Problem: If you have set up a SAML realm, users might experience dropped connections if the ProxySG appliance uses the default policy of Deny. When the policy is set to Deny, the appliance intercepts and denies requests to the IDP.
Resolution: Install the following policy to allow requests to the IDP:
<Proxy>
authenticate(<realm-name>)
<Proxy>
allow group=saml_users
<Proxy>
allow url.host=<hostname>
In the previous policy example, <realm-name> is the name of the SAML realm and <hostname> is the hostname of the IDP.
Chapter 7: Reference
See the following reference topics for more information about authentication.
BCAAA Compatibility Matrix
Locate Browser Proxy Settings
SAML Reference
Federation and Metadata
Assertions
Profiles and Bindings
Backing up the ProxySG Appliance
Every SGOS release is compatible only with a specific BCAAA version. Before installing SGOS, always ensure you are running the compatible BCAAA version for that release. You must install the compatible BCAAA service before upgrading or downgrading SGOS.
If you do not install the compatible BCAAA version before upgrading or downgrading, authentication will fail and you will not be able to reach any internal or external servers to download a compatible version. Do not delete any existing BCAAA installations as this will cause authentication failure for any appliances running SGOS versions that require that version.
If you have multiple appliances running different versions of SGOS:
You must have the appropriate version of BCAAA for each SGOS version. However, when you install a new version of BCAAA on your Windows server, previous versions are maintained (that is, the bcaaa.ini and bcaaa-nn.exe files are not removed during the upgrade) and will automatically be used to service requests from appliances running the corresponding SGOS version. For example, if you are planning to upgrade to SGOS 6.1.x from SGOS 5.3.x, you must first upgrade your BCAAA server to version 130. However, when you do so, bcaaa-120.exe will continue to run on the server so that authentication will still work on any appliances running SGOS 5.3.x. Similarly, if you are running SGOS 5.4.2.2 with BCAAA version 130 and then install BCAAA version 120 so that you can downgrade to SGOS 4.2.10.1, SGOS 5.4.2.2 continues to use BCAAA version 130 until you have downgraded.
If you need to install multiple BCAAA versions on the same server:
Install the lowest BCAAA version first before any later versions, allowing each version to uninstall the previous version (yet continue to be compatible with those SGOS versions).
| Appliance Operating System | Required BCAAA Version and Location |
| --- | --- |
| SGOS 6.3.x | BCAAA 130: Go to https://bto.bluecoat.com/download/product/9063 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 6.2.x | BCAAA 130: Go to https://bto.bluecoat.com/download/product/7375 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 6.1.x | BCAAA 130: Go to https://bto.bluecoat.com/download/product/5351 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 5.5.x | BCAAA 130: Go to https://bto.bluecoat.com/download/product/41 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 5.4.x | BCAAA 130: Go to https://bto.bluecoat.com/download/product/17 and click the Windows BCAAA link that corresponds to your OS version. Note: SGOS 5.4.x includes a new release of BCAAA 130 which adds support for Windows Server 2008. The initial version of BCAAA 130 (which shipped with SGOS 5.4.1.x) does not support Windows Server 2008. |
| SGOS 5.3.x | BCAAA 120: Go to https://bto.bluecoat.com/download/product/16 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 5.2.1, 5.2.2, 5.2.3 | BCAAA 120: Go to https://bto.bluecoat.com/download/product/15 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 5.1.1.x, SGOS 5.1.2, SGOS 5.1.3, SGOS 5.1.4 | BCAAA 110: Go to https://bto.bluecoat.com/download/product/14 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 4.3.x | BCAAA 120: Go to https://bto.bluecoat.com/download/product/13 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 4.2.3, SGOS 4.2.4 | BCAAA 120: Go to https://bto.bluecoat.com/download/product/13 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 4.2.2 | BCAAA 110: Go to https://bto.bluecoat.com/download/product/13 and click the Windows BCAAA link that corresponds to your OS version. |
| SGOS 4.2.1 | BCAAA 100: Go to https://bto.bluecoat.com/download/product/13 and click the Windows BCAAA link that corresponds to your OS version. |
If you are using an explicit proxy deployment, you must set up each client Web browser to use the ProxySG appliance as its proxy server.
Use the following table to help you locate the browser proxy settings:
| Browser | Proxy Configuration Settings |
| --- | --- |
| Internet Explorer | Tools > Internet Options > Connections > LAN Settings |
| Firefox | Tools > Options > Advanced > Network > Settings > Manual Proxy Configuration |
| Chrome | Options > Under the Hood > Change proxy settings > LAN settings |
| Safari (Macintosh) | Apple menu > System Preferences > Internet & Wireless > Network > Advanced > Proxies |
| Safari (Windows) | Settings menu > Preferences > Advanced > Proxies > Change Settings > LAN settings |