ProxySG VA Initial Configuration Guide (v6.3) .F

Download as pdf or txt
Download as pdf or txt
You are on page 1of 46

Blue Coat

Systems
ProxySG VA
Initial Configuration Guide
For SGOS 6.3.1 or later
Platform: ESX / ESXi Server
ii
Contact Information
Americas:
Blue Coat Systems Inc.
410 North Mary Ave
Sunnyvale, CA 94085-4121
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
http://www.bluecoat.com/support/contactsupport
http://www.bluecoat.com
For concerns or feedback about the documentation:
[email protected]
Document Number: 231-03049
Document Revision: SGOS 6.3.1, January 2012, Rev. B
Initial Configuration Guide iii
Table of Contents
Table of Contents
Chapter 1: Overview
Chapter 2: Before You Begin
Confirm System Requirements for the ProxySG VA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Host Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Support for RAID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
WCCP-Capable Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Support for VMware Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Support for SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Verify Resource Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12
Retrieve Appliance Serial Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13
Create a Virtual Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
Chapter 3: Create the ProxySG Virtual Appliance
Download the Virtual Appliance Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Import a ProxySG VA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Enable Performance Monitoring on the ProxySG VA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20
Reserve Resources for the ProxySG VA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Power on the ProxySG VA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Chapter 4: Configure the ProxySG VA
Perform Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-23
Launch Blue Coat Sky. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27
Register and License the ProxySG VA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Supported Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
License the ProxySG VA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28
Download and Install the License Key File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29
Configure WCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-31
Configure WCCP on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Configure WCCP on the ProxySG VA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32
Verify your Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35
Verifying WCCP Statistics and Service Group Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35
Verifying Acceleration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-36
Power Off the ProxySG VA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38
Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-39
iv Initial Configuration Guide
Table of Contents
Appendix A: WCCP Reference
About Service Group States. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
Worksheet for Configuring WCCP (Blank) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-2
Worksheet for Configuring WCCP (Sample) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3
Appendix B: Upgrading the SGOS
Initial Configuration Guide 1 - 5
1 Overview
The ProxySG Virtual Appliance (ProxySG VA) is a software solution that can be installed and deployed on
a server running VMwares ESX or ESXi Server. It is a branch office solution that accelerates the flow of data
and applications between the branch office and data center, and facilitates server consolidation since the
ProxySG VA can co-exist with other virtual machines on a single hardware platform. With the ProxySG VA
providing WAN acceleration, the other virtual machines can provide branch office services (such as Domain
Controller, print, DNS, and DHCP), as well as any VMware-certified software application.
The ProxySG VA must be installed virtually in-path using Web Cache Communication Protocol (WCCP).
WCCP is a protocol that is used when a caching device, such as the ProxySG VA, is not deployed physically
in-path with the router. Using the WCCP protocol, a WCCP-capable router transparently intercepts traffic
and redirects it to the ProxySG VA. The following network diagram shows an Application Delivery
Network (ADN) where the ProxySG VA is deployed virtually inline at a branch office and a ProxySG
hardware appliance is deployed inline at the data center.
About This Guide
This guide is intended for users who are deploying and running a ProxySG VA on VMwares ESX or ESXi
Server. It provides information on the minimum system requirements and instructions for creating and
configuring a virtual ProxySG.
The following topics are covered in this guide:
Before You Begin
Create the ProxySG Virtual Appliance
Configure the ProxySG VA
WCCP Reference
Upgrading the SGOS
Note Check Blue Touch Online for the most up-do-date version of this guide.
1 - 6 Initial Configuration Guide
Overview
Conventions Used in This Guide
This guide uses the following typographical conventions:
Terminology
The following table lists the terms used in this guide.
Convention Example
Terms that identify buttons, fields, menu or options on
the user interface are shown in Palatino font.
Step 1 Select Maintenance > Licensing > Install
Step 2 Click Retrieve
Text that you must type exactly is denoted using bold,
Courier New font.
Enter
https://<ProxySG_IP_address>:8082/mgmt
Information that is variable and specific to your
environment is denoted in angle brackets, bold, and in
italics.
<ProxySG_IP_address> in
https://<ProxySG_IP_address>:8082/mgmt
Term Definition
Application Delivery
Network (ADN)
A Blue Coat solution that provides visibility, acceleration, and control for the
application traffic traversing a WAN.
Appliance Serial
Number
A string of characters that uniquely identify a virtual appliance. On the first boot,
you must enter the appliance serial number to begin initial configuration on the
ProxySG VA.
Blue Coat Sky The default Web interface for the MACH 5 license.
BCLP Blue Coat Licensing Portal, for licensing your ProxySG VA.
https://services.bluecoat.com/eservice_enu/licensing/register.cgi
Datastore Storage defined in ESX/i, made up of one or more physical disks.
Director The Blue Coat Director is the centralized management platform for managing
ProxySG configurations and policies. It allows you to effectively manage
multiple ProxySG appliances in your deployment.
Enable Mode A mode that allows administrative privileges on the Command Line Interface
(CLI) of the ProxySG appliance. You can make changes to the configuration in
this mode.
Enable Password A password used to enter enable mode so that you can configure an appliance.
The enable password is for administrators who are authorized to configure an
appliance.
ESX/i Server The physical computer (host) onto which VMwares virtualization product is
installed. The ESX or ESXi Server provides CPU and memory resources, access to
storage, and network connectivity to multiple virtual machines.
Note: Throughout this guide, ESX/i Server is used as a shorthand for ESX or ESXi
Server.
Initial Configuration Guide 1 - 7
Overview
Management Console The Web interface for advanced configuration on the ProxySG VA.
Enter the following URL in the Web browser for directly accessing the
Management Console:
https://<ProxySG_IP_address>:8082/mgmt
where <ProxySG_IP_address> is the IP address of your ProxySG VA.
MACH5 Blue Coats MACH5 edition license on the ProxySG is used for acceleration
deployments. The MACH5 base license allows acceleration of HTTP, FTP, CIFS,
DNS, email, and streaming protocols. Security-related features are not included.
OVF The Open Virtualization Format is a format for packaging and distributing
virtual machines. It is an XML text file that defines the attributes of a specific
virtual machine package.
ProxySG VA A ProxySG running as a virtual appliance on VMwares ESX or ESXi Server.
SGOS The ProxySG operating system.
VAP The Virtual Appliance Package is the zip file that contains the OVF file and the
virtual disk files (.vmdk) required for creating the ProxySG VA. It also includes
this guide, the ProxySG VA Initial Configuration Guide.
Virtual Machine An instance of an operating system and one or more applications that run in an
isolated partition of an ESX or ESXi Server. ProxySG VA is a virtual machine.
VLAN Virtual Local Area Network. A local area network (LAN) that is created with
software. It maps clients (hosts) on a basis other than by geographic location and
extends across LAN segments rather than remaining in one physical LAN.
WCCP Web Cache Communication Protocol. Allows you to redirect the traffic that flows
through routers.
Term Definition
1 - 8 Initial Configuration Guide
Overview
Initial Configuration Guide 2 - 9
Before You Begin
2 Before You Begin
This chapter assumes that you have configured your hardware platform as an ESX/i Server, have created
datastores, and have configured the ESX/i Server for network access. For information on setting up your
ESX/i Server, refer to the VMware documentation.
Before you proceed with creating the ProxySG VA, perform the following tasks:
Confirm System Requirements for the ProxySG VA
Retrieve Appliance Serial Numbers
Create a Virtual Switch
Confirm System Requirements for the ProxySG VA
To achieve the best performance on the ProxySG VA, its important that you install the software
on a system that satisfies the specified requirements. Follow these guidelines to guarantee
satisfactory performance and operation of the ProxySG VA.
Host Server
The host server must be on VMwares Hardware Compatibility List (located at
http://www.vmware.com/resources/compatibility/search.php). The server must have
sufficient virtual resources to run your ProxySG VA model, as described in the following table.
Table 2-1 Resource requirements by model

The storage partition in which a ProxySG VA is installed must include the minimum number of physical
drives shown in this table. This requirement ensures that adequate disk IO bandwidth is available to
support the throughput for which the model is rated.
The storage partition must be on the ESX/i Server and it must contain adequate storage space.
Model ProxySG VA-5
(5 - 10 users)
ProxySG VA-10
(10 - 50 users)
ProxySG VA-15
(50 - 125 users)
ProxySG VA-20
(125 - 300 users)
Virtual CPU minimum 1.0 GHz 1.5 GHz 2.0 GHz 2.5 GHz
Virtual memory 1024 MB 1536 MB 2048 MB 3072 MB
Virtual drives 1 2 4 6
Minimum storage space 100 GB 200 GB 400 GB 600 GB
* Minimum number of physical
drives in a non-RAID system.
For disk requirements in a RAID
configuration, see "Support for
RAID" on page 2-10.
1

2*** 3***
2 - 10 Initial Configuration Guide
Before You Begin

On some platforms with RAID controllers, the storage set-up utility might allow a single drive to be
configured as a RAID 0. Although a single drive is technically not a RAID configuration, it is an acceptable
configuration for the ProxySG VA-5 and the ProxySG VA-10.
*** To configure drives on the ProxySG VA-15 and ProxySG VA-20, add extents to the datastore; refer to the
VMware documentation for details.
Enforced Licensed User Limit
As indicated in Table 2-1, each ProxySG VA model supports a range of users, for example the ProxySG
VA-10 supports 10-50 users. However, unlike a physical appliance, the ProxySG VA does enforce the number
of user connections, as permitted by the license. The ProxySG VA bypasses connections from users after the
maximum has been reached. For example, on the ProyxSG VA-10, the 51st user connection is bypassed.
Alternatively, you can choose to queue the connections for users over the licensed limit.
Deployment Recommendations
Create only one ProxySG VA on an ESX or ESXi Server.
For optimal performance, follow these guidelines:
Use only up to 85% of the available disk space on a datastore, as recommended by VMware. For
example, when selecting a datastore for a ProxySG VA-15 that uses 400GB of disk space, ensure that
at least 15% disk space is still available on the datastore after the ProxySG VA is created.
To meet performance expectations, the ProxySG VA requires local storage; SAN and NAS are not
supported storage options and might result in reduced performance.
To make a back up of your system configuration, use the archiving feature in the ProxySG VA. Do
not take snapshots of the ProxySG VA configuration. Snapshots are detrimental to the performance
of the ProxySG VA because they occupy too much disk space. When a snapshot is created, a delta
file is created on the Virtual Machine File System. The initial size of the delta file is 16MB, but it
grows in increments of 16 MB as writes are made to the disk.
Do not suspend and resume the ProxySG VA. When you suspend the ProxySG VA, any active TCP
connection is suspended at first and is subsequently aborted. Clients will need to reconnect when
the ProxySG VA becomes available again. This suspend and resume action thereby creates a poor
performance experience for the users.
Support for RAID
RAID (Redundant Array of Independent Disks) technology is a data storage scheme that provides storage
reliability and increased performance by dividing and replicating data among multiple hard disk drives.
You can install the ProxySG VA on an ESX/i Server that implements RAID level 0 or RAID level 5
architecture.
RAID 0 configurations provide the best possible performance for the ProxySG VA. RAID 5 configurations,
while commonly used, add significant overhead when writing data to disk and might reduce overall
performance of the ProxySG VA.
Initial Configuration Guide 2 - 11
Before You Begin
The minimum number of physical disk drives required by the ProxySG VA on the ESX/i Server is as
follows:
WCCP-Capable Router
The ProxySG VA must be installed virtually in-path using Web Cache Communication Protocol (WCCP).
WCCP is a protocol that is used when a caching device, such as the ProxySG VA, is not deployed physically
in-path with the router. Using the WCCP protocol, a WCCP-capable router transparently intercepts traffic
and redirects it to the ProxySG VA.
Support for VMware Products
The ProxySG VA is a VMware Ready virtual appliance and is compatible with the following
VMware products:
ESX or ESXi Server v3.5 (update 3 or 4) or v4.0
VI Client v2.5 or vSphere Client 4.0
vCenter Server v2.5 or v4.0
Note VMotion, Distributed Resource Scheduling (DRS), High Availability (HA), clustering and resource
pools are not supported in this release.
Blue Coat worked closely with VMware to ensure that the ProxySG VA runs efficiently in the virtual
environment and meets all technical criteria and specifications. The VMware Ready program is a validation
program designed to provide the best possible user experience among virtual appliances being deployed
in production. This status indicates that Blue Coat has followed best practices and the software is optimized
for VMware vSphere, helping to ensure ready-to-run reliability and security.
Support for SSL
On the ProxySG VA, all cryptographic operations are performed in the SGOS software. The SSL license is
included with the virtual appliance license. The SSL accelerator card is not supported on the ProxySG VA.
Model ProxySG VA-5 ProxySG VA-10 ProxySG VA-15 ProxySG VA-20
Minimum number of
physical drives for RAID 0
2 2 2 3
Minimum number of
physical drives for RAID 5
3

3

3 4
2 - 12 Initial Configuration Guide
Before You Begin
Verify Resource Availability
Because all virtual appliances use a hardware resource pool that can be shared and assigned as needed, you
must verify that the ESX/i Server meets the minimum hardware requirements for the ProxySG VA model
that you have purchased.
The following instructions describe how to verify system resources on the ESX/i Server using a VMware
client. The Client is used to connect directly to an ESX/i Server or indirectly to an ESX/i Server through
vCenter Server. This guide assumes that you are connected to an ESX/i Server using vSphere Client 4.0 or
VI Client v2.5.
Verifying Resource Availability
Step 1 Access the ESX/i Server using your VMware
client.
Enter the IP address of the ESX/i Server into the
log-in screen of your VMware client.
Step 2 Display the summary of the ESX/i Servers
resources.
a. Select the ESX/i Server.
b. Click the Summary tab.
Step 3 Verify adequate resource availability. For
ProxySG VA resource requirements, see Table
2-1 on page 2 - 9.
a. In the General panel, confirm availability of
the minimum Processor speed requirement
for your ProxySG VA model.
b. In the Memory Usage section of the
Resources panel, confirm availability of
adequate memory resources.
c. In the Datastore section of the Resources
panel, confirm adequate free storage space
availability on a local datastore on the
ESX/i Server.
Initial Configuration Guide 2 - 13
Before You Begin
Retrieve Appliance Serial Numbers
The Blue Coat eFulfillment email you received after placing your order for ProxySG VA appliances contains
activation codes for retrieving appliance serial numbers from the Blue Coat Licensing Portal (BCLP).
Retrieving Appliance Serial Numbers
Step 1 Make sure you have a BlueTouch Online
username and password. In addition to
retrieving appliance serial numbers, these
credentials are required for obtaining your
license, downloading software upgrades, and
accessing documentation.
If you do not have a BlueTouch Online account,
contact [email protected].
Or, for call-in information, see
https://bto.bluecoat.com.
Step 2 Locate the email you received from Blue Coat
Systems. This email contains the software
activation codes as well as a link to the BCLP.
Step 3 Log in to BCLP. a. Click the link embedded in the email. (The
link begins with
https://services.bluecoat.com/).
b. Enter your BlueTouch online username and
password.
Step 4 Enter the activation code. You can select any of
the ProxySG VA activation codes that are listed
in the email; the system retrieves all serial
numbers from the same purchase order.
a. Type the code as it appears in the email, or
copy and paste it into the Activation Code
field.
b. Click Next. The ProxySG VA Serial Numbers
screen displays.
Step 5 Record the appliance serial number(s). You will
need to refer to the serial number when you
perform initial configuration on the
ProxySG VA.
Perform one of the following tasks to note the
appliance serial number.
Write down the serial number(s) listed on
the screen.
Click the Download link to save the serial
numbers in a CSV (Comma Separated
Value) file.
For future reference, record the location and
name of the ProxySG VA alongside the serial
number.
2 - 14 Initial Configuration Guide
Before You Begin
Note Each appliance serial number is unique. When performing initial configuration on
the ProxySG VA, make sure that you use a dedicated serial number for each instance
of a ProxySG VA. If you reuse a serial number, the ProxySG VA license could be
suspended. License suspension disables proxy functionality and the graphical user
interface displays the Duplicate serial number detected error message. To re-enable
your license, the ProxySG VA with the duplicate serial number must be deleted.
Create a Virtual Switch
A virtual machine has virtual network interfaces that are not physically cabled to a network interface card
(NIC) on the ESX/i host. Therefore, to provide network access, a virtual switch (vSwitch) is required to
logically connect the virtual network interfaces on the virtual machine to a physical NIC on the ESX/i host.
By default, the ESX/i Server creates a vSwitch that is connected to a physical NIC. You could use this default
vSwitch, use a vSwitch that you might have created for an existing deployment or create a new vSwitch for
the ProxySG VA. For instructions, see "Creating a Virtual Switch" on page 2-15.
The ProxySG VA includes three virtual network interfaces a LAN interface, a WAN interface and a third
optional interface for handling management traffic. Before creating the ProxySG VA, confirm that you have
one vSwitch available for connecting the WAN and LAN interfaces. The vSwitch for the third interface is
optional.
The vSwitch that connects the WAN and LAN interfaces is required. This virtual switch on the ESX/i host
allows the ProxySG VA to connect to external devices, such as the WCCP router. This virtual switch handles
all incoming and outgoing traffic for the ProxySG VA.
If your network topology requires a separate interface for handling management traffic to the ProxySG VA,
create a virtual switch for the third interface, or use an existing vSwitch that provides the desired
connectivity.
Note If you use VLANs for segregating traffic within the ESX/i Server or across your network, you must
enable VLAN trunking on all interconnecting devices such as switches or routers. This guide does
not include information on VLAN configurations.
Initial Configuration Guide 2 - 15
Before You Begin
The instructions in this section use vSphere Client v4.0.
Creating a Virtual Switch
Step 1 Add a virtual switch for the ProxySG VA. a. In your VMware client, select the ESX/i
Server that will host the ProxySG VA.
b. Select the Configuration tab and choose
Hardware > Networking.
c. Click Add Networking, in the right corner of
the dialog box.
d. In the Add Network Wizard, select Virtual
Machine in the Connection Types dialog.
Click Next.
e. Select Create a virtual switch.
f. Select the physical NIC to manage the traffic
to and from the ProxySG VA. This physical
NIC will be mapped to the virtual switch.
Click Next.
g. Specify the Network Label. The default label
is Virtual Machine Network.
h. Verify that the VLAN ID field is blank or
enter 0.
This guide assumes that you do not use
VLANs. If you use VLANs, enter 4095 to
enable VLAN trunking. This value enables
Virtual Guest Machine Tagging mode on
the switch, and it allows the virtual switch
to preserve VLAN tags between the virtual
machine and the external switch/router.
Refer to the WAN Optimization and
Application Acceleration Guide for advanced
configuration details on configuring your
ProxySG VA with VLANs.
i. Verify the details and exit the Add Network
Wizard.
2 - 16 Initial Configuration Guide
Before You Begin
Initial Configuration Guide 3 - 17
Create the ProxySG Virtual Appliance
3 Create the ProxySG Virtual Appliance
This chapter describes how to import a virtual appliance in to the ESX/i Server, enable performance
monitoring on the virtual appliance, and ensure that the ProxySG VA has the resources available for optimal
performance.
To create the ProxySG VA, you must have administrative privileges on the ESX/i Server.
Note: Blue Coat recommends creating only one ProxySG VA on an ESX/i Server.
The following topics are covered in this chapter:
Download the Virtual Appliance Package
Import a ProxySG VA
Enable Performance Monitoring on the ProxySG VA
Reserve Resources for the ProxySG VA
Power on the ProxySG VA
Download the Virtual Appliance Package
The Virtual Appliance Package (VAP) is required for the initial setup of the ProxySG virtual machine on
your ESX/i Server. Each ProxySG VA model has a unique VAP, available for download on the BlueTouch
Online download site.
The VAP is a zip file that contains the following files:
Open Virtualized Format (OVF) file
Virtual Machine Disk Format (VMDK) files, one for each virtual disk required on the model. For
example, the ProxySG VA-20 has six .vmdk files.
A PDF of the ProxySG VA Initial Configuration Guide (this guide)
Downloading the VAP
Step 1 Log in to BlueTouch Online. a. In a Web browser, go to
https://bto.bluecoat.com/download
b. Enter your login credentials when
prompted.
Step 2 Download the VAP file. a. In BTO, click the Downloads tab.
b. Select ProxySG.
c. Click SGOS6.3.
d. Select the VAP file for your ProxySG VA
model (for example, VA-10).
e. Follow the onscreen instructions.
3 - 18 Initial Configuration Guide
Create the ProxySG Virtual Appliance
Step 3 Extract the contents of the VAP file. The files should be extracted to a location that
can be accessed from the system running the
VMware client or vCenter Server.
Note Because the .ovf file includes a pointer
to the .vmdk files, you must extract and
store the contents of the .zip file within
the same folder. Do not rename the files.
Downloading the VAP
Initial Configuration Guide 3 - 19
Create the ProxySG Virtual Appliance
Import a ProxySG VA
The instructions in this section use vSphere Client v4.0.
Importing the OVF File
Step 1 Create the ProxySG VA on your host ESX/i
Server.
Note In ESX 4.0, you cannot deploy the OVF from
vSphere Server; you must use the vSphere
Client to import OVF templates.
a. In your VMware client, select your host
ESX/i Server.
b. Select File > Deploy OVF Template.
Note The equivalent command in VI Client is
File > Virtual Appliance > Import.
c. Select Deploy from file or Deploy from URL
and browse to the location of the .ovf file.
Click Next.
d. Verify the OVF template details and click
Next.
e. Enter a name for the ProxySG VA, for
example: SGVA_Model15_Sydney. The
name should be unique within your ESX/i
host. Click Next.
f. Choose a datastore with sufficient free
space. See Confirm System Requirements
for the ProxySG VA on page 2-9 for disk
space requirements. Click Next.
g. For the WAN and LAN interfaces, select the
vSwitch to be used by the ProxySG VA.
Click Next.
h. (Optional) Connect the third interface to a
different virtual switch on the ESX/i host.
This interface is required only if a client on
a private subnet requires management
access to the ProxySG VA, for example, if
the management client cannot access the
ProxySG VA through its WAN and LAN
ports.
i. Review the details and click Finish to begin
creating the ProxySG VA.
See the Recent Tasks panel located at the
bottom of your VMware client screen, for
the progress bar indicating the percentage
complete.
3 - 20 Initial Configuration Guide
Create the ProxySG Virtual Appliance
Enable Performance Monitoring on the ProxySG VA
To monitor performance more accurately, you must enable a performance monitoring counter for the
ProxySG VA. You will enter this setting using your VMware client.
The ProxySG VA uses the monitor_control.pseudo_perfctr counter to monitor stolen time. Stolen time
is the difference between real time (as measured on the host servers clock) and apparent time (as
measured on the ProxySG); small amounts of stolen time are an inevitable occurrence on virtual machines.
Stolen time can become excessive when the ProxySG VA is running at 100% CPU utilization, the ESX/i
Server is overloaded, and the recommended resources for the ProxySG are not reserved (as described in the
next section).
Because excessive stolen time can create issues with ProxySG reporting and operations, the following
actions are taken when stolen time on your ProxySG VA has exceeded predefined thresholds:
Step 2 (Optional) Enable the vSwitch for the third
interface.
Note This step is required only if you plan to use the
third interface on the ProxySG VA.
a. Select the ProxySG VA, on the ESX/i Server.
b. Right click and select Edit Settings.
c. Select Hardware > Network Adapter 3.
d. In the Device Status panel, enable the check
box for Connect at power on.
e. Click OK to exit the dialog.
Enable the Performance Monitoring Counter
Step 1 Navigate to the CPU settings for the
ProxySG VA.
a. In your VMware client, select the
ProxySG VA virtual machine.
b. Right click and select Edit Settings.
c. In the Options tab, select Advanced >
General.
d. Click Configuration Parameters.
Step 2 Add the string for monitoring performance. a. Click Add row, in the Configuration
Parameters window.
b. Enter monitor_control.pseudo_perfctr
in the Name column of the new row.
c. Enter 1 in the Value column.
d. Verify that the string has no typographical
errors.
e. Click OK.
f. Click OK to close the dialog.
Importing the OVF File (Continued)
Initial Configuration Guide 3 - 21
Create the ProxySG Virtual Appliance
If instantaneous stolen time exceeds 15 seconds, the ProyxSG VA automatically reboots.
If accumulated stolen time exceeds 30 minutes in a 24-hour period, the ProxySG license is temporarily
disabled, and all traffic is bypassed. The health state of the ProxySG VA transitions to Critical, and the
following alerts appear:
License expired. All traffic is now bypassed.
Virtual appliance stolen time threshold exceeded.
Reserve Resources for the ProxySG VA
Blue Coat recommends reserving memory and a CPU core for the ProxySG VA. If resource allocation is not
accurate for the ProxySG VA model that you have created, the ProxySG VA might not perform optimally. If
the ESX/i host does not have the available resources to satisfy the resource reservations, the ProxySG VA
will not power on.
Reserving Resources
Step 1 Determine the appropriate value for the CPU
reservation. The reservation should be the full
CPU frequency of one core.
a. In your VMware client, select the ESX/i
host.
Note: Make sure the host is selected and not
the ProxySG VA virtual machine.
b. Click the Summary tab.
c. Note the value next to Processor (for
example, 2.26 GHz).
d. Multiply this number by 1000 to obtain the
value in MHz.
For example, 1000 x 2.26 = 2260 MHz.
Step 2 Specify the CPU reservation value for the
ProxySG VA.
a. Select the ProxySG VA, on the ESX/i host.
b. Right click and select Edit Settings.
The Virtual Machine Properties window
displays.
c. In the Resources tab, select CPU.
d. Specify the Reservation value for the CPU
that you determined in Step 2.
e. Retain the default values for the other
options.
3 - 22 Initial Configuration Guide
Create the ProxySG Virtual Appliance
Power on the ProxySG VA
Make sure that you have enabled the performance monitoring counter and reserved resources for the
ProxySG VA before powering it on. If resource allocation is not accurate for the ProxySG VA model that you
have created, the ProxySG VA will not power on.
Step 3 Specify the memory reservation for the
ProxySG VA.
a. In the Resources tab, select Memory.
b. Specify the Reservation value for memory
allotted to the ProxySG VA.
Input the value recommended for your
model. See Confirm System Requirements
for the ProxySG VA on page 2-9 for the
values by model.
c. Retain the default values for the other
options.
Step 4 Give the virtual disks on the ProxySG VA a
higher priority access to the physical disks on
the ESX/i Server.
(Recommended if the ProxySG VAs datastore is
shared by other virtual machines on the ESX/i
Server.)
a. In the Resources tab, select Disk.
b. For each of the disks on the ProxySG VA,
change the value to High in the Shares field.
Setting this value to high ensures that the
ProxySG VA gains higher priority access to
disk resources, as compared to other virtual
machines that use the same physical disks.
c. Click OK to exit the dialog.
Powering On the ProxySG VA
Step 1 Power on the ProxySG VA. a. Log in to the ESX/i Server using your
VMware client.
b. Select the ProxySG VA.
c. Right click and select Power On.
When the ProxySG VA is powered on, a
green arrow appears next to its virtual
machine name.
Reserving Resources (Continued)
Initial Configuration Guide 4 - 23
4 Configure the ProxySG VA
This chapter describes how to perform the initial set-up and configuration of the ProxySG VA for
transparent redirection of traffic. The following topics are covered in this chapter:
Perform Initial Configuration
Launch Blue Coat Sky
Register and License the ProxySG VA
Configure WCCP
Verify your Configuration
Next Steps
Perform Initial Configuration
You will use the Console tab on your VMware client to access the ProxySG VA for initial configuration. The
set-up script prompts you to configure basic network settings, including adding two interface IP addresses
for WCCP (transparent redirection), and setting up administrative credentials for console access.
The following table summarizes the prompts in the set-up wizard. Before you launch the set-up wizard,
obtain and record the information specific to your deployment in this table. After you have recorded your
settings in the table, see "Completing Initial Configuration" on page 4-24.
Description Value
Appliance Serial
Number
Refer to the appliance serial number that you recorded in "Retrieving Appliance
Serial Numbers" on page 2-13.
Default value: none provided
Manual set-up or use
Director
If using Director, you must configure a registration password or shared secret on
the Director. The same password must be entered while performing the initial
configuration. The shared secret is required because the ProxySG VA does not
have an appliance certificate.
Default value: none provided
Solution to implement Acceleration is the only option for the ProxySG VA and is set automatically.
Default value: Acceleration
Deployment type WCCP is the only option for the ProxySG VA and is set automatically.
Default value: WCCP
Appliance name For easy identification, use the same or similar name that you used while creating
the ProxySG VA on the ESX/i Server.
Default value: VA serial number
4 - 24 Initial Configuration Guide
Configure the ProxySG VA
Use the instructions below for performing initial configuration on the ProxySG VA.
Interface configuration Identify the IP addresses and subnet masks for the WAN and LAN interfaces.
Blue Coat recommends keeping the WAN and LAN interfaces of the ProxySG VA
on the same subnet. Both interfaces will be connected to one virtual switch that is
connected to the same physical NIC on the ESX/i Server.
You also have an option to assign a VLAN ID to each interface. If you use VLANs
for segregating traffic within the ESX/i Server or across your network, you must
enable VLAN trunking on all interconnecting devices such as switches or routers.
This guide does not include information on VLAN configurations.
Default value: none provided
Default gateway Provide the IP address for the default gateway.
Default value: none provided
Primary DNS server Provide the IP address for the primary DNS server.
Default value: none provided
Administrator
username (ID) and
password
The password you assign here will also be used for accessing enable mode in the
CLI. Enable mode allows the user to make configuration changes.
Default username: admin
Default password: none provided
Completing Initial Configuration
Step 1 Verify that your ProxySG VA is powered on. a. Log in to the ESX/i Server using your
VMware client.
b. Check for power on status. If the ProxySG
VA is powered on, a green arrow appears
next to its virtual machine name.
Step 2 Access the virtual console of the ProxySG VA on
the ESX/i Server.
a. Select the ProxySG VA on the ESX/i Server.
b. Select the Console tab and click inside the
console window to activate your mouse.
Step 3 The appliance serial number is unique for each
appliance and must be used on only one
ProxySG VA. See "Retrieve Appliance Serial
Numbers" on page 2-13.
a. Enter the appliance serial number at the
prompt.
Note The leading zeroes are significant for
serial numbers. Enter all 10 digits at the
prompt.
b. Press Enter.
Description Value
Initial Configuration Guide 4 - 25
Configure the ProxySG VA
Step 4 Follow the prompts and enter the details in the
set-up script.
a. Press Enter three times to activate the serial
console.
Note To release the mouse from the VMware
clients Console tab, press the Ctrl and
Alt keys on your keyboard.
b. Step 1: For the question How do you plan to
configure this appliance? select your
preference for either configuring the
ProxySG VA manually or using Director,
If using Director, you must assign a
registration password on Director and enter
the password in the set-up console, when
prompted. For information on setting up a
registration password, refer to the Blue Coat
Director Configuration and Management
Guide.
c. Step 2: For the question Which solution
would you like to implement? press Enter to
accept the auto-selected value
(Acceleration).
d. Step 3: For the question How will you deploy
this appliance? press Enter to accept the
auto-selected value (WCCP)
e. Step 4: (Optional) Enter an appliance name
for the ProxySG VA. The default value is
ProxySG VA serial number. This name helps
identify the appliance when you log in to
the appliance using a Web browser. The
name displays on your Web browser and on
the banner on Blue Coat Sky.
f. Step 5: Add the IP address and subnet mask
for two interfaces WAN and LAN on
your ProxySG VA.
Note You will also be asked if you want to
assign a VLAN ID to each interface. If
you use VLANs for segregating traffic
within the ESX/i Server or across your
network, you must enable VLAN
trunking on all interconnecting devices
such as switches or routers. This guide
does not include information on VLAN
configurations.
Completing Initial Configuration (Continued)
4 - 26 Initial Configuration Guide
Configure the ProxySG VA
Setup script continued g. Step 6: Add the IP address for the default
gateway.
h. Step 7: Add the IP address for the DNS
server.
i. Step 8: Change the username for
administrative access on the ProxySG VA.
The default username is admin.
j. Step 9: Add a password for allowing
administrative access privilege.
k. Step 10: Confirm that you would like to
activate acceleration after you configure
WCCP.
Step 5 Verify the configuration settings. a. Look over the configuration settings
displayed on the screen.
b. To modify a setting, follow the onscreen
prompts.
c. Press Enter to save the settings.
Step 6 Enable return to sender (RTS) for Inbound and
Outbound requests. Inbound RTS is enabled by
default, but you must enable RTS for Outbound.
Note RTS configures the ProxySG to send response
packets back to the same interface that received
the request packet.
a. Press Enter three times.
b. Enter 1 to go to the command line interface.
c. At the console prompt, enter enable and
type the enable password when prompted.
d. Enter conf t. The (config) prompt
displays.
e. Enter the following command:
return-to-sender outbound enable
f. To verify that RTS is enabled for both
Inbound and Outbound:
#(config)show return-to-sender
Return to sender:
Inbound sessions: enabled
Outbound sessions: enabled
Overwrite static route entry: disabled
Version: 2
Step 7 Close the Console. a. Press Ctrl and Alt to release the mouse from
the Console.
b. Click any other tab in the VMware client
(such as Summary).
Completing Initial Configuration (Continued)
Initial Configuration Guide 4 - 27
Configure the ProxySG VA
Launch Blue Coat Sky
The ProxySG has two graphical user interfaces Blue Coat Sky and the Management Console. Blue Coat
Sky is the default Web interface for managing the ProxySG VA. The Management Console allows you to
perform advanced configuration tasks, such as creating policy.
To access Blue Coat Sky, enter the IP address of the ProxySG VA into the Web browser, for example:
https://192.168.16.10:8082
or
https://192.168.16.10:8082/sky
To access the Management Console directly, enter the following URL in your Web browser:
https://<ProxySG_IP_Address>:8082/mgmt
For example, https://192.168.16.10:8082/mgmt
Before you can accelerate traffic in your network, you must obtain and install the license for the ProxySG
VA and configure WCCP for transparent redirection of traffic to the ProxySG VA.
When you log in to Blue Coat Sky, two alerts are displayed, one for licensing the appliance and the other
for configuring WCCP. Use the following instructions to complete initial configuration on the ProxySG VA.
Note Before you can accelerate traffic in your network, you must complete both tasks: licensing and
WCCP configuration.
Accessing Blue Coat Sky
Step 1 Access Blue Coat Sky. Enter the IP address of the ProxySG VA into the
Web browser. For example:
https://192.168.16.10:8082
or
https://192.168.16.10:8082/sky
The WCCP configuration incomplete dialog box
displays.
Step 2 Close the WCCP configuration incomplete dialog
box. (You will configure WCCP later.)
a. Click Do it Later.
Step 3 View the alerts and proceed with additional
configuration tasks.
a. View the messages in the Alerts list.
b. Perform the following tasks:
Click the license alert to retrieve the
license for the ProxySG VA. See
Register and License the ProxySG VA
on page 4-28.
Click the WCCP alert to configure
WCCP on the ProxySG VA. See
Configure WCCP on page 4-31.
4 - 28 Initial Configuration Guide
Register and License the ProxySG VA Configure the ProxySG VA
Register and License the ProxySG VA
The ProxySG VA offers two types of licenses:
A subscription-based license is valid for a set period of time (such as one year). After you have installed
the license, the ProxySG VA has full functionality, and you have access to software upgrades and
product support for the subscription period.
A perpetual license is a permanent license. For software upgrades and product support, you need to
purchase a support contract.
Supported Licenses
The ProxySG VA supports only the Blue Coat MACH5 Edition license which allows acceleration of HTTP,
FTP, CIFS, DNS, email, and streaming protocols. Security-related features are not included. The ProxySG
VA also includes an SSL license for intercepting SSL traffic and a Flash Streaming license for optimizing
Flash video content.
The following license components are not supported:
Proxy Edition license
Trial period
A new ProxySG VA is unlicensed. Until you install the license, the virtual appliance bypasses all traffic.
If your ProxySG VA has direct access to the Internet, follow the first procedure ("License the ProxySG VA"
on page 4-28). If your ProxySG VA does not have Internet access, skip the first procedure and follow the
instructions in the second procedure ("Download and Install the License Key File" on page 4-29).
License the ProxySG VA
The ProxySG VA is in a License expired state when it cannot detect a license, either because it hasnt been
installed yet or because the license subscription has expired. An unlicensed virtual appliance bypasses all
traffic.
Note Unlike subscription-based licenses, perpetual licenses do not expire. However, until you install the
license, the License expired alert will display for either type of license.
Follow this procedure if your ProxySG VA can access the Internet.
Licensing the ProxySG VA
Step 1 Navigate to the Licensing page in Blue Coat Sky. This procedure requires that the ProxySG VA
has Internet access.
Click the License expired link in the Alerts list.
or
Select System Settings > Software > Licensing.
The Licensing page displays.
Initial Configuration Guide 4 - 29
Configure the ProxySG VA Register and License the ProxySG VA
Note For 90 days before a subscription-based license expires, Blue Coat Sky and the Management
Console alert you that the license will be expiring. If your license expires before you have renewed
the subscription, the ProxySG VA will cease to optimize your network traffic; all traffic will be
bypassed. Therefore, it's important that you renew your license during the warning period so that
you never lose functionality.
Download and Install the License Key File
If your ProxySG does not have direct Internet access, you cannot use the automatic procedure described in
"License the ProxySG VA" on page 4-28. You need to download the license key file from a workstation with
Internet access and place the file on a web server or a workstation that is used to manage the ProxySG VA.
After the license key is accessible, you can install the license on the ProxySG VA.
You use the Blue Coat Licensing Portal (BCLP) to create a License Key File (LKF) for your ProxySG VA
appliance. The LKF contains all the component licenses for your ProxySG VAthe MACH5 license along
with the SSL and Flash Streaming licenses.
Step 2 Install the ProxySG VA license. a. In the Install License panel, enter your
BlueTouch Online credentials (User ID and
Password).
b. Click Submit credentials and install license.
After a moment, the message License
installed successfully displays.
c. Click OK.
Step 3 Verify that your license is installed. a. Refresh your browser. (The licensing
information may not display until you
refresh the browser.)
The ProxySG VA model number displays on
the banner, in place of the Unlicensed
message.
b. Return to the Licensing configuration page.
The Type now reflects the license type:
SGOS 6 MACH5 Edition, and the Expiration
date indicates when your license
subscription will expire (subscription-based
licenses only).
Licensing the ProxySG VA
4 - 30 Initial Configuration Guide
Register and License the ProxySG VA Configure the ProxySG VA
Manually Licensing the ProxySG VA
Step 1 Log in to Blue Coats licensing portal. a. From a workstation with Internet access,
use a Web browser and navigate to
https://bto.bluecoat.com/licensing
b. Click License a Proxy on the page that
displays.
c. Use your BlueTouch Online credentials to
log on to the License Configuration and
Management System portal. A list displays
all Blue Coat appliances registered to this
BTO account.
Step 2 Download the License Key File for the ProxySG
VA.
a. Click on the appropriate virtual appliance
serial number.
b. Select Manage Software Serial Numbers.
The License Self-Service page displays.
c. Click Get License. The Get License link is
located in the Cust Info > Links tab.
A new window displays with the .bin LKF
file.
d. Verify that the serial number is correct and
save the LKF on a local directory or a Web
server.
Step 3 Manually install the License Key File. a. In Blue Coat Sky, select System Settings >
Software > Licensing.
b. In the Manually install a new license section,
select one of the following:
URL Enter the address/name of the web
server and the path to the License Key File;
then click Upload and install.
Local file Click Browse and install and
locate the License Key File; then click Open.
Text editor Paste in the contents of the
License Key File; then click Install. (You
need to open the .bin file in a text editor,
such as Notepad.)
After a moment, the message License installed
successfully displays.
Initial Configuration Guide 4 - 31
Configure the ProxySG VA Register and License the ProxySG VA
Note For 90 days before the subscription-based license expires, Blue Coat Sky and the Management
Console alert you that the license will be expiring. If your license expires before you have renewed
the subscription, the ProxySG VA will cease to optimize your network traffic; all traffic will be
bypassed. Therefore, it's important that you renew your license during the warning period so that
you never lose functionality.
Configure WCCP
WCCP is a routing protocol that allows certain Cisco switches and routers to transparently redirect traffic
to a caching device such as the ProxySG VA. To facilitate transparent traffic redirection and service requests
from clients, you need to configure both the WCCP-capable switch or router and the ProxySG VA to
participate in a service group scheme. A service group is established when the WCCP-capable device and
the ProxySG VA are able to discover, advertise, and verify connectivity to each other.
To configure WCCP, perform the following tasks:
Plan two service groups for redirecting traffic between the ProxySG VA and the WCCP-capable switch
or router. On the ProxySG VA and the WCCP-capable device, you must create two service groups to
redirect traffic from the WAN and the LAN to the ProxySG VA. See Overview on page 1-5, for a
network diagram. Creating separate service groups allows you to segregate WAN and LAN traffic and
helps you monitor the performance of LAN and WAN traffic on your network.
Determine the WCCP capabilities that your switch or router supports. The packet forwarding and
return mechanism (L2 or GRE) that you choose for redirecting traffic between the switch or router and
the ProxySG VA must be supported on your switch or router. Refer to your switch or router
documentation for details.
Configure your router with the service groups, define the unicast or multicast addressing scheme, and
enable WCCP. For a sample router configuration, see Configure WCCP on the Router on page 4-32.
Configure WCCP on the ProxySG VA. See Configure WCCP on the ProxySG VA on page 4-32.
For more information on configuring WCCP on the ProxySG VA, refer to the WCCP Reference Guide at
https://bto.bluecoat.com/documentation/sgos-63
Step 4 Verify that your license is installed. a. Refresh your browser. (The licensing
information may not display until you
refresh the browser.)
The ProxySG VA model number displays on
the banner, in place of the Unlicensed
message.
b. Return to the Licensing configuration page.
The Type now reflects the license type:
SGOS 6 MACH5 Edition, and the Expiration
Date indicates when your license
subscription will expire (subscription-based
licenses only).
Manually Licensing the ProxySG VA
4 - 32 Initial Configuration Guide
Register and License the ProxySG VA Configure the ProxySG VA
Configure WCCP on the Router
A sample router configuration follows. Refer to your router documentation for commands that are specific
to configuring the router. In the example below, interface 0/0 is the one being used to connect to the
ProxySG VA.
Router>enable
Router#conf t
Router(config)#ip wccp version 2
Router(config)#ip wccp 10
Router(config)#ip wccp 11
Router(config)#interface gigabitethernet0/0
Router(config-if)#description ProxySG VA facing interface
Router(config-if)#ip address 192.168.16.1 255.255.255.0
Router(config-if)#exit
Router(config)#interface gigabitethernet0/1
Router(config-if)#description LAN facing interface
Router(config-if)#ip address 51.3.200.1 255.255.255.0
Router(config-if)#ip wccp 10 redirect in
Router(config-if)#exit
Router(config)#interface gigabitethernet0/2
Router(config-if)#description WAN facing interface
Router(config-if)#ip address 130.34.191.1 255.255.255.0
Router(config-if)#ip wccp 11 redirect in
Router(config-if)#exit
Router(config)#copy running-config startup-config
Configure WCCP on the ProxySG VA
On the ProxySG VA, both the LAN and the WAN ports are connected to one vSwitch, which is attached to
a physical adapter on the ESX/i Server. Because the WCCP router communicates with the ProxySG VA on
one physical link, both the LAN and the WAN ports on the ProxySG VA must be on the same subnet. You
must configure both the LAN and the WAN interfaces before enabling WCCP.
For planning the service groups in your configuration, use the empty Worksheet for Configuring
WCCP (Blank) on page A-2.
For a sample completed worksheet, see Worksheet for Configuring WCCP (Sample) on page A-3.
Use the following instructions to configure WCCP on the ProxySG VA.
Configuring WCCP for Traffic Redirection
Step 1 Access Blue Coat Sky. Enter the IP address of the ProxySG VA into the
Web browser. For example:
https://192.168.16.10:8082
Step 2 Navigate to the WCCP configuration page. Click the WCCP message in the Alerts list.
or
Select System Settings > Network > WCCP.
Initial Configuration Guide 4 - 33
Configure the ProxySG VA Register and License the ProxySG VA
Step 3 Enable WCCP. Select Enable WCCP.
Step 4 Add a new pair of interfaces for WCCP. Click Add new pair. The WCCP Configuration Pair
details display.
Configuring WCCP for Traffic Redirection (Continued)
4 - 34 Initial Configuration Guide
Register and License the ProxySG VA Configure the ProxySG VA
Step 5 Define your service groups for the LAN to WAN
and the WAN to LAN interfaces and apply the
respective service group to each interface of the
ProxySG VA.
a. Select the interface on the ProxySG VA from
the drop-down list. For example, the LAN
to WAN interface handles LAN traffic that
is redirected from the router to the ProxySG
VA. For example:
1:0 (10.9.59.65)
b. Make sure the Same for the pair check box is
selected. This selection retains identical
settings for router IP address, forwarding
and returning type configuration on both
service groups of the ProxySG VA.
c. Add the unicast address in the Home Router
IP field to establish and maintain the service
group. The home router address that you
use for a service group on the ProxySG VA
should match the IP address that the
ProxySG VA uses to communicate with the
router. The ProxySG VA and the router use
this IP address to communicate WCCP
messages with each other.
d. Select the forwarding method and returning
method: GRE (default) or L2.
Forwarding type defines the method that the
router uses to redirect traffic to the ProxySG
VA.
Returning type defines the method that the
router uses to return bypassed packets to
the ProyxSG VA. If you select GRE
forwarding, GRE returning is auto selected.
With L2 forwarding, you can select either
GRE return or L2 return.
e. Enter the Service group number for the LAN
to WAN interface; this number needs to
match what was configured on the router.
f. Enter the Service group number for the WAN
to LAN interface; this number also needs to
match the router configuration.
Step 6 (Optional) Change advanced settings if
necessary. For example, use these instructions to
change the default assignment type.
a. Click to expand the More Settings panel for
both LAN to WAN and WAN to LAN
traffic.
Make sure to leave TCP ports to redirect at
its default setting (All ports).
b. Use the help button for an explanation of
any of these settings.
Step 7 Save the settings. a. Click Commit all. (You may need to scroll up
to see the button.)
Configuring WCCP for Traffic Redirection (Continued)
Initial Configuration Guide 4 - 35
Configure the ProxySG VA Verify your Configuration
Verify your Configuration
Use the following instructions to verify that the traffic in your network is being intercepted and accelerated
as required.
Verifying WCCP Statistics and Service Group Status
Verifying Acceleration
Verifying WCCP Statistics and Service Group Status
After you configure WCCP, the WCCP router and ProxySG VA begin negotiating the capabilities that are
configured. Use the following procedure to monitor the configured service groups.
Viewing WCCP Service Group Status
Step 1 View WCCP status. a. Navigate to the System Settings > Network >
WCCP page.
b. If necessary, click the icon next to Total
pairs, to open the status panel.
Step 2 Verify WCCP status. Verify the following:
WCCP is enabled.
Each service group is in the Ready state.
The overall status is All Ready.
Messages are being sent to the router (Here I
Am sent) and received from the router (I See
You received). These statistics are updated
every minute.
If a service group state is not Ready, see "About
Service Group States" on page A-1 for
descriptions of other states.
4 - 36 Initial Configuration Guide
Verify your Configuration Configure the ProxySG VA
Verifying Acceleration
Use the steps below to verify that network connectivity is uninterrupted and intercepted traffic is being
accelerated and optimized.
Verify Performance
Step 1 Verify that the ProxySG VA is in acceleration
mode.
a. In Blue Coat Sky, select Configure >
Acceleration > Traffic Management.
b. If necessary, select Acceleration mode and
click Commit all.
Step 2 Verify that the services enabled on your
ProxySG VA are being accelerated.
Select Report > Active Sessions to view the
sessions that are being intercepted and
optimized by the ProxySG VA.
Initial Configuration Guide 4 - 37
Configure the ProxySG VA Verify your Configuration
Step 3 Verify traffic optimization. a. Click Traffic Summary.
In the Traffic Summary report, you can see which
proxies are processing traffic and how much
benefit you are getting from each proxy. The
statistical table at the bottom lists bandwidth
utilization and savings for each service or proxy.
Use the buttons at the top to switch views (Proxy
vs. Service) and to select different time periods.
b. Click Bandwidth Savings.
The Bandwidth Savings report shows you how
much bandwidth you are saving with the
ProxySG VA. By compressing data and caching
objects on the ProxySG VA, less traffic has to
travel over the WAN, resulting in significant
bandwidth savings.
Select what you want to graph:
To view bandwidth savings for a specific
service, select it from the Service
drop-down list.
To view bandwidth savings for a specific
proxy, select it from the Proxy drop-down
list.
Select All for the Service or Proxy. All
services/proxies will be included in the line
graph.
Verify Performance
4 - 38 Initial Configuration Guide
Verify your Configuration Configure the ProxySG VA
Power Off the ProxySG VA
You have completed initial configuration of the ProxySG VA; the appliance does not require rebooting or
shutting down at this time.
In the future, you will need to shut down the system before performing the following tasks:
Backing up the system
Upgrading the server software
Taking the server offline for maintenance
Migrating the ProxySG VA to a different server
Installing additional or higher-capacity drives on the ESX/i host
Adding a serial port to the ProxySG VA
Upgrading the virtual appliance model
To power the system back on, you need to use your VMware client. See "Power on the ProxySG VA" on page
3-22.
Shutting Down the ProxySG VA
Step 1 Save all configuration changes and shut down. a. In the Blue Coat Sky Configure tab, click
Commit all to save all configuration changes.
b. Click Shut down, a link on the right side of
the banner. The Shut Down ProxySG VA
dialog box displays.
c. Click Shut down to confirm.
Initial Configuration Guide 4 - 39
Configure the ProxySG VA Next Steps
Next Steps
You have completed configuring and verifying your initial configuration on the ProxySG VA. For further
information, use the context-sensitive online help in Blue Coat Sky or the Management Console. You can
also refer to the following documents at:
https://bto.bluecoat.com/documentation/sgos-63
Acceleration WebGuide is a web-based resource for setting up your ProxySG appliances for acceleration,
including conceptual information related to WAN optimization, and solutions on how to achieve
different goals: accelerating applications, improving the quality of streaming media, reducing
bandwidth usage, and optimizing users Web experience.
ProxySG Administration Guide for complete product documentation on SGOS.
WCCP Reference Guide for comprehensive information on WCCP concepts and configuration tasks.
4 - 40 Initial Configuration Guide
Next Steps Configure the ProxySG VA
Initial Configuration Guide A - 1

Appendix A: WCCP Reference
About Service Group States
The ProxySG VA maintains state information on the configured service groups. The following table lists the
state of a service group and helps you interpret the status message. Use this table to confirm that service
group is configured properly or to troubleshoot the service group error message.
State Description
Assignment mismatch The router does not support the assignment type (hash or mask) that
is configured for the service group.
Bad router id The home-router specified in the service group configuration does not
match the actual router ID.
Bad router view The ProxySG VA listed in the service group does not match the one
specified on the router.
Capability mismatch The WCCP configuration includes capabilities that the router does not
support.
Initializing WCCP was just enabled and the ProxySG VA is getting ready to send
out its first HERE_I_AM message.
Interface link is down The ProxySG VA cannot send the HERE_I_AM message because the
interface link is down.
Negotiating assignment The ProxySG VA received the I_SEE_YOU message from the router
but has not yet negotiated the service group capabilities.
Negotiating membership The ProxySG VA sent the HERE_I_AM message and is waiting for an
I_SEE_YOU message from the router.
Packet forwarding mismatch The router does not support the forwarding method (GRE or L2) that
is configured for the service group.
Packet return mismatch The router does not support the return method (GRE or L2) that is
configured for the service group.
Ready The service group formed successfully and the ProxySG VA sent the
REDIRECT_ASSIGN message to the router with the hash or mask
values table.
Service group mismatch The router and the ProxySG VA have a mismatch in port, protocol,
priority, and/or other service flags.
Security mismatch The service group passwords on the router and the ProxySG VA do
not match.
A - 2 Initial Configuration Guide
Worksheet for Configuring WCCP (Blank)
Worksheet for Configuring WCCP (Blank)
Use this worksheet for planning your WCCP deployment.
WCCP CONFIGURATION WORKSHEET (BLANK)
Service Group ID:
Router Configuration for Service Group
Router Name: ProxySG VA-Facing
Interface:
Interfaces to Redirect: Redirect Direction In Out
ProxySG VA Configuration for Service Group
ProxySG VA Interface: 1:0 (LAN to WAN) Protocol: 6 (TCP)
Ports to Redirect: All HTTP (80) HTTPS (443) CIFS (139, 445) RTSP (554) Other
Priority (0-255): 0 Home Router IP Address:
Forwarding/Return Method: GRE/GRE L2/L2
L2/GRE
Assignment Type: Hash Mask
Field to use in Assignment Type Algorithm: Source IP Dest IP Source Port Dest Port
Did you check whether settings are compatible with router hardware/software? Yes No
Service Group ID:
Router Configuration for Service Group
Router Name: ProxySG VA-Facing
Interface:
Interfaces to Redirect: Redirect Direction In Out
ProxySG VA Configuration for Service Group
ProxySG VA Interface: Protocol:
Ports to Redirect: All HTTP (80) HTTPS (443) CIFS (139, 445) RTSP (554) Other
Priority (0-255): Home Router IP Address:
Forwarding/Return Method: GRE/GRE L2/L2
L2/GRE
Assignment Type: Hash Mask
Field to use in Assignment Type Algorithm: Source IP Dest IP Source Port Dest Port
Did you check whether settings are compatible with router hardware/software? Yes No
Initial Configuration Guide A - 3
Worksheet for Configuring WCCP (Sample)
Worksheet for Configuring WCCP (Sample)
This sample reference worksheet has been filled in for your reference.
WCCP CONFIGURATION WORKSHEET (SAMPLE)
Service Group ID: 10
Router Configuration for Service Group
Router Name: ABC ProxySG VA-Facing
Interface:
GigE 0/0
Interfaces to Redirect: GigE 0/1 Redirect Direction In Out
ProxySG VA Configuration for Service Group
ProxySG VA Interface: 1:0 (LAN to WAN) Protocol: TCP
Ports to Redirect: All HTTP (80) HTTPS (443) CIFS (139, 445) RTSP (554) Other
Priority (0-255): 1 Home Router IP Address: 192.168.16.1
Forwarding/Return Method: GRE/GRE L2/L2
L2/GRE
Assignment Type: Hash Mask
Field to use in Assignment Type Algorithm: Source IP Dest IP Source Port Dest Port
Did you check whether settings are compatible with router hardware/software? Yes No
Service Group ID: 11
Router Configuration for Service Group
Router Name: ABC ProxySG VA-Facing
Interface:
GigE 0/0
Interfaces to Redirect: GigE 0/2 Redirect Direction In Out
ProxySG VA Configuration for Service Group
ProxySG VA Interface: 0:0 (WAN to LAN) Protocol: TCP
Ports to Redirect: All HTTP (80) HTTPS (443) CIFS (139, 445) RTSP (554) Other
Priority (0-255): 1 Home Router IP Address: 192.168.16.1
Forwarding/Return Method: GRE/GRE L2/L2
L2/GRE
Assignment Type: Hash Mask
Field to use in Assignment Type Algorithm: Source IP Dest IP Source Port Dest Port
Did you check whether settings are compatible with router hardware/software? Yes No
A - 4 Initial Configuration Guide
Worksheet for Configuring WCCP (Sample)
Initial Configuration Guide B - 1

Appendix B: Upgrading the SGOS
As new SGOS versions are released, you might choose to upgrade your ProxySG VA. Keep the following in
mind:
You must have a valid, unexpired license to upgrade your virtual appliance software. If you have a
subscription-based license that has expired, you need to renew your subscription with Blue Coat
Systems before you can upgrade the software. If you have a perpetual license, you need to have a valid
Blue Coat support contract to upgrade the SGOS software.
The procedure for upgrading the software on a virtual appliance is the same as for upgrading a physical
appliance. See the Blue Coat SGOS 6.3.x Release Notes for details.
When selecting the image to download, you select ESX, instead of a hardware model.
All ProxySG VA models use the same image; in other words, there are not separate image files for each
ProxySG VA model (VA-5, VA-10, and so forth).
When upgrading the software, you do not need to download and install a Virtual Appliance Package
(VAP). VAPs are used for initial configuration only.
B - 2 Initial Configuration Guide

You might also like