Bluecoat-Proxyswg-6.5.7.6 Opentouchr2.1 Iwr Ed01

Alcatel-Lucent Application Partner Program
Inter-Working Report
Partner: Blue Coat
Application type: Reverse Proxy
Application name: ProxySWG Virtual Appliance
Alcatel-Lucent Enterprise Platform: OpenTouch
The product and release listed have been tested with the Alcatel-Lucent Enterprise Communication Platform and the
release specified hereinafter. The tests concern only the inter-working between the AAPP members product and the
Alcatel-Lucent Enterprise Communication Platform. The inter-working report is valid until the AAPP members product
issues a new major release of such product (incorporating new features or functionality), or until ALE International issues a
new major release of such Alcatel-Lucent Enterprise product (incorporating new features or functionalities), whichever first
occurs.
ALE INTERNATIONAL MAKES NO REPRESENTATIONS, WARRANTIES OR CONDITIONS WITH RESPECT TO THE
APPLICATION PARTNER PRODUCT. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, ALE
INTERNATIONAL HEREBY EXPRESSLY DISCLAIMS ANY AND ALL REPRESENTATIONS, WARRANTIES OR
CONDITIONS OF ANY NATURE WHATSOEVER AS TO THE AAPP MEMBERS PRODUCT INCLUDING WITHOUT
LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON INFRINGEMENT OR FITNESS FOR A
PARTICULAR PURPOSE AND ALE INTERNATIONAL FURTHER SHALL HAVE NO LIABILITY TO AAPP MEMBER OR
ANY OTHER PARTY ARISING FROM OR RELATED IN ANY MANNER TO THIS CERTIFICATE.
Alcatel-Lucent Application Partner Program Inter-working report

Copyright 2015 ALE International 2015
- Edition 1 - page 1/71
Certification overview
Date of certification
September 2015
ALE International representative

AAPP member representative
Alcatel-Lucent Enterprise
Communication Platform
Alcatel-Lucent Enterprise
Communication Platform Release
AAPP member application version
Application Category
Author(s):
Reviewer(s):
Florian Residori
Claire Dechrist
Jana Whitcomb
OpenTouch BE/MS
OT 2.1 (2.1.000.093)
ProxySG V100, SGOS
6.5.7.6 SWG Edition
Security
Gateway
Collaboration & UC
Florian Residori, Claire Dechrist

Lienhart Denis, Himmi Rachid
Revision History
Edition 1: creation of the document September 2015
Test results
Passed
Refused
Postponed
Passed with restrictions
Refer to the section 0 for a summary of the test results.
IWR validity extension

None

AAPP Member Contact Information
Contact name:
Title:
Jana Whitcomb
Managing Director, Global Service Providers
Address:
Zip Code:
City:
Country:
Phone:
Fax:
Mobile Phone:
+1 206-799-2726
Web site:
Email address:
www.bluecoat.com
[email protected]

TABLE OF CONTENTS
1 INTRODUCTION ......................................................................................................................................... 6
1.1 GLOSSARY .................................................................................................................................................. 7
2 VALIDITY OF THE INTERWORKING REPORT .................................................................................. 8
3 LIMITS OF TECHNICAL SUPPORT ........................................................................................................ 9
3.1 CASE OF ADDITIONAL THIRD PARTY APPLICATIONS ................................................................................... 9
4 SUMMARY OF TEST RESULTS ............................................................................................................. 10
4.1 SUMMARY OF THE MAIN FEATURES TESTED................................................................................................. 10
4.2 SUMMARY OF PROBLEMS ........................................................................................................................... 11
4.3 SUMMARY OF LIMITATIONS........................................................................................................................ 11
4.4 NOTES, REMARKS ..................................................................................................................................... 11
5 APPLICATION INFORMATION ............................................................................................................. 12
6 TEST ENVIRONMENT ............................................................................................................................. 14
6.1 TESTS PERFORMED ................................................................................................................................... 14
6.2 GENERAL ARCHITECTURE .......................................................................................................................... 15
6.3 HARDWARE CONFIGURATION ..................................................................................................................... 16
6.4 SOFTWARE CONFIGURATION...................................................................................................................... 16
6.4.1 Alcatel-Lucent EnterpriseCommunication Platform OT ........................................................... 16
6.4.2 Partner Application ....................................................................................................................... 16
7 TEST RESULT TEMPLATE ..................................................................................................................... 17
8 TEST RESULTS .......................................................................................................................................... 18
8.1 CLIENT INITIALIZATION AND AUTHENTICATION .......................................................................................... 18
8.2 OUTGOING CALLS ..................................................................................................................................... 19
8.3 INCOMING CALLS ...................................................................................................................................... 20
8.4 FEATURES DURING CONVERSATION ............................................................................................................ 21
8.5 WEB SERVICES ......................................................................................................................................... 23
8.6 MYTEAMWORK SERVICES ........................................................................................................................... 24
9 APPENDIX A: AAPP MEMBERS APPLICATION DESCRIPTION .................................................. 25
9.1 SECURE WEB GATEWAY WITH THE FLEXIBILITY OF VIRTUALIZATION .............................. 25
10 APPENDIX B: CONFIGURATION REQUIREMENTS OF THE AAPP MEMBERS
APPLICATION .............................................................................................................................................. 27
10.1 IMPORTING A ROOT CA CERTIFICATE ..................................................................................................... 28
10.2 CREATING CERTIFICATE LIST .................................................................................................................. 30
10.3 CREATING A PROXYSG CERTIFICATE ....................................................................................................... 31
10.3.1 Creating ProxySG keyring ......................................................................................................... 31
10.3.2 Creating a Certificate Signing Request .................................................................................... 32
10.3.3 Importing your certificate ......................................................................................................... 33
10.4 CREATING THE PROXY SERVICES ............................................................................................................. 34
10.5 CREATING HTTPS 443 PROXY SERVICE ................................................................................................. 35
10.5.1 Creating HTTPS 443 Proxy Service for LDAP based authentication ............................................ 35
10.5.2 Creating HTTPS 443 Proxy Service for certificate based authentication ...................................... 37
10.6 CREATING HTTPS 8016 PROXY SERVICE ............................................................................................... 39
10.7 CREATING THE FORWARDING HOSTS ...................................................................................................... 41
10.7.1 Host1: OT_443 ........................................................................................................................... 42
10.7.2 Host2: OT_8016 ......................................................................................................................... 43
10.8 CONFIGURING CLIENT EXTERNAL AUTHENTICATION .............................................................................. 44
10.8.1 Configuring LDAP external authentication ................................................................................... 44
10.8.2 Configuring Certificate authentication .......................................................................................... 48
10.9 CREATING POLICY .................................................................................................................................. 52
10.9.1
10.9.2
10.9.3
10.9.4
10.9.5
Configuring the Forwarding Layer ........................................................................................... 53

Configuring the Web Authentication Layer ............................................................................ 59
Configuring the SSL Access Layer ............................................................................................ 61
Configuring the CPL Layer ........................................................................................................ 62
Installing the Policy .................................................................................................................... 62
11 APPENDIX C: ALCATEL-LUCENT ENTERPRISE COMMUNICATION PLATFORM:

CONFIGURATION REQUIREMENTS ...................................................................................................... 63
11.1 OT REVERSE PROXY CONFIGURATION ...................................................................................................... 63
11.2 OT SBC CONFIGURATION ....................................................................................................................... 64
12 APPENDIX D: AAPP MEMBERS ESCALATION PROCESS ........................................................... 65
13 APPENDIX E: AAPP PROGRAM .......................................................................................................... 66
13.1 ALCATEL-LUCENT APPLICATION PARTNER PROGRAM (AAPP) ............................................................. 66
13.2 ENTERPRISE.ALCATEL-LUCENT.COM..................................................................................................... 67
14 APPENDIX F: AAPP ESCALATION PROCESS .................................................................................. 68
14.1 INTRODUCTION ...................................................................................................................................... 68
14.2 ESCALATION IN CASE OF A VALID INTER-WORKING REPORT ................................................................. 69
14.3 ESCALATION IN ALL OTHER CASES ......................................................................................................... 70
14.4 TECHNICAL SUPPORT ACCESS ................................................................................................................ 71

1 Introduction
This document is the result of the certification tests performed between the AAPP members
application and Alcatel-Lucent Enterprises platform.
It certifies proper inter-working with the AAPP members application.
Information contained in this document is believed to be accurate and reliable at the time of printing.
However, due to ongoing product improvements and revisions, ALE International cannot guarantee
accuracy of printed material after the date of certification nor can it accept responsibility for errors or
omissions. Updates to this document can be viewed on:
-
the Technical Support page of the Enterprise Business Portal

(https://businessportal.alcatel-lucent.com) in the Application Partner Interworking Reports
corner (restricted to Business Partners)
the Application Partner portal (https://applicationpartner.alcatel-lucent.com) with free

access.

1.1 Glossary
API
Application Public Interface
AAA
Authentication, Authorization and Accounting
CA
Certificate Authority. It is part of a PKI. It issues and verifies digital certificates.
DMS
Device Management Server
CSR
Certificate Signing Request. This is file generated by a server to get signed by a
CA which will deliver a signed certificate.
DN
Distinguished Name
DNS
Domain Name System. Server that translates FQDN into IP addresses.
EVS
Event server
FQDN
Fully Qualified Domain Name. A domain name that specifies its exact location in
the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels,
including the top-level domain, relative to the root domain. Ex: myhost.mydomain.com
IM
LDAP
Lightweight Directory Access Protocol. This is a directory that can be used as an
authentication server.
OTES
Opentouch Edge Server
PLMN
Public Land Mobile Network
PKI
Public Key Infrastructure. It provides digital certificates that can identify an
individual or an organization and directory services that can store and, when necessary,
revoke the certificates.
RADIUS Remote Authentication Dial In User Service. This is an Authentication Server.
RP
Reverse Proxy
SBC
Session Border Controller
SSL TLS
Transport Layer Security (formerly Secure Socket Layer). It allows
client/server applications to communicate across a network in a way designed to prevent
eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and
communications confidentiality over the Internet using cryptography.
Instant Messaging

2 Validity of the InterWorking Report

This InterWorking report specifies the products and releases which have been certified.
This inter-working report is valid unless specified until the AAPP member issues a new major
release of such product (incorporating new features or functionalities), or until ALE International
issues a new major release of such Alcatel-Lucent Enterprise product (incorporating new features
or functionalities), whichever first occurs.
A new release is identified as following:
a Major Release is any x. enumerated release. Example Product 1.0 is a major product
release.
a Minor Release is any x.y enumerated release. Example Product 1.1 is a minor product
release
The validity of the InterWorking report can be extended to upper major releases, if for example the
interface didnt evolve, or to other products of the same family range. Please refer to the IWR
validity extension chapter at the beginning of the report.
Note: The InterWorking report becomes automatically obsolete when the mentioned product
releases are end of life.

3 Limits of Technical support

For certified AAPP applications, Technical support will be provided within the scope of the features
which have been certified in the InterWorking report. The scope is defined by the InterWorking
report via the tests cases which have been performed, the conditions and the perimeter of the
testing and identified limitations. All those details are documented in the IWR. The Business Partner
must verify an InterWorking Report (see above Validity of the InterWorking Report) is valid and that
the deployment follows all recommendations and prerequisites described in the InterWorking
Report.
The certification does not verify the functional achievement of the AAPP members application as
well as it does not cover load capacity checks, race conditions and generally speaking any real
customer's site conditions.
Any possible issue will require first to be addressed and analyzed by the AAPP member before
being escalated to ALE International. Access to technical support by the Business Partner requires
a valid ALE maintenance contract
rd
For details on all cases (3 party application certified or not, request outside the scope of this IWR,
etc.), please refer to Appendix F AAPP Escalation Process.
3.1 Case of additional Third party applications

In case at a customer site an additional third party application NOT provided by ALE International is
included in the solution between the certified Alcatel-Lucent Enterprise and AAPP member products
such as a Session Border Controller or a firewall for example, ALE International will consider that
situation as to that where no IWR exists. ALE International will handle this situation accordingly (for
more details, please refer to Appendix F AAPP Escalation Process).

4 Summary of test results

4.1 Summary of the main features tested
Note: only the features, which interact with the ALU solution, are mentioned here.
Feature
N/A
OK
OK
But
NOK
Application initialization and authentication

Start and stop phase
Authentication on RP using LDAP
Authentication on RP using client certificate
Erreur ! Source du renvoi introuvable.
Local call
External call
2nd outgoing call
Local callErreur ! Source du renvoi introuvable.
External call
2nd incoming call
Back and forth
Push/Get call (Transfer to another users device)
Transfer
Web Services
Event notification
Directory search
Routing profile modification
My teamwork services
IM
Whiteboard

4.2 Summary of problems

OT problems:
o None
Blue Coat problems:
o None
4.3 Summary of limitations

OT limitations:
o OTCv PC, OTCt PC, OTCv Ipad are mono-line applications: no second call, no transfer, hold
not available
o OTCv PC, OTCt PC, OTCv Android tablet : client authentication using certificate is not yet
available
o OTCv Android smartphone, OTCv iphone, OTCt PC: presentation sharing not available
Blue Coat limitations:
o LDAP and certificate based authentication cannot be activated at the same time.
4.4 Notes, remarks

It is possible to do the tests using encryption of signaling (SIP-TLS) and audio (SRTP). Using
encrypted or unencrypted signaling and media has no impact on reverse proxy.

5 Application information
Application commercial name:
Blue Coat ProxySG
Application version:
SGOS 6.5.7.6 SWG Edition
Interface type:
HTTP, HTTPS, TELNET, MSN IM...
Brief application description:
Blue Coat ProxySG appliances offer a comprehensive foundation for the Blue Coat Secure Web
Gateway solution and advanced WAN Optimization feature sets. ProxySG appliances combine highperformance hardware with Blue Coat SGOS, a custom, object-based operating system that enables
flexible policy control over content, users, applications and protocols.Blue Coat ProxySG appliances
enable enterprise customers to:
Protect internal users and networks from spyware and other attacks.
Accelerate application performance for files, email, Web, SSL, and rich media applications.
Figure 1 Global Principle
Blue Coat ProxySG Reverse Proxy Deployment

Protect GP Servers/OS while providing access to Internal Enterprise Services
Intranet Portal
Software Distribution
Secure Custom OS
Fast end user Response
Easily Manageable/Scalable Solution
SSL Termination
SSO

The following list details the Blue Coat ProxySG Reverse Proxy Deployment features that are
used for the Alcatel-Lucent solution deployment:
HTTPS Reverse Proxy service configured to associate a certificate with a public IP

Importing SSL keyrings and CA
Hostname or domain name based SSL certificates
Proxy supports portal mode optimization
HTTP basic and cookie based Authentication based on AD/LDAP or RADIUS
Powerful and flexible CPL policy
HTTP header rewriting
Cookie sharing between the different FQDN
SSL rule modification to ignore hostname mismatch
Support for split brain DNS architecture
The following diagram describes a typical redirection policy implemented on the Blue Coat ProxySG
for the Alcatel-Lucent solution.

6 Test environment
6.1 Tests performed
This document describes the tests of homeworker scenario using Blue Coat ProxySG and
Opentouch client applications in the context of OT solution
Blue Coat ProxySG has been virtualized on Vmware eSXI 5.1 environment.
Clients tested in this report are:
For OT users:
OTCV PC
OTCV iPad
OTCV iPhone
OTCV Android smartphone
OTCV Android tablet
For OXE users:
OTCT PC
OTCT iPhone
OTCT Android
OpenTouch PC clients use an internet connection on the WAN. Remote user is connected to the
enterprise network through the RP in HTTPS and to a SBC in SIP without media encryption.
OpenTouch users have several devices: at least an OTCv PC or OTCv Android smartphone and a
SIP desktop phone (8088).
The way to configure OpenTouch server, OpenTouch clients and BlueCoat ProxySG is described in
the Appendix.

6.2 General Architecture
Figure 3 Test architecture
OpenTouch clients send web requests to OT server through Blue Coat reverse proxy which forwards
the requests to the OT OpenTouch located in the trusted zone.
Users can be authenticated by the RP using LDAP authentication.
Blue Coat ProxySG Deployment:
Public fqdn: https://opentouch2.aapp-etesting.com
Public IP address: 83.206.62.68
Internal fqdn: rp.etesting.lab
Internal IP address: 10.1.2.23
Operating system: SGOS 6.5.7.6 SWG Edition
Alcatel-Lucent Enterprise Communication Platform:
IP address: 10.1.2.85
fqdn: ice2.etesting.lab
DNS: 10.1.2.15

6.3 Hardware configuration

ProxySG Blue Coat SVGA series V100
HP Proliant DL380p Gen8 hosting VMWare eSXI 5.1
Alcatel-Lucent OT:
HP Proliant DL120 G7 hosting VMWare eSXI 5.1
6.4 Software configuration

6.4.1 Alcatel-Lucent EnterpriseCommunication Platform OT
o
o
o
o
o
OT version 2.1.0.93
OTC Iphone version 2.10.23.2
OTC Android smartphone version 2.10.23.2
OTC Ipad version 2.1.052.000
OTC Android tablet version 2.1.43.3
6.4.2 Partner Application

ProxySG Platform:
SGOS 6.5.7.6 SWG Edition

7 Test Result Template

The results are presented as indicated in the example below:
Test
Case
Id
1
Test Case
N/A
OK
NOK
Comment
Test case 1
Action
Expected result
Test case 2
Action
Expected result
Test case 3
Action
Expected result
Test case 4
Action
Expected result
The application waits

for PBX timer or
phone set hangs up
Relevant only if the
CTI interface is a
direct CSTA link
No indication, no error
message
Test Case Id: a feature testing may comprise multiple steps depending on its complexity. Each
step has to be completed successfully in order to conform to the test.
Test Case: describes the test case with the detail of the main steps to be executed the and the
expected result
N/A: when checked, means the test case is not applicable in the scope of the application
OK: when checked, means the test case performs as expected
NOK: when checked, means the test case has failed. In that case, describe in the field Comment
the reason for the failure and the reference number of the issue either on ALE International side or
on AAPP member side
Comment: to be filled in with any relevant comment. Mandatory in case a test has failed especially
the reference number of the issue.

8 Test Results
In all following sections, the SIP client under test is an external user; It has been declared on the
public side of the RP.
8.1 Client initialization and authentication
Test
Case
Id
1
Test Case
N/A
OK
NOK
Comment
Application initialization
OTC client connection to the OT through
reverse proxy using HTTP basic authentication
Check OT login/password verification

Go through OTC application menus and verify that
the application is responding correctly.

reverse proxy using LDAP authentication
Check credentials validation
reverse proxy using certificate authentication
OTC
Android
Smartphone,
OTC
Ipad
Check OT login/password verification

Go through OTC application menus and verify that
the application is responding correctly.
OTCv Android Tablet,

OTC
Android
Smartphone,
OTCv
Iphone
Not supported on
OTCv/t PC, OTCv
Android Tablet
Application exit
Stop OTC client.
A
OTC user is unregistered.

8.2 Outgoing calls
Test
Case
Id
1
Test Case
N/A
OK
NOK
Comment
Internal outgoing call

Call from remote User A (OTC client) to User B
Check that the call is established

External outgoing call
External call from remote User A (OTC client)
to user B
Check that the call is correctly established
Second outgoing call
Call from remote User A (OTC client) to User B

Call from remote User A (OTC client) to User C
Check that the 2nd call is correctly established

OTCv/t PC: Not

possible to make a
second call, the
application is not
multi-line
OTCv ipad, OTCv
Android Tablet, OTCv
ipad: Not possible to
make a second call,
the application is not
multi-line, but it is
possible dial a number
to start a conference
OTC Android
smartphone, OTCv
iphone
8.3 Incoming calls
Test
Case
Id
1
Test Case
N/A
OK
NOK
Comment
Internal incoming call

Internal call from User B to User A (OTC
client)
Check that the call is correctly presented and

established
External incoming call
External call from User B to User A (OTC
client)
Check that the call is correctly presented and is

correctly established
Second incoming call
Call from User B to User A (OTC client)
Call from User C to User A (OTC client)
Check that the 2nd call is correctly presented and is

correctly established

Not possible to
receive a second call.
The 2nd call is routed
to the other users
devices or to the voice
mail.
8.4 Features during conversation

Test
Case
Id
1
Test Case
Verify the music on hold is played

Verify you can resume the call by clicking on it
again.
User B must be put on hold.

Check that you can retrieve User B.
User C must be on hold.
Check that you can retrieve User C.
User B must be on hold.
Comment
OTCv PC, OTCv ipad,

OTCv Android Tablet:
hold feature is not
available
OTC Android
smartphone, OTCv
iphone, OTCt PC
OTCv/t PC, OTCv

ipad, OTCv iphone,
PTCv Android Tablet:
Not possible to make
a second call, the
application is not
multi-line
OTC Android
smartphone, OTC
iphone
Transfer to another users device

(Push call/Get call)
Internal call from User B to User A (OTC

Client), establish the communication, then
OTC user transfers the call to another of his
device (OTC Phone deskphone for example)
A
NOK
Back and forth

Call from User A (OTC Client) to User B.
Establish the call.
Call from User A (OTC Client) to User C
Establish the call.
OK
Hold/Resume
Call from User A (OTC Client) to User B and
establish the call.
Put User B on hold.
N/A
Check that the call is correctly presented to OTC

Phone and can be correctly established
From OTC Client, get the current call again.
Check that the call is correctly presented to OTC
client and can be correctly established

OTCv PC: transfer to

another device is not
available
OTC Android
smartphone, OTCv
ipad, OTC iphone,
OTCv Android Tablet
OTCt PC: It is only
possible to transfer to
one of the configured
numbers (home
phone, mobile,...).
Not possible to get
the call again.
Test
Case
Id
4
Test Case
OK
NOK
Comment
Transfer to another user
Call from User A (OTC Client) to User B.

Establish the call.
Call from User A (OTC Client) to User C
Establish the call.
Transfer User C to User B
N/A
OTCv PC , OTCv
Android Tablet: Not
possible to make a
second call, the
application is not
multi-line
OTCt PC, OTCv ipad:
the call can only be
transfered blindly to
one of the configured
numbers (home
phone, mobile,...). It
is not possible to start
a consultation call.
OTC Android, OTCv
iphone
User picture
Call from User B to User A (OTC Client)
Check that the callers picture is correctly presented

8.5 Web services
Test
Case
Id
1
Test Case
N/A
OK
NOK
Comment
Event notifications
Missed call event
From another user or station, call OTC Client
user but do not answer.
Check that the event logs show a missed call.

Check that it is propagated to other users devices.
Check the that the missed call event disappears
after consultation.
Voice mail event
User B (OTC Phone) calls User A (OTC Client)
and leaves a message.
User A can see a voice message in his events logs.

User A can listen to the voice message, and delete
it.
The voice mail event must disappear.
Directory Search (dial by name)

User A (OTC client) calls an OT user using dial
by name
Verify that dial by name feature is working.

Check that the call can be established
Routing profile modification
On User A (OTC client), change the routing

profile of the remote user
Check that that the routing modification is working.

OTCt PC: Feature not

available
8.6 Myteamwork services

Application sharing and file transfer will not be tested here as they do not use HTTP protocol.
Test
Case
Id
Test Case
IM
Check IM is possible between remote worker

and an internal user
Presention/doc sharing
Check Presention sharing session is possible

between remote worker and an internal user
N/A
OK
NOK
Comment
OTCv PC, OTCv ipad,

OTCv Android Tablet :
It is possible to share
a presentation and to
modify it
OTC Android
smartphone, OTC
iphone, OTCt PC,:
Feature not available

9 Appendix A: AAPP members Application

description
The Blue Coat ProxySG Proxy Edition of ProxySG appliances are part of Blue Coats Application
Delivery Network (ADN) infrastructure that provides complete application visibility, acceleration and
security. To support the Application Delivery Network, ProxySG delivers a scalable proxy platform
architecture to secure Web communications and accelerate the delivery of business applications.
ProxySG enables flexible policy controls over content, users, applications and protocols and is the
choice of more than 80% of the Fortune Global 500.
The following picture illustrates some functionality of the ProxySG:
9.1 SECURE WEB GATEWAY WITH THE FLEXIBILITY OF

VIRTUALIZATION
Blue Coat expands its unified security portfolio of enterprise appliances and cloud service to include
a virtual appliance for branch offices. The Blue Coat Secure Web Gateway Virtual Appliance (SWG
VA) combines the market-leading security capabilities of Blue Coat ProxySG with the flexibility of
virtualization to provide a cost-effective enterprise branch office solution. With the new Blue Coat
Secure Web Gateway Virtual Appliance, businesses can support Web security and other critical
remote office infrastructure on a common platform, reducing costs and IT resource requirements.
SWG Virtual Appliance extends the same depth of protection and control delivered by the Blue Coat
ProxySG appliances to small branch office locations with space limitations and limited IT resources.
The SWG VA is backed by the WebPulse Collaborative Defense of more than 75 million users which
delivers a Negative Day Defense through blocking of malnets. In addition, SWG VA offers all the
Blue Coat security capabilities enterprise customers expect, including a wide selection of user
authentication, granular and accurate web filtering with multi-dimensional categories and highperforming inspection of SSL traffic. These combined capabilities deliver unbeatable efficiency to
help enterprises optimize IT resources and reduce physical footprint.


10 Appendix B: Configuration requirements of the

AAPP members application
To establish the HTTPS connection, the ProxySG sends its certificate to the client on behalf of the
OT servers. The Root CA of etesting lab PKI has been used to sign Blue Coat ProxySG certificate.
The RP server also needs to have the Root Certificate that signed its own certificate. A large
number of public PKI Root Certificate as Entrust or Verify sign are already loaded into the proxy but
if you use your own PKI, you will need to import your root CA certificate.
Then, proxy services need to be created. They describe the kind of flows that are sent to the
ProxySG Reverse Proxy: the protocol and port and a number of other options.
Forwarding Hosts are the description of the backend servers to which flows are forwarded to: their
IP Address, the protocol and port used. In our cases, we need 2 Forwarding Hosts: OT_443 to call
Web Services and OT_8016 for the Event Server.
Once this is configured, policy can be created. There are three Layers for the policy:
Forwarding Layer: defines the mapping between the requests received by the ProxySG RP
and those forwarded to the backend servers.
Web Authentication Layer: defines the authentication method used at the ProxySG RP.
Web Access Layer: defines filtering/firewall rules if needed

10.1 Importing a Root CA Certificate

Open CA Certificates from the Management Console -> Configuration -> SSL -> CA Certificates
Select the CA Certificates tab. Click on Import and choose the CA Certificate to import.
Enter the CA Name (for example CA_etesting) and the paste the certificate in the CA Certificate
PEM field.


10.2 Creating Certificate List

Create a certificate list containing trusted CA certificates. In our case, we will only use etesting root
CA.

10.3 Creating a ProxySG Certificate

10.3.1 Creating ProxySG keyring
Open Keyrings from the Management Console -> Configuration -> SSL -> Keyrings
Click on Create.
Choose a Keyring Name (for example myKeyring)
Click on OK

10.3.2 Creating a Certificate Signing Request

Select your keyring and click on Edit/View
Create a Certificate Signing Request for your domain with a Common Name set to your public
reverse proxy domain.
Click on Close
Click on Apply
Reedit your Keyring.
Copy your CSR to text file and make it signed by your PKI (CA_etesting in our case).

10.3.3 Importing your certificate

Then, Click on Import and copy the signed Certificate.

10.4 Creating the Proxy Services

Open the Proxy Services from the Management Console -> Configuration -> Services -> Proxy
Services.
Create a new service group named OT_SERVICES.

10.5 Creating HTTPS 443 Proxy Service

10.5.1 Creating HTTPS 443 Proxy Service for LDAP based authentication
Create two services as follows:
Click on New
In Name: Choose HTTPS_443
In service group, you can select OT_SERVICES group
In Proxy Settings: select HTTPS Reverse Proxy
In keyring, choose myKeyring

In CA-Cert List, select CACL_etesting,
Do not check Verify client.

In Listeners, click on New
Add the IP address on which your Reverse Proxy is listening

Choose Port range: 443
And Action: Intercept

10.5.2 Creating HTTPS 443 Proxy Service for certificate based authentication
Create two services as follows:
Click on New
In Name: Choose HTTPS_443
In service group, you can select OT_SERVICES group
In Proxy Settings: select HTTPS Reverse Proxy
In keyring, choose myKeyring

In CA-Cert List, select CACL_etesting,
Check Verify client.

In Listeners, click on New
Add the IP address on which your Reverse Proxy is listening

Choose Port range: 443
And Action: Intercept

10.6 Creating HTTPS 8016 Proxy Service

Repeat this operation with HTTPS on port 8016

Once configured, services should appear in the Proxy Services as follows:

10.7 Creating the Forwarding Hosts

Create 2 Forwarding Hosts.

10.7.1 Host1: OT_443

Go to the Management Console -> Configuration -> Forwarding -> Forwarding Hosts.
Click on New
Choose an alias OT_443
For Type: select Server
For Host: enter the OT IP address
Check HTTPS and port 443
Click on OK

10.7.2 Host2: OT_8016

Go to the Management Console -> Configuration -> Forwarding -> Forwarding Hosts.
Click on New
Choose an alias OT_8016
For Type: select Server
Host: Enter the OT IP address
Check HTTPS port and port 8016
Click on OK

10.8 Configuring client external authentication

Two types of authentication can be activated for Opentouch clients on BlueCoat reverse proxy:
LDAP based authentication
Client certificate based authentication
Even both authentication methodsc an be configured BlueCoat reverse proxy, on nly one
authentication type can be activated for HTTPS reverse proxy traffic. So all Opentouch clients
configured on the same reverse proxy must share the same authentication method.
10.8.1 Configuring LDAP external authentication

Go to the Management Console -> Configuration -> Authentication -> LDAP
Go to LDAP Realms
Click on New
Choose a name like LDAP_realm.

For Primary server host: enter the name of your LDAP server.

Go to LDAP DN tab
Click on New
In Add Base DNs: type in something like: dc=etesting,dc=lab

Click on LDAP Search & Groups

Enter search user DN and password

10.8.2 Configuring Certificate authentication

Go to the Management Console -> Configuration -> Authentication -> Certificate
Go to Certificate Realms
Click on New
Choose a name like Certificate_realm.

Go to Certificate Main tab
Enter the following values:
Username : $(CN.1)
Full Username : $(CN=CN.1)

Go to Autorization tab
Enter the following values:
Autorization realm nameUsername : $(cs-username)

Go to Autorization tab
Uncheck Use persistent cookies and Verify the IP address in the cookies

10.9 Creating Policy

Go to the Management Console -> Configuration -> Policy -> Visual Policy Manager
Click on Launch

10.9.1 Configuring the Forwarding Layer

In the Forwarding Layer, one rule per kind of flow is created. It describes the action to be done by
the Reverse Proxy.
Policy>add forwarding layer:

Go to Forwarding Layer tab and create two forwarding rules:

10.9.1.1 Rule1: Forward to OT_443

Click on Add rule
Right-click on Destination
Select Set
Then New then select server URL
Name: OT_443
Check Advanced Match
Scheme: HTTPS
Host: enter the OT FQDN
Port: 443
Click on OK

Right-click on Action
Select New
Select Forwarding
Name: Forwarding_OT_443
Check Forward To:
And choose OT_443

10.9.1.2 Rule2: Forward to OT_8016

Click on Add rule
Right-click on Destination
Select Set
Then New then select server URL
Name: OT_8016
Check Advanced Match
Scheme: HTTPS
Host: enter the OT FQDN
Port: 8016
Click on OK

Right-click on Action
Select New
Select Forwarding
Name: Forwarding_OT_8016
Check Forward To:
And choose OT_8016

10.9.2 Configuring the Web Authentication Layer

10.9.2.1 Configuring the Web Authentication Layer for LDAP based authentication
method
Click on Policy in tool bar, right click on Add Web Authentication Layer --> a new Tab is
added
Name it adequately e.g. Authenticate_LDAP
While still selected, Click on Add rule
Right-click in Action row, Set
New , Authenticate object
For Realm: select LDAP_realm

For Mode: select Origin Cookie
Select OK
10.9.2.2 Configuring the Web Authentication Layer for certificate based

authentication method
Click on Policy in tool bar, right click on Add Web Authentication Layer --> a new Tab is
added
Name it adequately e.g. Authenticate_certificate
While still selected, Click on Add rule
Right-click in Action row, Set
New , Authenticate object
For Realm: select certificate_realm

For Mode: select Origin Cookie
Select OK

10.9.3 Configuring the SSL Access Layer

Click on Policy in tool bar, right click on Add SSL Access Layer --> a new Tab is added
Go to the SSL Access Layer tab
Click on Add Rule
Right-click on Destination.
Add all servers in a combined object
Click on OK.

10.9.4 Configuring the CPL Layer

10.9.4.1 Configuring the CPL Layer for LDAP based authentication method
Click on Policy in tool bar, right click on Add CPL Layer --> a new Tab is added
Enter the following text:
<Proxy> ssl.proxy_mode = https-reverse-proxy
authenticate(LDAP_Realm)
10.9.4.2 Configuring the CPL Layer for certificate based authentication method
Click on Policy in tool bar, right click on Add CPL Layer --> a new Tab is added
Enter the following text:
<Proxy> ssl.proxy_mode = https-reverse-proxy
authenticate(Certificate_Realm)
10.9.5 Installing the Policy

Once the configuration is done, you must click on Install Policy
All the policies are installed at the same time.

11 Appendix C: Alcatel-Lucent Enterprise

Communication Platform: configuration
requirements
11.1 OT reverse proxy configuration
Declare the reverse proxy and the mapping between public and private URLs of servers.
Select System services > Topology > Reverse proxy
OT is listening on 2 ports:
- 443 for web services
- 8016 for event management
API: enter the public FQDN of the OpenTouch server
EVS: enter the public FQDN of the OpenTouch server followed by the 8016 port
Number
ACS:
If there is no OTES (OpenTouch Edge Server), enter the public FQDN of the OpenTouch
server
If there is an OTES, enter the Cluster Name/FQDN
DMS (Device Management): enter the public FQDN of the OpenTouch server

11.2 OT SBC configuration

A SBC is needed for SIP signaling and audio management.
SBC declaration on user side:

12 Appendix D: AAPP members escalation

process
The URL to contact the Customer Service&Support is:
http://www.bluecoat.com/support/contactsupport
How to Contact Customer Service&Support:

Americas
Online
Support
Telephone
Support
Duty Manager
Customer
Care
Professional
Services
Training
Services
Purchase
Support
Renew
Support
K9 Web
Protection
Europe, Middle East,

Africa
Asia Pacific, Australia, NZ
BlueTouch Online: https://bto.bluecoat.com

+1 408 220 2200, +44 (0)1252 554 700
+6 03-2687-7501
option #3
Japan: +81 335808390
+1 866 362 2628,
option #1
Worldwide: +1 408-541-3700 (case escalation)
[email protected] (BlueTouch Online account login, licensing,
entitlement)
6:00AM 5:00PM
8:00AM 4:00PM
8x5, Business Days
PST
GMT+1
+1 408 220 2200,
+44 (0)1252 554 604
n/a
option #2
+1 888-946 7769,
n/a
n/a
option #2
+1 408 220-2200, EMEAProfessionalServi
+1 408 220-2200, option #1
option #1
[email protected]
Contact Blue Coat Sales or Telephone: +1 408-220-2200, option #1
Contact Blue Coat Sales (http://www.bluecoat.com/salesrep/search)
Blue coat online Registration or contact Authorized Training Centers
[email protected]
[email protected]
[email protected]
[email protected]
om
K9 Online Support or K9 Online Instant Support (Online 24x7)

13 Appendix E: AAPP program

13.1 Alcatel-Lucent Application Partner Program (AAPP)
The Application Partner Program is designed to support companies that develop communication
applications for the enterprise market, based on Alcatel-Lucent Enterprise's product family.
The program provides tools and support for developing, verifying and promoting compliant thirdparty applications that complement Alcatel-Lucent Enterprise's product family. ALE International
facilitates market access for compliant applications.
The Alcatel-Lucent Application Partner Program (AAPP) has two main objectives:
Provide easy interfacing for Alcatel-Lucent Enterprise communication products:

Alcatel-Lucent Enterprise's communication products for the enterprise market include
infrastructure elements, platforms and software suites. To ensure easy integration, the
AAPP provides a full array of standards-based application programming interfaces and
fully-documented proprietary interfaces. Together, these enable third-party applications to
benefit fully from the potential of Alcatel-Lucent Enterprise products.
Test and verify a comprehensive range of third-party applications:

to ensure proper inter-working, ALE International tests and verifies selected third-party
applications that complement its portfolio. Successful candidates, which are labelled
Alcatel-Lucent Enterprise Compliant Application, come from every area of voice and data
communications.
The Alcatel-Lucent Application Partner Program covers a wide array of third-party

applications/products designed for voice-centric and data-centric networks in the enterprise market,
including terminals, communication applications, mobility, management, security, etc.

Web site
The Application Partner Portal is a website dedicated to the AAPP program and where the
InterWorking Reports can be consulted. Its access is free at
http://applicationpartner.alcatel-lucent.com
13.2 Enterprise.Alcatel-Lucent.com
You can access the Alcatel-Lucent Enterprise website at this URL: http://www.enterprise.alcatellucent.com/

14 Appendix F: AAPP Escalation process

14.1 Introduction
The purpose of this appendix is to define the escalation process to be applied by the ALE
International Business Partners when facing a problem with the solution certified in this document.
The principle is that ALE International Technical Support will be subject to the existence of a valid
InterWorking Report within the limits defined in the chapter Limits of the Technical support.
In case technical support is granted, ALE International and the Application Partner, are engaged as
following:
(*) The Application Partner Business Partner can be a Third-Party company or the ALE
International Business Partner itself

14.2 Escalation in case of a valid Inter-Working Report

The InterWorking Report describes the test cases which have been performed, the conditions of the
testing and the observed limitations.
This defines the scope of what has been certified.
If the issue is in the scope of the IWR, both parties, ALE International and the Application Partner,
are engaged:
Case 1: the responsibility can be established 100% on ALE International side.

In that case, the problem must be escalated by the ALE Business Partner to the ALE
International Support Center using the standard process: open a ticket (eService Request
eSR)
Case 2: the responsibility can be established 100% on Application Partner side.
In that case, the problem must be escalated directly to the Application Partner by opening a
ticket through the Partner Hotline. In general, the process to be applied for the Application
Partner is described in the IWR.
Case 3: the responsibility cannot be established.
In that case the following process applies:
The Application Partner shall be contacted first by the Business Partner (responsible for
the application, see figure in previous page) for an analysis of the problem.
The ALE International Business Partner will escalate the problem to the ALE
International Support Center only if the Application Partner has demonstrated with
traces a problem on the ALE International side or if the Application Partner (not the
Business Partner) needs the involvement of ALE International
In that case, the ALE International Business Partner must provide the reference of the Case
Number on the Application Partner side. The Application Partner must provide to ALE
International the results of its investigations, traces, etc, related to this Case Number.
ALE International reserves the right to close the case opened on his side if the
investigations made on the Application Partner side are insufficient or do not exist.
Note: Known problems or remarks mentioned in the IWR will not be taken into account.
For any issue reported by a Business Partner outside the scope of the IWR, ALE International offers
the On Demand Diagnostic service where ALE International will provide 8 hours assistance
against payment .
IMPORTANT NOTE 1: The possibility to configure the Alcatel-Lucent Enterprise PBX with ACTIS
quotation tool in order to interwork with an external application is not
the guarantee of the availability and the support of the solution. The reference remains the
existence of a valid InterWorking Report.
Please check the availability of the Inter-Working Report on the AAPP (URL:
https://private.applicationpartner.alcatel-lucent.com) or Enterprise Business Portal (Url: Enterprise
Business Portal) web sites.
IMPORTANT NOTE 2: Involvement of the ALE International Business Partner is mandatory, the
access to the Alcatel-Lucent Enterprise platform (remote access, login/password) being the
Business Partner responsibility.

14.3 Escalation in all other cases

For non-certified AAPP applications, no valid InterWorking Report is available and the integrator is
expected to troubleshoot the issue. If the ALE Business Partner finds out the reported issue is
maybe due to one of the Alcatel-Lucent Enterprise solutions, the ALE Business Partner opens a
ticket with ALE International Support and shares all trouble shooting information and conclusions
that shows a need for ALE International to analyze.
Access to technical support requires a valid ALE maintenance contract and the most recent
maintenance software revision deployed on site. The resolution of those non-AAPP solutions cases
is based on best effort and there is no commitment to fix or enhance the licensed Alcatel-Lucent
Enterprise software.
For information, for non-certified AAPP applications and if the ALE Business Partner is not able to
find out the issues, ALE International offers an On Demand Diagnostic service where assistance
will be provided for a fee.

14.4 Technical support access

The ALE International Support Center is open 24 hours a day; 7 days a week:
e-Support from the Application Partner Web site (if registered Alcatel-Lucent Application
Partner): http://applicationpartner.alcatel-lucent.com
e-Support from the ALE International Business Partners Web site (if registered AlcatelLucent Enterprise Business Partners): https://businessportal.alcatel-lucent.com click under
Contact us the eService Request link
e-mail: [email protected]
Fax number: +33(0)3 69 20 85 85
Telephone numbers:
ALE International Business Partners Support Center for countries:
Country
Supported language
Toll free number
France
Belgium
French
Luxembourg
Germany
Austria
German
Switzerland
United Kingdom
Italy
Australia
Denmark
Ireland
Netherlands
+800-00200100
South Africa
Norway
Poland
English
Sweden
Czech Republic
Estonia
Finland
Greece
Slovakia
Portugal
Spain
For other countries:
English answer:
French answer:
German answer:
Spanish answer:
Spanish
+ 1 650 385 2193

+ 1 650 385 2196
+ 1 650 385 2197
+ 1 650 385 2198
END OF DOCUMENT

Bluecoat-Proxyswg-6.5.7.6 Opentouchr2.1 Iwr Ed01

Uploaded by

Copyright:

Available Formats

Bluecoat-Proxyswg-6.5.7.6 Opentouchr2.1 Iwr Ed01

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bluecoat-Proxyswg-6.5.7.6 Opentouchr2.1 Iwr Ed01

Uploaded by

Copyright:

Available Formats

Alcatel-Lucent Application Partner Program

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 1/71

ALE International representative

Florian Residori, Claire Dechrist

Passed with restrictions

Refer to the section 0 for a summary of the test results.

IWR validity extension

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 2/71

AAPP Member Contact Information

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 3/71

- Edition 1 - page 4/71

Configuring the Forwarding Layer ........................................................................................... 53

11 APPENDIX C: ALCATEL-LUCENT ENTERPRISE COMMUNICATION PLATFORM:

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 5/71

the Technical Support page of the Enterprise Business Portal

the Application Partner portal (https://applicationpartner.alcatel-lucent.com) with free

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 6/71

Application Public Interface

Authentication, Authorization and Accounting

Certificate Authority. It is part of a PKI. It issues and verifies digital certificates.

Device Management Server

Domain Name System. Server that translates FQDN into IP addresses.

Opentouch Edge Server

Public Land Mobile Network

RADIUS Remote Authentication Dial In User Service. This is an Authentication Server.

Session Border Controller

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 7/71

2 Validity of the InterWorking Report

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 8/71

3 Limits of Technical support

3.1 Case of additional Third party applications

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 9/71

4 Summary of test results

Application initialization and authentication

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 10/71

4.2 Summary of problems

4.3 Summary of limitations

4.4 Notes, remarks

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 11/71

Blue Coat ProxySG

SGOS 6.5.7.6 SWG Edition

HTTP, HTTPS, TELNET, MSN IM...

Brief application description:

Figure 1 Global Principle

Blue Coat ProxySG Reverse Proxy Deployment

Alcatel-Lucent Application Partner Program Inter-working report

- Edition 1 - page 12/71

HTTPS Reverse Proxy service configured to associate a certificate with a public IP

Alcatel-Lucent Application Partner Program Inter-working report