Unified Agent Access Method


Copyrights

© 2016 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas: Blue Coat Systems, Inc., 384 Santa Trinita Avenue, Sunnyvale, CA 94085

Rest of the World: Blue Coat Systems International SARL, 3a Route des Arsenaux, 1700 Fribourg, Switzerland


Blue Coat Web Security Service: Unified Agent Guide

The Blue Coat Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, the Web Security Service leverages Blue Coat's proven security technology as well as the WebPulse™ cloud community of over 75 million users.

With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roaming users.

To provide security to employees who take corporate clients beyond the corporate network, such as laptops on business trips, Blue Coat provides the Unified Agent that routes web requests through the Web Security Service.

This brief provides remote client conceptual information and installation tasks. The document breaks out information into phases:

- "Learn..." on page 9
- "Configure..." on page 21
- "Troubleshoot..." on page 63

This document contains topics collected from the Web Security Service online documentation. For the complete doc set, see:

https://bto.bluecoat.com/documentation/All-Documents/Web%20Security%20Service

Table Of Contents

Copyrights  3
Blue Coat Web Security Service: Unified Agent Guide  5
Table Of Contents  5
Learn...  9
  About Remote User Protection  10
    Additional Security with the Unified Agent  10
    High-Level Example  10
    Example Data Flow  11
    Dynamic User Location Example  12
    About Bypassed Non-Routable IP Addresses  12
    About Proxy Avoidance Attempts  13
    About Password Protection  13
    Challenge-based Authentication (Captive Portal)  13
    About Time Zones  13
    Why Select This Method?  13
  About Challenge-based Auth (Captive Portal)  14
    A—On-Premise WiFi (Captive Portal Over IPsec)  15
    B—Explicit Proxy  15
    C—Remote Users (Unified Agent)  16
    D—Quick Authentication Demonstration (Roaming Captive Portal)  16
    Additional Information  16
    About Challenges  16
    Enable Captive Portal?  17
  Reference: Required Locations, Ports, and Protocols  18
    Access Methods  18
    Additional Trans-Proxy Information  18
    Authentication  19
  Supported Client Operating Systems  20
    Unified Agent  20
    Legacy Client Connector  20
Configure...  21
  Plan  21
  Install  21
  Configure Service  21
  Plan the Remote User Access Method  22
  Select Remote Client Access Method  23
    Windows 7, 8, 10  23
    Windows XP  23
    Apple OS X 9.x/10.x  23
  Windows: Unified Agent Single Client Installation  25
    Next Selection  27
  Windows: Unified Agent GPO Distribution  28
    Next Selection  30
  Windows: Client Connector Single Client Installation  31
    Next Selection  35
  Mac OS X: Unified Agent JAMF Distribution  36
  Mac OS X: Unified Agent Single Client Installation  40
    Next Selection  42
  Set Unified Agent Network/Security Options  43
  Prevent IP/Subnet From Routing to the Web Security Service  46
    Notes  46
    Manually Add IP Addresses  46
    Import IP Address Entries From a Saved List  47
  Prevent a Domain From Routing to the Web Security Service  48
    Notes  48
    Manually Add Domain Entries  48
    Import Domain Entries From a Saved List  49
  Block Web Access When Service is Unavailable to Remote Users  50
  Prevent Automatic Updates to Remote Clients  51
  Route Remote Connections Through an HTTP Proxy  52
    Next Step  53
  Forward a Specific Port from Remote Clients  54
  Require Authentication Challenges  55
  Verify Service Connectivity to Locations  56
    Mac  57
  Uninstall the Unified Agent  59
    Available Options  59
    Unified Agent—With Uninstall Token  59
      Information  59
      Procedure  59
        Windows  60
        OS X  61
    No Token Defined/Client Connector  61
        Windows  62
        OS X  62
        CLI  62
    Reference—MSI Versions  62
    MSI Version Mis-Match (Unknown MSI)  62
Troubleshoot...  63
  Unified Agent Drops Connections  64
  Manage Web Security Service Client Connections  65
  Manually Disable the Unified Agent  66
    Activate the Disable Option  66
    Instruct Employees How to Disable the Unified Agent  66
      Windows  66
      OS X  66
  Reference: Remote Client Application Package Versions  67
  Captive Portal Diagnostic Messages  68
  Review System Events Generated by Remote Clients  69

Learn...

This section describes the purpose of the Unified Agent application, which provides security to users who use corporate clients, such as laptops, outside of the corporate network.

- "About Remote User Protection" on page 10
- "About Challenge-based Auth (Captive Portal)" on page 14


About Remote User Protection

The Blue Coat Unified Agent (Client Connector for older OSes) provides web security to remote users when a route through the corporate network is not possible or practical. Remote users are defined as:

- Users with laptops that are taken outside of the corporate network.
- Users in micro-branch offices where it is not practical to deploy a corporate firewall or proxy.
- Users in micro-branch offices where the firewall does not support IPsec, or where the firewall is controlled by another entity such as an Internet service provider.

When installed on client systems, the Unified Agent works as part of the client system's configuration; after the application is installed, no further configuration is required on the client system. It directs content requests to the Blue Coat Web Security Service (ThreatPulse) over a secure connection (port 443). To enforce proxy avoidance, the Unified Agent detects and drops HTTP CONNECT method requests to any external, non-Web Security Service IP address. Because such connections are dropped, the user is unable to circumvent filtering and malware scanning.

Additional Security with the Unified Agent

Furthermore, the Unified Agent provides additional security features.

- The Unified Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.
- You can hide the Proxy Settings tab in the application, so employees cannot attempt proxy avoidance by routing traffic through another egress device.
- You can give employees the ability to temporarily disable the Unified Agent should they experience connection issues.

High-Level Example


Example Data Flow

1—A Sales person on business trip in India initiates a web request for a website.

2—The Unified Agent initiates a connection to the Web Security Service because it detects web-bound traffic on a port it is capturing. DNS performs a lookup on client.threatpulse.net to obtain the IP address of the nearest geographical Blue Coat Web Security Service data center. In this example, it is Mumbai. The connection to the Data Pod occurs over port 443.

2.1—If this is the initial connection, the client receives additional configuration.

3—The client establishes a tunnel to the service for each logged-in user, which serves content from the destination website.

4—In addition, the client establishes a default tunnel that is used for system level requests, such as Windows update or other requests initiated by a system owned process.

The Web Security Service provides the policy rule enforcement.


If the user logs in while on a protected network (for example, a corporate location), the client agent goes into passive mode; that is, the web use policies are enforced by the on-site web security service rather than by the agent.

The following diagram illustrates the various access points from remote users to the Web Security Service.

- A—An employee logs in and is detected by the on-premise network. As a gateway ProxySG appliance provides the security and web access policies, the Unified Agent enters Passive Mode; that is, it does not intercept any traffic.
- B—The same employee travels to a hotel near a client and logs into the hotel's WiFi service. The Unified Agent now engages and connects to the nearest Blue Coat Web Security Service datacenter, which provides the web access policies.

This allows you to write different policies for corporate locations versus remote locations; or you can implement common policy auto-synchronization.

About Bypassed Non-Routable IP Addresses

By default, the Web Security Service bypasses the following RFC 1918 addresses:

- 10.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.168.0.0/16


About Proxy Avoidance Attempts

To enforce proxy avoidance, the Unified Agent detects proxy HTTP requests in outbound streams on ports other than those configured to be forwarded to the service (typically 80 and 443). Such connections are dropped and the user is unable to circumvent filtering and malware scanning. The Unified Agent does not, however, interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the Unified Agent detects it and uses this connection to forward web traffic (on ports 80 and 443 by default). If the Unified Agent cannot connect with the PAC settings, it attempts a direct connection to the Web Security Service IP address. You can allow additional ports. Blue Coat also recommends adding internal subnets to the IP Bypass List so that internal traffic is not sent to the Web Security Service.
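The bypass list and the proxy-avoidance rule from the two topics above, worked as a small per-connection decision model. This is an added example and not Blue Coat's agent code: the default bypass ranges, the default forwarded ports (80 and 443), the CONNECT rule and the service addresses 199.19.250.192 and 199.116.168.192 are taken from this guide, while the Conn/decide/audit names, the absolute-URI heuristic and the sample connections are assumptions constructed for the example. One caveat on the bypass list: 169.254.0.0/16 is the link-local range (RFC 3927), not an RFC 1918 range, although the agent bypasses it in the same way.

```python
"""Decision model for the Unified Agent's handling of an outbound connection.

Added example, not Blue Coat code. The default bypass ranges, the default
forwarded ports (80 and 443), the service addresses and the rule that proxy
requests to non-service hosts are dropped come from the guide; the names
below and the sample connections are constructed for this example.
"""
import ipaddress
from typing import Iterable, List, NamedTuple

# Default bypass list from the guide. 10/8, 172.16/12 and 192.168/16 are the
# RFC 1918 private ranges; 169.254/16 is the RFC 3927 link-local range.
DEFAULT_BYPASS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the agent captures and forwards to the service by default.
FORWARDED_PORTS = frozenset({80, 443})

# Web Security Service addresses listed in the guide's access-method table.
SERVICE_IPS = frozenset(ipaddress.ip_address(a)
                        for a in ("199.19.250.192", "199.116.168.192"))


class Conn(NamedTuple):
    dst_ip: str
    dst_port: int
    first_line: bytes  # first request line seen in the outbound stream


def bypass_with(extra: Iterable[str]):
    """Default bypass list plus internal subnets you add (the guide recommends
    adding internal subnets so they are never sent to the service)."""
    return DEFAULT_BYPASS + [ipaddress.ip_network(n) for n in extra]


def looks_like_proxy_request(first_line: bytes) -> bool:
    """True for an HTTP request addressed to a proxy: a CONNECT method, or a
    request line whose target is an absolute URI (e.g. GET http://host/ ...).
    The absolute-URI check is an assumption added here; the guide names only
    the CONNECT case."""
    parts = first_line.split(b" ", 2)
    if len(parts) < 2:
        return False
    method, target = parts[0].upper(), parts[1].lower()
    return method == b"CONNECT" or target.startswith((b"http://", b"https://"))


def decide(conn: Conn, bypass=DEFAULT_BYPASS,
           forwarded_ports: frozenset = FORWARDED_PORTS) -> str:
    """Classify one connection as bypass, forward, drop or allow."""
    ip = ipaddress.ip_address(conn.dst_ip)
    if any(ip in net for net in bypass):
        return "bypass"      # internal destination: never sent to the service
    if ip in SERVICE_IPS:
        return "allow"       # the agent's own tunnel to a data center
    if conn.dst_port in forwarded_ports:
        return "forward"     # captured web port: tunnelled to the service on 443
    if looks_like_proxy_request(conn.first_line):
        return "drop"        # proxy avoidance: proxy request to a third-party host
    return "allow"           # other traffic on uncaptured ports passes through


def audit(conns: Iterable[Conn], **kwargs) -> List[str]:
    """Apply decide() to a batch, e.g. connections reconstructed from a capture."""
    return [decide(c, **kwargs) for c in conns]


if __name__ == "__main__":
    # Constructed sample connections (203.0.113.0/24 is documentation space).
    samples = [
        Conn("10.1.2.3", 8080, b"GET http://intranet/ HTTP/1.1"),
        Conn("203.0.113.10", 80, b"GET / HTTP/1.1"),
        Conn("203.0.113.10", 3128, b"CONNECT example.com:443 HTTP/1.1"),
        Conn("203.0.113.10", 22, b"SSH-2.0-OpenSSH_8.9"),
    ]
    for c, verdict in zip(samples, audit(samples)):
        print(f"{c.dst_ip}:{c.dst_port:<5} {verdict}")
```

The order of the checks matters: the bypass list is consulted first, so a CONNECT to an internal proxy on 10.0.0.0/8 is not flagged, and only a proxy-style request to an external, non-service host on an uncaptured port is dropped; plain non-HTTP traffic on those ports is left alone.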

About Password Protection

You can configure an uninstallation token in the portal. Users cannot uninstall the remote client application from their systems without the token. (For Client Connector, this requires a CLI command during setup.)

Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access. For more information, see "About Challenge-based Auth (Captive Portal)" on page 14.

MAC CLIENT NOTE

You can install the Unified Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client; the domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which allows users and groups to be available for policy checks.

About Time Zones

When a user's system connects to the Web Security Service from the Unified Agent, the time zone is the recognized system time of their machine.

Why Select This Method?


About Challenge-based Auth (Captive Portal)

By definition, challenge-based authentication displays a credential dialog to users each time they open a web browser. Users must enter their corporate network username and password into the dialog and click Accept before performing web content requests. In this context, this feature is also commonly referred to as Captive Portal.

The Blue Coat Web Security Service provides the Captive Portal as an alternative method to check user credentials rather than the method provided natively by the Unified Agent application that is installed on remote systems.

The Web Security Service provides the Captive Portal for the following deployment methods:

- As an alternative method to check user credentials rather than the method provided by the Unified Agent application that is installed on remote systems.
- Allows an authentication method for BYOD, where employees access the network from their personal devices.
- This option also provides user credential checks for Explicit Proxy (PAC file) deployments.
- Required for SAML Authentication integration (Firewall/VPN and Explicit Proxy Access Methods).
- Quickly configure a browser or device for authentication demonstration.


A—On-Premise WiFi (Captive Portal Over IPsec)

With the proliferation of bring your own device (BYOD), companies must find a way to accommodate employees who use their personal phones and tablets for both work and personal use. One method is to maintain a separate WiFi network for BYOD use. The WiFi network might be seen by the Web Security Service as its own location or as one or more subnets. With Captive Portal enabled, users must enter their network credentials. Credentials are cached for one day; however, a timeout occurs after one hour of inactivity. Closing and re-opening a browser window within that time does not trigger a new authentication challenge.

DEPLOYMENT NOTE: After a user authenticates from an IP address, all further requests from that IP address are treated as from that user. If the client is behind a NAT or on a multi-user system, the first user’s credentials will be used. For example, Employee A requests web content and the Web Security Service successfully authenticates him. Employee B then connects, but she is not sent an authentication challenge. She is seen as Employee A and thus receives all policy designated for Employee A.

B—Explicit Proxy

C—Remote Users (Unified Agent)

Without Captive Portal enabled, remote users log into the corporate network using their cached credentials. With Captive Portal enabled, the challenge dialog initiates from the client system, which ensures that the correct person logging in is recorded. This allows the system to be accessed by multiple users. Furthermore, the benefit for network administrators is that you have more control of your network access. If a laptop becomes lost or you need to deny a remote employee access, change their status in the Active Directory and that user's access credentials are then denied.

D—Quick Authentication Demonstration (Roaming Captive Portal)

Roaming Captive Portal allows you to quickly connect a non-enrolled device (mobile device or laptop) to the Web Security Service and receive an authentication challenge. For browsers, this allows the enforcement of employee credentials to access web content. For mobile devices, this allows for quick demonstrations of authentication and policy. These browsers/devices are configured to explicitly proxy to the Web Security Service, and a user's corporate e-mail address is used to validate access.

Additional Information

- Client systems must have third-party cookies enabled.
- Client systems must have the Blue Coat Web Security Service SSL Root Certificate installed in their browsers. This is described in the configuration topics.
- If your enterprise comprises multiple domains, users must enter the full domain name rather than just their login name. For example, they must enter [email protected], not just alan.user.
- If the Auth Connector becomes unavailable, the user receives the following error message: Authentication server error, connecting as unauthenticated user (the Web Security Service also adds the event to the diagnostic log). The behavior defaults to what happens when Captive Portal is not enabled; that is, the user's access credentials create a tunnel. For diagnostic analysis, this Advanced dialog entry is unauthenticated (user_name). For other diagnostic entries, see "Captive Portal Diagnostic Messages" on page 68.
- Verify that each user to be authenticated has their e-mail address attribute populated in the AD (User Properties dialog > General > E-mail). For example, EXAMPLECORP\alan.user has an e-mail attribute of [email protected]. If you are employing Exchange, default policies automatically create this attribute. If you are not employing Exchange and have a large number of users with undefined e-mail attributes in the AD, search online for resources about how to use a script to populate them.

About Challenges

When Captive Portal is enabled:

- Challenges are based on each browser session. For example, users are challenged when they open Firefox and then can browse (including new tabs). If they then open an Internet Explorer browser, they must enter their credentials in that browser to continue.
- Entered passwords, represented as auth tokens, are retained in a credential cache on the device in the data center that is processing authentication for that client. They are not stored permanently in the cloud. The credentials are valid for 24 hours for Captive Portal and 60 minutes for Roaming Captive Portal. The following conditions prompt employees to re-enter their credentials:
  - When the user attempts to reconnect to the web after those respective time thresholds.
  - If the user is inactive on the web for 60 minutes.
  - Other network activity, such as that employee's data getting moved from one data pod to another.
- The Auth Connector abides by the lockout settings in the AD. For example, the AD is configured to allow three


- If a lockout configuration exists and the user triggers it, or if the user attempts to use an expired password:
  - All web-bound transactions intended for the Web Security Service are dropped; all other traffic continues normally.
  - If the fault is an Auth Connector problem, the user connects to the Web Security Service as an unauthenticated user.
- If you disable an employee's account, the Web Security Service requires 15 minutes to complete the transaction; the employee is still able to browse during that time period.
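The credential-cache behaviour described in "About Challenges" and the shared-address hazard from the deployment note under "A—On-Premise WiFi", worked as a small model so the timing and attribution rules can be checked against each other. This is an added example, not Blue Coat code: the 24-hour and 60-minute lifetimes, the 60-minute inactivity timeout, the per-IP attribution and the lockout and Auth Connector outcomes come from this guide; the CredentialCache class, its method names, the clock handling, the caching of the unauthenticated fallback identity and the sample address are assumptions constructed here.

```python
"""Model of the Captive Portal credential cache behaviour described above.

Added example, not Blue Coat code. The lifetimes (24 hours for Captive Portal,
60 minutes for Roaming Captive Portal), the 60-minute inactivity timeout, the
per-IP attribution and the lockout / Auth Connector outcomes come from the
guide; the class and method names, the clock handling and the sample
addresses are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, Optional

MINUTE = 60
HOUR = 60 * MINUTE
LIFETIME = {"captive_portal": 24 * HOUR, "roaming": 60 * MINUTE}
INACTIVITY_TIMEOUT = 60 * MINUTE


@dataclass
class Entry:
    user: str
    issued: float      # when the credentials were accepted
    last_seen: float   # last request attributed to this entry


class CredentialCache:
    """Credential cache keyed by client IP address (as the guide describes).
    Keying by IP is what makes a shared NAT address or a multi-user system
    inherit the first authenticated user's identity and policy."""

    def __init__(self, mode: str = "captive_portal") -> None:
        self.lifetime = LIFETIME[mode]
        self.entries: Dict[str, Entry] = {}

    def request(self, client_ip: str, now: float) -> Optional[str]:
        """Return the user this request is attributed to, or None when the
        service must issue a new challenge."""
        entry = self.entries.get(client_ip)
        if entry is None:
            return None
        expired = (now - entry.issued >= self.lifetime
                   or now - entry.last_seen >= INACTIVITY_TIMEOUT)
        if expired:
            del self.entries[client_ip]
            return None
        entry.last_seen = now
        return entry.user

    def authenticate(self, client_ip: str, user: str, now: float, *,
                     password_ok: bool = True, locked_out: bool = False,
                     auth_connector_up: bool = True) -> str:
        """Outcome of a challenge response: 'authenticated', 'dropped'
        (lockout or expired password: web-bound traffic to the service is
        dropped) or 'unauthenticated' (Auth Connector unavailable: the user
        is connected unauthenticated and logged as 'unauthenticated (name)')."""
        if not auth_connector_up:
            # Assumption: the fallback identity is cached like a normal entry
            # so that the session behaves as it would without Captive Portal.
            self.entries[client_ip] = Entry(f"unauthenticated ({user})", now, now)
            return "unauthenticated"
        if locked_out or not password_ok:
            self.entries.pop(client_ip, None)
            return "dropped"
        self.entries[client_ip] = Entry(user, now, now)
        return "authenticated"


def shared_ip_scenario() -> Dict[str, Optional[str]]:
    """The deployment note's hazard: two employees behind one NAT address."""
    cache = CredentialCache()
    ip = "198.51.100.7"  # constructed, documentation range
    cache.authenticate(ip, "EXAMPLECORP\\alan.user", 0)
    return {
        "employee_a": cache.request(ip, 10 * MINUTE),
        "employee_b": cache.request(ip, 20 * MINUTE),  # no challenge, seen as A
        "after_idle_hour": cache.request(ip, 20 * MINUTE + 60 * MINUTE),
    }
```

shared_ip_scenario() shows why the NAT caveat matters for policy: Employee B's first request arrives while A's entry is fresh, so B is never challenged and inherits A's policy, and only an hour of shared inactivity (or the 24-hour lifetime) clears the entry.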

Enable Captive Portal?


Reference: Required Locations, Ports, and Protocols

Depending on your configured Blue Coat Web Security Service Access Methods, some ports, protocols, and locations must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.

Access Methods

Access Method | Port(s) | Protocol | Resolves To
Firewall/VPN (IPsec) | 80/443; UDP 500 (ISAKMP) | IPsec/ESP | Web Security Service IP addresses: 199.19.250.192, 199.116.168.192
Proxy Forwarding | 8080/8443; 8084* | HTTP/HTTPS | Port 8080 to proxy.threatpulse.net; Port 8443 to proxy.threatpulse.net; Port 8084 to proxy.threatpulse.net*
Explicit Proxy | 8080 | | To proxy.threatpulse.net; https://portal.threatpulse.com/pac
Trans-Proxy | 80 (VPN Tunnel) | | ep.threatpulse.net resolves to the following pseudo address:* 199.19.250.205 (* See more information after this table)
Unified Agent/Client Connector | 443 | SSL | Port 443 to client.threatpulse.net; Port 443 to proxy.threatpulse.net; Port 443 to portal.threatpulse.net (199.19.250.192)
MDM (registered iOS and Android devices) | UDP 500 (ISAKMP); UDP 4500 (NAT-T) | IPSec/ESP |
Roaming Captive Portal | 8880 | |

*If this forwarding host is configured for local SSL interception.

Additional Trans-Proxy Information


Authentication

Auth Method | Port(s) | Protocol | Resolves To
Auth Connector | 443 | SSL | auth.threatpulse.net: 199.19.250.193, 199.116.168.193; portal.threatpulse.net: 199.19.250.19. Additional Required Information: Reference: Authentication IP Addresses.
Auth Connector to Active Directory | 139, 445 | TCP |
 | 389 | LDAP |
 | 3268 | ADSI LDAP |
 | 135 | Location Services |
 | 88 | Kerberos |
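A practitioner opening firewalls for these access methods usually wants to confirm that an existing egress policy actually covers every destination the two tables above list. The following is an added example (not Blue Coat code) that checks a set of allow rules against the TCP 443/SSL destinations from the Access Methods and Authentication tables: the hostnames, ports and the addresses given in parentheses come from the tables; the Requirement and Rule types, the matching logic and the sample policy are assumptions constructed here.

```python
"""Check an egress policy against the port/host requirements in the tables above.

Added example, not Blue Coat code. The required destinations, ports and the
addresses given in parentheses come from the tables; the Rule/Requirement
types, the matching logic and the sample policy are constructed here.
"""
import ipaddress
from typing import FrozenSet, List, NamedTuple, Optional


class Requirement(NamedTuple):
    access_method: str
    host: str
    ip: Optional[str]   # address the guide lists for this host, if any
    proto: str
    port: int


# Rows from the Access Methods and Authentication tables (TCP 443 / SSL).
REQUIRED: List[Requirement] = [
    Requirement("Unified Agent/Client Connector", "client.threatpulse.net", None, "tcp", 443),
    Requirement("Unified Agent/Client Connector", "proxy.threatpulse.net", None, "tcp", 443),
    Requirement("Unified Agent/Client Connector", "portal.threatpulse.net", "199.19.250.192", "tcp", 443),
    Requirement("Auth Connector", "auth.threatpulse.net", "199.19.250.193", "tcp", 443),
    Requirement("Auth Connector", "auth.threatpulse.net", "199.116.168.193", "tcp", 443),
]


class Rule(NamedTuple):
    """One allow rule of an egress policy: dst is 'any', a hostname or a CIDR."""
    dst: str
    proto: str                # 'tcp', 'udp' or 'any'
    ports: FrozenSet[int]     # empty set means any port


def rule_covers(rule: Rule, req: Requirement) -> bool:
    if rule.proto not in ("any", req.proto):
        return False
    if rule.ports and req.port not in rule.ports:
        return False
    if rule.dst == "any" or rule.dst.lower() == req.host.lower():
        return True
    try:
        net = ipaddress.ip_network(rule.dst, strict=False)
    except ValueError:
        return False              # a hostname that does not match
    # An IP-based rule can only be judged where the guide gives the address.
    return req.ip is not None and ipaddress.ip_address(req.ip) in net


def uncovered(rules: List[Rule], required: List[Requirement] = REQUIRED) -> List[Requirement]:
    """Requirements that no rule in the policy allows."""
    return [r for r in required if not any(rule_covers(rule, r) for rule in rules)]


def describe(missing: List[Requirement]) -> List[str]:
    return [f"{r.access_method}: {r.proto.upper()} {r.port} to {r.host}"
            + (f" ({r.ip})" if r.ip else "") for r in missing]


if __name__ == "__main__":
    # Constructed sample policy: only one service subnet opened by address.
    policy = [Rule("199.19.250.0/24", "tcp", frozenset({443}))]
    for line in describe(uncovered(policy)):
        print("missing:", line)
```

Note that the hosts for which the guide gives no address (client.threatpulse.net and proxy.threatpulse.net) can only be satisfied by a hostname or "any" rule in this check, which is a useful reminder that an address-only egress policy cannot be verified against the table without resolving those names.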


Supported Client Operating Systems

If you plan to install the Unified Agent (or Client Connector) application onto employee systems to support remote access to the Blue Coat Web Security Service, those client systems must be one of the following operating systems:

Unified Agent

- Windows 7.x 32-64 bit (Pro and Enterprise)
- Windows 8.x 32-64 bit (Pro and Enterprise)
- Windows 10.x
- Apple OS X (Mavericks (version 10.9.x))
- Apple OS X (Yosemite (version 10.10.x))

Legacy Client Connector

n Windows XP SP3 32 Bit

Split Tunnel Prerequisite


Configure...

To connect remote users to the Blue Coat Web Security Service, you must download the Unified Agent application and install it on client systems, then configure various options on the service.

Plan

- "Plan the Remote User Access Method" on the next page

Install

- "Select Remote Client Access Method" on page 23
- "Route Remote Connections Through an HTTP Proxy" on page 52
- "Set Unified Agent Network/Security Options" on page 43

Configure Service

- "Prevent IP/Subnet From Routing to the Web Security Service" on page 46
- "Prevent a Domain From Routing to the Web Security Service" on page 48
- "Block Web Access When Service is Unavailable to Remote Users" on page 50
- "Prevent Automatic Updates to Remote Clients" on page 51
- "Route Remote Connections Through an HTTP Proxy" on page 52
- "Forward a Specific Port from Remote Clients" on page 54


Plan the Remote User Access Method

Complete the forms in the following sheet (one per location). Checkboxes are shown as [ ].

Remote Client OS
  Windows: [ ] Unified Agent: [ ] Windows 7 32-64 bit (excluding Home editions), [ ] Windows 8 32-64 bit (Pro and Enterprise), [ ] Windows 10; [ ] Client Connector: [ ] Windows XP SP3
  Apple OS X: [ ] Unified Agent: [ ] Mavericks (version 10.9.x), [ ] Yosemite (version 10.10.x)

Entrust Root CA 2048 Installed?
  Applies to Windows clients. Required for Internet connection. Consult the following Knowledge Base article: Entrust KB Article.

Network Information
  Proxy server locations:
  To where is the application downloaded (network/folder location)?

VPN Client Tunnel
  [ ] Split tunnel (cannot be full tunnel)

Corporate Web Use Policy
  List trusted sources:
  List trusted destinations:
  List blocked categories/types:

Captive Portal
  Enable challenge-based auth? [ ] Yes


Select Remote Client Access Method

To provide Blue Coat Web Security Service to remote users, you must download the Unified Agent and install it on client systems.

Windows 7, 8, 10

Select a Unified Agent installation method.

- Manual
- Group Policy Object (GPO)

Windows XP

Windows XP (SP3, 32 Bit) clients must run the legacy Client Connector application.

- Manual
- Group Policy Object (GPO): KB Article

Apple OS X 9.x/10.x

Select a Unified Agent installation method.


Windows: Unified Agent Single Client Installation

To provide Blue Coat Web Security Service to remote users on Windows 7.x, 8.x, or 10.x clients, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10.

For Windows XP, see "Windows: Client Connector Single Client Installation" on page 31.

Split Tunnel Prerequisite

The Unified Agent cannot coexist with full-tunnel VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients for split tunneling, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent. In Service Mode, select Mobility > Unified Agent.

- A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy; for example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.
- For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

If you elect to hide the Proxy tab but later decide you want the Unified Agent to display it, return to this page and enable the option. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Blue Coat Knowledge Base article:

https://kb.bluecoat.com/index?page=content&id=KB4968

Step 3—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the 32-bit or 64-bit buttons in the Windows 7+ Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.

As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.

Step 4—Install the Unified Agent on a Client System.

1. Launch the installer.

   a. In Windows, navigate to the directory where you saved the UnifiedAgentInstaller[32 | 64]-version_number.msi file. Blue Coat strongly recommends that you record this full MSI name; it might be required for future uninstallation tasks.

   b. Double-click the file, which launches the installer.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

When the system reboots, it connects to the Web Security Service and begins intercepting web-bound traffic.

1. In the Windows system tray, locate the Unified Agent icon and double-click it. Windows displays a dialog with the Status tab.

2. Verify that the connection to the Web Security Service is active.

(If the system detects a defined location, the agent displays ...in Passive Mode).

3. Use a browser on the client and attempt to access a site that belongs to a blocked category. The browser displays an exception (blocked content) page.

Next Selection

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.


Windows: Unified Agent GPO Distribution

To provide Blue Coat Web Security Service to remote users on Windows 7.x or 8.x clients, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10. This section describes how to use Group Policy Object (GPO) to distribute the Unified Agent to multiple Windows 7.x or 8.x clients.

This method does not support using a command line to add optional parameters.

Server Prerequisites

This method requires the following.

- A Windows 2008 or 2012 domain controller.
- A DNS server.
- The Active Directory (AD) and DNS must be functional; this includes the DNS lookups of the AD domain controller.
- Verify the client system can resolve the name of the AD server that contains the client library.

Split Tunnel Prerequisite

The Unified Agent cannot coexist with full-tunnel VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients for split tunneling, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent. In Service Mode, select Mobility > Unified Agent.

- A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy; for example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.
- For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Blue Coat Knowledge Base article:

https://kb.bluecoat.com/index?page=content&id=KB4968

Step 3—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the 32-bit or 64-bit buttons in the Windows 7+ Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.

As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory and files have Read and Execute file system rights.

Step 4—Distribute the Unified Agent


3. On the Group Policy tab, click New. Name the policy, such as InstallCloudClientMSI. Highlight the new GPO object and click Edit.

4. Navigate to Computer Configuration > Software Settings > Software installation.

   a. Right-click Software Installation and select New > Package. Verify that you have a valid UNC path. Click My Network Places > Entire Network > Microsoft Windows Network > server_domain > server_name > client_binary_share_name > select_the_binary.

b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software Installation and click Refresh.

5. If the workstation properly joins the domain, the client installs on the second reboot (it reads policy on the first bootup) and executes policy. The workstation installs the client and reboots once more.

6. Test.

Next Selection

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.


Unified Agent Guide/Page 31

Windows: Client Connector Single Client Installation

To provide the Blue Coat Web Security Service to remote users on Windows XP clients, you must download the legacy Client Connector and install it on client systems. See "About Remote User Protection" on page 10.

There are two Client Connector installation methods.

• The standard (default) installation provides the full web security service.

• With password protection. Users cannot uninstall the remote client application from their systems without a password, which you define and distribute as necessary. (Requires you to launch the installation wizard with a CLI command.)

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Blue Coat Knowledge Base article:

https://kb.bluecoat.com/index?page=content&id=KB4968

Step 2—Download the Client Connector Installer.

If you downloaded the Client Connector during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the button in the Windows Vista/XP section.


As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Client Connector. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.

Step 4—Install the Client.

Perform one of the following tasks.

Standard Installation

1. Launch the wizard:

In Windows, navigate to the directory where you saved the ClientInstaller32-version_number.msi file and double-click it to launch the installation wizard. The system displays the setup dialog.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.


1. Launch the wizard:

Open a command prompt (run as administrator), navigate to the directory that contains the installer and execute the following command, which is the installer name plus the option:

ClientInstaller32-version_number.msi SUP=password

Entering this command launches the installation wizard.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The remote client application installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Option 2—With Tamper Proofing (Hide the Proxy Settings tab).

1. Launch the wizard:

Open a command prompt (run as administrator), navigate to the directory that contains the installer and execute the following command, which is the installer name plus the option:

ClientInstaller32-version_number.msi HPUI=1

Entering this command launches the installation wizard.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The remote client application installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.


Open a command prompt (run as administrator), navigate to the directory that contains the installer and execute the following command, which is the installer name plus the options:

ClientInstaller32-version_number.msi SUP=password HPUI=1

Entering this command launches the installation wizard.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The Client Connector installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Step 5—Verify the Client Installation.

1. In the Windows system tray, locate the Client Connector icon and double-click it. Windows displays a dialog with the Status tab.

2. Verify that the connection to the Web Security Service is active.


Next Selection

• If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.


Mac OS X: Unified Agent JAMF Distribution

To provide the Blue Coat Web Security Service to remote users on Apple Mac OS X 9.x or later, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10.

JAMF provides a widely used software solution to distribute applications. This section describes how to distribute the Unified Agent to Mac/OS X clients. For general information about using JAMF policies and packages, see the user documentation for JAMF at www.jamfsoftware.com.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent. In Service Mode, select Mobility > Unified Agent.

• A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to Proxy Settings in agent option, which allows the Proxy tab to be visible after installation.

• For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is not visible nor available on the Unified Agent application on the employee's client system.

You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.


As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.

Step 3—High-Level JAMF Procedure

1. Create the upgrade packages for Unified Agent installation.

If you deploy both the on-box and cloud versions of the Unified Agent on your network, create two packages with different names.

2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.

3. Create a policy with the following settings.

• Category—Select the appropriate setting for your network.

• Triggers—Select the appropriate setting for your network.

• Execution Frequency—Once per device.

• Add the following script.


• Scope—Add the devices to update. Each of the devices must be marked as Managed.

• Restart—Not needed.

The interface displays the new policy in the list.

What Occurs on Employee Clients?

After you use JAMF to push the update package, the following events occur on the employee OS X client.

1. The client displays a Management Notification dialog.

2. The employee follows the prompts to accept and install the Unified Agent application.

Employee Template

(Optional) To notify your impacted employees and provide them with instructions, consider using the following template. Copy contents in an email; edit as needed; send.

[Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application called Unified Agent. Perform the following steps.

1. When your Mac client receives the update, the client displays a Management Notification.

2. To complete the installation, click through the prompts.

3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application. If you have any questions or issues, contact IT.

Next Selection

• If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.


Mac OS X: Unified Agent Single Client Installation

To provide the Blue Coat Web Security Service to remote users on Apple Mac OS X 10.9.x or later, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 10.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent. In Service Mode, select Mobility > Unified Agent.

• A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to Proxy Settings in agent option, which allows the Proxy tab to be visible after installation.

• For increased security in a production installation, Blue Coat recommends clearing this option, which means that the Proxy tab is not visible nor available on the Unified Agent application on the employee's client system.

If you elect to hide the Proxy tab, but decide you want the Unified Agent to display it, return to this page and enable it. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 3: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.


As a company that provides security services across the globe, Blue Coat supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installer.

Step 3—Install the Unified Agent on a Client System.

1. Launch the installer assistant.

a. Navigate to the directory where you saved the installer. Double-click it to mount the disk image.


2. Click Continue. The Unified Agent Installation wizard begins.

3. The installer displays a prompt for the administrator user name and password.

4. When the installation completes, click Close.

From the toolbar, select the Unified Agent icon and select Status. On the Advanced tab, verify that the agent is running (if you still require a proxy connection to the Internet, see below).

Next Selection

• If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 52.


Set Unified Agent Network/Security Options

The Web Security Service provides several options that allow you to specify how the Unified Agent behaves on the client and how to route traffic.

In Service Mode, select Mobility > Unified Agent.

This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.

Step 1—Configure client-side options.

a. Determine the Fail Behavior, which is what happens to web requests if the Web Security Service is not available from remote locations. For more details, see "Block Web Access When Service is Unavailable to Remote Users" on page 50.

b. You have the option to Prompt users when a new Unified Agent version is available, or to prevent automatic updates and distribute from a central location at a time of your choosing. For more details, see "Prevent Automatic Updates to Remote Clients" on page 51.

Step 2—Define Unified Agent-specific options.

The following configurations apply only to the Unified Agent.


can (temporarily) disable the Unified Agent. For a business use case and more information, see "Manually Disable the Unified Agent" on page 66.

c. Available for Unified Agent v4.4+. See "Uninstall the Unified Agent" on page 59 for more details.

Step 3—Select what connection provides the username (v.4.6+ only).

By default, a Unified Agent process sends the User ID through the tunnel to the Web Security Service. This ensures an accurate account of who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products that also intercept these connections, which causes the Web Security Service to erroneously view the username as something similar to the following. Examples of these products include anti-virus programs and applications that run browsers in a secure virtual container.

NT AUTHORITY\SYSTEM

This prevents user-based policy enforcement and reporting. To be compatible with third-party interceptions that cause this issue, instruct the Unified Agent to send the logged-in username (applies to Unified Agent v4.6+).

On the Mobility > Unified Agent page, select Logged in User ID from the Username Format drop-down list.

For a current list of known third-party applications that cause this issue, see NT AUTHORITY\SYSTEM Username Returned From the UA.

Step 4—Define Network Connections.


If clients are configured to have ports other than the defaults (80, 443, and 8080) listen for web requests, add those ports to the Web Security Service. For more information, see "Forward a Specific Port from Remote Clients" on page 54.

2. Bypass IP addresses/subnets and domains.

By default, the Web Security Service bypasses the following RFC 1918 addresses.

• 10.0.0.0/8

• 169.254.0.0/16

• 172.16.0.0/12

• 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service and the client connects directly.

Personal choices or business requirements might require you to configure the Web Security Service to bypass additional IP addresses/Subnets and Domains. For example, bypass test networks. 

Clicking the Network > Bypassed Sites link takes you to that screen, because this configuration is shared with other Web Security Service features.

• For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 46.

Client Connector only: the Web Security Service can only bypass the first 256 items in the list. If you require more, consider deploying the Unified Agent.

• Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See "Prevent a Domain From Routing to the Web Security Service" on page 48.
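The per-request routing decision that Step 4 describes (forwarding ports, the default bypassed ranges, the Client Connector 256-entry limit, and the v4.4+ domain bypass), worked through as an added Python model. This is example code, not Blue Coat's; the ServiceConfig field names, the placement of the 256-entry cap on the admin-added list, the subdomain matching rule and the evaluation order are assumptions, since the page does not state them.

```python
"""Model of how a remote client decides, per request, whether traffic is
forwarded to the Web Security Service, bypassed (sent direct), or not
intercepted at all. Added example, not Blue Coat code."""
import ipaddress
from dataclasses import dataclass, field

# Values stated on the page.
DEFAULT_BYPASS_NETS = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "169.254.0.0/16",
                        "172.16.0.0/12", "192.168.0.0/16")]
FIXED_FORWARD_PORTS = {80, 443}        # cannot be deselected in the portal
OPTIONAL_FORWARD_PORT = 8080           # selectable
CLIENT_CONNECTOR_BYPASS_LIMIT = 256    # Client Connector honours only the first 256 entries


@dataclass
class ServiceConfig:
    """Portal settings that matter for routing (field names are this example's own)."""
    agent: str = "unified_agent"          # or "client_connector"
    agent_version: tuple = (4, 6)
    forward_8080: bool = True
    additional_ports: set = field(default_factory=set)
    bypass_ips: list = field(default_factory=list)      # admin-added, in portal order
    bypass_domains: list = field(default_factory=list)  # admin-added

    def forward_ports(self):
        ports = set(FIXED_FORWARD_PORTS) | set(self.additional_ports)
        if self.forward_8080:
            ports.add(OPTIONAL_FORWARD_PORT)
        return ports

    def bypass_nets(self):
        # Assumption: the 256-entry cap applies to the admin-added list and
        # the four default ranges always apply on top of it.
        entries = self.bypass_ips
        if self.agent == "client_connector":
            entries = entries[:CLIENT_CONNECTOR_BYPASS_LIMIT]
        return DEFAULT_BYPASS_NETS + [ipaddress.ip_network(e, strict=False)
                                      for e in entries]

    def honours_domain_bypass(self):
        # Page: domain bypass is only available for Unified Agent v4.4+.
        return self.agent == "unified_agent" and self.agent_version >= (4, 4)


def host_matches(host, domain):
    """Assumption: a bypass domain matches itself and all of its subdomains."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def route(cfg, dest_ip, dest_port, dest_host=None):
    """Return 'not_intercepted', 'direct' (bypassed) or 'forward'.

    Assumed order: port filter, then IP/subnet bypass, then domain bypass."""
    if dest_port not in cfg.forward_ports():
        return "not_intercepted"          # the agent does not capture this port
    addr = ipaddress.ip_address(dest_ip)
    if any(addr in net for net in cfg.bypass_nets()):
        return "direct"
    # The page warns that a multi-homed bypassed domain may over-bypass:
    # every request under that name goes direct, whatever address it resolves to.
    if dest_host and cfg.honours_domain_bypass():
        if any(host_matches(dest_host, d) for d in cfg.bypass_domains):
            return "direct"
    return "forward"


if __name__ == "__main__":
    # Constructed sample configuration and requests (documentation ranges).
    cfg = ServiceConfig(additional_ports={8000}, bypass_domains=["intranet.example"])
    for ip, port, host in (("10.1.2.3", 80, None), ("203.0.113.10", 8000, None),
                           ("203.0.113.10", 8083, None),
                           ("203.0.113.20", 443, "wiki.intranet.example")):
        print(ip, port, host, "->", route(cfg, ip, port, host))
```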

Step 5—(Optional) Enable challenge-based authentication (Captive Portal).

To enforce accurate user credentials rather than rely on locally cached credentials, select Enable Captive Portal for remote users (using Unified Agent). This option requires deployment of the Auth Connector application, which integrates with your Active Directory to provide username and group information.


Prevent IP/Subnet From Routing to the Web Security Service

Some source IP addresses or subnets do not require Blue Coat Web Security Service processing. For example, you want to exclude test networks. Configure the service to ignore these connections.

Notes

• The Web Security Service allows an unlimited number of bypassed IP addresses/subnets. The exception is Client Connector, which only bypasses the first 256 entries.

• The setting is global; that is, it applies to every location/client in your Web Security Service account.

• Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.

Manually Add IP Addresses

1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.

2. Click Add Bypass IP(s). The service displays a dialog.

a. Enter an IP/Subnet.

b. (Optional) Enter a Comment.

c. (Optional) Click the + icon to add another row for another entry.

d. Click Add Bypass IP(s).


Import IP Address Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each entry in the file must be on its own line.

1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.

2. Click Add Bypass IP(s). The service displays the Add Bypass IP Address/Subnet dialog.

3. Click Add Bypass IP(s). The portal displays a dialog.

a. Select Import From File.

b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

c. Click Add Bypass IP(s).

All of the new entries display in the tab view. You can edit or delete any entry from here.


Prevent a Domain From Routing to the Web Security Service

IMPORTANT—This topic only applies to locations that use the Explicit Proxy and Unified Agent (v4.4+) Access Methods to connect to the Blue Coat Web Security Service. All other access methods ignore any bypass domain configurations.

Some destinations, such as intranets, do not require Web Security Service processing. Configure the service to ignore these connections. Another use case: you have a use policy enabled, such as blocking several leisure categories, but you want to relax restraints for remote users and allow their requests to bypass the Web Security Service en route to specific sites.

Notes

• The Web Security Service allows an unlimited number of bypassed domains.

• The setting is global; that is, it applies to every location/client in your Web Security Service account.

• Be advised that multi-homed domains might lead to over-bypassing a site.

• Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.

Manually Add Domain Entries


a. Enter a valid Domain.

b. (Optional) Enter a Comment.

c. (Optional) Click the + icon to add another row for another entry.

d. Click Add Bypass Domain.

The new entries display in the tab view. You can edit or delete any entry from here.

Import Domain Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of domains to be bypassed. Each entry in the file must be on its own line.

1. In Service Mode, select the Network > Bypassed Sites > Bypassed Domains/URL tab.

2. Click Add Bypass Domain(s). The service displays the Add Bypass Domain dialog.

3. Click Add Bypass Domain(s). The portal displays a dialog.

a. Select Import From File.

b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

c. Click Add Bypass Domain.

All of the new entries display in the tab view. You can edit or delete any entry from here.


Block Web Access When Service is Unavailable to Remote Users

By default, the Blue Coat Web Security Service allows remote clients unabated web access if the service becomes unavailable. For maximum security, set the fail behavior to block access until IT or Blue Coat restores the service.

1. In Service Mode, select Mobility > Unified Agent.

2. The default is Allow All Traffic. From the Fail Behavior drop-down list, select Block All Traffic.


Prevent Automatic Updates to Remote Clients

Blue Coat periodically updates the Unified Agent (or Client Connector), which is an application that allows remote users to connect to the Web Security Service. By default, the Web Security Service alerts remote users when a new Unified Agent software version is available. Similar to other application updates, the end user receives a prompt to update the software. They must click Install and follow the manual process to replace the current version with the new version (this operation does not require administrative access).

Your standard practices might not allow users to manage their own business applications. Or you might find it more efficient to roll out all business software updates on a set calendar basis. You can configure the Web Security Service to not notify end users of new Unified Agent updates, which allows you to download the new version to your central location and distribute it at a time of your choosing.

1. In Service Mode, select Mobility > Unified Agent.

2. For the Prompt client user for update option, select No.


Route Remote Connections Through an HTTP Proxy

If you encounter a situation that requires the Unified Agent or Client Connector to connect to the Blue Coat Web Security Service through an HTTP proxy, such as a test network trial or demonstration, you must provide the proxy IP address. Perform the following steps on Windows or Mac clients.

If you do not see the Proxy tab, you or another administrator installed the client with the option to hide that tab enabled. This is a higher-security measure that prevents employees from evading the corporate-to-Internet egress addresses that are linked to enforced browsing policies. If a particular client requires this setting, you must re-install the agent on the system.

In Windows

This section demonstrates the Unified Agent.

1. Right-click the Unified Agent icon in the system tray and select Proxy Settings.

a. Select the Connect to the Blue Coat Cloud Service using the HTTP proxy at: option.

b. Enter the IP address and port number in the appropriate fields.

c. (Optional) If required to gain access to the proxy server, enter the proxy user name and password.

d. Click Apply.

In OS X

This section demonstrates the Unified Agent.

1. Click the Unified Agent icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the dialog.


a. Select Connect to the Blue Coat Cloud Service using the HTTP proxy at.

b. Enter the HTTP proxy IP Address and Port.

c. (Optional) If the HTTP proxy requires a User Name and Password for access, enter those.

3. Click Apply.

Next Step


Forward a Specific Port from Remote Clients

By default, the Blue Coat Web Security Service accepts traffic from the Unified Agent (or Client Connector) installed on client systems on the common gateway ports of 80 (HTTP), 443 (HTTPS) and 8080 (Explicit Proxy HTTP). The default ports are not changeable, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS traffic, configure the Web Security Service to listen on those ports. For example, the Web Security Service must also listen on ports 8000 (HTTP) and 8083 (HTTPS).

1. In Service Mode, select Mobility > Unified Agent.

2. In the Forwarding Ports area, click Edit Ports. The service displays the Edit Forward Ports dialog.

3. Specify the ports.

a. Select Ports to Forward.

b. Default Ports—You cannot select the default ports of 80 and 443, but you can select 8080.

c. Additional Ports—If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate traffic type and entering the port. You can only enter one port in each field.

d. Click Save.


Require Authentication Challenges

To enforce accurate user credentials rather than rely on locally cached credentials, you enable Captive Portal on the Web Security Service. See About Challenge-based Auth (Captive Portal).

This option requires deployment of the Blue Coat Auth Connector application, which integrates with your Active Directory to provide username and group information.

1. In Service Mode, select Network > Mobility.

2. Enable Captive Portal.


Verify Service Connectivity to Locations

After configuring access to the Blue Coat Web Security Service, verify that the service is receiving and processing content requests.

1. Click the Service link (upper-right corner).

2. Select Network > Locations.

3. Verify the status of each location.

Various icons represent the connection status.

• The Web Security Service recognizes the location and accepts web traffic.

• A location has been configured, but the Web Security Service cannot connect. Verify that the web gateway device is properly configured to route traffic.

• A previously successful web gateway to Web Security Service configuration is currently not connected.

  • Proxy Forwarding—Verify that the gateway address in the forwarding host is correct.


Mac

If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.


Uninstall the Unified Agent

The Blue Coat Unified Agent and Client Connector are applications installed on remote systems that frequently connect to the Internet from non-corporate networks. You have the option to require an uninstall token, which employees must enter to remove the Unified Agent.

Available Options

• "Unified Agent—With Uninstall Token" below

• "No Token Defined/Client Connector" on page 61

• "CLI" on page 62

• "MSI Version Mis-Match (Unknown MSI)" on page 62

Unified Agent—With Uninstall Token

Employees attempting to uninstall the Unified Agent require an uninstall token that you define in the Web Security Service portal.

Information

• This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

• If you have previously deployed Unified Agent to clients and used the CLI options (Windows: SUP=password; OSX: "--args -SUP password"), those passwords are no longer valid. You must log in to the portal and define the uninstall token.

• Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client receives the latest uninstall token.

• If you did not define an uninstall token, you can use the Control Panel.

Procedure


b. Click Uninstall Token (or Change Token if you or someone previously obtained a token). The service displays the Set Unified Agent Uninstall Token dialog.

c. Name the Uninstall Token and click Set Token. The service displays that an uninstall token was set on a given date and time.

d. Distribute the uninstall token and instructions (see below) to those who have permission to uninstall the Unified Agent.

You can change the uninstall token any time.

Windows


• Execute the Unified Agent installer (MSI).

In the Removal...uninstall token field, enter the token and click Validate.

The equivalent CLI command is UNINSTALL_TOKEN=password, where password is the token obtained from the portal.

If an employee attempts to remove the Unified Agent from the Windows > Control Panel menu, they receive a pop-up message prompting them to contact their Administrator for removal permission.

OS X

1. In the menu bar, click the Unified Agent icon.

2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.

3. The system prompts you for the uninstall token.

Enter the uninstall token and click OK.

4. Click Uninstall.

No Token Defined/Client Connector


(Start > Control Panel > Add/Remove Programs). You must have administrative rights to the system.

OS X

1. In the menu bar, click the Unified Agent or Client Connector icon.

2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.

3. Click Uninstall.

Alternative

Navigate to /Library/Application Support/Blue Coat Systems and double-click the cloud-client-uninstaller.

CLI

If you know or recorded the exact MSI that was used to install the application, use the CLI command to remove it.

msiexec /x {MSI_Value} [/quiet UNINSTALL_TOKEN=password]

Reference—MSI Versions

See "Reference: Remote Client Application Package Versions" on page 67 for versions.

MSI Version Mis-Match (Unknown MSI)

The following scenario creates an MSI-version mis-match.

• You configured the option in the Web Security Service portal to allow Unified Agent clients to automatically update.

• You defined an uninstall token.

For example, you downloaded and installed Unified Agent 4.4, then (per configuration) the portal automatically updates the installed client versions to 4.5 when Blue Coat posts it to datacenters. With the uninstall token option defined, you or employees cannot uninstall the application because no MSI was downloaded and paired with the upgraded product ID. To remove the application, you must use the CLI command with the correct product ID code.

msiexec /x {product_id_code} /quiet UNINSTALL_TOKEN=password

You find this code one of two ways:

• (Recommended) Review the MSI uninstall failure log.

• Find it in the registry. For more information about this method, see the Knowledge Base article.


Troubleshoot...

Use the following topics to troubleshoot remote client application connections.

• "Unified Agent Drops Connections" on the next page

• "Manage Web Security Service Client Connections" on page 65

• "Captive Portal Diagnostic Messages" on page 68

• "Capture Remote Client Trace Log" on page 70


Unified Agent Drops Connections

Symptom

The Unified Agent or Client Connector randomly loses its connection and then reconnects, causing interruptions to Internet access.

Check


Manage Web Security Service Client Connections

If employees are sending complaint requests regarding dropped connections to the web, reviewing the Blue Coat Web Security Service client connections status might help you determine if this is a widespread or minimal issue. Also, if you see a client on the system that you do not believe belongs in your organization (for example, a stolen laptop), you can log in to the Web Security Service portal and block access to that client while you investigate.

To review client connections, in Service Mode select the Mobility > Agent Status tab.


Manually Disable the Unified Agent

The Blue Coat Unified Agent, installed on employee devices such as laptops, provides web security when the client is not connected to an on-premise network. Although the Unified Agent should function in any network, sometimes an unforeseen environment might cause connection issues or prevent the Unified Agent from passing web traffic to the Web Security Service. Your business might depend on the efficiency of personnel in the field who cannot be disrupted by a lack of an Internet connection.

You can configure the Web Security Service to allow employees totemporarilydisable the Unified Agent should connection issues occur. The Unified Agent remains disabled only until the client machine reboots or the employee initiates a reconnect from the Unified Agent interface.

Furthermore, this setting in the Web Security Service applies to all Unified Agents in the field. You cannot selectively target which installations receive the disable option.

This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

Activate the Disable Option

1. In Service Mode, select Mobility > Unified Agent.

2. In the Unified Agent Settings area, select Yes for the Allow agent to be disabled by user option.

Instruct Employees How to Disable the Unified Agent

Windows

In the system tray, right-click the Unified Agent icon and select Disable Unified Agent. Employees can also return here to enable the agent again.

OS X


Reference: Remote Client Application Package Versions


Captive Portal Diagnostic Messages

When Captive Portal is enabled for remote clients on the Blue Coat Web Security Service, various messages are logged in association with user login and authentication activity. They display on the Service mode > Troubleshooting > Mobile Clients page.

Log Entry / Description

CAResp<0> Captive Portal enabled: true
    Indicates when Captive Portal was enabled (Service mode > Network > Mobility).

Captive portal authentication succeeded for username
    Indicates when a user successfully logged in.

Authentication server error, connecting as unauthenticated user
    If the Auth Connector becomes unavailable, the user receives the error message "Authentication server error, connecting as unauthenticated user" (and the Web Security Service adds the event to the diagnostic log). The behavior then defaults to what happens when Captive Portal is not enabled: the user's access creates a tunnel, but as an unauthenticated user, so no identity is attached to that session. For diagnostic analysis, the Advanced dialog entry is "unauthenticated (user_name)". Because this entry means authentication has failed open rather than closed, repeated occurrences should be treated as an Auth Connector availability problem.

Account restricted - CP auth failed for user: username
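The entry worth alerting on in the table above is the fail-open case: when the Auth Connector is unavailable, traffic is tunneled without a user identity. The following is an added PowerShell example that is not from the Blue Coat guide; it parses the four message forms listed above from an exported log and reports how often the fail-open condition occurred. It assumes each exported line carries a leading "yyyy-MM-dd HH:mm:ss" timestamp (the guide shows no timestamp format) and that the "unauthenticated (user_name)" Advanced dialog entry appears in the same export; the sample lines are constructed for this example.

```powershell
# Added example, not from the Blue Coat guide: classify the Captive Portal
# diagnostic messages and surface the fail-open case (Auth Connector unavailable,
# user connected unauthenticated).
# Assumptions: lines begin with a "yyyy-MM-dd HH:mm:ss" timestamp, and the
# "unauthenticated (user)" Advanced-dialog entry is present in the same export.
# The sample log below is constructed for this example.
$SampleLog = @'
2016-03-01 08:02:11 CAResp<0> Captive Portal enabled: true
2016-03-01 08:05:42 Captive portal authentication succeeded for jsmith
2016-03-01 08:06:10 Captive portal authentication succeeded for alee
2016-03-01 08:31:05 Authentication server error, connecting as unauthenticated user
2016-03-01 08:31:05 unauthenticated (mchen)
2016-03-01 08:32:19 Authentication server error, connecting as unauthenticated user
2016-03-01 08:32:19 unauthenticated (jsmith)
2016-03-01 09:10:44 Account restricted - CP auth failed for user: bwong
'@ -split "`r?`n"

function ConvertFrom-CaptivePortalLine {
    param([Parameter(Mandatory)][string]$Line)
    # Split the assumed timestamp from the message body; skip lines without one.
    if ($Line -notmatch '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<msg>.+)$') { return $null }
    $ts  = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', $null)
    $msg = $Matches.msg
    $type = $null; $user = $null
    if     ($msg -match 'Captive Portal enabled:\s*(true|false)')  { $type = 'ConfigChange' }
    elseif ($msg -match 'authentication succeeded for (\S+)')      { $type = 'AuthSuccess';     $user = $Matches[1] }
    elseif ($msg -match 'connecting as unauthenticated user')      { $type = 'AuthFailOpen' }   # Auth Connector down
    elseif ($msg -match '^unauthenticated \((\S+)\)$')             { $type = 'Unauthenticated'; $user = $Matches[1] }
    elseif ($msg -match 'CP auth failed for user:\s*(\S+)')        { $type = 'AuthFailClosed';  $user = $Matches[1] }
    else { return $null }
    [pscustomobject]@{ Time = $ts; Type = $type; User = $user; Message = $msg }
}

$events = $SampleLog | ForEach-Object { ConvertFrom-CaptivePortalLine $_ } | Where-Object { $_ }

$events | Sort-Object Time | Format-Table Time, Type, User -AutoSize

# Fail-open is the condition to alert on: the session is tunneled with no identity,
# so nothing that depends on who the user is can be enforced for its duration.
$failOpen    = @($events | Where-Object Type -eq 'AuthFailOpen')
$unauthUsers = @($events | Where-Object Type -eq 'Unauthenticated' |
                 Select-Object -ExpandProperty User -Unique)

if ($failOpen.Count -gt 0) {
    Write-Warning ("Auth Connector unavailable {0} time(s) between {1} and {2}; users connected unauthenticated: {3}" -f `
        $failOpen.Count, $failOpen[0].Time, $failOpen[-1].Time, ($unauthUsers -join ', '))
}
```

To run this against a real export, replace `$SampleLog` with `Get-Content .\mobile-clients.log` and adjust the timestamp pattern to whatever the exported page actually uses. The `AuthFailClosed` entries (account restricted) are the expected outcome of a failed login; it is the `AuthFailOpen` count, not those, that indicates the Auth Connector itself needs attention.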
