Blue Coat Systems SGOS 4.x User Manual

Blue Coat® Systems ProxySG
SGOS 4.x Upgrade Guide
Blue Coat SGOS 4.x Upgrade Guide
Contact Information
Blue Coat Systems Inc. 650 Almanor Avenue Sunnyvale, California 94085
North America (USA) Toll Free: 1.866.362.2628 (866.36.BCOAT)
North America Direct (USA): 1.408.220.2270
Asia Pacific Rim (Japan): 81.3.5425.8492
Europe, Middle East, and Africa (United Kingdom): +44 (0) 1276 854 101
bcs.info@bluecoat.com support@bluecoat.com www.bluecoat.com
Copyright© 1999-2005 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. The Software may not be modified, reproduced (except to the extent specifically allowed by local law), removed from the product on which it was installed, reverse engineered, decompiled, disassembled, or have its source code extracted. In addition to the above restrictions, the Software, or any part thereof, may not be (i) published, distributed, rented, leased, sold, sublicensed, assigned or otherwise transferred, (ii) used for competitive analysis or used to create derivative works thereof, (iii) used for application development, or translated (iv) used to publish or distribute the results of any benchmark tests run on the Software without the express written permission of Blue Coat Systems, Inc., or (v) removed or obscured of any Blue Coat Systems, Inc. or licensor copyrights, trademarks or other proprietary notices or legends from any portion of the Software or any associated documentation. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. Blue Coat Systems, Inc. specifications and documentation are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. ProxySG™, ProxyAV™, CacheOS™, SGOS™, Spyware Interceptor™, Scope™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, Access Now®, Ositis®, Powering Internet Management®, and The Ultimate Internet Sharing Solution® are registered trademarks of Blue Coat Systems, Inc.
All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The Software and all related technical information, documents and materials are subject to export controls under the U.S. Export Administration Regulations and the export regulations of other countries.
Document Number: 231-02781 Document Revision: SGOS 4.1—6/17/05

Contents

Contact Information
Chapter 1: Upgrading—Overview
  Changes Between SGOS 3.x and SGOS 4.x
  About the Document Organization
  Related Blue Coat Documentation
  Document Conventions
Chapter 2: Upgrade Behavior, General
  Upgrading
  Restoring to Previous Versions
  Changing Between SGOS 4.x Versions
  Licensing
  Hardware Supported
  Documentation References
Chapter 3: Feature-Specific Upgrade Behavior
  Access Logging
  Authentication
  Bandwidth Management
  Compression
  Content Filtering
  CPU Monitoring
  Endpoint Mapper and SOCKS Compression
  ICAP Patience Page
  Policy
  Securing the Serial Port
  SmartFilter Version 4
  SSL Key Management
Index
Chapter 1: Upgrading—Overview
Blue Coat® strongly recommends that you read this document before attempting to upgrade to SGOS 4.x from previous ProxySG operating systems. Existing features and policies might not perform as with previous versions, and upgrading to this version might require some additional configuration tuning. This SGOS version provides high security for the network, so when downgrading to previous versions, not all configurations and policies are retained.

Changes Between SGOS 3.x and SGOS 4.x

Unlike SGOS 3.x, SGOS 4.x does not permit upgrades from SGOS 2.x or CacheOS 4.x. All systems must be upgraded to SGOS 3.2.4 before being upgraded to SGOS 4.x. For information on the correct upgrade path, see Table 2.1, “Upgrade Paths” on page 7.
If you attempt to download the next major release and you receive an error message saying that the download failed due to policy deprecations, your policy uses constructs that are no longer supported in SGOS 4.x. You must correct any policy syntax problems before upgrading. For information on checking on policy deprecation, see "Policy Deprecation" on page 22.
If the upgrade path is followed, most of the current settings on the ProxySG are maintained after the upgrade. New or transformed settings in SGOS 4.x are taken from the original settings wherever possible.

About the Document Organization

This document is organized for easy reference, and is divided into the following sections and chapters:
Table 1.1: Document Organization
Chapter Title | Description
Chapter 1 – Introducing the Upgrade/Downgrade Guide | Upgrade differences between SGOS 3.2.x and SGOS 4.x. Blue Coat documentation and documentation conventions are also discussed.
Chapter 2 – Upgrade Behavior, General | This chapter discusses general upgrade issues, including the required upgrade path and licensing.
Chapter 3 – Upgrade Behavior, Specifics | This chapter identifies new features in SGOS 4.x and discusses any upgrade/downgrade issues.

Related Blue Coat Documentation

Blue Coat 6000 and 7000 Installation Guide
Blue Coat 400 Series Installation Guide
Blue Coat 800 Series Installation Guide
Blue Coat 8000 Series Installation Guide
Blue Coat ProxySG Configuration and Management Guide
Blue Coat ProxySG Content Policy Language Guide
Blue Coat ProxySG Command Line Interface Reference

Document Conventions

The following section lists the typographical and Command Line Interface (CLI) syntax conventions used in this manual.
Table 1.2: Typographic Conventions
Conventions: Definition
Italics: The first use of a new or Blue Coat-proprietary term.
Courier font: Command line text that appears on your administrator workstation.
Courier Italics: A command line variable that is to be substituted with a literal name or value pertaining to the appropriate facet of your network system.
Courier Boldface: A ProxySG literal to be entered as shown.
{ }: One of the parameters enclosed within the braces must be supplied.
[ ]: An optional parameter or parameters.
|: Either the parameter before or after the pipe character can or must be selected, but not both.

Chapter 2: Upgrade Behavior, General

Upgrading

When upgrading to SGOS 4.x from SGOS 3.2.4 or higher, the ProxySG saves a copy of the original configurations. These configurations remain unaffected when configuring features going forward. If you downgrade to the previous SGOS version, the saved configuration is used and the ProxySG is restored to that state.
Following the upgrade path provided maintains most of the current settings, the exceptions being those features that were substantially enhanced in SGOS 4.x.
The only supported direct upgrade is from SGOS 3.2.4 and later. CacheOS 4.x and SGOS 2.x systems must first be upgraded to the SGOS 3.2.4 release. The following table provides the upgrade paths for these earlier versions.
Table 2.1: Upgrade Paths
Current OS | Direct Upgrade to SGOS 3.2.4? | Next OS version required | Comments
CA 1.0.00-CA3.1.15 | No | CA 3.1.16 |
CA 3.1.16 | No | CA 4.1.10 |
CA 3.5.00-CA3.5.07 | No | CA 3.5.08 |
CA 3.5.08 | No | CA 4.1.10 |
CA 4.0.00-CA4.1.09 | No | CA 4.1.10 |
CA 4.1.10 or greater | No | SG 2.1.07 |
CA 4.2.00 | No | CA 4.2.01 |
CA 4.2.01 or greater | Yes | None | Can directly upgrade to SGOS 3.2.4
SA 1.0.00-SA2.0.x | No | SA 2.0.x |
SA 2.0.x | No | SA 4.1.10 |
SA 4.0.00-SA4.1.09 | No | SA 4.1.10 |
SA 4.1.10 or greater | Yes | None | Can directly upgrade to SGOS 3.2.4.
SG 2.0.00-SG 2.1.06 | No | SG 2.1.07 |
SG 2.1.07 or greater | Yes | None | Can directly upgrade to SGOS 3.2.4.
In SGOS 3.2.4 or greater, deprecation warnings are issued for CPL syntax that is abandoned in SGOS 4.x. Use of abandoned syntax causes CPL compiler errors: the policy fails to install, and the ProxySG uses the default policy of ALLOW or DENY for all traffic. Following the recommended upgrade process ensures that policy integrity, and therefore network security, is maintained.
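The chain of intermediate releases implied by Table 2.1 can be worked out mechanically. The following Python sketch is an added example, not Blue Coat code: it encodes only the CA and SG rows of the table (the SA rows are left out because "SA 2.0.x" does not name an exact release), assumes that the more specific row applies where rows overlap, and uses the hypothetical names TABLE_2_1, GATE, parse, next_hop and upgrade_plan.

```python
import re

# Rows transcribed from Table 2.1 (CA and SG families only; SA rows omitted).
# Fields: family, lowest version, highest version (None = "or greater"),
# next OS version required (None = direct upgrade to SGOS 3.2.4 is supported).
# Assumption: where rows overlap (CA 4.2.x also matches "CA 4.1.10 or
# greater"), the more specific row applies, so the CA 4.2 rows come first.
TABLE_2_1 = [
    ("CA", (4, 2, 1), None, None),
    ("CA", (4, 2, 0), (4, 2, 0), "CA 4.2.01"),
    ("CA", (4, 1, 10), None, "SG 2.1.07"),
    ("CA", (4, 0, 0), (4, 1, 9), "CA 4.1.10"),
    ("CA", (3, 5, 8), (3, 5, 8), "CA 4.1.10"),
    ("CA", (3, 5, 0), (3, 5, 7), "CA 3.5.08"),
    ("CA", (3, 1, 16), (3, 1, 16), "CA 4.1.10"),
    ("CA", (1, 0, 0), (3, 1, 15), "CA 3.1.16"),
    ("SG", (2, 1, 7), None, None),
    ("SG", (2, 0, 0), (2, 1, 6), "SG 2.1.07"),
]

# Manual step required between SGOS 3.2.4 and SGOS 4.x (see the text above).
GATE = "resolve CPL deprecation warnings"


def parse(version):
    """Split a string such as 'CA 3.1.15' into ('CA', (3, 1, 15))."""
    m = re.fullmatch(r"\s*(CA|SG)\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return m.group(1), tuple(int(part) for part in m.group(2, 3, 4))


def next_hop(version):
    """Return the next required release, or None if 3.2.4 is reachable."""
    family, number = parse(version)
    for fam, low, high, hop in TABLE_2_1:
        if fam == family and low <= number and (high is None or number <= high):
            return hop
    # Versions that fall between table rows are reported, not guessed at.
    raise ValueError(f"{version} is not covered by Table 2.1")


def upgrade_plan(version):
    """Return every release to install, in order, ending at SGOS 4.x."""
    steps, current = [], version
    while True:
        hop = next_hop(current)
        if hop is None:
            break
        if hop in steps:  # guard against a cycle in a mistyped table
            raise RuntimeError(f"loop detected at {hop}")
        steps.append(hop)
        current = hop
    return steps + ["SGOS 3.2.4", GATE, "SGOS 4.x"]


if __name__ == "__main__":
    for start in ("CA 1.0.00", "CA 4.2.00", "SG 2.0.05"):
        print(start, "->", " -> ".join(upgrade_plan(start)))
```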

Summary of Changes to the Upgrade Process

• The upgrade path must include a system that shows all possible deprecation warnings, so that these can be corrected in advance of the upgrade, to avoid policy compilation failures after upgrading. Migrating through SGOS 3.2.4 or greater satisfies this requirement.
• If the currently installed policy issued deprecation warnings when compiled, downloads of systems in which that syntax has been abandoned will fail with the error " ". Which error message you see depends on whether you were using the Management Console or the CLI.
From the Management Console:
Policy deprecation warnings exist. Please resolve them prior to upgrading to the next major release of system software
From the CLI:
WARNING: The installed policy contains deprecation warnings. Please fix these warnings prior to upgrading to the next major release, or use load upgrade ignore-warnings at your own risk. Upgrading to the next major release with deprecation warnings will cause the policy compilation to fail on boot.
This means that you cannot download major version upgrades while policy contains deprecated syntax.
Generally, the deprecation warnings indicate the appropriate corrective action. See "Policy Deprecation" on page 22 for instructions on how to view the deprecation warnings that indicate the syntax to be corrected.
Note: The Visual Policy Manager (VPM) automatically generates up-to-date CPL syntax. If the deprecation warnings are issued from the VPM policy file, you should start VPM and reload the policy to get the latest version of the generated CPL.
• You can force an upgrade while deprecation warnings are present using the CLI command load upgrade ignore-warnings; however, policy compilation will fail after the upgrade and the ProxySG reverts to the default policy of ALLOW or DENY. Corrective action is required to restore normal operation.
• Any CPL local policy that performs operations such as ALLOW, DENY, Authenticate, or Redirect, or that modifies Cookie/Set-Cookie headers, might interfere with the Notify User policy. Before using the VPM Notify User policy, remove all coaching/splash/notify policy from the CPL local policy file.

Restoring to Previous Versions

When upgrading from the SGOS 3.2.4 or higher release, a copy of the settings is saved prior to any transformations by SGOS 4.x so that the original settings are available if the ProxySG is downgraded to SGOS 3.2.4.
Keep in mind that changes made after upgrade are not preserved on a downgrade. After an upgrade and a downgrade, the state is exactly what it was before the upgrade.

Redoing an Upgrade from SGOS 3.2.4

When the initial SGOS 4.x upgrade occurs, any compatible configurations are converted. This only happens the first time you upgrade; if you later downgrade to a pre-SGOS 4.x version by selecting an earlier image on your system, make configuration changes, and re-install SGOS 4.x, the new SGOS 3.2.4 changes are not propagated to SGOS 4.x.
To force the new system's configuration to be regenerated after changes are made to the older system's configuration, you will need to force the upgrade conversion to occur again. Use the restore-sgos3-config command, which converts the current SGOS 3.x configuration to the SGOS 4.x configuration.
Note: Previous force commands, restore-sgos2-config and restore-cacheos4-config, are not available in SGOS 4.x; they can only be run from earlier versions.
The restore-sgos3-config command first checks if there are saved SGOS 3.2.4 settings on the ProxySG. If not, the CLI command warns the administrator and exits. If saved SGOS 3 settings exist, the restore-sgos3-config command warns the administrator that all the current SGOS 4.x settings will be lost and that a restart will be initiated, waiting for positive confirmation before clearing all the current SGOS 4.x settings, and then initiating a restart. The restart (similar to a restart regular) triggers the upgrade process, which copies over the SGOS 3 settings and transforms them to the SGOS 4.x settings.

Redoing an Upgrade from SGOS 2.x or CacheOS 4.x

To downgrade to capture changes to the older version’s configuration, you must first launch the SGOS 3.x image, then select the SGOS 2.x or CacheOS 4.x version to launch. After you make the desired changes, you must follow the upgrade path back to SGOS 3.2.4, using the restore-sgos2-config or restore-cacheos4-config commands. (See Table 2.1 on page 7 for information on upgrade paths.)
The restore-sgos2-config or restore-cacheos4-config command first checks if there are saved SGOS 2.x or CacheOS 4.x settings on the ProxySG. If not, the CLI command warns the administrator and exits.
Important: Check for deprecation warnings after upgrading to 3.2.4 and before proceeding to SGOS 4.x.
If saved settings exist, the command warns the administrator that all the current next version settings will be lost and that a restart will be initiated, waiting for positive confirmation before clearing all the current next version settings, and then initiates a restart. The restart (similar to a restart regular) triggers the upgrade process, which copies over the settings and transforms them to the next version settings.

Changing Between SGOS 4.x Versions

When moving from one SGOS 4.x release to another SGOS 4.x release, the system maintains all settings. Changes made after an upgrade continue to be available after a subsequent downgrade as long as the setting is relevant to the downgraded release.
Note: When upgrading or downgrading between versions of SGOS 4.x, copies of version-specific configurations are not retained. Instead, all configurations created in an upgrade are retained if the configuration is relevant to the downgrade version.
Care should be taken when using policy features introduced in a minor release. These cause compilation errors if you fall back to a previous version of the same major release in which those features were unsupported.
To prevent accidental fallbacks, you should remove unused system images (using the installed_systems delete number, from the (config installed-systems) prompt).

Licensing

In SGOS 4.x, a base license is issued for SGOS 4.x functionality, regardless of whether those features existed before SGOS 4.x or are new in SGOS 4.x.
If you upgrade from SGOS 3.x with a valid SGOS 4.x component license, the ProxySG lists the licensed components with their expiry dates; those components that are not licensed enter a 60-day trial period.
If you upgrade from SGOS 3.x without a valid SGOS 4.x component license, all licensable components enter a trial period; the ProxySG attempts to download a license from the Blue Coat license download site once a day for the duration of the SGOS 4.x trial period.
There are three types of licensable components:
Required—The SGOS base.
Included—Additional features provided by Blue Coat.
Optional—If applicable, any additional purchased features.
When the license key file is created, it consists of all three components. The SGOS base is a required component of the license key file. The following table lists the ProxySG licensable components, categorized by type.
Table 2.2: Licensable Components
Type | Component | Description
Required | SGOS 4 Base | The ProxySG operating system, plus base features: HTTP, FTP, TCP-Tunnel, SOCKS, and DNS proxy. The following additional features are also included in the base license:
Included | 3rd Party Onbox Content Filtering | Allows use with third-party vendor databases: Intersafe, Optenet, Proventia, SmartFilter, SurfControl, Websense, and Webwasher.
Included | Websense Offbox Content Filtering | For Websense off-box support only.
Included | ICAP Services | External virus and content scanning with ICAP servers.
Included | Bandwidth Management | Allows you to classify, control, and, if required, limit the amount of bandwidth used by different classes of network traffic flowing into or out of the ProxySG.
Included | Windows Media Standard | MMS proxy; no caching or splitting; content pass-through. Full policy control over MMS.
Included | Real Media Standard | RTSP proxy; no caching or splitting; content pass-through. Full policy control over RTSP.
Included | Apple QuickTime Basic | RTSP proxy; no caching or splitting; content pass-through. Full policy control over RTSP.
Included | Netegrity SiteMinder | Allows realm initialization and user authentication to SiteMinder servers.
Included | Oblix COREid | Allows realm initialization and user authentication to COREid servers.
Included | Peer-to-Peer | Allows you to recognize and manage peer-to-peer (P2P) activity relating to P2P file sharing applications.
Included | Compression | Allows reduction to file sizes without losing any data.
Optional | SSL | SSL Termination; includes an SSL termination card to be installed on the appliance.
Optional | IM | AOL Instant Messaging: AIM proxy with policy support for AOL Instant Messenger. MSN Instant Messaging: MSN proxy with policy support for MSN Instant Messenger. Yahoo Instant Messaging: Yahoo proxy with policy support for Yahoo Instant Messenger.
Optional | Windows Media Premium | MMS proxy; content caching and splitting. Full policy control over MMS. When the maximum concurrent streams is reached, all further streams are denied and the client receives a message.
Optional | Real Media Premium | RTSP proxy; content caching and splitting. Full policy control over RTSP. When the maximum concurrent streams is reached, all further streams are denied and the client receives a message.