Technical note Version 1.0 23/12/13 Product Information Partner Name Web Site Product Name Blue Coat Systems, Inc. www.bluecoat.com ProxySG Version & Platform SGOS 6.5 Product Description Blue Coat ProxySG appliances offer a comprehensive foundation for the Blue Coat Secure Web Gateway solution and advanced WAN Optimization feature sets. ProxySG appliances combine highperformance hardware with Blue Coat SGOS, a custom, objectbased operating system that enables flexible policy control over content, users, applications and protocols.
Copyright Revision 1.0, December, 2013 Published by Clearswift Ltd. 1995 2013 Clearswift Ltd. All rights reserved. The materials contained herein are the sole property of Clearswift Ltd unless otherwise stated. The property of Clearswift may not be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd. Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities. The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography. Clearswift reserves the right to change any part of this document at any time. Page 2 of 12 2
Contents 1 Introduction... 4 2 Architecture Overview... 4 3 Clearswift SECURE ICAP Gateway Configuration... 5 4 Blue Coat ProxySG Configuration... 6 5 Feature List... 11 5.1 Certified Platform... 11 5.2 Feature List... 11 Page 3 of 12 3
1 Introduction The Clearswift SECURE ICAP Gateway is an ICAP server that provides all the Clearswift Content inspection functionality to Blue Coat ProxySG product. This document describes the steps to take when deploying and integrating both products. 2 Architecture Overview The Blue Coat ProxySG is a scalable, high performance web security product that can extend its capabilities through the addition of external components. The communication between the different elements is performed using the Internet Content Adaptation Protocol (ICAP). In such configurations, the ProxySG performs the communication between the user and the Internet, redirecting the selected requests or responses to the available ICAP servers. ICAP Blue Coat ProxySG Clearswift SECURE ICAP Gateway Users This configuration allows Blue Coat clients to take advantage of the Clearswift deep content inspection and adaptive redaction functionality and its ability to protect an organization s critical information assets. Page 4 of 12 4
3 Clearswift SECURE ICAP Gateway Configuration The Blue Coat ProxySG acts as an ICAP client, as it sends requests for content to be inspected. The Clearswift ICAP Gateway act as an ICAP server, as it responds to requests made by the ProxySG. The ICAP Gateway only scans requests from registered ICAP clients served. Thus, the IP address that the ProxySG will be using to communicate to the ICAP Gateway is required in order to perform the configuration. Configuration is done on the ICAP Server Configuration page, available under the System menu. In the ICAP Clients area all of the ProxySG deployed servers must be configured. The Clearswift ICAP Gateway is configured to listen on the port 1344, the default ICAP communications port. This can be modified if required through the configuration page. The Blue Coat ProxySG will receive requests from users to access content from the Internet and obtain responses from web servers. Each of these can be sent for inspection in the ICAP Gateway. However, each is treated in a different manner. In Page 5 of 12 5
order to identify them individually, different service URLs are used. These can be defined in the ICAP Services Configuration box, including whether message previewing option will be accepted or not. Additionally, the Clearswift SECURE ICAP Gateway can be configured to log specific actions and to have an appropriate logging level. It must be noted that a high log level can have a negative performance impact on the platform. 4 Blue Coat ProxySG Configuration The Blue Coat ProxySG allows creating policies to send content for inspection by the ICAP Gateway. The following steps should be taken as a basic configuration guideline, and never be taken as the optimum configuration. It is required that the configuration is done by an administrator with working knowledge of the platforms involved. The entire configuration of the ProxySG is done through the management web interface. The steps to redirect the users requests and responses follow: 1. Connect to the Blue Coat web interface. Open a web browser and point it to https://blue_coat_ip_address:8082. 2. Login to the web UI using the administrator user and password. Page 6 of 12 6
3. In the Blue Coat Management UI, browse to ICAP Services configuration under the External Services option in the Configuration tab. 4. Configure both the policy_sevice_req and the policy_service_resp services to point to the SECURE ICAP Gateway and to the appropriate service URL. In the response service the Preview option must be selected with a size of 0. Page 7 of 12 7
5. ICAP feedback can be configured, such as when to show the patience page to the user while the inspection takes place. 6. A pool of SECURE ICAP Gateways can be configured so that ProxySG will make requests evenly through the pool. In order to do that, a Service Group needs to be configured containing the available ICAP Gateways. Once the basic configuration has been done, the policy needs to be set up so that the selected requests or responses are sent to the SECURE ICAP Gateway for inspection. This process will usually be performed on an existing ProxySG. Thus, the policy will need to be modified for the redirection. As a simple reference, the following steps show how to configure a basic policy for inspecting requests from users and responses from servers. 1. Launch the Visual Policy Manager by clicking in the Launch button as shown in the image below. Page 8 of 12 8
2. In the appropriate Web Content Layer policy set a new action object. 3. Select the previously created ICAP services so that the content that hits this rule is redirected to the ICAP Gateway for inspection. Logs provide information to validate that the integration has been properly done. 1. Enable access logging by selecting the option in the web interface and clicking the Apply button. Page 9 of 12 9
2. In the log tail of the main log, new entries should be shown with 404 TCP_NC_MISS which correspond to the tests that the ProxySG does to validate that the ICAP Gateway is running. The policy must be installed in order to be applied. Page 10 of 12 10
5 Feature List 5.1 Certified Platform Certification Environment Product Name Version Information Operating System Clearswift SECURE ICAP Gateway 3.1.1 Virtual Appliance Blue Coat Proxy SG 300 Series 500 Series SGOS 6.5.1 5.2 Feature List Feature ICAP server Flexible deployment options: Hardware, Software image, VMware vsphere Active Directory (AD) / LDAP integration Flexible and granular policy controls Facebook, LinkedIn, Twitter and YouTube policy Benefit Platform Connect to existing ICAP clients within your infrastructure. Supported ICAP client: Blue Coat Proxy SG Provides full flexibility to adapt to your organization s IT strategy. Full user-based policy control for flexible policy and audit reporting by group or individual. Policy Easily define policies to enable and allow Web 2.0 usage while minimizing risk. Allow access to Web 2.0 sites, but only to content and features allowed by your policy. Policy direction to provide additional context Prevent certain file types, e.g. spreadsheets, from being uploaded but allow them to be downloaded. Customizable block pages Adaptive Redaction: Data Redaction (Optional) Adaptive Redaction: Document Sanitization (Optional) Adaptive Redaction: Structural Sanitization (Optional) Clearswift Information Governance Server integration (Optional) External data source connection Educate users by providing personalized feedback on their actions. Data Loss Prevention Modify content in real time to avoid delaying business processes while protecting sensitive information. Prevent hidden information within documents (e.g. metadata, properties, or quick save data) from being leaked. Detect and strip active content from documents and HTML pages to protect from APT s and unknown threats. Detect full or partial files being uploaded or downloaded. Allow tracking of any information traversing the SECURE ICAP Gateway. Accurately identify data from your databases that is found in transit. Lexical analysis and regular expression rules Search file content for key words and phrases using simple or more complex pattern matching to identify sensitive data in over 200 character encodings. Pre-defined sensitive data templates Compliance dictionaries Predefined Tokens MIMEsweeper true binary file-type identification Bi-directional virus and anti-malware scanning Bi-directional anti-spyware scanning URL filtering database with 84 categories Malware, Phishing and Spyware categories Identify credit card, bank account, social security and national security numbers. Multi-language editable compliance dictionaries including GLBA, HIPAA, SEC, SOX, PCI and PII to minimize risks. Multiple, including: Credit Card, Social Security, IBAN, National Insurance, Tax file number, German Identity, Business Identifier Code Accurate binary based identification with the ability to define own file signatures. Hygiene Stops known and unknown malware infection entering or leaving the network. Stops spyware, adware, key loggers and spyware call homes from infected machines. Prevents access to inappropriate sites and provides context for web reports. Prevents access to known high risk URLs and sites with hourly updates. Page 11 of 12 11
Feature Real-time categorization engine Content aware recursive inspection Intuitive web-based interface Pre-defined customizable reports Scheduled reporting Multi-Gateway consolidated reporting SNMP, SMTP Alerting Benefit Prevents access to new or uncategorized sites with inappropriate content. Decomposes the requests and responses to provide true detection of content like executables even when embedded in other file types or compressed containers. Management and Reporting Ease of use and no requirement to learn complex syntax or operating system commands. Easy to modify, run and share graphical reports with intuitive drill down. Allows create once, run and distribute many times with circulation via email. Consolidated reporting view of user s activities for easier analysis and sharing of management data. Facilitates lights out data center deployment using SNMP or SMTP management alerts. Page 12 of 12 12