Version--03.27.2015

Deployment Brief:

Proxy Forwarding


Copyright © 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas: Blue Coat Systems, Inc., 420 N. Mary Ave., Sunnyvale, CA 94085

Rest of the World: Blue Coat Systems International SARL, 3a Route des Arsenaux, 1700 Fribourg, Switzerland


Web Security Service: Proxy Forward Access Method

The Blue Coat Web Security Service solutions provide web security and real-time protection against web-borne threats. As a cloud-based product, the Web Security Service (ThreatPulse) leverages Blue Coat's proven security technology as well as the WebPulse™ cloud community of over 75 million users.

With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roaming users.

This document describes how to forward web traffic from an existing Blue Coat ProxySG appliance or Microsoft proxy (ISA Server or Forefront Threat Management Gateway) to the Web Security Service for security scanning and policy checks.

- "Learn..."
- "Configure..."
- "Verify Web Security Service Connectivity to Locations"
- "References"

This document contains topics collected from the Web Security Service online documentation. For the complete doc set, see:

https://bto.bluecoat.com/documentation/All-Documents/Web Security Service


Learn...

This section describes the Proxy Forwarding access method, in which an existing gateway proxy (a Blue Coat ProxySG appliance or a Microsoft ISA/TMG server) forwards web traffic, together with the authenticated user and group information, to the Web Security Service.

- "About ProxySG Appliance Forwarding"
- "About Microsoft ISA/TMG Proxy Forwarding"


About ProxySG Appliance Forwarding

The Proxy Forwarding access method allows you to configure an existing Blue Coat ProxySG appliance (or other supported proxy) to forward non-internal web traffic to the Blue Coat Web Security Service. AES encryption of the forwarded traffic provides a central yet secure reporting solution for all locations.

This topic references Blue Coat ProxySG appliances. The Web Security Service also supports Microsoft ISA/TMG proxies. See "About Microsoft ISA/TMG Proxy Forwarding".

Data Flow:

1—The gateway ProxySG appliance accepts requests from a downstream proxy or directly from clients.

2—Host forwarding configuration on the gateway ProxySG appliance routes requests to the Web Security Service over ports 8080 (HTTP proxy host carrying unintercepted HTTPS/SSL traffic) and 8443 (HTTPS server host carrying HTTP traffic plus the user/group header information, encrypted). If the ProxySG appliance is running SGOS 6.4.x or later, you can configure it to intercept some SSL traffic locally; you can then create an additional forwarding host on port 8084.

The gateway ProxySG sends the user identity and group affiliation (added to the request).

The gateway firewall must allow ports 8080, 8443, and 8084 (if configured). See Required Ports and Protocols.


3—The Blue Coat Auth Connector application allows the Web Security Service to communicate with your Active Directory and provide the user/group information to the service for use in custom policy creation. See Enable User/Group Names Custom Policy (Auth Connector).

If the primary Active Directory goes down and you have a backup Active Directory/Auth Connector configuration, seamless failover occurs.

4—The Web Security Service configuration and policy extracts the user information from the request to complete transaction authentication and sends the content request to the web.

Why Select This Method?

- Your Secure Web Gateway solution already implements proxies.
- Supports using any standard method to route user web traffic: PAC file (explicit proxy), browser settings, WCCP, and inline.
- Enables you to leverage policy-based routing and route selected groups to the Web Security Service.


About Microsoft ISA/TMG Proxy Forwarding

The Blue Coat Web Security Service supports a deployment where Microsoft® Internet Security and Acceleration (ISA)™ 2006 or Microsoft Forefront Threat Management Gateway (TMG)™ proxy servers forward information about authenticated user sessions. To do this, you must install the Blue Coat Internet Server Application Programming Interface (ISAPI) filter (also known as the Blue Coat ISA Filter) on the ISA/TMG server. This filter, which is a Dynamic Link Library (DLL), extends the functionality of the ISA/TMG server to add the authenticated user name and client IP address to the HTTP headers in the client requests it forwards to the Web Security Service, which in turn uses this information to perform user-based policy decisions. AES encryption of the forwarded traffic provides a central yet secure reporting solution for all locations.

By default, when the Blue Coat ISA filter is installed, the ISA/TMG adds the following HTTP headers to the requests it sends to the service:

- X-Forwarded-For: Used to forward the client IP address.
- BC_Auth_User and BC_Auth_Groups: Used to forward the authenticated user name and group membership (if available). The value in each field is base-64 encoded. If the current session is unauthenticated, the ISA/TMG server does not include a value for these headers.

These are ordinary request headers that any client able to reach the service could also set; the service relies on the Proxy Forward location (the registered gateway IP/subnet, see "Add a Proxy Forward Location") to know that they were added by your ISA/TMG server rather than by an arbitrary client.

Although these are the only headers that the Blue Coat ISA filter adds by default, you can edit the bc-isapi-filter.ini file to include any additional headers that you require by associating a header name with an ISA server variable and an encoding type for the header value. Non-standard HTTP headers typically begin with X- and they must end with a colon (:).


Data Flow

1—The gateway ISA/TMG appliance accepts requests directly from clients (or a downstream proxy) and validates user and group memberships.

2—The installed ISA filter on the ISA/TMG device routes requests to the Web Security Service over ports 8080 (HTTP proxy for HTTPS and SSL traffic) and 8443 (HTTPS server for HTTP traffic plus the user/group header information the filter adds).

3—The Web Security Service extracts the user information from the request to complete transaction authentication. The service processes the web request and returns the content to the user if that content is allowable by policy and is found free of malware.
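What "extracts the user information from the request" has to involve on the receiving side, as an added example that is not Blue Coat code: the following Python parses the headers described above (X-Forwarded-For, and the base-64 BC_Auth_User and BC_Auth_Groups), handles the unauthenticated case where the headers are absent, and, because these are ordinary request headers that any client could set, honours them only when the TCP peer is a registered proxy forward location. The location subnets, the sample requests, and the comma-separated group list inside BC_Auth_Groups are constructed assumptions for the example.

```python
"""Receiving-side handling of the identity headers a forwarding ISA/TMG adds.

Added example, not Blue Coat code. Location subnets, sample requests and the
comma-separated group list are constructed assumptions."""
import base64
import binascii
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed: gateway IP/subnets registered as Proxy Forward locations on the service.
REGISTERED_LOCATIONS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


@dataclass
class ForwardedIdentity:
    trusted: bool                    # did the request arrive from a registered location?
    client_ip: Optional[str] = None  # from X-Forwarded-For
    user: Optional[str] = None       # from BC_Auth_User
    groups: list = field(default_factory=list)  # from BC_Auth_Groups


def parse_headers(raw: bytes) -> dict:
    """Return the headers of an HTTP/1.x request as a dict with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _b64_text(value: str) -> Optional[str]:
    """Decode a base-64 header value; malformed input counts as absent, never as a name."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def extract_identity(peer_ip: str, raw_request: bytes) -> ForwardedIdentity:
    """Derive the identity that policy may use from a forwarded request.

    BC_Auth_* and X-Forwarded-For are plain request headers, so any host that can
    reach the service could send them. They are honoured only when the TCP peer is
    a registered proxy forward location; otherwise the request is unauthenticated."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in REGISTERED_LOCATIONS):
        return ForwardedIdentity(trusted=False)

    headers = parse_headers(raw_request)
    # X-Forwarded-For may already hold a chain from downstream proxies; the entry
    # appended by the trusted ISA/TMG is the last one.
    xff = headers.get("x-forwarded-for")
    client_ip = xff.split(",")[-1].strip() if xff else None

    user = _b64_text(headers["bc_auth_user"]) if "bc_auth_user" in headers else None
    groups = []
    if "bc_auth_groups" in headers:
        decoded = _b64_text(headers["bc_auth_groups"])
        if decoded:
            # Assumption for the example: groups are comma-separated before encoding.
            groups = [g.strip() for g in decoded.split(",") if g.strip()]
    return ForwardedIdentity(trusted=True, client_ip=client_ip, user=user, groups=groups)


def _request(lines) -> bytes:
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed sample requests (not captured traffic).
SAMPLE_AUTHENTICATED = _request([
    b"GET http://example.com/ HTTP/1.1",
    b"Host: example.com",
    b"X-Forwarded-For: 10.1.2.3",
    b"BC_Auth_User: " + base64.b64encode(b"CORP\\alice"),
    b"BC_Auth_Groups: " + base64.b64encode(b"Sales,Engineering"),
])
SAMPLE_UNAUTHENTICATED = _request([
    b"GET http://example.com/ HTTP/1.1",
    b"Host: example.com",
    b"X-Forwarded-For: 10.1.2.4",
])

if __name__ == "__main__":
    for peer in ("203.0.113.10", "192.0.2.9"):
        print(peer, extract_identity(peer, SAMPLE_AUTHENTICATED))
```

The peer-address check is the whole point: the same request bytes yield a usable identity when they arrive from a registered location and an anonymous one when they arrive from anywhere else, so a client that crafts its own BC_Auth_User header gains nothing.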

Why Select This Method?

- Your Secure Web Gateway solution already implements an ISA/TMG proxy.
- Supports using any standard method to route user web traffic: PAC file (explicit proxy), browser settings, WCCP, and inline.
- Enables you to leverage policy-based routing and route selected groups to the Web Security Service.


Configure...

To forward traffic from an existing gateway proxy to the Blue Coat Web Security Service, plan the deployment, define a Proxy Forward location on the service, configure the proxy device, and then verify connectivity.

Plan

- "Plan the Forwarding Access Method"

Install

1. Prerequisite—To make use of user and group names in policy, the Auth Connector application integration with your Active Directory deployment is required.
   - Web Resource: http://portal.threatpulse.com/docs/am/AMDoc.htm#Deployment/Tasks/Auth/auth_cnnctr_config_ta.htm
   - PDF Resource: https://bto.bluecoat.com/documentation/web-security-service-solution-brief-auth-connector

2. If not yet existing, define a Proxy Forward location in the Web Security Service. A location instructs the Web Security Service to listen for traffic from specific proxy device IP addresses. See "Add a Proxy Forward Location".

3. Configure the proxy device to forward web requests to the Web Security Service.

   Blue Coat
   - "Proxy Forwarding: SGOS 5.x/6.x to Web Security Service"
   - "Proxy Forwarding: SGOS 4.3.x to Web Security Service"
   - "Reference: Additional Authentication CPL for SGOS MACH 5 Proxy Forwarding"

   Microsoft
   - "ISA/TMG: Install the ISA Filter" (required for Microsoft proxy deployments)
   - "Configure Microsoft ISA Proxy Forwarding to Web Security Service"
   - "Configure Microsoft TMG Proxy Forwarding to the Web Security Service"

Verify

- "Verify Web Security Service Connectivity to Locations"

Reference

- "Reference: Proxy Forwarding Policy"
- "Reference: Additional Authentication CPL for SGOS MACH 5 Proxy Forwarding"


Plan the Forwarding Access Method

The Blue Coat Web Security Service supports routing web/gateway traffic from ProxySG appliances or Microsoft Internet Security and Acceleration (ISA) 2006 or Microsoft Forefront Threat Management Gateway (TMG) proxy devices to the service for security processing.

Before beginning device configuration, Blue Coat recommends that you pre-record the required information. The following planning sheets provide default information and forms for you to enter information specific to your network.

ProxySG Appliance

Information | Comments | Values
Web Security Service hostname | Required during hostname configuration. | proxy.threatpulse.net
SGOS Version | | 4.3.x / 5.5.x, 6.1-6.3.x / 6.5.x+
Firewall Ports | Must be opened. | 8080, 8443
Firewall Ports | SGOS 6.4.x+, inspecting some SSL traffic locally: | 8084
Interest Group 1 | Group of interest forwarded to the Web Security Service. | ____
Interest Group 2 | | ____
Interest Group 3 | | ____
Interest Group 4 | | ____
Interest Group 5 | | ____

Next Step

- If you did not define a proxy forward location during the Initial Configuration process, proceed to "Add a Proxy Forward Location".
- If a proxy forward location already exists, proceed to "Forward Traffic Through a ProxySG Appliance to the Web Security Service".


Microsoft ISA/TMG Proxy Device

Information | Comments | Values
ISA/TMG Server Location | Network information | ____
Proxy Type | | ____ ISA (Windows Server 32-bit) / ____ TMG (Windows Server 64-bit)
Domain | | ____
Server Name | | ____
Folder for Blue Coat Filter File | | ____ Default / ____ Other: ____
Firewall Ports | Must be opened. | 8080, 8443
Authentication Filter Present on Proxy? | Required. Look in: System > Web Filters | ____ Yes / ____ No (must install one)
Web Security Service IP Addresses | Entered during ISA/TMG configuration. Your region dictates which IP addresses to enter. The format is: Region (Data Center location). | See the regional list below.

__ = Primary location; .... = Backup location

__ .... North America: West (Sunnyvale, CA): 199.19.248.164
__ .... North America: West (Seattle, WA): 199.116.168.164
__ .... North America: Central (Denver, CO): 8.39.233.132
__ .... North America: Central (Chicago, IL):
__ .... North America: South (Dallas, TX): 199.116.171.164
__ .... North America: East (Ashburn, VA): 199.19.250.164
__ .... North America: North East (New York, NY): 199.116.175.164
__ .... North America: South East (Miami, FL): 199.19.251.164
__ .... North America: North/Canada East (Toronto, Ontario, Canada): 38.64.174.164
__ .... North America: North/Canada East (Montreal, Quebec, Canada): 199.19.253.164
__ .... Central America (Mexico City, Mexico): 162.97.9.84
__ .... South America: North (Sao Paulo, Brazil): 189.125.138.212
__ .... South America: South (Buenos Aires, Argentina): 200.41.18.228
__ .... United Kingdom/Ireland/Scandinavia (London, England): Location 1: 46.235.152.164; Location 2: 185.2.196.164
__ .... France (Paris, France): 46.235.153.164
__ .... Switzerland/Italy (Zurich, Switzerland): 154.47.224.36
__ .... Sweden (Stockholm, Sweden): 46.235.155.164
__ .... Norway (Oslo, Norway): 193.240.54.68
__ .... Finland (Helsinki, Finland): 46.235.157.164
__ .... Australia (Sydney, Australia): 103.246.36.164
__ .... Eastern Europe (Frankfurt, Germany): 46.235.154.164
__ .... Spain/Portugal (Madrid, Spain): 193.240.117.164
__ .... Italy (Milan, Italy): 193.240.122.164
__ .... Israel (Tel Aviv, Israel): 81.218.44.68
__ .... South Africa (Johannesburg, South Africa): 197.96.129.164
__ .... Japan/Far East (Tokyo): 103.246.39.164
__ .... South Korea (Seoul, South Korea): 203.246.168.164
__ .... Singapore (Singapore): 103.246.37.164 (Active 12/11/14)
__ .... Hong Kong (Hong Kong): 103.246.37.132
__ .... India/Western APAC (Mumbai, India): 180.179.142.84
__ .... India/Western APAC (Chennai, India): 180.179.40.84
__ .... Taiwan (Taipei, Taiwan): 61.58.46.164
__ .... China (Shanghai, China): 211.147.76.84 (Active 12/10/14)

Blue Coat continues to add global locations. If you are not in a location specified above, use the following guidelines:

- Southern Europe (Mediterranean): Use Frankfurt or Paris, but not London.
- Middle East and North Africa: Use Frankfurt or Paris, but not London.
- Netherlands and Belgium: Use London or Paris.

Interest Group 1 | Group of interest sent to the Web Security Service. | ____
Interest Group 2 | | ____
Interest Group 3 | | ____
Interest Group 4 | | ____
Interest Group 5 | | ____

Next Step

- If you did not define a proxy forward location during the Initial Configuration process, proceed to "Add a Proxy Forward Location".
- If a proxy forward location already exists, proceed to "Proxy Forwarding: ISA 2006/TMG 2010 to the Web Security Service".


Add a Proxy Forward Location

Each forwarding host that is configured to send web traffic to the Blue Coat Web Security Service requires an equivalent location configuration. The service supports forwarded traffic from Blue Coat ProxySG appliances and Microsoft Internet Security and Acceleration (ISA) 2006 or Microsoft Forefront Threat Management Gateway (TMG) proxy servers.

For more proxy forwarding information, refer to Blue Coat Web Security Service WebGuide: Access Methods.

1. In Service Mode, select Network > Locations.
2. Click Add Location.
3. Complete the Location dialog.
   a. Name the location. For example, a location designation or employee group identification name.
   b. Select Proxy Forwarding as the Access Method.
   c. Enter the gateway IP/Subnet that you defined in the ProxySG forwarding host configuration dialog or ISA/TMG policy. The service listens for forwarded traffic only from the proxy device addresses configured here.
   d. Select the Estimated User range that will send web requests through this gateway interface. Blue Coat uses this information to ensure proper resources.
   e. Select the Country where the gateway device resides and the Time Zone, fill out location information, and (optional) enter Comments.
   f. Click Save.


Forward Traffic Through a ProxySG Appliance to the Web Security Service

The Blue Coat Web Security Service supports forwarding web (ports 80 and 443) traffic from existing gateway ProxySGs running 4.3.x, 5.4.x, 5.5.x, or 6.x.

- "Proxy Forwarding: SGOS 4.3.x to Web Security Service"
- "Proxy Forwarding: SGOS 5.x/6.x to Web Security Service"


Proxy Forwarding: SGOS 5.x/6.x to Web Security Service

To configure an existing gateway ProxySG appliance to forward HTTP/HTTPS traffic from downstream devices/clients up to the Blue Coat Web Security Service, you must create forwarding hosts that carry HTTP, HTTPS, and SSL traffic. The forwarding policy installed on the ProxySG directs traffic to the correct forwarding host.

- Required: HTTP—Traffic forwarded on port 8443 (encrypted).
- Required: Unintercepted SSL—Traffic forwarded on port 8080.
- Optional: Intercepted SSL—A gateway ProxySG appliance running SGOS 6.4.x or later supports the deployment option where the local proxy performs SSL interception and forwards the user authentication information (in addition to traffic) to the Web Security Service on port 8084. If you configure the ProxySG to intercept some SSL traffic (for example, specific categories), you must create this additional forwarding host.

This task assumes that the ProxySG appliance is configured and functioning as a gateway proxy. The procedure demonstrates the SGOS 6.5.x Management Console.

TIPS

- Have your planning sheet ready for reference.
- If you create hosts with the example names in this procedure, you do not need to edit the installed forwarding policy.

Prerequisite—Verify that proper authentication is configured on the ProxySG appliance.

To display user names in reports and make user names and groups available for custom policy, the ProxySG appliance must have authentication configured. For more information about Proxy Edition authentication, refer to the document for your SGOS release:

- SGOS 5.5: https://bto.bluecoat.com/doc/12586
- SGOS 6.1: https://bto.bluecoat.com/doc/14781
- SGOS 6.2: https://bto.bluecoat.com/doc/16698
- SGOS 6.3 and 6.4: https://bto.bluecoat.com/sgos/ProxySG/63/Authentication_WebGuide/Authentication_WebGuide.htm
- SGOS 6.5: https://bto.bluecoat.com/sgos/ProxySG/65/Authentication_WebGuide/Authentication_WebGuide.htm

For MACH 5 Edition ProxySG appliances, authentication configuration requires adding additional authentication Content Policy Language (CPL) to the Local policy file. See "Reference: Additional Authentication CPL for SGOS MACH 5 Proxy Forwarding".

Step 1—Verify that the External/Explicit HTTP proxy services are enabled and set the HTTPS proxy service's Proxy Setting to TCP Tunnel.

To avoid connection issues, the External HTTP or Explicit HTTP proxy services (configured together for ports 80 and 8080) must be enabled, and the HTTPS proxy service must be configured to use TCP Tunnel as the Proxy Setting.

1. In the ProxySG appliance Management Console, select Configuration > Services > Proxy Services.
2. Verify that either the Explicit HTTP or the External HTTP service is enabled (set to Intercept); which service depends on your gateway deployment method.
3. Configure the HTTPS service to use TCP Tunnel.


   a. Select the HTTPS service.
   b. In Proxy Settings, select TCP Tunnel; clear the Detect Protocol option.
   c. (Recommended) Select Early Intercept.
   d. Clear the Enable ADN option.
   e. Set the Action to Intercept.
   f. Click OK.
4. Click Apply.


Step 2—Create a Server Forwarding Host for HTTP (Port 8443).

Forwards HTTP traffic, with an encrypted connection, to the Web Security Service.

1. In the Management Console, select the Configuration > Forwarding > Forwarding Hosts > Forwarding Hosts tab.
2. Click New. The Management Console displays the Add Forwarding Hosts dialog.
3. Create the Web Security Service host.
   a. Enter an Alias name for the host. For example: ThreatPulseSecure8443.
   b. Enter the Web Security Service Host name: proxy.threatpulse.net (unless you were given another service point name).
   c. Select Server.
   d. Clear the Ports: HTTP option.
   e. Enter 8443 in the Ports: HTTPS field and clear the Verify SSL server certificate option. Note that with this option cleared, the ProxySG does not validate the certificate that the service presents on port 8443; the connection is still encrypted, but the service endpoint is not authenticated by the appliance.


   f. Host Affinity Methods—HTTP: Select Client IP Address.
   g. Click OK to close the dialog.
4. Click Apply.

Step 3—Create a Proxy Forwarding Host for Unintercepted SSL (Port 8080).

Forwards HTTPS, SSL, and TCP traffic to the Web Security Service. Installed policy directs the traffic over port 8080 or 443. If configured, the Web Security Service intercepts SSL for policy inspection.

1. In the Management Console, select the Configuration > Forwarding > Forwarding Hosts > Forwarding Hosts tab.
2. Click New. The Management Console displays the Add Forwarding Hosts dialog.
3. Create the Web Security Service host.


   a. Enter an Alias name for the host. For example: ThreatPulseHTTP8080.
   b. Enter the Web Security Service Host name: proxy.threatpulse.net (unless you were given another service point name).
   c. Select Proxy.
   d. Enter 8080 in the Ports: HTTP field.
   e. Click OK to close the dialog.
4. Click Apply.

Step 4—(Optional) Create a Proxy Forwarding Host for Locally Intercepted SSL Traffic (Port 8084).

If your gateway ProxySG appliance is running SGOS 6.4.x or later and you have configured it to intercept some SSL traffic for local inspection and user authentication forwarding, configure a forwarding host for port 8084.

1. In the Management Console, select the Configuration > Forwarding > Forwarding Hosts > Forwarding Hosts tab.
2. Click New. The Management Console displays the Add Forwarding Hosts dialog.
3. Create the Web Security Service host.
   a. Enter an Alias name for the host. For example: ThreatPulseInterceptedHTTPS8084.
   b. Enter the Web Security Service Host name: proxy.threatpulse.net (unless you were given another service point name).
   c. Select Proxy.
   d. Enter 8084 in the Ports: HTTP field.
   e. Host Affinity Methods—HTTP: Select Client IP Address.
   f. Click OK to close the dialog.
4. Click Apply.

Step 5—On the gateway ProxySG appliance, define policy that sends traffic to the forwarding host.

1. In the Management Console, select the Configuration > Policy > Policy Files tab.
2. Install the forwarding policy:
   a. In the Install Policy area, select Text Editor from the Install Forward File From drop-down list.
   b. Click Install; the Edit and Install the Forward File dialog displays.
   c. Enter the forwarding policy at the end of any existing forwarding policy. To copy and paste in a template created by Blue Coat, see "Reference: Proxy Forwarding Policy".
   d. Click Install to close the dialog.
3. This step is required if these groups are not currently referenced in the gateway proxy policies or if you want the ability to define Web Security Service policy against these groups.

   Define policy that lists the groups of interest that are allowed access to the Web Security Service. Add this policy to the Forward file or the Central file (if you use one for easier distribution).
   a. In the Install Policy area, select Text Editor from the Install Forward File From or Install Central File From drop-down list.
   b. Click Install; the Edit and Install the File dialog displays.
   c. Paste in the following policy, which defines the groups of interest that are subject to Web Security Service policy and are visible in reports. Add this at the end of any existing central policy:

      define condition threatpulse_groups
         group = (group_name, group_name, group_name)
      end

   d. Click Install to close the dialog.
4. Click Apply.
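To check the routing rules that Steps 2 through 5 set up before editing the forward file, here is an added Python model of the decision the forwarding policy makes; it is not Blue Coat's CPL template and not code from this document. The host aliases are the example names used in this procedure; the group names, the sgos_version tuple, the ssl_intercepted flag and the sample requests are assumptions made for the example.

```python
"""Model of the gateway ProxySG forwarding decision (added example, not CPL).

Host aliases match the procedure's examples; group names, version tuple and the
ssl_intercepted flag are constructed for this example."""
from dataclasses import dataclass
from typing import Optional

# Groups of interest, mirroring the threatpulse_groups CPL condition. Constructed names.
THREATPULSE_GROUPS = frozenset({"Sales", "Engineering"})


@dataclass(frozen=True)
class ForwardingHost:
    alias: str
    port: int
    kind: str  # "server": HTTPS server host; "proxy": HTTP proxy host


# The three hosts from Steps 2 to 4, with the example aliases used there.
HTTP_HOST = ForwardingHost("ThreatPulseSecure8443", 8443, "server")
TUNNEL_HOST = ForwardingHost("ThreatPulseHTTP8080", 8080, "proxy")
INTERCEPTED_HOST = ForwardingHost("ThreatPulseInterceptedHTTPS8084", 8084, "proxy")


@dataclass(frozen=True)
class Request:
    method: str
    scheme: str                    # "http" or "https"
    user_groups: frozenset         # groups of the authenticated user
    ssl_intercepted: bool = False  # the gateway decrypted this HTTPS request itself


def select_forwarding_host(req: Request, sgos_version: tuple,
                           intercept_host_defined: bool) -> Optional[ForwardingHost]:
    """Return the host a request is forwarded to, or None to leave it on the
    gateway's normal direct path."""
    if not (req.user_groups & THREATPULSE_GROUPS):
        # Users outside the groups of interest never reach the service.
        return None
    if req.scheme == "https" and req.ssl_intercepted:
        # Locally decrypted HTTPS needs the dedicated 8084 host, which the document
        # allows only on SGOS 6.4.x and later; it must not be sent as plain HTTP
        # through the 8080 proxy host.
        if sgos_version < (6, 4):
            raise ValueError("forwarding locally intercepted SSL requires SGOS 6.4.x or later")
        if not intercept_host_defined:
            raise ValueError("create the port 8084 forwarding host before intercepting SSL")
        return INTERCEPTED_HOST
    if req.scheme == "https" or req.method == "CONNECT":
        # Unintercepted SSL is tunnelled through the HTTP proxy host on 8080.
        return TUNNEL_HOST
    # Plain HTTP, plus the user/group headers, rides the encrypted 8443 server host.
    return HTTP_HOST


def route_sample(sgos_version: tuple = (6, 5), intercept_host_defined: bool = True) -> dict:
    """Route a constructed batch of requests; returns alias (or None) per request."""
    samples = {
        "http_get_sales": Request("GET", "http", frozenset({"Sales"})),
        "connect_eng": Request("CONNECT", "https", frozenset({"Engineering"})),
        "intercepted_https": Request("GET", "https", frozenset({"Sales"}), True),
        "http_get_guest": Request("GET", "http", frozenset({"Guests"})),
    }
    result = {}
    for name, req in samples.items():
        host = select_forwarding_host(req, sgos_version, intercept_host_defined)
        result[name] = host.alias if host else None
    return result


if __name__ == "__main__":
    for name, alias in route_sample().items():
        print(f"{name:18} -> {alias}")
```

The two ValueError branches are the deployment mistakes the document warns about: intercepting SSL on a gateway below SGOS 6.4.x, or intercepting it before the 8084 host exists, would leave decrypted traffic with nowhere legitimate to go.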

Step 6—Other required ProxySG appliance configuration best practices.

Enable port randomization and allow for the full TCP/IP port range.

From the ProxySG CLI (enable > configure mode), enter the following commands:

#config term
#(config) tcp-ip inet-lowport 16384
#(config) tcp-ip tcp-randomize-port enable
#(config) exit

Do not use the Reflect Client IP option because this disables port randomization, which forces the use of another, not-recommended port mapping algorithm.

- ProxySG Management Console: Select the Configuration > Proxy Settings > General > General tab and clear the Reflect client's source IP when connecting to servers option.
- ProxySG CLI (enable > configure mode):

SGOS#(config) general
SGOS#(config general) reflect-client-ip disable


The Reflect Client IP option is also available in policy. Verify that you do not have any policy actions that enable Reflect Client IP.

Next Steps

1. Configure the gateway firewall device to allow traffic from the gateway ProxySG appliance on ports 8080, 8443, and, if configured here, 8084.
2. Return to the Web Security Service and verify that it is processing web traffic forwarded from the proxy. See "Verify Web Security Service Connectivity to Locations".


Proxy Forwarding: SGOS 4.3.x to Web Security Service

To configure an existing gateway ProxySG to forward HTTP/HTTPS traffic from downstream devices/clients up to the Blue Coat Web Security Service, you must create one HTTP proxy forwarding host that carries encrypted traffic (HTTPS and SSL) to the Web Security Service and one HTTPS server host that carries HTTP traffic and the user/group information (both encrypted).

This task assumes that the ProxySG appliance is configured and functioning as a gateway proxy.

Have your planning sheet ready for reference.

Step 1—Add the HTTP proxy forwarding host (port 8080) and the HTTPS server forwarding host (port 8443) to the Forwarding File on the gateway ProxySG appliance.

1. In the Management Console, select the Configuration > Forwarding > Forwarding Hosts > Install Forwarding File tab.
   a. From the drop-down list, select Text Editor.
   b. Click Install. The device displays the Edit and Install the Forwarding Settings dialog.
   c. Add (or paste in) the following host information:

fwd_host ThreatPulseHTTP8080 proxy.threatpulse.net http=8080 ssl-verify-server=no


fwd_host ThreatPulseSecure8443 proxy.threatpulse.net https=8443 ssl-verify-server=no server host-affinity-ssl=client-ip-address

d. Click Install.

Step 2—On the gateway ProxySG appliance, define policy that sends traffic to the forwarding host.

1. In the Management Console, select the Configuration > Policy > Policy Files tab.
2. Install the forwarding policy:
   a. In the Install Policy area, select Text Editor from the Install Forward File From drop-down list.
   b. Click Install; the device displays the Edit and Install the Forward File dialog.
   c. Enter the forwarding policy at the end of any existing forwarding policy. To copy and paste in a template created by Blue Coat, see "Reference: Proxy Forwarding Policy".
   d. Click Install to close the dialog.
3. This step is required if these groups are not currently referenced in the gateway proxy policies or if you want the ability to define Web Security Service policy against these groups.

   Define policy that lists the groups of interest that are allowed access to the Web Security Service. Add this policy to the Forward file or the Central file (if you use one for easier distribution).
   a. In the Install Policy area, select Text Editor from the Install Forward File From or Install Central File From drop-down list.
   b. Click Install; the Edit and Install the Central File dialog displays.
   c. Paste in the following policy, which defines the groups of interest that are subject to Web Security Service policy and are visible in reports. Add this at the end of any existing central policy:

      define condition threatpulse_groups
         group = (group_name, group_name, group_name)
      end

   d. Click Install to close the dialog.
4. Click Apply.

Next Steps

1. Configure the gateway firewall device to allow traffic from the gateway ProxySG on ports 8080 and 8443.
2. Return to the Web Security Service and verify that it is processing web traffic forwarded from the proxy. See "Verify Web Security Service Connectivity to Locations".


Proxy Forwarding: ISA 2006/TMG 2010 to the Web Security Service

Configure an existing gateway Microsoft Internet Security and Acceleration (ISA) 2006 or Microsoft Forefront Threat Management Gateway (TMG) proxy server to forward HTTP/HTTPS traffic from downstream devices/clients up to the Blue Coat Web Security Service.

Configuration requires two high-level steps:

1. Download and install the Blue Coat ISA filter on the ISA or TMG device. See "ISA/TMG: Install the ISA Filter".
2. Configure the ISA or TMG device policy that sends the appropriate information to the Web Security Service.
   - "Configure Microsoft ISA Proxy Forwarding to Web Security Service"
   - "Configure Microsoft TMG Proxy Forwarding to the Web Security Service"


ISA/TMG: Install the ISA Filter

Configuring a Microsoft Internet Security and Acceleration (ISA) 2006 or Forefront Threat Management Gateway (TMG) proxy/firewall server to send web requests plus user identification information to the Blue Coat Web Security Service requires two phases. The first phase, described on this page, is to install the Blue Coat ISA filter program on the ISA/TMG device. The installation process copies the appropriate DLL and INI files to the selected folder and registers the filter with the ISA/TMG server.

Step 1—Download the ISA filter.

1. Access the download location.

http://portal.threatpulse.com/dl/isa/filter/bcisafilter-setup.exe

2. When prompted, save the bcisafilter.zip file to the ISA/TMG server. Because the filter is a DLL that the ISA/TMG server itself loads, and the download above is served over plain HTTP, verify the installer's authenticity (for example, its publisher signature) before running it on the proxy.

Step 2—Unzip the ISA filter file and begin the wizard.

1. Unzip the bcisafilter.zip file.
2. Double-click the bcisafilter.exe file, which launches the installation wizard.
3. Click Next on the first screen.

Step 3—As prompted by the wizard, install the filter file.

1. Specify an Installation Folder for the ISA Filter. Accept the default location (C:\Program Files\Blue Coat Systems\ISAFilter) or browse to a different location. Click Next.
2. Select Forwarding to the ThreatPulse Cloud Service and click Next.
3. To begin the installation, click Install. When the installation completes, click Next.

Step 4—Verify that the Blue Coat ISA filter successfully registered.

On the ISA server:

1. Select Start > Programs > Microsoft ISA Server > ISA Server Management.
2. In the Configuration section, select Add-ins.
3. Select the Web-filter tab and verify that the Blue Coat ISAPI Filter displays.

On the TMG server:

1. Select Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG Management.
2. In the System section, select Add-in.
3. Select the Web-filter tab and verify that the Blue Coat ISAPI Filter displays.

Next Step

Click one of the following links, determined by which Microsoft proxy you have deployed, to proceed to the second phase:

- "Configure Microsoft ISA Proxy Forwarding to Web Security Service" on the facing page
- "Configure Microsoft TMG Proxy Forwarding to the Web Security Service" on page 41


Configure Microsoft ISA Proxy Forwarding to Web Security Service

Configuring a Microsoft Internet Security and Acceleration (ISA) 2006 proxy/firewall server to send web requests plus user identification information to the Blue Coat Web Security Service requires two phases. The first phase was to install the Blue Coat ISA filter ("ISA/TMG: Install the ISA Filter" on page 29). The second phase, described on this page, is to define policy on the ISA server.

Prerequisites.

- Have your planning sheet available.
- The ISA server must be running Windows 2003 Server (32-bit).
- This procedure assumes that the server is already configured and operating.
- Verify the existence of an authentication filter. An authentication filter that can perform the authentication to the user's workstation must be configured. This is usually a Microsoft Web filter and is usually already installed by default. Look in System > Web Filters.

Step 1—Create a Firewall Policy/Access Rule for Web traffic (HTTP and HTTPS).

1. If the default location was set during the ISA server installation, select Start > All Programs > Microsoft ISA Server > ISA Server Management. The server management interface displays.

2. From the left-side option tree, select Arrays > Firewall Policy.
3. Add a new Access Rule.

   a. In the Task tab, click Create Access Rule. The interface displays the New Access Rule Wizard.
   b. Name the access rule. For example, Web Browsing.
   c. Click Next.

4. On the Rule Action screen, select Allow and click Next.
5. Add the HTTP and HTTPS protocols.

   a. Click Add. The interface displays the Add Protocols dialog.
   b. Select HTTP and click Add.
   c. Repeat for HTTPS.
   d. Close the dialog.
   e. Click Next.

6. This rule applies to all networks and local hosts.

   a. Click Add. The interface displays the Add Network Entities dialog.
   b. Select Network Sets > All Networks (and Local Host) and click Add.
   c. Close the dialog.
   d. Click Next.

7. This rule applies to all external destinations.

   a. Click Add. The interface displays the Add Network Entities dialog.
   b. Select Enterprise Networks > External and click Add.
   c. Close the dialog.
   d. Click Next.

8. This rule applies to authenticated users.

   a. The default is All Users. Select this object and click Remove.
   b. Click Add. The interface displays the Add Users dialog.
   c. Select All Authenticated Users and close the dialog.

9. Review the rule summary and click Finish.

Step 2—Create another access rule for DNS for all users to both internal and external sources.

1. Click Create Access Rule. The interface displays the New Access RuleWizard.

2. Follow the wizard:

   a. Name: DNS Allow.
   b. Rule Action: Allow.
   c. Protocols: DNS.
   d. Source: Internal.
   e. Destination: Internal and External.
   f. User Sets: All Users (the default).
   g. Click Next and Finish to add the rule.

Step 3—Create an access rule to allow for Auth Connector TCP connections on port 443 (SSL).

1. Click Create Access Rule. The interface displays the New Access Rule Wizard.
2. Name the rule. For example, AuthConnector-SSL. Click Next.
3. Rule Action: select Allow.


4. You must add the SSL protocol with the 443 port.

   a. Select Add > Protocol. The interface displays the Add Protocols dialog.
   b. Name the new protocol. For example, TCP-SSL.
   c. Click Next.

5. Add the 443 port.

   a. Click New. The interface displays the New/Edit Protocol Connection dialog.
   b. Port Range: enter 443 in both the From and To fields.
   c. Click OK.
   d. Secondary Connections: No.
   e. Click Finish.
   f. Add the protocol.


The new object is in the User-Defined folder of the Add Protocols dialog. Add it and click Close.

6. Complete the rule wizard:

   a. Source: Internal.
   b. Destination: External.
   c. User Sets: All Users.
   d. Click Finish to complete the rule.

Step 4—Create a Network/Web Chaining rule that sends Web traffic to the Web Security Service.

1. Modify the existing default Web Chaining rule:

   a. From the left-side option tree, select Arrays > Configuration > Networks.
   b. Click the Web Chaining tab.
   c. Double-click the default Last Default Rule. The interface displays the Default Rule Properties dialog.

2. Add the Web Security Service IP address for your region.

   a. Select the Redirecting them to a specified upstream server option.
   b. Click Settings. The interface displays the Upstream Server Setting dialog.
   c. Enter the Server address, which is the Web Security Service IP address for your region. Refer to your planning sheet or this region list.
   d. Click OK in each dialog to add the rule.

3. If your region requires a second Web Security Service IP address, repeat Step 4 and add it.

Step 5-Verify that the Microsoft Firewall service is running.

1. In Windows, select Start > Run. The interface displays the Run dialog.
2. Enter services.msc and click OK.
3. Scroll down to the Microsoft services and verify that the Status column for Microsoft Firewall displays Started.

   If it is not, right-click the line and select Start.

Step 6-Add AD groups of interest to the bc-isapifilter.ini file.

To forward credentials from the Active Directory to the Web Security Service, you must add those groups to the bc-isapifilter.ini file. Blue Coat recommends adding all groups of interest. If a group is not added, the Web Security Service still generates the Web traffic from those clients; however, the user names are not available for policy.

1. In Windows Explorer, navigate to where the bc-isapifilter.ini file resides.

   a. By default, the location is C:\Program Files\Blue Coat Systems\ISAFilter.
   b. Double-click the bc-isapifilter text file (not the .dll file).

2. Add the groups of interest.

   The format for each group of interest is: Domain\Group_Name. Ensure that they precisely match the Active Directory entries.

   Paste or define groups of interest in a separate file, validate them, and paste them into this file.

3. Save and close the file.

Next Steps

1. Configure the gateway firewall device to allow traffic from the gateway ProxySG on ports 8080 and 8443.
2. Return to the Web Security Service and verify that it is processing web traffic forwarded from the proxy. See "Verify Web Security Service Connectivity to Locations" on page 51.


Configure Microsoft TMG Proxy Forwarding to the Web Security Service

Configuring a Forefront Threat Management Gateway (TMG) 2010 proxy/firewall server to send Web requests plus user identification information to the ThreatPulse service requires two phases. The first phase was to install the Blue Coat ISA filter. The second phase, described on this page, is defining policy on the TMG server.

Prerequisites

- Have your planning sheet available. Click this link.
- The TMG server must be running Windows 2008 Server (64-bit).
- This procedure assumes that the server is already configured and operating.
- Verify the existence of an authentication filter. An authentication filter that can perform the authentication to the user's workstation must be configured. This is usually a Microsoft Web filter and is usually already installed by default. Look in System > Web Filters. If it is not, work with your Microsoft account.

Step 1—Create a Firewall Policy/Access Rule for Web traffic (HTTP and HTTPS).

1. If the default location was set during the ISA server installation, select Start > All Programs > Microsoft Forefront TMG > Forefront TMG Management. The device displays the server management interface.

2. From the left-side option tree, select Forefront TMG > Firewall Policy.
3. Add a new Access Rule.

   a. In the Task tab, click Create Access Rule. The interface displays the New Access Rule Wizard.
   b. Name the access rule. For example, Web Browsing.
   c. Click Next.

4. On the Rule Action screen, select Allow and click Next.
5. Add the HTTP and HTTPS protocols.

   a. Click Add. The interface displays the Add Protocols dialog.
   b. Select HTTP and click Add.
   c. Repeat for HTTPS.
   d. Close the dialog.
   e. Click Next.

6. Select Do not enable malware inspection for this rule and click Next.
7. This rule applies to all networks and local hosts.

   a. Click Add. The interface displays the Add Network Entities dialog.
   b. Select Network Sets > All Networks (and Local Host) and click Add.
   c. Close the dialog.
   d. Click Next.

8. This rule applies to all external destinations.

   a. Click Add. The interface displays the Add Network Entities dialog.
   b. Select Enterprise Networks > External and click Add.
   c. Close the dialog.
   d. Click Next.

9. This rule applies to authenticated users.

   a. The default is All Users. Select this object and click Remove.
   b. Click Add. The interface displays the Add Users dialog.
   c. Select All Authenticated Users and close the dialog.

10. Review the rule summary and click Finish.

Step 2—Create another access rule for DNS for all users to both internal and external sources.

1. Click Create Access Rule. The interface displays the New Access RuleWizard.

2. Follow the wizard:

   a. Name: DNS Allow.
   b. Rule Action: Allow.
   c. Protocols: DNS.
   d. Source: Internal.
   e. Destination: Internal and External.
   f. User Sets: All Users (the default).
   g. Click Next and Finish to add the rule.

Step 3—Create an access rule to allow for Auth Connector TCP connections on port 443 (SSL).

1. Click Create Access Rule. The interface displays the New Access Rule Wizard.
2. Name the rule. For example, AuthConnector-SSL. Click Next.
3. Rule Action: select Allow.


4. You must create the SSL protocol with the 443 port.

   a. Click Add > Protocol. The interface displays the Add Protocols dialog.
   b. Name the new protocol. For example, TCP-SSL.
   c. Click Next.

5. Add the 443 port.

   a. Click New. The interface displays the New/Edit Protocol Connection dialog.
   b. Port Range: enter 443 in both the From and To fields.
   c. Click OK.
   d. Secondary Connections: No.
   e. Click Finish.
   f. Add the protocol.


The new object is in the User-Defined folder of the Add Protocols dialog. Add it and click Close.

6. Complete the rule wizard:

   a. Source: Internal.
   b. Destination: External.
   c. User Sets: All Users.
   d. Click Finish to complete the rule.

Step 4—Create a Network/Web Chaining rule that sends Web traffic to the ThreatPulse service.

1. Modify the existing default Web Chaining rule:

   a. From the left-side option tree, select Networking.
   b. Click the Web Chaining link.
   c. Double-click the default Last Default Rule. The interface displays the Default Rule Properties dialog.

2. Add the Web Security Service IP address for your region.

   a. Select the Redirecting them to a specified upstream server option.
   b. Click Settings. The interface displays the Upstream Server Setting dialog.
   c. Enter the Server address, which is the Web Security Service IP address for your region. Refer to your planning sheet or this region list.
   d. Click OK in each dialog to add the rule.

3. If your region requires a second Web Security Service IP address, repeat Step 4 and add it.

Step 5-Verify that the Microsoft Firewall service is running.

1. In Windows, select Start > Run. The interface displays the Run dialog.
2. Enter services.msc and click OK.
3. Scroll down to the Microsoft services and verify that the Status column for Microsoft Firewall displays Started.

   If it is not, right-click the line and select Start.

Step 6-Add AD groups of interest to the bc-isapifilter.ini file.

To forward credentials from the Active Directory to the Web Security Service, you must add those groups to the bc-isapifilter.ini file. Blue Coat recommends adding all groups of interest. If a group is not added, the Web Security Service still generates the web traffic from those clients; however, the user names are not available for policy.

1. In Windows Explorer, navigate to where the bc-isapifilter.ini file resides.

   a. By default, the location is C:\Program Files\Blue Coat Systems\ISAFilter.
   b. Double-click the bc-isapifilter text file (not the .dll file).

2. Add the groups of interest.

   The format for each group of interest is: Domain\Group_Name. Ensure that they precisely match the Active Directory entries.

   Paste or define groups of interest in a separate file, validate them, and paste them into this file.

3. Save and close the file.
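The "validate them" step above, and the identical step in the ISA procedure earlier in this brief, can be scripted. The following is an added example, not part of the Blue Coat filter or its documentation: it checks candidate bc-isapifilter.ini entries for the Domain\Group_Name form and for an exact, case-sensitive match against a group list. The AD group names and candidate lines are constructed samples, and the function names are this example's own.

```python
"""Check bc-isapifilter.ini group entries before pasting them into the file.
Added example, not Blue Coat code. Each entry must be Domain\\Group_Name and
must match the Active Directory entry exactly, so comparison is case-sensitive.
"""
import re

# Domain\Group_Name: a domain with no backslash or leading whitespace, one
# backslash, then a non-empty group name (spaces inside the name are allowed).
ENTRY_RE = re.compile(r"^[^\\\s][^\\]*\\[^\\]+$")

# Constructed sample of group names as they appear in Active Directory.
SAMPLE_AD_GROUPS = ["CORP\\Finance", "CORP\\Domain Users", "CORP\\IT-Admins"]

# Constructed candidate lines, as someone might paste them into the .ini file.
SAMPLE_CANDIDATES = [
    "CORP\\Finance",        # exact match: accepted
    "corp\\it-admins",      # wrong case: would not match the AD entry
    "CORP\\Finance ",       # trailing space: would not match
    "Finance",              # missing Domain\ prefix
    "CORP\\Marketing",      # no such group in AD
    "",                     # blank line: ignored
    "CORP\\Domain Users",   # exact match (spaces in the name are fine)
    "CORP\\Finance",        # duplicate of line 1
]


def validate_groups(candidate_lines, ad_groups):
    """Return (accepted, problems). accepted keeps the entries that match AD
    exactly, in input order; problems is a list of (line_no, text, reason)."""
    known = set(ad_groups)
    by_fold = {g.casefold(): g for g in ad_groups}   # for case-mismatch hints
    accepted, problems, seen = [], [], set()
    for line_no, raw in enumerate(candidate_lines, 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue                                   # blank line
        if line != line.strip():
            problems.append((line_no, line, "leading/trailing whitespace"))
        elif not ENTRY_RE.match(line):
            problems.append((line_no, line, "not in Domain\\Group_Name form"))
        elif line in seen:
            problems.append((line_no, line, "duplicate entry"))
        elif line not in known:
            hint = by_fold.get(line.casefold())
            reason = (f"case differs from AD entry {hint}" if hint
                      else "no such group in AD")
            problems.append((line_no, line, reason))
        else:
            seen.add(line)
            accepted.append(line)
    return accepted, problems


def check_sample():
    """Run the validator over the constructed sample data."""
    return validate_groups(SAMPLE_CANDIDATES, SAMPLE_AD_GROUPS)


if __name__ == "__main__":
    ok, bad = check_sample()
    print("Entries to paste into bc-isapifilter.ini:")
    for entry in ok:
        print("  " + entry)
    for line_no, text, reason in bad:
        print(f"line {line_no}: {text!r}: {reason}")
```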

Next Steps

1. Configure the gateway firewall device to allow traffic from the gateway ProxySG on ports 8080 and 8443.
2. Return to the Web Security Service and verify that it is processing web traffic forwarded from the proxy. See "Verify Web Security Service Connectivity to Locations" on page 51.


Section 1 Verify Web Security Service Connectivity to Locations

After configuring access to the Blue Coat Web Security Service, verify that the service is receiving and processing content requests.

This is a generic section that demonstrates connection by multiple access methods.

All Locations

1. Click the Service link (upper-right corner).
2. Select Network > Locations.
3. Verify the status of each location.

Various icons represent the connection status.

Icon    Connection Status Description

[icon]  The Web Security Service recognizes the location and accepts web traffic.

[icon]  A location has been configured, but the Web Security Service cannot connect. Verify that the web gateway device is properly configured to route traffic.

[icon]  A previously successful Web gateway to Web Security Service configuration is currently not connected.

        - Firewall/VPN
          - Verify your firewall's public gateway address.
          - Verify the Preshared Key (PSK) in the portal matches that of your firewall configuration.
          - Verify that the server authentication mode is set to PSK.
        - Explicit Proxy
          - Verify the PAC file installation and deployment.
          - Verify that your network allows outbound requests on port 8080.
          - Do not attempt to use Explicit Proxy in conjunction with the Unified Agent: the client will detect that a proxy is in effect, assume a man-in-the-middle attack, and fail (open or closed depending on the settings).
        - Proxy Forwarding: Verify the gateway address in the forwarding host is correct.
        - Remote Users: Verify the Unified Agent/Client Connector installation. See the section below for more information.

Additional Step For Remote Users

To further verify that the Unified Agent running on remote clients is communicating with the Web Security Service, click (or double-click) the application icon in the menu bar and click Status.

Windows

If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.


Mac

If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.


References

This section describes the purpose of the Unified Agent application, which provides security to users who use corporate clients, such as laptops, outside of the corporate network.

- "Reference: Proxy Forwarding Policy" on the facing page
- "Reference: Additional Authentication CPL for SGOS MACH 5 Proxy Forwarding" on page 59


Reference: Proxy Forwarding Policy

The Blue Coat Web Security Service Proxy Forwarding Access Method requires policy that routes web traffic to the service. Specifically, the policy achieves the following:

- To protect credential information in the headers, the policy forwards HTTP traffic over a secure service.
- The policy forwards HTTPS and SSL traffic over the standard proxy service.
- The policy ignores all other traffic.

The following is the Content Policy Language (CPL) template that Blue Coat recommends appending to the existing ProxySG appliance Local policy file.

The lines that begin with a semi-colon (;) are CPL comments that provide commentary regarding the purpose of each policy construct.

The forwarding host names are examples; you must enter hosts that you defined in the Proxy Forwarding configuration topic.

For easier copying, pasting, and saving, right-click this ProxyForwardingCPL link and save the text file locally.

;;; $module=proxy_forwarding.cpl; $version=1
;
;
; Template for the Blue Coat Web Security Service Proxy Forwarding access method
; Version Date: 20130423
;
; IMPORTANT: This template contains sample policy. You might need to
; customize it for your location.
;
; The purpose of this policy is to decide what traffic is sent to
; the Blue Coat Web Security Service (the Cloud), and how that traffic
; gets forwarded.
; In most cases, it's easier to specify what not to route, such as:
; - Internal traffic.
; - Blue Coat Web Security Service management portal traffic.
; While it is difficult to inadvertently lock yourself
; out of administrative access, you can safely bypass it.
;
; Because of the restrictions on the type of condition referenced from
; CPL layers, define the bypass list twice--once for use in
; <Proxy> and <Cache> layers and once for use in <Forward> layers.
; These conditions unavoidably identify the same traffic.
;
; SGOS 5.4 supports a configuration definition for the internal
; network that can be directly tested. Previous versions must test
; against the internal network addresses explicitly.
;
#if release.version=5.4..
define condition BC_Cloud_Proxy_Bypass_List
    url.host.is_private=yes ; internal traffic
    ; Add any other public IPs that are not to route to the Web Security Service
    url.domain=portal.threatpulse.com ; threatpulse portal
    url.domain=bluecoat.com ; style sheets
end

define condition BC_Cloud_Forward_Bypass_List
    server_url.host.is_private=yes ; internal traffic
    health_check=yes ; Normally, don't forward health checks
    ; And any other additions required to keep it in line
    ; with the above BC_Cloud_Proxy_Bypass_List
    server_url.domain=portal.threatpulse.com ; threatpulse portal
end
#endif

#if release.version=..5.3
define subnet BC_Internal_subnets
    0.0.0.0/8
    10.0.0.0/8
    127.0.0.0/8
    172.16.0.0/12
    169.254.0.0/16
    192.168.0.0/16
    224.0.0.0/3
    ; Add any other subnets that are treated as internal
end

define condition BC_Cloud_Proxy_Bypass_List
    ; internal traffic
    url.address=BC_Internal_subnets
    ; Add any other public IPs that are not to route to the Web Security Service.
    url.domain=portal.threatpulse.com ; threatpulse portal
end

define condition BC_Cloud_Forward_Bypass_List
    ; internal traffic
    server_url.address=BC_Internal_subnets
    ; Add any other entries required to keep it in line
    ; with the above BC_Cloud_Proxy_Bypass_List
    server_url.domain=portal.threatpulse.com ; threatpulse portal
end
#endif

; Upon user authentication,
; pass the user-name and groups to the Web Security Service.
;
<Proxy Cloud_Auth> condition=!BC_Cloud_Proxy_Bypass_List
    authenticated=yes action.Auth_Cloud(yes)

; User and Group information are passed to the Web Security Service in
; special headers added to the request.
;
define action Auth_Cloud
    set( request.x_header.BC_Auth_User, "$(user:encode_base64)" )
    set( request.x_header.BC_Auth_Groups, "$(groups:encode_base64)" )
end

; If you plan to use the Web Security Service to enforce
; appropriate use policies (content filtering and application control),
; then you must either disable caching or ensure that you always
; verify access requests with the Web Security Service.
;
; Blue Coat recommends leaving caching on, and using always_verify().
;
<Cache Cloud_Verify_Cached_Authorization> condition=!BC_Cloud_Proxy_Bypass_List
    always_verify(yes) ; check for authorization

; In SGOS 6.1, has_client= is available in <Cache> layers,
; which provides the ability to mark the system (mostly refresh traffic) with
; a specific userID. This feature is not available in
; previous releases of SGOS (such as 5.x).
; This template marks the traffic with the userID "Refresh User"
; by setting the BC_Auth_User header to the base-64
; encoded version of that string.
;
#if release.version=6.1..
<Cache Cloud_Tag_System_traffic> condition=!BC_Cloud_Proxy_Bypass_List
    ; it is a system request (mostly refresh?)
    has_client=false action.Cloud_Auth_Refresh_Traffic(yes)

define action Cloud_Auth_Refresh_Traffic
    set( request.x_header.BC_Auth_User, "UmVmcmVzaCBVc2Vy" )
end
#endif

; Forward the desired traffic to the cloud.
; - Do not forward traffic on the bypass list.
; - Generally, do not forward health checks.
; - Because HTTP traffic has user and group information added, it is sent
;   over a secure tunnel.
; - Unintercepted HTTPS traffic is forwarded directly (however, no user auth is
;   available).
;
; In SGOS 6.4.x, forwarding can be based on the server_url.category
; and this provides an opportunity to separate unintercepted SSL from
; intercepted SSL, which can be authenticated to the cloud service.
;
#if release.version=6.4..
define condition SSL_Unintercepted_category
    ; this is a typical unintercepted category list
    ; it should be modified to match your local interception policy
    ;
    server_url.category=(Brokerage/Trading, "Financial Services", Health)
    ;
    ; exempt this to get the style sheets for exception pages
    server_url.domain=portal.threatpulse.com
end

<Forward Cloud> condition=!BC_Cloud_Forward_Bypass_List
    [Rule] proxy.port=(443, 8080) url.scheme=https,ssl,tcp
        condition=SSL_Unintercepted_category forward(ThreatPulseHTTP8080) ; existing
        forward(ThreatPulseInterceptedHTTPS8084) ; new
    [Rule]
        url.scheme=http forward(ThreatPulseSecure8443)
#endif

#if release.version=..6.3
<Forward Cloud> condition=!BC_Cloud_Forward_Bypass_List
    proxy.port=(443, 8080) url.scheme=https,ssl,tcp forward(ThreatPulseHTTP8080)
    url.scheme=http forward(ThreatPulseSecure8443)
#endif

; For reporting purposes, forward the client IP addresses rather than the ProxySG
; appliance IP address.
;
<Proxy Forwarding_Client_IP>
    action.Forwarding_Client_IP(yes)

define action Forwarding_Client_IP
    set( request.header.Client-IP, "$(client.address)" )
end

The forwarding host names are examples; you must enter hosts that you defined in the Proxy Forwarding configuration topic.
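To see how the template's bypass and forwarding decisions play out on concrete requests, here is an added example in Python (not Blue Coat code and not CPL): it models the SGOS ..5.3 branch of the bypass lists, the Auth_Cloud header action, and the SGOS ..6.3 <Forward Cloud> layer. The function names, the sample addresses, and the comma separator assumed for $(groups) are this example's own assumptions.

```python
"""Model of the decisions made by the Proxy Forwarding CPL template.
Added example, not Blue Coat code: it re-implements the ..5.3 branch
(explicit BC_Internal_subnets), the Auth_Cloud action and the ..6.3
<Forward Cloud> layer so they can be checked against sample requests
offline. Function names are hypothetical."""
import base64
import ipaddress

# define subnet BC_Internal_subnets (copied from the template)
BC_INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "169.254.0.0/16", "192.168.0.0/16", "224.0.0.0/3")]
# url.domain= / server_url.domain= entries in the bypass lists
BYPASS_DOMAINS = ("portal.threatpulse.com",)
# Value the template sets on system (refresh) traffic in SGOS 6.1+
REFRESH_USER_HEADER = "UmVmcmVzaCBVc2Vy"


def _b64(text):
    """encode_base64 substitution: base64 of the UTF-8 bytes of the value."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def in_bypass_list(host, address):
    """BC_Cloud_*_Bypass_List: internal destination address or a bypass
    domain. url.domain= matches the domain itself and its subdomains."""
    if address and any(ipaddress.ip_address(address) in n
                       for n in BC_INTERNAL_SUBNETS):
        return True
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BYPASS_DOMAINS)


def auth_cloud_headers(user, groups):
    """define action Auth_Cloud: BC_Auth_User / BC_Auth_Groups carry the
    base64 of $(user) and $(groups). Assumption: the group list is rendered
    as a comma-separated string before encoding (the page does not state
    the separator SGOS uses)."""
    return {"BC_Auth_User": _b64(user),
            "BC_Auth_Groups": _b64(",".join(groups))}


def forward_target(scheme, proxy_port, host, address, health_check=False):
    """<Forward Cloud> for SGOS ..6.3: the forwarding host name, or None
    when the request is not sent to the Web Security Service."""
    if health_check or in_bypass_list(host, address):
        return None                     # bypass list and health checks
    if scheme in ("https", "ssl", "tcp") and proxy_port in (443, 8080):
        return "ThreatPulseHTTP8080"    # standard proxy service, no user auth
    if scheme == "http":
        return "ThreatPulseSecure8443"  # carries BC_Auth_* headers: secure service
    return None                         # all other traffic is ignored


def refresh_user_name():
    """Decode the template's constant back to the user ID it represents."""
    return base64.b64decode(REFRESH_USER_HEADER).decode("ascii")


if __name__ == "__main__":
    # Constructed sample requests (documentation addresses, not real hosts).
    for req in (("http", 8080, "www.example.com", "93.184.216.34"),
                ("https", 443, "www.example.com", "93.184.216.34"),
                ("http", 8080, "intranet.corp.local", "10.20.30.40"),
                ("https", 443, "portal.threatpulse.com", "203.0.113.10")):
        print(req, "->", forward_target(*req))
    print(auth_cloud_headers("jdoe", ["CORP\\Finance", "CORP\\Domain Users"]))
    print("system traffic user:", refresh_user_name())
```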

Next Step

Return to "Forward Traffic Through a ProxySG Appliance to the Web Security Service" on page 18.


Reference: Additional Authentication CPL for SGOS MACH5 Proxy Forwarding

Configuring a ProxySG MACH 5 appliance to forward authenticated web requests through the Blue Coat Web Security Service requires creating an authentication realm and configuring additional CPL added to the Local policy file.

1. Verify the ProxySG appliance is running the correct version of the Blue Coat Authentication and Authorization Agent (BCAAA).

2. Access the Advanced Configuration page in the Management Console.
3. Create an authentication realm. Blue Coat has tested and recommends an IWA realm.

4. Add the following policy to the Local policy file (Configuration > Policy):

   define condition __CondList1port80and443
       url.port=443
       url.port=80
   end

   <Proxy>
       condition=__CondList1port80and443 authenticate(realm_name) authenticate.force(no) authenticate.mode(auth_mode)

   Where realm_name is the name of the authentication realm you created and auth_mode is the authentication mode appropriate for your deployment. See Reference: Authentication Modes.

5. Add the other forwarding policy, as described in "Proxy Forwarding: SGOS 5.x/6.x to Web Security Service" on page 19.
