Blue Coat® Systems ProxySG™ Appliance

Blue Coat® Systems ProxySG™ Appliance
Blue Coat® Systems
ProxySG™ Appliance
Configuration and Management Suite
Volume 3: Web Communication Proxies
SGOS Version 5.3.x
Web Communication Proxies
Contact Information
Blue Coat Systems Inc.
420 North Mary Ave
Sunnyvale, CA 94085-4121
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation: documentation@bluecoat.com
Copyright© 1999-2008 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are
and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxyAV™, CacheOS™, SGOS™, SG™, Spyware
Interceptor™, Scope™, ProxyRA Connector™, ProxyRA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat
Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering
Internet Management®, The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian
and Permeo logos are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the
Software are the property of their respective owners.
BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS,
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Document Number: 231-03012
Document Revision: SGOS 5.3.1—08/2008
ii
Contents
Contact Information
Chapter 1: Introduction
Document Conventions ..................................................................................................................... 7
Notes and Warnings ........................................................................................................................... 7
Chapter 2: Managing Instant Messaging Protocols
About the Risks of Instant Messaging ............................................................................................. 9
About the Blue Coat IM Proxies ....................................................................................................... 9
HTTP Proxy Support ................................................................................................................. 10
Instant Messaging Proxy Authentication ............................................................................... 10
Access Logging ........................................................................................................................... 10
Managing Skype ......................................................................................................................... 10
About Instant Message Network Inter-activity............................................................................ 11
Recommended Deployments ................................................................................................... 11
About Instant Messaging Reflection........................................................................................ 11
Configuring ProxySG IM Proxies ................................................................................................... 14
Intercepting Default IM Services.............................................................................................. 15
Creating New IM Services For Custom Ports ........................................................................ 16
Redirecting IM Client Requests................................................................................................ 18
The Default IM Hosts................................................................................................................. 19
Handing Off Instant Messaging to HTTP............................................................................... 20
Configuring IM Alerts ............................................................................................................... 20
Configuring IM Clients .................................................................................................................... 21
General Configuration ............................................................................................................... 22
AOL Messenger Client Explicit Proxy Configuration .......................................................... 22
MSN Messenger Client Explicit Proxy Configuration .......................................................... 23
Yahoo Messenger Client Explicit Proxy Configuration........................................................ 24
Policy Examples ................................................................................................................................ 26
Example 1: File Transfer ............................................................................................................ 26
Example 2: Send an IM Alert Message.................................................................................... 28
Reference: Equivalent IM CLI Commands.................................................................................... 29
Reference: Access Log Fields........................................................................................................... 30
Reference: CPL Triggers, Properties, and Actions ....................................................................... 31
Triggers ........................................................................................................................................ 31
Properties and Actions .............................................................................................................. 31
IM History Statistics ......................................................................................................................... 31
iii
Volume 3: Web Communication Proxies
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
How the ProxySG Accelerates and Controls Media Streaming................................................. 36
What is Streaming Media? .............................................................................................................. 36
Live versus On-Demand Streaming Media............................................................................ 36
Streaming Media and Bandwidth .................................................................................................. 37
About Windows Media ................................................................................................................... 37
Pre-Populating WM Objects Hosted on a Web Server ......................................................... 38
Windows Media Deployment .................................................................................................. 38
Supported Streaming Features................................................................................................. 38
Other Supported Features......................................................................................................... 40
Supported VPM Properties and Actions ................................................................................ 40
Bandwidth Management........................................................................................................... 41
About Processing Streaming Media Content ............................................................................... 41
Delivery Methods....................................................................................................................... 41
Serving Content: Live Unicast.................................................................................................. 41
Serving Content: Video-on-Demand Unicast ........................................................................ 42
Serving Content: Multicast Streaming .................................................................................... 42
Limiting Bandwidth................................................................................................................... 43
Caching Behavior: Protocol Specific........................................................................................ 45
Caching Behavior: Video-on-Demand .................................................................................... 46
Splitting Behavior: Live Broadcast .......................................................................................... 46
Multiple Bit Rate Support ......................................................................................................... 46
Bit Rate Thinning........................................................................................................................ 47
Pre-Populating Content............................................................................................................. 47
About Fast Streaming (Windows Media)............................................................................... 48
About QoS Support.................................................................................................................... 48
About Streaming Media Authentication....................................................................................... 48
Windows Media Server-Side Authentication ........................................................................ 48
Windows Media Proxy Authentication .................................................................................. 49
Windows Media Server Authentication Type (MMS).......................................................... 50
Real Media Proxy Authentication ........................................................................................... 50
QuickTime Proxy Authentication............................................................................................ 50
Section B: Configuring Streaming Media
Configuring Streaming Services to Intercept Traffic................................................................... 51
Adding a New Streaming Service ........................................................................................... 52
Configuring the Streaming Proxies................................................................................................ 55
Limiting Bandwidth ......................................................................................................................... 56
Configuring Bandwidth Limits—Global ................................................................................ 56
Configuring Bandwidth Limits—Protocol-Specific .............................................................. 57
iv
Contents
Configuring Bandwidth Limitation—Fast Start (WM)......................................................... 58
Configuring the ProxySG Multicast Network.............................................................................. 58
Forwarding Client Logs................................................................................................................... 59
Related CLI Syntax to Manage Streaming .................................................................................... 60
Reference: Access Log Fields .......................................................................................................... 60
Reference: CPL Triggers, Properties, and Actions....................................................................... 62
Triggers........................................................................................................................................ 62
Properties and Actions .............................................................................................................. 62
Streaming History Statistics ............................................................................................................ 62
Viewing Current and Total Streaming Data Statistics.......................................................... 63
Section C: Additional Windows Media Configuration Tasks
Managing Multicast Streaming for Windows Media.................................................................. 65
About Multicast Stations........................................................................................................... 65
Creating a Multicast Station ..................................................................................................... 66
Monitoring the Multicast Station............................................................................................. 68
Multicast to Unicast Live Conversion at the ProxySG ......................................................... 69
Managing Simulated Live Content (Windows Media) ............................................................... 69
About Simulated Live Content ................................................................................................ 69
Creating a Broadcast Alias for Simulated Live Content....................................................... 70
ASX Rewriting (Windows Media) ................................................................................................. 71
About ASX Rewrite.................................................................................................................... 71
Section D: Configuring Windows Media Player
Windows Media Player Interactivity Notes ................................................................................. 76
Striding ........................................................................................................................................ 77
Other Notes ................................................................................................................................. 77
Section E: Configuring RealPlayer
Section F: Configuring QuickTime Player
Section G: Supported Streaming Media Clients and Protocols
Supported Streaming Media Clients and Servers ................................................................. 84
Supported Streaming Protocols ............................................................................................... 85
Glossary
Index
v
Volume 3: Web Communication Proxies
vi
Chapter 1: Introduction
This chapter describes how to manage enterprise and non-enterprise instant
messaging (IM) traffic through the ProxySG IM proxies.
The ProxySG allows you to control, track, and record communications that
occur over AOL, MSN, or Yahoo IM clients on your corporate networks. The
Streaming proxies allow you to alter allowed bandwidth and manage the
broadcasts of streaming content over Microsoft and RealNetworks (with
limited support for Apple) protocols.
This document contains the following chapters:
❐
Chapter 2: "Managing Instant Messaging Protocols" on page 9
❐
Chapter 3: "Managing Streaming Media" on page 35
Document Conventions
The following section lists the typographical and Command Line Interface
(CLI) syntax conventions used in this manual.
Table 1–1 Document Conventions
Conventions
Definition
Italics
The first use of a new or Blue Coat-proprietary term.
Courier font
Screen output. For example, command line text, file names, and
Blue Coat Content Policy Language (CPL).
Courier Italics
A command line variable that is to be substituted with a literal
name or value pertaining to the appropriate facet of your
network system.
Courier Boldface
A Blue Coat literal to be entered as shown.
Arial Boldface
Screen elements in the Management Console.
{ }
One of the parameters enclosed within the braces must be
supplied
[ ]
An optional parameter or parameters.
|
Either the parameter before or after the pipe character can or
must be selected, but not both.
Notes and Warnings
The following is provided for your information and to caution you against
actions that can result in data loss or personal injury:
Note: Information to which you should pay attention.
7
Volume 3: Web Communication Proxies
Important:
Critical information that is not related to equipment damage or
personal injury (for example, data loss).
WARNING!
Used only to inform you of danger of personal injury or physical
damage to equipment. An example is a warning against electrostatic discharge
(ESD) when installing equipment.
8
Chapter 2: Managing Instant Messaging Protocols
This chapter discusses how to control Instant Messaging (IM) activity through
the ProxySG.
Topics in this Chapter
This chapter includes information about the following topics:
❐
"About the Risks of Instant Messaging" on page 9
❐
"About the Blue Coat IM Proxies" on page 9
❐
"About Instant Message Network Inter-activity" on page 11
❐
"Configuring ProxySG IM Proxies" on page 14
❐
"Configuring IM Clients" on page 21
❐
"Policy Examples" on page 26
❐
"Reference: Equivalent IM CLI Commands" on page 29
❐
"Reference: Access Log Fields" on page 30
❐
"Reference: CPL Triggers, Properties, and Actions" on page 31
❐
"IM History Statistics" on page 31
About the Risks of Instant Messaging
Instant Messaging use in an enterprise environment creates security concerns
because regardless of how network security is configured, IM connections can
occur from any established protocol, such as HTTP or SOCKS, on any open
port. Because it is common for coworkers to use IM to communicate, especially
in remote offices, classified company information can be exposed outside the
network. Viruses and other malicious code can also be introduced into the
network from file sharing through IM clients.
About the Blue Coat IM Proxies
The ProxySG serves as an IM proxy. With policy, you can control IM actions by
allowing or denying IM communications and file sharing based on users (both
employee identities and IM handles), groups, file types and names, and other
triggers. All IM communications can be logged and archived for review.
The ProxySG supports the AOL, MSN, and Yahoo IM client protocols. For the
most current list of supported client versions, refer to the most current Release
Notes for this release.
9
Volume 3: Web Communication Proxies
HTTP Proxy Support
The ProxySG supports instant messaging through the HTTP proxy. IM clients are
configured to connect to IM services through HTTP, which allows IM activity
from behind restrictive firewalls.
The application of policies and IM activity logging is accomplished by the HTTP
proxy handing off IM communications to the IM proxy.
Notes
❐
AOL—Direct connections, file transfers, and files sharing are not available.
❐
Yahoo—Client cannot create a chat room.
Instant Messaging Proxy Authentication
The ProxySG supports explicit proxy authentication if explicit SOCKS V5 proxy is
specified in the IM client configuration.
Because the IM protocols do not natively support proxy authentication,
authentication for transparently redirected clients is not supported because
policies requiring authentication would deny transparently redirected clients.
Notes
Consider the following proxy authentication notes, which apply to IM clients
using HTTP proxy:
❐
AOL IM—Proxy authentication is supported.
❐
MSN IM (5.0 and above)—The ProxySG supports MSN/Live Messenger if the
appliance is configured to use HTTP ProxyAuth code 407, not HTTP auth
code 401.
❐
Yahoo IM—Yahoo IM clients do not have proxy authentication configuration
abilities.
Access Logging
Access log entries occur from various IM actions, such as logging on or joining a
chat room. By default, the ProxySG uses the Blue Coat IM access log format:
date time c-ip cs-username cs-auth-group cs-protocol x-im-method x-imuser-id x-im-user-name x-im-user-state x-im-client-info x-im-buddy-id
x-im-buddy-name x-im-buddy-state x-im-chat-room-id x-im-chat-room-type
x-im-chat-room-members x-im-message-text x-im-message-size x-immessage-route x-im-message-type x-im-file-path x-im-file-size s-action
For a reference list and descriptions of used log fields, see "Reference: Access Log
Fields" on page 30.
Managing Skype
Skype is the most used IM service outside of the United States. It provides free
PC-to-PC calling using VoIP. Skype communication is based on Peer-to-Peer
technology. Managing Skype communications requires the creation of firewall
and ProxySG policies, procedures that are outside the scope of this chapter.
10
Chapter 2: Managing Instant Messaging Protocols
See the Blue Coat Controlling Skype Technical Brief, available on the Blue Coat Web
site Download page.
About Instant Message Network Inter-activity
This section discusses IM deployment and describes IM reflection, which is how
the ProxySG policy dictates IM communications.
Recommended Deployments
Blue Coat recommends the following deployments:
❐
For large networks with unimpeded Internet access, Blue Coat recommends
transparently redirecting the IM protocols to the ProxySG, which requires the
ProxySG bridging feature or an L4 switch or WCCP.
❐
For networks that do not allow outbound access, Blue Coat recommends
using the SOCKS proxy and configuring policy and content filtering denials
for HTTP requests to IM servers.
About Instant Messaging Reflection
IM reflection allows you to contain IM traffic within the enterprise network,
which further reduces the risk of exposing company-confidential information
through public IM networks or allow a client to incur a virus or malicious code.
Normally, an IM sent from one buddy to another is sent to and from an IM
service. With IM reflection, IM traffic between buddies, including chat messaging,
on the same network never has to travel beyond the ProxySG. This includes IM
users who login to two different ProxySG appliances configured in a hierarchy
(proxy chaining).
IM Reflection with Fail Open
When the ProxySG policy is configured to fail open, IM reflection operates
essentially the same as pass through mode. All messages are allowed in and out
of the network. The following diagram illustrates IM processes with ProxySG fail
open policy.
11
Volume 3: Web Communication Proxies
Legend
A: IM client 1—logged into the ProxySG.
B: IM client 2—logged into the ProxySG.
C: IM client 3—outside the network.
D: ProxySG configured to reflect all IM activity, but with fail open policy.
E: IM service provider.
Process Flow
1: (Blue arrows) IM client 1, an employee, sends an IM directed to a co-worker: “Did you finish
coding Project X?”
2: The ProxySG directs the message to IM client 2, who is an employee on the same network,
who is able to respond: “Yes! The system runs ten times faster now!”
3: (Green arrows) IM client 1 sends an IM directed to a friend: “Want to see a movie tonight?”
4: The ProxySG allows the message to leave the network and ultimately arrive to IM client 3.
Figure 2–1
IM Reflection with ProxySG fail open policy.
IM Reflection With Fail Closed
If the ProxySG is configured with fail closed policy, messages cannot leave the
network (they never reach the IM service provider). Only clients on allowed
enterprise networks can send and receive IMs. The following diagram illustrates
IM processes with ProxySG fail closed policy.
12
Chapter 2: Managing Instant Messaging Protocols
Legend
A: IM client 1—logged into the ProxySG.
B: IM client 2—logged into the ProxySG.
C: IM client 3—outside the network.
D: ProxySG configured to reflect all IM activity, but with fail closed policy.
E: IM service provider.
Process Flow
1: (Blue arrows) IM client 1, an employee, sends an IM directed to a co-worker: “Did you finish
coding Project X?”.
2: The ProxySG directs the message to IM client 2, who is an employee on the same network,
who is able to respond: “Yes! The system runs ten times faster now!”.
3: (Green arrow) IM client 1 sends an IM directed to a friend (IM client 3): “Want to see a movie
tonight?”.
4: (Red arrow) The ProxySG does not allow the message to leave the network; IM client 1
receives an automated response: “Denial of service. Please review the company IM policy.”
Figure 2–2
IM Reflection with ProxySG fail close policy
IM Reflection With A Hierarchy Of Proxies
While the previous two sections document the conceptual fail open/fail closed
functionality, larger, more typical enterprise networks have users logging in
through different primary ProxySG appliances. IM reflection involving clients in
different buildings and even on different sites is still possible by using SOCKS
and HTTP forwarding, policy, and an ProxySG hierarchy. The following diagram
illustrates IM processes with ProxySG proxy chaining and a combination of fail
open/fail closed policies.
13
Volume 3: Web Communication Proxies
Legend
BC_SG1: Located in building 1 of the corporate campus; configured to fail open.
BC_SG2: Located in building 2 of the corporate campus; configured to fail open.
BC_SG3: Located in the IT lab of the corporate campus; configured to fail open.
BC_SG4: Located in the IT lab of the corporate campus; configured to fail close.
BC_SG5: Located at a branch location.
A: IM client 1—logged into BC_SG1.
B: IM client 2—logged into BC_SG2.
C: IM client 3—logged into BC_SG5.
D: IM client 4—off the corporate network.
E: IM service provider.
Process Flow
1: (Blue arrows) IM client 1, a project manager, sends an IM directed to IM client 2, the QA lead:
“Did you finish testing Project X?”. BC_SG1 directs the message to IM client 2 (BC_SG3 to
BC_SG2), who is able to respond: “Yes. Testing is complete.”
2: (Blue-dashed arrows) IM client 1 sends an IM directed to a sales manager (IM client 3):
“Project X is complete.” BC_SG4 recognizes the destination as allowable, and IM client
receives the message and is able respond: “Excellent. We we start announcing Project X.”
3: (Red arrows) IM client 2 attempts to send an IM to a personal buddy. “We finally finished
Project X.” BC_SG4, configured to fail close, does not allow the message to leave the network;
IM client 2 receives an automated response: “Denial of service. Please review the company IM
policy.”
Figure 2–3
Proxy chaining deployment with fail open/fail closed policies.
Configuring ProxySG IM Proxies
This chapter contains the following sections:
14
❐
"Intercepting Default IM Services" on page 15
❐
"Redirecting IM Client Requests" on page 18
Chapter 2: Managing Instant Messaging Protocols
❐
"The Default IM Hosts" on page 19
❐
"Handing Off Instant Messaging to HTTP" on page 20
❐
"Configuring IM Alerts" on page 20
Intercepting Default IM Services
This section describes how to configure the ProxySG to intercept the default IM
service ports.
Defaults:
❐
❐
Proxy Edition: Upon upgrade and on new systems, the ProxySG has IM
services configured for transparent connections on the following ports:
•
AOL-IM: 5190
•
MSN-IM: 1863 and 6891
•
Yahoo-IM: 5050 and 5101
MACH5 Edition: IM services are not created and are not included in trend
data.
Notes:
❐
MSN port 1863 and Yahoo port 5050 are the default client login ports. MSN
port 6891 and Yahoo port 5101 are the default for client-to-client direct
connections and file transfers. If these ports are not enabled:
❐
Client-to-client direct connections do not occur.
❐
After a file transfer request is allowed by the ProxySG, the resulting data is
sent directly from one client to another without passing through the ProxySG:
•
For MSN: The above bullet point only applies to MSN version previous to
and including 6.0. Post-6.0 versions use a dynamic port for file transfers;
therefore, port 6891 is not required for the ProxySG to intercept file
transfers.
•
For Yahoo: The above bullet only applies to standard file transfer requests.
Port 5101 must be enabled to allow file list requests.
Note: All file transfers for AOL clients are handled through the default (5190)
or specified client login port.
By default, these services are configured be Transparent and in Bypass mode. The
following procedure describes how to change them to Intercept mode, and
explains other attributes within the service.
To configure the IM proxies services attributes:
1. From the Management Console, select Configuration > Services > Proxy Services.
15
Volume 3: Web Communication Proxies
2
3
2. Scroll the list of service groups and click Other to expand the services list.
3. As you expand the services for AOL, MSN, and Yahoo, notice the Action for
each default service is Bypass. Select Intercept from the drop-down list(s) for
the IM services that apply in your enterprise.
4. Click Apply.
If you do not have custom IM service ports, proceed to "Redirecting IM Client
Requests" on page 18.
Creating New IM Services For Custom Ports
If your enterprise requires you to intercept IM traffic on ports other than the
defaults, you can create custom services.
To create custom IM services:
1. From the Management Console, select Configuration > Services > Proxy Services.
2. At the bottom of the page, click New Service. The New Service dialog displays.
16
Chapter 2: Managing Instant Messaging Protocols
3a
3b
3c
3d
3. Configure the new service attributes:
a. Name the service (tip: cannot use the default service name, such as
AOL IM).
b. From the Service Group drop-down list, select Other.
c. From the Proxy drop-down list in the Proxy settings area, select the IM
type for this service.
d. In the Listeners area, click New. The New Listener dialog displays.
17
Volume 3: Web Communication Proxies
4
4. Configure the new listener options:
a. In the Destination address area, select All unless you want to restrict the
service to specific IP addresses and subnets.
b. In the Port range field, enter the port number or range of ports that this
service listens on. For example: 1800-1890.
c. Select Intercept.
d. Click OK to close the dialog.
5. Click OK to close the New Service dialog.
6. Click Apply.
Result: The IM service status appears in Management Console.
Redirecting IM Client Requests
The ProxySG is configured as an IM proxy that performs a DNS redirection for
client requests. This provides greater control because it prevents IM clients from
making outside connections.
The IM clients provide the DNS lookup to the IM server, which the ProxySG DNS
module uses to connect to the IM server. To the client, the ProxySG appears to be
the IM server. A virtual IP address used only for IM must be configured, as it is
used to represent the IM server address for all IM protocols.
To configure DNS redirection for IM:
1. Select to Configuration > Network > Advanced > VIPs.
18
Chapter 2: Managing Instant Messaging Protocols
2b
2a
2. Create a virtual IP address:
a. Click New. The Add Virtual IP dialog appears.
b. Enter a unique IP address (used only to represent IM connections).
c. Click OK to add the VIP to the list.
3. Click Apply.
4. From the Management Console, select Configuration > Services > IM Proxies > IM
Proxy Settings.
5. In the General Settings field, select
the VIP from the Explicit Proxy
Virtual IP drop-down list.
6. Click Apply.
Result: IM clients regard the ProxySG
as the IM server.
Remain on this screen and continue to the next section.
The Default IM Hosts
Each IM client has hard-coded IM hosts. The ProxySG displays these values on
the Configuration > Services > IM Proxies > IM Proxy Settings tab, which vary in number
and fields dependent upon the selected IM protocol. Do not alter these hosts
unless the client experiences a hard-coded change.
19
Volume 3: Web Communication Proxies
Handing Off Instant Messaging to HTTP
HTTP handoff allows the Blue Coat HTTP proxy to handle requests from
supported IM protocols. If HTTP handoff is disabled, requests are passed
through, and IM-specific policies are not applied. Enable HTTP handoff if you
create and apply IM policy.
To allow a specific IM client to connect using the HTTP protocol through the
ProxySG and that IM protocol has not been licensed, disable HTTP handoff to
allow the traffic to be treated as plain HTTP traffic and to avoid an error in the
licensing check performed by the IM module. This might be also be necessary to
temporarily pass through traffic from new versions of IM clients that are not yet
supported by Blue Coat.
To enable HTTP handoff:
1. From the Management Console, select Configuration > Services > IM Proxies > IM
Proxy Settings.
2. In the General Settings field, select
Enable HTTP Handoff.
3. Click Apply.
Result: IM-specific policies are
applicable on IM communications.
Configuring IM Alerts
A ProxySG IM alert is an IM message sent to clients upon an action triggered by
policy. An IM alert contains two elements:
❐
Admin buddy names: You can assign an administrator buddy name for each
client type. An administrator buddy name can be a registered name user
handle or a fictitious handle. The benefit of using a registered name is that
users can send IM messages to the administrator directly to report any issues,
and that communication can be logged for tracking and record-keeping. By
default, the ProxySG assigns each IM protocol the admin buddy name: Blue
Coat ProxySG.
❐
Exception message delivery method: Alert messages can be delivered in the
same window or spawn a new window.
To configure IM alert components:
1. From the Management Console, select Configuration > Services > IM Proxies > IM
Alert Settings.
20
Chapter 2: Managing Instant Messaging Protocols
2
3a
3b
2. In the Admin buddy names field, enter the handle or handles to represent the
administrator. In this example, the company sanctions AOL Messenger as the
one used for internal communications. IM alerts are sent from Example Corp IT.
MSN and Yahoo are acceptable for personal use, but a created policy denies
file transfers. Alerts are sent from Example Corp HR.
3. Specify the exceptions message delivery method:
a. Send exception messages in a separate window (out-of-band)—If an
exception occurs, the user receives the message in a separate IM
window.
b. Send exception messages in the existing window (in-band)—If an exception
occurs, the message appears in the same IM window. The message
appears to be sent by the buddy on the other end, with the exception
that when in a chat room, the message always appears to be sent by
the configured Admin buddy name. You can enter a prefix message
that appears in the client window before the message. For example:
Inappropriate IM use. Refer to Employee Conduct Handbook concerning Internet
usage.
Note: Regardless of the IM exception delivery configuration, IM alert
messages triggered by policy based on certain protocol methods are
always sent out-of-band because a specific buddy is not associated.
4. Click Apply.
ProxySG IM proxy configuration is complete. The final step is to configure IM
clients to send traffic to the ProxySG.
Configuring IM Clients
This section describes how to configure the IM clients to send traffic through the
ProxySG.
21
Volume 3: Web Communication Proxies
General Configuration
As each IM client has different menu structures, the procedures to configure them
differ. This section provides the generic tasks that need to be completed.
Explicit Proxy
Perform the following tasks on the IM client:
1. Navigate to the Connection Preferences dialog.
2. Select Use Proxies.
3. Select proxy type as SOCKS V5.
4. Enter the ProxySG IP address.
5. Enter the SOCKS port number; the default is 1080.
6. Enter authentication information, if required.
Transparent Proxy
IM clients do not require any configuration changes for transparent proxy. An L4
switch or inline ProxySG routes the traffic.
AOL Messenger Client Explicit Proxy Configuration
The following example configures a Yahoo Messenger client for explicit proxy.
Note: This example uses AOL Messenger 5.9. Other versions might vary.
1. Select My AIM > Edit Options > Edit Preferences.
22
Chapter 2: Managing Instant Messaging Protocols
3a
3b
2a
3c
3d
3e
2b
2. Navigate to Connection Preferences:
a. Select Sign On/Off.
b. Click Connection.
3. Configure the proxy settings:
a. Select Connect using proxy.
b. In the Host field, enter the ProxySG IP address. If the default port is
1080, accept it; if not, change it to port 1080.
c. Select SOCKS 5.
d. If authentication is required on the ProxySG, enter the authentication
user name and password.
e. Click OK to close the Connections Preferences dialog.
4. Click OK to close the Preferences dialog. Result: the AOL client now sends
traffic to the ProxySG.
MSN Messenger Client Explicit Proxy Configuration
The following example configures a Yahoo Messenger client for explicit proxy.
Note: This example uses MSN Messenger 7.5. Other versions might vary.
1. From MSN Messenger, select Tools > Options.
23
Volume 3: Web Communication Proxies
3a
3b
2a
3c
2b
2. Navigate to Settings:
a. Click Connection.
b. Click Advanced Settings. The Settings dialog appears.
3. Configure the proxy settings:
a. In the SOCKS field, enter the ProxySG IP address. If the default port is
1080, accept it; if not, change it to port 1080.
b. If authentication is required on the ProxySG, enter the authentication
user name and password.
c. Click OK.
4. Click OK to close the Options dialog. Result: the MSN client now sends traffic to
the ProxySG.
Yahoo Messenger Client Explicit Proxy Configuration
The following example configures a Yahoo Messenger client for explicit proxy.
24
Chapter 2: Managing Instant Messaging Protocols
Note:
This example uses Yahoo Messenger 7.0. Other versions might vary.
1. From Yahoo Messenger, select Messenger > Preferences.
2b
2a
2d
2c
2e
2f
2. Configure the following features:
a. Click Connection.
b. Select Use proxies.
c. Select Enable SOCKS proxy; select Ver 5.
d. Enter the ProxySG IP address. If the default port is 1080, accept it; if
not, change it to port 1080.
e. If authentication is required on the ProxySG, enter the authentication
user name and password.
f.
Click Apply and OK. Result: the Yahoo client now sends traffic to the
ProxySG.
Notes
If Yahoo Messenger is configured for explicit proxy (SOCKS) through the
ProxySG, the IM voice chat feature is disabled. Any client attempting a voice chat
with a client behind the ProxySG firewall receives an error message. The voice
data stream is carried by default on port 5001; therefore, you can create and open
this port and configure Yahoo IM to use transparent proxy. However, the
ProxySG only supports the voice data in pass-through mode.
25
Volume 3: Web Communication Proxies
Policy Examples
After the IM clients are configured to send traffic through the ProxySG, you can
control and limit IM activity. The Visual Policy Manager (VPM) allows you to
create rules that control and track IM communications, including IM activities
based on users and groups, IM handle, chat room handle, file name, and other
triggers.
To learn about the VPM, refer to Volume 6: The Visual Policy Manager and Advanced
Policy.
Example 1: File Transfer
The following example demonstrates an IM rule created with the VPM that IM
handle Nigel1 can perform a file transfer at any time, but the file must be between
1 and 5 MB in size, and the handle, the file path, and file size are logged.
1
2a
2c
2b
1. In the VPM, select Policy > Add Web Access Layer; name it IM_File_Transfer.
2. Create a new IM user object:
a. Right-click the Source field; select Set. The Set Source Object dialog
appears.
b. Click New; select IM User. The Add IM User Object dialog appears.
c. In the IM User field, enter Nigel1; click OK in each dialog.
26
Chapter 2: Managing Instant Messaging Protocols
3a
3c
3b
3. Create a File Transfer object:
a. Right-click the Service field; select Set. The Set Service Object dialog
appears.
b. Click New; select IM File Transfer. The Add IM File Transfer dialog
appears.
c. Select Size and enter a range 1 and 5.
d. Select MBytes from the drop-down list; click OK in each dialog.
4. Right-click the Track field; select Set. The Add Track Object dialog appears.
5. Click New; select Event Log. The Add Event Log Object dialog appears.
27
Volume 3: Web Communication Proxies
6
6. From the Substitution Variables list, select x-im-buddy-name and click insert.
Repeat for x-im-file-path and x-im-file-size. Click OK in each dialog.
7
7. In the VPM, click Install Policy.
Example 2: Send an IM Alert Message
The following example demonstrates a rule created with the VPM that informs all
IM users when they login that their IM activity is tracked and logged.
1. In the VPM, select Policy > Add Web Access Layer; name it IM_NotifyMessage.
2. Right-click the Service field; select Set. The Set Service Object dialog appears.
3. Click New; select Protocol Methods. The Add Methods Object dialog appears.
28
Chapter 2: Managing Instant Messaging Protocols
2a
2b
4. Configure protocol method options:
a. From the Protocol drop-down list, select Instant Messaging.
b. Click Login/Logout; LOGIN; click OK to close the dialog; click OK to
insert the object in the rule.
c. Click OK in each dialog.
5. Right-click the Action field; select Set. The Set Action Object dialog appears.
6. Click New; select Send IM Alert. The Add Send IM Alert Object dialog appears.
7
7. In the Alert Text field, enter a message that appears to users. For example,
Employee notice: Your Instant Messaging activity is tracked and logged.
8. Click OK to close the dialog; click OK to insert the object in the rule.
9. Click Install Policy.
Reference: Equivalent IM CLI Commands
The configuration tasks describes in this chapter can also be accomplished
through the ProxySG CLI. The following are the equivalent CLI command
syntaxes:
29
Volume 3: Web Communication Proxies
❐
To enter configuration mode:
SGOS#(config) proxy-services
SGOS#(config proxy-services) create {aol-im | msn-im | yahoo-im}
service_name
❐
The following submodes are available:
SGOS#(config proxy-services) edit service-name
SGOS#(config service-name) add all | ip_address | ip_address/subnetmask} {port | first_port-last_port} [intercept | bypass]
SGOS#(config service-name) attribute reflect-client-ip {enable |
disable}
SGOS#(config service-name) bypass all | ip_address | ip_address/
subnet-mask} {port | first_port-last_port}
SGOS#(config service-name) exit
SGOS#(config service-name) intercept all | ip_address | ip_address/
subnet-mask} {port | first_port-last_port}
SGOS#(config service-name) remove all | ip_address | ip_address/
subnet-mask} {port | first_port-last_port}
SGOS#(config service-name) view
Reference: Access Log Fields
The default Blue Coat IM fields are (only IM-specific or relative are listed and
described):
30
❐
cs-protocol: Protocol used in the client's request.
❐
x-im-method: The method associated with the instant message.
❐
x-im-user-id: Instant messaging user identifier.
❐
x-im-user-name: Display name of the client.
❐
x-im-user-state: Instant messaging user state.
❐
x-im-client-info: The instant messaging client information.
❐
x-im-buddy-id: Instant messaging buddy ID.
❐
x-im-buddy-name: Instant messaging buddy display name.
❐
x-im-buddy-state: Instant messaging buddy state
❐
x-im-chat-room-id: Instant messaging identifier of the chat room in use.
❐
x-im-chat-room-type: The chat room type, one of public or public, and possibly
invite_only, voice and/or conference.
❐
x-im-chat-room-members: The list of chat room member IDs.
❐
x-im-message-text: Text of the instant message.
❐
x-im-message-size: Length of the instant message
❐
x-im-message-route: The route of the instance message.
❐
x-im-message-type: The type of the instant message.
❐
x-im-file-path: Path of the file associated with an instant message.
Chapter 2: Managing Instant Messaging Protocols
❐
x-im-file-size: Size of the file (in...?) associated with an instant message.
Reference: CPL Triggers, Properties, and Actions
The following Blue Coat CPL is supported for IM:
Triggers
❐
im.buddy=
❐
im.chat_room.conference=
❐
im.chat_room.id=
❐
im.chat_room.invite_only=
❐
im.chat_room.type=
❐
im.chat_room.member=
❐
im.chat_room.voice_enabled=
❐
im.client=
❐
im.file.extension=
❐
im.file.name=
❐
im.file.path=
❐
im.file.size=
❐
im.message.opcode=
❐
im.message.reflected=
❐
im.message.route=
❐
im.message.size=
❐
im.message.text=
❐
im.message.type=
❐
im.method=
❐
im.user_agent=
❐
im.user_id=
Properties and Actions
❐
im.block_encryptions()
❐
im.reflect()
❐
im.strip_attachments()
❐
im.transport()
❐
im.alert()
IM History Statistics
The IM statistics allow you to track IM connections, file transfers, and messages
that are currently in use and in total, or have been allowed and denied. The
information can be displayed for each IM client type or combined.
IM Connection Data Tab
The following IM Connection Data statistics indicate current and overall
connection data since the last statistics clear:
31
Volume 3: Web Communication Proxies
❐
Native Clients—The
❐
HTTP Clients—The
❐
Chat Sessions—The
❐
Direct IM Sessions—The
❐
File Transfers—The
number of native IM clients connected.
number of HTTP IM clients connected.
number of IM chats occurring.
number of chats using direct connections.
number of file transfers sent through IM clients.
To view the connection data statistics:
1. Select Statistics > Protocol Details > IM History > IM Connection Data.
2. The default protocol is All. To select a specific protocol, select AOL, MSN, or
Yahoo from the drop-down list.
IM Activity Data Tab
The following IM Activity Data statistics indicate allowed and denied connections
since the last statistics clear:
❐
Logins—The
❐
Messages—The
❐
File Transfers—The
❐
Voice Chats—The
❐
Messages—The number of IM messages reflected or not reflected (if IM
Reflection policy is enabled).
number of times IM clients have logged in.
number of IM messages.
number of file transfers sent through IM clients.
number of voice conversations through IM clients.
Note: The IM activity data statistics are available only through the Management
Console.
To view the activity data statistics:
1. Select Statistics > Protocol Details > IM History > IM Activity Data.
32
Chapter 2: Managing Instant Messaging Protocols
2. The default protocol is All. To select a specific protocol, select AOL, MSN, or
Yahoo from the drop-down list.
IM Clients Tab
The IM Clients tab displays dynamic graphical statistics for connections over 60
minutes, 24 hours and 30 days. The page displays all values in the graph or clip a
percentage of peak values. When peak values are clipped by a percentage, that
percentage is allowed to fall off the top of the scale.
For example, if you clip 25% of the peaks, the top 25% of the values are allowed to
exceed the scale for the graph, showing greater detail for the remaining 75% of the
values.
Move the cursor over the graphs to dynamically display the color-coded AOL,
MSN, Yahoo, and total statistics.
Note: The IM clients statistics are available only through the Management
Console.
To view the client connection statistics:
1. Select Statistics > Protocol Details > IM History > IM Clients.
33
Volume 3: Web Communication Proxies
2. Select the Duration: for which the graph displays. The default is last hour. You
can select from last hour, last day, last month and all periods.
3. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
34
Chapter 3: Managing Streaming Media
This chapter describes how to manage streaming content on the enterprise
network through the ProxySG streaming proxies.
Topics of this Chapter
This chapter includes information about the following topics:
❐
Section A: "Concepts: Streaming Media" on page 36—Explain general
streaming solution concepts and terminology, as well as ProxySG streaming
solution concepts and functionality.
❐
Section B: "Configuring Streaming Media" on page 51—Provides
procedures for configuring the ProxySG to manage streaming media
applications and bandwidth.
❐
Section C: "Additional Windows Media Configuration Tasks" on page 65—
Provides additional procedures for configuring Windows Media.
❐
Section D: "Configuring Windows Media Player" on page 75—Explains
❐
how to configure the Windows Media client and describes associated
interactivities and access log conventions.
❐
Section E: "Configuring RealPlayer" on page 79—Explains how to configure
the Real Media client.
❐
Section F: "Configuring QuickTime Player" on page 83—Describes how to
configure the QuickTime client.
❐
Section G: "Supported Streaming Media Clients and Protocols" on page
84—Describes the vendor-specific streaming protocols supported by the
ProxySG.
35
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
Section A: Concepts: Streaming Media
This section contains the following topics:
❐
"How the ProxySG Accelerates and Controls Media Streaming" on page 36
❐
"What is Streaming Media?" on page 36
❐
"About Windows Media" on page 37
❐
"About Processing Streaming Media Content" on page 41
❐
"About Streaming Media Authentication" on page 48
How the ProxySG Accelerates and Controls Media Streaming
The ProxySG streaming media proxies allow you to monitor, control, limit, or
even block streaming media traffic on your network. Using the ProxySG for
streaming delivery improves the quality of streaming media, reducing stutter and
static. It supports the most popular streaming media clients: Windows Media,
Real Media, and QuickTime.
ProxySG supports a variety of acceleration, control, and visibility features for
streaming media. It provides acceleration features such as live splitting, video-ondemand caching, content prepopulation, and multicasting. It also offers control
and visibility features such as fine-grained policy control including
authentication, bandwidth limiting, access logging, and limiting the maximum
user connections. ProxySG supports all the delivery methods supported by the
client applications: TCP and UDP for unicast, HTTP, and multicast.
For example, ProxySG’s pre-population process can deliver on-demand videos to
branch offices during off-hours and save them for future viewing. ProxySG
appliances can also cache or save video requested from the headquarters location
by a user in a branch office and store it locally for use by subsequent viewers. In
the case of live video broadcasts, ProxySG appliances can take a single stream of
video and then split it locally into enough streams to serve all local viewers; this is
called live splitting. The appliance’s ability to identify individual users also
enables the company to track which employees have watched required videos.
What is Streaming Media?
Streaming media is a term used to describe media files that are served in discrete
paced individual packets rather than in bulk, playing while they are being
transmitted over the network to the media player on the client computer. In
contrast, conventional Web files, which are downloaded through a file transfer,
must be downloaded entirely before the user can view them. Commonly
requested types of streaming media are video and audio. Streaming media also
includes interactive media, cartoon-like animations, panoramic data, and more.
Live versus On-Demand Streaming Media
Streaming media is delivered in the following ways:
36
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
❐
Live media streams Live media streams occur in real time, like the news
program that you watch on your television set. Some organizations record a
live media stream and then broadcast the media stream to their employees or
customers at a specified time. All users who have requested the media stream
see the same media stream at the same time. Users are not able to rewind or
fast-forward the media stream.
❐
On-demand (previously-recorded) media streams Users can request these
on-demand media streams at a time most convenient to them. Users can
pause the media, seek to a different position, rewind, and fast-forward ondemand media streams. On-demand streaming content is commonly referred
to as VOD (vide-on-demand).
ProxySG supports both of these types of streaming media.
Streaming Media and Bandwidth
Video, audio, and other streaming media use a considerable amount of
bandwidth—much more than the amount of bandwidth needed for Web and
news traffic. For example, a media stream could require 10 KB each second,
whereas a Web page that the user views for 10 seconds could require 10 KB.
In the typical streaming server-client model, the streaming server sends a
separate copy of the media stream to each client that requested the same unique
stream. Because streaming media uses a considerable amount of bandwidth,
delivering multiple copies of the same media data between the streaming server
and the clients can cause significant network and server congestion. The more
clients that request the same media stream, the more bandwidth is used.
Planning for efficient bandwidth use is important for streaming media because
bandwidth use has a direct correspondence to the quality of the media streams
that are delivered to the clients. If your network is congested, your users are likely
to experience problems such as jagged video, patchy audio, and unsynchronized
video and audio as packets are dropped or arrive late. Conversely, the more
bandwidth that is available, the better the quality of media streams.
The ProxySG has several methods for allocating bandwidth to streaming media
traffic. See "Limiting Bandwidth" on page 43.
About Windows Media
For heightened security and control, some enterprises prefer network
environments that restrict Web traffic access (gateway connections) to port 80.
Furthermore, beginning with Windows Media Player (WMP) version 11, WMP
clients do not use the Microsoft Media Services (MMS) protocol—opting instead
for traffic over HTTP and the Real Time Streaming Protocol (RTSP).
Windows Media streaming over HTTP differs slightly from downloading
Windows Media objects over HTTP, which can be stored on any Web server.
Streaming content, however, must be hosted on Windows Media Servers that
allow the streaming of content over port 80.
37
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
Beginning in version 5.3, SGOS offers unified support for WM content delivered
over RTSP and HTTP. The ProxySG HTTP proxy hands off Windows Media
Player HTTP streaming requests to the Windows Media HTTP Module, which
itself is a component of the Windows Media RTSP Proxy.
The ProxySG supports the caching of WM content over the RTSP and HTTP
protocols. The ProxySG uses the same object cache, which means the content can
be served over RTSP and HTTP protocols. WM-HTTP and WM-RTSP both share
the same cache.
Live splitting is also supported over both protocols, where all RTSP clients are
served by an RTSP splitter and all HTTP clients are served by a separate HTTP
splitter, involving two separate live streams to the server, one each for RTSP and
HTTP.
Pre-Populating WM Objects Hosted on a Web Server
SGOS 5.3 also supports pre-population of WM content from a Web server for the
subsequent serving of RTSP and HTTP streaming requests for the content from
the cache. This feature is in addition to the already existing support for prepopulation of WM content from a WM server using the RTSP protocol. Existing
content CLI commands can be used for this feature.
For example:
content distribute rtsp://wm_server/bar.wmv from http://web_server/
bar.wmv
Note:
In the example above, rtsp://wm_server/bar.wmv should also be accessible
as a streaming object on a streaming server.
Windows Media Deployment
In a Gateway Proxy deployment, the ProxySG supports the caching and splitting
of WM content over the RTSP and HTTP protocols. In addition, there are
streaming-specific acceleration and policy checks for WM HTTP streaming traffic.
In a Reverse Proxy deployment, the ProxySG can function as a Windows Media
server, with WM content delivered over the RTSP and HTTP protocols.
As a Content Delivery Network (CDN) node, the ProxySG supports a shared
cache for pre-populated content for delivery over RTSP or HTTP protocols.
Deployment action: Windows Media clients must be configured to enable the
HTTP protocol to stream the WM content using HTTP protocol. Similarly, WM
clients must be configured to enable RTSP/TCP, and/or RTSP/UDP protocols to
stream WM content using RTSP protocol.
Supported Streaming Features
The following table describes the supported Windows Media streaming features.
38
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
Live Support
Table 3–1 Windows Media live streaming feature support
Feature
Live Support
Multi-Bit Rate and Thinning
Yes
UDP Retransmission
No
Server-Side Playlists
Yes
Stream Change
Yes
Splitting Server-Authenticated Data
Yes
Splitting Proxy-Authenticated Data
Yes
On-Demand Support
Table 3–2 Windows Media on-demand streaming feature support
Feature
On-Demand Support
Multi-Bit Rate and Thinning
Yes
Fast Forward and Rewind
No Caching
Fast Streaming
Yes
UDP Retransmission
No
Server-Side Playlists
No Caching
Stream Change
No
Caching Server-Authenticated Data
Yes
Caching Proxy-Authenticated Data
Yes
Adherence to RTSP Cache Directives
Yes
Partial File Caching
Yes
File Invalidation/Freshness checking for
Yes
Cached Files
Multicast Support
Table 3–3 Windows Media Multicast UDP streaming feature support
Feature
Multicast
Multi-Bit Rate and Thinning
Yes
Server-Side Playlists
No
Stream Change
No
39
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
Table 3–3 Windows Media Multicast UDP streaming feature support (Continued)
Feature
Multicast
Multicasting Server-Authenticated Data
No
Multicasting Proxy-Authenticated Data
No
Other Supported Features
The Windows Media streaming feature also supports the following features:
❐
Access logging for unicast clients
❐
Summary statistics in the Management Console
❐
Detailed statistics
❐
Forwarding of client streaming logs to origin servers.
Supported VPM Properties and Actions
Windows Media supports the following policy properties and actions:
❐
allow, deny, force_deny
❐
access_server(yes|no). Forces the ProxySG to deliver content only from the
cache. Requests for live streams are denied.
❐
authenticate(realm)
❐
forward(alias_list|no)
❐
forward.fail_open(yes|no)
❐
reflect_ip(auto|no|client|vip|<ip address>)
❐
bypass_cache(yes|no).
Forces the ProxySG to deliver content in pass-through
mode.
❐
limit_bandwidth()
❐
rewrite().
One-way URL rewrite of server-side URLs is supported.
Windows Media also supports the following streaming-relevant properties:
❐
max_bitrate(bitrate|no). Sets the maximum bit rate that can be served to the
client. (This property does not apply to the bit rate consumed on the gateway
connection.) If the bit rate of a client-side session exceeds the maximum bit
rate set by policy, that client session is denied.
❐
force_cache(yes|no).
Causes the ProxySG to ignore cache directives and
cache VOD content while serving it to clients.
Note: Windows Media does not support policy-based streaming transport
selection.
40
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
Bandwidth Management
Windows Media supports bandwidth management for both client-side and
gateway-side streaming traffic. Bandwidth limits are also be supported for passthrough streams. See "Limiting Bandwidth" on page 43 for more information.
About Processing Streaming Media Content
The following sections describe how the ProxySG processes, stores, and serves
streaming media requests. Using the ProxySG for streaming delivery minimizes
bandwidth use by allowing the ProxySG to handle the broadcast and allows for
policy enforcement over streaming use. The delivery method depends on whether
the content is live or video-on-demand.
Delivery Methods
The ProxySG supports the following streaming delivery methods:
❐
Unicast—A one-to-one transmission, where each client connects individually
to the source, and a separate copy of data is delivered from the source to each
client that requests it. Unicast supports both TCP- and UDP-based protocols.
The majority of streaming media traffic on the Internet is unicast.
❐
Multicast—Allows efficient delivery of streaming content to a large number of
users. Multicast enables hundreds or thousands of clients to play a single
stream, thus minimizing bandwidth use.
The following table provides a high-level comparison of unicast and multicast
transmission.
Table 3–4 Unicast vs. Multicast
Element
Unicast
Multicast
Connections
One-to-one transmission
One-to-many transmission
Transport
TCP, UDP, HTTP
IP multicast channel
Type of stream
Video-on-demand or live
streams
Live streams only
Device requirement
The network devices use
unicast.
The network devices must
support multicast (not all
do).
Serving Content: Live Unicast
A live broadcast can either be truly live or can be of prerecorded content. A
common example is a company president making a speech to all employees.
A ProxySG can serve many clients through one unicast connection by receiving
the content from the origin content server (OCS) and then splitting that stream to
the clients that request it. This method saves server-side bandwidth and reduces
the server load.
41
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
Note that you cannot pause or rewind live broadcasts.
Serving Content: Video-on-Demand Unicast
Video-on-demand (VOD) is a service in which individuals can select
programming from a central information bank, allowing a movie or film clip to be
broadcasted immediately when requested. Common examples of VOD include
training videos or news broadcasts.
A ProxySG stores frequently requested data and distributes it upon client
requests. Because the ProxySG is closer to the client than the origin server, the
data is served locally, which saves firewall bandwidth and increases quality of
service by reducing pauses or buffering during playback. Because of its proximity
to the end user, the ProxySG provides higher quality streams (also dependent on
the client connection rate) than the origin server.
Note that VOD content can be paused, rewound, and played back.
Serving Content: Multicast Streaming
Multicast transmission is analogous to a radio frequency on which any device can
listen. Any device that supports multicast can transmit on the multicast channel.
One copy of the data is sent to a group address. Devices in the group listen for
traffic at the group address and join the stream if clients in the routing tree are
requesting the stream. Only the group participants receive the traffic at the
address associated with the group. Broadcasts differ from multicast because
broadcast traffic is sent to the entire network.
For multicast transmission to occur, the network devices through which the
content is to be sent must support multicast. In particular:
❐
Content creators must explicitly set up their streaming servers to support
multicast.
For example, for Windows Media, content creators can set up multicastenabled stations, stations that are not multicast-enabled, or both. For
RealNetworks, the configuration of the server includes specifying whether the
server supports multicast and, if so, which clients (subnets) can use multicast.
❐
Routers on the path must support multicast.
❐
Clients must request a multicast transmission. Media players that are set for
multicast transmission simply join the multicast channel to receive the
streaming data, sometimes without establishing an explicit one-to-one
connection to the device sending the transmission.
Benefits of Multicast
The benefits of using multicast for streaming media include the following:
❐
42
It alleviates network congestion.
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
❐
For live streaming events that have a large audience, multicast significantly
reduces network traffic compared to the traffic that would result from
transmitting the same live event over unicast. If unicast transport is used, the
same content must be sent across the network multiple times or it must be
broadcast to all devices on the network.
❐
It scales well as the number of participants expand.
❐
It is well suited for efficient transmission over satellite links.
A company might, for example want to reserve WAN connections for
business-critical traffic, such as stock trades, but it needs a way to deliver
corporate broadcasts. The company could efficiently transmit corporate
broadcasts over satellite by using multicast transmission and reserve the
WAN for business-critical traffic.
❐
It enables network planners to proactively manage network growth and
control cost because deploying multicast is more cost-effective than
alternatives for increasing LAN and WAN capabilities.
Limitations of Multicast
The limitations of multicast include the following:
❐
In general, multicast support is not yet available on the Internet. Therefore,
using multicast to deliver content is limited to intranet-style deployments.
❐
Not all networking equipment supports multicasting. In addition, not all
network administrators enable the multicast functionality on their networking
equipment.
❐
Switches do not understand multicast. When a multicast stream reaches a
switch, the switch sends the multicast stream to all of its ports. A switch treats
a multicast address as an Ethernet broadcast.
About Serving Multicast Content
The ProxySG takes a multicast stream from the origin server and delivers it as a
unicast stream. This avoids the main disadvantage of multicasting—that all of the
routers on the network must be multicast-enabled to accept a multicast stream.
Unicast-to-multicast, multicast-to-multicast, and broadcast alias-(scheduled live
from stored content)-to-multicast are also supported.
For Windows Media multicast, a Windows Media Station file (.NSC) is
downloaded through HTTP to acquire the control information required to set up
content delivery.
For Real Media, multicasting maintains a TCP control (accounting) channel
between the client and media server. The multicast data stream is broadcast using
UDP from the ProxySG to streaming clients, who join the multicast.
Limiting Bandwidth
The following sections describe how to configure the ProxySG to limit global and
protocol-specific media bandwidth.
43
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
To manage streaming media bandwidth, you configure the ProxySG to restrict the
total number of bits per second the appliance receives from the origin media
servers and delivers to clients. The configuration options are flexible to allow you
to configure streaming bandwidth limits for the ProxySG, as well as for each
streaming protocol (Windows Media, Real Media, and QuickTime).
Note: Bandwidth claimed by HTTP, non-streaming protocols, and network
infrastructure is not constrained by this limit. Transient bursts that occur on the
network can exceed the hard limits established by the bandwidth limit options.
After it has been configured, the ProxySG limits streaming access to the specified
threshold. If a client tries to make a request after a limit has been reached, the
client receives an error message.
Note: If a maximum bandwidth limitation has been specified for the ProxySG,
the following condition can occur. If a Real Media client, followed by a Windows
Media client, requests streams through the same ProxySG and total bandwidth
exceeds the maximum allowance, the Real Media client enters the rebuffering
state. The Windows Media client continues to stream.
Consider the following features when planning to limit streaming media
bandwidth:
❐
ProxySG to server (all protocols)—The total kilobits per second allowed
between the appliance and any origin content server or upstream proxy for all
streaming protocols. Setting this option to 0 effectively prevents the ProxySG
from initiating any connections to the media server. The ProxySG supports
partial caching in that no bandwidth is consumed if portions of the media
content are stored in the ProxySG.
Limiting ProxySG bandwidth restricts the following streaming media-related
functions:
❐
•
Live streaming, where the proxy requests from the server, the sum of all
unique bit rates requested by the clients
•
The ability to fetch new data for an object that is partially cached
•
Reception of multicast streams
Client to ProxySG (all protocols)—The total kilobits per second allowed
between streaming clients and the ProxySG. Setting this option to 0 effectively
prevents any streaming clients from initiating connections through the
ProxySG.
Limiting client bandwidth restricts the following streaming media-related
functions:
•
44
MBR support; when lower bit-rate selection by the client could have
allowed the client to stream, the client is denied when the bandwidth limit
is exceeded
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
•
❐
Limits the transmission of multicast streams
Client connections—The total number of clients that can connect concurrently.
When this limit is reached, clients attempting to connect receive an error
message and are not allowed to connect until other clients disconnect. Setting
this variable to 0 effectively prevents any streaming media clients from
connecting.
Selecting a Method to Limit Streaming Bandwidth
The ProxySG offers two methods for controlling streaming bandwidth. The way
that each method controls bandwidth differs—read the information below to
decide which method best suits your deployment requirements.
Limiting streaming bandwidth using the streaming features (described in this
chapter) works as follows: if a new stream comes in that pushes above the
specified bandwidth limit, that new stream is denied. This method allows existing
streams to continue to get the same level of quality they currently receive.
The alternate way of limiting streaming bandwidth is with the bandwidth
management feature. With this technique, all streaming traffic for which you have
configured a bandwidth limit shares that limit. If a new stream comes in that
pushes above the specified bandwidth limit, that stream is allowed, and the
amount of bandwidth available for existing streams is reduced. This causes
streaming players to drop to a lower bandwidth version of the stream. If a lower
bandwidth version of the stream is not available, players that are not receiving
enough bandwidth can behave in an unpredictable fashion. In other words, if the
amount of bandwidth is insufficient to service all of the streams, some or all of the
media players experience a reduction in stream quality. For details, see Volume 6:
Advanced Networking.
Because of the degradation in quality of service, for most circumstances, Blue
Coat recommends that you use the streaming features to control streaming
bandwidth rather than the bandwidth management features. Do not use both
methods at the same time.
Caching Behavior: Protocol Specific
This section describes the type of content the ProxySG caches for each supported
protocol.
Windows Media
The ProxySG caches Windows Media-encoded video and audio files. The
standard extensions for these file types are: .wmv, .wma, and .asf.
Real Media
The ProxySG caches Real Media-encoded files, such as RealVideo and RealAudio.
The standard extensions for these file types are: .ra, .rm, and .rmvb. Other content
served from a Real Media server through RTSP is also supported, but it is not
45
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
cached. This content is served in pass-through mode only. (Pass-through mode
offers application, layer-7 proxy functionality, but does not support acceleration
features—caching, pre-population, splitting, and multi-casting.)
QuickTime
The ProxySG does not cache QuickTime content (.mov files). All QuickTime
content is served in pass-through mode only.
Caching Behavior: Video-on-Demand
The ProxySG supports the caching of files for VOD streaming. First, the client
connects to the ProxySG, which in turn connects to the origin server and pulls the
content, storing it locally. Subsequent requests of this same content are served
from the ProxySG. This provides bandwidth savings, as every hit to the ProxySG
means less network traffic. Blue Coat also supports partial caching of streams.
.
Note: On-demand files must be unicast.
Splitting Behavior: Live Broadcast
The ProxySG supports splitting of live content, but behavior varies depending
upon the media type.
For live streams, the ProxySG can split streams for clients that request the same
stream. First, the client connects to the ProxySG, which then connects to the origin
server and requests the live stream. Subsequent requests of the same content from
different clients are split from the appliance.
Two streams are considered identical by the ProxySG if they share the following
characteristics:
❐
The stream is a live or broadcast stream.
❐
The URL of the stream requested by client is identical.
❐
MMS (Microsoft Media Services), MMSU (MMS UDP), and MMST (MMS
TCP) are considered to be identical.
Splitting of live unicast streams provides bandwidth savings, since subsequent
requests do not increase network traffic.
Multiple Bit Rate Support
Content authors normally encode streaming media content into different bit rates
to meet the needs of the different speeds of Internet access—modem, ISDN, DSL,
and LAN. In contrast, the delivery bit rate is the actual speed at which the content
is delivered to the client. For example, a stream encoded for playback at 56Kbps
must be delivered to clients at a bit rate of 56Kbps or higher. A client with enough
bandwidth might ask the streaming server to send the 56Kbps encoded stream at
220Kbps; the data is buffered locally and played back at 56Kbps. The playback
46
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
experience of 56Kbps stream delivered at 220Kbps would be better at 220Kbps
than at 56Kbps. The reason is that more time is available for the client to request
packets to be retransmitted if packets are dropped.
The ProxySG supports multiple bit rate (MBR), which is the capability of a single
stream to deliver multiple bit rates to clients requesting content from caches from
within varying levels of network conditions (such as different connecting
bandwidths and varying levels of competing traffic). This allows the ProxySG and
the client to negotiate the optimal stream quality for the available bandwidth even
when the network conditions are bad. MBR increases client-side streaming
quality, especially when the requested content is not cached.
The ProxySG caches only the requested bit rate. For example, a media client that
requests a 50Kbps stream receives that stream, and the ProxySG caches only the
50Kbps bit rate content, no other rate.
Bit Rate Thinning
Thinning support is closely related to MBR, but thinning allows for data rate
optimizations even for single data-rate media files. If the media client detects that
there is network congestion, it requests a subset of the single data rate stream. For
example, depending on how congested the network is, the client requests only the
key video frames or audio-only instead of the complete video stream.
Pre-Populating Content
The ProxySG supports pre-population of streaming files from both HTTP (Web)
servers and origin content servers (that is, streaming servers). Downloading
streaming files from HTTP servers reduces the time required to pre-populate the
file.
Note: QuickTime content is not supported.
Pre-population can be accomplished through streaming from the media server.
The required download time is equivalent to the file length; for example, a twohour movie requires two hours to download. Now, if the media file is hosted on
an HTTP server, the download time occurs at normal transfer speeds of an HTTP
object, and is independent of the play length of the media file.
Note: Content must be hosted on an HTTP server in addition to the media server.
Using the content distribute CLI command, content is downloaded from the
HTTP server and renamed with a given URL argument. A client requesting the
content perceives that the file originated from a media server. If the file on the
origin media server experiences changes (such as naming convention), SGOS
bypasses the cached mirrored version and fetches the updated version.
47
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
About Fast Streaming (Windows Media)
Note: This feature applies to Windows Media only.
Windows Media Server version 9 and higher contains a feature called Fast
Streaming that allows clients to provide streams with extremely low buffering
time.
SGOS supports the following functionality for both cached and uncached content:
❐
Fast Start—Delivers an instant playback experience by eliminating buffering
time. The first few seconds of data are sent using the maximum available
bandwidth so that playback can begin as soon as possible.
❐
Fast Cache—Streams content to clients faster than the data rate that is
specified by the stream format.
Fast Recovery and Fast Reconnect are currently not supported.
About QoS Support
The ProxySG supports Quality of Service (QoS), which allows you to create policy
to examine the Type of Service fields in IP headers and perform an action based
on that information. For streaming protocols, managing the QoS assists with
managing bandwidth classes.
For detailed information about managing QoS, see the Advanced Policy chapter
in Volume 6: The Visual Policy Manager and Advanced Policy.
About Streaming Media Authentication
The following sections discuss authentication between streaming media clients
and ProxySG appliances and between ProxySG appliances and origin content
servers (streaming servers).
Windows Media Server-Side Authentication
Windows Media server authentication for HTTP and MMS supports the
following authentication types:
❐
HTTP—BASIC Authentication and Membership Service Account
❐
HTTP—BASIC Authentication and Microsoft Windows Integrated Windows
Authentication (IWA) Account Database
❐
IWA Authentication and IWA Account Database
The ProxySG supports the caching and live-splitting of server-authenticated data.
It has partial caching functionality so that multiple security challenges are not
issued to Windows Media Player when it accesses different portions of the same
media file.
48
Chapter 3: Managing Streaming Media
Section A: Concepts: Streaming Media
The first time Windows Media content is accessed on the streaming server, the
ProxySG caches the content along with the authentication type that was enabled
on the origin server at the time the client sent a request for the content. The cached
authentication type remains until the appliance learns that the server has changed
the enabled authentication type, either through cache coherency (checking to be
sure the cached contents reflect the original source) or until the ProxySG connects
to the origin server (to verify access credentials).
Windows Media Proxy Authentication
If you configure proxy authentication on the ProxySG, Windows Media clients
are authenticated based on the policy settings. The ProxySG evaluates the request
from the client and verifies the accessibility against the set policies. Windows
Media Player then prompts the client for the proper password. If the client
password is accepted, the Windows Media server might also require the client to
provide a password for authentication. If a previously accepted client attempts to
access the same Windows Media content again, the ProxySG verifies the user
credentials using its own credential cache. If successful, the client request is
forwarded to the Windows Media server for authentication.
Windows Media Player Authentication Interactivities
Consider the following proxy authentication interactivities with Windows Media
Player (except when specified, these do not apply to HTTP streaming):
❐
If the proxy authentication type is configured as BASIC and the server
authentication type is configured as IWA, the default is denial of service.
❐
If proxy authentication is configured as IWA and the server authentication is
configured as BASIC, the proxy authentication type defaults to BASIC.
❐
The ProxySG does not support authentication based on url_path or
url_path_regex conditions when using mms as the url_scheme.
❐
Transparent style HTTP proxy authentication fails to work with Windows
Media Players when the credential cache lifetime is set to 0 (independent of
whether server-side authentication is involved).
❐
If proxy authentication is configured, a request for a stream through HTTP
prompts the user to enter access credentials twice: once for the proxy
authentication and once for the media server authentication.
❐
Additional scenarios involving HTTP streaming exist that do not work when
the TTL is set to zero (0), even though only proxy authentication (with no
server authentication) is involved. The ProxySG returning a 401-style proxy
authentication challenge to Windows Media Player 6.0 does not work because
the Player cannot resolve inconsistencies between the authentication response
code and the server type returned from the ProxySG. This results in an infinite
loop of requests and challenges. Example scenarios include transparent
authentication—resulting from either a transparent request from a player or a
hard-coded service specified in the ProxySG—and request of cache-local
(ASX-rewritten or unicast alias) URLs.
49
Volume 3: Web Communication Proxies
Section A: Concepts: Streaming Media
Windows Media Server Authentication Type (MMS)
Note: This section applies to Windows Media MMS and requires the CLI.
Configure the ProxySG to recognize the type of authentication the origin content
server is using: BASIC or NTLM/Kerberos.
To configure the media server authentication type for WM-MMS:
At the (config) prompt, enter the following command:
SGOS#(config) streaming windows-media server-auth-type {basic | ntlm}
Real Media Proxy Authentication
If you configure proxy authentication on the ProxySG, Real Media clients are
authenticated based on the policy settings. The ProxySG evaluates the request
from the client and verifies the accessibility against the set policies. Next,
RealPlayer prompts the client for the proper password. If the client password is
accepted, the Real Media server can also require the client to provide a password
for authentication. If a previously accepted client attempts to access the same Real
Media content again, the ProxySG verifies the user credentials using its own
credential cache. If successful, the client request is forwarded to the Real Media
server for authentication.
Real Media Player Authentication Limitation
Using RealPlayer 8.0 in transparent mode with both proxy and Real Media server
authentication configured to BASIC, RealPlayer 8.0 always sends the same proxy
credentials to the media server. This is regardless of whether a user enters in
credentials for the media server. Therefore, the user is never authenticated and
the content is not served.
QuickTime Proxy Authentication
BASIC is the only proxy authentication mode supported for QuickTime clients. If
an IWA challenge is issued, the mode automatically downgrades to BASIC.
50
Chapter 3: Managing Streaming Media
Section B: Configuring Streaming Media
Section B: Configuring Streaming Media
This section describes how to configure the various ProxySG streaming options. It
contains the following topics:
❐
"Configuring Streaming Services to Intercept Traffic" on page 51
❐
"Configuring the Streaming Proxies" on page 55
❐
"Limiting Bandwidth" on page 56
❐
"Configuring the ProxySG Multicast Network" on page 58
❐
"Forwarding Client Logs" on page 59
❐
"Related CLI Syntax to Manage Streaming" on page 60
❐
"Reference: Access Log Fields" on page 60
❐
"Reference: CPL Triggers, Properties, and Actions" on page 62
❐
"Streaming History Statistics" on page 62
Related Topics
You must also configure the network service (Configuration > Network > Services) to
assign port numbers and modes (transparent or proxy). For more information,
refer to Volume 2: Proxies and Proxy Services.
Configuring Streaming Services to Intercept Traffic
By default (upon upgrade and on new systems), the ProxySG has streaming
services configured on ports 1755 (MMS) and 554 (RTSP). The services are
configured to listen to all IP addresses, but are set to Bypass mode.
The following procedure describes how to change the service to Intercept mode.
To configure the MMS/RTSP proxy services attributes:
1. From the Management Console, select Configuration > Services > Proxy Services.
51
Volume 3: Web Communication Proxies
Section B: Configuring Streaming Media
2a
2b
2c
2. Change the streaming services to Intercept:
a. Scroll the list of services and select the Standard service group; select
the MMS and RTSP groups (the service trees expand).
b. From the MMS: <All>:1755 drop-down list, select Intercept.
c. From the RTSP: <All>:554 drop-down list, select Intercept.
3. Click Apply.
Now that the streaming listeners are configured, you can configure the streaming
proxies. Proceed to:
❐
"Configuring the Streaming Proxies" on page 55 to configure the proxy
options that determine how to process streaming traffic.
❐
"Adding a New Streaming Service" (below) to add new streaming services
that bypass specific network segments or listen on ports other than the
defaults.
Adding a New Streaming Service
The ProxySG allows you to add new streaming services. Consider the following
scenario: you want the ProxySG to exclude (bypass) an IP address/subnet from
intercepting streaming because that network segment is undergoing routine
maintenance.
To add a new streaming service:
1. From the Management Console, select Configuration > Services > Proxy Services.
52
Chapter 3: Managing Streaming Media
Section B: Configuring Streaming Media
2
3
2. Scroll the list of services and select the Standard service group.
3. Click New Service. The New Service dialog displays with the default settings.
53
Volume 3: Web Communication Proxies
Section B: Configuring Streaming Media
4a
4b
4c
4e
4f
4d
4g
4. Configure the service options:
a. Name the service. In this example, the service is named
ExcludeStreaming because the network admin wants to prevent the
ProxySG from intercepting streaming traffic from a specific IP address.
b. From the Service Group drop-down list, select Standard—the service
group to which streaming traffic belongs.
c. From the Proxy Settings drop-down list, select MMS or RTSP.
54
Chapter 3: Managing Streaming Media
Section B: Configuring Streaming Media
Note: To bypass traffic from both streaming protocols, create another
service for the streaming protocol not selected in this step.
d. Click New. The New Listener dialog displays.
e. This example selects the Destination host or subnet option and specifies a
sample IP address.
f.
This example accepts the default value of 554, the default port for the
RTSP protocol. If the ProxySG is intercepting streaming traffic on a
different port, you must specify the port number here.
g. This example selects Bypass as the option; the ProxySG will not
intercept streaming traffic.
h. Click OK in each dialog to close them. The new service displays under
the Intranet service group as its own service, not under the Endpoint
Mapper service.
Configuring the Streaming Proxies
This section describes how to configure the Streaming Media proxies. The
Windows Media and Real Media proxy options are identical except for one extra
option for Real Media. As QuickTime is passed through the ProxySG and not
cached, there is only one option (Enable HTTP Handoff).
To configure Windows Media, Real Media, and QuickTime streaming proxies:
1. From the Management Console, select Configuration > Proxy Settings> Streaming
Proxies > Windows Media, Real Media, or QuickTime.
2
3
4
5
2. Specify how often the ProxySG checks cached streaming content for freshness.
•
Never check freshness:
Although this is the default setting, Blue Coat
recommends selecting one of the other freshness options.
55
Volume 3: Web Communication Proxies
Section B: Configuring Streaming Media
•
Check freshness every value hours:
The ProxySG checks content freshness
every n.nn hours.
Note: A value of 0 requires the streaming content to always be checked
for freshness.
•
Check freshness every access:
Every time cached content is requested, it is
checked for freshness.
3. Enable HTTP handoff: Enabled by default. When a Windows Media, Real Media,
or QuickTime client requests a stream from the ProxySG over port 80, which
in common deployments is the only port that allows traffic through a firewall,
the HTTP module passes control to the streaming module so HTTP streaming
can be supported through the HTTP proxy port. Only disable if you do not
want HTTP streams to be cached or split.
4. Forward client-generated logs to origin media server: Enabled by default. The
ProxySG logs information, such as client IP address, the date, and the time, to
the origin server for Windows Media and Real Media content. See
"Forwarding Client Logs" on page 59 for more information about log
forwarding.
5. Enable multicast (Real Media proxy only): The ProxySG receives a unicast
stream from the origin RealServer and serves it as a multicast broadcast. This
allows the ProxySG to take a one-to-one stream and split it into a one-to-many
stream, saving bandwidth and reducing the server load. It also produces a
higher quality broadcast.
Multicasting maintains a TCP control (accounting) channel between the client
and RealServer. The multicast data stream is broadcast using UDP from the
ProxySG to RealPlayers that join the multicast. The ProxySG support for Real
Media uses UDP port 554 (RTSP) for multicasting. This port number can be
changed to any valid UDP port number.
6. Click Apply.
Note: For multicast, additional configuration is required. See "Configuring the
ProxySG Multicast Network" on page 58.
Limiting Bandwidth
This section describes how to limit bandwidth from the clients to the ProxySG
and the ProxySG to origin content servers.
Configuring Bandwidth Limits—Global
This section describes how to limit bandwidth use of all streaming protocols
through the ProxySG.
56
Chapter 3: Managing Streaming Media
Section B: Configuring Streaming Media
To specify the bandwidth limit for all streaming protocols:
1. Select Configuration > Proxy Settings> Streaming Proxies > General.
2a
2b
2. To limit the client connection bandwidth:
a. In the Bandwidth field, select Limit client bandwidth to. In the Kilobits/sec
field, enter the maximum number of kilobits per second that the
ProxySG allows for all streaming client connections.
Note: This option is not based on individual clients.
b. In the Bandwidth pane, select Limit gateway bandwidth. In the Kilobits/sec
field, enter the maximum number of kilobits per second that the
ProxySG allows for all streaming connections to origin media servers.
3. Click Apply.
Configuring Bandwidth Limits—Protocol-Specific
This section describes how to limit bandwidth use per-protocol through the
ProxySG. You can also limit the number of connections from the ProxySG to the
OCS. The following example uses Real Media, but the Management Console
screens are identical for all protocols.
To specify the bandwidth limit for Windows Media, Real Media, or QuickTime:
1. Select Configuration > Proxy Settings> Streaming Proxies > WMedia Bandwidth -orRMedia Bandwidth -or- QuickTime Bandwidth.
57
Volume 3: Web Communication Proxies
Section B: Configuring Streaming Media
2a
2b
3
2. Configure bandwidth limit options:
a. To limit the bandwidth for client connections to the ProxySG, select
Limit client bandwidth to. In the Kilobits/sec field, enter the maximum
number of kilobits per second that the ProxySG allows for all
streaming client connections.
b. To limit the bandwidth for connections from the ProxySG to origin
content servers, select Limit gateway bandwidth to. In the Kilobits/sec field,
enter the maximum number of kilobits per second that the ProxySG
allows for all streaming connections to origin media servers.
3. To limit the bandwidth for connections from the ProxySG to the OCS, select
Limit maximum connections. In the clients field, enter the total number of clients
that can connect concurrently.
4. Click Apply.
Configuring Bandwidth Limitation—Fast Start (WM)
Note: This section applies to Windows Media only and requires the CLI.
Upon connection to the ProxySG, Windows Media clients do not consume more
bandwidth (in kilobits per second) than the defined value.
To specify the maximum starting bandwidth:
At the (config) prompt, enter the following command:
SGOS#(config) streaming windows-media max-fast-bandwidth kbps
Configuring the ProxySG Multicast Network
This section describes how to configure the ProxySG multicast service. Additional
steps are required to configure the ProxySG to serve multicast broadcasts to
streaming clients (Windows Media and Real Media); those procedures are
provided in subsequent sections.
To configure the multicast service:
1. Select Configuration > Services > Streaming Proxies > General.
58
Chapter 3: Managing Streaming Media
Section B: Configuring Streaming Media
2a
2b
2c
2. Configure multicast options:
a. In the Maximum hops field, enter a time-to-live (TTL) value.
b. In the IP range fields, enter the range of IP addresses that are available
for multicast.
c. In the Port range fields, enter the range of ports available for multicast.
3. Click Apply.
4. Enable multicast:
•
Real Media: See Step 5 on page 56.
•
Windows Media: See "Managing Multicast Streaming for Windows
Media" on page 65.
Forwarding Client Logs
The ProxySG can log information about Windows Media and Real Media
streaming sessions between the client and the ProxySG and can also forward
these client generated logs to the origin media server. Additionally, for Windows
Media RTSP only, ProxySG also supports forwarding values for certain fields to
the server, when windows-media streaming proxy has log forwarding enabled
and logging compatibility disabled.
Note: For Real Media, the log is only forwarded before a streaming session is
halted; QuickTime log forwarding is not supported.
The following fields are included in the client log record:
❐
cs-uri-stem:
❐
s-cpu-util:
❐
s-totalclients:
❐
URI stem of the client request.
CPU utilization of the ProxySG.
Clients connected to the ProxySG (but not necessarily
receiving streams).
s-pkts-sent:
Number of packets the ProxySG sent to the client, during the
playspurt.
59
Volume 3: Web Communication Proxies
Section B: Configuring Streaming Media
❐
s-proxied:
Set to 1 for proxied sessions.
❐
s-session-id: A unique ID of the streaming session between the client and the
ProxySG.
❐
sc-bytes:
Number of bytes the ProxySG sent to the client, during the
playspurt.
To enable/disable log forwarding:
Use the Management Console (see "Configuring the Streaming Proxies" on page
55) or use the following CLI command at the (config) prompt:
SGOS#(config) streaming windows-media log-forwarding {enable |
disable}
To enable/disable RTSP log compatibility:
At the (config) prompt, enter the following command:
SGOS#(config) streaming windows-media log-compatibility {enable |
disable}
Related CLI Syntax to Manage Streaming
❐
To enter configuration mode:
SGOS#(config) proxy-services
SGOS#(config proxy-services) create {mms | rtsp} service_name
❐
The following submodes are available:
SGOS#(config) streaming max-client-bandwidth kbits_second
SGOS#(config) streaming max-gateway-bandwidth kbits_second
SGOS#(config) streaming {windows-media | real-media | quicktime} {maxclient-bandwidth kbits_second | no max-client-bandwidth}
SGOS#(config) streaming {windows-media | real-media | quicktime} {maxgateway-bandwidth kbits_second | no max-gateway-bandwidth}
SGOS#(config) streaming {windows-media | real-media | quicktime} {maxconnections number | no max-connection}
SGOS#(config) streaming {windows-media | real-media | quicktime} httphandoff disable
SGOS#(config) streaming {windows-media | real-media} refresh-interval
number.number
SGOS#(config) streaming real-media multicast enable
SGOS#(config) streaming windows-media server-auth-type {basic | ntlm}
SGOS#(config) content-distribute url [from url]
Reference: Access Log Fields
The QuickTime and Real Media proxies generate a streaming access log at the end
of a streaming session; the Windows Media proxy generates a log entry when one
of the following occurs:
❐
60
It receives a log record from the client at the end of each playspurt.
Chapter 3: Managing Streaming Media
Section B: Configuring Streaming Media
❐
A denial or error condition prevents the client from creating a playspurt or
ends the playspurt abruptly. Examples include: when a client is denied access
due to authentication failures or content filtering, when the ProxySG is unable
to process a session due to bandwidth or connection allocation errors, and
when the server returns an error to a client request.
The type of action is recorded in the s-action access log field: ALLOWED, DENIED,
FAILED, SERVER_ERROR.
The streaming-specific access log fields are described below, in alphabetical
order.
❐
audiocodec:
Audio codec used in stream.
❐
avgbandwidth: Average bandwidth (in bits per
second) at which the client was
connected to the server.
❐
channelURL:
URL to the .nsc file.
❐
c-buffercount:
❐
c-bytes:
Number of times the client buffered while playing the stream.
An MMS-only value of the total number of bytes delivered to the
client.
❐
c-cpu:
❐
c-hostexe:
❐
c-hostexever:
❐
c-os:
❐
c-osversion:
❐
c-playerid:
❐
c-playerlanguage:
❐
c-playerversion:
❐
Client computer CPU type.
Host application.
Host application version number.
Client computer operating system.
c-rate:
Client computer operating system version number.
Globally unique identifier (GUID) of the player.
Client language-country code.
Version number of the player.
Mode of Windows Media Player when the last command event was
sent.
❐
c-starttime: Timestamp (in seconds) of the stream when an entry is
generated in the log file.
❐
c-status:
❐
c-totalbuffertime:
❐
filelength:
❐
filesize:
Size of the file (in bytes).
❐
protocol:
Protocol used to access the stream: mms, http, or asfm.
❐
s-session-id:
❐
s-totalclients:
Codes that describe client status.
Time (in seconds) the client used to buffer the stream.
Length of the file (in seconds).
Session ID for the streaming session.
Clients connected to the server (but not necessarily receving
streams).
❐
transport:
Transport protocol used (UDP, TCP, multicast, and so on).
61
Volume 3: Web Communication Proxies
Section B: Configuring Streaming Media
❐
videocodec:
❐
x-cache-info: Values: UNKNOWN, DEMAND_PASSTHRU, DEMAND_MISS, DEMAND_HIT,
LIVE_PASSTHRU, LIVE_SPLIT.
❐
x-duration: Length of time a client played content prior to a client event (FF,
REW, Pause, Stop, or jump to marker).
❐
x-wm-c-dns:
Video codec used to encode the stream.
Hostname of the client determined from the Windows Media
protocol.
❐
x-wm-c-ip:
The client IP address determined from the Windows Media
protocol.
❐
x-cs-streaming-client: Type
real_media, or quicktime).
❐
x-rs-streaming-content:
❐
x-streaming-bitrate:
of streaming client in use (windows_media,
Type of streaming content served.
The reported client-side bitrate for the stream.
Reference: CPL Triggers, Properties, and Actions
The following Blue Coat CPL is supported in streaming proxies:
Triggers
❐
streaming.client=
❐
streaming.content=
Properties and Actions
streaming.transport=
Streaming History Statistics
The Streaming History tabs (Windows Media, Real Media, and QuickTime) display
bar graphs that illustrate the number of active client connections over the last
hour (60 minutes), day (24 hours), and month (30 days). These statistics are not
available through the CLI. The Current Streaming Data and Total Streaming Data
tabs display real-time values for current connection and live traffic activity on the
ProxySG. Current and total streaming data statistics are available through the
CLI.
To view client statistics:
1. Select Statistics > Protocol Details > Streaming History.
2. Select the tab for the client for which you want to view statistics: Windows
Media, RealMedia, QuickTime.
3. Select the Duration: from the drop-down menu.
Choose from Last Hour, Last Day, Last Month, and All Periods.
62
Chapter 3: Managing Streaming Media
Section B: Configuring Streaming Media
4. (Optional) To set the graph scale to a different value, select a value from the
Graph scale should drop-down list.
Viewing Current and Total Streaming Data Statistics
The Management Console Current Streaming Data tab and the Total Streaming Data tab
show real-time values for Windows Media, Real Media, and QuickTime activity
on the ProxySG. These statistics can also viewed through the CLI.
To view current streaming data statistics:
1. Select Statistics > Protocol Details > Streaming History > Current Streaming Data.
2. Select a streaming protocol (Windows Media, Real Media, QuickTime) from the
Protocol drop-down list.
3. Select a traffic connection type (Live Traffic, On-Demand Traffic, or Passthru Traffic)
from the drop-down list.
To view total streaming data statistics:
1. Select Statistics > Streaming History > Total Streaming Data.
63
Volume 3: Web Communication Proxies
Section B: Configuring Streaming Media
2. Select a streaming protocol (Windows Media, Real Media, QuickTime) from the
Protocol drop-down list.
3. Select a traffic connection type (Live Traffic, On-Demand, or Passthru Traffic) from
the drop-down list.
To clear streaming statistics:
To zero-out the streaming statistics, enter the following command at the CLI
prompt:
SGOS# clear-statistics {quicktime | real-media | windows-media}
64
Chapter 3: Managing Streaming Media
Section C: Additional Windows Media Configuration Tasks
Section C: Additional Windows Media Configuration Tasks
This section provides Windows Media configuration tasks that aren’t available
through the Management Console, but can be executed through the CLI.
This section contains the following topics:
❐
"Managing Multicast Streaming for Windows Media" on page 65
❐
"Managing Simulated Live Content (Windows Media)" on page 69
❐
"ASX Rewriting (Windows Media)" on page 71
Managing Multicast Streaming for Windows Media
This section describes multicast station and .nsc files, and explains how to
configure the ProxySG to send multicast broadcasts to Windows Media clients.
About Multicast Stations
A multicast station is a defined location from where Windows Media Player
retrieves live streams. This defined location allows Advanced Streaming Format
(.asf) streams to be delivered to many clients using only the bandwidth of a
single stream. Without a multicast station, streams must be delivered to clients
through unicast.
A multicast station contains all of the information needed to deliver .asf content
to a Windows Media Player or to another ProxySG, including:
❐
IP address
❐
Port
❐
Stream format
❐
TTL value (time-to-live, expressed hops)
The information is stored in an .nsc file, which Window Media Player must be
able to access to locate the IP address.
If Windows Media Player fails to find proper streaming packets on the network
for multicast, the player can roll over to a unicast URL. Reasons for this include
lack of a multicast-enabled router on the network or if the player is outside the
multicast station’s TTL. If the player fails to receive streaming data packets, it uses
the unicast URL specified in the .nsc file. All .nsc files contain a unicast URL to
allow rollover.
Unicast to Multicast
Unicast to multicast streaming requires converting a unicast stream on the serverside connection to a multicast station on the ProxySG. The unicast stream must
contain live content before the multicast station works properly. If the unicast
stream is a video-on-demand file, the multicast station is created but is not able to
send packets to the network. For video-on-demand files, use the broadcast-alias
command. A broadcast alias defines a playlist, and specifies a starting time, date,
and the number of times the content is repeated.
65
Volume 3: Web Communication Proxies
Section C: Additional Windows Media Configuration Tasks
Multicast to Multicast
Use the multicast-alias command to get the source stream for the multicast
station.
Creating a Multicast Station
To create a multicast station, you perform the following steps:
❐
Define a name for the multicast station.
❐
Define the source of the multicast stream.
❐
(Optional) Change the port range to be used.
❐
(Optional) Change the IP address range of the multicast stream.
❐
(Optional) Change the Time-to-Live (TTL) value. TTL is a counter within an
ICMP packet. As a packet goes through each router, the router decrements
this TTL value by 1. If the packet traverses enough routers for the value to
reach 0, routers will no longer forward this packet.
❐
Use the multicast alias, unicast alias, and broadcast alias commands to enable
the functionality.
Syntax
multicast-station name {alias | url} [address | port | ttl]
where
•
name
•
{alias | url}
•
[address | port | ttl] are optional commands that you can use to
override the default ranges of these values. (Defaults and permissible
values are discussed below.)
specifies the name of the multicast station, such as station1.
defines the source of the multicast stream. The source can
be a URL or it can be a multicast alias, a unicast alias, or simulated live.
(The source commands must be set up before the functionality is enabled
within the multicast station.)
Example 1: Create a Multicast Station
This example:
❐
Creates a multicast station, named station1, on ProxySG 10.25.36.47.
❐
Defines the source as rtsp://10.25.36.47/tenchi
❐
Accepts the address, port, and TTL default values.
SGOS#(config) streaming windows-media multicast-station station1
rtsp://10.25.36.47/tenchi.
To delete multicast station1:
SGOS#(config) streaming no multicast-station station1
66
Chapter 3: Managing Streaming Media
Section C: Additional Windows Media Configuration Tasks
Example 2: Create a Broadcast Alias and Direct a Multicast Station to Use
it as the Source
This example:
❐
To allow unicast clients to connect through multicast, creates a broadcast alias
named array1; defines the source as rtsp://10.25.36.48/tenchi2.
❐
Instructs the multicast station from Example 1, station1, to use the broadcast
alias, array1, as the source.
SGOS#(config) streaming windows-media broadcast-alias array1 rtsp://
10.25.36.48/tenchi2 0 today noon
SGOS#(config) streaming windows-media multicast-station station1
array1
Changing Address, Port, and TTL Values
Specific commands allow you to change the address range, the port range, and
the default TTL value. To leave the defaults as they are for most multicast stations
and change it only for specified station definitions, use the multicast-station
command.
The multicast-station command randomly creates an IP address and port from
the specified ranges.
❐
Address-range: the default ranges from 224.2.128.0 to 224.2.255.255; the
permissible range is between 224.0.0.2 and 239.255.255.255.
❐
Port-range: the default ranges from 32768 to 65535; the permissible range is
between 1 and 65535.
❐
TTL value: the default value is 5 hops; the permissible range is from 1 to 255.
Syntax, with Defaults Set
multicast address-range <224.2.128.0>-<224.2.255.255>
multicast port-range <32768>-<65535>
multicast ttl <5>
Getting the .nsc File
The .nsc file is created from the multicast station definition and saved through
the browser as a text file encoded in a Microsoft proprietary format.
Without an .nsc file, the multicast station definition does not work.
To create an .nsc file from the newly created station1, open the file by navigating
through the browser to the multicast station’s location (where it was created) and
save the file as station1.nsc.
The file location, based on the streaming configuration above:
http://10.25.36.47/MMS/nsc/station1.nsc
Save the file as station1.nsc.
Note: You can also enter the URL in Windows Media Player to start the stream.
67
Volume 3: Web Communication Proxies
Section C: Additional Windows Media Configuration Tasks
The newly created file is not editable; the settings come from the streaming
configuration file. In that file, you have already defined the following pertinent
information:
❐
The address, which includes TTL, IP address, IP port, Unicast URL, and the
NSC URL. All created .nsc files contain a unicast URL for rollover in case
Windows Media Player cannot find the streaming packets.
❐
The description, which references the RTSP URL that you defined.
❐
The format, which contains important Advanced Streaming Format (ASF)
header information. All streams delivered by the multicast station definition
have their ASF headers defined here.
Monitoring the Multicast Station
You can determine the multicast station definitions by viewing the streaming
Windows Media configuration.
To view the multicast station setup:
SGOS#(config) show streaming windows config
; Windows Media Configuration
license:
1XXXXXXX-7XXXXXXX-7XXXXX
logging: enable
logging
enable
http-handoff: enable
live-retransmit: enable
transparent-port (1755):
enable
explicit proxy: 0
refresh-interval:
no refresh interval (Never check freshness)
max connections:
no max-connections (Allow maximum
connections)
max-bandwidth:
no max-bandwidth (Allow maximum bandwidth)
max-gateway-bandwidth:
no max-gateway-bandwidth (Allow maximum
bandwidth)
multicast address:
224.2.128.0 – 224.2.255.255
multicast port:
32768 – 65535
multicast TTL:
5
asx-rewrite:
No rules
multicast-alias:
No rules
unicast-alias:
No rules
broadcast-alias:
No rules
multicast-station:
station1 rtsp://10.25.36.47/tenchi
224.2.207.0 40465 5 (playing)
Note: Playing at the end of the multicast station definition indicates that the
station is currently sending packets onto the network. The IP address and
port ranges have been randomly assigned from the default ranges allowed.
To determine the current client connections and current ProxySG connections, use
the show streaming windows-media statistics command.
68
Chapter 3: Managing Streaming Media
Section C: Additional Windows Media Configuration Tasks
To view the multicast station statistics:
SGOS#(config) show streaming windows stat
;Windows Media Statistics
Current client connections:
by transport: 0 UDP, 0 TCP, 0 HTTP, 1 multicast
by type: 1 live, 0 on-demand
Current gateway connections:
by transport: 0 UDP, 1 TCP, 0 HTTP, 0 multicast
by type:
1 live, 0 on-demand
Multicast to Unicast Live Conversion at the ProxySG
The ProxySG supports converting multicast streams from an origin content server
to unicast streams. The stream at the ProxySG is given the appropriate unicast
headers to allow the appliance to direct one copy of the content to each user on
the network.
Multicast streaming only uses UDP protocol and does not know about the control
channel, which transfers essential file information. The .nsc file (a file created offline that contains this essential information) is retrieved at the beginning of a
multicast session from an HTTP server. The multicast-alias command specifies
an alias to the URL to receive this .nsc file.
The converted unicast stream can use any of the protocols supported by Windows
Media, including HTTP streaming.
When a client requests the alias content, the ProxySG uses the URL specified in
the multicast-alias command to fetch the .nsc file from the HTTP server.
The .nsc file contains all of the multicast-related information, such as addresses
and .asf file header information that is normally exchanged through the control
connection for unicast-delivered content.
Note: For Windows Media streaming clients, additional multicast information is
provided in "Managing Multicast Streaming for Windows Media" on page 65.
Managing Simulated Live Content (Windows Media)
This section describes simulated live content and how to configure the ProxySG to
manage and serve simulated live content.
About Simulated Live Content
The simulated live content feature defines playback of one or more video-ondemand files as a scheduled live event, which begins at a specified time. The
content can be looped multiple times, or scheduled to start at multiple start times
throughout the day. If used in conjunction with the multicast-alias command,
the live content is multicast; otherwise, live content is accessible as live-splitting
sources. The feature does not require the content to be cached.
When you have set a starting date and time for the simulated live content, the
broadcast of the content starts when at least one client requests the file. Clients
connecting during the scheduled playback time of the simulated live content
receive cached content for playback. Clients requesting the simulated live content
69
Volume 3: Web Communication Proxies
Section C: Additional Windows Media Configuration Tasks
before the scheduled time are put into wait mode. Clients requesting the content
after all of the contents have played receive an error message. Video-on-demand
content does not need to be on the ProxySG before the scheduled start time, but
prepopulating the content on the provides better streaming quality.
The ProxySG computes the starting playtime of the broadcast stream based on the
time difference between the client request time and the simulated live starting
time.
Before configuring simulated live, consider the following:
❐
The simulated live content name must be unique. Aliases are not case
sensitive.
❐
The name cannot be used for both a unicast and a multicast alias name.
❐
After simulated live content is referenced by one or more multicast stations,
the simulated live content cannot be deleted until all multicast stations
referencing the simulated live content are first deleted.
The multicast station appears as another client of simulated live content, just like
a Windows Media Player.
Note: This note applies to HTTP only. If a client opens Windows Media Player
and requests an alias before the starting time specified in the broadcast-alias
option, the HTTP connection closes after a short time period. When the specified
time arrives, the player fails to reconnect to the stream and remains in waiting
mode.
Creating a Broadcast Alias for Simulated Live Content
Syntax
streaming windows-media broadcast-alias alias url loops date time
where:
•
alias
•
url
•
loops is the number of times you want the content to be played back. Set
to 0 (zero) to allow the content to be viewed an indefinite number of times.
•
date is the simulated live content starting date. Valid date strings are in
the format yyyy-mm-dd or today. You can specify up to seven start dates by
using the comma as a separator (no spaces).
•
time is the simulated live content starting time. Valid time strings are in
the format hh:mm (on a 24-hour clock) or one of the following strings:
is the name of the simulated live content.
is the URL for the video-on-demand stream. Up to 128 URLs can be
specified for simulated live content.
— midnight, noon
— 1am, 2am, ...
— 1pm, 2pm, ...
70
Chapter 3: Managing Streaming Media
Section C: Additional Windows Media Configuration Tasks
Specify up to 24 different start times within a single date by using the comma
as a separator (no spaces).
Example 1
This example creates a playlist for simulated live content. The order of playback is
dependent on the order you enter the URLs. You can add up to 128 URLs.
SGOS#(config) streaming windows-media broadcast-alias alias url
Example 2
This example demonstrates the following:
❐
creates a simulated live file called bca.
❐
plays back rtsp://ocs.bca.com/bca1.asf and rtsp://ocs.bca.com/bca2.asf.
❐
configures the ProxySG to play back the content twice.
❐
sets a starting date and time of today at 4 p.m., 6 p.m., and 8 p.m.
SGOS#(config) streaming windows-media broadcast-alias bca rtsp://
ocs.bca.com/bca1.asf 2 today 4pm,6pm,8pm
SGOS#(config) streaming windows-media broadcast-alias bca rtsp://
ocs.bca.com/bca2.asf
To delete simulated live content:
SGOS#(config) streaming windows-media no broadcast-alias alias
ASX Rewriting (Windows Media)
This section describes ASX rewriting and applies to Windows Media only.
An ASX file is an active streaming redirector file that points to a Windows Media
audio or video presentation. It is a metafile that provides information about
Active Streaming Format (ASF) media files.
About ASX Rewrite
If your environment does not use a Layer 4 switch or the Cisco Web Cache
Control Protocol (WCCP), the ProxySG can operate as a proxy for Windows
Media Player clients by rewriting the Windows Media ASX file (which contains
entries with URL links to the actual location of the streaming content) to point to
the ProxySG rather than the Windows Media server.
The metadata files can have .asx, .wvx, or .wax extensions, but are commonly
referred to as ASX files. The ASX file references the actual media files
(with .asf, .wmv, and .wma extensions). An ASX file can refer to other .asx files,
although this is not a recommended practice. If the file does not have one of the
metafile extensions and the Web server that is serving the metadata file does not
set the correct MIME type, it is not processed by the Windows Media module.
Also, the .asx file with the appropriate syntax must be located on an HTTP (not a
Windows Media) server.
The ASX rewrite module is triggered by either the appropriate file extension or
the returned MIME type from the server (x-video-asf).
71
Volume 3: Web Communication Proxies
Section C: Additional Windows Media Configuration Tasks
Note: If an .asx file syntax does not follow the standard <ASX> tag-based syntax,
the ASX rewrite module is not triggered.
For the ProxySG to operate as a proxy for Windows Media Player requires the
following:
❐
The client is explicitly proxied for HTTP content to the ProxySG that rewrites
the .asx metafile.
❐
The streaming media ProxySG is configurable.
Note: Windows Media Player automatically tries to roll over to different
protocols according to its Windows Media property settings before trying the
rollover URLs in the .asx metafile.
With the asx-rewrite command, you can implement redirection of the streaming
media to a ProxySG by specifying the rewrite protocol, the rewrite IP address,
and the rewrite port.
The protocol specified in the ASX rewrite rule is the protocol the client uses to
reach the ProxySG. You can use forwarding and policy to change the default
protocol specified in the original .asx file that connects to the origin media server.
When creating ASX rewrite rules, you need to determine the number priority. It is
likely you will create multiple ASX rewrite rules that affect the .asx file; for
example, rule 100 could redirect the IP address from 10.25.36.01 to 10.25.36.47,
while rule 300 could redirect the IP address from 10.25.36.01 to 10.25.36.58. In
this case, you are saying that the original IP address is redirected to the IP address
in rule 100. If that IP address is not available, the ProxySG looks for another rule
matching the incoming IP address.
Notes and Interactivities
Before creating rules, consider the following.
❐
Each rule you create must be checked for a match; therefore, performance
might be affected if you create many rules.
❐
Low numbers have a higher priority than high numbers.
Note: Rules can only be created through the CLI.
❐
72
ASX rewrite rules configured for multiple ProxySG appliances configured in
an HTTP proxy-chaining configuration can produce unexpected URL entries
in access logs for the downstream ProxySG (the ProxySG that the client proxies
to). The combination of proxy-chained ProxySG appliances in the HTTP path
coupled with ASX rewrite rules configured for multiple ProxySG appliances
in the chain can create a rewritten URL requested by the client in the example
form of:
Chapter 3: Managing Streaming Media
Section C: Additional Windows Media Configuration Tasks
protocol1://downstream_SecApp/redirect?protocol2://<upstream_
SecApp>/redirect?protocol3://origin_host/origin_path
In this scenario, the URL used by the downstream ProxySG for caching and
access logging can be different than what is expected. Specifically, the
downstream ProxySG creates an access log entry with protocol2://
upstream_SecApp/redirect as the requested URL. Content is also cached using
this truncated URL. Blue Coat recommends that the ASX rewrite rule be
configured for only the downstream ProxySG, along with a proxy route rule
that can forward the Windows Media streaming requests from the
downstream to upstream ProxySG appliances.
Syntax for the asx-rewrite Command:
asx-rewrite rule # in-addr cache-proto cache-addr [cache-port]
where:
•
in-addr—Specifies
•
cache-proto—Specifies the rewrite protocol on the ProxySG. Acceptable
values for the rewrite protocol are:
the hostname or IP address delivering the content
•
mmsu
specifies Microsoft Media Services UDP
•
mmst
specifies Microsoft Media Services TCP
•
http
specifies HTTP
•
mms
•
*
specifies either MMS-UDP or MMS-TCP
specifies the same protocol as in the .asx file
If the .asx file is referred from within another .asx file (not a recommended
practice), use a * for the cache-proto value. The * designates that the
protocol specified in the original URL be used. As a conservative, alternative
approach, you could use HTTP for the cache-proto value.
•
cache-addr—Specifies
the rewrite address on the ProxySG.
•
cache-port—Specifies
the port on the ProxySG. This value is optional.
To set up the .asx rewrite rules:
At the (config) command prompt, enter the following command:
SGOS#(config) streaming windows-media asx-rewrite number in-addr
cache-proto cache-addr cache-port
Note: To delete a specific rule, enter streaming windows-media no asxrewrite number.
To ensure that an ASX rewrite rule is immediately recognized, clear the local
browser cache.
Example
This example:
73
Volume 3: Web Communication Proxies
Section C: Additional Windows Media Configuration Tasks
❐
Sets the priority rule to 200.
❐
Sets the protocol to be whatever protocol was originally specified in the URL
and directs the data stream to the appropriate default port.
❐
Provides the rewrite IP address of 10.9.44.53, the ProxySG.
SGOS#(config) streaming windows-media asx-rewrite 200 * * 10.9.44.53
Note: ASX files must be fetched from HTTP servers. If you are not sure of the
network topology or the content being served on the network, use the
asterisks to assure the protocol set is that specified in the URL.
ASX Rewrite Incompatibility With Server-side IWA Authentication
Server-side authentication (MMS only, not HTTP) is supported if the origin media
server authentication type is BASIC or No Auth. However, if you know that a
Windows Media server is configured for IWA authentication, the following
procedure allows you to designate any virtual IP addresses to the IWA
authentication type. If you know that all of the activity through the ProxySG
requires IWA authentication, you can use the IP address of the appliance.
To designate an IP address to an authentication type:
1. If necessary, create a virtual IP address that is used to contact the Windows
Media server.
2. At the (config) prompt, enter the following command:
SGOS#(config) streaming windows-media server-auth-type ntlm ip_address
3. Configure the ASX rewrite rule to use the IP address.
a. To remove the authentication type designation:
SGOS#(config) streaming windows-media no server-auth-type
ip_address
b. To return the authentication type to BASIC:
SGOS#(config) streaming windows-media server-auth-type basic
ip_address
74
Chapter 3: Managing Streaming Media
Section D: Configuring Windows Media Player
Section D: Configuring Windows Media Player
This section describes how to configure Windows Media Player to communicate
through the ProxySG.
To apply the ProxySG Windows Media streaming services, Windows Media
Player must be installed and configured to use explicit proxy.
Note: The example below uses Windows Media Player 11. Installation and setup
varies with different versions of Windows Media Player.
To configure Windows Media Player:
1. Start Windows Media Player.
2. Select Tools > Options.
75
Volume 3: Web Communication Proxies
Section D: Configuring Windows Media Player
3a
4a
3b
4b
3c
3. Navigate to protocol configuration:
a. Select Network.
b. Select HTTP.
c. Click Configure. The Configure Protocol dialog displays.
4. Configure the proxy settings:
a. Select Use the following proxy server.
b. Enter the ProxySG IP address and the port number used for the
explicit proxy (the default HTTP port is 80). These settings must match
the settings configured in the ProxySG. If you change the ProxySG
explicit proxy configuration, you must also reconfigure Windows
Media Player.
5. Click OK in both dialogs. Result: Windows Media Player now proxies through
the ProxySG and content is susceptible to streaming configurations and access
policies.
Windows Media Player Interactivity Notes
This section describes Windows Media Player interactivities that might affect
performance.
76
Chapter 3: Managing Streaming Media
Section D: Configuring Windows Media Player
Striding
When you use Windows Media Player, consider the following interactivities in
regard to using fast forward and reverse (referred to as striding):
❐
If you request a cached file and repeatedly attempt play and fast forward, the
file freezes.
❐
If you attempt a fast reverse of a cached file that is just about to play, you
receive an error message, depending on whether you have a proxy:
❐
•
Without a proxy: A device attached to the system is not functioning.
•
With a proxy: The request is invalid in the current state.
If Windows Media Player is in pause mode for more than ten minutes and
you press fast reverse or fast forward, an error message displays: The network
connection has failed.
Other Notes
❐
Applies to Version 9: If a url_host_rewrite rule is configured to rewrite a host
name that is a domain name instead of an IP address, a request through the
MMS protocol fails and the host is not rewritten. As the connect message sent
by the player at the initial connection does not contain the host name, a
rewrite cannot occur. HTTP requests are not affected by this limitation.
❐
If explicit proxy is configured and the access policy on the ProxySG is set to
deny, a requested stream using HTTP from Windows Media Player 9 serves
the stream directly from the origin server even after the request is denied. The
player sends a request to the OCS and plays the stream from there.
Blue Coat recommends the following policy:
<proxy>
streaming.content=yes deny
-or<proxy>
streaming.content=windows_media deny
The above rules force the HTTP module to hand off HTTP requests to the
MMS module. MMS returns the error properly to the player, and does not go
directly to the origin server to try to serve the content.
❐
If you request an uncached file using the HTTP protocol, the file is likely to
stop playing if the authentication type is set to BASIC or NTLM/Kerberos and
you initiate rapid seeks before the buffering begins for a previous seek.
Windows Media Player, however, displays that the file is still playing.
❐
If a stream is scheduled to be accessible at a future time (using a simulated live
rule), and the stream is requested before that time, Windows Media Player
enters a waiting stage. This is normal. However, if HTTP is used as the
protocol, after a minute or two Windows Media Player closes the HTTP
connection, but remains in the waiting stage, even when the stream is
broadcasting.
77
Volume 3: Web Communication Proxies
Section D: Configuring Windows Media Player
Notes:
For authentication-specific notes, see "Windows Media Server-Side
Authentication" on page 48 and "Windows Media Proxy Authentication" on page
49.
78
Chapter 3: Managing Streaming Media
Section E: Configuring RealPlayer
This section describes how to configure Real Player to communicate through the
ProxySG.
To use the ProxySG Real Media streaming services with an explicit proxy
configuration, the client machine must have RealPlayer installed and configured
to use RTSP streams. If you use transparent proxy, no changes need to be made to
RealPlayer.
Note: This procedure features RealPlayer, version 10.5. Installation and setup
menus vary with different versions of RealPlayer. Refer to the RealPlayer
documentation to configure earlier versions of RealPlayer.
To configure RealPlayer:
1. Start RealPlayer.
2. Select Tools > Preferences.
3a
3b
4a
4b
79
Volume 3: Web Communication Proxies
3. Navigate to proxy settings:
a. Select Connection > Proxy.
b. Click Change Settings. The Streaming Proxy Settings dialog appears.
4. Configure options:
a. In the PNA and RTSP proxies: field, select Use proxies.
b. Enter the ProxySG IP address and the port number used for the
explicit proxy (the default RTSP port is 544). These settings must
match the settings configured in the ProxySG. If you change the
ProxySG explicit proxy configuration, you must also reconfigure
RealPlayer. If using transparent proxy, RTSP port 554 is set by default
and cannot be changed.
Note: For HTTP Proxy, if you have an HTTP proxy already configured in
your browser, select Use system Internet Connection proxy settings.
c. Optional: For HTTP Proxy, if you have an HTTP proxy already
configured in your browser, select Use system Internet Connection proxy
settings.
d. Optional: In the Do not use proxy for: section, you can enter specific hosts
and bypass the ProxySG.
Note: This can also be accomplished with policy, the method Blue Coat
recommends.
e. Click OK to close the Streaming Proxy Settings dialog.
80
Chapter 3: Managing Streaming Media
5a
5b
5. Configure RealPlayer transport settings:
a. Select Connection > Network Transports.
b. Click RTSP Settings. The RTSP Transport Settings dialog appears.
6. If required, deselect options, based on your network configuration. For
example, if your firewall does not accept UDP, you can deselect Attempt to use
UDP for all content, but leave the TCP option enabled. Blue Coat recommends
using the default settings.
7. Click OK.
To allow the creation of access log entries, RealPlayer must be instructed to
communicate with the RealServer.
81
Volume 3: Web Communication Proxies
8a
8b
8. Perform the following:
a. Select View > Preferences > Internet/Privacy.
b. In the Privacy field, select Send connection-quality data to RealServers; click
OK.
Result: RealPlayer now proxies through the ProxySG and content is susceptible to
streaming configurations and access policies.
Notes:
For authentication-specific issues, see "Real Media Proxy Authentication" on page
50.
82
Chapter 3: Managing Streaming Media
Section F: Configuring QuickTime Player
This section describes how to configure QuickTime player for explicit proxy to the
ProxySG.
To configure QuickTime
1. Start QuickTime player.
2. Select Edit > Preferences > QuickTime Preferences.
2a
2b
2c
2d
3. Configure the protocol settings:
a. Click Advanced.
b. Select RTSP Proxy Server;
c. Enter the IP address of the ProxySG.
d. Enter the port number (554 is the default).
These settings must match the settings configured in the ProxySG. If you
change the ProxySG explicit proxy settings, set similar settings in
QuickTime.
4. Close OK. Result: QuickTime now proxies—in pass-through mode—through
the ProxySG.
Notes:
For authentication-specific issues, see "QuickTime Proxy Authentication" on page
50.
83
Volume 3: Web Communication Proxies
Section G: Supported Streaming Media Clients and Protocols
This section describes the vendor-specific streaming protocols supported by the
ProxySG.
Note:
Blue Coat recommends upgrading to WMP version 9 or later. Note that
WMP version 11 does not support the Microsoft Media Services (MMS) protocol.
Supported Streaming Media Clients and Servers
The ProxySG supports Microsoft Windows Media, RealNetworks RealPlayer, and
Apple QuickTime; however, the various players might experience unexpected
behavior dependent upon certain SGOS configurations and features. Feature
sections list such interactivities, as necessary. For a list of the most current
versions of each supported client, refer to the Blue Coat SGOS Release Notes for
this release.
Supported Windows Media Players and Servers
The ProxySG supports the following versions and formats:
❐
Windows Media Player
❐
Windows Media Server
Supported Real Media Players and Servers
The ProxySG supports the following versions:
❐
RealOne Player
❐
RealPlayer
❐
RealServer
❐
Helix Universal Server
Note: Blue Coat recommends not deploying a Helix proxy between the
ProxySG and a Helix server where the Helix proxy is the parent to the
ProxySG. This causes errors with the Helix server. The reverse is acceptable
(using a Helix proxy as a child to the ProxySG).
Supported QuickTime Players and Servers
The ProxySG supports the following versions, but in pass-through mode only:
84
❐
QuickTime Player
❐
Darwin Streaming Server
❐
Helix Universal Server
Chapter 3: Managing Streaming Media
Supported Streaming Protocols
Each streaming media platform supports its own set of protocols. This section
describes the protocols the ProxySG supports.
Windows Media Protocols
The ProxySG supports Windows Media content streamed over RTSP and HTTP.
The following Windows Media transports are supported:
Client-side
❐
RTP over unicast UDP (RTSP over TCP, RTP over unicast UDP)
❐
Interleaved RTSP (RTSP over TCP, RTP over TCP on the same connection)
❐
RTP over multicast UDP (RTP over multicast UDP; for live content only)
❐
HTTP streaming
❐
MMS-UDP (Microsoft Media Streaming—User Data Protocol)
❐
MMS-TCP (Microsoft Media Streaming—Transmission Control Protocol)
❐
Multicast-UDP is the only delivery protocol supported for multicast. No TCP
control connection exists for multicast delivery
Server-side
❐
Interleaved RTSP
❐
HTTP streaming
❐
MMS-TCP between the ProxySG and origin server for video-on-demand and
live unicast content
Server-side RTP over UDP is not supported. If policy directs the RTSP proxy to
use HTTP as server-side transport, the proxy denies the client request. The client
then rolls over to MMS or HTTP.
Note: The MMS protocol is usually referred to as either MMS-TCP or MMSUDP depending on whether TCP or UDP is used as the transport layer for
sending streaming data packets. MMS-UDP uses a TCP connection for
sending and receiving media control messages, and a UDP connection for
streaming the actual media data. MMS-TCP uses TCP connections to send
both control and data messages. The MMS protocol is not supported in WMP
11 and higher.
Real Media Protocols
The ProxySG supports the following Real Media protocols:
85
Volume 3: Web Communication Proxies
Client-Side
❐
HTTP streaming (RTSP and RDT over TCP tunneled through HTTP)—HTTP
streaming is supported through a handoff process from HTTP to RTSP. HTTP
accepts the connection and, based on the headers, hands off to RTSP. The
headers identify an RTSP URL.
❐
RDT over unicast UDP (RTSP over TCP, RDT over unicast UDP)
❐
Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection)
❐
RDT over multicast UDP (RTSP over TCP, RDT over multicast UDP; for live
content only)
Server-Side
❐
HTTP streaming
❐
Interleaved RTSP
Unsupported Protocols
The following Real Media protocols are not supported in this version of SGOS:
❐
PNA
❐
Server-side RDT/UDP (both unicast and multicast)
QuickTime Protocols
The ProxySG supports the following QuickTime protocols:
❐
HTTP streaming (RTSP and RDT over TCP tunneled through HTTP)—HTTP
streaming is supported through a handoff process from HTTP to RTSP. HTTP
accepts the connection and, based on the headers, hands off to RTSP. The
headers identify an RTSP URL.
❐
RTP over unicast UDP (RTSP over TCP, RDT over unicast UDP)
❐
Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection)
Server-Side
❐
HTTP streaming
❐
Interleaved RTSP
Unsupported Protocols
The following QuickTime protocols are not supported in this version of SGOS:
❐
Server-side RTP/UDP, both unicast and multicast, is not supported.
Client-side multicast is not supported.
86
Glossary
A
access control list—Allows
or denies specific IP addresses access to a server.
access log—A list of all the requests sent to a ProxySG. You can read an access
log using any of the popular log-reporting programs. When a client uses HTTP
streaming, the streaming entry goes to the same access log.
account—A
named entity that has purchased the ProxySG or the Entitlements
from Blue Coat.
activation code—A string of approximately 10 characters that is generated and
mailed to customers when they purchase the ProxySG.
active content stripping—Provides a way to identify potentially dangerous mobile
or active content and scripts, and strip them out of a response.
active content types—Used in the Visual Policy Manager. Referring to Web
Access policies, you can create and name lists of active content types to be
stripped from Web pages. You have the additional option of specifying a
customized message to be displayed to the user
administration access policy—A
policy layer that determines who can access the
ProxySG to perform administrative tasks.
administration authentication policy—A
policy layer that determines how
administrators accessing the ProxySG must authenticate.
AJAX—Acronym
for Asynchronous JavaScript and XML, the technology used
for live updating of Web objects without having to reload the entire page.
Application Delivery Network (ADN)—A
WAN that has been optimized for
acceleration and compression by Blue Coat. This network can also be secured
through the use of appliance certificates. An ADN network is composed of an
ADN manager and backup ADN manager, ADN nodes, and a network
configuration that matches the environment.
ADN backup manager—Takes
over for the ADN manager in the event it becomes
unavailable. See ADN manager.
ADN manager—Responsible
for publishing the routing table to SG Clients (and
to other ProxySG appliances).
ADN optimize attribute—Controls whether to optimize bandwidth usage when
connecting upstream using an ADN tunnel.
A record—The central records of DNS, which link a domain or subdomain to an
IP address. An A record can correspond to a single IP address or many IP
addresses.
asx rewrite—Allows you to rewrite URLs and then direct a client's subsequent
request to the new URL. One of the main applications of ASX file rewrites is to
provide explicit proxy-like support for Windows Media Player 6.4, which
cannot set explicit proxy mode for protocols other than HTTP.
87
Volume 3: Web Communication Proxies
audit—A
log that provides a record of who accessed what and how.
authenticate-401 attribute—All transparent and explicit requests received on the port
always use transparent authentication (cookie or IP, depending on the
configuration). This is especially useful to force transparent proxy authentication
in some proxy-chaining scenarios
authenticated content—Cached
content that requires authentication at the origin
content server (OCS). Supported authentication types for cached data include
basic authentication and IWA (or NTLM).
authentication—Allows you to verify the identity of a user. In its simplest form, this
is done through usernames and passwords. Much more stringent authentication
can be employed using digital certificates that have been issued and verified by a
Certificate Authority. See also basic authentication, proxy authentication, and SSL
authentication.
authentication realm—Authenticates
and authorizes users to access SG services
using either explicit proxy or transparent proxy mode. These realms integrate
third-party vendors, such as LDAP, Windows, and Novell, with the Blue Coat
operating system.
authorization—The
permissions given to an authenticated user.
B
bandwidth—The
amount of data you can send through a network or modem
connection, usually measured in bits per second (bps).
bandwidth class—A defined
unit of bandwidth allocation.
bandwidth class hierarchy—A
gouping of bandwidth classes into a tree structure
that specifies the relationship among different classes. You create a hierarchy by
creating at least one parent class and assigning other classes as its children.
bandwidth gain—Bandwidth
gain is a calculation of the savings that occur when
bandwidth is not consumed as a result of some form of optimization.
For example, bandwidth gain for active sessions is calculated by subtracting the
number of client bytes from the number of server bytes and dividing the result by
the number of server bytes.
(Client Bytes - Server Bytes) / Server Bytes
bandwidth management—Classify,
control, and, if needed, limit the amount of
bandwidth used by network traffic flowing in or out of a ProxySG.
basic authentication—The
standard authentication for communicating with the
target as identified in the URL.
BCAAA—Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to
manage authentication and authorization for IWA, CA eTrust SiteMinder realms,
Oracle COREid, Novell, and Windows realms. The agent is installed and
configured separately from SGOS 5.x and is available from the Blue Coat Web
site.
BCLP—Blue
Coat Licensing Portal.
byte-range support—The
ability of the ProxySG to respond to byte-range requests
(requests with a Range: HTTP header).
88
C
cache—An
"object store," either hardware or software, that stores information
(objects) for later retrieval. The first time the object is requested, it is stored,
making subsequent requests for the same information much faster.
A cache helps reduce the response time and network bandwidth consumption on
future, equivalent requests. The ProxySG serves as a cache by storing content
from many users to minimize response time and prevent extraneous network
traffic.
cache control—Allows
you to configure which content the ProxySG stores.
cache efficiency—A
tab found on the Statistics pages of the Management Console
that shows the percent of objects served from cache, the percent loaded from the
network, and the percent that were non-cacheable.
cache hit—Occurs when the ProxySG receives a request for an object and can serve
the request from the cache without a trip to the origin server.
cache miss—Occurs
when the ProxySG receives a request for an object that is not
in the cache. The ProxySG must then fetch the requested object from the origin
server.
cache object—Cache contents includes all objects currently stored by the ProxySG.
Cache objects are not cleared when the ProxySG is powered off.
Certificate Authority (CA)—A
trusted, third-party organization or company that
issues digital certificates used to create digital signatures and public key/private
key pairs. The role of the CA is to guarantee that the individuals or company
representatives who are granted a unique certificate are who they claim to be.
child class (bandwidth gain)—The child of a parent class is dependent on that parent
class for available bandwidth (they share the bandwidth in proportion to their
minimum/maximum bandwidth values and priority levels). A child class with
siblings (classes with the same parent class) shares bandwidth with those siblings
in the same manner.
cipher suite—Specifies
the algorithms used to secure an SSL connection. When a
client makes an SSL connection to a server, it sends a list of the cipher suites that it
supports.
client consent certificates—A
certificate that indicates acceptance or denial of
consent to decrypt an end user's HTTPS request.
client-side transparency—A
way of replacing the ProxySG IP address with the Web
server IP address for all port 80 traffic destined to go to the client. This effectively
conceals the ProxySG address from the client and conceals the identity of the
client from the Web server.
concentrator—A
ProxySG, usually located in a data center, that provides access to
data center resources, such as file servers.
content filtering—A way of controlling which content is delivered to certain users.
ProxySG appliances can filter content based on content categories (such as
gambling, games, and so on), type (such as http, ftp, streaming, and mime type),
identity (user, group, network), or network conditions. You can filter content
using vendor-based filtering or by allowing or denying access to URLs.
89
Volume 3: Web Communication Proxies
D
default boot system—The system that was successfully started
last time. If a system
fails to boot, the next most recent system that booted successfully becomes the
default boot system.
default proxy listener—See
proxy service (default).
denial of service (DoS)—A
method that hackers use to prevent or deny legitimate
users access to a computer, such as a Web server. DoS attacks typically send many
request packets to a targeted Internet server, flooding the server's resources and
making the system unusable. Any system connected to the Internet and equipped
with TCP-based network services is vulnerable to a DoS attack.
The ProxySG resists DoS attacks launched by many common DoS tools. With a
hardened TCP/IP stack, the ProxySG resists common network attacks, including
traffic flooding.
destination objects—Used in Visual Policy Manager. These are the objects that
define the target location of an entry type.
detect protocol attribute—Detects
the protocol being used. Protocols that can be
detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and
Endpoint Mapper.
diagnostic reporting—Found in the Statistics pane, the Diagnostics tab allows you to
control whether Daily Heartbeats and/or Blue Coat Monitoring are enabled or
disabled.
directives—Commands
used in installable lists to configure forwarding and
SOCKS gateway.
DNS access—A
policy layer that determines how the ProxySG processes DNS
requests.
domain name system (DNS)—An
Internet service that translates domain names into
IP addresses.
dynamic bypass—Provides a maintenance-free method for improving performance
of the ProxySG by automatically compiling a list of requested URLs that return
various kinds of errors.
dynamic real-time rating (DRTR)—Used
in conjunction with the Blue Coat Web Filter
(BCWF), DRTR (also known as dynamic categorization) provides real-time analysis
and content categorization of requested Web pages to solve the problem of new
and previously unknown uncategorized URLs—those not in the database.
When a user requests a URL that has not already been categorized by the BCWF
database (for example, a brand new Web site), the ProxySG dynamic
categorization service analyzes elements of the requested content and assigns a
category or categories. The dynamic service is consulted only when the installed
BCWF database does not contain category information for an object.
E
early intercept attribute—Controls whether the proxy responds to client TCP
connection requests before connecting to the upstream server. When early
intercept is disabled, the proxy delays responding to the client until after it has
attempted to contact the server.
90
ELFF-compatible format—A
log type defined by the W3C that is general enough to
be used with any protocol.
emulated certificates—Certificates
that are presented to the user by the ProxySG
when intercepting HTTPS requests. Blue Coat emulates the certificate from the
server and signs it, copying the subjectName and expiration. The original
certificate is used between the ProxySG and the server.
encrypted log—A
log is encrypted using an external certificate associated with a
private key. Encrypted logs can only be decrypted by someone with access to the
private key. The private key is not accessible to the ProxySG.
EULA—End
user license agreement.
event logging—Allows you to specify the types of system events logged, the size of
the event log, and to configure Syslog monitoring. The ProxySG can also notify
you by email if an event is logged. See also access logging.
explicit proxy—A configuration in which the browser is explicitly configured to
communicate with the proxy server for access to content. This is the default for
the ProxySG and requires configuration for both the browser and the interface
card.
extended log file format (ELFF)—A variant of the common log file format, which has
two additional fields at the end of the line—the referer and the user agent fields.
F
fail open/closed—Failing open or closed applies to forwarding hosts and groups
and SOCKS gateways. Fail open or closed applies when health checks are
showing sick for each forwarding or SOCKS gateway target in the applicable failover sequence. If no systems are healthy, the ProxySG fails open or closed,
depending on the configuration. If closed, the connection attempt simply fails.
If open, an attempt is made to connect without using any forwarding target (or
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no
setting is specified.
filtering—See
content filtering.
forward proxy—A
proxy server deployed close to the clients and used to access
many servers. A forward proxy can be explicit or transparent.
FTP—See
Native FTP and Web FTP.
G
gateway—A
device that serves as entrance and exit into a communications
network.
H
hardware serial number—A string that uniquely identifies the ProxySG; it is assigned
to each unit in manufacturing.
health check tests—The
method of determining network connectivity, target
responsiveness, and basic functionality. The following tests are supported:
91
Volume 3: Web Communication Proxies
•
ICMP
•
TCP
•
SSL
•
HTTP
•
HTTPS
•
Group
•
Composite and reference to a composite result
•
ICAP
•
Websense
•
DRTR rating service
health check type—The kind of device or service the specific health check tests. The
following types are supported:
•
Forwarding host and forwarding group
•
SOCKS gateway and SOCKS gateway group
•
CAP service and ICAP service group
•
Websense off-box service and Websense off-box service group
•
DRTR rating service
•
User-defined host and a user-defined composite
heartbeat—Messages
sent once every 24 hours that contain the statistical and
configuration data for the ProxySG, indicating its health. Heartbeats are
commonly sent to system administrators and to Blue Coat. Heartbeats contain no
private information, only aggregate statistics useful for pre-emptively diagnosing
support issues.
The ProxySG sends emergency heartbeats whenever it is rebooted. Emergency
heartbeats contain core dump and restart flags in addition to daily heartbeat
information.
host affinity—The
attempt to direct multiple connections by a single user to the
same group member. Host affinity is closely tied to load balancing behavior; both
should be configured if load balancing is important.
host affinity timeout—The host affinity timeout determines how long a user remains
idle before the connection is closed. The timeout value checks the user's IP
address, SSL ID, or cookie in the host affinity table.
I
inbound traffic (bandwidth gain)—Network
packets flowing into the ProxySG.
Inbound traffic mainly consists of the following:
•
92
Server inbound: Packets originating at the origin content server (OCS) and
sent to the ProxySG to load a Web object.
•
Client inbound: Packets originating at the client and sent to the ProxySG
for Web requests.
installable list—A
list of configuration parameters that can be created using a text
editor (either Blue Coat or another text editor) or through the CLI inline
commands. The list can then be downloaded to the ProxySG from an HTTP server
or locally from your PC. Configurations that can be created and installed this way
include the SG Client, archiving, forwarding hosts, SOCKS gateways, ICP, policy
files, and exceptions.
integrated host timeout—An
integrated host is an origin content server (OCS) that
has been added to the health check list. The host, added through the
integrate_new_hosts property, ages out of the integrated host table after
being idle for the specified time. The default is 60 minutes.
intervals—Time period from the completion of one health check to the start of the
next health check.
IP reflection—Determines
how the client IP address is presented to the origin
server for explicitly proxied requests. All proxy services contain a reflect-ip
attribute, which enables or disables sending of client's IP address instead of the IP
address of the ProxySG.
issuer keyring—The keyring used by the ProxySG to sign emulated certificates. The
keyring is configured on the appliance and managed through policy.
L
licensable component (LC)—(Software) A subcomponent of a license; it is an option
that enables or disables a specific feature.
LCAMS—License
Configuration and Management System.
license—Provides
both the right and the ability to use certain software functions
within a ProxyAV (or ProxySG) appliance. The license key defines and controls
the license, which is owned by an account.
listener—The service that is listening on a specific port. A listener can be identified
by any destination IP/subnet and port range. Multiple listeners can be added to
each service.
live content—Also
called live broadcast. Used in streaming, it indicates that the
content is being delivered fresh.
LKF—License
key file.
load balancing—A
way to share traffic requests among multiple upstream systems
or multiple IP addresses on a single host.
local bypass list—A
list you create and maintain on your network. You can use a
local bypass list alone or in conjunction with a central bypass list.
local policy file—Written
by enterprises (as opposed to the central policy file
written by Blue Coat); used to create company- and department-specific
advanced policies written in the Blue Coat Policy Language (CPL).
93
Volume 3: Web Communication Proxies
log facility—A
separate log that contains a single logical file and supports a single
log format. It also contains the file’s configuration and upload schedule
information as well as other configurable information such as how often to rotate
(switch to a new log) the logs at the destination, any passwords needed, and the
point at which the facility can be uploaded.
log format—The type of log that is used: NCSA/Common, SQUID, ELFF,
SurfControl, or Websense.
The proprietary log types each have a corresponding pre-defined log format that
has been set up to produce exactly that type of log (these logs cannot be edited). In
addition, a number of other ELFF type log formats are also pre-defined (im, main,
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log
fields for logging particular protocols understood by the ProxySG. It is also
possible to create new log formats of type ELFF or Custom which can contain any
desired combination of log fields.
log tail—The access log tail shows the log entries as they get logged. With high
traffic on the ProxySG, not all access log entries are necessarily displayed.
However, you can view all access log information after uploading the log.
M
MACH5—SGOS
5 MACH5 Edition.
Management Console—A
graphical Web interface that lets you to manage,
configure, monitor, and upgrade the ProxySG from any location. The
Management Console consists of a set of Web pages and Java applets stored on
the ProxySG. The appliance acts as a Web server on the management port to serve
these pages and applets.
management information base (MIB)—Defines
the statistics that management systems
can collect. A managed device (gateway) has one or more MIBs as well as one or
more SNMP agents, which implements the information and management
functionality defined by a specific MIB.
maximum object size—The maximum object size stored in the ProxySG. All objects
retrieved that are greater than the maximum size are delivered to the client but
are not stored in the ProxySG.
Media Access Control (MAC) address—A unique value associated with a network
adapter; also known as hardware address or physical address. For the ProxySG, it
is a hardware address that is stored in each network card (such as an SSL
accelerator card or a Quad GigE Fiber LX card) on the ProxySG. The MAC
address uniquely identifies an adapter on a LAN and is a 12-digit hexadecimal
number (48 bits in length).
MIME/FILE type filtering—Allows
organizations to implement Internet policies for
both uploaded and downloaded content by MIME or FILE type.
multi-bit rate—The
capability of a single stream to deliver multiple bit rates to
clients requesting content from ProxySG appliances from within varying levels of
network conditions (such as different connecting bandwidths and traffic).
multicast—Used in streaming; the ability for hundreds or thousands of users to
play a single stream.
94
multicast aliases—Used
in streaming; a streaming command that specifies an alias
for a multicast URL to receive an .nsc file. The .nsc files allows the multicast
session to obtain the information in the control channel
multicast station—Used
in streaming; a defined location on the proxy where the
Windows Media player can retrieve streams. A multicast station enables
multicast transmission of Windows Media content from the cache. The source of
the multicast-delivered content can be a unicast-live source, a multicast (live)
source, and simulated live (video-on-demand content converted to scheduled live
content).
multimedia content services—Used
in streaming; multimedia support includes Real
Networks, Microsoft Windows Media, Apple QuickTime, MP3, and Flash.
N
name inputing—Allows a
ProxySG to resolve host names based on a partial name
specification. When a host name is submitted to the DNS server, the DNS server
resolves the name to an IP address. If the host name cannot be resolved, Blue Coat
adds the first entry in the name-inputing list to the end of the host name and
resubmits it to the DNS server
native FTP—Native
FTP involves the client connecting (either explicitly or
transparently) using the FTP protocol; the ProxySG then connects upstream
through FTP (if necessary).
NCSA common log format—Blue Coat products are compatible with this log type,
which contains only basic HTTP access information.
network address translation (NAT)—The process of translating private network (such
as intranet) IP addresses to Internet IP addresses and vice versa. This
methodology makes it possible to match private IP addresses to Internet IP
addresses even when the number of private addresses outnumbers the pool of
available Internet addresses.
non-cacheable objects—A number of objects are not cached by the ProxySG because
they are considered non-cacheable. You can add or delete the kinds of objects that
the appliance considers non-cacheable. Some of the non-cacheable request types
are:
•
Pragma no-cache, requests that specify non-cached objects, such as when
you click refresh in the Web browser.
•
Password provided, requests that include a client password.
•
Data in request that include additional client data.
•
Not a GET request.
.nsc file—Created from the multicast station definition and saved through the
browser as a text file encoded in a Microsoft proprietary format. Without an .nsc
file, the multicast station definition does not work.
95
Volume 3: Web Communication Proxies
NTP—To
manage objects in an appliance, a ProxySG must know the current
Universal Time Coordinates (UTC) time. By default, the ProxySG attempts to
connect to a Network Time Protocol (NTP) server to acquire the UTC time. The
ProxySG includes a list of NTP servers available on the Internet, and attempts to
connect to them in the order they appear in the NTP server list on the NTP tab.
O
object (used in caching)—An object is the item that is stored in an appliance. These
objects can be frequently accessed content, content that has been placed there by
content publishers, or Web pages, among other things.
object (used in Visual Policy Manager)—An
object (sometimes referred to as a
condition) is any collection or combination of entry types you can create
individually (user, group, IP address/subnet, and attribute). To be included in an
object, an item must already be created as an individual entry.
object pipelining—This
patented algorithm opens as many simultaneous TCP
connections as the origin server will allow and retrieves objects in parallel. The
objects are then delivered from the appliance straight to the user's desktop as fast
as the browser can request them.
Online Certificate Status Protocol (OCSP)—
An Internet protocol used for obtaining
the revocation status of an X.509 digital certificate. OCSP was created as an
alternative to certificate revocation lists (CRL), specifically addressing certain
problems associated with using CRLs in a public key infrastructure (PKI). OCSP
servers are called OCSP responders due to the request/response nature of these
messages.
origin content server (OCS)—Also called origin server. This is the original source of
the content that is being requested. An appliance needs the OCS to acquire data
the first time, to check that the content being served is still fresh, and to
authenticate users.
outbound traffic (bandwidth gain)—Network packets flowing out of the ProxySG.
Outbound traffic mainly consists of the following:
•
Client outbound: Packets sent to the client in response to a Web request.
•
Server outbound: Packets sent to an OCS or upstream proxy to request a
service.
P
PAC (Proxy AutoConfiguration) scripts—Originally created by Netscape, PACs are a
way to avoid requiring proxy hosts and port numbers to be entered for every
protocol. You need only enter the URL. A PAC can be created with the needed
information and the local browser can be directed to the PAC for information
about proxy hosts and port numbers.
packet capture (PCAP)—Allows
filtering on various attributes of the Ethernet frame
to limit the amount of data collected. You can capture packets of Ethernet frames
going into or leaving a ProxySG.
96
parent class (bandwidth gain)—A
class with at least one child. The parent class must
share its bandwidth with its child classes in proportion to the minimum/
maximum bandwidth values or priority levels.
passive mode data connections (PASV)—Data
connections initiated by an FTP client
to an FTP server.
pipelining—See
object pipelining.
policies—Groups
of rules that let you manage Web access specific to the needs of
an enterprise. Policies enhance ProxySG feature areas such as authentication and
virus scanning, and let you control end-user Web access in your existing
infrastructure.
policy-based bypass list—Used in policy. Allows a bypass based on the properties of
the client, unlike static and dynamic bypass lists, which allow traffic to bypass the
appliance based on destination IP address. See also dynamic bypass.
policy layer—A
collection of rules created using Blue Coat CPL or with the VPM.
pragma: no cache (PNC)—A
metatag in the header of a request that requires the
appliance to forward a request to the origin server. This allows clients to always
obtain a fresh copy.
proxy—Caches
content, filters traffic, monitors Internet and intranet resource
usage, blocks specific Internet and intranet resources for individuals or groups,
and enhances the quality of Internet or intranet user experiences.
A proxy can also serve as an intermediary between a Web client and a Web server
and can require authentication to allow identity-based policy and logging for the
client.
The rules used to authenticate a client are based on the policies you create on the
ProxySG, which can reference an existing security infrastructure—LDAP,
RADIUS, IWA, and the like.
Proxy Edition—SGOS
5 Proxy Edition.
proxy service—The proxy service defines the ports, as well as other attributes. that
are used by the proxies associated with the service.
proxy service (default)—The
default proxy service is a service that intercepts all
traffic not otherwise intercepted by other listeners. It only has one listener whose
action can be set to bypass or intercept. No new listeners can be added to the
default proxy service, and the default listener and service cannot be deleted.
Service attributes can be changed.
ProxySG—A
Blue Coat security and cache box that can help manage security and
content on a network.
public key certificate—An
electronic document that encapsulates the public key of
the certificate sender, identifies this sender, and aids the certificate receiver to
verify the identity of the certificate sender. A certificate is often considered valid if
it has been digitally signed by a well-known entity, which is called a Certificate
Authority (such as VeriSign).
public virtual IP (VIP)—Maps multiple servers to one IP address and then propagates
that information to the public DNS servers. Typically, there is a public VIP known
to the public Internet that routes the packets internally to the private VIP. This
enables you to “hide” your servers from the Internet.
97
Volume 3: Web Communication Proxies
R
real-time streaming protocol (RTSP)—A
standard method of transferring audio and
video and other time-based media over Internet-technology based networks. The
protocol is used to stream clips to any RTP-based client.
reflect client IP attribute—Enables the sending of the client's IP address instead of the
SG's IP address to the upstream server. If you are using an application delivery
network (ADN), this setting is enforced on the concentrator proxy through the
Configuration > App. Delivery Network > Tunneling tab.
registration—An
event that binds the appliance to an account, that is, it creates the
Serial#, Account association.
remote authentication dial-in user service (RADIUS)—Authenticates
user identity via
passwords for network access.
Return to Sender (RTS)—A
way of allowing outgoing TCP packets to use the same
network interface on which the corresponding incoming TCP packets arrived.
The destination Media Acess Control (MAC) address for the outgoing packets is
the same as the source MAC address of the incoming packets. See also Media
Access Control (MAC) address.
reverse proxy—A proxy that acts as a front end to a small number of predefined
servers, typically to improve performance. Many clients can use it to access the
small number of predefined servers.
routing information protocol (RIP)—Designed to select the fastest route to a
destination. RIP support is built into ProxySG appliances.
router hops—The
RTS—See
number of jumps a packet takes when traversing the Internet.
Return to Sender.
S
secure shell (SSH)—Also known as Secure Socket Shell. SSH is an interface and
protocol that provides strong authentication and enables you to securely access a
remote computer. Three utilities—login, ssh, and scp—comprise SSH. Security
via SSH is accomplished using a digital certificate and password encryption.
Remember that the Blue Coat ProxySG requires SSH1. A ProxySG supports a
combined maximum of 16 Telnet and SSH sessions.
serial console—A
third-party device that can be connected to one or more Blue
Coat appliances. Once connected, you can access and configure the appliance
through the serial console, even when you cannot access the appliance directly.
server certificate categories—The hostname in a server certificate can be categorized
by BCWF or another content filtering vendor to fit into categories such as
banking, finance, sports.
server portals—Doorways
that provide controlled access to a Web server or a
collection of Web servers. You can configure Blue Coat appliances to be server
portals by mapping a set of external URLs onto a set of internal URLs.
98
server-side transparency—The ability for the server to see client IP addresses, which
enables accurate client-access records to be kept. When server-side transparency
is enabled, the appliance retains client IP addresses for all port 80 traffic to and
from the ProxySG. In this scheme, the client IP address is always revealed to the
server.
service attributes—Define
the parameters, such as explicit or transparent, cipher
suite, and certificate verification, that the ProxySG uses for a particular service.
sibling class (bandwidth gain)—A
bandwidth class with the same parent class as
another class.
signed system image—Cryptographically
signed with a key known only to Blue
Coat, and the signature is verified when the image is downloaded to the system.
simple network management protocol (SNMP)—The standard operations and
maintenance protocol for the Internet. It consists of a set of standards for network
management, including an application layer protocol, a database schema, and a
set of data objects. In SNMP, the available information is defined by management
information bases (MIBs), which describe the structure of the management data.
simulated live—Used
in streaming. Defines playback of one or more video-ondemand files as a scheduled live event, which begins at a specified time. The
content can be looped multiple times, or scheduled to start at multiple start times
throughout the day.
SmartReporter log type—A
proprietary ELFF log type that is compatible with the
SmartFilter SmartReporter tool.
SOCKS—A
proxy protocol for TCP/IP-based networking applications that allows
users transparent access across the firewall. If you are using a SOCKS server for
the primary or alternate forwarding gateway, you must specify the appliance’s ID
for the identification protocol used by the SOCKS gateway. The machine ID
should be configured to be the same as the appliance’s name.
SOCKS proxy—A generic way to proxy TCP and UDP protocols. The ProxySG
supports both SOCKSv4/4a and SOCKSv5; however, because of increased
username and password authentication capabilities and compression support,
Blue Coat recommends that you use SOCKS v5.
splash page—The custom message page that displays the first time you start the
client browser.
split proxy—Employs co-operative processing at the branch and the core to
implement functionality that is not possible in a standalone proxy. Examples of
split proxies include:
•
Mapi Proxy
•
SSL Proxy
SQUID-compatible format—A
log type that was designed for cache statistics and is
compatible with Blue Coat products.
squid-native log format—The
Squid-compatible format contains one line for each
request.
SSL authentication—Ensures
that communication is with “trusted” sites only.
Requires a certificate issued by a trusted third party (Certificate Authority).
99
Volume 3: Web Communication Proxies
SSL client—See
SSL device profile.
SSL device profile—Used to determine various SSL parameters for outgoing HTTPS
connections. Specifically, its role is to:
•
Identify the SSL protocol version that the ProxySG uses in negotiations
with origin servers.
•
Identify the cipher suites used.
•
Determine which certificate can be presented to origin servers by
associating a keyring with the profile.
SSL interception—Decrypting
SSL connections.
SSL proxy—A proxy that can be used for any SSL traffic (HTTPS or not), in either
forward or reverse proxy mode.
static route—A
manually-configured route that specifies the transmission path a
packet must follow, based on the packet’s destination address. A static route
specifies a transmission path to another network.
statistics—Every Blue Coat appliance keeps statistics of the appliance hardware
and the objects it stores. You can review the general summary, the volume,
resources allocated, cache efficiency, cached contents, and custom URLs
generated by the appliance for various kinds of logs. You can also check the event
viewer for every event that occurred since the appliance booted.
stream—A flow of a single type of data, measured in kilobits per second (Kbps). A
stream could be the sound track to a music video, for example.
SurfControl log type—A
proprietary log type that is compatible with the
SurfControl reporter tool. The SurfControl log format includes fully-qualified
usernames when an NTLM realm provides authentication. The simple name is
used for all other realm types.
syslog—An
event-monitoring scheme that is especially popular in Unix
environments. Most clients using Syslog have multiple devices sending messages
to a single Syslog daemon. This allows viewing a single chronological event log of
all of the devices assigned to the Syslog daemon. The Syslog format is: “Date Time
Hostname Event.”
system cache—The software cache on the appliance. When you clear the cache, all
objects in the cache are set to expired. The objects are not immediately removed
from memory or disk, but a subsequent request for any object requested is
retrieved from the origin content server before it is served.
T
TCP window size—The number of bytes that can be buffered before the sending host
must wait for an acknowledgement from the receiving host.
time-to-live (TTL) value—Used
in any situation where an expiration time is needed.
For example, you do not want authentication to last beyond the current session
and also want a failed command to time out instead of hanging the box forever.
traffic flow (bandwidth gain)—Also referred to as flow. A set of packets belonging to
the same TCP/UDP connection that terminate at, originate at, or flow through the
ProxySG. A single request from a client involves two separate connections. One of
100
them is from the client to the ProxySG, and the other is from the ProxySG to the
OCS. Within each of these connections, traffic flows in two directions—in one
direction, packets flow out of the ProxySG (outbound traffic), and in the other
direction, packets flow into the ProxySG (inbound traffic). Connections can come
from the client or the server. Thus, traffic can be classified into one of four types:
•
Server inbound
•
Server outbound
•
Client inbound
•
Client outbound
These four traffic flows represent each of the four combinations described above.
Each flow represents a single direction from a single connection.
transmission control protocol (TCP)—TCP,
when used in conjunction with IP
(Internet Protocol) enables users to send data, in the form of message units called
packets, between computers over the Internet. TCP is responsible for tracking and
handling, and reassembly of the packets; IP is responsible for packet delivery.
transparent proxy—A configuration in which traffic is redirected to the ProxySG
without the knowledge of the client browser. No configuration is required on the
browser, but network configuration, such as an L4 switch or a WCCP-compliant
router, is required.
trial period—Starting with the first boot, the trial period provides 60 days of free
operation. All features are enabled during this time.
U
unicast alias—Defines
an name on the appliance for a streaming URL. When a
client requests the alias content on the appliance, the appliance uses the URL
specified in the unicast-alias command to request the content from the origin
streaming server.
universal time coordinates (UTC)—A
ProxySG must know the current UTC time. By
default, the appliance attempts to connect to a Network Time Protocol (NTP)
server to acquire the UTC time. If the ProxySG cannot access any NTP servers,
you must manually set the UTC time.
URL filtering—See
content filtering.
URL rewrite rules—Rewrite
the URLs of client requests to acquire the streaming
content using the new URL. For example, when a client tries to access content on
www.mycompany.com, the ProxySG is actually receiving the content from the
server on 10.253.123.123. The client is unaware that mycompany.com is not
serving the content; however, the ProxySG access logs indicate the actual server
that provides the content.
W
WCCP—Web
Cache Communication Protocol. Allows you to establish redirection
of the traffic that flows through routers.
101
Volume 3: Web Communication Proxies
Web FTP—Web
FTP is used when a client connects in explicit mode using HTTP
and accesses an ftp:// URL. The ProxySG translates the HTTP request into an
FTP request for the OCS (if the content is not already cached), and then translates
the FTP response with the file contents into an HTTP response for the client.
Websense log type—A
Blue Coat proprietary log type that is compatible with the
Websense reporter tool.
X
XML responder—HTTP
XML requestor—XML
102
XML service that runs on an external server.
realm.
Index
A
P
ASX rewrite
command syntax 73
rules 72
setting up for Windows Media 71
port services
instant messaging protocols 9
B
Blue Coat SG
instant messaging
configuring clients 21
proxy authentication 10
securing 9
Yahoo Messenger client configuration 24
instant messaging, IM clients tab statistics 33
instant messaging, IM data tab statistics 31
R
RealMedia
proxy authentication 50
S
streaming media
delivery type 41
live content defined 42
multicast defined 41
prepopulating content, description 47
unicast defined 41
D
U
document
conventions 7
unicast
defined 41
multicast, converting from by Windows
Media 69
I
instant messaging
configuring clients 21
proxy authentication 10
securing 9
statistics, IM clients tab 33
statistics, IM data tab 31
Yahoo Messenger client configuration 24
M
multicast
defined 41
unicast, converting by Windows Media 69
W
Windows Media
.ASX-rewrite rules 72
.nsc file 67
ASX rewrite and NTLM incompatibility 74
authentication limitations 49
multicast station monitoring 68
multicast to unicast 69
prepopulating content description 47
setting up ASX rewrite 71
103
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising