Symantec Blue Coat ProxySG
Prerequisites
- Configuring MetaDefender ICAP Server
- Enable persistent connections (recommended) - Blue Coat reuses connections to the ICAP server, so it is highly recommended to enable persistent connections on the ICAP side; otherwise Blue Coat might detect ICAP connection drop errors under high load.
ProxySG Management Console
The ProxySG configuration should be done from the ProxySG Management Console interface. Below is the minimum configuration required for MetaDefender ICAP Server integration with ProxySG. Please refer to the ProxySG manual for advanced proxy configuration. Open a web browser and load the ProxySG Management Console (e.g. https://<ip address>:8082). Please refer to the ProxySG manual for details about how to open the ProxySG Management Console.
Disable Automatic Cache Refresh
Select the 'Freshness' tab and select the 'Disable refreshing' option
Select the 'Acceleration Profile' tab and uncheck the following options
- Pipeline embedded objects in client request
- Pipeline redirects for client request
- Pipeline embedded objects in prefetch request
- Pipeline redirects for prefetch request
Click 'Apply' to save these settings
Adding REQMOD Service (Upload Mode)
Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'
Click 'New'
Enter a service name for the Metascan service (in this example we use 'MetascanReqmod') and click 'OK'
In the services list, select 'MetascanReqmod' and click 'Edit'
Update the following values
In ICAP Service
- Set Service URL to 'icap://<Metascan Server>/OMSScanReq-AV'
- Select 'Use vendor's "virus found" page'
In ICAP Service Ports
- Check 'This service supports plain ICAP connections'
- Set the 'Plain ICAP port' value to your Metascan's ICAP port (1344 by default)
In ICAP v1.0 Options
- Check 'Request modification'
- Check 'Send Client address'
Click 'OK'
Click 'Apply' to save the configuration
Adding RESPMOD Service (Download Mode)
Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'
Click 'New'
Enter a service name for the Metascan service (in this example we use 'MetascanRespmod') and click 'OK'
In the services list, select 'MetascanRespmod' and click 'Edit'
Update the following values
In ICAP Service
- Set Service URL to 'icap://<Metascan Server>/OMSScanResp-AV'
- Select 'Use vendor's "virus found" page'
In ICAP Service Ports
- Check 'This service supports plain ICAP connections'
- Set the 'Plain ICAP port' value to your Metascan's ICAP port (1344 by default)
In ICAP v1.0 Options
- Check 'Response modification'
- Check 'Send Client address'
Click 'OK'
Click 'Apply' to save the configuration
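Before attaching the two services to policy, it is worth confirming that each service URL answers an ICAP OPTIONS request, advertises the expected method, and keeps the connection open (see the persistent-connection prerequisite). The following is an added example, not part of the vendor documentation; the function names, the host passed to `probe`, and the sample response are assumptions constructed for illustration.

```python
import socket

# Service paths are the ones configured above; everything else is assumed.
SERVICES = {"/OMSScanReq-AV": "REQMOD", "/OMSScanResp-AV": "RESPMOD"}
# Constructed sample response (not captured from a real server).
SAMPLE = (b'ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nISTag: "constructed-1"\r\n'
          b"Connection: close\r\nEncapsulated: null-body=0\r\n\r\n")


def build_options(host, path, port=1344):
    """Build an RFC 3507 OPTIONS request for one ICAP service."""
    return (f"OPTIONS icap://{host}:{port}{path} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")


def check_options(raw, expected_method):
    """Return a list of problems found in a raw OPTIONS response (empty = OK)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("ICAP/") or status[1] != "200":
        return [f"unexpected status line: {lines[0]!r}"]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    problems = []
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    if expected_method not in methods:
        problems.append(f"service does not advertise {expected_method}")
    # 'Connection: close' means the server will not reuse the connection.
    if headers.get("connection", "").lower() == "close":
        problems.append("server closes the connection after each transaction")
    return problems


def probe(host, path, port=1344, timeout=5.0):
    """Send OPTIONS to a live ICAP server and run the checks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options(host, path, port))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return check_options(data, SERVICES[path])
```

Calling `probe("<Metascan Server>", "/OMSScanReq-AV")` from a host that can reach the ICAP port returns an empty list when the service is ready for the ProxySG configuration above.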
Create MetaDefender REQMOD Policy
Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'
Click the 'Launch' button
In the 'Blue Coat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'
Enter a layer name (in this example we use 'MetaDefender ICAP Server ReqMod') and click 'OK'
In the newly created 'MetaDefender ICAP Server ReqMod' tab, right click on 'Use Default Caching' and choose 'Set...'
In the 'Set Action Object' window, click 'New' and select 'Set ICAP Request Service...'
In the 'Add ICAP Request Service Object' window, set the following values
- Set 'name' to 'MetaDefender ICAP Server Request Service'
- In 'Available services', select 'MetascanReqmod' and click 'Add'
Click 'OK' to finish and 'Apply' to save
Create MetaDefender RESPMOD Policy
Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'
Click the 'Launch' button
In the 'Blue Coat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'
Enter a layer name (in this example we use 'MetaDefender ICAP Server RespMod') and click 'OK'
In the newly created 'MetaDefender ICAP Server RespMod' tab, right click on 'Use Default Caching' and choose 'Set...'
In the 'Set Action Object' window, click 'New' and select 'Set ICAP Response Service...'
In the 'Add ICAP Response Service Object' window, set the following values
- Set 'name' to 'MetaDefender ICAP Server Response Service'
- In 'Available services', select 'MetascanRespmod' and click 'Add'
Click 'OK' to finish and 'Apply' to save
Configure Blue Coat SSL
Enabling Blue Coat To Intercept SSL traffic
By default, SSL (HTTPS) connections are not intercepted by Blue Coat, and therefore the data in them is not scanned by the MetaDefender ICAP Server. If you would like to scan files that are sent over a secure connection, you can optionally configure Blue Coat to decrypt SSL connections.
How To Configure
Please refer to Blue Coat documentation.
Limitations
- If the ICAP server is not connected directly to Blue Coat, or is not in a private network, then the connection between Blue Coat and the ICAP server is no longer secure and the decrypted data could be at risk. (See "Securing access to an ICAP Server": https://symwisedownload.symantec.com/resources/sites/SYMWISE/content/live/DOCUMENTATION/11000/DOC11474/en_US/SGOSAdmin71.pdf)
- Valid SSL certificates are needed for Blue Coat, and the user experience could be affected by certificate notifications.
How to overcome certificate issues
- When creating the keyring and certificate as explained in the Blue Coat documentation, make sure that the Common Name "must match the ProxySG name or IP address that the client expects"
- After the keyring and the certificate are ready, go to Statistics → Advanced → SSL → Download a ProxySG Certificate as a CA certificate in the ProxySG Management Console
- Select the previously created certificate and download/install it to the browser in use
- This certificate should be set under Proxy Settings → SSL Proxy and under the SSLInterception that was created while configuring SSL interception