Blue Coat Systems ProxySG Appliance

16  Download (0)

Full text

(1)

Blue Coat

®

Systems

Proxy

SG

®

Appliance

SGOS 6.2 Upgrade/Downgrade Feature Change Reference

(2)

Blue Coat SGOS 6.2 Upgrade/Downgrade Feature Change Reference

Contact Information

Americas:

Blue Coat Systems Inc. 410 North Mary Ave

Sunnyvale, CA 94085-4121 Rest of the World:

Blue Coat Systems International SARL 3a Route des Arsenaux

1700 Fribourg, Switzerland

http://www.bluecoat.com/support/contactsupport http://www.bluecoat.com

For concerns or feedback about the documentation: documentation@bluecoat.com

Copyright© 1999-2011 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, ProxyOne™, CacheOS™, SGOS™, SG™, Spyware Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, PacketShaper®, PacketShaper Xpress®, PolicyCenter®, PacketWise®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. AND BLUE COAT SYSTEMS INTERNATIONAL SARL (COLLECTIVELY “BLUE COAT”) DISCLAIM ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN,

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

America’s: Rest of the World:

Blue Coat Systems, Inc. Blue Coat Systems International SARL

410 N. Mary Ave. 3a Route des Arsenaux Sunnyvale, CA 94085 1700 Fribourg, Switzerland

Document Number: 231-03034

(3)

Contents

Chapter 1: Before You Begin

About the Document Organization... 5

Document Conventions ... 5

Chapter 2: Feature-Specific Upgrade Behavior Feature Changes Introduced in SGOS 6.2.x ... 7

IPv6 Support for ADN... 8

Access Log Formats... 8

Adaptive Compression... 9

Bandwidth Optimization ... 9

Disk Object Capacity... 10

Encrypted MAPI Acceleration... 11

Flash Proxy ... 11

Last Peer Detection... 12

Reflect Client IP for ProxyClient Peers... 12

Report Data Series Changes... 13

SMTP Server Configuration... 13

Chapter 3: Deprecation Notices CPL Deprecations in SGOS 6.2.x ... 15

Command Deprecations in SGOS 6.2.x ... 15

Adaptive Refresh... 15

(4)
(5)

Chapter 1: Before You Begin

This document describes how upgrading to, or downgrading from, this release impacts new and existing features. It also describes options or commands that have been deprecated. Blue Coat® strongly recommends that you read this document before attempting to upgrade to SGOS 6.2.

You should also refer to the following documents before upgrading:

Blue Coat SGOS 6.2 Release Notes

Blue Coat SGOS 6.2 Upgrade Guide

These documents are available here:

https://bto.bluecoat.com/documentation/pubs/view/SGOS 6.2.x

Existing features and policies might not perform as with previous versions, and upgrading to this version might require some additional configuration tuning.

About the Document Organization

This document is organized for easy reference and is divided into the following chapters:

Document Conventions

The following section lists the typographical and Command Line Interface (CLI) syntax conventions used in this manual.

Table 1–1 Document Organization

Chapter Title Description

Chapter 1 — Before You Begin This chapter discusses related Blue Coat documents and documentation conventions. Chapter 2 — Feature-Specific Upgrade

Behavior

This chapter identifies new behaviors in SGOS 6.2 and discusses any upgrade/downgrade issues. Chapter 3 — Deprecation Notices This chapters lists any commands and options that

are being phased out in future releases.

Table 1–2 Typographic Conventions

Conventions Definition

Italics The first use of a new or Blue Coat-proprietary term.

Courier font Command-line interface text that appears on your administrator workstation.

Courier Italics

A command-line variable that is to be substituted with a literal name or value pertaining to the appropriate facet of your network system.

(6)

Blue Coat SGOS 6.2 Upgrade/Downgrade Feature Change Reference

Courier Boldface

Text that must be entered as shown.

{ } One of the parameters enclosed within the braces must be supplied.

[ ] Encompasses one or more optional parameters.

| This pipe character delineates options in a mandatory or optional list. For example:

configure {terminal | network url}

Table 1–2 Typographic Conventions (Continued)

(7)

Chapter 2: Feature-Specific Upgrade Behavior

This chapter provides critical information about how specific features are affected by upgrading to or downgrading from SGOS 6.2 and provides actions for administrators to take as a result of upgrading. If a specific feature is not mentioned, there are no known upgrade or downgrade issues. This guide assumes you are upgrading to SGOS 6.2 from a supported direct-upgrade version. SGOS 6.2 supports direct upgrade from specific releases of 5.4, 5.5, and 6.1. Consult the Release Notes or the Upgrade/Downgrade Guide for the specific release numbers.

Note: Policy using any new CPL triggers (such as the url.application.name

and url.aplication.operation conditions for application filtering) will not compile if the ProxySG is downgraded to a release that doesn’t support these triggers.

Feature Changes Introduced in SGOS 6.2.x

This section describes behavior changes that occur from features introduced in SGOS 6.2.x. The upgrade and downgrade information is provided by

component.

❐ "IPv6 Support for ADN" on page 8

❐ "Access Log Formats" on page 8

❐ "Adaptive Compression" on page 9

❐ "Bandwidth Optimization" on page 9

❐ "Disk Object Capacity" on page 10

❐ "Encrypted MAPI Acceleration" on page 11

❐ "Flash Proxy" on page 11

❐ "Last Peer Detection" on page 12

❐ "Reflect Client IP for ProxyClient Peers" on page 12

❐ "Report Data Series Changes" on page 13

(8)

SGOS 6.2 Upgrade/Downgrade Feature Change Reference

IPv6 Support for ADN

SGOS 6.2.4.1 expands the ProxySG support for IPv6 to include ADN. Blue Coat’s WAN optimization solution now works in an IPv4, IPv6, or combination IPv4/ IPv6 Application Delivery Network (ADN).

Impact: Upgrades from pre-6.2.4 releases

❐ When upgrading managed ADN deployments to a release that supports IPv6 on ADN (SGOS 6.2.4 or higher), the ProxySG that is functioning as the ADN manager must be upgraded before the managed nodes. The manager should continue to be assigned a reachable IPv4 address until all managed nodes have been upgraded. A managed node that has been upgraded to a release that supports IPv6 on ADN (SGOS 6.2.4 or higher) can use either IPv4 or IPv6 to connect to the previously upgraded manager.

❐ In explicit deployments, an IPv6-only Concentrator peer will not be advertised as the Internet gateway for a node that is running an older (pre-6.2.4) version of software.

❐ Only IPv4 routes are advertised to managed nodes running pre-6.2.4 versions.

Impact: Downgrades to pre-6.2.4 releases

When downgrading to a pre-6.2.4 release, only the IPv4 ADN configuration is carried over. If a particular ADN setting allows only a single IP address to be entered, and that address is IPv6, the setting will revert to its default value after downgrade. For example:

❐ Primary Manager IP will be set to none if an IPv6 address was configured in

6.2.4

❐ Backup Manager IP will be set to none if an IPv6 address was configured in 6.2.4

❐ External Load Balancer VIP will be cleared if an IPv6 address was configured in 6.2.4

Related Documentation

SGOS 6.2 Administration Guide, “Using the ProxySG in an IPv6 Environment” and “Configuring an Application Delivery Network”

Access Log Formats

SGOS 6.2 offers a new access log format for streaming and adds new fields to the existing bcreportermain_v1 format.

Impact: Upgrades from 5.4, 5.5, or 6.1 releases

A new streaming log format is introduced in SGOS 6.2, bcreporterstreaming_v1; this format is the default on new systems. The legacy streaming log format, streaming, is used on upgrades to SGOS 6.2. To use the bcreporterstreaming_v1 format after upgrade, do one of the following:

(9)

Chapter 2: Feature-Specific Upgrade Behavior

• Create a new streaming log that specifies the bcreporterstreaming_v1 log format, and then edit the various streaming protocols to use this new log.

Impact: Downgrades to pre-6.2 releases

The bcreportermain_v1 format contains new fields to support the application filtering feature. If you downgrade to a pre-6.2 release, the new fields will remain in the bcreportermain_v1 format but will be ignored.

Related Documentation

SGOS 6.2 Administration Guide, Creating Access Log Formats chapter

Adaptive Compression

Starting in SGOS 5.5, adaptive compression was enabled by default on multi-processor platforms, but disabled on unimulti-processor platforms. All ProxySG platforms that are manufactured or remanufactured with the SGOS 6.2 release now have adaptive compression enabled by default.

Impact: Upgrades from 5.5 or 6.1 releases

After upgrading to SGOS 6.2, the adaptive compression setting matches the configuration before the upgrade. For example, if adaptive compression was disabled in SGOS 6.1, it will be disabled after upgrading to SGOS 6.2.

Impact: Downgrades to 6.1 releases

After downgrading from SGOS 6.2 to 6.1, the setting for adaptive compression is preserved.

Impact: Downgrades to 5.5 release

After downgrading from SGOS 6.2 to 5.5, the setting for adaptive compression returns to the value previously set in 5.5 prior to upgrade.

Bandwidth Optimization

Pre-6.2 versions had a single control for enabling byte caching and compression optimization for a particular service (called adn-optimize in the CLI and Optimize Bandwidth in the Management Console). SGOS 6.2 introduces separate controls for byte caching (adn-byte-cache or Enable byte caching) and compression ( adn-compress or Enable compression).

(10)

Blue Coat SGOS 6.2 Upgrade/Downgrade Guide

Impact: Upgrade from 5.4, 5.5, or 6.1 releases

The table below indicates how the value of the adn-optimize setting before upgrade affects the values of the adn-byte-cache and adn-compress settings after upgrading to SGOS 6.2.

Impact: Downgrade to pre-6.2 releases

The table below indicates how the values of the adn-byte-cache and adn-compress

settings in SGOS 6.2 affect the adn-optimize setting after downgrading from SGOS 6.2.

Disk Object Capacity

All multi-disk systems that are manufactured with SGOS 6.2 have an increased object capacity; you can get this extra capacity on other multi-disk systems by initiating the disk increase-object-limit command after upgrading to 6.2. The disks are re-initialized in a format that is not compatible with SGOS releases prior to 6.2.

Impact: Downgrades to pre-6.2 releases

If your disks have the increased object capacity, you must use the disk decrease-object-limit command before downgrading to a pre-6.2 release. This command preserves the configuration, registry settings, policy, licensing files, and the appliance birth certificate; it does not retain cache contents, access logs, event log, and sysinfo snapshots.

WARNING! If you fail to use the disk decrease-object-limit command before downgrading, all data and settings will be lost after the downgrade.

adn-optimize (before upgrade) adn-byte-cache (after upgrade) adn-compress (after upgrade)

Enabled Enabled Enabled

Disabled Disabled Disabled

adn-byte-cache (before downgrade) adn-compress (before downgrade) adn-optimize (after downgrade)

Enabled Enabled Enabled

Disabled Enabled Enabled

Enabled Disabled Enabled

(11)

Chapter 2: Feature-Specific Upgrade Behavior

Encrypted MAPI Acceleration

SGOS 6.2 is able to accelerate encrypted MAPI sessions.

Impact: ADN peers that have not been upgraded to 6.2

❐ The Concentrator and Branch peers must both be upgraded to SGOS 6.2 in order for encrypted MAPI to be accelerated.

❐ If a peer is running a pre-6.2 SGOS release, the connection will be tunneled but will not be accelerated.

Related Documentation

SGOS 6.2 Administration Guide, Accelerating the Microsoft Outlook Application chapter

Flash Proxy

When a ProxySG is running SGOS 6.1 with Flash/RTMP traffic and is upgraded to SGOS 6.2, historical reports show two types of RTMP traffic: RTMP (RTMP) and RTMP (Flash). This happens because the proxy name was changed from RTMP (in 6.1) to Flash (in 6.2).

In addition, the default value for HTTP handoff on the Flash proxy has changed from disabled to enabled.

Impact: Upgrades from 5.5 LA and 6.1 releases

The table below indicates the value of the HTTP handoff setting after upgrading to SGOS 6.2 from various versions.

SGOS Version HTTP handoff setting on pre-6.2 version

HTTP handoff setting after upgrading to 6.2

5.4/5.5 N/A (Flash not

supported) N/A 5.5 LA Enabled Enabled 5.5 LA Disabled Enabled 6.1 Enabled Enabled 6.1 Disabled Disabled

(12)

Blue Coat SGOS 6.2 Upgrade/Downgrade Guide

Impact: Downgrades to pre-6.2 releases

The table below indicates the value of the HTTP handoff setting after downgrading to various versions from SGOS 6.2.

Related Documentation

SGOS 6.2 Administration Guide, Managing Streaming Media chapter

Last Peer Detection

Last Peer Detection is enabled by default for new installations, but not for upgrades.

Impact: Upgrades from 5.4, 5.5, or 6.1 releases

When a ProxySG is upgraded to 6.2, the feature is disabled by default. To use the feature, Last Peer Detection must be enabled on intermediate concentrators and, optionally, the last concentrator on the path to the OCS. Branch peers do not need to be upgraded to 6.2 for the feature to operate but they must be running SGOS 5.5 or higher.

Related Documentation

SGOS 6.2 Administration Guide, Configuring an Application Delivery Network chapter

Reflect Client IP for ProxyClient Peers

SGOS 6.2 offers independent controls for configuring how the Concentrator peer handles client IP reflection requests from ProxySG peers versus ProxyClient peers.

Impact: Upgrades from 5.4, 5.5, or 6.1 releases

❐ If Reflect Client IP (RCIP) on the Concentrator peer was set to deny before the upgrade to SGOS 6.2, RCIP for ProxyClient will be set to use-local upon upgrade to 6.2; this is consistent with how RCIP for ProxyClient was previously handled.

❐ If RCIP on the Concentrator peer was set to allow, then the client IP would be reflected for ProxyClient peers.

SGOS Version HTTP handoff setting on SGOS 6.2

HTTP handoff setting after downgrading

5.4/5.5 Any N/A (Flash not

supported)

5.5 LA Any Default/Previous

6.1 Enabled Enabled

(13)

Chapter 2: Feature-Specific Upgrade Behavior

Impact: Downgrades to pre-6.2 releases

The RCIP for ProxyClient setting that was configured in 6.2 is disregarded after downgrading to a pre-6.2 release, and the behavior in these earlier releases is used. When the Concentrator was configured to deny reflect client IP requests from branch peers, there was a special hard-coded override that always used the Concentrator’s local IP address for ProxyClient tunnel connections; if reflect client IP was set to allow, then the client IP would be reflected.

Related Documentation

SGOS 6.2 Administration Guide, Configuring an Application Delivery Network chapter

Report Data Series Changes

Starting with SGOS 6.2, the ProxySG is able to store certain report data in five-second increments over the last five minutes and 15-minute increments over the last 24 hours; this data provides increased granularity in reports.

Impact: Upgrades from 5.4, 5.5, or 6.1 releases

As a consequence of this change, the granular trend data is not available before the upgrade to SGOS 6.2 for Traffic History reports. If you view the Traffic History report for the last day, there will be no data points for the time before the upgrade.

SMTP Server Configuration

A new top-level configuration mode, smtp, is available for configuring the SMTP server that the ProxySG uses for emailing notifications and sending heartbeats. In addition, the server port is now user-configurable; previously, it was hard-coded to port 25.

#(config smtp) server domainname | ip-address [port]

#(config smtp) from from-address

#(config smtp) no server

#(config smtp) view

With the introduction of the smtp subcommands, the event-log CLI commands for configuring the SMTP gateway and sender email address are deprecated.

#(config event-log) mail smtp-gateway {domain_name | ip_address} #(config event-log) mail from from_address

#(config event-log) mail no smtp-gateway

Impact: Upgrades from 5.4, 5.5, or 6.1 releases

❐ After upgrading, values defined in the (config event-log) mail commands are mirrored in the (config smtp) subcommands. For example:

Before upgrade:

#(config event-log) mail smtp-gateway mail.test.com #(config event-log) from john.smith@test.com

After upgrade: #(config smtp) view

(14)

Blue Coat SGOS 6.2 Upgrade/Downgrade Guide

Settings:

server mail.test.com port 25 From-address:

"john.smith@test.com"

❐ For a new installation of 6.2 (or if you perform a restore-defaults command while running 6.2), the SMTP server is not defined; in previous versions, the default setting was mail.heartbeat.bluecoat.com. If you use a 6.1 script to configure a 6.2 system, your SMTP server name may change from

mail.heartbeat.bluecoat.com to undefined; this is different behavior from what happens during an upgrade from 6.1 to 6.2.

Impact: Downgrades to pre-6.2 releases

❐ If you configure an SMTP server and use the default port (25) in SGOS 6.2, the server settings get mirrored into the event-log configuration for smtp-gateway

after downgrading. The same is true if you clear the server settings and then downgrade.

❐ If you set an SMTP port to any value other than 25 in SGOS 6.2, the SMTP server settings do not get mirrored into the event-log configuration for smtp-gateway after downgrading.

Related Documentation

SGOS 6.2 Command Line Interface Reference

(15)

Chapter 3: Deprecation Notices

This chapter discusses command and CPL deprecations in SGOS 6.2.

CPL Deprecations in SGOS 6.2.x

Deprecation warnings are issued for CPL syntax that will abandoned in the next major SGOS release.

In the ftp.server_data( ) CPL property, the port and pasv arguments have been deprecated. If you install existing policy with these arguments, they will automatically get converted to active and passive.

When upgrading from SGOS 5.x, you must resolve any CPL deprecations before upgrading the software. See the Blue Coat SGOS 6.2 Upgrade Guide.

Command Deprecations in SGOS 6.2.x

The following CLI commands are deprecated in SGOS 6.2.x.

Adaptive Refresh

The following caching configuration CLI commands are deprecated starting in SGOS 6.2.6:

#(config caching) refresh automatic

#(config caching) refresh bandwidthkbps

#(config caching) refreshno automatic

They are replaced starting in SGOS 6.2.6 by the following commands, also in

caching configuration mode:

#(config caching) refresh bandwidth {automatic | kbps } #(config caching) no refresh

In addition, refresh bandwidth is now disabled by default.

Proxy Processing

The proxy processing feature was deprecated starting with SGOS v5.5. In SGOS v6.1.2, the Proxy Processing tab was removed from the Management Console, but the feature can still be configured via the CLI. Since proxy processing will be completely removed from an SGOS release in the future, Blue Coat

recommends that you discontinue using this feature and deploy a separate secure web gateway to handle proxy processing.

The following CLI command is deprecated:

(16)

Figure

Updating...

References