SECURE ICAP Gateway Blue Coat Implementation Guide

Blue Coat Implementation Guide
Technical note
Version 1.0
Product Information
Partner Name
Blue Coat Systems, Inc.
Web Site
Product Name
Version & Platform
SGOS 6.5
Product Description
Blue Coat ProxySG appliances offer a comprehensive foundation for
the Blue Coat Secure Web Gateway solution and advanced WAN
Optimization feature sets. ProxySG appliances combine highperformance hardware with Blue Coat SGOS, a custom, objectbased operating system that enables flexible policy control over
content, users, applications and protocols.
Blue Coat Implementation Guide
Revision 1.0, December, 2013
Published by Clearswift Ltd.
© 1995–2013 Clearswift Ltd.
All rights reserved.
The materials contained herein are the sole property of Clearswift Ltd unless otherwise
stated. The property of Clearswift may not be reproduced or disseminated or transmitted
in any form or by any means electronic, mechanical, photocopying, recording, or
otherwise stored in any retrievable system or otherwise used in any manner whatsoever,
in part or in whole, without the express permission of Clearswift Ltd.
Information in this document may contain references to fictional persons, companies,
products and events for illustrative purposes. Any similarities to real persons, companies,
products and events are coincidental and Clearswift shall not be liable for any loss
suffered as a result of such similarities.
The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All
other trademarks are the property of their respective owners. Clearswift Ltd. (registered
number 3367495) is registered in Britain with registered offices at 1310 Waterside,
Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure
that they comply with all national legislation regarding the export, import, and use of
Clearswift reserves the right to change any part of this document at any time.
Page 2 of 12
Blue Coat Implementation Guide
1 Introduction ................................................................................ 4 2 Architecture Overview ................................................................... 4 3 Clearswift SECURE ICAP Gateway Configuration ..................................... 5 4 Blue Coat ProxySG Configuration ....................................................... 6 5 Feature List ...............................................................................11 5.1 Certified Platform ...................................................................11 5.2 Feature List ..........................................................................11 Page 3 of 12
Blue Coat Implementation Guide
1 Introduction
The Clearswift SECURE ICAP Gateway is an ICAP server that provides all the
Clearswift Content inspection functionality to Blue Coat ProxySG product.
This document describes the steps to take when deploying and integrating both
2 Architecture Overview
The Blue Coat ProxySG is a scalable, high performance web security product that
can extend its capabilities through the addition of external components. The
communication between the different elements is performed using the Internet
Content Adaptation Protocol (ICAP). In such configurations, the ProxySG performs
the communication between the user and the Internet, redirecting the selected
requests or responses to the available ICAP servers.
Blue Coat ProxySG
Clearswift SECURE ICAP Gateway
This configuration allows Blue Coat clients to take advantage of the Clearswift
deep content inspection and adaptive redaction functionality and its ability to
protect an organization’s critical information assets.
Page 4 of 12
Blue Coat Implementation Guide
3 Clearswift SECURE ICAP Gateway Configuration
The Blue Coat ProxySG acts as an ICAP client, as it sends requests for content to be
inspected. The Clearswift ICAP Gateway act as an ICAP server, as it responds to
requests made by the ProxySG.
The ICAP Gateway only scans requests from registered ICAP clients’ served. Thus,
the IP address that the ProxySG will be using to communicate to the ICAP Gateway
is required in order to perform the configuration.
Configuration is done on the “ICAP Server Configuration” page, available under the
System menu.
In the ICAP Clients area all of the ProxySG deployed servers must be configured.
The Clearswift ICAP Gateway is configured to listen on the port 1344, the default
ICAP communications port. This can be modified if required through the
configuration page.
The Blue Coat ProxySG will receive requests from users to access content from the
Internet and obtain responses from web servers. Each of these can be sent for
inspection in the ICAP Gateway. However, each is treated in a different manner. In
Page 5 of 12
Blue Coat Implementation Guide
order to identify them individually, different service URLs are used. These can be
defined in the “ICAP Services Configuration” box, including whether message
previewing option will be accepted or not.
Additionally, the Clearswift SECURE ICAP Gateway can be configured to log specific
actions and to have an appropriate logging level.
It must be noted that a high log level can have a negative performance impact on
the platform.
4 Blue Coat ProxySG Configuration
The Blue Coat ProxySG allows creating policies to send content for inspection by
the ICAP Gateway. The following steps should be taken as a basic configuration
guideline, and never be taken as the optimum configuration.
It is required that the configuration is done by an administrator with working
knowledge of the platforms involved.
The entire configuration of the ProxySG is done through the management web
interface. The steps to redirect the users’ requests and responses follow:
1. Connect to the Blue Coat web interface. Open a web browser and point it to
2. Login to the web UI using the administrator user and password.
Page 6 of 12
Blue Coat Implementation Guide
3. In the Blue Coat Management UI, browse to ICAP Services configuration
under the “External Services” option in the “Configuration” tab.
4. Configure both the policy_sevice_req and the policy_service_resp services
to point to the SECURE ICAP Gateway and to the appropriate service URL. In
the response service the “Preview” option must be selected with a size of 0.
Page 7 of 12
Blue Coat Implementation Guide
5. ICAP feedback can be configured, such as when to show the patience page
to the user while the inspection takes place.
6. A pool of SECURE ICAP Gateways can be configured so that ProxySG will
make requests evenly through the pool. In order to do that, a Service Group
needs to be configured containing the available ICAP Gateways.
Once the basic configuration has been done, the policy needs to be set up so that
the selected requests or responses are sent to the SECURE ICAP Gateway for
inspection. This process will usually be performed on an existing ProxySG. Thus,
the policy will need to be modified for the redirection.
As a simple reference, the following steps show how to configure a basic policy for
inspecting requests from users and responses from servers.
1. Launch the Visual Policy Manager by clicking in the Launch button as shown
in the image below.
Page 8 of 12
Blue Coat Implementation Guide
2. In the appropriate Web Content Layer policy set a new action object.
3. Select the previously created ICAP services so that the content that hits this
rule is redirected to the ICAP Gateway for inspection.
Logs provide information to validate that the integration has been properly done.
1. Enable access logging by selecting the option in the web interface and
clicking the Apply button.
Page 9 of 12
Blue Coat Implementation Guide
2. In the log tail of the main log, new entries should be shown with “404
TCP_NC_MISS” which correspond to the tests that the ProxySG does to
validate that the ICAP Gateway is running.
The policy must be installed in order to be applied.
Page 10 of 12
Blue Coat Implementation Guide
5 Feature List
5.1 Certified Platform
Certification Environment
Product Name
Clearswift SECURE ICAP Gateway
Blue Coat Proxy SG
Version Information
300 Series
500 Series
Operating System
Virtual Appliance
SGOS 6.5.1
5.2 Feature List
ICAP server
Connect to existing ICAP clients within your infrastructure. Supported ICAP client: Blue
Coat Proxy SG
Flexible deployment options: Hardware,
Software image, VMware vSphere
Provides full flexibility to adapt to your organization’s IT strategy.
Active Directory (AD) / LDAP integration
Full user-based policy control for flexible policy and audit reporting by group or individual.
Flexible and granular policy controls
Easily define policies to enable and allow Web 2.0 usage while minimizing risk.
Facebook, LinkedIn, Twitter and YouTube
Allow access to Web 2.0 sites, but only to content and features allowed by your policy.
Policy direction to provide additional context Prevent certain file types, e.g. spreadsheets, from being uploaded but allow them to be
Customizable block pages
Educate users by providing personalized feedback on their actions.
Data Loss Prevention
Adaptive Redaction: Data Redaction
Modify content in real time to avoid delaying business processes while
protecting sensitive information.
Adaptive Redaction: Document Sanitization
Prevent hidden information within documents (e.g. metadata, properties, or
quick save data) from being leaked.
Adaptive Redaction: Structural Sanitization
Detect and strip active content from documents and HTML pages to protect
from APT’s and unknown threats.
Clearswift Information Governance Server
integration (Optional)
Detect full or partial files being uploaded or downloaded. Allow tracking of any
information traversing the SECURE ICAP Gateway.
External data source connection
Accurately identify data from your databases that is found in transit.
Lexical analysis and regular expression rules Search file content for key words and phrases using simple or more complex
pattern matching to identify sensitive data in over 200 character encodings.
Pre-defined sensitive data templates
Identify credit card, bank account, social security and national security
Compliance dictionaries
Multi-language editable compliance dictionaries including GLBA, HIPAA, SEC,
SOX, PCI and PII to minimize risks.
Predefined Tokens
Multiple, including: Credit Card, Social Security, IBAN, National Insurance, Tax
file number, German Identity, Business Identifier Code
MIMEsweeper true ‘binary file-type’
Accurate binary based identification with the ability to define own file
Bi-directional virus and anti-malware
Stops known and unknown malware infection entering or leaving the network.
Bi-directional anti-spyware scanning
Stops spyware, adware, key loggers and spyware call homes from infected
URL filtering database with 84 categories
Prevents access to inappropriate sites and provides context for web reports.
Malware, Phishing and Spyware categories
Prevents access to known high risk URLs and sites with hourly updates.
Page 11 of 12
Blue Coat Implementation Guide
Real-time categorization engine
Prevents access to new or uncategorized sites with inappropriate content.
Content aware recursive inspection
Decomposes the requests and responses to provide true detection of content
like executables even when embedded in other file types or compressed
Management and Reporting
Intuitive web-based interface
Ease of use and no requirement to learn complex syntax or operating system
Pre-defined customizable reports
Easy to modify, run and share graphical reports with intuitive drill down.
Scheduled reporting
Allows create once, run and distribute many times with circulation via email.
Multi-Gateway consolidated reporting
Consolidated reporting view of user’s activities for easier analysis and sharing of
management data.
SNMP, SMTP Alerting
Facilitates ‘lights out’ data center deployment using SNMP or SMTP
management alerts.
Page 12 of 12