| Issue | Service Request | Description |
|---|---|---|
| 16274 | 1-1105901 | The Management Console GUI does not use the browser's proxy settings. |
| 17966 | NONE | Improper TFTP method handling in SGOS |
| 19365 | NONE | VPM window prompts you to save work on exit, even if no changes were made |
| 19455 | NONE | When taking a disk offline from the MC, the request appears to fail when in fact it succeeds. From Management Console>Statistics>General>Disk, select a disk, press “Take disk # offline”, and click “OK” in the pop-up window. The Management Console becomes unresponsive for a few seconds and then displays the message “Request rejected. This request cannot be honored. The disk is in an invalid state, or otherwise inaccessible, and cannot be taken offline.” In reality, the disk was successfully taken offline, which can be verified from the CLI or by refreshing the Management Console. |
| 19515 | NONE | Starting VPM may generate an error using the combination of JRE 1.3.1, Netscape 4.78/4.79 and Win98/NT4. |
| 20613 | 1-2741922 | WebSense4 per-user does not work when the base DN for IPlanet/Novell Directory servers has "dc". |
| 21330 | NONE | Selecting View->Object Occurrences... from the VPM menu currently works only for the Source & Destination columns. |
| 21440 | NONE | Starting VPM may generate an error using the combination of JRE 1.3.1, Netscape 4.78/4.79 and Win98/NT4. |
| 21577 | NONE | The Management Console allows invalid base DNs to be specified. If these happen to be numeric, the CLI misinterprets them as IP addresses, rather than as illegal base DNs. |
| 21643 | NONE | If you select an LDAP realm and add a location string while you are running on WinXP, Netscape 4.79, and Sun's JRE 1.4.0, the dialog box might not close. The only way it closes is when you cancel the operation. |
| 21645 | NONE | Enabling "Reject inbound connections" should warn the administrator about the possibility of losing that interface. |
| 21667 | NONE | Configuring an incorrect port for the management console will only result in the standard error message |
| 21712 | NONE | Starting VPM may generate an error using the combination of JRE 1.3.1, Netscape 4.78/4.79 and Win98/NT4. |
| 21771 | NONE | The XML version of the page does not translate every & into its XML representation (`&amp;`). This causes an error when trying to display the page in Netscape or IE. Please use the SYSInfo or SYSInfo/html console URL instead. |
| 21775 | NONE | If you download a JRE from Sun instead of using the JRE shipped with your browser, the fonts change and some text, such as the serial number in the Management Console>Statistics>Disks, might be difficult to read. For best results, use the JRE that is shipped with the browser. |
| 21857 | NONE | When the DNS service is down or if the DNS server is not a real DNS server, an "ICMP port unreachable" message is returned from the DNS server. Blue Coat's DNS code interpreted this as a CE_DNS_CONNECTION_REFUSED error. The code should convert this error to "DNS server failed". |
| 21898 | NONE | Transparent NTLM single sign-on does not work if the explicit attribute is disabled on the transparent port (default 80). The workaround is to enable the explicit attribute on that port. |
| 21959 | NONE | If the first attempt to fully download the SF database is interrupted, any subsequent attempts will fail until a new version of the database is available. New Smartfilter databases are published once a day; the workaround is to try again after 24 hours. |
| 22088 | NONE | The fan and power supply expansion numbering do not start at 0 in the CLI. The numbering is correct in the Management Console. |
| 22370 | NONE | Editing a port from the Management>Services window to an existing port deletes that port. |
| 22614 | NONE | When changing the bandwidth options through the Management Console (Management>Caching>Bandwidth), the pipelining configuration (enabled/disabled) might toggle between the default and custom options. Use the (config bandwidth-gain) view CLI command to verify the pipelining feature status. |
| 22723 | NONE | The Management Console fails to load some GIFs; this appears to be an issue with IE parsing JavaScript in some versions of IE (IE 6.0.2800.1106). |
| 23151 | NONE | Only the first 59 characters are used for the filename prefix for archive-configuration. |
| 23153 | NONE | When the archive configuration password is greater than 31 characters, during the FTP upload the password is sent as "NULL". |
| 23196 | NONE | A page fault occurs in process "HTTP WRK01809:: FD09FF80RW" in "policy_enforcement.dll" at .text+0x22C21 |
| 23366 | NONE | When encrypted passwords are set, they are not decrypted to determine if the cleartext length of the password is greater than the allowed length. Administrators need to ensure that the encrypted password corresponds to a cleartext password that would be valid on the ProxySG. |
| 23439 | 1-3409423 | VPM only supports ASCII; it does not support international or double-byte character sets. |
| 23466 | NONE | If a string of 512 characters, including the attribute, is entered in the VPM Group field, and the Base DN is chosen or entered in the Group Base-DN field, VPM does not give an error saying that the maximum group length is exceeded. It ignores the configured Base-DN and uses the value configured in the Group name field. |
| 23767 | 1-3495430 | TWURL: url_rewrite transform sometimes does not execute. |
| 23768 | 1-3495430 | N/A |
| 24032 | NONE | The .asx file doesn't get rewritten if certain conditions are not met: for example, type of file-extension, MIME type, and user-agent. |
| 24219 | 1-3473024 | N/A |
| 24259 | 1-3632946 | N/A |
| 24546 | NONE | No matter what number you set for maximum connections, Real Proxy allows only (number - 1) players to play. This only happens if you use port 554. It does not happen if you use port 1091. |
| 24566 | 1-3370635, 1-3915246, 1-4285348 | Authorization policy differences between CA4.x and SG 2.x inhibit the ProxySG from distinguishing Denied (forbidden) from Unauthorized policy decision results. The result is an HTTP 403 DENIED response for users whose policy decision is Unauthorized, when a 401/407 challenge would be desired. |
| 24655 | 1-3686912 | N/A |
| 25393 | 1-3906122 | N/A |
| 25419 | NONE | When entering an invalid time in the MC Realm timeout field and applying the change, the invalid time is not applied, but the original value is reapplied. |
| 25480 | NONE | The ProxySG gives an error page if the redirect request url does not have a trailing slash after the domain name of the origin content server. |
| 26376 | NONE | All base-DNs from all LDAP realms are listed in the VPM dropdown lists for domain and base DN. |
| 26546 | NONE | Entering unprintable ASCII characters--arrows, ESC, and the like--inside the CLI inline policy command could have unexpected results. |
| 26803 | 1-4373228, 1-4373232 | A Page fault 0xAF3D97EA in RealProxy deployments. The workaround is to change RealProxy pull splitting protocol to tcp from udp. |
| 26829 | NONE | You cannot cut and paste the output of http://x.x.x.x:8081/config_policy_source.xml. Unusual characters will display in the output. Instead, refer to the SGOS documentation through the Documentation link at the top of the screen, and check Chapter 7 for proper procedures to "Share VPM Files Among Multiple Port 80 Security Appliances." |
| 26986 | NONE | If you have difficulty launching VPM, see if your browser is running a native pop-up ad suppression program. These programs must be disabled for VPM to be launched. |
| 27045 | NONE | For WebFTP requests, if always_verify() policy is configured then content should be scanned using an ICAP policy, which is not configured for patience page delivery. |
| 27051 | NONE | You might experience problems with download agents and virus scanning due to the potentially long scan times. If the agents do not get a response before their timeout time, they will attempt to reconnect and re-download the requested file and will eventually stop trying. To avoid this, the timeout times for these agents are increased significantly (scans on loaded ICAP servers can take minutes). |
| 27353 | 1-4480801 | N/A |
| 27765 | 1-4536015, 1-4551808, 1-4581367, 1-4598701, 1-5286745, 1-5459516 | If you have a ProxySG SG-400 series model, do not use NIC-0 at 10 Mb/sec or half duplex. It might hang, although you will still be able to ping the system. Instead, use NIC-1 (B#27765). |
| 28913 | 1-4740516 | Incomplete invalid requests that begin with numeric values such as www.1 or www.2332 result in a POLICY_DENIED regardless of the policy configured, when the desired effect should be an UNRESOLVED_HOSTNAME. |
| 29126 | 1-4809640 | Executing complex transforms in server portalling deployments may not work correctly - this deployment scenario is supported in SG3. |
| 29579 | 1-4990801 | Using degenerative regexes such as url_regex="(\w\w\w\w)*\.solidworks\.com\/." may lead to a PF in "Policy Decision Worker" in "shared_dll.dll" at .text+0x14D16. The solution is to rewrite such regexes. |
| 29885 | 1-5028411 | Use of a "?" in (config smartfilter)download path "http://www.myurl.com/mypath?" does not work for configuring the smartfilter URL. Workaround is to use the MC GUI or reconfigure downloading via FTP. |
| 29992 | 1-5067041 | If the response from the OCS is missing the HTTP-version field in the first line of the response as required by RFC 2616, the ProxySG will mistakenly send an ICAP RESP-MOD request without a res-hdr but with a res-body. Most ICAP servers will reject such a message with a 400 Bad Request response. The workaround is to not scan HTTP version 0.9 responses, i.e. "http.response.version =! 0.9 response.icap_service(icapservicename)". |
| 30095 | NONE | The ProxySG does not return a patience page if the requested object does not contain HTTP headers. The workaround is to modify the requested object to contain the HTTP version line (such as "HTTP/1.0 200 OK" ). |
| 30441 | 1-5191660 | N/A |
| 30587 | NONE | Page fault, process "SSPIAdmin" in "authsspi.dll" at .text+0x2C6C |
| 30787 | 1-4807809, 1-4807824, 1-5252951 | Manufacturing error |
| 30916 | 1-5310751 | Directory listing FTP objects can be served from cache despite being stale. The workaround is to delete such objects from the cache. To prevent these objects from being served stale in the future, enable "http strict-expiration serve" and install the following example policy in the cache layer, "method=GET url_scheme=ftp response_header.Last-Modified=!".*" ttl(x)", where x is the desired ttl in seconds for directory list objects. |
| 32123 | 1-5693114 | Under certain circumstances, if the newly downloaded system image is not completely written to disk before the unit is restarted, a failure to load the new OS can occur. |
| 32726 | 1-5974751 | The ProxySG's syslog daemon fails to start if the DNS lookup of the configured loghost fails. |
| 32815 | NONE | Remove extraneous "Invalid EEPROM checksum" message from serial console at startup. |
| 42012 | 1-5936941, 1-5936948 | ICAP Respmod messages are flawed when OCS sends a partial response. |
| 42875 | NONE | If a large object download is initiated while the browser is displaying a blank home page and the ProxySG is configured to show a progress notification pop-up window during ICAP virus scanning, the browser goes to the URL that was last visited; since the starting point was a blank home page, the JavaScript revisits the last request in history (i.e. the patience page). To work around this, visit some other URLs and then initiate the large download. |
| 46579 | 1-7654357 | It is possible for the daily HB stats report from the ProxySG to drift by approximately 5 minutes per day. |