Explicit Proxy Solution
SGOS 6.5
Third Party Copyright Notices
2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE,
POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS
APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the
Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of
Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the
absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using
the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective
owners. This document is for informational purposes only.
Americas:
Sunnyvale, CA 94085
Deploy an Explicit Proxy
Note: You can configure user agents such as browsers, e-mail clients, FTP clients, and client-side
applications. Because browsers are by far the most widely used user agents in a typical network, this solution covers
how to configure them for explicit proxy.
For allowed transactions, the appliance either services the user's request from a cached version of the page stored on the
appliance's disk, or it connects to the OCS to retrieve the content to cache and serve to the user.
1. A user enters a URL in the browser's address bar. (This browser has already been configured to send traffic to the
appliance explicitly.)
2. The browser connects to the proxy service and sends the user request. The destination IP address is that of the
ProxySG appliance.
3. The appliance examines the request details (client IP, username/group if configured, URL, path, category) and
compares them against allow and deny policy. Based on proxy service and policy settings, the appliance allows
this request.
4. The ProxySG forwards the user's request to the OCS. The source IP address of the request is that of the
appliance.
5. When the OCS responds, the appliance adds the content to its cache and forwards the response to the user.
Blue Coat Security First Steps
1. A user enters a URL in the browser's address bar. (The browser has already been configured to send traffic to the
appliance explicitly.)
2. The browser connects to the proxy service and sends the user request. The destination IP address is that of the
ProxySG appliance.
3. The appliance examines the request details (client IP, username/group if configured, URL, path, category) and
compares them against allow and deny policy. Based on proxy service and policy settings, the appliance denies
this request.
4. The appliance sends the user an exception page providing details on why the request was denied.
Whether an explicit deployment is appropriate for your organization could depend on business and security policy. You
should analyze your requirements to determine if explicit deployment is appropriate for you. For example, the deployment
type that best suits your needs could depend on whether your organization has a "bring your own device" (BYOD) policy.
To configure your network for explicit proxy, select a method for deploying proxy settings to users, and then verify
that client connections are proxied explicitly.
1. Configure the Explicit HTTP services to intercept. See Set Services to Intercept - Explicit Proxy for instructions.
2. Make sure that clients can access the Internet only by going through the appliance. Configure the firewall to restrict
outbound access to ports 80, 443, and 21 to the appliance's IP address.
Refer to your firewall documentation if you require more information.
3. Determine which method to use to set up the explicit proxy; refer to the following table.
Tip Depending on your network configuration and users' requirements, you might want to use more than one of the
methods described above to deploy proxy settings. For example, you could use a PAC file for all client workstations
in the network, but have users manually configure the browsers on their laptops.
Select the appropriate browser for instructions. If users use a different version, instructions might differ slightly.
3. On the Connection Settings dialog that appears, select Manual proxy configuration.
8. (If necessary) Select your active network interface (usually Ethernet or Wi-Fi).
9. Select Advanced.
14. Under Web Proxy Server, enter the ProxySG appliance IP address and port.
- a read-only default PAC file, which specifies to use the appliance as the proxy server:
http://<ProxySG_IP_address>:<port>/proxy_pac_file
- an editable PAC file, which specifies when to use the appliance as the proxy and which ports to use for specific
types of requests, as well as when to connect directly to the origin content server (OCS):
http://<ProxySG_IP_address>:<port>/accelerated_pac_base.pac
Caution: The PAC file is written in JavaScript. You should be familiar with JavaScript functions before attempting
to edit the file.
Refer to this example of an edited PAC file. The PAC file contents in the example are as follows:
- If the hostname matches yourdomain.com anywhere in the URL, redirect requests to 198.51.100.0; if the proxy
can't be reached, go direct
- Take the same action if the URL matches the specified ftp, images, or graphics URLs
- If the request contains a Windows Media protocol (mms or rtsp), redirect to 198.51.100.1 or 198.51.100.2
respectively; if the proxy can't be reached, go direct
- If the request is for streaming media on yourdomain.com, redirect to 198.51.100.3; if the proxy can't be reached, go
direct
- If the hostname is not a fully-qualified domain name (FQDN), is an internal FQDN, or is any host in the
altyourdomain.com domain, go direct
- If none of the previous conditions apply, redirect to 198.51.100.10; if the proxy can't be reached, go direct
After you edit the accelerated PAC file you can load it directly on the appliance; see Deploy the PAC File from the
ProxySG Appliance.
- Serve the PAC File from a Web Server - Upload the file to an internal web server, and then download the file to the
appliance.
- Specify the PAC File Location in the Browser - Upload the file to an internal web server, and then instruct users to
specify the URL to the file in the browser.
Use this method if you plan to create your own PAC file and deploy it from the appliance.
where:
- <PAC_file_contents> is the PAC file contents you copied in step 3; paste the contents here
- <eof> is an end-of-file marker; choose one that does not match any string in the PAC file itself
6. The CLI responds ok.
For an explanation of the contents of the file in this example, see Edit the Accelerated PAC File.
You can upload the edited PAC file to your internal web server and then instruct the ProxySG appliance to download it
from the web server.
Note: Before proceeding, ensure that read permissions are set on the web server so the appliance can read the
PAC file.
In addition, configure the web server with one of the MIME types for PAC files:
application/x-ns-proxy-autoconfig
application/x-javascript-config
If the MIME type is not configured for .pac extensions, users may experience connection issues.
If you want certain users or groups of users to use the same PAC file, you can instruct them to specify the location of the
PAC file in their browsers.
Note: Configure the web server with one of the MIME types for PAC files:
application/x-ns-proxy-autoconfig
application/x-javascript-config
If the MIME type is not configured for .pac extensions, users may experience connection issues.
The browser can retrieve the PAC file URL via DHCP option 252 if your DHCP server is configured to send option
252 and the host is using DHCP (as opposed to a host configured with a static IP address). For some DHCP
servers, you might have to add the entry for option 252.
7. (If necessary) Select your active network interface (usually Ethernet or Wi-Fi).
8. Select Advanced.
9. Click Proxies.
11. Enter the URL of the hosted PAC file in the URL field.
Tip If you want users' browsers to determine the location of the PAC file using DNS, you must use the Web Proxy
Auto-Discovery Protocol (WPAD) method. See Allow Browsers to Auto-Detect Settings.
Tip The appliance must be actively listening on whatever port you specify in the service. Port 80 is the
default and thus does not have to be specified in browsers; however, if you want to use a different port, you
must enable it for listening and then specify the port when configuring the explicit HTTP service. For
instructions, see Set Services to Intercept - Explicit Proxy.
<Proxy>
end
When the user launches a browser, the browser attempts to detect proxy settings and issues an HTTP GET request to the
hostname on the internal DNS server. The browser then installs the PAC file.
4. Go to various web pages using the browser. You should be able to access the web pages.
5. Use one of the following methods to verify that connections are being proxied:
l View active sessions
1. Go to various web pages using the browser.
2. View Active Sessions statistics and verify that they show explicit HTTP connections. See List
Active Sessions for a Proxy for instructions.
3. In the Client column, look for HTTP connections originating from the IP address of the ProxySG
appliance.
Requests sent to the origin content server (OCS) on behalf of the client display the ProxySG
appliance IP address in the Client column.
1. In the Management Console, select Statistics > Sessions > Active Sessions > Proxied Sessions.
2. From the Filter drop-down list, select Proxy.
4. Click Show to see the list of connections for the selected proxy.
Solution 1: The PAC file is large and has too many lines. Each line in the PAC file, including comments, is parsed each
time the browser encounters a URL on an HTML page. If your PAC file has extraneous lines, try to rewrite it to make it
more efficient.
Solution 2: The Proxy Auto-Configuration (PAC) file location was specified using a hostname, which could cause a
performance hit due to excessive DNS lookups. If you suspect this could be the cause of the issue, use an IP address for the
PAC file location.
Resolution: You updated the PAC file, but some users' browsers cached the previous PAC settings. Instruct users to do
one of the following:
Tip You can verify that requests are connecting directly by using a network monitoring utility such as TCPView.exe
to determine where the browser is redirecting.
Solution 1: If the PAC file specifies that requests go direct if the proxy server cannot be reached, verify that the proxy in
question is reachable.
Solution 2: Debug the JavaScript in the PAC file. Look for incorrect syntax and other errors.