ProxySG SGOS 4.1.x

Release Notes


Version: SGOS 4.1.5.3, build 32708
Release Date: 4/9/2008
Revision: 3.2

IMPORTANT: This release adheres to a strict upgrade path. To avoid complications, read these Release Notes before beginning an upgrade (specifically, the Introduction and Upgrade Information sections).

Introduction

These Release Notes contain information for the Blue Coat SGOS 4.1.x release. Review this information before deploying and configuring this release. Furthermore, if you are upgrading to SGOS 4.1.x from a previous release, read the Blue Coat SGOS 4.x Upgrade Guide, which discusses feature interactions.

For general information about Blue Coat: bcs.info@bluecoat.com.

Direct support questions regarding this release to Blue Coat Technical Support. For more information, visit:
http://www.bluecoat.com/support/.

Important: SGOS 4.1.5 is the last maintenance release for SGOS 4.1. Any future bug fixes and enhancements for SGOS 4.x will be added to SGOS 4.2.x and later releases.

Changes in this Version

This section lists and describes the significant changes to 4.1 provided in subsequent minor releases.

SG 4.1.5.3 (build 32708)
  • Added support for the Seagate 73GB HDD model ST373455LC on the 8000 Series.
SG 4.1.5.2 (build 28121)
  • Daylight Savings Time change (DST). The appliance software has been modified to include new rules for DST. Additionally, all timestamps, which are recorded in Coordinated Universal Time (UTC), are processed differently so that local time displays correctly. The Management Console has been modified to include a more comprehensive time zone selection. To enable flexibility, time zone selection can be associated with an open source time zone database that can be updated at the user’s discretion. The time zone database is not required to set the appliance to UTC.

  • Fixed page Fault at 0x492791A0 - "DNS Service worker" in "Kernel.dll" at .text+0x4590. (B#63580, 2-29007027, 2-30734957).

SGOS 4.1.5.1 (build 27744)

  • Microsoft Internet Explorer 7.0 support.
  • Fix for security vulnerability with Netscape/OpenSSL Cipher Forcing.

  • Websense: Normally, the Blue Coat appliance logs the actual client IP address to the Websense Reporter log. You can configure the Blue Coat appliance to log an address obtained from the X-Forwarded-For HTTP Header (if present and valid) instead. This is useful in some specific network topologies. You can configure this feature from either the Management Console (Configuration > Content Filtering > Websense) or the CLI. From the CLI (config) prompt:
      SGOS#(config) content-filter
      SGOS#(config content-filter) websense
      SGOS#(config websense) log-forwarded-client-address

  • Issues fixed in this release

SGOS 4.1.4.12

  • Fix for security vulnerability with OpenSSL: RSA Signature Forgery (CVE-2006-4339).
  • Fix for security vulnerability with Netscape's SSLv3 implementation. (B#62800, SR 2-29563361)
  • Added support for SSL 5825 Falcon card on 200, 400, 800 and 8000 platforms.
  • Issues fixed in this release

SGOS 4.1.4.6

SGOS 4.1.4

  • Firefox has been added to the user-agent list in VPM.
  • Support for default route advertisements has been added. Default route advertisements are treated the same as static default routes; that is, the default route load balancing schemes also apply to default routes from RIP. By default, RIP ignores default route advertisements. Note that ip-forwarding must be enabled before you can use default route advertisements.
  • Instant Messenger Yahoo 7.0 support has been added.
  • Issues fixed in this release

SGOS 4.1.3

  • A new content-filtering vendor--Digital Arts i-FILTER--is supported.
  • A new switch to disable the license trial period has been added. The license trial period is enabled by default.
  • SGOS 4.1.3 uses a new database download system for SurfControl. A license key is no longer required to download the database; instead, you must configure a username/password (provided by Blue Coat). If you are an existing SurfControl user, you must do a full download of the new SurfControl database before any content filtering can be done. Until such time, all URLs are categorized as unavailable.
  • SurfControl can now log fully-qualified usernames if the authentication was done by a NTLM realm. If authentication is done by any other realm, only simple usernames are logged.
  • External services (ICAP, Websense off-box) have a reserved connection for health checks (if health checks are created). This means that, as load goes up and the number of connections to the external service maxes out, with additional requests being queued up and waiting, the maximum simultaneous connections is actually one less than the limit as set.
  • Issues fixed in this release

SGOS 4.1.2

  • Session Monitor for RADIUS Realms--You can configure a ProxySG or a cluster of ProxySG appliances to monitor RADIUS accounting messages and to maintain a session table based on the information in these messages. The session table can then be used for logging or authentication.
  • Compression Level Configuration--You can define policy to determine the level of HTTP Compression (Low, Medium, High).
  • Default Authorization Groups--If authentication succeeds but authorization fails, you can apply default policy (typically restrictive) to those users.
  • Embedded URL Detection and Categorization--Blue Coat Web Filter detects and categorizes embedded URLs.
  • Using SSL--You can use SSL between the client and the ProxySG for origin-style challenges on transparent and explicit connections.

New Features

This major SGOS release contains the following new functionality.

Network Management and Performance

Compression

Provides substantial network bandwidth performance gain. Previously, the HTTP proxy did not support compressed content. If the response had a Content-Encoding: header with a value other than identity, the ProxySG made the response non-cacheable.

SGOS 4.x provides Compression support in HTTP. The ProxySG can compress or decompress content on the appliance and cache the response in various forms. For example, you can fetch the content in the uncompressed form, and deliver it to client in compressed form. If the content is cacheable, both compressed and uncompressed forms are stored on the ProxySG for future use. The supported compression formats are gzip and deflate.

Similarly, you can fetch compressed content from the server if it provides compressed content, and decompress it on the ProxySG if the client is not capable of handling compressed content.

Regardless of configuration, the ProxySG always decompresses the content if page transformation (for example: active content removal, Two-Way-URL-Rewrite, or popup blocker) is configured.

Branch Office Acceleration

The co-release of the SGOS ProxySG 200 appliance and SGOS 4.1.x software allows enterprises to extend the same level of Web security and control to the branch offices that exists at the corporate core.

  • SOCKS compression enables customers to reduce bandwidth usage and improve latency between the main office and remote branch office locations. This can be used for non-Web protocols, such as Microsoft Exchange, ERP applications, and tunneling protocols, which constitute a large percentage of traffic on most enterprise networks.
  • In conjunction with SOCKS compression, the Endpoint Mapper Proxy allows for reduction in bandwidth usage between the core and the branch for the Microsoft RPC service traffic.

Bandwidth Management

Classify, control, and if required, limit the amount of bandwidth used by a class (a unit of bandwidth allocation) of network traffic flowing in or flowing out of the proxy.

Content Filtering and Other Services

Blue Coat Web Filter with Dynamic Categorization

The new name for Cerberian content filtering is Blue Coat Web Filter (BCWF). You can evaluate Blue Coat Web Filter free during the 60-day trial period.

A sub-feature of the BCWF, Dynamic Categorization provides real-time analyzing and content categorization of requested Web pages.

P2P

The ProxySG recognizes Peer-to-Peer (P2P) activity relating to P2P file sharing applications. You can write policy to control or restrict invasive P2P activity, saving precious bandwidth consumption and minimizing employee abuse of resources.

Notify User

Allows you to invoke user compliance for Internet access and coach users on Internet access policies. You can customize these messages and create policy to determine when they appear. All user compliance actions are logged.

Feature Updates

SGOS 4.1.1 contains the following updates to previously-existing SGOS features:

  • The Blue Coat licensing system changed. Refer to the Blue Coat SGOS 4.x Upgrade Guide, Chapter 2: Licensing.
  • The object limit for all ProxySG platforms has been re-evaluated. For most systems, this means an increase in the maximum number of cacheable objects. This new limit applies to all newly manufactured systems and reinitialized disks.
  • New SSL CLI commands have been added to transfer the SSL configuration to another system for backup, plus other interactive commands.
  • SGOS 4.1 uses a new database download system for SmartFilter, v4. A license key, which was sent to you in an e-mail by Secure Computing when you ordered the database, is required to download the new version. In the e-mail, this key is listed as the Serial Number (not the Activation Key) and is in the alpha-numeric format of: xxxx-xxxx-xxxx-xxxx. For further details about using SmartFilter v4, see Chapter 18: Content Filtering>Configuring SmartFilter in the Blue Coat ProxySG Configuration and Management Guide.
  • Some RADIUS servers support one-time passwords. One-time passwords are passwords that become invalid as soon as they are used.
  • SGOS 4.1.x features OpenSSL 0.9.7.
  • Access Logging contains the following new features:
    • A switch to enable or disable access logging on a global basis, both through the Management Console (Access Logging>General>Global Settings) and the CLI.
    • Signed access logs, which certify that a specific ProxySG wrote and uploaded a specific log file.
    • New substitutions to support SGOS 4.x functionality. (For more information on new substitutions, refer to the Blue Coat SGOS 4.x Upgrade Guide.)
  • CPU Monitoring: You can enable CPU monitoring to see the percentage of CPU being used by specific functional groups.
  • Three new content filtering third-party vendors: InterSafe, Optenet, and Webwasher.
  • Two new authentication realms are available, bringing the total to eleven:
    • Oblix COREid: With Oblix COREid (formerly NetPoint), the ProxySG acts as a custom AccessGate. The ProxySG supports authentication with COREid v6.5 and v7.0.
    • Policy Substitution: A Policy Substitution realm provides a mechanism for identifying and authorizing users based on information in the request to the ProxySG.
  • Visual Policy Manager (VPM):
    • You can view all static and configured objects in one dialog (View>All Objects).
    • The Category Object dialog features parent/child category relationships that are easier to select and deselect.
    • Previous objects replicated in the Source column; new objects relating to new features.

Policy Updates

  • As of SGOS 4.1.1, policy stored in the ProxySG is read using the UTF-8 encoding format and cannot contain international (non-UTF-8) characters. Policy containing non-UTF-8 characters must be corrected.
  • In the Blue Coat SGOS 4.x Upgrade Guide, Chapter 3: Feature-Specific Upgrade Behavior contains the following sections regarding Policy updates for this release:
    • Policy--Provides the CPL and VPM properties and objects added for this release.
    • Policy>Policy Deprecation--Describes the policy interaction between this and the previous release, including how to check for deprecation warnings.
    • CPL--Lists the previous policy syntax that is not supported in this release and lists the replacement syntax.

    IMPORTANT: Do not upgrade unless the policy compiles without deprecation warnings.
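
One way to locate non-UTF-8 bytes in a saved copy of the policy before upgrading, as an added example (not Blue Coat code and not part of the original Release Notes). The sample policy text is constructed, and the Windows-1252 reading offered for each offending byte is an assumption about how such a file was saved.

```python
def find_non_utf8(data: bytes):
    """Return one finding per invalid UTF-8 sequence in a policy file.

    Each finding is (line_number, byte_offset_in_line, hex_bytes, guess),
    where guess is what those bytes would mean in Windows-1252 (assumption).
    """
    findings = []
    # A valid multi-byte UTF-8 sequence never contains 0x0A, so splitting on
    # newlines cannot cut a well-formed character in half.
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        pos = 0
        while pos < len(line):
            try:
                line[pos:].decode("utf-8")
                break  # the rest of this line is clean
            except UnicodeDecodeError as err:
                start, end = pos + err.start, pos + err.end
                bad = line[start:end]
                guess = bad.decode("cp1252", errors="replace")
                findings.append((lineno, start, bad.hex(), guess))
                pos = end  # resume scanning after the bad bytes
    return findings


def report(data: bytes):
    """Format the findings as one human-readable line each."""
    return [
        f"line {n}, byte {off}: 0x{hx} (Windows-1252 {guess!r}?)"
        for n, off, hx, guess in find_non_utf8(data)
    ]


# Constructed sample text, not a real policy. Line 2 stores "é" as UTF-8
# (C3 A9); line 3 stores it as the single Windows-1252 byte E9.
SAMPLE_POLICY = (
    b"; constructed sample text, not a real policy\n"
    b"; caf\xc3\xa9 block list (valid UTF-8)\n"
    b"; caf\xe9 block list (saved as Windows-1252)\n"
    b"<Proxy>\n"
    b"  url.domain=example.com deny\n"
)

if __name__ == "__main__":
    for message in report(SAMPLE_POLICY):
        print(message)
```
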

System Requirements and Supported Applications

This section lists the system component requirements for this release and which vendor components are supported.

ProxySG Platform (Software and Hardware)

Software: If you are upgrading from a previous Blue Coat release, the ProxySG must be running SGOS 3.2.4 or higher. See the Upgrade Information>Supported Upgrade Path section below.

Hardware: Blue Coat appliance models SG200-x, SG400-x, SG800-x, SG6xxx, 7xxx, and 8000-x can be upgraded to SGOS 4.1.x.

Older Blue Coat appliance models 6xx, 5xx, 7xx, 3xxx, 5xxx, 2xxx, 1xxx, and 1xx cannot be upgraded to this release. To upgrade the hardware to a newer model, contact your local reseller or Blue Coat Sales (at sales@bluecoat.com).

    Note: Before upgrading to SGOS 4.1.x, Blue Coat recommends evaluating the current CPU usage on installed systems. For example, if a SGOS 3.x system is already running between 70-80% CPU usage under average load patterns (50% if you plan to implement the SGOS 4 Compression feature), contact your local Blue Coat sales team to discuss load balancing and hardware upgrade options to ensure sufficient headroom for average and transient/peak loads after the upgrade to SGOS 4.1.x.

Management Interfaces

To upgrade to SGOS 4.1.x, the appliance must be running SGOS 3.2.4 or higher before the upgrade. See the table in the Upgrade Information section below for the upgrade path you must follow.

The Web-based Management Console (MC) and the Visual Policy Manager (VPM) Java application should be used only under the following recommended combinations of OS, Browser and Sun Java Runtime Environment (JRE) versions.

  • OS for MC and VPM: Microsoft 2000 Pro (SP4 or later), XP (SP2 or later).
  • Browser for MC and VPM: Internet Explorer 6.0 (SP1 or later) and 7.0, Firefox 1.0, Netscape 7.2.
  • JRE: 1.5.0, 1.4.1_07.

Notes

  • Only JRE 1.4.1_07 and 1.5.0 are supported. Because of a Sun-published security issue regarding JRE 1.4.1_07, only use this version for administrative access to the ProxySG, not for access to external Internet sites. Blue Coat recommends upgrading to JRE 1.5.0.
  • Firefox 1.0 has some problems with downloading and running the JRE, most notably that Management Console panes might display with grayed out boxes. Furthermore, you might experience some display glitches, such as greyed-out screens, when other applications are moved around on the screen. Refreshing the page returns the correct display.
  • On the Sun download page, Sun naming conventions refer to J2SE 1.5.0 and J2SE 5.0 interchangeably. J2SE 5.0 is the new name for JRE 1.5.
  • Before you download JRE 1.5, verify you have the correct file. Select Related Links>Popular Downloads>J2SE 5.0 to access the JRE 1.5 download page. Select the desired file; the first two downloads on that page are for developer kits.
  • If you experience a problem downloading the latest supported JRE through the Management Console because:
    • The browser does not support automatic download (for example, Netscape), or
    • The automatic download hangs

    Enter the following URL to get to the Sun download page (in the second case, first terminate the download):
    http://java.sun.com/products/plugin/index.jsp.

  • Network slowness or slower processor speeds might affect JRE 1.5 performance. The delay increases between the ability to click Management Console menu selections and options.

Blue Coat Director and Reporter

  • This release is compatible with the following Blue Coat Director release: SGME 4.x.
  • This release is compatible with the following Blue Coat Reporter releases: Reporter 7.1.2 and higher.

Anti-Virus

The Blue Coat ProxySG with ProxyAV™ integration is a high-performance Web anti-virus (AV) solution. For more information, refer to the Blue Coat Web site.

This release is compatible with ProxyAV 2.2.1 and higher.

In this release, SGOS is certified with the following third-party implementation of ICAP:

  • Symantec AntiVirus Scan Engine (SAVSE) 4.3, version 4.3.0.15; ICAP 1.0.
  • Symantec AntiVirus Scan Engine (SAVSE) 4.0, version 4.04.46; ICAP 1.0.
  • WebWasher 4.4, build 552; ICAP 1.0.
  • WebWasher 5.0.1, build 1120; ICAP 1.0.
  • Finjan Vital Security 7.0, Service Pack 3a; build 573; ICAP 1.0.

Dynamic Categorization Languages

The Dynamic Categorization (DRTR) sub-feature of the Blue Coat Web Filter supports the following languages:

  • DRTR-recognized languages--DRTR recognizes 39 languages, but does not categorize in all those languages. The recognized languages are: Arabic, Bulgarian, Catalan, Chinese, Croatian, Czech, Danish, Dutch, English, Estonian, Farsi, Finnish, French, German, Greek, Hebrew, Hungarian, Icelandic, Indonesian, Italian, Japanese, Korean, Latvian, Lithuanian, Maori, Norwegian, Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swahili, Swedish, Thai, Turkish, Vietnamese.
  • DRTR-categorized languages--DRTR automatically categorizes Web pages in seven languages: English, Spanish, German, French, Italian, Portuguese and Japanese.

Instant Messaging

Instant Messaging proxy support is limited to the following English-language messaging clients and versions:

  • AOL: v5.1 to 5.9.
  • MSN: v4.6, 5.x, 6.0, 6.1, 6.2, 7.0, and 7.5.
  • Yahoo: v5.5, 5.6, 6.0, and 7.0.

Streaming

Streaming media support is limited to the following media players and servers:

  • The ProxySG supports the following versions and formats:
    • Windows Media Player 6.4, 7, 8, and 9.
    • Windows Media Server 4.1.
    • Windows Media Server 9 and 10.
  • The ProxySG supports the following Real Media Players and Servers:
    • RealOne Player, version 2.
    • RealPlayer 8 and 10.
    • RealServer 8 through 10.
    • Helix Universal Server.
  • The ProxySG supports the following versions and servers, but in pass-through mode only:
    • QuickTime Players v7.x, 6.x, and 5.x.
    • Darwin Streaming Server 4.1.x and 3.x.
    • Helix Universal Server.

Upgrade Information

Downloading Images

A ProxySG appliance H/W Serial Number is required to download the SGOS 4.1.x software. For more information on downloading the software, go to the SGOS 4 Software Download Page.

To purchase an upgrade or renew a support contract, contact your local reseller or Blue Coat Sales (at sales@bluecoat.com).

Supported Upgrade Path

The ProxySG must be running SGOS 3.2.4 or higher before upgrading to SGOS 4.1.x.

    IMPORTANT: If you attempt to upgrade from an SGOS version earlier than v3.2.4, policy will fail and configurations will be lost. This includes a loss of services, which renders the ProxySG inaccessible except by serial console.

Refer to the table below for the upgrade path.

Current OS (range)           Direct SGOS 4.1.x Upgrade Allowed?   Next OS
SGOS 2.1.x, where x < 07     No                                   SGOS 2.1.07 or higher
SGOS 2.1.x, where x >= 07    No                                   SGOS 3.2.4
SGOS 3.1.x                   No                                   SGOS 3.2.4
SGOS 3.2.x, where x <= 3     No                                   SGOS 3.2.4
SGOS 3.2.4 or higher         Yes                                  SGOS 4.1.x

For example: if you are running SGOS 2.1.06, upgrade to SGOS 2.1.07, then to SGOS 3.2.4, then to SGOS 4.1.x.
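
The upgrade path rules above expressed as a pre-flight check, as an added example (not Blue Coat code): it returns the ordered list of releases to install from a given starting version and refuses versions the table does not cover. The function names are hypothetical.

```python
import re

TARGET = "4.1.x"  # final release named in the upgrade table


def parse_version(text):
    """Turn 'SGOS 2.1.06' or '3.2.4.8' into a tuple of ints, e.g. (2, 1, 6)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def next_release(version):
    """Return the table's 'Next OS' for a version, or None if already on 4.1 or later."""
    if version[:2] >= (4, 1):
        return None
    if version >= (3, 2, 4):          # "SGOS 3.2.4 or higher": direct upgrade
        return TARGET
    train = version[:2]
    patch = version[2] if len(version) > 2 else 0
    if train == (2, 1):               # 2.1.x rows: x < 07 versus x >= 07
        return "2.1.07" if patch < 7 else "3.2.4"
    if train in ((3, 1), (3, 2)):     # 3.1.x, and 3.2.x where x <= 3
        return "3.2.4"
    shown = ".".join(str(part) for part in version)
    raise ValueError(f"SGOS {shown} is not covered by the upgrade table")


def plan_upgrade(current):
    """List every release to install, in order, to reach SGOS 4.1.x."""
    version = parse_version(current)
    steps = []
    while True:
        nxt = next_release(version)
        if nxt is None:
            return steps
        steps.append("SGOS " + nxt)
        if nxt == TARGET:
            return steps
        version = parse_version(nxt)  # continue from the intermediate release


if __name__ == "__main__":
    for start in ("SGOS 2.1.06", "SGOS 3.1.2", "SGOS 3.2.4.8"):
        print(start, "->", " -> ".join(plan_upgrade(start)))
```

A plan with more than one step means a direct install of SGOS 4.1.x is not allowed from that version.
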

Before upgrading, review the Blue Coat SGOS 4.x Upgrade Guide, accessible through WebPower account access here.

Note: Internet Explorer is the only supported browser when accessing WebPower. Firefox and Netscape 8.0 are not supported.

Upgrading Licenses

You can upgrade to the SGOS 4.1.x license while running SGOS 3.2.4.8 or after installing or upgrading to SGOS 4.1.1. Using the Management Console to retrieve or update a SGOS 3.x to SGOS 4.x license automatically triggers the Blue Coat license server.

    Note: The upgraded SGOS 4.1.x license key file includes an SGOS 3.x license, which allows for transparent upgrading and downgrading between the two OS versions.

License Upgrading Procedure

    1. In the Management Console, select Maintenance>Licensing>Install>License Key Automatic Installation field.

    2. Do one of the following:

    • If you previously used the Management Console to retrieve an SGOS license, and the Update button is enabled, click Update. The Blue Coat license server receives the request, automatically upgrades the SGOS 3.x license to an SGOS 4.1.x license, and returns the new license to the appliance. To verify the SGOS 4.1.x license has been loaded, click the View tab and look for SGOS 4.1.x components.
    • If you have not previously used the Management Console to retrieve an SGOS license, and you have a valid WebPower account login (the same WebPower credentials that the appliance is registered to), click Retrieve. A Request License Key dialog appears. Enter your WebPower credentials and click Send Request. The Blue Coat license server receives the request, automatically upgrades the SGOS 3.x license to an SGOS 4.1.x license, and returns the new license to the appliance. To verify the SGOS 4.1.x license has been loaded, click the View tab and look for SGOS 4.1.x components.

Alternate Methods

  • If you cannot directly access the Internet, contact Blue Coat Support Services for assistance. You will be asked to provide the hardware serial numbers of the appliances to be upgraded and account details, such as contact name, e-mail address, and WebPower account name.
  • If you do not have a WebPower account or if you have lost the password, contact Blue Coat Support Services.

Blue Coat Web Filter Database Updates

Blue Coat changed the URL for access to Blue Coat Web Filter (BCWF) database updates to list.bluecoat.com/bcwf/activity/download/bcwf.db. (The old URL was bluecoat.downloads.cerberian.com/dbupdates/bluecoat.db.)

You can use the Management Console or the CLI to enter the correct URL.

If using the Management Console, go to Configuration>Content Filtering>Blue Coat. Then click the Set to default button.

If using the CLI, enter the following commands from the (config) prompt:
      SGOS#(config) content-filter
      SGOS#(config content-filter) bluecoat
      SGOS#(config bluecoat) download url default

To view the results:

      SGOS#(config bluecoat) view

Upgrading the Agent

If you use NTLM, you should use the latest release of the Blue Coat Authentication and Authorization Agent (BCAAA) service. While the SGOS 4.1.x BCAAA services are all compatible, the latest BCAAA service includes the most recent bug fixes.

BCAAA is distributed as a zip file or UNIX shell script, to be installed on a Microsoft® Windows® system or a Solaris™ system. The URLs to download BCAAA are posted, along with the SGOS 4.1.x software images, on the SGOS 4 Software Download Page.

Installation instructions for BCAAA are in Appendix A: "Using the Authentication/Authorization Agent" of the Blue Coat ProxySG Configuration and Management Guide that is accessible through WebPower account access here.

Note: Internet Explorer is the only supported browser when accessing WebPower.

Limitations and FAQs

A set of limitations is maintained by Blue Coat Systems and updated with each dot release at Limitations

For a document that contains FAQs and answers to post-release common issues, visit this link.

Documentation

The following sections regard ProxySG documentation.

Complete Documentation Suite

These manuals are available in Adobe® Acrobat® PDF format located through WebPower access here.

Note: Internet Explorer is the only supported browser when accessing WebPower.

  • Blue Coat ProxySG Release Notes, v 4.1.x (this document)
  • Blue Coat ProxySG Configuration and Management Guide
  • Blue Coat ProxySG Command Line Interface Reference
  • Blue Coat ProxySG Content Policy Language Guide
  • Blue Coat SGOS 4.x Upgrade Guide

In addition to the above documents, the ProxySG Management Console contains online help in the form of a built-in HTML version of the Blue Coat ProxySG Configuration and Management Guide that is linked to Help buttons. However, this online help is not updated for this release. Blue Coat recommends that you visit the Blue Coat Web site for the most current documentation.

Support

Direct support questions regarding this release to Blue Coat Technical Support. For more information, visit http://www.bluecoat.com/support/contact.html