Version: SGOS 3.2.8 build 33164
Release Date: 2/5/2005
Revision: 1.6 on 3/28/2008

Introduction

SGOS 3.2.8 is a maintenance release of the Blue Coat® Systems ProxySG™ Appliance software. This release mainly provides bug fixes. Please note that since SG was NIAP certified with SG 3.2.4.8, there are no changes in the code that affect the NIAP certification.

Note: ProxySG is the name for Blue Coat secure proxy appliances.

These release notes apply to Blue Coat appliances that are currently running or will be upgraded to the SGOS 3.2.x8 release. Before starting the upgrade process, please review the Upgrade Instructions and the Limitations and Known Issues section.

For general information about Blue Coat, e-mail us at: bcsi.info@bluecoat.com.
Direct support questions regarding this release to Blue Coat Technical Support. For more information, visit http://www.bluecoat.com/support/contact.html.

Features in this Release

All new features are documented in the Blue Coat ProxySG Configuration and Management Guide that accompanies SGOS 3.2. See the Documentation section for information on how to access the documents for the release. For changes, including the SurfControl commands, see also Changes in this Version in this document.

Changes in this Version

• Guard against Potential SSL 2.0 Rollback (CAN-2005-2969) (B#54121, SR 1-16030684).

• Added event logging to report occasional BCAAA acceptor timeouts. (#51467, 1-9856220)
• Issues fixed in this release

SG 3.2.5.5 (build 23247)

• Pagefault in process "tcpip" in "tcpip.dll" at .text+0x1262C. (B#52341, 1-14171543, 1-14589290, 1-14723391, 1-14781183, 1-15133701, 1-15162586, 1-15224499, 1-1533701, 1-15368289)
• Page fault in "HTTP SW " in "http.dll" at .text+0x54064. (B#51925, 1-14188851, 1-14226261, 1-14600123, 1-14668211, 1-14770288, 1-14805721, 1-14937648, 1-14978471, 1-15030471, 1-15334671, 1-15439073, 1-15789643, 1-16100154)
• Issues fixed in this release

SG 3.2.5.2 (build 23058)

SG 3.2.5.1 (build 23013)

SG 3.2.4.8 (build 22001)

New features in SGOS 3.2.4 include:

• ICAP: In SGOS 3.2.4, patience page functionality has changed to work around the strict default enforcement of pop-up blocking inherent in Internet Explorer (IE) v6 XP Service Pack 2 (SP2)

For more information on patience page functionality, go to ICAP

• ICAP: Several conditions have been added to policy for ICAP: icap_error_code and virus_detected. Note that in this release, native FTP proxy does not support the icap_error_code condition.
• ICAP: The icap_communication_error Exception Page has been modified to include icap_error_code and icap_error_reason substitution variables.
• Content Filtering: You can now request that specific URLs be reviewed for correct categorization, if your content-filtering provider supports this. For information on the categorization feature, refer to the Chapter 17, "Content Filtering," in the Blue Coat ProxySG Configuration and Management Guide; for information on using exception pages to request categorization, refer to Chapter 14, "Advanced Policy."

Note: In this release, only Cerberian supports categorization review.

• Content Filtering: InterSafe has been added to the list of supported third-party content filters
• Event log: You can now view the contents of the event log through the CLI, The show and view event-log commands now display the event-log output, while a new configuration option has been added to display the event-log configuration. For more information, refer to Chapter 20, "Maintenance," in the Blue Coat ProxySG Configuration and Management Guide.
• Management Console: The serial port can now be secured, preventing unauthorized access to the setup console and requiring administrator credentials to use the CLI through the serial console. For information on enabling the secure serial port, refer to the Quick Start Guide for your platform.
• Management Console: You can configure a local user list so that each user account is automatically disabled if too many failed login attempts occur for the account in too short a period, indicating a brute-force password attack on the ProxySG. For information on using lockout parameters with local user lists, refer to Chapter 9, Using Authentication Services, in the Blue Coat ProxySG Configuration and Management Guide.
• DNS: Previously, if the ProxySG received a negative DNS response (a response with an error code set to Name Error), it cached that negative response. Now, you can configure the ProxySG to set the time-to-live (TTL) value for a negative DNS response to be cached. For information on configuring DNS negative response caching, refer to Chapter 4, Configuring the System, in the Blue Coat ProxySG Configuration and Management Guide.
• New CPL and VPM properties in this release include:
• Error_code ( )
• Virus_detection ( )
• Licensing: The license key file size limit has been increased.
• Issues fixed in this release
• List of future fixes

SG 3.2.3.16 (build 22277)

• Support new 73GB drive models (SEAGATE ST373207LC 10K.7, ST373454LC 15K.4) for SG800 and SG8000 platforms.

SG 3.2.3.3 (build 21579)

New features in SGOS 3.2.3.3 include:

• Support for Proventia Web Filter-a new content filtering product/service-has been added.
• Content Filtering Database Management--Ordinarily, the ProxySG checks to see if the database has changed before initiating a download. If the database is up to date, then no download is necessary and none is done. You can override this check and force a download by selecting the Force Full Update checkbox; this option is not needed under normal circumstances.
• FTP virus scanning--Virus scanning for FTP uploads is now supported; previously, only FTP downloads could be scanned.
• URL Rewrite--rewrite_script_substring, used for rewriting arbitrary substrings inside Javascript. The substrings do not have to be URLs. This is used in specialized cases where the Javascript code for a web application must be changed to make a server portal work correctly.
• Spoofing Proxy Authentication-If you use an LDAP, RADIUS, or Local Realm, you can specify whether to forward authenticated credentials to the origin content server or for proxy authentication. You can only choose one.
• DNS and IP addresses--The DNS server maintains the order of the IP addresses to be sure the ProxySG always uses the same origin content server to get content when client affinity is enabled.
• FTP spoofing--Using policy, the ProxySG can spoof the IP addresses for FTP data connections in both transparent and explicit deployments, for active data connections back to clients and passive data connections to origin servers.
• Installing an image from a local PC--You can now upload a system image to the ProxySG from your PC, as well as downloading an image directly to the ProxySG. For more information, refer to the Blue Coat ProxySG Configuration and Management Guide, Maintenance chapter.
• SurfControl version 5--Blue Coat provides support for SurfControl version 5. To download the new version, contact SurfControl for a version 5 download URL. You will no longer need to enter a username and password to download the database. Instead, you will use the license number issued to you by SurfControl (contact SurfControl for your license number if you cannot find it).
• SmartReporter--The SmartReporter access log format string has been changed, and now uses localtime instead of gmttime. If you had a previous version of the SmartReporter access log format before upgrading to this release, it will be converted to the smartreporter_user format, which still uses gmttime. The smartreporter_user format is, however, editable, and you can change the format so it uses localtime instead (edit the format string by changing gmttime to localtime).
• PMTU Discovery--PMTU (Path Maximum Transmission Unit) is a mechanism designed to dynamically discover the largest packet size that can be sent that will not be fragmented anywhere along the path between two communicating ProxySG Appliances that are not directly attached to the same link. PMTU is disabled by default.
• IM Handoff--IM Handoff allows the Blue Coat HTTP proxy to handle requests from supported IM protocols. If IM HTTP handoff is disabled, requests are passed through, and IM-specific policies are not applied.
• Forwarding hosts or host groups can now use the accelerator-cookie method of host affinity for use with SSL.
• Deprecated CPL Syntax-The following has been deprecated for this version of SGOS:

Deprecated Substitutions      Replacement Substitutions
subst_embedded                       rewrite_url_substring
subst_prefix                              rewrite_url_prefix
caseless                                    no replacement needed

Also deprecated:

• $, when used in a policy substitution pattern expression, if not followed by $ or (.
• Issues fixed in this release
• List of Future Fixes

SG 3.2.2.1 (build 21395)

• SurfControl users need to use a SurfControl license key to download a new database from the SurfControl site (rather than a username and password, as before).
• Blue Coat supports Cerberian (version 3) content filtering onbox.
• A new access log field has been added in 3.2.2: rs-time-taken, which measures the total time taken (in milliseconds) to send the request and receive the response from the origin server in order to pinpoint the location of performance bottlenecks in the system.
• Websense incremental download may cause high CPU utilization. This issue has been fixed, but as an additional safeguard, a new CLI command, download full-get-now, has been added to manually force a full download if necessary. To use this command in the CLI, enter the following commands from the (config) prompt:

SGOS#(config) content filter
SGOS#(config content-filter) websense
SGOS#(config websense) download full-get-now

• Issues fixed in this release
• List of future fixes

SG 3.2.1.2 (build 21246)

New features in SG 3.2.1.2 include:

• Private keys entered through the Management console have the possibility of being insecure. Please refer to this advisory notice for more details.
• If policy contains a combined service object, it generates an empty list.

SG 3.2.1.1 (build 21179)

New features in SG 3.2.1.1 include:

• URL/Content Filtering:
• Websense Reporter V5.2 integration
• Locally Defined Category Lists:
• Secure's SmartFilter V4 list onbox
• Application Proxies:
• DNS: Policy support added: Administrators can define how DNS requests should be handled.
• TP: Configurable multi-line banner: You can define the banners used during login for the FTP proxy.
• IM:
• Reflection DNS Redirection.
• HTTP Proxy Support.
• AOL Encryption Handling (applicable to AOL client version 5.2 and above)
• HTTP:
• Strict parsing of both request URLs and headers to protect against potentially malicious use of the HTTP protocol (using malformed headers or URLs). This is now the ProxySG default behavior. Note that this feature does not block requests in which the "Host" header value does not match the host name in the request line, since some legitimate requests may exhibit this behavior.
• Parsing of Pragma: no-cache and cache-control meta tags.
• Support for HTTP "If-Match" and "If-Unmodified-Since" headers.
• HTTPS connections to ports other than 443 are now denied by default, even if there is a policy to allow based on the client.protocol=http condition:
  
  <proxy>
  ALLOW client.protocol=http

  Previous to 3.2.1, these connections were allowed if the stated policy was installed.
• Shell:
• Support for Telnet Proxy.
• SOCKS:
• Allow UDP forwarding through upstream SOCKS Proxy.
• Services:
• Removed the hard limit on the number of configurable services.
• Authentication:
• Forms based Authentication
• Use Netegrity SiteMinder as an authenticating authority:
• Improved installation of BCAAA agent (formerly named CAASNT).
• The ProxySG now supports origin servers doing Kerberos authentication for HTTP requests.
• Security:
• Encrypted Access Logs: Access logs for specific traffic can be separated based on traffic, encrypted, and securely transferred to another system for further analysis as necessary.
• Archive Configuration:
• Archive configuration is available from the Management Console (by going to Management Console>Configuration>General>Archive).
• Attack Detection:
• The ProxySG can prevent many distributed Denial of Service (DDoS) attacks and port scanning, two of the most common virus infections. Through the CLI configuration mode, you can use the attack-detection submode to enable or disable attack detection, set the number of simultaneous connections permitted from any one client, and determine the behavior if a client exceeds the permitted number of connections.
  
  In general, enabling this feature might marginally increase overall CPU utilization. However, using "drop" instead of "reset" (the "reset-at-connection-limit no" command) has less impact on the overall CPU utilization.
• Policy:
• Policy based on source name: Provides policy triggers on information in the source hostname in a request.
• Added ability to test DNS/RDNS status for certain CPL objects.
• Policy Properties to control timeouts and retries.
• Policy trigger to test negotiated key strength: Provides triggers on negotiated key strength for SSL.
• Forwarding:
• Load balancing and host affinity configuration per host
• ICAP:
• Support for X-Authenticated-User and X-Authenticated Groups: This allows you to forward username and group information to an associated ICAP server.
• Customizable FTP patience page
• Serviceability:
• PCAP options in Management Console
• Added a mode to allow automatic upload of service data
• Licensing:
• Update an existing license either automatically, when it is updated by Blue Coat, or manually, through the Update button on the Management Console>Maintenance>Licensing>Install tab.

Hardware Requirements

Blue Coat appliance models SG400-x, SG800-x, 6xx (except 610), SG6xxx, 7xx, 7xxx, and 8000-x can be upgraded to SGOS 3.2.x.

Older Blue Coat appliance models 610, 5xx, 3xxx, 5xxx, 2xxx, 1xxx, and 1xx cannot be upgraded to this release. Contact your local reseller or Blue Coat Sales (at sales@bluecoat.com) to upgrade your hardware to a newer model.

Before upgrading to SGOS 3.2.7, Blue Coat recommends evaluating the current CPU usage on installed systems. For example, if a SGOS 2.x system is already running between 70-80% CPU utilization under average load patterns, contact your local Blue Coat sales team to discuss load balancing and hardware upgrade options to ensure sufficient headroom to handle both average and transient/peak loads after the upgrade to SGOS 3.2.7.

Software Requirements

To upgrade to SGOS 3.2.7, the appliance must be running specific versions of CacheOS CA/SA 4.x, SGOS 2.1.x, or SGOS 3.1.x before the upgrade. See the table in the Upgrade Instructions section below on the upgrade path you must follow to upgrade to SGOS 3.2.7.

The Web-based Management Console (MC) and the Visual Policy Manager (VPM) Java application should be used only under the following recommended combinations of OS, Browser, and Sun Java Runtime Environment (JRE) versions.

• OS for MC and VPM: 2000 Pro (SP2 or later), XP (SP1a or later)
• Browser for MC: Internet Explorer 7.0, Netscape 7.1
• JRE for VPM: 1.4.1 07
• For limitations on using browsers and JRE, see Known Issues and Limitations

ICAP

The Blue Coat ProxySG with ProxyAV™ integration is a high-performance Web anti-virus (AV) solution. For more information, refer to the Blue Coat web site

In this release, SGOS is also certified with the following third-party vendors' implementation of ICAP:

• Symantec AntiVirus Scan Engine (SAVSE) 4.3, version 4.3.0.15; ICAP 1.0
• Symantec AntiVirus Scan Engine (SAVSE) 4.0, version 4.04.46; ICAP 1.0
• WebWasher 4.4, build 552; ICAP 1.0
• WebWasher 5.0.1, build 1120; ICAP 1.0
• Finjan Vital Security 7.0, Service Pack 3a; build 573; ICAP 1.0

Note: Finjan has re-branded their line of servers from SurfinGate to Vital Security for Web.

Important: While SGOS 2.x supported ICAP v0.95 servers and services, SGOS 3.2.7 does not. Upon upgrading to SGOS 3.2.x, any configured v0.95 services become inactive.

Blue Coat WebFilter Database Updates

With the release of SG3.2.5 in July 2005, Blue Coat changed the URL for access to Blue Coat WebFilter (BCWF) database updates to list.bluecoat.com/bcwf/activity/download/bcwf.db. Effective October 24, 2005, Blue Coat retired access to BCWF database updates through the old URL located at bluecoat.downloads.cerberian.com/dbupdates/bluecoat.db. The old URL will remain active for an indefinite period of time to allow time for you to modify your configuration if necessary.

Make sure you are using the correct URL.

• Customers still running ProxySG software between versions SGOS 3.2.2.x and SGOS 3.2.4.x must manually enter the new default BCWF URL.

  Management Console: Go to Configuration -> Content Filtering -> Blue Coat on the Blue Coat Web Filter tab and enter the correct URL: list.bluecoat.com/bcwf/activity/download/bcwf.db.

  CLI:
  From the config prompt, complete the following commands:
  SGOS#(config) content-filter
SGOS#(config content-filter) bluecoat
SGOS#(config bluecoat) download url list.bluecoat.com/bcwf/activity/download/bcwf.db
  To view the results:
  SGOS#(config bluecoat) view

Note that SGOS 3.2.6.x (and earlier) is no longer actively supported with the release of SGOS 3.2.8 and later.

• Customers who have upgraded to SG3.2.5.x and greater and are still using the old BCWF URL can use the Management Console "Set to default" button or the CLI to reset the default BCWF URL.

  Management Console: Go to Configuration -> Content Filtering -> Blue Coat on the Blue Coat Web Filter tab; press the "Set to default" button.

  CLI: From the config prompt, complete the following commands:
  SGOS#(config) content-filter
SGOS#(config content-filter) bluecoat
SGOS#(config bluecoat) download url default
  To view the results:
  SGOS#(config bluecoat) view

• ProxySG units shipped from the factory preloaded with version SGOS 3.2.5.x or greater do not need to take any action. The default URL is already set to: list.bluecoat.com/bcwf/activity/download/bcwf.db.

Upgrade Paths Supported

Please refer to the table below on the upgrade path you must follow to upgrade to SGOS 3.2.x..

For example:

If you are running SGOS 2.1.06, upgrade to SGOS 2.1.07, and then to SGOS 3.

• Two or more major revisions higher than the current system. The reason is that if the new system were booted (and downloading it makes it the next boot system by default), you have skipped a major release version in which policy syntax was deprecated, without seeing any deprecation warnings. Policy would fail to compile and the box would become unusable.
• A Major revision higher, if there are deprecation warnings for the current policy. You can use the CLI to override this.

If you are doing a major upgrade, you should also review the Blue Coat ProxySG SGOS 3.x Upgrade Guide, found at http://www.bluecoat.com. If you are updating from SGOS 3.1.x to SGOS 3.2.7, no special procedures are needed.

NTLM Agent Upgrade (from CAASNT to BCAAA)

If you use NTLM, you must use the 3.2 release of the Blue Coat Authentication and Authorization Agent (BCAAA) service with SGOS 3.2 and higher. You can also use the BCAAA service in place of the deprecated CAASNT application for SGOS 2.x and SGOS 3.1.x. You cannot use CAASNT with SGOS 3.2 and higher.

BCAAA is distributed as a zip file or UNIX shell script, to be installed on a Microsoft® Windows® system or a Solaris™ system. The URLs to download BCAAA are posted, along with the SGOS 3.2 software images, on the SGOS 3 Software Download Page.

Installation instructions for BCAAA on Windows are in Appendix A: "Using the Authentication/Authorization Agent" of the Blue Coat ProxySG Configuration and Management Guide that is available at the Blue Coat web site.

To install BCAAA on Solaris, complete the following instructions. You must be root to complete installation.

1. Download the shell script to your system.
2. Execute the shell script:

# sh bcaaa-version_number-SOLARIS-install.sh

Answer the questions to install the service on your Solaris system. A sample session is shown below:

Enter a path to a scratch directory [/tmp]:


Install Blue Coat Systems Authentication and Authorization Agent (BCAAA)? (y/n) y


Enter user that should own the installed files [root]
Enter group for the installed files [root]
/usr/local/bin/bcaaa installed
/usr/local/bin/bcaaa-99 installed
Libraries installed in /usr/local/lib/BlueCoatSystems/
/usr/local/etc/bcaaa.ini installed

If you use inetd, append the following line to /etc/services

bcaaa 16101/tcp # Blue Coat Systems Authentication Agent

If you use inetd, append the following line to /etc/inetd.conf, then signal inetd to re-read the configuration file. If you use something else, make the equivalent changes.

bcaaa stream tcp nowait root /usr/local/bin/bcaaa bcaaa -c /usr/local/etc/bcaaa.ini
Installation complete

Accessing and Configuring the ProxySG

Some changes related to accessing and configuring the appliance should be recognizable if you are familiar with previous SGOS releases.

• The Management Console services are now available by default over secure protocols. The Management Console is accessible through HTTPS (port 8082) as opposed to HTTP (port 8081), and the Command Line Interface (CLI) is now accessible through SSH (version 2) by default, not through Telnet. Also, HTTP (port 8081) and Telnet (port 23) console services are created by default, but disabled. However, if before the upgrade you had HTTP or Telnet console services enabled, they will continue to work on the same ports that were in your previous configuration.
• The entire Management Console was redesigned and reorganized (in SGOS 3.1.0) to be more intuitive to navigate. For details, refer to the Blue Coat ProxySG Configuration and Management Guide.
• Numerous CLI commands have been changed or moved from their previous locations. For more details, refer to the Blue Coat ProxySG Command Line Interface Reference.
• All proxy and console services are now configured at a single location through Configuration>Services in the Management Console, or through CLI (config) services as opposed to the subsystem-specific configuration screens or CLI commands in previous OS releases. For example, the creation of a Windows Media MMS proxy is now in the Services configuration as opposed to the Windows Media configuration.

Troubleshooting Installation Issues

When upgrading from builds prior to SGOS 3.1.x, such as 2.1.x or 3.0.x, the upgrade sometimes fails with an error message similar to:

"Starter: No object data at offset 24,420,352 on disk 1"

If you encounter this issue, complete the following steps:

1. Reboot the appliance to a version on the system that supports an upgrade path (see Upgrade Paths Supported).
2. Download the image again that you want to boot (such as SGOS 3.2.x).
3. Do a load upgrade of the newly downloaded image, using either the CLI or the Management Console.
4. Give the system time to flush the newly-downloaded system to disk, at least one minute.
5. Use the restart upgrade button or command to boot the appliance to the new version.

Troubleshooting Upgrade/Downgrade for Forwarding

If you upgrade from SGOS 2.x to SGOS 3.2 and restore the SGOS 2.x configuration SGOS# restore-sgos2-config ), then try to delete the forwarding host ( SGOS# restore-sgos2-config ), you will receive the following message:

% Cannot delete a host now in use by policy.

This occurs because, on upgrade, the forwarding host is included in the default forwarding host sequence. To delete the forwarding host, you need to issue the following commands to clear the default fail-over sequence:

SGOS#(config) forwarding
SGOS#(config forwarding) sequence clear

Netegrity SiteMinder Component

A new licensable component, Netegrity SiteMinder, has been introduced as part of base SGOS functionality in the SGOS 3.2 release. Users who already have a valid SGOS 3.1.x license will NOT have this feature enabled until they update their license key. When viewing licensable components, they will see Netegrity SiteMinder as a component that is not yet valid. To update the license key, please login to the Blue Coat License Configuration and Management site, select hardware and go to Manage Customer Licenses Customer Information and click on Update License Key. Please note that license keys installed in SGOS 3.1.x are forward compatible with SGOS 3.2, except they do not activate the Netegrity SiteMinder feature until the license key has been updated. Users requesting a license key for the very first time (upgrading from CA/SA 4.x and SGOS 2.1.x) automatically get the Netegrity SiteMinder component included in the license key.