ICAP and Patience Page Functionality
Version: SGOS 3.2.6 build 23661
Release Date: 12/15/2004
Revision: 1.03 on 10/17/2005
In SGOS 3.2.4.8 the patience page functionality has changed to work around the
strict default enforcement of pop-up blocking inherent in Internet Explorer
(IE) v6 XP Service Pack 2 (SP2). Prior to SGOS 3.2.4.8, if an ICAP scan
exceeds the configured patience page delay (in seconds; 10 seconds by default),
the ProxySG triggers a patience page to the client PC in the form of a pop-up
window that uses JavaScript to supply download and scan progress information
and refresh itself every 10 seconds. Upon completion of the download and scan
process the JavaScript terminates the pop-up window, leading to the file
save-as dialog. With IE v6 XP SP2 the default behavior is to block pop-up
windows, which prevents the ProxySG’s patience page pop-up window from
launching, resulting in a failure to retrieve the file. While the same end
outcome will result with any pop-up blocker, the problem can generally be
avoided by disabling client side pop-up blocking. Unfortunately this is not so
with the security enhancements introduced in IE v6 XP SP2. So in SGOS 3.2.4.8,
software changes have been made to remove the dependence of a successful
patience page on the client side pop-up blocking configuration.
Bypassing AV Pattern Update Scanning to Improve Performance
Each anti-virus vendor provides pattern file updates that necessarily contain portions (or
descriptions thereof) of viruses. Generally, these virus segments are encoded and are too
small to be mistaken as a true virus by other anti-virus vendors. But occasional false
positives do occur. These can be prevented by exempting virus pattern update locations
from scanning, as the following example policy illustrates (note that this policy is
intended to be placed after all other ICAP policies):
<cache>
url.host=download.bluecoat.com response.icap_service(no)
url.host=download.ositis.com response.icap_service(no)
url.host=www.ositis.com response.icap_service(no)
Basic Functionality in SGOS 3.2.4.8
If an ICAP scan exceeds the configured patience page delay (in seconds; 10
seconds by default), the ProxySG triggers the patience page to the client PC
in the form of JavaScript that first aims to detect the presence or absence of
a pop-up blocker. If the JavaScript does not detect the presence of a pop-up
blocker, it attempts to launch the patience page in a pop-up window to show
the download and scan progress. If, however, the JavaScript does detect the
presence of a pop-up blocker, it proceeds to display the patience page in the
root window (the window where the download was initially attempted). Note that
the status bar at the bottom of the browser will also show this information if
the status bar is enabled for view and enabled for edit.
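The detect-then-fall-back flow described above, as an added example that is not the script the ProxySG serves. It assumes a blocked window.open() returns null, throws, or yields an already-closed window; the names showPatiencePage, renderInRoot, stubWindows and the /progress URL are hypothetical.

```javascript
// Added illustration only; this is not the script the ProxySG serves.
// Assumption: a blocked window.open() returns null/undefined, throws, or
// returns a window handle that is already closed.
function showPatiencePage(win, progressUrl, renderInRoot) {
  let popup = null;
  try {
    popup = win.open(progressUrl, "patience", "width=400,height=200");
  } catch (err) {
    popup = null; // treat an exception from open() as "blocked"
  }
  const blocked =
    !popup || typeof popup.closed === "undefined" || popup.closed === true;
  if (blocked) {
    // Blocker detected: show progress in the root window instead.
    renderInRoot(progressUrl);
    return { blockerDetected: true, target: "root" };
  }
  // No blocker detected: progress is shown in the pop-up window.
  return { blockerDetected: false, target: "popup" };
}

// Constructed stand-ins for a browser window so the logic runs under Node.
const stubWindows = {
  allows: { open: () => ({ closed: false }) },
  returnsNull: { open: () => null },
  throwsError: { open: () => { throw new Error("pop-up blocked"); } },
  closedHandle: { open: () => ({ closed: true }) },
};

// Runs every stub through the check and records where the page ended up.
function runAll() {
  const results = {};
  for (const [name, win] of Object.entries(stubWindows)) {
    const rootRenders = [];
    const outcome = showPatiencePage(win, "/progress", (u) => rootRenders.push(u));
    results[name] = { ...outcome, rootRenders: rootRenders.length };
  }
  return results;
}

console.log(runAll());
```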
If a pop-up blocker is not detected and the browser is not IE v6 XP SP2,
then upon completion of the download and scan process, the patience page pop-up
window is terminated and a save-as dialog is presented. If the browser is IE v6
XP SP2, then the patience page pop-up window is not terminated and the download
is initially blocked; however, an alert dialog panel within the browser is
immediately opened indicating that while the download was prevented it can
still be manually overridden and the file obtained by selecting the ‘Download
File…’ option. The patience page pop-up window can then be manually terminated
by the user.
If a pop-up blocker is detected and the browser is not IE v6 XP SP2, then upon
completion of the download and scan process, a save-as dialog is presented
(note that the patience page is operating in the root window). If the browser
is IE v6 XP SP2, then the download is initially blocked; however, an alert
dialog panel within the browser is immediately opened indicating that while the
download was prevented it can still be manually overridden and the file
obtained by selecting the ‘Download File…’ option.
Known Issues and Limitations
- In the case where a pop-up blocker is not detected it is likely that a
patience page download and scan progress snapshot is displayed in the root
window (the window where the download was initially attempted) for a brief
moment before the patience page pop-up window is launched and the root window
is taken back to the page where the download was initially attempted. If the
page where the download was initially attempted is the browser’s default blank
page, the patience page download and scan progress snapshot is displayed
indefinitely in the root window (until the user navigates elsewhere). Note that
while this behavior may appear to show two instances of the patience page, in
reality the root window only consists of a snapshot of the download and scan
progress at the time the patience page was triggered, while the patience page
in the pop-up window is live and updating.
- In the case where a
pop-up blocker is not detected and a patience page pop-up is launched, it
is not always possible for the root window to be automatically re-directed
back to the page where the download was initially attempted. This is more
prevalent in pages using HTML frames. The user can however manually
navigate back by selecting the browser back button. Additionally, if the
page where the download was initially attempted is the browser’s default
blank page, selecting the browser ‘back’ button in the root window can
lead to another download of the file initially selected (and hence another
patience page pop-up window).
Manual user intervention is required to terminate any additional
unnecessary download.
- In the case where a pop-up blocker is detected and the download and scan
process completes and the download is initially blocked by IE v6 XP SP2,
multiple manual overrides may be required to successfully retrieve the file
(i.e. you may have to execute consecutive manual overrides where the first
attempt to click on ‘Download File…’ does not succeed while the second attempt
does). This is more prevalent in pages using HTML frames.
- It is beneficial to enable status bar view and write so that patience page
download and scan progress information may be displayed. While this information
is the same as that displayed in the body of the patience page, it can be
invaluable in situations in which the detection of a pop-up blocker has caused
the patience page to be displayed in the root window but in a potentially
minute frame (if the site makes use of HTML frames), making it almost
invisible.
- Some web pages that are
equipped with scripting capabilities or HTTP refresh header or refresh
capability in meta tags, can automatically start downloads after a brief
delay. In these cases, when the patience page pop-up window is
successfully displayed and the root window is successfully redirected back
to the original page where the download was initially attempted, the
original page can automatically start the same download again resulting in
yet another patience page pop-up window and thus an indefinite download
loop. Manual intervention is required in such instances.
- Some popular download sites (e.g. download.com) launch a pop-up window before
triggering the actual download of the requested object. Since the download is
actually triggered by the pop-up window initiated by the web site, if the
ProxySG is configured for patience page, two things can happen:
  Browser pop-up blocker enabled:
  - The download was attempted in the small pop-up initiated by the web site.
  - The patience page launches and is displayed in the small pop-up. If the
    pop-up initiated by the web site does not allow for resizing then it may be
    difficult to decipher, but the patience page is successfully refreshing the
    download status.
  - As part of the patience page you will see a link to display the patience
    page in a separate window. If you click on this link the patience page will
    launch in a new window that is representative of the size typically
    observed.
  Browser pop-up blocker disabled:
  - The download was attempted in the small pop-up launched by the web site.
  - The patience page first launches in the small pop-up but immediately fires
    in a separate window. You will see a remnant of the patience page text in
    the original pop-up window, but this is merely an artifact of downloading
    an object from a browser’s blank page (see the first bullet above).
- While the pop-up blocker
detection functionality has been tested with IE v6 XP SP2, Firefox v1 and Netscape v7.1, there is no guarantee
that detection will always be successful. Identification of unsuccessful
detection should be brought to the attention of Blue Coat Support.
- The patience page pop-up
blocker detection behavior does not apply to patience page functionality
for native FTP.
- For Web over FTP requests, a patience page loop occurs when the browser is
served a final patience page and then proceeds to re-request the original
object. In this request, the browser sends an Authorization header that causes
the ProxySG to revalidate the object. Therefore, the object needs to be fetched
from the server again, causing the virus scanning cycle to restart.
The workaround is to make Web over FTP requests non-cacheable by setting policy
as follows:
condition=__PROTO_1 authenticated=yes bypass_cache(yes) ;check if the user is authenticated.
; Definitions
define condition __PROTO_1
client.protocol=http url.scheme=ftp
end condition __PROTO_1