bluecoat training-24.2.2012 (1)

© Copyright Dimension Data 1 7 May 2022 Bluecoat Deployment and Troubleshooting

Upload: dhui121

Post on 25-Oct-2015


DESCRIPTION

Bluecoat Proxy SG

TRANSCRIPT

Page 1: Bluecoat Training-24.2.2012 (1)

© Copyright Dimension Data 117 April 2023

Bluecoat Deployment and Troubleshooting

Agenda

• General Knowledge

• Products

• Deployment Method

• Initial Setup

• Content Filter & Authentication

• Policy Management - VPM

• Access Logging & Failover

• Bluecoat Reporter

• Troubleshooting

Why do we need Proxy?

Introduction

Proxy Servers

• Designed to:

o Enhance security

o Control content

o Increase performance

• Two roles for the proxy:

o Gateway proxy

o WAN Acceleration proxy

Firewall and Proxy

Gateway Proxy

WAN Acceleration Proxy

Bluecoat Product List

Hardware Based

• Blue Coat SG

• Blue Coat AV

• Blue Coat Director

• Blue Coat RA

• Bluecoat Packetshaper

• Bluecoat DLP

Software Based

• Bluecoat Reporter

• Bluecoat Web Filter

• Bluecoat K9

Bluecoat SG Product Family

[Figure: SG200, SG300, SG510, SG600, SG810, SG900, SG8100 and SG9000 Series placed by deployment size (remote offices, medium businesses, corporate headquarters). Ranges shown: up to 250; 150 to 1,000; 800 to 4,000; 3,000 to 50,000+.]

Bluecoat SG Deployment

Client Connections Method

• Explicit Proxy

• Transparent Proxy

Proxy Role

• Forward Proxy

• Reverse Proxy

Explicit Proxy

Transparent Proxy

Forward Proxy

The proxy is on the same network as the clients

Reverse Proxy

The proxy is on the same network as the servers

Out of Path Deployment

Using WCCP

Proxy Auto Configuration File

Proxy SG Initial Setup

• Physical Installation

• Basic Setup

• Licensing

Initial Setup

Configuration Options

Access Control

Registering Device

Initial Setup & Registration

Content Filtering

Enable Proxy to make smarter decisions

• Base policy control on the type of content

• Offer more than just protocol and URL match

Attempt to categorize the Internet

• Categorise the 20% of sites that generate 80% of the traffic

• Use artificial intelligence to cover the remaining 80%

User defined category set

• Local database

Logical Flow

Dynamic Real Time Rating

Extend Blue Coat Web Filter capabilities

• Scan and categorize the contents of a web page

• Immediate categorization

Provide a network service to accomplish dynamic classification

• Analysis is accomplished on the external service

• No performance impact on the ProxySG

Authentication Realms

IWA

• Windows NT Domains and Active Directory

• Basic, NTLM, and Kerberos credentials

• The BCAAA agent is required for integrating with Microsoft AD

• The BCAAA version and the proxy version have to be the same

LDAP

• Active Directory and other LDAP Databases

Sequence

• List of authentication realms to be processed

LDAP Authentication Example

Policy Management

Set Default Proxy Policy

• Setting global security level

Understand Visual Policy Manager (VPM)

• Managing Layers

Default Policy

Deny

• Default option for Blue Coat SG

• All network traffic received by the proxy is blocked

Allow

• Network traffic is allowed through the proxy

• Other policies can deny selected traffic

Visual Policy Manager

Policy Transactions : Rule #1

“Block all users from Hacking web sites”

• Source: ANY

• Destination: Hacking

• Service: ANY

• Time: ANY

• Action: DENY

• Track: none

Policy Transactions : Rule #2

“Employees can visit travel web sites only outside regular working hours”

• Source: ANY

• Destination: Travel

• Service: ANY

• Time: Mon-Fri; 08:00..17:00

• Action: DENY

• Track: none
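
The two rules above evaluated in code, as an added example that is not part of the original slides and is not Blue Coat's own policy engine. It assumes a single layer in which the first matching rule decides and the Default Policy applies otherwise; Source and Service are ANY in both rules and are left out, and the end of the 08:00..17:00 window is treated as exclusive.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass
class Rule:
    name: str
    destination: str                          # URL category, or "ANY"
    days: Optional[range] = None              # weekdays, Monday=0; None means ANY
    hours: Optional[Tuple[int, int]] = None   # (start, end) hour, end exclusive
    action: str = "DENY"

    def matches(self, category: str, when: datetime) -> bool:
        if self.destination not in ("ANY", category):
            return False
        if self.days is not None and when.weekday() not in self.days:
            return False
        if self.hours is not None and not self.hours[0] <= when.hour < self.hours[1]:
            return False
        return True

# The two rules from the slides ("Track: none" has no effect on the verdict).
RULES = [
    Rule("Rule #1", destination="Hacking"),
    Rule("Rule #2", destination="Travel", days=range(0, 5), hours=(8, 17)),
]

def evaluate(category, when, default_policy, rules=RULES):
    """Return (verdict, decided_by) for one request."""
    for rule in rules:
        if rule.matches(category, when):
            return rule.action, rule.name
    return default_policy, "default policy"

if __name__ == "__main__":
    friday_10 = datetime(2012, 2, 24, 10, 0)   # constructed timestamps
    friday_18 = datetime(2012, 2, 24, 18, 0)
    for default in ("ALLOW", "DENY"):
        for category, when in (("Hacking", friday_18), ("Travel", friday_10),
                               ("Travel", friday_18), ("News", friday_10)):
            print(default, category, when.strftime("%a %H:%M"),
                  evaluate(category, when, default))
```

With the default policy set to Deny, Rule #2 on its own never grants access to travel sites after hours; the stated intent holds only when the default is Allow or another rule allows the category.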

VPM Example

Access Logging

Record transaction information

• Information specific per protocol

• Necessary to run reports

• Customizable

Track Usage

• Entire network

• Specific information

• User or department usage patterns
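
A sketch of how the access log supports the usage tracking described above and the troubleshooting cases later in the deck (blocked URLs, repeated authentication prompts). This is an added example, not from the original slides; the log lines are constructed, and the field list on the `#Fields:` line is an assumption, since the log format configured on the appliance decides which fields are present.

```python
import shlex
from collections import Counter

# Constructed sample, not taken from a real appliance. The "#Fields:" line
# names the columns; the field selection used here is an assumption.
SAMPLE_LOG = '''\
#Software: SGOS (constructed sample)
#Fields: date time c-ip cs-username sc-status sc-filter-result cs-categories cs-host cs-uri-path
2012-02-24 09:15:02 10.0.0.21 alice 200 OBSERVED "News/Media" www.example.com /
2012-02-24 09:15:40 10.0.0.21 alice 403 DENIED "Hacking" tools.example.net /index.html
2012-02-24 10:02:11 10.0.0.35 bob 403 DENIED "Travel" flights.example.org /search
2012-02-24 10:02:19 10.0.0.35 bob 403 DENIED "Travel" flights.example.org /img/logo.png
2012-02-24 10:05:00 10.0.0.35 - 407 DENIED "Travel" flights.example.org /search
truncated line
'''

def parse_access_log(text):
    """Return (records, malformed_count); each record is a dict keyed by field name."""
    fields, records, malformed = [], [], 0
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue                      # other directives and blank lines
        else:
            values = shlex.split(line)    # keeps a quoted category as one value
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
            else:
                malformed += 1            # count, do not guess at the columns
    return records, malformed

def denied_by_user(records):
    """Count DENIED transactions per (client IP, user, category)."""
    return Counter((r["c-ip"], r["cs-username"], r["cs-categories"])
                   for r in records if r["sc-filter-result"] == "DENIED")

def unauthenticated_clients(records):
    """Client IPs logged with no user name ("-") and status 407 (still being challenged)."""
    return sorted({r["c-ip"] for r in records
                   if r["cs-username"] == "-" and r["sc-status"] == "407"})

if __name__ == "__main__":
    recs, bad = parse_access_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} malformed")
    for key, count in denied_by_user(recs).most_common():
        print(count, key)
    print("unauthenticated:", unauthenticated_clients(recs))
```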

Failover

• Failover allows a second machine to take over in case a primary machine fails

• Works on a master-slave model

• Similar to VRRP, with the following exceptions:

o A configurable IP multicast address is the destination of the advertisements.

o The advertisements’ interval is included in protocol messages and is learned by the slaves.

o A virtual router identifier (VRID) is not used.

o Virtual MAC addresses are not used.

o MD5 is used for authentication at the application level.

• The master takes over once it is online

Failover Example

Bluecoat Reporter

• Analyzes comprehensive log files from Bluecoat SG

• 150 pre-defined reports, including spyware, IM, P2P, popular sites, etc.

• Provides visibility into web content, performance, threats and trending over a defined time

• Two types of Reporter:

o Standard Reporter

o Enterprise Reporter

Troubleshooting

Commonly Faced Issues

• Not able to access particular URL

• Not able to view images on a particular site

• Internet access is very slow

• Frequent authentication prompts

• High Memory & CPU utilization

• Messenger not working through Proxy

Troubleshooting Data

• Access Logs

• Event Logs

• Policy Trace

• Packet Capture on Bluecoat

• Packet Capture on User Machine

• Health Check

Event Logs

• Management logs

• Hardware specific logs

• Event logs can be viewed from the Statistics > Advanced option

• They can also be viewed at the URL https://x.x.x.x:8082/eventlog/statistics

Policy Trace

Use a policy trace to find:

• Which policy the traffic is hitting

• The reason for blocking or allowing the connection

• Whether authentication is working

To enable Policy Trace:

• Open the Visual Policy Manager

• From the 'Policy' menu, click on 'Add Web access layer'

• Name it and click ok

• Right-click the source and click on 'Set', 'New', 'Client IP Address/Subnet'

• Enter the IP address of the workstation you are going to test from, and as subnet, enter 255.255.255.255 since we only want that specific host.

• Right-click the "Deny" item in the 'Action' column and click 'Delete'. The action should now be "None"

• Right-click the 'None' in the "Track" column and click 'Set', 'New', 'Trace...'

• Choose 'Verbose tracking', enable 'Trace file' and enter a file name

• Click 'Ok'

• You should now have a layer with a single rule; the source would be the IP address of the workstation, and the track object should be the object just created.

• Install the policy

• Reproduce the issue

• Disable or delete the web access layer just created. It's best to disable it for now in case another test needs to be done.

Packet Capture

• Packet capture can be run from Maintenance->Service Information->Packet Captures

• Filters can be applied as well, based on IP address and port

• Covers client-proxy and proxy-server communication

• Can be useful for slowness, authentication issues, etc.

Packet Capture Example

Health Check

• The proxy can perform health checks on HTTP, HTTPS, ICAP, Websense and SOCKS gateways

• Periodically verifies availability and health status of the host

• Time interval is configurable

• A failed health check results in administrator notification

• Health checks are configured in the Management Console under Configuration tab > Health Checks > General

Questions?