Symantec Blue Coat ProxySG
Prerequisites
- Symantec ProxySG is installed and license is activated
- Nullafi Shield ICAP service is started and configured (with backing configuration and activity databases, and Web Management Console).
ProxySG Management Console
The ProxySG configuration should be done from the ProxySG Management Console interface. Below is the minimum configuration required for Nullafi Shield integration with ProxySG. Open a web browser and load the ProxySG Management Console (e.g. https://<ip address>:8082). Please refer to the ProxySG manual for details about how to open the ProxySG Management Console, ICAP integration, and advanced proxy configuration.
Accessing the ProxySG Management Console
- Open the Symantec Blue Coat ProxySG management console using a web browser (default URL: http://<bluecoat proxy IP>:8082/)
- When prompted, enter your user name and password and click "Ok".
- In the Blue Coat management console, click on the "Configure" tab
- On the "Configuration" page, click on the "Advanced configuration" button
- In the management console menu, go to Policy -> Visual Policy Manager.
- Click "Launch" to start the Visual Policy Manager.
Configure ICAP Services
Adding RESPMOD Service (Download Mode)
- Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'
- Click 'New'
- Enter a service name for the Shield service (in this example we use 'ShieldRespmod') and click 'OK'
- In the services list, select 'ShieldRespmod' and click 'Edit'
- Update the following values:
  - In ICAP Service:
    - Set Service URL to 'icap://<Shield hostname or IP>/respmod'
    - Select 'Use vendor's "virus found" page'
  - In ICAP Service Ports:
    - Check 'This service supports plain ICAP connections'
    - Set the 'Plain ICAP port' value to your Shield instance ICAP port (1344 by default)
  - In ICAP v1.0 Options:
    - Check 'Response modification'
    - Check 'Send Client address'
- Click 'OK'
- Click 'Apply' to save the configuration
Adding REQMOD Service (Upload Mode)
- Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'
- Click 'New'
- Enter a service name for the Shield service (in this example we use 'ShieldReqmod') and click 'OK'
- In the services list, select 'ShieldReqmod' and click 'Edit'
- Update the following values:
  - In ICAP Service:
    - Set Service URL to 'icap://<Shield hostname or IP>/reqmod'
    - Select 'Use vendor's "virus found" page'
  - In ICAP Service Ports:
    - Check 'This service supports plain ICAP connections'
    - Set the 'Plain ICAP port' value to your Shield instance ICAP port (1344 by default)
  - In ICAP v1.0 Options:
    - Check 'Request modification'
    - Check 'Send Client address'
- Click 'OK'
- Click 'Apply' to save the configuration
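Before pointing ProxySG at the two service URLs above, it is worth confirming that the Shield ICAP endpoint answers on the configured plain ICAP port and advertises the method ProxySG will send to it (RESPMOD for /respmod, REQMOD for /reqmod), using the ICAP OPTIONS request from RFC 3507. The Python check below is an added example, not part of this page or of Nullafi's own tooling; the hostname shield.example.internal and the sample OPTIONS reply are constructed placeholders.

```python
import socket
from urllib.parse import urlparse

# Constructed ICAP OPTIONS reply (RFC 3507 shape); not captured from a real Shield instance.
SAMPLE_OPTIONS_REPLY = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\n"
                        b"ISTag: \"example-istag-001\"\r\nEncapsulated: null-body=0\r\n\r\n")
# Service path configured on ProxySG -> ICAP method the endpoint must advertise (from the page).
EXPECTED_METHOD = {"/respmod": "RESPMOD", "/reqmod": "REQMOD"}

def build_options_request(service_url):
    """Return (host, port, request bytes) for an ICAP OPTIONS probe of service_url."""
    u = urlparse(service_url)
    port = u.port or 1344  # plain ICAP default port, as used on this page
    req = (f"OPTIONS {service_url} ICAP/1.0\r\nHost: {u.hostname}\r\n"
           "Encapsulated: null-body=0\r\n\r\n").encode()
    return u.hostname, port, req

def parse_icap_reply(raw):
    """Split an ICAP reply into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (line.partition(":") for line in header_lines)}
    return int(status_line.split(" ", 2)[1]), headers

def check_service(service_url, raw_reply):
    """(ok, reason): does the endpoint advertise the method ProxySG will send to it?"""
    path = urlparse(service_url).path
    want = EXPECTED_METHOD.get(path)
    if want is None:
        return False, f"unexpected service path {path!r}"
    code, headers = parse_icap_reply(raw_reply)
    if code != 200:
        return False, f"OPTIONS returned status {code}"
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    if want not in methods:
        return False, f"{path} advertises {methods}, not {want}"
    return True, f"{path} supports {want} (ISTag {headers.get('istag', '?')})"

def probe_live(service_url, timeout=5.0):
    """Send OPTIONS to a running Shield instance (network; not used by the offline test)."""
    host, port, req = build_options_request(service_url)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        raw = b""
        while b"\r\n\r\n" not in raw and (chunk := s.recv(4096)):
            raw += chunk
    return check_service(service_url, raw)
```

Run probe_live("icap://<Shield hostname or IP>/respmod") and probe_live("icap://<Shield hostname or IP>/reqmod") against your instance; a service that advertises only one of the two methods will fail the check for the other path, which is exactly the misconfiguration ProxySG would otherwise surface as ICAP errors at runtime.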
Create RESPMOD Policy
- Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'
- Click the 'Launch' button
- In the 'Blue Coat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'
- Enter a layer name (in this example we use 'Nullafi Shield ICAP RespMod') and click 'OK'
- In the newly created 'Nullafi Shield ICAP RespMod' tab, right click on 'Use Default Caching' and choose 'Set...'
- In the 'Set Action Object' window, click 'New' and select 'Set ICAP Response Service...'
- In the 'Add ICAP Response Service Object' window, set the following values:
  - Set 'name' to 'Nullafi Shield ICAP Response Service'
  - In 'Available services', select 'ShieldRespmod' and click 'Add'
- Click 'OK' to finish and 'Apply' to save
Create REQMOD Policy
- Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'
- Click the 'Launch' button
- In the 'Blue Coat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'
- Enter a layer name (in this example we use 'Nullafi Shield ICAP ReqMod') and click 'OK'
- In the newly created 'Nullafi Shield ICAP ReqMod' tab, right click on 'Use Default Caching' and choose 'Set...'
- In the 'Set Action Object' window, click 'New' and select 'Set ICAP Request Service...'
- In the 'Add ICAP Request Service Object' window, set the following values:
  - Set 'name' to 'Nullafi Shield ICAP Request Service'
  - In 'Available services', select 'ShieldReqmod' and click 'Add'
- Click 'OK' to finish and 'Apply' to save
Configure Blue Coat SSL
Enabling ProxySG To Intercept SSL traffic
By default, SSL (HTTPS) connections are not intercepted by ProxySG, so the data inside them is never passed to the ICAP server for scanning. If you want files sent over secure connections to be scanned, you must configure ProxySG to decrypt SSL connections.
How To Configure
Please refer to Blue Coat documentation.
Limitations
- If the ICAP server and ProxySG are not connected via a private network, then the connection between them should be configured to use SSL (ICAPS, default port 11344). (See "Securing access to an ICAP Server")
- Valid SSL certificates are needed for Blue Coat, and the user experience could be affected by certificate warnings.
How to overcome certificate issues
- When the SSL Proxy intercepts an SSL connection, it presents an emulated server certificate to the client browser. If the browser does not trust the ProxySG issuer certificate, it issues a security pop-up to the end-user. This pop-up does not occur if the issuer certificate used by SSL Proxy is imported as a trusted root in the client browser’s certificate store.
- The ProxySG appliance makes all configured certificates available for download via its management console. You can ask end users to download the issuer certificate through the browser and install it as a trusted CA in their browser of choice. This eliminates the certificate popup for emulated certificates.
- See Blue Coat documentation for more detailed information.
Additional Configuration Options
Some further advanced options related to using ICAP services alongside policy in ProxySG.
Use of Data Trickling
Overview
Blue Coat ProxySG appliances implement Data Trickling to improve the user experience during ICAP scanning. Internet Content Adaptation Protocol (ICAP) is the protocol used by Blue Coat ProxySG and ProxyAV appliances, as well as some third party partner appliances, to perform scanning of objects to detect viruses, worms, spyware, and Trojans. Data Trickling is a mechanism implemented by Blue Coat ProxySG appliances performing ICAP scanning that slowly delivers, or trickles, data to the client as it is being scanned. By trickling data, users do not experience the timeouts sometimes associated with waiting for large objects to be scanned, or when scanning is delayed by high loads on content servers or upstream bandwidth limitations.
How does Data Trickling work?
Data Trickling is designed to prevent the timeouts that can sometimes be associated with patience pages. To prevent such timeouts, Data Trickling trickles – or transmits at a very slow rate – bytes to the client at the beginning of the scan or near the very end. Because the ProxySG appliance begins serving content without waiting for the ICAP scan result, timeouts do not occur. However, to maintain security, the full object is not delivered until the results of the content scan are complete (and the object is determined to not be infected). Two types of Data Trickling are available on Blue Coat ProxySG appliances – trickle from start and trickle at end.
Trickle from start
In trickle from start mode, the ProxySG appliance buffers a small amount of the beginning of the response body. As the ICAP server continues to scan the response, the ProxySG appliance allows one byte per second through to the client. After the ICAP server completes its scan, if the object is deemed to be clean (no response modification is required), the ProxySG appliance sends the rest of the object bytes to the client at the best speed allowed by the connection. If the object is deemed to be malicious, the ProxySG appliance terminates the connection and does not deliver the remainder of the response object. Trickling from the start is the more secure Data Trickling option because the client receives only a small amount of data pending the outcome of the virus scan.
Trickle at end
In trickle at end mode, the ProxySG appliance sends the response to the client at the best speed allowed by the connection, except for the last 16KB of data. As the ICAP server performs the content scan, the ProxySG appliance allows one byte per second through to the client. After the ICAP server completes its scan, if the object is deemed to be clean (no response modification is required), the ProxySG appliance sends the rest of the object bytes to the client at the best speed allowed by the connection. This method is more user-friendly than trickle from start, because users tend to be more patient when they notice that 99% of the object is downloaded versus 1%, and are less likely to restart the connection. However, network administrators might perceive this method as the less secure one, since the majority of the object is delivered before the results of the ICAP scan are known.
Step-by-step guide
To enable data trickling:
- Open the BlueCoat Management Console.
- Go to "Configuration" tab > "Advanced configuration" button.
- Enter credentials if prompted.
- In the Advanced configuration menu, go to "Configuration" tab > "External Services" > "ICAP".
- Click the "ICAP Feedback" tab.
- In the "ICAP Feedback for Interactive Traffic" section:
  - Check the "Provide feedback after X seconds" checkbox
  - Set the number of seconds to the time you want to wait for ICAP to respond before starting trickling
    - 8 seconds is usually a good timing: long enough for average file sizes to be fully scanned by ICAP, short enough for browsers not to time out before trickling starts.
  - Check "Trickle object data from start" or "Trickle object data at end" depending on the trickling type you want (see the "How does Data Trickling work?" section).
    - "From start" is the most secure.
    - "At end" is the most user friendly.
- In the "ICAP Feedback for Non-Interactive Traffic" section:
  - Check the "Provide feedback after X seconds" checkbox
  - Set the number of seconds to the time you want to wait for ICAP to respond before starting trickling
    - 5 seconds is usually a good timing for non-interactive traffic
  - Check "Trickle object data from start" or "Trickle object data at end" depending on the trickling type you want (see the "How does Data Trickling work?" section).
    - "From start" is the most secure.
    - "At end" is the most user friendly.
More info
https://www.bluecoat.com/sites/default/files/documents/files/ICAP_Data_Trickling.7.pdf
Temporarily bypassing ICAP servers
Overview
This guide describes how to quickly enable and disable a previously configured ICAP server on Symantec Blue Coat ProxySG.
Enable ICAP Server
To enable the Nullafi Shield ICAP Server on ProxySG:
- Open the Blue Coat Management Console.
- Go to "Configure" tab > "Advanced configuration" button.
- In the left side menu, go to "Policy" > "Visual Policy Manager"
- Click "Launch"
- In the Visual Policy Manager window, right click on the layer you want to enable (the tab name, typically "ICAP Respmod" or "ICAP Reqmod")
- Click "Enable layer".
  - The tab color should turn black.
- Click "Install policy"
Disable ICAP Server
To disable ICAP server on Blue Coat:
- Open the Blue Coat Management Console.
- Go to "Configure" tab > "Advanced configuration" button.
- In the left side menu, go to "Policy" > "Visual Policy Manager"
- Click "Launch"
- In the Visual Policy Manager window, right click on the layer you want to disable (the tab name, typically "ICAP Respmod" or "ICAP Reqmod")
- Click "Disable layer".
  - The tab color should turn red.
- Click "Install policy"
Disable ProxySG caching
To prevent the transmission of stale content or other issues caused by object caching, you can use either cache(no) or bypass_cache(yes) in content policy language (CPL). For a comparison of cache(no) and bypass_cache(yes), see KB167726.
This sample provides instructions for disabling object caching for specific URLs by adding a policy rule in the Web Access Layer.
- In the Management Console, select Configuration > Policy > Visual Policy Manager, and then click Launch.
- From the Visual Policy Manager (VPM) dialog box, select Policy > Add Web Access Layer. The Add New Layer dialog box appears.
- In the Add New Layer dialog box, name the layer to reflect the purpose of the layer, such as "Web Access Layer (bypass cache)," then click OK.
- Right click the Destination field and select Set from the drop-down list.
- In the Set Destination Object dialog box, click New > Request URL, and enter the URL you want to exclude from the cache. Click Add, then OK.
- Right click on Action and select Set > Bypass Cache. Then, click OK.
- Click Install policy to apply the new policy.
To use CPL code for the same policy rules, add the following CPL code in the local policy file or in a VPM CPL Policy Layer:
<Proxy>
    url.domain=<url> bypass_cache(yes)
In the example above, <url> is the URL you want to exclude from caching.