
SECURE ICAP Gateway

Blue Coat Implementation Guide

Technical note

Version 1.0 23/12/13

Product Information

Partner Name: Blue Coat Systems, Inc.
Web Site: www.bluecoat.com
Product Name: ProxySG
Version & Platform: SGOS 6.5


Copyright

Revision 1.0, December, 2013 Published by Clearswift Ltd. © 1995–2013 Clearswift Ltd. All rights reserved.

The materials contained herein are the sole property of Clearswift Ltd unless otherwise stated. The property of Clearswift may not be reproduced or disseminated or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise stored in any retrievable system or otherwise used in any manner whatsoever, in part or in whole, without the express permission of Clearswift Ltd.

Information in this document may contain references to fictional persons, companies, products and events for illustrative purposes. Any similarities to real persons, companies, products and events are coincidental and Clearswift shall not be liable for any loss suffered as a result of such similarities.

The Clearswift Logo and Clearswift product names are trademarks of Clearswift Ltd. All other trademarks are the property of their respective owners. Clearswift Ltd. (registered number 3367495) is registered in Britain with registered offices at 1310 Waterside, Arlington Business Park, Theale, Reading, Berkshire RG7 4SA, England. Users should ensure that they comply with all national legislation regarding the export, import, and use of cryptography.


Contents

1   Introduction
2   Architecture Overview
3   Clearswift SECURE ICAP Gateway Configuration
4   Blue Coat ProxySG Configuration
5   Feature List
5.1   Certified Platform


1   Introduction

The Clearswift SECURE ICAP Gateway is an ICAP server that provides all of the Clearswift content inspection functionality to the Blue Coat ProxySG product. This document describes the steps to take when deploying and integrating both products.

2   Architecture Overview

The Blue Coat ProxySG is a scalable, high performance web security product that can extend its capabilities through the addition of external components. The communication between the different elements is performed using the Internet Content Adaptation Protocol (ICAP). In such configurations, the ProxySG performs the communication between the user and the Internet, redirecting the selected requests or responses to the available ICAP servers.

[Figure: architecture diagram with Users, Blue Coat ProxySG and Clearswift SECURE ICAP Gateway, linked by ICAP]


3   Clearswift SECURE ICAP Gateway Configuration

The Blue Coat ProxySG acts as an ICAP client, as it sends requests for content to be inspected. The Clearswift ICAP Gateway acts as an ICAP server, as it responds to requests made by the ProxySG.

The ICAP Gateway only scans requests from registered ICAP clients. Thus, the IP address that the ProxySG will use to communicate with the ICAP Gateway is required in order to perform the configuration.

Configuration is done on the “ICAP Server Configuration” page, available under the System menu.

In the ICAP Clients area, all of the deployed ProxySG servers must be configured. The Clearswift ICAP Gateway is configured to listen on port 1344, the default ICAP communications port. This can be modified if required through the configuration page.


order to identify them individually, different service URLs are used. These can be defined in the “ICAP Services Configuration” box, including whether the message preview option will be accepted or not.

Additionally, the Clearswift SECURE ICAP Gateway can be configured to log specific actions and to have an appropriate logging level.

It must be noted that a high log level can have a negative performance impact on the platform.
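The listening port, service URL and preview setting described above can be checked from the client side with an ICAP OPTIONS request (RFC 3507). This is an added example, not part of the Clearswift or Blue Coat material: the function names, the service path passed to `probe()` and the sample reply are constructed for illustration, and `probe()` assumes it is run from an address registered in the ICAP Clients area.

```python
import socket

# Constructed sample of an ICAP OPTIONS reply (not captured from a real gateway).
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: REQMOD\r\n"
    b'ISTag: "constructed-tag"\r\n'
    b"Preview: 1024\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)

def build_options_request(host, service, port=1344):
    """Build an RFC 3507 OPTIONS request for icap://host:port/service."""
    lines = [
        f"OPTIONS icap://{host}:{port}/{service.lstrip('/')} ICAP/1.0",
        f"Host: {host}:{port}",
        "Encapsulated: null-body=0",  # the request carries no body
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_icap_response(raw):
    """Parse the status line and headers of an ICAP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) != 3 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "reason": parts[2], "headers": headers}

def summarize_service(resp):
    """Report the methods a service URL offers and its preview size (None = no preview)."""
    h = resp["headers"]
    methods = [m.strip() for m in h.get("methods", "").split(",") if m.strip()]
    preview = int(h["preview"]) if "preview" in h else None
    return {"ok": resp["status"] == 200, "methods": methods, "preview_bytes": preview}

def probe(host, service, port=1344, timeout=5.0):
    """Send OPTIONS to a live ICAP server and summarize its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, service, port))
        raw = b""
        while b"\r\n\r\n" not in raw and (chunk := s.recv(4096)):
            raw += chunk
    return summarize_service(parse_icap_response(raw))
```

A reply without a `Preview` header yields `preview_bytes` of `None`, which is how a service URL with previewing turned off would show up in this summary.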

4   Blue Coat ProxySG Configuration

The Blue Coat ProxySG allows creating policies to send content for inspection by the ICAP Gateway. The following steps should be taken as a basic configuration guideline, and never be taken as the optimum configuration.

It is required that the configuration is done by an administrator with working knowledge of the platforms involved.

The entire configuration of the ProxySG is done through the management web interface. The steps to redirect the users’ requests and responses follow:

1. Connect to the Blue Coat web interface. Open a web browser and point it to https://Blue_Coat_IP_address:8082.


3. In the Blue Coat Management UI, browse to ICAP Services configuration under the “External Services” option in the “Configuration” tab.


5. ICAP feedback can be configured, such as when to show the patience page to the user while the inspection takes place.

6. A pool of SECURE ICAP Gateways can be configured so that the ProxySG distributes requests evenly across the pool. To do that, a Service Group containing the available ICAP Gateways needs to be configured.

Once the basic configuration has been done, the policy needs to be set up so that the selected requests or responses are sent to the SECURE ICAP Gateway for inspection. This process will usually be performed on an existing ProxySG. Thus, the policy will need to be modified for the redirection.

As a simple reference, the following steps show how to configure a basic policy for inspecting requests from users and responses from servers.


2. In the appropriate Web Content Layer policy, set a new action object.

3. Select the previously created ICAP services so that the content that hits this rule is redirected to the ICAP Gateway for inspection.

Logs provide information to validate that the integration has been properly done.

1. Enable access logging by selecting the option in the web interface and


2. In the log tail of the main log, new entries containing “404 TCP_NC_MISS” should be shown. These correspond to the tests that the ProxySG performs to validate that the ICAP Gateway is running.


5   Feature List

5.1   Certified Platform

Certification Environment

Product Name | Version Information | Operating System
Clearswift SECURE ICAP Gateway | 3.1.1 | Virtual Appliance
Blue Coat Proxy SG | 300 Series, 500 Series | SGOS 6.5.1

5.2   Feature List

Feature | Benefit

Platform
ICAP server | Connect to existing ICAP clients within your infrastructure. Supported ICAP client: Blue Coat Proxy SG
Flexible deployment options: Hardware, Software image, VMware vSphere | Provides full flexibility to adapt to your organization’s IT strategy.
Active Directory (AD) / LDAP integration | Full user-based policy control for flexible policy and audit reporting by group or individual.

Policy
Flexible and granular policy controls | Easily define policies to enable and allow Web 2.0 usage while minimizing risk.
Facebook, LinkedIn, Twitter and YouTube policy | Allow access to Web 2.0 sites, but only to content and features allowed by your policy.
Policy direction to provide additional context | Prevent certain file types, e.g. spreadsheets, from being uploaded but allow them to be downloaded.
Customizable block pages | Educate users by providing personalized feedback on their actions.

Data Loss Prevention
Adaptive Redaction: Data Redaction (Optional) | Modify content in real time to avoid delaying business processes while protecting sensitive information.
Adaptive Redaction: Document Sanitization (Optional) | Prevent hidden information within documents (e.g. metadata, properties, or quick save data) from being leaked.
Adaptive Redaction: Structural Sanitization (Optional) | Detect and strip active content from documents and HTML pages to protect from APTs and unknown threats.
Clearswift Information Governance Server integration (Optional) | Detect full or partial files being uploaded or downloaded. Allow tracking of any information traversing the SECURE ICAP Gateway.
External data source connection | Accurately identify data from your databases that is found in transit.
Lexical analysis and regular expression rules | Search file content for key words and phrases using simple or more complex pattern matching to identify sensitive data in over 200 character encodings.
Pre-defined sensitive data templates | Identify credit card, bank account, social security and national security numbers.
Compliance dictionaries | Multi-language editable compliance dictionaries including GLBA, HIPAA, SEC, SOX, PCI and PII to minimize risks.
Predefined Tokens | Multiple, including: Credit Card, Social Security, IBAN, National Insurance, Tax file number, German Identity, Business Identifier Code
MIMEsweeper true ‘binary file-type’ identification | Accurate binary based identification with the ability to define own file signatures.

Hygiene
Bi-directional virus and anti-malware scanning | Stops known and unknown malware infection entering or leaving the network.
Bi-directional anti-spyware scanning | Stops spyware, adware, key loggers and spyware call homes from infected machines.
Real-time categorization engine | Prevents access to new or uncategorized sites with inappropriate content.
Content aware recursive inspection | Decomposes the requests and responses to provide true detection of content like executables even when embedded in other file types or compressed containers.

Management and Reporting
Intuitive web-based interface | Ease of use and no requirement to learn complex syntax or operating system commands.
Pre-defined customizable reports | Easy to modify, run and share graphical reports with intuitive drill down.
Scheduled reporting | Allows create once, run and distribute many times with circulation via email.
Multi-Gateway consolidated reporting | Consolidated reporting view of user’s activities for easier analysis and sharing of management data.
