Blue Coat® Systems
ProxySG® Appliance
Configuration and Management Suite
Volume 6: The Visual Policy Manager and Advanced Policy Tasks
SGOS Version 5.4.x
Volume 6: The VPM and Policy
Contact Information
Americas:
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation:
documentation@bluecoat.com
Copyright© 1999-2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat
Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®,
PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®,
Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems,
Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY “BLUE COAT”) DISCLAIM ALL
WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND
DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT,
ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER
LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
Document Number: 231-03015
Document Revision: SGOS 5.4.2—11/2009
Contents
Contact Information
Chapter 1: Introduction
Document Conventions ................................................................................................................... 13
Notes and Warnings......................................................................................................................... 14
About Procedures ............................................................................................................................. 14
Illustrations ........................................................................................................................................15
Chapter 2: Managing Policy Files
Creating and Editing Policy Files ................................................................................................... 18
Using the Management Console ..............................................................................................18
Using the CLI Inline Command ..............................................................................................21
Unloading Policy Files ..................................................................................................................... 23
Configuring Policy Options.............................................................................................................23
Policy File Evaluation ................................................................................................................ 23
Transaction Settings: Deny and Allow....................................................................................24
Policy Tracing ............................................................................................................................. 25
Managing the Central Policy File ................................................................................................... 25
Configuring Automatic Installation ........................................................................................ 26
Configuring a Custom Central Policy File for Automatic Installation...............................26
Configuring E-mail Notification .............................................................................................. 26
Configuring the Update Interval .............................................................................................27
Checking for an Updated Central Policy File......................................................................... 27
Resetting the Policy Files........................................................................................................... 27
Moving VPM Policy Files from One ProxySG to Another................................................... 27
Viewing Policy Files ......................................................................................................................... 28
Viewing the Installed Policy..................................................................................................... 28
Viewing Policy Source Files...................................................................................................... 28
Viewing Policy Statistics ........................................................................................................... 29
Chapter 3: The Visual Policy Manager
Section A: VPM Overview
Launching the Visual Policy Manager...........................................................................................32
About the Visual Policy Manager User Interface......................................................................... 33
Menu Bar ..................................................................................................................................... 33
Tool Bar........................................................................................................................................35
Policy Layer Tabs ....................................................................................................................... 35
Rules and Objects....................................................................................................................... 36
About Code Sharing With the Management Console .......................................................... 36
About VPM Components ................................................................................................................ 37
Policy Layers............................................................................................................................... 37
Rule Objects ................................................................................................................................ 38
Policy Layer/Object Matrix......................................................................................................40
The Set Object Dialog ....................................................................................................................... 41
The Add/Edit Object Dialog........................................................................................................... 42
Online Help ....................................................................................................................................... 43
Section B: Policy Layer and Rule Object Reference
About the Reference Tables............................................................................................................. 44
Administration Authentication Policy Layer Reference............................................................. 45
Administration Access Policy Layer Reference ........................................................................... 45
DNS Access Policy Layer Reference .............................................................................................. 46
SOCKS Authentication Policy Layer Reference ........................................................................... 46
SSL Intercept Layer Reference ........................................................................................................ 47
SSL Access Layer Reference............................................................................................................ 47
Web Authentication Policy Layer Reference................................................................................ 48
Web Access Policy Layer Reference...............................................................................................49
Web Content Policy Layer Reference ............................................................................................ 53
Forwarding Policy Layer Reference...............................................................................................54
Section C: Detailed Object Column Reference
Source Column Object Reference ................................................................................................... 56
Any............................................................................................................................................... 56
Streaming Client......................................................................................................................... 56
Client Hostname Unavailable .................................................................................................. 56
Authenticated User.................................................................................................................... 56
Guest User................................................................................................................................... 56
IM User Agent Unsupported.................................................................................................... 57
Client IP Address/Subnet......................................................................................................... 57
Client Hostname......................................................................................................................... 57
Proxy IP Address/Port.............................................................................................................. 57
User .............................................................................................................................................. 57
Group........................................................................................................................................... 60
Attribute ...................................................................................................................................... 63
LDAP Attribute .......................................................................................................................... 65
User Login Address ................................................................................................................... 65
User Login Time......................................................................................................................... 65
User Login Count....................................................................................................................... 66
Client Address Login Count..................................................................................................... 66
User Authentication Error ........................................................................................................ 66
User Authorization Error.......................................................................................................... 67
DNS Request Name ................................................................................................................... 67
RDNS Request IP Address/Subnet......................................................................................... 68
DNS Request Opcode ................................................................................................................ 68
DNS Request Class..................................................................................................................... 68
DNS Request Type..................................................................................................................... 68
DNS Client Transport................................................................................................................ 68
SOCKS Version........................................................................................................................... 69
User Agent .................................................................................................................................. 69
IM User Agent ............................................................................................................................ 69
Request Header .......................................................................................................................... 70
Client Certificate......................................................................................................................... 70
IM User ........................................................................................................................................ 70
P2P Client .................................................................................................................................... 71
Client Negotiated Cipher.......................................................................................................... 71
Client Negotiated Cipher Strength.......................................................................................... 71
Client Negotiated SSL Version................................................................................................. 71
Client Connection DSCP Trigger............................................................................................. 72
Combined Source Object........................................................................................................... 73
Source Column/Policy Layer Matrix...................................................................................... 73
Destination Column Object Reference........................................................................................... 74
Any............................................................................................................................................... 74
DNS Response Contains No Data............................................................................................ 74
Destination IP Address/Subnet............................................................................................... 75
Destination Host/Port............................................................................................................... 75
Request URL ............................................................................................................................... 75
Request URL Category.............................................................................................................. 76
Category ...................................................................................................................................... 78
Server URL .................................................................................................................................. 78
Server Certificate........................................................................................................................ 78
Server Certificate Category....................................................................................................... 78
Server Negotiated Cipher ......................................................................................................... 79
Server Negotiated Cipher Strength ......................................................................................... 79
Server Negotiated SSL Version ................................................................................................ 79
File Extensions ............................................................................................................................ 79
HTTP MIME Types.................................................................................................................... 80
Apparent Data Type .................................................................................................................. 80