Release Notes: Known Issues and Limitations
Version: SGOS 4.1.5.1, build 27744
Release Date: 12/22/2006
Revision: 4.1
This document provides a subset of limitations and known issues with the Blue Coat SGOS 4.1.x release that might be encountered by more than a few customers. It is updated with every SGOS 4.1.x dot release.
Read through the following issues before upgrading to the SGOS 4.1.x release. Also, if an operation issue arises, before contacting Blue Coat, visit this page to verify it is not a limitation or a known issue.
Browsers
- If you are using HTTP to connect to the Management Console, pressing the Back button in the browser results in the following error message:
  Unable to obtain session secret from ProxySG. Please try reloading the current page.
  Refresh the current page to continue. (B#45351a)
- Netscape 4.x browsers are incapable of handling compressed content for certain content types. For now, it is advised to disable compression for all requests from Netscape 4.x browsers. You can use the following policy for this (B#46368a):
  <proxy>
  request.header.User-Agent="Mozilla/4." request.header.User-Agent=!".MSIE." http.allow_compression(no)
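The two User-Agent tests in this policy interact: Internet Explorer also identifies itself as "Mozilla/4.0 (compatible; MSIE ...)", so the first test alone would switch compression off for IE as well, which is why the second test excludes MSIE. The following added example (not Blue Coat's code) checks that behaviour against constructed User-Agent strings; it treats the two header tests as Perl-style regular expressions, which is an assumption about how CPL evaluates request.header tests.

```python
import re

# The two tests from the policy line, taken literally as regular expressions
# (assumption: CPL request.header tests are regex matches).
NETSCAPE4 = re.compile(r"Mozilla/4.")   # matches "Mozilla/4" followed by any character
MSIE = re.compile(r".MSIE.")            # matches "MSIE" with any character on either side


def allow_compression(user_agent: str) -> bool:
    """True unless the policy would apply http.allow_compression(no).

    The rule fires only when the first test matches AND the negated
    second test also holds (no MSIE token in the User-Agent).
    """
    rule_fires = bool(NETSCAPE4.search(user_agent)) and not MSIE.search(user_agent)
    return not rule_fires


# Constructed User-Agent strings and the expected decision for each.
SAMPLE_AGENTS = {
    "Mozilla/4.79 [en] (Windows NT 5.0; U)": False,                 # Netscape 4.x: no compression
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)": True,     # IE, excluded by the MSIE test
    "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20061010": True,  # not Mozilla/4 at all
}


def check_samples() -> bool:
    """Return True when every constructed sample gets the expected decision."""
    return all(allow_compression(ua) == expected for ua, expected in SAMPLE_AGENTS.items())


if __name__ == "__main__":
    for ua, expected in SAMPLE_AGENTS.items():
        print(f"{allow_compression(ua)!s:5}  {ua}")
    print("all samples as expected:", check_samples())
```

Dropping the second test, or writing it without the negation, is the mistake this style of rule invites; running the samples through the function is a cheap way to confirm the policy line does what the release note says before installing it.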
- If you are using Firefox to access one Management Console and open another Firefox browser to access a different ProxySG Management Console, the second browser might not be fully functional. This is a Firefox issue, not one with the ProxySG. (B#48146)
- When running JRE v1.4.1_07, resizing the window does not repaint the browser. To repaint, reselect the applet.
Access Logging
If you change log formats on the fly, the ProxySG continues logging to the same log object, resulting in a log upload of a file that contains two different formats. This is a transient condition that affects only a certain number of entries (the number depends on the load), after which the new file is generated with the correct ELFF header. As a result, Reporter does not report that "certain number of entries".
Authentication
- Forms-based authentication is not supported through explicit proxy when a user attempts to visit an HTTPS site.
- Credential caching is applicable only for authentication modes involving surrogates.
- Invalid certificate error: If BCAAA is set up to save its certificates (which it is by default), more than one agent realm is referenced in policy, and each of those realms is configured to use SSL, you might see an error message similar to the following:
  The message or signature supplied for verification has been altered
  When the policy is activated, the multiple realms each attempt to connect to BCAAA. Each connection spawns a separate process, and each process attempts to create a certificate since none is available. If more than one process creates a certificate, multiple certificates are placed in the certificate store. Since only one certificate is permitted, the Windows 2003 SSL library fails.
If this occurs, do the following:
1. Open the Microsoft Management Console (Start > Run > mmc)
2. Go to File > Add/Remove Snap-in
3. From the Add/Remove Snap-in pane, click Add. The list of available objects displays.
4. Select Certificates.
5. Click Add.
6. Select the Service Account Radio button.
7. Click Next.
8. Select the computer to manage.
9. Click Next.
10. Select BCAAA.
11. Click Finish. Click Close to close the Add Standalone Snap-in dialog.
12. From the Add/Remove Snap-in pane, double-click Certificates-Service (BCAAA)
13. Remove all certificates but one.
14. Click OK when finished.
Bandwidth Management
- There might be transient statistics measurements when changing the priority level of a bandwidth class. (B#483902a)
- The Bandwidth Management hierarchy might need to be re-configured when copying the output of show config to reconfigure a ProxySG. (B#50382a, B#51418a)
Branch Deployment
Before deploying ProxySG appliances for branch office acceleration through SOCKS compression, review the following:
- Enable SOCKS Proxy on the Concentrator Proxy to compress Outlook/CIFS traffic between Branch Proxies and the Concentrator Proxy.
- Enable HTTP Proxy on the Concentrator Proxy to compress HTTP responses to Branch Proxies.
- SOCKS Compression and HTTP Compression are CPU- and memory-intensive functions.
- Do not use an existing Gateway Proxy or Reverse Proxy as a Concentrator Proxy.
- SOCKS Compression and HTTP Compression can be simultaneously active on the Concentrator Proxy, with certain caveats listed below.
- Do not enable other functions that require large memory allocations on the Concentrator Proxy, such as:
  - HTTPS termination/origination.
  - HTTP decompression.
  - Policy for page transforms, response data, and apparent data type triggers.
- Do not enable other highly CPU-intensive applications, such as:
  - HTTPS termination/origination.
  - Spyware policy.
- Implement page transforms and Spyware policies on the Gateway Proxy (not the Concentrator Proxy).
- Implement HTTPS termination/origination on the Reverse Proxy (not the Concentrator Proxy).
- The same Branch Proxy can be used for SOCKS Compression and other protocols, such as HTTP.
- Blue Coat recommends that the Branch Proxy use the Concentrator Proxy as the HTTP Proxy for forwarding HTTP traffic (not as a SOCKS Proxy).
- The ProxySG does not support load balancing across SOCKS gateways.
- To compress Microsoft Outlook traffic, the ProxySG in the branch office must be in line as a bridge. Because of dynamic traffic, you cannot use an L4 switch or a WCCP router to intercept RPC services.
- Verify that duplex settings are compatible in bridged deployments (in branch offices).
- Specifying the ports that intercept the CIFS/printing protocol: In a deployment where one group of CIFS/printing services listens on both ports 139 and 445 and another group of CIFS/printing services listens only on port 139, configure the branch ProxySG to intercept only port 139; do not configure it to intercept both ports 139 and 445. Otherwise, the port-139-only services will break. The resulting limitation is that when clients choose to use port 445, that content is not compressed because port 445 traffic is not intercepted.
Bridging
- When a ProxySG is deployed inline as a bridge, it intercepts traffic (such as HTTP port 80 traffic) from both inside (Intranet) and outside (Internet). This makes the ProxySG an open proxy unless it is explicitly configured to deny connections from the outside. If this is not intended, you must create explicit policy rules to proxy connections only from the inside.
- The PCAP bridging filter does not work in the software bridge implementation. (B#53918a)
Compression
- The following content types are already recognized by Internet Explorer as compressed. Regardless of the user agent, these types are not compressed by the ProxySG (B#44032a):
  image/gif
  image/jpeg
  image/png
  image/pjpeg
  application/x-compressed
  application/x-zip-compressed
  application/x-gzip-compressed
  application/futuresplash
  application/x-rtsp-tunnelled
  application/x-shockwave-flash
  Additionally, the following (standard) content types cannot be compressed:
  application/zip
  application/x-gzip
  application/pdf
  audio
  video
- Blue Coat recommends using gzip encoding (or allowing both gzip and deflate) when using HTTP compression, for the following reasons:
  - Servers return deflate-encoded content but do not return an Accept-Encoding: header.
  - Deflate is discussed in two standards: RFC 1950 and RFC 1951. Most servers return RFC 1951, while the HTTP/1.1 standard requires RFC 1950.
  - The IIS HTTPZIP plugin (older versions) returns gzip when asked for deflate. (SGOS 4.x treats this as an unsolicited response and passes it through to the browser.)
  - The IIS HTTPZIP plugin (newer versions) returns gzip when asked for deflate, but claims it is deflate. This appears as corrupt data to browsers and the ProxySG.
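The RFC 1950/1951 split and the mislabelled-gzip case above are both things a proxy or client can detect from the first bytes of the body rather than from the Content-Encoding header. The following added example (not Blue Coat's code) builds the three encodings from a constructed payload with the standard library, sniffs which one a body actually is, and flags a body whose declared encoding disagrees with its contents, which is exactly the newer-HTTPZIP situation described in the last bullet.

```python
import gzip
import zlib

# Constructed response body used to build the three sample encodings.
PAYLOAD = b"<html><body>constructed sample response body</body></html>" * 4


def make_gzip(data: bytes = PAYLOAD) -> bytes:
    """RFC 1952 gzip: 10-byte header starting with 1f 8b, raw deflate, CRC-32 trailer."""
    return gzip.compress(data)


def make_zlib_deflate(data: bytes = PAYLOAD) -> bytes:
    """RFC 1950 'deflate' as HTTP/1.1 defines it: 2-byte zlib header, raw deflate, Adler-32."""
    return zlib.compress(data)


def make_raw_deflate(data: bytes = PAYLOAD) -> bytes:
    """RFC 1951 raw deflate, no header and no checksum: what most servers actually send."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def sniff_encoding(body: bytes) -> str:
    """Classify a body as 'gzip', 'deflate-rfc1950', 'deflate-rfc1951' or 'unknown'."""
    if body[:2] == b"\x1f\x8b":
        return "gzip"
    try:
        zlib.decompress(body, zlib.MAX_WBITS)        # expects the RFC 1950 wrapper
        return "deflate-rfc1950"
    except zlib.error:
        pass
    try:
        zlib.decompress(body, -zlib.MAX_WBITS)       # raw RFC 1951 stream
        return "deflate-rfc1951"
    except zlib.error:
        return "unknown"


def decode_body(claimed_encoding: str, body: bytes):
    """Decode by what the body *is*, and report whether the header told the truth.

    Returns (status, actual_encoding, decoded_bytes) where status is 'ok' when
    the Content-Encoding value names the family the body really uses and
    'mismatch' otherwise (for example gzip bytes labelled 'deflate').
    """
    actual = sniff_encoding(body)
    if actual == "gzip":
        data = zlib.decompress(body, 16 + zlib.MAX_WBITS)
    elif actual == "deflate-rfc1950":
        data = zlib.decompress(body, zlib.MAX_WBITS)
    elif actual == "deflate-rfc1951":
        data = zlib.decompress(body, -zlib.MAX_WBITS)
    else:
        raise ValueError("body is not gzip, RFC 1950 deflate or RFC 1951 deflate")
    family = "gzip" if actual == "gzip" else "deflate"
    status = "ok" if claimed_encoding.strip().lower() == family else "mismatch"
    return status, actual, data


if __name__ == "__main__":
    # Same body as the newer IIS HTTPZIP case: gzip bytes under "Content-Encoding: deflate".
    for claimed, body in [("deflate", make_gzip()),
                          ("deflate", make_raw_deflate()),
                          ("deflate", make_zlib_deflate()),
                          ("gzip", make_gzip())]:
        status, actual, _ = decode_body(claimed, body)
        print(f"claimed={claimed:8} actual={actual:16} -> {status}")
```

A decoder that only honours the header would reject the first and second bodies as corrupt; sniffing first is what lets a client accept RFC 1951 from servers that send it, and turns the mislabelled-gzip case into a logged mismatch instead of a blank page. The "unknown" result is the one to treat with suspicion in a proxy: a body that is neither encoding yet carries a compression header should be passed through untouched or dropped, not decoded with guesses.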
Content Filtering
- The renamed SmartFilter categories are hard-linked between old name and new name (example: High Bandwidth and Media Downloads), regardless of whether SmartFilter is the selected vendor. (B#50420a)
- When the Oblix COREid 6.5 WebGate server software is upgraded to Oracle COREid 7.0, the SSO feature might stop working even if the ipvalidation value in the WebGate configuration file (WebGateStatic.lst) is set to false by the administrator afterwards. The workaround is to uninstall and reinstall the Oracle COREid 7.0 WebGate software, and set IPValidation to false. Then restart the COREid Access server and the IIS server. (B#55167a)
- The Blue Coat SG might experience slowness due to slow CFS lookups. This is solved in SGOS 4.2 and later releases. (B#64859, 2-39694930)
- ALOGAdmin:Websense is blocked on DNS lookup, which blocks all other client worker lookups. Upgrade to SGOS 4.2.x. (B#59055, 2-23391391)
Health Checks
- Whether Health Check notification emails are sent depends upon the event log threshold. If the event log threshold is set to less than Informational, notification emails are not sent for ICAP, Websense off-box, or manually created health checks. (B#53917a)
- Health check names are limited to 31 characters. If using the Management Console, the characters icap_hc_ are automatically added as a prefix to the health check name, making the usable number of characters even smaller. To use the full allotment of characters, use the CLI. (B#58081a)
HTTP
An Authorization header credential mismatch can cause a redirect loop. This can occur if an already authenticated Web session is not closed and web traffic is redirected to go through a ProxySG with transparent cookie-based authentication enabled. The issue arises because the proxy does not realize that the credentials in the transaction are for the origin content server and not for the ProxySG. (B#55841, SR 1-17096328)
HTTPS
- Creating HTTPS services on 255.255.255.255:443 can result in a service that cannot be deleted. This should not prevent the creation of other valid HTTPS services on the same port. (B#50384a)
Instant Messaging
- Video and audio are not supported with any of the Instant Message protocols: MSN, Yahoo!, AOL. (B#52283a, 1-13536917)
- The ProxySG sends alert messages to the user in-band or out-of-band as specified by the configuration variable exceptions. However, alert messages for activities such as file transfer (which use direct connections) are always sent out-of-band. (B#54481a, 1-16108722)
- Connection through SOCKS V5 from a Windows 2000 desktop might fail when using MSN 7.0. (B#54009)
- IM Proxy creates incorrect access log entries for the login method for all three IM protocols. (B#54721)
- When using an explicit SOCKS proxy on MSN 7.0 and 7.5 clients, the MSN client sometimes connects to the server via the native MSN port 1863. In that case, the client may connect directly to the MSN server, bypassing the ProxySG. To ensure that the MSN client connects through the ProxySG appliance's SOCKS proxy in explicit proxy mode, port 1863 should be blocked on the client side with a firewall or other means. (B#58795)
Passive FTP Exception
For a configuration that uses Passive FTP through SOCKS, the policy described under Protocol Detection might not avoid the 30-second delay caused by protocol detection. The reason is that a separate DATA connection is created to transfer data; the port used on this DATA connection is random, so policy cannot be enforced on it. If this configuration is necessary, there are two options:
- Generate a white list of FTP servers that can be accessed. For example:
  <proxy>
  client.protocol=socks condition=ftp_destination detect_protocol(none)
  define condition ftp_destination
  url.address=IP_address
  url.address=IP_address
  end condition
- Implement policy to disable protocol detection for all SOCKS tunnels. For example:
  <proxy>
  client.protocol=socks detect_protocol(none)
Peer to Peer
The following peer-to-peer (P2P) clients cannot connect to the ProxySG using SOCKS V5 authentication (B#45540a):
- eMule Version 0.43b
- KazaaPlus 2.6.4
Policy
- Cutting and pasting of a category does not work as expected. Once policy is installed, the effect of an earlier cut and paste disappears. (B#49036a)
- CPL: When constructing policy, Blue Coat recommends that Forwarding layers be placed after Proxy layers; otherwise, the Forwarding layer might not be evaluated.
- VPM: When creating a time object, if you enable some of the options, the tabbing sequence does not select the newly enabled fields. It simply runs through all the enable checkboxes, through the buttons, and back to the top. For example, if you enable Only Between The Following Times of the Day and tab through all the options, the From and To fields do not get selected. (B#48267a)
- VPM: The progress bar in the Management Console VPM applet is editable, but editing it does not result in any action. (B#48694a)
- VPM: After declaring patience on an object, if the server connection is reset, the object is re-fetched and re-scanned, causing repeat patience pages. (B#50386a)
- VPM: Category URLs should not contain the equal (=) character. If a user enters category=name as part of the URLs of a category, it is treated as a subcategory. (B#50420a)
- VPM: If a category exists under more than one parent, the generated policy also contains repeated entries of the same category; this does not present any complications. (B#50424a)
- Content Filtering: The test-url command with an embedded '&' might create extra newlines in the output. (B#51298a)
Protocol Detection
A 30-second delay occurs when the ProxySG tunnels any protocol where the server speaks first. Examples of these protocols are FTP, SMTP, POP3, and IMAP. Currently, the ProxySG does not support protocol detection for such protocols; therefore, the delay occurs in all three types of tunnels:
- TCP tunnel
- SOCKS tunnel
- HTTP CONNECT tunnel
The workaround is to define policy that disables protocol detection for all tunnels where the tunneled protocol is one where the server speaks first. The following is an example of such policy.
<Proxy>
;Rule 1
condition=server_speaks_first_port_list condition=tunneling_protocol detect_protocol(none)
; Definitions
define condition server_speaks_first_port_list
url.port=25
url.port=143
url.port=21
url.port=110
end
define condition tunneling_protocol
client.protocol=http
client.protocol=tcp
client.protocol=socks
end
Notes:
- The destination-based condition in Rule 1 must be included to avoid a security issue.
- If a server is listening on a non-default port, you must add a line with that port (for this example, in the server_speaks_first_port_list condition).
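Rule 1 only applies detect_protocol(none) when both of its conditions match, and the two notes above are about what changes when one condition is dropped or a port is missing. The following added example (not Blue Coat's code, and a model of the rule rather than a CPL evaluator) walks a set of constructed tunnel transactions through Rule 1, once as written and once with the destination-based condition removed, so the effect of each note can be checked before the policy is installed. The Transaction type and the function names are the example's own.

```python
from dataclasses import dataclass

# Definitions copied from the policy example in the release note.
SERVER_SPEAKS_FIRST_PORTS = {25, 143, 21, 110}    # define condition server_speaks_first_port_list
TUNNELING_PROTOCOLS = {"http", "tcp", "socks"}     # define condition tunneling_protocol


@dataclass(frozen=True)
class Transaction:
    """The two attributes Rule 1 tests (hypothetical type, not a ProxySG object)."""
    client_protocol: str   # what CPL tests with client.protocol=
    url_port: int          # what CPL tests with url.port=


def protocol_detection_enabled(txn: Transaction,
                               ports=SERVER_SPEAKS_FIRST_PORTS,
                               keep_port_condition: bool = True) -> bool:
    """True when the tunnel still gets protocol detection after Rule 1 runs.

    keep_port_condition=False models the misconfiguration the first note
    warns against: Rule 1 with the destination-based condition left out.
    """
    is_tunnel = txn.client_protocol in TUNNELING_PROTOCOLS
    is_server_first = txn.url_port in ports
    detection_off = (is_tunnel and is_server_first) if keep_port_condition else is_tunnel
    return not detection_off


def tunnels_without_detection(transactions, ports=SERVER_SPEAKS_FIRST_PORTS,
                              keep_port_condition: bool = True) -> list:
    """The subset of transactions for which Rule 1 turned protocol detection off."""
    return [t for t in transactions
            if not protocol_detection_enabled(t, ports, keep_port_condition)]


# Constructed sample transactions.
SAMPLE = [
    Transaction("socks", 25),    # SMTP through a SOCKS tunnel: server speaks first
    Transaction("tcp", 143),     # IMAP through a TCP tunnel: server speaks first
    Transaction("http", 21),     # FTP through HTTP CONNECT: server speaks first
    Transaction("socks", 80),    # HTTP through SOCKS: client speaks first
    Transaction("http", 443),    # HTTPS through CONNECT: client speaks first
    Transaction("ftp", 21),      # native FTP proxy, not a tunnel: Rule 1 does not apply
]

if __name__ == "__main__":
    as_written = tunnels_without_detection(SAMPLE)
    without_port_condition = tunnels_without_detection(SAMPLE, keep_port_condition=False)
    print("detection off, rule as written:     ", len(as_written), "of", len(SAMPLE))
    print("detection off, port condition dropped:", len(without_port_condition), "of", len(SAMPLE))
    # Second note: a server-speaks-first service on a non-default port is missed
    # until that port is added to the condition.
    odd_port = Transaction("socks", 2525)
    print("SMTP on 2525, port not listed:", protocol_detection_enabled(odd_port))
    print("SMTP on 2525, port added:     ",
          protocol_detection_enabled(odd_port, SERVER_SPEAKS_FIRST_PORTS | {2525}))
```

With the rule as written, only the three server-speaks-first tunnels lose detection; with the destination-based condition dropped, every tunnel does, including the HTTP-through-SOCKS and CONNECT-to-443 cases, which is the exposure the first note is warning about. The non-default-port case shows the opposite failure: until the extra port is listed, that tunnel keeps protocol detection and the 30-second delay with it.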
P2P
When a CONNECT is issued with a Content-Length header, the ProxySG attempts to parse the request entity body to determine whether it is from a known P2P agent. If no data is received within 30 seconds, the ProxySG aborts the transaction. Because such a client is broken and sends an invalid Content-Length header, the ProxySG stalls on the request. Use the following CLI command to enable tolerant request parsing:
#(config) http tolerant-request-parsing
RADIUS
- The output of show config displays the RADIUS shared secret as shared_secret. This is incorrect; it should be shared-secret. If the output is used for a restore configuration operation, this option is not recognized.
- Blue Coat does not support RADIUS challenge/response (that is, ACCESS-CHALLENGE is treated like ACCESS-REJECT). (B#48196)
SSH
If you execute a number of commands in quick succession using the command-line execution feature of ssh, the SSH client might terminate the connection before displaying the output of all the commands. For example:
ssh -T -l user -i user_private_key proxysg_IP test
where the file test contains a list of CLI commands. This might not give the output of all the commands listed in the file test. (B#48912a)
Statistics
- Policy/Statistics sometimes reports active FTP sessions when there are no active FTP sessions. FTP/Statistics properly reports no active sessions in such cases. This inconsistency is a known issue. (B#48565a)
- Freshness statistics with values greater than 1000 are displayed as 0. The workaround is to clear the system's cache and reboot. (B#60821, 2-24017561)
VPM
If you create a request URL object and a server URL object that contain the same URL, such as www.bluecoat.com, while using SGOS 4.2, and then downgrade to SGOS 4.1, the two objects become identical. Their behavior, however, is as expected. The workaround is to delete one of the objects. (B#56533a)
Windows
A Windows update for either Windows Update Version 5 or Version 6 might fail if you access the Windows Update Version 5 or Version 6 Web site through authenticating proxy servers, such as the ProxySG.
The message you see is similar to the following:
Windows Update has encountered an error and cannot display the requested page.
You might also see [Error number: 0x80072F78] in the upper-right corner of the Web page.
To correct this situation, you must upgrade to SGOS 4.1.3 or higher; in addition, you must apply the fix found in the Microsoft knowledge base.
Support
Direct support questions regarding this release to Blue Coat Technical Support. For more information, visit http://www.bluecoat.com/support/ or send e-mail to support@bluecoat.com.
Copyright© 1999-2006 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxySG™, ProxyAV™, CacheOS™, SGOS™, Spyware Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.