Note ICAP monitoring on the ProxySG requires SGOS 5.4 or higher. ICAP Statistics Table 5-1 Statistic Plain Requests Secure Requests Deferred Requests Queued Requests Successful Requests Failed Requests Bytes Sent Definition ICAP scanning transactions that are not encrypted ICAP scanning transactions that are encrypted and tunneled over SSL ICAP scanning transactions that have been deferred until the full object has been received ICAP scanning transactions that are waiting until a connection is available ICAP scanning transactions that completed successfully ICAP scanning transactions that failed because of a scanning timeout, connection failure, server error, or a variety of other situations Bytes of ICAP data sent to the ICAP service or service group Note: Bytes Sent does not include secure ICAP traffic. Bytes Received Plain Connections Bytes of data received from the ICAP service or service group Number of connections between the ProxySG and the ProxyAV across which plain ICAP scanning requests are sent Note: This statistic is not tracked for service groups. Secure Connections Number of connections between the ProxySG and the ProxyAV across which encrypted ICAP scanning requests are sent Note: This statistic is not tracked for service groups. 
Displaying ICAP Graphs on the ProxySG

ICAP graphs can be used as diagnostic and troubleshooting tools. For instance, if the Active Requests graph shows excessive queued ICAP requests on a regular basis, this may indicate the need for a higher capacity ProxyAV.

Display ICAP Graphs on the ProxySG
Step 1  Log in to the ProxySG Management Console.
Step 2  Select Statistics > ICAP. The ICAP statistics screen displays.
Step 3  Choose what you want to graph. Choose one of the following: services or service groups.
Step 4  Select the time period to graph. From the Duration drop-down list, choose from Last Hour, Last Day, Last Week, Last Month, or Last Year.
Step 5  Select the type of graph. Select one of the following tabs:
        Active Requests — Plain, secure, deferred, and queued active ICAP transactions (sampled once per minute)
        Connections — Plain and secure ICAP connections (sampled once per minute)
        Completed Requests — Successful and failed completed ICAP transactions
        Bytes — Bytes sent to the ICAP service and received from the ICAP service
        Each statistic displays as a different color on the stacked bar graph.
Step 6  Select the name of what you want to graph. In the Name column in the table beneath the graph, select one of the following:
        • Select the service name.
        • Select the service group name.
        • Select the Totals row (graphs all services or service groups).
Step 7  (Optional) Disable checkboxes next to any statistics you don't want displayed on the graph. By default, all relevant statistics are displayed. For example: [figure]

Additional Information
• While the ICAP statistics screen is displayed, you can view new graphs by selecting different services, service groups, time periods, or graph types.
• Graphs automatically refresh every minute. This may be noticeable only on graphs with the Last Hour duration.
• To see the actual statistics associated with a bar on the graph, hover the mouse pointer anywhere on the bar. A box showing the statistics and total appears at the mouse pointer.
• The ProxySG displays statistics for individual services as well as totals for all services.

Displaying ICAP Statistical Data

If you are more interested in the data than in the graphs, the ICAP statistics screen displays this information as well. Beneath the graph is a concise table that displays the number of successful and failed requests and the number of bytes sent and received for each service or service group during the selected time period. The table also calculates totals for each statistic across all services or service groups.

Display ICAP Statistical Data
Step 1  Select Statistics > ICAP. The ICAP statistics screen displays.
Step 2  Choose what you want to graph. Choose one of the following: services or service groups.
Step 3  Select the time period to graph. From the Duration drop-down list, choose from Last Hour, Last Day, Last Week, Last Month, or Last Year.
Step 4  Review the statistics for the time period you selected.

Monitoring ICAP-Enabled Sessions on the ProxySG

For detailed information about active and errored sessions that have ICAP scanning enabled, view the Active Sessions and Errored Sessions pages. You can filter the session list to display only the ICAP-enabled sessions, so that you can easily view the ICAP state of each session (transferring, scanning, deferred, completed) and see fine-grained details (such as client IP address, server name, bytes, savings, service, and protocol).

Displaying Active ICAP-Enabled Sessions

By default, the Active Sessions screen displays all active sessions. When analyzing ICAP functionality, it's helpful to filter the list to display only ICAP-enabled sessions. Additional ICAP filters are available as well. You can also filter by:
• Type of ICAP service: REQMOD (request) or RESPMOD (response)
• Service name
• ICAP status (for example, display only the deferred connections)
Note that these additional filters are optional. If you leave all the options set to Any, all ICAP-enabled sessions will be displayed.

List ICAP-Enabled Sessions
Step 1  Log in to the ProxySG Management Console.
Step 2  Display active sessions. Select Statistics > Sessions > Active Sessions > Proxied Sessions.
Step 3  Select the ICAP filter. Use the Filter drop-down list.
Step 4  (Optional) Filter by type of ICAP scanning. Choose REQMOD or RESPMOD, or choose Any to display both types of services.
Step 5  (Optional) Filter by service name. Select the service name from the Service drop-down list, or choose Any to display all services.
Step 6  (Optional) Select the ICAP state. Choose one of the following from the Status drop-down list: transferring, scanning, deferred, completed. Or choose Any to display all types of connections.
Step 7  (Optional) Limit the number of connections to view. Select Display the most recent and enter a number in the results field. This helps optimize performance when there is a large number of connections.
Step 8  (Optional) View only the current errored proxied sessions. Select Show errored sessions only.
Step 9  Display the ICAP-enabled sessions. Click Show. The Proxied Sessions table displays the ICAP-enabled sessions, with unique icons identifying the ICAP status.

Of particular interest in the Proxied Sessions table is the ICAP (I) column. This column indicates the status of the ICAP-enabled session. Table 5-2 describes each of the icons.

Table 5-2 ICAP Icons
ICAP Icon           Description
(magnifying glass)  Scanning — ICAP requests are in the process of being scanned
(arrow)             Transferring — ICAP requests are being transferred to the ICAP server
(clock)             Deferred — ICAP scanning requests have been deferred until the full object has been received
(checkmark)         Completed — ICAP scanning requests completed successfully
(i)                 Inactive — The ICAP feature is inactive for the session or connection
no icon             Unsupported — ICAP is not supported for the corresponding session or connection

Additional Information
Icon Tooltips—When you mouse over an ICAP icon, a tooltip displays details about the session:
• The type of ICAP service (REQMOD and/or RESPMOD)
• The name of the service
• The ICAP state (transferring, scanning, deferred, or completed), for example: REQMOD Service: icap1 (completed)
• When only one type of service is used for a session, the tooltip indicates whether the other type is inactive or unsupported, for example: RESPMOD Service: inactive
Sorting—If you click the I column heading, the sessions are sorted in the following order:
• Transferring
• Deferred
• Scanning
• Completed
• Inactive
• Unsupported

Viewing Statistics on the ProxyAV

The ProxyAV tracks historical and current statistics on scanned objects and found viruses.

View Statistics on the ProxyAV
Step 1  Log in to the ProxyAV Management Console.
Step 2  If the home page is not already displayed, click Home. The ProxyAV home page displays statistics about the number of files scanned and number of viruses caught.
Step 3  View the statistics about number of files scanned and number of viruses caught, at the top of the home page. These statistics are accumulated since the last reboot of the appliance or the last reset of counters.
Step 4  View historical data about ICAP objects and connections.
        a. Select Advanced > History stats.
        b. Select one of the following:
           ICAP Objects: Number of ICAP objects received during the interval
           Connections: Maximum number of concurrent connections made during the interval
           ICAP Bytes: Total size in bytes of ICAP objects received during the interval
        For each type of statistic, graphs of three time periods are shown: last 60 minutes, last 24 hours, and last 30 days. Here's an example of the ICAP Objects graph for the last 60 minutes: [figure]
Step 5  Display details on the objects the ProxyAV is currently scanning.
        a. Select Advanced > Detailed stats.
        b. Click Refresh Now to see detailed statistics of the objects currently being scanned. The following details are displayed:
           Concurrent connections: Current number of connections to the ProxyAV.
           Total objects being processed: Number of objects the ProxyAV is currently scanning.
Step 6  Display the results of past anti-virus scans.
        a. Select Advanced > Detailed stats.
        b. Select Requests History.
        c. In the Collect last ___ requests field, enter the number (0-1000) of requests to display in the list. When the number is set to zero, request logging is disabled.
        d. Click Save Changes.
        e. Click Refresh Now to obtain the most current data about processed requests.
Creating Anti-Malware Reports in Blue Coat Reporter

For those using Blue Coat Reporter for their reporting needs, there are several anti-malware reports available.

Table 5-1 Anti-Virus Reports in Reporter
Reporter Version  Report Name                          Description
8.3               ICAP virus IDs                       Lists the IDs of detected viruses
8.3               ICAP virus URL                       Lists the URL associated with each detected virus
8.3               ICAP virus user detail               Lists the client's login name or IP address associated with each detected virus
9.1               Malware Requested Blocked by Site    Lists all URLs that were blocked because of suspected malware presence
9.1               Potential Malware Infected Clients   Lists all client IP addresses that might be infected by malicious content. This data is derived by the URLs requested by each client.
9.1               ProxyAV Malware Detected: Client IP  Lists each instance of malware encountered during employee Web browsing, based on the client IP address that browsed the URL
9.1               ProxyAV Malware Detected: Names      Lists the name of each malware code encountered during employee Web browsing
9.1               ProxyAV Malware Detected: Site       Lists all URLs that were detected as suspected malware sources

Chapter 6: Additional Configuration

This chapter describes techniques for improving the user experience during ICAP scanning (via patience pages or data trickling), ways to notify administrators about detected viruses, and several additional ICAP policies that you can implement.

It includes the following topics:
❐ Improving the User Experience—on page 6-2
❐ Getting Notified about Detected Viruses—on page 6-7
❐ Implementing Response and Request (Two-Way) ICAP—on page 6-10
❐ Creating User-Based ICAP Policy—on page 6-14

Improving the User Experience

To avoid having users abort and reinitiate their Web requests due to scanning delays, you may want to provide feedback to let users know that scanning is in progress. This feedback can take the form of a patience page, an HTML page that displays an informative message, such as The content of the page you requested is currently being scanned. Please be patient. Two other techniques for mitigating scanning delays are data trickling and deferred scanning. All three of these techniques are discussed below.

About Patience Pages

Patience pages are HTML pages displayed to the user if an ICAP content scan exceeds the specified duration. To maintain security, the full object is not delivered until the results of the content scan are complete (and the object is determined to not be infected). Patience pages refresh every five seconds and disappear when object scanning is complete. You can configure the content of these pages to include a custom message and a help link.

Patience pages are not compatible with infinite stream connections—or live content streamed over HTTP—such as a webcam or video feed. ICAP scanning cannot begin until the object download completes. Because this never occurs with this type of content, the ProxySG continues downloading until the maximum ICAP file size limit is breached. At that point, the ProxySG either returns an error or attempts to serve the content to the client (depending on fail open/closed policy). However, the delay added to downloading this large amount of data is often enough to cause the user to give up before reaching that point, even when configured to fail open and serve the content. See Chapter 9: Configuration Best Practices for some alternate solutions.

About Data Trickling

Patience pages provide a solution to appease users during relatively short delays in object scans. However, scanning relatively large objects, scanning objects over a smaller bandwidth pipe, or high loads on servers might disrupt the user experience because connection timeouts occur. To prevent such time-outs, you can allow data trickling to occur. Depending on the trickling mode you enable, the ProxySG either trickles—or allows at a very slow rate—bytes to the client at the beginning of the scan or near the very end.

Note: This feature is supported for the HTTP proxy only.

Trickling Data From the Start

In trickle from start mode, the ProxySG buffers a small amount of the beginning of the response body. As the ProxyAV continues to scan the response, the ProxySG allows one byte per second to the client. After the ProxyAV completes its scan:
• If the object is deemed to be clean (no response modification is required), the ProxySG sends the rest of the object bytes to the client at the best speed allowed by the connection.
• If the object is deemed to be malicious, the ProxySG terminates the connection and the remainder of the response object bytes are not sent to the client.

Deployment Notes
• This method is the more secure option because the client receives only a small amount of data pending the outcome of the virus scan.
• One drawback is that users might become impatient, especially if they notice the browser display of bytes received. They might assume the connection is poor or the server is busy, close the client, and restart a connection.

Trickling Data at the End

In trickle at end mode, the ProxySG begins serving server content without waiting for the ICAP scan result: the ProxySG sends the response to the client at the best speed allowed by the connection, except for the last 16 KB of data. As the ProxyAV performs the content scan, the ProxySG allows one byte per second to the client. After the ProxyAV completes its scan, the behavior is the same as described in "Trickling Data From the Start" on page 6-2.

Deployment Notes
• This method is more user-friendly than trickle at start because users tend to be more patient when they notice that 99 percent of the object is downloaded; therefore, they are less likely to perform a connection restart. However, network administrators might perceive this method as the less secure method, as a majority of the object is delivered before the results of the ICAP scan.
• Blue Coat recommends this method for media content, such as Flash objects.

General Deployment Notes

This section provides information about data trickling deployments.

Deciding between Data Trickling and Patience Pages

ProxySG configuration options plus policy allow you to provide different ICAP feedback actions depending upon the type of traffic detected:
• Blue Coat defines interactive as the request involving a Web browser. Web browsers support data trickling and patience pages.
• Non-interactive traffic originates from non-browser applications, such as automatic software download or update clients. Such clients are not compatible with patience pages. Therefore, data trickling or no feedback are the only supported options. However, data trickling for FTP connections is not supported.
Based on whether the requirements of your enterprise place a higher value on security or on availability, the ProxySG allows you to specify the appropriate policy.

Configuring ICAP Feedback

After reading the previous section, you should have concluded whether you want to provide ICAP feedback to your users and, if so, what type of feedback you want to use for interactive (browser-based) and non-interactive traffic. The steps for configuring the global feedback settings appear below. These settings are global. You may want to define additional feedback policy that applies to specific user and conditional subsets. In the Visual Policy Manager, the object is located in the Web Access Layer: Return ICAP Feedback.

Configure ICAP Feedback for Interactive and Non-Interactive Traffic
Step 1  Log in to the ProxySG Management Console.
Step 2  Specify the amount of time to wait before notifying a Web-browser client that an ICAP scan is occurring.
        a. Select Configuration > External Services > ICAP > ICAP Feedback.
        b. Locate the ICAP Feedback for Interactive Traffic section.
        c. Enter a value in the Provide feedback after ___ seconds field.
Step 3  Select the feedback method for interactive (browser-based) traffic. Choose one of the following:
        • Return patience page (HTTP and FTP patience pages are available)
        • Trickle object data from start (more secure form of trickling)
        • Trickle object data at end (this form of trickling provides a better user experience)
Step 4  For non-interactive traffic, specify the amount of time to wait before notifying a client that an ICAP scan is occurring.
        a. Locate the ICAP Feedback for Non-Interactive Traffic section.
        b. Enter a value in the Provide feedback after ___ seconds field.
Step 5  Select the feedback for non-interactive traffic. Choose one of the following:
        • Trickle object data from start
        • Trickle object data at end
Step 6  Save the settings. Click Apply.

To customize the text on HTTP and FTP patience pages, select Configuration > External Services > ICAP > ICAP Patience Page.

Avoiding Network Outages due to Infinite Streaming Issues

Infinite streams are connections such as webcams or Flash media—traffic over an HTTP connection—that conceivably have no end. Characteristics of infinite streams may include no content length, slow data rate, and long response time. Because the object cannot be fully downloaded, the ICAP content scan cannot start. However, the connection between the ProxySG and the ProxyAV remains, which wastes finite connection resources. The deferred scanning feature solves the infinite streaming issue by detecting ICAP requests that are unnecessarily holding up ICAP connections (without requiring the ProxyAV) and deferring those requests until the full object has been received.

How Deferred Scanning Works

When the number of ICAP resources in use has reached a certain threshold, the ProxySG starts deferring scanning of the oldest outstanding ICAP requests. The defer threshold is specified by the administrator as a percentage. For example, if the defer threshold is set to 70 percent and the maximum connections are set to 100, then up to 70 connections are allowed before the ProxySG begins to defer connections that have not finished downloading a complete object. Once the defer threshold has been reached, for every new ICAP request, the ProxySG defers the oldest ICAP connection that has not yet received a full object. The new ICAP request may still be queued if there are no available ICAP connections.

When an ICAP connection is deferred, the connection to the ProxyAV is closed. The application response continues to be received, however. Once a request is deferred, the ProxySG waits to receive the full object before restarting the request. When the download is complete, the ICAP request is restarted. If there is a queue when a deferred action has received a complete object, it will be queued before other new requests; that action is queued behind other deferred actions that have finished.

Deferred Scanning and Setting the Feedback Options

Depending on how you configure the ICAP feedback option (patience page or data trickling) and the size of the object, there may be a delay before the ProxySG starts sending a response. If a patience page is configured, the browser continues to receive a patience page until the object is fully received and the outstanding ICAP actions have completed. If the data trickle options are configured, the object continues to trickle during deferred scanning. However, deferred scanning may cause a delay in the ICAP response because the entire response must be sent to the ProxyAV at once; a delay may occur with or without deferred scanning, due to the trickle buffer requirement.

Enabling the Scanning Deferral Feature

You may have already enabled the scanning deferral feature when creating the ICAP service. (See "Task 2: Create the ICAP Service" on page 4-4.) The steps for enabling scanning deferral and setting its threshold appear below.

Enable Scanning Deferral for an ICAP Service
Step 1  Log in to the ProxySG Management Console.
Step 2  Edit the ICAP service.
        a. Select Configuration > External Services > ICAP > ICAP Services.
        b. Select the ICAP service.
        c. Click Edit. The Edit ICAP Service window appears.
Step 3  Enable scanning deferral.
        a. Select Defer scanning at threshold to enable the defer scanning feature.
        b. Enter a value (0-100) to set the threshold at which the ProxySG defers the oldest ICAP connection that has not yet received a full object.
Step 4  Save the settings.
        a. Click OK to close the Edit ICAP Service window.
        b. Click Apply.

Getting Notified about Detected Viruses

To be cognizant of the ProxyAV's actions on your network traffic, you can have the ProxyAV send you an e-mail each time it blocks a file or detects a virus. In addition to (or as an alternative to) e-mail notification, you can choose to have these events recorded in an alert log that you can view at any time. E-mail notification requires that you configure e-mail settings as well as designate which types of events trigger notification: found viruses, blocked files, or unscanned files.

Note: The ProxySG and the ProxyAV each have facilities for notifying network administrators about detected viruses. Because the ProxyAV has options for notifying administrators about blocked and unscanned files, in addition to detected viruses, this section focuses on configuring notification on the ProxyAV.

Configure Alert Settings on the ProxyAV
Step 1  Log in to the ProxyAV Management Console.
Step 2  Specify e-mail addresses.
        a. Select Alerts > Alert Settings.
        b. In the Send e-mail address field, enter the source mail address to use for alert e-mails. (This address will appear in the From field of the e-mail.) For example: proxyav123@company.com
        c. In the Recipient e-mail address field, enter the addresses of the people who should receive the alert e-mails, with each address separated by a comma. For example: [email protected], user2@company.com, consultant@another.com
Step 3  Enter the SMTP server settings.
        a. In the SMTP server address field, enter the IP address for the server.
        b. If your server requires that POP authentication be used, select SMTP Authorization (POP-Before-SMTP) Enabled, and then enter the authentication information.
Step 4  Save the settings. Click Save Changes.

Selecting Alert Types

Select the types of alerts for which you want notification and/or alert log entries. By default, all alerts are enabled for e-mail and logging.

Select Alert Types
Step 1  Log in to the ProxyAV Management Console.
Step 2  Select which alerts you want e-mail notification and/or alert log entries created for.
        a. Select Alerts. The Alerts table appears.
        b. Enable/disable alerts as desired. The first three pertain to scanning results:
           Virus is found
           File was passed through without being scanned
           File was blocked
Step 3  Save the settings. Click Save Changes.

After configuring the alert settings and selecting the types of alerts you want to be notified about, the configured recipients will receive e-mail messages to alert them of detected viruses, blocked files, and any other events you have configured. In addition, an entry will be added to the alert log.

Viewing the Alert Log

To view the alert log on the ProxyAV, select Log Files and then choose View log file in browser for the AlertLogFile.log. An alert log entry looks similar to the following:

2009-03-06 05:24:05-08:00PST
Hardware serial number: 2808101126
ProxyAV (Version 3.2.1(36678))
ATEXT=Cause: Blocked file extension detected (engine error code: None)
File has been dropped.
http://www.BlueCoat.com/
Machine name: ProxyAV
Machine IP address: 10.9.16.74
Server: unknown
Client: unknown
Protocol: ICAP
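Returning to the deferred scanning rules described earlier in this chapter ("How Deferred Scanning Works"), the following simulation is an added example, not Blue Coat code or ProxySG behaviour verified against the appliance: it models the connection pool, the percentage threshold (70% of 100 connections in the guide's example), and the rule that a restarted deferred request is queued ahead of new requests. The class, method and request names are the author's own.

```python
"""Simulation of the ProxySG deferred scanning rules described above.

Added example, not Blue Coat code: it models the connection pool, the
defer threshold and the restart ordering from "How Deferred Scanning
Works". Class, method and request names are the author's own.
"""
from collections import OrderedDict, deque
from typing import Deque, List, Optional, Tuple


class DeferredScanPool:
    def __init__(self, max_connections: int, defer_threshold_pct: int) -> None:
        if not 0 <= defer_threshold_pct <= 100:
            raise ValueError("defer threshold is a percentage (0-100)")
        self.max_connections = max_connections
        # Connections in use at which deferral starts: 70% of 100 -> 70.
        self.threshold = max_connections * defer_threshold_pct // 100
        # Active ICAP connections, oldest first; value = full object received?
        self.active: "OrderedDict[str, bool]" = OrderedDict()
        self.deferred: List[str] = []         # connection closed, download continues
        self.ready: Deque[str] = deque()      # deferred requests whose object is complete
        self.new_queue: Deque[str] = deque()  # new requests with no free connection
        self.log: List[str] = []

    def _oldest_incomplete(self) -> Optional[str]:
        for rid, full in self.active.items():
            if not full:
                return rid
        return None

    def _start(self, rid: str, full: bool) -> None:
        self.active[rid] = full
        self.log.append(f"start {rid}")

    def _dispatch(self) -> None:
        # Restarted deferred requests go ahead of new requests, FIFO within each group.
        while len(self.active) < self.max_connections and (self.ready or self.new_queue):
            if self.ready:
                self._start(self.ready.popleft(), True)
            else:
                self._start(self.new_queue.popleft(), False)

    def submit(self, rid: str, full_object: bool = False) -> str:
        """A new ICAP request arrives; returns 'started' or 'queued'."""
        if len(self.active) >= self.threshold:
            # Above the threshold every new request defers the oldest
            # connection that has not yet received a full object.
            victim = self._oldest_incomplete()
            if victim is not None:
                del self.active[victim]
                self.deferred.append(victim)
                self.log.append(f"defer {victim}")
        if len(self.active) < self.max_connections:
            self._start(rid, full_object)
            return "started"
        self.new_queue.append(rid)  # still queued when no connection is free
        return "queued"

    def object_complete(self, rid: str) -> None:
        """The full object has been downloaded for an active or deferred request."""
        if rid in self.active:
            self.active[rid] = True      # no longer a deferral candidate
        elif rid in self.deferred:
            self.deferred.remove(rid)    # restart: queued before new requests
            self.ready.append(rid)
            self._dispatch()

    def scan_finished(self, rid: str) -> None:
        """The ProxyAV returned its verdict; the connection is released."""
        self.active.pop(rid, None)
        self.log.append(f"done {rid}")
        self._dispatch()

    def waiting(self) -> List[str]:
        """Requests waiting for a connection, in the order they will be started."""
        return list(self.ready) + list(self.new_queue)


def threshold_example(streams: int = 71) -> Tuple[int, List[str]]:
    """The guide's numbers: 100 connections, 70% threshold, then `streams`
    requests that never finish downloading (constructed infinite streams).

    Returns (connections in use, deferred request ids).
    """
    pool = DeferredScanPool(max_connections=100, defer_threshold_pct=70)
    for i in range(1, streams + 1):
        pool.submit(f"stream{i}")
    return len(pool.active), pool.deferred


if __name__ == "__main__":
    print(threshold_example(71))
```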
Implementing Response and Request (Two-Way) ICAP

ICAP response modifications for incoming traffic are used for virus protection. ICAP request modifications for outgoing traffic are mostly used for data leak protection (DLP). The same client request can have request modification applied before it is forwarded to the origin content server and response modification applied as the object data returns.

To set up two-way ICAP on the ProxySG appliance, you must complete the following tasks:
1. Configure two ICAP services on the ProxySG: one for requests and one for responses.
2. Create a policy for the ICAP Response service for virus scanning of inbound traffic.
3. Create a policy for the ICAP Request service for data leak protection on outbound traffic.
4. Test the policies.

Task 1: Define the ICAP Services

Follow these general steps for creating the ICAP request and response modification services. For details on all of the service options, see "Task 2: Create the ICAP Service" on page 4-4.

Create the ICAP Response and Request Services
Step 1  Log in to the ProxySG Management Console.
Step 2  Create an ICAP response modification service.
        a. Select Configuration > External Services > ICAP > ICAP Services.
        b. Create a new service named avresponse (for example).
        c. Edit the service.
        d. For the Service URL, enter the URL of the ProxyAV. The URL includes the scheme, the ProxyAV's hostname or IP address, and the ICAP service name. For example: icap://10.10.10.10/avscan
        e. Select response modification for the ICAP method.
        f. Click Sense settings.
        g. Change other settings as required.
Step 3  Create an ICAP request modification service.
        a. Create a new service named DLP (for example).
        b. Edit the service.
        c. For the Service URL, enter the URL of the ProxyAV. The URL includes the scheme, the ProxyAV's hostname or IP address, and the ICAP service name. For example: icap://10.10.10.10/avscan
        d. Select request modification for the ICAP method.
        e. Click Sense settings.
        f. Change other settings as required.

Task 2: Create an ICAP Response Policy

Use the Visual Policy Manager (VPM) to configure an ICAP response policy on the ProxySG. This policy is identical to the one configured in Chapter 4.

Configure the ICAP Response Policy
Step 1  Log in to the ProxySG Management Console.
Step 2  Launch the VPM.
        a. Select Configuration > Policy > Visual Policy Manager.
        b. Click Launch.
Step 3  Create a Web content layer.
        a. Select Policy > Web Content Layer.
        b. Assign a descriptive name to the layer (for example, AVresponse).
        c. Click OK.
Step 4  Create an action for the rule.
        a. Right-click the Action column, select Set. The Set Action Object dialog displays.
        b. Click New.
        c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.
Step 5  Configure the response service object.
        a. Select Use ICAP response service.
        b. In the Available services list, select the response service (created in Task 1) and click Add.
        c. Select Deny the client request.
        d. Click OK, then click OK again to add the object.

Task 3: Create an ICAP Request Policy

Configure the policy for ICAP requests.

Configure the ICAP Request Policy
Step 1  Create a Web access layer.
        a. Select Policy > Web Access Layer.
        b. Assign a descriptive name to the layer (for example, DLP).
        c. Click OK.
Step 2  Create an HTTP/HTTPS service object for the request policy.
        a. Right-click the Service column, select Set. The Set Service Object dialog displays.
        b. Click New.
        c. Select Protocol Methods. The Add Methods Object dialog displays.
        d. Name the protocol method HTTP and select HTTP/HTTPS from the Protocol list.
        e. In the Commands that modify data section, select the POST and PUT checkboxes, and click OK.
Step 3  Create an FTP service object.
        a. In the Set Action Object dialog, click New.
        b. Select Protocol Methods. The Add Methods dialog displays.
        c. Name the protocol method FTP and select FTP from the Protocol list.
        d. In the Common methods section, select the STOR checkbox, and click OK.
Step 4  Create a combined (HTTP and FTP) service object.
        a. In the Set Action Object dialog, click New.
        b. Select the HTTP object and click Add.
        c. Select the FTP object and click Add.
        d. Click OK.
        e. Click OK again to set the Combined Service object as the Web Access Layer service.
Step 5  Set the action for the Request policy.
        a. Right-click the Action column and select Set.
        b. Click New and select Set ICAP Request Service. The Add ICAP Request Service Object dialog appears.
        c. Select the DLP ICAP Request service and click Add.
        d. Click OK.
        e. Click OK again.
Step 6  Install the policy (all layers).
        a. Click Install Policy.
        b. Close the VPM window.

Creating User-Based ICAP Policy

You may want to have different policies in place for different users or groups of users. For example, you may want to allow administrators to download certain file types (such as EXE files) that are blocked for other users. Perhaps administrators should have less restrictive rules than other users.

These steps assume you have already configured users and groups for authentication (using RADIUS, LDAP, Microsoft Active Directory, or other authentication servers) and created a realm on the ProxySG to connect to these servers.

To set up user-based ICAP policies, you must complete the following tasks:
1. Configure an ICAP response service.
2. Create a Web content layer that contains a rule for the ICAP response service for virus scanning of inbound traffic. This policy must fail open.
3. Create a Web authentication layer that prompts for user credentials when a Web browser is opened.
4. Create a Web access layer with authorization rules that allow certain users access to blocked files and deny access to other users.

Note: In other policies discussed in this guide, the ICAP response service fails closed (deny requests). However, with user-based ICAP policies, the ICAP response service must fail open (allow requests). Note that even with a fail open policy, a virus or other malware will always be denied.

Task 1: Create the ICAP Response Service

The first task is to create the ICAP response service; you may already have created one earlier. Refer to "Task 2: Create the ICAP Service" on page 4-4 for instructions on creating this service.

Create the ICAP Response Service
Step 1  Log in to the ProxySG Management Console.
Step 2  Create a new ICAP response service.

Task 2: Create a Virus Scanning Rule (Web Content Layer)

The next task is to create a virus scanning rule in the Web content layer; you may already have created this rule.

Create a Virus Scanning Rule that Fails Open
Step 1  Launch the Visual Policy Manager.
        a. Select Configuration > Policy > Visual Policy Manager.
        b. Click Launch.
Step 2  Create a Web content layer.
        a. Select Policy > Web Content Layer.
        b. Assign a descriptive name to the layer (for example, AVresponse).
        c. Click OK.
Step 3  Create an action for the rule.
        a. Right-click the Action column, select Set. The Set Action Object dialog displays.
        b. Click New.
        c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.
Step 4  Configure the response service object.
        a. Select Use ICAP response service.
        b. In the Available Services list, select the response service (created in the previous task) and click Add.
        c. Select Continue without further ICAP response processing.
        d. Click OK, then click OK again to add the object.

Task 3: Enable Web Authentication

To have users prompted for user name and password when they open a Web browser, you need to create a Web authentication layer.

Create a Rule that Prompts for Web Authentication
Step 1  The Visual Policy Manager should still be open.
Step 2  Create a Web authentication layer.
        a. Select Policy > Web Authentication Layer.
        b. Accept the proposed name or assign a descriptive name to the layer.
        c. Click OK.
Step 3  Configure an authentication action.
        a. Right-click the Action column, select Set. The Set Action Object dialog displays.
        b. Click New.
        c. Select Authenticate. The Add Authenticate Object dialog displays.
Step 4  Specify the realm name for authentication.
        a. In the Realm drop-down list, select the name of the previously-configured realm.
        b. Click OK, then click OK again to add the object.

Task 4: Create Authorization Rules

The final task is to set up rules that designate which users/groups are allowed access to blocked file types and which users/groups are denied access.

Create Rules for Allowing/Denying Access to Blocked File Types
Step 1  The Visual Policy Manager should still be open.
Step 2  Create a Web access layer.
        a. Select Policy > Web Access Layer.
        b. Accept the proposed name or assign a descriptive name to the layer.
        c. Click OK.
Step 3  Create a user object for the user you want to allow access to blocked file types.
        Note: If you have created user groups and want to create rules based on groups instead of individual users, you can create a group object instead of a user object. Follow the same steps, except specify group information.
        a. Right-click the Source column, select Set. The Set Source Object dialog displays.
        b. Click New.
        c. Select User. The Add User Object dialog displays.
        d. In the Name field, accept the proposed name or type a descriptive name for the object.
        e. In the User field, type the user name. Note: Case is significant for local realms.
        f. In the Authentication Realm drop-down list, select the name of the previously-configured realm.
        g. Click OK, then click OK again to add the object.
Step 4  Create a service object for the File Type Blocked ICAP error.
        a. Right-click the Service column, select Set. The Set Service Object dialog displays.
        b. Click New.
        c. Select ICAP Error Code.
        d. In the Name field, change the name to ICAPError_FileTypeBlocked.
        e. Choose Selected errors.
        f. Select File Type Blocked from the list of Available Errors.
        g. Click Add. File Type Blocked moves into the Selected Errors list.
        h. Click OK, then click OK again to add the object.
Step 5  Indicate that this user should be allowed access to blocked file types.
        a. Right-click the Action column, select Set.
        b. Select Allow.
        c. Click OK to add the object. The rule should look similar to the following: [figure]
Step 6  In the same Web access layer, create a rule for another user/group. This rule will deny access to the user/group.
        a. Click Add Rule. A new rule row displays.
        b. Right-click the Source column, select Set, and create a user (or group) object as in Step 3.
        c. Right-click the Service column, select Set. The Set Service Object dialog displays.
        d. From the existing service objects, select ICAPError_FileTypeBlocked.
        e. Click OK. The rule should look similar to the following: [figure]
        Note that the default action is Deny.
Step 7  Create other users/groups to whom you want to allow or deny access. Follow the above steps to create appropriate rules in the Web access layer.
Step 8  Install the policy (all layers).
        a. Click Install Policy.
        b. Close the VPM window.
The Add ICAP Error Code Object dialog displays.Additional Configuration Creating User-Based ICAP Policy Create Rules for Allowing/Denying Access to Blocked File Types Step 4 Create a service object based on an ICAP error code. c. so it is already correctly set. select Set. some realms may authenticate without prompting. a ZIP file that contains an EXE file). Users who have a Deny rule will see a screen similar to the following when attempting to access a blocked file type: 6 .18 Integrating the ProxySG and ProxyAV Appliances . Users who have an Allow rule will be able to access URLs that point to blocked file types or have archive files containing a blocked file type (for instance. users may be prompted to enter their credentials upon opening a Web browser.Creating User-Based ICAP Policy Additional Configuration Once this policy is in place. It includes the following topics: ❐ ❐ ❐ About Service Groups—on page 7-2 Creating an ICAP Service Group—on page 7-5 Creating Load Balancing Policy—on page 7-6 Integrating the ProxySG and ProxyAV Appliances 7-1 .7 Load Balancing Between Multiple ProxyAV Appliances This chapter describes how to set up load balancing of scanning requests when your deployment includes multiple ProxyAV appliances. When deciding which service in the service group to send a scanning request. You will need to create service groups when you are using multiple ProxyAV appliances to process a large volume of scanning requests (load balancing). each using an identical ICAP service group of multiple ProxyAV appliances. Your anti-malware deployment can have multiple ProxySG appliances. D: A ProxySG with a Service Group named AV_Reponse that contains AV1.About Service Groups Load Balancing Between Multiple ProxyAV Appliances About Service Groups A ProxySG ICAP service is a named entity that identifies the ProxyAV. A service group is a named set of ICAP services. Figure 7-1 ICAP service group of three ProxyAV ICAP servers. 
Legend:
A: AV1, a ProxyAV with 10 maximum connections and a specified weight of 1.
B: AV2, a ProxyAV with 10 maximum connections and a specified weight of 1.
C: AV3, a ProxyAV with 25 maximum connections and a specified weight of 3.
D: A ProxySG with a Service Group named AV_Reponse that contains AV1, AV2, and AV3.

To help distribute and balance the load of scanning requests when the ProxySG is forwarding requests to multiple services within a service group, the ProxySG uses an intelligent load balancing algorithm. When deciding which service in the service group to send a scanning request to, this algorithm takes into consideration the following factors:
• Number of requests that are in a "waiting" state on each service (a request is in this state when it has been sent to the service but the response hasn't been received)
• Number of unused connections available on each service (calculated by subtracting the number of active transactions from the connection maximum on the server)
• The user-assigned weight given to each server (see "Weighting" below)

Note: External services (ICAP, Websense off-box) have a reserved connection for health checks. This means that as the load goes up and the number of connections to the external service reaches the maximum, the maximum simultaneous connections is actually one less than the limit.

Load Balancing

When load balancing between services, how does the ProxySG decide which ICAP service to send a scanning request to? For each service, it calculates an index by dividing the number of waiting transactions by the server weight (think of this as wait/weight). The ICAP service with the lowest index value will handle the new ICAP action, assuming that the service has an available connection to use. If it doesn't, the ProxySG sends the request to the service with the next lowest index value that has a free connection.

Weighting

Weighting determines what proportion of the load one ProxyAV bears relative to the others. If all ProxyAV servers have either the default weight (1) or the same weight, each shares an equal proportion of the load. If one server has weight 25 and all other servers have weight 50, the 25-weight server processes half as much as any other server. Load will be distributed among services proportionally according to their configured weights until the maximum connection limit is reached on all services. Therefore, proper weighting is important because requests are queued according to weight.

Setting the weight value to 0 (zero) disables weighted load balancing for the ICAP service. So, if one ProxyAV of a two-server group has a weight value of 1 and the second a weight value of 0, should the first ProxyAV go down, a communication error results because the second ProxyAV cannot process the request.

Before configuring weights, consider the capacity of each server. Factors that could affect the assigned weight of a ProxyAV include the following:
• The processing capacity of one ProxyAV in relationship to other ProxyAV appliances (for example, the number and performance of CPUs or the number of network interface cards).
• The maximum number of connections configured for the service.

The maximum connections setting pertains to how many simultaneous scans can be performed on the server, while weighting applies to throughput in the integration. While these settings are not directly related, consider both when configuring weighted load balancing. As servers reach their capacity, with additional requests being queued up and waiting, having appropriate weights assigned to your services is critical, because this is when all ProxyAV servers in a service group become overloaded.

One technique for determining weight assignments is to start out by setting equal weights for each service in a group. Then, after several thousand requests, make note of how many requests were handled by each service. For example, suppose there are two services in a group: Service A handled 1212 requests and Service B handled 2323. These numbers imply that the second service is twice as powerful as the first. Therefore, the weights would be 1 for Service A and 2 for Service B.

Example 1

Service A and B are in the same service group.
• Service A can handle up to 50 connections, has 7 active transactions, with 5 waiting transactions, and is assigned a weight of 1. The index is calculated by dividing the wait by the weight: 5/1 = 5.
• Service B can handle up to 100 connections, has 17 active transactions, with 15 waiting transactions, and is assigned a weight of 2. The index is 15/2 = 7.5.

Which service will the ProxySG assign the next ICAP action? Service A, because it has a lower index.

Example 2

Service C and D are in the same service group.
• Service C can handle up to 5 connections, has 5 active transactions, with 1 transaction in the waiting state, and is assigned a weight of 1. The index is 1/1 = 1.
• Service D can handle up to 10 connections, has 5 active transactions, with 5 transactions in the waiting state, and is assigned a weight of 1. The index is 5/1 = 5.

To which service will the ProxySG assign the next ICAP action? Although Service C has a lower index than Service D, it doesn't have any available connections; therefore, the ProxySG will assign the next ICAP action to Service D, which has several free connections.
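The selection rule and both examples above, as an added Python model (example code, not Blue Coat's implementation). It assumes the wait/weight index, the reserved health-check connection and the weight-0 behaviour exactly as described in this section; service names and counts are the ones from Examples 1 and 2.

```python
"""Model of the ProxySG ICAP service-group selection (wait/weight index) described above."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IcapService:
    """One ICAP service (a ProxyAV) in a service group."""
    name: str
    max_connections: int
    active: int        # transactions currently holding a connection
    waiting: int       # sent to the service, response not yet received
    weight: int = 1    # 0 disables weighted load balancing for this service

    def free_connections(self, health_check_reserved: bool = True) -> int:
        # External services keep one connection reserved for health checks,
        # so the usable maximum is one less than the configured limit.
        usable = self.max_connections - (1 if health_check_reserved else 0)
        return max(0, usable - self.active)

    def index(self) -> float:
        """wait/weight; a weight of 0 can never win the comparison."""
        return float("inf") if self.weight == 0 else self.waiting / self.weight


def select_service(group: List[IcapService],
                   health_check_reserved: bool = True) -> Optional[IcapService]:
    """Pick the lowest-index service that still has a free connection.

    Services are tried in ascending index order; one with no free connection
    is skipped in favour of the next-lowest index.
    """
    for service in sorted(group, key=lambda s: s.index()):
        if service.weight > 0 and service.free_connections(health_check_reserved) > 0:
            return service
    return None   # every usable service is saturated: the request queues


def expected_share(group: List[IcapService]) -> Dict[str, float]:
    """Proportion of load each service carries while no service is at its limit."""
    total = sum(s.weight for s in group)
    return {s.name: s.weight / total for s in group}


def weights_from_observed(handled: Dict[str, int]) -> Dict[str, int]:
    """The tuning technique above: run with equal weights, then derive weights
    from the request count each service handled (1212:2323 -> 1:2)."""
    smallest = min(handled.values())
    return {name: max(1, round(count / smallest)) for name, count in handled.items()}


if __name__ == "__main__":
    # Example 1 and Example 2 from this section as constructed inputs.
    a = IcapService("A", 50, active=7, waiting=5, weight=1)
    b = IcapService("B", 100, active=17, waiting=15, weight=2)
    print("Example 1 ->", select_service([a, b]).name)   # A (index 5 < 7.5)
    c = IcapService("C", 5, active=5, waiting=1, weight=1)
    d = IcapService("D", 10, active=5, waiting=5, weight=1)
    print("Example 2 ->", select_service([c, d]).name)   # D (C has no free connection)
```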
Creating an ICAP Service Group

The following procedure explains how to create an ICAP service group and add existing ICAP services to it. It is assumed that you have already created an ICAP service for each ProxyAV in the load balancing group. Note that all services in the group must be of the same type (for instance, response modification). This example creates a group called avcluster.

Create an ICAP Service Group

Step 1  Log in to the ProxySG Management Console.

Step 2  Add a new service group.
  a. Select Configuration > External Services > Service-Groups.
  b. Click New; the Add List Item dialog appears.
  c. In the Add Service Group field, enter an alphanumeric name.
  d. Click OK.

Step 3  Edit the service group.
  a. Highlight the new service group name and click Edit; the Edit Service Group dialog appears.
  b. Click New; the Add Service Group Entry dialog appears.
  c. From the list of existing services, select the ones to add to this group. Hold the Control or Shift key to select multiple services.
  d. Click OK to add the selected services to the group.

Step 4  Assign weights to services.
  a. Select a service and click Edit; the Edit Service Group Entry weight dialog appears.
  b. In the Entry Weight field, assign a weight value. The valid range is 0-255.
  c. Click OK to close the dialog.
  d. Repeat steps a and b for other services, as required.
  e. Click OK again to close the Edit Service Group Entry dialog.
  f. Click Apply.

Creating Load Balancing Policy

An ICAP response load balancing policy is essentially the same as a standard ICAP response policy; the only difference is that you specify the service group as the response service object (instead of the service).

Configure Load Balancing Policy

Step 1  Log in to the ProxySG Management Console.

Step 2  Launch the VPM.
  a. Select Configuration > Policy > Visual Policy Manager.
  b. Click Launch.

Step 3  Create a Web content layer.
  a. Select Policy > Web Content Layer.
  b. Assign a descriptive name to the layer (for example, avcluster).
  c. Click OK.

Step 4  Create an action for the rule.
  a. Right-click the Action column and select Set. The Set Action Object dialog displays.
  b. Click New.
  c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 5  Configure the response service group object.
  a. Select Use ICAP response service.
  b. In the Available services list, select the response service group (the one created in "Creating an ICAP Service Group" on page 7-5) and click Add.
  c. Select Deny the client request.
  d. Click OK; click OK again to add the object.

Step 6  Install the policy.
  a. Click Install Policy.
  b. Close the VPM window.

Result: Using the ICAP load balancing policy, the ProxySG sends ICAP response modification requests to the ProxyAV appliances in the service group. The load carried by each ProxyAV in the group is determined by the weight values.

8  Configuring ProxyAV Failover

This chapter describes how to use two ProxyAV appliances to provide redundancy in case the primary ProxyAV fails. It includes the following topics:
❐ About ProxyAV Failover—on page 8-2
❐ Creating ProxyAV Failover Policy—on page 8-3

About ProxyAV Failover

To ensure your network is never without malware scanning, you can deploy two ProxyAV appliances on the same subnet and configure ICAP processing to fail over to the second appliance if the primary ProxyAV goes down. This alternate ProxyAV is called the standby server. When creating an ICAP policy, you specify a list of ICAP services to use, in order of preference. If the first service in the list does not pass the health checks, the ProxySG uses the next healthy service on the list to perform the scanning. The primary ProxyAV resumes ICAP processing when the next health check is successful; the standby ProxyAV does not retain the primary responsibility.

Notes
• Failover is configured as part of the ICAP policy definition.
• You cannot configure failover policy until ICAP services are configured on the ProxySG.
• To avoid errors, ICAP services cannot be named fail_open or fail_closed (the CLI commands prevent these names from being created).

Creating ProxyAV Failover Policy

A ProxyAV failover policy is similar to a standard ICAP response policy, except that you add two services to the policy (one for each ProxyAV). The order in which you select the services determines which ProxyAV is considered the primary server and which is considered the standby server: the primary should be selected first. Note that the services must be of the same type (for instance, response modification). The following procedure assumes that you have already created an ICAP service for each ProxyAV. (See "Task 2: Create the ICAP Service" on page 4-4.)

Configure the ProxyAV Failover Policy

Step 1  Log in to the ProxySG Management Console.

Step 2  Launch the VPM.
  a. Select Configuration > Policy > Visual Policy Manager.
  b. Click Launch.

Step 3  Create a Web content layer.
  a. Select Policy > Web Content Layer.
  b. Assign a descriptive name to the layer (for example, avfailover).
  c. Click OK.

Step 4  Create an action for the rule.
  a. Right-click the Action column and select Set. The Set Action Object dialog displays.
  b. Click New.
  c. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays.

Step 5  Configure the response service object.
  a. Select Use ICAP response service.
  b. In the Available services list, select the primary ProxyAV service and click Add.
  c. In the Available services list, select the secondary (standby) ProxyAV service and click Add.
  d. Select Deny the client request.
  e. Click OK; click OK again to add the object.

Step 6  Install the policy.
  a. Click Install Policy.
  b. Close the VPM window.
The policy tells the ProxySG to use the primary ProxyAV for all ICAP scanning. If the primary server fails, the ProxySG will use the standby ProxyAV for scanning until the primary server is healthy again.

Result: Using the ICAP failover policy, the ProxySG sends all ICAP response modification requests to the primary ProxyAV. If this appliance fails, the ProxySG sends all requests to the standby ProxyAV until the primary appliance is healthy again.

9  Configuration Best Practices

This chapter describes strategies for improving scanning performance. It includes the following topics:
❐ Conserving Scanning Resources—on page 9-2
❐ Determining Which File Types to Scan—on page 9-8
❐ Best Practices for PDF Documents—on page 9-10
❐ Avoiding Processing of Cancelled Connections—on page 9-10

Conserving Scanning Resources

The ProxyAV has a finite number of ICAP connections available at any given time. A scanning resource (connection) is used for each object. HTTP Web objects range from very small to very large in size. However, some objects do not have finite object ends, such as stock tickers, which are data streams transmitted over HTTP through a Web browser. Terms used to describe this type of content are infinite streams or slow downloads. Attempting to virus scan this type of data can potentially consume significant time and ProxyAV resources (potentially slowing other scans) until an error is returned. If allowed to continue, these transfers fail with one of the following ICAP error codes:
• Maximum file size exceeded
• Scan timeout

The default configuration of the ProxyAV triggers such errors after the file size exceeds 100MB or after 800 seconds of scanning. While these settings are appropriate for other types of Web objects, they don't work for infinite streams such as Web cams and stock tickers. If such a transfer is allowed to continue, it impacts all network traffic as the ProxySG waits for ProxyAV responses.

Also, users might attempt to refresh the request when a response is delayed, and some client applications automatically retry a request if no response is received in a certain amount of time. Refreshing the request, especially when a client application is particularly aggressive, can lead to a high number of queued requests for the same object, which increases the competition for ProxyAV scanning resources.

Although the ProxyAV cannot detect infinite streaming objects by their type, you can instruct the ProxyAV to abandon scanning of an object after a specified time, thereby freeing up a scanning resource for another transaction. This feature is called Intelligent Connection Traffic Monitoring (ICTM). When ICTM is enabled, the ProxyAV uses a specified download time (such as 60 seconds) to evaluate whether a connection is considered slow. If the number of "slow" connections exceeds a warning threshold (such as 35 concurrent ICAP connections), the ProxyAV notifies the administrator of the slow URL via an e-mail or SNMP trap. The ProxyAV doesn't start dropping these slow connections until their number exceeds a critical threshold (such as 45 concurrent connections). Oldest connections are dropped first.

Configure ICTM on the ProxyAV

Step 1  Log in to the ProxyAV Management Console.

Step 2  Confirm that ICTM is enabled.
  a. Select Advanced > Intelligent Connection Traffic Monitoring.
  b. Make sure that the Intelligent Connection Traffic Monitoring (ICTM) checkbox is selected. If you clear this option, no warning is sent and nothing is logged in the AlertLog file.

Step 3  Define what you consider to be a slow download.
  a. If desired, modify the default setting (60) in the ICAP connections are considered "slow" when the download exceeds ___ seconds field.
  b. Blue Coat recommends the default of 60 seconds. The larger the value, the more resources are wasted on suspected infinite stream URLs. Conversely, lower values might tag the downloads of large objects as slow, thus targeting them for termination before the download is complete.

Step 4  Specify warning threshold parameters.
  a. In the Log a warning when more than ___ connections are "slow" field, enter the number of concurrent slow connections at which the ProxyAV will send a warning message. The default setting is 70% of the recommended maximum ICAP connections for the ProxyAV platform.
  b. To send an e-mail warning when this threshold is reached, make sure the Send an alert when warning level is reached checkbox is selected. The e-mail is sent to the recipients specified on the Alerts > Alerts Settings page.
  c. In the Repeat warning alert every ___ minutes field, enter the interval, in minutes, at which the ProxyAV repeats the warning messages if the threshold remains breached.

Step 5  Specify critical threshold parameters.
  a. In the Drop older "slow" connections when more than ___ connections are "slow" field, enter the number of concurrent slow connections at which the ProxyAV will start dropping connections to maintain a level below the critical threshold. The default setting is 90% of the recommended maximum ICAP connections for the ProxyAV platform. This value must be larger than the warning threshold (Step 4).
  b. Just as for the warning threshold (Step 4b), you can select to send an alert to administrators for each connection that is dropped.

Step 6  Save the settings. Click Save Changes.
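The threshold logic configured in Steps 3 to 5, as an added Python model (example code, not the ProxyAV's implementation). It assumes the slow threshold, warning level and critical level behave as the procedure states, drops the oldest slow connections until the count is back at the critical threshold, and uses constructed connection records with small thresholds for illustration.

```python
"""Model of ICTM's slow-connection thresholds on the ProxyAV, as configured in the steps above."""
from dataclasses import dataclass
from typing import List


@dataclass
class IctmSettings:
    slow_after_seconds: int = 60   # "connections are considered slow when the download exceeds ___ seconds"
    warning_threshold: int = 35    # "Log a warning when more than ___ connections are slow"
    critical_threshold: int = 45   # "Drop older slow connections when more than ___ connections are slow"

    def __post_init__(self) -> None:
        # Step 5a: the critical threshold must be larger than the warning threshold.
        if self.critical_threshold <= self.warning_threshold:
            raise ValueError("critical threshold must be larger than the warning threshold")


def default_settings(recommended_max_icap_connections: int) -> IctmSettings:
    """Defaults stated on this page: warn at 70% and drop at 90% of the platform's
    recommended maximum ICAP connections (rounding is a modelling choice)."""
    return IctmSettings(
        slow_after_seconds=60,
        warning_threshold=round(recommended_max_icap_connections * 0.70),
        critical_threshold=round(recommended_max_icap_connections * 0.90),
    )


@dataclass
class IcapConnection:
    conn_id: int
    url: str
    started_at: float   # seconds on a monotonic clock


@dataclass
class IctmDecision:
    slow: List[IcapConnection]   # oldest first
    warn: bool                   # send the warning e-mail / SNMP trap
    drop: List[IcapConnection]   # connections to terminate, oldest first


def evaluate(connections: List[IcapConnection], settings: IctmSettings, now: float) -> IctmDecision:
    """Flag downloads older than the slow threshold, warn above the warning
    threshold and, above the critical threshold, drop the oldest slow connections
    until the count is back at the critical threshold (assumed reading of
    "maintain a level below the critical threshold")."""
    slow = sorted((c for c in connections if now - c.started_at > settings.slow_after_seconds),
                  key=lambda c: c.started_at)
    warn = len(slow) > settings.warning_threshold
    excess = len(slow) - settings.critical_threshold
    drop = slow[:excess] if excess > 0 else []
    return IctmDecision(slow=slow, warn=warn, drop=drop)


if __name__ == "__main__":
    # Constructed scenario with small thresholds: seven long-running ticker
    # downloads and one fresh page fetch that is not slow.
    settings = IctmSettings(slow_after_seconds=60, warning_threshold=3, critical_threshold=5)
    conns = [IcapConnection(i, f"http://ticker.example.test/feed/{i}", 100.0 * i) for i in range(1, 8)]
    conns.append(IcapConnection(8, "http://www.example.test/page.html", 980.0))
    decision = evaluate(conns, settings, now=1000.0)
    print("slow:", [c.conn_id for c in decision.slow], "warn:", decision.warn,
          "drop:", [c.conn_id for c in decision.drop])
```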
In addition to enabling ICTM, you should also implement a policy to control scanning of infinite streams. The example policies below offer two different approaches and are not intended to co-exist. Select only one.

Solution A: No-Scan Policy

To enhance user satisfaction and achieve maximum performance from the ProxyAV, some customers choose not to scan data streams that are known to cause issues. This policy is based on request/response patterns that indicate an overly large or slow download. The policy looks for very long content or objects in which no content length is provided; these are signs that the object may tie up ProxyAV resources. The policy also looks for common infinite streaming media types as well as user agents that are known to cause scanning problems. In addition, the policy defines URL domains that shouldn't be scanned (such as finance.google.com and youtube.com) because they are known to contain infinite streams; you can add URL domains that you know contain infinite streams.

One benefit of this policy is reduced load on the ProxyAV. The risk is that the exemption could allow malicious content to slip through unscanned.

Blue Coat has written the Content Policy Language (CPL) for this policy and you can download the file, customize it for your own needs, and install it on your ProxySG. This policy assumes that the ICAP response rule is already defined.

Install a No Scan Policy for Slow Downloads

Step 1  Download the CPL text file.
  a. Go to: http://techlabs.bluecoat.com/policy/icap_noscan.txt or refer to the text after this procedure.
  b. Save the file to your desktop or other convenient location.
  c. Modify the policy to meet your requirements.

Step 2  Log in to the ProxySG Management Console.

Step 3  Install the policy file.
  a. Select Configuration > Policy > Policy Files.
  b. From the Install Local File from drop-down list, select Text Editor.
  c. Click Install. A browser window displays the Edit and Install the Local Policy File page.
  d. Open your CPL file and copy the text. Return to the Edit and Install the Local Policy File page and paste the contents of the file at the end of the local policy file on your ProxySG.
  e. Click Install. A dialog displays, informing you whether the installation was successful.
  f. If necessary, correct any errors in the file and reinstall it.

CPL for No-Scan Policy

    ; -------------ICAP Best Practices---------------------------------------------
    ; The actual ICAP respmod rule should already be defined. Both of these actions will
    ; reset it back to (no) upon an attempt to scan a streaming object or an object
    ; that shouldn't be scanned.
    <cache> delete_on_abandonment(yes)
    <cache> url.scheme=http condition=NOICAP response.icap_service(no)
    <Proxy> request.header.User-Agent="ProxyAV" patience_page(no)

    ; This condition will match if the content length is greater than
    ; 99,999,999 bytes, or no content length is provided. Both of
    ; these are signs that this may tie up a thread on the AV for too long.
    define condition NO_or_LARGE_CONTENT_LENGTH
        response.header.Content-Length=!"^[0-9]{1,8}$"
        response.header.Content-Length=!""
    end condition NO_or_LARGE_CONTENT_LENGTH

    ; Here are some common infinite stream media types.
    define condition MEDIA_MIME_TYPES
        response.header.Content-Type="video/"
        response.header.Content-Type="audio/"
        response.header.Content-Type="application/ogg"
        response.header.Content-Type="application/x-ogg"
        response.header.Content-Type="application/streamingmedia"
        response.header.Content-Type="application/x-streamingmedia"
        response.header.Content-Type="application/vnd.rn"
        response.header.Content-Type="multipart/x-mixed-replace"
    end condition MEDIA_MIME_TYPES

    ; Add modern user-agents known to missbehave to this condition
    ; and remove the comment character (semicolon) before Rule 3
    ; in the NOICAP condition below. None of these exist right now.
    define condition Missbehaving_Modern_UserAgents
        request.header.User-Agent=""
    end condition Missbehaving_Modern_UserAgents

    define condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
        condition=NO_or_LARGE_CONTENT_LENGTH condition=MEDIA_MIME_TYPES
    end condition VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH

    define condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
        condition=NO_or_LARGE_CONTENT_LENGTH condition=Missbehaving_Modern_UserAgents
    end condition UserAgents_with_NO_or_LARGE_CONTENT_LENGTH

    ; Older user agents known to missbehave; these will also block some threads on the AV.
    define condition MissBehaving_Old_UserAgents
        request.header.User-Agent="Winamp"
        request.header.User-Agent="NSPlayer"
        request.header.User-Agent="RMA"
        request.header.User-Agent="ultravox"
        request.header.User-Agent="forest"
        request.header.User-Agent="Scottrader"
        request.header.User-Agent="itunes"
        request.header.User-Agent="SVN"
    end condition MissBehaving_Old_UserAgents

    define condition HTTPv0.9_UserAgents
        http.request.version=0.9 condition=MissBehaving_Old_UserAgents
    end condition HTTPv0.9_UserAgents

    define condition NOICAP
        condition=VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH
        condition=HTTPv0.9_UserAgents
        ;condition=UserAgents_with_NO_or_LARGE_CONTENT_LENGTH
        ; Other streaming media exceptions
        url.domain=//youtube.com
        url.domain=//pandora.com
        url.domain=//finance.google.com
        url.domain=//stream.aol.com
        ; Yahoos stock ticker problem -15sep06
        url.domain=//streamerapi.finance.yahoo.com
    end condition NOICAP
    ; -------------End ICAP Best Practices-------------------------

Solution B: Scan-Until-Error Policy

Some administrators choose to wait for one of the symptomatic errors (Maximum file size exceeded or Scan timeout) to occur and then serve the data stream unscanned. This approach ensures that all data is still sent to the ProxyAV; thus, the maximum amount of scanning can occur. The downside to this approach is that all requests for infinite data streams must reach the maximum file size or scan timeout configured on the ProxyAV. If a sufficient number of concurrent requests for such data streams occur, the request queue will slow or delay other traffic.

This policy example serves the data stream if the error is Maximum file size exceeded or Scan timeout; other errors are denied. Replace <resp_service> with the name of your ICAP response service. Blue Coat has written the CPL for this policy and you can download the file, customize it for your own needs, and install it on your ProxySG.

Install a Scan-Until-Error Policy

Step 1  Download the CPL text file.
  a. Go to: http://techlabs.bluecoat.com/policy/icap_scan.txt or refer to the text after this procedure.
  b. Save the file to your desktop or other convenient location.
  c. Modify the policy to meet your requirements.

Step 2  Log in to the ProxySG Management Console.

Step 3  Install the policy file.
  a. Select Configuration > Policy > Policy Files.
  b. From the Install Local File from drop-down list, select Text Editor.
  c. Click Install. A browser window displays the Edit and Install the Local Policy File page.
  d. Open your CPL file and copy the text. Return to the Edit and Install the Local Policy File page and paste the contents of the file at the end of the local policy file on your ProxySG.
  e. Click Install. A dialog displays, informing you whether the installation was successful.
  f. If necessary, correct any errors in the file and re-install it.

Code for Scan-Until-Error Policy

    ; edit the <resp_service> below to be the name of your ICAP respmod service
    <cache>
        response.icap_service(<resp_service>, fail_open)

    ; serve the object only when the ICAP result is one of the two symptomatic
    ; errors (or no error at all); every other ICAP error raises the exception
    <proxy>
        condition=!maxfilesizeexceeded_or_scantimeout_errors_or_none exception(icap_error)

    define condition maxfilesizeexceeded_or_scantimeout_errors_or_none
        icap_error_code=max_file_size_exceeded
        icap_error_code=scan_timeout
        icap_error_code=none
    end condition maxfilesizeexceeded_or_scantimeout_errors_or_none
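How the NOICAP condition of the no-scan policy above classifies a transaction, as an added Python model (example code, not Blue Coat's CPL engine). It assumes the CPL semantics this section relies on: tests on one line are ANDed, lines inside a define condition are ORed, header tests are unanchored regex searches that fail when the header is absent (so only a negated test matches a missing header), and url.domain matches the domain and its subdomains. The hosts and header values are constructed; the literals come from the policy.

```python
"""Model of the no-scan CPL above: which transactions the NOICAP condition exempts from scanning."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Literals copied from the NOICAP policy on this page.
MEDIA_MIME_TYPES = ("video/", "audio/", "application/ogg", "application/x-ogg",
                    "application/streamingmedia", "application/x-streamingmedia",
                    "application/vnd.rn", "multipart/x-mixed-replace")
OLD_USER_AGENTS = ("Winamp", "NSPlayer", "RMA", "ultravox", "forest",
                   "Scottrader", "itunes", "SVN")
MODERN_USER_AGENTS: tuple = ()       # empty in the policy ("None of these exist right now")
MODERN_UA_RULE_ENABLED = False       # the matching NOICAP line is commented out in the policy
NOICAP_DOMAINS = ("youtube.com", "pandora.com", "finance.google.com",
                  "stream.aol.com", "streamerapi.finance.yahoo.com")


@dataclass
class Transaction:
    """Constructed request/response pair; None models an absent header."""
    host: str
    http_version: str = "1.1"
    user_agent: Optional[str] = None
    content_length: Optional[str] = None
    content_type: Optional[str] = None


def header_test(value: Optional[str], pattern: str, negate: bool = False) -> bool:
    """CPL-style header test: an unanchored regex search over the header value.

    Modelling assumption: an absent header fails every positive test, so a
    negated test (=!) is what lets a condition match when the header is missing.
    """
    matched = value is not None and re.search(pattern, value) is not None
    return (not matched) if negate else matched


def no_or_large_content_length(t: Transaction) -> bool:
    # Lines inside a define condition are ORed: more than 8 digits, or no header at all.
    return (header_test(t.content_length, r"^[0-9]{1,8}$", negate=True)
            or header_test(t.content_length, r"", negate=True))


def media_mime_type(t: Transaction) -> bool:
    return any(header_test(t.content_type, re.escape(m)) for m in MEDIA_MIME_TYPES)


def user_agent_in(t: Transaction, agents: Iterable[str]) -> bool:
    # The pitfall behind the policy's commented-out line: an empty pattern ("")
    # matches every present User-Agent, so the placeholder must not be enabled.
    return any(header_test(t.user_agent, re.escape(a)) for a in agents)


def url_domain(t: Transaction, domain: str) -> bool:
    # url.domain=//example.com matches the domain itself and any subdomain.
    return t.host == domain or t.host.endswith("." + domain)


def noicap(t: Transaction) -> bool:
    """True when '<cache> url.scheme=http condition=NOICAP response.icap_service(no)' fires."""
    # Tests on one line are ANDed; separate lines are ORed.
    video_audio = no_or_large_content_length(t) and media_mime_type(t)
    http09 = t.http_version == "0.9" and user_agent_in(t, OLD_USER_AGENTS)
    modern_ua = (MODERN_UA_RULE_ENABLED and no_or_large_content_length(t)
                 and user_agent_in(t, MODERN_USER_AGENTS))
    domain = any(url_domain(t, d) for d in NOICAP_DOMAINS)
    return video_audio or http09 or modern_ua or domain


def scan_decision(t: Transaction) -> str:
    return "bypass-scan" if noicap(t) else "scan"


if __name__ == "__main__":
    # Constructed samples: a chunked video stream, a bounded clip, a ticker host.
    for sample in (Transaction("cdn.example.test", content_type="video/mp4"),
                   Transaction("cdn.example.test", content_type="video/mp4", content_length="5000000"),
                   Transaction("streamerapi.finance.yahoo.com", content_type="text/plain")):
        print(sample.host, sample.content_type, "->", scan_decision(sample))
```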
select Text Editor.Configuration Best Practices Conserving Scanning Resources Install a No Scan Policy for Slow Downloads Step 3 Install the policy file. Click Install. edit the <resp_service> below to be the name of your ICAP respmod service name <cache> response. Determining Which File Types to Scan Configuration Best Practices Determining Which File Types to Scan As the delivery of viruses and malicious code is ever-evolving, Blue Coat recommends scanning all file types. However, the ProxySG/ProxyAV integrated solution allows you to determine which file types are scanned, or more appropriately, not scanned. By default, the ProxySG forwards all file types for scanning, but you can create policy that includes or excludes specific file types. Blue Coat recommends scanning all file types to attain maximum security against harmful content. The following file types are known to harbor viruses: "";ARJ;BAT;BIN;BMP;BOO;CAB;CHM;CLA;CLASS;COM;CSC;DAT;DLL;DOC;DOT;DRV; EML;EXE;GIF;GZ;HLP;HTA;HTM;HTML;INI;JAR;JPG;JPEG;JS;JSE;LNK;LZH;MDB;MPD;MPP;M PT;MSG;MSO;NWS;OCX;OFT;OVL;PDF;PHP;PIF;PL;POT;PPS;PPT;PRC;RAR;REG; RTF;SCR;SHS;SYS;TAR;TIF;VBE;VBS;VSD;VSS;VST;VXD;WML;WSF;XLA;XLS;XL T;XML;Z;ZIP;{*; At the time of this printing, the following MIME file types are deemed low risk to contain harmful content: audio; x director video To achieve a performance increase, you might opt to instruct the ProxySG to exclude these types from scanning. Here are several examples for excluding/including file types, using Content Policy Language (CPL) and Visual Policy Manager (VPM). CPL Example: Excluding File Types The following policy excludes the Real Media file type from being scanned because it is considered to be a very low risk to contain harmful content. define condition FileExtension_lowrisk url.extension = rm end condition FileExtension_lowrisk <Cache> condition= ! 
FileExtension_lowrisk response.icap_service(avresponse,fail_closed) VPM Example: Excluding File Types In the Destination column, a File Extensions object is created, which contains the Real Media file type; the object is then negated (notice the symbol): Table 9-1 Web Content Layer with a rule to negate the low-risk file extension. 9-8 Integrating the ProxySG and ProxyAV Appliances Configuration Best Practices Determining Which File Types to Scan CPL Example: Including File Types The following policy specifies that HTML and ZIP file types are to be scanned: define condition FileExtension_highrisk url.extension=html url.extension=zip end condition FileExtension_highrisk <Cache> condition=FileExtension_highrisk response.icap_service(avresponse,fail_closed) VPM Example: Including File Types Another rule is added. In the Destination column, a File Extensions object is created, which contains the HTML and ZIP file types: Table 9-2 Subsequent rule with the high-risk file types added. Integrating the ProxySG and ProxyAV Appliances 9-9 Best Practices for PDF Documents Configuration Best Practices Best Practices for PDF Documents Some versions of the Adobe Acrobat browser plug-ins, when interacting with certain PDF documents, make requests with very large numbers of byte-range groupings. The HTTP byte-range request is a method of requesting only a portion of the data within an object. A single HTTP request can specify multiple byte ranges in a list using start and stop byte offsets. The ProxyAV supports up to 70 byte ranges per request. For requests with fewer than 70 byte ranges, the object data is retrieved from the origin server and scanned normally. If the entire object is already in the cache, each byte range is extracted and served from the cached data. However, if a request has more than 70 byte ranges, the ProxySG is unable to serve the data from the cache and instead must retrieve the data from the origin server and rescan it. 
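The check below is an added example for this section; it is not code from the Blue Coat guide or from SGOS/AVOS. It parses an HTTP Range header value (RFC 7233 byte-ranges-specifier syntax), counts the byte-range specs a single request carries, and reports which of the three outcomes described above applies, so that a request captured from a misbehaving Acrobat plug-in can be checked against the 70-range limit. The function names, the outcome labels, and the constructed sample headers are assumptions of the example.

```python
"""Check an HTTP Range header against the ProxyAV's 70-byte-range limit.

Added example; not code from the Blue Coat guide or from SGOS/AVOS.  It parses
the Range header value (RFC 7233 byte-ranges-specifier syntax), counts the
byte-range specs in a single request and reports how the guide says the
ProxySG will handle it.  Function names, outcome labels and the sample headers
are assumptions of this example.
"""
import re
from typing import List, Optional, Tuple

# Limit stated in the integration guide for scanned byte-range requests.
MAX_SCANNED_BYTE_RANGES = 70

# One byte-range-spec: "first-last", "first-" (to end) or "-suffix_length".
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header_value: str) -> List[ByteRange]:
    """Return (first, last) pairs for each spec; None marks an open end.

    "-500" (last 500 bytes) is returned as (None, 500) and "1000-" as
    (1000, None).  Raises ValueError on anything that is not a well-formed
    bytes= range header, so a malformed header is never counted as zero
    ranges.
    """
    unit, sep, spec_list = header_value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("not a bytes range header: %r" % header_value)
    ranges: List[ByteRange] = []
    for spec in spec_list.split(","):
        match = _RANGE_SPEC.match(spec)
        if match is None or (match.group(1) == "" and match.group(2) == ""):
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first = int(match.group(1)) if match.group(1) else None
        last = int(match.group(2)) if match.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError("last-byte-pos precedes first-byte-pos: %r" % spec)
        ranges.append((first, last))
    return ranges


def is_valid_range_header(header_value: str) -> bool:
    """True if the value parses as a bytes= Range header."""
    try:
        parse_byte_ranges(header_value)
    except ValueError:
        return False
    return True


def exceeds_range_limit(header_value: str, limit: int = MAX_SCANNED_BYTE_RANGES) -> bool:
    """True if the request carries more byte ranges than the scanner limit."""
    return len(parse_byte_ranges(header_value)) > limit


def range_handling(header_value: Optional[str], object_cached: bool) -> str:
    """Outcome the guide describes for a request, given its Range header and
    whether the whole object is already in the ProxySG cache.

    Labels are this example's own:
      serve_from_cache   - 70 or fewer ranges and the object is cached
      fetch_and_scan     - 70 or fewer ranges, object not cached
      refetch_and_rescan - more than 70 ranges: the cache cannot be used
    """
    count = len(parse_byte_ranges(header_value)) if header_value else 0
    if count > MAX_SCANNED_BYTE_RANGES:
        return "refetch_and_rescan"
    return "serve_from_cache" if object_cached else "fetch_and_scan"


def build_sample_header(num_ranges: int, chunk: int = 1024) -> str:
    """Constructed sample: num_ranges contiguous chunk-sized ranges, the shape
    of request a piecemeal PDF reader emits."""
    specs = ["%d-%d" % (i * chunk, i * chunk + chunk - 1) for i in range(num_ranges)]
    return "bytes=" + ",".join(specs)


if __name__ == "__main__":
    # Constructed inputs: a small hand-written header and a 75-range one.
    for header in ("bytes=0-99,200-299,-500,1000-", build_sample_header(75)):
        n = len(parse_byte_ranges(header))
        print("%3d range(s) -> %s" % (n, range_handling(header, object_cached=True)))
```

A malformed or non-bytes Range header raises rather than counting as zero ranges, so a request that cannot be parsed is never misreported as cache-servable; feed the function the raw header value from a packet capture or an access log that records request headers.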
Some Acrobat plug-ins fail to handle the patience-page behavior of the ProxySG during these 70+ byte-range retrievals and, instead, display a blank screen. Such Acrobat plug-ins operate correctly for all other requests, even with regard to patience-page operation. Normally, this issue can be resolved by upgrading the Acrobat plug-in. However, if an upgrade is not possible, or the particular PDF files continue to trigger this behavior, you can use a different type of ICAP feedback instead of patience pages: data trickling. You needn't change the default ICAP feedback; you can specify data trickling for PDF objects from a specific domain. The following example policy enables data trickling for PDF objects from Blue Coat sites:
<proxy>
  url.domain=bluecoat.com url.extension=(pdf) response.icap_feedback.interactive(trickle_start, 5)

Use trickle_end if you want the data trickling to occur at the end of the download. Because trickle_start releases the beginning of the object to the client before the scan verdict is known, scope the rule narrowly, as above (one domain and one extension), rather than applying it to all traffic.

Avoiding Processing of Cancelled Connections
When an HTTP request appears cacheable, the ProxySG completes the download, even if the requesting client has abandoned the connection. This allows the ProxySG to store a cached version of the object for future requests. However, for slow downloads, this behavior can result in each client request queuing a separate instance for scanning. To avoid the continued processing of a request after the client application has disconnected, you can enable the CPL property delete_on_abandonment for certain client applications. The following example policy prevents queuing of duplicate requests for a known aggressive client:
<cache>
  request.header.User-Agent="Winamp" delete_on_abandonment(yes)

Note that delete_on_abandonment does not work when patience pages are enabled. It only works with data trickling or with no ICAP feedback.
Alternatively, you can enable delete_on_abandonment for all clients, using the following code:
<proxy>
  delete_on_abandonment(yes)

10 Troubleshooting
This chapter provides solutions to problems customers may have when integrating the ProxySG and ProxyAV anti-malware solution. It includes the following topics:
❐ The ProxyAV isn't Scanning Web Traffic, on page 10-2
❐ Users Can't Access Any Web Sites, on page 10-3
❐ ProxySG Runs Out of Memory During Heavy Traffic Load, on page 10-5
❐ Scans are Taking Too Long, on page 10-5
❐ My ProxyAV isn't Getting Virus Updates, on page 10-6

The ProxyAV isn't Scanning Web Traffic
Symptoms: The ProxyAV's Home page doesn't show any files being scanned. The ProxySG's ICAP statistics page doesn't show any requests, connections, or bytes for the last hour (or other recent time period). The History Stats page doesn't show any ICAP objects, connections, or bytes for the last hour (or other recent time period).
Solutions: If the ProxyAV isn't scanning Web traffic, there is likely a configuration error that is preventing the ProxySG from sending traffic to the ProxyAV. Here are a few things to double-check:
• Did you create an ICAP service on the ProxySG? (See "Task 2: Create the ICAP Service" on page 4-4.)
• Does the ICAP service have the correct URL of the ProxyAV? Does the URL include the same antivirus service name specified on the ProxyAV? If you changed the antivirus service name from its default (avscan), you must make sure to include this same name as part of the Service URL for the ICAP service on the ProxySG.
• Did you create a policy for the ICAP service? (See "Task 3: Create Malware Scanning Policy" on page 4-8.)
Users Can't Access Any Web Sites
Symptoms: All users get a denied message in their Web browsers when trying to go to any Web site.
Solution 1: If the ProxyAV is down and your ICAP policy is set to Deny the client request if an error occurs during ICAP processing (fail_closed in CPL), users will not be able to browse the Internet; all requests will be denied. Thus, if you have created your ICAP policy on the ProxySG before setting up the ProxyAV, users will not have Web access. Therefore, it's important to have the ProxyAV up and running before you install the ICAP policy. To avoid the inevitable support calls that result from lack of Web access when the ProxyAV is down, you may want to consider changing the ICAP policy to Continue without further ICAP response processing (fail_open in CPL). With this setting, users will be able to browse the Internet when the ProxyAV is down. However, this opens up the network to potential viruses being downloaded during the ProxyAV downtime (although desktop virus scanners might prevent this), so treat it as a deliberate availability-over-security choice and make sure ProxyAV outages are alerted on rather than discovered later.
Solution 2: This problem can also be caused by inconsistent secure ICAP settings for the ICAP service, the ProxyAV, and the ICAP policy. If you want to use secure ICAP for HTTPS, you need to enable it in all three places. The following series of screenshots shows the proper settings that should be in place to allow users to browse secure Web sites (scanned with secure ICAP) and non-secure Web sites (scanned with plain ICAP).
Figure 10-1 Secure ICAP enabled on the ProxyAV
Figure 10-2 Secure ICAP enabled on the ICAP service (configured on the ProxySG)
Figure 10-3 Secure ICAP enabled in the policy for the ICAP response service (configured in the VPM)
Solution 3: This problem can be caused by incorrect SSL configuration for secure ICAP. Make sure you have followed the steps below:
1. Copy the ProxyAV appliance certificate (Advanced > SSL Certificates).
2. Import the ProxyAV appliance certificate as a CA certificate on the ProxySG (Configuration > SSL > CA Certificates > Import).
3. Create a new CA certificate list (CCL) specifically for secure ICAP and add the ProxyAV CA certificate imported in step 2 (Configuration > SSL > CA Certificates > CA Certificate Lists > New). Keeping the ProxyAV certificate in its own CCL confines that trust to the ICAP connection.
4. Create a new SSL device profile for secure ICAP, selecting the default keyring and the CCL you created in step 3 (Configuration > SSL > Device Profiles > New).
5. When editing the ICAP service, configure it to use the SSL device profile created in step 4 (Configuration > External Services > ICAP > Edit).
Solution 4: The anti-virus license could be invalid or expired. To check the status of the anti-virus license on the ProxyAV, click Antivirus.

ProxySG Runs Out of Memory During Heavy Traffic Load
Symptoms: The ProxySG becomes unresponsive and needs to be restarted.
Solution: The most common cause of this problem is setting too high a value for the Maximum number of connections for the ICAP service. With too high a value, ICAP connections start queuing up, and eventually the ProxySG runs out of memory and needs to be restarted. To avoid this problem, use the Sense settings button to have the ProxySG retrieve the appropriate setting from the ProxyAV. Blue Coat recommends that you not modify the Maximum number of connections value manually; let the Sense settings feature determine the appropriate value. If you have two ProxySGs sending ICAP requests to a single ProxyAV, divide the sensed value by two and enter the result on each of the ProxySGs. For example, if the Sense settings button determines that the maximum number of connections is 10, enter 5 on each of the two ProxySGs.

Scans are Taking Too Long
Symptoms: Users complain about delays in Web browsing.
Solution: Slow scanning is most likely caused by the ProxyAV attempting to virus scan infinite streams. Blue Coat recommends that customers implement one of the policies described in the Best Practices chapter. See "Conserving Scanning Resources" on page 9-2 for additional details. You also need to be careful not to set too high a value for Maximum number of connections; with too high a value, ICAP connections start queuing up.

My ProxyAV isn't Getting Virus Updates
Symptoms: The network administrator gets an email notification that the antivirus update failed.
Solution 1: It's possible that the DNS server was temporarily down or some other network problem interfered with the virus update. Try forcing the update.
Solution 2: Each anti-virus vendor provides pattern file updates that necessarily contain portions (or descriptions) of viruses. Generally, these virus segments are encoded and are too small to be mistaken as a true virus by other AV vendors, but occasional false positives occur. These can be prevented by exempting the virus pattern update locations from scanning, as the following example policy illustrates. Place this policy after all other ICAP policies on the ProxySG, and keep the exemption limited to the exact update hosts, since anything matched here bypasses scanning entirely:
<cache>
  url.host=download.bluecoat.com response.icap_service(no)
  url.host=av-download.bluecoat.com response.icap_service(no)