Professional Documents
Culture Documents
Integrating The ProxySG and ProxyAV Appliances (SGOS 5.4) .E
Integrating The ProxySG and ProxyAV Appliances (SGOS 5.4) .E
Contact Information
Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland
http://www.bluecoat.com/support/ contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com
Copyright 1999-2010 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV, CacheOS, SGOS, SG, Spyware Interceptor, Scope, ProxyRA Connector, ProxyRA Manager, Remote Access and MACH5 are trademarks of Blue Coat Systems, Inc. and CacheFlow, Blue Coat, Accelerating The Internet, ProxySG, WinProxy, PacketShaper, PacketShaper Xpress, PolicyCenter, PacketWise, AccessNow, Ositis, Powering Internet Management, The Ultimate Internet Sharing Solution, Cerberian, Permeo, Permeo Technologies, Inc., and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
ii
Americas: Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA 94085
Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland
iii
iv
Table of Contents
Table of Contents
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Stated Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Supported Blue Coat Devices and Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Hardware Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Software Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Chapter Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
ProxySG/ProxyAV With Direct Internet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 ProxySG/ProxyAV in a Closed Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Basic Deployment: One ProxySG to One ProxyAV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Redundant Appliance Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Deployment Guidelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 Deployment Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 Configuring and Installing the ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 Configuring and Installing the ProxyAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10
Table of Contents
Displaying ICAP Statistical Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Monitoring ICAP-Enabled Sessions on the ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Displaying Active ICAP-Enabled Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Viewing Statistics on the ProxyAV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Creating Anti-Malware Reports in Blue Coat Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10
vi
Table of Contents
Best Practices for PDF Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10 Avoiding Processing of Cancelled Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1
The ProxyAV isnt Scanning Web Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2 Users Cant Access Any Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3 ProxySG Runs Out of Memory During Heavy Traffic Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Scans are Taking Too Long . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 My ProxyAV isnt Getting Virus Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
vii
Table of Contents
viii
Introduction
Stated Purpose
This document provides conceptual information about malware threats, deployment guidelines and workflows, configuration steps for getting the ProxyAV and ProxySG to communicate with each another, and best practices to consider when deploying the integrated Blue Coat malware solution. This solution involves the deployment of Blue Coat ProxyAV appliances in the network to perform malware content scanning on Web responses and/or requests sent through ProxySG appliances. This integration guide supplements existing product-specific guides. For details and instructions on each product, use the context-sensitive online help or refer to the following guides:
Blue Coat ProxyAV Configuration and Management Guide (version 3.2) Blue Coat ProxySG Configuration and Management Suite (version 5.4) The products installation or quick start guide
You can download these manuals from BlueTouch Online at:
https://support.bluecoat.com/documentation
Audience
The intended audience for this document is current and potential customers seeking to understand the Blue Coat malware solution. ProxySG and ProxyAV customers deploying an anti-malware solution will benefit from having configuration information in a single document. This document assumes you are knowledgeable with basic network concepts and terminology. Basic familiarity with Blue Coat products is also recommended but not a prerequisite.
Hardware Platforms
ProxySG models: SG200-x (except 200-A), SG210, SG510, SG800-x, SG810, SG8000-x, SG8100 ProxyAV models: AV2000-E, AV400-E, AV210, AV510, AV810
1-1
Introduction
Software Versions
This guide assumes the latest software versions are installed on the ProxySG (SGOS 5.4) and ProxyAV (AVOS 3.2). Some of the features (such as ICAP monitoring on the ProxySG) are not available in earlier versions. If you are consulting this document and your software is more current than the ones listed above, review the release notes for that release to learn about any new features not yet implemented in this document. If a concept or feature is not compatible with a specific AVOS or SGOS release, it is so noted in the document.
Chapter Reference
This document is structured to be read in its entirety before implementing the AV solution. Deployments not requiring redundancy can skip chapters 7 and 8. This document contains the following chapters: Chapter 1: Introduction Chapter 2: Benefits of the Blue Coat Anti-Malware Solution Chapter 3: Deployment Chapter 4: Configuring the ProxySG and ProxyAV Appliances Chapter 5: Monitoring ICAP Scanning Chapter 6: Additional Configuration Chapter 7: Load Balancing Between Multiple ProxyAV Appliances Chapter 8: Configuring ProxyAV Failover Chapter 9: Configuration Best Practices Chapter 10: Troubleshooting
1-2
This chapter includes conceptual information about malware and describes benefits of using the integrated Blue Coat anti-malware solution. It includes the following topics:
About Web Malwareon page 2-2 The Blue Coat Anti-Malware Solutionon page 2-4
2-1
Types of Malware
Malware is defined as software designed to infiltrate or damage a computer system without the owner's informed consent. It can be downloaded from Web pages without a users knowledge, often piggybacking on a users trust of a known domain. The following table lists common types of malware. Malware Adware Backdoor Description Software that automatically displays advertisements on a computer A method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected A program that downloads and installs malicious software Mobile malicious code. Software obtained from remote systems, transferred across a network, and then downloaded and executed on a local system without the users explicit installation. It can be delivered via visits to a Web site, Web e-mail, or e-mail with attachments. Examples of MMC include: Scripts, Java applets, ActiveX, flash animations, Shockwave movies, and macros embedded within Microsoft Office documents. Software that encrypts data in an unreadable format and then demands payment in exchange for the decryption key (the ransom) A program designed to take fundamental control of a computer system, without authorization of the systems owners and legitimate managers. Root comes from the UNIX term root access, which is equivalent to administrator access in Windows.
Downloader MMC
Ransomware Rootkit
2-2
Malware Spyware
Description Computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the users interaction with the computer, without the users consent Software that appears to perform a desirable function but in fact performs undisclosed malicious functions. A computer worm or virus may be a Trojan horse. A computer program that attaches itself to an existing program and can copy itself and infect a computer without a users permission or knowledge A self-replicating computer program that uses a network to send copies of itself to other nodes, without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.
Trojan horse
Virus Worm
2-3
Firewall
ProxySG
ProxyAV
Figure 2-1
The ProxyAV appliance is designed to work specifically with the ProxySG proxy architecture. Each appliance contains industry-leading technology that communicates together to form a cohesive integration. All ProxySG and ProxyAV appliances are available in different capacities. Blue Coat provides sizing information to assist you with determining the correct combination of appliances to deploy. With a proxy appliance architecture, scalability from a few dozen users to multiple thousands of users is attainable. The Blue Coat anti-malware solution is designed to prevent malicious code penetration with negligible network performance impact. Blue Coat achieves this with the ProxyAV software that is designed for performance and security combined with the power of the ProxySG proxy. If an AV scanner must scan all cached and uncached content, performance suffers. The Blue Coat AV deployment provides a scan-once, serve-many benefit when scanning:
Once an object is cached, it doesnt need to be scanned again until either the object contents change or
the AV database changes. The AV database is a pattern file that allows anti-virus software to identify viruses. Whenever the database changes, the ProxyAV needs to rescan any requested objects that are in the cache, because the new database might know about viruses that the old database didnt.
For a non-cacheable object, the ProxyAV scans the object and creates a fingerprint a secure hash of the
files contents. The ProxyAV compares the files fingerprint against a database of fingerprints that is constructed as a result of scanning objects. The object will not be scanned again unless either its fingerprint changes (indicating the content has changed) or the AV database changes.
2-4
The ProxyAVs scanning methods and capabilities provide three main benefits:
Outbreaks are smaller. Containment is faster. Performance gain is attained by not scanning unchanged objects.
The integration of the ProxyAV with the ProxySG allows you to manage inbound (response) and outbound (request) communications. The power of the proxies allows you implement malware scanning processes as follows:
By customizing ProxySG policy, you determine what application protocols are allowed in your
enterprise, then create policy that determines what type of content is sent for malware scanning. For example, you might decide GIF files represent a lower risk and instruct the ProxySG to not send them to the ProxyAV.
Processing performance is optimized through different configuration options. You can set small and
large object thresholds to differentiate between smaller, common Web objects and larger objects, such as content streams. Furthermore, a cache timeout is not used to resend files. The ProxyAV retains a fingerprint, and only resets it when there is a definition update. Only a solution that understands Web scanning can implement this.
The final piece includes the user experience. Policy configured on the both the ProxySG and ProxyAV
allows you to determine what happens when an exception (error) occurs. You can allow content to continue to the client or deny the content. The ProxySG allows you to display patience pages with custom messages to users when content scans exceed a customizable time limit. Therefore, users are aware of exactly what is occurring on their desktops, thus reducing the number of IT help desk tickets.
ICAP
Blue Coats ProxySG and ProxyAV appliances communicate using Internet Content Adaptation Protocol (ICAP). The ProxySG is the ICAP client, and the ProxyAV is the ICAP server. As the ICAP client, the ProxySG delivers to the ICAP server the Web content that needs to be scanned. As the ICAP server, the ProxyAV provides content scanning, filtering, and repair service for Internet-based malicious code. To eliminate
2-5
threats to the network and to maintain caching performance, the ProxySG sends objects to the ProxyAV for checking and saves the scanned objects in its object store. With subsequent content requests, the appliance serves the scanned object rather than rescanning the same object for each request. You can scan your data using plain ICAP, secure ICAP, or both. Plain ICAP is useful for scanning non-confidential data (HTTP); secure ICAP sends data that may be confidential (HTTPS) through a secure data channel. Secure ICAP is available beginning with SGOS 5.3 and AVOS 3.2. The Blue Coat solution uses an enhanced ICAP+ version that offers improved performance, reliability, integrated reporting, and detailed error/exception handling and reporting.
2-6
Figure 2-2
2-7
2-8
Deployment
This chapter illustrates several deployment topologies for incorporating one or more ProxySG and ProxyAV appliances in your network. It also includes high-level guidelines and workflows for physically installing the appliances into your network. It includes the following topics:
ProxySG/ProxyAV With Direct Internet Accesson page 3-2 ProxySG/ProxyAV in a Closed Networkon page 3-3 Redundant Appliance Topologieson page 3-5 Deployment Guidelineson page 3-7 Deployment Workflowon page 3-8
3-1
Deployment
Figure 3-1
Blue Coat appliances deployed with direct Internet access for updates.
The admin PC is used to perform configuration and policy changes on any Blue Coat appliance.
3-2
Deployment
Legend:
1: Retrieve the latest AV appliance firmware update file. 2: Retrieve the latest AV vendor pattern files. Use a script to prepare the files (remove absolute links, for example). 3: Copy the files to an internal server connected to the AV appliance. 4: Configure the AV appliance to retrieve the update files from the server (HTTP/URL).
Figure 3-2
3-3
Deployment
Figure 3-3
This basic deployment is the easiest type of topology to configure and because it doesnt require redundant appliances to be purchased, is the least expensive to deploy. However, due to its lack of redundancy, the basic deployment has the following limitations:
No Web malware scanning if the ProxyAV goes down. Depending on the policy you implement on the
ProxySG, when the ProxyAV fails, users either receive unscanned content or notices that the content cannot be delivered.
No load balancing for ICAP scanning if the ProxyAV gets overwhelmed with ICAP requests. No failover if the ProxySG goes down.
3-4
Deployment
Figure 3-4
Chapter 7: Load Balancing Between Multiple ProxyAV Appliances Chapter 8: Configuring ProxyAV Failover
3-5
Deployment
Enterprises who need ProxySG failover, without redundant ProxyAV appliances, might use the following type of topology.
Figure 3-5
Enterprises with hundreds to thousands of users require the processing power of multiple ProxySG and ProxyAV devices, working together to provide efficient scanning power plus failover capability.
.
Figure 3-6
For information on configuring failover on the ProxySG, refer to the ProxySG Configuration and Management Suite (Volume 1: Getting Started and Volume 5: Advanced Networking).
3-6
Deployment
Deployment Guidelines
Deployment Guidelines
When planning the installation of your Blue Coat appliances, consider the following deployment guidelines:
Blue Coat recommends that all ProxySG appliances reside on the same subnet as the ProxyAV
appliances they are clients to. This includes using multiple ProxySG appliances sharing multiple ProxyAV appliances. Make sure to keep the ProxyAV physically and logically close to the ProxySG. Although you can put the ProxyAV in California and the ProxySG in New York, performance will suffer. It is recommended that the ProxyAV be on the next-hop VLAN.
The ProxyAV must have access to the Internet for system and pattern file updates. In a closed network,
youll need to download these files from a system that has Internet access and then copy these files to an internal server connected to the AV appliance; the ProxyAV must be configured to retrieve the update files from this server. See "ProxySG/ProxyAV in a Closed Network" on page 3-3.
The ProxyAV can use the ProxySG as a proxy for downloading pattern file and firmware updates, but
this is not required.
The ProxySG can be deployed in explicit or transparent mode. In explicit mode, each client Web
browser is explicitly configured to use the ProxySG as a proxy server. In transparent mode, the client Web browser does not know the traffic is being processed by a machine other than the origin content server. Transparent proxy requires that you use a bridge, a Layer-4 switch, or Web Cache Communication Protocol (WCCP) to redirect traffic to the ProxySG.
3-7
Deployment Workflow
Deployment
Deployment Workflow
Before installing the ProxyAV, you should install the ProxySG in the network and verify it is functioning properly as a secure Web gateway. Once you have done tests to determine that the ProxySG is performing as expected, you can proceed with the ProxyAV installation and configuration.
To register and license your ProxySG: Open a Web browser and navigate to:
a. Your ProxySG ships with a temporary (60-day) license. You can register your appliance at any time b. during that period. c. Step 4 Log in to the ProxySG Management a. Console. b.
https://support.bluecoat.com/licensing
Enter your BlueTouch Online credentials. Follow the instructions to register your appliance and download a license. Open a Web browser. Enter the IP address you assigned to the ProxySG followed by port number 8082. For example: https://192.0.2.2:8082 Select Statistics > Summary > Efficiency. Verify that each configured interface is up.
b.
Click the Device tab. Verify connectivity to the DNS server and other external devices.
c.
3-8
Deployment
Deployment Workflow
Configure and Install the ProxySG Step 6 Set the Explicit HTTP proxy service a. to intercept, and add a rule in the Web access layer to allow this traffic. Select Configuration > Services > Proxy Services.
b. Open the Visual Policy Manager (Configuration > Policy > Visual Policy Manager > Launch) and create a Web access layer that allows the Explicit HTTP service name.
Install the policy. Make sure there are clients running traffic. Note: The browser must be explicitly or transparently redirected to the ProxySG appliance.
b. Select Statistics > Sessions > Active Sessions. c. Click Show. The Proxied Sessions table should list the active sessions of current traffic.
Step 8 If necessary, upgrade to SGOS 5.4. This Integration Guide assumes the ProxySG is running SGOS 5.4.
Select Maintenance > Upgrade. For details, refer to the ProxySG Configuration and Management Suite. See Volume 9: Managing the Blue Coat ProxySG Appliance, Chapter 3: Maintaining the ProxySG.
3-9
Deployment Workflow
Deployment
a. b.
c.
d. Enter your activation code from the e-mail received from Blue Coat. e. Step 5 If necessary, upgrade to AVOS 3.2. This Integration Guide assumes the ProxyAV is running AVOS 3.2. a. Click Register ProxyAV. Select Firmware Update.
Now that the two Blue Coat appliances are installed on the same subnet, you can configure them to work together. Proceed to the next chapter.
3 - 10
This chapter provides the configuration steps required to integrate the ProxySG and ProxyAV to perform Web malware scanning. It includes the following topics:
About the Taskson page 4-2 Task 1: Prepare the ProxyAVon page 4-3 Task 2: Create the ICAP Serviceon page 4-4 Task 3: Create Malware Scanning Policyon page 4-8 Task 4: Test the Anti-Malware Policyon page 4-14
4-1
On the ProxyAV, specify the ICAP service name Task 1: Prepare the ProxyAV on page 4-3 and configure secure ICAP (if desired). On the ProxySG, create an ICAP response service to communicate with the ProxyAV. Response services scan Web content requested by clients (users). Task 2: Create the ICAP Service on page 4-4
3 4
On the ProxyAV, configure scan settings. On the Task 3: Create Malware Scanning Policy on ProxySG, create policy for the ICAP service. page 4-8 Make sure the policies are working correctly. Task 4: Test the Anti-Malware Policy on page 4-14
4-2
d. Click Save Changes. Step 4 Save the settings. Click Save Changes.
4-3
c.
d. Click OK. The new ICAP object displays in the services list. Step 3 Edit the new service. a. b. Highlight the new ICAP service name. Click Edit. The Edit ICAP Service dialog displays.
4-4
Create the ProxySG ICAP Service Step 4 Configure the service communication options. a. In the Service URL field, enter the URL of the ProxyAV. The URL includes the scheme, the ProxyAVs hostname or IP address, and the ICAP service name. For example: icap://10.10.10.10/avscan b. Maximum number of connections specifies the maximum possible connections at any given time that can occur between the ProxySG and the ProxyAV. Do not change this valueuse the Sense settings button to get the correct value that your platform supports. c. In the Connection timeout field, enter the number of seconds the ProxySG waits for replies from the ProxyAV. The default timeout is 70 seconds, but you will likely want it set to a higher value because large (several hundred MB) archives can easily take more than 70 seconds. If the ProxyAV gets a large file that takes more then the configured timeout to scan, the ProxySG will close the connection and the user will not get the file. The value you enter for the timeout is related to the maximum file size configured on the ProxyAV; larger file sizes require longer to scan so the connection timeout should be higher. If you allow only 100 MB file sizes, 70 seconds would be a sufficient timeout value. But if you allow 2 GB files, a timeout value of 70 would be too low. The range is 1 to 65535.
d. Select Defer scanning at threshold to set the threshold at which the ProxySG defers the oldest ICAP connection that has not yet received a full object. By default, the deferred scanning threshold is disabled when an ICAP service is created. When enabled, the defer threshold scanning defaults to 80 percent. For more information about scanning deferral, see "Avoiding Network Outages due to Infinite Streaming Issues" on page 6-5. e. Select Notify administrator when virus detected to send an e-mail to the administrator if the ICAP scan detects a virus. The notification is also sent to the Event Log and the Event Log e-mail list. Note that the ProxyAV also has settings for notifying administrators when a virus is detected; this configuration is explained in "Getting Notified about Detected Viruses" on page 6-7. Select Use vendors virus found page to display the default vendor error exception page to the client instead of the ProxySG exception page.
f.
4-5
Create the ProxySG ICAP Service Step 5 Configure service ports for plain You can enable one or both types of ICAP connections at the ICAP (Step 5a) and/or secure ICAP same time. (Step 5b).
a.
Select This service supports plain ICAP connections. Use plain ICAP when you are scanning plain data (HTTP). In this case, if the HTTPS proxy is enabled on the ProxySG, the data is decrypted first on the ProxySG and then sent to the ICAP server. In the Plain ICAP port field, enter a port number. The default port is 1344. Select This service supports secure ICAP connections to use secure ICAP. In the Secure ICAP port field, enter a port number. The default port is 11344. Make sure that you select a valid SSL profile for secure ICAP in the SSL Device Profile field. This associates an SSL device profile with the secure ICAP service.
b. Step 5b Configure service ports for secure a. ICAP if you are scanning sensitive or confidential data (HTTPS). b. c.
4-6
Create the ProxySG ICAP Service Step 8 Determine the maximum number of a. Click Sense settings. connections that your b. Click OK to confirm. ProxySG/ProxyAV can support.
c.
Click OK to confirm your changes. If the Sense settings command was able to retrieve the settings from the ProxyAV, you will see the following message:
d. Click OK. Step 9 Refresh your browser to see the maximum number of connections that were sensed. a. Click your browsers refresh button. b. Edit the response service you created and look at the value that was entered for Maximum number of connections.
At this point, the ProxyAV and ProxySG are configured to communicate with one another. To verify that the two appliances are communicating, look at the ICAP service health check on the ProxySG. Verify Communication Between the ProxySG and ProxyAV Step 1 Log in to the ProxySG Management Console. Step 2 Check the status of the ICAP service. a. Select Statistics > Health Checks. b. For the icap.response service, look at the State. If the appliances are communicating, the State looks like this:
Go through Tasks 1 and 2 again and verify that you have followed the configuration steps properly. Make sure the ProxySG and ProxyAV are on the same subnet. Verify that the ProxySG and ProxyAV have the same ICAP service ports. On the ProxyAV, go to ICAP
Settings. On the ProxySG, go to Configuration > External Services > ICAP > Edit.
4-7
ProxyAV Management Console: Determine maximum scannable file sizes; when exceptions occur,
determine what is sent to the ProxySG; ignore files with specified file extensions.
ProxySG Management Console: In most enterprise deployments, the default is to scan all Web sites and
objects by default, and create exception rules for specific groups or content types and locations as required. Use the Visual Policy Manager (VPM) tool to define the scanning policy; advanced users can use Content Policy Language (CPL). Before you begin implementing policy, create a plan that answers the following questions:
What sites are not to be scanned (for example: intranet sites)? What objects are not to be scanned (for example: GIF files)? What policy is implemented if the ProxyAV becomes unavailable (for example: deny or allow all
requests not scanned)?
What message is displayed when a virus is found? What policy is implemented when the object could not be scanned (for example, password protected
files cannot be scanned)? Is this policy specific to users or groups of users?
When the Heuristic Parameters option is enabled, the AV appliance learns about traffic patterns on your network and adjusts accordingly to increase performance. After an initial learning period, the ProxyAV should be able to accelerate about 15 to 30 percent of the networks traffic. The learning process restarts whenever a new virus pattern file or an updated scanning engine is downloaded. Because of the benefits it offers, Blue Coat recommends that you leave Heuristic Parameters at its default setting (enabled).
4-8
The option names in the Extended options section vary according the AV vendor engine you are using. Most options are associated with spyware/malware. Regardless of the option name, the behavior is as follows: Enabled: Scanning stops after the first instance of a virus or spyware. For Kaspersky, Detect Adware is enabled by default. It can be deselected, but it cannot be selected without selecting Detect Spyware. Disabled: Scanning stops only after the first instance of a virus, not spyware. Step 5 Define a file scanning timeout value. File scanning timeout Some files, while not viruses themselves, are designed to disable a virus scanner. Although these files cannot disable a ProxyAV, they can use up system resources and slow down overall throughput. Defining a timeout value allows the ProxyAV to reclaim those resources. Blue Coat recommends that you use the default value (800 seconds). If long scans are a problem, implement the best practices for conserving scanning resources discussed in Chapter 9, Configuration Best Practices.
4-9
Configure Scanning Settings on the ProxyAV Step 6 Impose limits on the file sizes and numbers allowed to be scanned.
cannot exceed the specified size. This limitation also applies to each file within an archive. Dependent upon RAM and disk size of different AV appliance platforms, the maximum individual file size that can be scanned is as follows: Blue Coat AV210: 768 MB Blue Coat AV510: 768 MB Blue Coat AV810: 2 GB
Maximum total uncompressed size: An uncompressed file or archive cannot exceed the specified size. The maximum is:
Blue Coat AV210: 3GB Blue Coat AV510: 3GB Blue Coat AV810: 4GB
Maximum total number of files in archive: An archive cannot contain more than the specified number of files. The maximum is 100,000. Maximum archive layers: An archive cannot contain
more than the specified number of layers. The maximum number of layers for each AV engine is: Panda: 30 McAfee: 300 All others: 100
The ProxyAV scans objects unless the file exceeds any of the above limitations. Step 7 Define how the ProxyAV behaves when a timeout or other scanning error occurs.
Policies for Antivirus exceptions:
4 - 10
Configure Scanning Settings on the ProxyAV Step 8 Save the settings. Click Save Changes.
response to the ProxySG that the file was blocked (code type: file_type_blocked).
4 - 11
Configure Scanning Behavior Based on File Contents Step 4 Save the settings. Click Save Changes.
To accelerate the scanning process, you can specify scanning behavior based on file name extension. You can block certain file extensions (ones that are notorious for containing viruses) or choose to never scan certain file types (low-risk ones that are unlikely to contain viruses). Although you can configure file extension scanning policy on either appliance, it is preferable to configure this type of policy on the ProxySG. That way, the ProxySG doesnt waste resources sending files to the ProxyAV that you dont want scanned. If you configure the file extension policy on the ProxyAV, the ProxySG will send all file types to the ProxyAV, and the ProxyAV policy determines which files to scan; this method isnt as efficient. The procedure below explains how to configure scanning behavior based on file extensions. For instructions on configuring file extension policy on the ProxySG, see Chapter 9, Configuration Best Practices.
Note
Although file extension scanning policy can increase performance, it can present security risks. Unlike the Apparent Data Type feature, the File Extensions feature does not inspect the file contents, so it is possible to disguise an EXE virus with an apparently innocuous file extension (such as TIF).
Configuring Scanning Behavior Based on File Extensions Step 1 Indicate which file extensions to block and not serve to the client. a. On the Scanning Behavior page, click the Policies for file types link. The Policies For File Types page displays. Locate the File extensions section.
b.
In the Block files having extensions field, enter each file extension that should be blocked, separated by semicolons. For example: .vbs; .exe In the Dont scan files having extensions field, enter each file extension that you dont want to be scanned, separated by semi-colons. For example: .gif; .tif
c. Step 2 Indicate which file extensions neednt be scanned because they are unlikely to contain viruses; these file types will be served to the client without any attempt at scanning. Step 3 Save the settings.
4 - 12
Configure the ICAP Response Policy Step 2 Launch the VPM. a. Select Configuration > Policy > Visual Policy Manager. Select Policy > Web Content Layer. b. Click Launch. The VPM appears in a new window. Step 3 Create a Web content layer. a.
b. Assign a descriptive name to the layer (for example, AVresponse). c. Step 4 Create an action for the rule. a. Click OK. Right-click the Action column; select Set. The Set Action Object dialog displays. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays. Select Use ICAP response service.
b. In the Available Services list, select the response service (created in Task 2) and click Add. c. Select Deny the client request. This option doesnt serve Web content when an error occurs during processing (for example, if the ProxyAV is down and scanning cannot be completed). The alternative (Continue without further ICAP response processing) is less secure, but it doesnt block network access if the ICAP server goes down.
a. c.
b. Click OK.
4 - 13
The Files Scanned value should increment as clients make Web requests. (The browser must be explicitly or transparently redirected to the ProxySG appliance.) a. Step 4 Verify that the ProxyAV is configured to log ICAP requests. b. (You will check the log history later to make sure the test worked.) c. Step 5 Log in to the ProxySG Management Console. Step 6 Prepare the ProxySG for test validation by enabling access logging. a. b. c. Step 7 Display the log, so that log entries can be viewed during testing. Step 8 Request an infected test file. a. b. a. Select Configuration > Access Logging > General > Default Logging. Enable the Enable Access Logging checkbox. Click Apply. Select Statistics > Access Logging > Log Tail. Click Start Tail. Open a browser that is either explicitly or transparently redirected to the ProxySG. Select Advanced > Detailed stats > Requests history. Make sure that the Collect last ___ requests field contains a value greater than 0 (zero). Click Save Changes.
Note: The file is not actually infected b. Go to http://www.eicar.org. but has a virus signature that c. Click the Anti-Malware Testfile link. identifies it as infected for testing d. Read the information about the test files, and select one purposes. of the files to download (such as eicar.com).
4 - 14
Test the Policies Step 9 Confirm that you were not provided a. with the infected file. A page should display indicating that the ProxyAV has detected a virus in the file, and that the file has been dropped.
a.
b. Verify that the access log entry for the eicar file contains an entry for virus detection.
2009-03-12 17:39:51 382 10.9.16.75 - - virus_detected PROXIED "none" http://www.eicar.org/anti_virus_test_file.htm 200 TCP_DENIED GET text/html;%20charset=%220%22 http www.eicar.org 80 /download/eicar.com.txt - txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" 10.9.16.76 1000 383 "EICAR test file"
a. c. e.
Go to the ProxyAV browser window. Click Refresh Now. Verify that the Result field contains VIRUS.
b. Select Advanced > Detailed stats > Requests history. d. Locate the request for the eicar file.
Step 12 Request the same infected test file a. and verify that ProxySG doesnt b. send a previously-scanned object to c. the ProxyAV since the response for the object is now in the ProxySGs cache.
Request the same infected test file. Go to the ProxyAV Requests History window. Click Refresh Now and verify that there is NOT a second request for the eicar file. (Since the response for the object was served from the ProxySG cache, it should not have been sent to the ProxyAV for scanning.)
4 - 15
4 - 16
This chapter describes different ways to monitor ICAP scanning on the ProxySG, on the ProxyAV, and in Blue Coat Reporter. It includes the following topics:
Displaying ICAP Graphs and Statistics on the ProxySGon page 5-2 Monitoring ICAP-Enabled Sessions on the ProxySGon page 5-5 Viewing Statistics on the ProxyAVon page 5-8 Creating Anti-Malware Reports in Blue Coat Reporteron page 5-10
5-1
Table 5-1
Statistic Plain Requests Secure Requests Deferred Requests Queued Requests Successful Requests Failed Requests Bytes Sent
Definition ICAP scanning transactions that are not encrypted ICAP scanning transactions that are encrypted and tunneled over SSL ICAP scanning transactions that have been deferred until the full object has been received ICAP scanning transactions that are waiting until a connection is available ICAP scanning transactions that completed successfully ICAP scanning transactions that failed because of a scanning timeout, connection failure, server error, or a variety of other situations Bytes of ICAP data sent to the ICAP service or service group Note: Bytes Sent does not include secure ICAP traffic.
Bytes of data received from the ICAP service or service group Number of connections between the ProxySG and the ProxyAV across which plain ICAP scanning requests are sent Note: This statistic is not tracked for service groups.
Secure Connections
Number of connections between the ProxySG and the ProxyAV across which encrypted ICAP scanning requests are sent Note: This statistic is not tracked for service groups.
5-2
Display ICAP Graphs on the ProxySG Step 2 Select Statistics > ICAP. The ICAP statistics screen displays.
Step 3 Choose what you want to graph. Choose one of the following: Step 4 Select the time period to graph.
From the Duration drop-down list, choose from Last Hour, Last Day, Last Week, Last Month, or Last Year.
ICAP transactions
Bytes Bytes sent to the ICAP service and received from
the ICAP service Each statistic displays as a different color on the stacked bar graph. By default, all relevant statistics are displayed. Step 6 Select the name of what you want to In the Name column in the table beneath the graph, select graph. one of the following:
Select the service name. Select the service group name. Select the Totals row (graphs all services or service
groups) Step 7 (Optional) Disable checkboxes For example:
Additional Information While the ICAP statistics screen is displayed, you can view new graphs by selecting different services,
service groups, time periods, or graph types.
5-3
Graphs automatically refresh every minute. This may be noticeable only on graphs with the Last Hour
duration.
To see the actual statistics associated with a bar on the graph, hover the mouse pointer anywhere on the
bar. A box showing the statistics and total appears at the mouse pointer.
Step 2 Choose what you want to graph. Choose one of the following: Step 3 Select the time period to graph.
From the Duration drop-down list, choose from Last Hour, Last Day, Last Week, Last Month, or Last Year.
For the time period you selected, the ProxySG displays statistics for individual services as well as totals for all services.
5-4
Type of ICAP service: REQMOD (request) or RESPMOD (response) Service name ICAP status (for example, display only the deferred connections)
Note that these additional filters are optional. If you leave all the options set to Any, all ICAP-enabled sessions will be displayed.
Step 4 (Optional) Filter by type of ICAP Choose REQMOD or RESPMOD. Or choose Any to display both types of services. service. Step 5 (Optional) Filter by service name. Select the service name from the Service drop-down list, or choose Any to display all services.
connections to view.
Select Display the most recent and enter a number in the results field. This helps optimize performance when there is a large number of connections.
5-5
List ICAP-Enabled Sessions Step 8 (Optional) View only the current Select Show errored sessions only.
sessions.
Click Show. The Proxied Sessions table displays the ICAP-enabled sessions.
Of particular interest in the Proxied Sessions table is the ICAP (I) column. This column indicates the status of the ICAP-enabled session, with unique icons identifying the ICAP status. Table 6-2 describes each of the ions.
Table 5-2 ICAP Icons
(arrow)
(clock)
Deferred ICAP scanning requests have been deferred until the full object has been received Completed ICAP scanning requests completed successfully
(checkmark)
(i)
no icon
Additional Information
Icon TooltipsWhen you mouse over an ICAP icon, a tooltip displays details about the session:
The type of ICAP service (REQMOD and/or RESPMOD) The name of the service The ICAP state (transferring, deferred, scanning, or completed), for example:
REQMOD Service: icap1 (completed)
5-6
When only one type of service is used for a session, the tooltip indicates whether the other type is
inactive or unsupported, for example:
RESPMOD Service: inactive
SortingIf you click the I column heading, the sessions are sorted in the following order:
5-7
a. b.
the interval
Connections: Maximum number of concurrent
during the interval For each type of statistic, graphs of three time periods are shown: last 60 minutes, last 24 hours, and last 30 days. Heres an example of the ICAP Objects graph for the last 60 minutes:
5-8
View Statistics on the ProxyAV Step 5 Display details on the objects the ProxyAV is currently scanning. a. Select Advanced > Detailed stats. The following details are displayed:
Concurrent connections: Current number of connections
to the ProxyAV.
Total objects being processed: Number of objects the ProxyAV is currently scanning.
b. Click Refresh Now to see detailed statistics of the objects currently being scanned.
Step 6 Display the results of past anti-virus a. Select Advanced > Detailed stats. scans. b. Select Requests History. c. In the Collect last ___ requests field, enter the number (0-1000) of requests to display in the list. When the number is set to zero, request logging is disabled. Click Refresh Now to obtain the most current data about processed requests.
5-9
Report Name ICAP virus IDs ICAP virus URL ICAP virus user detail
Description Lists the IDs of detected viruses Lists the URL associated with each detected virus Lists the clients login name or IP address associated with each detected virus
Malware Requested Blocked by Lists all URLs that were blocked because of Site suspected malware presence Potential Malware Infected Clients Lists all client IP addresses that might be infected by malicious content This data is derived by the URLs requested by each client.
9.1
ProxyAV Malware Detected: Client IP ProxyAV Malware Detected: Names ProxyAV Malware Detected: Site
Lists each instance of malware encountered during employee Web browsing, based on the client IP address that browsed the URL Lists the name of each malware code encountered during employee Web browsing Lists all URLs that were detected as suspected malware sources
9.1 9.1
5 - 10
Additional Configuration
This chapter describes techniques for improving the user experience during ICAP scanning (via patience pages or data trickling), ways to notify administrators about detected viruses, and several additional ICAP policies that you can implement. It includes the following topics:
Improving the User Experienceon page 6-2 Getting Notified about Detected Viruseson page 6-7 Implementing Response and Request (Two-Way) ICAPon page 6-10 Creating User-Based ICAP Policyon page 6-14
6-1
Additional Configuration
Patience pages are displayed to the user if an ICAP content scan exceeds the specified duration. Two other techniques for mitigating scanning delays are data trickling and deferred scanning. All three of these techniques are discussed below.
This feature is supported for the HTTP proxy only; data trickling for FTP connections is not supported.
6-2
Additional Configuration
If the object is deemed to be clean (no response modification is required), the ProxySG sends the rest of
the object bytes to the client at the best speed allowed by the connection.
If the object is deemed to be malicious, the ProxySG terminates the connection and the remainder of the
response object bytes are not sent to the client. Deployment Notes
This method is the more secure option because the client receives only a small amount of data pending
the outcome of the virus scan.
One drawback is that users might become impatient, especially if they notice the browser display of
bytes received. They might assume the connection is poor or the server is busy, close the client, and restart a connection.
Blue Coat recommends this method for media content, such as Flash objects. This method is more user-friendly than trickle at start because users tend to be more patient when they
notice that 99 percent of the object is downloaded. Therefore, they are less likely to perform a connection restart. However, network administrators might perceive this method as the less secure method, as a majority of the object is delivered before the results of the ICAP scan.
Blue Coat defines interactive as the request involving a Web browser. Web browsers support data
trickling and patience pages.
Non-interactive traffic originates from non-browser applications, such as automatic software download
or update clients. Such clients are not compatible with patience pages; therefore, data trickling or no feedback are the only supported options. Based on whether the requirements of your enterprise places a higher value either on security or availability, the ProxySG allows you to specify the appropriate policy.
6-3
Additional Configuration
available)
Trickle object data from start (more secure form of
trickling)
Trickle object data at end (this form of trickling provides
a better user experience) a. Step 4 For non-interactive traffic, specify the amount of time to wait before notifying a client than an ICAP scan is occurring. Locate the ICAP Feedback for Non-Interactive Traffic section.
Click Apply.
These settings are global. You may want to define additional feedback policy that applies to specific user and conditional subsets. In the Visual Policy Manager, the object is located in the Web Access Layer: Return ICAP Feedback.
6-4
Additional Configuration
To customize the text on HTTP and FTP patience pages, select Configuration > External Services > ICAP >
ICAP Patience Page.
6-5
Additional Configuration
b.
a. b.
6-6
Additional Configuration
The ProxySG and the ProxyAV each have facilities for notifying network administrators about detected viruses. Because the ProxyAV has options for notifying administrators about blocked and unscanned files, in addition to detected viruses, this section focuses on configuring notification on the ProxyAV.
Configure Alert Settings on the ProxyAV Step 1 Log in to the ProxyAV Management Console. Step 2 Specify e-mail addresses. a. Select Alerts > Alert Settings. b. In the Send e-mail address field, enter the source mail address to use for alert e-mails. (This address will appear in the From field of the e-mail.) For example: proxyav123@company.com c. In the Recipient e-mail address field, enter the addresses of the people who should receive the alert e-mails, with each address separated by a comma. For example: user1@company.com,user2@company.com, consultant@another.com In the SMTP server address field, enter the IP address for the server.
a.
b. If your server requires that POP authentication be used, select SMTP Authorization (POP-Before-SMTP) Enabled, and then enter the authentication information. Step 4 Save the settings. Click Save Changes.
6-7
Additional Configuration
b.
After configuring the alert settings and selecting the types of alerts you want to be notified about, the configured recipients will receive e-mail messages to alert them of detected viruses, blocked files, and any other events you have configured. In addition, an entry will be added to the alert log.
6-8
Additional Configuration
6-9
Additional Configuration
6 - 10
Additional Configuration
b. In the Available services list, select the response service (created in Task 1) and click Add. c. Select Deny the client request. d. Click OK; click OK again to add the object.
b. Assign a descriptive name to the layer (for example, DLP). c. Click OK.
6 - 11
Additional Configuration
Configure the ICAP Request Policy Step 2 Create an HTTP/HTTPS service object for the request policy. a. b. c. Right-click the Service column; select Set. The Set Service Object dialog displays. Click New. Select Protocol Methods. The Add Methods Object dialog displays.
d. Name the protocol method HTTP and select HTTP/HTTPS from the Protocol list. e. In the Common methods section, select the POST and PUT checkboxes, and click OK.
a. b. c.
In the Set Action Object dialog, click New. Select Protocol Methods. The Add Methods dialog displays. Name the protocol method FTP and select FTP from the
Protocol list.
d. In the Commands that modify data section, select the STOR checkbox, and click OK.
In the Set Action Object dialog, click New. Select the HTTP object and click Add. Select the FTP object and click Add. Click OK again to set the Combined Service object as the Web Access Layer service.
d. Click OK.
6 - 12
Additional Configuration
Configure the ICAP Request Policy Step 5 Set the action for the Request policy. a. Right-click the Action column and select Set. b. Click New and select Set ICAP Request Service. The Add ICAP Request Service Object dialog appears. c. e. Select the DLP ICAP Request service and click Add. Click OK again. d. Click OK.
a. c.
b. Click OK.
6 - 13
Additional Configuration
Note
6 - 14
Additional Configuration
Create a Virus Scanning Rule that Fails Open Step 3 Create an action for the rule. a. Right-click the Action column; select Set. The Set Action Object dialog displays. Select Set ICAP Response Service. The Add ICAP Response Service Object dialog displays. Select Use ICAP response service.
b. In the Available Services list, select the response service (created in the previous task) and click Add. c. Select Continue without further ICAP response processing.
b. Click New. c.
6 - 15
Additional Configuration
Create a Rule that Prompts for Web Authentication Step 4 Specify the realm name for authentication. a. b. In the Name field, accept the proposed name or type a descriptive name for the object. In the Realm drop-down list, select the name of the previously-configured realm.
c.
f.
6 - 16
Additional Configuration
Create Rules for Allowing/Denying Access to Blocked File Types Step 4 Create a service object based on an ICAP error code. a. Right-click the Service column; select Set. The Set Service Object dialog displays. Select ICAP Error Code. The Add ICAP Error Code Object dialog displays.
b. Click New. c.
e. f.
Select File Type Blocked from the list of Available Errors. Click Add. File Type Blocked moves into the Selected Errors list.
g. In the Name field, change the name to ICAPError_FileTypeBlocked. h. Click OK; click OK again to add the object. Step 5 Indicate that this user should be a. allowed access to blocked file types. Right-click the Action column; select Allow. The Set Service Object dialog displays. The rule should look similar to the following:
Step 6 In the same Web access layer, create a. Click Add Rule. A new rule row displays. a rule for another user/group. This b. Right-click the Service column; select Set. The Set rule will deny access to the Service Object dialog displays. user/group. c. From the existing service objects, select
ICAPError_FileTypeBlocked.
d. Click OK to add the object. The rule should look similar to the following: Note that the default action is Deny, so it is already correctly set. Step 7 Create other users/groups to whom Follow the above steps to create appropriate rules in the you want to allow or deny access. Web access layer. Step 8 Install the policy (all layers). a. c. Click Install Policy. Close the VPM window. b. Click OK.
6 - 17
Additional Configuration
Once this policy is in place, users may be prompted to enter their credentials upon opening a Web browser; some realms may authenticate without prompting. Users who have an Allow rule will be able to access URLs that point to blocked file types or have archive files containing a blocked file type (for instance, a ZIP file that contains an EXE file). Users who have a Deny rule will see a screen similar to the following when attempting to access a blocked file type:
6 - 18
This chapter describes how to set up load balancing of scanning requests when your deployment includes multiple ProxyAV appliances. It includes the following topics:
About Service Groupson page 7-2 Creating an ICAP Service Groupon page 7-5 Creating Load Balancing Policyon page 7-6
7-1
Legend: A: AV1; a ProxyAV with 10 maximum connections and a specified weight of 1. B: AV2; a ProxyAV with 10 maximum connections and a specified weight of 1. C: AV3, a ProxyAV with 25 maximum connections and a specified weight of 3. D: A ProxySG with a Service Group named AV_Reponse that contains AV1, AV2, and AV3. Figure 7-1 ICAP service group of three ProxyAV ICAP servers.
Your anti-malware deployment can have multiple ProxySG appliances, each using an identical ICAP service group of multiple ProxyAV appliances. To help distribute and balance the load of scanning requests when the ProxySG is forwarding requests to multiple services within a service group, the ProxySG uses an intelligent load balancing algorithm. When deciding which service in the service group to send a scanning request, this algorithm takes into consideration the following factors:
Number of requests that are in a waiting state on each service (a request is in this state when it has
been sent to the service but the response hasnt been received)
Number of unused connections available on each service (calculated by subtracting the number of
active transactions from the connection maximum on the server)
7-2
Weighting
Weighting determines what proportion of the load one ProxyAV bears relative to the others. If all ProxyAV servers have either the default weight (1) or the same weight, each share an equal proportion of the load. If one server has weight 25 and all other servers have weight 50, the 25-weight server processes half as much as any other server. Before configuring weights, consider the capacity of each server. Factors that could affect assigned weight of a ProxyAV include the following:
The processing capacity of one ProxyAV in relationship to other ProxyAV appliances (for example, the
number and performance of CPUs or the number of network interface cards).
The maximum number of connections configured for the service. The maximum connections setting
pertains to how many simultaneous scans can be performed on the server, while weighting applies to throughput in the integration. While these settings are not directly related, consider both when configuring weighted load balancing.
Note
External services (ICAP, Websense off-box) have a reserved connection for health checks. This means that as the load goes up and the number of connections to the external service reaches the maximum, with additional requests being queued up and waiting, the maximum simultaneous connections is actually one less than the limit.
Having appropriate weights assigned to your services is critical when all ProxyAV servers in a service group become overloaded. As servers reach their capacity, proper weighting is important because requests are queued according to weight. One technique for determining weight assignments is to start out by setting equal weights to each service in a group; then, after several thousand requests, make note of how many requests were handled by each service. For example, suppose there are two services in a group: Service A handled 1212 requests, Service B handled 2323. These numbers imply that the second service is twice as powerful as the first. So, the weights would be 1 for Service A and 2 for Service B. Setting the weight value to 0 (zero) disables weighted load balancing for the ICAP service. Therefore, if one ProxyAV of a two-server group has a weight value of 1 and the second a weight value of 0, should the first ProxyAV go down, a communication error results because the second ProxyAV cannot process the request.
Load Balancing
When load balancing between services, how does the ProxySG decide which ICAP service to send a scanning request to? For each service, it calculates an index by dividing the number of waiting transactions by the server weight (think of this as wait/weight). The ICAP service with the lowest index value will handle the new ICAP action, assuming that the service has an available connection to use. If it doesnt, it will send the request to the service with the next lowest index value that has a free connection. Load will be distributed among services proportionally according to their configured weights until the maximum connection limit is reached on all services.
Example 1
Service A and B are in the same service group.
7-3
Service A can handle up to 50 connections, is assigned a weight of 1, has 17 active transactions, with 5
transactions in the waiting state. The index is calculated by dividing the wait by the weight: 5/1 = 5.
Service B can handle up to 100 connections, is assigned a weight of 2, has 17 active connections, with 15
waiting transactions. The index is 15/2 = 7.5. Which service will the ProxySG assign the next ICAP action? Service A because it has a lower index.
Example 2
Service C and D are in the same service group.
Service C can handle up to 5 connections, is assigned a weight of 1, has 5 active transactions, with 1
transaction in the waiting state. The index is 1/1=1.
Service D can handle up to 10 connections, is assigned a weight of 1, has 7 active transactions, with 5
waiting transactions. The index is 5/1=5. To which service will the ProxySG assign the next ICAP action? Although Service C has a lower index than Service D, it doesnt have any available connections; therefore, the ProxySG will assign the next ICAP action to Service D which has several free connections.
7-4
c.
From the list of existing services, select the ones to add to this group. Hold the Control or Shift key to select multiple services. Select a service and click Edit; the Edit Service Group Entry weight dialog appears.
d. Click OK to add the selected services to the group. Step 4 Assign weights to services. a.
b. In the Entry Weight field, assign a weight value. The valid range is 0-255. c. e. f. Repeat steps a and b for other services, as required. Click OK again to close the Edit Service Group Entry dialog. Click Apply. d. Click OK to close the dialog.
7-5
c.
Select Deny the client request. Click Install Policy. Click OK. Close the VPM window.
d. Click OK; click OK again to add the object. Step 6 Install the policy. a. b. c.
Result: Using the ICAP load balancing policy, the ProxySG sends ICAP response modification requests to ProxyAV appliances in the service group. The load carried by each ProxyAV in the group is determined by the weight values.
7-6
This chapter describes how to use two ProxyAV appliances to provide redundancy in case the primary ProxyAV fails. It includes the following topics:
About ProxyAV Failoveron page 8-2 Creating ProxyAV Failover Policyon page 8-3
8-1
Failover is configured as part of the ICAP policy definition. You cannot configure failover policy until ICAP services are configured on the ProxySG. To avoid errors, ICAP service names cannot be named fail_open or fail_closed (the CLI commands
prevent these names from being created).
8-2
b. In the Available services list, select the primary ProxyAV service and click Add. c. In the Available services list, select the secondary (standby) ProxyAV service and click Add.
d. Select Deny the client request. e. Step 6 Install the policy. a. c. Click OK; click OK again to add the object. Click Install Policy. Close the VPM window.
b. Click OK.
8-3
Result: Using the ICAP failover policy, the ProxySG sends all ICAP response modification requests to the primary ProxyAV. If this appliance fails, the ProxySG sends all requests to the standby ProxyAV until the primary appliance is healthy again.
8-4
This chapter describes strategies for improving scanning performance. It includes the following topics:
9-1
9-2
Configure ICTM on the ProxyAV Step 3 Define what you consider to be a slow download. Blue Coat recommends the default of 60 seconds. The larger the value, the more resources are wasted on suspected infinite stream URLs. Conversely, lower values might tag the downloads of large objects as slow, thus targeting them for termination before the download is complete. Step 4 Specify warning threshold parameters. If desired, modify the default setting (60) in the ICAP
connections are considered slow when the download exceeds ___ seconds field.
a.
In the Log a warning when more than ___ connections are slow field, enter the number of concurrent slow connections at which the ProxyAV will send a warning message. The default setting is 70% of the recommended maximum ICAP connections for the ProxyAV platform.
b. To send an e-mail warning when this threshold is reached, make sure the Send an alert when warning level is reached checkbox is selected. The e-mail is sent to recipients specified on the Alerts > Alerts Settings page. If you clear this option, no warning is sent and nothing is logged in the AlertLog file. c. In the Repeat warning alert every ___ minutes field, enter the interval, in minutes, that the ProxyAV repeats the warning messages if the threshold remains breached. In the Drop older "slow" connections when more than ___ connections are slow field, enter the number of concurrent slow connections at which the ProxyAV will start dropping connections to maintain a level below the critical threshold. Oldest connections are dropped first. This value must be larger than the warning threshold (Step 4). The default setting is 90% of the recommended maximum ICAP connections for the ProxyAV platform.
a.
b. Just as for the warning threshold (Step 4b), you can select to send an alert to administrators for each connection that is dropped. Step 6 Save the settings. Click Save Changes.
9-3
In addition to enabling ICTM, you should also implement a policy to control scanning of infinite streams. The example policies below offer two different approaches and are not intended to co-exist. Select only one.
or refer to the text after this procedure. b. c. Save the file to your desktop or other convenient location. Modify the policy to meet your requirements. For example, you can add URL domains that you know contain infinite streams.
Step 2 Log in to the ProxySG Management Console. Step 3 Install the policy file. a. b. c. Select Configuration > Policy > Policy Files. From the Install Local File from drop-down list, select Text Editor. Click Install. A browser window displays the Edit and Install the Local Policy File page. Return to the Edit and Install the Local Policy File page, and paste the contents of the file at the end of the local policy file on your ProxySG. Click Install. A dialog displays, informing you whether the installation was successful. If necessary, correct any errors in the file and reinstall it.
f.
9-4
9-5
request.header.User-Agent="forest" request.header.User-Agent="Scottrader" request.header.User-Agent="SVN" end condition MissBehaving_Old_UserAgents define condition HTTPv0.9_UserAgents http.response.version=0.9 condition=MissBehaving_Old_UserAgents end condition HTTPv0.9_UserAgents define condition NOICAP condition=VIDEO_AUDIO_with_NO_or_LARGE_CONTENT_LENGTH condition=HTTPv0.9_UserAgents condition=UserAgents_with_NO_or_LARGE_CONTENT_LENGTH ; Yahoos stock ticker problem -15sep06 url.domain=//streamerapi.finance.yahoo.com url.domain=//stream.aol.com url.domain=//finance.google.com ; Other streaming media exceptions url.domain=//youtube.com url.domain=//pandora.com end condition NOICAP ; -------------End ICAP Best Practices-------------------------
or refer to the text after this procedure. b. c. Save the file to your desktop or other convenient location. Replace <resp_service> with the name of your ICAP response service name.
d. Modify the policy to meet your requirements. Step 2 Log in to the ProxySG Management Console.
9-6
Install a No Scan Policy for Slow Downloads Step 3 Install the policy file. a. Select Configuration > Policy > Policy Files. b. From the Install Local File from drop-down list, select Text Editor. c. Click Install. A browser window displays the Edit and Install the Local Policy File page. Return to the Edit and Install the Local Policy File page, and paste the contents of the file at the end of the local policy file on your ProxySG. Click Install. A dialog displays, informing you whether the installation was successful. If necessary, correct any errors in the file and re-install it.
f.
9-7
Table 9-1
Web Content Layer with a rule to negate the low-risk file extension.
9-8
Table 9-2
9-9
Use trickle_end if you want the data trickling to occur at the end of the download.
9 - 10
10
Troubleshooting
This chapter provides solutions to problems customers may have when integrating the ProxySG and ProxyAV anti-malware solution. It includes the following topics:
The ProxyAV isnt Scanning Web Trafficon page 10-2 Users Cant Access Any Web Siteson page 10-3 ProxySG Runs Out of Memory During Heavy Traffic Loadon page 10-5 Scans are Taking Too Longon page 10-5 My ProxyAV isnt Getting Virus Updateson page 10-6
10 - 1
Troubleshooting
Did you create an ICAP service on the ProxySG? (See "Task 2: Create the ICAP Service" on page 4-4.) Does the ICAP service have the correct URL of the ProxyAV? Does the URL include the same antivirus
service name specified on the ProxyAV? If you changed the antivirus service name from its default (avscan), you must make sure to include this same name as part of the Service URL for the ICAP service on the ProxySG. The Service URL should look something like this:
Did you create a policy for the ICAP service? (See "Task 3: Create Malware Scanning Policy" on page
4-8.)
10 - 2
Troubleshooting
Solution 1: If the ProxyAV is down and your ICAP policy is set to Deny the client request if an error occurs during ICAP processing, users will not be able to browse the Internet all requests will be denied. Thus, if you have created your ICAP policy on the ProxySG before setting up the ProxyAV, users will not have Web access. Therefore, its important to have the ProxyAV up and running before you install the ICAP policy.
To avoid the inevitable support calls that result from lack of Web access when the ProxyAV is down, you may want to consider changing the ICAP policy to Continue without further ICAP response processing. With this setting, users will be able to browse the Internet when the ProxyAV is down. However, this opens up the network to potential viruses being downloaded during the ProxyAV downtime. (Although desktop virus scanners might prevent this.) Solution 2: This problem can also be caused by inconsistent secure ICAP settings for the ICAP service, ProxyAV, and ICAP policy. If you want to use secure ICAP for HTTPS, you need to enable it in all three places. The following series of screenshots shows the proper settings that should be in place to allow users to browse secure Web sites (scanned with secure ICAP) and non-secure Web sites (scanned with plain ICAP).
Figure 10-1
10 - 3
Troubleshooting
Figure 10-2
Figure 10-3
Secure ICAP enabled in the policy for the ICAP response service (configured in the VPM)
Solution 3: This problem can be caused by incorrect SSL configuration for secure ICAP. Make sure you have followed the steps below: 1. 2. 3. 4. Copy the ProxyAV appliance certificate (Advanced > SSL Certificates). Import the ProxyAV appliance certificate as a CA certificate on the ProxySG (Configuration > SSL > CA
Certificates > Import).
Create a new CA certificate list specifically for secure ICAP and add the ProxyAV CA certificate created in step 2 (Configuration > SSL > CA Certificates > CA Certificate Lists > New). Create a new SSL device profile for secure ICAP. Select the default keyring and the CCL you created in step 3 (Configuration > SSL > Device Profiles > New).
5.
Configure the ICAP service to use the SSL device profile created in step 4 (Configuration > External
Services > ICAP > Edit).
Solution 4: The anti-virus license could be invalid or expired. To check the status of the anti-virus license on the ProxyAV, click Antivirus.
10 - 4
Troubleshooting
If you have two ProxySGs sending ICAP requests to a single ProxyAV, you also need to be careful about not setting too high of a value for Maximum number of connections. If the Sense settings button determines that the maximum number of connections is 10, you should divide this value by two, and enter this setting on each of the ProxySGs.
10 - 5
Troubleshooting
Solution 2: Each anti-virus vendor provides pattern file updates that necessarily contain portions (or descriptions) of viruses. Generally, these virus segments are encoded and are too small to be mistaken as a true virus by other AV vendors. But occasional false positives occur. These can be prevented by exempting virus pattern update locations from scanning, as the following example policy illustrates (place this policy after all other ICAP policies on the ProxySG): <cache> url.host=download.bluecoat.com response.icap_service(no) url.host=av-download.bluecoat.com response.icap_service(no)
10 - 6