Blue Coat Systems Proxy SG Bedienungsanleitung

Blue Coat Systems TM Pro xy SG Content P olicy Language Guide Content P olicy Language Guide[...]

Proxy SG Content Policy Language Guide 2 Blue Coat Systems Inc. (408) 220-2200 V oice 650 Almanor A venue (408) 220-2250 F AX Sunnyvale, California 94086 (866) 302-2628 T echnical Support (866) 362-2628 info@bluecoat.com www .bluecoat.com Copyright (c) 2002, 2003 Blue Co at Systems, Inc. All rights reserved worldwide. No part of this document m ay [...]

Copyrights 3 THIRD P ARTY COPYRIGHT NO TICE S Blue Coat Systems, Inc. Security Gateway Operating System (SGO S) version 3 utilizes third party software fr om various sources. Portions of this software ar e copyrighted by their respective owne rs as indicated in the copyright notices below . The following lists the copyright notices for: BPF Copyrig[...]

Proxy SG Content Policy Language Guide 4 Redistribution and use of this software and associated document ation ("Software"), with or without modification, ar e permitted provided that the following conditions are met: 1. Redistributions of so urce code must retain copyright statements and notices, 2. Redistributions in binary form must re[...]

Copyrights 5 A F AILURE OF THE PROGRAM TO OPERA TE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER O R OTHER P ARTY HAS BEEN ADVISED OF THE POSSI BILITY OF SUCH DAMAGES. 2) The 32-bit CRC compensation attack de tector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license. Cryptographic attack detector for ssh - sour ce code Copyrig[...]

Proxy SG Content Policy Language Guide 6 2. Redistributions in binary form must reproduce the above copy right notice, this list of condit ions and the following disclaim er in the documentation and/or other materials provided with the distribution. THIS SOFTW ARE IS PROVIDED BY THE AU THOR ``AS IS'' AND ANY EX PRESS OR IMPLIED W ARRANTIE[...]

Copyrights 7 This produc t includes cryptographic softwar e written by Eric Y o ung (eay@c ryptsoft .com). This pr oduct includes software written by T im Hudson (tjh@cr yptsoft.c om). PCRE Copyright (c) 1997-2001 University of Cambridge University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. W ritten by: P hilip Haze[...]

Proxy SG Content Policy Language Guide 8 documentation. Moscow Center for SP ARC T e chnology makes no repr esentations about the suitability of this software for any purpos e. It is provided "as is" without express or implied warranty . SmartFilter Copyright (c) 2003 Secure Computing Corporation. All rights reserved. SurfControl Copyrigh[...]

Pref ace: Introducing the Content P o licy Language The Content Policy Language (CPL) is a powerful, flexible language that enables you to specify a variety of W eb-access policies. Proxy SG policy is written in CPL, and ever y W e b request is evaluated based on the installed policy . The language is designed so that policies can be customiz ed to[...]

Proxy SG Content Policy Language Guide x Suppor ted Bro wsers The Proxy SG Management Console supports Micr osoft ® Internet Explorer 5 and 6, and Netscape ® Communicator 4. 78, 6.2, and 7.1. The Management Console uses the Java Runtime En vironment. All br owsers come with a default, built-in JRE, and you should us e this default JRE rather than[...]

Contents Preface: Introducing t he Content Policy Language About the Document Organization ............ .................... .................... ................... .................... ..... ............... ..ix Supported Browsers .................. .................... .................... .................... ................... ............ ..[...]

Proxy SG Content Policy Language Guide xii <Forward> Layers ..................... ................. ................... .................... .................... .............. ........ ............. 39 <Proxy> Layers ...... .................... ................... .................... .................... .................... ........ [...]

Contents xiii http.method= ............ .................... ................... .................... ................. .................... ....... ............ ............. 79 http.request.version= ............. .................... ................... .................... ................. ................. ... .................. 8 0 http.respo[...]

Proxy SG Content Policy Language Guide xiv server_url= .......... .................... .................... ................. ................... .................... .......... ............. ............. 125 socks= .............. ................ .................... .................... .................... ................... ............ .....[...]

Contents xv force_cache( ) ................. .................... .................... .................... ................... ................. .................... ..... 180 force_deny( )................. ................... ................. .................... .................... .................... . ..................... ..... 181 force_e[...]

Proxy SG Content Policy Language Guide xvi trace.request( ) ........................ ................. .................... ................... .................... .......... ....... ................... 223 trace.rules( ) ...................... .................... .................... ................. ................... .............. ... .....[...]

Contents xvii Appendix B: T esting and Troubleshooting Enabling Rule Tracing ................... .................... .................... .................... ................... ........ ............ ..... 275 Enabling Request Tracing ........... ................... .................... .................... .................... ............. ....[...]

Proxy SG Content Policy Language Guide xviii[...]

Chapter 1: Ov er view of Content P olicy Language The Content Policy Language (CPL) is a programming langu age with its own concepts and rules that you must follow . This chapter pr ovides an overview of CPL, including the following topics: • "Concepts" • "CPL Language Basics" • "W riting Policy Using CP L" • &[...]

Proxy SG Content Policy Language Guide 20 This provides the abi lity to test various aspects of a re quest, such as the IP address of the client and the URL used, or the response, such as th e contents of any HTTP headers. • Ensures policy integ rity during processing. The lifetime of a transaction may be rel atively long, especially if a large o[...]

Chapter 1: Overview of Content Policy Language 21 For new Proxy SG appliances, the default is to deny all requests . For Proxy SG appliances being upgraded fr om 4.x, the default is to allo w all requests. In ei ther case, the P roxy SG can be configured for either default. The default setti ng is displayed in policy listing s. The proper appr oach[...]

Proxy SG Content Policy Language Guide 22 W ith a few notable exceptions, trigge rs te st on e as pe c t o f re qu e st, re sponse, or associated state against a boolean expression of values. For the conditions in a rule, each of the triggers is logically anded together . In other words, the condition is only true if each one of the trigger express[...]

Chapter 1: Overview of Content Policy Language 23 • More complex boolean expressions ar e allowed for the pattern_expres sion in the triggers. For example, the second part of the condition in the simple rule shown above could be “the request is made between 9 a.m. and noon or between 1 p.m. and 5 p.m”, expressed as: ... time=(0900..1200 || 13[...]

Proxy SG Content Policy Language Guide 24 La y ers A policy layer is a CPL construct used to evaluate a set of rules and reach one decision. Separating decisions helps contr ol policy complexi ty , and is do ne through writing each decision in a separate layer . Each layer has the form: < layer_type [ label ] > [ layer_condition ][ l ayer_pro[...]

Chapter 1: Overview of Content Policy Language 25 [ section_type [ label ]] [ section_condition ][ sect ion_properties ] section_content where: • The section_type defines the syn tax of the rules used in the se ction, and the evaluation strategy used to evaluate those rules. The square brackets [ ] surrounding the section name (and optional label[...]

Proxy SG Content Policy Language Guide 26 Named Definitions There ar e various types of named definitions. Each defi nition is given a user defined name that is then used in rules to refer to the definition. This sectio n highlights a few of the definition types, as an overview of the topic. Refer to the Definitions refer ence chapter for more deta[...]

Chapter 1: Overview of Content Policy Language 27 policy that does not requir e the realm. Once all outs tanding transactions that r equir ed refer ence to the realm have completed, the realm can be removed fr om configuration. Substitutions The actions used to r ewrite the URL request or to modify HTTP request he aders or HTTP r esponse headers of[...]

Proxy SG Content Policy Language Guide 28 A uthentication and Denial One of the most important timing relationships to be awar e of is the relation between authentication and denial. Denial can be done eithe r before or af ter authentication, and dif f erent or ganizations have diffe rent requir ements. For example, suppose an organization r equire[...]

Chapter 1: Overview of Content Policy Language 29 <Proxy> client.address=!corporate_subnet deny ; filter out strangers socks.authenticate(MyRealm) ; this happe ns earlier than the category test <Proxy> ; user names be displayed in the access log for the denied requests category=Gambling exception(content_filt er_denied) Note that t his [...]

Proxy SG Content Policy Language Guide 30 T roub leshooting P olicy When installed policy does not behave as expected, use policy tracing to understand the behavior of the installed policy . T racing r ecords additional information about a transa ction and re-evaluates the transaction when it is terminated; however , it does not show the timing of [...]

Chapter 1: Overview of Content Policy Language 31 Conditional Compilation Occasionally , y ou might be requir ed to maintain poli cy that can be applied to appliances running diffe rent versions of SGOS and requiring dif ferent CPL . CPL provides the foll owing conditional compilation dir ective that tes ts the SGOS version (suc h as 2.1.06): relea[...]

Proxy SG Content Policy Language Guide 32[...]

Chapter 2: Managing Content P olicy Language As discussed in Chapter 1, Content Policy Language policies are composed of transactions that are placed into rules and tested against various conditions. This chapter discusses the followi ng: • "Understanding T ransactions and T iming" • "Understanding Layers" • "Understa[...]

Proxy SG Content Policy Language Guide 34 Each of the protocol-specific pr oxy transact ions has specific information that can be tested—informati on that may not be available fr om or relevant to othe r protocols. HTTP Headers and Instant Messaging buddy names ar e two exam ples of protocol-specific information. Other key differ entiators among [...]

Chapter 2: Managing Content Policy Language 35 Some conditions cannot be evaluated during th e first stage; for example, the user and group information will not be known until stage two. Likewise, the response headers and MIME type are unavailable for testing until stage three. For conditions, this is known as the earliest available time . Policy d[...]

Proxy SG Content Policy Language Guide 36 An HTTP cache transaction is examined in two stages: • Before the object is retrieved from the origin s erver . • After the object is retrieved. F orwarding T r ansactions A forwar ding transaction is cr eated when th e Proxy SG needs to evaluate forwarding policy befor e accessing a remote host and no [...]

Chapter 2: Managing Content Policy Language 37 But policy cannot determine th e value of the Conten t-type re sponse header until the response is returned. The Pr oxy SG ca nnot contact the server to get the response until pol icy determines what hosts or gateways to route thr ough to get th ere. In othe r words, policy must s et the forward() prop[...]

Proxy SG Content Policy Language Guide 38 • The optional admin_properties is a list of properties set if an y of the rules in the layer match. These act as defaults, and can be overridden by prop erty settings in specific rules in the layer . For more informatio n on using properties, see Chapter 4: " Property Refer ence". See also the [...]

Chapter 2: Managing Content Policy Language 39 <Exception> La y ers <Exception> layers ar e evaluated when a proxy transaction is terminated by an exception. This could be caused by a bad r equest (for example, the r equ est URL names a non-existent server) or by setting the deny or exception() pr operties in policy . Policy in an excep[...]

Proxy SG Content Policy Language Guide 40 <Pro xy> La y ers <Proxy> layers define policy for authenticating and auth orizing users’ requests for service over one of the configur ed proxy service ports (r efer to Chapter 6:”Managing Port Services” in the Pr oxy SG Configuration and Management Guide .). Proxy layer policy inv olves [...]

Chapter 2: Managing Content Policy Language 41 Timing The “late guards early” timing errors that can occu r wi thin a rule can ar ise across r ules in a layer . When a trigger cannot yet be evaluated, policy also has to postpone evaluating all following r ules in that layer (since if the trigger turns out to be true and the rule matches, then e[...]

Proxy SG Content Policy Language Guide 42 url.domain=nbc.com/athletics deny ; etc, suppose it's a substantial list url.regex="sports|athletics" access_serv er(no) url.regex=".mail." deny ; etc url=www.bluecoat.com/internal group=!blu ecoat_employees deny url=www.bluecoat.com/proteus group=!blue coat_development deny ; etc[...]

Chapter 2: Managing Content Policy Language 43 • Rules in [Rule] s ections are evaluated sequentially , top to bottom. The time taken is pr oportional to the number of rules in the sec tion. • [Rule] sections can be used in any la yer . [url] The [url] section type is used to group a number of rules that test the URL. The [url] section restrict[...]

Proxy SG Content Policy Language Guide 44 • [server_url.domain] sections ar e allowed only in <Exception> or <Forward> layers. Section Guards Just as you can with layers, you can impr ove policy clarity and maintainability by gr ouping rules into sections and converting the common conditions and properties into guard expressions that [...]

Chapter 2: Managing Content Policy Language 45 • Do not mix the CacheOS 4. x filter-file syntax with CPL syntax. Although the Content Polic y Language is backwa rd-compatible with the filter -file syntax, avoid using the older syntax with the new . For example, as the filter-file syntax uses a differ ent order of evaluation, mixing the old and ne[...]

Proxy SG Content Policy Language Guide 46 The following example is an exception defined wi thin a layer . A company wants access to payroll information limited to Human Resou rces staf f on ly . The administrator uses membership in the HR_staff gr oup to define the exception for HR staff, foll owed by the general policy: <Proxy> ; Blue Coat u[...]

Chapter 2: Managing Content Policy Language 47 evaluation or der as currently configur ed. Changes to the policy file evaluation order must be managed with great car e. Remember that pr operties maintain any setting unless overridden later in th e file, so you could implement general poli cy in early layers by setting a wi de number of propertie s,[...]

Proxy SG Content Policy Language Guide 48 Best Practices • Express s eparate decisions in separate layer s. As policy gr ows and becomes more complex, mainten ance becomes a significant issue. Maintenance will be easier if the logic for each aspect of policy is separate and distinct. T ry to make policy decisions as independent as po ssible, and [...]

Chapter 3: Condition Ref erence A condition is an express ion that yields true or fals e when evaluated. Conditions can appear in: • Policy r ules. • Section and layer headers, as guards; for example, [Rule] group=(“bankabchr” || “cn=hu manresources,ou=groups,o=westernnational”) • define condition , define domain condition , and defi[...]

Proxy SG Content Policy Language Guide 50 • condition ::= trigger "=" expression • trigger ::= identifier | identifier "." word • expression ::= term | list • list ::= "(" ((pattern ",")* pattern)? " )" • disjunction ::= conjunction | disjunctio n "||" conjunction • conjunction[...]

Chapter 3: Con dition Reference 51 Una v ailable T riggers Some triggers can be unavailable in some transactions. If a trigger is unavai lable, then any condition containing that tr igger is false, regardless of the pattern expression. For example, if the current transaction is not authenticated (that is , the authenticate pr operty was set to no )[...]

Proxy SG Content Policy Language Guide 52 acl= Deprecated syntax. See "client.addr ess=" on page 60 for mor e information.[...]

Chapter 3: Con dition Reference 53 admin.access= T ests the administrative access requ ested by the current transaction. It evaluates to null if the transaction is not an admi nistrative transaction, whic h may occur if the test is included in an <Exception> layer . Replac es: method= Syntax admin.access=READ|WRITE Lay er and T ransa ction No[...]

Proxy SG Content Policy Language Guide 54 attribute . name = T ests if the curr ent transaction is authenticated in a RADIUS or LDAP realm, and if the authenticated user has the specified attribute with the specified value. This trigger is unavai lable if the curr ent transaction i s not authenticated ( that is, the authenticate pr operty is set to[...]

Chapter 3: Con dition Reference 55 <proxy> authenticate(RADIUSRealm) ; This rule would restrict non-authorize d users. <proxy> deny condition=!ProxyAllowed ; This rule would serve to override a previous denial and gr ant access to authorized ; users <proxy> allow condition=ProxyAllowed See Also • Conditions: authenticated= , gro[...]

Proxy SG Content Policy Language Guide 56 authenticated= T rue if authentication was requested and the cr edentials could be verified; otherwise, false. Syntax authenticated=(yes|no) Lay er and T ransa ction Notes •U s e i n <Admin> and <Proxy> layers. • Applies to proxy and administrator transactions. • This condition cannot be c[...]

Chapter 3: Con dition Reference 57 bitrate= T ests if a streaming tr ansaction re quests bandwidth within the specif ied range or an exact match. When providing a range, either value can be left empt y , implying either no lower or no upper limit on the test. Bitrate can change dynamically during a transaction, so this poli cy is re-evaluated for e[...]

Proxy SG Content Policy Language Guide 58 <Proxy> ; Use this layer to override a d eny in a previous layer ; Grant everybody access to streams up to 56K, sales group up to 2M allow bitrate=..56K allow group=sales bitrate=..2M See Also • Conditions: live= , streaming.client= , streaming.content= •P r o p e r t i e s : access_server( ) , ma[...]

Chapter 3: Con dition Reference 59 categor y= T ests the content categor ies of the requested URL as assigned by policy def i nitions or an installed content filter database. A URL that is not categori zed is assigned the cate gory none . If a content filter provid er is selected in configuration, but an error occurs in determini ng the category , [...]

Proxy SG Content Policy Language Guide 60 client.address= T ests the IP address of the client. The expr ession can include an IP address or subnet or the label of a subnet definit ion block. Important: If a user is explicitly proxied to the Proxy SG , <Proxy > layer policy applies even if the URL destination is an administrative URL for the P[...]

Chapter 3: Con dition Reference 61 client.protocol= T ests true if the client transport protocol matches the specification. Replaces: client_protocol= syntax client.protocol=http|https|ftp|tcp|socks |mms|rtsp|icp|aol-im|msn-im|yahoo-im Note that tcp specifies a tunneled t ransaction. Lay er and T ransa ction Notes •U s e i n <Exception> , &[...]

Proxy SG Content Policy Language Guide 62 condition= T ests if the specified defined condition is true. Syntax condition= condition_label where conditi on_label is the label of a custom condition as defined in a define condition , define url.domain conditi on , or define url condition definition block. Lay er and T ransa ction Notes • Use in all [...]

Chapter 3: Con dition Reference 63 http://www.x.com time=0800..1000 http://www.y.com month=1 http://www.z.com hour=9..10 end <proxy> condition=test deny ; Example of a define domain-suffix (or domain) condition define url.domain condition test com ; Matches all domains ending in .com end <proxy> condition=test deny See Also • Definiti[...]

Proxy SG Content Policy Language Guide 64 console_access= T ests if the cur rent request is destined for the <Admin> layer . This test can be used to distinguish access to the management console by admininstrators who are explicitly pr oxied to the Proxy SG being admininstered. The te st can be used to guard tran sfor ms that should not apply[...]

Chapter 3: Con dition Reference 65 content_admin= The content_admin= condition has bee n deprecated. For mor e information, see "content_management" on page 66.[...]

Proxy SG Content Policy Language Guide 66 content_management T ests if the curr ent request is a content management transaction. Replaces: content_admin=yes|no Syntax content_management=yes|no Lay er and T ransa ction Notes •U s e i n <Cache> and <Forward> layers. • Applies to all transactions. See Also • Conditions: category= , f[...]

Chapter 3: Con dition Reference 67 date[.utc]= T ests true if the curr ent time is within the startdate..enddate range, inclusive. The co mparison is made against local time unless the .utc qualifier is sp ecified. syntax date[.utc]=YYYYMMDD..YYYYMMDD date[.utc]=MMDD..MMDD Lay er and T ransa ction Notes • Using time-related con ditions to control[...]

Proxy SG Content Policy Language Guide 68 da y= T ests if the day of the month is in the spe cified range or an exact match. The Pr oxy SG appliance’s configured date and time zone ar e used to determine the curr ent day of the month. T o specify the UTC time zone, use the form day.utc= . Note that the numeric pattern used to test the day conditi[...]

Chapter 3: Con dition Reference 69 e xception.id= T ests whether the exception being r eturned to the client is the specified exception. It can also be used to determine whether the exception be ing returned is a built-in or user -defined exception. Built-in exceptions are handled automatically by the Pr oxy SG but special handling can be defined w[...]

Proxy SG Content Policy Language Guide 70 ; thrown by deny or force_deny exception.id=policy_denied action.log_in terloper(yes) <Exception> exception.id=user_defined.re stricted_content ; any policy required for this user defi ned exception ... See Also •P r o p e r t i e s : deny( ) , deny.unauthorized( ) , exception( ) •A c t i o n s : [...]

Chapter 3: Con dition Reference 71 ftp .method= T ests FTP r equest methods against any of a well-k nown set of FTP methods. A CPL parse erro r is given if an unrecognized method is specified. • ftp.method= evaluates to true if the r equest method matches any of the methods specified. • ftp.method= evaluates to NULL if the request is not an FTP[...]

Proxy SG Content Policy Language Guide 72 group= T ests if the client is authenticated, and the client belongs to the specified gr oup. If both of these conditions are met, the r esult is true. In addition, the realm= condition can be used to test whether the user is authenticated in the specified r ealm. This trigger is unavailable if the current [...]

Chapter 3: Con dition Reference 73 • Applies to proxy and administrator transactions. • This condition cannot be combined with the authe nticate( ) , proxy_authentication( ) , or socks.authenticate( ) pr operties. Examples ; Test if user is authenticated in group all_staff and specified realm. realm=corp group=all_staff ; This example shows sam[...]

Proxy SG Content Policy Language Guide 74 has_attribute . name = T ests if the current transaction is authenticated in an LDAP realm and if the authenticated user has the specified LDAP attribute. If the at tribute specif ied is not configur ed in the LDAP schema and yes is used in the expr ession, the condition always yields fal se. This trigger i[...]

Chapter 3: Con dition Reference 75 See Also • Conditions: attribute. name = , authenticated= , group=, http.transparent_authentication= , re alm= , user= , user.domain= •P r o p e r t i e s : authenticate( ) , authenticate.force ( ) , check_authorization( )[...]

Proxy SG Content Policy Language Guide 76 has_client= The has_cl ient= condition is used to test whether or not the current transaction has a client. This can be used to guard triggers that depend on client identity in a <Forward> layer . Syntax has_client=yes|no Lay er and T ransa ction Notes •U s e i n <Forward> layers. • Applies [...]

Chapter 3: Con dition Reference 77 hour= T ests if the time of day is in the specif ied range or an exact match. The curren t time is determin ed by the Pr oxy SG appliance’s configured clock and time zone by default, although the UTC time zone can be specified by us ing the form hour.utc= . The numeric pattern used to test the hour= condition co[...]

Proxy SG Content Policy Language Guide 78 <proxy> allow server_url.domain=xyz.com ; intern al site always available allow weekday=6..7 ; unrestricted weekends allow hour=17..8; Inverted range for out side business hours See Also • Conditions: date[.utc]= , day= , minute= , month= , time= , weekday= , year=[...]

Chapter 3: Con dition Reference 79 http .method= T ests HTTP r equest methods agains t any of a common set of HTTP methods. A CPL parse error is given if an unrecognized method is specified. Syntax http.method=GET|CONNECT|DELETE|HEAD|POST |PUT|TRACE|OPTIONS|TUNNEL|LINK|UNLINK |PATCH|PROPFIND|PROPPATCH|MKCOL|COPY|MOV E|LOCK|UNLOCK|MKDIR|INDEX|RMDIR|[...]

Proxy SG Content Policy Language Guide 80 http .request.version= T ests the vers ion of HTTP used by the client in making the re quest to the appliance. syntax http.request.version=0.9|1.0|1.1 Lay er and T ransa ction Notes •U s e i n <Proxy> , <Cache> , and <Exception> layers. • Applies to HTTP transact ions. See Also • Con[...]

Chapter 3: Con dition Reference 81 http .response.code= T ests true if the curr ent transaction is an HTTP tr ansaction and the response code r eceived from the origin server is as sp ecified. Replac es: http.response_code syntax http.response.code= nnn where nnn is a standard numeric range test with values in the range 100 to 999 inclusive. Lay er[...]

Proxy SG Content Policy Language Guide 82 http .response.v ersion= T ests the vers ion of HTTP used by the origin server to deliver the response to the Pr oxy SG . Syntax http.response.version=0.9|1.0|1.1 Lay er and T ransa ction Notes •U s e i n <Proxy> , <Cache> , and <Exception> layers. • Applies to HTTP transact ions. See [...]

Chapter 3: Con dition Reference 83 http .transparent_authentication= This trigger evaluates to true if HTTP uses tr ansparent proxy authentication for this r equest. The trigger can be used with the authenticate( ) or authentica te.force( ) p r o p e r t i e s t o s e l e c t a n authentication realm. Syntax http.transparent_authentication=yes|no L[...]

Proxy SG Content Policy Language Guide 84 http .x_method= T ests HTTP request me thods against any unc ommon HTTP methods . A CPL parse warning is given if the method specified is a recognized method (in which case, http.method= is recommende d). Uncommon methods are tested using a string compar ison, so some performanc e benefit exists with using [...]

Chapter 3: Con dition Reference 85 im.b uddy_id= Te s t s t h e buddy_id associated with the inst ant messaging transaction. Syntax im.buddy_id[.case_sensitive]= user_id_str ing im.buddy_id.substring[.case_sensitive]= s ubstring im.buddy_id.regex[.case_sensitive]=“expr ” where: • user_id_string —An exact match of the complete instant messag[...]

Proxy SG Content Policy Language Guide 86 im.chat_room.conf erence= T ests whether the chat r oom associated with the instant messaging transaction has the confer ence attribute set. Syntax im.chat_room.conference=yes|no Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers. • Applies to insta nt messaging transac[...]

Chapter 3: Con dition Reference 87 im.chat_room.id= T ests the chat r oom ID associated wi th the instant messagi ng transaction. Syntax im.chat_room.id[.case_sensitive]= user_id _string im.chat_room.id.substring[.case_sensitiv e]= substring im.chat_room.id.regex[.case_sensitive]=“ expr ” where: • user_id_string —An exact match of the compl[...]

Proxy SG Content Policy Language Guide 88 im.chat_room.in vite_only= T ests whether the chat r oom associated with the instant messaging transaction has the invite_only attribute set. Syntax im.chat_room.invite_only=yes|no Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers. • Applies to insta nt messaging trans[...]

Chapter 3: Con dition Reference 89 im.chat_room.type= T ests whether the chat r oom associated wi th the transaction is public or private. Syntax im.chat_room.type=public|private Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers. • Applies to insta nt messaging transactions . See Also •A c t i o n s : append[...]

Proxy SG Content Policy Language Guide 90 im.chat_room.member= T ests whether the chat r oom associated with the instant messaging transaction has a member matching the specified criterion. Syntax im.chat_room.id[.case_sensitive]= buddy_i d_string m.chat_room.id.substring[.case_sensitive ]= substring im.chat_room.id.regex[.case_sensitive]=“ expr [...]

Chapter 3: Con dition Reference 91 im.chat_room.v oice_enabled= T ests whether the chat r oom associated with the instant messaging transaction is voic e enabled. Syntax im.chat_room.voice_enabled=yes|no Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers. • Applies to insta nt messaging transactions . See Also [...]

Proxy SG Content Policy Language Guide 92 im.file.e xtension= T ests the file extension of a file associated with an instant messag ing transaction. The leading ' . ' of the file extension is optional. Only supports an exact match. Syntax im.file.extension[.case-sensitive]=[.] fi lename_extension Notes By default the test is case-insensit[...]

Chapter 3: Con dition Reference 93 im.file.name= T ests the file name (the last component of the path), includ ing the extension, of a file a ssociated with an instant messaging transaction. Syntax im.file.name[.case_sensitive]= string im.file.name.prefix[.case_sensitive]= pre fix_string im.file.name.substring[.case_sensitive]= substring im.file.na[...]

Proxy SG Content Policy Language Guide 94 im.file.path= T ests the file path of a file as sociated with an instant messaging transaction against the specified criterion. Syntax im.file.path[.case_sensitive]= string im.file.path.prefix[.case_sensitive]= pre fix_string im.file.path.substring[.case_sensitive]= substring im.file.path.regex[.case_sensit[...]

Chapter 3: Con dition Reference 95 im.file.siz e= Performs a signed 64-bit range test of the size of a file associated wi th an instant messaging transaction. Syntax im.file.size= [min]..[max] The default minimum value is zer o ( 0 ); there is no default maximum value. Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> [...]

Proxy SG Content Policy Language Guide 96 im.message.opcode= T ests the value of an opcode associated wi th an instant messaging transaction whose im.method is send_unknown or receive_unknown . Note: Generally , this is used with deny( ) to r estrict interactions that are new to one of the supported i nstant messaging protocols and for wh ich direc[...]

Chapter 3: Con dition Reference 97 im.message.route= T ests how the instant messaging mes sage reaches its recipients. Syntax im.message.route=service|direct|chat where: • service —The message is r elayed through the IM service. • direct —The message is sent dir ectly to the re cipient. • chat —The message is sent to a chat room (includ[...]

Proxy SG Content Policy Language Guide 98 im.message.siz e= Performs a signed 64-bit range test on the si ze of the inst ant messaging m essage. Syntax im.message.size= [min]..[max} The default minimum value is zer o ( 0 ); there is no default maximum value. Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers. •[...]

Chapter 3: Con dition Reference 99 im.message.te xt= T ests if the message text contains the specified text or pattern. Note: The .regex version of this test is limited to the first 8K of the message. The .substring version of the test does not have this r estriction. Syntax im.message.text.substring[.case_sensitiv e]= substring im.message.text.reg[...]

Proxy SG Content Policy Language Guide 100 im.message.type= T ests the message type of an instant messaging transaction. Syntax im.message.type=text|invite|voice_invite |file|file_list|application where: • text —Normal IM text message. • invite —An invitation to a chat room or to communicate directly . • voice_invite —Invitation to a vo[...]

Chapter 3: Con dition Reference 101 im.method= T ests the method associated with the i nstant messaging tr ansaction. Syntax im.method=open|create|join|join_user|log in|logout|notify_join|notify_quit| notify_state|quit|receive|receive_unknow n|send|send_unknown|set_state Lay er and T ransa ction Notes •U s e i n <Proxy> , <Cache> , an[...]

Proxy SG Content Policy Language Guide 102 im.user_id= Te s t s t h e user_id associated with the instant messaging transaction. Syntax im.user_id[.case_sensitive]= user_id_stri ng im.user_id.substring[.case_sensitive]= su bstring im.user_id.regex[.case_sensitive]=“ expr ” where: • user_id_string —An exact match of the complete instant mess[...]

Chapter 3: Con dition Reference 103 liv e= T ests if the str eaming content is a li ve stream. Syntax live=yes|no Lay er and T ransa ction Notes •U s e i n <Cache> and <Proxy> layers. • Applies to streaming transactions . Examples ; The following policy restricts access to live streams during morning hours. ; In this example, we use[...]

Proxy SG Content Policy Language Guide 104 method= T ests the pr otocol method name as sociated with the transaction. Appr opriate method names depend on the protocol. Also, a warning is is sued during policy file compilation if the name is not a rec og n iz ed m et h od . method= accepts any of the pr otocol sp ecific methods accepted by admin.acc[...]

Chapter 3: Con dition Reference 105 Examples <proxy> http.method=GET response.header.Pragma=”no-cache " deny ; This example is applicable to a blackl ist model. It denies access to ; transparent FTP by denying the OPEN me thod on port 21. <proxy> proxy.port=21 deny ftp.method=OPEN ; This example tests method=CONNECT to s ecure ag[...]

Proxy SG Content Policy Language Guide 106 minu te= T ests if the minute of the hour is in the specified range or an ex act match. By default, the Prox y SG appliance’s clock and time zone are used to dete rmine the curr ent minute. T o specify the UTC time zone, use the form min ute.utc= . The numeric pattern used to test the minute condition ca[...]

Chapter 3: Con dition Reference 107 month= T ests if the month is in the specified range or an exact match. By default, the Pr oxy SG appliance’s date and time zone ar e used to determine the curr ent month. T o specify the UTC time zone, use the form month.utc= . The numeric pattern used to test the month condition can contain no whitespace. Syn[...]

Proxy SG Content Policy Language Guide 108 protocol= The protocol= condition has been de precated in favor of url.scheme= . For more information see "url=" on page 137. See Also Conditions: client.protocol=[...]

Chapter 3: Con dition Reference 109 pro xy .address= T ests the de stination address of the arriving IP pa cket. The expr ession can in clude an IP address or subnet, or the label of a subnet definition blo ck. If the transaction was explicitly proxied, then proxy.address= tests the IP address the client used to reach the pr oxy , which is either t[...]

Proxy SG Content Policy Language Guide 110 pro xy .card= T ests the or dinal number of the network in terface car d (NIC) used by a r equest. Replac es: proxy_card Syntax proxy.card= card_number where card_nu mber is an integer that reflects the installation order . Lay er and T ransa ction Notes •U s e i n <Admin> , <Proxy> , and <[...]

Chapter 3: Con dition Reference 111 pro xy .por t= T ests if the IP port used by a r equest is within the specified range or an ex act match.The numeric pattern used to test the proxy.port= condition can contain no whitespace. If the transaction was explicitly proxied, then this tests the IP port that the client used to reach the proxy . The patter[...]

Proxy SG Content Policy Language Guide 112 realm= T ests if the client is authenticated and if the client has logged into the specified r ealm. If both of these conditions are met, the r espon se is true. In addi tion, the group= condition can be used to test whether the user belongs to the specified group. Thi s trigger is unavailable if the curre[...]

Chapter 3: Con dition Reference 113 •P r o p e r t i e s : authenticate( ) , authenticate.force( ) , check_authorization( )[...]

Proxy SG Content Policy Language Guide 114 release.id= T ests the r elease ID of the Proxy SG softwar e. The release ID of the Proxy SG software curr ently running is displayed on the main page of the Management Console and in the Management>Mainte nance>Upgrade>Systems tab of the M anageme nt Cons ol e. It also can be displayed thro ugh t[...]

Chapter 3: Con dition Reference 115 release.v ersion= T ests the r elease version of the Proxy SG s oftware. The r elease version of the Proxy SG softwar e currently running is displayed on the main page of the Management Console and in the Management>Mainte nance>Upgrade > Systems tab of the Management Consol e. It also can be displayed t[...]

Proxy SG Content Policy Language Guide 116 request.header . header_name = T ests the specified request hea der ( header_name ) against a regular expression. Any r ecognized HTTP request header can be tested. For custom heade rs, use request_x_header. header_name = instead. For st rea m in g re qu e st s, on ly t he User-Agent header is available. R[...]

Chapter 3: Con dition Reference 117 request.header . header_name .address= T ests if the specified r equest header can be parsed as an IP address ; otherwise, false. If parsing succeeds, then the IP ad dress extracted fr om the header is tested against the specified IP addr ess. The expressio n can include an IP address or subnet, or the label of a[...]

Proxy SG Content Policy Language Guide 118 request.header .Ref erer .ur l= T est if the URL specified by the Refer er head er matches the specified criteria. The basic request.header.Referer.url= test attempts to match the complete Refer er URL ag ainst a specified pattern. The pattern may include th e scheme , host, port, path and query components[...]

Chapter 3: Con dition Reference 119 ; Relative URLs, such as docs subdirecto ries and pages, will match. deny request.header.Referer.url=http://w ww.example.com/docs ; Test if the Referer URL host’s IP addr ess is a match. request.header.Referer.url.address=10.1. 198.0 ; Test whether the Referer URL includes company.com as domain. request.header.[...]

Proxy SG Content Policy Language Guide 120 <proxy> request.header.Referer.url.host.regex=my company ; request.header.Referer.url.path tests ; The following request.header.Referer.url.path strings would all match the examp le Referer URL: ; Referer: http://www.example.com/cgi-bi n/query.pl?q=test#fragment request.header.Referer.url.path=”/cg[...]

Chapter 3: Con dition Reference 121 request.x_header . header_name = T ests the spec ified request header ( header _name ) against a regular expression. Any HTTP request header can be tested, including custom h eaders. T o te st recognized headers, use request.header. header_name = instead, so that typing errors can be caught at compile time. For s[...]

Proxy SG Content Policy Language Guide 122 request.x_header . header_name .address= T ests if the specified r equest header can be parsed as an IP address ; otherwise, false. If parsing succeeds, then the IP addr ess extracted from the head er is tes ted against the specified IP address . The expressio n can include an IP addre ss or subnet, or th [...]

Chapter 3: Con dition Reference 123 response.header . header_name = T ests the specified response header ( header_name ) against a r egular expr ession. Any recognize d HTTP response he ader can be tested. For custom headers, use respo nse.x_header. header_name = instead. Replac es: response_header. header_name = Syntax response.header. header_name[...]

Proxy SG Content Policy Language Guide 124 response.x_header . header_name = T ests the specified response header ( header_name ) against a r egular expr ession. For HTTP requests, any response header can be tested, including cust om headers. For recognized HTTP headers, use response.header. header_name = instead so that typing errors can be caught[...]

Chapter 3: Con dition Reference 125 ser v er_ur l= T ests if a portion of the URL used in server connecti ons matches the specified criteria. The basic server_url= test attempts to match the complete possib ly-rewritte n request URL against a specified pattern. The pattern may include the scheme, host, po rt, path a nd query components of the UR L.[...]

Proxy SG Content Policy Language Guide 126 • Applies to all non-administrator transactions. Examples ; Test if the server URL includes this p attern, and block access. ; Relative URLs, such as docs subdirecto ries and pages, will match. server_url=http://www.example.com/docs a ccess_server(no) ; Test if the URL host’s IP address is a match. ser[...]

Chapter 3: Con dition Reference 127 ;request http://1.2.3.4/ ;request http://mycompany.com/ ; If the reverse DNS fails then the firs t request is not matched <forward> server_url.host.regex=mycompany ; server_url.path tests ; The following server_url.path strings would all match the example URL: ; http://www.example.com/cgi-bin/query.p l?q=te[...]

Proxy SG Content Policy Language Guide 128 soc ks= This condition is true whenever the session for th e current transaction involves SOCKS to the client. The SOCKS=yes trigger is intended as a way to test whether or not a r equest arrived via the SOCKS proxy . It will be true for both SOCKS r equests that the Proxy SG tunnels and for SOCKS r equest[...]

Chapter 3: Con dition Reference 129 soc ks.acceler ated= T ests whether the SOCKS pr oxy will hand off this transaction to other pr otocol agents for acceleration. Syntax socks.accelerated={yes|http|aol-im|msn-i m|yahoo-im|no} where: • yes is t ru e o n ly f or S O C KS t r an s a c ti o n s t h a t w i l l hand off to another protocol-specific p[...]

Proxy SG Content Policy Language Guide 130 soc ks.method= T ests the SOCKS pr otocol method name associated with the transaction. Syntax socks.method=CONNECT|BIND|UDP_ASSOCIATE Lay er and T ransa ction Notes •U s e i n <Proxy> and <Exception> layers. • Applies to SOCKS transactions. See Also • Conditions: ftp.method= , http.method[...]

Chapter 3: Con dition Reference 131 soc ks.v ersion= T ests whether the version of the SOCKS protocol used to communicate to the cl ient is SOCKS 4/4a or SOCKS 5. SOCKS 5 has mor e security and is more high ly recommended. SOCKS 5 supports authentication and can be used to authenticate tr ansactions that may be accelerated by other protocol service[...]

Proxy SG Content Policy Language Guide 132 streaming.client= T ests the client agent associated with the current transaction. Syntax streaming.client=yes|no|windows_media|re al_media|quicktime where: • yes is true if the user agent is r ecognized as a windows media player , real media player or quicktime player . • no is true if the user agent [...]

Chapter 3: Con dition Reference 133 streaming.content= T ests the content of the curr ent transaction to determ ine whether or not it is s treaming media, and to determine the streaming media type. Syntax streaming.content=yes|no|windows_media|r eal_media|quicktime where: • yes is true if the content is r ecognized as W indows media, Real media, [...]

Proxy SG Content Policy Language Guide 134 time= T ests if the time of day is in the specif ied range or an exact match. The curren t time is determin ed by the Pr oxy SG appliance’s configured clock and time zone by default, although the UTC time zone can be specified by us ing the form time.utc= . The numeric pattern us ed to test the time cond[...]

Chapter 3: Con dition Reference 135 ; This example restricts the times durin g which certain ; stations can log in with administrativ e privileges. define subnet restricted_stations 10.10.10.4/30 10.10.11.1 end subnet restricted_stations <admin> client.address=restricted_statio ns allow time=0800..1800 weekday=1..5 admin .access=(READ||WRITE)[...]

Proxy SG Content Policy Language Guide 136 tunneled= T ests if the curr ent transaction repr esents a tunneled request. A tunneled request is one of: • TCP tunneled r equest • HTTP CONNECT request • Unaccelerated SOCKS request Note: HTTPS connections to the management console ar e not tunneled for the purposes of this test. Syntax tunneled=ye[...]

Chapter 3: Con dition Reference 137 url= T ests if a portion of the r equested URL matches the specified criteria. The basic url= test attempts to match the complete request URL against a specifie d pattern. The pattern may include the scheme, host, port, path an d query components of the URL. If any of these is not incl uded in the pattern, then t[...]

Proxy SG Content Policy Language Guide 138 // host : port // host : port / path_query // host / path_query host host : port host : port / path_query host / path_query / path_query • domain_suffix_pattern —A URL pattern that includes a dom ain suffix, as a minimum, using the following sy ntax: scheme :// domain_suffix : port / path Accepted doma[...]

Chapter 3: Con dition Reference 139 include a filename extension, such as http://example.com/ and http:// example.com/test . T o test multiple extensions, use pa rentheses and a comma separator (see the Example section below). • regular_expression —A Perl r egular expres sion. The expressi on must be quoted if it contains whitespace or any of t[...]

Proxy SG Content Policy Language Guide 140 • .suffix —T est if the s tring pattern is a suffix of the URL or component. The suffix need not match on a boundary (such as a domain component or path directory) within a URL component. Note: .prefix , .regex , .substring , and .suff ix are string comparisons that do not r equire a match on component[...]

Chapter 3: Con dition Reference 141 slash is always pr esent in the request URL being tested, because the UR L is normaliz ed before any comparison is performed. Unless an .exact , .su bstring , or .regex modifier is used, the pattern specified must include the lead ing ‘ / ’ character . In the following URL example, bolding shows the component[...]

Proxy SG Content Policy Language Guide 142 If you are testing a lar ge number of URLs using the url.domain= condition, consider the performance benefits of a url.domain definition block or a [url.domain] section (see Chapter 6: "Definit ion Refer ence"). Regular expr ession matches are not anchored. Y ou may want to use either or both of [...]

Chapter 3: Con dition Reference 143 ; http://www.example.com <proxy> url.host.is_numeric=yes; ; In the example below we assume that 1. 2.3.4 is the IP of the host mycompany ; The condition will match the following two requests if the reverse DNS was ; successful: ;request http://1.2.3.4/ ;request http://mycompany.com/ ; If the reverse DNS fai[...]

Proxy SG Content Policy Language Guide 144 user= T ests the authenticated username associated with the transaction. This t rigger is only availa ble if the transaction was authenticated (that is, the authenticate( ) property was set to something other than no , and the proxy_authentication ( ) property was not set to no ). Syntax user= user_name wh[...]

Chapter 3: Con dition Reference 145 See Also • Conditions: attribute. name = , authentica ted= , group= , has_attribute. name = , http.transparent_authentication= , re alm= , user.domain= •P r o p e r t i e s : authenticate( ) , authenticate.force( ) , check_authorization( ) , deny.unauthorized( ) , socks.authenti cate( ) , socks.authenticate.f[...]

Proxy SG Content Policy Language Guide 146 user .domain= T ests if the client is authenticated, the logged - into realm is an NTLM r ealm, and the domain component of the username is the specifie d domain. If all of these conditions are met, the r esponse will be true. This trig ger is unavailable if the cu rr ent transaction is not authenticated ([...]

Chapter 3: Con dition Reference 147 user .x509.issuer= T ests the issuer of the x509 ce rtificate used in authentication to certificate realms. The user.x509.issuer= condition is primarily useful in constructi ng explicit certif icate revocation lists. This condition will only be true for users authenticated aga inst a certificate realm. Syntax use[...]

Proxy SG Content Policy Language Guide 148 user .x509.seri alNumber= T ests the serial numbe r of the x509 certificate used to authenticate the user against a certificat e realm. The user.x509.serialNumber= condition is primarily useful in constr ucting explicit certificate revocation lists. Comparisons are case-insensitive. Syntax user.x509.serial[...]

Chapter 3: Con dition Reference 149 user .x509.subject= T ests the subject field of the x509 certificate used to authenticate the user ag ainst a certificate realm. The user.x509.subject= condition is primarily use ful in constructing explicit certificate r evocation lists. Syntax user.x509.subject= subject where subject is an RFC2253 LDAP DN, appr[...]

Proxy SG Content Policy Language Guide 150 weekda y= T ests if the day of the week is in the spe cified range or an exact match. By default, the Proxy SG appliance’s date is used to de termine the day of th e week. T o specify the UTC time zone, use the form weekday.utc=. The numeric pattern used to test the weekday= condition can contain no whit[...]

Chapter 3: Con dition Reference 151 y ear= T ests i f the year is in the specified range or an exact match. The curr ent year is de termined by the date set on the Pr oxy SG by default. T o specify the UTC time zone, use the form year.utc= . Note that the numeric pattern used to test the year= condition can contain no whitespace. Syntax year[.utc]=[...]

Proxy SG Content Policy Language Guide 152[...]

Chapter 4: Proper ty Ref erence A property is a variable that ca n be set to a value. At th e beginning of a transactio n, all pr operties ar e set to their default values. As each layer in the policy is evaluated in sequence, it can set a pr operty to a particular value. A property r etains the final valu e setting when evaluation ends, and the tr[...]

Proxy SG Content Policy Language Guide 154 access_log( ) Selects the access log used for this transaction . Multiple acc ess logs can be selected to recor d a single transaction. Individual access logs are r eferenced by the name given in configuration. Configuration also determines the format of the each log. For mor e information on logging, refe[...]

Chapter 4: Property Reference 155 access_ser v er( ) Determines whether the client can receive str eaming co ntent directly from the origin content server or other upstr eam device. Se t to no to serve only cached content. Note: Since part of a stre am can be cached, and anot her part of the same stream can be uncached, access_server(no) can cause [...]

Proxy SG Content Policy Language Guide 156 action( ) Selectively enables or disables a specified define action block. The default value is no. Note: Several define action bl ocks may be enab led for a tra nsaction. If more th an one action selected rewrites the URL o r header a specific header , the actions ar e deemed to conflict and only one will[...]

Chapter 4: Property Reference 157 adv er tisement( ) Determines whether to treat the objects at a partic ular URL as banner ads to improve performance. If the content is not specific to a particular user or client, the n the hit count on the or igin server is maintained while the response time is optimized using the followi ng behavior: • Always [...]

Proxy SG Content Policy Language Guide 158 allow Allows the transaction to be served. Allow can be overridden by the access_server( ) , deny( ) , force_deny( ) , authenticate( ) , exception( ) , or force_exception( ) pr operties or by the redirect( ) action. Allow overrides deny( ) and exception( ) pr operties. Note: Caution should be exer cised wh[...]

Chapter 4: Property Reference 159 alwa ys_v er ify( ) Determines whether each r equest for the objects at a part icular URL must be verified wi th the origin server . This property pr ovides a URL-specific alternative to the global caching setting always-verify-source . If the re are multiple simultaneous accesses of an obje ct, the requests ar e r[...]

Proxy SG Content Policy Language Guide 160 authenticate( ) Identifies the r ealm used to au thenticate the user associated with the current transaction. Authentication realms ar e refer enced by the name given in configuration. If the transaction has already been authenticated in the same r ealm by the SOCKS pr oxy , no new authentication challenge[...]

Chapter 4: Property Reference 161 url.domain = !corporate.com authenticate (OurRealm, “log in for internet access”) The next example illustrates the r elation between authentication and denial. All users outside an allowed subnet are denied before authentication. Th ey ar e not allowed to submit credentials to the authentication server . Users [...]

Proxy SG Content Policy Language Guide 162 authenticate .f orce( ) This propert y controls th e relation betwe en authentication and deni al. Syntax authenticate.force(yes|no) The default value is no . where: • yes —Makes an authenticate( ) higher priority than deny( ) or exception( ) . Use yes to ensure that userID's ar e available for a [...]

Chapter 4: Property Reference 163 authenticate .mode( ) Using the authentication.mode( ) property selects a combination of challenge type and surr ogate credentials. Challenge type is what kind of challenge (proxy , origin or origin-redirect) is issued. Surrogate cr edentials are cr edentials accepted in place of the user ’s real cr edentials. Th[...]

Proxy SG Content Policy Language Guide 164 • origin-cookie (origin/cookie)—Used in forward pr oxies to support pass-through authentication more secur ely than origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other pr otocols are automati call y downgraded to origin-ip . This mode could also be used[...]

Chapter 4: Property Reference 165 authenticate .use_ur l_cookie( ) This property is used to authenticate users wh o have third party cookie s explicitly disabled. Note: W ith a value of yes , if there is a pr oblem loading the page (you get an err or page or you cancel an authentication challenge), the cfauth cookie is displaye d. Y ou can also see[...]

Proxy SG Content Policy Language Guide 166 bl o ck_ c at e g o r y ( ) This property has been deprecated. In current CPL, the us e of block_category( category_list ) has be en replaced by category=category_list exception(content _filter_denied) However , block_category() will be o verridden by content_filter_override(yes) , while this is not the ca[...]

Chapter 4: Property Reference 167 b ypass_cache( ) Determines whether the cache is bypassed for a request. If set to yes , the cache is not queried and the response is not stored in the cache. Set to no t o specify the defaul t behavior , which is to follow standar d caching behavior . While static and dynamic bypass lists allow traf fic to bypass [...]

Proxy SG Content Policy Language Guide 168 cache( ) Contro ls HTTP and FTP caching behavior . A number of CPL pr operties affect caching behavior . •I f bypass_cache(yes) is set, then the cache is not accessed and the value of cache( ) is irrele vant. •I f cache(yes) is set, then the force_cache(all) pr operty setting modifies the definition of[...]

Chapter 4: Property Reference 169 See Also •P r o p e r t i e s : advertisement( ) , always_verify( ) , b ypass_cache( ) , cookie_sensitive( ) , direct( ) , dynamic_bypass , force_cache() , pipeline( ) , refresh( ) , ttl( ) , ua_sensitive( )[...]

Proxy SG Content Policy Language Guide 170 chec k_author ization( ) In connection with CAD (Caching Authenticated Data) and CP AD (Caching Proxy-Authenticated Data) support, check_authorization( ) is used when you know that the upstr eam device sometimes (not always or never) r equires the us er to authenticate and be authorized for t his object. S[...]

Chapter 4: Property Reference 171 content_filter_ov err ide( ) This property has been deprecated. content_filter_override(yes) has two ef fects: • It prevents the r equest from being sent to the of f- box content filter , if off -box content filtering is configured. In this case, it is equivalent to request.filter_service(no). • It suppr esses [...]

Proxy SG Content Policy Language Guide 172 cookie_sensitiv e( ) Used to modify caching behavior by declaring that the object s erved by the request varies based on cookie values. Set to yes to specify this behavior , or set to no for the default behavior , which caches based on HTTP heade rs. Using cookie_sensitiv e(yes) has the sam e effect as cac[...]

Chapter 4: Property Reference 173 delete_on_abandonment( ) If set to yes , specifies that if all cl ients who may be simult aneously requesting a pa rticular objec t close their connections before the object is delivered, the object fetch fr om the origin server is abandoned, and any prior ins tance of the object is deleted f rom the cache. Syntax [...]

Proxy SG Content Policy Language Guide 174 deny( ) Denies service. Denial can be overridden by allow or excep tion( ) . T o deny service i n a way th at cannot be overridden by a subsequent allow , us e force_deny( ) or force_exception( ) . The relation between aut henticate( ) and deny( ) is contro lled by the authenticate.force( ) property . By d[...]

Chapter 4: Property Reference 175 deny .unauthor ized( ) The deny.unauthorized pr operty instructs the Proxy SG to issue a challenge (401 Unauthorized or 407 Proxy authorization requir ed). This indicates to the client that the resource canno t be accessed with their current identity , but might be accessible using a differ ent identity . The br ow[...]

Proxy SG Content Policy Language Guide 176 direct( ) Used to preve nt requests fr om being forwarded to a par ent proxy or SOCKS server , when the Proxy SG is configur ed to forward r equests. When set to ye s , <Forward> layer policy is not evaluated for the transaction. Syntax direct(yes|no) The default value is no , which allows request fo[...]

Chapter 4: Property Reference 177 dynamic_b ypass( ) Used to indicate tha t a particular trans parent r eques t is not to be handled by the proxy , but instead be subjected to Pr oxy SG dynamic bypass methodology . The dynamic_bypass(yes) pr operty takes precedence over authenticate() ; however , a committed denial takes prece dence over dynamic_by[...]

Proxy SG Content Policy Language Guide 178 e xception( ) Selects a built-in or user -defined res ponse to be returned to the user . The exception( ) property is overridden by allow or deny( ) . T o set an exception that cannot be overridden by allow , use force_excep tion( ) . The identity of the exception being returned can be tested in an <Exc[...]

Chapter 4: Property Reference 179 e xception.autopad( ) Pad an HTTP exception response by including trailing whitespa ce in the response body so that Content-Length is at lea st 513 characters. A setting of yes is used to prevent Internet Explor er from substituting friend ly err or messages in place of the exception r esponse being returned, when [...]

Proxy SG Content Policy Language Guide 180 f orce_cache( ) Used to force caching of HTTP r esponses that would otherwise be considered uncacheable . The default HTTP caching beha vior is restor ed using force_cache(no) . The value of the force_cache( ) property is ignor ed un less all of the fo llowing property settings are in effect: b ypass_cache[...]

Chapter 4: Property Reference 181 f orce_deny( ) The force_deny( ) proper ty is similar to deny( ) except that it: • Cannot be overridden by an allo w . • Overrides any pending termina tion (that is, if a deny( ) has already been matched, and a force_deny or force_exception i s subsequently matched, the latter commits. • Commits immediately ([...]

Proxy SG Content Policy Language Guide 182 f orce_e xception( ) The force_exception( ) pr operty is similar to exception except that it: • Cannot be overridden by an allow . • Overrides any pending termina tion (that is, if a deny( ) has already been matched, and a force_deny( ) or force_exception( ) is subsequently matched , the latter commits[...]

Chapter 4: Property Reference 183 f orce_patience_page( ) This property pr ovides control over the application of the default patience page logic. Syntax force_patience_page(yes|no) force_patience_page( reason ) force_patience_page.reason(yes|no) force_patience_page[ reason , ...](yes|no) where: reason —T akes one of the following values, corr es[...]

Proxy SG Content Policy Language Guide 184 fo r w a r d ( ) Determines forwarding behavior . There is a box-wide conf iguration setting ( config>forwarding>sequence ) for the default forwarding failover sequence. The forward( ) property is used to override the default forwarding failover sequence with a specific list of host and/or group alia[...]

Chapter 4: Property Reference 185 f orward.f ail_open( ) Controls whether the Proxy SG terminates or continues to proc ess the request if the specified forwarding host or any de signated back up or defaul t cannot be contacted. There is a box-wide configuration sett ing ( config>forwarding>failure-mode ) for the de fault forward failure mode.[...]

Proxy SG Content Policy Language Guide 186 ftp .ser v er_connection( ) Determines when the contr ol connection to the se rver is established. If set to deferred , the pr oxy defers establishing the control connection to the server . Syntax ftp.server_connection(deferred|immediate ) The default value is immediate. Lay er and T ransa ction Notes •U[...]

Chapter 4: Property Reference 187 ftp .ser v er_data( ) Determines the type of data connection to be used with this FTP transaction. Syntax ftp.server_data(auto|passive|port) where: • auto —First attempt a P ASV data connection. If this fails, switch to POR T . • passive —Use a P ASV data connection. P ASV data co nnections are not allowed [...]

Proxy SG Content Policy Language Guide 188 ftp .transpor t( ) Determines the upstream transport mechanism. This setting is not definitive. It depends on th e capabilities of the se lected for warding host. Syntax ftp_transport(auto|ftp|http) The default value is auto . where: • auto —Use the default transport for the upstream co nnection, as de[...]

Chapter 4: Property Reference 189 http .force_ntlm_f or_ser v er_auth( ) T urns on/of f NTLM cloaking on a per-r equest basi s. Refer to Appendix A: “NTLM and CAASNT” in the Pr oxy SG Configuration and Management Guide for a discussion of NTLM cloaking. Syntax http.force_ntlm_for_server_auth(yes|no) This property overrides the default specified[...]

Proxy SG Content Policy Language Guide 190 http .request.version( ) The http.request.version( ) property sets the version of the HTTP protocol to be used in the request to the origin content server or upstr eam pr oxy . Syntax http.request.version(1.0|1.1) The default is taken fr om the CLI configuratio n setting http version , whic h can be set to[...]

Chapter 4: Property Reference 191 http .response.v ersion( ) The http.response.version( ) pr operty sets the version of the HTTP protocol to be used in the response to the client's user agent. Syntax http.response.version(1.0|1.1) The default is taken fr om the CLI configuration setting http version , which can be set to either 1.0 or 1.1. Cha[...]

Proxy SG Content Policy Language Guide 192 icp( ) Determines whether to consult ICP when forwar ding r equests. Any forw ar ding host or SOCKS gateway identified as an ups tream tar get takes precede nce over consulting ICP . Syntax icp(yes|no) The default is yes if ICP hosts ar e configur ed, no otherwise. where: • yes —Consult ICP u nless for[...]

Chapter 4: Property Reference 193 im.strip_attachments( ) Determines whether attachments ar e stripped fr om instant messages. If set to yes , attachments are stripped fr om instant messages. Syntax im.strip_attachments(yes|no) The default value is no . Lay er and T ransa ction Notes •U s e i n <Proxy> layers. • Applies to insta nt messag[...]

Proxy SG Content Policy Language Guide 194 integr ate_new_hosts( ) Determines whether to add new host addre sses to he alth checks and load balancing. Syntax integrate_new_hosts(yes|no) The default is no . If it is set to yes , any new host addr esses encountered duri ng DNS resolution of forwarding hosts ar e added to he alth checks and load balan[...]

Chapter 4: Property Reference 195 label( ) This deprecated pr operty is provided for backward compatibility with CacheOS 4.x filter files. For more information, see "action( )" on page 156.[...]

Proxy SG Content Policy Language Guide 196 log.re wr ite. field-id () The log.rewrite. field-id pr operty controls r ewrites of a specific log field in one or more access logs. Individual access l ogs are r eferenced by the name given in configuratio n. Configuration also determines the format of the each log. For more information on logg ing, refe[...]

Chapter 4: Property Reference 197 log.suppress. field-id ( ) The log.suppress. field-id ( ) pr operty control s suppression of the specified field-id in one or more access l ogs. Individual access logs are r eferenced by the name given in configuration. Configuration also determines the format of the each log. For mor e information on logging, refe[...]

Proxy SG Content Policy Language Guide 198 max_bitrate( ) Enforces upper limits on the instantaneous bandwi dth of the current streaming transaction. This policy is enfor ced during initial connection setup. If the client requests a higher bit rate than al lowed by policy , the request is denied. Note: Under certain network conditions , a client ma[...]

Chapter 4: Property Reference 199 ne v er_refresh_bef ore_e xpir y( ) The never_refresh_before_expiry( ) pr operty is similar to the CLI command: SGOS#(config) http strict-expiration ref resh except that it provides per -transaction control to allow overriding the box- wide default set by the command. Syntax never_refresh_before_expiry(yes|no) The [...]

Proxy SG Content Policy Language Guide 200 ne v er_ser ve_after_e xpir y( ) The never_serve_after_expiry( ) property is similar to the CLI command: SGOS#(config) http strict-expiration ser ve except that it provides per transaction control to allow overriding the box-wide default set by the command. Syntax never_serve_after_expiry(yes|no) The defau[...]

Chapter 4: Property Reference 201 patience_page( ) Controls whether or not a patience page can be served, and i f so, the delay interval befor e serving. If no patience_page property is explicitly set, the decision about whether to serve a patience page and the delay befor e a patience page is pr esented ar e taken from the ICAP service configurati[...]

Proxy SG Content Policy Language Guide 202 pipeline( ) Determine s whether a n object emb edded within an HTML contain er object is pipeli ned. Set to yes to force pipelining, or set to no to prevent the embedded obje ct from being pipelined. Note that this property af fects pr ocessing of the individual URLs embedded within a container object. It [...]

Chapter 4: Property Reference 203 pref etch( ) This deprecated pr operty has been replaced by pipeline( ). For more infor mation, see "pipeline( ) " on page 202.[...]

Proxy SG Content Policy Language Guide 204 reflect_ip( ) Determines how the client IP addr ess is pr esented to the origin server for explicitly proxied r equests. Replac es: • reflect_ip(vip) replaces reflect_vip( yes) . • reflect_ip(auto) r eplaces reflect_vip(no) . Syntax reflect_ip(auto|no|client|vip|ip_address ) The default value is auto .[...]

Chapter 4: Property Reference 205 reflect_ vip( ) This depre cated syntax has been replaced by the reflect_ip( ) pr operty . For more information, see "reflect_ip( )" on page 204.[...]

Proxy SG Content Policy Language Guide 206 refresh( ) Controls r efreshing of r e quested objects. Set to no to pr event refr eshing of the object if it is cached. Set to yes to allow the cache to behave normally . Syntax refresh(yes|no) The default value is yes . Lay er and T ransa ction Notes •U s e i n <Cache> layers. •D o n o t u s e [...]

Chapter 4: Property Reference 207 remov e_IMS_from_GET( ) The remove_IMS_from_GET( ) pr operty is similar to the CLI command: SGOS#(config) http substitute if-modifie d-since except that it provides per transaction control to allow overriding the box-wide default set by the command. Syntax remove_IMS_from_GET(yes|no) The default value is taken fr o[...]

Proxy SG Content Policy Language Guide 208 remov e_PNC _from_GET( ) The remove_PNC_from_GET pr operty is similar to the CLI command: SGOS#(config) http substitute pragma-no- cache except that it provides per transaction control to allow overriding the box-wide default set by the command. Syntax remove_PNC_from_GET(yes|no) The default value is taken[...]

Chapter 4: Property Reference 209 remov e_reload_from_IE_GET( ) The remove_reload_from_IE_GET( ) pr operty is similar to the CLI command: SGOS#(config) http substitute ie-reload except that it provides per transaction control to override the box-wide def ault set by the command. Syntax remove_reload_from_IE_GET(yes|no) The default value is taken fr[...]

Proxy SG Content Policy Language Guide 210 request.filter_ser vice( ) Controls whether the request is pr ocessed by an external content filter service. The Pr oxy SG currently supports W ebsense Enterprise Server external content filtering. Dire cting the request to an exte rnal content filter service does not affect policy based on categories dete[...]

Chapter 4: Property Reference 211 url.address=10.0.0.0/8 ; don't filter i nternal network client.address=10.1.2.3 ; don't filter this client See Also •T h e P r o x y SG Command L ine Reference for information on configurin g W ebsense off-box servi ces.[...]

Proxy SG Content Policy Language Guide 212 request.icap_ser vice( ) Determines whether a r equest fr om a client should be pr ocessed by an external ICAP service before going out. T ypical applications include content fi ltering and virus scanni ng. Syntax request.icap_service( servicename [, fail _open | fail_closed]) request.icap_service(no) The [...]

Chapter 4: Property Reference 213 response.icap_service( ) De te r mi ne s w h et he r a res p on se to a cl ie nt req u es t i s f i rs t s en t t o a n IC AP se r vi ce be f ore be in g g i ve n t o the client. Depending on the ICAP service, the response may be allowed, denied , or altered. T ypical applications include virus scanning. Syntax res[...]

Proxy SG Content Policy Language Guide 214 ser vice( ) This depre cated syntax has been replaced by the allow , deny( ) and exception( ) pr operties.[...]

Chapter 4: Property Reference 215 soc ks.acceler ate( ) The socks.accelerate pr operty controls the SOCKS pr oxy handoff to othe r protocol agents. Syntax socks.accelerate(no|auto|http|aol_im|msn _im|yahoo_im) The default value is auto . where: • no —The SOCKS proxy doe s not hand off the transaction to another pr oxy agent, but tunnels the SOC[...]

Proxy SG Content Policy Language Guide 216 soc ks.authenticate( ) The same realms can be used for SOCKS proxy au thentication as can be used for regular pr oxy authentication. This form of authentica tion applies only to SOCKS transactions. The regular au thenticate( ) property does not apply to SOCK S transactions. However , if an accelerated SOCK[...]

Chapter 4: Property Reference 217 soc ks.authenticate .f orce( ) This property controls the r elation be tween SOCKS authentication and denial. Syntax socks.authenticate.force(yes|no) The default value is no . where: • yes —Makes socks.authenticate( ) higher priority than deny( ) or exception( ) . Use yes to ensure that userID's ar e avail[...]

Proxy SG Content Policy Language Guide 218 soc ks_gatew a y( ) Controls whether or not the request associated with the current transaction is sent thr ough a SOCKS gateway . There is a box-wide configuration sett ing ( config>socks-gateways>sequence ) for the de fault SOCKS gateway failover sequence. The socks_gateway( ) pr operty is used to [...]

Chapter 4: Property Reference 219 soc ks_gatew a y .f ail_open( ) Controls whether the Proxy SG terminates or continues to proces s the request if the specified SOCKS gateway or any de signated backup or default cannot be contacted. There is a box-wide configuration sett ing ( config>socks-gateways>failure-mode ) for the default SOCKS gateway[...]

Proxy SG Content Policy Language Guide 220 streaming.transpor t( ) Determines the upstream transport mechanism to be u sed for this streaming transaction. T his setting is not definitive. The ability to use the specified transport mechanis m depends on the capabilities of the selected forwar ding host. Syntax streaming.transport(auto|tcp|http) wher[...]

Chapter 4: Property Reference 221 ter minate_connection( ) The terminate_connection( ) pr operty is used in an <Exception> layer to dr op the connection rather than return the exception r esponse. The yes option terminates the connection instead of returning the r esponse. (This property pr ovid es backwards compatible support with the TERMIN[...]

Proxy SG Content Policy Language Guide 222 trace .destination( ) Used to change the default path to the trace output file. By default, policy ev aluation trace output is written to an object in the cache accessibl e using a console URL of the following form: http:// ProxySG_IP_address :8081/Policy/Tr ace/ path Syntax trace.destination( path ) where[...]

Chapter 4: Property Reference 223 trace .request( ) Determines whether detailed trace output is genera te d for the current reque st. The default value is no , which produces no output. T r ace output is generate d at the end of a request, and includ es request parameters, property settings, and the ef fects of all actions taken. Output tracing can[...]

Proxy SG Content Policy Language Guide 224 trace .rules( ) Determines whether trace output is generated show ing policy rule evaluation for the transaction. By default, trace output is written to an object accessible using the following console URL: http:// ProxySG_IP_address :8081/Policy/Tr ace/default_trace.html The trace output location can be c[...]

Chapter 4: Property Reference 225 ttl( ) Sets the time-to-live (TTL) value of an object in the cache, in seconds. Upon expiration, the cached copy is considered stale and will be re-obtained fr om the origin server when next accessed. However , this property has an effect only if the following HTTP command line option is enabled : Force explicit ex[...]

Proxy SG Content Policy Language Guide 226 ua_sensitiv e( ) Used to modify caching behavior by declaring that the response for a given object is expected to vary based on the user agent used to r etrieve the object. Set to yes to specify this behavior . Using ua_sensitive(ye s) has the same effect as cache(no) . Note: Remember that any conflict amo[...]

Chapter 5: Action Ref erence An action takes arguments and is wrapped in a user -named action definition block. When the action definition is called fr om a policy rule, any actions it contains operate on th eir respective arguments. W ithin a rule, named action definitions are enabled and disabled using the action( ) property . Actions take the f [...]

Proxy SG Content Policy Language Guide 228 append( ) Appends a new component to the specified head er . Note: An err or results if two head er modification actions modify the same header . This r esults in a compile time error if the conflicting actions ar e within the same action definition block. A runtime err or is r ecorded in the event log if [...]

Chapter 5: Action Refe rence 229 delete( ) Deletes all compone nts of the specified header . Note: An err or results if two header modification actions modify the same head er . The error is noted at compile time if the conflicting actions ar e within the same action definition block. A runtime err or is r ecorded in the event log if the conflictin[...]

Proxy SG Content Policy Language Guide 230 delete_matching( ) Deletes all components of the specified header that contain a substring matchi ng a regular -expression pattern. Note: An error r esults if two header modification acti ons modify the same header . The err or is noted at compile time if the conflicting actions ar e within the same action[...]

Chapter 5: Action Refe rence 231 im.aler t( ) Deliver a message in-band to the instant messaging user . The text appears in the instant message window . This action is similar to log_message( ) , except that it appends entries to a list in the instant messaging transaction that the IM protocol r enders in an appropriate way . Multiple alerts can be[...]

Proxy SG Content Policy Language Guide 232 log_message( ) W rites the specified string to the Proxy SG event log. Events generated by log_message( ) ar e viewed by selecting the Policy messages event logging level in the Management Console. Note: This is independent of acce ss logging. Syntax log_message( string ) Where stri ng is a quoted string t[...]

Chapter 5: Action Refe rence 233 notify_email( ) Sends an email notif ication to the list of r ecipients specified in the Event Log mail configuration. The sender of the email appears as Primary_ProxySG_IP_address - configured_appliance_hostname >. Y ou can speci fy multiple notify_email actions, which may result in multiple mail messages for a [...]

Proxy SG Content Policy Language Guide 234 notify_snmp( ) Multiple notify_snmp actions may be specified, resulting in multiple SNMP traps for a s ingle transaction. The SNMP trap is sent when the transaction terminates. Syntax notify_snmp( message ) where messag e is a quoted string that ca n optionally include one or mor e variable su bstitutions.[...]

Chapter 5: Action Refe rence 235 redirect( ) Ends the current HTTP transaction and r eturns an HTTP r edirect r esponse to the client by setting the policy_redirect exception. Use this action to specify an HTTP 3 xx r esponse code, optionally set substitution variables based on the request URL, and generate the new Location r esponse-header URL aft[...]

Proxy SG Content Policy Language Guide 236 replace( ) This depre cated action has been replaced by rewrite( ) . For more information, see "rewrite( )" on page 237.[...]

Chapter 5: Action Refe rence 237 re wr ite( ) Rewrites the r equest URL, URL host, or componen ts of the specified header if it matches the regular-expr ession pattern. This action is often us ed in conjunction with the URL rewr ite form of the transform acti on in a server portal application. Note: The URL form of the rewrite( ) action does not r [...]

Proxy SG Content Policy Language Guide 238 URL is considered complete, and replaces any URL that contains a su bstring matching the regex_pattern substring. Sub-patterns of the regex_pattern matched can be substituted in replacement_url using the $( n ) syntax, where n is an integer fr om 1 to 32, specifyi ng the matched sub-pattern. For mor e info[...]

Chapter 5: Action Refe rence 239 See Also • Actions: append( ) , delete( ) , delete_match ing( ) , redirect( ) , set( ) , transform • Conditions: request.header. header_name = , request.header. header_name .address= , request.x_header. header_name = , request.x_header. heade r_name .address= , response.header. header_name = , respon se.x_header[...]

Proxy SG Content Policy Language Guide 240 set( ) Sets the specified header to the specified string after delet ing all components of the header . Note: An error r esults if two header modification acti ons modify the same header . The err or is noted at compile time if the conflicting actions ar e within the same action definition block. A runtime[...]

Chapter 5: Action Refe rence 241 Discussion An y c h an ge t o t he se rv er f or m o f t h e re qu es t U R L m us t be res pe ct ed b y p ol ic y co nt rol l in g u ps tre a m connections. The server form o f the URL is tested by the server_url= conditions, which ar e the only URL tests al lowed in <Forward> layers. All forms of the URL are[...]

Proxy SG Content Policy Language Guide 242 transf or m Invokes an active content or URL rewrite transformer . The invoked transformer takes effect only if the transform action is used in a define ac tion definition block, and that block is in turn enabled by an action( ) property . See chapters 1 1 and 13 in the Configuration and Management Guide f[...]

Chapter 5: Action Refe rence 243 See Also • Properties: action( ) • Definitions: define action , transform a ctive_content , transform url.rewrite[...]

Proxy SG Content Policy Language Guide 244 virus_check( ) This depre cated action sends the r equested do cument to a virus scanning ser ver . For more information, see "r esponse.icap_service( )" on page 213.[...]

Chapter 6: Definition Ref erence In policy files, definitions serv e to bind a set of conditions, ac tions, or transformations to a user-defined labe l. T wo types of definitions e xist: • Named definition s—Explicitly r eferenced by policy . • Anonymous definitions—Apply to all policy evaluation and are no t ref e ren ce d d i rec tl y i n[...]

Proxy SG Content Policy Language Guide 246 define action Binds a user -defined label to a sequence of action statements. The action( ) pr operty has synt ax that allows for individual action de finition blocks to be enabled and disabled independ ently , based on the policy evaluation for the transaction. When an action definition block is enabled, [...]

Chapter 6: Definition Reference 247 • Definitions: transform active_content , transform url_rewrite • Chapter 5: "Action Refer ence".[...]

Proxy SG Content Policy Language Guide 248 define activ e_content Defines rules for removing or r eplacing active cont ent in HTML or ASX docu ments. This definition takes ef fect only if it is invoked by a transform action in a define action definition block, and that block is in turn enabled an action( ) pr operty as a result of policy evaluation[...]

Chapter 6: Definition Reference 249 Lay er and T ransa ction Notes • Applies to proxy transactions. • Only alph anumeric, und erscore, dash, and slas h characters can be used with the defin e action name. Example <proxy> url.domain=!my_site.com action.strip_active_cont ent(yes) define active_content strip_with_indication tag_replace apple[...]

Proxy SG Content Policy Language Guide 250 define categor y Category definitions are used to extend vendor content categories or to create your own. The category_name definition can be used anywher e a conten t filter category name would normally be used, including in catego ry= test s. Definitions can includ e other definitions to cr eate a hierar[...]

Chapter 6: Definition Reference 251 sportsworld.com category=football ; include subcategory end define category football nfl.com cfl.ca end The following policy need s only to ref er to the sports category to also test the sub- category football: <Proxy> deny category=sports ; includes subc ategories For more information on using categor y= t[...]

Proxy SG Content Policy Language Guide 252 define condition Binds a user -defined label to a set of conditions for use in a condition= expr ession. For condition definitions, the manner in which the condition expressions are listed is significant. Multiple condition expressions on one line, separate d by whitespace, are conside red to have a Boolea[...]

Chapter 6: Definition Reference 253 define condition extension_low_risk ; fi le types assumed to be low risk. url.extension=(asf,asx,gif,jpeg,mov,m p3,ram,rm,smi,smil,swf,txt,wax,wma,wmv,wvx) end define condition internal_prescanned ; will be prescanned so we can assum e safe server_url.domain=internal.myco.com s erver_url.extension=(doc,dot,hlp,ht[...]

Proxy SG Content Policy Language Guide 254 define domain This depre cated syntax has been replaced by the url.domain condition. For mor e information see "define url.domain con dition" on page 263.[...]

Chapter 6: Definition Reference 255 define ja v ascr ipt A javascript definition is used to define a javascript transformer , which adds javascrip t that you supply to HTML responses. Syntax define javascript transformer_id javascript-statement [ javascript-stateme nt] … end where: • transformer_id —A user -defined identifier for a transforme[...]

Proxy SG Content Policy Language Guide 256 See Also •A c t i o n s : transform • Definitions: define action •P r o p e r t i e s : action ( )[...]

Chapter 6: Definition Reference 257 define prefix condition This depre cated syntax has been replaced by th e define url condition. For mor e information see "define url condition" on page 261.[...]

Proxy SG Content Policy Language Guide 258 define ser ver_url.domain condition Binds a user-defined label to a set of domain-s uffix patterns for use in a condition= expr ession. Using this definition block allows you to quickl y test a large set of server_url.domain= conditions. Although the define condition definition blo ck could be used in a si[...]

Chapter 6: Definition Reference 259 affinityclub.example.com end <Forward> condition=!allowed access_server(no) See Also Condition: condition= , server_url.domain= Definitions: define url.domain condition[...]

Proxy SG Content Policy Language Guide 260 define subnet Binds a user-defi ned label to a set of IP addresses or IP subnet patterns. Use a subnet definiti on label with any of the conditions th at test part of the transaction as an IP address, including: client.address= , proxy.address= , request.header. header_name .address= , request.x_header. he[...]

Chapter 6: Definition Reference 261 define url condition Binds a user -defined label to a set of URL pr efix patterns for use in a condition= expression. U sing this definition block allows you to quickl y test a large set of url= conditions. Although the define condition definition block coul d be used in a similar way to encapsulate a set of URL [...]

Proxy SG Content Policy Language Guide 262 timing restrictions for the defined condition will depend on the layer and timing restrictions of the contained expressions. The conditio n= condi tion is on e of the ex pressions th at can be included in the body of a define url condition definition block, following a URL patter n. In this way , one pr ef[...]

Chapter 6: Definition Reference 263 define url.domain condition Binds a user -defined label to a set of domain-suf fix patterns for us e in a condition= expressi on. Using this def inition block allows y ou to test a lar ge set of serv er_url.domain= conditions very quickly . Although the de fine condition definition block could be used in a si mil[...]

Proxy SG Content Policy Language Guide 264 See Also • Condition: condition= , server_url.domain= • Definitions: define url condition , define server_url.domain condition[...]

Chapter 6: Definition Reference 265 define url_rewrite Defines rules f or rewriting URLs embedded in tags within HTML, CSS, JavaScript or ASX documents. This transformer takes ef fect only if it is also invoked by a transfor m action in a define action definition block, and that block is in turn called fr om an action( ) pr operty . For each url fo[...]

Proxy SG Content Policy Language Guide 266 • server_url_substring —A string that, if found in the serv er URL, will be r eplaced by the client_url_substring . The comparison is done against original normalized URLs embedded in the document. Note: Both client_url_substring and server_url_substring ar e literal strings. W ildcard characters and r[...]

Chapter 6: Definition Reference 267 restrict dns This definition r estricts DNS lookups and is useful in installations wher e access to DNS resolution is limited or problematic. The definition has no name beca use it is not directly r eferenced by any rules. It is global to policy eval uation and intended to prev ent any DNS lookups caused by polic[...]

Proxy SG Content Policy Language Guide 268 restrict rdns This definition r estricts reverse DNS lookups and is useful in i nstallations where acces s to reverse DNS resolution is limited or pr oblema tic. The definition has no name. It is global to po licy evaluatio n and is not directly referenced by any rules. If the requested URL specifies the h[...]

Chapter 6: Definition Reference 269 transf or m activ e_content This depre cated syntax has been replaced by define active_content . For more inf ormation see "define active_content" on page 248.[...]

Proxy SG Content Policy Language Guide 270 transf or m url_rewrite This depre cated syntax has been r eplaced by define url_rewrite . For more inform ation see "define url_rewrite" on page 265.[...]

Appendix A: Glossar y actions A class of definitions. CPL has two gene ral classes of actions: request or response modifications and notifications. An act ion takes arguments (such as the portion of the request or r esponse to modify) and is wrapped in a named action defi nition block. When the action definition is turned on by the policy rules, an[...]

Proxy SG Content Policy Language Guide 272 Forwar d Policy File A file you cr eate or that mi ght be created during an upgrade from prior SGOS versions, and that you maintain to supplement any policy descri bed in th e other three policy files. It is normally used for forwar ding policy . The Forwar d policy file is always last in the evaluation or[...]

Appendix A: Glossary 273 resp on se transformation a modification of the object being returned. This modification can be to either the protocol headers associat ed with the r esponse sent to the client, or a transformation of the object contents itself, such as the r e moval of active content fr om HTML pages. rule A list of triggers and property s[...]

Proxy SG Content Policy Language Guide 274[...]

Appendix B: T esting and T roub leshooting If you are experiencing pr oblems with your policy files or would like to monitor evaluation for brief periods of time, consider using the po licy tracing capabilities of the policy la nguage. Tr a c i n g allows you to examine how the Proxy SG policy is applied to a part icular request. T o configure trac[...]

Proxy SG Content Policy Language Guide 276 Enabling Request T racing Use the trace.request( ) pr operty to enable request tracing. Request tracing l ogs a summary of information about the transaction: r equest parameter s , property settings, and th e effects of all actions taken. This property uses the following syntax: trace.request(yes|no) where[...]

Appendix B: Testing and Troubleshoo ting 277 Here ar e the relevant policy r equirements to be expresse d: • DNS lookups are r estricted except for a site being hosted. • There is no access to reverse DNS so that is completely restricted. • Any requests not addr essed to the hosted site ei ther by name or subnet should be r ejected. • FTP P[...]

Proxy SG Content Policy Language Guide 278 1 start transaction ------------------ ------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rules(all) trace.request(yes) 5 <Proxy> 6 miss: url.domain=!//my_site.com/ 7 miss: url.address=!my_subnet 8 <Proxy> 9 n/a : ftp.method=STOR 10 <Proxy> 11 MATCH: url.domain=//my_site.[...]

Appendix B: Testing and Troubleshoo ting 279 The following is a trace of the same p olicy , but f or a transaction in which the request URL has an IP addres s instead of a hostname. 1 start transaction ------------------ ------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rules(all) trace.request(yes) 5 <Proxy> 6 miss: url.hos[...]

Proxy SG Content Policy Language Guide 280 Policy: Action discarded, 'set_header_1' conflicts with an action already committed The conflict is re flected in the following trace of a r equest for //www.my_site.com/home.html : 1 start transaction ------------------------------ 2 CPL Evaluation Trace: 3 <Proxy> 4 MATCH: trace.rules(all[...]

Appendix C: Recogniz ed HTTP Headers The tables pr ovided in this appendix list all recogni zed HTTP 1.1 headers and indicate how the Proxy SG is able to interact wi th them. For each head er , columns show whether the header appears in req ue s t or re sp on s e f or ms , an d w he th e r t he append( ) , delete( ) , rewrite( ) , or set( ) actions[...]

Proxy SG Content Policy Language Guide 282 The following table lists custom he ader s that are r ecognized by the Proxy SG . If-Match Request X If-Modified-Since R equest If-None-Match Request X If-Range Request If-Unmodified-S ince Request Last-Modified Requ est/Response Location Response X X Max-Forwards Request Meter Request/ Response X X Pragma[...]

Appendix D: CPL Substitutions This appendix lists all su bstitution variables avail able in CPL. T o use a variable in CPL, it is expressed as: $(<field-id> , s uch as $(cs-bodylength). For fields that have bo th ELFF and CPL tokens, ei ther token can be used. For example, $(cs-ip) and $(proxy.address) ar e equivalent. Note that $(request.x_h[...]

Proxy SG Content Policy Language Guide 284 sr-bytes Number of bytes sent fr om appliance to upstream host. sr-headerlength Number of bytes in the header sent from appliance to upstream host. Category: connection ELFF CPL Description cs-ip proxy.address IP addr ess of the destination of the client's connection. c-connect-type The type of co nne[...]

Appendix D: CPL Substitutions 285 x-bluecoat- transaction-id transaction.id Unique per -request identifier generated by the appliance (note: this value is not unique across multiple appliances). x-bluecoat-appliance- name appliance.name Configured name of the appli ance. x-bluecoat-appliance- primary-address appliance. primary_address Primary IP ad[...]

Proxy SG Content Policy Language Guide 286 cs-version request.version Protocol and version fr om the client's request; for exam ple, HTTP/1.1. x-bluecoat-proxy-via- http-version proxy.via_http_version D efault HTTP protocol v ersion of the appliance without protocol decoration (e.g. 1.1 for HTTP/1.1). x-bluecoat-redirect- location redirect.loc[...]

Appendix D: CPL Substitutions 287 x-bluecoat-special-esc esc Resolve s to the esc ape charact er (ASCII HEX 1B). x-bluecoat-special-gt gt The gr eater-than characte r . x-bluecoat-special-lf lf The line feed character . x-bluecoat-special-lt lt The less-than characte r . x-bluecoat-special- quot quot The double quote character . x-bluecoat-special-[...]

Proxy SG Content Policy Language Guide 288 x-bluecoat-surfcontrol- reporter-id Specialized value for SurfControl reporter . x-bluecoat-websense- category-id The W e bsense specific content category ID. x-bluecoat-websense- keyword The W ebsense specific keywo rd. x-bluecoat-websense- reporter-id The W ebsense specific reporter category ID. x-blueco[...]

Appendix D: CPL Substitutions 289 x-patience-url patience_url The url to be requested for mor e patience information. x-virus-id Identif ier of a virus if one was det ected. Category: streaming ELFF CPL Description x-cs-streaming-client streaming.client T ype of streaming client in use (windows_media, r eal_media, or quicktim e). x-rs-streaming-con[...]

Proxy SG Content Policy Language Guide 290 x-bluecoat-day day Localtime day (as a number) formatted to take up two spaces; for example, 07 for the 7th of the month. x-bluecoat-hour hour Localtime hour formatted to always take up two spaces; for example, 01 for 1AM. x-bluecoat-minute minute Localtime minute forma tted to always take up two spaces; f[...]

Appendix D: CPL Substitutions 291 cs-uri-hostname log_url.hostname Hostname fr om the 'log' URL. RDNS is used if the URL uses an IP addr ess. cs-uri-path log_url.path Path from the 'log' UR L. Doe s not include query . cs-uri-pathquery log_url.pathquery Path and query fr om the 'log' URL. cs-uri-port log_url.port Port [...]

Proxy SG Content Policy Language Guide 292 sr-uri-query server_url.query Query from the u pstream request URL . sr-uri-scheme server_url.scheme Scheme fr om the URL used in the upstream req u es t. sr-uri-stem Path from the upstr eam request URL s-uri cache_url The URL used for cache access. s-uri-address cache_url.address IP addr ess from the U RL[...]

Appendix D: CPL Substitutions 293 Category: user ELFF CPL Description cs-auth-group group One group that an auth enticated client is a member of. The group selected is determined by either a group.log_order definition in policy or the order gr oups are refer enced in policy cs-auth-groups groups Groups that a n authenticated client is a member of. [...]

Proxy SG Content Policy Language Guide 294 cs(Accept-Language) request.header.Accep t- Language Request header: Accept-Langua ge cs(Accept-Ranges) request.header.Accep t- Ranges Request header: Accept-Range s cs(Age) request.header.Age Request header: Age cs(Allow) request.header.Allow Request header: Allow cs(Authentication- Info) request.header. [...]

Appendix D: CPL Substitutions 295 cs(If-Unmodified- Since) request.header.If- Unmodified-Since Request header: If-Unmodified-Since cs(Last-Modified) request.header.Last- Modified Request header: Las t-Modified cs(Location) request.header.Location Reque st header: Location cs(Max-Forwards) request.header. Max-Forwards Request header: Max-Forwards cs[...]

Proxy SG Content Policy Language Guide 296 cs(X-Forwarded-For) request.header. X-Forwarded-For Request header: X-Forwar ded-For Category: si_response _header ELFF CPL Description rs(Accept) response.header.Accept Response header: Accept rs(Accept-Charset) response.header. Accept-Charset Response header: Accept-Charset rs(Accept-Encoding) response.h[...]

Appendix D: CPL Substitutions 297 rs(From) response.header.From Re sponse header: From rs(Front-End-HTTPS) response.header. Front-End-HTTPS Response header: Fr ont-End-HTTPS rs(Host) response.header.Host Re sponse header: Host rs(If-Match) response.header. If-Match Response header: If-Match rs(If-Modified-Since) response.header. If-Modified-Since R[...]

Proxy SG Content Policy Language Guide 298 rs(Vary) response.header.Vary Response header: V ary rs(Via) response.header.Via Response header: V ia rs(WWW-Authenticate) response.header. WWW-Authenticate Response header: WW W -Authenticate rs(Warning) response.header.Warning Response header: W arning rs(X-BlueCoat-Error) response.header. X-BlueCoat-Er[...]

Appendix E: Filter File Syntax This appendix provides a summary of the syntax and evaluation order used in CacheOS version 4. x filter files. While it is recommended that you conver t any filter fil e to take advantage of the policy features of Pr oxy SG , it is possib le to use a CacheOS 4. x filter file in the place of a policy file, and have it [...]

Proxy SG Content Policy Language Guide 300 Filter-P ar t Components The filter part of a filter file can cont ain the following: • Filters that are not part of a section •S e c t i o n s • ALL st atement s • default_filter_properties statements • Access-control list (ACL) definitions Filters that ar e not part of a section mu st occur bef[...]

Appendix E: Filter File Syntax 301 • The only condition available in filter lines is the acl= condition, which is a synonym for the CPL condition client.address= . • The only way to specif y case-sensitivity is wi th case_insensitive={yes|no}. The following are r equirements for filter lines: • A line br eak is consider ed to be a new filter [...]

Proxy SG Content Policy Language Guide 302 ALL Statements An ALL st atement is a line begi nning with the keyword ALL , f o l l o w e d b y z e ro o r m o r e c o n di ti on s a nd property settings . There ar e two conditions available in an ALL statement: acl= and protocol=. The ALL statement acts as a match of first resort, befor e any filters a[...]

Appendix E: Filter File Syntax 303 • protocol= value — An optional protocol= condition expr ession. A vailable values ar e http , https , ftp , mms , rtsp , tcp , aol-im , msn-im , or yahoo-im . For detai ls, see "url=" on page 137. • property=value — An optional property setting. For a list of properties available in filter files[...]

Proxy SG Content Policy Language Guide 304 While prefix-pattern filters are commonly used outside of any s ection, the Prefix section is pr ovided t o help differ entiate these type of filters when domain -suf fix and r egular-expr essi on filters are also used. The filters in a prefix section follow the pattern used in a CPL url= condition. For mo[...]

Appendix E: Filter File Syntax 305 • The domain-suffix filter http://company.com/ denies service to all URLs where compan y.com is a pr oper super-domain and any path r elative to th e matched domain, including the null path. For example, service is denied to the URL http://www.intranet.com pany.com/ , but not http://mycompany.com/ since mycompan[...]

Proxy SG Content Policy Language Guide 306 Ev aluation Order CacheOS 4. x filter files have a differ ent orde r of evaluation than CPL files. A compiled fi lter file behaves as if it had a single [Prefix] section, a single [Domain-Suffix] section, and a single [Regular-Expression] section. The filter file is rewritten during file compilation, as fo[...]

Appendix F: Upgr ading from CacheOS When upgrading from CacheOS version 4. x to the Proxy SG , the default policy files are cr eated as follows: • The CacheOS 4. x central filter f ile is copied to the Pr oxy SG central policy file with no changes. • The CacheOS 4. x local filter file is copied to the Proxy SG local policy file with no changes.[...]

Proxy SG Content Policy Language Guide 308 For the CPL compiler , the corr ect filter will be sele cted at run time based on the ACL if the filters are distin guished by having dif ferent ACL conditions. Conv er ting Filter-Style Files to CPL Syntax When converting your filter -style files, do not inse rt snippets of CPL syntax to take a dvantage o[...]

Inde x A <Admin> layers, understanding 37 access_log( ) property 154 access_server() property 155 action definition block 246 action part, filter file 30 5 action.action_label( ) property 156 actions append() 228 argument syntax in 227 conflicting 47 delete() 229 delete_matching() 230 log_message() 232 notify_email 233 , 234 redirect() 235 re[...]

Proxy SG Configuration and Management Guide 310 D date= condition 67 day= condition 68 define acl definition block, filter fi le 303 define action definition block 246 define category definiti on 250 define condition definition block 252 define prefix condition definition block 257 , 261 define server_url.domain condition name definition 258 define[...]

Index 311 H has_attribute.name= condition 74 has_client= condition 76 hour= condition 77 HTTP cache transactions 36 http.method= condition 79 http.request.version( ) property 190 http.request.version=condition 80 http.response.code=condition 81 http.response.version( ) property 191 http.response.version=condition 82 http.transparent_authentication=[...]

Proxy SG Configuration and Management Guide 312 rules, conflicting 47 statistics, example 276 testing 275 tips on writing 44 troubleshooting 275 whitelists 45 policy ix authentication/denial, setting 28 installing, overview 29 troubleshooting, overview 30 writing, overview 27 policy model, understanding 20 policy rules order 45 policy tracing enabl[...]

Index 313 Q quoting, understanding 22 R realm= condition 112 redirect() action 235 references related Blue Coat documentation x referential integrity, understa nding 26 reflect_ip( ) property 204 reflect_vip( ) property. See reflect_ip( ) property refresh property, filter file 30 2 refresh transactions 35 refresh( ) property 206 regular-expression [...]

Proxy SG Configuration and Management Guide 314 T time= condition 134 timing in layers, understanding 41 understanding 36 trace.destination( ) 276 trace.destination( ) property 222 trace.request( ) property 22 3 trace.rules enabling 275 trace.rules() property 224 trace.rules, enabling. 275 transactions administrator 33 cache 33 , 35 , 271 forwardin[...]