SGOS 3.1.x is a major release of the Blue Coat Systems Proxy SG appliance software.
Note: Proxy SG is the new name for Blue Coat Systems Secure Proxy Appliances.
These release notes apply to Blue Coat Systems Appliances that are currently running or will be upgraded to the SGOS 3.1.x release. Before starting the upgrade process, please review the Upgrade Instructions and the Limitations and Known Issues section.
Direct support questions regarding this release to Blue Coat Systems Support. For more information, visit http://www.bluecoat.com/support/ or send email to support@bluecoat.com.
SGOS 3.1.x delivers significant new features and enhancements over previous releases of software for Blue Coat Systems ProxySG appliances.
Major features of SGOS 3 include:
All of the above new features are documented in the new ProxySG Configuration and Management Guide that accompanies SGOS 3.1.x. Refer to the Documentation section for information on how to access the documents for the release.
Blue Coat Systems appliance models SG400-x, SG800-x, SG8000-x, 6xx (except 610), SG6xxx, 7xx, and 7xxx can be upgraded to SGOS 3.1.x.
Older Blue Coat appliance models 610, 5xx, 3xxx, 5xxx, 2xxx, 1xxx, and 1xx cannot be upgraded to this release. Contact your local reseller or Blue Coat Sales (at sales@bluecoat.com) to upgrade your hardware to a newer model.
Before upgrading to SGOS 3.1.x, Blue Coat recommends evaluating the current CPU usage on installed systems. For example, if an SGOS 2.x system is already running between 70-80% CPU utilization under average load patterns, contact your local Blue Coat sales team to discuss load balancing and hardware upgrade options, so that there is sufficient headroom to handle both average and transient/peak loads after the upgrade to SGOS 3.1.x.
To upgrade to SGOS 3.1.x, the appliance must be running specific versions of CacheOS CA/SA 4.x or SGOS 2.1.x before the upgrade. Refer to the table in the Upgrade Instructions section below on the upgrade path you must follow to upgrade to SGOS 3.1.x.
The Web-based Management Console (MC) and the Visual Policy Manager (VPM) Java application should be used only under the following recommended combinations of OS, Browser and Sun Java Runtime Environment (JRE) versions.
In this release, SGOS is certified with the following third-party vendors' implementation of ICAP:
Note: Finjan has re-branded their line of servers from SurfinGate to Vital Security for Web.
IMPORTANT: While SGOS 2.x supported ICAP v0.95 servers and services, SGOS 3.1.x does not. Upon upgrading to SGOS 3.1.x, any configured v0.95 services become inactive.
A Blue Coat WebPower User ID/Password and a ProxySG appliance H/W Serial Number are required to download the SGOS 3.1.x software. For more information on how to download the software, go to the SGOS 3 Software Download Page.
To purchase an upgrade or renew a support contract, contact your local reseller or Blue Coat Sales (at sales@bluecoat.com).
Once you download and install the software, all features are enabled during an initial pre-registration "Trial Period" of 60 days. During this period, you must register your ProxySG with Blue Coat and obtain and install a license key on your appliance. For more information on the new licensing scheme in SGOS 3.1.x, refer to the Licensing section.
Please refer to the table below on the upgrade path you must follow to upgrade to SGOS 3.1.x.
If you use NTLM, you must upgrade to the version of the Blue Coat NTLM Authentication Agent (CAASNT) available with SGOS 3.1.x, as the SGOS 2.x version will not work with a ProxySG running SGOS 3.1.x. However, the SGOS 3 version of CAASNT can be used with appliances running both SGOS 3.1.x and SGOS 2.x. Blue Coat Systems recommends upgrading CAASNT with each new major, minor, or dot release of SGOS.
CAASNT is distributed as a zip archive, to be installed on a Microsoft Windows system. The URLs to download the CAASNT are posted, along with the SGOS 3.1.x software images, on the SGOS 3 Software Download Page.
Installation instructions for the Blue Coat NTLM Authentication Agent Service are in Appendix A: "NTLM and CAASNT" of the ProxySG Configuration and Management Guide that is available at the Blue Coat Systems Product Documentation Page.
All of the ProxySG appliance configurations from the current OS are upgraded to equivalent configurations in SGOS 3.1.x. However, because of significant changes in the functionality in SGOS 3 over previous releases, some configuration upgrades are not straightforward. For more information on configuration upgrade, refer to the ProxySG SGOS 3.1.x Upgrade Guide available at the Blue Coat Product Documentation Page.
SGOS 2.x allowed you to independently configure maximum object sizes for HTTP and FTP. In SGOS 3.1.3, the max-cache-size CLI command defines the maximum object size for both HTTP and FTP.
After upgrading to SGOS 3.1.x, any changes made to the appliance configuration are saved in the SGOS 3.1.x copy of the internal configuration registry. If for some reason you reboot the appliance back into an earlier major OS version, such as SGOS 2.x or CacheOS CA/SA 4, the configuration changes that you made under SGOS 3.1.x are not reflected under the older OS. Instead, the configuration falls back to what was available before you first upgraded to SGOS 3.1.x.
Some changes related to accessing and configuring the appliance should be recognizable if you are familiar with previous SGOS releases.
The Management Console services are now available by default over secure protocols. The Management Console is accessible through HTTPS (port 8082) as opposed to HTTP (port 8081), and the Command Line Interface (CLI) is now accessible through SSH (version 2) by default, not through Telnet. Also, HTTP (port 8081) and Telnet (port 23) console services are created by default, but disabled. However, if before the upgrade you had HTTP or Telnet console services enabled, they will continue to work on the same ports that were in your previous configuration.
The entire Management Console has been redesigned and reorganized to be more intuitive to navigate. For details, refer to the Blue Coat ProxySG Configuration and Management Guide.
Numerous CLI commands have been changed or moved from their previous locations. For more details, refer to the Blue Coat ProxySG Command Line Reference.
All proxy and console services are now configured at a single location through Configuration>Services in the Management Console, or through CLI ((config) services), as opposed to the subsystem-specific configuration screens or CLI commands in previous OS releases. For example, the creation of a Windows Media MMS proxy is now in the Services configuration as opposed to the Windows Media configuration.
If you are running any of the previous SGOS 3.1.x Limited Availability (LA) or pre-LA builds, you can upgrade directly to SGOS 3.1.0.0 and your configuration is maintained, except in the following cases:
If upgrading from an early SGOS 3.1.x LA build (3.0.0.x), all configurations related to Policy-Aware Exception Pages (Customizable Response Pages) are lost. You must use the appliance CLI to save the configuration related to exception pages (using the show configuration CLI command), upgrade to SGOS 3.1.0.0, and re-apply the configuration (using configure terminal).
If upgrading from an SGOS 3 pre-LA Controlled Release (CR) version (96.99.99.99), automatic configuration upgrade is not supported. You must use the appliance CLI and save the configuration (using the show configuration command, or the upload configuration command to upload an archive configuration to an FTP/TFTP server).
Then enter the following commands to load the new image:
SGOS#(config) upgrade-path download-image-url-path
SGOS#(config) exit
SGOS# load upgrade
SGOS# reinitialize
This reinitializes the system and reboots into the new image.
Re-apply the configuration (using "configure terminal" or "configure network").
Note: Do not reinitialize before performing the upgrade, because reinitialization causes the system to reboot automatically into the old system. Also, do not wait until after booting into the new system to reinitialize, because you might not be able to boot into the new system unless you reinitialize first.
If you used NTLM in an early SGOS 3 LA build (3.0.0.x), you must upgrade to the 3.1.0.0 version of the Blue Coat Systems NTLM Authentication Agent (CAASNT) when you upgrade your ProxySG to SGOS 3.1.0.0, because SGOS 3.1.0.0 is not compatible with early LA CAASNT versions and vice versa.
The Blue Coat-hosted Central Policy and Central Bypass files have been moved to a secure URL accessible only through HTTPS. If you are upgrading from an early SGOS 3 LA build (3.0.0.x), the old HTTP URLs are not automatically changed to the new HTTPS URLs. You must manually change the URLs through the CLI or Management Console to the following:
Central Policy File: https://download.bluecoat.com/release/SG3/files/CentralPolicy.txt
Central Bypass File: https://download.bluecoat.com/release/SG3/files/CentralBypassList.txt
When upgrading from builds prior to SGOS 3.1.1, the upgrade sometimes fails with an error message similar to:
"Starter: No object data at offset 24,420,352 on disk 1"
If you encounter this issue, complete the following steps:
restart upgrade command.
SGOS 3 introduces a new licensing scheme for software options on all ProxySG Appliances. The licensing scheme requires an appliance hardware serial number to be linked with a set of software serial numbers (one for each saleable software option) and the creation of an appliance-specific license key. You must register yourself as a customer, register your appliance hardware serial number with Blue Coat Systems, link your purchased software serial numbers to your hardware serial number, generate and download a license key and install it onto the appliance. This must occur within 60 days of starting to use the appliance. During this 60-day period (known as the Trial Period), until you load a license key, all components on the appliance are enabled and available for you to try.
In most cases, if you bought your ProxySG Appliance and software options together, Blue Coat Systems automatically links your hardware and software serial numbers and pre-generates a license key. The license key can be automatically downloaded on to your appliance from Blue Coat Systems by logging in to the Management Console and navigating to Maintenance>Licensing>Install and clicking the Request button in the License Key Automatic Installation section. You need a Blue Coat Systems WebPower User ID/Password and a hardware (H/W) serial number to automatically load the license key.
Note: For SG400s, SG800s, and newer SG6000 models, the H/W serial number is burned into the appliance's EPROM. For other models, you must manually enter the hardware serial number from the label in the back into the Management Console by navigating to Configuration>General>Identification.
For more information on customer registration, hardware serial number registration, and license key management, visit the Blue Coat Systems License Configuration and Management Page.
Note: The old PAK key based licensing is no longer supported with SGOS 3. Blue Coat will contact all customers with PAK keys and provide information on how to enable the same features under the new licensing scheme, if they are eligible to enable the features under SGOS 3.
SGOS 3.x adheres to licensing agreements set forth by the following third-party vendors that have partnered with Blue Coat to develop integrated solution offerings:
Blue Coat has moved to using a new four-digit numbering scheme for all new software releases. The purpose of the four-digit version number is to provide a very clear numerical versioning scheme for releases to the customer that describes when new features are introduced and when patch fixes are applied.
The release number is of the form a.b.c.d build e, where:
a is the major release number and is incremented when a release has extensive new functionality;
b is the minor release number and is incremented when a release has significant new features;
c is the dot release number and is incremented when a release has a collection of bug fixes or unintrusive features;
d is the patch release number and is incremented when an interim bug fix is provided to a restricted set of users;
e is the internal build number, primarily of interest to Blue Coat. It does not imply anything about the release contents.
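The numbering scheme above can be parsed and compared mechanically when inventorying appliances. The following Python is an added example, not Blue Coat code: the function names, the sample strings and the placement of the 96.99.99.99 pre-LA build just below 3.0.0.0 are assumptions made for the illustration.

```python
import re
from typing import NamedTuple, Optional

class SgosVersion(NamedTuple):
    major: int   # a: extensive new functionality
    minor: int   # b: significant new features
    dot: int     # c: collection of bug fixes or unintrusive features
    patch: int   # d: interim fix for a restricted set of users
    build: Optional[int] = None  # e: internal build number, implies nothing about contents

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d+))?\s*$", re.IGNORECASE)

# 96.99.99.99 is the pre-LA Controlled Release named in these notes. Numerically it
# outranks every numbered release, so it is mapped to a key just below 3.0.0.0
# (the placement is an assumption of this example).
OUT_OF_SEQUENCE = {(96, 99, 99, 99): (3, 0, 0, -1)}

def parse_version(text: str) -> SgosVersion:
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"not an a.b.c.d [build e] version: {text!r}")
    a, b, c, d, e = m.groups()
    return SgosVersion(int(a), int(b), int(c), int(d), int(e) if e else None)

def sort_key(v: SgosVersion) -> tuple:
    """Ordering key: a.b.c.d only; the build number never takes part."""
    fields = tuple(v[:4])
    return OUT_OF_SEQUENCE.get(fields, fields)

def is_newer(candidate: SgosVersion, installed: SgosVersion) -> bool:
    return sort_key(candidate) > sort_key(installed)

def change_level(old: SgosVersion, new: SgosVersion) -> str:
    """Name the most significant field that differs between two releases."""
    for name, o, n in zip(("major", "minor", "dot", "patch"),
                          sort_key(old), sort_key(new)):
        if o != n:
            return name
    return "none"

if __name__ == "__main__":
    # Constructed inventory strings; the build number is made up for the example.
    target = parse_version("3.1.0.0")
    for raw in ("3.0.0.4", "3.1.3.0 build 12345", "96.99.99.99"):
        v = parse_version(raw)
        print(raw, "->", sort_key(v), "| 3.1.0.0 is newer:", is_newer(target, v))
```

A plain numeric comparison would report 96.99.99.99 as newer than 3.1.0.0, which is why the pre-LA build is handled through an explicit mapping.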
-- Support new 36GB drive model (SEAGATE ST336807LC 10K.7) for SG645, SG6045 and SG800 platforms.
-- When archiving a configuration, the archive-configuration filename-prefix filename command can use % strings to represent the information in the upload. For more information, see "Archiving and Restoring a System Configuration" in Chapter 20 of the Blue Coat ProxySG Configuration and Management Guide.
-- Support has been added for new 73GB hard disk drives in the Proxy SG 800 and 8000 series appliances.
-- A list of issues fixed in this release: List of Fixes.
Resolve a series of edge case issues involving ICAP and ICAP with patience page enabled.
Prevent possible VPM loss or corruption in policy layers.
Relax handling of CONNECT requests with non-zero content length headers. A future release of SG3.2.x will allow policy control for strict enforcement.
Private keys entered through the Management console have the possibility of being insecure. Please refer to this advisory notice for more details.
Apply fixes for TCP vulnerability CAN-2004-0230.
The ProxySG can prevent distributed Denial of Service (DDoS) attacks and port scanning, two of the most common virus infections. Through the CLI configuration mode, you can use the attack-detection submode to enable or disable attack detection, set the number of simultaneous connections permitted from any one client, and determine the behavior if a client exceeds the permitted number of connections.
In general, enabling this feature will increase overall CPU utilization. However, using the "drop" instead of "reset" (the "reset-at-connection-limit no" command) has less impact on the overall CPU utilization.
Also, you must disable RDNS lookups, as all viruses send requests for http://a.b.c.d, where a.b.c.d is an IP address. If RDNS is enabled, Blue Coat floods the DNS server and eventually things slow down.
Note that disabling RDNS may not be practical in many deployment scenarios, so this recommendation should be evaluated based on specific needs.
The syntax is:
attack-detection [enable | disable] | connection-limit integer | reset-at-connection-limit [yes | no]
where
"connection-limit" specifies the number of simultaneous allowable connections (default value is 10, range 1-65535).
"reset-at-connection-limit no" indicates that connections beyond the permitted number are silently dropped instead of being reset.
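The Python below is an added model of the behaviour these settings describe, not ProxySG code: it tracks simultaneous connections per client and shows the difference between "reset" and "drop" once the limit is reached. The class, method names, action strings and sample events are assumptions; the default limit of 10, the 1-65535 range and the yes/no semantics come from the text above.

```python
from collections import Counter

class AttackDetection:
    """Per-client limit on simultaneous connections, as the settings above describe."""

    def __init__(self, *, reset_at_connection_limit: bool,
                 connection_limit: int = 10, enabled: bool = True):
        if not 1 <= connection_limit <= 65535:
            raise ValueError("connection-limit must be in the range 1-65535")
        self.enabled = enabled
        self.connection_limit = connection_limit
        self.reset_at_connection_limit = reset_at_connection_limit
        self._open = Counter()  # client IP -> connections currently open

    def open(self, client_ip: str) -> str:
        """Return 'accept', 'reset' or 'drop' for a new connection attempt."""
        if self.enabled and self._open[client_ip] >= self.connection_limit:
            # "yes" answers with a reset; "no" silently drops the attempt.
            return "reset" if self.reset_at_connection_limit else "drop"
        self._open[client_ip] += 1
        return "accept"

    def close(self, client_ip: str) -> None:
        if self._open[client_ip] > 0:
            self._open[client_ip] -= 1

def replay(detector, events):
    """Feed (client_ip, 'open' | 'close') events through the detector and
    tally the outcome of every open attempt per client."""
    outcome = {}
    for client_ip, action in events:
        if action == "close":
            detector.close(client_ip)
            continue
        result = detector.open(client_ip)
        outcome.setdefault(client_ip, Counter())[result] += 1
    return {ip: dict(counts) for ip, counts in outcome.items()}

# Constructed events: one client opens 13 connections without closing any,
# another opens and closes two connections in sequence.
SAMPLE_EVENTS = ([("192.0.2.7", "open")] * 13
                 + [("192.0.2.20", "open"), ("192.0.2.20", "close")] * 2)

if __name__ == "__main__":
    detector = AttackDetection(reset_at_connection_limit=False)
    print(replay(detector, SAMPLE_EVENTS))
```

The limit applies to connections held open at the same time, so a client that opens and closes connections one after another is never refused.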
A list of issues fixed in this release: List of Fixes.
A list of issues expected to be fixed in a future release: List of Future Fixes
A set of limitations and known issues with the release is maintained by Blue Coat and updated with each dot release. Read through the issues before upgrading to this release. After upgrading, review issues if you encounter an issue to verify it is not a known limitation or issue before contacting Blue Coat.
The following documents are available at the Blue Coat Web site.
In addition to the above documents, the ProxySG Management Console contains online help in the form of a built-in HTML version of the Configuration and Management Guide that is linked to Help buttons. However, this online help is updated with every dot release. Therefore, Blue Coat recommends that you visit the Blue Coat Web site for the most up-to-date documentation.
Support questions regarding this release should be directed to Blue Coat Support. To contact Blue Coat Systems:
Copyright© 1999-2005 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. The Software may not be modified, reproduced (except to the extent specifically allowed by local law), removed from the product on which it was installed, reverse engineered, decompiled, disassembled, or have its source code extracted. In addition to the above restrictions, the Software, or any part thereof, may not be (i) published, distributed, rented, leased, sold, sublicensed, assigned or otherwise transferred, (ii) used for competitive analysis or used to create derivative works thereof,(iii) used for application development, or translated (iv) used to publish or distribute the results of any benchmark tests run on the Software without the express written permission of Blue Coat Systems, Inc., or (v) removed or obscured of any Blue Coat Systems, Inc. or licensor copyrights, trademarks or other proprietary notices or legends from any portion of the Software or any associated documentation. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. Blue Coat Systems, Inc. specifications and documentation are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. ProxySG™, ProxyAV™, CacheOS™, SGOS™, are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, and The Ultimate Internet Sharing Solution® are registered trademarks of Blue Coat Systems, Inc. 
All other trademarks contained in this document and in the Software are the property of their respective owners.