Unified Agent Deployment and Administration Guide for Windows
Version 4.7.1

Contact Information
https://www.bluecoat.com/support-services
https://bto.bluecoat.com/documentation

Copyright © 2016 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Americas: Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
Rest of the World: Symantec Limited, Ballycoolin Business Park, Blanchardstown, Dublin 15, Ireland

Document Revision: Unified Agent 4.7.1 — 16 November 2016

Additional Restrictions

ProxySG Appliances
Within sixty (60) days of the date from which the User powers up the ProxySG appliance ("Activation Period"), the Administrator must complete the ProxySG appliance licensing requirements as instructed by the ProxySG appliance to continue to use all of the ProxySG appliance features. Prior to the expiration of the Activation Period, the ProxySG appliance software will deliver notices to install the license each time the Administrator logs in to manage the product. Failure to install the license prior to the expiration of the Activation Period may result in some ProxySG appliance features becoming inoperable until the Administrator has completed licensing.

Unified Agent
The Administrator may install Unified Agent only on the number of personal computers licensed to them. Each personal computer shall count as one "user" or "seat." The Unified Agent software may only be used with Blue Coat ProxySG appliances. The Administrator shall require each user of the Blue Coat Unified Agent software to agree to a license agreement that is at least as protective of Blue Coat and the Blue Coat Unified Agent software as the Blue Coat EULA.

ProxySG Appliance Virtual Appliances, MACH5 or Secure Web Gateway (SWG) Edition
The ProxySG appliance Virtual Appliances (MACH5 or Secure Web Gateway edition) are licensed on either a perpetual or subscription basis for a maximum number of concurrent users. Support for the Virtual Appliances will be subject to the separate support agreement entered into by the parties if the Administrator licenses the Virtual Appliances on a perpetual basis. The Virtual Appliances will (a) not function upon expiration of the subscription if the Administrator licenses the Virtual Appliances on a subscription basis; or (b) if the traffic exceeds the maximum number of concurrent users/connections, features may not function beyond the maximum number of concurrent users/connections. This means that, in these cases, the network traffic will only be affected by the default policy set by the Administrator (either pass or deny). Such cessation of functionality is by design, and is not a defect in the Virtual Appliances. The Administrator may not install the same license key or serial number on more than one instance of the Virtual Appliance. The Administrator may move the Virtual Appliance along with its license key and serial number to a different server, provided that server is also owned by the Administrator and the Administrator permanently deletes the prior instance of the Virtual Appliance on the server on which it was prior installed. The Virtual Appliances require a third party environment that includes software and/or hardware not provided by Blue Coat, which the Administrator will purchase or license separately. Blue Coat has no liability for such third party products.

Contents

Audience
Typographical Conventions in the Unified Agent: Deployment and Administration Guide
BlueTouch Online
    Subscribe to Content
Chapter 1: Unified Agent Concepts
    Why Deploy Unified Agent?
    Software and Hardware Requirements
    Licensing the Unified Agent
    ProxySG Appliances and Unified Agent
    Unified Agent Tamper Resistance
    Location Awareness
    Unified Agent Web Filtering
        Blue Coat WebFilter Categorization
        Web Filtering on Captive Portals
    FTP Log Security
Chapter 2: Configure the Client Manager
    Designate a ProxySG Appliance as the Client Manager
    Implement Client Security Measures
        Certificate Management
        Unified Agent Tamper Resistance
    Upload Unified Agent Software to the Client Manager
        Retrieve the Unified Agent Update Files
    Set Up the Client Manager (ProxySG Appliance CLI)
        Designate the Client Manager
        Display Unified Agent Settings
        Clear Unified Agent Statistics
Chapter 3: Install Unified Agent Software on Windows
    Prerequisites
    Obtain the Installation Files
    Methods to Install the Unified Agent Software
        Manually Install Unified Agent on a Windows Device
        Using Group Policy Object Distribution
        Silent Installations and Uninstallations
Chapter 4: Configure Location Awareness
    Introduction to Location Awareness
        Guidelines for Location Conditions
    Location Awareness Tasks
        Configure Locations
        Edit Location Conditions
    Location Rulebase Ordering
        Configure Default Actions
    Configure Web Filtering Auto-Detection
        Install Local Policy on a ProxySG Appliance
    Configure Locations Using the CLI
Chapter 5: Configure Unified Agent Web Filtering
    Introduction to Web Filtering
        Web-Filtering Terminology
        Web-Filtering Process
        Web Filtering for Users and Groups
    Web-Filtering Task Summary
    Downloading the BCWF Database
        Provide BCWF Database Credentials
        Set the License-Expiration Action
        Enable the Blue Coat WebFilter Database
        Category-Provider Databases
    Set Up the Local Database
    Configure Web-Filtering Policies
        Enable Unified Agent Web Filtering
        Configure HTTPS Filtering and Safe Search
        Set Category Policies
        Configure Policies for Users and Groups
        Configure System and Default Actions
        Add Policy Categories
    Prioritize Categories in the Rule Base
    Web Filtering Best Practices
    Customize Exception Pages
    Enable Web Filtering Logging
        About Web Filtering Logging
        How to Enable Web-Filtering Logging
        Configure Proxy Access to the FTP Server
        Interpreting the Log Files
    Configure Unified Agent Web Filtering (CLI)
Chapter 6: Monitor Unified Agent Performance
    View Unified Agent History Statistics
        Configurations Served Statistics
        Active Unified Agent Statistics
        Unified Agent Software Served
    Client Details
        Unified Agent Details
        Options on All Client Detail Pages
        Client Version Count
Chapter 7: Troubleshoot Unified Agent
    The Unified Agent Status Window
    Unified Agent Menu Bar Icons
    Troubleshoot Unified Agent Connectivity and Configuration
        Suggested Remedies for Connectivity Errors
        Resolve "Configuration Download Error"
        Resolve "Error downloading configuration file"
    Unified Agent Troubleshooting Tools
        Diagnostic Files
        Tracing Information
    Troubleshoot Unified Agent Web Filtering
        Tools for Web-Filtering Troubleshooting
        Troubleshoot Web Filtering
    Disputing URL Categorizations

Preface

This Preface provides you with an overview of the intended audience for this book, the document organization, Blue Coat typographical conventions, and related documentation for this product.

Audience
This book is written for administrators responsible for planning and deploying the Blue Coat Unified Agent and assumes that you have knowledge of basic software installation and web filtering concepts.

Typographical Conventions in the Unified Agent: Deployment and Administration Guide
Blue Coat documents employ the following typographical conventions:

Convention          Definition
Italics             The first use of a new or Blue Coat proprietary term; also used for emphasis.
Consolas            Command-line text, to be entered verbatim.
<code>              The blue angle brackets enclose the name of a command-line variable.
{item1 | item2}     One of the parameters enclosed within the braces must be supplied.
[option]            An optional parameter or parameters is contained in the square brackets.
BlueTouch Online
BlueTouch Online (BTO) is Blue Coat's online repository for:
• Downloads—Software upgrades, release notes
• Documentation—All product documentation, including the latest version of this document
• Licensing—Obtain and update licenses for Blue Coat products
• Cases—Open and manage cases
• Forums—Ask questions and share information with other Blue Coat users as well as Blue Coat support staff
• Knowledge Base—Product-specific solutions and technical issues
• Security Advisories—Latest vulnerabilities that affect Blue Coat products
• Training—Webcasts, fee-based instructor-led courses, virtual classrooms, and complimentary videos
• Recommended Releases—Recommendations for long-term support by software or hardware version
• RSS Feeds—Notifications of knowledge-base releases

To access BlueTouch Online: Log in to https://bto.bluecoat.com
Note: To request login credentials for BTO, go to https://www.bluecoat.com/forms/contact.

Subscribe to Content
It is recommended that you subscribe to RSS feeds, user documentation, or security advisories to receive notifications when documents are added or updated.

Specific Security Advisories
Follow these steps to subscribe to specific advisories:
1. On the BlueTouch Online main page click Security Advisories.
2. Optional—Select a product name in the Select Products list and click Apply.
3. Optional—Click a column heading to sort the list of advisories.
4. Select an advisory that is in Interim status, which means that further updates are expected.
5. Click Subscribe.

All Security Advisories
Follow these steps to subscribe to all security advisories:
1. On the BlueTouch Online main page click the RSS Feed icon.
2. Under Content Feeds, click Security Advisories.
3. Copy the RSS feed URL from your browser and add it to your preferred RSS reader.

Knowledge Base Articles
Follow these steps to subscribe to knowledge-base feeds:
1. On the BlueTouch Online main page click the RSS Feed icon.
2. Under Knowledge Base Feeds, click one or more of the following:
   • Content Types—Select from among the four article types: Solution, Cloud Announcement, Product Information, Technical Alert
   • Products—Select from among Blue Coat products
   • Software—Select from among Blue Coat software
   • Topics—Select from among general topics
3. Copy the RSS feed URL from your browser and add it to your preferred RSS reader.

Product Documentation
1. On the BlueTouch Online main page click the Documentation tab.
2. Select the appropriate product from the Product drop-down list.
3. Place your cursor over the document you would like to subscribe to and click Subscribe.

To follow Blue Coat Systems on social media, click the appropriate icon in the upper-left corner: Twitter, Facebook, or YouTube.

Chapter 1: Unified Agent Concepts

Before installing and configuring Unified Agent, Blue Coat recommends that you understand the information discussed in this chapter.

Why Deploy Unified Agent?
Organizations seek to extend the same security, policy control, and tracking abilities that are available on the network to their organization's off-site devices, such as laptops that employees use when working at home or when out of town. Blue Coat designed the Unified Agent solution to ensure that an organization's web usage policies are maintained both on-site and off.

Software and Hardware Requirements
For information about software and hardware requirements, see the Unified Agent Release Notes.

Licensing the Unified Agent
Your SGOS license permits you to designate a ProxySG appliance as the Client Manager for an unlimited number of Unified Agent connections. You must size your Unified Agent deployment based on your Client Manager scalability. Only SGOS Proxy Edition can provide web filtering for Unified Agents.
To receive Blue Coat WebFilter (BCWF) category updates, valid login credentials must be provided to download the BCWF database to the Client Manager. All Unified Agents must connect to the licensed Client Manager at least once every 30 days. For more information on SGOS licensing, refer to the SGOS Administration Guide.

ProxySG Appliances and Unified Agent
A ProxySG appliance must be designated as a Client Manager to provide the following services to Unified Agents:
• Periodic verification of the BCWF license
• Monitoring
• Agent configuration management for web-filtering policies

Unified Agent Tamper Resistance
Users who log in to their workstations with administrative (Administrator or root) privileges have the ability to stop or kill daemons, unload drivers, and uninstall software. If a user stops the Unified Agent daemon, web-content filtering could be circumvented. Blue Coat provides the means to prevent most users from uninstalling the Unified Agent and from disabling web filtering. For more information, see "Unified Agent Tamper Resistance" on page 19.

Location Awareness
Location awareness enables administrators to enable or disable web filtering based on the user's location. For example, administrators can disable local web filtering for devices in locations where ProxySG appliances already perform that function, such as in corporate offices. Administrators can then enable web filtering for Unified Agent devices when they are connected to networks that do not have ProxySG web filtering, so that those users have the same level of security and productivity control as they do in the office. For more information see Chapter 4: "Configure Location Awareness" on page 33.

Unified Agent Web Filtering
Enterprises filter web content for security and compliance reasons. Network administrators want to prevent users from accessing web sites with malicious content.
Human Resources wants to prevent users from accessing offensive content or from excessive web surfing. Blue Coat's Unified Agent web-filtering solution provides an answer for both concerns by providing robust filtering, both in the office and on the road. For more information see Chapter 5: "Configure Unified Agent Web Filtering" on page 43.

Blue Coat WebFilter Categorization
URL categorization is the process of assigning a classification to a URL according to its content. Blue Coat provides URL categorization through its WebPulse service, which leverages continuous feedback from Blue Coat's customer base. This web-filtering feature enables you to allow, block, or warn users about accessing content in categories that you specify, using any of the following sources:
• Blue Coat WebFilter database categories
• Local database categories
• Policy categories (also called custom categories)
• System and Default categories

Web Filtering on Captive Portals
While traveling, users might be required to access the Internet as the guest of another network. For example, some businesses and hotels provide Internet access through a "captive portal." When users connect to the network and open a web browser, the browser is redirected to a welcome page that requires user interaction before granting Internet connectivity. The welcome page can be as simple as a click-through service agreement or as complex as a credit card payment. After users complete the required agreement or transaction, they are allowed to access the Internet. When Unified Agent detects a captive portal, it permits users to view and interact with the welcome page without web filtering. After the user connects to the Internet, Unified Agent applies the web filtering policy.
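The FTP Log Security topic that closes this chapter notes that Unified Agent web-filtering logs are uploaded to an FTP server that must allow anonymous access, so anyone can download a log, alter it and upload it again, and the only server-side evidence is the source IP address of each upload. The PowerShell script below is an added example, not part of this guide or of the Unified Agent product, of the server-side check a practitioner would want: it scans an FTP transfer log for the same log file being stored more than once, stored from more than one client address, or deleted. The log lines are constructed for the example in an assumed W3C-style layout (date, time, client IP, command, path, status code) under an assumed /ua-logs directory; the sample contains one file re-uploaded from the same address, one stored from two different addresses, one deleted, and one aborted transfer (status 426) that is ignored. Adapt the regular expression to your FTP server's own log format.

```powershell
# Added example, not from the Unified Agent guide or product: flag FTP upload patterns that
# match the tampering the guide's FTP Log Security section warns about.
# Constructed sample log in an assumed W3C-style layout: date time c-ip cs-method cs-uri-stem sc-status
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2016-11-16 09:00:12 10.1.20.15 STOR /ua-logs/LAPTOP-07_20161116.log 226
2016-11-16 09:00:40 10.1.20.22 STOR /ua-logs/LAPTOP-11_20161116.log 226
2016-11-16 09:15:03 10.1.20.15 RETR /ua-logs/LAPTOP-07_20161116.log 226
2016-11-16 09:16:48 10.1.20.15 STOR /ua-logs/LAPTOP-07_20161116.log 226
2016-11-16 09:20:00 203.0.113.9 STOR /ua-logs/LAPTOP-11_20161116.log 226
2016-11-16 09:21:10 203.0.113.9 DELE /ua-logs/LAPTOP-03_20161116.log 250
2016-11-16 09:30:00 10.1.20.30 STOR /ua-logs/LAPTOP-19_20161116.log 426
'@

function Find-SuspiciousLogUploads {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Keep only transfer records; the '#Fields' header and malformed lines are skipped.
    $events = foreach ($line in $Lines) {
        if ($line -match '^(?<date>\S+) (?<time>\S+) (?<ip>\S+) (?<cmd>STOR|RETR|DELE) (?<path>\S+) (?<status>\d{3})$') {
            [pscustomobject]@{
                When = [datetime]"$($Matches.date) $($Matches.time)"
                Ip   = $Matches.ip
                Cmd  = $Matches.cmd
                Path = $Matches.path
                Ok   = [int]$Matches.status -lt 300   # 2xx = command completed
            }
        }
    }

    $findings = New-Object 'System.Collections.Generic.List[object]'

    # The agent only uploads logs; a completed DELE is never expected, so each one is a finding.
    foreach ($e in ($events | Where-Object { $_.Cmd -eq 'DELE' -and $_.Ok })) {
        $findings.Add([pscustomobject]@{ Path = $e.Path; Reason = 'deleted'; Sources = $e.Ip; Uploads = 0 })
    }

    # Each log file should arrive once, from one client. A second STOR, or a STOR from a
    # different address, is the download-edit-re-upload pattern the guide describes.
    $events | Where-Object { $_.Cmd -eq 'STOR' -and $_.Ok } | Group-Object Path | ForEach-Object {
        $sources = @($_.Group.Ip | Sort-Object -Unique)
        if ($_.Count -gt 1 -or $sources.Count -gt 1) {
            $reason = if ($sources.Count -gt 1) { 'stored from multiple addresses' } else { 're-uploaded' }
            $findings.Add([pscustomobject]@{
                Path = $_.Name; Reason = $reason; Sources = ($sources -join ', '); Uploads = $_.Count
            })
        }
    }
    return $findings.ToArray()
}

# Run against the constructed sample; for production use, pass (Get-Content <ftp transfer log>).
Find-SuspiciousLogUploads -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

A finding is a prompt to investigate, not proof of tampering, but it is exactly the evidence the guide says the FTP server can still provide once a log has left the client.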
FTP Log Security
When you deploy Unified Agent in your network, be aware of the following vulnerabilities regarding the transport of Unified Agent logs to the FTP server:
• It is possible for users to edit or delete web filtering log files before they are uploaded to the FTP server.
• Because the FTP server must allow anonymous access, anyone can download a log file, change it, and upload it again without detection (although your FTP server can report the source IP address used to upload log files).
Treat these logs as an indication of user activity rather than as tamper-evident records.

Chapter 2: Configure the Client Manager

This chapter explains how to configure a ProxySG appliance as a Client Manager. A Client Manager provides the following services for Unified Agent devices:
• Software update repository
• Periodic verification of the Blue Coat WebFilter (BCWF) license
• Monitoring
• Client configuration management (such as web-filtering policy)

This chapter discusses the following topics:
• "Designate a ProxySG Appliance as the Client Manager", below
• "Implement Client Security Measures" on page 19
• "Upload Unified Agent Software to the Client Manager" on page 21
• "Set Up the Client Manager (ProxySG Appliance CLI)" on page 24

Designate a ProxySG Appliance as the Client Manager
You must designate at least one ProxySG appliance in your infrastructure as the Client Manager. The Client Manager is responsible for providing client configuration to the Unified Agent software installed on client devices. For the CLI equivalent of this function, see "Set Up the Client Manager (ProxySG Appliance CLI)" on page 24.

To designate a ProxySG as the Client Manager:
1. Log in to the ProxySG's Management Console with administrator credentials.
2. Select Configuration > Clients > General > Client Manager.
3. On the Client Manager tab, select the Enable Client Manager check box to designate this ProxySG as a Client Manager.
4. In the Client Manager section, enter or edit the following information:

Table 2-1 Client Manager options

Host section
    Specify the host from which users get the Unified Agent configuration and updates. Blue Coat recommends you specify a fully qualified host name, not an unqualified (short) host name or IP address. If you use a fully qualified host name and the Client Manager's IP address changes later, you need only to update DNS for the Client Manager's new address and clients can continue to download the software and updates from the Client Manager. You have the following options:
    • Use host from initial client request (Recommended)—Select this option to enable clients to download the initial policy configuration and configuration updates from the original host. In a typical Unified Agent deployment, the administrator installs the software from the command line, referring to a specific Client Manager. The host name or IP address in that command is used to download the software to the client and is written to the client's configuration file for use in future software and configuration updates.
    • Use host—Select this option to download the configuration from the host name you specify. Enter a fully qualified host name or IP address only; do not preface it with https:// or software and configuration file downloads will fail.

Port field
    Enter the port on which the Client Manager listens for requests from clients. The default is 8084.

Keyring list
    Click the name of the keyring to use when clients connect to the Client Manager. The certificate in this keyring is the one that Unified Agent validates when it downloads installer and configuration files; see "Certificate Management" on page 19.

Update Interval field
    Specify the length of time (in minutes) between update checks. For example, if the value is 120, each Unified Agent instance will connect to the Client Manager at startup and then initiate an update check every 120 minutes thereafter. Valid values are 10–432000 (300 days).
    The default Update Interval is 120 minutes.

Implement Client Security Measures
Before making Unified Agent software available from the Client Manager, set up the following security measures:
• "Certificate Management", below
• "Unified Agent Tamper Resistance" on page 19

Certificate Management
To prevent man-in-the-middle and other spoofing attacks, the Client Manager presents a certificate to authenticate the connection when the Unified Agent downloads installer and configuration files. This measure prevents attacks that could compromise the configuration or installer. Blue Coat recommends that you install a Unified Agent-specific certificate on the Client Manager, using the conventional methods of obtaining a signature from a certificate authority and installing the requisite files on the Unified Agent device. Consult the SGOS Administration Guide for more information on certificate management in ProxySG. It is possible, but not recommended, to use the default set of ProxySG certificates that are already on the Client Manager.

Unified Agent evaluates the validity of the certificate in a manner similar to a web browser. If the expiration date has passed, the user is notified that the certificate must be updated and the error is logged. If the domain name or IP address in the certificate does not match the server, Unified Agent detects the error and prompts the user to manually trust the untrusted certificate. Because a user can accept that prompt, a name mismatch weakens the protection this measure provides: issue the certificate for the same fully qualified host name that clients use to reach the Client Manager (the Host options in Table 2-1), so that the prompt never appears in normal operation and users are not trained to click through it.

Installing a Certificate on the Unified Agent Client
On Windows clients, the certificate must be installed in the local machine certificate store as a trusted root certificate, not in the store for the current user. Only an Administrator account can install a certificate in the local machine store.

Unified Agent Tamper Resistance

Password Protection
Configure the uninstall password on the Client Manager under Configuration > Clients > General > Client Software > Uninstall Password.
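For the certificate installation step above, the following PowerShell script is an added example, not part of this guide or of the Unified Agent product. It installs the CA certificate that signed the Client Manager's certificate into the machine-wide Trusted Root store (Cert:\LocalMachine\Root, as the guide requires, and not the current user's store), refusing to run unless the session is elevated, and then opens a TLS session to the Client Manager and reports what the Windows chain builder decides, so that a chain error or a host-name mismatch (the case in which Unified Agent would prompt the user) is caught before clients are rolled out. The certificate path and the host name cm.example.com are assumptions; port 8084 is the Client Manager default from Table 2-1. Import-Certificate comes with the PKI module on Windows 8 / Server 2012 and later; on older systems substitute certutil -addstore Root <file>.

```powershell
# Added example, not from the Unified Agent guide or product: install the Client Manager's
# root CA into LocalMachine\Root and verify that a TLS connection to the Client Manager
# validates without a name or chain error.
# Assumed values (not from the guide): the .cer path and the host name cm.example.com.
param(
    [string]$CaCertPath    = 'C:\Deploy\unified-agent-root-ca.cer',   # assumption
    [string]$ClientManager = 'cm.example.com',                         # assumption: the FQDN clients use
    [int]$Port             = 8084                                      # Client Manager default port
)

# The guide requires the LocalMachine store, which only an Administrator can write to.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

# Trusted Root Certification Authorities of the machine, not Cert:\CurrentUser\Root.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported root: $($ca.Subject) (thumbprint $($ca.Thumbprint))"

# Record the validation result instead of letting a failure throw, so it can be reported.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true   # accept only so the handshake completes; the verdict is printed below
}

$tcp = New-Object System.Net.Sockets.TcpClient($ClientManager, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    # Authenticating against the FQDN is what makes the name check meaningful; if clients
    # are configured with an IP address instead, that address must appear in the certificate.
    $ssl.AuthenticateAsClient($ClientManager)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $san  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName

    Write-Host "Server certificate: $($leaf.Subject)"
    if ($san) { Write-Host "Subject alternative names: $($san.Format($false))" }
    Write-Host "Issuer: $($leaf.Issuer); valid until $($leaf.NotAfter)"

    if ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
        Write-Host 'OK: chain and host name validate; Unified Agent will not prompt the user.'
    } else {
        # RemoteCertificateNameMismatch -> the agent would ask the user to trust the certificate.
        # RemoteCertificateChainErrors  -> wrong or missing root in LocalMachine\Root, or expired.
        Write-Warning "Validation failed: $($script:policyErrors). Fix this before rolling out clients."
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it once on a reference workstation after the certificate has been issued and before the installer is distributed; the same check is useful whenever the Client Manager's certificate is renewed, since an expired certificate is the other condition the guide says is reported to the user.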
Setting an uninstall password prevents users from performing the following tasks:
• Uninstalling the Unified Agent software
• Disabling Unified Agent features or policies such as web filtering by stopping the Unified Agent service, whether from Task Manager or with net stop or sc from the command line

Config File Edit-Detection
If the user edits UnifiedAgentConfig.xml and Unified Agent detects the edit, the behavior is as follows:
• Unified Agent rejects that file and retrieves a backup copy of the config file.
• If the backup copy has also been altered by the user, Unified Agent rejects that file and attempts to download a new version of UnifiedAgentConfig.xml from the Client Manager.
• If Unified Agent cannot connect to the Client Manager, the default action is applied from client memory, as specified by the Web Filtering policy on Configuration > Clients > Web Filtering > Policy. See "Configure System and Default Actions" on page 56.
• If the default action is not available, Unified Agent 4.6.2 and later will "fail open"; that is, all HTTP(S) requests are allowed until Unified Agent is able to reconnect with the Client Manager. For more information, see SA102 on bto.bluecoat.com/security-advisories.

Upload Unified Agent Software to the Client Manager
Note: ProxySG support for distributing Unified Agent software begins with SGOS 6.6.3.

Because ProxySG does not necessarily have the latest Unified Agent software, Blue Coat recommends that you subscribe to the appropriate notification services from BlueTouch Online (BTO). Visit https://bto.bluecoat.com/getting-started-bluetouchonline for more information.

After you upload new client software to the Client Manager, users receive a pop-up notification that there is a new upgrade available. The users must click a button to upgrade their client software.
The interval between uploading new software to the Client Manager and the users receiving the notification depends on how often the client retrieves the configuration files from the Client Manager. To upgrade your client software without user interaction, see "Install Unified Agent Software on Windows" on page 25 for instructions.

Retrieve the Unified Agent Update Files
Follow these steps to find the Unified Agent update files on BTO.
1. Log on to the BTO downloads page: http://bto.bluecoat.com/downloads
   If you do not have a BTO login, go to http://www.bluecoat.com/forms/contact
2. Click Blue Coat Product Downloads.
3. On the My Products List click Unified Agent.
4. On the Recommended LTR/Latest Feature Release tab, click the desired version of Unified Agent; for example, Unified Agent 4.7.1.xxxxxx.
5. Accept the Software Terms and Conditions by clicking I Agree.
6. On the next page you should see four installation files and the release notes. The installation files are as follows:
   • unifiedagent_4.7.1_xxx.car—Upload to the Client Manager only
   • bcua-installer-4.7.1.xxxxxx.dmg—Mac OS X devices
   • bcua32-setup.msi—32-bit Windows devices
   • bcua64-setup.msi—64-bit Windows devices
   Note: Do not attempt to upload the .dmg or .msi files to the Client Manager. Use those files for installation using other processes. See "Install Unified Agent Software on Windows" on page 25 for more information.
7. From here you have the option to:
   • "Install Client Software to the Client Manager from a Remote URL"
   • "Download the Upgrade Files to a Local Resource" on page 22

Install Client Software to the Client Manager from a Remote URL
Use this method if you want to directly retrieve the upgrade files from BTO using the Client Manager or if you have already downloaded the upgrade files and have hosted them on a local web server.
Do not use this method if you intend to perform a manual or silent installation or distribute the upgrades via Windows Group Policy Object.

1. On the ProxySG that is functioning as the Client Manager, select Configuration > Clients > General > Client Software.
2. For Install Unified Agent Software from, select Remote URL and click Install.
3. On the Proceed with installation? dialog, click Yes to replace the existing upgrade files.
4. On the Install Unified Agent Software dialog, paste the Installation URL. Obtain the URL by:
   • Right-clicking the link to the .car file on BTO and copying the link location
   • Inputting the location of the file on your web server
5. Click Install. After a few moments, you are notified that either the upload was successful or that there was an error. If the upload was successful, you should see an updated Last installed date and time.

Download the Upgrade Files to a Local Resource

Use these methods if you intend to perform a manual or silent installation or distribute the upgrades via Windows Group Policy Object. You can also use this method to upload the .car file to the Client Manager directly.

Download to a Workstation

Use this method to download one or more files to your workstation.

1. For each client device type that accesses your Client Manager, download its installation file using one of the following methods:
   • Click the file name to download the file(s) that you need.
   • Select the check box for each needed file and click Download Selected Files.
2. After the download is completed, you may do one of the following:
   • Host the file on a web server that the Client Manager can access, and then "Install Client Software to the Client Manager from a Remote URL" on page 22.
   • Manually upload the file to the Client Manager, as described in "Install Client Software to the Client Manager from a Local File" on page 23.
   • Distribute the files using another method. See "Install Unified Agent Software on Windows" on page 25.
Transfer to an FTP Server

Use this method to transfer the upgrade files to an FTP server.

1. For each file to download, click Advanced Download Options.
2. A pop-up window contains the instructions for using an FTP client:
   • Server URL
   • File Path and File Name
   • Login (your BTO account name)
   • How to get an FTP password if you do not already have one
3. After the FTP client retrieves the upgrade files, you may do one of the following:
   • Host the file on a web server that the Client Manager can access, and then "Install Client Software to the Client Manager from a Remote URL" on page 22.
   • Manually upload the file to the Client Manager, as described in "Install Client Software to the Client Manager from a Local File" on page 23.
   • Distribute the files using another method. See "Install Unified Agent Software on Windows" on page 25.

Install Client Software to the Client Manager from a Local File

Use this method if you downloaded the upgrade files locally.

1. On the ProxySG that is functioning as the Client Manager, select Configuration > Clients > General > Client Software.
2. For Install Unified Agent Software from, select Local File and click Install.
3. On the Proceed with installation? dialog, click Yes to replace the existing upgrade files.
4. In the Open dialog, navigate to the location where you downloaded the upgrade files, select one of the files, and click Open.
5. After a few moments, you are notified that either the upload was successful or that there was an error. If the upload was successful, you should see an updated Last installed date and time.
Set Up the Client Manager (ProxySG Appliance CLI)

To set up a ProxySG appliance as a Client Manager using the command line interface (CLI), follow these steps:

• "Designate the Client Manager"
• "Display Unified Agent Settings"
• "Clear Unified Agent Statistics"

Designate the Client Manager

To configure the Client Manager:

1. At the #(config) command prompt, enter clients.
2. Enable this appliance as the Client Manager:
   #(config clients) enable
3. Configure Client Manager settings:
   #(config clients) client-manager host {from-client-address | <ip_address> | <host>}
   #(config clients) client-manager install-port <port>
   #(config clients) client-manager keyring <keyring>
   #(config clients) hashed-uninstall-password <hashed-password>
   #(config clients) uninstall-password <cleartext-password>

Display Unified Agent Settings

To display current Unified Agent settings:

   #(config) show clients {[exclude-subnets] | clients | locations | web-filtering}

Note: For Unified Agents, only web filtering information is displayed.

Clear Unified Agent Statistics

To clear current Unified Agent statistics:

   #(config clients) clear {inactive | all}

Clears (that is, sets to zero) the count of inactive Unified Agent users. Note the following:

• Agents are automatically cleared after 30 days of inactivity.
• After a software upgrade, agents appear twice for 30 days—one entry for the earlier version of agent software and one entry for the newer version of agent software. You can optionally clear the inactive agents to avoid seeing duplicate information.
• For an agent to be reported as inactive, 10 minutes or more must elapse between the heartbeat packets it sends to the Client Manager.
Chapter 3: Install Unified Agent Software on Windows

This chapter discusses how to install Unified Agent for the first time on Windows devices and also how to uninstall Unified Agent:

• "Obtain the Installation Files" on page 25
• "Manually Install Unified Agent on a Windows Device" on page 26
• "Using Group Policy Object Distribution" on page 28
• "Silent Installations and Uninstallations" on page 29

Note: After initial installation on the client device, users can retrieve updates manually from the Client Manager. See "Upload Unified Agent Client Software to the Client Manager" on page 19.

Prerequisites

Before continuing, ensure that you have performed all of the following tasks:

• Upgraded the ProxySG appliance that will act as Client Manager to a version of SGOS that is compatible with the Unified Agent: SGOS 6.5.x or later.
  • SGOS 6.5.1.1 is required for certificate validation on clients that run Windows 8.1 or Windows 10, because it supports TLS 1.1 and 1.2.

Obtain the Installation Files

You can download the Unified Agent installation package directly from BTO or indirectly from the Client Manager.

To download the Unified Agent installation files from BTO:

1. Log on to BTO at https://bto.bluecoat.com.
   Note: To request login credentials for BTO, go to https://www.bluecoat.com/forms/contact.
2. Click the Downloads tab and then click Blue Coat Product Downloads.
3. On the product list, click Unified Agent.
4. Follow the prompts to download bcuaXX-setup.msi.

Important: If you intend to host the upgrade files on a local server, do not rename bcuaXX-setup.msi or future updates will fail.

To download the Unified Agent installation files from the Client Manager:

To use this method, you must have first uploaded the latest .car file to the Client Manager as shown in "Obtain the Installation Files" on page 25.

1. On the Client Manager, select Configuration > Clients > General > Client Manager.
2. Under Unified Agent Components, locate the URLs for the Client setup MSI (xx-bit Windows) files.
3. If the URL contains host-from-client-request, replace it with the IP address or hostname of the Client Manager.
4. In a browser, navigate to the link and download the .msi file.

Methods to Install the Unified Agent Software

Administrators can install Unified Agent software on users’ workstations in any of the following ways:

• Manual installation, launched from the command line on the user’s machine. See "Manually Install Unified Agent on a Windows Device" on page 26.
• Silent installations. See "Silent Installations and Uninstallations" on page 29.
• Windows Group Policy Object distribution. See "Using Group Policy Object Distribution" on page 28.
• Windows System Center Configuration Manager (SCCM)—previously referred to as Systems Management Server (SMS)—distribution. For more information about SCCM or SMS, consult the documentation provided with your SCCM or SMS server.

Manually Install Unified Agent on a Windows Device

Follow these steps to manually install Unified Agent on one Windows device.

Important: Unless your users are fairly competent with Windows command-line operations, Blue Coat does not recommend that users install Unified Agent themselves. For the user to run bcuaXX-setup.msi, the user must be in the Administrators group on the target device.

1. Use one of the methods in "Obtain the Installation Files" on page 25 to download bcuaXX-setup.msi (bcua32-setup.msi or bcua64-setup.msi) to the device.
2. Locate the CM (client manager) URL parameter on the ProxySG that is designated as Client Manager.
   a. Select Configuration > Clients > General > Client Manager.
   b. Make a note of the Client configuration URL under Unified Agent Components (https://<client_manager>:8084/unifiedagent/UnifiedAgentConfig.xml). If the URL is host-from-client-request, replace it with the IP address or hostname of this Client Manager.
      Important: It is mandatory that this parameter be passed to the setup process from the CLI.
   c. Provide the users with the CM_URL parameter if they are installing Unified Agent themselves.
3. In the Windows Start Menu, right-click the Command Prompt icon and select Run as administrator.
4. Determine the absolute path to bcuaXX-setup.msi. In some Windows configurations, the absolute path to the Downloads folder is c:\Users\<user_name>\Downloads\.
5. At the command line, enter the following:
   <absolute_path>\bcuaXX-setup.msi CM_URL=<client_configuration_URL>
   where
   • absolute_path—The absolute file-system path to bcuaXX-setup.msi
   • client_configuration_URL—The URL to UnifiedAgentConfig.xml on the Client Manager.
   For example:
   c:\users\jane.user\bcua64-setup.msi CM_URL=http://10.0.0.1:8084/unifiedagent/UnifiedAgentConfig.xml
6. The Unified Agent Setup wizard is launched. Follow the prompts to install Unified Agent.
7. When the installation is complete, click Finish. A restart prompt is displayed. Click Restart Now.
   Important: Because Unified Agent will not begin to function until after reboot, you must click Restart Now.
8. After you restart the system, a prompt might inform you that the configuration server’s certificate has an invalid CA.
9. Click Yes to accept the certificate. (Blue Coat recommends that you update or fix the Unified Agent certificate on the Client Manager as explained in "Certificate Management" on page 19 and in the SGOS Administration Guide.)
10. Unified Agent then downloads the latest configuration files from the Client Manager.
Note: If the Client Manager is not available, the installation will still succeed. Afterwards, the Unified Agent will try to contact the Client Manager every 10 minutes until the client downloads the latest configuration. If Client Manager communication issues persist, see "Troubleshoot Unified Agent Connectivity and Configuration" on page 78.

Important: Do not edit UnifiedAgentConfig.xml on the client computer after it has been downloaded from the Client Manager. Instead, click Check for Updates Now on the Advanced page of the Unified Agent’s console window to get a configuration update.

11. Verify the Unified Agent tray icon state as discussed in "Unified Agent Menu Bar Icons" on page 77.

Using Group Policy Object Distribution

This section discusses how to distribute the Unified Agent software using Windows Group Policy Object (GPO). The .msi file should be edited using a table-editing tool such as the Orca database editor, which is included in the Microsoft SDK. (See Microsoft KB article 255905.) Although Blue Coat does not recommend any particular transform tool, the following instructions assume that you are using Orca.

Important: Only an experienced Windows administrator should attempt to complete the tasks discussed in this section. Be advised that changing the Property table invalidates the signature on the .msi.

To distribute Unified Agent software using GPO:

1. Open bcuaXX-setup.msi in the transform tool.
2. Perform the following changes to the Property table:

Table 3-1 Unified Agent setup property table changes

Property: CM_URL
Action: Add row
Value: Required for all installations. URL to UnifiedAgentConfig.xml on the Client Manager, entered as follows: https://<client-manager>:8084/unifiedagent/UnifiedAgentConfig.xml

Property: REINSTALL
Action: Add row
Value: Add this row and set it to all only if you want to update the Unified Agent software and configuration using GPO. If clients will get future Unified Agent software and configuration updates from the Client Manager, do not add this row.

Property: REINSTALLMODE
Action: Add row
Value: Add this row and change it to vamus only if you want to update the Unified Agent software and configuration using GPO. If clients will get future Unified Agent software and configuration updates from the Client Manager, do not add this row.

3. Generate the transformation.

Silent Installations and Uninstallations

This section discusses how to silently install or uninstall Unified Agent—that is, install and uninstall without user interaction. It includes the following topics:

• "Parameters for Silent Installations" on page 29
• "Command for Silent Uninstallations" on page 30
• "Example Installations and Uninstallation" on page 31

Parameters for Silent Installations

Table 3-2 shows parameters to use with bcuaXX-setup.msi for silent installations.

Silent Installation Syntax

   bcuaXX-setup.msi [/qf | /qb | /qr | /qn] CM_URL=<client_configuration_URL> REINSTALL=ALL REINSTALLMODE=vamus /norestart [REBOOTTIME=<secs>] [/l*v <logfile>]

Silent Installation Parameters

The following table shows the meanings of the parameters that can be used for silent installations; for examples, see "Example Installations and Uninstallation" on page 31.

Table 3-2 Parameters for Silent Unified Agent Installations

Parameter: /qf | /qb | /qr | /qn | /quiet
Description: Sets the user-interaction level—the extent to which the installer interface is visible and the controls available to the user.
  /qf (default) — Fully visible and interactive, enables the user to see and interact with the installer and to cancel the installation.
  /qb (basic), /qr (reduced) — Enables the user to see and interact with the installer and to cancel the installation.
  /qn or /quiet (totally silent) — Prevents the user from seeing or interacting with the installer and therefore from canceling the installation.
  Note: Because this is an msiexec parameter, other options are available. Enter msiexec at a command prompt for more information about other options.

Parameter: CM_URL
Argument: <URL>
Description: URL to UnifiedAgentConfig.xml on the Client Manager, entered as follows: https://<client_manager>:8084/unifiedagent/UnifiedAgentConfig.xml. When Unified Agent reads the configuration file, it saves it to C:\ProgramData\bcua.
  Note: Do not edit UnifiedAgentConfig.xml on the client computer after it has been downloaded from the Client Manager. Instead, click Check for Updates Now on the Advanced page of the Unified Agent’s console window to get a configuration update.

Parameter: REINSTALL
Argument: ALL
Description: Installs all Unified Agent components, even if they are already installed. ALL is the only currently supported value.

Parameter: REINSTALLMODE
Argument: vamus
Description: Blue Coat recommends using vamus. Because this is an msiexec parameter, other options are available. For more information, see the description of the REINSTALLMODE parameter on the MSDN web site.

Parameter: REBOOTTIME
Argument: secs
Description: Default is 0. Number of seconds after the Unified Agent installation completes before the user’s machine is rebooted. A non-zero value means a counter is displayed on the post-installation reboot dialog.

Parameter: /l*v
Argument: logfile
Description: If you want the installation to be logged, enter the absolute file-system path and file name of the log file. The user installing the software must have permission to write to the indicated folder and the folder must be available during the installation; therefore, you should avoid specifying a network drive.
Command for Silent Uninstallations

To silently uninstall the Unified Agent software, use the following command:

   msiexec /X{<msi_product_code>} /quiet UNINSTALL_TOKEN=<token>

where

• msi_product_code — The Unified Agent installer’s MSI product code, as follows:
  • 4.6.1.x — B41CE063-B4D3-4931-87A3-B5DB6985D19C
  • 4.6.2.x — E56B4DE1-7A31-4EA3-8008-6CBA3DDBD888
  • 4.6.4.x — 65E7A44B-F106-4281-98A4-6490F393854A
  • 4.7.1.x — 37BA9110-A143-46B1-ADAA-498B263DD885
• UNINSTALL_TOKEN — Uninstall password from Configuration > Clients > General > Client Software > Uninstall Password

During uninstallation, the Unified Agent removes all Unified Agent drivers, folders, files, and the service.

Silently Uninstall Unified Agent

This section describes how to uninstall Unified Agent. You can only uninstall Unified Agent from a device if:

• You have administrator credentials.
• You know the uninstall password (if one is configured).

For information about silent uninstallation, see "Example Uninstallation" on page 32.

To uninstall the Unified Agent from Windows:

1. Log in to your machine as a user who is a member of the Administrators group.
2. Select Start > Control Panel.
3. In the Control Panel window icon view, click Programs and Features. In Category view, select Programs > Uninstall a program.
4. Right-click Unified Agent and select Uninstall.
5. Follow the prompts to uninstall the software.

Secondary Procedure

If the preceding procedure did not remove all traces of Unified Agent, try uninstalling Unified Agent in Safe Mode.

To uninstall Unified Agent in Windows Safe Mode:

1. Boot into Safe Mode without Networking, which means that no Unified Agent components are loaded by the system.
2. Log in as an administrator.
3. Select Start > Settings > Control Panel.
4. In the Control Panel window, select Programs and Features.
5. Click Unified Agent.
6. Click Uninstall.
7. Follow the prompts to uninstall the software.
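The silent installation syntax and the silent uninstall command above, wrapped as an added Python example for deployment scripting (this is not Blue Coat code). It assumes the `msiexec /i` invocation form in place of running the .msi directly, and the paths, URL and token it prints are constructed sample values; the switches, property names, installer names and product codes are the ones this chapter lists.

```python
"""Build msiexec command lines for silent Unified Agent installs and uninstalls.

Added example for deployment scripting; it is not Blue Coat code. The switches,
MSI property names, installer file names and product codes are the ones listed
in this chapter; the validation encodes the chapter's warnings (keep the installer
name, replace host-from-client-request in CM_URL, keep the log off network drives).
"""
import ntpath
import re
import subprocess
import sys

# Product codes from "Command for Silent Uninstallations", keyed by release.
PRODUCT_CODES = {
    "4.6.1": "B41CE063-B4D3-4931-87A3-B5DB6985D19C",
    "4.6.2": "E56B4DE1-7A31-4EA3-8008-6CBA3DDBD888",
    "4.6.4": "65E7A44B-F106-4281-98A4-6490F393854A",
    "4.7.1": "37BA9110-A143-46B1-ADAA-498B263DD885",
}
INSTALLER_NAMES = ("bcua32-setup.msi", "bcua64-setup.msi")
UI_LEVELS = ("/qf", "/qb", "/qr", "/qn", "/quiet")
# Table 3-2 gives the full config URL; the chapter's examples pass only scheme://host:port.
CM_URL_RE = re.compile(
    r"^https?://[^/\s:]+(:\d{1,5})?(/unifiedagent/UnifiedAgentConfig\.xml)?$")


def check_install_request(msi_path, cm_url, ui="/qn", logfile=None):
    """Return a list of problems (empty when the request is acceptable)."""
    problems = []
    if ntpath.basename(msi_path).lower() not in INSTALLER_NAMES:
        problems.append("installer renamed: keep bcua32-setup.msi / bcua64-setup.msi "
                        "or future updates from the Client Manager fail")
    if ui not in UI_LEVELS:
        problems.append("unknown UI level %r" % (ui,))
    if "host-from-client-request" in cm_url:
        problems.append("CM_URL still contains host-from-client-request; "
                        "replace it with the Client Manager address")
    elif not CM_URL_RE.match(cm_url):
        problems.append("CM_URL is not an http(s) URL to the Client Manager")
    # A UNC path is the one network location we can detect; a mapped drive
    # letter looks local, so check those by hand before rolling out.
    if logfile is not None and logfile.startswith("\\\\"):
        problems.append("log file on a network share may be unavailable mid-install")
    return problems


def build_install_args(msi_path, cm_url, ui="/qn", reboottime=None,
                       logfile=None, norestart=True):
    """msiexec argument list matching the 'Silent Installation Syntax' line.

    The chapter invokes the .msi directly; 'msiexec /i' is the equivalent form
    that works from a service account or scheduled task without shell file
    associations (assumption of this example, not a page instruction).
    """
    problems = check_install_request(msi_path, cm_url, ui, logfile)
    if problems:
        raise ValueError("; ".join(problems))
    args = ["msiexec", "/i", msi_path, ui, "CM_URL=" + cm_url,
            "REINSTALL=ALL", "REINSTALLMODE=vamus"]
    if norestart:
        args.append("/norestart")
    if reboottime is not None:
        if int(reboottime) < 0:
            raise ValueError("REBOOTTIME must be 0 or a positive number of seconds")
        args.append("REBOOTTIME=%d" % int(reboottime))
    if logfile is not None:
        args += ["/l*v", logfile]
    return args


def build_uninstall_args(version, token):
    """msiexec argument list for the silent uninstall command.

    Only the major.minor.patch part of the version selects the product code.
    The uninstall password is passed in clear on the command line and lands in
    any /l*v log, so run this from a job whose logs are access-controlled.
    """
    key = ".".join(version.split(".")[:3])
    if key not in PRODUCT_CODES:
        raise ValueError("no product code listed for Unified Agent %s" % version)
    return ["msiexec", "/X{%s}" % PRODUCT_CODES[key], "/quiet",
            "UNINSTALL_TOKEN=" + token]


def run_msiexec(args):
    """Run the command and return the Windows Installer exit code.

    0 means success; 3010 means success but a reboot is still pending
    (standard msiexec exit codes, not Unified Agent specific).
    """
    if sys.platform != "win32":
        raise OSError("msiexec is only available on Windows")
    return subprocess.run(args, check=False).returncode


if __name__ == "__main__":
    # Constructed sample values; adjust the path, URL and token for your site.
    print(" ".join(build_install_args(
        r"C:\Users\jane.user\Downloads\bcua64-setup.msi",
        "https://10.0.0.1:8084/unifiedagent/UnifiedAgentConfig.xml",
        logfile=r"C:\Windows\Temp\bcua-install.log")))
    print(" ".join(build_uninstall_args("4.7.1.123456", "<token>")))
```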
Example Installations and Uninstallation

This section contains the following:

• "Example Installations" on page 32
• "Example Uninstallation" on page 32

Example Installations

Example 1: Basic manual installation:

   bcuaXX-setup.msi /qr CM_URL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus /norestart

The Unified Agent configuration is downloaded from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters cause all Unified Agent components to install, regardless of any previous installations, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. After the installation is complete, the user is prompted to reboot, unless only web filtering is enabled.

Example 2: Mandatory reboot either immediately or after 30 seconds:

   bcuaXX-setup.msi /qr CM_URL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus REBOOTTIME=30

The Unified Agent configuration is downloaded from the Client Manager at https://mysg.example.com:8084. The user sees the installation in progress and can cancel it. The REINSTALL and REINSTALLMODE parameters ensure that all Unified Agent components are installed, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. After the installation is complete, the user has the following options:

• Wait 30 seconds for the machine to reboot.
• Click Restart Now in the dialog to reboot immediately.

Example 3: Silent installation:

   bcuaXX-setup.msi /qn CM_URL=https://mysg.example.com:8084 REINSTALL=ALL REINSTALLMODE=vamus

The Unified Agent configuration is downloaded from the Client Manager at https://mysg.example.com:8084. The user does not see the installation in progress and so cannot cancel it. The REINSTALL and REINSTALLMODE parameters ensure that all Unified Agent components are installed, which is useful in cases where you are recovering from an incomplete or previously unsuccessful installation. After the installation is complete, the user has the option to reboot unless only web filtering is enabled.

Example Uninstallation

   msiexec /X{65E7A44B-F106-4281-98A4-6490F393854A} /quiet UNINSTALL_TOKEN=<token>

Uninstalls Unified Agent 4.7.1.x, using the uninstall password.

Chapter 4: Configure Location Awareness

This chapter addresses the following topics:

• "Location Awareness Tasks" on page 35
• "Location Rulebase Ordering" on page 38
• "Configure Web Filtering Auto-Detection" on page 40
• "Configure Locations Using the CLI" on page 42

Introduction to Location Awareness

The purpose of configuring locations is to enable Unified Agent based on its current network location. For example, when a user works from home on a laptop, Unified Agent must perform web filtering, because the user is not connected to a network where a ProxySG appliance is deployed.

Administrators define locations based on one or more of the following criteria:

• Source IP Ranges: Appropriate for situations such as in the office when you know the IP range for client connections.
• DNS Servers: The IP address for the DNS server that is assigned to a network segment can help uniquely identify the location.
• Virtual NIC IP Ranges: VPN software typically creates a virtual NIC. The VPN gateway behind the firewall at the corporate data center provisions IP addresses and DNS server addresses for the virtual NIC.

Note: Location conditions are applied using the AND operator, so choosing more than one condition for a location is a good way to uniquely identify a location.

When a Unified Agent device’s IP address changes, Unified Agent detects the change and re-evaluates the IP address against location rules.
33 Unified Agent: Deployment and Administration Guide for Windows Guidelines for Location Conditions When planning your location conditions, take the following into account: Whether a ProxySG appliance already performs web filtering at this location. Which two of the three available location conditions best define the location. Note: You can configure Unified Agents to automatically detect whether a filtering ProxySG appliance is present on the network; the Unified Agent then disables its own web filtering. See "Configure Web Filtering Auto-Detection" on page 40. Table 4-1 describes how to use these location conditions in a sample deployment: Table 4-1 Guidelines for location conditions Location type Suggested conditions Headquarters with several local ProxySG appliances • Role of local ProxySG appliances—Performs web filtering for Unified Agents, so web filtering should be disabled. • Location conditions—Source IP address range and DNS server IP address. • Role of local ProxySG appliances—None; Unified Agent web filtering should be enabled. Branch office with no local ProxySG appliance Note: If a ProxySG appliance at headquarters performs web filtering for the branch office, disable Unified Agent web filtering. Branch office with a local ProxySG appliance Home office over VPN connection 34 • Location conditions—Source IP address range and DNS server IP address. • Role of local ProxySG—If the local ProxySG performs web filtering, disable Unified Agent web filtering. • Location conditions—Source IP address range and DNS server IP address. • Role of local ProxySG appliances—None; Unified Agent web filtering should be enabled. • Location conditions—Virtual NIC IP range and DNS server IP address. Chapter 4: Configure Location Awareness Location Awareness Tasks The following table summarizes the tasks that are required to set up location awareness: Table 4-2 Location awareness tasks Task Description 1. 
"Configure Locations" on page 35 Configure locations for office, branch office, home office, and mobile users. 2. "Configure Default Actions" on page 39 Default actions are for users that do not match any configured locations. 3. "Location Rulebase Ordering" on page 38 To make sure users match the correct location, put the most restrictive (that is, more specific) locations in the rulebase before less restrictive locations. Configure Locations This section discusses how to use conditions to define locations such as office headquarters, branch offices, and mobile users. To use the CLI, refer to "Configure Locations Using the CLI" on page 42. To configure locations: 1. Log in to the Client Manager’s Management Console with administrator credentials. 2. Select Configuration > Clients > General > Locations. 3. On the Locations page, click New. The New Locations dialog is displayed. 4. In the Name field, enter a name that identifies this location: Headquarters, for example. Note: The location name cannot be changed later. 35 Unified Agent: Deployment and Administration Guide for Windows 5. In the Conditions section, select one or more conditions that define this location. To add a location condition, perform one or more of the following tasks: Table 4–1 Location-condition settings Condition Tasks Source IP Ranges 1. Select the Match source IP ranges check box. 2. Click New. 3. In the Add IP Source Range dialog, enter starting and ending IP addresses. Note: You must enter a pair of IP addresses; you cannot use CIDR notation. 4. Click OK. 5. Repeat the previous two steps to enter other source IP address ranges, as required. Note: This condition is matched when the network interface has an IP address in ANY of the ranges you define. DNS Servers 1. Select the Match DNS servers check box. 2. Click New. 3. In the Add DNS Servers IPs dialog, enter the server’s IP address. 4. Click OK. 5. Repeat these tasks to enter other DNS server IP addresses if required. 
Note: This condition is matched only if all DNS servers are matched. For example, if the location specifies DNS IP addresses 10.1.1.1 and 10.1.1.2, and the device has only 10.1.1.2, there is no match. However, if the location condition specifies DNS IP addresses 10.1.1.1 and 10.1.1.2, and the user’s device has 10.1.1.1, 10.1.1.2, and 10.1.1.3, there is a match. Virtual NIC IP Ranges 1. Select the Match Virtual NICs IP check box. 2. Click New. 3. In the Add Virtual NIC IP Range dialog, enter a starting and ending IP address in the provided fields. The range you enter should correspond to a range of IP addresses provisioned by your VPN gateway. Note: You must enter a pair of IP addresses; you cannot use CIDR notation. 4. Click OK. 5. Repeat these tasks to enter other Virtual NIC IP address ranges if required. Note: This condition is matched if the network interface has an VNIC IP address in ANY of the ranges you define. 36 Chapter 4: Configure Location Awareness Configure Actions 1. Under Actions, select or clear the Enable Web Filter check box. Because Unified Agent does not have acceleration functionality, the Enable Acceleration option should be configured only if you have legacy ProxyClients on the network. 2. When the device does not match any of the conditions, the default actions are applied. See "Configure Default Actions" on page 39. Important: All selected conditions must match to enable the selected location features. For example, if Source IP Address and DNS Servers conditions are selected, and if the network interface matches the source IP address but not the DNS server IP address, the location’s actions are not applied. 3. Click OK. The Locations page displays the location names and associated actions. Edit Location Conditions 1. On the Client Manager, select Configuration > Clients > General > Locations. 2. Select the location to edit and click Edit. The Edit Locations dialog is displayed. 3. 
To add or remove a condition type, select or clear its check box. 4. To edit IP address entries, delete the unwanted address entries and add new ones. 5. To delete a location, select the location and click Delete. 37 Unified Agent: Deployment and Administration Guide for Windows Location Rulebase Ordering Unified Agent applies the location conditions according to their rank in the Locations list (Configuration > Clients > General > Locations). To avoid improper rule matches, put the most restrictive rule at the top of the list and the least restrictive at the bottom. For example, suppose that the “Headquarters” location specifies an IP address range of 10.0.0.0 to 10.255.255.255 but the VPN gateway located at headquarters has a pool of IP addresses that are a subset of that range—10.3.1.1 to 10.3.1.255. Because the VPN gateway is used by home office or mobile users, the administrator should create different location conditions for “Headquarters” and for home and mobile users. Specifically, users at the headquarters location should have web filtering disabled, whereas users in a home office or mobile location should have it enabled. To configure this policy, the administrator creates two locations as follows: Table 4–2 Locations to create Location Conditions Headquarters • Source IP address range—10.0.0.0 to 10.255.255.255 • DNS server IP address—10.0.0.11 and 10.0.0.12 Home/Mobile • DNS server IP address— Same as headquarters • VNIC IP address range—10.3.1.1 to 10.3.1.255 To make sure that the Home/Mobile location is matched first, the administrator must ensure that it appears first in the Locations list. The administrator selects the Home/Mobile location and clicks Promote until it is above the Headquarters location. 38 Chapter 4: Configure Location Awareness Configure Default Actions The purpose of default actions is to apply an action to devices that do not match any of the location conditions. 
For example, Unified Agent devices that connect to the network without using the corporate VPN have unknown source IP ranges and DNS servers. To ensure that such a device cannot evade location actions, you must configure a default action. To configure default actions: 1. Log in to the Management Console with administrator credentials. 2. Select Configuration > Clients > General > Locations. 3. In the Default Actions section at the bottom of the page, select the check box for the feature to designate as the default action. For the Unified Agent, only the Enable Web Filter action is valid. Enable Acceleration applies only to legacy ProxyClients. 39 Unified Agent: Deployment and Administration Guide for Windows Configure Web Filtering Auto-Detection This section explains how to enable web filtering auto‐detection, which can disable Unified Agent web filtering when a ProxySG is present to perform Blue Coat Web Filtering. When you use web filtering auto‐detection, you do not need to set up a location to specifically disable Unified Agent web filtering. Benefits of Web Filtering Auto-Detection Web filtering auto‐detection is fast, happening within a few seconds after a Unified Agent requests a URL rating. Web filtering auto‐detection prevents double filtering. Double filtering happens when both Unified Agent web filtering and ProxySG web filtering are applied to a URL request, for example, when web filtering is enabled in the Unified Agent’s location and is also enabled by policy in an office network with ProxySG appliance web filtering. Double filtering can result in policy conflicts if the same category is allowed by one policy set and blocked by another policy set. Requirements The ProxySG that is acting as Client Manager must run SGOS 5.3.2.5 or later. Filtering ProxySGs must run any version of SGOS that supports Blue Coat Web Filtering (BCWF). 
Unified Agent must be deployed in one of the following ways:
• In-path with the filtering ProxySG
• The Unified Agent device must use a filtering ProxySG as an explicit proxy

Every ProxySG that performs web filtering in a network to which Unified Agents might connect must have the local policy installed.

Install Local Policy on a ProxySG Appliance

The filtering ProxySG appliance must have a policy installed on it that adds an HTTP response header (X-BCWF-License) to rating responses from WebPulse. When Unified Agent detects the header, it determines that web filtering should be disabled (that is, deferred to the ProxySG appliance that sent the header).

You must install this policy on all filtering ProxySGs that meet any of the following criteria:
• The ProxySG appliance is in-path between the Unified Agent device and the Internet.
• The ProxySG appliance is used by Unified Agents as an explicit proxy.

To install local policy:
1. Log in to the ProxySG’s Management Console with administrator credentials.
2. Select Configuration > Policy > Policy Files.
3. For Install Local File from, select Text Editor.
4. Click Install.
5. In the dialog box, enter the following:

   <proxy>
     request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

   define action i_am_filtering
     set(response.x_header.X-BCWF-License, "<VendorID>")
   end

   where VendorID is your Blue Coat WebFilter database user name. If your enterprise has more than one Vendor ID, enter them in a comma-separated list. An example with one Vendor ID follows:

   <proxy>
     request.header.Host="sp.cwfservice.net" action.i_am_filtering(yes)

   define action i_am_filtering
     set(response.x_header.X-BCWF-License, "6EAZ8-BDC17F")
   end

6. Click Install. If error messages are returned, check the policy syntax and try again.
7. After the policy is successfully installed, click OK on the confirmation dialog, click Close, and then click Apply.
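What the agent side of auto-detection has to do with a rating response that passed through a ProxySG carrying the policy above, as an added example (illustrative code, not Blue Coat's implementation). The header name, the comma-separated Vendor ID list and the "defer when the header is present" rule come from the guide; the function names, the constructed headers and the choice to accept the header only when one of its IDs matches a Vendor ID the agent itself is licensed for are assumptions of this example.

```python
"""Added example (not Blue Coat code): deciding whether to defer web filtering
to an in-path or explicit ProxySG based on the X-BCWF-License response header.
"""
from typing import Dict, List, Set

# Constructed sample: headers from a rating response that traversed a
# filtering ProxySG with the i_am_filtering policy installed.
RATING_RESPONSE_HEADERS = {
    "Content-Type": "text/plain",
    "X-BCWF-License": "6EAZ8-BDC17F, SECONDSITE-01",
}


def parse_bcwf_license_header(headers: Dict[str, str]) -> List[str]:
    """Return the Vendor IDs carried in X-BCWF-License, or [] if absent.

    HTTP header names are case-insensitive and the policy may list several
    IDs separated by commas, so normalise the name and split the value.
    """
    for name, value in headers.items():
        if name.lower() == "x-bcwf-license":
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def defer_to_proxysg(headers: Dict[str, str], my_vendor_ids: Set[str]) -> bool:
    """True when the response shows a filtering ProxySG is already in the path.

    Assumption for this example: the header is honoured only if one of its IDs
    matches a Vendor ID from the agent's own BCWF licence, so an unrelated
    upstream host echoing the header name cannot switch client filtering off.
    """
    mine = {m.upper() for m in my_vendor_ids}
    return any(v.upper() in mine for v in parse_bcwf_license_header(headers))


if __name__ == "__main__":
    print(defer_to_proxysg(RATING_RESPONSE_HEADERS, {"6EAZ8-BDC17F"}))   # True
    print(defer_to_proxysg({"Content-Type": "text/plain"}, {"6EAZ8-BDC17F"}))  # False
```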
Configure Locations Using the CLI

Follow these instructions to configure locations using the command-line interface.

To configure client location settings:
1. Connect to the ProxySG appliance via SSH or Telnet.
2. At the initial prompt, type en to enter enable mode. Enter the enable-mode password.
3. At the #(config) command prompt, enter clients.
4. At the #(config clients) command prompt, enter locations.
5. Configure location settings:

   #(config clients locations) create <location_name>
   #(config clients locations) edit <location_name>
   #(config clients <location_name>) webfilter {enable | disable}
   #(config clients <location_name> dns) add <ip-address>
   #(config clients <location_name> dns) clear
   #(config clients <location_name> dns) exit
   #(config clients <location_name> dns) remove <ip-address>
   #(config clients <location_name> dns) view
   #(config clients <location_name> source) add <ip-address-range>
   #(config clients <location_name> source) clear
   #(config clients <location_name> source) exit
   #(config clients <location_name> source) remove <ip-address-range>
   #(config clients <location_name> source) view
   #(config clients <location_name> vnic) add <vnic-address-range>
   #(config clients <location_name> vnic) clear
   #(config clients <location_name> vnic) exit
   #(config clients <location_name> vnic) remove <ip-address-range>
   #(config clients <location_name> vnic) view
   #(config clients <location_name>) match-dns {enable | disable}
   #(config clients <location_name>) source {enable | disable}
   #(config clients <location_name>) vnic {enable | disable}
   #(config clients <location_name>) exit
   #(config clients <location_name>) view
   #(config clients locations) webfilter {disable | enable}
   #(config clients locations) {promote <location_name> | demote <location_name>}
   #(config clients locations) delete <location_name>
   #(config clients locations) clear
   #(config clients locations) view
Chapter 5: Configure Unified Agent Web Filtering

This chapter discusses how to configure the Client Manager to provide the Blue Coat WebFilter service to Unified Agent devices. This chapter includes the following topics:
"Introduction to Web Filtering", below
"Web-Filtering Task Summary" on page 46
"Downloading the BCWF Database" on page 47
"Set Up the Local Database" on page 50
"Configure Web-Filtering Policies" on page 52
"Prioritize Categories in the Rule Base" on page 59
"Web Filtering Best Practices" on page 60
"Customize Exception Pages" on page 61
"Enable Web Filtering Logging" on page 63
"Configure Unified Agent Web Filtering (CLI)" on page 68

Introduction to Web Filtering

This introduction to web filtering includes the following topics:
"Web-Filtering Terminology", below
"Web-Filtering Process" on page 44
"Web Filtering for Users and Groups" on page 45

Web-Filtering Terminology

This section defines common terms used to discuss Unified Agent web filtering.

Blue Coat WebFilter (BCWF) database
• The BCWF database contains categories and the URLs that belong to those categories.
• The BCWF categories download contains the category names but not the URL-to-category mappings themselves; URLs are categorized and rated by the WebPulse cloud service.
• A dedicated Client Manager needs only the BCWF categories to provide Unified Agent web-filtering services. WebPulse performs the ratings.
• A Client Manager that also proxies Internet traffic and performs BCWF web filtering needs the BCWF database.
• The BCWF database and categories are maintained by Blue Coat.
• To keep the BCWF license current, the database or categories must be updated on the Client Manager at least once every 30 days.
• Administrators choose categories and policy actions for users and groups in each category; these categories and actions are downloaded to Unified Agent in its configuration file.
All Unified Agent URL requests are categorized by WebPulse.

WebPulse
WebPulse Site Review is a cloud-based service that provides categorizations for URLs. WebPulse is available at http://sitereview.bluecoat.com for manual requests; Unified Agent, ProxySG, and other Blue Coat products can automatically query the cloud or periodically download the BCWF database for local lookups.

Policy action
The action that is applied to a URL request. Possible actions are allow, block, and warn. Policies can be applied to individual users or to user groups. More information about these policy actions can be found in "Set Category Policies" on page 54.

Web-Filtering Process

If Unified Agent web filtering is enabled for the user’s location, the categorization process is as follows:
1. The user attempts to navigate to a URL or the operating system attempts to check for updates.
2. Unified Agent collects web-filtering categories from its configuration file. Categories are defined by the following:
   • The local database, if enabled.
   • VPM policy, if configured.
   • Results of WebPulse lookups that are temporarily cached on the user’s device.
3. Unified Agent requests a category for the URL from WebPulse. The result of the request can be one of the following:
   • The URL request is categorized by WebPulse if a result was not found in the local cache. (The cache, which is temporary, consists of results from previous lookups.)
   • If WebPulse cannot determine a URL’s category, the URL is categorized as none and the appropriate policy action is applied.
   • If WebPulse is not available, the URL is categorized as unavailable and the appropriate policy action is applied.
   Note: One web site can be associated with many URLs. For example, many web sites have advertisements, each of which causes a categorization request to be sent to WebPulse.
4.
After the URL’s category is determined, the Unified Agent’s configuration file determines the policy action (allow, block, or warn) according to the first match in the rule base.
   • If the policy action is allow, the original request goes to its destination.
   • If the policy action is block, the “blocked” category exception page is displayed.
   • If the policy action is warn, the “warn” category exception page is displayed. The user must click an “accept” link, an acknowledgment that the request might violate corporate web use policy. When the user clicks the link, the request goes to its destination.
   Note: When a user clicks the acceptance link, the requested web site will continue to be accessible for 15 minutes. This accessibility period is not currently configurable.
5. Results of WebPulse lookups are temporarily cached to reduce request traffic to WebPulse, which helps improve performance for commonly accessed web sites.

Web Filtering for Users and Groups

Unified Agent web filtering can be enforced for users and domain groups. These users and groups are validated against the user’s cached login credentials on the Unified Agent device. In other words, Unified Agent uses credentials for the authentication realm configured for the domain to which the device connects.

For HTTP traffic, you can configure Unified Agent to allow, block, or send a warning message to specific users when they request particular web sites and web site categories. The exception pages for blocks or warnings are customizable.

Unified Agent web filtering categories can be configured for individual users and user groups specified in any of the following formats:
• Fully qualified account names (for example, domain_name\user_name).
• Fully qualified DNS names (for example, domain.example.com\user_name).
• User principal names (UPN), for example, [email protected].
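The categorization process in steps 2 to 5 above, modelled end to end as an added example (illustrative code, not Blue Coat's implementation). The category sources and their precedence, the none and unavailable system categories, first-match evaluation of the rule base and the 15-minute acknowledgement window come from the guide; the WebPulse stand-in, the cache lifetime, the constructed categories and all names are this example's own.

```python
"""Added example (not Blue Coat code): a model of the Unified Agent
web-filtering process. Local database and policy categories are consulted
first, then the temporary lookup cache, then WebPulse; a URL WebPulse cannot
rate becomes 'none', and an unreachable WebPulse becomes 'unavailable'.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample categories an administrator might have uploaded.
LOCAL_DB = {"whitelist": {"www.webmd.com"}, "blacklist": {"www.gambling.com"}}
POLICY_CATEGORIES = {"it-tools": {"updates.example.com"}}

# Constructed rule base in first-match order: (category, action).
RULE_BASE = [
    ("whitelist", "allow"),
    ("blacklist", "block"),
    ("Web Advertisements", "block"),
    ("News/Media", "warn"),
    ("unavailable", "block"),    # best practice from the guide
]


class WebPulseUnavailable(Exception):
    """Raised by the lookup function when the cloud service cannot be reached."""


def fake_webpulse(host: str) -> List[str]:
    """Stand-in for a WebPulse lookup; ratings are constructed, not real."""
    ratings = {
        "www.example-news.com": ["News/Media"],
        "ads.example.com": ["Web Advertisements"],
    }
    return ratings.get(host, [])   # [] means WebPulse could not rate it


class Agent:
    def __init__(self, rule_base: List[Tuple[str, str]], default_action: str,
                 lookup: Callable[[str], List[str]] = fake_webpulse,
                 cache_ttl: float = 300.0, warn_ttl: float = 15 * 60):
        self.rule_base = rule_base
        self.default_action = default_action
        self.lookup = lookup
        self.cache_ttl = cache_ttl      # assumed; the guide only says "temporary"
        self.warn_ttl = warn_ttl        # 15 minutes, per the guide
        self.cache: Dict[str, Tuple[List[str], float]] = {}   # host -> (cats, expiry)
        self.acknowledged: Dict[str, float] = {}              # host -> accept time

    def categorize(self, host: str, now: float) -> List[str]:
        """Steps 2 and 3: local DB and policy first, then cache, then WebPulse."""
        cats = [c for c, hosts in LOCAL_DB.items() if host in hosts]
        cats += [c for c, hosts in POLICY_CATEGORIES.items() if host in hosts]
        if cats:
            return cats
        cached = self.cache.get(host)
        if cached and cached[1] > now:
            return cached[0]
        try:
            cats = self.lookup(host) or ["none"]
        except WebPulseUnavailable:
            return ["unavailable"]        # deliberately not cached: retry next time
        self.cache[host] = (cats, now + self.cache_ttl)   # step 5
        return cats

    def action_for(self, cats: List[str]) -> str:
        """Step 4: first rule in rule-base order naming one of the URL's categories."""
        for category, action in self.rule_base:
            if category in cats:
                return action
        return self.default_action

    def request(self, host: str, now: float) -> str:
        action = self.action_for(self.categorize(host, now))
        if action == "warn" and now - self.acknowledged.get(host, float("-inf")) < self.warn_ttl:
            return "allow"      # inside the 15-minute window after clicking accept
        return action

    def accept_warning(self, host: str, now: float) -> None:
        self.acknowledged[host] = now


def demo() -> Dict[str, str]:
    agent = Agent(RULE_BASE, default_action="allow")
    t = 1000.0
    out = {"local-db": agent.request("www.gambling.com", t),
           "ad": agent.request("ads.example.com", t),
           "news-first": agent.request("www.example-news.com", t)}
    agent.accept_warning("www.example-news.com", t)
    out["news-after-accept"] = agent.request("www.example-news.com", t + 60)
    out["news-after-16min"] = agent.request("www.example-news.com", t + 16 * 60)
    out["unrated"] = agent.request("unknown.example.net", t)      # 'none' -> default
    return out


def demo_unavailable() -> str:
    def down(host: str) -> List[str]:
        raise WebPulseUnavailable(host)
    return Agent(RULE_BASE, default_action="allow", lookup=down).request("www.example-news.com", 0.0)


if __name__ == "__main__":
    print(demo())
    print(demo_unavailable())   # block, because 'unavailable' is set to block
```

Two details worth noticing: an unavailable result is not cached, so a device recovers as soon as WebPulse is reachable again, and an unrated URL becomes none rather than falling straight to the default, so the none category can be given its own action as the guide describes.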
However, be aware that translating isolated names introduces the possibility of name collisions because the same name might be used in multiple domains. Blue Coat recommends that you do not use isolated names such as user_name. Fully qualified names are unambiguous and provide better performance when the lookup is performed.

Web-Filtering Task Summary

To use Unified Agent web filtering, you must perform the following tasks in the order shown:

Table 5-1 Tasks to perform for web filtering

1. Preparation
    • "Licensing the Unified Agent" on page 13. You can use web filtering only if the Client Manager is properly licensed.
    • "Designate a ProxySG Appliance as the Client Manager" on page 17. You must designate a Client Manager before you can enable web filtering for Unified Agent.
2. Decide how much of the Blue Coat WebFilter (BCWF) database to download. See "Downloading the BCWF Database" on page 47.
    • If your ProxySG appliance is used only as a Client Manager, download only the BCWF database categories.
    • If your ProxySG appliance is a Client Manager and also performs in-office web filtering, download the entire BCWF database.
3. Download the BCWF database or categories:
    • If the ProxySG appliance is a dedicated Client Manager: "Downloading the BCWF Database" on page 47
    • If the ProxySG is a Client Manager and also performs in-office web filtering: "Enable the Blue Coat WebFilter Database" on page 49
    Set up updates for the BCWF database or categories; they must be updated on the Client Manager at least once every 30 days.
4. "Set Up the Local Database" on page 50
    Note: Although you can enable other databases, only the following categories are used by Unified Agent:
    • Blue Coat WebFilter
    • Policy, such as VPM policy
    Categories from other databases are not used by Unified Agent web filtering. The local database is one optional way to create whitelist or blacklist categories.
    You can also add policy categories (also referred to as custom categories) to set up whitelists and blacklists. Refer to "Set Category Policies" on page 54.
5. "Configure Web-Filtering Policies" on page 52
    After you have uploaded the current BCWF categories, you can specify policy actions for the categories such as allow, block, or warn. You can also set policy actions for individual users and user groups.
6. "Prioritize Categories in the Rule Base" on page 59
    Change the order of category policies to ensure that the correct rule is matched.
7. "Web Filtering Best Practices" on page 60
    Suggestions for using web filtering in your organization.
8. "Customize Exception Pages" on page 61
    Exception pages are displayed to users when they attempt to access content for which block or warn rules exist. Blue Coat recommends that you customize the default exception pages to provide users with information that is specific to your organization.
9. "Enable Web Filtering Logging" on page 63
    How to upload Unified Agent web filtering logs to an anonymous FTP server.

Downloading the BCWF Database

Starting with SGOS version 5.5, you can subscribe to one of two options:
• Download the entire BCWF database
• Download only the URL categories

The following table explains the difference between the entire BCWF database and the categories-only download.

Table 5-2 BCWF downloading options

Entire BCWF database
    The BCWF database contains BCWF categories and a list of the URLs that are associated with each category. Any URL that is not found in the BCWF database is referred to WebPulse for categorization. Required only if the same ProxySG appliance is used for both the Client Manager and for in-office web filtering. Refer to "Enable the Blue Coat WebFilter Database" on page 49.
Only the BCWF database categories, called a “differential update”
    This option is preferable for ProxySG appliances that are used only as Client Managers but not for in-office web filtering. Because the differential download is much smaller than the entire BCWF database, it provides faster downloads as well as saving disk space on the ProxySG appliance.

Provide BCWF Database Credentials

BCWF credentials are supplied with your BCWF license, and they must be presented to the BCWF database every 30 days to continue to get database updates.

To enter credentials for the BCWF database:
1. Log in to the Client Manager’s Management Console with administrator credentials.
2. Select Configuration > Content Filtering > Blue Coat.
3. For Data Source, select WebFilter.
4. In the Download section, enter the following information and click Apply:

Table 5-3 WebFilter page settings

Username field
    Enter the user name provided with your BCWF subscription.
Change Password button
    Click the button and follow the prompts on your screen to set or change your BCWF password.
URL field
    Enter the URL provided with your BCWF subscription. Typically, the URL is https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Set to default button
    Click to reset the URL field to its default value of https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Download now button
    Click to immediately download the BCWF database.
View Download Status button
    Click to see the latest download information such as license type and expiration date, last successful download timestamp, and the location from which the database was downloaded.
Automatically check for updates check box
    Select this check box to automatically check for updates, or select Only between the hours of to specify when update checks should occur.

Set the License-Expiration Action

For the BCWF license to remain current, the Client Manager must download the categories at least once every 30 days.
If categories are not retrieved within 30 days, the BCWF license expires and the license-expiration action is applied.

To set the license-expiration action:
1. Select Configuration > Clients > Web Filtering > Policy.
2. For On expiration, select Allow All or Block All and click Apply.

Enable the Blue Coat WebFilter Database

If the ProxySG appliance that is designated as a Client Manager is not responsible for in-office web filtering, skip this section and continue to "Set Up the Local Database" on page 50.

To enable the Blue Coat WebFilter database:
1. Select Configuration > Content Filtering > General.
2. Under Providers, select the Enable check box for Blue Coat.
3. For Lookup mode, select one of the following:
   • Always—(Default) The database is always consulted for category information. If a URL is categorized under more than one category in different databases, policy is checked against each category listed.
   • Uncategorized—The lookup for this database is skipped if the URL match is found in policy, a local database, or the Internet Watch Foundation (IWF) database.
4. Click Apply.

Category-Provider Databases

Although it is possible to enable other databases (Internet Watch Foundation, for example), categories in these databases are not used by Unified Agent web filtering.
Unified Agent uses categories from only the following sources:

Table 5-4 Unified Agent category sources

BCWF database
    "Downloading the BCWF Database" on page 47 and "Enable the Blue Coat WebFilter Database" on page 49
Local database
    "Set Up the Local Database" on page 50
Policies such as VPM policy (including local, central, and forward policies)
    "Set Category Policies" on page 54
System categories (none and unavailable), which cannot be edited or deleted
    "Configure System and Default Actions" on page 56
Default Action
    "Configure System and Default Actions" on page 56

Set Up the Local Database

You have the option to use the local database to set up customized whitelists or blacklists, which are then uploaded to the Client Manager.

To create the local database:
1. Create a text file in the following format:

   define category <category-name1>
   <url1>
   <url2>
   <urln>
   end
   define category <category-name2>
   <url1>
   <url2>
   <urln>
   end

   For example:

   define category whitelist
   www.cnn.com
   www.webmd.com
   end
   define category blacklist
   www.gambling.com
   end

   Each category can have an unlimited number of URLs.
2. Upload the text file to a web server that the Client Manager can access.

To enable the local database:
1. Log in to the Client Manager’s Management Console with administrator credentials.
2. Select Configuration > Content Filtering > General.
3. In the right pane, select the Enable check box next to Local Database.
4. Click Apply.

To upload the local database to the Client Manager:
1. Select Configuration > Content Filtering > Local Database.
2. Enter or edit the following information:

   Table 5-5 Local Database page settings

   Username field
       Enter the user name required to access the local database, if any.
   Change Password button
       Click the button and follow the prompts on your screen to set or change your local database password.
   URL field
       Enter the URL of the local database.
3. Click Download Now.
4.
Optional—Select the Automatically check for updates check box.
5. Click Apply.

See Also
The section on configuring the local database in the SGOS Administration Guide on BlueTouch Online.

Configure Web-Filtering Policies

The following sections discuss how to configure Unified Agent web-filtering policies on the Client Manager:
"Enable Unified Agent Web Filtering", below
"Configure HTTPS Filtering and Safe Search" on page 53
"Set Category Policies" on page 54
"Configure Policies for Users and Groups" on page 55
"Configure System and Default Actions" on page 56

Enable Unified Agent Web Filtering

Web filtering must be enabled on the Client Manager to perform Unified Agent web filtering.

To enable Unified Agent web filtering:
1. Log in to the Client Manager’s Management Console with administrator credentials.
2. Select Configuration > Clients > Web Filtering > Policy.
3. Select the Enable Web filtering check box.
4. If you need to configure more settings to complete the web-filtering setup, a warning message indicates what to do.

Table 5-6 Web Filtering error messages

Message: Client Web filtering will not function when the feature is disabled.
    Suggested action: Select the Enable Web filtering check box.
Message: Client Web filtering is unavailable do to an invalid base license. Please contact Blue Coat Support.
    Suggested action: Your SGOS license is invalid or expired. Click the link to find more information.
Message: The Blue Coat WebFilter service is registering this ProxySG for service.
    Suggested action: After you enable Unified Agent web filtering, the Client Manager must download the BCWF database categories. This message is displayed while categories are being downloaded. This message is not displayed if you downloaded the entire BCWF database. If this message is displayed for an extended period, try the following:
    1. Clear the Enable Web Filtering check box and apply the change.
    2. Select the Enable Web Filtering check box and apply the change.
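Returning to the local database file described in "Set Up the Local Database" above: a parser and pre-upload validator for that format, as an added example (illustrative code, not Blue Coat's implementation). The define category ... end syntax and the two sample categories are the guide's; the error checks, the matching rule in categories_for (exact host or host/path prefix) and all function names are assumptions made here so a file can be checked before it is placed on the web server.

```python
"""Added example (not Blue Coat code): parse and validate a local database
file in the guide's 'define category <name> ... end' format, and look up
which categories a URL falls into.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the guide's format (its own two categories).
SAMPLE_LOCAL_DB = """\
define category whitelist
www.cnn.com
www.webmd.com
end

define category blacklist
www.gambling.com
end
"""

# Constructed sample with a missing 'end' to show error reporting.
BROKEN_LOCAL_DB = "define category whitelist\nwww.cnn.com\ndefine category blacklist\nwww.gambling.com\n"

DEFINE_RE = re.compile(r"^define\s+(?:category\s+)?(\S+)$", re.IGNORECASE)


def parse_local_db(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({category: [entries]}, [error messages]); errors carry line numbers."""
    categories: Dict[str, List[str]] = {}
    errors: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = DEFINE_RE.match(line)
        if m:
            if current is not None:
                errors.append(f"line {lineno}: 'define' inside category '{current}' (missing 'end')")
            name = m.group(1)
            if name in categories:
                errors.append(f"line {lineno}: category '{name}' defined twice")
            current = name
            categories.setdefault(name, [])
        elif line.lower() == "end":
            if current is None:
                errors.append(f"line {lineno}: 'end' without a matching 'define'")
            current = None
        elif current is None:
            errors.append(f"line {lineno}: entry '{line}' is outside any category")
        elif any(ch.isspace() for ch in line):
            errors.append(f"line {lineno}: one URL per line expected, got '{line}'")
        else:
            categories[current].append(line.lower())
    if current is not None:
        errors.append(f"end of file: category '{current}' is not closed with 'end'")
    return categories, errors


def categories_for(categories: Dict[str, List[str]], url: str) -> List[str]:
    """Assumed matching rule: an entry matches the URL's host exactly, or is a
    host/path prefix of the URL (scheme stripped, case-insensitive)."""
    target = re.sub(r"^[a-z]+://", "", url.strip().lower())
    host = target.split("/", 1)[0]
    matched = []
    for name, entries in categories.items():
        if any(e == host or e == target or target.startswith(e.rstrip("/") + "/") for e in entries):
            matched.append(name)
    return matched


if __name__ == "__main__":
    cats, errs = parse_local_db(SAMPLE_LOCAL_DB)
    print(cats, errs)
    print(categories_for(cats, "http://www.webmd.com/drugs"))   # ['whitelist']
    print(parse_local_db(BROKEN_LOCAL_DB)[1])
```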
Configure HTTPS Filtering and Safe Search

This section discusses how to configure the following options:
• HTTPS filtering—Specify whether to apply web-filtering actions to HTTPS content.
• Safe search—Specify whether to require Unified Agent users to use safe search with supported search engines.

To configure HTTPS filtering and safe search:
1. Log in to the Client Manager’s Management Console with administrator credentials.
2. Select Configuration > Clients > Web Filtering > Policy.
3. In the General Settings section, edit the following options:

Table 5-7 General settings section

Enforce safe search
    • Select this option to force a search engine that supports safe search to apply its strictest search filter. Keep in mind that the quality of the filtering is based on the search engine’s built-in capabilities. The same search string on one engine will yield different results on another, including returning varying levels of inappropriate content.
    • Safe search is supported on the following search engines: Google and Microsoft Bing.
    • With safe search enabled, the search engine web page displays “Safe Search ON” or similar.
Enable HTTPS filtering
    • Enable this option to apply Unified Agent web filtering to both HTTP and HTTPS requests.
    • Disable this option to allow all HTTPS requests.
    Note: When HTTPS filtering is enabled, users do not see standard exception pages when an HTTPS URL is blocked; instead, they see a standard message from the browser such as “This page cannot be displayed” as well as a system message to inform the user that the URL was blocked.

Set Category Policies

This section explains how to set policies for categories.
1. Select Configuration > Clients > Web Filtering > Policy.
2. All currently configured categories from all sources (BCWF, local database, policy, and system) are displayed in this pane.
   Until the BCWF database has been downloaded, only the System node is populated. After the databases have been downloaded (including the local database, if configured), the nodes are populated with their respective categories.

To create a policy action for a category (allow, block, or warn):
1. Expand the node that contains the category and select the check box for the category name.
2. Under Selected Category Rule Base, select the desired Action.
3. This action applies to all users. To apply the action only to certain user groups, you must have configured users and groups on the ProxySG.
   Note: When users attempt to access content that is not associated with any categories you select, the Default Action is applied.
4. When you have finished assigning policy actions to categories, click Apply.
5. To further refine your category policies, see "Prioritize Categories in the Rule Base" on page 59.

Configure Policies for Users and Groups

You can set different category actions for specified users and groups. For example, you can permit IT administrators to access web pages in the Software Downloads category but prohibit all other users from accessing those same pages. Additionally, you can configure category actions that apply to a single user. Select Statistics > Clients > Details > Client Details to see the username and domain associated with each Unified Agent.

To set category policies for users or groups:
1. Click (add user/group rule).
2. In the field provided, select the user or group from the list (if the name has already been entered) or enter the name of the user or group in any of the following formats:
   Note: You must specify users and groups exactly as they are specified in your authentication repository. For example, a typical Windows group name is domain\name, as in BLUECOAT\IT-Administrators.
   • Fully qualified account names (for example, domain_name\user_name).
     Blue Coat recommends that you do not use isolated names (for example, user_name).
   • Fully qualified DNS names (for example, example.example.com\user_name)
   • User principal name (UPN) (for example, [email protected]).
3. In the Action column, select the appropriate policy action.
4. Click Apply.

Configure System and Default Actions

The System node contains the following categories, which cannot be edited or deleted:
• none—Applied when no other category could be obtained from the BCWF database, the local database (if enabled), or policy categories (if configured). Many web pages generate more than one URL request, so it is possible that an allowed web page might create other URL requests that are categorized differently or are categorized as none. For example, images and advertisements that are displayed on an allowed web page are individually classified based on their URLs. Even if you allow users to access a particular web page, each of the ads and images on the site can be blocked separately based on each URL’s categorization.
• unavailable—The category that is invoked when all of the following are true:
  • There is no match in either the local database (if enabled) or policy categories (if configured)
  • WebPulse cannot be reached

The Default action is applied when a URL request is not classified into any of the categories in the Category Rule Base section. Use caution before setting the default action to block: any category that you do not explicitly allow is blocked.

To configure system and default actions:
1. Log in to the Client Manager’s Management Console with administrator credentials.
2. Select Configuration > Clients > Web Filtering > Policy.
3. In the All Categories pane, expand System.
4. Select the check box for none or unavailable.
5. In the Selected Category Rule Base pane, select Allow or Block from the Default list.
6.
For Default Action, select Allow or Block.
   Note: The default setting is also applied when Unified Agent detects that the user has tampered with the primary and backup versions of UnifiedAgentConfig.xml. See "Config File Edit-Detection" on page 20.
7. Click Apply.

Add Policy Categories

The Policy node is empty by default. Policy categories can be created using Content Policy Language (CPL) or by using the Client Manager’s web interface. For information about using CPL to add categories, consult the ProxySG Appliance Content Policy Language Reference on BlueTouch Online.

To add URL policy categories:
1. Log in to the Client Manager’s Management Console with administrator credentials.
2. Select Configuration > Clients > Web Filtering > Policy.
3. Near the bottom of the All Categories pane, click Edit Categories. The Edit Categories dialog displays the currently configured category nodes.
   Note: You can manage only the Policy categories using this method.
4. In the Edit Categories dialog, click Policy.
5. Click Add. In the Object Name dialog, enter a name for the category and click OK.
6. In the space provided, enter one URL per line and click OK.
7. Click OK again to close the Edit Categories dialog. Two more dialogs—View Generated CPL and Current SG Appliance VPM Policy Files—are displayed. Close both dialogs.
8. Under All Categories, expand Policy to see the new category. Configure actions for this category, as desired.

Prioritize Categories in the Rule Base

After you have added categories to the rule base and selected policy actions for each, you must consider the order in which the policies are applied. Many URLs are classified in more than one category, which can affect which policy action is applied. When a URL matches multiple rules, only the action for the first match is applied.
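The first-match behaviour just described, worked through as an added example (illustrative code, not Blue Coat's implementation) that reproduces the two configurations of Table 5-8 below and checks a rule base against the ordering recommended in "Web Filtering Best Practices" on page 60. The category names, the BLUECOAT\Managers group, the Business/Economy software-update case and the five ordering tiers come from the guide; the CategoryRule structure, the placement of the Managers exception as a user/group rule under the first-listed category, the tier labels and all function names are assumptions of this example.

```python
"""Added example (not Blue Coat code): first-match evaluation of a category
rule base with user/group sub-rules, plus a lint for the recommended order
(whitelist overrides, blacklist overrides, block, warn, allow).
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class CategoryRule:
    category: str
    action: str                                    # allow | block | warn, for all other users
    principals: Tuple[Tuple[str, str], ...] = ()   # (DOMAIN\user-or-group, action), checked first
    tier: str = "category"                         # "whitelist", "blacklist" or "category" (label assumed here)


def first_match(rules: Sequence[CategoryRule], url_categories: Sequence[str],
                user: str, groups: Sequence[str], default_action: str) -> str:
    """Only the first rule whose category the URL carries is consulted; inside
    it, a matching user/group rule wins over the category-wide action."""
    principals = {p.lower() for p in (user, *groups)}
    for rule in rules:
        if rule.category not in url_categories:
            continue
        for principal, action in rule.principals:
            if principal.lower() in principals:
                return action
        return rule.action
    return default_action


# Table 5-8: www.example.com/news is in both Blogs/Personal Pages and News/Media.
URL_CATS = ["Blogs/Personal Pages", "News/Media"]
NEWS_MEDIA_FIRST = [
    CategoryRule("News/Media", "block", (("BLUECOAT\\Managers", "allow"),)),
    CategoryRule("Blogs/Personal Pages", "allow"),
]
BLOGS_FIRST = [
    CategoryRule("Blogs/Personal Pages", "allow", (("BLUECOAT\\Managers", "block"),)),
    CategoryRule("News/Media", "block"),
]


def table_5_8() -> Dict[str, Dict[str, str]]:
    result = {}
    for name, rules in (("news_first", NEWS_MEDIA_FIRST), ("blogs_first", BLOGS_FIRST)):
        result[name] = {   # constructed sample users
            "everyone": first_match(rules, URL_CATS, "BLUECOAT\\alice", [], "allow"),
            "manager": first_match(rules, URL_CATS, "BLUECOAT\\bob", ["BLUECOAT\\Managers"], "allow"),
        }
    return result


# Recommended ordering from "Web Filtering Best Practices", with the
# software-update override placed above the Business/Economy block.
RECOMMENDED = [
    CategoryRule("software-updates", "allow", tier="whitelist"),   # local DB / policy override
    CategoryRule("blacklist", "block", tier="blacklist"),
    CategoryRule("Business/Economy", "block"),
    CategoryRule("News/Media", "warn"),
    CategoryRule("Blogs/Personal Pages", "allow"),
]

TIER_RANK = {"whitelist": 0, "blacklist": 1}
ACTION_RANK = {"block": 2, "warn": 3, "allow": 4}


def rank(rule: CategoryRule) -> int:
    return TIER_RANK.get(rule.tier, ACTION_RANK[rule.action])


def ordering_violations(rules: Sequence[CategoryRule]) -> List[str]:
    """Report each adjacent pair that is out of the recommended tier order."""
    out = []
    for prev, cur in zip(rules, rules[1:]):
        if rank(cur) < rank(prev):
            out.append(f"'{cur.category}' ({cur.tier}/{cur.action}) should be above "
                       f"'{prev.category}' ({prev.tier}/{prev.action})")
    return out


if __name__ == "__main__":
    print(table_5_8())
    print(ordering_violations(RECOMMENDED))                       # []
    print(first_match(RECOMMENDED, ["Business/Economy", "software-updates"],
                      "BLUECOAT\\alice", [], "allow"))           # allow: override wins
```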
In the example below, www.example.com/news is in both the Blogs/Personal Pages and News/Media categories.

Table 5-8 Results of example rule-base configurations

Rule base configuration: News/Media listed first (the original shows the configuration as a screenshot)
    Result: Because News/Media is first in the rule base and its policy action is block, www.example.com/news is blocked for everyone except for users in the BLUECOAT\Managers group.
Rule base configuration: Blogs/Personal Pages listed first
    Result: Because Blogs/Personal Pages is first in the rule base and its policy action is allow, www.example.com/news is allowed for everyone except for users in the BLUECOAT\Managers group.

To arrange categories in the rule base hierarchy:
The rule base hierarchy is the structure of category rules, users, and groups in the rule base. Both categories and user-group rules can be reordered.
1. Log in to the Client Manager’s Management Console with administrator credentials.
2. Select Configuration > Clients > Web Filtering > Policy.
3. In the Selected Category Rule Base pane, click the name of a rule to move. See "Web Filtering Best Practices", below, for recommended rule-base ordering.
4. Click the buttons on the right to move up, move down, move to top, or move to bottom of the list.

Web Filtering Best Practices

Blue Coat recommends the following practices when configuring Unified Agent web filtering:
• Set the policy action for the System > unavailable category to Block. This setting prevents Internet access in the event that WebPulse appears to be unavailable, for example, if a personal firewall blocks Unified Agent requests to WebPulse, a temporary network outage occurs, or users attempt to disable Unified Agent.
• Some software-update sites will be blocked when the Business/Economy category is set to Block or Warn. For example, the Java update site is rated as Business/Economy.
  Either allow the Business/Economy category or add the software-update web sites to a custom category (using either the local database or policies), set its policy action to Allow, and position the rule higher than the Business/Economy category.
• Blue Coat recommends that you order web filtering rules in the rule base as follows:
  1. Whitelist overrides (that is, local database and policy categories you always want to allow)
  2. Blacklist overrides (that is, local database and policy categories you always want to block)
  3. All other categories with policy action set to block
  4. All other categories with policy action set to warn
  5. All other categories with policy action set to allow

Customize Exception Pages

An exception page is displayed in a user's web browser when a URL request triggers a block or warn policy action. Because the exception page is displayed in a web browser, it is coded in HTML. You can customize exception pages to provide more detail about why the category is blocked, or provide other information that is specific to your organization.

Blue Coat provides default exception pages for the following events:
• Blocked content—When a URL request matches a block rule, the following message is displayed:

    Your request was denied because of its content categorization:
    Category: <offending_category_name>
    URL: <requested_URL>

• Warn—When a URL request matches a warn rule, the following message is displayed:

    It may violate company policy to visit this site.
    Category: Search Engine/Portals
    URL: www.google.com
    Click here to continue anyway.

  The last line, available only on the Warn exception page, is a link that users click to acknowledge the warning and proceed with the content request.
  Note: The Warn action only applies to HTTP content. HTTPS content subjected to a Warn action behaves in the same manner as Block.
• Unavailable rating service: When a user requests a URL that is not in the URL cache, Unified Agent cannot connect to WebPulse, and the policy action for the System > unavailable category is block, the following message is displayed in the browser:

  The Blue Coat WebFilter Service point could not be reached. This may be due to a networking error.

  When the policy action for the System > unavailable category is allow, all URL requests are allowed (fail open: the requests cannot be rated, so nothing is filtered). When the policy action for System > unavailable is block, the unavailable exception page is displayed for all URL requests (fail closed). WebPulse might be unreachable because of local connectivity issues, for example, a personal firewall that is blocking the traffic or a device that has no IP address.

If you decide to change or add to the default text, each exception page is customizable using the Management Console or the command line.

To customize exception pages:

1. Log in to the Client Manager's Management Console with administrator credentials.
2. Select Configuration > Clients > Web Filtering > Exceptions.
3. Customize the exception pages:
   a. From the Exception page for list, select a page type to customize:
      • Block: A URL request matches a block rule.
      • Warn: A URL request matches a warn rule.
      • Unavailable: WebPulse is not reachable.
   b. Customize the HTML page using any valid HTML code. The Substitution Variables list contains the variables that you can insert into the HTML to provide detailed information about the exception:
      • url: Displays the requested URL.
      • cs-categories: A full list of all categories that are assigned to the URL. Many URLs have more than one category.
      • cs-categories-exception: The category that caused the exception (the first one matched in the rule base).
      • override-url: Applies to the Warn exception page only.
      The default warn page override link HTML is:

      <a href="$override-url">Click here to continue anyway.</a>

      To add a variable to an exception page, place the cursor in the HTML code at the desired location, select a variable from the Substitution Variables list, and click Insert. There is no limit to the number of substitution variables per exception page.
   c. Click Apply.

Enable Web Filtering Logging

This section discusses web filtering logging in the following sections:

"About Web Filtering Logging"
"How to Enable Web-Filtering Logging" on page 64
"Configure Proxy Access to the FTP Server" on page 66
"Interpreting the Log Files" on page 66

About Web Filtering Logging

Analyzing user web browsing activity allows you to better customize your content-filter policies and to verify that your users are abiding by your organization's policies. You can configure Unified Agent to upload user web browsing activity logs to an anonymous FTP server at regular intervals or when the log file reaches a specified size. The log file is uploaded only when a Unified Agent device has access to the specified FTP server.

Note: Because log files are uploaded using anonymous FTP (no authentication, and the transfer itself is not encrypted), Blue Coat strongly recommends that you put your FTP server behind your firewall. Configure the FTP server as follows:

• To prevent the possibility of data loss, do not allow file overwrites.
• For security reasons, do not allow files in the FTP server's upload directory to be browsed. The logs contain user names, host names, and per-user browsing history.
• The FTP server must support passive FTP clients. Active FTP is not supported (in other words, log uploads will fail). If the FTP server is deployed behind a firewall, the firewall must be configured to allow FTP data connections over TCP ports higher than 1024.
• Placing an FTP server outside the firewall has the advantage that even mobile users can upload log files to it; however, it exposes the server and your company to malicious activity: anyone who can reach the server can upload to it, and if listing or overwriting is permitted, can read or destroy other users' logs.
How to Enable Web-Filtering Logging

This section discusses how to enable web-filtering logging. You need to know the location and directory path of the anonymous FTP server. You can also configure automatic upload options based on configurable thresholds. If either of the following configurable thresholds is exceeded, a log upload occurs as soon as a connection to the FTP server is possible:

• Length of time since the last upload
• Size in MB of the current log file

To enable and configure logging options:

1. Log in to the Client Manager's Management Console with administrator credentials.
2. Select Configuration > Clients > Web Filtering > Log. The Log page is displayed.
3. Select the Enable Logging check box.
4. Select one of the following logging options:
   • Log All: Log all web-browsing activity.
   • Log Exceptions Only: Add a log entry only when a policy exception occurs (blocks, warnings, and rating service unavailability).
5. In the FTP Server Connection section, edit the following information:

Table 5-9 FTP Server Connection settings

Settings for list: Select the type of host you are configuring: Primary FTP Server or Alternate FTP Server.

Hosts field: Enter the FTP server's fully-qualified domain name or IP address. Do not prepend ftp:// or uploads will fail.

Port field: Enter the FTP server's port; the default is 21. Make sure that your firewall allows FTP traffic through this port; change the port from the default only if your firewall and FTP server are configured accordingly.

Path field: Enter the relative path on the server to write the log files. A slash as the first character is optional; a slash as the last character will cause the upload to fail. Leave this field blank to specify the home directory. Examples:
   Right: /path/to/log/directory
   Right: path/to/log/directory
   Wrong: /path/to/log/directory/

To specify upload settings:

1.
Specify the parameters that control when Unified Agent uploads log files to the FTP server. Unified Agent uploads files according to the following rules:

• If the size threshold is exceeded before the time threshold is reached, the log files are uploaded "early."
• When the threshold values are exceeded for a mobile or offsite user because the device was not connected to the network for an extended period, an upload occurs as soon as Unified Agent can access the FTP server.
• If the amount of free disk space on the device drops below 10 MB, Unified Agent stops logging.

2. Edit the following information and click Apply:

Table 5-10 Log upload options

Upload periodically every: Hours (enter the number of hours) and Minutes (enter the number of minutes).
   Note: If you enter a non-zero value for both Hours and Minutes, the total amount of time is used. For example, if you enter 24 Hours and 10 Minutes, Unified Agent will attempt to upload the log every 24 hours and 10 minutes.

Start an early upload if log reaches: Enter the log file size, in megabytes, at which an early upload starts.

Note: Make sure the system clock on all Unified Agent devices is synchronized with the Client Manager's clock. (You can do this by configuring them to use the same time source, such as NTP.) Failure to do so will result in inaccurate log upload times and log ages.

Configure Proxy Access to the FTP Server

If Unified Agent requires a proxy server to upload log files, first make sure that the proxy server is an FTP proxy and not a proxy that accepts HTTP requests and forwards them as FTP. In addition, you must perform the following tasks on the Unified Agent device:

1. Start Internet Explorer.
2. Select Tools > Internet Options.
3. Click the Connections tab.
4. On the Connections tab page, click LAN Settings.
5.
Verify the following:
   • On the LAN Settings dialog, if the Use a proxy server for your LAN check box is selected, make sure the address of the proxy server is an FTP proxy.
   • If the check box is clear, click Advanced. In the Proxy Settings dialog, make sure the proxy server's address and port are listed in the fields next to FTP. If not, enter the address and port number of an FTP proxy in these fields.
6. Follow the prompts on your screen to accept the settings.

Interpreting the Log Files

The log-file format conforms to the W3C Extended Log File Format (ELFF). The header is as follows:

#Software: UnifiedAgent 4.7.1.xxxxxx
#Version: 1.0
#Fields: date time c-ip cs-username x-cs-auth-domain c-computername x-exception-id cs-categories cs-categories-exception cs(Referer) cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) r-ip

The following table defines the fields used in the log:

Table 5-11 Log fields

date: Date stamp in Coordinated Universal Time (UTC).
time: Time stamp.
c-ip: Client's IP address.
cs-username: Client's login user name.
x-cs-auth-domain: Client's domain name (if available).
c-computername: Client's device name.
x-exception-id: One of the following:
   • - (a dash) if the content is allowed.
   • content_filter_warned if the policy action is warn.
   • content_filter_denied if the policy action is block.
cs-categories: Semicolon-delimited categories for the content request.
cs-categories-exception: The first category match; in other words, the category on which the policy action shown by x-exception-id is based.
cs(Referer): Referring URL, if any.
cs-method: The method used in the content request (for example, GET).
cs-uri-scheme: The URI's scheme (http or https).
cs-host: The host portion of the URI.
cs-uri-port: The port used to access the URI.
cs-uri-path: The path relative to cs-host. If cs-uri-scheme is https, this field is blank.
cs-uri-query: Query string, if any. If cs-uri-scheme is https, this field is blank.
cs-uri-extension: File extension of the object.
cs(User-Agent): Information about the web browser that requested the object.
r-ip: Web server's public IP address.

Following is a sample log entry for content that was blocked (fields are separated by spaces; a dash marks an empty field):

2008-07-31 17:51:17 - joe.jones USA-TX-Austin LT-JOEJONES content_filter_denied "Vehicles" "Vehicles" - GET http www.mazdausa.com 80 / - - Mozilla/4.0 (compatible; MSIE 8.0; Windows 7; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) 129.33.107.81

In the preceding example, user joe.jones requested content from http://www.mazdausa.com and the content was blocked. The content was categorized as Vehicles, was requested by Internet Explorer 8, and was delivered from a web server with public IP address 129.33.107.81.

Configure Unified Agent Web Filtering (CLI)

To configure Unified Agent web-filtering settings:

1. Connect to the ProxySG appliance via SSH or Telnet. Prefer SSH: Telnet sends the login and enable passwords across the network in cleartext.
2. At the initial prompt, type en to enter enable mode. Enter the enable mode password.
3. At the #(config) command prompt, enter clients.
4. At the #(config clients) command prompt, enter web-filtering.
5. Configure web-filtering settings using the commands listed below.
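The log format of Table 5-11 and the blocked-content entry above, parsed and summarized as an added Python example written for this guide (it is not Blue Coat code or tooling). The #Fields header and the first entry follow the guide's sample; the second and third entries, the double quotes around the multi-word User-Agent value, and the helper names parse_elff(), categories(), full_url() and exceptions_by_user() are constructed for the example.

```python
"""Parse Unified Agent web-filtering logs (W3C Extended Log File Format).

Added illustration for this guide, not Blue Coat code. The header and the
first entry follow the guide's sample; the other two entries, the quoting of
the User-Agent value and the helper names are constructed. A dash ("-")
marks an empty field, as in the sample.
"""
import shlex
from collections import Counter

SAMPLE_LOG = """\
#Software: UnifiedAgent 4.7.1.xxxxxx
#Version: 1.0
#Fields: date time c-ip cs-username x-cs-auth-domain c-computername x-exception-id cs-categories cs-categories-exception cs(Referer) cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) r-ip
2008-07-31 17:51:17 - joe.jones USA-TX-Austin LT-JOEJONES content_filter_denied "Vehicles" "Vehicles" - GET http www.mazdausa.com 80 / - - "Mozilla/4.0 (compatible; MSIE 8.0; Windows 7)" 129.33.107.81
2008-07-31 17:52:03 10.0.0.5 joe.jones USA-TX-Austin LT-JOEJONES - "Search Engine/Portals" - - GET https www.google.com 443 - - - "Mozilla/4.0 (compatible; MSIE 8.0; Windows 7)" 192.0.2.46
2008-07-31 17:55:40 10.0.0.5 ann.lee USA-TX-Austin LT-ANNLEE content_filter_warned "Games;Entertainment" "Games" - GET http www.games.com 80 /index.html - html "Mozilla/4.0 (compatible; MSIE 8.0; Windows 7)" 192.0.2.10
"""

# x-exception-id values the guide documents, mapped to the policy action.
EXCEPTIONS = {"content_filter_denied": "block", "content_filter_warned": "warn"}


def parse_elff(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive.
    Column positions come from the header, not from fixed offsets, and an
    entry with the wrong field count or no preceding header raises."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields header")
        values = shlex.split(line)  # honours double quotes around multi-word values
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def categories(entry):
    """cs-categories is semicolon-delimited; return it as a list."""
    return entry["cs-categories"].split(";") if entry["cs-categories"] else []


def full_url(entry):
    """Rebuild the requested URL. For https the path and query are logged
    blank, so only scheme, host and port can be recovered."""
    scheme, host, port = entry["cs-uri-scheme"], entry["cs-host"], entry["cs-uri-port"]
    url = f"{scheme}://{host}"
    if port and port != {"http": "80", "https": "443"}.get(scheme):
        url += f":{port}"
    if entry["cs-uri-path"]:
        url += entry["cs-uri-path"]
        if entry["cs-uri-query"]:
            url += "?" + entry["cs-uri-query"]
    return url


def exceptions_by_user(entries):
    """Count block/warn exceptions per (user, action, deciding category).
    The deciding category is cs-categories-exception, the first rule matched."""
    counts = Counter()
    for e in entries:
        action = EXCEPTIONS.get(e["x-exception-id"])
        if action:
            counts[(e["cs-username"], action, e["cs-categories-exception"])] += 1
    return counts


if __name__ == "__main__":
    rows = list(parse_elff(SAMPLE_LOG))
    for r in rows:
        print(r["cs-username"], r["x-exception-id"] or "allowed", full_url(r), categories(r))
    print(exceptions_by_user(rows))
```

Driving the parser from the #Fields directive rather than fixed column numbers is what keeps the same code working when a future agent version adds or reorders fields, and the strict field-count check catches entries that were split by a value containing an unquoted space. The https entry shows why the deciding category is worth counting separately: with path and query blank, the category is the only policy evidence the log keeps for such requests.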
Web-filtering commands (the prompt is shown before each command):

#(config clients web-filtering) disable
#(config clients web-filtering) enable
#(config clients web-filtering) default-action {allow | block}
#(config clients web-filtering) {allow <category_name> | block <category_name> | warn <category_name>}
#(config clients web-filtering) {promote <category_name> | demote <category_name>}
#(config clients web-filtering) {promote-to-top <category_name> | demote-to-bottom <category_name>}
#(config clients web-filtering) failure-mode {open | closed}
#(config clients web-filtering) safe-search {disable | enable}
#(config clients web-filtering) https-filtering {disable | enable}
#(config clients web-filtering) user-group-rules <category_name>
#(config clients web-filtering <category_name>) {allow <category_name> | block <category_name> | warn <category_name>}
#(config clients web-filtering <category_name>) {promote <category_name> | demote <category_name>}
#(config clients web-filtering <category_name>) {promote-to-top <category_name> | demote-to-bottom <category_name>}
#(config clients web-filtering <category_name>) clear <category_name>
#(config clients web-filtering <category_name>) exit
#(config clients web-filtering <category_name>) view
#(config clients web-filtering) inline exception {block | allow | warn} <data end-of-file-marker>
#(config clients web-filtering) log
#(config clients web-filtering log) {disable | enable}
#(config clients web-filtering log) early-update <megabytes>
#(config clients web-filtering log) periodic-upload upload-interval <hours> [<minutes>]
#(config clients web-filtering log) ftp-client {alternate | primary} host <hostname port>
#(config clients web-filtering log) mode {all-requests | exceptions-only}
#(config clients web-filtering) view

Chapter 6: Monitor Unified Agent Performance

This chapter discusses the following topics:

"View Unified Agent History Statistics", below (Statistics > Clients > History): Usage statistics
that are related to the Unified Agents that are connected to the Client Manager (for example, number of clients, number of software updates, and number of configuration updates).

"Client Details" on page 70 (Statistics > Clients > Details): Information about active and inactive Unified Agents, such as user name, host name, operating system, whether web filtering is enabled in the client's location, size of log files, and data related to the Unified Agent software version.

View Unified Agent History Statistics

The ProxySG appliance that serves as the Client Manager aggregates Unified Agent statistics and displays them as charts for which you can select the time span.

To view Unified Agent statistics:

1. Log in to the Client Manager's Management Console as administrator.
2. Select Statistics > Clients > History.

Note: The following pages do not display Unified Agent-related information:
• BW Usage: Because Unified Agent does not support client-based acceleration, Unified Agents do not generate data in this graph. Only Windows-based ProxyClients are represented here.
• Active ProxyClients: This page displays active ProxyClients.
• ProxyClient Software Served: This page shows only ProxyClient software served.

Configurations Served Statistics

The Statistics > Clients > History > Configurations Served page displays how many times the ProxyClient and Unified Agent configuration files were downloaded from the Client Manager.

Active Unified Agent Statistics

The Statistics > Clients > History > Active Unified Agents page displays how many Unified Agents are active on the network. Any Unified Agent that does not report for 10 consecutive minutes is considered to be inactive.

Unified Agent Software Served

The Statistics > Clients > History > Unified Agent Software Served page displays how many times Unified Agent update software was downloaded by user devices.
Client Details

Detailed statistics for Unified Agents include information about host names, software version, file encryption, and web filtering features.

Unified Agent Details

To view Unified Agent detail statistics:

1. Log in to the Client Manager's Management Console with administrator credentials.
2. Select Statistics > Clients > Details > Client Details. The Client Details page is displayed.

Client Details Pages

The Client Details page displays the following client lists:

• General: For each user, this page displays information such as user name, domain, host name, host operating system, software version, last known status, age of last known status, location, and which features are enabled for that location.
• Acceleration: (ProxyClient 3.4 and earlier only) Not applicable for Unified Agent.
• Filtering: For each user, this page displays web filtering-related information such as user name, domain, host name, web filtering status, the age of the web filtering log, and the size of the web filtering log file.
• All: This page displays all information from the preceding pages.

Client List Columns

Consult Table 6-1 for a description of all of the columns for all of the client lists (General, Acceleration, Filtering, All). To filter on a specific column value, select a column from the Add Filter list, enter the attribute in the space provided, and click Add.

Table 6-1 All Columns in the Client Details Lists

User Name: Name of the user logged in to the client device.
Domain: Domain to which the Unified Agent device belongs.
Host Name: Device's host name.
OS: Client device operating system version information.
Type: Type of client: ProxyClient or Unified Agent.
Version: Software version.
Status: An icon shows whether the client is active or inactive. A client is reported as inactive if 10 minutes or more elapse between heartbeat packets it sends to the Client Manager.
Status Age: The length of time since the client last reported its status (either active or inactive) to the Client Manager.
Uninstall Protection: An icon shows whether an uninstallation password is configured. A client without one is not protected against local removal of the agent.
Location: The name of the client's location.
Acceleration: ProxyClient only. An icon shows whether acceleration is enabled in this client's location, or that it is disabled (or that this is a Unified Agent).
WebFilter: An icon shows whether web filtering is enabled or disabled in this client's location. The disabled icon can also indicate user tampering.
Web Filter Log Age: The age of this client's web filtering log file. Other values:
   • Error icon: Error in retrieving the data. Place your cursor over this symbol to view the error message. For more detailed information, collect the logs from the user's device (including the web filter trace file) as discussed in "Tracing Information" on page 83.
   • "—" (dash): Log age is not available, probably because the client is inactive. There could also be a problem preventing this client from uploading its logs to the FTP server. If the issue persists, collect logs from the user's device (including the web filter trace file) as discussed in "Tracing Information" on page 83.
   • n/a: Web filtering is not enabled for this client.
Web Filter Log Size: The size of the client's web filtering log file.
File Encryption: ProxyClient only. Consult the ProxyClient Administration and Deployment Guide on bto.bluecoat.com for more information.
Cache Size, Client Bytes, Server Bytes, ADN Peers: Acceleration-related columns; no description is given in the source, and acceleration applies to ProxyClient only.
IID: A globally-unique identifier assigned to every remote client in the network. A Unified Agent's IID starts with the string CL. An IID is similar to a Peer ID for appliances.
Options on All Client Detail Pages

Consult Table 6-2 for a description of options that are available on all client pages.

Table 6-2 Options that are available on every Client Detail page

Sort data by column: Click the name of a column to sort data by that column in either ascending or descending order. Column values are sorted by type; for example, numeric values are sorted numerically.

Filter data by column: You can optionally filter the data displayed on any page by certain columns displayed on that page. Filters are logically ANDed together.
   1. From the Add Filter list, click the name of a column to use to filter data. If you click the name of a column that has no predetermined values (like Username), a field is displayed next to the Add Filter list. If you click the name of a column that has predetermined values, a list of available values is displayed next to the Add Filter list.
   2. From the adjacent field or list, make a selection to use to filter the data. For example, if you clicked Username from the Add Filter list, enter all or part of a user name in the adjacent field. The matching criterion you enter is not case-sensitive. Filters are matched by substring; wildcard characters are not supported. For example, to search for a user name that contains the string proxy, enter proxy in the field.
   3. Click Add. This adds the filter and updates the data displayed on the page.
   4. Optional tasks:
      • To add another filter, repeat the preceding steps.
      • To edit an existing filter, click the link in the filter, make changes to filter settings, and click Add.
      • To delete an existing filter, click x next to the name of the filter.

Refresh the data: Click Refresh at the bottom of the page. It might take several minutes for configuration changes to be reflected on the page.
Download the data to a text file: Click Download at the bottom of the page and follow the prompts on your screen to save the text file on your device. The data displayed on that page is saved to the text file. Any filters or sorting options you chose are preserved.

At the bottom of each of the four pages the following information is displayed:

• Total displayed clients: The number of clients displayed on the page after filters are applied. When no filters are applied, the total is equal to all available clients.
• Available: The total number of clients (both active and inactive) that have contacted this Client Manager since the last time the client list was cleared. Use the #(config clients) clear {all | inactive} command to clear the client list. For more information, see "Clear Unified Agent Statistics" on page 24.

Note: Clients are automatically cleared after 30 days of inactivity. For an agent to be reported as inactive, 10 minutes or more must elapse between heartbeat packets that the Unified Agent sends to the Client Manager.

Client Version Count

The Client Version Count page (Statistics > Clients > Details > Client Version Count) displays the total number of active and inactive clients by software version number. For a client to be reported as inactive, 10 minutes or more must elapse between heartbeat packets it sends to the Client Manager.
Chapter 7: Troubleshoot Unified Agent

This chapter contains the following topics:

"The Unified Agent Status Window", below
"Unified Agent Menu Bar Icons" on page 77
"Troubleshoot Unified Agent Connectivity and Configuration" on page 78
"Unified Agent Troubleshooting Tools" on page 82
"Troubleshoot Unified Agent Web Filtering" on page 87
"Disputing URL Categorizations" on page 92

The Unified Agent Status Window

The Unified Agent status window enables users to provide information to administrators about status, and to enable trace logging (if necessary). Trace logging helps Blue Coat Support resolve issues.

To open the Unified Agent status window:

1. Double-click the Blue Coat menu bar icon. The Unified Agent status window displays information such as filter status, location, and local services.

Table 7-1 Status window fields

Filter Status: See "Web Filtering Status" on page 87.
Location: The location that Unified Agent has detected. See "Configure Location Awareness" on page 33.
   • default: No other locations match.
Local Services: Unified Agent service status:
   • Up: The daemon as well as the driver are running.
   • Down: One or both services is not running.
Network:
   • available: The device has network connectivity.
   • unavailable: The device does not have network connectivity.
Version: Unified Agent version information.
   • Current: The version that the device is running.
   • Latest: The newest version that is available from the Client Manager.

2. Click the Advanced tab. From the Advanced tab, you can initiate a request for configuration updates and view details about past updates. The Advanced tab also provides users with access to diagnostics text files that detail application operations such as log uploads and web filtering activity. A tracing option is also available for more advanced troubleshooting.
Unified Agent Menu Bar Icons

The table shows the state and meaning of the Unified Agent menu bar icon.

Table 7-2 Explanations of Unified Agent menu bar icons (the icon images are not reproduced here)

• Unified Agent is installed and functioning normally.
• Unified Agent is not filtering, for one of the following reasons:
   - The web filter license expired and the unlicensed category policy is Allow. See "Set the License-Expiration Action" on page 48.
   - Unified Agent cannot connect to the WebPulse service, and the unavailable category policy is Allow. See "Configure HTTPS Filtering and Safe Search" on page 53.
   - Unified Agent is in a location where web filtering is disabled. See "Configure Locations" on page 35.
   - A ProxySG (SWG auto detect) is handling the filtering.
• Unified Agent is not filtering but is blocking traffic.
• For web filtering errors, see "Client Details Page" on page 88 and "Tracing Information" on page 83.

Troubleshoot Unified Agent Connectivity and Configuration

This section describes how to troubleshoot connectivity- and configuration-related problems.

Suggested Remedies for Connectivity Errors

Blue Coat recommends troubleshooting the issue in the order presented in the following sections:

"Client Manager Communication Issues", below
"Resolve "Configuration Download Error"" on page 79

Client Manager Communication Issues

Open the Unified Agent status window to get more information about the problem.

Symptom: On the Status tab, the Filter Status field shows "Configuration Download Error." On the Advanced tab the following fields show n/a:
• Last Configuration Change
• Last Successful Update Check

Cause: The client cannot contact the Client Manager to get a configuration after the initial installation of Unified Agent software.
Resolution: Click the Change button near the Client Manager Address field to change the hostname or IP address of the Client Manager. To see which IP or host name to use, go to "Client Manager Address" on page 79.

Web Filtering and Proxy Servers

Integrated Windows Authentication (IWA) is supported for proxy servers. If your proxy server uses IWA authentication, or if it uses no authentication, clients can communicate with the Client Manager and can perform web filtering. IWA authentication to the proxy server is transparent to Unified Agent users. If a proxy server is required for Internet access, the IWA credentials are used to contact the WebPulse cloud service to get a rating for a URL request made from the Unified Agent device.

Resolve "Configuration Download Error"

If the Unified Agent device has not downloaded a configuration since the software was first installed, check the following:

VPN Client: If the user requires VPN to connect to the network, verify that the user's VPN client is running.

Third-Party Applications: Third-party products such as anti-virus or personal firewalls must allow Unified Agent (bcua-service) to run and to communicate with Internet ports 80, 443, 21, and 53 (HTTP, HTTPS, FTP log upload, and DNS) and with the Client Manager over its listening port (default: 8084).

Network Settings: On the Unified Agent device, verify that network settings such as the default gateway are properly set.

Client Manager Address: Verify that the Client Manager address has been properly set for the Unified Agent.

1. Open the Blue Coat Unified Agent status window.
2. Click the Advanced tab to see the Client Manager Address setting.
3. Log in to the Client Manager's Management Console.
4. Select Configuration > Clients > General.
5. The value of Host determines which address is displayed in the Unified Agent status window.
Table 7-3 Description of Host values

Use host from initial client request: During Unified Agent installation from the Client Manager, the UnifiedAgentConfig.xml file sets the IP address in response to the client's initial request for configuration files. In the Client Manager's Management Console select Configuration > General > Identification. The value of IP address is the Client Manager's default IP address, which is the IP address you must use as the Client Manager URL. (If you specified a host name, verify that the host name resolves to this IP address.)

Use host: The Unified Agent device downloads the web filtering configuration from the host name or IP address that is specified here. This option can be used to migrate users from one Client Manager to another, or it can be used if you have multiple, load-balanced Client Managers. If you are using this host value, check your DNS or load-balancer configurations as follows:
• If you have one Client Manager, check its DNS configuration to verify that the host name resolves to the Client Manager's default IP address on Configuration > General > Identification.
• A load balancer typically advertises one virtual IP (VIP) address. If you have multiple Client Managers behind the load balancer, enter the load balancer's VIP in the Use host field.

6. Is the value in Client Manager Address the same as the Host value?
   • Yes: Continue to the next step.
   • No: Click the Change button next to Client Manager Address and enter the new value.
7. Click Check for configuration update to force the client to validate the URL and get a configuration update immediately.
8. Compare Last Configuration Change: <date stamp> <timestamp> with Last Successful Update Check: <date stamp> <timestamp>. If the two fields are identical, the update was successful.
Resolve "Error downloading configuration file"

If the Unified Agent device has not successfully downloaded a configuration update for an extended period, check the following:

Certificate Error: During initial Unified Agent installation (silent and manual), the Client Manager's certificate will not be trusted if the hostname in the CM_URL and the common name (CN) in the Certificate Signing Request (CSR) it was issued from are different. In this case, Unified Agent appears to accept the certificate, but the configuration file is not downloaded. To resolve the problem, create a new CSR whose CN is identical to the hostname in the CM_URL.

Proxy Settings: Make sure the same proxy settings are properly configured on the Unified Agent device. For Windows systems, open the Internet Properties dialog from the Network and Sharing Center (Internet Options under See also). On the Connections tab, click LAN Settings to set a network proxy.

Status Messages: In the Unified Agent status window, click the Status tab. Check Unified Agent Status for any error messages. Consult Table 7-4 below to interpret the message.

Log Messages: In the Unified Agent status window, click the Advanced tab. Under Diagnostics, click Show File and look for any of the following messages:

Table 7-4 Unified Agent communication errors and suggested solutions

Messages:
   Log: Detected Location Change. Switching from [x] to [y]
   Status: Network not available
Cause: The device was connected to a network but then moved to a location without network access, such as moving out of the range of a Wi-Fi network or connecting to a defective Ethernet jack. Unified Agent detects the change from being connected to a network to not having network connectivity.
Resolution: Restore network connectivity. Refer to "Resolve "Configuration Download Error"" on page 79.

Messages:
   Log: Error downloading
configuration file
   Status: Couldn't connect to server

Unified Agent Troubleshooting Tools

The tools discussed in this section should be employed with administrator assistance:

Table 7-5 Troubleshooting tools

"Diagnostic Files" on page 82: Collects Unified Agent process information and provides more details than the log file. Location: Advanced tab, under Diagnostics.
"Tracing Information" on page 83: Enables users to collect detailed information about web filtering and configuration updates. Location: Advanced tab; under Tracing, click Open Console.

Diagnostic Files

Unified Agent diagnostic files contain information about general Unified Agent operation, web filtering, software upgrades, and configuration updates. Data collection (traces) allows users to send files containing Unified Agent process data that Blue Coat Support can use to diagnose issues.

To get detailed diagnostic files:

1. Open the Blue Coat Unified Agent Status window and click the Advanced tab.
2. On the Advanced page, click Show File.
3. The diagnostic file is copied to the desktop, and Windows Explorer opens to display the file. Unified Agent names the diagnostic files as follows:
   Unified_Agent_Diag_<creation_date><creation_time>.txt

Tracing Information

Blue Coat Support may ask you to collect trace information to troubleshoot problems, including content filtering issues.

Trace Levels

Unified Agent trace files are filtered by level, such that only messages at the current trace level and lower are logged. By default, levels three and below are logged.

Table 7-6 Trace levels

Level   Name           Comment
0       eTraceEmerg
1       eTraceAlert
2       eTraceCrit
3       eTraceErr      Default.
4       eTraceWarn
5       eTraceNotice
6       eTraceInfo
255     eTraceDebug    Generates the most messages. Use only for short periods.

To set a new trace level using the registry:

1.
In the Windows Start menu, launch the Registry Editor: 2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Blue Coat Systems\Unified Agent. 3. Create string values as follows. Specify only one value for TraceLevel: Table 7-7 String Values Key Value TraceLevel 0–6, 255 EnableTrace yes To set a new trace level using the command line: 1. Open a command prompt as Administrator. 2. Execute the following commands: "c:\Program Files\Blue Coat Systems\Unified Agent\bcua-service.exe" -p EnableTrace=yes "c:\Program Files\Blue Coat Systems\Unified Agent\bcua-service.exe" -p TraceLevel=<0–6, 255> 84 Chapter 7: Troubleshoot Unified Agent To start tracing: 1. Open the Blue Coat Unified Agent status window and click the Advanced tab. 2. Click Start Tracing. 3. Reproduce the issue. For example, if the user reports that they are unable to browse to websites in the Games category, browse to a site in that category that the user cannot access, such as www.games.com. After reproducing the issue, go back to the Unified Agent status window and click Stop Tracing. 85 Unified Agent: Deployment and Administration Guide for Windows 4. Click Open Trace Folder. On Windows systems the default trace‐file location is C:\ProgramData\bcua\TraceFiles. Note: ETL files are not user‐readable. 5. Send the appropriate .etl file to Blue Coat Support with detailed information about what caused the issue. 86 Chapter 7: Troubleshoot Unified Agent Troubleshoot Unified Agent Web Filtering This section discusses the following topics related to diagnosing and resolving issues with Unified Agent web filtering: "Tools for Web-Filtering Troubleshooting", below "Troubleshoot Web Filtering" on page 88 Tools for Web-Filtering Troubleshooting The Unified Agent status window and the Client Manager’s Statistics > Clients > Details pages assist you with troubleshooting web filtering issues. 
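The following PowerShell script is an added example for this chapter; it is not code from the Blue Coat guide or from the Unified Agent product. It automates the Windows-side checks from "Resolve “Error downloading configuration file”" above (the LAN proxy settings, and whether the CN or a DNS SAN of the certificate the Client Manager serves matches the CM_URL hostname) and the registry method from "Tracing Information" (the EnableTrace and TraceLevel string values of Table 7-7). Everything the guide does not state is an assumption: the CM_URL https://cm.example.com is a placeholder for your own, the function names are mine, and the SAN parsing assumes Windows renders the extension as "DNS Name=<host>" entries.

```powershell
# Added example, not part of the Blue Coat guide or the Unified Agent product.
# Windows-side checks for "Resolve 'Error downloading configuration file'" (proxy settings and
# Client Manager certificate name) and for "Tracing Information" (trace level via the registry).
# Run from an elevated PowerShell prompt on the Unified Agent device.
# Assumptions not taken from the guide: the Client Manager URL is supplied by the caller as -CmUrl
# (https://cm.example.com below is a hypothetical placeholder), and the SAN extension is rendered
# by Windows as "DNS Name=<host>" entries.

$UaKey       = 'HKLM:\SOFTWARE\Blue Coat Systems\Unified Agent'   # registry key documented above
$TraceFolder = 'C:\ProgramData\bcua\TraceFiles'                  # default trace folder documented above
$TraceNames  = @{ 0 = 'eTraceEmerg'; 1 = 'eTraceAlert'; 2 = 'eTraceCrit'; 3 = 'eTraceErr'
                  4 = 'eTraceWarn';  5 = 'eTraceNotice'; 6 = 'eTraceInfo'; 255 = 'eTraceDebug' }

# Proxy settings: Internet Options > Connections > LAN Settings is stored per user under this key.
function Get-WinInetProxy {
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer       # host:port, or "http=...;https=..." per protocol
        AutoConfigUrl = $p.AutoConfigURL     # PAC script URL, if one is used
        BypassList    = $p.ProxyOverride
    }
}

# Certificate check: the CN (or a DNS SAN) of the certificate the Client Manager serves must equal
# the hostname in CM_URL; otherwise the agent appears to accept it but never downloads the config.
function Test-ClientManagerCertificate {
    param([Parameter(Mandatory)][uri]$CmUrl)

    $tcp = New-Object System.Net.Sockets.TcpClient($CmUrl.Host, $CmUrl.Port)
    try {
        # The callback accepts any chain on purpose: this inspects the name, it does not decide trust.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($CmUrl.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san = @()
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($ext) {
        # Assumption: Windows formats the extension as "DNS Name=a.example.com, DNS Name=b, ..."
        $san = [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }

    [pscustomobject]@{
        Host        = $CmUrl.Host
        CN          = $cn
        SANs        = ($san -join ', ')
        NotAfter    = $cert.NotAfter
        NameMatches = ((@($cn) + $san) -contains $CmUrl.Host)   # case-insensitive, like DNS
    }
}

# Trace level: the same two REG_SZ values that Table 7-7 has you create in the Registry Editor.
function Set-UnifiedAgentTraceLevel {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2, 3, 4, 5, 6, 255)][int]$Level)

    if ($Level -eq 255) { Write-Warning 'eTraceDebug generates the most messages; use it only for short periods.' }
    New-ItemProperty -Path $UaKey -Name 'EnableTrace' -Value 'yes'    -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $UaKey -Name 'TraceLevel'  -Value "$Level" -PropertyType String -Force | Out-Null

    $v = Get-ItemProperty -Path $UaKey
    'EnableTrace={0} TraceLevel={1} ({2})' -f $v.EnableTrace, $v.TraceLevel, $TraceNames[[int]$v.TraceLevel]
}

# Usage
Get-WinInetProxy
Test-ClientManagerCertificate -CmUrl 'https://cm.example.com'   # hypothetical CM_URL
Set-UnifiedAgentTraceLevel -Level 6                              # eTraceInfo and below
Get-ChildItem -Path $TraceFolder -Filter '*.etl' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object Name, Length, LastWriteTime
```

Run it elevated, because the registry writes target HKLM. NameMatches reports only whether the served certificate carries the CM_URL hostname; the validation callback deliberately accepts any chain, so a True result says nothing about whether the issuing CA is trusted on the device. Setting the trace level through the registry takes effect for the Unified Agent service in the same way as the documented bcua-service.exe -p commands.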
Web Filtering Status

The Unified Agent status window indicates the current status of web filtering on the Status page. Filter Status: Running indicates that web filtering is operating normally. Table 7-8 describes the other status messages for web filtering:

Table 7-8 Status messages for web filtering

  Filter Status: Disabled due to Location
  Description:   Web filtering is disabled in the Unified Agent device’s current location. For more information about locations, see "Configure Location Awareness" on page 33.

  Filter Status: Delegated to a Blue Coat Security Gateway
  Description:   A ProxySG was detected on the network, so web filtering is being performed by the ProxySG. For more information, see "Configure Web Filtering Auto-Detection" on page 40.

  Filter Status: Ratings service unavailable
  Description:   WebPulse is not reachable. As a result, the policy action for the unavailable category is being applied.

  Filter Status: Unlicensed
  Description:   The Blue Coat WebFilter license on the Client Manager is invalid.

Client Details Page

On the Client Manager, select Statistics > Clients > Details > Client Details > Filtering. If (disabled) is displayed in the WebFilter column for a device that is in a location where Unified Agent web filtering is enabled, the user may have tampered with the web-filter daemon. See "Unified Agent Tamper Resistance" on page 19.

Troubleshoot Web Filtering

The following sections provide methods to diagnose web filtering issues reported by users:
  "Users Are Receiving Blocked or Warn Messages", below
  "Expired Unified Agent Web-Filtering License" on page 89
  "Disputing URL Categorizations" on page 92

Users Are Receiving Blocked or Warn Messages

The most common complaint you are likely to receive from users is that Unified Agent denies access to a web site that they believe does not violate the web-use policy. A page might be blocked or warned for the following reasons:
  WebPulse returned a category for the URL that triggers a block. The exception page displays the category that caused the block action.
  WebPulse did not return a category, and the policy for the none category is to block.
  WebPulse is not available, and the policy for the unavailable category is to block. WebPulse might be unavailable because of networking and configuration issues. Also make sure that personal firewalls on the Unified Agent device are not blocking the WebPulse service.
  The Unified Agent web filtering license has expired on the Client Manager, or the Client Manager does not have a current BCWF database. The Unified Agent status window displays Filter Status: Unlicensed.
  Some images on requested pages are not displayed, most likely because subsequent requests made by an allowed web page fall into a blocked category. For example, an advertisement on an allowed web page might contact a blocked site. Advise your users that this is expected behavior.

Detailed information for most of these events can be seen in the Advanced Web Filtering Diagnostics text file (see "Tracing Information" on page 83).

Various actions to remedy unwanted block (and warn) actions are available, depending on the reason for the block action:
  Add the URL to a custom category or local database that has an Allow action; that is, create a whitelist. Move this category above the category that is causing the block action, so that the allow action is processed first.
  Dispute the WebPulse rating by submitting a request for categorization change. See "Disputing URL Categorizations" on page 92.
  Consider these options:
  • Change the order of the rules in the rulebase.
  • Change the policy action for a category to Allow.
  • Change the policy action to Allow for the none or unavailable categories.
  • Change the BCWF license On Expiration policy action to Allow All. This option is valid only if you are authorized to change your organization’s compliant-browsing policy.
  Note that the last two options make the filter fail open: every request that WebPulse cannot rate, or every request once the license has expired, is allowed rather than blocked.
Expired Unified Agent Web-Filtering License

If the Unified Agent filter status shows Unlicensed, the BCWF license is no longer valid or the URL database has not been refreshed in the last 30 days.
1. Log in to the Client Manager with administrator credentials and select Configuration > Clients > Web Filtering > Policy.
2. The Web Filter License field shows whether your license is valid.
3. To obtain more information, select Configuration > Content Filtering > Blue Coat.
4. From Data Source, select WebFilter and click View Download Status.

Table 7-9 Database update success messages

Full database:
  Blue Coat download at: 2014/04/04 22:24:00 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting initial database
  Download size: 8588
  Database date: Fri, 04 Apr 2014 18:50:05 UTC
  Database expires: Tue, 19 Jan 2040 03:14:05 UTC
  Database version: 1
  Database format: 1.1

Differential update:
  Blue Coat download at: 2015/06/03 15:52:34 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting differential update
  Download size: 3124
  Added 255 entries to update cache
  Update cache entries: 4941
  Update cache version: 351540236
  Total applications: 179
  Differential update applied successfully

The following table shows sample error messages with suggestions about how to correct the error.

Table 7-10 Database update failure messages

Failure message:  ERROR: Socket connect error
Suggested remedy: The Client Manager cannot contact the BCWF URL for one of the following reasons:
  • The URL is incorrect. Select Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the URL field against the information provided with your web filtering license. Try clicking Set to default and then retry the download.
  • Network issues prevent the Client Manager from reaching list.bluecoat.com. Log in to the Client Manager over SSH and ping the BCWF host:
      > ping list.bluecoat.com
    If the ping fails, verify that router and firewall configurations permit the Client Manager to reach the site. A successful ping proves only that ICMP is allowed; the download itself is made over HTTPS, so also confirm that outbound TCP port 443 to list.bluecoat.com is permitted.

Failure message:  ERROR: HTTP 401 - Unauthorized
Suggested remedy: Either the user name or the password you specified is incorrect. Select Configuration > Content Filtering > Blue Coat WebFilter and verify the value of the Username field. Click Change Password and enter your password again in the provided fields. When you are finished, click Apply.

For more information about other options, click Help or see the section on configuring Blue Coat WebFilter in the “Filtering Web Content” chapter of the SGOS Administration Guide.

Disputing URL Categorizations

If users report that they are blocked from accessing a web site that should normally be allowed, first make sure the problem is not caused by improper ordering of categories in the web filter rulebase. This is particularly likely when a single URL is listed in multiple categories. See "Web Filtering Best Practices" on page 60 for more information.

If BCWF is blocking access to the web site and you disagree with the URL’s categorization, submit the web site for review, stating Unified Agent as the web filter source.

To dispute a WebPulse rating:
1. Navigate to the WebPulse Site Review Request page: http://sitereview.bluecoat.com
2. In the space provided, enter the URL to be reviewed and click Check Rating. The result is displayed.
3. From the Filtering Service drop-down, select Blue Coat Unified Agent.
4. From the Select a Category list, select the category that you believe the site should belong to. Optionally, select a category from the Second Category list. Click Descriptions to see the criteria that Blue Coat uses to categorize URLs.
5. (Optional) Select Send results of the review via email if you want Blue Coat to notify you of the verdict.
6. In the Comments and Site Description field, enter a detailed message to the Blue Coat site reviewers explaining your reason for disputing the rating.
7. Click Submit for Review.
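The following PowerShell script is an added example for the "Expired Unified Agent Web-Filtering License" procedure above; it is not code from the Blue Coat guide or from the Client Manager. It parses the text that View Download Status shows (the message formats of Tables 7-9 and 7-10) and reports whether the last download succeeded, which of the guide's remedies applies to an ERROR line, and whether the database is older than the 30-day refresh window that produces Filter Status: Unlicensed. The two status texts in the script are constructed samples built from the messages in those tables, the function and parameter names are mine, and the rule that a full download counts as successful once its "Database format" line appears without an ERROR is an assumption.

```powershell
# Added example for "Expired Unified Agent Web-Filtering License"; not part of the Blue Coat guide
# or the Client Manager. Parses the View Download Status text (Tables 7-9 and 7-10) and reports
# success/failure, the guide's remedy for a known ERROR, and whether the database is stale.
# The two samples are constructed from the message formats in those tables.

$SuccessSample = @'
Blue Coat download at: 2015/06/03 15:52:34 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
Requesting differential update
Download size: 3124
Added 255 entries to update cache
Update cache entries: 4941
Update cache version: 351540236
Total applications: 179
Differential update applied successfully
'@

$FailureSample = @'
Blue Coat download at: 2015/07/20 02:00:11 +0000
Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
ERROR: Socket connect error
'@

# Failure messages from Table 7-10, keyed by a regex, with the remedy the guide gives for each.
$Remedies = [ordered]@{
    'Socket connect error' = 'Verify the BCWF URL (try Set to default) and that the Client Manager can reach list.bluecoat.com on TCP 443.'
    'HTTP 401'             = 'Re-enter the WebFilter Username, use Change Password to re-enter the password, then click Apply.'
}

function Get-BcwfDownloadStatus {
    param(
        [Parameter(Mandatory)][string]$Text,
        [datetime]$Now = [datetime]::UtcNow,   # pass a fixed UTC time for repeatable results
        [int]$MaxAgeDays = 30                  # refresh window stated in the guide
    )
    $inv = [cultureinfo]::InvariantCulture
    $utc = [System.Globalization.DateTimeStyles]([System.Globalization.DateTimeStyles]::AssumeUniversal -bor
                                                 [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    $r = [ordered]@{ LastDownload = $null; Type = 'unknown'; Succeeded = $false
                     Error = $null; Remedy = $null; Expires = $null; AgeDays = $null; Stale = $true }

    foreach ($line in ($Text -split "`r?`n")) {
        switch -Regex ($line) {
            # "Blue Coat download at: 2015/06/03 15:52:34 +0000": local timestamp plus a +hhmm/-hhmm offset
            '^Blue Coat download at: (\S+ \S+) ([+-])(\d{2})(\d{2})$' {
                $local  = [datetime]::ParseExact($Matches[1], 'yyyy/MM/dd HH:mm:ss', $inv)
                $offset = New-TimeSpan -Hours ([int]$Matches[3]) -Minutes ([int]$Matches[4])
                if ($Matches[2] -eq '-') { $offset = $offset.Negate() }
                $r.LastDownload = [datetime]::SpecifyKind($local - $offset, 'Utc')
            }
            '^Requesting initial database'              { $r.Type = 'full' }
            '^Requesting differential update'           { $r.Type = 'differential' }
            # Success indicators: a full download ends with the database header (assumption), a
            # differential one with an explicit "applied successfully" line (Table 7-9).
            '^Database format: '                        { if (-not $r.Error) { $r.Succeeded = $true } }
            '^Differential update applied successfully' { if (-not $r.Error) { $r.Succeeded = $true } }
            '^Database expires: (.+) UTC$' {
                $r.Expires = [datetime]::ParseExact($Matches[1], 'ddd, dd MMM yyyy HH:mm:ss', $inv, $utc)
            }
            '^ERROR: (.+)$' {
                $r.Succeeded = $false
                $r.Error     = $Matches[1].Trim()
                $key = $Remedies.Keys | Where-Object { $r.Error -match $_ } | Select-Object -First 1
                $r.Remedy = if ($key) { $Remedies[$key] } else { 'Unlisted error: see "Filtering Web Content" in the SGOS Administration Guide.' }
            }
        }
    }

    if ($r.LastDownload) {
        $r.AgeDays = [int][math]::Floor(($Now.ToUniversalTime() - $r.LastDownload).TotalDays)
        # Stale if the last attempt failed or the last download is outside the refresh window
        $r.Stale   = (-not $r.Succeeded) -or ($r.AgeDays -gt $MaxAgeDays)
    }
    [pscustomobject]$r
}

# Usage: a fixed "now" makes the constructed samples reproducible.
$asOf = [datetime]::SpecifyKind([datetime]'2015-07-21 00:00:00', 'Utc')
Get-BcwfDownloadStatus -Text $SuccessSample -Now $asOf
Get-BcwfDownloadStatus -Text $FailureSample -Now $asOf
```

With the fixed time of 21 July 2015, the first sample is a successful differential update that is 47 days old, so Stale is True even though Succeeded is True, which is exactly the case that leaves the agent reporting Unlicensed with a valid license. The second sample has no success line and an ERROR line, so it reports the socket error together with the Table 7-10 remedy. Paste the real View Download Status text into -Text to run the same checks against a Client Manager.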