Unified Agent Access Method


Version 6.8.5/Doc Revision: 04/21/16

2 Blue Coat Web Security Service/Page 2

Copyrights

© 2016 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners.

This document is for informational purposes only. BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas: Blue Coat Systems, Inc. 384 Santa Trinita Avenue Sunnyvale, CA

Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland


Blue Coat Web Security Service: Unified Agent Guide

The Blue Coat Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, the Web Security Service leverages Blue Coat's proven security technology as well as the WebPulse cloud community of over 75 million users. With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roaming users.

To provide security to employees who take corporate clients beyond the corporate network, such as laptops on business trips, Blue Coat provides the Unified Agent that routes web requests through the Web Security Service.

This brief provides remote client conceptual information and installation tasks. The document breaks out information into phases.

- "Learn..." on page 9
- "Configure..." on page 21
- "Troubleshoot..." on page 63

This document contains topics collected from the Web Security Service online documentation. For the complete doc set, see:

Table Of Contents

Copyrights 3
Blue Coat Web Security Service: Unified Agent Guide 5
Table Of Contents 5
Learn... 9
About Remote User Protection 10
Additional Security with the Unified Agent 10
High-Level Example 10
Example Data Flow 11
Dynamic User Location Example 12
About Bypassed Non-Routable IP Addresses 12
About Proxy Avoidance Attempts 13
About Password Protection 13
Challenge-based Authentication (Captive Portal) 13
About Time Zones 13

Why Select This Method? 13
About Challenge-based Auth (Captive Portal) 14
A On-Premise WiFi (Captive Portal Over IPsec) 15
B Explicit Proxy 15
C Remote Users (Unified Agent) 16
D Quick Authentication Demonstration (Roaming Captive Portal) 16
Additional Information 16
About Challenges 16
Enable Captive Portal? 17
Reference: Required Locations, Ports, and Protocols 18
Access Methods 18
Additional Trans-Proxy Information 18
Authentication 19
Supported Client Operating Systems 20
Unified Agent 20
Legacy Client Connector 20
Configure Plan 21
Install 21
Configure Service 21
Plan the Remote User Access Method 22
Select Remote Client Access Method 23
Windows 7, 8, Windows XP 23
Apple OS X 9.x/10.x 23
Windows: Unified Agent Single Client Installation 25
Next Selection 27
Windows: Unified Agent GPO Distribution 28
Next Selection 30
Windows: Client Connector Single Client Installation 31
Next Selection 35
Mac OS X: Unified Agent JAMF Distribution 36
Next Selection 38

Mac OS X: Unified Agent Single Client Installation 40
Next Selection 42
Set Unified Agent Network/Security Options 43
Prevent IP/Subnet From Routing to the Web Security Service 46
Notes 46
Manually Add IP Addresses 46
Import IP Address Entries From a Saved List 47
Prevent a Domain From Routing to the Web Security Service 48
Notes 48
Manually Add Domain Entries 48
Import Domain Entries From a Saved List 49
Block Web Access When Service is Unavailable to Remote Users 50
Prevent Automatic Updates to Remote Clients 51
Route Remote Connections Through an HTTP Proxy 52
Next Step 53
Forward a Specific Port from Remote Clients 54
Require Authentication Challenges 55
Verify Service Connectivity to Locations 56
Mac 57
Uninstall the Unified Agent 59
Available Options 59
Unified Agent With Uninstall Token 59
Information 59
Procedure 59
Windows 60
OS X 61
No Token Defined/Client Connector 61
Windows 62
OS X 62
CLI 62
Reference MSI Versions 62
MSI Version Mis-Match (Unknown MSI) 62
Troubleshoot... 63

Unified Agent Drops Connections 64
Manage Web Security Service Client Connections 65
Manually Disable the Unified Agent 66
Activate the Disable Option 66
Instruct Employees How to Disable the Unified Agent 66
Windows 66
OS X 66
Reference: Remote Client Application Package Versions 67
Captive Portal Diagnostic Messages 68
Review System Events Generated by Remote Clients 69
Capture Remote Client Trace Log 70

Learn...

This section describes the purpose of the Unified Agent application, which provides security to users who use corporate clients, such as laptops, outside of the corporate network.

- "About Remote User Protection" on page 10
- "About Challenge-based Auth (Captive Portal)" on page 14
- "Reference: Required Locations, Ports, and Protocols" on page 18
- "Supported Client Operating Systems" on page 20

About Remote User Protection

The Blue Coat Unified Agent (Client Connector for older OSes) provides Web security to remote users when a route through the Corporate network is not possible or practical. Remote users are defined as:

- Users with laptops that are taken outside of the corporate network.
- Users in micro-branch offices where it is not practical to deploy a corporate firewall or proxy.
- Users in micro-branch offices where the firewall does not support IPsec or in the case where the firewall is controlled by another entity such as an Internet service provider.

When installed on client systems, the Unified Agent works as part of the client system's configuration; after the application is installed, no further configuration is required on the client system. It directs content requests to the Blue Coat Web Security Service (ThreatPulse) over a secure connection (port 443).

To prevent proxy avoidance, the Unified Agent detects and drops HTTP_CONNECT method requests to any external, non-Web Security Service IP address. Because such connections are dropped, the user is unable to circumvent filtering and malware scanning.

Additional Security with the Unified Agent

The Unified Agent provides additional security features.

- The Unified Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.
- You can hide the Proxy Setting tab in the application. Employees cannot attempt proxy avoidance by routing traffic through another egress device.
- You can give employees the ability to temporarily disable the Unified Agent should they be experiencing connection issues.

High-Level Example

The following diagram illustrates how the Web Security Service Unified Agent facilitates web requests.

Example Data Flow

1. A salesperson on a business trip in India initiates a web request for a website.
2. The Unified Agent initiates a connection to the Web Security Service because it detects web-bound traffic on a port it is capturing. DNS performs a lookup on client.threatpulse.net to obtain the IP address of the nearest geographical Blue Coat Web Security Service data center. In this example, it is Mumbai. The connection to the Data Pod occurs over port If this is the initial connection, the client receives additional configuration.
3. The client establishes a tunnel to the service for each logged-in user, which serves content from the destination website.
4. In addition, the client establishes a default tunnel that is used for system-level requests, such as Windows update or other requests initiated by a system-owned process. The Web Security Service provides the policy rule enforcement.
5. Requests for internally-hosted resources do not transport through the Web Security Service. Furthermore, the Unified Agent cannot compete with other installed VPNs, such as Cisco AnyConnect. You must configure other VPN applications to Split Tunnel so that Internet-hosted destinations route through the Web Security Service.

Dynamic User Location Example

If the user logs in while on a protected network (for example, a corporate location), the client agent goes into passive mode. That is, the use policies are enforced by the on-site web service. The following diagram illustrates the various access points from remote users to the Web Security Service.

A. An employee logs in and is detected by the on-premise network. Because a gateway ProxySG appliance provides the security and web access policies, the Unified Agent enters into Passive Mode; that is, it does not intercept any traffic.

B. The same employee travels to a hotel near a client and logs into the hotel's WiFi service. The Unified Agent now engages and connects to the nearest Blue Coat Web Security Service datacenter, which provides the web access policies.

This allows you to write different policies for corporate locations versus remote locations; or you can implement common policy autosynchronization.

About Bypassed Non-Routable IP Addresses

By default, the Web Security Service bypasses the following RFC 1918 addresses / / / /16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service; the client connects directly.

About Proxy Avoidance Attempts

To prevent proxy avoidance, the Unified Agent detects proxy HTTP requests in outbound streams for ports other than those configured to be forwarded to the service (typically 80 and 443). Such connections are dropped and the user is unable to circumvent filtering and malware scanning.

Furthermore, the Unified Agent does not interpret proxy autoconfiguration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the Unified Agent detects it and uses this connection to forward web traffic (on ports 80, 443, and by default). If the Unified Agent cannot connect with the PAC settings, it attempts a direct connection to the Web Security Service IP address.

You can allow additional ports. Also, Blue Coat recommends adding internal subnets to the IP Bypass List so that internal traffic is not sent to the Web Security Service.

About Password Protection

You can configure an uninstallation token in the portal. Users cannot uninstall the remote client application from their systems without the token. (For Client Connector, this involves using a CLI command during setup.)

Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access. For more information, see "About Challenge-based Auth (Captive Portal)" on page 14.

MAC CLIENT NOTE: You can install Unified Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client. The domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which allows users and groups to be available for policy checks.

About Time Zones

When a user's system connects to the Web Security Service from the Unified Agent, the time zone is the recognized system time of their machine.

Why Select This Method?

- Always active. The user does not have to log in to the agent.
- Works in the background and is transparent to users.
- Captures the user and system names for reporting.
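The routing rules in About Bypassed Non-Routable IP Addresses and About Proxy Avoidance Attempts, written as a decision function. This is an added example, not Blue Coat code and not a description of how the Unified Agent is implemented; the function names, the result labels, the use of the three RFC 1918 blocks as the default bypass list, and all sample addresses are assumptions.

```python
import ipaddress
import re

# Assumption: the default bypass list is modelled as the three private
# address blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports forwarded to the service ("typically 80 and 443" in the guide).
FORWARDED_PORTS = frozenset({80, 443})

# A request line in proxy form: CONNECT host:port, or any method followed by
# an absolute http(s) URI. Origin-form requests ("GET /path") do not match.
PROXY_REQUEST_LINE = re.compile(
    rb"^(?:CONNECT [^\s/]+:\d{1,5}|[A-Z]{3,10} https?://\S+) HTTP/1\.[01]\r?\n")


def looks_like_proxy_request(first_bytes):
    """True when the first bytes of a stream are a proxy-form HTTP request."""
    return PROXY_REQUEST_LINE.match(first_bytes) is not None


def decide(dest_ip, dest_port, first_bytes=b"", extra_bypass=(),
           service_ips=(), forwarded_ports=FORWARDED_PORTS):
    """Classify one outbound connection.

    bypass  - destination is on the bypass list; the client connects directly
    forward - web-bound port; traffic is tunnelled to the service
    drop    - proxy-form HTTP request to an external, non-service address
              on a port that is not forwarded
    direct  - any other traffic; left alone
    """
    ip = ipaddress.ip_address(dest_ip)
    # extra_bypass models internal subnets added to the IP Bypass List.
    bypass = RFC1918 + [ipaddress.ip_network(n) for n in extra_bypass]
    if any(ip in net for net in bypass):
        return "bypass"
    if dest_port in forwarded_ports:
        return "forward"
    is_service = ip in {ipaddress.ip_address(s) for s in service_ips}
    if looks_like_proxy_request(first_bytes) and not is_service:
        return "drop"
    return "direct"


CONNECT = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"

# Constructed sample connections: (destination IP, port, first bytes sent).
SAMPLES = [
    ("192.168.10.5", 3128, CONNECT),                   # internal proxy
    ("203.0.113.10", 443, b""),                        # ordinary HTTPS
    ("203.0.113.10", 3128, CONNECT),                   # external proxy, CONNECT
    ("203.0.113.10", 3128,
     b"GET http://example.com/ HTTP/1.1\r\n"),         # external proxy, GET
    ("203.0.113.10", 8081, b"GET /index.html HTTP/1.1\r\n"),  # origin-form
    ("203.0.113.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),  # not HTTP at all
]


def classify_samples():
    return [decide(ip, port, data) for ip, port, data in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, classify_samples()):
        print(f"{sample[0]}:{sample[1]:<5} -> {verdict}")
```
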

About Challenge-based Auth (Captive Portal)

By definition, challenge-based authentication displays a credential dialog to users each time they open a web browser. Users must enter their corporate network username and password into the dialog and click Accept before performing web content requests. In this context, this feature is also commonly referred to as Captive Portal. The Blue Coat Web Security Service provides the Captive Portal as an alternative method to check user credentials rather than the method provided natively by the Unified Agent application that is installed on remote systems.

The Web Security Service provides the Captive Portal for the following deployment methods:

- As an alternative method to check user credentials rather than the method provided by the Unified Agent application that is installed on remote systems.
- Allows an authentication method for BYOD employees who access the network from their personal devices. This option also provides user credential checks for Explicit Proxy (PAC file) deployments.
- Required for SAML Authentication integration (Firewall/VPN and Explicit Proxy Access Methods).
- Quickly configure a browser or device for authentication demonstration.

The following diagram illustrates the various Captive Portal solutions based on employee-to-network connection method. All Captive Portal deployments require the Auth Connector application that integrates with your Active Directory to verify user credentials.

A On-Premise WiFi (Captive Portal Over IPsec)

With the proliferation of bring your own devices (BYOD), companies must find a way to accommodate employees who use their personal phones and tablets for both work and personal use. One method is to maintain a separate WiFi for BYOD use. The WiFi network might be seen by the Web Security Service as its own location or as one or more subnets. With Captive Portal enabled, users must enter their network credentials. Credentials are cached for one day; however, a timeout occurs after one hour of inactivity. Closing and re-opening a browser window within that time does not trigger a new authentication challenge.

DEPLOYMENT NOTE: After a user authenticates from an IP address, all further requests from that IP address are treated as from that user. If the client is behind a NAT or on a multi-user system, the first user's credentials will be used. For example, Employee A requests web content and the Web Security Service successfully authenticates him. Employee B then connects, but she is not sent an authentication challenge. She is seen as Employee A and thus receives all policy designated for Employee A.

B Explicit Proxy

By default, the Explicit Proxy access method neither provides authentication nor sends user and group information to the Web Security Service for use in reports or custom policy. To make username/group information available, you must enable the Captive Portal option for each location configured in the Web Security Service.

C Remote Users (Unified Agent)

Without Captive Portal enabled, remote users log into the corporate network using their cached credentials. With Captive Portal enabled, the challenge dialog initiates from the client system, which ensures that the correct person logging in is recorded. This allows the system to be accessed by multiple users. Furthermore, the benefit for network administrators is that you have more control of your network access. If a laptop becomes lost or you need to deny a remote employee access, change their status in the Active Directory and that user's access credentials are now denied.

D Quick Authentication Demonstration (Roaming Captive Portal)

Roaming Captive Portal allows you to quickly connect a non-enrolled device (mobile device or laptop) to the Web Security Service and receive an authentication challenge. For browsers, this allows the enforcement of employee credentials to access web content. For mobile devices, this allows for quick demonstrations of authentication and policy. These browsers/devices are configured to explicitly proxy to the Web Security Service and a user's corporate addresses are used to validate access.

Additional Information

- Client systems must have third-party cookies enabled.
- Client systems must have the Blue Coat Web Security Service SSL Root Certificate on their browsers. This is described in the configuration topics.
- If your enterprise comprises multiple domains, users must enter the full domain name rather than just their login name. For example, they must enter alan.user@company.com, not just alan.user.
- If the Auth Connector becomes unavailable, the user receives the following error message: Authentication server error, connecting as unauthenticated user (also, the Web Security Service adds the event to the diagnostic log). The behavior defaults to what happens when Captive Portal is not enabled. That is, the users' access credentials create a tunnel. For diagnostic analysis, this Advanced dialog entry is unauthenticated (user_name). For other diagnostic entries, see "Captive Portal Diagnostic Messages" on page 68.
- Verify that each user to be authenticated has their address attribute populated in the AD (User Properties dialog > General > ). For example, EXAMPLECORP\alan.user has an attribute of alan.user@examplecorp.com. If you are employing Exchange, default policies automatically create this attribute. If you are not employing Exchange and have a large number of users with undefined attributes in the AD, search online for resources about how to use a script to populate.

About Challenges

When Captive Portal is enabled:

- Challenges are based on each browser session. For example, users are challenged when they open Firefox and then can browse (including new tabs). If they then open an Internet Explorer browser, they must enter their credentials in that browser to continue.
- Entered passwords, represented as auth tokens, are retained in a credential cache on the device in the data center that is processing authentication for that client. They are not stored permanently in the cloud. The credentials are valid for 24 hours for Captive Portal and 60 minutes for Roaming Captive Portal.
- The following conditions prompt employees to re-enter their credentials.
  - When the user attempts to reconnect to the web after those respective time thresholds.
  - If the user is inactive on the web for 60 minutes.
  - Other network activity, such as that employee's data getting moved from one data pod to another.
- The Auth Connector abides by the lockout settings in the AD. For example, the AD is configured to allow three attempts to log in. If the third attempt fails, the user is locked out for 30 minutes before they can attempt again.

If a lockout configuration exists and the user triggers it or if the user attempts to use an expired password:

- All web-bound transactions intended for the Web Security Service are dropped; all other traffic continues normally.
- If the fault is an Auth Connector problem, the user connects to the Web Security Service as an unauthenticated user.

If you render an employee disabled, the Web Security Service requires 15 minutes to complete the transaction; the employee is still able to browse during that time period.

Enable Captive Portal?

To edit an existing location and enable Captive Portal, in Service mode select Network > Locations. Select a Location and click Edit.
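The credential caching rules above (the DEPLOYMENT NOTE under A On-Premise WiFi and the lifetimes under About Challenges) can be replayed against a request timeline to see when a challenge is issued and when activity is attributed to the wrong user. This is an added example, not Blue Coat code; it assumes a cache keyed only by source IP address, that every challenged user authenticates successfully, and constructed names, addresses and timestamps.

```python
from dataclasses import dataclass

HOUR = 3600  # seconds

# Credential lifetimes stated in the guide.
CREDENTIAL_LIFETIME = {
    "captive_portal": 24 * HOUR,
    "roaming_captive_portal": 1 * HOUR,
}
# Re-challenge after this much inactivity.
INACTIVITY_TIMEOUT = 1 * HOUR


@dataclass
class CachedLogin:
    user: str
    authenticated_at: int
    last_seen: int


class SurrogateCache:
    """Credential cache keyed by source IP (assumption, per the DEPLOYMENT NOTE)."""

    def __init__(self, mode="captive_portal"):
        self.lifetime = CREDENTIAL_LIFETIME[mode]
        self.logins = {}

    def lookup(self, source_ip, now):
        """Return the cached user for this IP, or None if a challenge is due."""
        login = self.logins.get(source_ip)
        if login is None:
            return None
        expired = now - login.authenticated_at >= self.lifetime
        idle = now - login.last_seen >= INACTIVITY_TIMEOUT
        if expired or idle:
            del self.logins[source_ip]
            return None
        login.last_seen = now
        return login.user

    def record_login(self, source_ip, user, now):
        self.logins[source_ip] = CachedLogin(user, now, now)


def replay(requests, mode="captive_portal"):
    """Replay (time, source_ip, actual_user) tuples through the cache.

    Returns (time, actual_user, attributed_user, challenged) per request.
    """
    cache = SurrogateCache(mode)
    results = []
    for now, source_ip, actual_user in requests:
        attributed = cache.lookup(source_ip, now)
        challenged = attributed is None
        if challenged:
            # Assumption: the challenged user enters valid credentials.
            cache.record_login(source_ip, actual_user, now)
            attributed = actual_user
        results.append((now, actual_user, attributed, challenged))
    return results


def misattributed(results):
    """Requests whose policy and reporting were applied to a different user."""
    return [r for r in results if r[1] != r[2]]


# Constructed timeline: two employees share one NAT address.
NAT_IP = "203.0.113.7"
REQUESTS = [
    (0, NAT_IP, "employee_a"),     # first request from the IP: challenged
    (600, NAT_IP, "employee_b"),   # no challenge; seen as employee_a
    (4300, NAT_IP, "employee_b"),  # more than an hour idle: challenged again
    (4400, NAT_IP, "employee_a"),  # no challenge; now seen as employee_b
]

if __name__ == "__main__":
    for row in replay(REQUESTS):
        print(row)
```
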

Reference: Required Locations, Ports, and Protocols

Depending on your configured Blue Coat Web Security Service Access Methods, some ports, protocols, and locations must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.

Access Methods

Access Method Port(s) Protocol Resolves To Web Security Service IP addresses Firewall/VPN (IPsec) 80/443 UDP 500 (ISAKMP) Proxy Forwarding 8080/ * IPsec/ESP HTTP/HTTPS Port 8080 to proxy.threatpulse.net Port 8443 to proxy.threatpulse.net Port 8084 to proxy.threatpulse.net* Explicit Proxy 8080 To proxy.threatpulse.net Trans-Proxy 80 (VPN Tunnel) ep.threatpulse.net resolves to the following pseudo address.* Unified Agent/Client Connector (* See more information after this table) 443 SSL Port 443 to client.threatpulse.net Port 443 to proxy.threatpulse.net MDM (registered iOS and Android devices) Roaming Captive Portal 8880 UDP 500 (ISAKMP) UDP 4500 (NAT-T) IPSec/ESP *If this forwarding host is configured for local SSL interception. Port 443 to portal.threatpulse.net ( )

Additional Trans-Proxy Information

A second pseudo-address, , is available for redundancy. However, Blue Coat strongly recommends using only the address in the above table. Using both Virtual IPs might cause one of them to stop responding and intermittent outages or other unexpected results. If redundancy is imperative, Blue Coat Technical Support might be able to provide guidelines, but the solution is not guaranteed.

Authentication

Auth Method, Port(s), Protocol, Resolves To

Auth Connector: 443; SSL; to auth.threatpulse.net: portal.threatpulse.net:
Auth Connector to Active Directory: 139,445 TCP; 389 LDAP; 3268 ADSI LDAP; 135 Location Services; 88 Kerberos
SAML: 8443; Explicit and IPSec

Additional Required Information: Reference: Authentication IP Addresses.

Supported Client Operating Systems

If you plan to install the Unified Agent (or Client Connector) application onto employee systems to support remote access to the Blue Coat Web Security Service, those client systems must be one of the following operating systems:

Unified Agent

- Windows 7.x bit (Pro and Enterprise)
- Windows 8.x bit (Pro and Enterprise)
- Windows 10.x
- Apple OS X (Mavericks (version 10.9.x))
- Apple OS X (Yosemite (version x))

Legacy Client Connector

- Windows XP SP3 32 Bit

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Configure...

To connect remote users to the Blue Coat Web Security Service, you must download the Unified Agent application and install it on client systems, then configure various options on the service.

Plan

- "Plan the Remote User Access Method" on the next page

Install

- "Select Remote Client Access Method" on page 23
- "Route Remote Connections Through an HTTP Proxy" on page 52
- "Set Unified Agent Network/Security Options" on page 43

Configure Service

- "Prevent IP/Subnet From Routing to the Web Security Service" on page 46
- "Prevent a Domain From Routing to the Web Security Service" on page 48
- "Block Web Access When Service is Unavailable to Remote Users" on page 50
- "Prevent Automatic Updates to Remote Clients" on page 51
- "Route Remote Connections Through an HTTP Proxy" on page 52
- "Forward a Specific Port from Remote Clients" on page 54
- "Require Authentication Challenges" on page 55
- "Verify Service Connectivity to Locations" on page 56

Plan the Remote User Access Method

Complete the forms in the following sheet (one per location).

Information, Comments, Values

Remote Client OS
Windows
Entrust Root CA 2048 Installed?
Network Information
Applies to Windows clients. Required for Internet connection.
Proxy server locations:
To where is the application downloaded (network/folder location)?
[ ] Unified Agent
[ ] Windows bit (excluding Home editions)
[ ] Windows bit (Pro and Enterprise)
[ ] Windows 10
[ ] Client Connector
[ ] Windows XP SP3
Apple OS X
[ ] Unified Agent
[ ] Mavericks (version 10.9.x)
[ ] Yosemite (version x)
Consult the following Knowledge Base article. Entrust KB Article
VPN Client Tunnel
Corporate Web Use Policy
Captive Portal
List trusted sources:
List trusted destinations:
List blocked categories/types:
Enable challenge-based auth?
[ ] Yes
[ ] Split tunnel (cannot be full tunnel)
[ ] No

Select Remote Client Access Method

To provide Blue Coat Web Security Service to remote users, you must download the Unified Agent and install it on client systems.

Windows 7, 8, 10

Select a Unified Agent installation method.

- Manual
- Group Policy Object (GPO)

Windows XP

Windows XP (SP3, 32 Bit) clients must run the legacy Client Connector application.

- Manual
- Group Policy Object (GPO): KB Article

Apple OS X 9.x/10.x

Select a Unified Agent installation method.

- Manual
- JAMF

Windows: Unified Agent Single Client Installation

To provide Blue Coat Web Security Service to remote users on Windows 7.x, 8.x, or 10.x clients, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10. For Windows XP, see "Windows: Client Connector Single Client Installation" on page 31.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1: HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

A scenario might require this client or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to Proxy Settings in agent option, which allows the Proxy tab to be visible after installation. For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

If you elect to hide the Proxy tab, but later decide you want the Unified Agent to display it, return to this page and enable it. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2: Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Blue Coat Knowledge Base article:

Step 3: Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.
2. In the Installers area, click the 32-bit or 64-bit buttons in the Windows 7.x, 8.x and 10.x Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version went live, the service displays the Profile dialog. As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required. Click Save to update your profile and then close the dialog.
4. Download the installation file.

Step 4: Install the Unified Agent on a Client System.

1. Launch the installer.
   a. In Windows, navigate to the directory where you saved the UnifiedAgentInstaller[32 64]-version_number.msi file. Blue Coat strongly recommends that you record this full MSI name; it might be required for future uninstallation tasks.
   b. Double-click the file, which launches the installer.
2. Follow the prompts in the wizard. Select a directory for installation. Click Next.
3. Click Install. The installation begins.
4. Click Finish to complete the installation.
5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Step 5: Verify the Client Installation.

When the system reboots, it connects to the Web Security Service and begins intercepting web-bound traffic.

1. In the Windows system tray, locate the Unified Agent icon and double-click it. Windows displays a dialog with the Status tab.
2. Verify that the connection to the Web Security Service is active. (If the system detects a defined location, the agent displays...in Passive Mode).
3. Use a browser on the client and attempt to access a site that belongs to a blocked category. The browser displays an exception (blocked content) page.

Next Selection

If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52. If not, proceed to "Set Unified Agent Network/Security Options" on page 43.

Windows: Unified Agent GPO Distribution

To provide Blue Coat Web Security Service to remote users on Windows 7.x or 8.x clients, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10.

This section describes how to use Group Policy Object (GPO) to distribute the Unified Agent to multiple Windows 7.x or 8.x clients. This method does not support using a command line to add optional parameters.

Server Prerequisites

This method requires the following.

- A Windows 2008 or 2012 domain controller.
- A DNS server.
- The Active Directory (AD) and DNS must be functional; this includes the DNS lookups of the AD domain controller.
- Verify the client system can resolve the name of the AD server that contains the client library.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1: HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

A scenario might require this client or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to Proxy Settings in agent option, which allows the Proxy tab to be visible after installation. For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2: Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Blue Coat Knowledge Base article:

Step 3: Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.
2. In the Installers area, click the 32-bit or 64-bit buttons in the Windows 7+ Unified Agent section.
3. If this is the first time you are attempting to download the application after the Web Security Service version went live, the service displays the Profile dialog. As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required. Click Save to update your profile and then close the dialog.
4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory and files have Read and Execute file system rights.

Step 4: Distribute the Unified Agent

1. On the domain controller, click Start and select Control Panel > Administrative Tools > Active Directory Users and Computers.

30 Blue Coat Web Security Service/Page Right-click the domain and select Properties. 3. On the Group Policy tab, click New. Name the policy, such as InstallCloudClientMSI. Highlight the new GPO object and click Edit. 4. Navigate to Computer Configuration > Software Settings > Software installation. a. Right-click Software Installation and select New > Package. Verify that you have a valid UNC path. Click My Network Places > Entire Network > Microsoft Windows Network > server_domain > server_name > client_binary_share_name > select_the_ binary. b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software Installation and click Refresh. 5. If the workstation properly joins the domain, the client installs on the second reboot (it reads policy on the first bootup) and executes policy. The workstation installs the client and reboots once more. 6. Test. Next Selection If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52. If not, proceed to "Set Unified Agent Network/Security Options" on page 43.

Windows: Client Connector Single Client Installation

To provide Blue Coat Web Security Service to remote users on Windows XP clients, you must download the legacy Client Connector and install it on client systems. See "About Remote User Protection" on page 10.

There are two Client Connector installation methods.
   The standard (default) installation provides the full web security service.
   With password protection. Users cannot uninstall the remote client application from their systems without a password, which you define and distribute as necessary. (Requires you to launch the installation wizard with a CLI command).

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1: Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Blue Coat Knowledge Base article:

Step 2: Download the Client Connector Installer.

If you downloaded the Client Connector during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.
2. In the Installers area, click the button in the Windows Vista/XP section.
3. If this is the first time you are attempting to download the application after the Web Security Service version went live, the service displays the Profile dialog. As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Client Connector. The fields with blue asterisks (*) are required. Click Save to update your profile and then close the dialog.
4. Download the installation file.

Step 4: Install the Client.

Perform one of the following tasks.

Standard Installation

1. Launch the wizard: In Windows, navigate to the directory where you saved the ClientInstaller32-version_number.msi file and double-click it to launch the installation wizard. The system displays the setup dialog.
2. Follow the prompts in the wizard. Select a directory for installation. Click Next.
3. Click Install. The installation begins.
4. Click Finish to complete the installation.
5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Option 1: With Password Protection

1. Launch the wizard: Open a command prompt (run as administrator), navigate to the directory that contains the installer and execute the following command, which is the installer name plus the option:

   ClientInstaller32-version_number.msi SUP=password

   Entering this command launches the installation wizard.
2. Follow the prompts in the wizard. Select a directory for installation. Click Next.
3. Click Install. The remote client application installation begins.
4. Click Finish to complete the installation.
5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Option 2: With Tamper Proofing (Hide the Proxy Settings tab).

1. Launch the wizard: Open a command prompt (run as administrator), navigate to the directory that contains the installer and execute the following command, which is the installer name plus the option:

   ClientInstaller32-version_number.msi HPUI=1

   Entering this command launches the installation wizard.
2. Follow the prompts in the wizard. Select a directory for installation. Click Next.
3. Click Install. The remote client application installation begins.
4. Click Finish to complete the installation.
5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Option 3: With Password Protection and Tamper Proofing (Hide the Proxy Settings tab).

1. Launch the wizard: Open a command prompt (run as administrator), navigate to the directory that contains the installer and execute the following command, which is the installer name plus the options:

   ClientInstaller32-version_number.msi SUP=password HPUI=1

   Entering this command launches the installation wizard.
2. Follow the prompts in the wizard. Select a directory for installation. Click Next.
3. Click Install. The Client Connector installation begins.
4. Click Finish to complete the installation.
5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Step 5: Verify the Client Installation.

1. In the Windows system tray, locate the Client Connector icon and double-click it. Windows displays a dialog with the Status tab.
2. Verify that the connection to the Web Security Service is active. (If the system detects a corporate WiFi connection, the agent displays...in Passive Mode).
3. Use a browser on the client and attempt to access a site that belongs to a blocked category.

Next Selection

If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.
If not, proceed to "Set Unified Agent Network/Security Options" on page 43.

Mac OS X: Unified Agent JAMF Distribution

To provide Blue Coat Web Security Service to remote users on Apple Mac OS X 9.x or later, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10.

JAMF provides a widely used software solution to distribute applications. This section describes how to distribute the Unified Agent to Mac/OS X clients. For general information about using JAMF policies and packages, see the user documentation for JAMF at

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1: HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

Some scenarios require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to Proxy Settings in agent option, which makes the Proxy tab visible after installation.

For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system. You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2: Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.
2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.
3. If this is the first time you are attempting to download the application after the Web Security Service version went live, the service displays the Profile dialog. As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required. Click Save to update your profile and then close the dialog.
4. Download the installation file.

Step 3: High-Level JAMF Procedure

1. Create the upgrade packages for Unified Agent installation. If you deploy both the on-box and cloud versions of the Unified Agent on your network, create two packages with different names.
2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.
3. Create a policy with the following settings.
   Category: Select the appropriate setting for your network.
   Triggers: Select the appropriate setting for your network.
   Execution Frequency: Once per device.
   Add the following script.

      sudo defaults write com.bluecoat.ua cmurl

   Priority: Before. This permits the CMURL to be set before installation.
   Scope: Add the devices to update. Each of the devices must be marked as Managed.
   Restart: Not needed.

The interface displays the new policy in the list.

What Occurs on Employee Clients?

After you use JAMF to push the update package, the following events occur on the employee OS X client.

1. The client displays a Management Notification dialog.
2. The employee follows the prompts to accept and install the Unified Agent application.

Employee Template (Optional)

To notify your impacted employees and provide them with instructions, consider using the following template. Copy contents in an ; edit as needed; send.

   [Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application called Unified Agent. Perform the following steps.
   1. When your Mac client receives the update, the client displays a Management Notification.
   2. To complete the installation, click through the prompts.
   3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application.
   If you have any questions or issues, contact IT.

Next Selection

If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.
If not, proceed to "Set Unified Agent Network/Security Options" on page 43.

Mac OS X: Unified Agent Single Client Installation

To provide Blue Coat Web Security Service to remote users on Apple Mac OS X 10.9.x or later, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1: HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

Some scenarios require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to Proxy Settings in agent option, which makes the Proxy tab visible after installation.

For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system. If you elect to hide the Proxy tab, but decide you want the Unified Agent to display it, return to this page and enable it. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2: Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 3: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.
2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.
3. If this is the first time you are attempting to download the application after the Web Security Service version went live, the service displays the Profile dialog. As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required. Click Save to update your profile and then close the dialog.
4. Download the installer.

Step 3: Install the Unified Agent on a Client System.

1. Launch the installer assistant.
   a. Navigate to the directory where you saved the installer. Double-click it to mount the disk image.
   b. Navigate in the Finder and select the Unified Agent.pkg file; double-click. The OS displays the Unified Agent installer.
2. Click Continue. The Unified Agent Installation wizard begins.
3. The installer displays a prompt for the administrator user name and password.
4. When the installation completes, click Close.

From the toolbar, select the Unified Agent icon and select Status. On the Advanced tab, verify that the agent is running (if you still require a proxy connection to the Internet, see below).

Next Selection

If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.
If not, proceed to "Set Unified Agent Network/Security Options" on page 43.

Set Unified Agent Network/Security Options

The Web Security Service provides several options that allow you to specify how the Unified Agent behaves on the client and how to route traffic.

In Service Mode, select Mobility > Unified Agent.

This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.

Step 1: Configure client-side options.

a. Determine the Fail Behavior, which is what happens to web requests if the Web Security Service is not available from remote locations. For more details, see "Block Web Access When Service is Unavailable to Remote Users" on page 50.
b. You have the option to Prompt users when a new Unified Agent version is available or prevent automatic updates and distribute from a central location at a time of your choosing. For more details, see "Prevent Automatic Updates to Remote Clients" on page 51.

Step 2: Define Unified Agent-specific options.

The following configurations apply only to the Unified Agent.

a. The option to allow employees to access the Proxy Settings tab on their Unified Agent applications is a decision made before installation. Return to "Select Remote Client Access Method" on page 23.
b. Allow agent to be disabled by user (only available for Unified Agent v4.4+). If you select Yes, your employees can (temporarily) disable the Unified Agent. For a business use case and more information, see "Manually Disable the Unified Agent" on page 66.
c. Available for Unified Agent v4.4+. See "Uninstall the Unified Agent" on page 59 for more details.

Step 3: Select what connection provides the username (v.4.6+ only).

By default, a Unified Agent process sends the User ID through the tunnel to the Web Security Service. This ensures an accurate account of who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products that also intercept these connections, which causes the Web Security Service to erroneously view the username as something similar to the following.

   NT AUTHORITY\SYSTEM

Examples of these products include anti-virus programs and applications that run browsers in a secure virtual container. This prevents user-based policy enforcement and reporting.

To be compatible with third-party interceptions that cause this issue, instruct the Unified Agent to send the logged-in username (applies to Unified Agent v4.6+). On the Mobility > Unified Agent page, select Logged in User ID from the Username Format drop-down list.

For a current list of known third-party applications that cause this issue, see NT AUTHORITY\SYSTEM Username Returned From the UA.

Step 4: Define Network Connections.

1. Change listening ports.
   If clients are configured to have ports other than the defaults (80, 443, and 8080) listen for web requests, add those ports to the Web Security Service. For more information, see "Forward a Specific Port from Remote Clients" on page 54.
2. Bypass IP addresses/subnets and domains.
   By default, the Web Security Service bypasses the following RFC 1918 addresses / / / /16
   If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service; the client connects directly.
   Personal choices or business requirements might require you to configure the Web Security Service to bypass additional IP addresses/subnets and Domains. For example, bypass test networks. Clicking the Network > Bypassed Sites link takes you to that screen, as this is a shared configuration with other Web Security Service features. For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 46.
   Client Connector only: the Web Security Service can only bypass the first 256 items in the list. If you require more, consider deploying the Unified Agent.
   Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See "Prevent a Domain From Routing to the Web Security Service" on page 48.

Step 5: (Optional) Enable challenge-based authentication (Captive Portal).

To enforce accurate user credentials rather than rely on locally cached credentials, select Enable Captive Portal for remote users (using Unified Agent). This option requires deployment of the Auth Connector application, which integrates with your Active Directory to provide username and group information. For more details about the network footprint, see "About Challenge-based Auth (Captive Portal)" on page 14.

Prevent IP/Subnet From Routing to the Web Security Service

Some source IP addresses or subnets do not require Blue Coat Web Security Service processing. For example, you want to exclude test networks. Configure the service to ignore these connections.

Notes

   The Web Security Service allows an unlimited number of bypassed IP addresses/subnets. The exception is Client Connector, which only bypasses the first 256 entries.
   The setting is global; that is, it applies to every location/client in your Web Security Service account.
   Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.

Manually Add IP Addresses

1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.
2. Click Add Bypass IP(s). The service displays a dialog.
   a. Enter an IP/Subnet.
   b. (Optional) Enter a Comment.
   c. (Optional) Click the + icon to add another row for another entry.
   d. Click Add Bypass IP(s).

The new entries display in the tab view. You can edit or delete any entry from here.

Import IP Address Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each entry in the file must be on its own line.

1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.
2. Click Add Bypass IP(s). The service displays the Add Bypass IP Address/Subnet dialog.
3. Click Add Bypass IP(s). The portal displays a dialog.
   a. Select Import From File.
   b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.
   c. Click Add Bypass IP(s).

All of the new entries display in the tab view. You can edit or delete any entry from here.

If you linked to this page from the Remote User Location solution page, return to Connect Remote Users.
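Because every bypassed entry is traffic the service never inspects, and the setting is global, it is worth auditing the text file before importing it. The following pre-import check is an added example, not part of the Blue Coat guide or product: the function name, finding labels and the /16 review threshold are assumptions, the RFC 1918 ranges are taken from the RFC itself, and the sample list is constructed from documentation address ranges.

```python
import ipaddress

# Per the guide: Client Connector bypasses only the first 256 entries.
CLIENT_CONNECTOR_LIMIT = 256
# Assumption: local review threshold for non-private IPv4 entries, not a service rule.
MIN_IPV4_PREFIX = 16
# RFC 1918 private ranges as defined in the RFC; the guide states that
# RFC 1918 destinations already bypass the service by default.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample list, one entry per line as the import requires.
SAMPLE_LIST = """\
203.0.113.0/24
198.51.100.7
10.20.0.0/16
203.0.113.128/25
192.0.2.10/24
0.0.0.0/0
198.51.100.0/24, 198.51.100.1
not-an-ip
"""


def audit_bypass_list(text, client_connector=False):
    """Return (entries, findings) for a bypass list.

    entries  -- parsed networks in file order
    findings -- (line_number, kind, raw_entry) tuples, where kind is one of:
        multiple   more than one entry on a line
        invalid    not an IP address or subnet
        host-bits  address has bits set below the prefix (e.g. 192.0.2.10/24)
        default    inside RFC 1918 space, already bypassed by default
        broad      non-private IPv4 prefix shorter than MIN_IPV4_PREFIX
        covered    already contained in an earlier entry
        over-limit beyond the first 256 entries (Client Connector only)
    """
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        if any(ch in entry for ch in ",; \t"):
            findings.append((lineno, "multiple", entry))
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            findings.append((lineno, "invalid", entry))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            findings.append((lineno, "host-bits", entry))
        if net.version == 4:
            if any(net.subnet_of(p) for p in RFC1918):
                findings.append((lineno, "default", entry))
            elif net.prefixlen < MIN_IPV4_PREFIX:
                findings.append((lineno, "broad", entry))
        if any(p.version == net.version and net.subnet_of(p) for p in entries):
            findings.append((lineno, "covered", entry))
        entries.append(net)
        if client_connector and len(entries) > CLIENT_CONNECTOR_LIMIT:
            findings.append((lineno, "over-limit", entry))
    return entries, findings


if __name__ == "__main__":
    _, sample_findings = audit_bypass_list(SAMPLE_LIST, client_connector=True)
    for lineno, kind, entry in sample_findings:
        print(f"line {lineno}: {kind:<10} {entry}")
```

A `broad` or `covered` finding is a prompt for review rather than an error: an entry such as 0.0.0.0/0 parses cleanly yet removes every destination from inspection for all locations in the account.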

Prevent a Domain From Routing to the Web Security Service

IMPORTANT: This topic only applies to locations that use the Explicit Proxy and Unified Agent (v4.4+) Access Methods to connect to the Blue Coat Web Security Service. All other access methods ignore any bypass domain configurations.

Some destinations, such as intranets, do not require Web Security Service processing. Configure the service to ignore these connections. Another use case: you have use policy enabled, such as blocking several leisure categories, but you want to relax restraints for remote users and allow their requests to bypass the Web Security Service en route to specific sites.

Notes

   The Web Security Service allows an unlimited number of bypassed domains.
   The setting is global; that is, it applies to every location/client in your Web Security Service account.
   Be advised that multi-homed domains might lead to over-bypassing a site.
   Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.

Manually Add Domain Entries

1. In Service Mode, select the Network > Bypassed Sites > Bypassed Domains/URL tab.
2. Click Add Bypass Domain(s). The service displays the Add Bypass Domain dialog.
3. Click Add Bypass Domain(s). The portal displays a dialog.
   a. Enter a valid Domain.
   b. (Optional) Enter a Comment.
   c. (Optional) Click the + icon to add another row for another entry.
   d. Click Add Bypass Domain.

The new entries display in the tab view. You can edit or delete any entry from here.

Import Domain Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of domains to be bypassed. Each entry in the file must be on its own line.

1. In Service Mode, select the Network > Bypassed Sites > Bypassed Domains/URL tab.
2. Click Add Bypass Domain(s). The service displays the Add Bypass Domain dialog.
3. Click Add Bypass Domain(s). The portal displays a dialog.
   a. Select Import From File.
   b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.
   c. Click Add Bypass Domain.

All of the new entries display in the tab view. You can edit or delete any entry from here.

If you linked to this page from the Remote User Location solution page, return to Connect Remote Users.

Block Web Access When Service is Unavailable to Remote Users

By default, the Blue Coat Web Security Service allows remote clients unabated web access if the service becomes unavailable. For maximum security, set the fail behavior to block access until IT or Blue Coat restores the service.

1. In Service Mode, select Mobility > Unified Agent.
2. The default is Allow All Traffic. From the Fail Behavior drop-down list, select Block All Traffic.

This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.

Prevent Automatic Updates to Remote Clients

Blue Coat periodically updates the Unified Agent (or Client Connector), which is an application that allows remote users to connect to the Web Security Service. By default, the Web Security Service alerts remote users when a new Unified Agent software version is available. Similar to other application updates, the end user receives a prompt to update the software. They must click Install and follow the manual process to replace the current version with the new version (this operation does not require administrative access).

Your standard practices might not allow users to manage their own business applications. Or you might find it more efficient to roll out all business software updates on a set calendar basis. You can configure the Web Security Service to not notify end users of new Unified Agent updates, which allows you to download the new version to your central location and distribute it at a time of your choosing.

1. In Service Mode, select Mobility > Unified Agent.
2. For the Prompt client user for update option, select No.

There is no Apply button on this page. Selecting the option sets the configuration, as indicated by the displayed message.

Route Remote Connections Through an HTTP Proxy

If you encounter a situation that requires the Unified Agent or Client Connector to connect to the Blue Coat Web Security Service through an HTTP proxy, such as a test network trial or demonstration, you must provide the proxy IP address. Perform the following steps on Windows or Mac clients.

If you do not see the Proxy tab, you or another administrator installed the client with the option to hide that tab enabled. This is a higher-security measure that prevents employees from evading the corporate-to-internet egress addresses that are linked to enforced browsing policies. If a particular client requires this setting, you must re-install the agent on the system.

In Windows

This section demonstrates the Unified Agent.

1. Right-click the Unified Agent icon in the system tray and select Proxy Settings.
   a. Select the Connect to the Blue Coat Cloud Service using the HTTP proxy at: option.
   b. Enter the IP address and port number in the appropriate fields.
   c. (Optional) If required to gain access to the proxy server, enter the proxy user name and password.
   d. Click Apply.

In OS X

This section demonstrates the Unified Agent.

1. Click the Unified Agent icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the dialog.
2. Click the Proxy tab.
   a. Select Connect to the Blue Coat Cloud Service using the HTTP proxy at.
   b. Enter the HTTP proxy IP Address and Port.
   c. (Optional) If the HTTP proxy requires a User Name and Password for access, enter those.
3. Click Apply.

Next Step

Proceed to "Set Unified Agent Network/Security Options" on page 43.

Forward a Specific Port from Remote Clients

By default, the Blue Coat Web Security Service accepts traffic from the Unified Agent (or Client Connector) installed on client systems on the common gateway ports of 80 (HTTP), 443 (HTTPS) and 8080 (Explicit Proxy HTTP). The default ports are not changeable, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS traffic, configure the Web Security Service to listen on those ports. For example, the Web Security Service must also listen to ports 8000 (HTTP) and 8083 (HTTPS).

1. In Service Mode, select Mobility > Unified Agent.
2. In the Forwarding Ports area, click Edit Ports. The service displays the Edit Forward Ports dialog.
3. Specify the ports.
   a. Select Ports to Forward.
   b. Default Ports: You cannot select the default ports of 80 and 443, but you can select
   c. Additional Ports: If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate traffic type and entering the port. You can only enter one port in each field.
   d. Click Save.

Return to Connect Remote Users.

Require Authentication Challenges

To enforce accurate user credentials rather than rely on locally cached credentials, enable Captive Portal on the Web Security Service. See About Challenge-based Auth (Captive Portal). This option requires deployment of the Blue Coat Auth Connector application, which integrates with your Active Directory to provide username and group information.

1. In Service Mode, select Network > Mobility.
2. Enable Captive Portal.
3. As mentioned above, Captive Portal requires a deployed Auth Connector, which forwards user and group information to the service. The blue Authentication section link in the descriptive paragraph takes you to this location in the user interface.

56 Unified Agent Guide/Page 56 Verify Service Connectivity to Locations After configuring access to the Blue CoatWeb Security Service, verify that the service is receiving and processing content requests. 1. Click the Service link (upper-right corner). 2. Select Network > Locations. 3. Verify the status of each location. Various icons represent the connection status. Icon Connection Status Description The Web Security Service recognizes the location and accepts web traffic. A location has been configured, but the Web Security Service cannot connect. Verify that the web gateway device is properly configured to route traffic. A previously successful web gateway to Web Security Service configuration is currently not connected. Proxy Forwarding Verify the gateway address in the forwarding host is correct. If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.

57 Blue Coat Web Security Service/Page 57 Mac If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode. From a client system that has web access (or the specific test client if so configured), browse to the following site:

test.threatpulse.com

The test is successful if you see the following webpage.

Uninstall the Unified Agent

The Blue Coat Unified Agent and Client Connector are applications installed on remote systems that frequently connect to the Internet from non-corporate networks. You have the option to require an uninstall token, which employees must enter to remove the Unified Agent.

Available Options
- "Unified Agent With Uninstall Token" below
- "No Token Defined/Client Connector" on page 61
- "CLI" on page 62
- "MSI Version Mis-Match (Unknown MSI)" on page 62

Unified Agent With Uninstall Token

Employees attempting to uninstall the Unified Agent require an uninstall token that you define in the Web Security Service portal.

Information
- This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).
- If you have previously deployed Unified Agent to clients and used the CLI options (Windows: SUP=password; OSX: "--args -SUP password"), those passwords are no longer valid. You must log in to the portal and define the uninstall token.
- Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client receives the latest uninstall token.
- If you did not define an uninstall token, you can use the Control Panel.

Procedure

1. In Service mode, select Mobility > Unified Agent.
2. Define the uninstall token.

   a. Select Require token to uninstall agent: Yes.
   b. Click Uninstall Token (or Change Token if you or someone previously obtained a token). The service displays the Set Unified Agent Uninstall Token dialog.
   c. Name the Uninstall Token and click Set Token. The service displays that an uninstall token was set on a given date and time.
   d. Distribute the uninstall token and instructions (see below) to those who have permission to uninstall the Unified Agent. You can change the uninstall token any time.

Windows

If it still exists on the client, running the correct MSI installer allows you to remove the client application. If the MSI does not exist, you can download it again from the Web Security Service portal. If you attempt this method and receive an error string that begins with Another version of this product is already installed..., see "MSI Version Mis-Match (Unknown MSI)" on page 62 below.

Execute the Unified Agent installer (MSI). In the Removal...uninstall token field, enter the token and click Validate.

The equivalent CLI command is UNINSTALL_TOKEN=password, where password is the token obtained from the portal.

If an employee attempts to remove the Unified Agent from the Windows > Control Panel menu, they receive a pop-up message prompting them to contact their Administrator for removal permission.

OS X

1. In the menu bar, click the Unified Agent icon.
2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.
3. The system prompts you for the uninstall token. Enter the uninstall token and click OK.
4. Click Uninstall.

No Token Defined/Client Connector

If an uninstall token was not generated in the portal, follow the standard process for removing a program.

Windows

Start > Control Panel > Add/Remove Programs. You must have administrative rights to the system.

OS X

1. In the menu bar, click the Unified Agent or Client Connector icon.
2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.
3. Click Uninstall.

Alternative: Navigate to /Library/Application Support/Blue Coat Systems and double-click the cloud-client-uninstaller.

CLI

If you know or recorded the exact MSI that was used to install the application, use the CLI command to remove it.

    msiexec /x {MSI_Value} [/quiet UNINSTALL_TOKEN=password]

Reference MSI Versions: See "Reference: Remote Client Application Package Versions" on page 67 for versions.

MSI Version Mis-Match (Unknown MSI)

The following scenario creates an MSI-version mis-match.
- You configured the option in the Web Security Service portal to allow Unified Agent clients to automatically update.
- You defined an uninstall token.

For example, you downloaded and installed Unified Agent 4.4, then (per configuration) the portal automatically updates the installed client versions to 4.5 when Blue Coat posts it to datacenters. With the uninstall token option defined, you or employees cannot uninstall the application because no MSI was downloaded and paired with the upgraded product ID.

To remove the application, you must use the CLI command with the correct product ID code.

    msiexec /x {product_id_code} /quiet UNINSTALL_TOKEN=password

You find this code one of two ways:
- (Recommended) Review the MSI uninstall failure log.
- Find it in the registry. For more information about this method, see the Knowledge Base article.

The product ID is the same for all installation instances, which means you can create scripts to remove the application from multiple clients.

Troubleshoot...

Attempt to solve remote client application connection issues.
- "Unified Agent Drops Connections" on the next page
- "Manage Web Security Service Client Connections" on page 65
- "Captive Portal Diagnostic Messages" on page 68
- "Capture Remote Client Trace Log" on page 70

Unified Agent Drops Connections

Symptom: The Unified Agent or Client Connector randomly loses connection and then reconnects, causing interruptions to internet access.

Check: On computers with a wired and wireless network connection, ensure both interfaces are not connected at the same time. This causes the client to roll from one interface to the other, which might cause connection interruptions.

Manage Web Security Service Client Connections

If employees are sending complaint requests regarding dropped connections to the web, reviewing the Blue Coat Web Security Service client connections status might help you determine if this is a widespread or minimal issue. Also, if you see a client on the system that you do not believe belongs in your organization (for example, a stolen laptop), you can log in to the Web Security Service portal and block access to that client while you investigate.

To review client connections, click the Service mode > Mobility > Agent Status tab.

Your organization might have hundreds to thousands of client connections at any given moment. Use the search field to yield targeted results. As you enter text, the portal uses auto-fill to match entries. Select the option on which to sort.

See Manage Remote/Mobile Device Connections for more details.

Manually Disable the Unified Agent

The Blue Coat Unified Agent, installed on employee devices such as laptops, provides web security when the client is not connected to an on-premise network. Although the Unified Agent should function in any network, sometimes an unforeseen environment might cause connection issues or prevent the Unified Agent from passing web traffic to the Web Security Service. Your business might depend on the efficiency of personnel in the field who cannot be disrupted by a lack of an Internet connection.

You can configure the Web Security Service to allow employees to temporarily disable the Unified Agent should connection issues occur. The Unified Agent remains disabled only until the client machine reboots or the employee initiates a reconnect from the Unified Agent interface. Furthermore, this setting in the Web Security Service applies to all Unified Agents in the field. You cannot selectively target which installations receive the disable option.

This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

Activate the Disable Option

1. In Service Mode, select Mobility > Unified Agent.
2. In the Unified Agent Settings area, select Yes for the Allow agent to be disabled by user option.

Instruct Employees How to Disable the Unified Agent

Windows: In the system tray, right-click the Unified Agent icon and select Disable Unified Agent. Employees can also return here and Enable the agent.

OS X: Click the Unified Agent icon in the menu bar and select Disable Unified Agent. Employees can also return here and Enable the agent.

Reference: Remote Client Application Package Versions

MSI String Unified Agent o UnifiedAgentInstaller64-v msi {D6FD56F5-00E CED-DC1F9F2887F6} o o UnifiedAgentInstaller msi {61BDFA31-62A5-41CB-9833-D602056B8751} UnifiedAgentInstaller msi o o o o MacUnifiedAgentInstaller dmg UnifiedAgentInstaller msi UnifiedAgentInstaller msi MacUnifiedAgentInstaller dmg {216652C2-709F-449B-B92F-9723C7E78384}

Captive Portal Diagnostic Messages

When Captive Portal is enabled for remote clients on the Blue Coat Web Security Service, various messages are logged in association with user login activities and authentication. They display on the Service mode > Troubleshooting > Mobile Clients page.

Log Entry: CAResp<0> Captive Portal enabled: true
Description: Indicates when Captive Portal was enabled (Service mode > Network > Mobility).

Log Entry: Captive portal authentication succeeded for username
Description: Indicates when a user successfully logged in.

Log Entry: Authentication server error, connecting as unauthenticated user
Description: If the Auth Connector becomes unavailable, the user receives the following error message: Authentication server error, connecting as unauthenticated user (also, Web Security Service adds the event to the diagnostic log). The behavior defaults to what happens when Captive Portal is not enabled. That is, the users' access credentials create a tunnel. For diagnostic analysis, this Advanced dialog entry is unauthenticated (user_name).

Log Entry: Account restricted - CP auth failed for user: username
Description: A user attempted to log in with incorrect credentials more times than the set limit in the Active Directory.
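The Captive Portal messages listed above can be triaged in bulk once they are saved to a text file. The following Python is an added example, not part of the Blue Coat guide: it classifies the four messages, counts lockouts per user, and records each span between an authentication server error and the next successful Captive Portal login. The timestamp prefix, the sample lines, and the function names are constructed assumptions, and reading that span as a period without challenge-based authentication is an interpretation of the description above.

```python
import re
from collections import Counter

# Message texts come from the Captive Portal diagnostic table in this guide.
# "username" in the table stands for the account name that appears at run time.
PATTERNS = [
    ("cp_enabled", re.compile(r"Captive Portal enabled: (?P<state>\w+)", re.I)),
    ("auth_ok", re.compile(
        r"Captive portal authentication succeeded for (?P<user>\S+)", re.I)),
    ("auth_server_error", re.compile(
        r"Authentication server error, connecting as unauthenticated user", re.I)),
    ("account_restricted", re.compile(
        r"Account restricted - CP auth failed for user: (?P<user>\S+)", re.I)),
]


def classify(line):
    """Return (event, user) for a known Captive Portal message, else None.

    Matching is done on the message text only, so any prefix the log
    writer adds (timestamp, component tag) is ignored.
    """
    for event, rx in PATTERNS:
        m = rx.search(line)
        if m:
            user = m.groupdict().get("user")
            if user:
                user = user.rstrip(".,;")  # drop trailing punctuation
            return event, user
    return None


def triage(lines):
    """Summarise Captive Portal events found in an iterable of log lines.

    fallback_windows holds (start_line, end_line) pairs: the line of an
    authentication server error and the line of the next successful
    Captive Portal login. end_line is None if the file ends first.
    """
    counts = Counter()
    restricted = Counter()
    fallback_windows = []
    open_start = None

    for lineno, line in enumerate(lines, start=1):
        hit = classify(line)
        if hit is None:
            continue
        event, user = hit
        counts[event] += 1
        if event == "auth_server_error":
            if open_start is None:  # repeated errors extend one window
                open_start = lineno
        elif event == "auth_ok" and open_start is not None:
            fallback_windows.append((open_start, lineno))
            open_start = None
        elif event == "account_restricted":
            restricted[user] += 1

    if open_start is not None:
        fallback_windows.append((open_start, None))

    return {
        "counts": dict(counts),
        "restricted_users": dict(restricted),
        "fallback_windows": fallback_windows,
    }


# Constructed sample input. The timestamp format, the user names and the
# "Tunnel established" line are invented for this example.
SAMPLE_LOG = """\
2016-04-21 09:02:11 CAResp<0> Captive Portal enabled: true
2016-04-21 09:02:15 Captive portal authentication succeeded for jdoe
2016-04-21 13:40:02 Authentication server error, connecting as unauthenticated user
2016-04-21 13:40:03 Tunnel established
2016-04-21 14:05:47 Captive portal authentication succeeded for jdoe
2016-04-21 16:20:30 Account restricted - CP auth failed for user: asmith
2016-04-21 16:21:02 Account restricted - CP auth failed for user: asmith
2016-04-21 17:55:10 Authentication server error, connecting as unauthenticated user
""".splitlines()


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Event counts:", report["counts"])
    for user, n in report["restricted_users"].items():
        print(f"Account restricted: {user} ({n} events)")
    for start, end in report["fallback_windows"]:
        closing = f"line {end}" if end else "end of file (still open)"
        print(f"Unauthenticated fallback from line {start} to {closing}")
```

An open window at the end of the file is the case to follow up first, because it means the client was still connected without a Captive Portal login when the log was collected.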

Review System Events Generated by Remote Clients

You can view a list of system events recorded by the Unified Agent or Client Connector by opening the diagnostics log file. This text file displays events with time stamps whenever the network or client status changes as a result of user input or other system disturbances. The diagnostic log file is automatically created by the remote client application and does not require setup. To view the auto-generated log file, refer to the following action steps.

In Windows:

1. In the system tray, double-click the installed client icon. The service displays the Status tab of the client dialog.
2. Click the Advanced tab.
3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows log creation date (for example, the filename ThreatPulse_CC_Diag_ txt indicates the file was created on February 7, 2014 at 10:47 AM).

In OS X:

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The service displays the Status tab of the client dialog.
2. Click the Advanced tab.
3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows log creation date (for example, the filename ThreatPulse_CC_Diag_ txt indicates the file was created on February 7, 2014 at 10:47 AM).

Capture Remote Client Trace Log

If your remote user employees are sending complaints about network access to the web and they have the Unified Agent or Client Connector installed and routing web requests to the Blue Coat Web Security Service, you can capture tracing logs from the client to help diagnose client-related issues (if you are working with Technical Support, they might also request this information).

As the capture must be performed on the client system, you must initiate the process by performing one of the following actions:
- Have the employee bring you their client system.
- Gain access to their system through a remote connection.
- Instruct the employee on how to perform the capture and send you the file.

To perform a packet capture, refer to the following action steps:

In Windows

1. In the system tray, double-click the installed client icon. The system displays the Status tab of the client dialog.
2. Click the Advanced tab.
   a. Click Start Tracing to initiate a trace capture. When you begin a trace capture, the service displays the path to the trace file.
   b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart Windows, and return to this dialog to stop the capture.
   c. Stop the trace capture by clicking Stop Tracing.
   d. Click Open Trace Folder to display the folder that contains the trace file to send to support.

In OS X

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the Status tab of the client dialog.

2. Click the Advanced tab.
   a. Click Start Tracing to initiate a trace capture.
   b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart the computer, and return to this dialog to stop the capture.
   c. Stop the trace capture by clicking Stop Tracing.
   d. To view the trace (packet capture) information, use the OS X Console application to open the System Log. You can find the Console application in the OS X Utilities folder. Unified Agent trace messages are added to the system log. To just see these messages, enter bcua in the search field (upper-right) in the Console application. To copy/paste all of the messages, select one and select Select All from the Edit menu; paste into a text file.


More information

enicq 5 System Administrator s Guide

enicq 5 System Administrator s Guide Vermont Oxford Network enicq 5 Documentation enicq 5 System Administrator s Guide Release 2.0 Published November 2014 2014 Vermont Oxford Network. All Rights Reserved. enicq 5 System Administrator s Guide

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

Table of Contents. Introduction...9. Installation...17. Program Tour...31. The Program Components...10 Main Program Features...11

Table of Contents. Introduction...9. Installation...17. Program Tour...31. The Program Components...10 Main Program Features...11 2011 AdRem Software, Inc. This document is written by AdRem Software and represents the views and opinions of AdRem Software regarding its content, as of the date the document was issued. The information

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com

Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Manual Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious

More information

XIA Configuration Server

XIA Configuration Server XIA Configuration Server XIA Configuration Server v7 Installation Quick Start Guide Monday, 05 January 2015 1 P a g e X I A C o n f i g u r a t i o n S e r v e r Contents Requirements... 3 XIA Configuration

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Direct or Transparent Proxy?

Direct or Transparent Proxy? Direct or Transparent Proxy? Choose the right configuration for your gateway. Table of Contents Direct Proxy...3 Transparent Proxy...4 Other Considerations: Managing authentication made easier.....4 SSL

More information

Product Manual. Administration and Configuration Manual

Product Manual. Administration and Configuration Manual Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with

More information

Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010

Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010 Setting Up a Unisphere Management Station for the VNX Series P/N 300-011-796 Revision A01 January 5, 2010 This document describes the different types of Unisphere management stations and tells how to install

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Preparing for GO!Enterprise MDM On-Demand Service

Preparing for GO!Enterprise MDM On-Demand Service Preparing for GO!Enterprise MDM On-Demand Service This guide provides information on...... An overview of GO!Enterprise MDM... Preparing your environment for GO!Enterprise MDM On-Demand... Firewall rules

More information

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1

Virtual Appliances. Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V. Virtual Appliance Setup Guide for Umbrella Page 1 Virtual Appliances Virtual Appliances: Setup Guide for Umbrella on VMWare and Hyper-V Virtual Appliance Setup Guide for Umbrella Page 1 Table of Contents Overview... 3 Prerequisites... 4 Virtualized Server

More information

Introduction to Mobile Access Gateway Installation

Introduction to Mobile Access Gateway Installation Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure

More information

How To - Implement Clientless Single Sign On Authentication with Active Directory

How To - Implement Clientless Single Sign On Authentication with Active Directory How To Implement Clientless Single Sign On in Single Active Directory Domain Controller Environment How To - Implement Clientless Single Sign On Authentication with Active Directory Applicable Version:

More information

Configuration Guide BES12. Version 12.3

Configuration Guide BES12. Version 12.3 Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing

More information

Contents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7

Contents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7 Directory Connector SonicWALL Directory Services Connector 3.1.7 Contents Platform Compatibility... 1 New Features... 2 Known Issues... 3 Resolved Issues... 4 Overview... 7 About SonicWALL Single Sign-On

More information

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started Getting Started Symantec Client Security About Security Security provides scalable, cross-platform firewall, intrusion prevention, and antivirus protection for workstations and antivirus protection for

More information

Administration guide. Océ LF Systems. Connectivity information for Scan-to-File

Administration guide. Océ LF Systems. Connectivity information for Scan-to-File Administration guide Océ LF Systems Connectivity information for Scan-to-File Copyright 2014, Océ All rights reserved. No part of this work may be reproduced, copied, adapted, or transmitted in any form

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

How to Configure Captive Portal

How to Configure Captive Portal How to Configure Captive Portal Captive portal is one of the user identification methods available on the Palo Alto Networks firewall. Unknown users sending HTTP or HTTPS 1 traffic will be authenticated,

More information

SMART Vantage. Installation guide

SMART Vantage. Installation guide SMART Vantage Installation guide Product registration If you register your SMART product, we ll notify you of new features and software upgrades. Register online at smarttech.com/registration. Keep the

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

Version 5.0. SurfControl Web Filter for Citrix Installation Guide for Service Pack 2

Version 5.0. SurfControl Web Filter for Citrix Installation Guide for Service Pack 2 Version 5.0 SurfControl Web Filter for Citrix Installation Guide for Service Pack 2 NOTICES Updates to the SurfControl documentation and software, as well as Support information are available at www.surfcontrol.com/support.

More information

Active Directory Software Deployment

Active Directory Software Deployment APPLICATION N0TE ST-0128 March 24, 2006 Product: Active Directory / PCM Deployment System version: ShoreTel 6 Active Directory Software Deployment Courtesy of: Dylan Moser with LANtelligence Inc. This

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide

Installation Guide. Novell Storage Manager 3.1.1 for Active Directory. Novell Storage Manager 3.1.1 for Active Directory Installation Guide Novell Storage Manager 3.1.1 for Active Directory Installation Guide www.novell.com/documentation Installation Guide Novell Storage Manager 3.1.1 for Active Directory October 17, 2013 Legal Notices Condrey

More information

Release Notes. Contents. Release Purpose. Platform Compatibility. Windows XP and Internet Explorer 8 Update

Release Notes. Contents. Release Purpose. Platform Compatibility. Windows XP and Internet Explorer 8 Update Secure Remote Access Dell SonicWALL SRA 7.5.0.9 Contents Release Purpose...1 Platform Compatibility...1 Licensing on the Dell SonicWALL SRA Appliances and Virtual Appliance...2 Important Differences between

More information

Web Security Service

Web Security Service Webroot Web Security Service Desktop Web Proxy Configuration Guide Webroot Software, Inc. 385 Interlocken Crescent Suite 800 Broomfield, CO 80021 www.webroot.com Desktop Web Proxy Configuration Guide September

More information

Installing GFI MailEssentials

Installing GFI MailEssentials Installing GFI MailEssentials Introduction to installing GFI MailEssentials This chapter shows you how to install and configure GFI MailEssentials. GFI MailEssentials can be installed in two ways: Installation

More information

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15 Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com

More information

VMware Horizon FLEX User Guide

VMware Horizon FLEX User Guide Horizon FLEX 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this

More information

Content Filtering Client Policy & Reporting Administrator s Guide

Content Filtering Client Policy & Reporting Administrator s Guide Content Filtering Client Policy & Reporting Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

More information

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.2 Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining

More information

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide GFI Product Manual Web security, monitoring and Internet access control Administrator Guide The information and content in this document is provided for informational purposes only and is provided "as

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information