
ProxySG TechBrief – Content Filter Override

What is Password Content Filter Override?


Many organizations implement content filtering solutions to control employee Web access.
In some cases, however, blocked categories need to be allowed for certain users as an
exception to the rule. The Blue Coat ProxySG allows you to define an exception policy based on
a shared password. This specialized Blue Coat policy, known as a password content filter
override, is “static” and is managed and enabled by a company’s security administrator. The
content filter override feature allows employees to view their own restrictions in terms of Web
access. Users can be blocked from accessing certain categories. However, designated users can
access a blocked site by entering the shared password that has been previously defined.

This TechBrief describes how coaching (user instructions) can be implemented using the Blue
Coat Content Policy Language (CPL) feature set to allow specific users access to normally
blocked sites.

How does Password Content Filter Override work?


The Blue Coat coaching policy is based on:

- A custom error page that provides a link that will authorize access to blocked Web sites
- A policy based on “cookie” and “referrer header” to secure authenticated access

Note: Coaching with the Blue Coat appliance only works with HTTP.

When users click on the predefined coaching link, they are redirected to where they will be
authorized to access the site via a ‘Set Cookie’ mechanism.

Custom Error Page


When a user attempts to access a Web site that has been blocked by the company, the custom
error page is generated as shown later. The HTML page is also customized to add a form that
requests http://requestedsite/?bcovcf=password so that users needing access to the site will be
prompted to enter a password.

When the user enters the password, the password content filter override policy is applied, as
explained in the next section. The following Blue Coat CPL (Content Policy Language) can be
used for defining the coaching page and will prompt a user to enter a special password to gain
access to the particular Web site:

UFS_SMARTFILTER_DENIED
{
http
{
http_rsp_403
HTTP_HDR_NOCACHE
HTTP_HDR_CONTENT_LENGTH
HTTP_HDR_CONTENT_TYPE "text/html"
}

content
{
<head>
<title>Deferred Access Policy </title>
<meta name="author" content="Blue Coat Systems">
<meta name="description" content="Deferred Access Policy">
</head>
<body>
<center>
<p>
<font face="Arial, Helvetica, sans-serif" size="4"
color="Red"><b>ACCESS TO THE URL: $(URL:Full)
<br>HAS BEEN BARRED UNDER COMPANY POLICY ON USAGE OF THE
INTERNET, OR TO PREVENT EXCESSIVE DEMAND CONFLICTING WITH CORE
BUSINESS ACTIVITIES.</b></font>
<br>
<font face="Arial, Helvetica, sans-serif" size="4"
color="Red">INTERNET USAGE IS ROUTINELY MONITORED AND
LOGGED.</font>
<p>
<font face="Arial, Helvetica, sans-serif" size="3"
color="Red"><b> Your IP address: $(CLIENT:IP)<br>Your username:
$(CLIENT:ProxyUser)<br> The URL is:$(URL:Full)<br>The category of
this URL is:$(UFS:Category)</b></font>
<p>
<font face="Arial, Helvetica, sans-serif" size="4"
color="red">STAFF WHO IGNORE THIS WARNING AND PERSIST IN REPEATED
ATTEMPTS TO ACCESS BARRED SITES WILL BE TRACED AND REPORTED TO
THEIR MANAGER FOR DISCIPLINARY ACTION.</font>
<p>
<FORM action="/" method="get">
<table border=1 cellspacing=0 cellpadding=8><tr><td nowrap>
If you have a legitimate reason to access this site please enter
your access password or email <A
href='mailto:yogi@cacheflow.com?subject=Barred web page
$(URL:Full) category: $(UFS:category), IP address: $(CLIENT:IP),
User ID: $(CLIENT:ProxyUser)'>Customer Service Centre </a>
<br>
<p>
Enter your password:
<INPUT type="password" name="bcovcf" size=15>
<INPUT type="submit" value="Submit Password">
</td></tr></table> </FORM>
</center>
</body>
}
}

Password Content Filter Override Policy


The following example was also written using the Blue Coat Content Policy Language (CPL) and
can be appended to your existing policy definitions. Be sure to have a backup of your existing
policy definitions before making any changes or additions to your existing policy.

The password content filter override policy is an example of how the categories WEBMAIL and
GAMBLING are controlled.

<Proxy>
; A browser presenting the override cookie "blue" has already supplied the password
ALLOW response_header.location="" request_header.Cookie="blue"
ALLOW condition=referrer_yes request_header.Cookie="blue"
; The password submission itself (form field bcovcf) is let through
ALLOW condition=referrer_yes url_query_regex="bcovcf=robert"
condition=is_html block_category(webmail,sex,nudity,gambling)

<Cache>
; A correct password triggers the redirect and Set-Cookie defined in action red2
url_query_regex="(^|\?)bcovcf=robert$" action.red2(yes)

define condition is_html
response_header.Content-Type="text/html"
end condition is_html

define condition referrer_yes
request_header.Referer=""
end condition referrer_yes

define action red2
; Redirect to the requested URL with the password query string removed
redirect(302, "^(.*)\?bcovcf=robert$", "$(1)" )
set(exception.response_header.Set-Cookie, "blue" )
end action red2

Note: The password in this policy is robert
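
Because the coaching form uses method="get", the submitted password is part of the requested URL and appears wherever URLs are recorded. The following is an added example, not part of the original TechBrief or Blue Coat's code: it masks the bcovcf value in log lines and flags clients that submit several distinct values. The log layout, host names and the max_distinct threshold are assumptions made for the example.

```python
import hashlib
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PARAM = "bcovcf"  # override form field name from the coaching page

# Constructed sample lines; the "time client-ip method url status" layout is
# an assumption for this example, not the ProxySG access-log format.
SAMPLE_LOG = """\
2003-05-01T09:00:01 10.0.0.15 GET http://mail.example.test/ 403
2003-05-01T09:00:09 10.0.0.15 GET http://mail.example.test/?bcovcf=robert 302
2003-05-01T09:00:10 10.0.0.15 GET http://mail.example.test/ 200
2003-05-01T09:02:00 10.0.0.77 GET http://bets.example.test/?bcovcf=guess1 403
2003-05-01T09:02:03 10.0.0.77 GET http://bets.example.test/?bcovcf=guess2 403
2003-05-01T09:02:05 10.0.0.77 GET http://bets.example.test/?bcovcf=guess3 403
2003-05-01T09:03:00 10.0.0.20 GET http://news.example.test/?q=bcovcf 200
"""

def redact_url(url):
    """Return (URL with the override value masked, digest of the value or None)."""
    parts = urlsplit(url)
    digest, pairs = None, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == PARAM:
            # Digest is held in memory only, to count distinct submissions.
            digest = hashlib.sha256(value.encode()).hexdigest()
            value = "REDACTED"
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), digest

def audit(log_text, max_distinct=2):
    """Mask override passwords; flag clients submitting > max_distinct values."""
    clean_lines, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            # Unknown layout: withhold rather than risk copying a password.
            clean_lines.append("UNPARSED LINE WITHHELD")
            continue
        ts, client, method, url, status = fields
        url, digest = redact_url(url)
        if digest:
            seen[client].add(digest)
        clean_lines.append(" ".join((ts, client, method, url, status)))
    flagged = sorted(c for c, d in seen.items() if len(d) > max_distinct)
    return clean_lines, flagged

if __name__ == "__main__":
    lines, flagged = audit(SAMPLE_LOG)
    print("\n".join(lines))
    print("clients to review:", flagged)
```
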

You can install the policy by performing the following steps:

1. Open a text editor and add the policy text as shown above
2. Place the new text file on your ProxySG for download into the local policy file

Or you can paste the policy commands directly into the ProxySG using the Command Line
Interface (see the built-in Help menus on the ProxySG GUI for more information on how to use
the CLI) and the ‘inline’ command from the enable prompt:

SG800#inline policy local zzz
<paste the policy here>
zzz

where zzz is the end-of-file marker and tells the ProxySG that you are finished entering CPL and
are ready to compile.

As shown in this example you can also load the policy by using the Blue Coat Visual Policy
Manager and selecting Policy files. Click on View to view the policy and then Install to install the
new policy. Again, you can use a text editor to add this policy segment to your existing policy.

With the policy installed, you can now verify that the WEBMAIL and GAMBLING categories are
controlled and that the user must enter the appropriate password before being authorized.

Conclusion

Password Content Filter Override policy offers great flexibility to security administrators to
provide granular policies with Content Filtering. By using content filtering overrides and a
coaching page, you can control which users are granted access to particular Web sites.

Copyright ©2003 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to
any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information
contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use, Blue Coat is
a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their
respective owners.

Contact Blue Coat Systems • 1.866.30BCOAT • 408.220.2200 Direct • 408.220.2250 Fax • www.bluecoat.com
