
CACHEBOX

Web Caching Appliance

USER GUIDE
Service Provider Edition
Published By:
ApplianSys Limited
ApplianSys House
Harry Weston Road
Coventry, CV3 2UB

Copyright © 2017 ApplianSys Ltd. All Rights Reserved. No part of the contents of this document may be reproduced or
transmitted in any form or by any means electronic or otherwise without the written permission of ApplianSys Limited.

15 Sept 2017

A soft copy of the latest user guide can be found at: www.appliansys.com/url/cb-spe-userguide
CACHEBOX Service Provider Edition User Guide

Contents
Using This Guide 2
SECTION 1: PLANNING DEPLOYMENT 5
Introduction to Caching 6
CACHEBOX Overview 13
SECTION 2: GETTING STARTED 21
Initial Installation 22
Completing Network Integration 46
Checking Your Deployment 73
SECTION 3: CONFIGURATION REFERENCE 77
Introduction 78
System Menu 78
Network Menu 111
Cache Menu 133
Content Menu 162
Reports Menu 171
SECTION 4: FREQUENTLY ASKED QUESTIONS 189
Deployment 190
Appliance Management 191
Security 191
Hardware 191
APPENDICES 192
Appendix A: SSH Command Line Access 192
Appendix B: HTTP Status Codes 194
Appendix C: IP-KVM option 195
Notes 201

Using This Guide

Products Covered
This guide will help you deploy and configure CACHEBOX web cache appliances.
It applies to all current models in the CACHEBOX range:
• CACHEBOX050
• CACHEBOX110
• CACHEBOX130
• CACHEBOX210
• CACHEBOX230
• CACHEBOX310
• CACHEBOX420
These models all share the same software and core features. A few software features
are hardware dependent, so you will see minor variations between models. These
variations are noted in the guide.

How This Guide Is Organised


This guide is organised into different sections to help you find the information you need
at different stages:
• ‘PLANNING DEPLOYMENT’ – before you start, make sure the big picture is clear so
that you make good decisions about how to deploy CACHEBOX in your network.
- Understand the different modes for deploying CACHEBOX and the basic
principles of network architecture each should use
- Be familiar with the main features of CACHEBOX. As a result, you will have
a good idea on the range of tasks you can carry out with this appliance

• ‘GETTING STARTED’ – step-by-step instructions for the main tasks involved in
deploying CACHEBOX:
- Install and start the appliance
- Integrate CACHEBOX into your network to operate in the deployment
mode you have chosen

• The remaining sections are for you to refer to whenever you need a specific
piece of information:
- ‘CONFIGURATION REFERENCE’ – describes in detail each of the screens
you can find in your appliance’s web administration interface
- ‘FREQUENTLY ASKED QUESTIONS’ – on deployment, support, managing the
appliance, performance, security and hardware
- ‘APPENDICES’ – further information you might need in specific scenarios


Conventions Used in This Guide


The following formats have been used to help you work with this guide:
• [KEYSTROKE]
• Something you have to type or select from a drop down or radio
button setting (fixed width font)
• ACLs and CACHEBOX commands (fixed width font)
• ‘Menu Option’
• Fieldname
• ON SCREEN BUTTON
• URLs: www.example.com

Alert: be aware of a potential issue - something you should avoid or something you are
advised to do. You will find a description of the risk and how to resolve or avoid it in the
Alert format.

Critical Alerts are written in a bold, red font. It is very important that you pay attention to
these.

Note: extra information, not directly part of the instructions or reference material, but
which may still be useful for you to know

Tip: advice to help you make faster or more efficient use of the product with
workarounds and timesaving techniques


SECTION 1:
PLANNING DEPLOYMENT

Make sure the big picture is clear so that you make good decisions about how to deploy
CACHEBOX in your network.
• Understand the different modes for deploying CACHEBOX and the basic
principles of network architectures each should use. This should help you decide
which mode you will use in your network.
• Be familiar with the main features of CACHEBOX. As a result, you will have a
good idea on the range of tasks you can carry out with this appliance.

IN THIS SECTION
Introduction to Caching 6
Deployment Scenarios and Options 6
CACHEBOX Overview 13
Cache Application 14
Appliance Management 15
Operating System 16
CompactFlash 16
Hardware 17


Introduction to Caching
A proxy is a network device used to create connections on behalf of other computers.
A caching proxy or cache keeps copies of the data requested, so that it can serve
future requests for the same content without downloading it again. This saves
bandwidth and decreases response times.
Web caches are widely deployed to boost delivery of web content (primarily HTTP
content on port 80). They have two specific uses:
• Forward caches are deployed near to users to speed up delivery of general web
traffic over the internet. CACHEBOX is an example of a forward cache
• Reverse caches are deployed in front of web servers to accelerate responses to
requests from the internet. CACHEBOX does not act as a reverse cache.
Forward caches are deployed by service providers to save bandwidth and to improve
web performance for their customers.

Deployment Scenarios and Options


When you deploy a forward cache, you need to select the appropriate mode of
deployment in your network from various possibilities. Here we will look at the possible
options and help you decide which are best for you.

Transparent vs Explicit
In transparent deployments, client computers do not need to be reconfigured and web
traffic is automatically rerouted via the cache. In this mode, users are not aware of the
cache.
In explicit deployments, the user's client software (usually web browser) is configured to
make requests directly via the cache.
Because it entails configuring client devices, Explicit Mode is not a sensible option for
service providers (and is not discussed further in this edition of the manual).
All the options presented below involve transparency of the cache to the clients.


Redirection vs Interception
There are several ways of achieving transparent deployments. They involve either:
HTTP Redirection - web traffic is diverted via the cache, while the remaining network
traffic remains on its original route. The cache doesn’t need to handle unnecessary
traffic so can do more caching.

This architecture needs a device which is capable of redirecting HTTP traffic.


Such a device could be:
• A switch, router or firewall which supports Policy-Based Routing
• A switch or router which supports Cisco’s WCCP protocol
• A load-balancer, when deploying multiple caches

HTTP Interception - all traffic is directed via the cache. HTTP traffic is intercepted and
processed by the caching software, while non-HTTP traffic is passed straight through the
device.

The three possible interception modes are:
• Physical Gateway mode, where the cache is placed directly inline between the
router and the network devices. The cache is used as a gateway between two
or more subnets and is used as the default gateway by clients.
• Logical Gateway mode, which is similar, but the cache is logically inline rather
than physically inline. A switch inline switches all traffic to the cache.
• Bridge mode, where the cache is placed directly inline. Bridged network
interfaces on the cache mean it becomes logically a ‘piece of wire’ inserted
between the network devices and the router on the same subnet.


How to choose the right mode


Of the theoretically possible 8 modes:
• We can eliminate Explicit mode as unsuitable for service providers because it
involves configuring client devices
• We can eliminate Physical Gateway and Logical Gateway mode because they
leave your internet traffic particularly vulnerable to a failure of the cache, and
there will always be another option available which is better
• Redirection with a load balancer is only an option to consider in exceptional
cases when you are looking to cluster multiple caches.
You therefore typically have 3 possible options to consider at this stage:
• Redirection with WCCP
• Interception with Bridge mode
• Redirection with Policy-Based Routing

Choosing between these options is a 2-part process:
1 Understand which options are available to you with your network equipment and
architecture
2 If there is more than one option available, compare the pros and cons of each

The relevant factors if you have more than one option could include:
• Internet traffic resilience – what happens if the cache fails?
- Does non-HTTP traffic continue to flow anyway?
- Does HTTP traffic continue to flow automatically?
- Or if intervention is required, how much?
- Does ensuring internet resilience involve extra cost (e.g. extra hardware)?
• Outbound (client > web server) transparency – can you send requests with the IP
addresses of your users, rather than that of the cache?
- This is often a requirement for service providers. It is relevant if you want to
identify the IP addresses which requests originate from, to help monitor
and control web usage
- Equally, there are often cases where transparency is not needed – the
service provider is happy for the IP address of the cache to be identified
with the HTTP request, rather than the IP address of the client.
- The issue is whether transparency is needed, and if so, whether and how it
can be achieved.
• How much do you need to make changes in your network? Physical changes?
Reconfiguration of network equipment or client devices?
• Scalability – can this mode support a cluster of caches, or just a single device?

In the following pages, the three remaining options are assessed in detail.


WCCP
The Web Cache Communication Protocol (WCCP), developed by Cisco Systems,
specifies interactions between one or more routers (or Layer 3 switches) and one or
more web caches. The purpose of the interaction is to establish and maintain the
transparent redirection of selected types of traffic flowing through a group of routing
devices. The selected traffic is redirected to a group of web caches with the aim of
optimizing resource usage and lowering response times.
CACHEBOX supports version 2 of the WCCP protocol.

Requires
• Router, switch or firewall (typically Cisco) which supports WCCP. This means
having a suitable Cisco IOS version - see recommended IOS versions in
deployment guide.
• Source Address Spoofing enabled on cache if you want to maintain outbound
(client -> web server) transparency
• Changes made to the router’s routing policy
Pros
• No client configuration required
• Redirection - only HTTP traffic is redirected to the cache
• Full resilience - no traffic loss in case of cache failure
• Can scale and introduce redundancy by clustering multiple caches
• No physical network changes needed
Cons
• Relatively complex Cisco router and cache configuration required to achieve
source address spoofing
• A potential issue when using a standard WCCP ‘Web-cache’ deployment is that
CACHEBOX will originate all HTTP requests from its primary IP address. This can be
a problem for some web sites.
• WCCP GRE can result in higher router load where L2 redirection is not available
So what
• If your network uses Cisco routers, L3 switches or firewalls, then WCCP may be
your best deployment option
• It fits requirements where ISPs are looking at clustering multiple caches to scale
and/or for redundancy.


Bridge Mode
When a cache is configured in Bridge mode, two of its network interfaces are used to
create a special bridged interface. The cache is then connected in-line into the
network and all network traffic passes over the bridge.
This is a simple in-line deployment with a minimum of changes required to your network.
Bridge mode is a form of HTTP Interception caching. As such, it would normally be
deployed with Source Address Spoofing to minimise the impact on the logical network.
One of the potential issues with Bridge mode deployments is that in a simple scenario it
can become a single point of failure; if the device fails, then all internet connectivity is
lost. This could be avoided with a Fail-to-Wire option, as it is in CACHEBOX.

Requires
• Source Address Spoofing enabled on cache if you want to maintain outbound
(client > web server) transparency
• To avoid single point of failure leading to possible traffic loss, fail-to-wire capability
on cache
• A cache with at least 2 NICs
Pros
• No client configuration required
• Minimal physical changes required to the network
• Relatively simple to bypass the cache should it become necessary. With Fail-to-
Wire card, bypass is automatic in case of cache failure.
Cons
• Requires physical deployment
• Without Fail-to-Wire, cache is a single point of failure for all network traffic
• All traffic passes through cache
So what
• High availability solution – either with Fail-to-Wire option or by deploying on
redundant trunk links


Policy-Based Routing (PBR)


In Forward Transparent Policy-Based Routing mode, a router, switch or firewall redirects
HTTP traffic to the cache.

Requires
• Router capable of Policy-Based Routing
• Router capable of preserving outbound (client > web server) transparency, if you
need it: it needs to be able to distinguish traffic direct from the client from traffic
diverted via the cache (e.g. Cisco equipment does this using the MAC addresses)
• You to modify the router’s routing policy
• You to enable Source Address Spoofing on the cache if you want to maintain
outbound (client > web server) transparency
Pros
• Redirection - only HTTP traffic is redirected to the cache. So the cache doesn’t
need to handle unnecessary traffic and can do more caching.
• No client configuration required
• No physical network changes needed
Cons
• If cache fails, users lose web access. You will need to reconfigure your routing
device to restore web traffic - some devices are able to perform this
automatically e.g. Mikrotik
• Scalability by clustering not possible
So what
• This can be a sensible deployment option for small ISPs with low-cost routing
devices – as long as they support PBR.


Deployment Modes Compared

Feature                            WCCP    Bridge mode    PBR
Can be clustered
Only HTTP traffic to the cache
Source Address Spoofing*
Ease of installation
Resilience to network disruption

* Only with certain equipment
[The tick and cross marks in each cell of the original table are not reproduced in this
text version.]

So what
• If you have appropriate network equipment which supports WCCP, this is the
recommended deployment method
• Bridge Mode – with a Fail-to-Wire option – is preferred to Policy-Based Routing in
most situations:
- Resilience is the key factor giving Bridge Mode a clear advantage
- In terms of other factors, Bridge Mode edges it on balance


CACHEBOX Overview
CACHEBOX is a web caching appliance designed to help you save bandwidth and/or
improve the speed at which your end-users can access web content. As a proxy, it also
allows network administrators to monitor and control web traffic.
It comes in a range of models which all share the same software and core feature set
but differ in hardware specification and performance.
CACHEBOX is engineered to make using it much easier for network administrators than
the alternative of installing software on a general purpose server. It is a device designed
for the specific task of caching, with fully integrated components:

• Pre-installed caching application software
- Core cache engine, based on the world’s most popular web caching
software
- Software extensions to allow caching of different types of HTTP objects.
This greatly increases the benefits of the cache in modern networks
• Server appliance software layers
- Management features that make it easy to deploy and manage the
device
- An operating system customised to maximise security, reliability and ease
of use
• Bespoke hardware, with a design optimised for caching


Cache Application
CACHEBOX is unusual in being an appliance dedicated to web caching, rather than
including cache as just one of several workloads on the device. Its highly tuned cache
engine and cache extensions are designed to give you high performance and versatile
caching.
CACHEBOX’s core caching engine is based on Squid, the open source, industry-
standard web caching server.
Through years of experience and extensive testing, ApplianSys’ web caching experts
have been able to tune Squid’s configuration and storage schemes to offer extremely
high performance compared to a standard installation of Squid on a Linux server.
Key caching features are:
• Flexible Deployment Options
CACHEBOX can be deployed within multiple network scenarios, in transparent or
Explicit mode, with optional Source Address Spoofing and support for Bridge
mode.

• Video cache and Content Delivery Network (CDN) Support
Proprietary caching extensions let Squid cache YouTube, Google Video and
other flash video sites that use multiple backend servers serving the same
content.

• Software Update Caching
CACHEBOX can cache Microsoft, Apple and Linux operating system updates as
well as software and anti-virus signature updates from a variety of vendors. This
leads to significant bandwidth saving on days when major updates are released.

• Pre-Loader: Pre-caching
The content of websites can be automatically downloaded at predefined times
(such as during the night) and cached ready for clients to access.

• WCCP Support
Multiple CACHEBOXes can be transparently clustered together for performance
and high availability on fast links utilising Cisco routers and switches.

• Cache Hierarchy Support
Multiple CACHEBOXes may be connected to each other to share cached
objects. Flexible architectures involving both distributed and co-located caches
can be built, with networks including both parent and sibling caches.

• Custom ACLs
Advanced configuration parameters can be entered that control the way that
CACHEBOX handles requests.


Appliance Management
CACHEBOX does not require specialist training to deploy and manage.
After initial set-up using a monitor and keyboard, CACHEBOX can be administered using
the secure web interface. This allows configuration to be performed from any computer
with a web browser, without the need for additional software to be installed.
The interface provides easy access to product features. These include:

• Shared management support
Multiple Administrators/Users can log in to the interface at one time, from
different locations.

• Reporting Tools
CACHEBOX automatically produces reports on bandwidth usage and savings.

• Alerting
CACHEBOX can be configured to send emails and SMS messages if problems
such as overheating or the failure of a fan are detected.

• Logging Support
Log files can be generated showing every request that is placed via CACHEBOX.
These can then be automatically uploaded to another file server. This allows logs
to be analysed off-box and centrally stored in order to comply with data
retention laws.

• Backup & Restore
Configuration parameters can be backed up with a single click, then archived or
sent to ApplianSys support to aid in troubleshooting. Restoration of previous
back-ups can be performed with similar ease.

• Upgrade
Upgrades provided by ApplianSys (adding features, improving performance,
responding to newly discovered security flaws, etc) can be applied via the web
interface.

• Simple Network Management Protocol (SNMP) Support
Performance statistics may be accessed remotely in real-time by external
management applications.

• Centralised Management Console
Centralised management and reporting of a number of CACHEBOXes can be
achieved using the ApplianSys CACHEBOXCMC product. This allows secure
remote control and monitoring of groups of caches from a single device.


Operating System
The Linux based operating system used by CACHEBOX is a custom-built “distribution”
developed by ApplianSys to optimise its appliance products. It is designed to maximise
security, reliability and ease of use.
All programs, services and files found on a standard Linux distribution that are not
required for effective web caching are not included, making CACHEBOX faster and
more secure than a standard Linux server.
The operating system runs from RAM once booted, writing to the flash card storage only
when configuration changes are made or alerts sent.

CompactFlash
CompactFlash cards are used for the operating system and settings. These allow for
faster boot times and give more resilience to hardware failure than traditional hard
drives. If you suffer an unexpected power outage, the risk of configuration data and
application corruption is minimised.
Cards can be ejected from each unit, allowing them to be moved to a spare or new
appliance in the unlikely event of failure, retaining all settings and license information.

You should only eject cards AFTER disconnecting power to the appliance. Failure to do
so could result in data corruption.


Hardware
CACHEBOX uses specially selected hardware to ensure reliability and high performance
without high cost.
There are several different models in the CACHEBOX range. All models use the same
software but differ in terms of hardware and performance. This allows them to support
different types of deployment.
CACHEBOX420
Front:

Rear (subject to change):

CACHEBOX420 is a high-end 2U rack-mountable device with four network interfaces as
standard.
Due to its depth, it needs to be deployed in a full rack. It can also be mounted on rails
as it has front to back ventilation. Where rails are not used, its weight must be supported
by either a shelf or other rack mounted equipment secured directly below it.
CACHEBOX420 has been designed to handle extreme workloads with very high reliability,
featuring swappable disks and dual redundant power supply.
It can support more than 10,000 simultaneous users over a 1Gbps bandwidth link.
It has 4 hard disks (HDDs) for large objects, 2 SSDs for small/medium objects, 1 SSD for disk
caching and 1 HDD for logging. It will serve twice as many requests as CACHEBOX310
and is best suited for use in network cores. By default, its multi-processing engine is
enabled.

The multi-processing engine is specifically recommended for networks with high RPS and
low throughput.


CACHEBOX310 and CACHEBOX200 series


Front:

Rear (subject to change):

CACHEBOX210, CACHEBOX230 and CACHEBOX310 are 1U rack-mountable devices, with
two network interfaces as standard.
Due to their depth, they need to be deployed in a full rack. They have side to side
ventilation and so cannot be mounted on rails. They must have their weight supported
by either a shelf or other rack mounted equipment secured directly below it.
CACHEBOX210 uses two hard disks (HDDs) and is ideal for deployment in small ISPs.
CACHEBOX230 uses two SSDs for small objects and a high capacity HDD for large
objects. It will serve twice as many requests as CACHEBOX210 and is best suited for use in
larger ISPs.
CACHEBOX310 features a higher specification motherboard and processor with larger
disks to deliver more than 2x the performance of CACHEBOX230. Additionally, its multi-
processing engine can be enabled for networks that demand higher throughput.


CACHEBOX050 and CACHEBOX100 series are entry level devices, designed for use on
small networks, such as customer sites. They differ in the following ways:
• CACHEBOX050 is a small form factor (SFF) unit designed to be placed on a
desk/shelf, whereas CACHEBOX100 is a 1U rack-mountable device.
• CACHEBOX050 has an external power supply, whereas CACHEBOX100 has an
internal power supply. When deploying CACHEBOX050 in cabinets with no active
ventilation, we recommend putting the power adapter outside the cabinet and
feeding the cord into it to minimise the heat generated within the cabinet.
• CACHEBOX050 has a single CompactFlash card which ejects from the rear.
CACHEBOX100 series models have a pair of cards which eject from the front.
• CACHEBOX110 offers the same performance as CACHEBOX050 in a 1U rack-
mountable form factor.
• CACHEBOX130 is a premium light duty model featuring a higher specification
motherboard to enable Fail-to-Wire along with IP-KVM (Keyboard, Video and
Mouse) functionality to help users administer their units without having to
physically access them.

CACHEBOX100 series
Front:

Rear (subject to change):


CACHEBOX050
Front:

Rear (subject to change):

CACHEBOX050 and CACHEBOX100 models are usually shipped with either 1 or 2 Network
Interfaces, depending on which you have purchased.

Fail-to-Wire option
A Fail-to-Wire option is available on CACHEBOX130, CACHEBOX210, CACHEBOX230 and
CACHEBOX310. It is not available on CACHEBOX050, CACHEBOX110 and CACHEBOX420.

A Fail-to-Wire card allows you to use CACHEBOX in Bridge mode resiliently, without
establishing a single point of failure on your network. An expansion card electrically
connects the Ethernet ports (logically making the appliance a ‘piece of wire’) in the
event of device failure such as power loss or software error.
If you are using Fail-to-Wire (see “Introduction to Caching”: “Bridge Mode”), you will
have a minimum of three interfaces.


SECTION 2:
GETTING STARTED

This section walks through the standard tasks you need to carry out to install and deploy
CACHEBOX, to help you to start using your appliance as quickly as possible.
• Get the appliance installed and started
• Integrate CACHEBOX with your network equipment to cache in one of the main
deployment modes typical in a service provider environment
• Check your deployment is correct and the cache is working properly in your
network

IN THIS SECTION
Initial Installation 22
Introduction 22
Physical Setup 23
Network Requirements 24
Switching on and logging in 24
Introduction to the Web Interface 28
Online Help and Documentation 33
Initial Appliance Configuration 34
Basic Caching Assistant 40
Completing Network Integration 46
WCCP Deployment 46
Bridge Mode 64
Policy-Based Routing (PBR) 71
Checking Your Deployment 73


Initial Installation
Introduction
This first part of “Getting Started” will help you to get CACHEBOX installed and running. It
will help you complete:
• Physical Setup – unpack and physically connect CACHEBOX
• Switching on and logging in – a console interface will prompt you to enter
network details and allow you to log in to CACHEBOX’s web interface
• The first stage of configuration of CACHEBOX using its web interface

After that, “Completing Network Integration” shows you how to complete deployment in
each of the modes likely in a service provider deployment.

It is quite likely you will want to deploy in two stages:
1 Get CACHEBOX working first in a local “test network”
- This may be simply just to check the appliance is functioning correctly and
to familiarise yourself with it briefly before putting it in a live network
- Or if your deployment is particularly complex, you may want to spend
some time completing and checking detailed configuration before going
“live”
2 Move CACHEBOX into position, deployed and fully integrated in your live network

If you want to follow this 2-stage approach, then simply working through Section 2,
starting here at the beginning, should work well.

If on the other hand, you want to go straight to stage 2 and deploy CACHEBOX
immediately in position in your live network, then to save time and avoid mistakes, you
should first read the detail on your chosen deployment mode in “Completing Network
Integration” before implementing the steps described here in “Initial Installation”.

This is because the details and topology of your network equipment and deployment
mode will determine some of the details of initial installation (e.g. which NICs on the
appliance to connect, network addresses to use in your initial configuration). If you carry
out a 2-stage approach, you may modify a few details when you go live.

You will probably find it helpful in any case to take a quick look at all the relevant
material in Section 2 before you actually get started!

If at any time you need further assistance, contact your vendor (ApplianSys Support
Partner or ApplianSys):

ApplianSys Support: +44 (0) 8707 707 789
Email Support: support@appliansys.com


Physical Setup
For initial deployment you will need a keyboard, VGA monitor, a Cat 5/6 network cable
and network addressing information to hand.
Your appliance should be positioned so that adequate airflow can be achieved.
• CACHEBOX050 is designed for desktop use, but can be placed on a shelf in a
rack. If placed in a rack without fan units (i.e. a wall mounted communications
cabinet), the power brick should be placed outside the rack and the cable
looped through to reduce the heat generated within the cabinet.
• CACHEBOX100 can be placed in a rack without a shelf – its lugs will support its
weight. Ventilation is side to side. If placed in a rack without fan units (i.e. a wall
mounted communications cabinet), the power brick should be placed outside
the rack and the cable looped through to reduce the heat generated within the
cabinet.
• CACHEBOX210, 230 and 310 must be supported from underneath when placed in a
rack (i.e. using a shelf). This is because the lugs alone cannot support their weight.
Ventilation is side to side – which is why rails are not provided. These appliances
are not suitable for use in racks without active cooling.
• CACHEBOX420 is recommended to be installed with the available rail kits and
secured using the front lugs. If you are not using the available rail kits, the unit
must be supported, e.g. using a shelf.

Step 1
Unpack your server, check that all items listed on your delivery note are present and
then check for any transit damage. Please call our support line immediately if there is
any problem.

Step 2
Choose a suitable place to house your CACHEBOX and connect the appropriate
connectors to:
 a mains supply
 a keyboard and VGA monitor

To avoid an IP address conflict between CACHEBOX’s default IP address and any other
equipment on your network do not connect the network cable until you have
performed initial setup.

Serial Port Settings
Another way of accessing your CACHEBOX is via the serial port. When setting this up
make sure you use a null modem cable (DB-9) and not a cross-over cable. The following
details should be checked for your Serial Port:
• Port Speed: 38,400 bps
• Data bits: 8
• Stop bits: 1
• Parity: None
• Flow Control: XON/XOFF

GETTING STARTED - Initial Installation I 23



When connecting CACHEBOX to certain KVM devices, you may need to set DTR to
enable on connect and pin out to ACS. These settings are usually not necessary unless
your KVM has an option to set them.

Network Requirements
You should configure your DNS server with full forward and reverse DNS records for your
CACHEBOX. Remote hosts that attempt a reverse lookup on connections from it will
otherwise wait for the lookup to time out, which causes problematic delays.
If your network employs firewalls, then you may need to change their configuration in
order to use CACHEBOX.
The following table details the TCP and UDP ports used by CACHEBOX.

Port   TCP  UDP  Protocol  Incoming             Outgoing               Required
22*    x         SSH       Debugging            -                      -
25*    x         SMTP      -                    Sending Email          -
53     x    x    DNS       -                    DNS Resolution         Always
80     x         HTTP      Mirroring            Web Requests           Always (Outgoing)
123         x    NTP       Time Server          Time Synchronisation   Recommended
139    x    x    NTLM      -                    Authentication         -
161         x    SNMP      Monitoring           Alerts                 -
443*   x         HTTPS     Web Admin            Web Requests           Always
7770*  x    x    SSH       Node Communication   Node Communication     Always
800*   x         HTTP      Web Requests         -                      In Explicit mode
2048        x    WCCP      WCCP                 WCCP                   In WCCP mode**
3130   x    x    ICP       Clustering           Clustering             -

* These ports are configurable via the web interface. Defaults are shown for reference.
** If you are using GRE based WCCP redirection, you will also need to allow GRE (IP protocol 47)
between the router and CACHEBOX if they are not directly connected; the WCCP control traffic
itself is UDP port 2048.

Switching on and logging in


For CACHEBOX to operate on your network, it first needs some basic network settings.
Console configuration takes only a few minutes. For this you will need:
 IP address/netmask CACHEBOX will use
 IP address of the default gateway/router through which it can access the internet
 IP addresses of one or more DNS servers
Everything else can be configured via the web interface later on. However, if you
choose to, during this stage you can also specify a time server and ‘admin addresses’ –
IP addresses or address ranges from which web based administration can take place,
with access from all other addresses refused. By default (if this field is left blank) any
address can reach the log-in screen, so set it now if the appliance will be reachable from
networks you do not control.
You will be prompted to reboot the device after changing configuration settings.
CACHEBOX will allow you to configure up to four interfaces, although not all of these
may be physically installed on your unit.


The following steps detail the console configuration procedure:

Step 1
 Attach the power, VGA monitor and keyboard
 Plug the network cable into the network port labelled ETH0

Step 2
Power the appliance on using the power button on the front panel.

Step 3
Once booted, a series of screens allows you to set basic network settings. Once this is
done, you will be able to do all further configuration via the web interface.

Step 4
Press [ENTER] and you will be prompted for the following information:
 the hostname you wish to assign to the appliance
 the network address and netmask, in either dotted decimal or as a CIDR mask
 the default gateway
 the DNS servers that the CACHEBOX can use to resolve network addresses

Step 5
You will be asked to review all settings and type the word ‘yes’ to continue. Type ‘no’
if you need to change any settings.


It will take a few seconds for these settings to be verified and applied.

Step 6
The final step is to set the password for the Administrator. Type the word 'yes' to set
your password.

The user name is fixed as “admin”.

Type the same password twice: remember that it is case-sensitive. Your passwords will
not be printed to the screen.

Step 7
Your settings will then be saved and the following screen will be displayed:

Setup is now complete. There is no need to reboot.


Step 8
The remaining configuration is done from a web browser. You can now access the web
interface for CACHEBOX at http://ipofcachebox/ (the administration interface is served
over HTTPS on TCP port 443, as listed in the port table).
If you are unable to access the interface, return to the console (Step 7) and check that
the network settings shown there are correct.
Most browsers will warn that the SSL certificate is not valid. This is because the
certificate is self-signed: it was not issued by a certifying body and does not name the
IP address you are connecting to.

For this initial set-up the warning can be accepted, but only because you have just
connected the appliance to the address you configured on the console: a self-signed
certificate gives the browser no way to tell the appliance from another host answering
on that address, so do not make a habit of clicking through it from untrusted networks.

You must enable JavaScript in your browser if you have previously disabled it; the
interface does not work without it.

Step 9
Enter the username admin and the password that you set in Step 6. You can also select
a language preference – English (default), Spanish, French or Portuguese – from the
dropdown menu.


Introduction to the Web Interface


Once logged in, the following page is shown:

The interface is divided into four sections, as shown by the tabs on the top right of each
page:

 ‘System’ – Appliance Operating System (Configuration, Upgrade etc)


 ‘Network’ – Network Configuration (Interfaces, Services etc)
 ‘Cache’ – Cache Engine Configuration
 ‘Content’ – Content Management Configuration
 ‘Reports’ – Access Reports (unavailable if logging is disabled)

Searching for a particular keyword in the search box will list all pages in the interface
which include your search term. For example, searching for ‘report’ will display links to
pages such as ‘System’ > ‘Reports’ as well as ‘Reports’ > ‘Daily Reports’.
Each section is comprised of an ‘Overview’ page and a list of related functions/pages in
a menu on the left.


Pages
Many pages are divided into sections by headers, such as:

Some pages have multiple views, accessible via tabs:


Forms
Text entry fields that require a value are shown with a yellow background:

Errors in form submission are highlighted by red bars across the page and the text entry
field turning red:


Graphs
Pages containing real-time graphs have a header area where you can adjust the time
range used by:
 Clicking the calendar icons
 Using the drop down list to choose a pre-set time period
 Dragging a range on the timeline
 Dragging a range on any graph
If after selecting a time frame the report doesn’t change, click UPDATE.
Clicking the PDF icon will generate a downloadable PDF containing all information for
the selected time range.

By clicking a graph legend, you can turn data series on and off:


Languages
The interface is currently available in four languages – English (default), Spanish, French
and Portuguese.

You can select your choice of language from any page in the interface, including the
login page.


Online Help and Documentation


In addition to this manual, CACHEBOX has an online help system.
 Click the page-level help icon to see help relevant to a whole page or section

 Click the help icon next to a field to see specific information relating to that field

Section 3 of this Guide – “Configuration Reference” – reproduces the online help, with
additional notes in some places.


Initial Appliance Configuration


The Initial Configuration Assistant will guide you through the basic steps required to
complete a standard install of CACHEBOX within your network, configured ready to
communicate with other related network devices.
Ideally, before you start you should have the following information available:
 Details of an SMTP (email) server which the CACHEBOX can use to send alerts
and reports
 A syslog server hostname or IP address

Step 1
Click Initial Configuration Assistant to start the assistant.


Click NEXT to continue. You will have a chance to review the information you have
entered before applying the settings. You can cancel an assistant at any time. No
changes are made to this CACHEBOX until they are committed.

Step 2
Record identification information for this CACHEBOX.
This step is optional. If you have multiple CACHEBOXes, this information will help you
identify each unit.
The Description and Location information are published by the on-box SNMP server. So if
you use an SNMP network monitoring system to monitor the CACHEBOX, it will be able to
show the description and location. Click NEXT to continue.


Step 3
Configure external servers.

 Enter the IP address of your primary server - DNS Server #1


The cache engine on CACHEBOX depends on a fast and accurate recursive DNS
server. A slow DNS server can seriously limit the performance of the CACHEBOX.
So it is important to configure the CACHEBOX with the IP address of your local
caching DNS server.
It is also important to configure the CACHEBOX to use the same DNS server as the
client computers. This is especially important if the CACHEBOX is deployed
transparently because in transparent mode both the client and the CACHEBOX
will generate a DNS request for the target webserver domain name. If clients and
the CACHEBOX receive different DNS responses from different DNS servers, it can
cause connection failures and timeouts.

 Choose your local Timezone


It is important to set the local time zone.
CACHEBOX carries out various CPU intensive tasks daily at 0400 local time (for
example generating monthly reports, compressing logging databases). If you
forget to set the correct time zone, you may find that these tasks occur during
your peak hours and may affect the performance of the CACHEBOX.
The local time zone is used when sending scheduled reports and alerts.
The local time zone is also used to translate the times displayed in the web
interface log viewer.


 Configure your NTP Timeserver(s)


CACHEBOX relies on having an accurate and consistent system clock.
For example, the reporting system will not start until the system clock has
synchronised and stabilised.
The Squid HTTP proxy depends on an accurate system clock in order to identify
when cached files should be refreshed.
The system log messages should be stored with accurate time stamps so that the
messages can be used for diagnostics and accurately compared with messages
from other devices on your network.
For these reasons you should configure the CACHEBOX to use the same NTP time
servers as the other devices and servers on your network.
Ideally all your servers and devices should be configured to use local timeservers.
If possible, configure multiple timeservers. This will allow the CACHEBOX to
synchronise its clock faster.
You can enter an NTP server IP address or a DNS hostname. If you choose a DNS
hostname, make sure that the name can be resolved by the CACHEBOX DNS
server.
CACHEBOX can be used as an NTP time server. See Configuration Reference in
Section 3 for more information about the NTP time server.

 Change the SNMP Community string


The default SNMP community string on the CACHEBOX is “public”.
You must change this to prevent unauthorised clients accessing the SNMP service.
Bear in mind that with SNMP v1/v2c the community string travels in cleartext with every
query, so treat it as a weak shared secret: use a long random value, and also restrict
SNMP to your Admin Network(s) (Step 5) so that only your monitoring hosts can query the
appliance at all.
You can then use a network monitoring server (for example Zenoss) to monitor
the performance of your CACHEBOX and other servers and devices on your
network.
See Section 3 for more information about the SNMP MIBs supported by CACHEBOX.


Step 4
Configure the SMTP mail server settings.
CACHEBOX can be configured to send you email alert messages (for example, to send
you an email when users log in and log out).
To enable this, CACHEBOX must first be configured to use an SMTP mail server. Enter the
IP address or DNS hostname of your preferred SMTP server. Click NEXT to continue.

Step 5
Restrict access to administrative services
The Admin Network(s) setting controls which machines or networks can access the web
and SSH admin interfaces, as well as SNMP monitoring. Other services are not affected.


The use of admin networks is very important for appliances open to the internet, to
prevent automated login attempts that could compromise the device. The public IP
address(es) of the networks from which the device needs administering should be
entered in admin networks. It is also useful on a LAN, to only allow specific hosts or parts
of the network to access the device.

Enter the IP address of your trusted administrative network. More than one network can
be provided separated by space. Click NEXT to continue.
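As an added illustration (it is not part of this guide or of the CACHEBOX software), the following Python script models what the Admin Network(s) field does, together with the inbound ports from the table in “Network Requirements”: it parses the space-separated field, decides whether a given source may reach each listening service, and flags the two values that leave administration open to everyone (an empty field, or a 0.0.0.0/0 entry). The addresses in the sample run are constructed; the service table uses the default ports from the guide, and which services count as “admin” follows the description in Step 5.

```python
import ipaddress

# Inbound listening services, default ports from the guide's port table.
# The flag marks the services the Admin Network(s) setting restricts
# (web admin, SSH and SNMP); the other listed services are not affected by it.
INBOUND_SERVICES = {
    ("tcp", 22):   ("SSH",             True),
    ("tcp", 443):  ("HTTPS web admin", True),
    ("udp", 161):  ("SNMP",            True),
    ("tcp", 80):   ("HTTP mirroring",  False),
    ("tcp", 7770): ("node comms",      False),
    ("udp", 7770): ("node comms",      False),
    ("udp", 2048): ("WCCP",            False),
}


def parse_admin_networks(field):
    """Parse the space-separated Admin Network(s) field.

    Accepts bare hosts ("10.0.0.5"), CIDR ("10.0.0.0/24") and dotted-mask
    ("10.0.0.0/255.255.255.0"). An empty field yields an empty list, which the
    guide says means any address may reach the login screen.
    """
    return [ipaddress.ip_network(tok, strict=False) for tok in field.split()]


def admin_allowed(admin_nets, src):
    """True if src may reach an admin service; an empty list restricts nothing."""
    if not admin_nets:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in admin_nets)


def inbound_allowed(admin_nets, src, proto, port):
    """Decide an inbound connection the way the admin-network filter would:
    admin services need a matching network, other listed services are open,
    anything not in the table is not listening at all."""
    entry = INBOUND_SERVICES.get((proto, port))
    if entry is None:
        return False
    _, restricted = entry
    return admin_allowed(admin_nets, src) if restricted else True


def audit_admin_networks(field):
    """Return warnings for an Admin Network(s) value that leaves admin open."""
    nets = parse_admin_networks(field)
    warnings = []
    if not nets:
        warnings.append("empty: SSH, web admin and SNMP are reachable from any address")
    for net in nets:
        if net.prefixlen == 0:
            warnings.append(f"{net} matches every address, the same as leaving the field empty")
        elif not net.is_private and net.num_addresses > 256:  # size threshold is an arbitrary choice
            warnings.append(f"{net} is a large public range; list only the hosts that administer the box")
    return warnings


if __name__ == "__main__":
    nets = parse_admin_networks("10.1.2.0/24 203.0.113.10")  # constructed example value
    for src, proto, port in [("10.1.2.7", "tcp", 443), ("198.51.100.9", "tcp", 443),
                             ("198.51.100.9", "tcp", 80), ("203.0.113.10", "udp", 161)]:
        state = "allowed" if inbound_allowed(nets, src, proto, port) else "blocked"
        print(f"{src:14} {proto}/{port:<5} {state}")
    for warning in audit_admin_networks("") + audit_admin_networks("0.0.0.0/0"):
        print("warning:", warning)
```

The point the sample run makes is the one the guide states in words: with the field empty, an attacker on 198.51.100.9 reaches SSH and the web login just as your own hosts do, while HTTP mirroring on port 80 stays open regardless of the setting, because that is a cache service rather than an admin one.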

Step 6
You will now be shown a summary of the settings you have chosen. If all settings are
correct, click SUBMIT to save the changes. If there is some information you want to
correct, click PREVIOUS to go back to previous screens.

Your settings will be checked: if there are any problems, a message will show details of
the invalid data.


If you are using deployments in Gateway mode, WCCP or Bridge mode, the Basic
Caching Assistant can be used to do the initial configuration setup.

If you prefer to configure these settings later, you can do so at any time by either
accessing the Basic Caching Assistant from ‘System’ > ‘Overview’, or navigating to the
relevant pages of the Web Interface (‘Cache’ > ‘Service’ for configuring permitted
subnets and ‘Cache’ > ‘Advanced’ for enabling Source Address Spoofing).

Basic Caching Assistant


This assistant will help you set up your basic deployment configuration for your
CACHEBOX. It will ask you some questions to help ensure your CACHEBOX is secure and
configured correctly.

You will be asked the following:


 What kind of deployment should this CACHEBOX be
- Gateway mode settings
- Bridge mode settings
- WCCP mode settings
 Which networks are allowed to access the web caching server
Click NEXT to choose your basic deployment options. You will have a chance to review
all information entered before committing.

There is no basic caching assistant for PBR, as this deployment mode requires the router
to be configured rather than CACHEBOX. If you are deploying in PBR mode, you should
refer directly to the ‘Next Steps’ section below.


Step 1
You should make a note of which addresses you would like to allow access to this
CACHEBOX. You should also know the mode in which you will deploy your appliance.

Step 2
Select your method of deployment from the options available.

Click NEXT to continue.

The remaining steps will vary depending on the mode you have selected.
To continue, please go to the instructions below for your chosen method.


Bridge mode deployment

Step 3
Tick both interfaces for the bridge and click NEXT to continue.

Step 4
Add your permitted subnets. Without them CACHEBOX accepts requests from any source, so
unauthorised users can abuse it as an open proxy.


Step 5
Confirm that your basic Bridge mode settings are correct.

If you want to edit any configurations, click PREVIOUS to go back to the relevant step.
Otherwise, click SUBMIT.

By default, the Intercept Requests From setting for bridge mode is All IP Addresses.
If you want to customise this, you must do so from the ‘Cache’ > ‘Deployment’ menu,
under the heading Bridge Mode Settings.

You have now set up the basic CACHEBOX configuration for Bridge mode. Continue
reading from “Next Steps” in the section below.


WCCP mode deployment

Step 3
Set global settings for WCCP deployment.

Step 4
Add your permitted subnets. Without them CACHEBOX accepts requests from any source, so
unauthorised users can abuse it as an open proxy.


Step 5
Confirm that your basic WCCP settings are correct.

If you want to edit any configurations, click PREVIOUS to go back to the relevant step.
Otherwise, click SUBMIT. You have now set up the basic CACHEBOX configuration for
WCCP mode.

This assistant helps you set up the most basic form of WCCP deployment. If you want to
set up Source Address Spoofing with WCCP, you must first set up your dynamic groups.
This option is not available on the basic caching assistant. You should refer to the next
section for details on how to do this.

Next Steps
The basic installation of your appliance is complete. You are now ready to carry out
remaining configuration tasks specific to your deployment, detailed in the remainder of
this Getting Started section on the following pages. The remaining tasks are:
 Complete Network Integration. If you have not already done so, confirm which
deployment mode you are going to use. Then follow the steps in the appropriate
one of the following sections on how to implement a specific deployment mode:
- WCCP
- Bridge mode
- Policy-Based Routing
 Check your deployment. Make sure CACHEBOX is functioning correctly after you
have completed configuration within your network.
 Configure your permitted subnets. This is the main access control on the cache
service itself. It is easiest to finalise after configuring the cache and checking it
is working, but do not leave the appliance reachable from untrusted networks while
it is still unrestricted.
 After that, make any further configurations you want beyond simply the steps for
“Getting Started”. For example, you may wish to set up the appliance
administration – users, logs, reporting, alerts and so on.


Completing Network Integration


The following pages describe the general and/or detailed steps to complete
deployment in your network in each of the deployment modes recommended for
service providers:
 WCCP
 Bridge Mode
 Policy-Based Routing

First you must...


 Have decided which deployment mode is right for you. If in doubt, read Section
1 and these pages to help you decide.

WCCP Deployment
WCCP (Web Cache Communication Protocol) is a feature of some Cisco routers and
switches which allows you to re-route HTTP traffic to a caching device. If your network
uses routers, layer 3 switches or firewalls that support Cisco’s WCCP protocol, it is likely to
be your best deployment option. However, WCCP deployment usually involves more
complicated configuration than other options – both on the (typically) Cisco device and
on CACHEBOX.

Therefore, you should ensure that if you are carrying out WCCP deployment, you have
the necessary knowledge and information. In the following pages, you will find detail
on:
 What you need to know before implementing WCCP deployment
 Detailed configuration steps for each of two WCCP deployment options:
- Basic WCCP “standard” deployment
- WCCP deployment with Source Address Spoofing
 Instructions on how to check your deployment

The information in this section is provided as a guide only. ApplianSys cannot be held
responsible for changes that you make to your Cisco set up. Please do not attempt to
make changes without adequate Cisco training and/or support.


First you must…


 Have configured your CACHEBOX as described in “Initial Installation” and
checked it is working correctly
 Ensure your equipment has a version of Cisco IOS software which supports
WCCPv2 operation with CACHEBOX
For a successful WCCP deployment, you need to have a suitable version of
Cisco’s IOS because WCCP relies on many IOS features to function properly.
Having an unstable IOS can cause issues like router CPU overload and WCCP
sessions dropping frequently and randomly.
One way of checking the suitability of your Cisco IOS software is to download the
"Service Provider" IOS image, as this has proven more stable than other versions
such as "Advanced IP services".
Alternatively, CACHEBOX supports the following families of routers and switches
for WCCP deployment:

Routers Switches
800 CAT3550
1000 CAT3560
2000 CAT3750
3000 CAT4500
4000 CAT4900
7000 CAT5000
10000 CAT6000

Due to the variance in Cisco hardware/software feature support, it is advised that you
check the level of WCCPv2 support available.
A list of supported features can be found in the online help of the interface: navigate to
‘Cache’ > ‘(Deployment) Advanced’ > ‘WCCP Global Settings’ and click the help icon.


 If you are using 3750 series switches or similar, ensure your IOS version is suitable
You need to make sure the IOS you are running supports:
- WCCP Redirection on Inbound Interfaces
- WCCP version 2
You can check these features by using the Cisco Feature Navigator available
free on the Cisco website. Searching online for “Cisco Feature Navigator” should
give you the latest link. If your IOS does not list these features, you will need to
upgrade to a newer version of IOS that does include them.

 If you are using 3750 series switches or similar, ensure your SDM template is correct
Type the "show sdm prefer" command on your switch:

C3750G-24T# show sdm prefer


The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of igmp groups + multicast routes: 1K
number of unicast routes: 8K
number of directly connected hosts: 6K
number of indirect routes: 2K
number of policy based routing aces: 0
number of qos aces: 512
number of security aces: 1K
C3750G-24T#

If your profile is set to "desktop default" or to "desktop vlan", change it to routing.


You need to type the following command:

C3750G-24T#conf t
Enter configuration commands, one per line. End with CNTL/Z.
C3750G-24T(config)# sdm prefer routing
Changes to the running SDM preferences have been stored, but
cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently
active.
C3750G-24T(config)#^Z
C3750G-24T#show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of igmp groups + multicast routes: 1K
number of unicast routes: 8K
number of directly connected hosts: 6K
number of indirect routes: 2K
number of policy based routing aces: 0
number of qos aces: 512
number of security aces: 1K
On next reload, template will be "desktop routing" template.
C3750G-24T#


After the changes have been applied, you need to reload your switch IOS for the
changes to take effect.
 Have Cisco network interfaces with VLAN support
For an ideal WCCP Source Address Spoofing implementation, we recommend
you connect CACHEBOX to a separate interface/VLAN. The main reason is the
handling of traffic redirection.

 Have a detailed understanding of your network architecture and traffic flows


For smooth deployment of WCCP, you need to know about the relevant devices
in your network and how they are deployed, how they relate to each other, IP
addresses in use, what traffic and services are flowing on your network and so on.
In particular, you need to know about the factors relevant for your organisation
which allow you to decide whether or not to deploy with Source Address
Spoofing

 Decide whether or not to implement Source Address Spoofing


You will implement one of two WCCP deployment options:
- Basic deployment, using WCCP’s “standard” service
- With Source Address Spoofing
If it is important to you that HTTP requests appear to originate from the original
client IP addresses, rather than from the CACHEBOX, you will want to use Source
Address Spoofing. However, basic “standard” deployment is much simpler to
configure.

 Know how to carry out Cisco configuration, including access lists


You will need to exclude certain traffic from being redirected via WCCP, as some
services will not work. To do that, you will need to setup and apply access lists.


Basic WCCP Deployment


In “standard” WCCP deployment, a single WCCP service group ‘Web-cache’ handles
traffic redirection. When this deployment is used, the Cisco router will redirect all HTTP
(TCP port 80) traffic to the CACHEBOX devices belonging to the ‘Web-cache’ Service
Group. It will be a gateway for the CACHEBOX.

Router configuration
This configuration uses the standard WCCP “Web-cache” service for redirection.

Step 1
Back up your Cisco router configuration, e.g.

copy startup-config ftp://username:password@my.ftp.server/startup-config

copy running-config ftp://username:password@my.ftp.server/running-config

Note that FTP sends the credentials in the URL and the configuration itself (including the
WCCP and other passwords it contains) in cleartext. Use scp: instead where your IOS
image supports it, and use a dedicated account on the backup server.

Step 2
Activate the WCCP v2 Web-cache Service

wccprouter#conf t
wccprouter(config)#ip wccp web-cache password secret
wccprouter(config)#exit


Step 3
Configure WCCP redirect inbound on the network interface

wccprouter#conf t
wccprouter(config)#interface GigabitEthernet0/2
wccprouter(config-if)#ip wccp web-cache redirect in
wccprouter(config-if)#end

Step 4
Save the Cisco configuration

wccprouter#copy running-config startup-config


Destination filename [startup-config]?
Building configuration...
[OK]

If both your clients and the CACHEBOX connect to the router on the same network
interface, you will need to create specific access lists for WCCP traffic redirection in
order to avoid creating a WCCP loop. This is particularly relevant for Cisco ASA devices
which only support WCCP redirection through the same interface as the client network.

Example
Your customers and the CACHEBOX are connected to the router on interface
GigabitEthernet0/2. The CACHEBOX uses the IP address: 192.168.100.254, the rest of the
customers use IP addresses within the address range: 192.168.100.0/24. Now because
both the CACHEBOX and the customers are connected using the same interface and
because we are redirecting all HTTP traffic on that interface via WCCP, we need to
exclude the IP address of the CACHEBOX from the redirection.
In order to do that you need to create an access-list on the router:

wccprouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
wccprouter(config)#ip access-list extended 100
wccprouter(config-ext-nacl)#deny tcp host 192.168.100.254 any eq www
wccprouter(config-ext-nacl)#permit tcp 192.168.100.0 0.0.0.255 any eq www
wccprouter(config-ext-nacl)#end

Now that the access-list exists, repeat "Step 2" in modified form to attach it to the
service as its redirect-list.

wccprouter#conf t
wccprouter(config)#ip wccp web-cache password secret redirect-list 100
wccprouter(config)#exit

In a redirect-list, permit means "redirect to the cache" and deny means "route normally";
traffic matching neither entry falls to the implicit deny at the end of the list and is not
redirected either. With the list attached, HTTP requests from customers are redirected
while the CACHEBOX's own upstream requests pass straight through, so no WCCP loop
is created.
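The loop-avoidance access-list is easiest to reason about by evaluating it the way IOS does. The Python script below is an added example, not part of this guide or of any Cisco or ApplianSys software: it parses the two entries of access-list 100 exactly as typed above (IOS wildcard masks, first match wins, implicit deny at the end) and reports whether sample flows would be redirected. The upstream server 203.0.113.5, the customer 192.168.100.17 and the source ports are constructed; the CACHEBOX address and subnet are the ones from the example.

```python
import ipaddress


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any' | 'host A' | 'A WILDCARD'.
    Returns ((base, wildcard) as ints, index of the next token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' / 'eq www' qualifier. Returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (80 if name == "www" else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse an extended ACE of the shape used in the guide:
    permit|deny PROTO SRC [eq P] DST [eq P]"""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_matches(spec, addr):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def redirected(acl_lines, flow):
    """Evaluate a flow against an ACL used as a WCCP redirect-list.

    First matching entry wins. 'permit' = redirect to the cache, 'deny' = route
    normally, and the implicit 'deny any' at the end means unmatched traffic is
    not redirected either.
    flow = {"proto": ..., "src": ip, "sport": n, "dst": ip, "dport": n}
    """
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != flow["proto"]:
            continue
        if not (_addr_matches(ace["src"], flow["src"]) and _addr_matches(ace["dst"], flow["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != flow["sport"]:
            continue
        if ace["dport"] is not None and ace["dport"] != flow["dport"]:
            continue
        return ace["action"] == "permit"
    return False


# The two entries of access-list 100 from the router example above.
REDIRECT_LIST_100 = [
    "deny tcp host 192.168.100.254 any eq www",
    "permit tcp 192.168.100.0 0.0.0.255 any eq www",
]


def flow(src, dst, dport, sport=40000, proto="tcp"):
    """Build a flow record; the source port default is an arbitrary ephemeral port."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    server = "203.0.113.5"  # constructed upstream web server address
    for label, f in [
        ("customer HTTP request",            flow("192.168.100.17", server, 80)),
        ("CACHEBOX's own upstream request",  flow("192.168.100.254", server, 80)),
        ("customer HTTPS request",           flow("192.168.100.17", server, 443)),
        ("HTTP request from another subnet", flow("10.9.9.9", server, 80)),
    ]:
        verdict = "redirect" if redirected(REDIRECT_LIST_100, f) else "route normally"
        print(f"{label:34} -> {verdict}")
```

The second case is the loop the guide warns about: the CACHEBOX's own fetch of the object leaves on the same interface the redirect is bound to, and without the deny entry it would be handed straight back to the CACHEBOX. The fourth case shows the implicit deny doing useful work: a subnet you did not list is simply not cached, which is the safe default.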


CACHEBOX configuration

Step 1
You should already have configured basic settings during “Initial Installation”. However,
you may want to check, in particular that the settings are correct to communicate with
your Cisco device:
In ‘Network’ > ‘Settings’ check:
 Network Interface eth0 has the correct IP address and Netmask
 The default route is set to the IP address of the Cisco interface facing CACHEBOX
 A valid (and routable) DNS server IP address has been set
Also check in ‘System’ > ‘Time’ that a valid network timeserver has been set.

Step 2
Configure WCCP
 Navigate to ‘Cache’ > ‘Deployment’ > ‘Mode’
 Select WCCP from the dropdown list and click SAVE


 Navigate to ‘Cache’ > ‘Deployment’ > ‘Advanced’

 Under the ‘WCCP Global Settings’ heading, set WCCP mode to Enabled.
 In the Router/Switch IPs or hostnames field, enter the IP addresses of your WCCP
routers/switches, one per line. You can list several if you plan to use multiple routers
for WCCP.
 Select the required Forwarding Method (GRE or Layer 2 Redirect)
 If GRE Tunnel, define the appropriate GRE Remote Endpoint IP (usually the
CACHEBOX-facing interface IP on the Cisco, or its loopback address).
 For Assignment Method, choose Hash Assignment if the Forwarding Method is GRE
Tunnel; otherwise choose Mask Assignment for ‘Layer 2 Redirect’.
 Ensure Rebuild Wait is Yes.
 Assign a Weight
 In the Standard Web Cache Password box, enter the password you used when creating
the Cisco WCCP service (shown as ‘secret’ in the router example; use a strong value of
your own, and the same value on both sides).
 Click SAVE

The CACHEBOX proxy service will restart and it will attempt to negotiate a WCCP
connection to the Cisco router.


Check the setup


On the Cisco device run:

wccprouter#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.100.1.1
Protocol Version: 2.0

Service Identifier: web-cache


Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 32
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0

Show detail of web-cache WCCP service

wccprouter#show ip wccp web-cache detail


WCCP Cache-Engine information:
Web Cache ID: 172.100.1.101
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 204
Connect Time: 00:52:05

Next Steps
 Check your deployment. See details in the next section of “Getting Started”.
 Configure permitted subnets. See details in the final section of “Getting Started”.
 Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.


WCCP Deployment with Source Address Spoofing


The "Source Address Spoofing" feature allows CACHEBOX to impersonate the IP address
of the clients that are proxying through it.
Source Address Spoofing requires careful configuration of your network routes. Requests
will appear to originate from the original client IP addresses; therefore, it is important that
the responses to these requests are routed back via the CACHEBOX so that it can cache
the response and pass the response back to the original client.
Instead of using the standard WCCP Web-cache service, you have to configure two
custom “dynamic” services. Dynamic WCCP Services are defined during the
handshaking phase with the CACHEBOX once it has successfully authenticated.
 The first handles the redirection of outbound client requests to the CACHEBOX,
based on the destination IP address.
 The second service handles redirection of responses coming back from web
servers, based on the source IP address.
Your Cisco router must have at least three physical interfaces/vlans. The CACHEBOX,
the client network and the WAN gateway must be connected to separate physical
network interfaces.
Both services redirect packets as they enter the router ("redirect in", see Steps 5 and 6 below), so client HTTP requests must arrive at the router on the client network interface, and the HTTP responses from web servers must arrive on the WAN gateway interface. If the return path bypasses that interface, responses are never redirected to CACHEBOX and clients see nothing.


Router configuration
The following example shows annotated Cisco IOS commands which are known to work
on a Cisco 7206 router with three physical ethernet interfaces:
 GigabitEthernet0/1: WAN Gateway
 GigabitEthernet0/2: client network gateway
 GigabitEthernet0/3: interface where the CACHEBOX is connected

Step 1
Back up your current configuration, e.g.

copy startup-config ftp://username:password@my.ftp.server/startup-config
copy running-config ftp://username:password@my.ftp.server/running-config

FTP sends the credentials and the configuration itself in cleartext, and a password embedded in the URL also ends up in the command history, so run this over a management network you trust or, where your IOS release supports it, copy to an scp: destination instead. The configuration will contain the WCCP password once Step 4 is done, so protect the backups accordingly.

Step 2
Enter Cisco configuration mode

wccprouter# conf t

Step 3
Enable WCCP version 2

wccprouter(config)#ip wccp version 2

Step 4
Create two custom WCCP services. It is important to use the service numbers 80 and 90

wccprouter(config)#ip wccp 80 password secret


wccprouter(config)#ip wccp 90 password secret

Step 5
Configure the outbound WCCP service on the client network interface.

wccprouter(config)#interface GigabitEthernet0/2
wccprouter(config-if)#ip wccp 80 redirect in
wccprouter(config-if)#exit

Step 6
Configure the inbound WCCP service on the WAN gateway interface

wccprouter(config)#interface GigabitEthernet0/1
wccprouter(config-if)#ip wccp 90 redirect in
wccprouter(config-if)#exit


Step 7
Exit configuration mode and copy the changes to the startup-config

wccprouter(config)#end
wccprouter#copy running-config startup-config


Destination filename [startup-config]?
Building configuration...
[OK]

This enables WCCP redirection for all port 80 traffic entering the interfaces on which
redirection is active. That is fine if you intend to cache for everyone, but not if only
some HTTP traffic should pass through the cache, or if you want to offer caching to
selected customers only. To choose who uses the cache and who does not, define access
lists on the router and apply them to the dynamic WCCP services as redirect-lists. Access
lists for WCCP were already set up in 'Standard WCCP setup' above; because two dynamic
services are now in use, and because Source Address Spoofing is active, these access
lists are slightly different.
Example: the CACHEBOX IP is 192.168.100.254 and it is connected to GigabitEthernet0/3;
the customers are connected to GigabitEthernet0/2 and the internet connection is on
GigabitEthernet0/1. WCCP redirection is wanted for several customers' IP address ranges,
with the access lists controlling which of them are redirected. The requesting subnets are
192.168.100.0/24, 172.16.100.0/24 and 172.16.200.0/24. First, create two extended access
lists, one for each dynamic WCCP service.

Please note that the access lists CACHEBOX80 and CACHEBOX90 are different. CACHEBOX80
matches client requests on their source IP address, while CACHEBOX90 matches the returning
responses on their destination IP address. Whenever you add an IP address or subnet to WCCP
redirection, add it to both access lists, following the examples below. This is very
important: if a subnet appears in only one list, either its requests or its responses will
bypass the cache and redirection will not work properly for that subnet. Note also that the
appliance's own address 192.168.100.254 lies inside the first subnet, so responses to any
port 80 connections the appliance opens from its own address also match CACHEBOX90; if
that causes problems on your IOS release, exclude the appliance address from CACHEBOX90.

Access list CACHEBOX80 for WCCP service 80.

wccprouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

wccprouter(config)#ip access-list extended CACHEBOX80
wccprouter(config-ext-nacl)#permit tcp 192.168.100.0 0.0.0.255 any eq www
wccprouter(config-ext-nacl)#permit tcp 172.16.100.0 0.0.0.255 any eq www
wccprouter(config-ext-nacl)#permit tcp 172.16.200.0 0.0.0.255 any eq www
wccprouter(config-ext-nacl)#exit


Access list CACHEBOX90 for WCCP service 90.

wccprouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

wccprouter(config)#ip access-list extended CACHEBOX90
wccprouter(config-ext-nacl)#permit tcp any 192.168.100.0 0.0.0.255
wccprouter(config-ext-nacl)#permit tcp any 172.16.100.0 0.0.0.255
wccprouter(config-ext-nacl)#permit tcp any 172.16.200.0 0.0.0.255
wccprouter(config-ext-nacl)#exit

Now that we have the access lists ready to use, we need to repeat Step 4 in a modified
form and apply the lists to the proper WCCP services.

wccprouter(config)#ip wccp 80 password secret redirect-list CACHEBOX80


wccprouter(config)#ip wccp 90 password secret redirect-list CACHEBOX90

At this point WCCP will only redirect traffic for the subnets allowed in the access lists
"CACHEBOX80" and "CACHEBOX90".
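Keeping the two redirect-lists in step is the error-prone part of this setup. The following Python script is an added example, not part of the CACHEBOX guide or ApplianSys software: it generates CACHEBOX80 and CACHEBOX90 from a single subnet list (converting prefix lengths to the IOS wildcard masks used above), optionally places a deny for the appliance's own address ahead of the permits in CACHEBOX90 (an addition not in the guide's example; whether it is needed depends on your IOS release), and parses a running-config excerpt to report subnets that appear in one list but not the other. The running-config sample is constructed and deliberately omits 172.16.200.0/24 from CACHEBOX90.

```python
"""Build and cross-check the redirect-lists for WCCP services 80 and 90.

Added example; not part of the CACHEBOX guide or ApplianSys software.
Assumes the Cisco IOS ACL syntax shown in the guide. The sample data below
is constructed.
"""
import ipaddress
import re

SERVICE_OUT = 80    # client -> server requests, matched on SOURCE address
SERVICE_BACK = 90   # server -> client responses, matched on DESTINATION address


def wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS extended ACLs take an inverse (wildcard) mask: /24 -> 0.0.0.255."""
    return str(net.hostmask)


def network_from_wildcard(addr: str, wc: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' back to a network. Assumes a contiguous wildcard;
    a wildcard of 0.0.0.0 is a single host (/32)."""
    host_bits = bin(int(ipaddress.IPv4Address(wc))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=True)


def redirect_acls(subnets, cachebox_ip=None):
    """Return (CACHEBOX80 lines, CACHEBOX90 lines) for the given client subnets.

    Every subnet goes into BOTH lists: as source in CACHEBOX80, as destination
    in CACHEBOX90. If cachebox_ip is given and falls inside a client subnet, a
    deny entry ahead of the permits keeps responses to the appliance's own
    connections out of service 90 (assumption: your IOS release does not
    already exclude the registered cache address).
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    out = [f"ip access-list extended CACHEBOX{SERVICE_OUT}"]
    out += [f" permit tcp {n.network_address} {wildcard(n)} any eq www" for n in nets]

    back = [f"ip access-list extended CACHEBOX{SERVICE_BACK}"]
    if cachebox_ip is not None:
        cb = ipaddress.ip_address(cachebox_ip)
        if any(cb in n for n in nets):
            back.append(f" deny tcp any host {cb}")
    back += [f" permit tcp any {n.network_address} {wildcard(n)}" for n in nets]
    return out, back


ACL_HEADER = re.compile(r"^ip access-list extended (\S+)")
PERMIT_SRC = re.compile(r"^\s+permit tcp (\S+) (\S+) any eq www$")   # CACHEBOX80 form
PERMIT_DST = re.compile(r"^\s+permit tcp any (\S+) (\S+)$")          # CACHEBOX90 form


def parse_acls(running_config: str):
    """Map ACL name -> set of client networks found in a 'show running-config' dump."""
    acls, current = {}, None
    for line in running_config.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = set()
            continue
        if current is None:
            continue
        if not line.startswith(" "):   # ACL entries are indented; anything else ends the block
            current = None
            continue
        m = PERMIT_SRC.match(line) or PERMIT_DST.match(line)
        if m:
            addr, wc = m.groups()
            acls[current].add(network_from_wildcard(addr, wc))
    return acls


def acl_mismatch(acls):
    """Subnets present in one redirect-list but missing from the other (sorted CIDRs)."""
    src_side = acls.get(f"CACHEBOX{SERVICE_OUT}", set())
    dst_side = acls.get(f"CACHEBOX{SERVICE_BACK}", set())
    return sorted(str(n) for n in src_side ^ dst_side)


# Constructed sample: CACHEBOX90 is missing the third subnet.
SAMPLE_RUNNING_CONFIG = """\
!
ip access-list extended CACHEBOX80
 permit tcp 192.168.100.0 0.0.0.255 any eq www
 permit tcp 172.16.100.0 0.0.0.255 any eq www
 permit tcp 172.16.200.0 0.0.0.255 any eq www
ip access-list extended CACHEBOX90
 permit tcp any 192.168.100.0 0.0.0.255
 permit tcp any 172.16.100.0 0.0.0.255
!
ip wccp 80 password secret redirect-list CACHEBOX80
ip wccp 90 password secret redirect-list CACHEBOX90
"""

if __name__ == "__main__":
    out, back = redirect_acls(
        ["192.168.100.0/24", "172.16.100.0/24", "172.16.200.0/24"],
        cachebox_ip="192.168.100.254",
    )
    print("\n".join(out + [" exit"] + back + [" exit"]))
    print("missing from one list:", acl_mismatch(parse_acls(SAMPLE_RUNNING_CONFIG)))
```

Run the mismatch check against a fresh `show running-config` capture after every change to the customer list; an empty result is the condition the guide's warning above is asking you to guarantee.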

CACHEBOX Configuration

Step 1
You should already have configured basic settings during “Initial Installation”. However,
you may want to check, in particular that the settings are correct to communicate with
your Cisco device:
In ‘Network’ > ‘Settings’ check:
 Network Interface eth0 has the correct IP address and Netmask
 The default route is set to the IP address of the Cisco interface facing CACHEBOX
 A valid (and routable) DNS server IP address has been set
If you are not sure, check in ‘System > ‘Time’ that a valid network timeserver has been set


Step 2
Enable Source Address Spoofing
 Navigate to ‘Cache’ > ‘Deployment’ > ‘Mode’
 Select WCCP from the dropdown list and click SAVE
 Navigate to ‘Cache’ > ‘Deployment’ > ‘Advanced’
 Set Source Address Spoofing to ’Enabled’

Step 3
Configure and enable the WCCP service
 Set the WCCP Mode to Enabled
 In the Router/Switch IPs or hostnames field, input the IP addresses of your WCCP
routers/switches on separate lines. You can specify multiple routers if you plan to
use multiple routers for WCCP
 Select the required Forwarding Method (GRE Tunnel or Layer 2 Redirect)
 If GRE Tunnel has been selected, define the appropriate GRE Remote Endpoint
IP (Usually the CACHEBOX facing interface IP on the Cisco or loopback address).
 For Assignment Method, choose Hash Assignment if the Forwarding Method is GRE
Tunnel; otherwise choose Mask Assignment for 'Layer 2 Redirect'
 Ensure Rebuild Wait is Yes
 Ensure the weight value is 10,000
 You do not need to enter a Standard Web Cache Password as it isn’t required for
Source Address Spoofing.
 If you want CACHEBOX to log statistics from the router, set Log Router Statistics to
Enabled. The logging mechanism uses SNMP to retrieve the data from the
router.
 Click SAVE


Step 4
Configure WCCP Dynamic Service Group (80)
 Click ADD
 Enter the Service ID, in our case 80
 Enter the Password, this is the WCCP password specified when you configured the
Service Group within the router
 Select Protocol to tcp
 Select the Flags: check only the box for src_ip_hash and leave the others
unticked
 Set the Priority to 240
 Set Ports to 80
 Click SAVE


Step 5
Configure WCCP Dynamic Service Group (90)
 Click ADD
 Enter the Service ID, in this case 90
 Enter the Password, this is the WCCP password specified when you configured the
Service Group within router
 Set Protocol to tcp
 Select the Flags, check only the boxes for dst_ip_hash and ports_source. The
flags for Service Group 90 are different from Service Group 80. Ensure they are set
correctly
 Set the Priority to 240
 Set Ports to 80 and click SAVE

Step 6
Verify Service Groups and enable WCCP
 Verify that the service groups are now defined as required

 Enable WCCP mode


The CACHEBOX proxy service will restart and it will attempt to negotiate a WCCP
connection to the Cisco router.

Check the setup

Step 1
Turn on WCCP debugging and watch the Cisco syslog output for WCCP debug
messages. The command that displays debug output on a vty session is terminal
monitor. Packet-level debugging is verbose on a busy router, so turn it off again
(no debug ip wccp packets, or undebug all) once you have seen the handshake.

terminal monitor
debug ip wccp events
debug ip wccp packets

Feb 11 15:16:59 10.100.1.1 15: *Mar 1 00:00:31.743: %WCCP-5-CACHEFOUND: Web Cache 172.100.1.101 acquired
Feb 11 15:16:59 10.100.1.1 16: *Mar 1 00:00:31.743: %WCCP-5-CACHEFOUND: Web Cache 172.100.1.101 acquired
Feb 11 15:34:49 10.100.1.1 17: *Mar 1 00:18:21.917: WCCP-PKT:D90: Received valid Here_I_Am packet from 172.100.1.101 w/rcv_id 0000006C
Feb 11 15:34:49 10.100.1.1 18: *Mar 1 00:18:21.917: WCCP-PKT:D90: Sending I_See_You packet to 172.100.1.101 w/ rcv_id 0000006D
...

Step 2
Show the Cisco WCCP status, e.g. the output below. On each service check that Total
Authentication failures stays at 0 (a rising count means the WCCP password on the router
and on CACHEBOX differ), that Number of Cache Engines is 1, and that Redirect access-list
names the list you applied to that service (-none- means no redirect-list is applied, so
all matching traffic is redirected). With Source Address Spoofing both services must carry
traffic: if service 80 redirects packets but service 90 stays at 0, the responses are not
entering the router on the WAN gateway interface.

wccprouter#show ip wccp
Global WCCP information:
Router information:
Router Identifier: 172.100.1.1
Protocol Version: 2.0

Service Identifier: 80
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 32
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0

Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0


Step 3
Show detail of each WCCP service

wccprouter#show ip wccp 80 detail


WCCP Cache-Engine information:
Web Cache ID: 172.100.1.101
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 204
Connect Time: 00:52:05

wccprouter#show ip wccp 90 detail


WCCP Cache-Engine information:
Web Cache ID: 172.100.1.101
Protocol Version: 2.0
State: Usable
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 0
Connect Time: 00:52:36

Step 4
Examine the Cisco running configuration. The WCCP password is visible here, so treat copies of the configuration (including the backups taken in Step 1) as sensitive.

wccprouter#show running-config
Building configuration...
...
ip wccp 80 password secret
ip wccp 90 password secret
--More--
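The checks listed under Step 2 are easy to automate when you have more than one router. The following Python script is an added example, not part of the CACHEBOX guide or ApplianSys software: it parses the text of `show ip wccp` (the sample is the guide's own capture reproduced as a string) into per-service counters and reports the conditions a practitioner would want flagged: authentication failures, no registered cache engine, a missing redirect-list, and service 90 redirecting nothing while service 80 is busy. The expected redirect-list names are an assumption you pass in.

```python
"""Sanity-check 'show ip wccp' output for the two dynamic services.

Added example; not part of the CACHEBOX guide or ApplianSys software.
The sample output is the guide's capture, reproduced here as a string.
"""
import re

SERVICE_RE = re.compile(r"^\s*Service Identifier:\s*(\S+)")
FIELD_RE = re.compile(
    r"^\s*(Number of Cache Engines|Total Packets Redirected|"
    r"Redirect access-list|Total Authentication failures):\s*(\S+)"
)


def parse_show_ip_wccp(text: str):
    """Map service id ('80', '90', 'web-cache') -> the counters we care about."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            services[current][key] = value if key == "Redirect access-list" else int(value)
    return services


def wccp_findings(services, expected_lists):
    """Return a list of problems. expected_lists maps service id -> the redirect-list
    name that should be applied (None if you intentionally redirect everything)."""
    findings = []
    for sid, acl in expected_lists.items():
        s = services.get(sid)
        if s is None:
            findings.append(f"service {sid}: not configured on the router")
            continue
        if s.get("Total Authentication failures", 0):
            findings.append(f"service {sid}: authentication failures, WCCP password "
                            "on router and CACHEBOX differ")
        if s.get("Number of Cache Engines", 0) < 1:
            findings.append(f"service {sid}: no cache engine registered")
        applied = s.get("Redirect access-list", "-none-")
        if acl is not None and applied != acl:
            findings.append(f"service {sid}: redirect-list is {applied}, expected {acl}")
    # Source Address Spoofing needs both directions: requests via 80, responses via 90.
    req = services.get("80", {}).get("Total Packets Redirected", 0)
    resp = services.get("90", {}).get("Total Packets Redirected", 0)
    if req and not resp:
        findings.append("service 90 redirected nothing while 80 did: responses are not "
                        "entering the router on the WAN gateway interface")
    return findings


SAMPLE_SHOW_IP_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   172.100.1.1
        Protocol Version:                    2.0

    Service Identifier: 80
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            32
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0

    Service Identifier: 90
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
"""

if __name__ == "__main__":
    parsed = parse_show_ip_wccp(SAMPLE_SHOW_IP_WCCP)
    for finding in wccp_findings(parsed, {"80": "CACHEBOX80", "90": "CACHEBOX90"}):
        print("WARNING:", finding)
```

Against the guide's capture this reports three things: neither service has a redirect-list applied, and service 90 has redirected nothing. Run it a second time after some client traffic has flowed; the packet counters are cumulative, so compare successive runs rather than a single snapshot.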

Next Steps
 Check your deployment. See details in the next section of “Getting Started”.
 Configure permitted subnets. See details in the final section of “Getting Started”.
 Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.


Bridge Mode
Bridge mode – with a Fail-to-Wire option – is a preferred, resilient deployment method
where more advanced routing equipment is not available.
This is a simple in-line deployment with a minimum of changes required to your network.
Bridge mode is a form of HTTP Interception caching. As such, it would normally be
deployed with Source Address Spoofing to minimise the impact on the logical network.

First you must…


 Have configured your CACHEBOX as described in “Initial Installation” above and
checked it is working correctly.

The following pages give you configuration details for the main steps in setting up Bridge
mode. These are:
 Check which ports should be used in your particular deployment
 Configure CACHEBOX to establish a bridge interface
 Configure CACHEBOX to enable Bridge mode HTTP interception
 Optionally, if you have VLAN-tagged traffic passing through CACHEBOX, choose
which VLANs to intercept
 Check everything is working as intended.

Decide on Port Usage


There are two recommended deployment options for CACHEBOX in Bridge mode,
depending on whether:
 A physically separate administration network interface is desirable/required
 Your CACHEBOX has the Fail-to-Wire option fitted
If either of these apply, then a three-port deployment is required; otherwise a simpler
2-port solution can be used.


Using 2 ports
Here the CACHEBOX has its default route set to the router, and is managed via the
(single) IP address on the bridge. This should not be used with Fail-to-Wire, as there
would be no connectivity to the appliance in order to diagnose faults which caused the
bridge to enter ‘bypass’ mode.


Using 3 ports
Here the CACHEBOX has an independent IP – not part of the bridge – which is used for
management. This will remain available even in the event of a Fail-to-Wire bypass
condition. The bridge should still be given an IP address in the same subnet as the
default route, to ensure that internet requests are directed towards the WAN router.

Set up a Bridge
It is possible to use any combination of network devices to create a bridge, the most
common (and recommended) scenarios are as follows:
 2-port Bridge mode:
- Bridge eth0 and eth1
 3-port Bridge mode:
- Bridge eth1 and eth2. Keep eth0 as an independent management
interface.
 3-port with Fail-to-Wire:
- The Fail-to-Wire interfaces are typically eth2 and eth3 - these should be
bridged. Leave eth1 unused and eth0 for the management interface.

When setting up bridge mode with the Fail-to-Wire card option on, you should initially set
up eth0 to have the management IP on it and not the service IP.


Step 1
Navigate to ‘Network’ > ‘Settings’. The section ’Available Network Interfaces’ shows
available physical devices.

Step 2
For the pair of interfaces that you want to bridge (e.g. eth1 & eth2), click the
'Aggregation' tab, select Bridge from the dropdown menu and select the 2 interfaces
to bridge. Ensure STP is ticked and click SAVE to apply the changes.

The 'Available Network Interfaces' should now show the bridge "br0" made up of the two
interfaces you selected (eth1 and eth2 in this example, or eth2 and eth3 with the
Fail-to-Wire option).

Step 3
Plug the LAN (client) side of your network and the WAN (internet) side of your network
into the bridged ports.

Step 4
Navigate to ‘Network’ > ‘Overview’ to check the status of network ports. Both bridge
ports should be green and should be reporting their negotiated port speed e.g.
1000Mb/s


Step 5
Log into a client computer (on the LAN side of the bridge) and test that it has full access
to the internet, e.g.
 Ping the default gateway IP
 Ping an internet IP (e.g. 8.8.8.8)
 Ping an internet domain name (e.g. www.appliansys.com)
 Browse internet websites
All network protocols should work exactly as before the deployment of the bridge.

Enable Bridge Mode HTTP Interception


Once you are satisfied that the CACHEBOX is functioning as a simple Ethernet bridge,
enable HTTP interception.
When HTTP Interception mode is enabled, all "port 80" traffic (the standard HTTP port used
for web servers) passing over the bridge is intercepted and handled by the CACHEBOX's
proxy/cache mechanism. Traffic on other ports, including HTTPS on port 443, is bridged
through unchanged.
1 Navigate to ‘Cache’ > ‘Deployment’ > ‘Mode’
2 Select Bridge Interception from the Select Mode dropdown list and click
SAVE
3 Navigate to Cache > Deployment > Advanced
4 Set Source Address Spoofing to Enabled if you need to maintain outbound
(client > web server) transparency (Optional)
5 In the ‘Bridge Mode Settings’ section set Bridge-mode HTTP Interception to
Enabled
6 Click SAVE


The CACHEBOX proxy service will now start intercepting and caching HTTP traffic.
You can choose which traffic is intercepted by changing the Intercept Requests From
and Intercept Requests On options.
Intercept Requests From can be set to All IP Addresses or Permitted Subnets
Only. Choosing Permitted Subnets Only will make the CACHEBOX only intercept
traffic originating in the permitted subnets configured on the ‘Cache’ > ‘Basic Settings’
page.
Intercept Requests On lists the network interfaces currently configured as a bridge. By
default traffic arriving at all interfaces will be intercepted. You can stop the CACHEBOX
intercepting HTTP requests arriving at an interface by un-ticking the relevant box.

VLAN Traffic Interception (optional)


By default CACHEBOX will only intercept port 80 HTTP traffic that is not VLAN-tagged. If
you have VLAN-tagged traffic passing over the bridge then you can choose, per VLAN,
to intercept port 80 HTTP traffic. To do this first configure a bridge and activate HTTP
interception and Source Address Spoofing (if required) as above.

To intercept VLAN traffic, two steps are required:

Step 1: Add IPs


CACHEBOX’s bridge device must be configured with an IP address for each VLAN. For
each VLAN:
1 Navigate to ‘Network’ > ‘Settings’ > ‘IP Addresses’ and click ADD
2 Enter a valid IP address and subnet mask for the chosen VLAN
3 Select the bridge device “br0” as the interface
4 In the VLAN field, enter the VLAN id (an integer between 1 and 4094), click SAVE
5 Repeat for all VLANs you wish to intercept


Step 2: Configure permitted subnets (Optional)


If you wish to intercept HTTP requests from specific VLANs:
1 Navigate to ‘Cache’ > ‘Deployment’ > ‘Advanced’ and for Intercept Requests
From, select Permitted Subnets Only
2 Then add these subnets to the ‘Cache’ > ‘Basic Settings’ > Service > ‘Permitted
Subnets’

CACHEBOX will bypass all traffic - including HTTP - for VLANs or subnets that are not
specified in ‘Permitted Subnets’.

Next Steps
 Check your deployment. See details in the next section of “Getting Started”.
 Configure permitted subnets. See details in the final section of “Getting Started”.
 Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.


Policy-Based Routing (PBR)


Policy-Based Routing is often a sensible deployment option for small ISPs with low-cost
routers.

First you must...


 Have in place a router which supports Policy-Based Routing
 Have configured your CACHEBOX as described above in “Initial Installation” and
checked it is working correctly.

Having completed “Initial Installation”, the remaining task in this scenario is typically
simply to configure your router. You need to make sure it redirects client HTTP traffic (TCP
port 80) to the CACHEBOX, while all other IP traffic continues to be routed using existing
routes.
These instructions give you a general guide to implementing Policy-Based Routing.
Actual configuration details will depend on your router hardware/software.

Consult your router manufacturer’s support documentation for detailed information


about configuring Policy-Based Routing.


The generic configuration steps are:


3 For each client subnet, add a policy rule with the following criteria:
- IP source address is within the client subnet.
- IP source address is not the CACHEBOX IP (to avoid redirect loops)
- IP destination address is not within any of your subnets (this is optional and
prevents caching local HTTP traffic).
- IP protocol is TCP.
- TCP destination port is 80.
4 Add a new route with the following criteria:
- Gateway / next hop IP address is the CACHEBOX IP address
- Used only for IP packets that match the policy rules above.
5 Test that HTTP traffic is redirected and cached

ApplianSys maintains detailed Policy-Based Routing documentation for a selection of


popular routers. If you need information on how to deploy your CACHEBOX with your
specific network equipment or router, please contact Support.

Usually, you cannot use Source Address Spoofing (server transparency) with Policy-Based
Routing. When Source Address Spoofing is enabled, the router cannot distinguish client
IP traffic from spoofed IP traffic (originating from the CACHEBOX).

Source Address Spoofing may be possible if your router can be configured with policy
routing rules that match source MAC addresses, or rules that match the ingress port
(assuming the CACHEBOX is attached to a specific router port).

Consult your router product manual for information about these advanced Policy-Based
Routing features.
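The generic policy rules above, and the reason Source Address Spoofing defeats them, can be seen in a few lines of code. The following Python model is an added example, not part of the CACHEBOX guide or any router vendor's software: `pbr_redirects` applies the guide's rule list (TCP to port 80, source inside a client subnet, source not the CACHEBOX address, destination not local) to constructed packets, and the optional `cachebox_port` argument adds the ingress-port match the guide suggests. Interface names, addresses and the assumption that the router can see the ingress port are all hypothetical.

```python
"""Model the generic Policy-Based Routing rules from the guide and show why
Source Address Spoofing breaks them unless the router also matches the
ingress port. Added example; not part of the CACHEBOX guide or any router
vendor's code. Packets and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str   # router port the packet arrived on (assumes the router can match this)


def pbr_redirects(pkt, client_subnets, cachebox_ip, local_subnets=(), cachebox_port=None):
    """True if the policy route would send pkt to CACHEBOX.

    Mirrors the guide's rule list: TCP to port 80, source inside a client
    subnet, source is not the CACHEBOX address, destination not local.
    cachebox_port, when given, adds the ingress-port match the guide suggests
    for deployments that use Source Address Spoofing.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.proto != "tcp" or pkt.dport != 80:
        return False
    if src == ipaddress.ip_address(cachebox_ip):            # plain loop guard
        return False
    if cachebox_port is not None and pkt.ingress == cachebox_port:
        return False                                         # spoofed traffic from the appliance
    if any(dst in ipaddress.ip_network(n) for n in local_subnets):
        return False                                         # keep local HTTP off the cache
    return any(src in ipaddress.ip_network(n) for n in client_subnets)


CLIENTS = ["172.16.100.0/24", "172.16.200.0/24"]
LOCAL = ["172.16.0.0/16", "192.168.100.0/24"]
CACHEBOX = "192.168.100.254"

# Constructed packets; "port2" is the customer-facing port, "port3" faces CACHEBOX.
client_req  = Packet("172.16.100.10", "198.51.100.7", "tcp", 80, "port2")
cache_own   = Packet(CACHEBOX, "198.51.100.7", "tcp", 80, "port3")
spoofed_req = Packet("172.16.100.10", "198.51.100.7", "tcp", 80, "port3")  # from CACHEBOX, client src
local_req   = Packet("172.16.100.10", "172.16.200.5", "tcp", 80, "port2")
https_req   = Packet("172.16.100.10", "198.51.100.7", "tcp", 443, "port2")
PACKETS = (client_req, cache_own, spoofed_req, local_req, https_req)


def demo():
    """(results with the guide's plain rules, results with the ingress-port match added)."""
    plain = [pbr_redirects(p, CLIENTS, CACHEBOX, LOCAL) for p in PACKETS]
    with_port = [pbr_redirects(p, CLIENTS, CACHEBOX, LOCAL, cachebox_port="port3") for p in PACKETS]
    return plain, with_port


if __name__ == "__main__":
    plain, with_port = demo()
    for p, a, b in zip(PACKETS, plain, with_port):
        print(f"{p.src:>16} -> {p.dst}:{p.dport} via {p.ingress}: "
              f"plain={a} with_port_match={b}")
```

The third packet is the one that matters: with spoofing on, the request the appliance forwards carries the client's source address, so the plain rules send it straight back to CACHEBOX (a redirect loop). Only the ingress-port match, or an equivalent source-MAC match, lets the router tell the two apart.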

Some routers and firewalls may be configured to monitor CACHEBOX’s IP, such that they
will automatically bypass the CACHEBOX in the event it becomes unavailable. Consult
your device’s manual, or contact support or your local vendor for more information on
your specific device.

Next Steps
 Check your deployment. See details in the next section of “Getting Started”.
 Configure permitted subnets. See details in the final section of “Getting Started”.
 Make any further configurations you want beyond simply the steps for “Getting
Started”. See “Configuration Reference” and online help for details.


Checking Your Deployment


You have now completed the most important configuration steps.

To ensure that the settings you have chosen are correct you can run a diagnostic tool
available from the CACHEBOX web interface, which will run a series of tests. Browse to
‘System’ > ‘Support’ > ‘System and Network Diagnostics’ and click RUN TESTS. Successful
tests will be displayed in green, while failed ones will be in red.

Test if the HTTP traffic is intercepted. Browse to http://www.appliansys.com/cgi-bin/proxy_test.cgi.


This page displays various HTTP headers, including the headers added by the Squid server
on CACHEBOX. You should see a 'Via' header containing the name of your CACHEBOX. This
confirms that the HTTP request was intercepted and a new request sent out by the
CACHEBOX engine. Note that transmission of 'Via' headers can be turned off on the
'Cache' > 'Advanced' page with the X-Forwarded-For/Via headers entry; if this has been
done, no Via header will be seen. The same entry covers X-Forwarded-For, which discloses
the original client address to the origin server, so consider disabling it when Source
Address Spoofing is off and clients use private addresses you would rather not reveal.
If more than one client subnet is being served, the check should be repeated for each
subnet, as routing is different for each one and the setup could work correctly for one
client subnet but not another. This can be an indication that any client subnets that do
not work lack an IP address on the bridge interface, so the HTTP responses cannot be
routed back to the request originators.


Configure Permitted Subnets


It is likely that you only want specific clients to have access to this CACHEBOX.
Unauthorised clients may cause issues such as excessive bandwidth usage and may
pose a security risk.
Once you have completed your network integration, it is highly recommended that you
configure which networks are permitted access to the CACHEBOX.

If you do not add any permitted subnets then you leave this appliance open to
unauthorised users who may abuse this system.

For example, through an open server, unauthorised users may browse anonymously, and
therefore circumvent existing internet browsing restrictions, as well as cause excessive
bandwidth usage.

1 Navigate to ‘Cache’ > ‘Basic’ settings:

The ‘Permitted Subnets’ section allows you to restrict HTTP access through the
caching server to a number of subnets. If no subnets are defined, then no
restrictions are placed on the clients' network.
2 To configure a new subnet click ADD NETWORK and add an IP address and a
Label (name) for each subnet.
If you already have a list of permitted subnets, click on the Advanced tab to
switch to a text view. You can then paste the permitted subnets you wish to
define.


Example:
192.168.1.0/24 Office network
172.16.0.0/16 Clients 1
172.31.0.0/16 Clients 2
10.129.0.0/16 Clients 3

3 Click SAVE to confirm your settings.

If no subnets are defined, a warning banner will be displayed.

A subnet of 0.0.0.0/0 silences the warning but permits every source address, so use it
only when the appliance is protected by another firewall or is not reachable from
external networks, and confirm that those controls really do block outside clients from
the proxy port before relying on them.
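Before pasting a list into the Advanced tab it is worth linting it. The following Python script is an added example, not part of the CACHEBOX guide or ApplianSys software: it reads the 'CIDR label' text format shown above, flags an empty list, a 0.0.0.0/0 catch-all and overlapping entries, and answers whether a given client address would be permitted (an empty list permits everyone, as the guide states). The sample list is the guide's example extended with two constructed problem entries.

```python
"""Lint a CACHEBOX 'Permitted Subnets' list and test client addresses against it.

Added example; not part of the CACHEBOX guide or ApplianSys software. Reads the
'network/prefix label' text format shown on the Advanced tab. GUIDE_LIST is the
guide's example; BAD_LIST adds two constructed problem entries.
"""
import ipaddress


def parse_permitted(text: str):
    """One 'network/prefix label' per line; blank lines ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cidr, _, label = line.partition(" ")
        entries.append((ipaddress.ip_network(cidr, strict=True), label.strip()))
    return entries


def lint_permitted(entries):
    """Findings a reviewer would raise before trusting the list."""
    findings = []
    if not entries:
        findings.append("empty list: no restriction at all, the cache is an open proxy "
                        "to anyone who can reach it")
    for net, label in entries:
        if net.prefixlen == 0:
            findings.append(f"{net} ({label}): permits every source; only acceptable "
                            "if a firewall already blocks outside clients")
    # Overlap check among the real entries (a catch-all overlaps everything by definition).
    nets = [(n, l) for n, l in entries if n.prefixlen > 0]
    for i, (a, la) in enumerate(nets):
        for b, lb in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a} ({la}) overlaps {b} ({lb}): check which label is intended")
    return findings


def is_permitted(client_ip: str, entries) -> bool:
    """Empty list means no restriction, as the guide states."""
    ip = ipaddress.ip_address(client_ip)
    return not entries or any(ip in net for net, _ in entries)


GUIDE_LIST = """\
192.168.1.0/24 Office network
172.16.0.0/16 Clients 1
172.31.0.0/16 Clients 2
10.129.0.0/16 Clients 3
"""

# Constructed: a catch-all entry and an overlapping entry added to the guide's list.
BAD_LIST = GUIDE_LIST + "0.0.0.0/0 Everyone\n172.16.100.0/24 Branch office\n"

if __name__ == "__main__":
    for finding in lint_permitted(parse_permitted(BAD_LIST)):
        print("WARNING:", finding)
    print("8.8.8.8 permitted by guide list:", is_permitted("8.8.8.8", parse_permitted(GUIDE_LIST)))
```

The overlap finding is not necessarily an error (a customer may legitimately have a /24 inside a larger allocation), but it is the usual sign that a subnet was added under two labels and will be left behind when one of them is removed.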

Next Steps
 Complete any further special configuration beyond the standard generic steps
detailed here in Section 2.


SECTION 3:
CONFIGURATION REFERENCE

This reference section describes in detail each of the screens you can find in your appliance’s
web administration interface.

IN THIS SECTION
Introduction 78
System Menu 78
  Overview 79
  Information 80
  Services 81
  Disks 82
  Alarms 84
  Logging 85
  Alerting 87
  Thresholds 88
  Reports 90
  Users 92
  Authentication 94
  Time 98
  CMC 99
  Support 101
  Licensing 105
  Backup 106
  Firmware 108
  Shutdown 110
Network Menu 111
  Overview 111
  Settings 112
  Static Routes 119
  Services 120
  Proxy Settings 122
  Reports 123
  Tools 125
  Firewall Settings 126
  Open Ports 128
  NAT 129
  SMS 130
  Email 131
  SNMP 132
Cache Menu 133
  Overview 133
  Deployment Mode 135
  Deployment 136
  Service 143
  Cache Settings 145
  Logging 147
  Cache Peers 149
  Custom Configuration 151
  Error Pages 156
  Other 158
Content Menu 162
  Overview 162
  CDN 163
  Filtering 164
  Bypass 167
  Purge Objects 168
  Cache Backup 169
  Pre-Caching 171
Reports Menu 175
  Overview 176
  Periodic 177
  Performance 180
  Statistics 182
  Settings 184
  Schedule 186


Introduction
Once connected to the network, the secure web interface can be accessed. Visiting
http://ipofCACHEbox/ will redirect automatically to the HTTPS interface.

Many browsers will warn that the SSL certificate is not valid. This is because it is
self-signed and was not issued by a certificate authority for the address it is served on,
so the warning is expected on first connection. Rather than clicking through it every
time, download the self-signed certificate from the login screen by clicking on the shield
icon, check that its fingerprint matches the one the browser presented, and import it into
your browser's trust store; the warning will then only reappear if the certificate changes,
which is exactly the case you want to notice.
The default username is “admin”; the password is as configured during the initial
console_ui configuration. Once logged in you should see the ‘Overview’ screen in the
‘System’ tab.

System Menu
The ‘System’ menu is where you edit and view configuration details relating to the
appliance operating system. From here you can:
 Run assistants
 View system statistics
 Diagnose problems
 Monitor the hardware inside the appliance
 Upgrade the CACHEBOX’s software or operating system using an upgrade patch
 Perform system backup and restore operations
 Shutdown or restart the appliance


Overview
This page shows key information about the system as well as Assistants to help you
perform initial installation tasks.

The ‘System Overview’ section shows:

System Status: If the system is working normally, System Status will display a green tick.
If a system error has occurred, such as the licence being due to expire in the near future
or an incorrect upgrade having been detected, a cross will be displayed. If this is the
case, go to the 'Alerting' page to find out what the issue is.
System (or CPU) Load: System Load reports the average CPU load over the last 5 minutes.
Place your mouse over the icon to see the five processes consuming the most CPU time. If
the status is not OK but the load has since dropped to an OK level, it can take minutes
before the OK message reappears, because this is a 5-minute average.
Service Status: If the service indicator is not OK, click on SERVICE DETAILS to go to the
'Services' page. Here you can view a list of key services on CACHEBOX, showing whether any
important issues have been detected. The status of services is regularly refreshed. For
further details see the 'Services' section.
Licence: Some services running on this appliance require a licence. If your licence has
expired (in the case of temporary licences) or has not been installed, a cross here will
indicate a problem.
Uptime: Uptime tells you how long CACHEBOX has been running since it was last booted.
This is refreshed automatically every 10 seconds.


CACHEBOX ‘Assistants’ help you perform important initial configuration tasks. You can
re-run them at any time. To start an assistant click on its icon. You can cancel an
assistant at any time. No changes are made to CACHEBOX until they are committed.

Initial Configuration Assistant: Helps you set up your appliance for the first time.
Basic Caching Assistant: Helps you configure the web caching service.

Information
This ‘Appliance Details’ section can be used to store useful information about this
CACHEBOX. Some of this information will be available for use by SNMP.
The Server Administrator Email is the email address of the local administrator of the
CACHEBOX.
Support Contact Details can be used to specify an email address, telephone number or
other contact details for the person who should be contacted when the CACHEBOX
malfunctions. This will be shown on the CACHEBOX login page.


Services
This section contains a list of services which should be running on this appliance, with
status indicators and information. These are regularly refreshed.
In the example screenshot below the cmc_client and cmc_sync services are disabled as
the CACHEBOX is not configured to connect to a CMC.

Some services require a valid licence in order to run. Provided CACHEBOX is fully
licensed and has completed its boot sequence, a tick should be shown against each
enabled service.
If a warning is shown against one of the services (if you place your mouse over it you
should then see a “not running” message), wait 30 seconds:
 If the service is now shown as running then it is likely that a service restart had
been scheduled by the system, which is normal behaviour.
 If the service is still not running, you should contact support.
This section will also indicate if any important issues have been detected. An hourglass
indicates a service which is currently starting.
It is normal that some services may be “stopped or disabled”. These will show a stop sign
and be greyed out.

The collectd service is dependent on the time having been synchronised via NTP. If
you see that NTP is not running, check that the time servers listed in ‘System’ > ‘Time’ are
reachable and working.


Disks
To view a summary of disk usage in CACHEBOX, navigate to ‘System’ > ‘Disks’. The
Overview page (default view) displays the installed disks and current disk usage. Disk
names are listed on the left; filesystems mounted on these disks are displayed on the
right.

Physical Disks  Detailed information can be retrieved by clicking on the magnifying
                glass next to the disk name. The amount of information displayed
                will depend on the disk type, and some of the displayed information
                may only be of use in support queries. For drives supporting SMART
                monitoring, a small icon will appear next to the drive which will
                indicate that the drive is OK, in a warning condition, or that
                failure is imminent. The status can also be displayed by putting
                your mouse pointer over the drive icon.
Filesystems     The filesystems on each disk are displayed on the right. The usage,
                size and percentage full are displayed for each filesystem.


Clicking on the Charts tab will display graphs relating to disk performance and status.
Options at the top of each page allow you to select the time frame:
 Clicking the calendar icons allows you to select a date range
 The drop down menu lets you select frequently used time periods
 The timeline allows you to quickly drag a time period to be displayed

Be sure to click UPDATE after making any changes.


The number of graphs displayed in this section can vary depending on CACHEBOX
model. The following graphs are usually available in this section:

Disk IO This graph shows the rate at which data is being written to and
read from each of the disks in the CACHEBOX. The Disk IO data
can help diagnose problems related to the performance of the
disks.
Disk Operations This graph is related to Disk IO, but shows the number of distinct IO
operations, rather than the total amount of data written and read
to/from the disks. A few large operations may load the disk
subsystem of your CACHEBOX differently to many small operations.
Disk Health This graph shows the number of errors reported by the SMART
monitoring function of some disks. Some disks may not report
values here. For those which do, an increase in this figure can
indicate impending disk failure.


Free Space Free space for relevant filesystems is reported here. The
interpretation of these graphs depends on the use of the specific
filesystem being reported on. This information can be useful in
diagnosing problems or examining historic use.

By default times are adjusted to the local timezone offset of your web browser. Choose
a different timezone offset from the control panel if you want to view times in an
alternative timezone. Some graphs contain multiple data series. You can turn these on
and off by clicking the data series label in the top left corner of each graph.
Statistics are stored for one year and the resolution of the data decreases as it ages. For
example, data collected within the last hour is aggregated and displayed at a
resolution of ten seconds, while data which is over one month old will be aggregated
and displayed at a resolution of 3 hours.

Alarms
This page shows you any active alerts on the CACHEBOX.

Alarms should be dealt with straight away. If you require assistance then please contact
ApplianSys Support or your local vendor.
Alarms can be acknowledged, if you are confident that they don't matter in your
environment. Acknowledged alarms are listed below the active alarms.

On CACHEBOX420, active alarms are also displayed on the LCD display screen.


Logging
CACHEBOX supports two types of logging:
 System – Authentication, Operating System, Hardware and Networking
 Cache – Web Cache Usage
System level messages are logged automatically by CACHEBOX in this section. These
logs are generated for the purpose of fault diagnosis; there is no need to regularly review
them. CACHEBOX will perform its own maintenance functions and remedies for
temporary problems.

This page also allows you to configure a remote syslog server, to which the most
important log messages from this appliance will be forwarded. This is the only way to
make the appliance's logs persistent. This is recommended as this appliance only stores
a small number of recent log lines. There are a number of syslog servers available. Some
of the more popular include:
 Syslog-ng - available for Linux and Microsoft Windows (premium edition only)
http://www.balabit.com/network-security/syslog-ng/
 Kiwi Syslog Daemon - a syslog server available for Microsoft Windows
http://www.kiwisyslog.com/
 All mainstream Linux distributions include a syslog server


You can add multiple remote syslog servers and configure them from this page. To add
a remote syslog server, click ADD SERVER and fill in the details as appropriate.

This appliance keeps a number of logs which may be useful in resolving problems. All
logs store only the most recent lines of output, usually a few thousand. If the appliance is
restarted then the logs are reset. It is recommended to make use of a remote syslog
server. You can view a log file by clicking one of the log file links listed. The page will
display the most recent 100 lines by default in that log.
The following buttons are available underneath the log contents:

Last      Displays the last part of the log
First     Displays the first part of the log
All       Displays all content of the log. Most logs on the system store only
          the most recent 10,000 lines.
Save      Saves the log to a local file on your computer
Cancel    Cancels viewing the log and returns to the main Logging page

There are various other service specific log files which can be accessed from the
CACHEBOX command line interface:
 Log into CACHEBOX with the username admin and your chosen password
 Change directory to /var/log
 Use the 'rr-logview' command to view any or all of the log files
$ cd /var/log
$ rr-logview httpd/access_log

Calling rr-logview -f on a log file shows only new entries as they are written and keeps
the log viewer running. See rr-logview --help for available options.

The Events table lists all system events. By default the events are listed with the most
recent event first. The sort order can be changed by clicking on the column headings.
An event is generated by the system when something happens which may be of
interest. Examples of events include:
 A user logging in
 A user getting their password wrong when logging in
 A service (such as sshd) has been started successfully
 A system restart

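Because the appliance keeps only a few thousand recent log lines, the remote syslog server is where the events listed above (logins, failed passwords, service starts, restarts) actually accumulate. The following is an added example, not part of this guide or of ApplianSys software, of what a collector on that syslog server can do with them: it parses RFC 3164 syslog lines (PRI, timestamp, host, tag, message) and flags any source address with repeated failed logins inside a short window. The message text, hostnames and addresses are constructed for illustration; CACHEBOX's real log line formats are not documented on this page, so the failed-login pattern is an assumption you would adapt to what your collector actually receives.

```python
"""RFC 3164 syslog line parser with a simple failed-login detector.

Added example, not part of the CACHEBOX guide or ApplianSys software.
The message texts, hostnames and addresses below are constructed for
illustration; the appliance's real log formats are not documented here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 3164: PRI = facility * 8 + severity
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # PRI
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # BSD timestamp, e.g. "Sep 15 10:00:01"
    r"(?P<host>\S+) "                                   # sending host
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "          # program tag, optional pid
    r"(?P<msg>.*)$"
)

# Constructed message shape for a failed web-interface login (an assumption).
FAILED_LOGIN_RE = re.compile(r"authentication failure for user (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line, year=2017):
    """Parse one syslog line into a dict, or return None if it is not RFC 3164 shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        return None
    # BSD timestamps carry no year; the collector supplies it.
    when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "time": when, "host": m.group("host"), "tag": m.group("tag"),
            "pid": m.group("pid"), "msg": m.group("msg")}


def failed_logins_by_source(records, window=timedelta(minutes=5), threshold=3):
    """Return {source_ip: max_failures_in_window} for sources that hit the threshold."""
    events = defaultdict(list)
    for r in records:
        if r is None or r["facility"] not in ("auth", "authpriv"):
            continue
        m = FAILED_LOGIN_RE.search(r["msg"])
        if m:
            events[m.group("src")].append(r["time"])
    flagged = {}
    for src, times in events.items():
        times.sort()
        for i in range(len(times)):        # sliding window starting at each failure
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), j - i + 1)
    return flagged


def analyse(lines, **kwargs):
    """Parse raw lines and run the failed-login detector over them."""
    return failed_logins_by_source([parse_line(line) for line in lines], **kwargs)


# Constructed sample of what a collector might receive from one appliance.
SAMPLE = [
    "<38>Sep 15 10:00:01 cachebox1 webadmin[1234]: authentication failure for user admin from 192.0.2.7",
    "<38>Sep 15 10:00:09 cachebox1 webadmin[1234]: authentication failure for user admin from 192.0.2.7",
    "<38>Sep 15 10:00:15 cachebox1 webadmin[1234]: authentication failure for user admin from 192.0.2.7",
    "<38>Sep 15 10:01:00 cachebox1 webadmin[1234]: authentication failure for user root from 203.0.113.9",
    "<30>Sep 15 10:01:30 cachebox1 ntpd[800]: synchronized to 192.0.2.1",
    "<38>Sep 15 10:40:00 cachebox1 webadmin[1234]: authentication failure for user admin from 203.0.113.9",
    "not a syslog line",
]

if __name__ == "__main__":
    for src, n in analyse(SAMPLE).items():
        print(f"{src}: {n} failed logins within 5 minutes")
```

Only lines in the auth/authpriv facilities are considered, so a noisy ntpd or cache message can never be mistaken for a login failure, and lines that do not parse are dropped rather than crashing the collector.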

Alerting
CACHEBOX can send alerts by email, SMS or SNMP when certain events happen which
an administrator would want to know about. There are different categories of alerts
generated by the CACHEBOX:
 Hardware, e.g. a fan stops working
 System, e.g. a disk is more than 90% full
 Service, e.g. a system service such as ntpd is misconfigured
 User, e.g. the admin user logs in to the administration interface
 Cache, e.g. access log rotation has failed
When an alert is generated it will be sent to all alert subscribers that have registered an
interest in that type of alert. The table of Alert Subscriptions shows all of the subscriptions
to alerts. For each entry in the table, the following is shown:

Active       Shows whether the subscription is currently active, via a tick or cross icon
Label        A label to identify this subscription
Last alert   When the most recent alert was sent
Count        Count of how many alert notifications have been sent using this subscription
Destination  The target of the alert notification. This may be an email address, a phone
             number (for SMS), or the IP address or hostname of an SNMP trap server.
             Icons display the type of notification being used.
Actions      These icons allow alert subscriptions to be edited or deleted.

To send an alert by email, you must first ensure that the SMTP settings have been
configured correctly. If you want to send an alert by SMS, check whether your preferred
SMS gateway is supported and configured.


Thresholds
This page lets you define and set up specific parameters to set off custom alarms.

Such alarms can help you actively manage traffic. For example, you can add a rule to
alert you any time throughput exceeds 750 Mbps. This could indicate that there's more
than the expected traffic being generated by users, and therefore a risk of bandwidth
saturation. You could cancel large downloads to reduce the impact. Alarms persist
until such time they meet the 'Off' criteria set.
The following must be specified to define a threshold alarm:

Name A unique name to give this threshold alarm. When the alarm is
raised, this name will be reported
Metric The type of value to monitor against the specified thresholds
Mode Select either Above to raise an alarm when the threshold is
exceeded, or Below to raise an alarm when the metric value goes
below the threshold
On The threshold value at which to raise the alarm
Off The threshold value at which to clear the alarm. Allowing different
'On' and 'Off' thresholds provides for hysteresis
Severity This defines the severity of the raised alarm, which will determine
whether it generates alerts
Enabled This toggle allows the threshold alarm to be disabled temporarily
without needing to delete the entry


You can define alerts by adding subscriptions. To add an alert subscription, click ADD.

Each subscription defines a named subscriber, whether they are to receive the alerts by
email, SMS or SNMP and for each category, what severity level of alerts they should
receive.
The level of the alert raised will be one of:

All alerts          Informational messages
At least notice     For example, a new firmware is available for upgrade
At least warning    Immediate action is not required, but this alert should be reviewed
At least error      Something unexpected has happened and may require attention
At least critical   Immediate action should be taken
Only emergency      Something has happened which will likely have taken the box offline.
                    Immediate investigation is required

Subscriptions can be enabled and disabled using the Active checkbox. This is useful for
temporarily disabling alerts to particular subscribers without changing other subscription
details.
As you can create multiple subscriptions, you can set up several subscriptions of
different types for the same person. For example, they could receive the less severe
error level alerts by email and emergency level alerts by SMS.

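To make the hysteresis rule under ‘Thresholds’ and the severity filtering of subscriptions concrete, here is an added Python model of both (not CACHEBOX code, and not from ApplianSys). It raises an alarm when a metric crosses the ‘On’ value, keeps it raised until the ‘Off’ value is met, rejects an ‘Off’ threshold on the wrong side of ‘On’, and then works out which subscriptions should be notified from their minimum severity. The 750 Mbps figure is the one from the text; the class and field names, the severity ordering, the alert category, and the sample throughput values are assumptions.

```python
"""Threshold alarms with hysteresis and severity-based alert routing.

Added example; not CACHEBOX code. It models the behaviour the guide
describes: an alarm is raised when a metric crosses the 'On' threshold,
persists until it meets the 'Off' threshold, and is delivered only to
subscriptions whose minimum severity it meets. Names, severity ordering,
the category and sample data are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Severity order, lowest to highest (mirrors the subscription levels on the page).
LEVELS = ["info", "notice", "warning", "error", "critical", "emergency"]


@dataclass
class ThresholdAlarm:
    name: str
    metric: str
    mode: str          # "Above" or "Below"
    on: float          # value at which the alarm is raised
    off: float         # value at which the alarm clears (hysteresis)
    severity: str
    enabled: bool = True
    active: bool = field(default=False, init=False)

    def __post_init__(self):
        if self.mode not in ("Above", "Below"):
            raise ValueError("mode must be 'Above' or 'Below'")
        if self.severity not in LEVELS:
            raise ValueError(f"unknown severity {self.severity!r}")
        # Hysteresis only works if the clear point is on the safe side of the raise point.
        if self.mode == "Above" and self.off > self.on:
            raise ValueError("Above: Off threshold must not exceed On threshold")
        if self.mode == "Below" and self.off < self.on:
            raise ValueError("Below: Off threshold must not be lower than On threshold")

    def update(self, value):
        """Feed one sample; return 'raised', 'cleared' or None (no transition)."""
        if not self.enabled:
            return None
        if self.mode == "Above":
            crossed_on, crossed_off = value > self.on, value <= self.off
        else:
            crossed_on, crossed_off = value < self.on, value >= self.off
        if not self.active and crossed_on:
            self.active = True
            return "raised"
        if self.active and crossed_off:
            self.active = False
            return "cleared"
        return None            # alarm persists between On and Off


@dataclass
class Subscription:
    label: str
    category: str      # e.g. "System", "Cache" (assumed category names)
    min_level: str     # lowest severity this subscriber wants to receive
    destination: str   # email address, phone number or SNMP trap host
    active: bool = True

    def wants(self, category, severity):
        return (self.active and self.category == category
                and LEVELS.index(severity) >= LEVELS.index(self.min_level))


def route(alarm, category, subscriptions):
    """Destinations to notify when `alarm` is raised in `category`."""
    return [s.destination for s in subscriptions if s.wants(category, alarm.severity)]


def simulate(samples_mbps):
    """Run the page's 750 Mbps example: raise above 750, clear at or below 600."""
    alarm = ThresholdAlarm("High throughput", "throughput_mbps", "Above",
                           on=750, off=600, severity="error")
    return [(v, alarm.update(v)) for v in samples_mbps]


if __name__ == "__main__":
    for value, transition in simulate([500, 760, 700, 610, 590, 800]):
        print(f"{value:>4} Mbps -> {transition or 'no change'}")
```

Note that 700 and 610 Mbps produce no transition: the alarm stays raised until throughput drops to the ‘Off’ value, which is exactly what stops a metric hovering around 750 Mbps from generating a flood of alerts.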

Reports
This page shows you an overview of the hardware monitoring data held on the
CACHEBOX.


On the ‘Reports’ page you are usually able to see the following graphs:

Total CPU How hard the Central Processing Unit is working. The more
requests per second that the CACHEBOX is handling, the higher
the CPU usage will be.
cpu-n A breakdown of the CPU usage for each CPU core will be
presented (there could be data for up to 8 CPU cores depending
on the CACHEBOX model.)
Memory There are many processes running on the CACHEBOX performing
different functions. Each of these processes will use up some
memory. Any remaining memory is used to speed up access to
the data stored on the disks / compact flash cards.
Swap Usage This graph shows the usage of swap space – used as an overflow
(and much slower) memory when main memory is exhausted.
Excessive use of the swap area may lead to degraded
performance.
Load Average This is a metric commonly used on servers. The higher the load
the more the CACHEBOX is being used and a high load may
result in slower response times.
Voltage Levels Voltage levels in the CACHEBOX are monitored to determine
potential hardware or power supply issues. This graph will show
the main 12V supply to the motherboard.
Temperature Temperatures may be reported for both the system as a whole
and specifically for the CPU. If the graph starts showing
abnormally high temperatures this may indicate a fan failure or
an issue with the environment in which the CACHEBOX is running
(such as poor air conditioning)
Fan Speed Many of the components in the CACHEBOX are sensitive to
extremes of heat, and fans keep these components cool. They
typically run faster when they need to provide more cooling.
There are various fans installed in the CACHEBOX to cool its
internal components. These should rotate at a constant speed.
Large fluctuations in fan speed may indicate a failing fan, which
could cause the appliance to stop working.

Downloadable PDFs are available throughout all reporting pages, for all time ranges
except custom. It is still possible to select and view reports for a custom time period.

There are two more types of reports generated by CACHEBOX:


 Performance reports, which include statistics on requests per second, hit ratio, etc.
The reports are available in the ‘Reports’ menu
 Network statistics reports, which include statistics on network latency, throughput,
etc. The reports are available in ‘Network’ > ‘Reports’


Users
This page shows users that have already been added and gives the option to add a
new local user or edit an existing one. CACHEBOX’s web administration system comes
with a default user (admin) who has access to all areas of the system. To edit a user's
settings, including changing their password, click on the edit icon in the actions column.
To remove a user, click on the delete icon in the actions column.

The admin user cannot be deleted. Also, you cannot delete your own user.

To add a new user, click the ADD LOCAL button:


Each user on CACHEBOX requires a Username and Password. The remaining fields in the
’User Details’ section can be optionally used to store additional information about a user.
In the current version of the firmware only the admin user can log in by ssh on the
console.
Depending on the appliance, the ‘Roles’ section will allow a user to be given one or
more roles. Different roles are required to access different parts of the appliance's
functionality.

Administrator Has full access to all parts of the interface. A user with this role
may log on at the appliance console (this is not required for
normal operation of the appliance).
Reporting Only has access to the 'Reports' menu; is able to view reports and
schedule report emails (providing an Administrator has set up an
SMTP server), but not to view or configure other appliance
settings.
Content Has access to selected pages on the 'Cache' menu; specifically
the Overview page, CDNs, Filtering, Bypass, and Pre-Caching.
These allow a Content user to fine-tune parameters related to
cache behaviour.

If you wish to change a user's password you must enter the new password in the
Password and Confirm Password fields. If you need a user to be forced to change their
password the next time they log in then tick the Change Password on Login checkbox.

If the only role available on this appliance is the Administrator role then all created users
will be assigned this role.

You cannot modify your own roles - this is to prevent you locking yourself out of the
CACHEBOX.

The CACHEBOX can also authenticate users of its appliance web interface against a
Radius server. After you add a Radius server IP and Secret (see ‘Network’ -> ‘Settings’),
you will find an ADD RADIUS button on the users page. Click the button to add a new
Radius user. The username must match a user that you have already defined on your
Radius server.
After you add a Radius user, that user can log into the CACHEBOX using the password
stored on the Radius server. When you add a Radius user, you do not need to choose a
password. The password is stored remotely on the Radius server. In the current
CACHEBOX firmware, Radius users cannot log into the command line console or via SSH.
The remaining fields in this section can be optionally used to store additional information
about a user.


Authentication
Users can be authenticated by an external authentication server, so that their
credentials are not stored on the CACHEBOX and can be managed from a central point.
The "admin" user is always authenticated locally on the CACHEBOX and cannot be
remotely authenticated; additional Administrator users can be added and
authenticated remotely instead.
Only one remote authentication server can be setup and used, multiple remote
authentication servers are not supported.
By default, the CACHEBOX will only authenticate local users; if an external
authentication server is set up, the CACHEBOX will try to authenticate against local users
first, then try the remote authentication server.
There are three types of supported authentication server available. These are Microsoft
Active Directory Server (via LDAP), LDAP (Lightweight Directory Access Protocol) and
RADIUS (Remote Authentication Dial In User Service).


Microsoft Active Directory


CACHEBOX can authenticate users of its appliance web interface against a Microsoft
Active Directory server.

You must provide the following settings to configure Active Directory authentication:

Server Address   The domain name or IP address of the Active Directory server.
Port Number      Listening port on the authentication server (e.g. 389, 636).
AD Domain Name   The Active Directory Domain name that the authenticated users are
                 listed in.
Base DN          The base part of the Active Directory Domain Distinguished Name (DN)
                 for a user should be entered here.
Server Bind      By default, Active Directory Server LDAP configurations do not allow
                 "Anonymous" binds to the server, which are required to search for and
                 authenticate the user, so a suitable user must be provided. The Bind
                 User must be a full Distinguished Name (DN), for example:
                 sAMAccountName=Administrator,CN=Users,dc=example,dc=lan
SSL Connection   If required, an Active Directory Server can use LDAPS (LDAP over SSL)
                 for secure client to server communication. With a simple bind over
                 plain LDAP (port 389) the bind user's password and each authenticating
                 user's password cross the network in clear text, so use LDAPS unless
                 the path between CACHEBOX and the server is trusted.
                 If the Active Directory Server is using an SSL certificate signed by
                 a Certificate Authority (CA), for example thawte, Verisign, etc, use
                 "CA signed" for the SSL Connection.
                 If the Active Directory Server is using an SSL certificate generated
                 by the Active Directory Server, or a self-signed certificate, then
                 this must be uploaded to the CACHEBOX to allow SSL Connections.
For example, if a user's full DN is:
sAMAccountName=username,CN=Users,dc=example,dc=lan
the Base DN would be:
CN=Users,dc=example,dc=lan

After you have configured Active Directory authentication, you will find an ADD Active
Directory button on the ‘Users’ page (see ‘System’ > ‘Users’).


LDAP
CACHEBOX can authenticate users of its appliance web interface against an LDAP
server.

You must provide the following settings to configure LDAP Authentication:

LDAP Server Address  The IPv4 address of the LDAP server.
LDAP Base DN         The base part of the Distinguished Name (DN) for an LDAP user,
                     used as the search base. For example, for a user whose DN is
                     CN=username,OU=people,dc=ldap,dc=server
                     the Base DN is OU=people,dc=ldap,dc=server

After you add a LDAP Server Address and LDAP Base DN, you will find an ADD LDAP
button on the ‘Users’ page (see ‘System’ > ‘Users’).

On the LDAP server, the minimum 'uidNumber' should be 20,000, and the gidNumber
should be '100'. Using other values will cause errors when authenticating with the
CACHEBOX.

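Both the Active Directory and LDAP pages ask you to derive a Base DN from a user's full DN, and a wrong split is a common reason remote logins fail. The following is an added example, not part of the guide or of ApplianSys software, that splits a DN into its RDNs according to the RFC 4514 string form (so an escaped comma inside a value such as "Smith\, John" is not treated as a separator), derives the Base DN by dropping the leftmost RDN, and builds a properly escaped user DN under a given base. The DNs in the tests are constructed.

```python
"""Split an LDAP Distinguished Name into RDNs and derive the Base DN.

Added example, not from the CACHEBOX guide. It implements the RFC 4514
string form (backslash escaping) so that a user DN copied from a directory
tool is split correctly even when a value contains a comma. The sample
DNs are constructed.
"""


def split_rdns(dn):
    """Split a DN on unescaped commas; an escaped pair such as '\\,' stays in its value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    if any(not r for r in rdns):
        raise ValueError(f"empty RDN in {dn!r}")
    return rdns


def parse_rdn(rdn):
    """Return (attribute_type, value) for a single-valued RDN such as 'CN=Users'."""
    if "=" not in rdn:
        raise ValueError(f"RDN without '=': {rdn!r}")
    attr, value = rdn.split("=", 1)
    return attr.strip(), value.strip()


def base_dn_of(user_dn):
    """Drop the leftmost RDN: what remains is the Base DN to search under."""
    rdns = split_rdns(user_dn)
    if len(rdns) < 2:
        raise ValueError("a user DN needs at least two RDNs")
    return ",".join(rdns[1:])


def user_dn_for(base_dn, attr, username):
    """Build a user DN under base_dn, escaping the RFC 4514 special characters."""
    special = ',+"\\<>;='
    escaped = "".join("\\" + c if c in special else c for c in username)
    if escaped.startswith(("#", " ")):       # leading '#' or space must be escaped
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "       # so must a trailing space
    return f"{attr}={escaped},{base_dn}"


if __name__ == "__main__":
    dn = "sAMAccountName=username,CN=Users,dc=example,dc=lan"
    print(base_dn_of(dn))                    # CN=Users,dc=example,dc=lan
    print(user_dn_for("OU=people,dc=ldap,dc=server", "CN", "Smith, John"))
```

If a directory tool shows a DN with a comma inside a value and the appliance rejects it, the escaping above is the first thing to check before assuming the server is at fault.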

RADIUS
CACHEBOX can also authenticate users of its appliance web interface against a RADIUS
server.

You must provide the following settings to configure RADIUS authentication:

RADIUS Server IP Address  The IP address of your RADIUS server.
RADIUS Server Secret      The shared secret of your RADIUS server.

After you add a RADIUS Server IP Address and RADIUS Server Secret, you will find an ADD
RADIUS button on the users page (see ‘System’ > ‘Users’).

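The shared secret entered here is what stands between a captured RADIUS exchange and the user's password, so it is worth seeing exactly what it does. The following is an added example, not CACHEBOX or ApplianSys code, that builds a RADIUS Access-Request for a PAP login the way a client appliance would, following RFC 2865 for the packet layout and the User-Password attribute (MD5 keystream derived from the secret and the request authenticator, chained across 16-byte blocks), and then parses and decrypts it as the server would. The username, password, secret and NAS address are constructed; that the appliance uses PAP rather than another RADIUS method is an assumption, since the page does not say.

```python
"""Build and decode a RADIUS Access-Request (PAP) as a client authenticating a
web-interface user against a RADIUS server would.

Added example; not CACHEBOX code. It follows RFC 2865 for the header and the
User-Password attribute so you can see what the shared secret protects.
Addresses, username, password and secret are constructed for illustration.
"""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_user_password(secret, authenticator, password):
    """RFC 2865 s5.2: NUL-pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # first block is keyed by the request authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                        # later blocks are chained on the ciphertext
    return out


def decrypt_user_password(secret, authenticator, ciphertext):
    """Inverse of encrypt_user_password; strips the NUL padding (passwords ending in NUL lose it)."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, nas_ip, identifier=1, authenticator=None):
    """Return (packet_bytes, request_authenticator)."""
    if authenticator is None:
        authenticator = os.urandom(16)      # must be unpredictable and unique per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(secret, authenticator, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def parse_packet(packet):
    """Decode a RADIUS packet into (code, identifier, authenticator, {type: [values]})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt, ra = build_access_request(secret, b"alice", b"s3cret!", "192.0.2.10", identifier=7)
    code, ident, auth, attrs = parse_packet(pkt)
    print(code, ident, attrs[ATTR_USER_NAME][0], decrypt_user_password(secret, auth, attrs[ATTR_USER_PASSWORD][0]))
```

Two things follow for the settings on this page. The only key material is the shared secret: the keystream is MD5 of the secret and a value sent in the clear, and the NUL padding gives anyone who captures the UDP exchange a way to test candidate secrets offline, so the secret must be long and random rather than a word. And nothing here authenticates the packet itself, so the network path between CACHEBOX and the RADIUS server should be one you trust.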

Time
In this section you can set your Timezone and Timeserver(s). CACHEBOX can also act as
NTP server, which is accessible to hosts in the given Permitted Subnets.

Timezone It is important that you choose the correct Timezone. This will be
used to show local times and dates in reports, and for scheduled
services such as shutdown.
Timeserver(s) A timeserver ensures that the date and time on your CACHEBOX
is accurate. It is recommended that you enter one or more
timeservers into the Timeserver(s) field. The more timeservers you
specify the more accurate the time on the appliance will be.
ntp.org recommends that you specify four timeservers. If for any
reason the time has not yet synchronised, the SYNC TIME NOW
button will appear on this page. Click the button to force time
synchronisation.
Permitted Subnets CACHEBOX can act as a time server for other devices on your
network. By default, the firewall on CACHEBOX will deny all
external NTP requests as a security precaution. But if you do want
to allow NTP requests from other servers and clients on your
network, click ADD NETWORK to set permitted subnets here. You
should use CIDR notation. The SIMPLE option helps you enter one
subnet at a time while the ADVANCED option presents you with a
single large field where you can enter a long list, which you
should be careful to type correctly. Then click SAVE.

You should never have to set the time manually. If you find that you do, you should
contact support for details: this may indicate a problem with your unit’s hardware.

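The ADVANCED option accepts a long list of subnets in CIDR notation and the text warns you to type it carefully; a typo can either silently exclude a site or open the NTP service much wider than intended. The following is an added example, not CACHEBOX or ApplianSys code, of a check you can run on such a list before pasting it in: it uses Python's ipaddress module to reject malformed entries, point out entries with host bits set, flag a /0 and other very broad ranges, and skip subnets already covered by an earlier entry, then tests whether a given client address would be permitted. The entries, the "broad range" policy and the client addresses are constructed assumptions; the appliance's own parser is not documented here.

```python
"""Validate a list of permitted NTP subnets in CIDR notation and test
whether a client address would be allowed.

Added example, not CACHEBOX code. The sample entries, the breadth policy
and the client addresses are constructed for illustration.
"""
import ipaddress

# Prefixes shorter than these are flagged as suspiciously broad (an assumed policy).
MIN_PREFIX = {4: 8, 6: 32}


def validate_subnets(entries):
    """Return (networks, problems); problems is a list of (entry, reason) tuples."""
    networks, problems = [], []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # strict=False succeeds when only the host bits are wrong, e.g. 10.0.0.5/24
                loose = ipaddress.ip_network(entry, strict=False)
                problems.append((entry, f"host bits set; did you mean {loose}?"))
            except ValueError:
                problems.append((entry, "not valid CIDR notation"))
            continue
        if net.prefixlen == 0:
            problems.append((entry, "matches every address; this would answer NTP for the whole Internet"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append((entry, "very broad range; confirm it is intended"))
        covered = next((n for n in networks if n.version == net.version and net.subnet_of(n)), None)
        if covered is not None:
            problems.append((entry, f"already covered by {covered}"))
            continue
        networks.append(net)
    return networks, problems


def is_permitted(networks, client_ip):
    """True if client_ip falls inside any permitted network of the same IP version."""
    ip = ipaddress.ip_address(client_ip)
    return any(n.version == ip.version and ip in n for n in networks)


# Constructed ADVANCED-style list containing several of the mistakes described above.
SAMPLE_ENTRIES = [
    "192.0.2.0/24",
    "192.0.2.128/25",      # already inside the /24
    "10.0.0.5/24",         # host bits set (typo for 10.0.0.0/24)
    "198.51.100.0/33",     # not valid
    "0.0.0.0/0",           # everything
    "2001:db8::/32",
    "# comment line",
]

if __name__ == "__main__":
    nets, probs = validate_subnets(SAMPLE_ENTRIES)
    print("permitted:", [str(n) for n in nets])
    for entry, reason in probs:
        print(f"{entry}: {reason}")
```

Entries that merely look broad are kept but reported, while a /0 is dropped outright, since permitting it defeats the firewall rule the page describes.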

CMC
This device may be configured to report to, and be managed by, a Central
Management Console (CMC).
This page shows a list of configured CMCs. For each, it displays whether the CMC is
enabled or disabled, a label given to the CMC, the CMC's host address, and the time of
last contact with the CMC which may be useful in determining whether a CMC pairing is
working correctly.

Only one CMC should be enabled at any one time, as concurrent enabled CMCs could
lead to configuration conflicts.

CMC settings can be changed by selecting the Edit icon; the CMC configuration can be
deleted by selecting the Delete icon. If deleted, the node will no longer communicate
with the CMC and the settings will be lost. To temporarily halt communication with a
CMC, edit the settings and disable the CMC entry.


To add a new CMC Server click ADD. You will see the following page:

Address    The hostname or IP address of the CMC device. This must be resolvable
           (if a hostname) and routable from this CACHEBOX
Port       The TCP port number over which CMC communication occurs (default is 7770)
Passcode   This is used to pair your CACHEBOX with the CMC. The value to enter here
           must be obtained from your CMC administrator.
Notes      Free-form text notes regarding this CMC
Enabled    If enabled, CACHEBOX will regularly communicate with the CMC. Disabling
           this allows communication to be paused without deleting the settings.

Note: When connecting CACHEBOX to the CACHEBOXCMC, either the Allowing Connections
From setting must be configured as Allow any appliance (automatic registration) OR the
Unique Server Code of your connecting CACHEBOX must be registered within the
CACHEBOXCMC.


Support
The ‘Support’ page allows you to:
 View details of any important issues that have been detected
 Run system and network diagnostic tests
 Download diagnostic information
 View details of any program crashes
 Have ApplianSys technical support securely access your CACHEBOX

The ’Important Issues’ section will only be displayed if important issues have been
detected. Examples of important issues are that your licence will shortly expire, or a
serious issue was detected during firmware upgrade.

If important issues have been detected then a red banner is also displayed at the top of
every page.

Important issues should be dealt with straight away. If you require assistance then
please contact your vendor.


The ’System and Network Diagnostics’ section displays the results of various system and
network diagnostic tests. Click RUN TESTS and the test results should all appear in a few
seconds.

Tests that have succeeded will display in green, whereas tests that have failed will
display in red. If any tests fail, please check the configuration of your CACHEBOX.
Depending on the model of your CACHEBOX there may be more product-specific
diagnostic tests included after the core tests. The core tests are:

Network Tests The ‘Ping default gateway’ test checks that the default gateway
(default route) is valid and can be reached using the “ping”
command. If the default gateway test fails then either the
default gateway configuration is incorrect or there is a serious
network problem. If this test fails then other tests are also likely to
fail as a result.
The ‘Ping Internet IP’ test checks that an internet address can be
reached using the “ping” command. On some networks this may
not be allowed, and the test will fail. If this test fails then you
should contact your network administrator.


DNS Tests The ‘Resolve an Internet host’ test checks that the configured DNS
server(s) can be reached and will answer a simple query. If this
test fails but the ‘Network Tests’ succeeded, then you should
check the configured DNS server(s).
NTP Tests The ‘Test time sync status’ test checks that the configured NTP
server(s) can be reached and successfully synchronised with. If
this test fails but the ‘Network Tests’ succeeded then you should
check the configured NTP server(s).
The tool rr-diagnostics can also be used to run these tests on the command line.
Execute rr-diagnostics --help for more information.
The ’Support Details’ section lists the support contact information. If you are
experiencing problems with CACHEBOX, click DIAGNOSTIC BUNDLE.

This will download a file containing a set of internal diagnostic information. Please
forward this to your support contact to receive help. Administrative users can change
this information on the appliance ‘Information’ page.

The ’Crash Logs’ section will only be displayed if a program has crashed. Detailed
backtrace information is provided which can be used by your support contact to
analyse the crash.
Depending on the model of your CACHEBOX crash logs may be cleared on reboot. You
can manually clear the crash logs by clicking CLEAR CRASH LOGS.
By default, ApplianSys’ Phone Home Feature is enabled. This feature will provide
ApplianSys with helpful information about CACHEBOXes in the field and the traffic that
they are serving. Using this data, ApplianSys Engineers can react to changes in traffic
demands even faster, for example, it provides the ability to identify new Content
Delivery Networks (CDNs) which are most popular per geography.


You can choose to disable this feature by clicking DISABLE PHONE HOME.
The ‘Remote Support Tunnel’ feature can be used to allow ApplianSys technical support
to securely access your CACHEBOX.
Click ENABLE to start the remote support tunnel. This will generate an ID and Password
which you will need to provide to ApplianSys technical support so that they can access
your appliance securely.

The support tunnel will automatically be disabled if it is idle for an extended period of
time, but it should normally be explicitly disabled after use.

This feature should only be used at the direction of ApplianSys support.


Licensing
This appliance will usually have been licensed, so there is no immediate need to use this
feature. The ‘Licensing’ page lets you manage licences that enable certain features.

Each CACHEBOX has a Unique Appliance Code that is generated from the
CompactFlash card hardware serial number to ensure that only licences suitable for this
appliance can be installed. If a card is removed and moved to another system, it will
retain the licence information as well as appliance configuration. If the appliance is not
yet licensed, you will need the Unique Appliance Code to obtain a licence. You will also
need to supply the Appliance Code to ApplianSys if a new licence is required.
To install a licence click CHOOSE FILE in the ’Upload Licence File’ section.
To save a backup copy of the licence for the CACHEBOX click DOWNLOAD in the
‘Backup Licence’ section.
The ’Appliance Licence Details’ section will show you the additional services which the
installed licence has enabled. If for any reason a service is shown not to be running, try
refreshing this page after 30 seconds. It may be that a normal service restart was
happening as this page was loaded.


Backup
This page allows you to output a backup file containing all configuration data.

It is recommended that you take regular backups, particularly before changing any
settings. Because the backup contains all configuration data, including credentials
such as the RADIUS shared secret and the directory bind user's password, store it as
carefully as the appliance itself.

To create a backup, click DOWNLOAD.


The downloaded backup file can be used to restore the system at a later date.
To restore settings to an appliance, upload a previously saved backup file in the
‘Restore System’ section and then click RESTORE. If the file type is not recognised, you
will be asked what type of file it is.
CACHEBOX will automatically reboot once a full backup has been restored. If the
backup changed the network configuration, you may not be able to reach the CACHEBOX
at its previous address once the restart has completed.

After applying a configuration file (as opposed to a full backup), CACHEBOX will not
automatically restart. You may have to restart it manually for the changes to take
effect, depending on the configuration applied.


The ‘Overnight Remote Backup’ is an upload facility that allows you to schedule an
upload of daily backup files to a remote server (an FTP server, Windows/Samba Share or
a server that supports SSH/SCP secure uploads).
This is useful for:
 Copying configuration data between appliances
 Reverting back to previous configurations that have been saved
 Support – sending a backup of configuration to support staff for analysis
To create an Overnight Remote Backup, choose your preferred remote backup server
protocol from the Backup Method drop-down list. We recommend that when you set
the username you create an unprivileged account just for the purpose of the backup.

The Backup Method drop-down list displays the following options:

FTP            Enter the Server Name you want to send the backup to (e.g. computer
               name). Set File Transfer Mode to Passive or Active. Passive mode is the
               default and is suitable for most situations. Active mode can be used but
               may require further configuration of intermediate firewalls. Set Path to
               be the folder on the server where the backup should be saved. Finally,
               set the username and password for the FTP session. Note that FTP sends
               both the password and the backup file in clear text; prefer SSH/SCP
               where the remote server supports it.
Windows share Enter the Server Name you want to send the backup to (e.g.
computer name). Set Windows Share to be the name of the
shared folder. The Path refers to the name of the folder you might
have created inside the shared folder, where the backup should
be saved. It may be left blank. Finally, set the username and
password of the Windows account.
SSH/SCP Enter the Server Name you want to send the backup to (e.g.
computer name). Set Path to be the folder on the server where the
backup should be saved and set the username. Click on the link to
download the public SSH key for the CACHEBOX and append it to
the authorized_keys file (e.g. ~/.ssh/authorized_keys) of your
remote server.

Click SAVE to save the remote settings.


Clicking UPLOAD BACKUP NOW will save the remote server settings and upload it to the
remote machine. The operation might take a while to complete, depending on the size
of the backup and the network speed between this CACHEBOX and the target server.
The uploaded file is a gzipped tar file. If you are using Microsoft Windows, see the
Microsoft file association page for details on utilities suitable for uncompressing the file.
Mac OS X and Linux based operating systems can handle these files without the need
for additional software.
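The server-side step for the SSH/SCP method above, as an added example and not ApplianSys code: it installs the public key downloaded from the CACHEBOX into the dedicated, unprivileged backup account's authorized_keys file, skips it if it is already there, and sets the permissions sshd insists on. The key text is a constructed placeholder. Prefixing the entry with OpenSSH's `restrict` option (OpenSSH 7.2 or later; scp uploads still work under it) is an assumption about your server and not something the guide describes.

```python
"""Install the CACHEBOX backup key into a backup account's authorized_keys.
Added example, not ApplianSys code. The key below is a constructed placeholder:
paste the key downloaded from the 'Overnight Remote Backup' page instead."""
import os
import stat
import tempfile
from pathlib import Path

CACHEBOX_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEY000000"
                   " cachebox-backup")  # constructed placeholder, not a real key


def key_identity(key_line: str) -> tuple:
    """Return (key type, base64 blob) so comparisons ignore options and comments.
    Options containing quoted spaces (command="a b") are not handled here."""
    parts = key_line.split()
    for i, field in enumerate(parts):
        if field.startswith(("ssh-", "ecdsa-")):
            return field, parts[i + 1]
    raise ValueError("not an OpenSSH public key line: %r" % key_line)


def install_backup_key(ssh_dir: Path, pubkey: str, options: str = "restrict") -> bool:
    """Append pubkey to ssh_dir/authorized_keys unless it is already present.
    Returns True if added, False if it was already there. Enforces 0700 on the
    directory and 0600 on the file, which sshd requires before it will use them.
    'options' is prepended to the entry; 'restrict' assumes OpenSSH 7.2+."""
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text().splitlines() if ak.exists() else []
    wanted = key_identity(pubkey)
    for line in existing:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if key_identity(line) == wanted:
                return False  # already installed, do not add a duplicate
        except ValueError:
            continue  # unrelated malformed line, leave it alone
    entry = (options + " " if options else "") + pubkey.strip()
    with ak.open("a") as f:
        f.write(entry + "\n")
    os.chmod(ak, 0o600)
    return True


def demo() -> dict:
    """Run the install twice in a scratch directory and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="cachebox-backup-"))
    ssh_dir = root / ".ssh"
    first = install_backup_key(ssh_dir, CACHEBOX_PUBKEY)
    second = install_backup_key(ssh_dir, CACHEBOX_PUBKEY)  # idempotent second run
    ak = ssh_dir / "authorized_keys"
    return {
        "added_first": first,
        "added_second": second,
        "entries": ak.read_text().splitlines(),
        "file_mode": stat.S_IMODE(ak.stat().st_mode),
        "dir_mode": stat.S_IMODE(ssh_dir.stat().st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as the backup user on the remote server (or point `ssh_dir` at that user's `.ssh` directory as root); the second call returning False shows that re-running the script after a CACHEBOX reissues the same key is harmless.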


Firmware
The appliance firmware contains the operating system and services. Upgrades to your
appliance will be made available to provide new features and fix bugs. When you start
up the appliance, you are presented with a menu. The default option boots you into
the latest firmware. If you have not upgraded the firmware, this will be the firmware that
was shipped with the appliance.
In the case of major upgrades ApplianSys may choose to distribute replacement
compact flash cards to its customers or provide an image that can be downloaded and
written using a USB compact flash reader connected to a workstation.
In addition to full system upgrades, ApplianSys releases 'Subsystem Updates', which
modify the software for handling Content Delivery Networks in order to maintain efficient
caching of these sites. ApplianSys releases updates via its website when CDNs change
their behaviour. These will automatically be picked up and applied by CACHEBOXes in
most network configurations. Upgrades may include new features and/or security fixes.

Applying updates is recommended and support requests may be rejected if pertaining
to appliances that are not running the most recent version of software.


The ‘Firmware’ page shows:

Firmware Version The current version of the firmware – so either the shipped version
or the version of an upgrade which has been installed by the user.
If CACHEBOX is downloading firmware via a URL (see ‘Firmware
Upgrade’ section below), then you will see a “Downloading”
message next to Firmware Version.
You can select either Enable or Disable for the Check
automatically for updates option.
Update Version The version of the latest subsystem update installed automatically
by CACHEBOX. The CACHEBOX regularly checks the ApplianSys
website for new updates to various subsystems. If one is available,
it will be downloaded and installed automatically. You can also
manually check for updates by clicking CHECK UPDATES. If an
update has been installed, then you will see an additional
number after the main firmware version, e.g. 2.4.0 (1.61.26518a) +
26612.
If you have upgraded the firmware, then you will be able to select which firmware is
booted on system start or reboot via the ‘System Boot’ section.

System Boot This is useful if you have installed an upgrade, but for some reason
want to switch back to the previous version of the firmware. The
old firmware will be kept and can be booted by selecting the
second menu option. CACHEBOX only keeps two versions of the
firmware, the one currently running and the previous version.

Patches fix security vulnerabilities and correct software errors; patches do not upgrade
between firmware versions. They are applied immediately if possible, and will restart
services as necessary. Some patches will require a reboot before being applied, and
these patches will display the critical issues banner. Explanatory notes are provided with
each patch, and can be viewed by clicking PATCH NOTES.

There are two methods for upgrading the firmware:

From URL If you have been provided with a URL by your vendor, paste it into
the Download Firmware From URL field and click APPLY.
CACHEBOX will download the firmware in the background. Click
CANCEL to cancel this download.
From File Updated firmware images may also be supplied to you directly by
your appliance vendor. When you have the new firmware image
on your computer, select the From File option to upgrade your
appliance. Click the CHOOSE FILE link and select the firmware file.
Click APPLY to upload the new firmware to the appliance. The
firmware image will be between 50MB and 400MB. The progress
of uploading the file to the appliance will be shown on the page
or by your browser. The time taken to upload a new firmware
image will depend on the speed of your connection to the
appliance.


Once a new firmware image has been uploaded/downloaded, click INSTALL to install
the firmware to your appliance, or click CANCEL to remove the new firmware. Do not
turn off the power or reset this appliance whilst the firmware is being installed.
Once a new firmware image has been installed, click REBOOT to reboot your appliance
and start using the new firmware.

If the upgrade file you have has an extension of .tgz or .zip do not attempt to extract the
files from it first – CACHEBOX will handle this for you.

Shutdown
This option allows you to instruct your CACHEBOX to restart or be powered off either
immediately or at some point in the future.

It is important to provide a reason as to why the appliance is being restarted or shut
down for the purposes of maintaining an audit trail of administration activities. If you
have scheduled a restart/shutdown for a specific time, the restart/shutdown will be
initiated as close to that time as possible. However, the system cannot guarantee the
exact time that the appliance will actually restart or shutdown.


Network Menu
The ‘Network’ menu contains options relating to the configuration of network settings.
From here you can:
 Configure settings for individual network interfaces and bridges by clicking on the
relevant icons
 Check the status of each network interface, including the interface link speed if a
link is established,
 View information about assigned IP addresses and edit or add IP addresses on
the ‘Settings’ page
 Configure additional static routes to enable access to hosts on networks which
would otherwise be inaccessible.
 View reports of network statistics
 Configure the firewall
 Communicate alerts via ‘SMS’, ‘Email’ and ‘SNMP’

Overview
This is the default page on the ‘Network’ menu. It gives an overview of the current
configuration options, which you can edit from the ‘Settings’ sub-menu on the left.

The ’Details’ section shows a summary of the current network configuration.


Settings for individual network interfaces can be configured by clicking on the relevant
icon in the ’Available Network Interfaces’ section. The status of each network interface
is indicated, including the interface link speed if a link is established. Bridged network
interfaces will be grouped together under the name of the corresponding bridge.
If a Fail-to-Wire card (FtW) is installed, and those network interfaces constitute the bridge,
then the Fail-to-Wire status is shown. In "bypass" mode the two network interfaces act as
a simple network cable. In "normal" mode the two network interfaces act
independently, allowing the CACHEBOX to intercept traffic passing over the bridge.
The ’IP Addresses’ section shows all IP addresses which are currently assigned. If an IP
address is bound to a physical interface whose link is currently down, then the interface
name will be shown in red. Place the mouse pointer over an interface for more details,
such as link speed. IP addresses can be edited or added on the ‘Settings’ page.

Settings
The ‘Settings’ page allows you to configure your appliance’s network interfaces, as well
as set common parameters.
Network Settings
This appliance will have one or more network interfaces. An icon is displayed for each
network interface present. The status of each network interface is indicated, including
the interface link speed if a link is established. Bridged network interfaces will be
grouped together under the name of the corresponding bridge. Hover the mouse
pointer over a network interface for more details, such as link speed.


Settings for individual network interfaces are configured by clicking on the relevant icon:

Each interface has the following available configuration options:

Name The name of this physical network interface. It is automatically
assigned by the operating system and is a read-only field.
MAC Address The MAC Address can be useful to help you resolve certain
networking issues. This is a read-only field.
Notes Optional one line label to help identify this network interface.
Link Type The Link Type should only be changed to 100baseTX-FD if you
experience problems connecting this CACHEBOX to a 100Mbps
port on your switch or other networking device.
MTU The Maximum Transmission Unit gives the maximum size of the
payload in each Ethernet frame. This may need reducing in
networks with VLANs, VPNs, and other considerations.
Jumbo frames are Ethernet frames greater than the default
maximum size of 1500 bytes. Setting an MTU of up to 9000 bytes
here will allow the interface to use jumbo frames, allowing greater
network utilisation for less CPU usage. However, the
connected switch or other device must also support jumbo
frames, otherwise network connectivity could be lost.


The Ethernet Bonding feature does not alter the actual capacity of CACHEBOX and
should not be used with the intent to increase throughput or performance of your
CACHEBOX.
Please consult ApplianSys Support before using this feature.

This CACHEBOX must have at least one IP address. However it can have as many IP
addresses as you need. An interface, such as eth0, can support multiple IP addresses;
however an IP address can only be bound to one interface. You cannot, for example,
have the IP address 1.2.3.4 bound to eth0 and eth1.
To add a new IP address click ADD. Existing IP addresses can be edited by clicking the
pencil icon in the actions column.

An IP address requires the IP, subnet mask and interface. You can optionally set the
Virtual LAN to which the IP address belongs. You can also set an IP address as a cluster
address and configure the proportion of traffic to the cluster you want this specific unit
to handle.

When adding an IP address you need to specify:

IP Address The IP address you wish to add
Subnet Mask To say which network the IP address is on.
Interface You will have a choice of physical interfaces to which to bind the
IP address (dependent on the exact hardware specification of
your appliance)
VLAN The Virtual LAN to which the IP address belongs. This must be a
single integer between 1 and 4094. If you are not using VLANs,
leave this blank.
Clustered On certain products you can specify that this address will be used
by an LVS cluster. You must have another IP address configured in
the same subnet to be used as the cluster member address.
Cluster Local Weight When the IP is used by an LVS cluster you can specify the weight
to be applied to this local cluster member. If you specify weight
'10' on this CACHEBOX and '20' on a remote member, then
approximately twice as many requests will be handled by the
remote member.


Once you have added an IP address you can assign services to it.
It is also possible to delete an existing IP address by clicking the trash icon appearing in
the corresponding row of the IP address.

You cannot delete an IP address if it is “In Use”. An IP address is considered “In Use” if it is
required by a static route or if it is being used explicitly by one of the network services on
the CACHEBOX. If you hover your mouse pointer over the word you will see a popup
window listing the services and routes that depend on the IP address. Remove those
dependencies before you remove the IP address.

The ’Common Settings’ section allows you to configure the network interfaces for the
appliance, plus some system-wide settings.
The following settings can be changed:

Hostname This is the name by which the appliance will be referred to on the
network. The hostname provided here should be a fully qualified
domain name. e.g. myappliance.example.com
not myappliance
Default Route If no other route can be found for an IP address, then the router
pointed to by the default route is used. The default route is often
known as the gateway. You must supply an IP address and not a
hostname for the default route.
DNS Server #1 The DNS server must be set so that the appliance can resolve
hostnames.
DNS Server #2 If the first DNS server cannot be contacted then the second DNS
server will be used. It is recommended to provide at least two DNS
servers so that hostnames can continue to be resolved if for any
reason one of the DNS servers cannot be contacted.
DNS Server #3 If the first and second DNS servers cannot be contacted then the
third DNS server will be used.

The ’Advanced Settings’ section allows you to restrict where the appliance interface and
SSH interface can be accessed from.

Admin Network(s) A list of networks can be provided, either in CIDR notation, for
example 192.168.1.0/24, or using a netmask form, for example
192.168.1.0/255.255.255.0.
If the admin networks are being set or modified, they must contain
the IP address of the machine being used to perform the change.
The default behaviour (empty field) is to allow access from any
network to any of the IP Addresses configured on eth0.

If no admin networks are defined, a warning banner will be displayed. If the appliance is
protected by another firewall, or the appliance is not reachable from external networks,
an admin network of 0.0.0.0/0 can be used to disable the warning.


When you change the network settings you may see a message saying that the settings
were saved, but that the configuration has not yet been applied. This feature lets you
change interdependent settings (such as IP address and default route), yet delays the
application of such settings until the configuration is 'sane' (e.g. the default route can be
reached from the available IP addresses).
Aggregation
Two or more physical network interfaces can be aggregated together. There are several
aggregation options depending on your requirements.

By default, 'No Aggregation' is selected for Aggregation Mode. This means that all
NICs in the CACHEBOX will be independent.

If you have set up any kind of Ethernet Bonding, you must select the Bonding Mode.
Supported modes are:

Balance-rr Packets are transmitted "round robin" from the configured
interfaces.
Active backup One interface is designated as 'backup' and will only be used if
the 'active' interface's link is lost.
balance-xor Packets are transmitted via an interface chosen based on the
source MAC address.
broadcast All packets are transmitted on every interface.
802.3ad "Dynamic Link Aggregation" This mode requires a switch that supports IEEE
802.3ad to create aggregation groups. This is likely to be the best
option if such equipment is available.
balance-tlb "Adaptive transmit load balancing" Packets are transmitted based on
load on each device. Incoming traffic is received by the currently
active device.
balance-alb "Adaptive load balancing" Both incoming and outgoing packets are load
balanced across the physical devices.


Bonding
Bonding allows two or more interfaces to be aggregated onto a single virtual interface.

Bridge
Bridged network interfaces can allow very simple transparent / inline deployments with
minimal changes required to your existing network. Select Bridge from the dropdown
list for Aggregation Mode.

An Ethernet bridge behaves like a switch; it will maintain a list of the Ethernet hardware
addresses (MAC addresses) that are available on each network interface.
Ethernet traffic arriving at one bridge interface will only be sent out via another bridged
network interface which is known to be connected to the target hardware address.


Bridge of Bonds
You can also combine bonding and bridging to create a 'Bridge of Bonds'. This is a
Bridge where each side is made out of several network interfaces aggregated into an
Ethernet Bond.

For any kind of Bridge you can enable or disable STP (Spanning Tree Protocol). This
protocol will prevent creating loops when using the CACHEBOX in complex
deployments, as long as the switches in the network support it.


Static Routes
The ‘Static Routes’ page allows you to configure additional static routes. These routes
allow you to change the route traffic will take depending on the source and/or
destination address, in either IPv4 or IPv6. If you need to use static routes on your
network, click ADD ROUTE to create a new route.
This will take you to the ‘Static Route’ page:

Fill in the following fields:

Name Used to identify the route
Source / Destination These two fields allow you to specify the source and/or
destination of the packets you want to route. The network can be
specified in CIDR format (for example 192.168.1.0/24) or using a
netmask (for example 192.168.1.0/255.255.255.0).
If you want to specify that all packets from a specific IP address
should match, then put "0.0.0.0/0" or "::/0" in as the destination.
You can similarly specify the source like this. You can also leave
the box blank to indicate this, and the IP version will be
determined from the router address. You can specify blank,
"0.0.0.0/0" or "::/0" for both the source and destination. This will
create the equivalent of another default route. Use this method to
create a default route for IPv6 if the standard default route is IPv4.
Router The IP address of the router that will be used to gain access to this
network. It must be accessible on the appliance's network. For
example if the appliance has an IP address 192.168.1.10 with a
netmask of 255.255.255.0, then the router must be in the range
192.168.1.1-254. Note that dynamically assigned (DHCP) IP
addresses cannot be used for static routing. The router must be
accessible via one of the local static IP addresses.
Interface In some circumstances it is important to specify the physical
network Interface through which the traffic will be routed.
Priority The priority must be a unique integer between 100 and 254. Lower
numbers are applied first. So a packet matching a priority 100 rule
will be routed via that router, even if it would have then matched
a later priority rule. As a result you should define more specific
rules with low numbers, and more general rules with higher
numbers.


Take care when adding static routes. You may disrupt network access to or from the
appliance.
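The checks a careful administrator makes before saving the ‘Admin Network(s)’ field or a set of static routes, as an added example written for this guide (it is not the appliance's own validation, which the guide does not show): the same parser accepts both the CIDR and netmask forms, the admin-network check confirms the list still contains the machine making the change, and the route helpers enforce the unique 100-254 priority, the "lower number first" matching order and the requirement that the router sit on one of the appliance's own subnets. All addresses are constructed sample values.

```python
"""Admin-network and static-route validation, added illustration (not CACHEBOX code).
Sample addresses are constructed."""
import ipaddress
from typing import List, Optional


def parse_network(text: str):
    """Accept '192.168.1.0/24', '192.168.1.0/255.255.255.0' or '::/0'.
    A blank string returns None, meaning 'any', as on the 'Static Route' form.
    strict=False tolerates host bits set in the address part."""
    text = text.strip()
    if not text:
        return None
    return ipaddress.ip_network(text, strict=False)


def admin_networks_ok(networks: List[str], client_ip: str) -> bool:
    """'Admin Network(s)' must include the address the change is made from,
    otherwise saving the form cuts off the administrator. An empty list keeps
    the default of allowing any network."""
    client = ipaddress.ip_address(client_ip)
    nets = [n for n in (parse_network(t) for t in networks) if n is not None]
    if not nets:
        return True
    return any(client in n for n in nets if n.version == client.version)


class StaticRoute:
    def __init__(self, name: str, priority: int, router: str,
                 source: str = "", destination: str = ""):
        if not 100 <= priority <= 254:
            raise ValueError("priority must be between 100 and 254")
        self.name = name
        self.priority = priority
        self.router = ipaddress.ip_address(router)
        self.source = parse_network(source)            # None = any source
        self.destination = parse_network(destination)  # None = any destination
        for net in (self.source, self.destination):
            if net is not None and net.version != self.router.version:
                raise ValueError("source/destination family must match the router")

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s.version != self.router.version or d.version != self.router.version:
            return False
        return ((self.source is None or s in self.source) and
                (self.destination is None or d in self.destination))


def router_reachable(route: StaticRoute, local_addresses: List[str]) -> bool:
    """The router must lie inside the subnet of one of the appliance's own
    static addresses, given as address/mask such as '192.168.1.10/24'."""
    return any(route.router in parse_network(a) for a in local_addresses)


def build_route_table(routes: List[StaticRoute],
                      local_addresses: List[str]) -> List[StaticRoute]:
    """Validate routes as the form would (unique priority, reachable router)
    and return them in the order they are applied: lowest priority first."""
    seen = set()
    for r in routes:
        if r.priority in seen:
            raise ValueError(f"priority {r.priority} used twice")
        seen.add(r.priority)
        if not router_reachable(r, local_addresses):
            raise ValueError(f"router {r.router} for route {r.name!r} is not on a local subnet")
    return sorted(routes, key=lambda r: r.priority)


def route_table_error(routes, local_addresses) -> Optional[str]:
    """Return the validation message for a proposed table, or None if it is fine."""
    try:
        build_route_table(routes, local_addresses)
    except ValueError as e:
        return str(e)
    return None


def select_route(table: List[StaticRoute], src: str, dst: str) -> Optional[StaticRoute]:
    """First match in priority order wins; None means the packet falls
    through to the ordinary default route."""
    for r in table:
        if r.matches(src, dst):
            return r
    return None


# Constructed sample: appliance at 192.168.1.10/24 and 2001:db8::10/64
LOCAL = ["192.168.1.10/24", "2001:db8::10/64"]
ROUTES = build_route_table([
    StaticRoute("lab-net", 100, "192.168.1.2", destination="10.0.0.0/255.0.0.0"),
    StaticRoute("guest-out", 150, "192.168.1.3", source="192.168.1.128/25"),
    StaticRoute("default-v6", 200, "2001:db8::1"),  # blank src/dst = IPv6 default route
], LOCAL)
```

The sample table shows why the guide says to give specific rules low numbers: a guest client sending to 10.x goes via the priority-100 "lab-net" route even though it also matches the broader priority-150 source rule, while a non-guest client to the internet matches nothing and uses the default route.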

Services
The ‘Services’ page allows you to enable and set the port for SSH command line access
and to set the port for the web interface.

SSH
The SSH service provides secure network access to the CACHEBOX command line
interface. To use SSH you will need to have a suitable client installed. Most Linux
distributions and Mac OS X come with an SSH client pre-installed. A popular SSH client
for Microsoft Windows is PuTTY.
The following Network Service Configuration options are available:

SSH Enabled Turn the SSH service on or off

SSH Port Change the TCP port that the SSH service listens on. (default: 22)

For detailed information on using SSH command line access, see Appendix A.


Web Interface
The CACHEBOX web interface is served using an SSL enabled web server (default: 443).
You can change the port on which the web server listens by changing the default value
(443) in the ’Web Interface Port’ field. If you do this, the web server will be restarted and
you will be automatically redirected to the new web interface URL.

The following web interface configuration options are available:

HTTPS Only Controls HTTP access to the web interface on port 80. By default
(with this disabled), if you access the web interface on port 80 you
will be automatically redirected to the secure (SSL) web interface.
With 'HTTPS Only' set, the web interface does not listen on port 80

HTTPS Port Change the TCP port that the SSL web server listens on. (default:
443). You cannot disable HTTPS access.

Restricted Ports: modern web browsers do not allow you to access web sites on certain
network ports. See the following link for details:
https://developer.mozilla.org/en/Mozilla_Port_Blocking


Proxy Settings
CACHEBOX can use a proxy to reach the internet in order to get firmware updates.

Fill in the following fields to enter your proxy settings and then click SAVE.

Proxy Server The IPv4 address of the proxy server, or empty for no proxy.
Proxy Port The port where the proxy is accepting connections
Proxy User The username of the account required for accessing the proxy, or
empty if no account is required
Proxy Password The password of the account required for accessing the proxy


Reports
The ‘Reports’ page shows you networking statistics and allows you to change related
settings on your CACHEBOX. This page has two tabs: ‘Charts’ (the default page) and
‘Options’. The default page presents the following graphs:

Throughput The volume of data being transmitted and received by each of
the network interfaces on your CACHEBOX.
Network Latency Network latency is measured via ICMP ‘echo requests’, usually
known as ‘ping’. It is measured as round-trip time in milliseconds.
By default, the default route, primary DNS server and time servers
are enabled to measure the latency for CACHEBOX. You may
enable your other servers (e.g. other DNS servers or remote syslog
server) and add your own choice of domains (up to 10). To
change your latency graphing options switch to the Options tab.

PDF reports can be downloaded by clicking the icon.


The ‘Options’ tab allows you to change the networking statistics options on your
CACHEBOX.

Under ‘Ping Options’ you can enable/disable measuring the latency of your already
configured servers. The list of servers is:
 Monitor Network Latency - tick this box to enable the monitoring of network
statistics of your CACHEBOX.
 Default Route
 Primary DNS Server
 Secondary DNS Server
 Tertiary DNS Server
 Time Servers
‘Custom Destinations’ lets you add more destinations to measure the latency
between the destination and CACHEBOX.

‘Custom Destinations’ only allows adding a maximum of 10 domains/IPv4 addresses. If
more than 10 addresses are submitted, only the first 10 addresses are used and the rest
are ignored.


Tools
Network tools like Ping, Trace Route and DNS lookups can help you determine if the
network settings of your appliance have been configured correctly.
The ‘Tools’ page allows you to see the output of these commands from the interface
rather than the command line interface.


Firewall Settings
This page allows you to use this CACHEBOX as a gateway and specify additional firewall
rules.

This page can be ignored if you are not deploying in Gateway mode.

Forwarding If you wish to use this CACHEBOX as a gateway then you should
check the Forwarding checkbox.
Enable Custom Rules Custom firewall rules can be specified by ticking the Enable
Custom Rules box. These will be applied after any other rules
produced by the CACHEBOX configuration. You should not
normally need to use this feature, but in certain deployments it
may be helpful to cope with specific network scenarios.

The format of the custom rules is based on the iptables-save / iptables-restore
commands. The general format of this field will be a table specifier (the table name
preceded by an asterisk), followed by a number of rules, followed by the keyword
COMMIT. Most rule types are similar to the command line format which would be used if
iptables commands were being used directly, but chain policies are specified by an
alternative format: :CHAIN POLICY (for example :INPUT ACCEPT).


IPv4 and IPv6 iptables commands must be entered separately, to ensure the firewall
applies the correct rules on the CACHEBOX. When Enable Custom Rules is checked, the
following fields will appear:

IPv4 Custom Settings Enter the IPv4 rules here
IPv6 Custom Settings Enter the IPv6 rules here
Custom Firewall Settings The current firewall settings of the CACHEBOX are available by
clicking the 'Current Firewall Settings' link. The same format is used
as for custom rules.

Examples:
 Fully open input chain (not recommended!):
*filter
:INPUT ACCEPT
COMMIT

 Limit SSH to 5 new connections per minute:
*filter
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
COMMIT

The current firewall settings of the CACHEBOX are available by clicking the Current Firewall
Settings link. The same format is used as for custom rules.

Custom firewall rules are an advanced feature and incorrect settings could cause
problems using the CACHEBOX, as well as prevent administrative access. In this case
there is a command-line script which can be run to disable custom firewall rules:
disable_custom_firewall
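A structural check to run over a custom rule block before pasting it into the ‘IPv4 Custom Settings’ field, as an added example written for this guide and not the appliance's own parser: it follows the format described above (a `*table` line, `:CHAIN POLICY` lines, `-A`/`-I` rules, `COMMIT`) and flags the case the caution above is about, an INPUT policy of DROP with no ACCEPT for the administrative ports. The admin ports default to 22 and 443, the SSH and HTTPS defaults from the ‘Services’ page; the sample blocks other than the guide's own SSH example are constructed, and the checker deliberately covers only the rule forms shown here rather than the whole iptables-save grammar.

```python
"""Pre-flight check for custom firewall rules in iptables-save format.
Added example, not CACHEBOX code; constructed samples below."""
import re
from typing import List, Tuple

TABLES = {"filter", "nat", "mangle", "raw"}
POLICIES = {"ACCEPT", "DROP", "-"}   # '-' is what user-defined chains carry


def check_custom_rules(text: str, admin_ports: Tuple[int, ...] = (22, 443)) -> List[str]:
    """Return the problems found; an empty list means the block is well formed
    and does not obviously lock out admin_ports. Not a substitute for testing
    on a unit you can reach over the console."""
    problems: List[str] = []
    table = None
    committed = True
    policies = {}           # (table, chain) -> policy
    accepted_ports = set()  # --dport values accepted in the filter INPUT chain
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("#"):
            continue
        if ln.startswith("*"):
            if not committed:
                problems.append(f"table {table} has no COMMIT before {ln}")
            table, committed = ln[1:], False
            if table not in TABLES:
                problems.append(f"unknown table {table!r}")
        elif ln == "COMMIT":
            if table is None:
                problems.append("COMMIT before any *table line")
            committed = True
        elif ln.startswith(":"):
            m = re.fullmatch(r":(\S+)\s+(\S+)(?:\s+\[\d+:\d+\])?", ln)
            if table is None or not m or m.group(2) not in POLICIES:
                problems.append(f"bad chain policy line (expected ':CHAIN POLICY'): {ln}")
            else:
                policies[(table, m.group(1))] = m.group(2)
        elif ln.startswith(("-A ", "-I ", "-D ", "-R ")):
            if table is None:
                problems.append(f"rule appears before any *table line: {ln}")
            parts = ln.split()
            chain = parts[1] if len(parts) > 1 else ""
            port = re.search(r"--dport\s+(\d+)", ln)
            if table == "filter" and chain == "INPUT" and port and re.search(r"-j\s+ACCEPT\b", ln):
                accepted_ports.add(int(port.group(1)))
        else:
            problems.append(f"unrecognised line: {ln}")
    if not committed:
        problems.append(f"table {table} is missing its COMMIT")
    if policies.get(("filter", "INPUT")) == "DROP":
        missing = sorted(set(admin_ports) - accepted_ports)
        if missing:
            problems.append(f"lockout risk: INPUT policy DROP without ACCEPT for admin ports {missing}")
    return problems


# The guide's own SSH rate-limit example, reproduced as a well-formed block
SSH_RATE_LIMIT = """\
*filter
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
-I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
COMMIT
"""

# Constructed: default-deny INPUT that admits HTTPS but forgets SSH
LOCKOUT = """\
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed: the trailing COMMIT was lost in a copy and paste
MISSING_COMMIT = "*filter\n-A INPUT -p tcp --dport 22 -j ACCEPT\n"

if __name__ == "__main__":
    for name, block in [("ssh", SSH_RATE_LIMIT), ("lockout", LOCKOUT), ("missing", MISSING_COMMIT)]:
        print(name, check_custom_rules(block) or "ok")
```

If you have disabled SSH on the ‘Services’ page, pass `admin_ports=(443,)` so the check only insists on the web interface port.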


Open Ports
If you wish to use this appliance as a router you will need to explicitly open ports for
which you wish to route traffic. To define a new open port click ADD.

Port From / Port To You can open a range of ports, although the Port From and Port
To can be the same if you wish to open just one port. For
example, setting Port From to 10000 and Port To to 10000 will open
only port 10000 for traffic.
Protocol The expected traffic protocol. In addition to the range of ports to
allow traffic through you must also set the protocol to allow TCP,
UDP or BOTH TCP and UDP.
Description A useful description of what the port forwarding is. Make use of
the field to remind you which ports have been opened.
Enabled This enables the forwarding rule. If you wish to temporarily close
ports then un-tick the checkbox.


NAT
CACHEBOX is capable of basic Source Network Address Translation (SNAT). This allows it
to be deployed as an internet gateway for a network of computers that use private IP
addresses.
IP packets routed via CACHEBOX will have their source IP address rewritten to one of the
CACHEBOX local IP addresses. CACHEBOX will track the outbound IP traffic whose
source address has been translated and automatically rewrite the inbound traffic with
the real IP address of the origin client.
Depending on the type of Layer 4 protocol, the source port may also be rewritten. If two
clients on different local IP addresses attempt to connect to the same TCP destination
IP:port from the same source port, the CACHEBOX will automatically use an
alternative source port for the second connection. For this reason, this type of NAT is
sometimes known as Port Address Translation (PAT).

Certain Layer 7 protocols (such as active FTP) require the server to make a connection
to the client. CACHEBOX does not currently support SNAT for these "active" protocols.
Use a passive FTP client to work around this limitation.

To create new source NAT rules click ADD.

NAT IP Address Choose one of the local CACHEBOX IP addresses to which the
source traffic IP will be translated. Traffic will appear to originate
from this NAT IP Address rather than the original client IP address.
Source Networks Enter a new line separated list of source CIDR networks. IP traffic
which originates from these Source Networks and which is routed
via the CACHEBOX will have its source IP address translated to the
NAT IP address that you chose above.
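A small model of the source NAT behaviour described above, as an added illustration and not the appliance's netfilter implementation: outbound flows from the configured Source Networks are rewritten to the NAT IP Address, the source port is only changed when two clients collide on the same destination IP:port and source port (the PAT case), replies are mapped back from the tracked flow, and a packet with no tracked flow, which is what a server-initiated "active" connection looks like, is dropped. Addresses and ports are constructed sample values.

```python
"""Toy source NAT / PAT table. Added illustration, not CACHEBOX code."""
import ipaddress
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (source ip, source port, destination ip, destination port)


class SourceNat:
    """Tracks outbound flows from the Source Networks and rewrites their source
    to the NAT IP Address, remapping the source port only on collision."""

    def __init__(self, nat_ip: str, source_networks, ephemeral=(32768, 60999)):
        self.nat_ip = nat_ip
        self.networks = [ipaddress.ip_network(n) for n in source_networks]
        self.low, self.high = ephemeral            # constructed port range for remaps
        self.forward: Dict[Flow, int] = {}         # original flow -> translated source port
        self.reverse: Dict[Flow, Flow] = {}        # translated flow -> original flow

    def _is_source(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.networks)

    def _pick_port(self, wanted: int, dst: str, dport: int) -> int:
        # Keep the client's own port unless another tracked flow to the same
        # destination already occupies it on the NAT address (the PAT case).
        if (self.nat_ip, wanted, dst, dport) not in self.reverse:
            return wanted
        for port in range(self.low, self.high + 1):
            if (self.nat_ip, port, dst, dport) not in self.reverse:
                return port
        raise RuntimeError("no free source port for this destination")

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Flow:
        """Translate a packet being routed out through the appliance."""
        if not self._is_source(src):
            return (src, sport, dst, dport)       # not from a Source Network: untouched
        key = (src, sport, dst, dport)
        if key not in self.forward:
            port = self._pick_port(sport, dst, dport)
            self.forward[key] = port
            self.reverse[(self.nat_ip, port, dst, dport)] = key
        return (self.nat_ip, self.forward[key], dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Translate a reply addressed to the NAT IP back to the real client.
        None means no tracked flow matches, so the packet is dropped; this is
        what happens to server-initiated connections such as active FTP data."""
        original = self.reverse.get((dst, dport, src, sport))
        if original is None:
            return None
        client_ip, client_port, _, _ = original
        return (src, sport, client_ip, client_port)


def demo() -> dict:
    """Two LAN clients pick the same source port towards the same server."""
    nat = SourceNat("203.0.113.5", ["192.168.1.0/24"])   # constructed addresses
    first = nat.outbound("192.168.1.10", 40000, "198.51.100.20", 443)
    second = nat.outbound("192.168.1.11", 40000, "198.51.100.20", 443)
    reply = nat.inbound("198.51.100.20", 443, "203.0.113.5", second[1])
    stray = nat.inbound("198.51.100.20", 20, "203.0.113.5", 50000)
    other = nat.outbound("10.9.9.9", 5000, "198.51.100.20", 80)
    return {"first": first, "second": second, "reply": reply, "stray": stray, "other": other}


if __name__ == "__main__":
    print(demo())
```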


SMS
This appliance can send alerts via SMS to a mobile phone.

Currently supported methods of sending SMS are:
 Twilio Messaging Service – see https://www.twilio.com/sms
 TextMagic SMS Gateway - see http://www.textmagic.com
 RoutoMessaging SMS Gateway - see http://www.routomessaging.com

More methods can be added if required.


Once you have selected a provider, you will be able to enter the service's Username
and Password. The username and password are for the API provided. These will likely be
separate from the username and password needed to use your provider's web interface
for sending SMS. The password is sometimes known as the API key.


Email
CACHEBOX can send alerts and copies of reports via email. SMTP (Simple Mail Transfer
Protocol) is the standard protocol used for sending mail. It may also be used to send
scheduled reports, if supported by your appliance.
Most SMTP servers only require an address and port (the default is 25), but authentication
may also be required by some servers.

You must provide the following settings to configure SMTP:

Address This is the address of the SMTP server the appliance should use to
send emails.
Port The port that the SMTP server is running on.
Sender Email The email address that your messages will appear to come from
Username and Password The username and password used on the service. If Use
Authentication is set to No then the Username and Password will
not be used.
Use authentication If your SMTP server requires user authentication to send an email,
then this should be set to Yes.
Use TLS encryption Whether communication with the server will be encrypted or in
plain text.
Send a test email to If you wish to test the SMTP server settings provided, enter an
email address to which you have access. When the form is
submitted, the appliance will attempt to send you a test email.
Check that the test email has been received.
Once you have set up SMTP, you can enter an email address into the test field to check
that CACHEBOX can successfully send email. If you are using a hosted email service
such as Google Gmail, then it is recommended that you use the Initial Configuration
Assistant to configure SMTP (‘System’ > ‘Overview’).


SNMP
The Simple Network Management Protocol is used for managing devices on IP networks
and in network management systems to monitor network-attached devices for
conditions that warrant administrative attention.
This page allows you to configure the SNMP (Simple Network Management Protocol)
settings for the appliance.

SNMP Community defines the community that this appliance is a member of. The community
string is the only credential this SNMP service uses. By default the SNMP community is
unset, which disables remote access to the SNMP service; once a community is set, any
host that can reach the appliance and knows the string can query it. Check the current
value on this page: if it shows 'public', change it.

Do not use a community of 'public', 'private', 'default', 'snmpd' or 'admin': these are the
first strings tried by anyone probing a network. Note also that community-based SNMP
sends the string in clear text with every request, so treat it as a weak credential.
Whatever community you choose, set Admin Network(s) (in ‘Network’ > ‘Settings’) to limit
which addresses can reach this appliance's management services.

For reference, a list of MIBs defined by this appliance can be downloaded in the
’Appliance MIBs’ section.


Cache Menu
All options and log analysis pertaining to the caching software can be found in the
‘Cache’ menu.
From here you can view:
 Executive summary of current performance
 Deployment configuration options
 Detailed analysis of current configuration
 Parent cache and sibling options
 Range request caching options
 Logging options
 Users via Active Directory
 Squid configuration tuning (advanced users only)

Overview
The Overview page gives you a summary of the main settings relating to web caching.


The following information is displayed on the page:

Proxy                        The IP address and port which can be entered into a browser’s proxy
                             configuration.
Server                       Whether the web cache proxy is running, or starting. If the server is
                             shown as ‘Starting’, then any client requests will be ignored.
Deployment Mode              The current deployment mode.
Caching Storage Configured   The amount of total storage available for caching, and whether the
                             default storage scheme or a custom storage scheme is being used.
Access Logging               If on then all client requests are logged to a text file. Daily and
                             monthly summary reports are updated every five minutes from the
                             access log.

The information displayed in the ‘Statistics’ section, with the exception of Number of
Cached Objects, only covers the period since the appliance was last booted.
The following information is available here:

Number Of Cached Objects   The number of objects (HTML files, CSS files, videos, software update
                           files, etc) which are currently in the cache (memory or disk).
Byte Hit Ratio (60 mins)   The average byte hit ratio over the last 60 minutes. A high ratio shows
                           that the cache is being used efficiently.
Internet In/Out            The total amount of traffic received by the CACHEBOX from the internet
                           and the traffic which has been sent out of the CACHEBOX to the internet.
LAN Clients Out/In         The total amount of traffic sent by the CACHEBOX to all clients and
                           received from all clients.

The ’Recent Requests’ section gives you a list of recent requests that have been served
by the CACHEBOX.
Most recent requests made by a client through the CACHEBOX are displayed at the top
and show information about the Time when the request was made, client's IP address,
the requested URL, Size of the response, as well as caching status of and HTTP Status of
each request.
The requests can be filtered to restrict the information displayed by clicking the Toggle
filters link. For example, you can filter the requests to only see the URLs which contain
bbc.co.uk. Multiple filters can be used at the same time to further restrict the
information displayed.
To change filters, click the 'Filters...' link and edit the values in the popup dialog. Filters
are applied to new requests and may take a moment to be applied to new data. Note
that these filters are applied on the CACHEBOX itself so apply to all users of the web
interface, but do not affect the logging of information to the other access logging
facilities.


Deployment Mode
This page allows you to specify the deployment mode to use on your CACHEBOX. Once
you've selected a mode, some settings on the 'Advanced' page that are not applicable
to your chosen deployment mode will be hidden.

The following deployment options are available from the dropdown list in front of Select
Mode:
 Explicit Proxy: Clients will connect explicitly to CACHEBOX
 Bridge Interception: CACHEBOX is deployed in-line as a bridge
 Gateway Interception (e.g. PBR): CACHEBOX acts as a gateway router for clients.
Clients' traffic is transparently intercepted.
 WCCP: CACHEBOX is configured to communicate with a Cisco device using
WCCP.
 Advanced: All deployment settings are available.

You should refer to Section 1 – “Planning Deployment” and Section 2 – ”Getting Started”
of this user guide to make an informed decision about how to deploy CACHEBOX in your
network and what configuration your chosen deployment mode requires.

Select your chosen mode of deployment from the dropdown list and click SAVE.


Deployment
The 'Deployment Mode' page allows you to configure the options of your selected
deployment mode.
For each mode you can configure Source Address Spoofing.
Normally the HTTP proxy on CACHEBOX connects to a web server using its own local IP
address as the source address. This can cause problems because some websites restrict
the number of connections that originate from a single IP address. For example, YouTube
will limit the number of videos streamed to a single IP address and RapidShare will only
allow a single download from each client IP address.
Source Address Spoofing allows CACHEBOX to connect to a web server using the original
source IP address of the client. It requires careful configuration of your network routes.
In particular, responses from web servers to the HTTP proxy on CACHEBOX must be routed
via the CACHEBOX IP address, so that the traffic can be properly intercepted and the
response sent back to the client. Because CACHEBOX then emits packets carrying client
source addresses, any anti-spoofing (ingress or uRPF) filtering on the router interface
facing the CACHEBOX must be adjusted to permit them, or the spoofed connections will be
silently dropped. This section allows you to enable and disable the feature.

In Explicit Mode, you can also upload a Proxy Config file to automate the configuration
of client proxy connections. This file will be served to any client requesting /wpad.dat
from the CACHEBOX. Configuration of DNS or DHCP devices will be required for a
complete auto-configuration set-up. Because clients apply whatever script they receive
under the WPAD name, make sure that only your own DNS and DHCP servers can answer
the WPAD lookup on your network; a rogue answer would redirect client traffic through an
attacker's proxy.

In Explicit mode, Source Address Spoofing also requires that routers track connections,
because traffic from the same client address may come directly from the client or from
the CACHEBOX.


Bridge Mode
When a CACHEBOX has been configured in Bridge mode, two or more of its network
interfaces are used to create a special ‘bridge’ device. The CACHEBOX is then
connected in-line into the network and all network traffic passes over the bridge.

If Bridge mode HTTP Interception is set to Enabled under ‘Bridge Mode’, all ‘port 80’
traffic passing over the bridge is intercepted and handled by the CACHEBOX’s
proxy/cache mechanism. ‘Port 80’ is the standard HTTP port used by web servers.
'Intercept Requests From' can be set to Anywhere or Permitted Subnets Only.
Choosing Permitted Subnets Only will make the CACHEBOX only intercept traffic
originating in the permitted subnets configured on the ‘Cache’ > ‘Basic Settings’ page.
VLAN (Virtual LAN) tagged traffic passing over the bridge will only be intercepted if you
have configured an IP address for each VLAN ID on the bridge device.
You can use the 'Custom HTTP Ports to Intercept' field to specify extra ports to intercept
in addition to port 80. Enter port numbers separated by spaces, e.g. 10080 8080 12345.
If you have not already enabled bridge mode HTTP interception, this page will direct you
to the ‘Network’ > ‘Settings’ page where you can do so.


HTTP Interception Mode

In Gateway Mode, the following HTTP Interception Settings are available.

Source Address Spoofing   Enable or disable Source Address Spoofing. You need to enable this
                          if you want to maintain outbound (client > web server) transparency.
                          The responses from web servers to the HTTP proxy on CACHEBOX must
                          be routed via the CACHEBOX IP address, so that the traffic can be
                          properly intercepted and the response sent back to the client.
Custom HTTP Ports         By default the CACHEBOX will intercept all "port 80" traffic (port 80
to Intercept              is the standard HTTP port used by web servers). You can use this
                          field to specify extra ports to intercept. Enter port numbers
                          separated by spaces, e.g. "10080 8080 12345".


WCCP Mode
WCCP (Web Cache Communication Protocol) is a feature of some Cisco routers and
switches which allows you to re-route HTTP traffic to a caching device.

CACHEBOX supports the following WCCPv2 features:

 Standard ‘web-cache’ service
 GRE forwarding method (routing traffic through a GRE tunnel)
 Layer 2 forwarding method (MAC address rewriting)
 Hash assignment method
 Mask assignment method
 Multiple CACHEBOXes in a service group
 Multiple router support
 WCCP weight settings
 Dynamic service groups

You will find a full description of WCCP deployment, including example Cisco IOS
configuration settings, in Section 1 – “Planning Deployment” and Section 2 – “Getting
Started” of this user guide.


In WCCP Mode the following HTTP Interception Settings are available.

Source Address Spoofing   Enable or disable Source Address Spoofing. You need to enable this
                          if you want to maintain outbound (client > web server) transparency.
                          The responses from web servers to the HTTP proxy on CACHEBOX must
                          be routed via the CACHEBOX IP address, so that the traffic can be
                          properly intercepted and the response sent back to the client.
Custom HTTP Ports         By default the CACHEBOX will intercept all "port 80" traffic (port 80
to Intercept              is the standard HTTP port used by web servers). You can use this
                          field to specify extra ports to intercept. Enter port numbers
                          separated by spaces, e.g. "10080 8080 12345".

‘WCCP Global settings’ has the following configuration options:

WCCP Mode            Switch WCCP on or off. When WCCP is disabled, the CACHEBOX will not
                     attempt to connect to a WCCP router and it will not respond to WCCP
                     redirected traffic sent from the router. This option allows you to
                     quickly disable WCCP whilst retaining your WCCP configuration options.
Router/Switch IPs    Enter one or more IP addresses or hostnames of your WCCP
or hostnames         routers/switches.
Forwarding Method     GRE Tunnel: Cisco routers generally forward HTTP traffic via a GRE
                       tunnel. If you choose this forwarding method, you must also
                       configure the GRE Remote Endpoint IP (below).
                      Layer 2 Redirect: Cisco switches generally forward HTTP traffic by
                       layer 2 redirection. This works by rewriting the destination MAC
                       address of HTTP traffic to that of the CACHEBOX. When using the
                       Layer 2 Redirect method, the CACHEBOX must be directly connected
                       to (or deployed on the same network segment as) the Cisco device.
                     Note that some high-end Cisco routers and switches are capable of
                     both GRE and Layer 2 forwarding.
GRE Remote           Only required if you are using GRE redirection. Enter the master IP
Endpoint IP          address of your Cisco device. The master IP is likely to be either the
                     WAN IP or the loopback IP of the device.
Assignment Method    When multiple CACHEBOXes are participating in a WCCP v2 service
                     group, the Cisco router/switch will attempt to balance the redirected
                     traffic between them. There are two alternative methods that can be
                     used to calculate to which CACHEBOX traffic should be redirected:
                     Hash Assignment and Mask Assignment. You can find further information
                     on these two assignment methods at the following URL:
                     http://www.wrec.org/Drafts/draft-wilson-wrec-wccp-v2-00.txt


Rebuild Wait          This option allows you to control whether WCCP negotiation takes
                      place only after the Squid proxy server has fully rebuilt/checked its
                      cache storage. You should normally leave this option enabled unless
                      you are testing new WCCP options and want to quickly see the result
                      of your configuration changes.
Weight                When multiple CACHEBOXes are connected to the same WCCP cluster,
                      the router will use the value in the Weight field to calculate what
                      proportion of traffic will be redirected to each CACHEBOX.
Standard Web Cache    In the absence of any dynamic service groups the CACHEBOX will
Password              attempt to join the router's standard web-cache service. This service
                      supports an optional shared password with which the router
                      authenticates participating cache devices. If you configured a
                      password on your router, enter it here. It is worth configuring one:
                      without it, any host on the segment that speaks WCCP can join the
                      service group and have your clients' port 80 traffic redirected to it.

The ‘WCCP Dynamic Service Groups’ section provides advanced redirection options.
For example, you might want to redirect HTTP traffic on a non-standard port.

If you want to use the Source Address Spoofing feature with WCCP, you will need to set
up a pair of dynamic service groups.

To add a new WCCP Dynamic Service Group, click ADD.


The following fields are visible:

Service ID   This is the unique ID number of this service group. Choose a number between
             51 and 255.
Password     Each dynamic service supports an optional password. If you have configured a
             WCCP v2 password on your router/switch, enter the same password here.
Protocol     Your WCCP router/switch can redirect TCP or UDP traffic. Generally, you will
             only redirect HTTP (TCP) traffic to the CACHEBOX, but this option is included
             for completeness.
Flags        If there are multiple devices in a WCCP cluster, your WCCP router/switch will
             attempt to balance the load between all the cluster members using a hash
             algorithm. Flags allow you to control which aspects of the IP traffic are
             used in this hashing algorithm.
Priority     Packets for redirection are matched against services in priority order,
             highest first. Enter a value between 0 and 255. The default value is 240.
Ports        Enter one or more TCP/UDP ports. Packets will be matched against this set of
             ports. If the ports_source flag is set, the port information refers to a
             source port; otherwise the port information refers to a destination port.

Cisco IOS supports the following commands to show WCCP status:

# show ip wccp
# show ip wccp web-cache detail

The Squid cache.log contains useful information about the state of the WCCP service
group. If the WCCP negotiation has been successful, you will see Incoming
WCCP2_I_SEE_YOU in the cache.log. Navigate to ‘System’ > ‘Logging’ > ‘Read Logs’ >
cache.log.


Service
The ‘Service’ settings page lets you specify the IP addresses on which web requests
should be served.

The proxy port settings control the IP addresses and ports on which the web caching
proxy listens for explicit connections.

Bridge mode and Gateway mode do not need an explicit listening address.

To add a new address, click ADD ADDRESS. The default port on CACHEBOX is 800; another
common value is 8080.
The ‘Permitted Subnets’ section allows you to control which source networks can access
the web caching service on the CACHEBOX.

If you do not add any permitted subnets then you leave this appliance running as an open
proxy that unauthorised users may abuse.

For example, through an open proxy, unauthorised users may browse anonymously, and
therefore circumvent existing internet browsing restrictions, as well as cause excessive
bandwidth usage. Requests relayed in this way appear to originate from your address
space.

To configure a new subnet click ADD NETWORK and add an IP address and a Label
(name) for each subnet.


If you already have a list of permitted subnets, click on the Advanced tab to switch to a
text view. You can then paste the permitted subnets you wish to define. For example:
192.168.1.0/24 Office network
172.16.0.0/16 Clients 1
172.31.0.0/16 Clients 2
10.129.0.0/16 Clients 3

If no subnets are defined, a warning banner will be displayed.

If the appliance is protected by another firewall, or is not reachable from external
networks, a subnet of 0.0.0.0/0 can be used to disable the warning. Do this only when
something else genuinely limits who can reach the proxy port: 0.0.0.0/0 permits every
source address, so the appliance is then an open proxy to whatever can connect to it.

Click SAVE to confirm your settings.


Cache Settings
If a high proportion of your traffic consists of ‘range requests’ (requests for part of an
object, answered with HTTP status 206 Partial Content), CACHEBOX’s range request
caching feature improves caching performance.

From version 4.12 of the firmware, this feature is enabled by default for specific domains.
For a list of these, please contact support@appliansys.com.

When enabled, if a user requests only a subset of a large document – such as a video
file or software update image - that subset will be available from cache to other clients
requesting the same range or overlapping ranges of data.

Because this feature uses additional resources on your CACHEBOX, we recommend
checking your periodic reports to assess whether your network has a high proportion of
‘range request’ traffic.

Navigate to Reports > Periodic and scroll down to the Top HTTP Status Codes report. The
graph below is an example of a network with a high proportion of HTTP 206 traffic; we
recommend leaving range request caching enabled in such cases.


If you wish to change the settings of the range request cache feature, navigate to the
‘Cache Settings’ page.

The following configuration options are available:

Enable Range Request   By default, this is set to Yes. To disable range request caching,
Cache Engine           select No.
Range Request Cache    Two modes are available for partial caching: ‘Pre-configured domains
Mode                   only’ uses the Range Request engine only for requests to specific
                       domains which have been identified as suitable by ApplianSys.
                       Alternatively you may choose to use it for All Domains requested.

You can add domains to bypass the range request cache engine regardless of the
range request mode. This might be used if some web sites are not available when using
this engine.

All subdomains of any entries here will also bypass the range request cache engine. For
example, bypassing microsoft.com will also bypass download.microsoft.com and so forth.

When range request caching is enabled, you will also be able to see custom reporting
for range requests served from cache.


Logging
By default CACHEBOX logs all the HTTP traffic it proxies. It records the IP address of the
client that requested the data, the time, the full URL and whether or not the request was
served from cache. This information is stored in a text file. Every five minutes the
information is compressed to enable the CACHEBOX to log many millions of requests.
The ‘Logging’ page allows you to edit the logging options.

The Access Log option enables or disables logging of user requests through the
CACHEBOX.
The following features of your CACHEBOX will only work with access logging enabled:
 Report graphs (excluding Reports > Statistics)
 Scheduled Reports
 Remote Log Uploads
 Recent Request display
 CACHEBOXCMC generated aggregate reports
Access logging is enabled by default.

Access logging uses CACHEBOX resources. In the event of resource overload, switch it
off as a temporary solution whilst resolving the cause.

The ’Remote Log Upload’ section allows you to schedule an upload of access logging
data to an FTP server, a Windows Share or an SSH enabled server via SCP. Only the
data since the last upload will be sent. This will happen at midnight every night. Access
logs contain client IP addresses and full URLs, so prefer SCP where you can: FTP sends
both the account password and the log data in clear text.
The time taken to generate and upload the access logging data is dependent on how
busy the cache was. For example, if for 8 hours during the day an average of 50
requests per second were being made then the data would take 10 minutes to prepare,
and a file of 32MB would be uploaded to the specified server. A maximum of 30 minutes
is allowed for the data generation and upload.


This feature is not suitable for a cache which is in continuous use 24 hours a day.

The uploaded file is a gzipped text file. If you are using Microsoft Windows, see the
Microsoft file association page at http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=GZ for
details on utilities suitable for uncompressing the file. These raw log files can be imported
into Microsoft Excel or other log parsing programs. Mac OS X and Linux based operating
systems can handle these files without the need for additional software. CACHEBOX will
automatically remove old log information from its database to free up space for storage
of new requests.

If using SSH/SCP to upload the log files, the public SSH key of the CACHEBOX will need to
be installed on the upload server. To do this, either edit the .ssh/authorized_keys
file for the username on the server being used by the upload and add the CACHEBOX
SSH key to the end of the file, or append a file containing the key using cat
CACHEBOX_public_key >> .ssh/authorized_keys. Use a dedicated, unprivileged account for
the uploads, keep .ssh at mode 700 and authorized_keys at mode 600 (with the default
StrictModes setting, sshd ignores keys in files or directories that are writable by others),
and consider prefixing the key with authorized_keys options such as from="<CACHEBOX IP>"
and restrict so that the key can only be used from the appliance and cannot open port
forwards or interactive sessions.
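The following script is an added example of the key installation described above; it is not ApplianSys code. It validates the pasted public key (the type named in the first field must match the type string inside the base64 blob, which catches truncated pastes), writes it to authorized_keys with from= and restrict options, fixes the directory and file modes, and is safe to run more than once. It assumes an upload host running OpenSSH 7.2 or later (the first release that understands restrict), a single fixed appliance address, and a one-line OpenSSH public key. The sample key in the block is constructed for the demonstration: its key material is dummy bytes, but it is structurally valid and decodes like a real ed25519 key.

```python
"""Install a CACHEBOX public key into a log-upload account's authorized_keys
with from= and restrict options.  Added example, not ApplianSys code.
Assumes OpenSSH 7.2+ on the upload host and a fixed appliance address."""

import base64
import os
import stat
import tempfile

ALLOWED_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample key for the demo (dummy key material, valid structure):
# wire format is <len><"ssh-ed25519"><len><32-byte public point>
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + b"\x01" * 32
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " root@cachebox"


def validate_public_key(line):
    """Return (keytype, base64) for one OpenSSH public-key line, or raise.
    The type string inside the blob must agree with the first field; a
    truncated or mangled paste fails here instead of ending up in the file."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        raise ValueError("not a supported OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type field does not match key blob")
    return parts[0], parts[1]


def install_key(pubkey_line, authorized_keys, from_ip):
    """Append a restricted entry for the key and set directory/file modes.
    Returns True if the key was added, False if it was already present."""
    keytype, b64 = validate_public_key(pubkey_line)
    # from= limits use to the appliance's address; restrict disables pty, agent,
    # port and X11 forwarding while still letting the scp command run.
    entry = f'from="{from_ip}",restrict {keytype} {b64} cachebox-log-upload'
    ssh_dir = os.path.dirname(authorized_keys)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)      # StrictModes rejects group/world-writable dirs
    existing = []
    if os.path.exists(authorized_keys):
        with open(authorized_keys) as fh:
            existing = fh.read().splitlines()
    # Idempotent: compare the key material only, ignoring options and comment
    if any(b64 in line.split() for line in existing):
        return False
    with open(authorized_keys, "a") as fh:
        fh.write(entry + "\n")
    os.chmod(authorized_keys, 0o600)
    return True


def demo():
    """Install the sample key twice into a throw-away home directory and
    return (added first time, added second time, line count, file mode,
    first line carries the expected options)."""
    home = tempfile.mkdtemp()
    path = os.path.join(home, ".ssh", "authorized_keys")
    first = install_key(SAMPLE_KEY, path, "192.0.2.10")
    second = install_key(SAMPLE_KEY, path, "192.0.2.10")
    with open(path) as fh:
        lines = fh.read().splitlines()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    ok = lines[0].startswith('from="192.0.2.10",restrict ssh-ed25519 ')
    return first, second, len(lines), mode, ok


if __name__ == "__main__":
    print(demo())   # (True, False, 1, 0o600, True)
```

On the real upload host, call install_key with the key file copied from the appliance, the upload account's ~/.ssh/authorized_keys and the appliance's IP address, running as that account or as root followed by a chown to it.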


Cache Peers
The ‘Parent Cache’ settings allow you to set the CACHEBOX to make use of a parent
cache or proxy. A common use is to set the CACHEBOX to use a firewall proxy as its
parent. If a Parent Cache is defined, then any cache misses will be forwarded on to it.

To enable the ‘Parent Cache’ feature, select Enabled. The following settings are
required:

Parent         The parent proxy's hostname or IP address.
Port           The port of the proxy service on the parent server.
Username       The upstream cache/proxy may require authentication. If so, enter the
               username here. Basic HTTP authentication is supported; it only
               base64-encodes the credentials, so the link to the parent should be a
               trusted network.
Password       If a username is required by the parent proxy, then the password must be
               entered here.
Force Parent   If Force Parent is set to Yes, then all requests are forwarded to the parent
               proxy even when it is down: CACHEBOX will not contact the origin server
               directly to fetch the data. Use this when the parent must never be bypassed,
               for example because it performs content filtering; the trade-off is that an
               outage of the parent stops web access instead of silently removing the
               filtering.


One or more other CACHEBOXes may be included as cache peers ('siblings') of this
CACHEBOX. If a request is made to this CACHEBOX and a sibling cache contains the
requested object, then it will be retrieved from there, rather than downloading it from
the origin server.
Normally all sibling caches within a group should include each other in the ‘Sibling
Caches’ list.
Click ADD SIBLING CACHE and enter the following settings:

Peer            The IP address or hostname of the sibling cache.
Port            The port of the proxy service on the sibling cache.
Auth Username   The username to access the sibling cache if authentication is required.
Auth Password   The password for the username to access the sibling cache.
Use Digest      Digests are an efficient way of informing caches about objects which are
                likely to be on a particular CACHEBOX, reducing network load between
                siblings. Generating the digest takes substantial CPU, so leave this
                disabled if no peering is required. If enabled, a list of the currently
                cached objects on the sibling cache is requested. Using cache digests can
                reduce the latency and response time of the CACHEBOX.
Proxy Only      If enabled, the CACHEBOX will not cache objects retrieved from the sibling
                cache. This is recommended if the sibling cache is connected via a low
                latency network link.

If you want to use this CACHEBOX as a parent cache for another CACHEBOX or other
web cache, then you must configure the IP addresses of the children.
Click ADD CHILD to add the IP address of a child cache. This will allow that cache to
make ICP requests to the caching engine running on this CACHEBOX.


Custom Configuration
You should have a good understanding of CACHEBOX configuration before using this
feature.

‘Custom Configuration’ is for advanced use only and it should be ignored by most users.
If you have a specific need or require assistance using this feature, please contact
support@appliansys.com.

Whilst the CACHEBOX has options in its web interface for commonly used features of
Squid, it is also possible to specify custom Squid commands to be loaded into Squid’s
configuration file.
Most deployments do not require this feature, but it is provided for flexibility – particularly
for administrators who are familiar with Squid and require finer control over it than the
standard interface allows.
Squid uses an ACL (Access Control List) language to control use of the proxy and
supports many features, such as timed access, restricting access from different subnets,
forcing various sites to never be cached.

Syntax
The ACL syntax can be learnt with relative ease. Due to the wealth of information freely
available online this guide will only discuss commonly used ACLs. The most useful online
guide can be found at:
http://www.wiki.squid-cache.org/SquidFaq/SquidAcl

Several books have been published that also cover ACLs, including O’Reilly’s: “Squid:
The Definitive Guide”; much of which can be viewed for free on http://www.books.google.com
The ACL syntax and options available vary slightly between versions of Squid.
CACHEBOX currently uses version 2.7.


Specifying custom ACLs cannot stop the CACHEBOX itself from running, but it is possible
to modify its behaviour in such a way that legitimate traffic is not accepted.
CACHEBOX will check any changes made for correct syntax and disallow them (with an
error message) if accepting would cause Squid not to start. Note that this check is
syntactic only: rules that are well formed but in the wrong order are accepted.
ApplianSys recommends that any changes are actioned during a pre-defined
maintenance period to ensure you are able to test the behaviour of CACHEBOX without
affecting users.
Examples

Squid evaluates http_access lines in order and stops at the first line that matches; a line
matches only when every ACL named on it matches (the names are ANDed). Put specific
deny or allow lines first and a catch-all last, and remember that a single line naming
several source ACLs can never match a request from one address.

Restricting access to a range of individual network addresses:

Allowing access from three IP addresses (192.168.0.5, 172.16.0.99, 10.0.0.23), while
preventing access from others, can be done in the following two ways:

acl good_ips src 192.168.0.5 172.16.0.99 10.0.0.23
http_access allow good_ips
http_access deny all

acl good_ip1 src 192.168.0.5
acl good_ip2 src 172.16.0.99
acl good_ip3 src 10.0.0.23
http_access allow good_ip1
http_access allow good_ip2
http_access allow good_ip3
http_access deny all

Either CIDR (e.g. 192.168.0.5/32) or dotted quad (192.168.0.5/255.255.255.255) notation can
be used for subnet specifications. If you have a class C subnet in the range
192.168.0.0-192.168.0.255:

acl local_net src 192.168.0.0/24
http_access allow local_net
http_access deny all

Preventing certain IP addresses from accessing the cache:

Preventing access from three IP addresses (192.168.0.5, 172.16.0.99, 10.0.0.23), whilst
allowing access from other IP addresses, can be done in the following two ways. The deny
lines must come before the allow all line; otherwise allow all matches first and the deny
lines are never reached:

acl bad_ips src 192.168.0.5 172.16.0.99 10.0.0.23
http_access deny bad_ips
http_access allow all

acl bad_ip1 src 192.168.0.5
acl bad_ip2 src 172.16.0.99
acl bad_ip3 src 10.0.0.23
http_access deny bad_ip1
http_access deny bad_ip2
http_access deny bad_ip3
http_access allow all


Either CIDR (e.g. 192.168.0.5/32) or dotted quad (192.168.0.5/255.255.255.255) notation can
be used for subnet specifications. If you have a class C subnet in the range
192.168.0.0-192.168.0.255:

acl local_net src 192.168.0.0/24
http_access deny local_net
http_access allow all
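Whether each of the rule sets above does what its heading says depends entirely on the first-match and AND rules. The following Python model of http_access evaluation is an added example, not CACHEBOX or Squid code; it supports only src and dstdomain ACLs, the built-in all, and ! negation (IPv4 sources only). It runs the page's own rule sets, including an allow all placed before a deny, to show which requests actually get through.

```python
"""Small model of how Squid evaluates http_access.  Added example, not
CACHEBOX or Squid code; supports only `acl NAME src ...`, `acl NAME
dstdomain ...`, the built-in `all`, and `!` negation, IPv4 only."""

import ipaddress


def parse_config(text):
    """Return (acls, rules).  acls maps name -> (type, [values]); repeated
    acl lines with the same name accumulate values, as in Squid.  rules is
    the ordered list of (action, [terms]) taken from http_access lines."""
    acls = {"all": ("src", ["0.0.0.0/0"])}   # Squid defines `all` for you
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (atype, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, request):
    """Does one ACL match a request of the form {"src": ip, "host": name}?"""
    atype, values = acl
    if atype == "src":
        ip = ipaddress.ip_address(request["src"])
        # accepts 192.168.0.5, 192.168.0.0/24 and 192.168.0.5/255.255.255.255
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if atype == "dstdomain":
        host = request["host"].lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):          # .example.com: the domain and all subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:                # www.example.com: that host only
                return True
        return False
    raise ValueError(f"unsupported acl type: {atype}")


def http_access(acls, rules, request):
    """The first http_access line whose terms all match wins (terms are
    ANDed; a leading ! negates a term).  If nothing matches, Squid applies
    the opposite of the last line's action, and denies when no lines exist."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], request) != t.startswith("!")
               for t in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config, src, host="www.example.com"):
    acls, rules = parse_config(config)
    return http_access(acls, rules, {"src": src, "host": host})


# allow all placed before the deny: the deny line is unreachable
BROKEN_ORDER = """
acl bad_ips src 192.168.0.5 172.16.0.99 10.0.0.23
http_access allow all
http_access deny bad_ips
"""

# the same intent with the deny line first
FIXED_ORDER = """
acl bad_ips src 192.168.0.5 172.16.0.99 10.0.0.23
http_access deny bad_ips
http_access allow all
"""

# several source ACLs on one line are ANDed, so one client can never match
ANDED_TERMS = """
acl good_ip1 src 192.168.0.5
acl good_ip2 src 172.16.0.99
http_access allow good_ip1 good_ip2
http_access deny all
"""

DOMAIN_BLOCK = """
acl Deny_Example_All dstdomain .example.com
http_access deny Deny_Example_All
http_access allow all
"""

if __name__ == "__main__":
    print("broken order, 192.168.0.5 ->", decide(BROKEN_ORDER, "192.168.0.5"))  # allow
    print("fixed order,  192.168.0.5 ->", decide(FIXED_ORDER, "192.168.0.5"))   # deny
    print("anded terms,  192.168.0.5 ->", decide(ANDED_TERMS, "192.168.0.5"))   # deny
    print("domain block, download.example.com ->",
          decide(DOMAIN_BLOCK, "10.0.0.1", "download.example.com"))            # deny
```

Paste any candidate custom configuration into decide() with a few representative client addresses before loading it on the appliance; a rule set that returns "allow" for an address you meant to block has the ordering problem described above.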

Forcing a site not to be cached:

Sometimes you may find that a site that is set as cacheable in the web server’s
HTTP headers is in fact not so. Overriding this is very simple with ACLs:

acl example dstdomain .example.com
cache deny example

Allowing access only at certain times of day:

Day codes: S = Sunday, M = Monday, T = Tuesday, W = Wednesday, H = Thursday,
F = Friday, A = Saturday, D = All Weekdays (M-F)
Only allow access Monday to Friday from 9:00 to 18:00:

acl Working_Hours time D 09:00-18:00
http_access allow Working_Hours
http_access deny all

Only allow access on Friday between 11:00 and 14:00:

acl Happy_Friday time F 11:00-14:00
http_access allow Happy_Friday
http_access deny all

Prevent access to the cache outside work hours (Monday to Friday from 9:00 to
18:00):

acl Work_Hours time D 09:00-18:00
http_access deny !Work_Hours

Prevent access on Sunday from 10:00 to 12:00 (the deny line must come before allow all,
or it is never reached):

acl bad_time time S 10:00-12:00
http_access deny bad_time
http_access allow all

Prevent access to the cache on Tuesday, Wednesday and Thursday between
13:00-14:00:

acl lunch_break time TWH 13:00-14:00
http_access deny lunch_break
http_access allow all


Blocking access to certain sites/domains:

Block access to www.example.com (the deny line goes before allow all):

acl Deny_Example dstdomain www.example.com
http_access deny Deny_Example
http_access allow all

Block access to all hosts from the example.com domain (a leading dot matches the
domain itself and every subdomain):

acl Deny_Example_All dstdomain .example.com
http_access deny Deny_Example_All
http_access allow all

Blocking access to a certain domain at a certain time of the day:

Block access to www.example.com Monday to Friday during work hours:

acl workhours time D 09:00-17:00
acl example dstdomain www.example.com
http_access deny example workhours
http_access allow all

Turning off CACHEBOX generated HTTP headers:

By default CACHEBOX inserts two headers into forwarded requests: X-Forwarded-For
(carrying the IP address of the client) and Via (required by RFC 2616). To hide the IP
address of the client use:

via off
forwarded_for off

Note that in Squid 2.7, forwarded_for off does not remove the header: the forwarded
request still carries X-Forwarded-For: unknown, so origin servers can tell that a proxy is
in the path but not which client made the request.

Some sites such as MSN may behave incorrectly if these options are turned off.
To ensure compatibility further lines need to be added:

acl msnbc dstdomain .msnbc.msn.com
header_access Accept-Encoding deny msnbc


Blocking access to certain file types:


It is possible to instruct CACHEBOX to block files based on their extension and
MIME type.
The following example will block the majority of video streaming sites like
YouTube, Metacafe, BBC iPlayer, StupidVideos, Yahoo Videos and MSN videos:

# IP not to be blocked
acl myip src 192.168.1.25/32
#
# Block different types of video/audio content (including YouTube)
# Request MIME types (the Content-Type the client sends)
#
acl x-type_req req_mime_type -i ^video/flv$
acl x-type_req req_mime_type -i ^video/x-flv$
acl x-type_req req_mime_type -i ^application/x-shockwave-flash$
acl x-type_req req_mime_type -i ^application/x-amf$
acl x-type_req req_mime_type -i ^audio/x-pn-realaudio$
acl x-type_req req_mime_type -i ^application/octet-stream$
acl x-type_req req_mime_type -i application/octet-stream
acl x-type_req req_mime_type -i ^application/x-mplayer2$
acl x-type_req req_mime_type -i application/x-mplayer2
acl x-type_req req_mime_type -i ^application/x-oleobject$
acl x-type_req req_mime_type -i application/x-oleobject
acl x-type_req req_mime_type -i application/x-pncmd
acl x-type_req req_mime_type -i ^video/x-ms-asf$
#
# Reply MIME types (the Content-Type the origin server returns)
#
acl x-type_rep rep_mime_type -i ^video/flv$
acl x-type_rep rep_mime_type -i ^video/x-flv$
acl x-type_rep rep_mime_type -i ^application/x-shockwave-flash$
acl x-type_rep rep_mime_type -i ^application/x-amf$
acl x-type_rep rep_mime_type -i ^audio/x-pn-realaudio$
acl x-type_rep rep_mime_type -i ^application/octet-stream$
acl x-type_rep rep_mime_type -i application/octet-stream
acl x-type_rep rep_mime_type -i ^application/x-mplayer2$
acl x-type_rep rep_mime_type -i application/x-mplayer2
acl x-type_rep rep_mime_type -i ^application/x-oleobject$
acl x-type_rep rep_mime_type -i application/x-oleobject
acl x-type_rep rep_mime_type -i application/x-pncmd
acl x-type_rep rep_mime_type -i ^video/x-ms-asf$
#
# Deny both the request and the reply unless the client is myip
#
http_access deny x-type_req all !myip
http_reply_access deny x-type_req all !myip
http_access deny x-type_rep all !myip
http_reply_access deny x-type_rep all !myip
#
# Block audio, video and other content based on file extension.
# Squid reads one acl per line: all of the patterns below belong on one line.
#
acl bad_files url_regex -i \.flv$ \.swf$ \.mp3$ \.asx$ \.wma$ \.wmv$ \.avi$ \.mpeg$ \.mpg$ \.qt$ \.ram$ \.rm$ \.iso$ \.wav$ \.exe$
http_access deny bad_files !myip
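Whether any of the snippets above actually blocks anything depends on Squid evaluating http_access lines in order and stopping at the first match. The following Python is an added example, not CACHEBOX or Squid code: it parses ACL lines in the guide's own syntax (only the dstdomain, src, time, url_regex and req_mime_type types used on this page), applies the first-match rule to http_access, and runs constructed requests through an "allow all then deny" ordering, a deny-first ordering, the work-hours rule and the file-extension rule. The request values, the Wednesday timestamp and the treatment of the end of a time range as exclusive are assumptions.

```python
"""First-match evaluation of Squid-style http_access rules.

Added example for the ACL snippets in the guide; not CACHEBOX or Squid code.
Models only dstdomain, src, time, url_regex and req_mime_type ACLs."""
import ipaddress
import re
from datetime import datetime

# Squid day letters for the time ACL, mapped to datetime.weekday() (Monday = 0).
# "D" is Squid's shorthand for Monday to Friday.
_DAYS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


def parse_config(text):
    """Return ({acl name: (type, [args])}, [(action, [terms])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            # Repeated "acl NAME TYPE ..." lines extend the same ACL, as in Squid.
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(kind, args, req):
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".example.com" matches the domain and every subdomain; no dot = exact host.
        return any(host == d.lstrip(".") or (d.startswith(".") and host.endswith(d))
                   for d in map(str.lower, args))
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "time":
        now = req["when"]
        days = next((a for a in args if ":" not in a), "")
        span = next((a for a in args if ":" in a), None)
        if days:
            allowed = set()
            for ch in days:
                allowed.update(range(5) if ch == "D" else [_DAYS[ch]])
            if now.weekday() not in allowed:
                return False
        if span:
            start, end = (tuple(int(x) for x in t.split(":")) for t in span.split("-"))
            minute = now.hour * 60 + now.minute
            # End of the range is treated as exclusive here (an assumption).
            if not (start[0] * 60 + start[1] <= minute < end[0] * 60 + end[1]):
                return False
        return True
    if kind in ("url_regex", "req_mime_type"):
        flags = re.IGNORECASE if args and args[0] == "-i" else 0
        patterns = args[1:] if flags else args
        subject = req["url"] if kind == "url_regex" else req.get("mime", "")
        return any(re.search(p, subject, flags) for p in patterns)
    raise ValueError("unsupported acl type: " + kind)


def http_access(acls, rules, req):
    """Squid stops at the first http_access line whose terms all match.
    If no line matches, the default is the opposite of the last line."""
    for action, terms in rules:
        ok = True
        for term in terms:
            negate = term.startswith("!")
            name = term.lstrip("!")
            hit = True if name == "all" else acl_matches(*acls[name], req)
            if hit == negate:
                ok = False
                break
        if ok:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# "allow all" before the deny line: the deny is never reached.
AS_PRINTED = """
acl Deny_Example dstdomain www.example.com
http_access allow all
http_access deny Deny_Example
"""
# Deny line first, which is what the examples intend.
DENY_FIRST = """
acl Deny_Example dstdomain www.example.com
http_access deny Deny_Example
http_access allow all
"""
WORKHOURS = """
acl workhours time D 09:00-17:00
acl example dstdomain www.example.com
http_access deny example workhours
http_access allow all
"""
BAD_FILES = r"""
acl myip src 192.168.1.25/32
acl bad_files url_regex -i \.flv$ \.exe$
http_access deny bad_files !myip
http_access allow all
"""


def decide(config, url, src="10.0.0.1", mime="", when="2017-09-13T10:30"):
    """Evaluate one constructed request; 2017-09-13 10:30 is a Wednesday morning."""
    req = {"url": url, "host": url.split("/")[2], "src": src, "mime": mime,
           "when": datetime.fromisoformat(when)}
    return http_access(*parse_config(config), req)


if __name__ == "__main__":
    print(decide(AS_PRINTED, "http://www.example.com/"))            # allow: deny line is dead
    print(decide(DENY_FIRST, "http://www.example.com/"))            # deny
    print(decide(BAD_FILES, "http://cdn.example.com/clip.flv?t=1"))  # allow: "$" anchor
```

The query-string case shows a limit of the `$`-anchored url_regex patterns: `\.flv$` does not match `clip.flv?t=1`, so a URL with a query string passes the bad_files rule, while the `-i` flag is what makes `clip.FLV` match.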


Error Pages
On occasion, the CACHEBOX may need to display an error page to a client, for
example when the client requests a website which is in an enabled filter group
and is therefore blocked. Here you can choose the error page language and content
that will be served by this CACHEBOX.

When a suitable translation is not available, you can select a Default Error Page
Language using the dropdown menu and choose the language that will be used for
error pages.
You are able to use your own template to serve the error pages for CACHEBOX. The
template you provide will be checked for valid HTML and may be altered to make it
valid. Some providers may wish to customise these pages by modifying the text and
adding a company logo.
To create a custom error page:
 Set Error Page Template to Custom
 Modify the HTML page content
 Click the Preview icon to check the error page
 Click SAVE to save the error page


Available variables for use in this page:


 %B - URL with FTP %2df hack
 %c - Squid error code
 %e - errno
 %E - strerror()
 %h - cache host name
 %H - server host name
 %i - client IP address
 %I - server IP address
 %P - protocol
 %R - full HTTP request
 %t - local time
 %T - UTC

Sample error pages could look like this:
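As an added illustration that is not part of the guide, the renderer below expands the variables listed above into a page for one constructed request. The template, the request values and the decision to HTML-escape every value are this example's own choices; the guide does not state how CACHEBOX encodes the values, and escaping matters most for %R and %B because they carry text typed by the client.

```python
"""Expansion of error-page template variables (added illustration, not
CACHEBOX's own renderer). Template and request values are constructed."""
import html


def render_error_page(template, values):
    """Replace each %X token that has an entry in `values`; leave others alone.
    Every substituted value is HTML-escaped so request text cannot inject markup."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in values:
            out.append(html.escape(str(values[template[i + 1]]), quote=True))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Constructed custom template using variables from the list above.
TEMPLATE = """<html><body>
<h1>Access denied</h1>
<p>Client %i requested %R from cache %h at %t.</p>
<p>Squid error code %c (%e: %E).</p>
</body></html>"""

# Constructed values for one request; on CACHEBOX these come from the proxy.
SAMPLE = {
    "i": "192.0.2.10",
    "R": "GET /index.html?q=<b>x</b> HTTP/1.1",  # client-controlled text
    "h": "cachebox.example",
    "t": "13/Sep/2017:10:30:00 +0100",
    "c": "ERR_ACCESS_DENIED",
    "e": 0,
    "E": "Success",
}


def sample_page():
    return render_error_page(TEMPLATE, SAMPLE)


if __name__ == "__main__":
    print(sample_page())
```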


By default the CACHEBOX will show English error pages. A number of other languages
are provided with the CACHEBOX, including French and Spanish. To change the
language of the error pages:
 Set Template to Default
 Choose the desired language from the Content Language drop-down
 Click SAVE to commit the changed language
If the language you need is not included, then you can create a custom error page.

Other
CACHEBOX stores cached objects differently depending on their size. Cached objects
are split into two categories:
 Small objects
 Large objects
Small objects are stored in a different way to large objects to optimise caching
performance.

CACHEBOX comes with a default storage recipe for each CACHEBOX model. A storage
recipe defines how much storage is available for different types of cached objects.
Choose Default to let the CACHEBOX decide on the best storage scheme.

It is strongly recommended that you leave the Cache Object Profile set to Default. This
setting allows CACHEBOX to choose the best storage settings for your hardware.


If you need to use a Custom Cache Object Profile (for example because your support
vendor has suggested it), then the following fields are available:

Max Object Size: The maximum size of objects that will be cached by CACHEBOX
(in KB). For example, if the Max Object Size is set to 10MB, then an object of
15MB will not be cached. If you wish to cache larger files such as Windows
Updates or long YouTube videos, this will need to be increased. By default this
is set to 1GB.

Large Object Threshold: CACHEBOX stores cached objects differently depending on
their size. It is recommended that you only store a relatively small number of
small objects (i.e. objects whose size is less than the Large Object Threshold).
Objects which are smaller than this are stored in the Small Object Allocation.
Objects larger than this are stored in the Large Object Allocation. Depending on
your hardware configuration you may find that the Large Object Allocation is
much bigger than the Small Object Allocation.

Medium Object Threshold: If your CACHEBOX model uses separate storage for small
and medium objects, then the Medium Object Threshold is used to determine which
store is used for a given object. Objects smaller than the Medium Object
Threshold will be stored in the small object store. Objects larger than the
Medium Object Threshold (and smaller than the Large Object Threshold) will use
the medium object store. NOTE: setting this value low will increase Squid's RAM
usage. This is automatically limited and the actual threshold applied may be
higher than the value configured here.

Minimum Object Size: The minimum size of objects that will be stored on disk by
CACHEBOX. If for example the Minimum Object Size is set to 100B then an object
of, for example, 70B will not be cached on disk (but could still be returned
from memory).

Accepted units are KB, MB, GB and TB. All values are rounded to the nearest default unit
before saving, e.g. 1.1 MB would be rounded to 1 MB.


If you change from the Default to a Custom storage scheme, or change the amount
of storage allocated to cache objects, then the web cache server will need to be
restarted. After the restart, the web cache server may need to build new cache
storage. This process can take some time, during which the web cache may not be
able to process client requests.

'Miscellaneous Settings' include additional settings related to caching. It is
unlikely that these will need to be changed, and in most cases they should only
be modified under the supervision of vendor support.
The settings available in this section include:

Offline Mode: When you enable Offline Mode, CACHEBOX will not attempt to check
the freshness of the objects which are requested by clients. This is useful if
your internet connection is broken and you want your clients to be able to
browse those files which have been cached. Note: The effectiveness of Offline
Mode depends very much on the cacheability of the requested content, i.e.
interactive websites, such as Facebook or Google, may not display properly in
Offline Mode.

X-Forwarded-For/Via Headers: When this option is enabled, the IP address of the
client will be included in the HTTP request forwarded to the origin web server.
If disabled, the client's real IP address will be hidden.

Aggressive Update Caching: If enabled and a client aborts the download of a
file, the web cache will continue to download and cache it. This can be useful
for caching of software updates which make use of byte range requests. For
example, if a client makes a range request for only part of a file then the
file will only be cached if the whole of the file is downloaded. If this option
is turned off such a file would never be cached.

Disk Caching: When this option is Disabled, CACHEBOX will stop storing any
objects into its disk stores, serving these requests from the origin.

Behaviour on Disk Failure: This option sets the running mode of CACHEBOX if any
of the cache store hard disks have failed. The default is to Degrade, which
means that failed hard disks will be removed from the available cache disks,
but the server will continue using the remaining disks. The Proxy Only option
will remove all the hard disks from the available cache disks, bypassing disk
caching for all requests.

Multiprocessing Optimisations: Enable multiprocessing options that enhance the
maximum throughput of your CACHEBOX. This option is incompatible with other
settings such as cache peers. It is only available on some CACHEBOX models.


Peak Times: Set 'Peak Time' to define the busiest hours for your network traffic.
This configuration is used when you
 Create an additional custom report to see how CACHEBOX performs during peak
times traffic (‘Reports’ > ‘Settings’)
 Define certain domains to block during peak times (‘Content’ > ‘Filtering’)
Times should be specified in 24-hour format, and are applied to the local time
zone configured for your appliance.

The Aggressive Update Caching option can negatively affect your cache hit ratio, as
more content may be downloaded than is delivered to clients. This option is off by
default.

Specific objects stored in the cache can be removed if their full URL is known.
To remove an object, enter its URL in the URLs to delete field and click DELETE OBJECTS.
For example, to remove the image 'flower.png' from http://example.com, the URL would be:
http://example.com/flower.png.

Regular expressions and wildcards are not supported.

To delete all cached objects click DELETE ALL OBJECTS. The request will schedule
the removal at next boot time.
This action should not be required in normal operation, and it should only be
used where the cache has become corrupted or unrecoverable.


Content Menu
All options and log analysis pertaining to the caching software can be found in the
‘Content’ menu.
From here you can:
 View a summary of the state of content on your CACHEBOX
 Specify websites that you don't want to be cached
 Specify websites you don't want your users to access
 Configure pre-caching jobs
 Remove objects from your cache
 Create a backup of your cache store

Overview
This page provides an overview of the content in your cache.


CDN
Many organisations use Content Distribution Networks (CDNs) to serve large files to users
all over the world. For example, when a user watches a video from a CDN they will likely
download the video from a server geographically close to their own location. Some
CDNs have one hostname and use DNS to provide the user with the IP of a server close
to them. Other CDNs use multiple hostnames - for example cache-21.cdn.example.com.
CACHEBOX is optimised to cache files served from a number of CDNs. Since the details
of these CDNs change over time, regular updates are provided by ApplianSys and are
downloaded automatically by the CACHEBOX.
Navigate to ‘Content’ > ‘CDN’:


You can disable support for individual CDNs by clicking the suspend icon in the
Actions column. The CDN should now be greyed out. To enable it again, click the
unsuspend icon in the Actions column.
If support for a CDN is disabled then files downloaded from it will be handled as any
other web object. For example, if a file from the CDN includes a header saying that the
content cannot be cached then the CACHEBOX will not cache the file.

Filtering
CACHEBOX can work with almost any off-box content filtering solution, irrespective of
whether that solution is an appliance or software running on a server. Typically we
suggest deploying the content filter closer to the users on the network than the
CACHEBOX(es). This ensures cached copies of data cannot be served to users without
being filtered.

The filtering feature of your CACHEBOX allows you to specify websites which you do not
want your users to access. You should note that this is not an alternative to a full filtering
solution. It can block websites only by domain name, and does not do any content
filtering.

Blocked websites are organised into groups. The Filter Groups section lets you define
these. For example, you might define the groups Games, Adult and Social. Groups can
be enabled and disabled. If a group is disabled then the websites will not be blocked.
To add a new filter group click ADD.


You should give each filter group a descriptive name. It should be a good indicator of
the websites being blocked by the group.
If you wish to temporarily unblock access to this group, uncheck the Enabled checkbox.
You can also block certain website groups from being accessed during peak times. To
do this:
1 Navigate to ‘Cache’ > ‘Other’ and define your peak time hours

2 Then navigate to ‘Content’ > ‘Filtering’, select your desired filter group (or create
one first) and tick the ‘Block During Peak Times Only' option.


You can add as many Websites To Filter as you need.


To add a new website click ADD WEBSITE. Enter the domain name for the website and a
description. The domain name and all subdomains will be blocked if this filter group is
enabled.
For example, if you add the website google.com, then google.com, images.google.com and
mail.google.com will also be blocked. You should be aware that many websites have more
than one way to get to the same pages.
You can also block websites using a filter list defined in a file.
To add a new filter file, click UPLOAD new file under the ‘Upload Website Filter File’
heading, select the file from your computer, then click SAVE to upload it.
The file should list one domain per line, in the format below:
 badsite.com
 www.anotherbadsite.com
 baddomain.com


Bypass
The ‘Bypass’ page allows you to control which traffic should not be cached.

In the ‘Cache Bypass’ section you can list websites which you do not want cached by
your CACHEBOX. The websites will still be proxied by the CACHEBOX. Add as many
websites as you want by clicking ADD WEBSITE. Click SAVE to apply the configuration.
Click on the Advanced tab to switch to a text view.
The Proxy Bypass feature allows you to list a range of IP addresses and/or domain
names, which you do not want to pass through the web caching engine. Individual IP
addresses or CIDR networks (of the form x.x.x.x/N) may be specified. This feature only
works for clients using the CACHEBOX transparently, i.e. having the CACHEBOX
configured as their gateway/default route.
You can bypass a request to an IP address or domain name based on Sources or
Destinations. To bypass requests from some particular originating IPs, add those IPs to
the Sources list. Similarly, if you want to bypass a request for a destination IP, add it to
the Destinations list.
Where domain names are specified, the CACHEBOX performs a DNS lookup for any
specified domains at the time the domain is added. The result may not be correct if a
specified domain uses dynamically assigned IP addresses.


Purge Objects
The ’Delete Cached Objects’ section allows you to make a request for the removal of
one or more cached objects from the cache store.

‘Delete All Objects’ makes it quick and easy to clear your cache stores. The following
options are available:

All: Allows you to make a request for the removal of all cached objects; a
previous request for the removal of the cache can also be cancelled. The request
will schedule the removal at next boot time. This action should not be required
in normal operation, and it should only be used where the cache has become
corrupted or unrecoverable.

Cached Objects Only: Allows you to delete all cached objects (excluding static
content). This action is executed immediately, and usually takes a while before
completing, especially if you have a lot of objects in your cache.

Partially Cached Objects Only: Allows a user to delete all range-request objects
only.

Static Objects Only: Deletes all objects stored in the static store. It also
resets the size of your static store to 0MB.

Selecting All will schedule a removal of all cached objects from your CACHEBOX. This
should NOT be used unless absolutely necessary.


Cache Backup
This feature allows the stored objects from cache to be backed up to an external USB
disk drive, and then either restored at a later point or migrated to other CACHEBOXes.

This page can be used to perform cache backup and restore operations for your
cached data. You can:
 Backup your cache content to an attached USB device
 Restore cache content from the USB device to this CACHEBOX
 Show the progress of a running backup or restore job


It has the following sections:

Attached USB Disk: The last attached USB disk is displayed here as well as any
partition or usage information.

Found a Cache Backup: If an attached USB disk has a previous backup, this
backup's details will be displayed in this section (Source Model, Source
Firmware, Source Unique Appliance Code, Source Serial, Backup Date, Backup
Notes). If you don’t see information in this section having attached the disk,
refresh the page. If the source model and the running cache engine are
compatible with your CACHEBOX then a restore is possible, and a RESTORE button
will be displayed. Pressing this button will restore content from the attached
USB disk to your CACHEBOX.

Create a Backup: Use this section to create a new backup:
 Prepare Disk: Select Yes to prepare the disk first, before performing a
backup. This will erase all the content on the USB disk. You must do this for a
disk that has never been used for cache backup before.
 Backup Notes: Use this text field to add information relevant to your backup.

The following precautions should be taken while performing a backup or restore:

Disable disk caching: In this mode, the CACHEBOX will not write any data to its stores.
This will prevent corruption of the data while performing a backup or restore job. You
need to enable disk caching again once the job is complete so that data is stored to the
disk stores normally.

Do not remove the USB disk: Unplugging the USB disk during a backup/restore job will
result in data corruption.

Specify an appropriate USB disk size: The USB disk size should be at least the size of the
data you intend to backup.


Pre-Caching
This feature lets you automatically download and cache the content of websites at
predefined times (such as during the night). It works in the same way as a search engine
spider: starting with a single URL and following the links it finds.

Please take careful consideration when using this feature on connections where
bandwidth usage is charged and limited because it could download content that is not
used.

It is most suited for networks where bandwidth is unlimited and using it when there are no
users on the network can give a performance increase at no extra cost.

The ‘Pre-Cache Jobs’ section displays any pre-caching jobs configured on your
CACHEBOX.
For each job, the Description and URL associated with the job are displayed. If the pre-
cache job is currently running, this will be displayed under the Status column, and an
option to cancel the job will be given. The Actions column allows editing and deletion
of existing pre-cache jobs.


Additional jobs may be added using the ADD button, which takes you to:

The following entries can be set for each pre-cache job:

Pre-Cache Type: Select the pre-cache job type.
 The default is Crawl a Site. Given the HTML page of a site, the job will
crawl the site by visiting the URLs found on that page.
 Custom URL List is a URL that points to a text file containing a list of
URLs. This text file must contain one URL per line.
 There are some pre-cache services provided by ApplianSys that can start a
pre-cache job for specific domains or software updates.

Description: Enter a description to identify this pre-cache job. This will be
displayed on the ‘Pre-caching’ default page.

URL: This must be an HTTP URL, which is the base URL to pre-cache.

Follow Link Depth: This determines the number of links to follow. For each page
read into cache, attempts will be made to load all the required resources for
that page. This setting determines how many hyperlinks away from the base URL
will be followed. Caution should be exercised setting this to larger values, as
it will require more bandwidth in the pre-caching operation.


Follow Off-Site Links: If this is selected, then hyperlinks which point to
different domains will be followed. By default they will not be, and this option
should only be enabled if really required for a site.

Ignore robots.txt: Select this to ignore robot exclusions.

Verify SSL Certificates: Select this to enforce strict certificate checks.

Max Wait Between Files: Wait up to this duration between each file download.
Only use a low value if you are in charge of the remote server.

Max Run Duration: This allows limiting the amount of time the job will run for.
Some sites with very high numbers of links could otherwise take a significant
amount of bandwidth and time even with fairly low link depths.
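To see how Follow Link Depth, Follow Off-Site Links, Ignore robots.txt and Max Run Duration interact, here is an added Python model that is not CACHEBOX code. It walks a constructed in-memory site map instead of fetching pages, so it runs offline; the SITE and ROBOTS tables, the prefix-only reading of robots.txt, and the treatment of Max Run Duration as a budget of fetches are assumptions.

```python
"""Breadth-first model of the pre-cache crawl options (added example, not
CACHEBOX code). Pages are looked up in a constructed dict, never fetched."""
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed site map: URL -> hyperlinks found on that page.
SITE = {
    "http://intranet.example/": ["/news/", "/docs/",
                                 "http://cdn.example.net/big.iso", "/private/"],
    "http://intranet.example/news/": ["/news/1", "/news/2"],
    "http://intranet.example/news/1": ["/news/2"],
    "http://intranet.example/news/2": [],
    "http://intranet.example/docs/": ["/docs/a", "http://partner.example.org/"],
    "http://intranet.example/docs/a": [],
    "http://intranet.example/private/": ["/private/x"],
    "http://intranet.example/private/x": [],
    "http://cdn.example.net/big.iso": [],
    "http://partner.example.org/": ["http://partner.example.org/p"],
    "http://partner.example.org/p": [],
}
# Constructed robots.txt Disallow prefixes, keyed by host (simplified reading).
ROBOTS = {"intranet.example": ["/private/"]}


def plan_crawl(base_url, depth=1, follow_offsite=False, ignore_robots=False,
               max_fetches=None):
    """Return the URLs that would be fetched, in fetch order.

    depth          = Follow Link Depth (hyperlinks away from base_url)
    follow_offsite = Follow Off-Site Links
    ignore_robots  = Ignore robots.txt
    max_fetches    = Max Run Duration, modelled as a fetch budget (assumption)
    """
    base_host = urlparse(base_url).netloc
    queue = deque([(base_url, 0)])
    seen = {base_url}
    fetched = []
    while queue:
        url, d = queue.popleft()
        if max_fetches is not None and len(fetched) >= max_fetches:
            break
        fetched.append(url)
        if d >= depth:
            continue  # this page is read, but its links are not followed
        for link in SITE.get(url, []):
            target = urljoin(url, link)
            parts = urlparse(target)
            if parts.netloc != base_host and not follow_offsite:
                continue
            if not ignore_robots and any(parts.path.startswith(p)
                                         for p in ROBOTS.get(parts.netloc, [])):
                continue
            if target not in seen:
                seen.add(target)
                queue.append((target, d + 1))
    return fetched


if __name__ == "__main__":
    for depth in (1, 2, 3):
        print(depth, len(plan_crawl("http://intranet.example/", depth=depth)))
    print(plan_crawl("http://intranet.example/", depth=1, follow_offsite=True))
```

Raising the depth by one step takes the job from three fetches to six on this small map, and enabling off-site links pulls in the large ISO on the CDN host; the same growth is what the Follow Link Depth and Follow Off-Site Links cautions above describe.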


Some servers need specific headers in order to serve objects. The ‘Custom Request
Headers’ section allows you to add custom request headers to a pre-cache job.
Click ADD HEADER and enter the Name and Value of a custom request header:

For example, you can add a Cookie name value pair here if the server authorises
requests using cookies.
There are two modes available for pre-cache jobs under ‘Scheduling’:

On-demand: This is the default mode. In this mode, a pre-caching operation is
initiated from this page by selecting the Start Pre-Caching Immediately
checkbox and clicking SAVE. The job will start immediately, which will be
reflected in the Status of the job on the main ‘Pre-Caching’ page.

Scheduled: In this mode, the schedule for the pre-caching operation can be
defined. You should run pre-caching jobs while the network load is lower,
typically during the night. A scheduled job can be temporarily disabled without
losing its schedule configuration by simply setting it to On-demand mode. When
it is later set back to Scheduled mode, it will have retained its schedule
settings.

To run an on-demand pre-cache job, tick the box in front of ‘Start Pre-caching
Immediately’.


Reports Menu
When logging is enabled, CACHEBOX will automatically generate reports, which are
useful for monitoring caching performance and user activity.
The ‘Reports’ menu allows you to view the reports. Reports are divided into the following
categories:
 Overview – an overview of the cache’s performance in the last hour
 Periodic – traffic reports showing user activity by second-level domains
 Performance – a number of graphs indicating the CACHEBOX performance
 Statistics – detailed statistics on the use of CACHEBOX
Additionally, you can configure reports from the following pages:
 Settings – allows you to configure all report settings from a single page
 Schedule – a table showing you all reports which are scheduled to be sent via
email
Reports run automatically in the background and graphs are produced every 5 minutes.
Data on the ‘Statistics’ page is available in real time.

There are two more types of reports generated by CACHEBOX:


 Hardware reports, which include statistics on CACHEBOX temperature, fan speed,
etc. The reports are available in ‘System’ > ‘Reports’
 Network statistics reports, which include statistics on network latency and
throughput. The reports are available in ‘Network’ > ‘Reports’


Overview
This page provides you with an overview of the most recent daily web caching
performance figures. Information displayed here includes Bandwidth Total, Bandwidth
Saved, Average Speed Increase and pie charts showing the Top Domains and Top MIME
Types.

The graphs and pie charts shown on this page include:

Top Domains: The list of top domains accessed recently.

MIME Types: The list of content types that have been accessed in the last hour.

Bandwidth Saved: This chart shows how much bandwidth was saved in the last hour.

Hit Ratio: There are two hit ratios displayed on this graph. ‘Byte Hit Ratio’
shows the percentage of bytes being served to clients from the cache, instead
of being fetched from the Internet. ‘Document Hit Ratio’ shows the percentage
of objects which have come from the cache - e.g. HTML files, Flash videos,
stylesheets.


Load Average: This is a metric commonly used on servers. The higher the load,
the more the CACHEBOX is being used, and a high load may result in slower
response times.

Interface Throughput: The volume of data being transmitted and received by each
of the network interfaces on your CACHEBOX.

If it takes too long to collate the data, you may see a message telling you that another
attempt is being made.

Periodic
The ‘Periodic’ page provides insight into the total traffic served to clients as well as values
saved by CACHEBOX.

Type of Report
To select which report is shown use the drop down options at the top of the page to
view traffic reports.

Time Period This allows selection of the time period to view. Daily, weekly
and monthly reports are available. Daily reports are updated
approximately every 5 minutes; weekly and monthly reports
are updated approximately hourly.
Report Traffic Different report types are available allowing reporting to be
restricted to a subset of all traffic. The available options here
depend on your CACHEBOX configuration and the settings
configured on the ‘Reports’ > ‘Settings’ page.
Sort Order Sort reports by total volume of traffic and requests, as well as
what percentage of these values is handled by CACHEBOX.

Clicking the PDF icon will generate a downloadable PDF report of the selected type
for the chosen day/month.
Clicking the CSV icon (next to the PDF icon) will allow you to download reports such
that you can reuse data for analysis or other uses.

For a list of Status codes used in some of the reports, see Appendix B.


Traffic Summary
Depending on the time period set, the ‘Traffic Summary’ shows the performance
overview in terms of bandwidth, requests and average speed increase. It also provides
the number of unique domains and devices which the CACHEBOX deals with.

The summary provides an overview of the total traffic served to clients as well as the
values saved by CACHEBOX - which did not need to be requested from the Internet.

Bandwidth Total (bytes): The total amount of data served to clients.

Bandwidth Saved (bytes): The amount of data which did not need to be retrieved
from the internet, representing bandwidth saved by CACHEBOX.

Requests Total: The number of requests served to clients.

Requests Saved: The number of requests which were served from cache and did not
require onward requests to the internet.

Average Object Size (direct): The average object size (in bytes) of requests
which were served directly from the upstream internet connection.

Average Object Size (from cache): The average object size (in bytes) of requests
served from the cache store.

Unique Sources: The number of different source names or addresses making
requests via the CACHEBOX.

Unique Domains: The number of different domains being requested by clients.

Average Speed (from cache): The average speed of requests served from cache
storage.

Average Speed (direct): The average speed of requests served directly from the
internet (e.g. traffic requested for the first time or traffic that’s
un-cacheable).

Some very slow or very small objects are ignored in speed calculations: Small objects
(less than a few KB) typically have significant per-request overhead which masks any
speed measurement. Similarly very slow requests are often caused by connections held
open for a long time while data is streamed in response to specific events, rather than
transferring specific documents.
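The Traffic Summary figures above, together with the Byte Hit Ratio and Document Hit Ratio described under Overview, can be reproduced from per-request records. The following Python is an added example, not CACHEBOX's reporting code; the records, the definition of per-request speed as bytes divided by elapsed seconds, and the 4 KB cut-off standing in for "less than a few KB" are constructed assumptions.

```python
"""Traffic Summary figures from constructed request records (added example,
not CACHEBOX reporting code)."""
from collections import namedtuple

# One record per completed request; hit = served from cache. All constructed.
Req = namedtuple("Req", "source domain size hit seconds")
RECORDS = [
    Req("10.0.0.5", "example.com",     2_000_000, False, 2.0),
    Req("10.0.0.5", "example.com",     2_000_000, True,  0.2),
    Req("10.0.0.6", "example.com",     2_000_000, True,  0.25),
    Req("10.0.0.6", "cdn.example.net", 50_000_000, False, 25.0),
    Req("10.0.0.7", "cdn.example.net", 50_000_000, True,  2.0),
    Req("10.0.0.7", "example.org",     500,        True,  0.01),  # tiny object
    Req("10.0.0.5", "example.org",     800,        False, 0.05),  # tiny object
]

# Assumed cut-off below which per-request overhead masks the speed measurement.
SMALL_OBJECT_BYTES = 4096


def _avg_size(rs):
    return sum(r.size for r in rs) / len(rs) if rs else 0.0


def _avg_speed(rs, small):
    """Mean bytes/second, ignoring objects too small to measure meaningfully."""
    rs = [r for r in rs if r.size >= small]
    return sum(r.size / r.seconds for r in rs) / len(rs) if rs else 0.0


def traffic_summary(records, small=SMALL_OBJECT_BYTES):
    hits = [r for r in records if r.hit]
    misses = [r for r in records if not r.hit]
    total_bytes = sum(r.size for r in records)
    saved_bytes = sum(r.size for r in hits)
    return {
        "bandwidth_total": total_bytes,
        "bandwidth_saved": saved_bytes,            # bytes not fetched upstream
        "requests_total": len(records),
        "requests_saved": len(hits),               # requests answered from cache
        "byte_hit_ratio": saved_bytes / total_bytes if total_bytes else 0.0,
        "document_hit_ratio": len(hits) / len(records) if records else 0.0,
        "avg_object_size_direct": _avg_size(misses),
        "avg_object_size_cache": _avg_size(hits),
        "avg_speed_direct": _avg_speed(misses, small),
        "avg_speed_cache": _avg_speed(hits, small),
        "unique_sources": len({r.source for r in records}),
        "unique_domains": len({r.domain for r in records}),
    }


if __name__ == "__main__":
    for key, value in traffic_summary(RECORDS).items():
        print(f"{key:24} {value}")
```

With these records the two ratios differ noticeably (four of seven requests are hits, but only just over half of the bytes), which is why the guide reports both; dropping the two tiny objects from the speed averages is what keeps the cache-hit speed from being skewed by a 500-byte object served in 10 ms.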


Reports
The reports displayed on this page are a subset of the graphs from the PDF report.
Each section of the generated report shows a graph followed by tabular information.
The following statistics are available:

Request destinations by domain: The most popular web sites requested through
the cache. Higher hit rates for the most popular sites indicate better savings
from caching.

Request destinations by Application: The most popular applications requested
through the cache.

Requested Content Types: The types of object requested through the proxy. The
object type is determined by the MIME headers.

Top HTTP Status Codes: The distribution of response codes returned from web
servers. This should reflect your web traffic and not be affected by the proxy.

Top Sources: The average speed of top sources – that is, the devices most
heavily using the cache.

Size Distribution: The total size of different objects by size range.

Speed Distribution (Cache Hit & Cache Miss): The distribution of speeds for
different sized objects. Typically larger objects will be downloaded at a
faster speed (in bytes per second) than small objects, and cache hits will be
served much faster than misses.


Performance
The ’Performance’ page shows a number of graphs representing the CACHEBOX
performance. The information contained on this page will depend on the configuration
of this CACHEBOX.

For detail on how to select graph data using the options at the top of the page, see
“Introduction to the Web Interface” in Section 2.

The ‘Performance Overview for today’ shows a daily performance overview in terms of
Bandwidth Total/Saved and Requests Saved.


The graphs shown on this page include:

Data Transferred – This chart shows how much bandwidth has been used in the given time interval. It is split into data retrieved from the Internet and data served directly from CACHEBOX.
Requests – This is the number of requests being made by clients to the web caching proxy. The total requests per second is split into two sections: Miss and Hit. 'Hit' requests are those served directly from the CACHEBOX without needing to access the Internet. This graph will be useful to help you spot peaks in traffic.
Hit Ratio – There are two different hit ratios displayed on this graph. The ‘Byte Hit Ratio’ shows the percentage of bytes being served to clients which come from the cache (instead of being fetched from the Internet). The ‘Document Hit Ratio’ shows the percentage of objects which have come from the cache - e.g. HTML files, Flash videos, stylesheets.
Speed Increase – This displays the weighted average of the increase in request speed provided by the CACHEBOX. Large requests which get sent quickly to clients will have a large positive effect here; the values will also depend on the difference between upstream request speed (of misses) and the speed at which cache hits can be delivered to clients.
Number of Active Clients – This displays the number of unique sources (either IP or username if authentication is available) which completed requests during the given minute. This gives a user-based indication of how busy your CACHEBOX is at any point in time.
Service Times – This displays the time taken for requests of different types as well as DNS service times.
Cache Engine Traffic – This chart shows the amount of network traffic flowing into and out of the cache engine(s) within the CACHEBOX. The deployment mode affects the data shown here:
 In Explicit mode, the traffic being sent back to clients out of the cache engine is all returned to the client from the explicit listening port, and the type of traffic (HTTP vs HTTPS) cannot be distinguished at the network level. The upstream requests are determined based on port number, showing as Cache In (HTTP) and Cache In (HTTPS).
 In interception / transparent modes, the outgoing traffic returning to clients can be distinguished by port number, and is shown as Cache Out (HTTP) and Cache Out (HTTPS) (if HTTPS interception is available). Any network traffic which uses 'Proxy Bypass' - or which is not intercepted in bridge mode - will not be shown in this chart, which only shows network data entering and leaving the cache engine.
 In Advanced mode, a combination of explicit and interception modes may be used - in which case all the data series may show information as detailed above.


Interface Throughput – The volume of data being transmitted and received by each of the network interfaces on your CACHEBOX.
Load Average – This is a metric commonly used on servers. The higher the load the more the CACHEBOX is being used, and a high load may result in slower response times.
Disk IO – This graph shows the rate at which data is being written to and read from each of the disks in the CACHEBOX. The disk IO data can help diagnose problems related to the performance of the disks.

If the server takes too long in preparing the data you may see a message telling you that
another attempt is being made.

Statistics
The ‘Statistics’ page provides a quick overview of several statistics related to the web
caching service. The information contained on this page will depend on the
configuration of this CACHEBOX.


The information on this page comes from a database containing a series of counters
measuring important information about the web caching service. These counters are
updated multiple times a minute.
Recent data is stored at a high resolution. As data gets older the resolution decreases.
This allows years of statistics to be stored on this appliance.

For detail on how to select graph data using the options at the top of the page, see
“Introduction to the Web Interface” in Section 2.

The following graphs are shown on this page:

Cache Usage – Shows the amount of storage space used by each of the cache stores.
File Descriptors – Each connection that the web cache service opens has one or more file descriptors. There is only a limited number of file descriptors which can be held open at once.
Memory Use – This graph shows how much memory the web caching service is using. There may be issues if too much memory is being used as this will reduce the memory available to other processes on the system. You can monitor the overall memory usage statistics on the ‘System Reports’ page.
Uptime – This graph displays the uptime of the caching service in minutes. If there are breaks in the graph, it is likely that the reporting service has stopped rather than the caching service, and this may be indicative of a loaded box.

If the server takes too long in preparing the data you may see a message telling you that
another attempt is being made.


Settings
Here, you configure settings for your CACHEBOX reporting: which reporting statistics
CACHEBOX accumulates and how they are presented. By default all reports show all client
traffic; however, additional detail on particular subsets of the traffic can also be added.

The Reporting Settings section lets you enable or disable different types of reports.
Additional reports may be viewed and downloaded as PDFs or CSV files on the ‘Reports’
> ‘Periodic’ page. Each additional enabled report will use more resources, so disable
any which are not needed.
The following settings are available:

Enable reporting – If disabled, no new periodic or scheduled reports will be created. This will free up some resources. Disabling all reporting is possible, but not recommended as CACHEBOX performance and status will be more difficult to measure.
Create Peak-Time report – This report covers only the peak time specified in ‘Cache’ > ‘Other’.
Create Pre-Cache report – This report shows requests made as part of pre-cache operations.
Create Static Content report – This report shows requests served from the Static Content store.


Create HTTP-only report – This creates an additional report for only HTTP traffic. It will exclude CONNECT requests.
Create Range Request report – This report displays client range requests.
Create Errored Request report – This report shows client requests with error HTTP status codes (4xx or 5xx).
Create Custom Domains report – This report shows custom domains that can be specified in the Custom Domain Report section on the same page.

CACHEBOX can create a custom report including or excluding a user-defined list of
domains.
All subdomains of the given domains will also be included/excluded in the custom
report. For example, entering yahoo.com under the Custom Domain Report section will
include all yahoo subdomains, such as uk.yahoo.com and mail.yahoo.com, as well as yahoo.com.
Instead of domains, you can specify IPv4 addresses and networks. The addresses may
be either individual IPs (e.g. 10.1.2.3) or CIDR networks (e.g. 10.1.0.0/16).
In advanced mode, one can add a list of domain/IPv4 addresses separated by new
lines.
To specify the domains to be included in the Custom Domains report, click ADD DOMAIN
under the Custom Domain Report section.
To specify the domains to be excluded from the Custom Domains report, click ADD
DOMAIN under the Exclude From Reports section.
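As an added illustration of the matching rules above (this is example code, not CACHEBOX's own implementation), the following filter treats each listed domain as covering itself and all its subdomains, accepts single IPv4 addresses or CIDR networks as entries, and lets the Exclude From Reports list override the Custom Domain Report list. Function names and the sample entries are assumptions.

```python
"""Added example (not ApplianSys code): decides whether a request belongs in a
Custom Domains report using the matching rules the guide describes. A listed
domain matches itself and every subdomain; entries may instead be single IPv4
addresses or CIDR networks; and the Exclude From Reports list takes precedence
over the Custom Domain Report list. Function names and sample data are made up."""
import ipaddress
from urllib.parse import urlsplit


def _parse_entry(entry: str):
    """Return ('net', IPv4Network) for an IP or CIDR entry, else ('dom', domain)."""
    entry = entry.strip().lower().rstrip(".")
    try:
        # strict=False lets a plain host address such as 10.1.2.3 become a /32
        return ("net", ipaddress.IPv4Network(entry, strict=False))
    except ValueError:
        return ("dom", entry)


def parse_entries(text: str) -> list:
    """Advanced mode: one domain or IPv4 address/network per line."""
    return [_parse_entry(line) for line in text.splitlines() if line.strip()]


def _host_of(url: str) -> str:
    """Hostname of an absolute URL, or of a CONNECT-style host:port target."""
    if "://" not in url:
        return url.split("/", 1)[0].rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def _matches(host: str, entries: list) -> bool:
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        addr = None  # a name, not an address
    for kind, value in entries:
        if kind == "net":
            if addr is not None and addr in value:
                return True
        elif addr is None and (host == value or host.endswith("." + value)):
            # yahoo.com also covers uk.yahoo.com and mail.yahoo.com, but not
            # notyahoo.com, because the match is on a whole label boundary
            return True
    return False


def in_custom_report(url: str, include: list, exclude: list) -> bool:
    """True if the request's destination should appear in the custom report."""
    host = _host_of(url)
    if _matches(host, exclude):
        return False
    return _matches(host, include)
```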


Schedule
The ‘Scheduled Reports’ section shows you all reports which are scheduled to be sent via
email. A report contains an overview of performance and traffic statistics. It will be sent
as a PDF attachment to one or more email addresses.

The following information is displayed here:

Report – The column specifies the kind of report to be sent
When – When the report is scheduled to be generated and sent
Actions – To edit or remove a report, click on the relevant icon in the column

To create a new scheduled report click ADD.


When you schedule a report you need to provide the following information:

Report Time Range – What data the report is going to include.
 Yesterday - data from midnight yesterday to 00:00 on the day the report is generated
 Last Week - data from midnight last Monday to 00:00 the following Monday
 Last Month - data from midnight on the 1st of last month to midnight on the 1st of the month the report is generated
Send Report At – What time the report should be generated. It is not guaranteed that the report will be generated and sent at exactly the time chosen. If the appliance is very busy, the report may be delayed by a few minutes.
Recipient Email Addresses – Provide one or more email addresses (one per line).

If you fail to receive a scheduled report, verify that an SMTP server has been configured
correctly.


SECTION 4:
FREQUENTLY ASKED QUESTIONS

This reference section helps you quickly find answers to the most common questions asked
about CACHEBOX by users deploying it.

IN THIS SECTION
Deployment 190
Appliance Management 191
Security 191
Hardware 191


Deployment
How do we deploy CACHEBOX? What are the options?
For service providers, typically CACHEBOX is deployed transparently via either:
 HTTP Redirection (Policy-Based Routing or WCCP modes) or
 HTTP Interception (Bridge Mode)
See the deployment section of this guide for more information.
How can I configure my web browsers to work with CACHEBOX?
If CACHEBOX is not deployed transparently, then users will need to have their browsers
configured to forward web traffic via your CACHEBOX. Options to do this are provided
in all modern browsers (please contact your support for details). In the case of Microsoft
Internet Explorer running on workstations that are part of an Active Directory domain the
configuration can be done centrally using group policy.
How can I deploy CACHEBOX transparently?
Depending on the firewalling rules you have configured, CACHEBOX will forward traffic
sent via it, redirecting any HTTP traffic to its caching engine. It can act as a gateway for
a network segment or have TCP port 80 traffic sent to it by another router.
What is the default proxy port and can it be configured?
TCP port 800. It can be changed on the Basic Settings page. Navigate to ‘Cache’ >
‘Basic’.
What is the default web interface port and can it be configured?
TCP port 443. It can be changed on the Services page. Navigate to ‘Network’ >
‘Services’.
Can you cache dynamic data/SSL traffic?
Dynamic data can be cached if required, and notification from sites not to cache pages
can be overridden using ACLs. However, some caution should be used, since user-specific
session data may be stored in the pages. CACHEBOX supports SSL traffic but will not
cache the contents. This is to prevent the appearance of a ‘man in the middle’ attack.
Does CACHEBOX support transparent FTP?
It neither supports explicit nor transparent FTP.
Can we log user activity?
Yes. By default the IP addresses of all workstations accessing web pages are logged.


Appliance Management
How do I access CACHEBOX to manage it?
Initial network configuration can be done via a console (accessible by plugging a
monitor and keyboard into the device), after which all administration is performed via a
secure web interface. This can be accessed by any browser on any operating system
and does not rely on technologies such as Java, Flash etc. If required, access to the
interface can be limited to certain IP addresses for extra security.

Security
How do we apply the latest security patches?
Patches are supplied by ApplianSys. They are easily applied via the secure web
interface - shell access is not required. The Operating System was designed with security
as a priority so all non-essential tools were left out from the start. Often when a problem
is found in software such as Squid, a patch is not required because the vulnerable code
is not on the appliance.

Hardware
What input voltages will CACHEBOX work with?
110-240 volts.
Is it possible to rewrite the operating system Compact Flash card?
Yes; however in all except the rarest cases, it is not required. The update mechanism is
used for standard upgrades.
The following procedure requires an operating system image to be made available to
you by ApplianSys support. You will need a computer running Microsoft Windows and a
USB Compact Flash card reader. Mac OS X (Disk Utility) and Linux (dd) can also be used
but these are not covered below.
1 Power down the CACHEBOX and remove the operating system card. Do not
remove the card whilst power is on or you could potentially damage your data
2 Download and install WinImage: http://www.winimage.com/
3 Plug in a compact flash card reader with CACHEBOX OS card inserted
4 Open WinImage and click ‘Disk’ > ‘Restore Virtual Harddisk Image on virtual drive’
5 When prompted with a list of removable drives, choose the right one and click OK
6 When prompted for an image to restore, select the CACHEBOX dd image file from
your hard disk (ensure you choose All Files from the Files of Type drop down list)
7 When asked "Do you want to erase disk content", answer YES
8 The image will now be written to the CF card
9 Once complete, reinsert the card into CACHEBOX and power on
10 You will need to log in via the console and configure new network settings
11 Once you are able to access the web interface you will need to send the Server
Code displayed on the Licensing page (‘System’ > ‘Licensing’) to
support@appliansys.com for an activation code to be generated for you


APPENDICES

Appendix A: SSH Command Line Access


Enabling/Disabling SSH
SSH access is not needed in most set-ups but can be useful for administrators familiar
with Linux operating systems and Squid, and who wish to run advanced diagnostics.

This mode should only be used by advanced users. Those unfamiliar with Linux are
strongly advised against enabling SSH access. If you are not an advanced user, you
should use the ‘Tools’ page in the ‘Network’ menu to do basic connectivity tests.

When configuring CACHEBOX via the command line, it is possible to make mistakes
which cannot be undone and permanently damage your data. If damage does occur,
the compact flash card(s) and disk(s) may need to be rewritten before normal operation
can be resumed, resulting in loss of data.

You can gain SSH access to the CACHEBOX as the admin user. Once logged in, you can run
console_ui to change network settings.

CACHEBOX uses a proprietary Linux based operating system developed by ApplianSys
for use in its appliances. Whilst it will be familiar to users of other Linux systems, restrictions
set by ApplianSys for reasons of security and performance will limit what you can
achieve via the shell.
ApplianSys does not include a compiler on any of its appliances. Installation of other
software is restricted, strongly discouraged and may cause support requests to be
denied.


The console should not be used to configure services – doing so could affect your ability
to make future changes via the web interface. Additionally, many of the files in
directories such as /etc are automatically generated at boot time, meaning that
changes will be overwritten.
Useful commands that are present to aid diagnostics and deployment include:
 tracepath – perform a traceroute
 ping – check availability of remote systems
 telnet – create TCP connections
 nslookup – perform DNS lookups
 nano – a simple text editor
 vi – an advanced text editor
 wget – download web objects over HTTP and HTTPS
 squidclient – perform diagnostics on squid
 who – check which users are logged in
 top – view CPU and Memory usage
 netstat – view network connections
 ifconfig – review network settings and make run time modifications (may be
overwritten – use console_ui instead)
 ssh – connect to a remote system
 dmesg – review system messages
 rr-diagnostics – run a series of diagnostics to check for network connectivity
and that web content can be cached
To gain root access run “sudo su -”, after which the following additional commands
are available:
 tcpdump – sniff traffic on network interfaces
 route – review the routing table (modifications will be automatically overwritten
almost immediately – to make changes please use the web UI)
 reboot – immediately reboot
 reset_appliance – remove all configuration (but not cached objects, logs &
reports) and reboot the appliance
 shutdown – shut down either now (-h now) or at a scheduled time

You should only use the reboot and shutdown commands if you have no access to the
web interface, as this method does not record a reason for the reboot/shutdown in the
system log.


Appendix B: HTTP Status Codes


Status codes seen on the HTTP Status Report may include:

Code – Description
TCP_HIT – Objects that were in the cache
TCP_MEM_HIT – Objects in the cache, and in memory
TCP_NEGATIVE_HIT – Hits for errors, e.g. 404 Not Found
TCP_MISS – Objects not in the cache, i.e. had to be retrieved from the Internet
TCP_REFRESH_HIT – Stale objects that were in the cache. A stale object is one whose age is greater than its expiry time
TCP_REFRESH_MISS – A stale object that has been modified and had to be retrieved from the Internet
TCP_CLIENT_REFRESH – Browser refresh with instructions to retrieve again from the Internet
TCP_IMS_HIT – A request to see whether the cached object is fresh, and it was found not to be stale
TCP_IMS_MISS – A request to see whether the cached object is fresh, and it was found to be stale
TCP_DENIED – Access denied
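The result codes above are what separate a cache hit from a miss when the Reports pages compute the Byte Hit Ratio, Document Hit Ratio, Bandwidth Saved, Requests Saved and Top HTTP Status Codes described in the Performance section. The following added example (not CACHEBOX's own code) derives those figures from access log lines; since the guide does not show the appliance's log layout, Squid's native access.log format is assumed and the log lines are constructed sample data.

```python
"""Added example (not ApplianSys code): derives the Performance page's Document
Hit Ratio, Byte Hit Ratio, Bandwidth Saved and Requests Saved, the Top HTTP
Status Codes, the Errored Request (4xx/5xx) count and per-domain hit rates from
access log lines, classifying each line by the TCP_* result codes in Appendix B.
Squid's native access.log format is assumed; the log lines are constructed."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Result codes where the object was served from the cache without a full download
# from the origin (see Appendix B). All other codes (TCP_MISS, TCP_REFRESH_MISS,
# TCP_CLIENT_REFRESH, TCP_IMS_MISS, TCP_DENIED) are treated as saving no bandwidth.
HIT_CODES = {"TCP_HIT", "TCP_MEM_HIT", "TCP_NEGATIVE_HIT", "TCP_REFRESH_HIT", "TCP_IMS_HIT"}

# Constructed sample: time elapsed client RESULT/status bytes method URL user hier/peer type
SAMPLE_LOG = """\
1505470000.123  310 10.1.2.3 TCP_MISS/200 524288 GET http://www.example.com/video.mp4 - HIER_DIRECT/93.184.216.34 video/mp4
1505470001.456   12 10.1.2.4 TCP_HIT/200 524288 GET http://www.example.com/video.mp4 - NONE/- video/mp4
1505470002.789    3 10.1.2.5 TCP_MEM_HIT/200 4096 GET http://www.example.com/style.css - NONE/- text/css
1505470003.012  220 10.1.2.3 TCP_REFRESH_MISS/200 8192 GET http://news.example.org/index.html - HIER_DIRECT/203.0.113.10 text/html
1505470004.345    2 10.1.2.6 TCP_NEGATIVE_HIT/404 512 GET http://www.example.com/missing.png - NONE/- text/html
1505470005.678  150 10.1.2.7 TCP_MISS/503 1024 GET http://down.example.net/ - HIER_DIRECT/198.51.100.5 text/html
1505470006.901    5 10.1.2.8 TCP_DENIED/403 2048 GET http://blocked.example.com/ - HIER_NONE/- text/html
"""


def parse_line(line: str) -> dict:
    """Split one Squid-native log line into the fields the reports need."""
    f = line.split()
    result, status = f[3].split("/")
    return {"client": f[2], "result": result, "status": int(status),
            "bytes": int(f[4]), "host": urlsplit(f[6]).hostname or f[6]}


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def summarise(log_text: str) -> dict:
    """Aggregate a block of log lines into the report figures."""
    docs = total_bytes = hit_docs = hit_bytes = errored = 0
    status_counts = Counter()
    per_domain = defaultdict(lambda: [0, 0])  # host -> [requests, hits]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        docs += 1
        total_bytes += r["bytes"]
        status_counts[r["status"]] += 1
        per_domain[r["host"]][0] += 1
        if 400 <= r["status"] < 600:  # what the Errored Request report counts
            errored += 1
        if r["result"] in HIT_CODES:
            hit_docs += 1
            hit_bytes += r["bytes"]
            per_domain[r["host"]][1] += 1
    return {
        "document_hit_ratio": _pct(hit_docs, docs),
        "byte_hit_ratio": _pct(hit_bytes, total_bytes),
        "requests_saved": hit_docs,
        "bandwidth_saved_bytes": hit_bytes,
        "errored_requests": errored,
        "top_status_codes": status_counts.most_common(),
        # Request destinations by domain: (host, requests, hit rate %), busiest first
        "top_domains": sorted(((h, n, _pct(k, n)) for h, (n, k) in per_domain.items()),
                              key=lambda t: -t[1]),
    }
```

Running summarise(SAMPLE_LOG) on the seven constructed lines gives a document hit ratio of 42.9% but a byte hit ratio of 49.7%, showing why the two ratios diverge when large objects are the ones being hit.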


Appendix C: IP-KVM option


An IP-KVM (Keyboard-Video-Mouse) option is now available on some models to help
users administer their units without having to physically access them, particularly if there
is a problem. The add-on uses a second independent network connection, allowing you
to access and control a unit even if its firmware isn’t running:
 View the unit's full boot sequence
 Access the console of the device
 Access BIOS/CMOS configuration
 Recover from misconfiguration that blocks management access
 Perform a physical Reboot (in the event of failure or ‘hard lock’)

Log in details
 Login (for all models except CACHEBOX420): admin / admin
 Login (for CACHEBOX420): ADMIN / ADMIN
 Default IP address: 10.10.10.1

The default IP address can be changed to another static address or configured to use
DHCP once logged in to the KVM management interface

Deployment instructions
To connect your unit to the network, insert a network cable into the dedicated
DM_LAN1 console port above the USB ports.


Using the Remote KVM option


If your unit becomes unavailable you can configure it using the remote KVM option.

Customers of CACHEBOX130 and CACHEBOX420 will see a slightly different menu
structure; however, all of the same options are available.

Logging in
Type the IP address and the details provided above to log in:

Using Google Chrome may cause issues. It is recommended you use Mozilla Firefox or
Internet Explorer.

System Information
Once you log in you will see a section with general information about the system:


Server Health
The Server Health section shows you data related to the server's health, such as sensor
readings and the event log.

Configuration
The Configuration menu allows you to edit any network settings. You can use the pages
on this menu to configure various settings, such as alerts, users, or network.

Network Settings
If using DM_LAN1 is not your preferred option, KVM access can be shared onto LAN1
using its own IP. The IP can be configured statically or via DHCP.


Navigate to Configuration > Network to change your preferred settings.

Clicking the Power Control button shows you the server power status. To perform a
power control operation, select one of the options below and press Perform Action.

Clicking the Console Redirection button allows you to launch the redirection console
and manage the server remotely.


This does not work on Google Chrome. Please make sure you use an alternative
browser.

The Power Button option allows you to enable or disable the physical power button:
select one of the options below and press Perform Action.

Notes