
Reverse Proxy Deployment Guide
PDF of the Online WebGuide

SGOS 6.5.x and Later

Blue Coat Systems, Inc Reverse Proxy Deployment Guide

Third Party Copyright Notices


2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,
INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE,
POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS
APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the
Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of
Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the
absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using
the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective
owners. This document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN
THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA
REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS,
REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN
OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND
REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES,
PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT,
TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland


Contents

About Reverse Proxy ... 4
Pre-Deployment Checklist ... 6
Deploy a Reverse Proxy ... 7
  Virtual IP ... 8
  Create an HTTP Service for Your Reverse Proxy ... 9
  Create an HTTPS Service for Your Reverse Proxy ... 11
  Create an SSL Certificate Keyring ... 13
  Set up a Basic Policy ... 14
Authenticating Users ... 15
  Configure an IWA Authentication Realm ... 16
  Create an LDAP-Based Authentication Realm ... 17
  Configure a Local Authentication Realm ... 18
  Create a RADIUS Authentication Realm ... 19
  SAML Authentication ... 20
  Authentication Policy ... 23
  Authentication Modes ... 23
Advanced Policy Tasks ... 25
  Two-Way URL Rewrite ... 26
  ProxyAV Integration ... 27
  Regional Access Control ... 28
Monitoring Users and Resources ... 30
  Monitoring the Appliance ... 31
  SNMP Monitoring ... 32
  Monitor User Activity ... 33


About Reverse Proxy

A reverse proxy acts as a front end for general-purpose web, FTP, streaming, and other content servers, typically to secure those servers and improve access performance. In a typical Blue Coat reverse proxy implementation, web applications reside behind a firewall that forwards traffic to the ProxySG appliance in the secured inside environment. Because the firewall allows only the ProxySG to communicate with the web application, potential attackers would need to bypass both the firewall and the ProxySG appliance; the appliance also obscures the internal URL structure of the content server from external users. Restricting access to the content servers to only the ProxySG's IP address provides further security.

In addition to securing your content and application servers, the ProxySG appliance further improves user access in the following ways:

- User Authentication
  Functioning as an intermediary between users on the Internet and your content servers, the ProxySG can challenge users to authenticate, or transparently check for existing authentication credentials. Supported authentication servers include Windows Active Directory, SiteMinder, and Oracle, with authentication methods ranging from Integrated Windows Authentication to SAML.

- Real-Time Virus, Malware and Trojan Scanning
  When deployed in conjunction with your ProxySG reverse proxy, a ProxyAV appliance can scan the data users upload to your content and application servers for most of today's Internet-borne threats.

- SSL Encryption and Termination
  Reducing the resource load on your content and application servers, the reverse proxy solution can terminate HTTPS connections from users and forward those connections to the server using HTTP. User connections remain secure, with the proxy translating HTTP responses into HTTPS. The proxy also ensures protocol compliance, limiting exposure to vulnerabilities based on non-RFC-compliant attacks.

- HTTP Compression
  To further expedite delivery of web applications, the ProxySG provides built-in gzip and deflate HTTP compression support. These compression services effectively reduce the bandwidth required for serving content.

- Content Acceleration
  With an optimized TCP stack, the ProxySG appliance can serve HTTP and HTTPS content very quickly. Chief among the methods the appliance uses to accelerate content are object pipelining (retrieving several related elements at the same time) and adaptive refresh, where content stored in cache is evaluated regularly for freshness based on how frequently it is requested. With these advanced caching measures in place, the strain on your content servers is greatly reduced.



Typical Reverse Proxy Deployment

With your ProxySG appliance deployed as shown in the preceding diagram, your content servers remain protected while the proxy transparently processes Internet-based requests for access.


Pre-Deployment Checklist

Before you configure your ProxySG appliance to handle incoming traffic from the Internet, there are a few things that need to be set up.

- Public DNS Resolution
  To enable Internet users to reach your web server, you'll need to have a public DNS record set up. When you have identified the dedicated public IP address you'll be using for this web server, contact a DNS hosting service to have them translate your domain name (www.example.com) to that public IP address.

- Firewall configuration and port forwarding
  With a public IP address defined to accept traffic at your network's edge, configure your firewall to forward traffic to the ProxySG appliance's internal IP address. This is known as port forwarding or Virtual IP addressing, depending on the firewall vendor.
  For security, only forward the ports for which your web server serves data. Typically, that's TCP ports 80 and 443 for HTTP and HTTPS, and in some cases, FTP on TCP port 21.
  If your firewall provides Intrusion Detection or Prevention (IDS/IPS) functionality or inspects and controls the flow of data, be sure to consult the manufacturer's documentation for managing these security services when hosting websites.

- Initial setup of your ProxySG appliance
  Follow the steps to cable and configure your ProxySG appliance in the Quick Start Guide provided with your hardware. This information is also available at https://bto.bluecoat.com/documentation/pubs/ProxySG.

- Extra Blue Coat Security: ProxyAV
  If you would like to secure your reverse proxy infrastructure and the content that flows in and out of your network, Blue Coat recommends deploying a ProxyAV appliance.
  Please see the ProxySG/AV Integration Guide at https://bto.bluecoat.com/doc/12901 for help with initial ProxyAV configuration tasks.


Deploy a Reverse Proxy

The topics in this chapter will guide you through the initial steps of configuring your ProxySG appliance as a reverse proxy.

Virtual IP
Create an HTTP Service for Your Reverse Proxy
Create an HTTPS Service for Your Reverse Proxy
Create an SSL Certificate Keyring
Set up a Basic Policy


Virtual IP

A Virtual IP address (VIP) is an IP address that can be configured on the ProxySG appliance to take the place of a physical IP. This is especially useful if you will be configuring your appliance to handle multiple reverse proxy-hosted websites on the same TCP port. If your deployment serves only a single host, VIP configuration and use is optional.

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Network > Advanced.
3. In the VIPs tab, click New. The Add Virtual IP dialog appears.
4. Enter the IP address. The IP address must be unique and congruent with the other IP addresses defined on the appliance. In your initial planning stages, this is the IP address that will be used to handle incoming traffic from your edge firewall or, if your ProxySG appliance is not protected by a firewall, the public address defined in public DNS for your website.
5. Click OK to create the VIP object.
6. Click Apply to save this object to your ProxySG's configuration.


Create an HTTP Service for Your Reverse Proxy

This topic explains how to configure a listener for the reverse proxy. This object contains the IP address and TCP port that the ProxySG appliance will use to intercept traffic from the Internet or your edge firewall.

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Services > Proxy Services.
3. Click the New Service button at the bottom of the page.
4. Enter a name for the new service.
5. Choose the type of proxy service that will be used. Proxy service types determine how the ProxySG appliance interprets and manages the traffic being passed through the service. Choose HTTP to handle a simple HTTP-based web site.
6. Enable Detect Protocol.
7. Clear the Enable ADN check box.
8. In the Listeners section, click New.
9. The Source Address configuration is used to restrict the source of clients connecting through this service. Unless your reverse proxy is deployed in a completely closed environment, we recommend leaving this at the default setting, All.
10. The Destination Address section is used to define the address the ProxySG is monitoring for connections that are relevant to this reverse proxy configuration. This can be either a physical IP address already assigned to one of the ProxySG's interfaces or a Virtual IP (VIP) address you've configured previously. See Virtual IP for steps to add a VIP to your ProxySG appliance configuration.
11. Define a port or a range of ports that the appliance will monitor for connections. If you plan to add multiple ports for your reverse proxy configuration, define only one port number per service object and repeat for as many ports as you'll be configuring.
12. Set the Action to Intercept.
13. Click OK to create the new service object.
14. Click Apply to save the configuration.


Create an HTTPS Service for Your Reverse Proxy

This topic will guide you through configuring a listener for your secure reverse proxy. This object contains the IP address and TCP port that the ProxySG appliance will use to intercept traffic from the Internet or your edge firewall.

1. Log in to the ProxySG's web-based management console.
2. Browse to the Configuration tab > Services > Proxy Services.
3. Click the New Service button at the bottom of the page.
4. Enter a name for the new service.
5. Choose the type of proxy service that will be used. Proxy service types determine how the ProxySG appliance interprets and manages the traffic being passed through the service. Choose HTTPS Reverse Proxy for this configuration.
6. Select the keyring you've created for this configuration. If you have not yet done so, please follow the steps in the topic Create an SSL Certificate Keyring.
7. Select the CA Certificate List that will be used to validate the certificate being presented to users. <All CA Certificates> is the default here, and suffices for most configurations.
8. Enable support for SSL protocols. SSLv3 and v2 are not enabled by default, as they are not recommended due to their insecure nature.
9. Clear the Enable ADN check box.
10. In the Listeners section, click New.
11. The Source Address configuration is used to restrict the source of clients connecting through this service. Unless your reverse proxy is deployed in a completely closed environment, we recommend leaving this at the default setting, All.
12. The Destination Address section is used to define the address the ProxySG is monitoring for connections that are relevant to this reverse proxy configuration. This can be either a physical IP address already assigned to one of the ProxySG's interfaces or a Virtual IP (VIP) address you've configured previously. See Virtual IP for steps to add a VIP to your ProxySG appliance configuration.
13. Define a port or a range of ports that the appliance will monitor for connections. If you plan to add multiple ports for your reverse proxy configuration, define only one port number per service object and repeat for as many ports as you'll be configuring. For a standard HTTPS web server, enter 443 as the port number.
14. Set the Action to Intercept.
15. Click OK to create the new service object.
16. Click Apply to save the configuration.


Create an SSL Certificate Keyring

If your reverse proxy deployment hosts HTTPS websites or services, the certificate for those services can be served from the ProxySG appliance. This relieves the web server behind the appliance from having to spend resources managing SSL termination. The connection between the ProxySG appliance and the server running web services can then be HTTP-based.

1. Browse to the Configuration tab > SSL > Keyrings and click Create.
2. Enter a name for the new keyring.
3. Select Show Key Pair to permit backup and portability of the configuration and click OK.
4. Click Apply to commit the configuration to your appliance.
5. Select the new keyring from the list and click the Edit button.
6. Generate a Certificate Signing Request (CSR) by clicking the Create button. The Create CSR dialog displays.
7. Complete the form, paying close attention to the Common Name field. This should be a hostname or FQDN that resolves to the ProxySG appliance from outside of your protected network. This is the first step in ensuring that Internet-based browsers can trust the certificate the proxy presents. When you've completed the form, click OK, Close, then Apply.
8. Edit the keyring again and you will find that the Certificate Signing Request field now contains a CSR in PKCS#10 format. Highlight the text from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- and copy it using CTRL+C (or, on Apple systems, Command+C) to your system's clipboard.
9. Paste the CSR into a new text file on your local workstation. Save the file with a .csr extension.
10. Send the CSR to be signed by a Certificate Authority (CA). The CA should provide you with a Root CA certificate as well as a server certificate. In some cases, an intermediate CA certificate is also provided.
11. Edit the keyring again. This time, click the Import button under Certificate.
12. Paste the certificates into the Import Certificate text box that appears. The server certificate should be listed first, followed by the intermediate. The CA certificate should be pasted into this field last. When all certificates have been entered into the text box, click OK, Close and Apply.


Set up a Basic Policy

The ProxySG appliance uses policy to control how users on the Internet access your content servers. The steps below will guide you through creating policy to permit user access and to forward their requests to your back-end content server(s).

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Policy > Visual Policy Manager and click Launch.
3. From the menu at the top of the Visual Policy Manager (VPM), click Policy > Add Web Access Layer.
4. Right-click the Destination field in the rule that's been created and click Set > New > Request URL.
5. Enter the domain name users will use to access the reverse proxy web site.
6. Click Add, Close and OK.
7. Right-click the Action field and click Allow.
8. From the menu at the top of the VPM, click Policy > Add Forwarding Layer.
9. Right-click the Destination field and click Set > New > Server URL.
10. Enter the domain name users will use to access the reverse proxy web site.
11. Right-click the Action field.
12. Click Set > New > Select Forwarding.
13. Name the object (for example, MyWebServer).
14. Under Forward To, select the forwarding host you created earlier.
15. Click Add>> to add the forwarding host to the box on the right.
16. Click OK, OK.
17. Click Install Policy.


Authenticating Users

There are many options available on the ProxySG appliance for securing user access to your web server. Based on your existing security infrastructure, find the steps for configuring each type of authentication realm in this chapter.

Configure an IWA Authentication Realm
Create an LDAP-Based Authentication Realm
Configure a Local Authentication Realm
Create a RADIUS Authentication Realm
SAML Authentication
Authentication Policy
Authentication Modes


Configure an IWA Authentication Realm

If your enterprise environment uses a Windows domain and Integrated Windows Authentication (IWA), the ProxySG appliance can communicate with it to authenticate incoming users and authorize their access to web servers in your protected network.

Join the ProxySG appliance to the domain:
1. Browse to the Configuration tab > Authentication > Windows Domain.
2. Enter a hostname for your ProxySG appliance in the Hostname field. This same hostname must be configured in your internal DNS server if you will be using Kerberos IWA authentication.
3. Click Add New Domain.
4. Enter a text label for the new domain entry. Use the same name you defined in the Hostname field, then click OK and Apply.
5. Select the entry in the Domains list and click the Join button.
6. Enter the Windows Active Directory domain name in the DNS Domain Name field and a domain administrator account with password into the subsequent fields. When done, click OK.
7. A confirmation dialog box is displayed to report success or failure in joining the domain.

Configure the Authentication Realm

1. Browse to the Configuration tab > Authentication > IWA.
2. Click New and set a name for the IWA realm. Choose Direct and select the domain you created earlier, then click OK and Apply.

Test the configuration

1. Click the IWA Servers tab in Authentication > IWA.
2. Click the Test Configuration button. A prompt is displayed to enter a username and password. Enter a user name and password for an account in the Active Directory and click OK to see the results of the test.


Create an LDAP-Based Authentication Realm

In order for your ProxySG appliance to authenticate users against an LDAP server, you need to create an LDAP realm. Follow the steps below to configure an LDAP authentication realm. For more information on LDAP realm support and advanced configuration items, please see the Authentication WebGuide at https://bto.bluecoat.com/sgos/ProxySG/65/Authentication_WebGuide/Authentication_WebGuide.htm#Topics/Authentication/Tasks/LDAP/LDAP_configure_st.htm.

1. In the web-based management console, browse to Configuration > Authentication > LDAP.
2. In the LDAP Realms tab, click New.
3. Enter a name for the new realm, choose the type of LDAP server and enter the server host IP address. Click OK.
4. Click the LDAP Servers tab to define:
   a. The LDAP Protocol Version used by your LDAP directory.
   b. Enable the Follow Referrals check box if your LDAP directories are distributed across several servers that use continuation references. This option allows your searches to follow referrals and return all matching entries found during a search operation.
   c. Select the Case Sensitive check box if your LDAP directory uses case-sensitive values for the user names and passwords.
   d. Enter the IP address for your alternate LDAP directory server, if present, in the Alternate Server Host field.
5. Click the LDAP DN tab to configure the base Distinguished Names that will be used to match user and group names within the LDAP tree.
   a. Click New to create a new Base DN object.
   b. Enter the base DN, based on your LDAP structure, to identify the point at which user objects will be searched.
6. Click the LDAP Search & Groups tab to define the search credentials: the account that the ProxySG appliance will use to perform searches against the LDAP directory.
   a. Enable the Anonymous search allowed check box if your LDAP structure supports it. If not, remove the check mark.
   b. In the Search user DN field, enter the LDAP account that will be used to perform LDAP searches, in LDAP structure (for example, cn=BC_Admin,cn=Users,dc=acme,dc=com).
   c. Click the Change Password button to enter the password for the search account.
   d. (Optional) To support nested group searches, enable the Nested Groups Support check box.
7. Click Apply to save your LDAP realm configuration.


Configure a Local Authentication Realm

Follow these steps to configure a Local authentication realm and some users.

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Authentication > Local.
3. In the Local Realms tab, click New.
4. Enter a name for the local realm. For this example, "Local" will be used as the realm name.
5. Click the Local Main tab. Make note of the local user list name, as it will be necessary in the next section.
6. Click Apply.

User and group definitions are managed from the Command Line Interface (CLI). The steps below will guide you through creating users and groups.

1. Log in to the CLI and enter enable and configuration terminal mode.
2. At the (config) prompt, type: security local-user-list edit local_user_database
3. Add a group with the following command: group create users
4. (Optional) Add another group with the following command: group create administrators
5. Create a user account with the following command: user create user1
6. Edit the user account to define the password and user group details for the user account: user edit user1
7. Create a password for the account by entering: password 123456 (replace 123456 with an appropriate password)
8. (Optional) Associate this user account with a local user group with the command: group add administrators

Repeat this process for all user accounts you want to create.


Create a RADIUS Authentication Realm

1. Browse to the Configuration tab > Authentication > RADIUS.
2. Click the RADIUS Realms tab and click New. The Add RADIUS Realm dialog displays.
3. Enter a name for the realm and the Primary Server host IP or hostname, and define the server password, known as the RADIUS secret. Click OK.
4. Click the RADIUS Servers tab if you have additional RADIUS servers in your environment you wish to configure for redundancy, or if you wish to set server encoding, timeout values and case-sensitivity.
5. Click Apply to save your new realm.


SAML Authentication

Your ProxySG appliance can authenticate incoming requests using SAML (Security Assertion Markup Language). With the steps below, you'll be able to configure an authentication realm to authenticate users with this single sign-on authentication configuration, based on your own authentication server infrastructure. In a SAML realm configuration, the ProxySG acts as the Service Provider (SP) and a back-end authentication server (Microsoft Active Directory Federation Services server, SiteMinder Federation Partnership R12, or Oracle Identity Federation) is used as the Identity Provider (IDP). For more information on configuring a SAML realm, please refer to the SGOS 6.6 Administration Guide.

The ProxySG appliance and the IDP exchange data in XML documents called assertions. After a user is authenticated, the IDP sends an authentication assertion to the proxy and establishes an authenticated session with the appropriate authorization for the user.

Before you set up a SAML realm, perform the following tasks on your IDP:

- Install and configure the administration software.
- Set up the identity store for authentication.
- Identify the default user attribute to be passed in SAML assertions. For example, the User Principal Name attribute in LDAP.
- Identify any additional attributes that you want to be passed in assertions, for example, the memberOf attribute, which identifies the groups of which a user is a direct member in LDAP.
- Determine the location (URL) of the IDP's metadata file. This is needed to complete the realm configuration.

Export the IDP Metadata File

To export the IDP metadata file, log in to the IDP's administration software. Exporting IDP metadata entails saving the XML document to disk. It is important to save the metadata file without opening it in a browser first. Browsers do not necessarily support XML file structure and may change the XML tags. If you use SiteMinder or Oracle, you will need to copy and paste the metadata file contents to the CLI using the inline idp-metadata command. Because XML files are text-based, it is best to use a text editor such as Notepad to open the file to copy its contents.

To ensure that the SAML realm is configured correctly, Blue Coat recommends that you import metadata instead of entering the information manually. To import SiteMinder and Oracle metadata, use the #(config saml <realm-name>) inline idp-metadata <XML> CLI command.

Export Metadata from Active Directory Federation Server

1. Log in to the AD FS MMC.
2. Select Endpoints and look under Metadata for the URL beside the Federation Metadata type.
3. Copy the URL and paste it into a browser address bar.
4. Save the XML document to disk.

Export Metadata from SiteMinder

Before you can export metadata, make sure that you have created a SAML 2.0 IDP. The steps below assume that you have already created the IDP (entity) in SiteMinder.
1. Log in to the CA Federation Manager.
2. Select Federation > Entities.
3. Beside the entity you created, select Action > Export Metadata.
4. In the Partnership Name field, enter a name to identify the partnership between the ProxySG appliance and SiteMinder.
5. Click Export. SiteMinder generates the metadata document.
6. Save the XML document to disk.

Export Metadata from Oracle

1. Log in to the Oracle Enterprise Manager.
2. In the navigation tree on the left, select Identity and Access > OIF.
3. On the main page, select Oracle Identity Federation > Administration > Security and Trust.
4. Click the Provider Metadata tab.
5. In the Generate Metadata section, select Identity Provider from the Provider Type menu.
6. Select SAML 2.0 from the Protocol menu.
7. Click Generate. OIF generates the metadata document.
8. Save the XML document to disk.

Prepare the ProxySG for SAML Authentication

1. Configure the CA Certificate List
The ProxySG appliance CCL must contain at least one root certification authority (CA) certificate, but depending on other considerations, you may require more certificates. Refer to the following list to determine which certificates you must import to the CCL:
- Root CA certificate (required). Add the certificate for the root CA that issued the IDP's signing certificate to the CCL.
- IDP's signing certificate (required if self-signed). If the IDP's signing certificate is self-signed, add it to the CCL. Certificates signed by the CA are included in SAML assertions.
- Intermediate CA certificate (optional). You must import intermediate CA certificates to the ProxySG, but it is not necessary to add them to the CCL. For instructions on importing certificates to the ProxySG appliance, see the SGOS 6.5 Administration Guide section "Importing CA Certificates" (page 1178).

2. Set up an HTTPS reverse proxy service.
The IDP redirects browsers to an HTTPS reverse proxy service on the appliance. While Blue Coat recommends this for security, it is only required for Active Directory IDP deployments where the SAML realm is using an HTTPS POST endpoint (SiteMinder and Oracle-based SAML realms can use HTTP). If your reverse proxy deployment already incorporates an HTTPS reverse proxy service, ensure that it is associated with a CCL that includes the CA certificate for your IDP.

Configure SAML Attributes

The ProxySG appliance maps policy conditions to assertion attribute values. If you require more attributes than the ones included in SAML assertions, you can define them in the SAML realm.

To define assertion attributes:
1. In the web-based management console, select Configuration > Authentication > SAML > Attributes.
2. Click New. A dialog displays.
3. Enter attribute settings:
   - Attribute name: the name of the attribute as it appears in the ProxySG appliance and IDP configuration, and when referring to the attribute in the attribute.<name>= policy condition. The name must be unique.
   - Attribute data type: select case-exact-string or case-ignore-string. The ProxySG appliance uses this setting to match assertion attribute values with policy conditions.
   - SAML name: the name of the attribute as it will appear in assertions from the IDP, in the Name= XML attribute of the <Attribute> element. For example, an assertion might include the line <saml:Attribute Name="mail">, where mail is the SAML attribute name.
4. Click OK and Apply.
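Two of the SAML steps above are easy to get wrong silently: importing a metadata file that a browser has rewritten, and defining an attribute whose data type does not match how the IDP emits the value. The Python script below is an added example, not ProxySG code or the output of any IDP; it parses a constructed IDP metadata document with the standard library, pulls out the pieces the realm consumes (entityID, the signing certificate that goes into the CCL when self-signed, the single sign-on endpoints), rejects a document that is not an EntityDescriptor, and then evaluates an attribute.<name>= condition against a constructed assertion under the case-exact-string and case-ignore-string rules. The entity ID, endpoint URLs, attribute definitions and the certificate placeholder are all assumed values.

```python
"""Inspect IDP metadata and match assertion attributes as the realm's
Attribute settings describe (added example, not ProxySG or IDP code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata in the shape an AD FS-style IDP exports.
# The certificate body is a placeholder string, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-SIGNING-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample assertion fragment carrying two attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>Alice@Example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>WebUsers</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical realm Attribute settings: policy name -> (data type, SAML Name).
ATTRIBUTE_DEFS = {
    "email": ("case-ignore-string", "mail"),
    "groups": ("case-exact-string", "memberOf"),
}


def parse_idp_metadata(xml_text):
    """Return entityID, signing certificates and SSO endpoints from IDP metadata.
    Raises ValueError for anything that is not a usable EntityDescriptor, which
    is what a file saved through a browser's rendering often turns into."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"metadata is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("root element is not an EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IDP")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a missing 'use' covers signing too
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                signing_certs.append("".join(cert.text.split()))  # strip PEM wrapping
    if not signing_certs:
        raise ValueError("no signing certificate: assertion signatures cannot be checked")
    endpoints = {sso.get("Binding"): sso.get("Location")
                 for sso in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "signing_certs": signing_certs,
            "sso_endpoints": endpoints}


def metadata_is_usable(xml_text):
    """True when parse_idp_metadata accepts the document."""
    try:
        parse_idp_metadata(xml_text)
        return True
    except ValueError:
        return False


def extract_attributes(assertion_xml):
    """Map each SAML Name in the assertion to the list of its values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def attribute_matches(defs, assertion_attrs, policy_name, expected):
    """Evaluate attribute.<policy_name>=expected against the assertion values,
    honouring the realm's case-exact-string / case-ignore-string data type."""
    data_type, saml_name = defs[policy_name]
    values = assertion_attrs.get(saml_name, [])
    if data_type == "case-ignore-string":
        return any(v.casefold() == expected.casefold() for v in values)
    return expected in values
```

Run the parser over the file you actually exported before importing it into the realm; if it raises, the export was altered and should be redone from the IDP rather than fixed by hand. The attribute matcher shows why the data type matters: with memberOf defined as case-exact-string, a policy condition written as webusers never matches the WebUsers value the IDP sends.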

Create SAML Realms

1. In the web-based management console, select Configuration > Authentication > SAML.
2. Click New. The New SAML Realm dialog displays.
3. Enter a name for the realm in the Realm name field.
4. From the Federated IDP CCL drop-down, select the CCL you created in the "Configure the CA Certificate List" step earlier.
5. Do one of the following to specify configuration parameters:
   - AD FS: use preconfigured settings for the IDP. Copy and paste the URL for the metadata into the Federated IDP metadata URL field.
   - SiteMinder and Oracle FS: import metadata through the inline idp-metadata CLI command.
6. From the Encryption keyring (optional) drop-down menu, select the keyring to use for decrypting encrypted assertions.
7. (Optional) If you require that assertions from the IDP be encrypted, check the Require encryption check box.
   As long as an encryption keyring is configured, the ProxySG appliance attempts to decrypt encrypted assertions whether or not the Require encryption check box is enabled.
8. Specify the hostname for the SAML endpoint; in other words, point to the HTTPS reverse proxy listener you set up. In the Virtual host field, enter the host and port in the format <hostname_or_IP_address>:<port_number>. The hostname must match the common name in the SSL certificate for the HTTPS reverse proxy service.
9. (Optional) Define limits for assertion timestamps. Assertions with timestamps that fall outside of these limits are invalid.
   - Specify an interval before the current time. Assertions stamped before this interval are invalid. In the Not before field, specify the number of seconds. The default value is 60.

Once your realm is configured and verified, see Authentication Policy to configure authenticated user access policies.


Authentication Policy
With an authentication realm configured, you can now configure policy on the ProxySG appliance to authenticate, log and
control user access to your web server. The steps below guide you through setting up rules to authenticate users,
restrict access to specific users and groups, and deny all other access to the web server.
Create a Rule to Authenticate Users:
1. Browse to the Configuration tab > Policy > Visual Policy Manager and click Launch.
2. Click the Policy menu and select Add Web Authentication Layer.
3. Right-click the Destination field, click Set, New, Request URL.
4. Enter the URL for your web server, as users will access it from the Internet. Click Add, Close, OK.
5. Right-click the Action field, click Set, New, Authenticate.
6. Choose the authentication realm you would like to use to authenticate users.
7. Select an Origin authentication mode from the Mode dropdown (see "Authentication Modes" on page 23 for more
information on Origin authentication modes) to ensure that the ProxySG sends the appropriate type of challenge to
users.
8. Click OK, then OK.
Secure your existing Web Access rules:
1. Browse to your Web Access layer in the VPM.
2. Identify the rule that permits users to access your Reverse Proxy web server.
3. Right-click the source in the rule, click Set, New, Group.
4. Enter the group ID for the authentication realm you've selected. If your realm is an IWA or LDAP realm, you can
click Browse to search the directory tree for a user group.
5. Click OK, OK once the group is defined.
Prevent unauthorized access:
1. Click Add Rule and move the new rule beneath the existing Web Access Layer rule.
2. Position the rule beneath the existing allow rule.
3. Right-click the rule number next to the existing rule, click Copy.
4. Right-click the rule number next to the new rule, click Paste.
5. Right-click the Source object (currently showing the authentication user group) and select Negate.
6. Right-click the Action in this rule, select Deny.
7. Click Install Policy to commit these changes.

Authentication Modes
When authenticating your users, it's important to consider how the authentication challenge will be sent to the user and
how the ProxySG appliance will track that information. Specific to Reverse Proxy deployments, the Origin authentication
mode will act as the Origin Content Server and issue authentication challenges as such. Every request that triggers an
authentication rule in policy will be subjected to additional authentication challenges, though they may be imperceptible to
users as their browsers can store and serve their entered credentials.
To reduce the number of authentication challenges sent (which can significantly reduce load on your authentication
servers), authentication surrogates provide the opportunity to cache authenticated sessions, keyed on either the client's IP
address or a cookie stored in the user's browser.
If your firewall configuration uses Network Address Translation, so that many users reach the proxy from the same public
IP address, use only the Origin or Origin-Cookie authentication modes; an IP address surrogate cannot tell those users
apart.

More details on each of the available origin authentication modes:

Origin
The ProxySG acts like an OCS and issues OCS challenges. The authenticated connection serves as the surrogate
credential.
Origin-IP
The ProxySG acts like an OCS and issues OCS challenges. The client IP address is used as a surrogate
credential. Origin-IP is used to support IWA authentication to the upstream device when the client cannot handle
cookie credentials. This mode is primarily used for automatic downgrading, but it can be selected for specific
situations.
Origin-cookie
The ProxySG acts like an origin server and issues origin server challenges. A cookie is used as the surrogate
credential. Origin-cookie is used in forward proxies to support pass-through authentication more securely than
origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other protocols
are automatically downgraded to origin-ip.
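To make the NAT caveat concrete, here is an added Python model (not Blue Coat code) of the three surrogate types described above: a per-connection surrogate, an IP address surrogate and a cookie surrogate. The user directory, the IP addresses and the cookie name PROXY_AUTH_SURROGATE are constructed placeholders, not the appliance's real values.

```python
"""Added example (not Blue Coat code): a toy model of the Origin, Origin-IP
and Origin-cookie surrogate behaviour, showing why Origin-IP must not be
used when clients arrive through NAT.

Everything here is constructed: the user directory, the IP addresses and
the cookie name PROXY_AUTH_SURROGATE are placeholders, not the appliance's
real values.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

USERS = {"alice": "pw-alice", "bob": "pw-bob"}   # constructed sample directory
COOKIE_NAME = "PROXY_AUTH_SURROGATE"             # hypothetical cookie name


@dataclass
class Request:
    client_ip: str                 # source address as the proxy sees it
    connection_id: str             # identifies the client's TCP connection
    credentials: Optional[Tuple[str, str]] = None   # sent in reply to a challenge
    cookies: Dict[str, str] = field(default_factory=dict)   # the browser's cookie jar


class OriginAuthProxy:
    """Reverse proxy acting as the origin server for authentication."""

    def __init__(self, mode):
        if mode not in ("origin", "origin-ip", "origin-cookie"):
            raise ValueError("unknown mode: %s" % mode)
        self.mode = mode
        self.surrogates = {}   # surrogate key -> authenticated user

    def _surrogate_key(self, req):
        if self.mode == "origin-ip":
            return req.client_ip
        if self.mode == "origin-cookie":
            return req.cookies.get(COOKIE_NAME)
        return req.connection_id   # plain origin: the authenticated connection itself

    def _store_surrogate(self, req, user):
        if self.mode == "origin-cookie":
            token = secrets.token_hex(16)
            req.cookies[COOKIE_NAME] = token   # models Set-Cookie stored by the browser
            self.surrogates[token] = user
        else:
            self.surrogates[self._surrogate_key(req)] = user

    def handle(self, req):
        """Return ('allow', user) or ('challenge', None), as an OCS-style 401 would."""
        key = self._surrogate_key(req)
        if key is not None and key in self.surrogates:
            return ("allow", self.surrogates[key])
        if req.credentials is None:
            return ("challenge", None)
        user, password = req.credentials
        if USERS.get(user) != password:
            return ("challenge", None)
        self._store_surrogate(req, user)
        return ("allow", user)


def nat_scenario(mode):
    """Alice authenticates; Bob, behind the same NAT address, then connects with no credentials.

    Returns the (alice_first, alice_auth, bob) decisions.
    """
    proxy = OriginAuthProxy(mode)
    nat_ip = "203.0.113.10"        # constructed: one public address shared by both clients
    alice_jar, bob_jar = {}, {}
    alice_first = proxy.handle(Request(nat_ip, "conn-1", cookies=alice_jar))
    alice_auth = proxy.handle(Request(nat_ip, "conn-1", ("alice", "pw-alice"), alice_jar))
    bob = proxy.handle(Request(nat_ip, "conn-2", cookies=bob_jar))
    return alice_first, alice_auth, bob


def new_connection_scenario(mode):
    """After authenticating, Alice opens a second connection, as browsers routinely do."""
    proxy = OriginAuthProxy(mode)
    ip, jar = "198.51.100.7", {}
    proxy.handle(Request(ip, "conn-1", ("alice", "pw-alice"), jar))
    return proxy.handle(Request(ip, "conn-2", cookies=jar))


if __name__ == "__main__":
    for mode in ("origin", "origin-ip", "origin-cookie"):
        print(mode, "NAT:", nat_scenario(mode)[2], "new connection:", new_connection_scenario(mode))
```

With origin-ip, Bob is allowed through as alice because the proxy only sees the shared NAT address. With origin-cookie he is challenged, while Alice's later connections are allowed by her cookie without a new challenge; plain origin re-challenges every new connection, which is the extra-challenge behaviour described above that browsers usually hide by resending credentials.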


Advanced Policy Tasks

Now that your ProxySG appliance is configured to pass user requests from the Internet to your back-end content server,
there are some advanced configuration tasks you can use to improve performance, security and control:

Two-Way URL Rewrite (page 26)
ProxyAV Integration (page 27)
Regional Access Control (page 28)

Two-Way URL Rewrite
The ProxySG appliance can use policy to accept the URL entered by a user on the Internet and alter it to match what the
internal web server expects. The two primary uses for this are:
1. SSL offloading. The proxy accepts secure connections from users on HTTPS, while the back-end web server
hosts the website as HTTP.
2. Web servers configured with absolute links. This covers cases where users access the web server from
the Internet via one address (http://www.example.com), but the web server's pages contain absolute links to another
address (http://internal.example.com).
This set of policy elements will ensure that absolute links work as expected, while users never see internal or non-secure
addresses while accessing your web site content.

Policy Example
In this example, users on the Internet access the page via https://portal.example.com/ while the web server URLs are
defined as absolute links to http://internal.example.com/. For your scenario, simply replace the URLs with your own. Note
the order: the publicly accessible URL that will direct users to the ProxySG appliance is first, while the second URL in the
rewrite represents the URL the proxy will use to communicate with the web server.
define url_rewrite P
rewrite_url_prefix "https://portal.example.com/" "http://internal.example.com/"
end
define action portal
rewrite(url,"https://portal.example.com/(.*)","http://internal.example.com/$(1)")
transform P
end
define action force_uncompressed
delete (request.header.Accept-Encoding)
end
<Proxy>
url=https://portal.example.com/ action.portal(yes)
<Cache>
action.force_uncompressed(yes)
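As an added illustration of what the policy above does on the wire (example code, not the appliance's implementation), the following Python models both rewrite directions and the force_uncompressed action. The two prefixes are the guide's; the stand-in back-end server, its HTML and the Location-header handling are constructed for this model and say nothing about what the appliance's transform itself covers.

```python
"""Added example (not Blue Coat code): a model of the two-way rewrite the
policy expresses, showing why the response must be uncompressed.

The public and internal prefixes are the guide's; the internal server, its
HTML and the header handling are constructed for this model. Rewriting the
Location header is this model's choice, not a statement about the appliance.
"""
import gzip
import re

PUBLIC = "https://portal.example.com/"      # what users type; terminates at the proxy
INTERNAL = "http://internal.example.com/"   # what the back-end server expects


def rewrite_request_url(url):
    """Request direction: rewrite(url, "https://portal.example.com/(.*)", "http://internal.example.com/$(1)")."""
    m = re.fullmatch(re.escape(PUBLIC) + r"(.*)", url)
    return INTERNAL + m.group(1) if m else url


def rewrite_response(headers, body):
    """Response direction: turn internal absolute links back into public ones.

    Returns (headers, body, rewritten). A compressed body is opaque bytes, so
    it is passed through untouched and rewritten is False.
    """
    headers = dict(headers)
    if headers.get("Location", "").startswith(INTERNAL):
        headers["Location"] = PUBLIC + headers["Location"][len(INTERNAL):]
    if "Content-Encoding" in headers:
        return headers, body, False
    return headers, body.replace(INTERNAL.encode(), PUBLIC.encode()), True


def internal_server(url, headers):
    """Constructed stand-in for the back-end: absolute internal links, honours gzip."""
    if not url.startswith(INTERNAL):
        raise ValueError("this stand-in only serves %s, got %s" % (INTERNAL, url))
    html = b'<a href="http://internal.example.com/docs/">Docs</a>'
    if "gzip" in headers.get("Accept-Encoding", ""):
        return {"Content-Type": "text/html", "Content-Encoding": "gzip"}, gzip.compress(html)
    return {"Content-Type": "text/html"}, html


def decoded_body(headers, body):
    """Undo gzip so a caller can inspect what the browser would finally render."""
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body


def proxy_round_trip(client_url, client_headers, force_uncompressed=True):
    """One request through the proxy. force_uncompressed models action.force_uncompressed.

    Returns (upstream_url, response_headers, response_body, rewritten).
    """
    upstream_url = rewrite_request_url(client_url)
    upstream_headers = dict(client_headers)
    if force_uncompressed:
        upstream_headers.pop("Accept-Encoding", None)   # delete(request.header.Accept-Encoding)
    resp_headers, body = internal_server(upstream_url, upstream_headers)
    headers, body, rewritten = rewrite_response(resp_headers, body)
    return upstream_url, headers, body, rewritten


if __name__ == "__main__":
    for strip in (True, False):
        url, hdrs, body, ok = proxy_round_trip("https://portal.example.com/index.html",
                                               {"Accept-Encoding": "gzip"}, strip)
        print("strip Accept-Encoding:", strip, "rewritten:", ok, decoded_body(hdrs, body))
```

With Accept-Encoding stripped, the user receives links to https://portal.example.com/; without it, the back-end compresses the page, the transform has nothing it can rewrite, and the browser ends up rendering the internal http:// addresses, which is the leak the force_uncompressed action exists to prevent.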


ProxyAV Integration
While the ProxySG appliance can help to secure and control access to your content servers, a ProxyAV appliance can
help to further protect your data by scanning for viruses and controlling the types of files that can be transferred.
Before you start
In order to make use of your ProxyAV in your ProxySG Reverse Proxy deployment, you will need to make sure that your
ProxyAV is configured and licensed, with the most up-to-date virus definitions for the anti-virus provider of your choice. A
specialized webguide for the ProxyAV will help you with your initial configuration.
Policy Configuration - Virus Scanning
Scan data uploaded to your content server.
1. Launch the Visual Policy Manager.
2. In the Policy menu, click Add Web Access Layer.
3. Name the new layer "AVScan".
4. Right-click the action in the default rule, click Set, New, ICAP Request Service.
5. Choose your ICAP server from the list of available services on the left, click Add>> to move the server to the list of
selected servers.
6. Error handling - Decide if you want to permit users to upload files if the ProxyAV appliance is unavailable. Select
either Deny the client request or Continue without further ICAP request processing, depending on your
security practices.
7. Click OK and Install Policy.

Policy Configuration - File Upload Control

Configure a policy to control the types of files users can upload to your back-end content server. To use the
ICAP scanning function here, make sure that an ICAP Request Modification rule is in place.
1. Launch the Visual Policy Manager.
2. In the Policy menu, click Add Web Access Layer, name it "File access" or something similar to identify this
policy layer as the one used to control the types of files that can be uploaded.
3. Right-click the source field, click New, Apparent Data Type.
4. Name the object "blocked file types".
5. Select the file types you do not want users to be able to upload to your server.
6. Check the Enable ICAP Scanning box to leverage the ProxyAV to examine the file types contained within file
archives (such as zip, rar, or gz). Click OK, OK.


Regional Access Control

Blue Coat's Geolocation service identifies public IP address blocks and their countries of origin. This allows you to control
which regions can access your Reverse Proxy-protected web services.
Enable Geolocation Services
1. In the web-based management console, browse to the Configuration tab > Geolocation > General.
2. Check the Enable Geolocation box to enable Blue Coat's geographic location service on the device and click
Apply.
If you receive an error message at this point that reads "Device is not entitled to download Geolocation Database", your
ProxySG appliance is not licensed for Blue Coat's Geolocation service. Speak with your Blue Coat sales point of contact
or Blue Coat Customer Care to inquire about adding this service to your appliance.

Define Geolocation Policy


1. In the web-based management console, browse to the Configuration tab > Policy > Visual Policy Manager and
click Launch.
2. Open your Web Access layer and add a new rule to the top of the list.
3. Right-click the source field and click Set > New > Client Geolocation. The Set New Client Geolocation dialog
displays.

4. Select the countries your intended users are in and click OK, OK.
5. Right-click the Action field and click Allow.

Define Restrictive Geolocation Policy

1. Still in your Web Access layer, create a new rule beneath your initial Geolocation rule.
2. Right-click the source field, click Set > New > Client Geolocation.
3. Select all of the countries except for those you defined in the preceding rule and click OK, OK.
4. Click Install Policy.


Monitoring Users and Resources

The ProxySG appliance offers several solutions for monitoring your deployment. From on-box tracking of users and
system resources to the off-box Blue Coat Reporter solution, it's easy to monitor your Reverse Proxy:

Monitoring the Appliance (page 31)
SNMP Monitoring (page 32)
Monitor User Activity (page 33)

Monitoring the Appliance


The ProxySG appliance offers in-depth on-box monitoring capabilities in the Statistics tab of the web-based management
console. This is where to find your appliance's health and other system monitoring information.
(Figure: ProxySG appliance Statistics tab)

Important sections
1. System
Here you'll find detailed statistics for system resources including CPU, memory and disk usage. Data is displayed
in time-selectable graphs that show hourly, daily, weekly or monthly resource statistics.
2. Active/Errored Sessions
This section shows the session details for all users on the system in real time. You can see how much data is
transferred, how long they've been connected and what URL they are accessing. Options are also present here for
terminating individual sessions or all sessions.
3. Health Monitoring
System health is reported here, including CPU, memory, and interface utilization. You can set thresholds for
alerts when these values reach or exceed usage percentage points. The Status tab in this section reports the state
of hardware monitors as well as overall health check status.
4. Health Checks
This page displays the access and test results for all authentication realms, DNS servers, external services like
ICAP servers, and forwarding hosts. Here, you can see the current state of these services, how long they've been
in that state, and what the results of automated health checks were at past intervals.
5. Authentication
Authenticated user sessions are tracked here. You can view user details such as authentication duration, bytes
transferred and their connecting IP address. Available options include logout for one or all users and refreshing
authentication surrogates or credentials.


SNMP Monitoring
All ProxySG appliance system events are logged to the local event log. If configured, these same events are also sent to
an SNMP server.
Enable the SNMP management service
1. Browse to the Configuration tab of the web management console.
2. Click Services > Management Services.
3. Click the empty checkbox in the Enabled column for the SNMP service and click Apply.
4. Browse to the Maintenance tab > SNMP.
Your ProxySG appliance can now be queried by your SNMP tool. To configure SNMP reporting, continue to step 5.
5. Define your SNMP version 1, 2, or 3 server settings here and click Apply.

For more information on interpreting SNMP events on your monitoring utility, see the Critical Resource Monitoring Guide
here: https://bto.bluecoat.com/doc/19469.


Monitor User Activity


You can monitor user access to your content servers in real time via the Log Tail option in the Statistics tab > Access
Logging.

To view the current requests being made to your content servers, click Start Tail to output the access log to this live
window. Depending on how busy your content servers are, this may flow too fast to read. Click Stop Tail to
stop the output for easier reading.
For longer-term and archival reporting, the ProxySG appliance can be configured to upload access log data to several
types of log processing services. Blue Coat Reporter is the recommended tool for analyzing and reporting on user
activity. Information about installing and configuring Blue Coat Reporter in your environment can be found on Blue Touch
Online here: https://bto.bluecoat.com/documentation/pubs/view/Reporter 9.x.
